By Peng Yongsen, Liu Zhengie, Wang Junmin, Liu Chao and Fan Lewang
【Abstract】 Based on a study of relevant regulations, standards and good practices at home and abroad, this paper discusses the types of common cause failures and the typical countermeasures against them, and summarizes the common cause failure analysis method, process and countermeasures for HVAC systems in nuclear power plants.
【Keywords】 nuclear power plant, HVAC system, common cause failure, diversity, failure analysis
* China Nuclear Power Design Company Ltd. (Shenzhen), Shenzhen, Guangdong Province, China
① Functional dependency: a common cause arising from shared or common functional features, such as a shared power supply, a shared cooling water system or a shared process fluid.
② Spatial dependency: a common cause arising from physical characteristics shared by components in the same space, such as the same radiation or chemical conditions, the same environment and the same supporting structure.
③ Inherent dependency: a common cause arising from identical technical characteristics, such as adopting the same operating principle or technology and having the same failure mode (for example, mechanical overload or overpressure).
④ Human factor dependency: a common cause related to human error, arising from human error in shared or identical personnel activities, such as human error in design or manufacture, or operator error during operation and maintenance.
5) NUREG/CR-7007 gives the main countermeasures against common cause failure:
① Diversification: adopting different operating conditions, different working principles, different design teams, equipment of different sizes, different manufacturers, different components, and equipment based on different physical principles.
② Physical separation: geometric separation or barrier separation (for example, separation by distance and orientation, or by barriers).
③ Functional isolation: measures such as effective isolation and electrical isolation between the safety system and the non-safety system.
Combining the requirements of the above documents, the typical common cause failure types of nuclear power plants and their countermeasures are summarized in Table 1.
Table 1 Typical common cause failure types and countermeasures
| Dependency type | Countermeasure |
|---|---|
| Functional dependency | Functional isolation: effective isolation between safety and non-safety systems, electrical isolation and similar measures are adopted to prevent common cause risk from sharing between safety functions, and between safety functions and non-safety functions |
| Spatial dependency | Physical separation: geometric separation or barrier separation (such as distance and orientation) is used to prevent an initiating event or secondary event from disabling multiple systems or multiple parts of one system |
| Inherent dependency, human factor dependency | Diversified design: two or more components or systems are set up to perform a given function, and these components or systems are given different attributes so as to reduce the possibility of common cause failure |
Fig. 1 Overall process of common cause fault analysis of HVAC system
For different types of common cause faults in HVAC systems, targeted identification methods should be adopted. For common cause faults of the inherent dependency and human factor dependency classes, safety analysis methods are generally used to identify common cause risks in HVAC system design. For functional dependency, the common cause risk points of the support systems are found through failure analysis of the HVAC system's support systems. For spatial dependency, common cause risk points are identified through hazard analysis.
2.1.1 Identification of Common Cause Risk of HVAC System
As part of the nuclear power plant support systems, the HVAC system provides ventilation and cooling for the plant's front-line process systems and for other support systems (such as electrical and instrumentation and control cabinets). Failure of the HVAC system may lead to common cause failure of the plant's safety functions, with potentially serious consequences, in particular the failure of the plant's defense-in-depth caused by the HVAC system. Weaknesses in HVAC system design can be identified through nuclear power plant safety analysis, such as failure consequence analysis and initiating event analysis, and avoided through diversified design of the HVAC system. The methods for identifying the risks are as follows:
1) Through accident analysis of the nuclear power plant, following the principle that safety systems dealing with high-frequency accidents must adopt diversified design, take the high-frequency events as the main line and analyze whether their support system (the HVAC system) is diversified. Table 2 gives an example of small break accident analysis in a nuclear power plant. Note that the indirect consequences of HVAC system failure also need to be analyzed: in the case above, if the ambient temperature of distribution cabinets E1 and E2, or of control cabinets I1 and I2, is controlled by the same HVAC system or by two HVAC systems with a common cause risk, a common cause failure of the HVAC systems may indirectly lead to failure of both the medium-pressure and the low-pressure safety injection systems, so the failure analysis must be comprehensive.
Table 2 Example of small break accident analysis
| Main line of defense | Support system of main line of defense | Diversified line of defense | Support system of diversified line of defense | Common cause risk analysis of HVAC |
|---|---|---|---|---|
| Medium-pressure safety injection system | Distribution cabinet E1, control cabinet I1, HVAC system A | Low-pressure safety injection system | Distribution cabinet E2, control cabinet I2, HVAC system A | HVAC system A serves both the medium-pressure and the low-pressure safety injection systems, and its failure will lead to over-temperature of the rooms of both systems and thus to their simultaneous failure. The safety analysis result is unacceptable, so diversification of the HVAC systems must be considered. |
2) Through initiating event analysis of the support system, find the initiating events caused by failure of the HVAC system. If there is no effective means to mitigate an initiating event, diversified improvement of the relevant part of the HVAC system must be considered to prevent the event from occurring. Through the above two methods, the HVAC systems that need diversified design can be found, this part of the system can then be analyzed further, and a reasonable improvement plan can be made.
The support systems of the HVAC system mainly include the cooling water system, the electrical system and the instrumentation and control system. Their failure may lead to the failure of several HVAC systems, so special attention should be paid to the consequences of their failure. Through analysis of the failure consequences of the support systems, the risk of common cause failure of the HVAC system caused by support system failure is identified. Combined with the analysis results of Section 2.1.1, the support system failure modes that cause failure of HVAC systems with diversification requirements are identified, and improvement measures are then formulated accordingly. Common cause failure of the control and electrical systems of a nuclear power plant can be analyzed with reference to NUREG/CR-7007.
Through the analysis of internal and external hazards, this paper studies the spatial dependency of HVAC systems, analyzes the possibility and consequences of simultaneous failure of multiple redundant HVAC systems caused by internal and external hazards, and identifies the common cause failure risk points of HVAC systems caused by such hazards.
According to the identified common cause risk points of the HVAC system, sort out all potential improvement schemes, evaluate the safety benefit and engineering cost of each scheme item by item, and determine the final scheme in combination with factors such as feasibility and technical maturity. For common cause risk points of the HVAC system itself, diversification is the main means of improvement; Chapter 3 elaborates the process and methods in detail. For common cause risk points of the HVAC support systems, diversification of the support system is the main means of improvement; this is outside the scope of HVAC system design, so the achievements in the related fields can be referred to and it is not discussed in this paper. For common cause risk points caused by hazards, improvement is mainly achieved by optimizing the layout and raising the qualification requirements of HVAC equipment.
After the improvement scheme is determined, an impact analysis of the scheme is required to determine the scope of the impact and whether the improvement can be implemented; once the scheme is confirmed to be executable, it is implemented. If the improvement scheme turns out not to be implementable, the scheme must be determined anew.
3.1 HVAC system diversification strategy formulation
There are two main types of strategy for HVAC diversification: design diversification and equipment diversification.
1) Design diversification: mainly refers to realizing the function by different principles, such as designing one air-conditioning system with active cooling and one with passive cooling, the two systems backing each other up. This strategy gives the HVAC system natural diversity, but it is difficult to achieve in current nuclear power projects. Note that even when the system designs differ greatly, if the same type of equipment is used, the degree of equipment diversity still needs to be evaluated.
2) Equipment diversification: equipment from different manufacturers, with different components, different physical principles and different sizes is adopted to realize diversified design. This strategy does not require major changes to the system design and is relatively easy to implement; it is also the diversification strategy commonly adopted in international nuclear power engineering at present. This paper therefore focuses on the equipment diversification strategy.
3.2 Introduction to Equipment Diversification Strategy
For HVAC systems with diversification needs, not all equipment in the system needs to be diversified. If a piece of equipment is reliable enough, or its failure will not lead to loss of the system safety function, it may be left undiversified. Therefore it is necessary to accurately identify the equipment and components that need diversified design, and to take reasonable and feasible improvement measures so that the benefit-cost ratio of the improvement stays within a reasonable range. Fig. 2 shows the diversification analysis flow for HVAC equipment; each step is introduced in detail below.
3.2.1 Identify the equipment that needs diversification
Generally, equipment that needs diversification can be identified through failure mode, effects and criticality analysis (FMECA). FMECA analyzes all possible failure modes of the equipment in the system, determines the effect of each failure mode on the system function, and determines its criticality according to the severity of the failure mode and its probability of occurrence. FMECA consists of failure mode and effects analysis (FMEA) and criticality analysis (CA). Engineers can carry out the analysis according to BS 60812-2018[6], list every failure mode of each component and perform criticality analysis on it to find the key failure modes that need attention. Two aspects are considered when evaluating how much attention an equipment failure mode needs:
1) Possibility.
Ideally, the possibility and probability of a failure mode are estimated from statistical data on that failure mode. According to BS 60812-2018[6], it is very important to consider the boundary conditions (applied environment, machinery and/or stress) of each component that affect the probability of failure. For statistics on equipment failures, refer to the Equipment Reliability Data Report of China Nuclear Power Plants (2015 Edition) and NUREG/CR-6928[8]; the failure probabilities of typical HVAC equipment are shown in Table 3.
Table 3 Failure probability of typical HVAC equipment
| Equipment | Failure mode | Failure probability | Source |
|---|---|---|---|
| Water chilling unit | Startup failure | 9.21×10^-3 /demand (normal operation mode is operation) | NUREG |
| Water chilling unit | Startup failure | 2.45×10^-5 /demand (normal operation mode is standby) | NUREG |
| Water chilling unit | Startup failure | 3.06×10^-3 /demand | China nuclear power plant data |
| Water chilling unit | Operation failure | 6.93×10^-5 /demand (normal operation mode is operation) | NUREG |
| Water chilling unit | Operation failure | 2.20×10^-4 /demand (normal operation mode is standby) | NUREG |
| Water chilling unit | Operation failure | 1.62×10^-6 /demand | China nuclear power plant data |
| Electric water valve | Opening or closing failure | 8.22×10^-4 /demand | NUREG |
| Electric water valve | Opening or closing failure | 5.03×10^-4 /demand (open failure) | China nuclear power plant data |
| Electric water valve | Opening or closing failure | 2.36×10^-4 /demand (close failure) | China nuclear power plant data |
| Electric water valve | Malfunction | 3.24×10^-8 /h | NUREG |
| Electric water valve | Malfunction | 4.45×10^-8 /h | China nuclear power plant data |
| Water pump | Startup failure | 7.94×10^-4 /demand | NUREG |
| Water pump | Startup failure | 2.02×10^-4 /demand | China nuclear power plant data |
| Water pump | Operation failure | 3.79×10^-6 /h | NUREG |
| Water pump | Operation failure | 3.48×10^-6 /h | China nuclear power plant data |
| Fan | Startup failure | 5.43×10^-4 /demand (normal operation mode is operation) | NUREG |
| Fan | Startup failure | 6.52×10^-4 /demand (normal operation mode is standby) | NUREG |
| Fan | Startup failure | 1.62×10^-4 /demand | China nuclear power plant data |
| Fan | Operation failure | 4.41×10^-6 /demand (normal operation mode is operation) | NUREG |
| Fan | Operation failure | 3.77×10^-4 /demand (normal operation mode is standby, running time less than 1 h) | NUREG |
| Fan | Operation failure | 1.99×10^-4 /demand (normal operation mode is standby, running time less than 1 h) | NUREG |
| Fan | Operation failure | 1.86×10^-6 /h | China nuclear power plant data |
| Electric air valve | Opening or closing failure | 2.26×10^-4 /demand | NUREG |
| Electric air valve | Misoperation | 2.92×10^-8 /h | NUREG |
| Check valve | Opening failure | 9.24×10^-6 /demand | NUREG |
| Check valve | Opening failure | 1.76×10^-5 /demand | China nuclear power plant data |
| Safety valve | Opening failure | 2.42×10^-3 /demand | NUREG |
| Safety valve | Opening failure | 2.47×10^-3 /demand | China nuclear power plant data |
| Safety valve | Closing failure | 8.86×10^-4 /demand | NUREG |
| Safety valve | Closing failure | 6.67×10^-5 /demand | China nuclear power plant data |
2) Severity.
Analyze the consequences of the failure mode, that is, the degree to which it affects the safety function. If failure of the equipment or component causes complete loss of the system safety function, the severity is high; if the safety function is degraded, the severity is medium; if the safety function is not affected, the severity is low. Each failure mode of the HVAC equipment is assessed for criticality from these two aspects, possibility and severity, and screened using Table 4; the failure modes of high criticality (the cells reading "Further analysis and improvement are needed" in the table) require further diversification improvement analysis.
Table 4 Criticality screening of failure modes
| Probability | Description | Severity: Low (safety functions are not affected) | Severity: Middle (safety function degradation) | Severity: High (loss of safety function) |
|---|---|---|---|---|
| High | The common cause occurs frequently and is the leading factor in system failure | There is no need for diversification | May not need diversification; engineering judgment is needed for further analysis | Further analysis and improvement are needed |
| Middle | The common cause occurs at an average frequency and is not the leading factor in system failure | There is no need for diversification | There is no need for diversification | Further analysis and improvement are needed |
| Low | There is no relevant common cause fault record, and it has almost no effect on system failure | There is no need for diversification, and no need to pay special attention to the usability and maintainability of the conventional design | There is no need for diversification | Usually there is no need for further analysis and improvement, but a detailed explanation is needed |
Combining relevant engineering experience at home and abroad with FMECA of typical HVAC systems, the equipment in HVAC systems with high failure probability and criticality, and their main failure modes, are shown in Table 5.
Table 5 Failure modes of HVAC equipment
| Equipment | Main failure mode |
|---|---|
| Water pump | Motor drive system failure |
| Electric water valve | Actuator failure, transmission system failure |
| Refrigeration unit | Compressor failure, motor failure, control system failure, refrigerant leakage |
| Fan | Motor and transmission system faults |
| Electric air valve | Actuator failure, transmission system failure |
| Air handling unit | Fan failure |
3.2.2 Evaluation of Equipment Diversification Improvement Scheme
After the HVAC equipment that needs diversification improvement has been found, the diversification improvement scheme is determined according to the failure modes of high criticality, and the scheme is evaluated to find one that effectively improves the degree of diversity, mainly by means of probabilistic safety analysis and deterministic analysis.
1) Probabilistic safety analysis (PSA)
PSA is used to determine the importance of components in terms of the overall common cause failure of the system and its influence on core damage or radioactive release. For equipment that needs further analysis, PSA modeling is carried out through the following steps.
① Model each type of equipment with high criticality in the different common cause failure groups.
② Analyze the influence of increased redundancy, to consider whether extra redundancy is needed as part of coping with common cause faults.
③ Rank the equipment failures by importance and consider the overall risk level, to support the subsequent judgment.
After the PSA analysis and modeling is completed, the risk and benefit can be evaluated using Table 6.
Table 6 Classification of PSA risk and benefit
| Risk and benefit | Description |
|---|---|
| High | Common cause failure of the system is the main risk and the leading factor in core damage or radioactive release. Equipment diversification can greatly reduce the failure probability of the whole system. |
| Middle | System common cause failure is of medium risk and equipment diversification contributes substantially to reducing it; or system common cause failure is of high risk and equipment diversification can moderately reduce the system failure probability. |
| Low | The risk of system common cause failure is low; or the common cause failure is of medium or high risk, but equipment diversification has little influence on the failure probability of the system. |
| Criterion | Score 1 | Score 2 | Score 3 | Score 4 |
|---|---|---|---|---|
| Design diversity | Same technology | The technology is the same, but some components are different | There are significant technical differences | The technology is completely different |
| Equipment diversity | Same manufacturer, same model | Same manufacturer, different models | Different manufacturers (or different technologies of the same manufacturer), but the parts/sub-suppliers may be the same | Different manufacturers (or different technologies of the same manufacturer), most parts adopt different technologies, or the whole supply chain is different |
| Life cycle diversity | Same design team and operation and maintenance team | Because the manufacturer is the same, the design team and the operation and maintenance team may be different, but this is not mandatory | Due to differences in manufacturers, the design teams are likely to be different, and maintenance may be similar or different | Due to different manufacturers and technologies, the design and maintenance teams are likely to be different |

| Item | Improvement scheme 1: diversification of suppliers (description) | Score | Improvement scheme 2: technology diversification (description) | Score |
|---|---|---|---|---|
| Evaluation criteria of diversification degree | | | | |
| Design diversification | Direct-drive fans are used in both, but the motor voltages can differ. FMEA shows that motor failure is the main failure cause, so even adopting different fan types would not solve this problem | 2 | Different types of fan are used, such as a direct-drive fan and a belt-driven fan | 3 |
| Equipment diversification | Diversified because of the different suppliers. However, key sub-components may come from the same secondary supplier, which needs to be avoided through proper management | 3 | Because of the different principles, different parts may be used, but some parts may be completely | 3 |
| Life cycle diversification | Because of the different suppliers, the design is completed by different teams. However, maintenance and commissioning may be carried out by the same team | 3 | Because of the different principles, the design, maintenance and commissioning procedures may differ and be carried out by different teams | 4 |
| Comprehensive score | | 2.85 | | 3.4 |
| PSA analysis | Common cause failure of the fan is the leading factor in common cause failure of the HVAC system | | | |
| Engineering experience consideration | The failure rate of belt-driven fans is higher, and their reliability is worse than that of direct-drive fans | | | |
| Assessment result | The scores of the two schemes (different suppliers versus different principles) are close, and motors with different voltages can be used in both. In addition, the difference in operating conditions can reduce the probability of partial common cause, so both schemes can reduce the common cause failure of the fans to a reasonable and feasible level. Scheme selection should be combined with engineering realization, cost and other factors | | | |
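The two screening steps described in Sections 3.2.1 and 3.2.2 (the Table 4 criticality matrix and the weighted diversity score of the criteria table) are combined below as an added example; this is not code from the paper. The paper does not state the weights behind its comprehensive scores, so the weights used here (0.15 design, 0.45 equipment, 0.40 life cycle) are an assumption: they are the unique weights summing to 1 that reproduce both published totals, 2.85 and 3.4.

```python
# Table 4 screening matrix: (probability level, severity level) -> decision.
SCREENING = {
    ("high", "low"): "no diversification needed",
    ("high", "middle"): "may not need diversification; engineering judgment required",
    ("high", "high"): "further analysis and improvement needed",
    ("middle", "low"): "no diversification needed",
    ("middle", "middle"): "no diversification needed",
    ("middle", "high"): "further analysis and improvement needed",
    ("low", "low"): "no diversification needed",
    ("low", "middle"): "no diversification needed",
    ("low", "high"): "usually no further analysis, but a detailed explanation is needed",
}
HIGH_CRITICALITY = "further analysis and improvement needed"


def screen_failure_mode(probability: str, severity: str) -> str:
    """Apply the Table 4 matrix; rejects levels that are not in the table."""
    key = (probability.lower(), severity.lower())
    if key not in SCREENING:
        raise ValueError(f"unknown probability/severity level: {key}")
    return SCREENING[key]


def needs_diversification(probability: str, severity: str) -> bool:
    """True only for the high-criticality cells of Table 4."""
    return screen_failure_mode(probability, severity) == HIGH_CRITICALITY


# ASSUMPTION: weights are not given in the paper; these are the unique weights
# summing to 1 that reproduce the published totals 2.85 (2,3,3) and 3.4 (3,3,4).
WEIGHTS = {"design": 0.15, "equipment": 0.45, "life_cycle": 0.40}


def diversity_score(scores: dict) -> float:
    """Weighted comprehensive score on the 1..4 scale of the criteria table."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("scores must cover exactly: " + ", ".join(WEIGHTS))
    for criterion, value in scores.items():
        if not 1 <= value <= 4:
            raise ValueError(f"{criterion} score {value} is outside the 1..4 scale")
    return round(sum(WEIGHTS[c] * scores[c] for c in WEIGHTS), 2)


def rank_schemes(schemes: dict) -> list:
    """Return (scheme name, score) pairs, highest diversity first."""
    ranked = [(name, diversity_score(s)) for name, s in schemes.items()]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    # Fan example from the evaluation table above (scores taken from the paper).
    fan_schemes = {
        "scheme 1: supplier diversification": {"design": 2, "equipment": 3, "life_cycle": 3},
        "scheme 2: technology diversification": {"design": 3, "equipment": 3, "life_cycle": 4},
    }
    for name, score in rank_schemes(fan_schemes):
        print(f"{name}: {score}")
    # Fan motor failure: high probability, loss of safety function -> high criticality.
    print(screen_failure_mode("high", "high"))
```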