Nuclear Engineering and Technology for the 21st Century

9. Risk importance of component represented by multiple basic events (failure modes) involved in CCF Groups

9.1 Introduction

In many cases a particular component in a PRA model may be represented by several basic events (each related to specific failure mode) with each of them being involved in some CCF group of basic events. This case will be discussed in this section under the following assumptions:

Representative basic events are all input into an “OR” gate. In other words, component’s failure logic can be described by expression such as (6-7).
Wherever the component is modeled in the overall FT structure, failure model is always the same (i.e. same set of basic events, all input into an “OR” gate).
Considered component is one among the group of similar or identical m components which share the potential for the same set of failure modes. In other words, each component is represented by the same kind of the failure logic with corresponding set of basic events. Therefore, each basic event from the set belonging to the considered component is a member of a CCF group consisting of m corresponding basic events.

It should be noted that this kind of the component-level modeling is, actually, normally used to represent failures of components in systems with multiple redundant trains in most of the cases when developing system FT models in a PRA.

One simple example is shown in Figure 9-1 and Figure 9-2. It relates to FT modeling of Motor Driven Pumps A and B in EFW system. Failure logic of each pump consists of two failure modes input into an OR gate, the first one representing failure to start and the second one representing failure to run for a mission time. There are two CCF groups of basic events. The first CCF group is formed by the two basic events representing failure to start of corresponding pumps. Two other basic events, representing failure of corresponding pumps to run, form the second CCF group.

Figure 9-1 Example of component-level failure logic with multiple basic events involved in CCF Groups - EFW motor driven pump (MDP) A.

Figure 9-2 component-level failure logic with multiple basic events involved in CCF Groups (continued) - EFW MDP B.

Failure logic for each pump corresponds to expression (6-7) or (6-8). However, the resulting sub-tree in the FT structure shown in Figure 9-1 (“Pump A”) or Figure 9-2 (“Pump B”) is not a “FT module” in the sense of Section 6. The term “FT module” as used in Section 6 referred to a component-level sub-tree independent from the rest of the FT structure, which is not the case here because the same CCF events (either failure to start or failure to run) appear in sub-trees for both pumps. Therefore, we will not use asterisk (*) for denoting the component-level failure, as in (6-7) and (6-8).

In this section we will establish component-level importance measures for the case when considered component is represented in the FT structure in the way discussed above. We will discuss the same three types of failure or unavailability as in Section 8, i.e.:

Failure or unavailability with CCF potential;
Unavailability with no impact on CCF (unavailability due to preventive maintenance);
Particular CCF event (i.e. failure due to a common cause of specific components).

However, before proceeding, one more assumption will be introduced. According to the above discussion, the component-level failure can be expressed as:

(9.1)

where the terms As, s = 1,…,S represent basic events related to the failure modes such as “pump’s failure to start”, “pump’s failure to run”, etc. The additional assumption is that these terms are mutually exclusive. While this assumption can be subject to long discussions, in support of its use for this purpose the following can be said:

Taking as an example “Pump A” from Figure 9-1 and putting down its logic failure expression as A = AFS + AFR (analogously to (6-8)), the terms AFS and AFR can indeed be interpreted as mutually exclusive for the reasons:
- If pump fails to start, it would not be challenged to run and would, therefore, not fail to run;
- On the other hand, if pump fails to run, it had to start successfully and, therefore did not fail to start.
In the quantification of PRA models the terms AFS and AFR would be treated as independent basic events. This is simply because the quantification algorithms in PRA tools such as RiskSpectrum® and others assume that all basic events involved in the minimal cutsets are independent of each other. If so, then component-level failure probability can be written as:

If failure probabilities and failure rates are now taken which are used in the current PRAs (which would show that both P(AFS) and P(AFR) are, typically, considerably lower than 1E-02 per demand or per mission, e.g. NUREG/CR-6928), [33], then it can be readily demonstrated that (“rare event”) approximation

(which corresponds to the assumption on mutual exclusivity) introduces error no larger than a fraction of percent, for a typical pump. Similar argument can be shown for most of the other components modeled in PRA fault trees.

Therefore, by considering the basic events As, s = 1,…,S as mutually exclusive in the derivations which follow one only introduces an assumption which is in certain way already present in PRAs and for which some additional supporting arguments may be found.

With stated assumption:

(9.2)

This time, i.e. for the described case of a component represented by basic events As, s = 1,…,S involved in CCF groups, we will start consideration of component-level importance measures with RAW. Primary reason is that, following the discussions in Section 8, it comes as most intuitive. Additional reason is that, as already mentioned in Section 8, for the last two of the three considered types of failure or unavailability (i.e. preventive maintenance and specific CCF event) other importance measures may not have practical meaning.

9.2 Failure with CCF potential

Calculation of the four importance measures for the case with CCF potential is discussed in Sections 9.2.1 through 9.2.4. Two demonstrations are provided in Example B8 in Appendix B.

9.2.1 RAW

There is a difference between the case when different failure modes As, s = 1,…,S are involved in CCF groups and the example discussed in Section 6.3 (FT module expressed by logic function (6-8)). When component-level failure was postulated in Section 6.3, it did not matter which of the failure modes actually occurred because the impact on the system and, hence, the likelihood of the top event was the same. This, however, is not so when particular failure modes are involved in CCF groups. The reason is that conditional CCF probabilities for different failure modes generally differ. Taking as an example two redundant motor-driven pumps, it can be seen from the references such as NUREG/CR-5845 [36], or NUREG/CR-5497 [37], that conditional CCF probabilities for failure during operation can be considerably lower (e.g. by a factor) than those for failure on demand. For illustration, let us assume that beta-factor for pump’s failure to start is 10% and beta-factor for pump’s failure to run is 5%. Let us, then, postulate that first pump has failed. In such a case, then:

If the failure came from failure to start, the probability that second pump would also fail is 10%;
If, however, the failure came from failure to run during the mission time, the probability that second pump would also fail is 5%.

