Collection of internal notes of the Direction des Etudes et Recherches

LIENS ENTRE LES ETUDES PROBABILISTES DE SURETE ET LA MAINTENANCE DANS LES TRANCHES NUCLEAIRES FRANÇAISES

LINKS BETWEEN PROBABILISTIC SAFETY ASSESSMENTS AND MAINTENANCE IN FRENCH NUCLEAR POWER PLANTS

EDF (Electricité de France)

Electricité de France
Direction des Etudes et Recherches

Service Réacteurs Nucléaires et Echangeurs, Département Etudes de Sûreté et de Fiabilité
Service Ensembles de Production, Département Surveillance Diagnostic Maintenance

June 1992

DEWAILLY J., DUBREUIL-CHAMBARDEL A., JACQUOT J.P., MAGNE L.

Pages: 12    93NB00055

Distribution: J.-M. Lecœuvre, EDF-DER, Service IPN, Département SID, 1 avenue du Général-de-Gaulle, 92141 Clamart Cedex

© Copyright EDF 1993

ISSN 1161-0611

SUMMARY:

Two probabilistic safety assessments (PSAs) have been carried out in France on pressurised water reactor (PWR) units; they were completed in 1990. The first, carried out by CEA/IPSN, concerned the 900 MW series; the second, carried out by EDF, concerned the 1300 MW series. Both PSAs evaluate the core damage frequency in all plant states, from cold shutdown for refuelling to full power operation. Both studies will be updated periodically as data and knowledge evolve.

The PSA model makes it possible to rank the importance of component failures in the scenarios leading to reactor core damage, and thus brings out the components on which a maintenance effort must be made. A first link is thus established between PSAs and studies to improve preventive maintenance.

The role of maintenance in PSAs is another link. Maintenance as practised on nuclear units has an impact on the reactor core damage frequency. The reliability parameter values of a component depend in particular on the maintenance tasks prescribed for that equipment. For an intervention on a component, a lock-out is performed which makes a list of components unavailable. Finally, at the end of the intervention, errors (omission to restore the configuration, ...) may occur. Each of these parameters (reliability; unavailability related to the maintenance duration; incorrect configuration) influences the safety level of the unit. Doing more maintenance has two antagonistic effects: a decrease in the component failure rate on the one hand, and an increase in the unavailability rate and in the risk of incorrect configuration on the other. Increased maintenance is only justified to prevent failures of components with major consequences for safety, availability or maintenance costs.

In conclusion, for a sound risk assessment, maintenance must be taken into account in the PSA. PSAs and probabilistic availability studies are indispensable to really optimise maintenance.


EXECUTIVE SUMMARY:

Two Probabilistic Safety Assessments (PSAs) carried out in France on Pressurized Water Reactor (PWR) units ended in 1990. The first was conducted by CEA/IPSN on 900 MWe units and the second by EDF on 1300 MWe units. These PSAs determine the core damage frequency for all plant operating conditions, ranging from cold shutdown for refuelling to full power operation. Both studies will be periodically updated to integrate new data and knowledge.

The Probabilistic Safety Assessment model makes it possible to rank component failures in order of importance for the scenarios leading to core damage, and thus highlights those components for which a maintenance effort should be made. A first link is thus established between Probabilistic Safety Assessments and preventive maintenance improvement studies.

The role of maintenance in PSAs is another link. Maintenance, as it is carried out on nuclear units, has an impact on the core damage frequency. The values of the reliability parameters of a component depend on the maintenance operations prescribed for that component. For the maintenance of a component, a series of other components are padlocked. At the end of the maintenance operations, errors can be committed (omission to return a component to its service configuration, ...). Each of these parameters (reliability, maintenance-related unavailability, inadequate configuration) affects the unit safety. Maintenance reinforcement has two opposite effects: the component failure rate decreases, but its unavailability as well as the risk of inadequate configuration increase. Reinforced maintenance is only justified to prevent the failure of components with important consequences on safety, availability or maintenance costs.

In conclusion, in order to assess risk properly, maintenance should be taken into account in the PSA. Probabilistic safety assessments and probabilistic unavailability studies are a requisite to truly optimize maintenance.

1. What is a Probabilistic Safety Assessment?

A Probabilistic Safety Assessment is a set of reliability models. A reliability model is a qualitative representation of the misoperation of a system, combining relations between "failure modes" and "failure effects"; it can also be used for quantitative processing. Probabilistic Safety Assessments performed in France include three types of models: studies of elementary systems (e.g. FMEA), studies of PSA missions (e.g. fault trees) and studies of accident sequences (e.g. event trees).

A Failure Modes and Effects Analysis (FMEA) is a model describing the causes and effects of the failure modes of an elementary system. The FMEA is aimed at studying a system exhaustively, and at listing and classifying its failure modes.

A model of the "fault tree" type consists in the analysis of the failure mode combinations leading to the failure of a PSA mission. Generally several elementary systems are concerned when a PSA mission is studied. The mission "cooling of the primary system by the RHRS" involves the operation of the RHRS, RCS, FPCCS (1), CVCS and CCS elementary systems, the power supplies and the computerized control system (1300 MWe units). A fault tree is a thorough qualitative representation of the misoperation of the elementary systems. The failure probability of a PSA mission can be assessed by assigning a probability to each basic event of the fault tree.

A model of the "event tree" type consists in the analysis of the failures of the PSA missions required following an accident or an incident, and which lead to a dreaded event (e.g. core damage). For an analysis of the accident sequences to be performed, a functional analysis at the unit level (if not at the site level) must be carried out. The event tree is aimed at identifying and then quantifying the accident sequences.

[Fig. 1 - Example of event tree. Column headings recoverable from the figure: initiating event; system 1 fails between 0 and T; repair of a system before t_i. Footnote *: LHi (i = A or B): 6.6 kV AC emergency supplied distribution system.]

(1) FPCCS: Fuel Pool Cooling and Cleanup System

Figure 1 shows an example of event tree. The initiating event is the loss of the LHA and LHB 6.6 kV AC emergency supplied distribution systems due to a short-circuit. The frequency of this initiating event is calculated by the state graph method. The first generic event in this event tree is the PSA mission "supply feedwater to the steam generators"; this PSA mission is modelled by a fault tree. Times to unacceptable consequences as well as possible repairs are taken into account for the quantification of accident sequences.

[Fig. 2 - General procedure for a PSA. Labels recoverable from the figure:
SYSTEMS ANALYSIS: operating experience (functional breakdown and failure modes); elementary systems FMEA; identification of the failure mode combinations resulting in the failure of the PSA missions; quantification of the failures of the PSA missions, using component reliability data.
UNIT ANALYSIS: unit functional analysis; identification of PSA missions; identification of accident sequences; quantification of accident sequences, using operating experience (identification of initiating events and human behaviour) and data on initiating events and human reliability.]

Figure 2 shows the general procedure followed when performing a PSA in France. First, a functional analysis is performed at the unit level: PSA missions are identified for each initiating event. Simultaneously, FMEAs are carried out on the elementary systems. These FMEAs make it possible to identify, for each PSA mission, the failure mode combinations leading to the failure of that mission. This first stage of the procedure is purely qualitative.

Based on operating experience [1], the PSA mission failures and then the accident sequences are quantified. The models are input and then quantified with the LESSEPS tool. The LESSEPS computer tool is used to input, organize and process a set of reliability models. It incorporates reliability computer codes, a database management system and graphic interfaces to input models and data.

2. Some Characteristics of the Probabilistic Safety Assessments in France

Two Probabilistic Safety Assessments (PSAs) carried out in France on Pressurized Water Reactor (PWR) units ended in 1990. The first was conducted by CEA/IPSN on 900 MWe units and the second by EDF on 1300 MWe units. These PSAs determine the core damage frequency for all plant operating conditions, ranging from cold shutdown for refuelling to full power operation. Both studies will be periodically updated to integrate new data and knowledge.

3. A First Link between Probabilistic Safety Assessments and Studies to Improve Preventive Maintenance

3.1. Qualitative Aspects

PSAs carried out in France provide a qualitative list of the failure modes of PSA components having or likely to have an impact on reactor core damage. A PSA component is the smallest element considered in the PSA (e.g. valve, pump, pump motor). The steps already performed during a PSA are (1) the identification of PSA missions at the unit level according to the type of initiating event (RCS break, secondary system break, SGTR, ...) and (2) the identification of the failure modes of PSA components likely to result in the failure of PSA missions.

How can we draw up a qualitative list of PSA component failure modes having or likely to have an impact on reactor core damage? Take for example the function "supply feedwater to the steam generators" (for decay heat removal from the reactor core). This function corresponds to several PSA missions according to the initiating event (Anticipated Transient Without Scram, Steam Generator Tube Rupture). Besides, the accident sequence assessment method chosen for French PSAs requires that each PSA mission be studied in two situations: (1) availability of the supporting systems of both trains, (2) unavailability of the supporting systems of one train.

The components made unavailable as a consequence of the initiating event are not modelled (e.g. the steam supply to one of the auxiliary feedwater system (AFS) turbine-driven pumps in 1300 MWe units following a steam line break). Likewise, the AFS motor-driven pump is not modelled when its power supply is lost. To rapidly obtain a qualitative list of the failure modes of the PSA components, we take the basic events of the fault tree corresponding to the basic PSA mission, that is the PSA mission where the AFS motor-driven pumps and the AFS turbine-driven pump(s) are required to operate and where all the steam generators must be supplied. This list concerns several elementary systems (AFS, TBS (2), MSS, low-voltage distribution systems, etc.). Other PSA component failure modes are added to the list by examining the other missions (for instance, "isolate the water and steam sides of the steam generator exhibiting a tube rupture": this mission involves the operation of valves belonging to the AFS, TBS and MSS elementary systems). This method was used to draw up the qualitative list of the failure modes of the 900 MW(e) unit CVCS components having or likely to have an impact on reactor core damage [2].

(2) TBS: Turbine Bypass System

3.2. Ranking the Elements in the Qualitative List Obtained

The Probabilistic Safety Assessment model makes it possible to rank component failures in order of importance for the scenarios leading to core damage, and thus highlights those components for which a maintenance effort should be made.

How is this done? [3][4] Sensitivity analyses are performed with the computerized PSA 900 or PSA 1300 by computing the contribution of the PSA component failure modes to reactor core damage. This contribution can be expressed as a core damage frequency per unit-year or as a percentage of the total core damage frequency. Each mode whose contribution exceeds a given threshold is considered to be critical. Furthermore, using the quantitative PSA models, it is possible to calculate the sensitivity factor Fs = (ΔF/F)/(Δλ/λ), where ΔF/F denotes the relative variation of the core damage frequency and Δλ/λ that of the failure rate. This factor can aid decision-making during maintenance task selection by indicating those components on which maintenance should be concentrated and, conversely, those for which maintenance tasks may be reduced.

This method clearly establishes a hierarchy of critical components, revealing the most critical safety-related components. It thus eliminates from the list of critical components those whose impact on the probability of an undesirable event is insignificant, and ensures a high level of coherence between safety and maintenance studies. A possible application of this method is presented in Table 1.

Failure mode                      Parameter value    Contribution* ΔF    % ΔF/F    Sensitivity factor Fs
                                  (period 78/87)     (/unit-year)                  = (ΔF/F)/(Δλ/λ)
Long λ (/h) for LHP & LHQ **      3.2 x 10^-3        4.8 x 10^-7         66        0.77
Short λ (/h) for LHP & LHQ        4.5 x 10^-3        1.91 x 10^-7        26.2      0.33
γ (/d) for LHP and LHQ            3.4 x 10^-3        2.6 x 10^-8         3.6       4.8 x 10^-2
Unavailability of LHP and LHQ     5.2 x 10^-3        2.4 x 10^-8         3.3       3.4 x 10^-2
Gas turbine failure               8.0 x 10^-2        2.04 x 10^-7        28        0.28

*: contribution to the core damage frequency F in the event of a total loss of the electric power supplies

**: LHP: 6.6 kV AC emergency power supply system (train A); LHQ: 6.6 kV AC emergency power supply system (train B)

Table 1 - Contributions and sensitivity factors
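A worked example, added here and not part of the EDF note: a small PSA mission quantified from constructed minimal cut sets (the fault tree of section 1), propagated through an event tree of the kind shown in Fig. 1 to a core damage frequency F, and the basic events then ranked by contribution ΔF and by the sensitivity factor Fs = (ΔF/F)/(Δλ/λ) of section 3.2. The systems, cut sets, initiating event frequency, repair probability and every numerical value are assumptions chosen for illustration, not data from the 900 or 1300 MWe PSAs or from Table 1; the threshold used to flag a mode as critical and the 10% perturbation used for Fs are likewise assumed.

```python
"""Added worked example (not from the EDF note): quantify a PSA mission from
its minimal cut sets, propagate it through a small event tree to a core
damage frequency F, then rank basic events by their contribution dF and by
the sensitivity factor Fs = (dF/F)/(dlambda/lambda) of section 3.2.
All systems, cut sets and numbers below are constructed for illustration;
they are not the 900/1300 MWe PSA data or the values of Table 1."""
from itertools import combinations

# Basic-event unavailabilities (per demand) for the constructed mission
# "supply feedwater to the steam generators with the AFS".
BASIC_EVENTS = {
    "mdp_a": 3.0e-3,      # motor-driven AFS pump A fails to start
    "mdp_b": 3.0e-3,      # motor-driven AFS pump B fails to start
    "tdp": 2.0e-2,        # turbine-driven AFS pump fails to start
    "ccf_pumps": 1.0e-4,  # common-cause failure of all AFS pumps
    "v_closed": 1.0e-3,   # AFS suction valve left closed after maintenance
}
# Minimal cut sets of the mission fault tree (constructed).
CUT_SETS = [("mdp_a", "mdp_b", "tdp"), ("ccf_pumps",), ("v_closed",)]

# Event-tree data (constructed): initiating event frequency per unit-year,
# probability that no repair occurs before the time to unacceptable
# consequences, and the failure probability of the back-up mission.
F_IE = 0.5
P_NO_REPAIR = 0.5
Q_BACKUP = 0.05


def mission_failure_prob(cut_sets, q):
    """P(at least one cut set is failed), by inclusion-exclusion over the
    cut sets; basic events are assumed independent. Exact for a handful
    of cut sets, where the rare-event sum would slightly overestimate."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for subset in combinations(cut_sets, k):
            events = set().union(*subset)
            p = 1.0
            for e in events:
                p *= q[e]
            total += (-1) ** (k + 1) * p
    return total


def core_damage_frequency(q):
    """Event tree of Fig. 1 in miniature: initiating event, then mission
    failure, then no repair before the deadline, then back-up mission
    failure leads to core damage."""
    return F_IE * mission_failure_prob(CUT_SETS, q) * P_NO_REPAIR * Q_BACKUP


def rank_basic_events(q, rel_change=0.1):
    """For each basic event: contribution dF = F - F(q_i = 0), its share of
    F in %, and the sensitivity factor Fs for a relative change rel_change
    of q_i. Rows are sorted by decreasing contribution."""
    f = core_damage_frequency(q)
    rows = []
    for name in q:
        removed = dict(q, **{name: 0.0})
        perturbed = dict(q, **{name: q[name] * (1.0 + rel_change)})
        d_f = f - core_damage_frequency(removed)
        fs = ((core_damage_frequency(perturbed) - f) / f) / rel_change
        rows.append({"event": name, "dF": d_f, "pct": 100.0 * d_f / f, "Fs": fs})
    rows.sort(key=lambda r: r["dF"], reverse=True)
    return rows


def critical_events(rows, threshold_pct=1.0):
    """Modes whose share of F exceeds the (assumed) threshold are critical."""
    return [r["event"] for r in rows if r["pct"] >= threshold_pct]


if __name__ == "__main__":
    print(f"F = {core_damage_frequency(BASIC_EVENTS):.3e} /unit-year")
    rows = rank_basic_events(BASIC_EVENTS)
    for r in rows:
        print(f"{r['event']:<10} dF={r['dF']:.2e}  {r['pct']:6.2f}%  Fs={r['Fs']:.3f}")
    print("critical:", critical_events(rows))
```

Removing a basic event (q_i = 0) gives its contribution ΔF as a frequency per unit-year and as a share of F; Fs comes from a small relative perturbation of q_i. In this constructed model the valve left closed after maintenance dominates both rankings, which is the case in which a maintenance effort is called for, while the three-pump cut set hardly moves F, which is the case in which maintenance tasks may be reduced.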

4. Part Played by Maintenance in PSAs

4.1. Problem Exposition

The role of maintenance in PSAs is another link. Maintenance, as it is carried out on nuclear units, has an impact on the core damage frequency. The values of the reliability parameters of a component depend on the maintenance operations prescribed for that component. For the maintenance of a component, a series of other components are padlocked. At the end of the maintenance operations, errors can be committed (omission to return a component to its service configuration, ...). Each of these parameters (reliability, maintenance-related unavailability, inadequate configuration) affects the unit safety.

4.2. Example of the CVCS in 1300 MWe units

We have ranked the contributions of the failures and unavailabilities of the PSA components involved in the CVCS missions of 1300 MWe units which play a part in accidents such as LOCAs, pipe ruptures in the secondary system, tube ruptures in the steam generators, failures of the CVCS-RBMS (3) and the partial loss of the CCS/SWS. The results of this ranking are presented in Table 2.

Component failure                                                  Core damage frequency    Percentage contribution to the
                                                                   (/unit-year)             total core damage frequency*
Charging line unavailability for maintenance                       1.2 x 10^-7              1.1
Maintenance of pressure sensors RCV 18 and 21 LP                   3.3 x 10^-8              0.31
Failure of test pump upon demand                                   1.5 x 10^-8              0.14
Test pump unavailability for maintenance                           8.4 x 10^-9              7.8 x 10^-2
CVCS filter 211 or 212 FI plugging                                 1.4 x 10^-9              1.3 x 10^-2
RCV 267 VP left closed                                             1.3 x 10^-9              1.2 x 10^-2
RCV 268 VP left closed                                             1.3 x 10^-9              1.2 x 10^-2
RCV 269 VP left closed                                             1.3 x 10^-9              1.2 x 10^-2
RCV 251 VP left opened                                             1.3 x 10^-9              1.2 x 10^-2
RCV 252 VP left opened                                             1.3 x 10^-9              1.2 x 10^-2
RCV 191 PO switch open                                             1.3 x 10^-9              1.2 x 10^-2
Failure to open of regulating valve 272 VP on CVCS charging line   1.1 x 10^-9              1.0 x 10^-2
TOTAL                                                              1.8 x 10^-7              1.7

*: the annual core damage frequency for a 1300 MWe P4 unit is about 1.08 x 10^-5

Table 2 - Ranking of the contributions of component failures (CVCS of the 1300 MW(e) units)

(3) RBMS: Reactor Boron and Water Makeup System

Ranking the component failures or unavailabilities according to their cause reveals that the main contributors to the CVCS-induced core damage frequency are padlocking operations connected to corrective and preventive maintenance (70%), human errors during maintenance (18%) and component failures (only 8%). By assessing the respective contributions, the failures of the different components can be ranked in order of importance and compared with the other unavailability causes.

4.3. What is Proposed

Maintenance reinforcement has two opposite effects: the component failure rate decreases, but its unavailability as well as the risk of inadequate configuration increase. Reinforced preventive maintenance is therefore justified only for those components which are really critical for the unit safety, for availability or for corrective maintenance, that is:

- Critical safety-related components: the contribution of the component failure to the core damage risk and to the fission product release to the environment is much larger than the contribution of inadequate configuration and of unavailability for preventive maintenance.

- Critical availability-related components: the energy unavailable due to corrective maintenance is much larger than the energy unavailable due to preventive maintenance.

- Components really critical for corrective maintenance: the cost of corrective maintenance is higher than the cost of preventive maintenance.

For these last two categories, the probability of a forced outage or of corrective maintenance is taken into account. Moreover, preventive maintenance should be performed on wear-prone parts in the safety-related and availability-related components.

However, preventive maintenance should be avoided for the other component categories, because it could be detrimental to the unit safety or availability and would unduly increase its cost.
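A worked example, added here and not taken from the note: the two opposite effects of maintenance reinforcement described in sections 4.1 and 4.3, written out for one standby safety component as a function of its preventive maintenance interval. The average unavailability is split into the three terms the note lists (component reliability, maintenance-related unavailability, inadequate configuration after an intervention); the interval that minimises their sum is searched, and the note's first criterion (failure contribution much larger than the maintenance-induced contributions) is applied at component level. The functional forms (a failure rate growing linearly with the time since maintenance, the λT/2 standby approximation, a misconfiguration revealed by the next surveillance test) and all parameter values are assumptions for illustration, and the factor of 3 standing for "much larger" is an assumed reading of the criterion.

```python
"""Added worked example (not from the EDF note): the two opposite effects of
maintenance reinforcement of section 4. For a standby safety component the
average unavailability is split into the three terms the note lists
(component reliability, maintenance-related unavailability, inadequate
configuration after maintenance) as a function of the preventive-maintenance
interval T, and the interval minimising the total is searched.
Every functional form and number below is an assumption for illustration."""

HOURS_PER_YEAR = 8760.0

# Constructed parameters for one standby component (e.g. an AFS pump train).
LAMBDA0 = 1.0e-5   # /h, standby failure rate right after maintenance
T_WEAR = 8760.0    # h, scale of the assumed linear increase of the failure rate
D_MAINT = 24.0     # h, duration of one intervention (train padlocked)
P_HUMAN = 1.0e-2   # probability of leaving the component misconfigured
TAU_TEST = 730.0   # h, surveillance test interval revealing a misconfiguration


def failure_rate(interval_h):
    """Assumed: the standby failure rate grows linearly with the time since
    the last preventive maintenance, so a longer interval means a higher rate."""
    return LAMBDA0 * (1.0 + interval_h / T_WEAR)


def unavailability_terms(interval_h):
    """The three terms of the note, as average fractions of time:
    - reliability: standby failures, lambda*T/2 for periodic maintenance at
      interval T (standard approximation, valid while lambda*T stays small);
    - maintenance: fraction of time the train is padlocked, d/T;
    - misconfig: a misconfiguration left after an intervention is assumed to
      stay undetected for half a surveillance interval on average."""
    t = float(interval_h)
    return {
        "reliability": failure_rate(t) * t / 2.0,
        "maintenance": D_MAINT / t,
        "misconfig": P_HUMAN * (TAU_TEST / 2.0) / t,
    }


def total_unavailability(interval_h):
    return sum(unavailability_terms(interval_h).values())


def best_interval(candidates_h):
    """Candidate interval that minimises the total unavailability."""
    return min(candidates_h, key=total_unavailability)


def reinforcement_justified(interval_h, ratio=3.0):
    """The note's first criterion at component level (assumed reading): more
    preventive maintenance is worth considering only if the failure term
    dominates the two maintenance-induced terms by a clear factor."""
    terms = unavailability_terms(interval_h)
    induced = terms["maintenance"] + terms["misconfig"]
    return terms["reliability"] > ratio * induced


if __name__ == "__main__":
    grid = [d * 24.0 for d in range(7, 366, 7)]   # weekly to yearly intervals
    best = best_interval(grid)
    for t in (7 * 24.0, best, 365 * 24.0):
        terms = unavailability_terms(t)
        print(f"T = {t / 24:5.0f} d  U = {sum(terms.values()):.3e}  "
              + "  ".join(f"{k}={v:.2e}" for k, v in terms.items())
              + f"  reinforce={reinforcement_justified(t)}")
```

Very short intervals are dominated by padlocking time and by configuration errors, very long ones by standby failures; at the minimum the two sides are of the same order, which is why reinforcing maintenance further is only justified when the failure term clearly dominates, as the note states for critical safety-related components.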

5. And in the Absence of Probabilistic Studies?

5.1. The Present Situation

The two Probabilistic Safety Assessments carried out in France on PWRs determine the core damage frequency for all plant operating conditions, ranging from cold shutdown for refuelling to full power operation. No level 2 PSA has as yet been performed in France; such a probabilistic model could be used to assess the frequency of the different fission product release levels to the environment. Neither is there an overall quantitative generation model. The development of such a model is complex. Indeed the model must take account of numerous parameters of the unit operation (maintenance-related unavailability, human errors, time to safe shutdown conditions, frequency of function performance requests, unavailability cost) and of the equipment maintenance (repair conditions and time, types of maintenance operations, maintenance costs). Some of these parameters are not yet accessible for several reasons:

(1) the assessment of the efficiency of a task on the reliability parameters of a component is most of the time qualitative (for instance, sticking can be successfully dealt with by intensifying lubrication) and not quantitative;

(2) the maintenance costs vary according to numerous parameters (dose rate, etc.);

(3) preventive maintenance consists in many tasks for a given component (inspection/control, in-service monitoring, systematic replacement, etc.);

(4) the losses of production cannot be easily assessed because they vary according to when in the year they occur.

5.2. The Ideal Solution

This ideal solution would be provided by a set of models enabling us to determine "right on the spot" the impact of a maintenance operation on the safety and availability level of the facility as well as on the maintenance costs, so that the selection of the preventive maintenance tasks could be optimized. The set would consist of three quantitative models:

a) Two safety-related quantitative models (one modelling core damage, the other the releases to the atmosphere). They would be used to draw up a qualitative list of the failure modes of PSA components having or likely to have an impact on core damage (first list) and on the fission product releases to the environment (second list). The components belonging to at least one of these lists would be safety-related components. By assessing the contributions of the failure modes and by setting thresholds (annual core damage frequency, frequencies of the different radioactive product releases) on the one hand, and by performing sensitivity calculations on the other, the failure modes of the PSA components could be subdivided into three categories: (1) critical safety-related, (2) safety-related and (3) non-safety-related.

b) An overall quantitative generation model. To develop such a model, one must have access to as yet inaccessible parameters (see paragraph 5.1 above). With this model we could identify the components for which the cost of corrective maintenance and of production loss would be higher than the cost of preventive maintenance. This model would be used to minimize the sum of the costs (loss of production, corrective maintenance, preventive maintenance).

6. Conclusion

In conclusion, in order to assess risk properly, maintenance should be taken into account in the Probabilistic Safety Assessments. PSAs and probabilistic unavailability studies are a requisite to truly optimize maintenance.


REFERENCES

[1] J.-M. de Guio, G. Zwingelstein, "Incorporation of feedback of experience in Probabilistic Safety Assessments and for the development of a decision tool for maintenance", IAEA-SM-321/40.

[2] J.P. Jacquot, J. Dewailly, P. Legaud, L. Piepszownik, "Presentation of the development of the RCM methodology in nuclear plants", Eurodata Meeting, Chamonix, October 4-5, 1990.

[3] J.P. Jacquot, P. Legaud, G. Zwingelstein, "Development of the RCM methodology for the EDF nuclear plants: a pilot application to the CVCS system", IAEA Technical Committee Meeting on "Safety-Related Maintenance in the Framework of the Reliability-Centered Maintenance Concept", Vienna, 27-30 May 1991.

[4] J.P. Jacquot, J.L. Bouchet, A. Despujols, J. Dewailly and C. Martin-Mattei (EDF/DER, France), "Development of RCM methodology and tools for EDF nuclear power plants", European Safety and Reliability Conference '92, Copenhagen, 10-12 June 1992.