UNIVERSITY OF LJUBLJANA
FACULTY OF MATHEMATICS AND PHYSICS

Mag. Andrija Volkanovski

Impact of offsite power system reliability on nuclear power plant safety

Doctoral thesis

ADVISER: prof. dr. Borut Mavko
CO-ADVISER: doc. dr. Marko Čepin

Ljubljana, 2008

(Slovenian title page) UNIVERSITY OF LJUBLJANA, FACULTY OF MATHEMATICS AND PHYSICS. Mag. Andrija Volkanovski. Impact of offsite power system reliability on nuclear power plant safety. Doctoral thesis. ADVISER: prof. dr. Borut Mavko. CO-ADVISER: doc. dr. Marko Čepin. Ljubljana, 2008.

"Unlike the fairy tale Rumplestiltskin, do not think that by having named the devil that you have destroyed him. Positive verification of his demise is required."
System Safety Handbook for the Acquisition Manager, U.S. Air Force

Acknowledgements

To the Ministry of Higher Education, Science and Technology, Republic of Slovenia (contract number 1000-05-310016), and the Reactor Engineering Division of the Jožef Stefan Institute for the financial support provided.

To my mentor prof. dr. Borut Mavko for accepting the responsibility of mentorship and guiding me as a young researcher, honoring me with the opportunity to work with an internationally recognized expert and researcher of his rank.

To my co-mentor and research adviser doc. dr. Marko Čepin, for his support, guidelines, the always open door of his office, thousands of e-mails, reviews, comments and discussions, and for teaching me to do things right and, even more importantly, to do the right things. I am especially thankful for his supportive words in the times when I needed them most. Marko, thank you.

To all colleagues from the Reactor Engineering Division.

To the Republic of Slovenia and all its citizens for accepting and supporting me and my family.

To my Parents.

To my son Aleksandar for reminding me what matters most in life.

To my wife Sanja, for always being there as my partner.
Impact of offsite power system reliability on nuclear power plant safety

Keywords:
- Loss of offsite power
- Core damage frequency
- Fault tree
- Power flow method
- Power system reliability
- Nuclear safety

Abstract:

Nuclear power plant (NPP) safety and power system reliability are mutually interdependent. The safe operation of the nuclear power plant delivers a large amount of electrical energy to the power system and contributes to its stable operation. On the other side, the power system delivers electrical energy to the house load of the nuclear power plant, which is especially important during the shutdown and the startup of the plant. The loss of offsite power (LOOP) initiating event occurs when all electrical power to the plant from external sources is lost. Although the NPP is equipped with emergency diesel generators for such a case, the safety of the plant is decreased at the loss of offsite power. This is confirmed by the results of probabilistic safety assessment, which show that the scenarios connected with the loss of offsite power contribute several tens of percent of the overall risk. The current methodologies for the estimation of the LOOP initiating event frequency are general and do not account for the actual state and the specifics of the power system. A new method for the estimation of the LOOP initiating event frequency is developed. The method combines the linear network flow method with fault tree analysis. A computer program of 4622 lines of code supporting this method has been written. The developed method accounts for power flows through interconnections, voltages of the substations and local weather conditions. The viable pathways of power delivery to the house load of the NPP are identified and the consequent fault tree is built. Consequent fault trees are built for the other loads in the system.
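The pathway-to-fault-tree step described above, as an added Python illustration that is not the thesis's own program: on a constructed four-substation network it enumerates the delivery paths to the NPP house load, derives the minimal cut sets and the unreliability of delivery, and computes the RAW and RRW importance measures. The network, the failure probabilities and the omission of the load-flow overload and voltage tests are assumptions of the example.

```python
"""Added illustration (not the thesis's own code or data) of the abstract's idea:
enumerate power delivery paths, treat each as an AND of components, the load as an
OR of paths, and analyse the resulting fault tree.  The load-flow overload and
voltage tests of the thesis are omitted here: every simple path is accepted."""
from itertools import combinations

# Constructed example network: substations 1-4, generators at 1 and 3,
# NPP house load at substation 4. Lines are given as (end_a, end_b).
GENERATORS = {"G1": 1, "G3": 3}
LINES = {"L12": (1, 2), "L23": (2, 3), "L24": (2, 4), "L34": (3, 4)}
LOAD_BUS = 4

# Assumed failure probabilities on demand (constructed, not thesis values).
FAILURE_PROB = {
    "G1": 0.05, "G3": 0.05,
    "L12": 0.01, "L23": 0.01, "L24": 0.01, "L34": 0.01,
    "S1": 0.001, "S2": 0.001, "S3": 0.001, "S4": 0.001,
}


def delivery_paths():
    """Enumerate simple paths generator -> load bus.  Each path is the set of
    components (generator, lines, substations) that must all work (AND gate)."""
    adjacency = {}
    for name, (a, b) in LINES.items():
        adjacency.setdefault(a, []).append((name, b))
        adjacency.setdefault(b, []).append((name, a))
    paths = []

    def walk(bus, visited, comps):
        if bus == LOAD_BUS:
            paths.append(frozenset(comps))
            return
        for line, nxt in adjacency.get(bus, []):
            if nxt not in visited:
                walk(nxt, visited | {nxt}, comps | {line, f"S{nxt}"})

    for gen, bus in GENERATORS.items():
        walk(bus, {bus}, {gen, f"S{bus}"})
    return paths


def delivery_fails(failed, paths):
    """Top event (the OR of paths negated): every path has a failed component."""
    return all(path & failed for path in paths)


def minimal_cut_sets(paths):
    """Brute-force MCS: smallest sets of failed components cutting every path.
    Sizes are scanned upward, so any candidate containing a known MCS is skipped."""
    comps = sorted(set().union(*paths))
    mcs = []
    for size in range(1, len(comps) + 1):
        for combo in combinations(comps, size):
            cand = frozenset(combo)
            if any(m <= cand for m in mcs):
                continue
            if delivery_fails(cand, paths):
                mcs.append(cand)
    return mcs


def unreliability(paths, probs):
    """Exact top-event probability, summing over all 2^n independent
    component states; fine for the handful of components here."""
    comps = sorted(set().union(*paths))
    total = 0.0
    for size in range(len(comps) + 1):
        for combo in combinations(comps, size):
            failed = frozenset(combo)
            p = 1.0
            for c in comps:
                p *= probs[c] if c in failed else 1.0 - probs[c]
            if delivery_fails(failed, paths):
                total += p
    return total


def importance_measures(paths, probs):
    """RAW = Q(c failed) / Q and RRW = Q / Q(c perfect) for each component."""
    q = unreliability(paths, probs)
    return {
        c: (unreliability(paths, {**probs, c: 1.0}) / q,
            q / unreliability(paths, {**probs, c: 0.0}))
        for c in probs
    }


if __name__ == "__main__":
    paths = delivery_paths()
    for m in sorted(minimal_cut_sets(paths), key=lambda s: (len(s), sorted(s))):
        print("MCS:", sorted(m))
    print("Unreliability of delivery to NPP house load:",
          unreliability(paths, FAILURE_PROB))
    for c, (raw, rrw) in sorted(importance_measures(paths, FAILURE_PROB).items()):
        print(f"{c}: RAW={raw:.2f} RRW={rrw:.3f}")
```

The single-component cut set (the load substation itself) and the large RAW it receives show why substation-level modeling matters for the NPP house load.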
The following results are obtained from the quantitative and qualitative analysis of the constructed fault tree: the minimal cut sets, which are combinations of component failures resulting in a failure of the power delivery to the house load of the NPP, the weighted power system reliability, and the importance measures of the components and of groups of components of the power system. The importance measures identify the most important elements of the power system from the aspect of nuclear safety. The frequency of the LOOP initiating event is assessed based on the unreliability of the power delivery to the house load of the NPP. The impact of changes in the power system on the safety of the NPP is evaluated. The verification of the developed method was performed on small examples. The applicability of the method to real power systems is validated on a large standard reliability test system. The method is applied to the simplified Slovenian power system. The reliability of the Slovenian power system and the impact of selected changes in the power system on the safety of the NPP are evaluated. The importance of the NPP Krško for the reliable operation of the Slovenian power system is verified. Installation of a new diesel generator for providing emergency electrical power would improve safety. Installation of the new line Krško-Beričevo is identified as a means of improving safety and as a prerequisite for an additional nuclear power plant at the Krško site.

PACS: 28.50.Hw, 28.41.Ak, 28.41.Te, 84.32.Dd, 84.37.+q, 84.70.+p, 84.32.-y

Impact of offsite power system reliability on nuclear power plant safety (Slovenian abstract)

Keywords:
- Loss of offsite power
- Core damage frequency
- Fault tree
- Power flow method
- Power system reliability
- Nuclear safety

Abstract:

The safety of nuclear power plants and the reliability of the power system are mutually interdependent.
Safe operation of the nuclear power plant delivers large amounts of electrical energy to the power system and, as a strong source, contributes to its quality. On the other hand, the power system supplies electrical energy for the house load of the nuclear power plant, which is especially important during its shutdown and startup. The loss of offsite power initiating event is an undesired event that occurs when the nuclear power plant loses all sources of external electrical power. Although the plant is equipped with diesel generators that start in such a case, the safety of the plant is degraded during this event. This is also shown by the results of probabilistic safety analyses, in which the loss of offsite power contributes several tens of percent of the total risk indicators. Current methods for estimating the loss of offsite power frequency are general and do not take into account the actual state of the power network and its specific characteristics. Therefore a new method for estimating the frequency of the loss of offsite power initiating event was developed. The method combines a linear power flow model with fault tree analysis. A dedicated computer program of 4622 lines was written to implement the method. Within the method, the power flows between nodes representing substations and the voltages in them are taken into account. Normal conditions as well as operation with one transmission line failed are considered. Local weather conditions are taken into account. Possible paths for delivering electrical energy to consumers, including the house load of the nuclear power plant, are identified. A corresponding fault tree is developed for each consumer separately.
The results of the qualitative and quantitative analysis of the fault tree are the following: the minimal cut sets, which represent combinations of component failures that can cause system failure and in this specific case mean the loss of external power supply to the house load of the nuclear power plant; the reliability of the power system; and the importance measures of components and groups of components of the system. The importance measures identify the most important components of the system from the standpoint of nuclear safety. The frequency of the loss of offsite power initiating event is estimated on the basis of the unreliability of the power system in supplying the house load of the nuclear power plant. The impact of changes in the power system on the safety of the nuclear power plant is studied. The method was verified on small examples. It was tested on a large standard power system example. It is applied to the Slovenian power system. The results show the reliability of the Slovenian power system. The impact of selected changes on the reliability of the power system and on the safety of the nuclear power plant is assessed. An additional diesel generator in the nuclear power plant contributes substantially to its safety. The importance of the plant in the power system is confirmed. Construction of the Krško-Beričevo transmission line means improved safety of the nuclear power plant at Krško and is at the same time a prerequisite for building a new nuclear power plant at Krško.

PACS: 28.50.Hw, 28.41.Ak, 28.41.Te, 84.32.Dd, 84.37.+q, 84.70.+p, 84.32.-y

Table of contents

1 Introduction ..... 1
1.1 Objectives and goals ..... 2
1.2 The outline ..... 4
2 Review of activities of power system analysis ..... 5
3 Probabilistic safety assessment ..... 7
3.1 Probabilistic safety assessment fundamentals ..... 7
3.2 PSA modeling ..... 12
3.2.1 Event tree analysis ..... 12
3.2.2 Fault tree analysis ..... 16
3.3 PSA applications and risk-informed decision making ..... 25
3.4 Power system analysis methods ..... 25
3.4.1 Percent reserve evaluation ..... 26
3.4.2 Loss-of-the-largest-generating-unit method ..... 26
3.4.3 Loss-of-load-probability method ..... 27
3.4.4 Applications of probability theory to power systems ..... 27
3.4.5 Additional reliability measures ..... 27
4 New method description ..... 31
4.1 Definition of reliability and importance indices ..... 31
4.2 Fault tree construction procedure ..... 32
4.2.1 Fault tree construction of loads ..... 33
4.2.2 Fault tree construction of substations ..... 37
4.3 Approximate DC load flow model and line overload test ..... 39
4.3.1 Direct current (DC) model ..... 42
4.3.2 Relation between line power flows and injected power of generators ..... 44
4.3.3 Calculation of the elements of the matrix [H] ..... 45
4.3.4 Modifications of the matrix [H] ..... 46
4.3.5 Modifications of the matrix [H] in case of the load failure ..... 47
4.3.6 Network separation resulting from the line failure ..... 48
4.3.7 Separated model of the power system ..... 49
4.3.8 Improvement of the reactive power flow calculations ..... 52
4.3.9 Line overload and substation voltage test ..... 53
4.4 Description of the computer code ..... 54
5 Models and results of the power system reliability analysis ..... 57
5.1 IEEE test system ..... 57
5.2 The results for the IEEE test system ..... 57
5.2.1 The results for IEEE-RTS without consideration of the substation voltages ..... 58
5.2.2 Change of the cut-off used in the analysis ..... 62
5.2.3 The results for IEEE-RTS with the consideration of the substation voltages ..... 62
5.2.4 Summary of the results obtained for the IEEE RTS ..... 66
5.3 Slovenian power system ..... 66
5.4 Results for the Slovenian power system ..... 70
5.4.1 Basic Slovenian power system without consideration of voltages ..... 70
5.4.2 Basic Slovenian power system with the consideration of voltages ..... 73
5.5 Analysis of the configurations of the Slovenian power system ..... 74
5.5.1 Slovenian power system with the single NPP Krško - Beričevo line ..... 74
5.5.2 Slovenian power system with the double Krško - Beričevo line ..... 78
5.5.3 Slovenian power system with the new NPP in Krško and proportional increase of the load ..... 81
5.5.4 Slovenian power system with the new NPP in Krško and increase of the load in the substation Divača ..... 84
5.5.5 Summary of the results obtained for the Slovenian power system ..... 86
6 Impact of offsite power system reliability on nuclear power plant safety ..... 88
6.1 LOOP data analysis ..... 88
6.2 Method for calculation of loss of offsite power IE frequency ..... 92
6.3 Impact of LOOP frequency on CDF of NPP ..... 93
6.3.1 NPP power system ..... 94
6.3.2 NPP PSA model ..... 96
6.3.3 Sensitivity analysis of CDF ..... 101
6.4 Implication of grid related LOOP on plant CDF ..... 104
6.4.1 Implication of grid related LOOP on plant CDF in IEEE RTS ..... 105
6.4.2 Implication of grid related LOOP on CDF in Slovenian power system ..... 107
7 Conclusions ..... 109
8 References ..... 111
Appendix A: Principles of engineering safety ..... 115
Appendix B: Substation configurations ..... 117
Appendix C: Verification of the method and computer code ..... 135
Appendix D: Reliability parameters ..... 148

List of Figures

Figure 2-1 Hierarchical levels in electrical power systems ..... 5
Figure 3-1 Activities in PSA ..... 11
Figure 3-2 Event tree development process ..... 12
Figure 3-3 Example event tree ..... 13
Figure 3-4 Systems A and B fault trees and part of the event tree sequence ..... 15
Figure 3-5 Fault tree development process ..... 17
Figure 3-6 Example HPIS ..... 22
Figure 3-7 HPIS fault tree ..... 24
Figure 3-8 Relation cost-reliability for power systems ..... 25
Figure 4-1 An example power system ..... 33
Figure 4-2 Adjacency matrix A of an example system ..... 33
Figure 4-3 Rooted tree for substation 1 ..... 34
Figure 4-4 Discarded and accepted flow paths for test system ..... 35
Figure 4-5 Modular fault tree used for fault tree construction ..... 35
Figure 4-6 Optional construction of the generator failure gate ..... 36
Figure 4-7 Part of the fault tree built for load 1 in the substation 1 ..... 37
Figure 4-8 Example substation and simplified model of the substation ..... 38
Figure 4-9 Fault tree for simplified substation representation ..... 39
Figure 4-10 Notation for active and reactive power at a typical bus i in power flow studies ..... 41
Figure 4-11 Two regions system ..... 48
Figure 4-12 Circuit of a medium-length transmission line ..... 49
Figure 4-13 Equivalent circuit of a medium-length line ..... 52
Figure 4-14 Block diagram of the program ..... 55
Figure 5-1 IEEE-96 reliability test system ..... 58
Figure 5-2 Basic configuration of Slovenian power system ..... 67
Figure 5-3 Slovenian power system used in the construction of the model ..... 69
Figure 5-4 Slovenian power system with the added line NPP Krško - Beričevo ..... 76
Figure 5-5 Slovenian power system with the double line between NPP Krško - Beričevo ..... 80
Figure 5-6 Slovenian power system with the two NPP Krško and single line NPP Krško - Beričevo ..... 82
Figure 6-1 LOOP event counts by cause ..... 91
Figure 6-2 Example of an offsite power system ..... 94
Figure 6-3 Contribution of accident groups for Surry Unit 1 CDF from model ..... 98
Figure 6-4 Contribution of LOOP and SBO to all LOOP accident group for Surry Unit 1 CDF ..... 98
Figure 6-5 CDF contribution by initiating events for NPP Krško ..... 99
Figure 6-6 Unavailability of the emergency AC power system from EDG reliability ..... 101
Figure 6-7 Unavailability of the emergency AC power system from EDG reliability, CCF not accounted ..... 102
Figure 6-8 Dependency of CDF from EDG reliability ..... 103
Figure 6-9 Dependency of CDF from LOOP frequency ..... 103
Figure 6-10 Dependency of CDF from LOOP IE frequency, IEEE system ..... 106
Figure 6-11 Dependency of CDF from LOOP IE frequency, Slovenian power system ..... 108

List of Tables

Table 3-1 Laws of the Boolean algebra ..... 19
Table 3-2 Identified minimal cut sets for HPIS ..... 23
Table 5-1 Identified MCS for power delivery to the load in the substation 18 ..... 59
Table 5-2 Identified MCS for power delivery to the load in the substation 21 ..... 59
Table 5-3 Calculated unreliabilities for the IEEE RTS ..... 60
Table 5-4 Basic events with the largest NRRW ..... 60
Table 5-5 Basic events with the largest NRAW ..... 60
Table 5-6 Basic events with the largest RRW for load in the substation 18 ..... 61
Table 5-7 Basic events with the largest RAW for load in the substation 18 ..... 61
Table 5-8 Basic events with the largest RRW for load in the substation 21 ..... 61
Table 5-9 Basic events with the largest RAW for load in the substation 21 ..... 62
Table 5-10 Used truncation limits in analysis ..... 62
Table 5-11 Identified MCS for power delivery to the load in the substation 18 ..... 63
Table 5-12 Identified MCS for power delivery to the load in the substation 21 ..... 63
Table 5-13 Calculated unreliabilities for the IEEE RTS ..... 63
Table 5-14 Calculated voltages in the substations of the IEEE RTS for normal regime ..... 64
Table 5-15 Basic events with the largest NRRW ..... 64
Table 5-16 Basic events with the largest NRAW ..... 65
Table 5-17 The RRW and RAW importance measures for the load in the substation 18 ..... 65
Table 5-18 Basic events with the largest RRW for the load in the substation 21 ..... 65
Table 5-19 Basic events with the largest RAW for the load in the substation 21 ..... 66
Table 5-20 The substation numbers used in construction of the basic events ..... 68
Table 5-21 Identified MCS for power delivery to NPP Krško ..... 70
Table 5-22 Obtained unreliabilities for the basic configuration of the Slovenian power system ..... 70
Table 5-23 Obtained reliability for the basic configuration of the Slovenian power system ..... 70
Table 5-24 Basic events with the largest NRRW ..... 71
Table 5-25 Basic events with the largest NRAW ..... 71
Table 5-26 Basic events with the largest RRW for NPP Krško ..... 72
Table 5-27 Basic events with the largest RAW for NPP Krško ..... 72
Table 5-28 Calculated voltages in substations for the basic Slovenian power system ..... 73
Table 5-29 Calculated power flows through lines for the basic Slovenian power system ..... 74
Table 5-30 Identified MCS for power delivery to the NPP Krško ..... 75
Table 5-31 Obtained unreliabilities for configuration with the single NPP Krško-Beričevo line ..... 75
Table 5-32 Basic events with the largest NRRW, single NPP Krško - Beričevo line added ..... 76
Table 5-33 Basic events with the largest NRAW, single NPP Krško - Beričevo line added ..... 77
Table 5-34 Basic events with the largest RRW for the NPP Krško ..... 77
Table 5-35 Basic events with the largest RAW for the NPP Krško ..... 77
Table 5-36 Calculated power flows through lines for Slovenian power system, single NPP Krško - Beričevo line ..... 78
Table 5-37 Identified MCS for power delivery to the NPP Krško ..... 79
Table 5-38 Obtained unreliabilities for configuration with the double NPP Krško-Beričevo line ..... 79
Table 5-39 Basic events with the largest RRW for the NPP Krško ..... 80
Table 5-40 Basic events with the largest RAW for the NPP Krško ..... 80
Table 5-41 Calculated power flows through lines of the Slovenian power system, double NPP Krško - Beričevo line ..... 81
Table 5-42 Identified MCS for power delivery to the NPP Krško ..... 82
Table 5-43 Obtained unreliabilities for configuration with the proportionally increased load ..... 82
Table 5-44 Basic events with the largest NRRW, new NPP and single NPP Krško - Beričevo line added ..... 83
Table 5-45 Basic events with the largest NRAW, new NPP and single NPP Krško - Beričevo line added ..... 83
Table 5-46 Obtained unreliabilities for configuration with the proportionally increased load, double NPP Krško - Beričevo line ..... 84
Table 5-47 Identified MCS for the power delivery to the NPP Krško ..... 84
Table 5-48 Obtained unreliability for increased load in Divača and single NPP Krško-Beričevo line added ..... 84
Table 5-49 Obtained reliability for increased load in Divača and single NPP Krško - Beričevo line added ..... 84
Table 5-50 Obtained unreliabilities for increased load in Divača and double NPP Krško - Beričevo line added ..... 85
Table 5-51 Summarized results for the Slovenian power system ..... 86
Table 6-1 Plant-level LOOP frequencies ..... 89
Table 6-2 LOOP frequency comparison with the previous reports ..... 89
Table 6-3 LOOP duration data analysis of probabilities of exceedance ..... 90
Table 6-4 LOOP duration comparison ..... 90
Table 6-5 EDG parameters ..... 95
Table 6-6 EDG CCF unavailability ..... 95
Table 6-7 Event trees and initiating events for Surry Unit 1 PSA ..... 96
Table 6-8 SBO IE frequency ..... 97
Table 6-9 Comparison of the results for dominant accident sequences by IE type ..... 97
Table 6-10 Description of the initiating events ..... 99
Table 6-11 The identified important BE in the model ..... 100
Table 6-12 Identified MCS for emergency AC power system failure ..... 102
Table 6-13 Basic event description ..... 102
Table 6-14 Share of each LOOP data category into overall LOOP ..... 104
Table 6-15 Description of the power system models and obtained unreliabilities for IEEE RTS ..... 105
Table 6-16 CDF and LOOP frequency for IEEE RTS ..... 105
Table 6-17 Description of the power system models and obtained unreliabilities for NPP Krško ..... 107
Table 6-18 The obtained LOOP IE for the NPP Krško ..... 107

List of Abbreviations

AC - Alternating Current
ASAI - Average Service Availability Index
ASIDI - Average System Interruption Duration Index
ASIFI - Average System Interruption Frequency Index
ATWS - Anticipated Transient Without Scram
BE - Basic Event
CAIDI - Customer Average Interruption Duration Index
CAIFI - Customer Average Interruption Frequency Index
CCF - Common Cause Failure
CDF - Core Damage Frequency
CEMIn - Customers Experiencing Multiple Interruptions
CEMSMIn - Customers Experiencing Multiple Sustained Interruption and Momentary Interruption Events
CTAIDI - Customer Total Average Interruption Duration Index
DC - Direct Current
ECCS - Emergency Core Cooling System
EDG - Emergency Diesel Generator
EPS - Emergency Power Supply
ESWRL - Extremely Severe Weather Related Losses
ET - Event Tree
FT - Fault Tree
FV - Fussell-Vesely Importance
GD - Grid Disturbances
HPIS - High Pressure Injection System
IE - Initiating Event
IEEE - Institute of Electrical and Electronics Engineers
LOCA - Loss of Coolant Accident
LOLP - Loss of Load Probability
LOOP - Loss of Offsite Power
MAIFI - Momentary Average Interruption Frequency Index
MAIFIE - Momentary Average Interruption Event Frequency Index
MCS - Minimal Cut Set
NPP - Nuclear Power Plant
NRAW - Network Risk Achievement Worth
NRC - Nuclear Regulatory Commission
NRRW - Network Risk Reduction Worth
PCL - Plant Centered Losses
PSA - Probabilistic Safety Assessment
RAW - Risk Achievement Worth
RCS - Reactor Coolant System
RDF - Risk Decrease Factor
RIF - Risk Increase Factor
RRW - Risk Reduction Worth
RTS - Reliability Test System
RWST - Refueling Water Storage Tank
SAIDI - System Average Interruption Duration Index
SAIFI - System Average Interruption Frequency Index
SBO - Station Blackout
SGTR - Steam Generator Tube Rupture
SWRL - Severe Weather Related Losses

1 Introduction

Nuclear power plants are complex facilities that produce electrical energy based on the principles of nuclear fission.
Nuclear fuel in the nuclear reactor is used to produce thermal energy in the form of hot steam, which is transformed into electrical energy by steam turbines and generators. Structures, systems and components in nuclear power plants comply with strict technical standards so that the operation of the plant is safe and effective. The prime purpose of nuclear safety is the prevention of the release of radioactive materials formed in the fuel, ensuring that the operation of nuclear power plants does not contribute significantly to individual and societal health risk. The main specific issue of nuclear safety is the need to remove the decay heat, which is necessary even for a reactor in shutdown. Nuclear safety is achieved by the implementation of a set of measures and actions including the multiple barriers integrity approach, defense-in-depth and the safety principles [1,2]. The multiple barriers integrity is sustained by the provision of effective cooling of the fuel in all modes of operation of the nuclear power plant, inside and outside of the core. The barriers include the material of the fuel pellets themselves, the cladding of the fuel rods, the integrity of the reactor coolant system and the containment, which captures the radioactive substances even if the other barriers fail. The measures constituting the three-level defense-in-depth approach have to be taken in order to ensure that the facilities are operated and the activities are conducted so as to achieve the highest standards of safety that can reasonably be achieved:
- The prevention level relates to the control of the radiation exposure of people and of the release of radioactive material to the environment through the appropriate design, construction, installation and supervision of the nuclear power plant.
- The protection level relates to restricting the likelihood of undesired events by the installation of protection and safety systems, which put the plant into a safer state if predefined safety limits are exceeded.
- The mitigation level supplements the first two in the sense that it relates to the activities which mitigate the consequences of undesired events, if they occur.
The safety principles such as redundancy (the use of more components or systems than minimally necessary for the realization of the function), independence, diversity, the fail-safe principle (the component is put into a safer state if it has failed) and the single failure criterion (the failure of a single component cannot endanger the fulfillment of any safety function) are listed and explained in more detail in Appendix A.
The nuclear power plant is equipped with a continuous and reliable source of electrical energy in order to sustain the effective cooling of the fuel. In normal operation, the preferred source of electrical energy for self consumption is alternating current (AC) electrical energy from the generator bus through the unit transformers. During the startup, shutdown or maintenance of the nuclear power plant (NPP), the offsite power system is the preferred source of electrical energy. The self consumption of the NPP depends on several factors, including the design of the plant and the selection of the cooling system for residual heat, and is normally in the range of 5-10% of the net installed (electrical) power of the plant. In case of power system failure, the generator is disconnected from the power system and the output power of the turbine-generator is throttled down so that the nuclear power plant continues to provide energy for its own consumption. If the throttling down of the power is unsuccessful, backup diesel generators provide energy until normal conditions in the power system are restored.
In the case of the NPP Krško, the normal power supply to the plant auxiliaries is from the generator bus through two unit transformers. The offsite power supplies come from two electric power distribution systems: a 400 kV and a 110 kV transmission network. The 400 kV switchyard has a standard two-bus configuration with three transmission terminals. Two of the 400 kV lines come from Zagreb and one from Maribor, each capable of transmitting the full plant electric power. The 110 kV transmission line is connected to the combined gas-steam power plant Brestanica, which serves as the alternate preferred source. The onsite emergency power sources are two diesel electric generators. In the event of a breakdown of the 110 kV system, Brestanica automatically cuts off all users except NPP Krško (island operation mode). The onsite power system of NPP Krško consists of two distinct subsystems:
- Non-Class 1E Power System.
- Class 1E Power System (Engineered Safety Features Power System).
The onsite emergency power sources are two diesel electric generators connected to the Class 1E Power System.
The NPP safety and reliability depend partly on the network reliability and vice versa. The failure of the power system results in a loss of offsite power initiating event, which is an important contributor to the overall core damage frequency (CDF); the CDF is a measure of risk and thus of the safety of the corresponding NPP. The disconnection of the NPP from the power system results in a deficit of generation, directly affecting the reliability and stability of the power system. This interaction between the NPP on one side and the power system on the other is the main focus of this thesis.
1.1 Objectives and goals
The offsite power system of a nuclear power plant provides the preferred source of electrical power to station equipment [3] during normal operation:
- Emergency cooling for the reactor following planned or unplanned shutdowns.
- Auxiliary systems for plant startup and safe shutdown.
The loss of offsite power (LOOP) initiating event (IE) occurs when all electrical power to the plant from external sources is lost. That event results in the simultaneous loss of electrical power to all unit safety buses, requiring the emergency diesel generators to start and supply power to the safety buses for the equipment which is essential for the safe operation of the plant [4]. A total loss of all AC power as a result of the complete failure of both offsite and onsite AC power sources is referred to as a "station blackout" (SBO). Risk analyses performed for NPP indicate that the LOOP can be a significant contributor to the plant risk, contributing more than 70 percent of the overall risk at some plants. Normally, the plant risk due to LOOP is in the range of 20 to 30 percent [5,6]. Therefore, the loss of offsite power (LOOP) and its subsequent restoration are important inputs to the plant risk models. These inputs must reflect current industry performance in order that the plant risk models accurately estimate the risk associated with the LOOP. One particularly important subset of LOOP initiated scenarios involves SBO situations, in which the affected plant must achieve safe shutdown relying on components that do not require AC power, such as turbine- or diesel-driven pumps. Thus, the reliability of such components, the direct current (DC) battery depletion times, and the characteristics of offsite power restoration are important contributors to SBO risk. The NPP must have the capability to withstand a SBO and to maintain the core cooling for a specified duration, taking into account the regulatory requirements and guides [7,8,9], e.g. the SBO rule [10]. On August 14, 2003, a widespread loss of the USA electrical power grid (blackout) resulted in LOOP at nine commercial NPP in the U.S. (within a period of less than two minutes), as well as at eleven in Canada [11].
Major contributors to the domino effect, in which plant after plant tripped off-line and the electrical grid collapsed, were: poor maintenance of transmission lines, lack of sensor and relay repair, poor communications between load dispatchers and power plant operators, and a lack of understanding of transmission system interdependencies resulting in the overload of lines. As a result of the 2003 blackout, the Nuclear Regulatory Commission (NRC) initiated a comprehensive program to review grid stability and offsite power issues as they relate to NPP [8,12]. The Forsmark-1 NPP experienced a SBO event on 25 July 2006 [13]. The cause was shown to be a failure in the 400 kV switchyard of the NPP. Two of the four auxiliary diesel generators failed to start, resulting in the loss of power on two of the four Class 1E redundant trains. This caused a coastdown of the recirculation pumps, shutdown of the turbines and eventually a reactor scram. After 23 minutes the operators managed to start the failed generators manually, but this event clearly indicates the impact of LOOP on NPP safety. The NRC study on the effects of deregulation and changes in grid operation on nuclear power plant performance clearly reinforces the need to understand the conditions of the grid throughout the year to assure that the risk due to potential grid conditions remains acceptable [14]. Moreover, the NRC risk-informed regulatory strategy [15] depends on plants having access to reliable offsite power. For each light-water-cooled nuclear power plant operating license application [8] submitted after September 27, 2007, the applicant shall submit in its final safety analysis report information on:
- The redundancy of the onsite emergency AC power sources.
- The reliability of the onsite emergency AC power sources.
- The expected frequency of loss of offsite power.
- The probable time needed to restore offsite power.
Two of the issues that are of particular concern for new reactors include:
- Should new units be designed to withstand a load rejection without shutting down?
- What is the impact of bringing large generators onto the grid?
Taking into account the new environment after the 11th of September and the threats to major infrastructures including the power systems, the need for a more detailed analysis of power system reliability comes forward [16]. Data analysis [6] from the year 1986 through the year 2004 reveals that the SBO risk was low when evaluated on an average annual basis, due to the plant modifications made in response to the SBO rule. However, when the focus is on grid-related LOOP events, the SBO risk has increased. Current results [6] show that the grid initiated LOOP events contribute 52 percent to the SBO core damage frequency (CDF). Severe and extreme weather events, which are generally related to grid events, contribute another 13 percent. The increasing number of grid-related LOOP events in the years 2003 and 2004 is a cause of concern. Additionally, if only data [6] from the "summer" period is considered, the LOOP frequency increases by approximately a factor of two. By the NRC methodology, there are three major LOOP event categories: plant centered, grid related, and weather related. Grid related LOOP events are defined as LOOP that are strictly associated with the loss of the transmission and distribution system due to insufficient generating capacity, excessive loads or dynamic instability. Although the grid failure may also be caused by other factors, such as severe weather conditions, these events are not considered grid related by the NRC since they are caused by external events. In the methodology and guidance documents issued by the NRC, grid disturbances are estimated from the site susceptibility to grid related LOOP [17,18]. Based on the expected frequency, the plant is classified into a specific group for which a predetermined frequency is given.
Severe weather related losses are estimated using a simple relation, which includes the site vulnerability to the effects of salt spray, snowfall, tornadoes and storms, and the number of transmission lines connected to the plant. The proposed NRC methodology has two major deficiencies:
1. The estimation of the grid-related LOOP is based only on historical data for the site susceptibility to grid related LOOP, without accounting for the overall grid structure and without an analytical methodology to estimate the corresponding frequency. The proposed NRC approach does not provide qualitative and quantitative identification of the major contributors to grid related LOOP and of the consequent actions to decrease the frequency, thus improving the plant reliability and safety.
2. Grid related and severe weather initiated LOOP are closely related [19], but that correlation is not included in the NRC methodology. In the estimation of the severe weather related losses, the ambient temperature, which has a direct impact on the overall power system reliability [8], is excluded from the calculations.
The listed deficiencies in the current methodologies indicate the necessity for the development of a new method for the estimation of the LOOP initiating events and for a detailed analysis of the impact that the power system state has on the performance and risk of nuclear power plants. The main objective of the thesis is the development of a method which can be used to assess and improve the safety of nuclear power plants operating in a power system, using the methods, tools and models known from probabilistic safety assessment [20,21,22,23,24,25,26]. The method is developed by combining the linear network flow method with the fault tree analysis features, and a computer program based on this method is compiled. The proposed method is applied to a test system used in bulk power system reliability evaluation studies [27] and to a model of the Slovenian power system. An analysis of the LOOP IE frequency and of the resulting core damage frequency of an NPP in the test systems is done.
1.2 The outline
Section 2 reviews the main activities in the area of power system analysis together with the current state of the art in the field. A description of the methods used in Probabilistic Safety Analysis together with the applications of probability theory to power system reliability estimation is given in section 3. In section 4, a detailed description of the developed method is given. In section 5 the obtained results for the IEEE (Institute of Electrical and Electronics Engineers) test system and the Slovenian power system are given. In section 6 the results obtained from the sensitivity analysis of the LOOP IE and CDF of the reference plant are presented. Final conclusions and remarks are given in section 7.
2 Review of activities of power system analysis
The review of the main activities in the area of power system analysis is presented together with the state of the art in the field. Power systems are usually large, complex and, in many ways, nonlinear systems. They include multiple components such as generators, switching substations, power lines and loads. The post-fault phenomena in a power system are dynamic in nature and dependent on the grid connection and load flows in different parts of the grid. Therefore, the evaluation of the overall system reliability is extremely complex, as it is necessary to include detailed modelling of both generation and transmission facilities and their auxiliary elements. The power system is usually divided into segments which can be analyzed separately [28]. These segments are referred to as the generation, transmission and distribution functional zones. These functional zones can be combined to form a series of hierarchical levels for the purpose of conducting system reliability analysis. Hierarchical Level I reliability assessment concerns only the generation facilities. Evaluation of the composite or bulk generation and transmission facilities is designated as a Hierarchical Level II study.
The entire system evaluation is designated as Hierarchical Level III assessment, as shown in Figure 2-1. System reliability is usually predicted using one or more indices which quantify the expected system reliability performance, implemented using criteria based on acceptable values of these indices.
Figure 2-1 Hierarchical levels in electrical power systems
The overall problem of Hierarchical Level III reliability evaluation can be quite complex in most systems, as it involves starting at the generating points and terminating at the individual load points. The application of probability methods in power systems came into prominence only in the last three decades, considering that the industry itself is more than a century old and that discussions on probability concepts appeared in Italian manuscripts seven centuries ago [29]. Most of the approaches for the determination of power system reliability use a certain approximation or simplification of the problem in order to reduce it to a solvable level. A quasi-transient approach [30] and the examination of cascading failure using linear programming [31] were proposed, assuming only single component failures and the identification of only one critical point in the system, without accounting for the probability of failure of components. Evaluation of system reliability concerning only the generation facilities and their adequacy to satisfy the load using heuristic methodologies was proposed. This methodology, like other HL I reliability assessments, excludes transmission from the analysis [32,33]. The minimal cut set and frequency duration methods are used for the planning and design of industrial and commercial electric power distribution systems and their reliability evaluation, but this method is applicable only to small distribution systems [34].
A screening method for the identification and ranking of infrastructure vulnerabilities due to terrorism, including a small power system, based on the minimal cut set approach was proposed, but the whole analysis is conditional on the assumed presence of a minor threat [35]. The event tree method was proposed for the analysis of infrastructure risk from terrorism with an example application on a small power system, but the method lacks a conditional success rate for a network failure, which is estimated by the authors and not by a strict method [36]. An application of Monte Carlo network analysis for the reliability assessment of multiple infrastructures, including the power system, against terrorist actions [37] is proposed, but this method is inadequate when infrastructures are analyzed individually. An application of the sum-of-disjoint products technique for evaluating stochastic network reliability is proposed [38], considering only one path between the source and sink nodes and assuming that each node is perfectly reliable. A hybrid model that includes both power system dynamic simulations and event trees for the protection was anticipated for power system reliability estimation, accounting only for the failure of line protection [39]. Several variations of Monte Carlo simulation methods, including cellular automata and the system state transition sampling approach, were developed to probabilistically evaluate composite power system long-term reliability [40,41,42,43,44,45,46]. The deficiencies of these methods are that they can only be used for a Hierarchical Level II study and the convergence problem that they encompass. A recent probabilistic method for transmission grid security evaluation uses event trees and fault trees and combines them with power system dynamic simulations. Only substation protection and trip operations after line faults are modeled with the event trees. Power system security is studied with a substation model that would include possible malfunctions of the protection and circuit breakers.
Only single faults of lines, as a result of protection failure, were accounted for in the analysis [47,48]. The review of the activities in the area of PSA and power system analysis indicates that these two methodologies have not been integrated in a formal manner as is done in this thesis, thus providing a solution to problems foreseen in both areas.
3 Probabilistic Safety Assessment
The report [49] entitled "Reactor Safety Study: An Assessment of Accident Risk in U.S. Commercial Nuclear Power Plants" (WASH 1400) was the first detailed analysis to provide a realistic assessment of the risks associated with the utilization of commercial NPP. A systematic probabilistic method for the assessment of the reliability and safety of complex systems was developed and applied. In most countries, the method is referred to as Probabilistic Safety Assessment (PSA). In the United States, the method is referred to as Probabilistic Risk Analysis (PRA). The event tree and the fault tree are the two basic methods used in Probabilistic Safety Assessment, which is a standardized method for the assessment of nuclear power plant safety [50,51]. There are a number of techniques used to perform system modelling. These techniques are grouped into two major categories, inductive and deductive techniques. Inductive analysis begins with the consideration of a specific event and goes on to consider the general effect of that specific event in terms of system operability. Event tree analysis is an inductive technique which organizes and characterizes potential accidents in a methodological manner [52]. It is suitable for modelling complex sequences of events and for their efficient evaluation. In system modelling, a deductive analysis is one that begins with a general system operability state and proceeds to deduce the specific events that could give rise to that operability state.
Fault tree analysis is the deductive modelling approach used in the PSA to identify and assess the combinations of undesired events, in the context of the system operation and its environment, that can lead to the undesired state of the system [53,54]. The undesired state of the system is represented by a top event. The logical gates integrate the primary events into the top event. The primary events are the events which are not further developed, e.g. the basic events and the house events. The fault tree is based on Boolean algebra and on a probabilistic basis that relates probability calculations to Boolean logic functions.
3.1 Probabilistic Safety Assessment Fundamentals
The basic definitions and relations of probability theory are presented in this section. The PSA purports to assess risk. In the context of PSA, the concept of risk can be defined [55,58,84] as "the likelihood of experiencing a defined set of undesired consequences". The assessment of risk with respect to nuclear power plants is intended to achieve four general objectives:
- To identify initiating events and event sequences which are significant contributors to risk.
- To provide a realistic quantitative measure of the likelihood of these risk contributors.
- To provide a realistic evaluation of the potential consequences associated with the hypothetical accident sequences.
- To provide a reasonable risk-based framework for making decisions regarding nuclear plant design, operation and siting.
The probability defines quantitatively the likelihood of an event or events. In the context of PSA the concept of probability is thought of in three ways, each with its own applications. In the classical concept, the probability of occurrence of event A is defined as:
$P(A) = \frac{N_A}{N}$ (3.1)
Where:
$N_A$ – number of occurrences of the event A.
$N$ – number of mutually exclusive and equally likely random experiments.
The empirical (frequentist) concept is the second approach, with the relative frequency interpretation of the probability:
$P(A) = \lim_{n \to \infty} \frac{N_A}{N}$ (3.2)
Where:
$N_A$ – number of occurrences of the event A.
$N$ – number of mutually exclusive and equally likely random experiments.
$n$ – number of experiments.
The third definition of probability is the subjective concept and really represents the degree of belief that a given event may occur.
Availability is the measure used for continuously operated systems that can tolerate failures, and is defined [55] as the probability of the component/device/system being available when required. Component unavailability is defined [55] in general as the probability of being in a failed state when required. The point unavailability is the probability that the component is down at a given time. Interval unavailability is associated with some interval and is the fraction of time that the component is down (ratio of downtime to some cycle time). The unavailability is denoted with the symbol Q and its standard forms are:
$Q = \lambda t$ (3.3)
Where:
$\lambda$ – component failure rate.
$t$ – average fault duration time (detection plus repair time).
Or:
$Q = \frac{t_D}{t_T}$ (3.4)
Where:
$t_D$ – average downtime.
$t_T$ – total cycle time.
Eq. (3.3) is of the point type and Eq. (3.4) is of the interval type. The failure probability is defined in general as the probability of failure in a specified time interval (required operation time, mission time or standby time). The failure probability is also called the unreliability (one minus the reliability). The failure probability is denoted with U and for a non-repairable component (constant component failure rate $\lambda$) has the form:
$U = 1 - e^{-\lambda t} \approx \lambda t$ (3.5)
Note that in the PSA terminology [55] the standard denotation for the unreliability is the letter "P". The unreliability is denoted with U here in order not to confuse it with the probability. The approximation in Eq.
(3.5) is accurate to within 5% for unreliability U less than 0.1; it is on the conservative side and the error is small compared to the uncertainties in $\lambda$. Comparison of Eqs. (3.3) and (3.5) shows that they are identical, but only in the case of constant $\lambda$ and small probabilities. For this specific case the component/system unreliability is equal to its unavailability. The simplified description of reliability defines it as the probability [56] that an item can perform its intended function for a specified interval under stated conditions. Reliability as a measure is suitable for quantifying the adequacy of mission oriented systems (systems functioning without failure). There are probability rules which permit the combination of the probabilities associated with the individual events to give the probability of the overall system behavior. These rules are given with their descriptions.
Rule 1 – Independent events. Two events are said to be independent if the occurrence of one event does not affect the probability of the occurrence of the other event.
Rule 2 – Mutually exclusive events. Two events are said to be mutually exclusive (or disjoint) if they cannot happen at the same time.
Rule 3 – Complementary events. Two outcomes of an event are said to be complementary if, when one outcome does not occur, the other must. If the two outcomes A and B have probabilities P(A) and P(B), then:
$P(A) + P(B) = 1$ (3.6)
Rule 4 – Conditional events. Conditional events are events that occur conditionally on the occurrence of another event or events. The conditional probability of event A occurring given that event B has occurred is written mathematically as P(A|B) and can be deduced from Eq. (3.4):
$P(A|B) = \frac{\text{number of ways } A \text{ and } B \text{ can occur}}{\text{number of ways } B \text{ can occur}}$ (3.7)
Rule 5 – Simultaneous occurrence of events. The simultaneous occurrence of two events A and B is the occurrence of both the A and the B event.
Mathematically this is known as the intersection of the two events and is represented as $(A \cap B)$, (A AND B) or (AB). In this rule there are two cases to consider: when the events are independent and when they are dependent. If two events are independent, the probability that they both occur is:
$P(A \cap B) = P(A) \cdot P(B)$ (3.8)
If there are n independent events, the principle can be extended to give:
$P(A_1 \cap A_2 \cap A_3 \cap \dots \cap A_n) = P(A_1) \cdot P(A_2) \cdots P(A_n)$ (3.9)
In the case of dependent events, the probability of occurrence of both events is:
$P(A \cap B) = P(B|A) \cdot P(A) = P(A|B) \cdot P(B)$ (3.10)
Rule 6 – Occurrence of at least one of two events. The occurrence of at least one of two events A and B is the occurrence of A or B or both events and is expressed as $(A \cup B)$, (A OR B) or (A+B). In this rule there are three cases to consider: the events are independent but not mutually exclusive, the events are independent and mutually exclusive, and the third case, when the events are not independent. The probability of occurrence of at least one of the events that are independent but not mutually exclusive is given by the expression:
$P(A \cup B) = P(A) + P(B) - P(A) \cdot P(B)$ (3.11)
In the case of mutually exclusive events, by definition the probability of their simultaneous occurrence P(A)P(B) must be zero, therefore the probability of the union of the two events is:
$P(A \cup B) = P(A) + P(B)$ (3.12)
If there are n independent and mutually exclusive events, the union probability is:
$P(A_1 \cup A_2 \cup A_3 \cup \dots \cup A_n) = \sum_{i=1}^{n} P(A_i)$ (3.13)
If the two events A and B are not independent, the probability of the union of the events is:
$P(A \cup B) = P(A) + P(B) - P(A \cap B) = P(A) + P(B) - P(B|A) \cdot P(A) = P(A) + P(B) - P(A|B) \cdot P(B)$ (3.14)
Rule 7 – Application of conditional probability.
The probability of occurrence of an event A dependent upon a number of mutually exclusive events $B_i$ is calculated as:
$P(A) = \sum_{i=1}^{n} P(A|B_i) \cdot P(B_i)$ (3.15)
The parameters that are associated with the reliability evaluation are described by probability distributions. The two main types of distributions are discrete and continuous. Discrete distributions represent random variables that can assume only certain discrete values, whereas continuous distributions represent random variables that can assume an infinite number of values within a finite range. The two most important discrete distributions are the binomial and the Poisson distribution, and the continuous distributions include the normal (or Gaussian), exponential, Weibull, gamma and Rayleigh distributions. All random variables (discrete and continuous) have a cumulative distribution function. It is a function giving the probability that the random variable X is less than or equal to x, for every value x. The cumulative distribution function F(x) is formally defined as:
$F(x) = P(X \le x), \quad -\infty < x < \infty$ (3.16)
The cumulative distribution function for a discrete random variable is found by summing up the probabilities, and for a continuous random variable as the integral of its probability density function. The probability density function of a continuous random variable is a function which can be integrated to obtain the probability that the random variable takes a value in a given interval. More formally, the probability density function f(x) of a continuous random variable X is the derivative of the cumulative distribution function F(x):
$f(x) = \frac{dF(x)}{dx}$ (3.17)
The probability density function f(x) can be formulated, accounting for the definition of the cumulative distribution function F(x) given by Eq. (3.16), as:
$\int_a^b f(x)\,dx = F(b) - F(a) = P(a \le x \le b)$ (3.18)
The cumulative distribution function, as shown by Eq. (3.16), increases from zero to unity as the random variable increases.
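As an added worked example (not code from the thesis or from its computer program), the probability rules above are applied to the offsite power sources of the plant described in section 1: three 400 kV lines and the 110 kV Brestanica line. A LOOP requires every offsite source to be lost at once, so under an independence assumption it is an intersection, Eq. (3.9); the probability that at least one source remains available is a union, computed both by inclusion-exclusion (the n-event generalization of Eq. (3.11)) and via the complement of Rule 3, which must agree; and because the thesis notes that grid related and severe weather initiated LOOP are correlated, Rule 7, Eq. (3.15), weights the conditional LOOP probability over mutually exclusive weather states. The per-source unavailabilities, the weather states, their probabilities and the severe-weather factor are all constructed for illustration and are not NPP Krško data.

```python
from itertools import combinations
from math import prod

# Constructed illustration values: unavailability of each offsite source of
# the plant described in section 1. These are NOT NPP Krško data.
SOURCE_UNAVAILABILITY = {
    "400kV_Zagreb_1": 0.01,
    "400kV_Zagreb_2": 0.01,
    "400kV_Maribor": 0.02,
    "110kV_Brestanica": 0.05,
}

# Constructed mutually exclusive weather states (Rule 2) and the assumed
# factor by which each source unavailability rises in that state.
WEATHER_STATES = {
    "normal": {"probability": 0.95, "unavailability_factor": 1.0},
    "severe": {"probability": 0.05, "unavailability_factor": 10.0},
}


def p_all(probs):
    """Rule 5, Eq. (3.9): probability that all independent events occur."""
    return prod(probs)


def p_any_inclusion_exclusion(probs):
    """Rule 6 extended to n independent events by inclusion-exclusion.
    For n = 2 this reduces to Eq. (3.11)."""
    total = 0.0
    for k in range(1, len(probs) + 1):
        sign = 1.0 if k % 2 else -1.0
        total += sign * sum(prod(c) for c in combinations(probs, k))
    return total


def p_any_complement(probs):
    """Same union via Rule 3: P(at least one) = 1 - P(none occur)."""
    return 1.0 - prod(1.0 - p for p in probs)


def p_total(conditional, partition):
    """Rule 7, Eq. (3.15): sum of P(A|B_i) P(B_i) over mutually exclusive B_i."""
    if abs(sum(partition) - 1.0) > 1e-12:
        raise ValueError("the conditioning events must form a partition")
    return sum(pa * pb for pa, pb in zip(conditional, partition))


def loop_probability(unavail, factor=1.0):
    """LOOP = every offsite source lost simultaneously (intersection),
    with the independence assumption made explicit by using Eq. (3.9)."""
    return p_all([min(1.0, q * factor) for q in unavail.values()])


def offsite_available_probability(unavail, factor=1.0):
    """At least one source available (union), computed both ways;
    the two results must agree to rounding."""
    avail = [1.0 - min(1.0, q * factor) for q in unavail.values()]
    via_ie = p_any_inclusion_exclusion(avail)
    via_comp = p_any_complement(avail)
    if abs(via_ie - via_comp) > 1e-12:
        raise AssertionError("inclusion-exclusion and complement disagree")
    return via_ie


def weather_weighted_loop_probability(unavail=SOURCE_UNAVAILABILITY,
                                      weather=WEATHER_STATES):
    """Eq. (3.15) over weather states: P(LOOP) = sum_i P(LOOP|W_i) P(W_i)."""
    conditional = [loop_probability(unavail, w["unavailability_factor"])
                   for w in weather.values()]
    partition = [w["probability"] for w in weather.values()]
    return p_total(conditional, partition)


if __name__ == "__main__":
    print("P(LOOP | normal weather) =", loop_probability(SOURCE_UNAVAILABILITY))
    print("P(LOOP | severe weather) =", loop_probability(SOURCE_UNAVAILABILITY, 10.0))
    print("P(LOOP), weather weighted =", weather_weighted_loop_probability())
    print("P(at least one source)    =", offsite_available_probability(SOURCE_UNAVAILABILITY))
```

The weighted result shows why the thesis objects to leaving weather out of the grid related estimate: with the constructed numbers the rare severe-weather state dominates the overall LOOP probability even though it has only a 5% share of the time.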
In reliability evaluation the random variable is frequently time. In reliability terminology the cumulative distribution function is known as the cumulative failure distribution function or unreliability, U(t). The complement of the cumulative failure distribution is the survivor function, also referred to as reliability and designated R(t):

$R(t) = 1 - U(t)$ (3.19)

The failure density function f(t) is defined as the derivative of the cumulative failure distribution function U(t):

$f(t) = \dfrac{dU(t)}{dt} = -\dfrac{dR(t)}{dt}$ (3.20)

The failure rate is one of the most extensively used functions in reliability evaluation; it is designated $\lambda(t)$ and is also referred to as the hazard rate or force of mortality. The mathematical description of the failure rate is:

$\lambda(t) = \dfrac{\text{number of failures per unit time}}{\text{number of components exposed to failure}}$ (3.21)

The general expression for the failure rate $\lambda(t)$ at time t is:

$\lambda(t) = -\dfrac{1}{R(t)} \cdot \dfrac{dR(t)}{dt} = \dfrac{f(t)}{R(t)}$ (3.22)

From Eq. (3.22), the relation between the survivor function (reliability) R(t) and the failure rate $\lambda(t)$ can be expressed as:

$R(t) = \exp\left(-\int_{0}^{t} \lambda(t)\,dt\right)$ (3.23)

For a constant, time-independent failure rate $\lambda$, Eq. (3.23) reduces to the exponential distribution:

$R(t) = e^{-\lambda t}$ (3.24)

Equation (3.5) is obtained from Eq. (3.24). Input data for the initiating events and component failures are necessary in order to perform a quantitative PSA. The development of a database for accident sequence quantification involves the collection and analysis of data and the evaluation of the appropriate reliability models. Uncertainty analysis is performed in order to measure the accuracy of the quantitative results of the PSA [57]. There are two sources of uncertainty in the database for component and system failure: the natural variability of failure rates and imperfect knowledge of the actual behavior. The uncertainty in the PSA additionally includes incompleteness of the analysis and incorrectness of the models and of the sequence quantification.
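The chain U(t), f(t), λ(t) in Eqs. (3.19) to (3.24) can be checked numerically. The following Python block is an added example, not part of the thesis or of its FTASYS code: it integrates an assumed hazard function λ(t) to obtain R(t) as in Eq. (3.23), differentiates R(t) to get f(t) as in Eq. (3.20), recovers λ(t) = f(t)/R(t) as in Eq. (3.22), and confirms that a constant λ reproduces the exponential law of Eq. (3.24). A Weibull hazard (shape β and scale η, a parametrisation assumed here) is included to show a wear-out case that the constant-rate model ignores.

```python
import math

# Added example (not from the thesis): reliability functions of section 3.1,
# Eqs. (3.19)-(3.24), derived numerically from an assumed hazard rate lambda(t).


def reliability_from_hazard(hazard, t, steps=2000):
    """R(t) = exp(-int_0^t lambda(tau) dtau), Eq. (3.23), by the trapezoidal rule."""
    if t <= 0.0:
        return 1.0
    h = t / steps
    integral = 0.5 * (hazard(0.0) + hazard(t))
    for k in range(1, steps):
        integral += hazard(k * h)
    return math.exp(-integral * h)


def unreliability(hazard, t):
    """U(t) = 1 - R(t), Eq. (3.19): the cumulative failure distribution."""
    return 1.0 - reliability_from_hazard(hazard, t)


def failure_density(hazard, t, dt=1e-3):
    """f(t) = dU/dt = -dR/dt, Eq. (3.20), by a central difference on R(t)."""
    r_minus = reliability_from_hazard(hazard, t - dt)
    r_plus = reliability_from_hazard(hazard, t + dt)
    return (r_minus - r_plus) / (2.0 * dt)


def hazard_from_reliability(hazard, t):
    """lambda(t) = f(t) / R(t), Eq. (3.22); must give back the hazard we started from."""
    return failure_density(hazard, t) / reliability_from_hazard(hazard, t)


def exponential_reliability(lam, t):
    """R(t) = exp(-lambda t), Eq. (3.24): the constant-hazard special case."""
    return math.exp(-lam * t)


def weibull_hazard(beta, eta):
    """Hazard of a Weibull law in the (assumed) shape/scale form:
    lambda(t) = (beta/eta) * (t/eta)^(beta-1). beta > 1 gives wear-out
    (increasing hazard); beta = 1 collapses to the constant rate 1/eta."""
    if beta < 1.0:
        raise ValueError("beta < 1 diverges at t = 0; not handled here")
    return lambda t: (beta / eta) * (t / eta) ** (beta - 1.0)


if __name__ == "__main__":
    lam = 1e-3   # constructed: 1e-3 failures per hour
    t = 100.0    # constructed: 100 h mission time
    print("R(t) from Eq. (3.23):", reliability_from_hazard(lambda tau: lam, t))
    print("R(t) from Eq. (3.24):", exponential_reliability(lam, t))
    print("hazard recovered via Eq. (3.22):", hazard_from_reliability(lambda tau: lam, t))
    wb = weibull_hazard(2.0, 1000.0)
    print("Weibull R(500 h):", reliability_from_hazard(wb, 500.0), "closed form:", math.exp(-0.25))
```

For the constant hazard the trapezoidal integral is exact, so the numerically integrated R(t) and the closed form of Eq. (3.24) agree to rounding; for the Weibull case with β = 2 the hazard grows linearly with t, which is exactly the behaviour the constant failure rate models of the PSA data base leave out.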
The primary methods for treating uncertainty in PSA are bounding analysis and sensitivity analysis. The PSA is generally divided into three broad areas: system modeling, accident process analysis and accident consequence analysis. The activities that comprise a risk assessment are given in Figure 3-1.

Figure 3-1 Activities in PSA

System modeling is the basic element of a Level 1 PSA. There are different system modeling techniques, and two of them are used exclusively and comprehensively in PSA: event tree analysis and fault tree analysis. A detailed description of both techniques is given in the following sections. The formal definition [53] of a system defines it as: "A deterministic entity comprising an interacting collection of discrete elements". The plant damage states identified in the system modeling task are used as the starting point for the accident process analysis (Level 2 PSA). The accident process analysis assesses the reactor core behavior and the containment response under accident conditions. Its outcome is the identification of potential releases to the environment in terms of their energies, magnitudes and timing. The accident consequence analysis (Level 3 PSA) uses local weather data and the probable radiological dispersion and depletion mechanisms to develop estimates of population radiological doses and environmental contamination.

3.2 PSA Modeling

The first step in a PSA, as shown in Figure 3-1, is the identification of potential accident initiators. Accident initiators, also known as initiating events (IE), are undesired events which present a challenge to the plant: if they are not successfully responded to, core damage may result. Initiating events are typically divided into two broad groups: transients and loss-of-coolant accidents (LOCA). These groups are then subdivided in terms of the systems required to respond to the initiator. The subdivision of the LOCAs depends upon the size and location of the break.
The accident initiators are grouped on the basis of the systems required to respond to the initiating event, in order to reduce their number to a feasible level. Data on the frequency of initiating events are generally obtained from several sources, and the largest body of that data is generic.

3.2.1 Event Tree Analysis

Event tree analysis is the technique [58] used to define the potential accident sequences associated with a particular initiating event or set of initiating events. The event tree model describes the logical interrelationships between potential system successes and failures as they respond to the initiating event. The general tasks included in the event tree development process are given in Figure 3-2.

Figure 3-2 Event tree development process

The purpose of the first task, plant familiarization, is to provide the information necessary for the identification of initiating events, the identification of the success criteria for the systems that must directly perform the required safety functions, and the identification of the dependences between the frontline systems and the support systems they require for proper functioning. The functions that must be performed to control the sources of energy in the plant and the radiation hazards are called safety functions. Safety functions are defined by a group of actions that prevent core melting, prevent containment failure or minimize radionuclide releases; they are identified in the second step of the event tree development process. The definition of the necessary safety functions forms the preliminary basis for grouping accident initiating events. A comprehensive list of initiating events has to be selected and compiled during the third step of the event tree development in order to make certain that the event trees include all potentially significant accident sequences. The selection of initiating events consists of two steps:
- Definition of possible events.
- Grouping of the identified IEs by the safety function to be performed or by the combinations of system responses.
Once the IEs have been identified and grouped, it is necessary to determine the response of the plant to each IE group. Two distinct methods exist for the evaluation of the plant response: functional and systemic event trees. The functional event tree is an intermediate analytical step for sorting out the complex relationship between accident initiators and system responses. The systemic event tree explicitly defines the response of key plant systems using detailed event sequence analysis. The description of accident sequences is accomplished by developing detailed system event trees from either functional event trees or event sequence diagrams. The event trees developed from functional event trees are quantified using the method of fault tree linking, whereas event trees developed from sequence diagrams are quantified using event trees with boundary conditions. The accident sequence delineation is the most important step in the event tree development process. Each heading in the system event trees is quantified using detailed system models in order to determine the likelihood of system failure. The system models for the event tree headings require predefined failure criteria, based on the success criteria defined for each event tree heading, and correlation with the previous failures in the accident sequence (previous failures in the accident sequence may result in the unavailability of the system, or may require different system components to operate in order to accomplish successful operation). A sample event tree from the corresponding reference [58] is presented in Figure 3-3 to illustrate the event tree construction process. The example used is a LOCA IE associated with a simple imaginary reactor system:
- The initiating event IE-A, assumed to be a pipe break in the primary coolant system of the reactor.
- RP, operation of the reactor protection system to shut down the reactor.
- ECA, injection of emergency coolant by pump A.
- ECB, injection of emergency coolant by pump B.
- PAHR, post-accident decay heat removal.
The placement of the events across the tree is based upon the time sequence in which they occur or on some logical order reflecting operational interdependence. Consequently the initiating event IE-A is first and PAHR is shown as the last event on the tree. The various sequences are represented by the paths developed with the success (upward path) or failure (downward path) of the events. The far right column of the tree identifies the sequences; for example, the second sequence starts with the initiating event IE-A and ends with the failure of the PAHR function E. For this example event tree it is assumed that either emergency coolant pump A or pump B is sufficient to meet the emergency coolant requirement. The Consequences column gives the final consequence of each accident sequence identified in the event tree. In Figure 3-3 two consequences are identified: core damage and no core damage (the OK consequence). An accident sequence can result in a new initiating event (e.g. seal LOCA or anticipated transient without scram), and such sequences are analyzed in a separate event tree. The core damage criterion is developed using the design basis approach; a typical value [59] for a Westinghouse-type PWR is that the hottest core fuel/clad node temperature does not exceed 650°C. An exception is allowed when the core is reflooded before significant cladding oxidation has occurred, but the time above 650°C is limited to 30 minutes and the highest temperature may never exceed 1075°C. The total number of possible sequences in the sample problem is 16, which are reduced to four core damage sequences (eliminating [60] branches that have zero conditional probability for at least one event). For example, all sequences in Figure 3-3 with a failed reactor protection system RP result in core damage.
The sequences resulting in core damage are evaluated further using a containment event tree, whereby the failure modes of the various barriers which prevent the release of radioactivity to the environment are probabilistically evaluated. The elements to be considered in the accident sequence quantification process are the initiating event, the event tree resulting from the initiating event, the system fault trees and their resulting Boolean failure equations, and the containment failure modes possible for each combination of IE and safety system failures and successes. An event tree sequence is a particular combination of safety system failures and successes for a given initiating event; it does not include a containment failure mode. The event tree sequence quantification process consists of the following steps:
- For each sequence, reduce by Boolean algebra the system failure and success equations to obtain the sequence reduced Boolean equation (the sequence cut sets).
- Quantify the component faults and outages in each cut set; this is accomplished at the system level.
- Assess recovery at the sequence level.
- Assess human errors.
- Quantify the cut sets of the sequence failure equations.
A major portion of the quantification process is involved with obtaining the Boolean equations for each event tree sequence. They are obtained by Boolean reduction of the Boolean failure and success equations of the systems that fail and succeed on each event tree path, in order to account for common components that must be Boolean reduced. An example is used to illustrate the requirement to consider system successes as well as failures during the quantification of event tree sequences. Figure 3-4 gives the fault trees for two hypothetical systems A and B. Two faults result in system failure for each of these systems, with the fault C1 appearing in both systems.
A portion of the event tree involving these two systems is given at the bottom of Figure 3-4, with sequence 1 when both systems fail and sequence 2 when system B fails while system A succeeds.

Figure 3-3 Example event tree. Event headings across the top of the tree: Initiating Event IE-A, RP (B), ECA (C), ECB (D), PAHR (E); these are the initiating event and the systems that need to function to mitigate the consequences of the accident. Sequences (No.: Code, Consequence):
1: (no failures), OK
2: E, CORE DAM.
3: C, OK
4: C-E, CORE DAM.
5: C-D, CORE DAM.
6: B, CORE DAM.

SEQUENCE 1. The Boolean equation for sequence 1 is:

$Q_1 = A \cdot B = (C_1 + C_2) \cdot (C_1 + C_3) = C_1 + C_2 \cdot C_3$ (3.25)

Eq. (3.25) clearly indicates that it is not correct to simply multiply the failure probabilities of systems A and B, because the common term, C1, would appear twice. The sequence equation correctly states that both systems fail if C1 occurs or if C2 and C3 occur. The Boolean equation for sequence 2 is:

$Q_2 = \bar{A} \cdot B = \overline{(C_1 + C_2)} \cdot (C_1 + C_3) = \bar{C}_1 \cdot \bar{C}_2 \cdot C_3 \approx C_3$ (3.26)

The last term in Eq. (3.26) is the approximation obtained if the success terms are ignored. Eq. (3.26) correctly states that the only way for system B to fail and system A to succeed is for C3 to occur. If C1 were to occur, both A and B would fail, which is contrary to the system success/failure combination implied by sequence 2. Thus, the Boolean-reduced equations for event tree sequences must be quantified in order to correctly account for common components among systems. The quantification of the accident sequences requires the incorporation of the frequency of the initiating event. For the small event tree/large fault tree method, the initiating event is a simple multiplier for each sequence on the event tree. Using the fault tree and event tree linking approach, the accident sequences in the event trees are expressed as:

$F_{AS_j} = F_{IE} \cdot \sum_{i=1}^{n} Q_{MCS_i}$ (3.27)

Where:
$F_{AS_j}$ - Accident sequence frequency for $AS_j$.
$F_{IE}$ - Initiating event frequency.
n - Number of minimal cut sets.
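To make the reduction in Eqs. (3.25) and (3.26) mechanical, the following Python block, an added example and not the thesis's own code, represents the fault trees of the two hypothetical systems A and B of Figure 3-4 as lists of cut sets, forms the sequence cut sets with the distributive and absorption laws of Table 3-1, deletes every cut set that contradicts a system success, and compares the exact sequence probability (obtained by enumerating every state of the basic events) with the rare-event sum of Eq. (3.27). The basic event probabilities and the initiating event frequency are constructed values.

```python
from itertools import product

# Added example (not from the thesis): Boolean reduction of event tree sequences
# for the two hypothetical systems of Figure 3-4, Eqs. (3.25)-(3.27).
# A fault tree is represented by its cut sets: a list of frozensets of basic events.
SYSTEM_A = [frozenset({"C1"}), frozenset({"C2"})]  # A fails if C1 or C2 occurs
SYSTEM_B = [frozenset({"C1"}), frozenset({"C3"})]  # B fails if C1 or C3 occurs


def minimize(cut_sets):
    """Drop duplicates and non-minimal cut sets (absorption law X + X*Y = X)."""
    unique = set(cut_sets)
    minimal = [c for c in unique if not any(other < c for other in unique)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def and_trees(tree1, tree2):
    """Boolean product of two trees (distributive law), then reduction."""
    return minimize([a | b for a, b in product(tree1, tree2)])


def sequence_cut_sets(failed, succeeded):
    """Cut sets of an event tree sequence. The failed systems are ANDed; then any
    cut set that would also fail a system the sequence requires to succeed is
    deleted, because it contradicts that success (the success term of Eq. (3.26))."""
    tree = [frozenset()]  # the empty cut set is identically TRUE
    for system in failed:
        tree = and_trees(tree, system)
    for system in succeeded:
        tree = [c for c in tree if not any(sc <= c for sc in system)]
    return minimize(tree)


def fails(tree, failed_events):
    """True if some cut set of the tree lies entirely within the failed events."""
    return any(c <= failed_events for c in tree)


def sequence_probability(failed, succeeded, p):
    """Exact sequence probability: enumerate every state of the basic events and
    add up the states in which all 'failed' systems fail and no 'succeeded' one does."""
    events = sorted(set().union(*[c for tree in failed + succeeded for c in tree]))
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = frozenset(e for e, b in zip(events, bits) if b)
        if all(fails(t, state) for t in failed) and not any(fails(t, state) for t in succeeded):
            prob = 1.0
            for e, b in zip(events, bits):
                prob *= p[e] if b else 1.0 - p[e]
            total += prob
    return total


def rare_event_probability(cut_sets, p):
    """Sum of the cut set probabilities, the approximation used in Eq. (3.27)."""
    total = 0.0
    for c in cut_sets:
        term = 1.0
        for e in c:
            term *= p[e]
        total += term
    return total


def sequence_frequency(f_ie, cut_sets, p):
    """Accident sequence frequency F_AS = F_IE * sum(Q_MCS), Eq. (3.27)."""
    return f_ie * rare_event_probability(cut_sets, p)


if __name__ == "__main__":
    P = {"C1": 0.01, "C2": 0.1, "C3": 0.2}  # constructed basic event probabilities
    seq1 = sequence_cut_sets([SYSTEM_A, SYSTEM_B], [])   # Eq. (3.25): C1 + C2*C3
    seq2 = sequence_cut_sets([SYSTEM_B], [SYSTEM_A])     # Eq. (3.26): C3 only
    print("sequence 1 cut sets:", [sorted(c) for c in seq1])
    print("sequence 2 cut sets:", [sorted(c) for c in seq2])
    print("Q1 exact:", sequence_probability([SYSTEM_A, SYSTEM_B], [], P),
          "rare-event:", rare_event_probability(seq1, P))
    print("Q2 exact:", sequence_probability([SYSTEM_B], [SYSTEM_A], P),
          "ignoring success terms:", rare_event_probability(seq2, P))
    print("F_AS for sequence 2 with F_IE = 1e-2 /yr:", sequence_frequency(1e-2, seq2, P))
```

With the constructed values, sequence 1 comes out as C1 + C2·C3 with exact probability 0.0298 against a rare-event sum of 0.03, and sequence 2 reduces to the single cut set C3 whose exact probability, 0.99·0.9·0.2 = 0.1782, is noticeably below the 0.2 obtained when the success of system A is ignored, which is the point Eq. (3.26) makes.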
$Q_{MCS_i}$ - Probability of the i-th minimal cut set.
The sequence quantification proceeds in two stages. In the first stage, the accident sequence frequencies are calculated without accounting for post-accident corrections and using screening values for the human error probabilities. The results of this calculation are used to generate the list of important human errors, which are analyzed further during the human performance subtask. In the second stage, recovery of mispositions or actual faults is accounted for on a cut-set-specific basis. In order to make the sequence quantification practical, it may be necessary to truncate, considering only those cut sets whose probability is above some cutoff or whose number of events is smaller than a truncation limit called the truncation value. Truncation is an approximation with generally uncontrolled consequences on the results [71]. After plant-specific human error probabilities have been derived, the sequences can be requantified using these values. The final results are obtained by applying appropriate multiplicative factors to each cut set probability, in order to include the possibility that operator action will eliminate one of the faults in the cut set and thereby prevent core damage. The uncertainty evaluation is performed using the plant-specific gamma posteriors for the initiating event frequencies and the component failure rates, together with the error ranges identified for human error rates and recovery probabilities, and the following results are obtained:
- Overall core damage frequency.
- The frequency of each bin.
- The frequency of the accident sequences contributing the top 99% of the total core damage frequency.
The purpose of the importance evaluations is to identify the important accident sequences, system failures, component failures and human errors with regard to the core damage frequency.
The purpose of the sensitivity analysis is to determine how sensitive the core damage frequency is to possible dependencies among component failures and human errors, and to address those assumptions suspected of having a potentially significant impact on the results. The final summarized products resulting from accident sequence quantification and event tree analysis are:
- Minimal cut sets for the systems involved in the sequence.
- Binning of all accident sequences on the basis of accident sequence characteristics.
- Point estimates for the dominant accident sequences.
- An estimate of the core damage frequency, which is an expression of the likelihood that, given the way a reactor is designed and operated, an accident could cause the fuel in the reactor to be damaged.
- Plant-specific error bounds on the frequencies of the dominant accident sequences and on the core damage frequency.
- Importance measures for accident sequences, systems, cut sets and components.
- Sensitivity studies showing the effects of dependences and human errors.
- Engineering insights into the systems, components and procedures that most affect risk.

3.2.2 Fault tree analysis

Fault tree analysis is the tool used to evaluate the ways in which nuclear plant systems might fail to perform their intended functions. The standard definition [53, 54] of the fault tree technique defines it as: "An analytical technique, whereby an undesired state of a system is specified (usually a state that is critical from a safety standpoint), and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur". If fault tree analysis is the technique by which system fault trees are developed, a workable definition of a fault tree might be: "a graphical depiction of the logical interrelationship between postulated fault events as they contribute to the occurrence of the top event". Fault tree analysis is a deductive technique in that it goes from effect to cause.
Fault tree analysis begins with a hypothetical undesired state of the system, the top event, and deductively identifies the credible events and combinations of events that might produce that system state. The undesired event definition provides a means of defining the undesired system operability state (top event) in terms of its constituent fault events. The event relationships depict the logical interrelationships between the system fault events as they relate to the top event. The logic diagram serves as a roadmap of the system fault paths. As an unavailability tool, the fault tree qualitatively identifies how a system may become unavailable. When combined with quantitative techniques, fault tree analysis provides a means of calculating system failure probabilities. The PSA Procedures Guide [58] identifies five essential tasks in fault tree development, depicted in Figure 3-5. The entire fault tree analysis activity is based on the particular associated top event; therefore the statement of the top event should be clear, accurate and appropriately specific. Top event definition is the process of developing such a top event. A system, as previously defined in section 3.1, is a collection of discrete elements that interact to perform, in total or in part, a function or set of functions. To perform a fault tree analysis, a clear definition of the system boundaries is necessary. Standard symbols and notations have been developed to facilitate the fault tree analysis approach [53]. The logic gates integrate the primary events into the top event. The primary events are the events which are not developed further, e.g. the basic events and the house events. The basic events are the ultimate parts of the fault tree, representing the undesired events, e.g. the component failures, the missed actuation signals [61], the human errors [62, 63, 64], the unavailabilities due to test and maintenance activities [65, 66, 67, 68, 69, 73] or the common cause contributions [70].
The house events represent conditions set either to true or false; they support the modeling of the connections between the gates and the basic events and enable the fault tree to better represent the system operation and its environment. Generic to the problem-solving process is the need to establish assumptions and conditions, and for the fault tree analysis process the issues that must be addressed are:
- Passive failures.
- Inadvertent operation.
- Secondary failure postulation.
- Errors of commission.
- System operating states.
During the fault tree development process it is necessary to account for Common Cause Failures (CCF). CCF are defined as failures of dependent components from shared root causes [70]. CCF can result from:
- A common cause initiating event resulting in a plant transient and increased unavailability of several systems (e.g. earthquake).
- Intersystem dependency on a joint event probability (e.g. a fire resulting in the loss of two systems).
- Intercomponent dependency (e.g. battery overrun).
Dependent events must be considered not only in the quantification, but also in the definition of the accident sequences in the PSA. Common cause failures are modeled using common cause basic events, which are basic events that represent multiple failures of components from shared root causes. The common cause basic events are quantified through the selection of an appropriate [70] common cause model (e.g. Beta factor, Multiple Greek letters and Alpha factor). Two types of results are obtained in a fault tree evaluation: qualitative and quantitative results. Qualitative results include:
- Minimal cut sets (combinations of component failures causing system failure).
- Qualitative importance (qualitative rankings of contributions to system failure).
- Common cause potentials (minimal cut sets potentially susceptible to a single failure cause).
The quantitative results include:
- Numerical probabilities (probabilities of system and cut set failures).
- Quantitative importance (quantitative ranking of contributions to system failure).
- Sensitivity evaluations (effects of changes in models and data, error determinations).
For the qualitative evaluations, the minimal cut sets are obtained by Boolean reduction, using the laws of Boolean algebra given in Table 3-1. The basic steps of Boolean reduction are:
- Express the fault tree logic as a Boolean equation.
- Apply the rules of Boolean algebra to reduce terms.
- Treat the result as a reduced form of the Boolean equation.
- Redraw the fault tree diagram to identify the fault relationships.
The classic fault tree is mathematically represented [20, 53] by a set of Boolean equations:

$G_i = f(G_p, B_j, H_s); \quad i, p \in \{1..P\},\ j \in \{1..J\},\ s \in \{1..S\}$ (3.28)

Where:
$G_p$ - Gate p.
$B_j$ - Basic event j.
$H_s$ - House event s.
P - Number of gates in the fault tree.
J - Number of basic events in the fault tree.
S - Number of house events.
The qualitative importance of the cut sets is identified by ordering the minimal cut sets according to their size (number of basic events in the set). Because the failure probabilities associated with the minimal cut sets often decrease by orders of magnitude as the size of the cut set increases, the ranking according to size gives a gross indication of the importance of the minimal cut set. The identified minimal cut sets are screened in order to identify those that are potentially susceptible to common cause failures.

Table 3-1 Laws of Boolean algebra
Boolean Law | Expression
Commutative Law | X+Y=Y+X; XY=YX
Associative Law | (X+Y)+Z=X+(Y+Z); (XY)Z=X(YZ)
Distributive Law | X(Y+Z)=XY+XZ; (X+Y)Z=XZ+YZ
Identity Law | XX=X; X+X=X
Redundancy Law | X(X+Y)=X; X+XY=X
Complementary Law | X+X'=1; XX'=0; (X')'=X
De Morgan's Theorem | (XY)'=X'+Y'; (X+Y)'=X'Y'

The quantitative fault tree evaluation includes the following steps:
- Determination of the component failure probabilities.
- Calculation of the minimal cut set probabilities.
- Calculation of the system failure (top event) probability (unavailability).
The quantitative measures of the importance of each cut set and of each component (basic event) can also be obtained. The term component represents any basic primary event shown in the event tree. For components two failure probability models are considered: constant failure rate per time and constant failure rate per cycle. Using these constant failure rate models, time-dependent effects such as component burn-in and wear-out are ignored. The calculation of the component unreliability for the constant failure rate per time model is described in section 3.1 and given by Eq. (3.5). The failure rate $\lambda$ can be either a standby failure rate or an operating failure rate. For a standby failure rate $\lambda$, the time period t used in Eq. (3.5) should be the standby time; for an operating failure rate, t is the actual operating time period. For components that have both operational modes, the proper failure rate should be used with the proper time period. For nonrepairable components the component unreliability is equal to the component unavailability, therefore:

$Q(t) \approx \lambda \cdot t$ (3.29)

Where:
Q(t) - Component unavailability at time t.
$\lambda$ - Component failure rate.
For repairable failures, the component unavailability Q(t) is not equal to the unreliability. If the repair process restores the component to a state where it is essentially as good as new, the unavailability of the component is calculated using one of two approaches. The first approach applies when the component is monitored; in this case the unavailability Q(t) quickly reaches a constant asymptotic value $Q_M$ given by:

$Q_M = \dfrac{\lambda \cdot T_D}{1 + \lambda \cdot T_D} \approx \lambda \cdot T_D$ (3.30)

Where:
$Q_M$ - Unavailability of the monitored component.
$T_D$ - The average online downtime, obtained by statistically averaging the downtime distribution.
$\lambda$ - Component failure rate.
For components that are not monitored but periodically tested, any failures occurring are not detectable until the test is performed. The total average unavailability $Q_T$ of periodically tested components is given as:

$Q_T = \dfrac{\lambda \cdot T}{2} + \lambda \cdot T_R$ (3.31)

Where:
$Q_T$ - Unavailability of the periodically tested component.
$T_R$ - The average repair time, obtained from downtime considerations.
T - The interval of the periodic tests.
$\lambda$ - Component failure rate.
In general, $T_R$ is small compared to T; therefore Eq. (3.31) can be approximated as:

$Q_T \approx \dfrac{\lambda \cdot T}{2}, \quad T_R \ll T$ (3.32)

The constant failure rate per cycle model, also called the p-model, is applied when failures are inherent to the component and are not caused by external mechanisms associated with the exposure time. The reliability characteristics of the p-model are based on the single characterizing value p, the probability of failure per cycle or per demand. For n demands in time t and assuming independent failures, the reliability ($R_c$) and the unavailability ($Q_c$) are given by:

$R_c = 1 - Q_c = (1 - p)^n$ (3.33)

$Q_c \approx np, \quad np < 0.1$ (3.34)

Where:
$R_c$ - The reliability of the component.
$Q_c$ - The component unavailability.
n - Number of cycles.
p - The probability of failure per cycle.
As noted in the above equations, the reliability and the unavailability do not depend explicitly on time but on the number of cycles (demands) occurring in that time. Once the reliability characteristics of the components (basic events) are obtained, the reliability characteristics of the minimal cut sets can be evaluated. For the fault tree of a standby system, such as a nuclear safety system, the characteristic of principal concern is the minimal cut set unavailability, denoted $Q_{MCS}$:

$Q_{MCS_i} = Q_{B_1} \cdot Q_{B_2 \mid B_1} \cdot Q_{B_3 \mid B_1 \cap B_2} \cdots Q_{B_m \mid B_1 \cap B_2 \cap \ldots \cap B_{m-1}}$ (3.35)

Where:
$Q_{MCS_i}$ - The minimal cut set i probability.
$Q_{B_j}$ - The probability of occurrence of basic event $B_j$ (component unavailability).
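The unavailability models of Eqs. (3.29) to (3.34) feed directly into the cut set product of Eq. (3.36) and the inclusion-exclusion expansion of Eq. (3.38) that follow in the next paragraph. The Python block below is an added example, not the thesis's FTASYS code: it implements each model, adds an exact time-average check of the λT/2 approximation in Eq. (3.32), and then quantifies a small constructed set of minimal cut sets three ways (the rare-event sum, the minimal cut set upper bound, and the exact inclusion-exclusion expansion), finishing with the probability truncation described in section 3.2.1. The component names, failure rates, test intervals and downtimes are all constructed for illustration.

```python
import math
from itertools import combinations

# Added example (not from the thesis or FTASYS): the basic event unavailability
# models of Eqs. (3.29)-(3.34) and the minimal cut set / top event quantification
# of Eqs. (3.36) and (3.38). All rates, intervals and names are constructed.


def q_nonrepairable(lam, t):
    """Unavailability = unreliability for a nonrepairable component, 1 - exp(-lambda t);
    Eq. (3.29) keeps the first-order form lambda*t."""
    return 1.0 - math.exp(-lam * t)


def q_monitored(lam, t_d):
    """Asymptotic unavailability of a monitored, repairable component, Eq. (3.30)."""
    return lam * t_d / (1.0 + lam * t_d)


def q_periodically_tested(lam, t_test, t_r=0.0):
    """Average unavailability of a periodically tested component, Eq. (3.31)."""
    return lam * t_test / 2.0 + lam * t_r


def q_periodically_tested_exact(lam, t_test):
    """Exact time average of 1 - exp(-lambda t) over one test interval (repair
    ignored): 1 - (1 - exp(-lambda T)) / (lambda T). Added as a check that the
    lambda*T/2 of Eq. (3.32) is a slight overestimate."""
    x = lam * t_test
    return 1.0 - (1.0 - math.exp(-x)) / x


def q_per_demand(p, n):
    """p-model, Eq. (3.33): Q_c = 1 - (1 - p)^n, about n*p when n*p < 0.1 (Eq. (3.34))."""
    return 1.0 - (1.0 - p) ** n


def cut_set_probability(cut_set, q):
    """Q_MCS as the product of independent basic event unavailabilities, Eq. (3.36)."""
    prob = 1.0
    for event in cut_set:
        prob *= q[event]
    return prob


def top_event_exact(cut_sets, q):
    """Inclusion-exclusion over the minimal cut sets, Eq. (3.38). With independent
    basic events, the joint occurrence of several cut sets has the probability of
    the product over the union of their events."""
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        for combo in combinations(cut_sets, k):
            total += (-1) ** (k + 1) * cut_set_probability(frozenset().union(*combo), q)
    return total


def top_event_rare_event(cut_sets, q):
    """First term of Eq. (3.38) only: the rare-event approximation, an upper bound."""
    return sum(cut_set_probability(c, q) for c in cut_sets)


def top_event_min_cut_upper_bound(cut_sets, q):
    """1 - prod(1 - Q_MCS): tighter than the rare-event sum, and exact when no
    two cut sets share a basic event."""
    prod = 1.0
    for c in cut_sets:
        prod *= 1.0 - cut_set_probability(c, q)
    return 1.0 - prod


def truncate(cut_sets, q, cutoff):
    """Probability truncation: keep the cut sets whose Q_MCS is at least the truncation value."""
    return [c for c in cut_sets if cut_set_probability(c, q) >= cutoff]


# Constructed standby system: two pumps P1, P2 tested every 720 h with an 8 h mean
# repair time, a monitored breaker BRK with a 24 h mean downtime, and a valve V
# that fails on demand. Rates are per hour; all values are illustrative only.
Q = {
    "P1": q_periodically_tested(1e-5, 720.0, 8.0),
    "P2": q_periodically_tested(1e-5, 720.0, 8.0),
    "BRK": q_monitored(1e-5, 24.0),
    "V": q_per_demand(1e-3, 1),
}
# Minimal cut sets of the top event "no flow": the breaker fails, or the valve
# fails on demand, or both pumps are unavailable.
MCS = [frozenset({"BRK"}), frozenset({"V"}), frozenset({"P1", "P2"})]


if __name__ == "__main__":
    for c in MCS:
        print(sorted(c), cut_set_probability(c, Q))
    print("rare-event sum:", top_event_rare_event(MCS, Q))
    print("min cut upper bound:", top_event_min_cut_upper_bound(MCS, Q))
    print("exact, Eq. (3.38):", top_event_exact(MCS, Q))
    print("kept after truncation at 1e-4:", [sorted(c) for c in truncate(MCS, Q, 1e-4)])
```

Because the three constructed cut sets share no basic event, the exact expansion and the minimal cut set upper bound coincide here and the rare-event sum sits slightly above them; the difference between the methods only opens up when cut sets overlap, which the test case with two cut sets sharing an event shows.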
Assuming the component failures are mutually independent [20], and recalling from section 3.1 that the probability of an intersection is simply the product of the component probabilities, the following expression for the calculation of the minimal cut set probability results:

$Q_{MCS_i} = \prod_{j=1}^{m} Q_{B_j}$ (3.36)

Where:
$Q_{MCS_i}$ - The minimal cut set i probability.
$Q_{B_j}$ - The probability of occurrence of basic event $B_j$ (component unavailability).
m - Number of basic events in minimal cut set i.
The probability of occurrence of basic event $B_j$ is expressed as:

$Q_{B_j} = Q_{B_j}(T_j, \lambda_j, q_j)$ (3.37)

Where:
$T_j$ - Considered time interval.
$\lambda_j$ - Failure rate of the equipment modelled in basic event j.
$q_j$ - Probability of failure of the equipment modelled in basic event j.
Once the minimal cut sets are quantified, the next step is the determination of the system unavailability (top event probability), denoted $Q_{GD}$ and defined as the probability that the system is down at a specific time point and unable to operate if called on. The top event probability is given as:

$Q_{GD} = \sum_{i=1}^{n} Q_{MCS_i} - \sum_{i<j} Q_{MCS_i \cap MCS_j} + \sum_{i<j<k} Q_{MCS_i \cap MCS_j \cap MCS_k} - \ldots + (-1)^{n-1} Q_{\bigcap_{i=1}^{n} MCS_i}$ (3.38)

Principle/method | Brief description | Category
Safety margin | An (additive) margin is used for acceptable system performance as a precautionary measure. | 2
Stress margins | The system is designed so that statistical variations in stresses do not lead to failure. | 2
Screening | Control measure to eliminate components that may pass operating tests for specific parameters but show signs of possible future failure (or reduced sustainability). | 3, 4
Safety barriers | Physical barriers providing multiple layers of protection; if one layer fails, the next will protect from system failure. | 3
Reliability | A measure of system failure rate. High reliability against certain types of failures is necessary for system safety. | 3
Redundancy | Method of achieving reliability for important system functions. Redundant parts protect the system in case of failure of one part. | 3
Diversity | Redundant system parts are given different design characteristics, to avoid a failure from a common cause causing failure in all redundant parts. | 3
Segregation (Independence, Isolation) | Redundant parts should not be dependent on each other. A malfunction in one part should not have any consequences for a redundant part. One way to avoid this is to keep the parts physically apart. | 3
Fail-safe design | Even if a failure of one part occurs, the system remains safe, often by system shutdown or by entering a "safe mode" where several events are not permitted. | 3
Proven design | Relying on design that has been proven by the "test of time", i.e. using solutions or materials that have been used on many occasions and over time without failure. | 3
Single failure criterion (Independent malfunction) | Design criterion stating that a failure of a single system part should not lead to system failure. System failure should only be possible in case of independent malfunctions. | 3
Pilotability (safe information load) | The system operator should have access to the control means necessary to prevent failure, and the work should not be too difficult to perform. | 3
Quality | Reliance on materials, constructions etc. of proven quality for system design. | 3, 4
Operational interface control | Focusing on controlling the interface between humans and (the rest of) the system and equipment. For example, using interlocks to prevent human actions from having harmful consequences. | 3
Environmental control | The environment should be controlled so that it cannot cause failures. Especially, neither extremes of normal environmental fluctuations nor energetic events such as fire should be able to cause failures. | 4
Operating and maintenance procedures | Automatic as well as manual procedures are used as a defense against failures. Training in order to follow procedures is a part of such safety procedures. | 4
Job study observations | Identifying potential causes through collecting data from observations and audits, e.g. interviewing staff about potential or existent hazardous practices. | 4
Controlling behavior | Controlling certain types of behavior (e.g. alcohol and drug abuse, lack of sleep), e.g. by tests and audits. | 4
Standards | Standardized solutions of system design, material usage, maintenance procedures etc. Standards may be applied to all areas of safety engineering. | 1–4
Timed replacement | Replacing components before their performance has decreased, as a precautionary procedure. This can be done regularly without any signs of decreased performance, or by using indicators of potential failure such as component degradation or drift. | 4
Procedural safeguards | Procedures such as instructions to operators to take or avoid specific actions in general or in special circumstances. | 4
Warnings | Warning devices and information are provided when control measures are insufficient (or in addition to them). |

APPENDIX B. SUBSTATION CONFIGURATIONS

The substations have different complexity, which depends on their configuration (single bus, sectionalized single bus, breaker-and-a-half, double bus double breaker, and ring bus), the number of generators, the number of lines and the number of loads connected to them. The configurations of the substations used in the analysis are given in the following sections.

I.1 IEEE Test System

The IEEE test system includes 24 substations; 7 substations have configurations identical to others, so there are 17 unique substation configurations. Fault trees are developed for all substations. Figure B-1 shows the configuration of substation 1 of the IEEE RTS. The components (e.g. buses, disconnect switches and circuit breakers) which are active in the normal regime (i.e. closed) and the components which are not active (i.e. open) are identified in Figure B-1 using different coloring schemes. Components in blue are normally open.
When the protection identifies a fault (e.g. a short circuit to ground or between phases), the connected elements (lines, load and generators) are transferred from the primary to the secondary bus by disconnecting the active elements and transferring the energy through the secondary bus. The following naming procedure is used for the substation components and their corresponding fault trees: the first letters identify the component type (e.g. bus, disconnect switch, circuit breaker), the following two digits identify the substation number and the last three digits identify the component. For example, DS01011 identifies

Substation 2 has the same scheme as substation 1, therefore the same FT is used.
Substations 5 and 6 have the same configuration as substation 4.
Substation 10 has the same scheme as substation 9, therefore the same FT is used.
Substation 12 has the same scheme as substation 11, therefore the same FT is used.
Substation 18 has the same scheme as substation 16, therefore the same FT is used.
Substation 19 has the same scheme as substation 8, therefore the same FT is used.

I.2 Slovenian power system

Configurations of the substations in the Slovenian power system are given in the following

APPENDIX C. VERIFICATION OF THE METHOD AND COMPUTER CODE

The verification of the method and of the corresponding computer code FTASYS is done by comparing the obtained results with those obtained from commercial software for small example systems. The verification is done in two steps:
- Verification of the fault tree (FT) construction and of the identification of the minimal cut sets (MCS).
- Verification of the results obtained for the load flow calculations.

The verification of the FT construction and MCS identification is done by comparing the results obtained from FTASYS with those calculated by commercial software for several small example systems. The FT built by FTASYS is converted to a format compatible with the commercial software.
The built FT is inspected. The next step is the identification of the list of MCS with the commercial software and its comparison with the list of MCS obtained from FTASYS. The results showed that:
1. Program FTASYS builds the FT in accordance with the method.
2. Program FTASYS identifies the same MCS as the commercial software, verifying the software section responsible for qualitative FT analysis.

The test systems and a part of the obtained results are given in the following sections.

I.1 Verification of FT construction and MCS identification

The configuration of the simplest test system, 3NET.v1, consisting of three substations, each with a generator and a load, interconnected with three power lines, is given on Figure C-35. All energy flow paths are accounted for during the construction of the FT for the loads. The FT built for the power delivery to the load in substation 1 is given on Figure C-36.

Table C-2 Identified MCS for test system 3NET.v1
MCS No. | Event 1 | Event 2 | Event 3 | Event 4
1 | B1-101
2 | G2 101-1 | L1-101 102 | L1-101 103
3 | G2 101-1 | G2 102-1 | G2 103-2
4 | B1-102 | G2 101-1 | L1-101 103
5 | B1-103 | G2 101-1 | G2 102-1
6 | B1-103 | G2 101-1 | L1-101 102
7 | B1-102 | G2 101-1 | G2 103-2
8 | B1-102 | B1-103 | G2 101-1
9 | G2 101-1 | G2 102-1 | L1-101 103 | L1-102 103
10 | G2 101-1 | G2 103-2 | L1-101 102 | L1-102 103

The test system 4NET.v1, which has one additional bus compared to 3NET.v1, is shown on Figure C-37. The FT built for load 1 in the test system 4NET.v1 is shown on Figure C-38. Comparison of the FTs for power delivery to load 1 in the test systems 3NET.v1 and 4NET.v1 shows the increase of the size and complexity of the built FT resulting from the addition of one interconnection and one substation.

Table C-3 Identified MCS for test system 4NET.v1
MCS No. | Event 1 | Event 2 | Event 3 | Event 4 | Event 5
1 | B1-101
2 | G2 101-1 | L1-101 102 | L1-101 103 | L1-101 104
3 | G2 101-1 | G2 102-1 | G2 103-2 | L1-101 104
4 | G2 101-1 | G2 104-2 | L1-101 102 | L1-101 103
5 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2
6 | B1-102 | G2 101-1 | L1-101 103 | L1-101 104
7 | B1-103 | G2 101-1 | G2 102-1 | L1-101 104
8 | B1-104 | G2 101-1 | L1-101 102 | L1-101 103
9 | B1-103 | G2 101-1 | L1-101 102 | L1-101 104
10 | B1-102 | G2 101-1 | G2 104-2 | L1-101 103
11 | B1-102 | G2 101-1 | G2 103-2 | L1-101 104
12 | B1-103 | G2 101-1 | G2 102-1 | G2 104-2
13 | B1-104 | G2 101-1 | G2 102-1 | G2 103-2
14 | B1-103 | G2 101-1 | G2 104-2 | L1-101 102
15 | B1-102 | G2 101-1 | G2 103-2 | G2 104-2
16 | B1-102 | B1-103 | G2 101-1 | L1-101 104
17 | B1-102 | B1-104 | G2 101-1 | L1-101 103
18 | B1-103 | B1-104 | G2 101-1 | G2 102-1
19 | B1-103 | B1-104 | G2 101-1 | L1-101 102
20 | B1-102 | B1-103 | G2 101-1 | G2 104-2
21 | B1-102 | B1-104 | G2 101-1 | G2 103-2
22 | G2 101-1 | G2 102-1 | L1-101 103 | L1-101 104 | L1-102 103
23 | B1-102 | B1-103 | B1-104 | G2 101-1
24 | G2 101-1 | G2 102-1 | G2 104-2 | L1-101 103 | L1-102 103
25 | G2 101-1 | G2 103-2 | L1-101 102 | L1-101 104 | L1-102 103
26 | G2 101-1 | G2 103-2 | G2 104-2 | L1-101 102 | L1-102 103
27 | B1-104 | G2 101-1 | G2 102-1 | L1-101 103 | L1-102 103
28 | B1-104 | G2 101-1 | G2 103-2 | L1-101 102 | L1-102 103

The test system 4NET.v2, which has a configuration similar to 4NET.v1 but with changed interconnections to substation four, is shown on Figure C-39. The FT constructed for load 1 in the 4NET.v2 test system is shown on Figure C-40. The growth of the FT with the number of interconnections is demonstrated on Figure C-40. The list of MCS for the test system 4NET.v2 given on Figure C-39, with the FT shown on Figure C-40, is given in Table C-4. The same MCS are identified with FTASYS.

Table C-4 Identified MCS for test system 4NET.v2
MCS No. | Event 1 | Event 2 | Event 3 | Event 4 | Event 5 | Event 6
1 | B1-101
2 | G2 101-1 | L1-101 102 | L1-101 103
3 | B1-102 | G2 101-1 | L1-101 103
4 | B1-103 | G2 101-1 | L1-101 102
5 | B1-102 | B1-103 | G2 101-1
6 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2
7 | B1-103 | G2 101-1 | G2 102-1 | L1-102 104
8 | B1-102 | G2 101-1 | G2 103-2 | L1-103 104
9 | B1-103 | G2 101-1 | G2 102-1 | G2 104-2
10 | B1-104 | G2 101-1 | G2 102-1 | G2 103-2
11 | B1-102 | G2 101-1 | G2 103-2 | G2 104-2
12 | B1-103 | B1-104 | G2 101-1 | G2 102-1
13 | B1-102 | B1-104 | G2 101-1 | G2 103-2
14 | G2 101-1 | G2 102-1 | L1-101 103 | L1-102 103 | L1-102 104
15 | G2 101-1 | G2 103-2 | L1-101 102 | L1-102 103 | L1-103 104
16 | G2 101-1 | G2 102-1 | G2 103-2 | L1-102 104 | L1-103 104
17 | B1-104 | G2 101-1 | G2 102-1 | L1-101 103 | L1-102 103
18 | B1-104 | G2 101-1 | G2 103-2 | L1-101 102 | L1-102 103
19 | G2 101-1 | G2 102-1 | G2 104-2 | L1-101 103 | L1-102 103 | L1-103 104
20 | G2 101-1 | G2 103-2 | G2 104-2 | L1-101 102 | L1-102 103 | L1-102 104

The test system 4NET.v3, in which all substations are interconnected, is shown on Figure C-41. The FT constructed for 4NET.v3 is omitted from the results for reasons of space.

Table C-5 Identified MCS for test system 4NET.v3
MCS No. | Event 1 | Event 2 | Event 3 | Event 4 | Event 5 | Event 6
1 | B1-101
2 | G2 101-1 | L1-101 102 | L1-101 103 | L1-101 104
3 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2
4 | B1-102 | G2 101-1 | L1-101 103 | L1-101 104
5 | B1-104 | G2 101-1 | L1-101 102 | L1-101 103
6 | B1-103 | G2 101-1 | L1-101 102 | L1-101 104
7 | B1-104 | G2 101-1 | G2 102-1 | G2 103-2
8 | B1-103 | G2 101-1 | G2 102-1 | G2 104-2
9 | B1-102 | G2 101-1 | G2 103-2 | G2 104-2
10 | B1-102 | B1-103 | G2 101-1 | L1-101 104
11 | B1-102 | B1-104 | G2 101-1 | L1-101 103
12 | B1-103 | B1-104 | G2 101-1 | G2 102-1
13 | B1-103 | B1-104 | G2 101-1 | L1-101 102
14 | B1-102 | B1-104 | G2 101-1 | G2 103-2
15 | B1-102 | B1-103 | G2 101-1 | G2 104-2
16 | B1-102 | B1-103 | B1-104 | G2 101-1
17 | B1-104 | G2 101-1 | G2 102-1 | L1-101 103 | L1-102 103
18 | B1-103 | G2 101-1 | G2 102-1 | L1-101 104 | L1-102 104
19 | B1-104 | G2 101-1 | G2 103-2 | L1-101 102 | L1-102 103
20 | B1-102 | G2 101-1 | G2 104-2 | L1-101 103 | L1-103 104
21 | B1-102 | G2 101-1 | G2 103-2 | L1-101 104 | L1-103 104
22 | B1-103 | G2 101-1 | G2 104-2 | L1-101 102 | L1-102 104
23 | G2 101-1 | G2 102-1 | L1-101 103 | L1-101 104 | L1-102 103 | L1-102 104
24 | G2 101-1 | G2 102-1 | G2 104-2 | L1-101 103 | L1-102 103 | L1-103 104
25 | G2 101-1 | G2 103-2 | L1-101 102 | L1-101 104 | L1-102 103 | L1-103 104
26 | G2 101-1 | G2 102-1 | G2 103-2 | L1-101 104 | L1-102 104 | L1-103 104
27 | G2 101-1 | G2 103-2 | G2 104-2 | L1-101 102 | L1-102 103 | L1-102 104
28 | G2 101-1 | G2 104-2 | L1-101 102 | L1-101 103 | L1-102 104 | L1-103 104

The test system 5NET.v1, which has one additional substation connected through one line compared to the test system 4NET.v3, is given on Figure C-42.

Table C-6 First 20 identified MCS from a total of 82 for test system 5NET.v1
MCS No. | Event 1 | Event 2 | Event 3 | Event 4 | Event 5
1 | B1-101
2 | G2 101-1 | L1-101 102 | L1-101 103 | L1-101 104 | L1-101 105
3 | G2 101-1 | G2 105-2 | L1-101 102 | L1-101 103 | L1-101 104
4 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2 | L1-101 105
5 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2 | G2 105-2
6 | B1-102 | G2 101-1 | L1-101 103 | L1-101 104 | L1-101 105
7 | B1-105 | G2 101-1 | L1-101 102 | L1-101 103 | L1-101 104
8 | B1-104 | G2 101-1 | L1-101 102 | L1-101 103 | L1-101 105
9 | B1-103 | G2 101-1 | L1-101 102 | L1-101 104 | L1-101 105
10 | B1-102 | G2 101-1 | G2 105-2 | L1-101 103 | L1-101 104
11 | B1-103 | G2 101-1 | G2 102-1 | G2 104-2 | L1-101 105
12 | B1-104 | G2 101-1 | G2 102-1 | G2 103-2 | L1-101 105
13 | B1-103 | G2 101-1 | G2 105-2 | L1-101 102 | L1-101 104
14 | B1-104 | G2 101-1 | G2 105-2 | L1-101 102 | L1-101 103
15 | B1-102 | G2 101-1 | G2 103-2 | G2 104-2 | L1-101 105
16 | B1-104 | G2 101-1 | G2 102-1 | G2 103-2 | G2 105-2
17 | B1-105 | G2 101-1 | G2 102-1 | G2 103-2 | G2 104-2
18 | B1-103 | G2 101-1 | G2 102-1 | G2 104-2 | G2 105-2
19 | B1-102 | G2 101-1 | G2 103-2 | G2 104-2 | G2 105-2
20 | B1-102 | B1-104 | G2 101-1 | L1-101 103 | L1-101 105

The two additional versions of the 5NET test system used during the verification are given on Figure C-43 and Figure C-44. The difference between 5NET.v1 and 5NET.v2 and 5NET.v3 is the additional interconnections to the newly added substation. The eight-bus system, the last test system for which inspection of the built FT is done, is shown on Figure C-45. Program FTASYS passed all tests for FT construction, verifying the obtained results.

Figure C-45 Test system 8NET.v1

The IEEE RTS is used for the final examination of FTASYS and of the module for MCS identification. The commercial software calculated about 200000 MCS before demodularization for the house load of the NPP situated in substation 18 of the IEEE RTS. In the final results only 121 MCS are identified. In FTASYS, 4087 MCS are identified for the house load of the NPP in substation 18.
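The flow-path logic behind Tables C-2 to C-5, as an added example that is neither FTASYS code nor the commercial software: it rebuilds the three smallest test systems from the tables (the bus numbers and interconnections are assumptions read off the MCS lists, since the figures are not on the page), enumerates combinations of failed components for the load at bus 101 up to a maximum order, and keeps only the minimal ones. Event names are simplified forms of the thesis names (B1-101, G2-101, L1-101-102), and the maximum order plays the role of the "maximum BE in MCS" truncation limit.

```python
"""Minimal cut set (MCS) enumeration for the small FTASYS test networks.

Constructed example, not FTASYS code. Each test system has one bus, one
generator and one load per substation plus the listed interconnections.
The load at bus 101 is supplied while its bus is intact and either its own
generator runs or a path of intact lines and buses reaches another bus whose
generator runs. Every combination of failed components up to a maximum
order is tested and only the minimal failing combinations are kept.
"""
from itertools import combinations

# Test systems reconstructed from the MCS tables: bus numbers and lines.
NET3_V1 = ([101, 102, 103], [(101, 102), (101, 103), (102, 103)])
NET4_V1 = ([101, 102, 103, 104],
           [(101, 102), (101, 103), (101, 104), (102, 103)])
NET4_V2 = ([101, 102, 103, 104],
           [(101, 102), (101, 103), (102, 103), (102, 104), (103, 104)])

# Table C-2 of the thesis, written with the simplified event names.
TABLE_C2 = {
    frozenset({"B1-101"}),
    frozenset({"G2-101", "L1-101-102", "L1-101-103"}),
    frozenset({"G2-101", "G2-102", "G2-103"}),
    frozenset({"B1-102", "G2-101", "L1-101-103"}),
    frozenset({"B1-103", "G2-101", "G2-102"}),
    frozenset({"B1-103", "G2-101", "L1-101-102"}),
    frozenset({"B1-102", "G2-101", "G2-103"}),
    frozenset({"B1-102", "B1-103", "G2-101"}),
    frozenset({"G2-101", "G2-102", "L1-101-103", "L1-102-103"}),
    frozenset({"G2-101", "G2-103", "L1-101-102", "L1-102-103"}),
}


def component_names(buses, lines):
    """All basic events of a test system: one bus and one generator per
    substation plus one event per interconnection."""
    names = [f"B1-{b}" for b in buses] + [f"G2-{b}" for b in buses]
    names += [f"L1-{a}-{b}" for a, b in lines]
    return names


def load_supplied(load_bus, buses, lines, failed):
    """True if the load at load_bus is still fed when the components in
    `failed` are out of service (depth-first search over intact lines)."""
    if f"B1-{load_bus}" in failed:
        return False                      # own bus lost: no supply path at all
    if f"G2-{load_bus}" not in failed:
        return True                       # local generator covers the load
    alive = {b for b in buses if f"B1-{b}" not in failed}
    adj = {b: set() for b in alive}
    for a, b in lines:
        if f"L1-{a}-{b}" not in failed and a in alive and b in alive:
            adj[a].add(b)
            adj[b].add(a)
    seen, stack = {load_bus}, [load_bus]
    while stack:
        cur = stack.pop()
        if cur != load_bus and f"G2-{cur}" not in failed:
            return True                   # reached a bus with a running generator
        for nxt in adj[cur] - seen:
            seen.add(nxt)
            stack.append(nxt)
    return False


def minimal_cut_sets(load_bus, buses, lines, max_order=None):
    """Enumerate failure combinations by increasing order and keep only the
    minimal ones. max_order mirrors the 'maximum BE in MCS' truncation limit."""
    names = component_names(buses, lines)
    limit = max_order or len(names)
    mcs = []
    for order in range(1, limit + 1):
        for combo in combinations(names, order):
            s = frozenset(combo)
            # A smaller cut set already inside s means s is not minimal.
            if any(m <= s for m in mcs):
                continue
            if not load_supplied(load_bus, buses, lines, s):
                mcs.append(s)
    return mcs


def matches_table_c2():
    """Check the enumeration against the MCS list published for 3NET.v1."""
    return set(minimal_cut_sets(101, *NET3_V1)) == TABLE_C2


if __name__ == "__main__":
    for name, net in (("3NET.v1", NET3_V1), ("4NET.v1", NET4_V1),
                      ("4NET.v2", NET4_V2)):
        cuts = minimal_cut_sets(101, *net)
        print(f"{name}: {len(cuts)} MCS for the load at bus 101")
        for c in sorted(cuts, key=lambda s: (len(s), sorted(s))):
            print("   ", " ".join(sorted(c)))
    print("3NET.v1 matches Table C-2:", matches_table_c2())
```

Running it reproduces the 10 MCS of Table C-2 and the 28 and 20 MCS of Tables C-3 and C-4; lowering max_order drops the higher-order cut sets exactly as a truncation limit would.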
The truncation limits used during the analysis with the commercial software were a maximum of 5 BE in an MCS and a probability cutoff of $Q_{MCS} < 10^{-12}$. Changing the truncation limits in the commercial software did not increase the number of identified MCS. In the developed computer code the default truncation limits used in the analysis are a maximum of 7 BE in an MCS and a probability cutoff of $Q_{MCS} < 10^{-14}$. These truncation limits were changed for the specified loads. The comparison of the MCS verified the MCS identification module in the developed computer code.

I.2 Verification of the DC flow calculations

Verification of the results obtained for the approximate DC load flow calculations is performed using MATPOWER, a MATLAB™ power simulation package. MATPOWER Version 3.0.0, freely available, together with MATLAB™ Version 6.5.0 Release 13, commercial software from The MathWorks, Inc., is used in the analysis. The analysis of the errors of the approximate DC model is done for the load flows through each line. The error is defined as:

$$\delta_p(\%) = \frac{\delta_{p1}(\%) + \delta_{p2}(\%)}{2} \qquad \text{C-(1)}$$

where δp1 is the error of the calculated power flow at the start of the line and δp2 the error of the calculated power flow at the end of the line:

$$\delta_{p1}(\%) = 100 \cdot \frac{Pl_{DC1} - Pl_{AC1}}{Pl_{AC1}} \qquad \text{C-(2)}$$

$$\delta_{p2}(\%) = 100 \cdot \frac{Pl_{DC2} - Pl_{AC2}}{Pl_{AC2}} \qquad \text{C-(3)}$$

The errors of the reactive power flows are calculated with the same approach. The errors of the calculated voltages are calculated using the relation:

$$\delta_u(\%) = 100 \cdot \frac{U_{DC} - U_{AC}}{U_n} = U_{DC}(\%) - U_{AC}(\%) \qquad \text{C-(4)}$$

The power flows and voltages are calculated and compared for the IEEE test system in the normal regime (no failed lines) using two of the five MATPOWER power flow solvers. runpf is the default power flow solver, based on the standard Newton's method with a full Jacobian. The second method is the DC power flow, obtained by executing the rundcpf solver. The difference δu, calculated with Equation C-(4), between the voltages calculated in MATPOWER using runpf and the voltages obtained from FTASYS is given in Table C-7.
The obtained results verify the module used for voltage calculation in FTASYS.

Table C-7 Difference between calculated voltages
Bus No. | MATPOWER voltage (p.u.) | FTASYS voltage (p.u.) | Difference δu (%)
101 | 1.04 | 1.07 | 3.89
102 | 1.04 | 1.08 | 4.04
103 | 0.99 | 0.99 | 0.85
104 | 1.00 | 1.02 | 2.32
105 | 1.03 | 1.06 | 2.77
106 | 1.09 | 1.10 | 1.43
107 | 1.03 | 1.05 | 2.86
108 | 1.00 | 1.02 | 2.13
109 | 1.01 | 1.01 | 0.95
110 | 1.05 | 1.07 | 1.63
111 | 1.00 | 1.03 | 3.13
112 | 1.01 | 1.04 | 3.01
113 | 1.02 | 1.05 | 2.91
114 | 0.98 | 1.01 | 2.96
115 | 1.01 | 1.01 | -0.01
116 | 1.02 | 1.02 | 0.65
117 | 1.04 | 1.04 | 0.33
118 | 1.05 | 1.05 | 0.22
119 | 1.02 | 1.03 | 1.13
120 | 1.04 | 1.05 | 1.63
121 | 1.05 | 1.05 | 0.13
122 | 1.05 | 1.05 | 0.09
123 | 1.05 | 1.07 | 1.87
124 | 0.98 | 0.99 | 0.74

The power flows calculated by MATPOWER are given in Table C-8. The DC power flow solver included in MATPOWER provides only the active power flows in the system, and it does not account for the off-nominal ratios of transformers. The power flows at the line start (calculated by runpf), the power flows at the line end (calculated by runpf) and the flows calculated using rundcpf are given in Table C-8. The power flows obtained from FTASYS are given in Table C-9. The evaluation of the calculated power flows is done using Eqs. C-(1), C-(2) and C-(3), and the obtained results are given in Table C-10. δpRDC(%) is the relative error of the results obtained from rundcpf with respect to runpf (exact AC model), both from MATPOWER. δpPDC(%) and δqPDC(%) are the relative errors of the active and reactive power flows calculated by FTASYS with respect to runpf. δqPDCS and δqPDCE are the absolute errors of the reactive power flows, given in MVAr, at the start (δqPDCS) and at the end (δqPDCE) of the line, between FTASYS and runpf. The results show that for the active power flows the results from FTASYS differ little from the results of the exact AC model. The relative error decreases as the line power flow increases. The results obtained from FTASYS are equal to or better than those obtained from rundcpf.
There is an error in the reactive power flows δqPDC(%), especially for lines that carry smaller reactive power flows, marked with "*" in Table C-10. This result is expected, given the approximations in the methodology. The absolute errors are small (important for the identification of overloaded lines), and the calculated voltages (important for the identification of violated bus voltages) are comparable to those obtained from the exact AC model, as shown in Table C-7.

Table C-8 Calculated power flows using runpf and rundcpf
Line No. | Start | End | P start (MW) | Q start (MVAr) | P end (MW) | Q end (MVAr) | P rundcpf (MW)
1 | 101 | 102 | 14.1 | -27.7 | -14.1 | -21.7 | 14.5
2 | 101 | 103 | -10.4 | 24.5 | 10.9 | -28.6 | -15.3
3 | 101 | 105 | 60.3 | -10.6 | -59.5 | 11.1 | 64.8
4 | 102 | 104 | 40.0 | 17.2 | -39.4 | -18.4 | 37.9
5 | 102 | 106 | 49.2 | -39.4 | -47.4 | 40.3 | 51.6
6 | 103 | 109 | 30.6 | -25.2 | -30.2 | 23.8 | 37.7
7 | 103 | 124 | -221.5 | 16.7 | 222.6 | 27.3 | -233.0
8 | 104 | 109 | -34.7 | 3.4 | 35.0 | -4.9 | -36.1
9 | 105 | 110 | -11.5 | -25.1 | 11.6 | 23.1 | -6.2
10 | 106 | 110 | -88.6 | -67.1 | 90.2 | -207.0 | -84.4
11 | 107 | 108 | 115.0 | 16.2 | -112.9 | -10.1 | 115.0
12 | 108 | 109 | -35.8 | 4.7 | 36.3 | -7.0 | -39.2
13 | 108 | 110 | -22.3 | -29.6 | 22.8 | 26.9 | -16.8
14 | 109 | 111 | -94.4 | -18.3 | 94.6 | 26.5 | -93.9
15 | 109 | 112 | -121.7 | -29.6 | 122.1 | 43.4 | -118.7
16 | 110 | 111 | -145.1 | 63.9 | 145.6 | -44.4 | -138.7
17 | 110 | 112 | -174.6 | 53.1 | 175.2 | -27.1 | -163.8
18 | 111 | 113 | -105.2 | -37.8 | 105.9 | 33.5 | -83.2
19 | 111 | 114 | -135.0 | 55.7 | 136.1 | -55.0 | -149.4
20 | 112 | 113 | -56.7 | -20.3 | 56.9 | 11.7 | -38.5
21 | 112 | 123 | -240.5 | 4.0 | 247.4 | 29.8 | -243.9
22 | 113 | 123 | -239.9 | 9.8 | 246.0 | 19.2 | -250.7
23 | 114 | 116 | -330.1 | -4.9 | 335.8 | 63.6 | -343.4
24 | 115 | 116 | 103.7 | -31.0 | -103.5 | 29.2 | 105.8
25 | 115 | 121 | -216.0 | -43.0 | 218.8 | 55.0 | -220.4
26 | 115 | 121 | -216.0 | -43.0 | 218.8 | 55.0 | -220.4
27 | 115 | 124 | 226.2 | 43.6 | -222.6 | -27.3 | 233.0
28 | 116 | 117 | -320.9 | -36.2 | 323.9 | 56.5 | -326.3
29 | 116 | 119 | 143.6 | -45.2 | -143.0 | 45.1 | 143.6
30 | 117 | 118 | -185.3 | -61.0 | 186.0 | 62.6 | -184.6
31 | 117 | 122 | -138.7 | 4.5 | 141.2 | -9.6 | -141.7
32 | 118 | 121 | -59.5 | 4.3 | 59.6 | -9.5 | -58.8
33 | 118 | 121 | -59.5 | 4.3 | 59.6 | -9.5 | -58.8
34 | 119 | 120 | -19.0 | -41.1 | 19.1 | 32.9 | -18.7
35 | 119 | 120 | -19.0 | -41.1 | 19.1 | 32.9 | -18.7
36 | 120 | 123 | -83.1 | -45.9 | 83.3 | 42.7 | -82.7
37 | 120 | 123 | -83.1 | -45.9 | 83.3 | 42.7 | -82.7

Table C-9 Calculated power flows in FTASYS
Line No. | Start | End | P start (MW) | Q start (MVAr) | P end (MW) | Q end (MVAr)
1 | 101 | 102 | 14.5 | -40.0 | -14.5 | -13.2
2 | 101 | 103 | -15.3 | 40.8 | 15.3 | -43.4
3 | 101 | 105 | 64.8 | 1.2 | -64.8 | 0.3
4 | 102 | 104 | 37.9 | 31.3 | -37.9 | -31.0
5 | 102 | 106 | 51.6 | -28.4 | -51.6 | 28.4
6 | 103 | 109 | 37.7 | -27.3 | -37.7 | 26.1
7 | 103 | 124 | -236.5 | 35.4 | 236.5 | 10.6
8 | 104 | 109 | -36.1 | 16.9 | 36.1 | -18.4
9 | 105 | 110 | -6.2 | -13.4 | 6.2 | 10.9
10 | 106 | 110 | -84.4 | -73.0 | 84.4 | -210.1
11 | 107 | 108 | 115.0 | 26.5 | -115.0 | -18.2
12 | 108 | 109 | -39.2 | 12.9 | 39.2 | -15.0
13 | 108 | 110 | -16.8 | -27.2 | 16.8 | 24.3
14 | 109 | 111 | -96.7 | -10.4 | 96.7 | 18.8
15 | 109 | 112 | -122.2 | -20.1 | 122.2 | 34.0
16 | 110 | 111 | -140.7 | 66.3 | 140.7 | -45.9
17 | 110 | 112 | -166.2 | 57.2 | 166.2 | -30.3
18 | 111 | 113 | -83.2 | -36.4 | 83.2 | 30.0
19 | 111 | 114 | -149.4 | 63.9 | 149.4 | -62.5
20 | 112 | 113 | -38.5 | -21.4 | 38.5 | 11.5
21 | 112 | 123 | -243.9 | 21.9 | 243.9 | 19.8
22 | 113 | 123 | -250.7 | 31.6 | 250.7 | 9.0
23 | 114 | 116 | -343.4 | 38.0 | 343.4 | 25.3
24 | 115 | 116 | 105.7 | -69.3 | -105.7 | 68.0
25 | 115 | 121 | -220.4 | -40.6 | 220.4 | 57.6
26 | 115 | 121 | -220.4 | -40.6 | 220.4 | 57.6
27 | 115 | 124 | 233.0 | 28.6 | -233.0 | -10.2
28 | 116 | 117 | -326.3 | -18.2 | 326.3 | 42.8
29 | 116 | 119 | 143.6 | -68.0 | -143.6 | 68.4
30 | 117 | 118 | -184.6 | -51.2 | 184.6 | 53.9
31 | 117 | 122 | -141.7 | 10.2 | 141.7 | -11.4
32 | 118 | 121 | -58.8 | 8.9 | 58.8 | -14.0
33 | 118 | 121 | -58.8 | 8.9 | 58.8 | -14.0
34 | 119 | 120 | -18.7 | -53.0 | 18.7 | 45.1
35 | 119 | 120 | -18.7 | -53.0 | 18.7 | 45.1
36 | 120 | 123 | -82.7 | -58.3 | 82.7 | 55.7
37 | 120 | 123 | -82.7 | -58.3 | 82.7 | 55.7

The values of the reactive power flows calculated in FTASYS are larger than the actual ones, verifying that the obtained results are conservative. The obtained results verified the used algorithm and computer code.
Table C-10 Calculated errors of power flows (%)
Line No. | Start | End | δpRDC (%) | δpPDC (%) | δqPDC (%) | δqPDCS (MVAr) | δqPDCE (MVAr)
1 | 101 | 102 | 2.5 | 2.5 | 2.7 | 12.29 | -8.45
2 | 101 | 103 | 46.3 | 43.5 | 59.4 | -16.34 | 14.83
3 | 101 | 105 | 7.4 | 8.2 | -104.3* | -11.82 | 10.82
4 | 102 | 104 | -5.1 | -4.4 | 75.4 | -14.12 | 12.62
5 | 102 | 106 | 4.9 | 6.8 | -28.7 | -10.97 | 11.86
6 | 103 | 109 | 23.0 | 24.0 | 9.1 | 2.15 | -2.29
7 | 103 | 124 | 5.2 | 6.5 | 25.3 | -18.68 | 16.69
8 | 104 | 109 | 4.2 | 3.7 | 337.0* | -13.52 | 13.48
9 | 105 | 110 | -45.8 | -46.3 | -49.7 | -11.72 | 12.19
10 | 106 | 110 | -4.7 | -5.6 | 5.2 | 5.92 | 3.13
11 | 107 | 108 | 0.0 | 0.9 | 72.3 | -10.32 | 8.13
12 | 108 | 109 | 9.6 | 8.8 | 145.9* | -8.24 | 8.02
13 | 108 | 110 | -24.7 | -25.6 | -8.9 | -2.38 | 2.60
14 | 109 | 111 | -0.5 | 2.3 | -36.1 | -7.93 | 7.69
15 | 109 | 112 | -2.5 | 0.3 | -26.9 | -9.48 | 9.43
16 | 110 | 111 | -4.4 | -3.2 | 3.6 | -2.37 | 1.55
17 | 110 | 112 | -6.2 | -5.0 | 9.7 | -4.14 | 3.17
18 | 111 | 113 | -20.9 | -21.2 | -7.1 | -1.41 | 3.50
19 | 111 | 114 | 10.7 | 10.2 | 14.2 | -8.24 | 7.47
20 | 112 | 113 | -32.1 | -32.3 | 1.9 | 1.07 | 0.16
21 | 112 | 123 | 1.4 | 0.0 | 205.0* | -17.87 | 9.95
22 | 113 | 123 | 4.5 | 3.2 | 85.4 | -21.84 | 10.15
23 | 114 | 116 | 4.0 | 3.1 | -471.1* | -42.86 | 38.34
24 | 115 | 116 | 1.9 | 2.0 | 128.2* | 38.30 | -38.79
25 | 115 | 121 | 2.0 | 1.4 | -0.5 | -2.44 | -2.62
26 | 115 | 121 | 2.0 | 1.4 | -0.5 | -2.44 | -2.62
27 | 115 | 124 | 3.0 | 3.8 | -48.5 | 14.96 | -17.09
28 | 116 | 117 | 1.7 | 1.2 | -37.0 | -17.96 | 13.72
29 | 116 | 119 | 0.0 | 0.2 | 51.0 | 22.78 | -23.29
30 | 117 | 118 | -0.4 | -0.5 | -15.0 | -9.79 | 8.73
31 | 117 | 122 | 2.2 | 1.3 | 73.7 | -5.73 | 1.84
32 | 118 | 121 | -1.2 | -1.2 | 78.3 | -4.64 | 4.52
33 | 118 | 121 | -1.2 | -1.2 | 78.3 | -4.64 | 4.52
34 | 119 | 120 | -1.7 | -1.9 | 33.1 | 11.94 | -12.21
35 | 119 | 120 | -1.7 | -1.9 | 33.1 | 11.94 | -12.21
36 | 120 | 123 | -0.5 | -0.6 | 28.8 | 12.41 | -13.03
37 | 120 | 123 | -0.5 | -0.6 | 28.8 | 12.41 | -13.03

APPENDIX D. RELIABILITY PARAMETERS

A basic event is an event which is not further developed in the fault tree. Each basic event is linked to its probabilistic model in order to quantify the probability of the event. The probability of the basic event, corresponding to the failure probability of the modelled component or system, is calculated using one of the parametric reliability models. The selection of a specific model is based on the available data and the characteristics of the modelled components.
The unavailability of the components is calculated as the mean (long-term) unavailability^a:

$$Q_{mean} = \frac{\lambda}{\lambda + \mu} \qquad \text{D-(5)}$$

The following relations hold for the failure and repair rates:

$$\lambda = \frac{1}{MTTF} \qquad \text{D-(6)}$$

$$\mu = \frac{1}{MTTR} \qquad \text{D-(7)}$$

λ - failure rate of the component.
µ - repair rate of the component.
MTTF - mean time to failure, the mean time expected until the first failure.
MTTR - mean time to recovery, the average time that a device takes to recover from a non-terminal failure.

Table D-11 Reliability parameters of the components used in the analysis
Component type | MTTF (yr) | MTTR (yr) | λ (1/yr) | µ (1/yr) | Qmean
Generator P=12MW | 3.36E-01 | 6.85E-03 | 2.98E+00 | 1.46E+02 | 2.00E-02
Generator P=20MW | 5.14E-02 | 5.71E-03 | 1.95E+01 | 1.75E+02 | 1.00E-01
Generator P=50MW | 2.26E-01 | 2.28E-03 | 4.42E+00 | 4.38E+02 | 1.00E-02
Generator P=76MW | 2.24E-01 | 4.57E-03 | 4.47E+00 | 2.19E+02 | 2.00E-02
Generator P=100MW | 1.37E-01 | 5.71E-03 | 7.30E+00 | 1.75E+02 | 4.00E-02
Generator P=155MW | 1.10E-01 | 4.57E-03 | 9.13E+00 | 2.19E+02 | 4.00E-02
Generator P=197MW | 1.08E-01 | 5.71E-03 | 9.22E+00 | 1.75E+02 | 5.00E-02
Generator P=350MW | 1.31E-01 | 1.14E-02 | 7.62E+00 | 8.76E+01 | 8.00E-02
Generator P=400MW | 1.26E-01 | 1.71E-02 | 7.96E+00 | 5.84E+01 | 1.20E-01
Transformer V>550kV | | | | | 2.48E-02
Transformer 243-346kV | | | | | 1.70E-02
Transformer 146-242kV | | | | | 1.61E-02
Transformer 73-145kV | | | | | 1.24E-02
Bus 138kV | | | 1.13E-02 | 2.09E+02 | 5.44E-05
Bus 230kV | | | 9.03E-03 | 2.04E+02 | 4.43E-05
Circuit breaker Active | | | 6.60E-03 | 8.11E+01 | 8.14E-05
Circuit breaker Passive | | | 5.00E-04 | 8.11E+01 | 6.16E-06
Disconnect switch Active | | | | | 8.14E-05
Disconnect switch Passive | | | | | 6.16E-06

^a Risk Spectrum Theory Manual, Relcon AB, 1998

The mean (long-term) reliability model of a monitored repairable component is selected for the elements of the power system because only MTTF and MTTR were available as input data and because this model quickly approaches the asymptotic value given by Eq. D-(5). The input data and the obtained unavailabilities used in the analysis are given in Table D-11.
The input data and the calculated unavailabilities of the lines and transformers of the IEEE RTS are given in Table D-12. The unavailability QCCF resulting from the CCF of the interconnections is calculated as the product of the Qmean of the other interconnection and the fraction of the interconnection length (percentage of the whole line length) exposed to the CCF.

Table D-12 Line data for IEEE RTS
Line No. | From bus | To bus | λ (1/yr) | µ (1/yr) | Qmean | QCCF
1 | 1 | 2 | 0.24 | 547.5 | 4.38E-04 |
2 | 1 | 3 | 0.51 | 876 | 5.82E-04 |
3 | 1 | 5 | 0.33 | 876 | 3.77E-04 |
4 | 2 | 4 | 0.39 | 876 | 4.45E-04 |
5 | 2 | 6 | 0.48 | 876 | 5.48E-04 |
6 | 3 | 9 | 0.38 | 876 | 4.34E-04 |
7 | 3 | 24 | 0.02 | 11.40625 | 1.75E-03 |
8 | 4 | 9 | 0.36 | 876 | 4.11E-04 |
9 | 5 | 10 | 0.34 | 876 | 3.88E-04 |
10 | 6 | 10 | 0.33 | 250.2857 | 1.32E-03 |
11 | 7 | 8 | 0.3 | 876 | 3.42E-04 |
12 | 8 | 9 | 0.44 | 876 | 5.02E-04 | 5.02E-04
13 | 8 | 10 | 0.44 | 876 | 5.02E-04 | 5.02E-04
14 | 9 | 11 | 0.02 | 11.40625 | 1.75E-03 |
15 | 9 | 12 | 0.02 | 11.40625 | 1.75E-03 |
16 | 10 | 11 | 0.02 | 11.40625 | 1.75E-03 |
17 | 10 | 12 | 0.02 | 11.40625 | 1.75E-03 |
18 | 11 | 13 | 0.4 | 796.3636 | 5.02E-04 | 5.02E-04
19 | 11 | 14 | 0.39 | 796.3636 | 4.89E-04 |
20 | 12 | 13 | 0.4 | 796.3636 | 5.02E-04 | 5.02E-04
21 | 12 | 23 | 0.52 | 796.3636 | 6.53E-04 |
22 | 13 | 23 | 0.49 | 796.3636 | 6.15E-04 |
23 | 14 | 16 | 0.38 | 796.3636 | 4.77E-04 |
24 | 15 | 16 | 0.33 | 796.3636 | 4.14E-04 |
25 | 15 | 21 | 0.41 | 796.3636 | 5.15E-04 | 5.15E-04
26 | 15 | 21 | 0.41 | 796.3636 | 5.15E-04 | 5.15E-04
27 | 15 | 24 | 0.41 | 796.3636 | 5.15E-04 |
28 | 16 | 17 | 0.35 | 796.3636 | 4.39E-04 |
29 | 16 | 19 | 0.34 | 796.3636 | 4.27E-04 |
30 | 17 | 18 | 0.32 | 796.3636 | 4.02E-04 |
31 | 17 | 22 | 0.54 | 796.3636 | 6.78E-04 | 3.48E-04
32 | 18 | 21 | 0.35 | 796.3636 | 4.39E-04 | 4.39E-04
33 | 18 | 21 | 0.35 | 796.3636 | 4.39E-04 | 4.39E-04
34 | 19 | 20 | 0.38 | 796.3636 | 4.77E-04 | 4.77E-04
35 | 19 | 20 | 0.38 | 796.3636 | 4.77E-04 | 4.77E-04
36 | 20 | 23 | 0.34 | 796.3636 | 4.27E-04 | 4.27E-04
37 | 20 | 23 | 0.34 | 796.3636 | 4.27E-04 | 4.27E-04
38 | 21 | 22 | 0.45 | 796.3636 | 5.65E-04 | 6.49E-04

The reliability parameters of the elements of the power system are taken from multiple sources^b,c,d. The input data used for the calculation of the unavailability of the interconnections of the Slovenian power system are given in Table D-13.
The data are the same as those used for the Macedonian power system^e.

Table D-13 Slovenian power system lines reliability parameters
Line No. | From bus | To bus | λ (1/yr) | µ (1/yr) | Qmean
1 | Krško | Krško 2 | | | 2.897E-03
2 | Krško | Maribor | 7.5 | 705.7 | 1.052E-02
3 | Maribor | Podlog | 3.75 | 705.7 | 5.286E-03
4 | Podlog | Šoštanj G5 | 3 | 705.7 | 4.233E-03
5 | Podlog | Beričevo | 3 | 705.7 | 4.233E-03
6 | Okroglo | Beričevo | 6 | 705.7 | 8.431E-03
7 | Okroglo | Beričevo | 6 | 705.7 | 8.431E-03
8 | Beričevo | Divača | 5.25 | 705.7 | 7.385E-03
9 | Divača2 | Kleče | 2.16 | 839.5 | 2.566E-03
10 | Beričevo | Kleče | 1.8 | 839.5 | 2.140E-03
11 | Beričevo | Podlog 2 | 1.44 | 839.5 | 1.712E-03
12 | Podlog 2 | ŠoštanjG4 | 1.44 | 839.5 | 1.712E-03
13 | Podlog 2 | Cirkovce | 1.62 | 839.5 | 1.926E-03
14 | Beričevo1 | Beričevo2 | | | 2.897E-03
15 | Beričevo1 | Beričevo2 | | | 2.897E-03
16 | Podlog | Podlog2 | | | 2.897E-03
17 | Podlog3 | Šoštanj | 2.24 | 938.6 | 2.381E-03
18 | Krško2 | Brestanica | 2.24 | 938.6 | 2.381E-03
19 | Krško2 | Brestanica | 2.24 | 938.6 | 2.381E-03
20 | Beričevo2 | Beričevo3 | | | 1.069E-03
21 | Beričevo2 | Beričevo3 | | | 1.069E-03
22 | Podlog2 | Podlog3 | | | 1.069E-03
23 | Podlog2 | Podlog3 | | | 1.069E-03
24 | Kleče2 | Kleče | | | 1.069E-03
25 | Kleče2 | Kleče | | | 1.069E-03

The size and location of the loads and generators in the Slovenian power system model are given in Table D-14. The substations marked with "*" at the end of the name have representative rather than actual generators in the power system. The generators in the substations Maribor, Divača and Divača 2 represent the power flows with the neighboring power systems. The generator in substation Maribor additionally represents the adjacent hydro power plants connected to the 110 kV network. The generators in Podlog 2 and Okroglo represent adjacent hydro power plants that are not directly connected to the specified substations. The size and location of the loads and generators in Table D-14 do not represent the actual Slovenian power system but the nearest approximation developed on the basis of the available data.

^b Billinton R., Allan R. N.; Reliability assessment of large electric power systems, Kluwer Academic Publishers, 1988
^c IEEE Std 500-1984, IEEE Guide to the Collection and Presentation of Electrical, Electronic, Sensing Component, and Mechanical Equipment Reliability Data for Nuclear-Power Generating Stations, 1983
^d IAEA-TECDOC-478, Component reliability data for use in probabilistic safety assessment, 1988
^e Todorovski M.; Approximate calculation of the power flows in the high voltage networks, Graduation work, Faculty of Electrical Engineering - Skopje, Macedonia, 1995

Table D-14 The size of the loads and generators of the Slovenian power system
Substation number | Substation name | Load (MW) | Load (MVAr) | Generator (MW) | Generator (MVAr)
1 | NPP Krško | 30 | 0 | 600 | 130
2 | RTP Krško | 254 | 54 | 0 | 42
3 | Maribor* | 139 | 17 | 77 | 0
4 | Podlog | 0 | 0 | 0 | 0
5 | Podlog 2* | 0 | 0 | 10 | 0
6 | Šoštanj 4 | 0 | 0 | 232 | 65
7 | Šoštanj 5 | 0 | 0 | 246 | 29
8 | Podlog 3 | 100 | 50 | 0 | 0
9 | Šoštanj 1 | 0 | 0 | 35 | 50
10 | Cirkovce | 94 | 105 | 0 | 0
11 | Beričevo | 115 | 0 | 0 | 0
12 | Beričevo2 | 74 | 60 | 0 | 0
13 | Beričevo3 | 80 | 15 | 0 | 0
14 | Kleče 2 | 113 | 68 | 0 | 0
15 | Kleče | 0 | 0 | 0 | 0
16 | Divača* | 77 | 32 | 0 | 106
17 | Divača 2* | 48 | 47 | 0 | 81
18 | Okroglo* | 159 | 58 | 53 | 0
19 | Brestanica | 70 | 0 | 100 | 197