Each of these failure modes has its own RAW value and they could be considerably different. The component-level RAW value needs to reflect the particular RAW values of all failure modes.

Starting from the most general expression for RAW, (5-4):

(9.3)

Taking into account the assumption on mutual exclusivity reflected in (9-2) this can further be written as:

(9.4)

Upon taking into account P(BAs) = P(B | As)P(As)and rearranging, one finally obtains:

(9.5)

which can be rewritten in a shorter form as:

(9.6)

In the above expression the first term, Hs, is conditional probability that failure of A has occurred due to failure mode As, s = 1,…,S:

(9.7)

The second term, IRAW,s represents the RAW value associated with particular failure mode As, s = 1,…,S. Each of these particular RAW values can be obtained as described in Section 8.

Once RAW is known, all other importance measures can be calculated directly.

Note that (9-7) assumes that there is no additional information regarding which of the failure modes As, s = 1,…,S may have caused the failure of the component. In other words, it reflects the designer’s point of view (long-term averaged status and risk) rather than that of an evaluator of particular precursor event from the operating experience or evaluator of configuration-specific risk (conditional status and risk). For the calculation of long-term averaged RAW the probabilities in (9-7) would be the probabilities of the corresponding basic events in the base-case PRA model. However, in the case of, for example, a precursor evaluation the likelihood of particular failure modes As, s = 1,…,S can be considerably different based on the observed evidence. (For example, it may be known that pump has actually failed to start rather than to continue running.) For more discussion on these aspects interested readers are directed to check other references, such as already mentioned [27] and [29]. It may be worth mentioning that, for reasons such as these, RAW values calculated by a base-case PRA model can be directly used in precursor risk significance assessment only with due attention being paid to interpretation of observed evidence.

9.2.2 RRW

RRW can be calculated directly from its theoretical relation to RAW, (5-9) since it is valid generally:

(9.8)

In this case, P(A) represents component-level failure probability expressed by (9-2).

9.2.3 FC

Without going into mathematical formalism, the absolute contribution for the component A can be defined in a corresponding manner to (5-10) and (8-7) as:

where the terms “C” and “V” have the same meaning as in 8.2.1. Index “s” relates to the numbering of different failure modes, while index “k” relates to numbering of different CCF basic events within particular failure mode. Based on the mutual exclusivity of “V terms” (Section 8.2):

(9.9)

where IFC,s or Ifc,s refers to a contribution from the failure mode “s”, which can be calculated as described in Section 8.

Also, general expression for the top event, (5-3) and (8-3), can be rewritten as

and, then, using the same kind of rationale as in Section 5.4 (including the application of “rare event approximation”), it is not difficult to express FC through the RRW by the formula corresponding to (5-18):

(9.10)

or through RAW, by a formula corresponding to (5-17):

(9.11)

In the latest formula, P(A) is calculated by (9-2).

9.2.4 Reliability importance

Following the same reasoning as in 8.2.4, reliability importance can be calculated directly from RAW and RRW, (5-21), or from FC, (5-22). The probability P(A) is calculated by (9-2).

9.3 Unavailability with no impact on CCF

For the reasons discussed in Section 8.3 we will limit the discussion of risk importance for this type of failure or unavailability on RAW measure. For simplicity, we will use the same kind of convention as in Section 8.3: basic event Vs,1, s = 1,…,S will be defined as occurrence of failure mode As not shared by any other component from the CCF group. (It needs to be noted that now we have S different CCF groups of basic events, i.e. one group of m basic events for each failure mode considered.)

This kind of unavailability of considered component is defined in a way that there is no impact on CCF events involving other components. Therefore, it can be “modeled” as occurrence (setting to “true” status) of any basic event Vs,1, s = 1,…,S, without any additional impact.

In other words, component-level RAW can be obtained as RAW value of any of the basic events Vs,1, s = 1,…,S (which can be read directly from the PRA results). Note that all basic events Vs,1, s = 1,…,S will have the same RAW values. This is because their impact, when assumed “true”, is limited to the considered component only.

9.4 Particular CCF event

The discussion will be, for the reasons discussed in Section 8.4, limited to the RAW values of CCF events involving failures of all m redundant components. In this case we have S common cause failure events which involve all m components, i.e. one such CCF event for each failure mode “s”. For convenience (correspondingly to Section 8.4), we will define basic event Vs,1, s = 1,…,S as, specifically, being occurrence of failure mode As which is shared by all other redundant components.

By definition, when set to “true” status each of these basic events Vs,1, s = 1,…,S fails all m components. In other words, P(B | Vs,M) is same for every Vs,1, s = 1,…,S, resulting with same RAW value.

Thus, RAW value for any of these events (which can be read directly from PRA results) can be taken as representative RAW for the CCF event involving all m components.

Two demonstrations in Example B8 (Appendix B) include RAW values for the CCF of all m components (this section) and unavailability with no impact on CCF (Section 9.3 above), which are compared against the RAW for CCF potential (Section 9.2). The results are, also, shown in Section 10.