ML20140E372

| Person / Time | |
|---|---|
| Site: | Indian Point |
| Issue date: | 01/31/1986 |
| From: | Alesso H, Altenbach T, Ashmore B, Fromme D, Hershberger M, Kimura C, Lappa D, Patenaude C, Prassinos P, Sacks I, Casey Smith, William Williams (Analytic Information Processing, Inc.; Lawrence Livermore National Laboratory; Science Applications International Corp., formerly Science Applications, Inc.) |
| To: | NRC |
| References | NUREG-CR-4179, NUREG-CR-4179-V02, NUREG-CR-4179-V2, UCID-20350-V02, UCID-20350-V2, NUDOCS 8603270475 |
| Download: | ML20140E372 (67) |
Text
{{#Wiki_filter:
[Scanned cover page. Recoverable text: "Digraph Matrix Analysis for Systems Interactions at Indian Point Unit No. 3, Volume 2: Appendix A", January 1986.]
NUREG/CR- / UCRL- (draft)

DIGRAPH MATRIX ANALYSIS FOR SYSTEMS INTERACTIONS AT INDIAN POINT UNIT 3
Volume 2 - Appendix A: Overview of Digraph Matrix Analysis

H. P. Alesso, T. J. Altenbach, P. Prassinos, D. Lappa, C. Kimura, C. Patenaude
Lawrence Livermore National Laboratory, 7000 East Avenue, Livermore, California 94550

I. J. Sacks, B. C. Ashmore, D. C. Fromme, M. Hershberger
Analytic Information Processing, Inc.

C. F. Smith, W. J. Williams
Science Applications, Inc.

Prepared for U. S. Nuclear Regulatory Commission
July, 1984
APPENDIX A

Table of Contents                                              Page

A.1  Introduction and Purpose ...................................... 4
A.2  The Basics of DMA System Analysis ............................. 4
     A.2.1  Terminology and Approach ............................... 4
     A.2.2  A Simplified System Example ............................ 7
     A.2.3  Expansion Via Unit Models ............................. 11
     A.2.4  DMA Computer Processing ............................... 15
     A.2.5  Efficient DMA Codes ................................... 22
A.3  Application of DMA to a Plant Safety Assessment .............. 33
A.4  Additional Digraph Modeling Discussion ....................... 50
     A.4.1  Break Model ........................................... 50
     A.4.2  Modeling Complex Networks with Bi-directional Flow .... 53
     A.4.3  Tripleton Code ........................................ 59
     A.4.4  Conditioned Cycle ..................................... 60
     A.4.5  NOT Gates and Non-Coherent Models ..................... 62
     A.4.6  Reducing the Problem Size ............................. 64
List of Figures                                                Page

A-1   The DMA Procedure ........................................... 5
A-2   Conventions for the Use of AND and OR Gates ................. 7
A-3a  Simplified Spray System ..................................... 8
A-3b  Digraph of Simplified Spray System ......................... 10
A-4   Unit Model for a Pump ...................................... 11
A-5   Pump with Redundant Power and Control ...................... 13
A-6   Partial First Stage Unit Model Expansion of the Digraph
      of the Simplified Spray System ............................. 14
A-7   Graph and Corresponding Adjacency Matrix ................... 15
A-8   Weighted Graph and Logic Network ........................... 18
A-9   Representation of an AND Operation ......................... 18
A-10  Representation of an OR Operation .......................... 19
A-11  Example of Multiple Gate Logic Network ..................... 19
A-12  Component Matrices ......................................... 20
A-13  Adjacency Matrix for Logic Network of Figure A-11 .......... 20
A-14  Reachability Matrix for the Network of Figure A-11 ......... 21
A-15  Input/Output for Code ADJ .................................. 22
A-16  DMA Data Processing Flow ................................... 24
A-17  Condensation Program Operation ............................. 25
A-18  Reachability Code Flow ..................................... 26
A-19  The Deconditioned Graph .................................... 28
A-20  Output from Code SHORT ..................................... 30
A-21  Output from Code MATRIX .................................... 31
A-22  Output from Code NEWZ ...................................... 32
A-23  Partitioning of the Global Digraph ......................... 42
A-24  Partitioning Process ....................................... 43
A-25  Simplified Example of Common Mode Failure .................. 48
A-26  Effect of Pipe Break ....................................... 51
A-27  Break and Block Digraphs ................................... 52
A-28  Use of Strong Component .................................... 54
A-29  Modeling of Break Mitigation ............................... 55
A-30a Crosstie Network ........................................... 57
A-30b Digraph of Crosstie Network ................................ 57
A-31  Conditioned Cycle Structure ................................ 60
A-32  Pruning Example ............................................ 66
A-33  Model Pruned with F as the Terminal Node ................... 66
APPENDIX A
OVERVIEW OF DIGRAPH MATRIX ANALYSIS

A.1 Introduction and Purpose

Digraph Matrix Analysis (DMA) is an approach to the assessment of the safety of large complex systems. The approach is based on the use of directed graphs (digraphs) containing logic connectives to represent the propagation of failure through a physical network of interrelated systems, subsystems and components.

The purpose of this Appendix is two-fold. First, a discussion of the application of the DMA approach to a single system is presented. This discussion is intended to provide a basic understanding of the conventions and procedures used in modeling and analyzing individual systems. The second purpose is to describe the overall procedure of applying DMA to a nuclear power reactor (i.e., a complex group of interacting systems). In addition to these two purposes, later sections of this appendix address additional topics of relevance to digraph modeling and analysis.

A.2 The Basics of DMA System Analysis

A.2.1 Terminology and Approach

There are three major steps in a DMA failure assessment of a system; these are:

o Construction of the system digraph model based on plant schematics, piping and instrumentation diagrams, operational procedures, and other relevant documentation.

o The processing of the digraph model using a graph-based "reachability" code to determine failure paths through the model and subsequently minimal cut-sets.

o Subsequent expansion of the digraph model through the use of unit models to incorporate additional detail regarding support component dependency.

These steps are carried out on an iterative basis to provide an analysis that is ultimately sufficiently detailed to identify potential interactions that may be subtle in nature. Figure A-1 presents a block diagram description of the major steps in the DMA procedure for modeling a given system.

[Figure A-1. The DMA Procedure: construct high-level success-oriented digraph -> expand each component into its digraph -> expand each new component into its digraph -> repeat.]

The first of these steps begins with the identification of all of the components directly necessary for successful system operation. These components are represented by nodes in a digraph model which is developed to closely resemble the physical layout of the piping and instrumentation drawing (P&ID) or other schematic drawings. To this layout of nodes representing necessary components, directional connectives and logic gates are added. The resulting directed graph with logic connectives, or digraph, is a system model in which the logic relationships between components required for system functioning have been explicitly incorporated.
The principal logic conditions incorporated in digraph models are the OR gate and the AND gate. These are discussed in the following paragraphs.

If a component requires the successful operation of two support components (i.e., failure of either of these support components would result in failure of the basic component), then the nodes representing the support components would be connected to the node representing the basic component by an OR gate. For example, a motor-operated valve may require both electrical power and an actuation signal for successful operation. The nodes representing the two support components would be connected to the node representing the valve by an OR gate. Figure A-2a shows the convention used in DMA for representing this example of an OR gate connection. Note that the DMA convention for OR gate representation is multiple inputs into a single node; no other special indication or symbol is used to represent the OR gate. DMA allows an alternative OR condition. Components in series also indicate an OR condition in that any failure in a chain fails the connecting component. These two OR configurations facilitate the DMA models' ability to resemble the P&ID.

If a component requires the successful operation of only one of a group of alternative support components, the nodes representing these support components would be connected to the node representing the basic component using an AND gate. For example, a pump might be supplied with electrical power from AC mains or from an auxiliary generator. Failure of the pump would result from failure of both AC main power and the auxiliary generator. The use of the AND gate is shown in Fig. A-2b. The notation used is that of Petri Net theory [A-1].
[Figure A-2. Conventions for the Use of AND and OR Gates. (a) Use of the OR gate: Electrical Power and Actuation Signal both enter the Motor-operated Valve node directly. (b) Use of the AND gate: AC Mains (through Bus and Breaker) and Aux Power enter the Pump node through an AND gate.]

The arrows on the connectives or "edges" between the nodes representing the components in the system indicate the direction of propagation of the effect of information, physical movement, power, etc. among the components. The digraph model thus contains the physical components directly responsible for the functioning of the system along with the logical relationships among the components required for this functioning.

A.2.2 A Simplified System Example

A simplified system schematic is shown in Fig. A-3a. In this example, water from the refueling water storage tank (RWST) flows through two parallel paths to the spray into containment (CONT). Figure A-3b shows the corresponding digraph model which includes nodes representing not only the hardware of the original schematic, but also instrumentation (TS1, TS2, C1 and C2) that is required for proper system operation. Either pump (PMP1 or PMP2) will fail if its supply of water or its control signal fails; thus there is an OR gate that joins the filter (F2) and controller (C1) to the pump (PMP1). In addition, spray into containment will fail only if spray from both paths fails; thus the spray nozzles are joined to CONT by an AND gate to express this criterion.
[Figure A-3a. Simplified Spray System: the RWST outside containment feeds two parallel trains, each with a filter, a pump and valves (V1 to V10; NC = normally closed, NO = normally open), to spray nozzles SN1 and SN2 inside containment.]
Abbrev.   Component Name
RWST      Refueling Water Storage Tank
P5        Pipe 5
V4A       Valve 4A
V3        Valve 3
F2        Filter 2
PMP1      Pump 1
P1        Pipe 1
V5        Valve 5
V6        Valve 6
V9        Valve 9
P2        Pipe 2
SN1       Spray Nozzle 1
CONT      Spray into containment
SN2       Spray Nozzle 2
TS1       Temperature Sensor 1
C1        Controller 1
P6        Pipe 6
V4B       Valve 4B
V1        Valve 1
F1        Filter 1
PMP2      Pump 2
P3        Pipe 3
V7        Valve 7
V8        Valve 8
V10       Valve 10
P4        Pipe 4
TS2       Temperature Sensor 2
C2        Controller 2
[Figure A-3b. Digraph of Simplified Spray System. Train 1: RWST -> P5 -> V4A -> V3 -> F2 -> PMP1 -> P1 -> (V5 and V6 in parallel) -> V9 -> P2 -> SN1, with TS1 -> C1 -> PMP1. Train 2: RWST -> P6 -> V4B -> V1 -> F1 -> PMP2 -> P3 -> (V7 and V8 in parallel) -> V10 -> P4 -> SN2, with TS2 -> C2 -> PMP2. SN1 and SN2 enter the Containment node through an AND gate.]
The sets of single component failures (Singletons) and sets of double component failures (Doubletons) that result in overall system failure for the example can be determined by inspection of Fig. A-3b. For example, RWST is a Singleton since it supplies both parallel flow paths. Pairs of components taken from alternate flow paths form Doubleton pairs except for those involving V5, V6, V7, and V8. This is because these components are included in the system in a double parallel configuration. The computer algorithms that solve this problem, however, are capable of evaluating graphs with thousands of components.

A.2.3 Expansion Via Unit Models

The basic digraph is expanded by replacing components with their appropriate models. These unit models incorporate the direct dependence of a given component on support components, and their inclusion in the system digraph is intended to allow the analyst to uncover additional failures which are introduced by support components. The expansion of the components in the digraph using unit models can lead to the identification of common cause failures between components due to shared support components. A typical unit model for an active component might include electric power, control, lubrication and operator or maintenance inputs. In addition, the location of the component can be represented as an input to the component in order to identify common cause failures that might result from a single initiator affecting multiple components at a common location. A simplified unit model for a pump is shown in Fig. A-4.

[Figure A-4. Unit Model for a Pump: Power, Control, Lubrication and Cooling are inputs to the PMP node.]
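The Singleton and Doubleton sets described above for the spray system of Fig. A-3b, and the effect on them of a first-stage unit model expansion of the two pumps, checked mechanically. This is an added example and not code from the report or from its REACH/CLAMOR/SQUEAK codes: it finds cut sets by propagating failures through the failure-oriented digraph to a fixpoint instead of by the matrix reachability calculation of A.2.4, and the support nodes PWR, LUB1, COOL1, LUB2 and COOL2 used for the expansion (one power supply shared by both pumps, separate lubrication and cooling) are assumed for illustration rather than taken from the report's unit models.

```python
"""Added example (not from the report): Singletons and Doubletons of the
simplified spray system of Fig. A-3b, before and after a first-stage unit
model expansion of the two pumps. Cut sets are found by failure propagation
to a fixpoint, not by the REACH/CLAMOR/SQUEAK reachability codes."""
from itertools import combinations

def chain(*names):
    """OR-type edges along a flow path: failure of each node fails the next."""
    return list(zip(names, names[1:]))

# Fig. A-3b as OR edges (u -> v) and AND gates ({inputs} -> v).
SPRAY_EDGES = (
    chain("RWST", "P5", "V4A", "V3", "F2", "PMP1", "P1")
    + [("P1", "V5"), ("P1", "V6")] + chain("V9", "P2", "SN1")
    + chain("TS1", "C1", "PMP1")
    + chain("RWST", "P6", "V4B", "V1", "F1", "PMP2", "P3")
    + [("P3", "V7"), ("P3", "V8")] + chain("V10", "P4", "SN2")
    + chain("TS2", "C2", "PMP2")
)
SPRAY_AND_GATES = [
    ({"V5", "V6"}, "V9"),      # double parallel valves: both must fail
    ({"V7", "V8"}, "V10"),
    ({"SN1", "SN2"}, "CONT"),  # spray fails only if both trains fail
]

def build(edges, and_gates):
    """{node: [input groups]}: a node fails once every node of any one group has failed."""
    groups, nodes = {}, set()
    for u, v in edges:
        groups.setdefault(v, []).append(frozenset([u]))
        nodes.update((u, v))
    for inputs, v in and_gates:
        groups.setdefault(v, []).append(frozenset(inputs))
        nodes.update(inputs)
        nodes.add(v)
    return nodes, groups

def propagate(groups, initially_failed):
    """Fixpoint of failure propagation from an initial set of failed nodes."""
    failed = set(initially_failed)
    changed = True
    while changed:
        changed = False
        for node, input_groups in groups.items():
            if node not in failed and any(g <= failed for g in input_groups):
                failed.add(node)
                changed = True
    return failed

def cut_sets(nodes, groups, target, max_order=2):
    """Minimal cut sets of order <= max_order (Singletons, Doubletons, ...)."""
    found = []
    for k in range(1, max_order + 1):
        for combo in combinations(sorted(nodes - {target}), k):
            s = frozenset(combo)
            if any(m < s for m in found):   # contains a smaller cut set: not minimal
                continue
            if target in propagate(groups, s):
                found.append(s)
    return found

def expand_unit_model(edges, component, supports):
    """First-stage unit model expansion (Fig. A-4): each support is an OR input."""
    return edges + [(s, component) for s in supports]

def analyse(edges, and_gates, target="CONT"):
    nodes, groups = build(edges, and_gates)
    sets = cut_sets(nodes, groups, target)
    return (sorted(next(iter(s)) for s in sets if len(s) == 1),
            [s for s in sets if len(s) == 2])

def spray_base():
    return analyse(SPRAY_EDGES, SPRAY_AND_GATES)

def spray_expanded():
    # Assumed unit models: both pumps share one power supply "PWR" but have
    # their own lubrication and cooling. The shared node becomes a Singleton.
    edges = expand_unit_model(SPRAY_EDGES, "PMP1", ["PWR", "LUB1", "COOL1"])
    edges = expand_unit_model(edges, "PMP2", ["PWR", "LUB2", "COOL2"])
    return analyse(edges, SPRAY_AND_GATES)

if __name__ == "__main__":
    for label, (singles, doubles) in (("base", spray_base()), ("expanded", spray_expanded())):
        print(label, "Singletons:", singles, "Doubletons:", len(doubles))
```

For the base model the only Singleton is RWST and there are 121 Doubletons, one for each pair of nodes drawn from the two trains, none of which involves V5, V6, V7 or V8, exactly as read off the figure above. After the expansion the shared PWR node appears as a new Singleton, which is the kind of support-system dependency the unit model step is meant to expose.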
In this model, failure of control, power, cooling or lubrication will cause the pump to fail. Failure of the pump could also be caused by the propagation of an effect from its location, by an operator action, or by incorrect maintenance practices. The failure due to location could be an external event such as a fire or an internal event such as the explosive failure of another component which shares the location. The discovery of Singletons and Doubletons involving location may be as significant as the discovery of any other component failure sets. There are other possible inputs to the unit model. For example, component manufacturer could be included, with a resulting expansion of the failure sets to include common manufacturer. Thus, common mode failure could be included in the analysis.

Most vital components such as pumps, valves, etc. are supplied with redundant power systems. Redundancy in the unit model is represented by connecting the redundant supplies to the component via an AND gate, as shown in Fig. A-5. In this model, the pump is assumed to have redundant power supplies (Main and Auxiliary) as well as redundant controls (AUTOMATIC and OPERATOR). Note that there are two operator inputs (nodes) in this model, representing both the operator taking a wrong action (OPW) and the failure of the operator to take the right action (OPR). Thus, the operator could mistakenly turn off the pump (OPW); or, the operator could fail to override a control failure (OPR).
[Figure A-5. Pump with Redundant Power and Control. Inputs to the Pump node: Power 1, Power 2, Automatic Control, OPW, OPR, Lubrication and Cooling; the redundant pairs enter through AND gates as described above.]

Each of the components identified in the initial system digraph can thus be expanded by unit models. In this process, generic unit models (to be used for like component types) can be developed for efficient modeling. These generic unit models can be used repetitively for similar components (e.g., motor operated valves), with appropriate adjustment of the unit model inputs. A partial first level unit model expansion of the digraph of Fig. A-3b is shown in Fig. A-6. In general, a complete system digraph, such as Fig. A-6, will not be drawn by the analyst. The complete system digraph model is created by adding the data for each unit model to the data input list which describes the system digraph model of the previous expansion.

New components which are identified by the unit model expansion procedure can next become the center for continued unit model expansion. For example, power could be expanded to include appropriate motor control centers, buses, switches, relays, transformers, etc. As this expansion proceeds, components, locations, operators and maintenance shared by systems may be discovered. As a result, the digraph can grow to a very large size. Singletons and Doubletons which arise through this expansion will not be apparent to the analyst or team
[Figure A-6. Partial First Stage Unit Model Expansion of the Digraph of the Simplified Spray System. The expansion of V5 adds a power input PWR supplied by primary power (MAINS, PWROUT, SYSBR, PRMPWR) and by auxiliary power (AUXGEN, DIST, AUXPWR); V6, V7 and V8 are expanded in the same way. The remainder of the figure repeats the digraph of Fig. A-3b.]
of analysts constructing the model and require a computer processing step for analysis. The DMA code, based on a reachability calculation, will be explained in the following section.

The large size of the complete digraph model also requires a procedure to divide this digraph into smaller equivalent units, each of which can be processed independently. This procedure is called "partitioning"; the results from the processing of each partition are then combined to yield the global digraph results. The partitioning procedure is described in a later section of this appendix.

A.2.4 DMA Computer Processing

The connectivity of a network can be represented as a graph (partially or completely directed), G, or equivalently as an adjacency matrix, A. Figure A-7 shows a typical graph and its adjacency matrix. The rule that defines an adjacency matrix is as follows:

$a_{ij} = 1$ if there is a direct connection from node $i$ to node $j$, and $a_{ij} = 0$ otherwise.

Figure A-7. Graph and Corresponding Adjacency Matrix.
Graph: a1 -> a2, a1 -> a4, a2 -> a3, a4 -> a3.

                  To
             a1  a2  a3  a4
   From  a1   0   1   0   1
         a2   0   0   1   0
         a3   0   0   0   0
         a4   0   0   1   0
The adjacency matrix can be viewed as describing the possibility of flow from node $i$ to node $j$. That is, an adjacency matrix is a matrix representation of a flow network directed graph. One-way flow in a network for a pair of nodes $(i, j)$, for which flow propagates from $i$ to $j$ but not from $j$ to $i$, is represented as:

$a_{ij} = 1$, $a_{ji} = 0$.

The determination of whether a given node is reachable from any other node can be made by Boolean manipulation of the adjacency matrix. The connectivity between all pairs of nodes in a network is contained in the reachability matrix $R$. The reachability matrix can be derived from the following property (transitive property):

Connection from element $k$ to element $n$: $a_{kn}$
Connection from element $n$ to element $l$: $a_{nl}$

Hence the connectivity between nodes $k$ and $l$ (i.e., the matrix element $a_{kl}$) is derived from two terms, $a_{kn}$ and $a_{nl}$, both of which must be nonzero for a nonzero $a_{kl}$; using the Boolean product operation (logical AND),

$a_{kl} = a_{kn} * a_{nl}$, where $1*1 = 1$, $1*0 = 0$, $0*1 = 0$, $0*0 = 0$.

In matrix notation, for a network containing $n$ nodes,

$$
R_2 = [A]*[A] =
\begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ \vdots & \vdots & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{bmatrix}
*
\begin{bmatrix} a_{11} & a_{12} & \cdots & a_{1n} \\ \vdots & \vdots & & \vdots \\ a_{n1} & a_{n2} & \cdots & a_{nn} \end{bmatrix}
$$

where $R_2$ represents the reachability matrix for all paths that require exactly two steps between all pairs of nodes. For connectivity in exactly $m$ steps, the reachability matrix becomes

$$R_m = [A]^m .$$

Thus, the reachability matrix for connections of all lengths between node pairs, for any number of steps, is given by

$$R = \sum_{m=1}^{k} [A]^m$$

where the summation represents the Boolean sum (logical OR) operation, i.e., $1+0 = 1$, $0+1 = 1$, $1+1 = 1$, $0+0 = 0$. It can be shown that the $R$ matrix converges to a steady-state value, that is,

$$R_{ss} = \lim_{m \to \infty} \sum_{n=1}^{m} [A]^n .$$

This procedure is computationally inefficient and many algorithms have been developed to more efficiently perform the reachability calculation, two of the more efficient being algorithms developed by Warren [A-3] and Warshall [A-2].
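The reachability calculation described above, as an added example that is not code from the report: the Boolean sum of Boolean powers of the adjacency matrix of Fig. A-7, stopping as soon as the sum stops changing, alongside Warshall's algorithm [A-2], which produces the same matrix in one O(n^3) pass without forming any matrix power. The adjacency matrix is transcribed from Fig. A-7 (edges a1->a2, a1->a4, a2->a3, a4->a3); the 0-based indexing of a1..a4 and the function names are this example's own.

```python
"""Added example, not from the report: the reachability matrix R of A.2.4
computed (1) as the Boolean sum of Boolean powers of the adjacency matrix,
stopping at the steady state, and (2) with Warshall's algorithm [A-2]."""

# Adjacency matrix transcribed from Fig. A-7 (rows = from, columns = to),
# nodes a1..a4 indexed 0..3: a1 -> a2, a1 -> a4, a2 -> a3, a4 -> a3.
FIG_A7 = [
    [0, 1, 0, 1],
    [0, 0, 1, 0],
    [0, 0, 0, 0],
    [0, 0, 1, 0],
]

def bool_product(X, Y):
    """(X*Y)[i][j] = OR over k of (X[i][k] AND Y[k][j]): paths of two steps."""
    n = len(X)
    return [[int(any(X[i][k] and Y[k][j] for k in range(n))) for j in range(n)]
            for i in range(n)]

def bool_sum(X, Y):
    """Boolean sum (logical OR), entry by entry."""
    n = len(X)
    return [[int(X[i][j] or Y[i][j]) for j in range(n)] for i in range(n)]

def reachability_by_powers(A):
    """R = A + A^2 + A^3 + ... Returns (R, m) where A^m is the first power that
    added no new pair. A path of m+1 steps is a path of at most m steps plus
    one edge, so once A^m adds nothing the Boolean sum has converged."""
    R = [row[:] for row in A]
    power = [row[:] for row in A]
    m = 1
    while True:
        m += 1
        power = bool_product(power, A)        # A^m
        new_R = bool_sum(R, power)
        if new_R == R:
            return R, m
        R = new_R

def reachability_warshall(A):
    """Warshall's algorithm: after pass k, R[i][j] = 1 iff j is reachable from i
    using only intermediate nodes 0..k. O(n^3), with no matrix powers at all."""
    n = len(A)
    R = [row[:] for row in A]
    for k in range(n):
        for i in range(n):
            if R[i][k]:
                for j in range(n):
                    if R[k][j]:
                        R[i][j] = 1
    return R

if __name__ == "__main__":
    R, m = reachability_by_powers(FIG_A7)
    print("steady state reached when A^%d added nothing" % m)
    for row in R:
        print(row)
    print("Warshall agrees:", reachability_warshall(FIG_A7) == R)
```

For Fig. A-7 the only path longer than one edge is a1 -> a2 -> a3 (and a1 -> a4 -> a3), so A^2 adds the single pair (a1, a3) and A^3 adds nothing: the sum is at steady state after two powers. Neither routine puts 1 on the diagonal; a node is counted as reaching itself only when it lies on a cycle.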
Sacks [A-4] has extended the concept of reachability to conditioned graphs*. A conditioned graph is a representation of a logical network. This extension forms the basis of DMA. The weighted graph of Fig. A-8a is equivalent to the logic network of Fig. A-8b where the weights a and b are taken as binary variables.

[Figure A-8. Weighted Graph and Logic Network: (a) a graph whose edges carry the weights a and b; (b) the equivalent logic network with nodes C and D.]

The weighting in the graph represents a control on the connectivity of the graph. The conditioned graph can be represented by an equivalent matrix representation. Figure A-9 shows the logical AND symbol, along with the Boolean equation that it represents and an equivalent conditioned adjacency matrix.

Figure A-9. Representation of an AND Operation.
(a) AND gate: inputs A and B, output C
(b) Boolean equation: C = A*B
(c) Matrix representation:
         A  B  C
     A   0  0  B
     B   0  0  A
     C   0  0  0

* This technique is somewhat similar to that proposed by Chamow [A-5].
The matrix of Fig. A-9 is read in the same from-to manner as before, that is, to get from A to C requires B. Note that C can be reached either from node A with B or from node B with A. These two adjacencies are equivalent. Figure A-10 shows the logical OR symbol, along with the Boolean equation that it represents, and an equivalent adjacency matrix.

Figure A-10. Representation of an OR Operation.
(a) OR gate: inputs A and B, output C
(b) Boolean equation: C = A + B
(c) Matrix representation:
         A  B  C
     A   0  0  1
     B   0  0  1
     C   0  0  0

The matrix is read in the same from-to manner as above; node C can be reached from either node A or node B. Combinations of AND and OR gates are easily represented in the conditional adjacency matrix format. Figure A-11 is a logic network composed of two OR gates and one AND gate.

[Figure A-11. Example of Multiple Gate Logic Network: A and B enter an OR gate whose output is F; C and D enter an OR gate whose output is G; F and G enter an AND gate whose output is E.]

The individual component logic adjacency matrices for this network are given in Fig. A-12.
1 A B F -C D G F G E A 10 0 1 C l0 0 1 F l0 0 G B- 10 0 1 D l0 0 1 G l0 0 F C l0 0 0 G l0 0 0 E l0 0 0 1 ! Figure A-12. Component Matrices l These matrices can be combined into the single adjacency matrix shown in Fig. A-13, which represents the entire network of Fig. A-ll. A -B C D E F G Al0 0 0 0 0 1 0 Bl0 0 0 0 0 1 0 Cl0 0 0 0 0 0 1 010 0 0 0 0 0 1 El0 0 0 0 0 0 0 Fl0 0 0 0 G 0 0 Gl0 0 0 0 F 0 0 Figure A-13. Adjacency Matrix for Logic Network of Figure A-ll. The reachability calculation procedure described previously can be applied to this adjacency matrix to yield all Singletons and Doubletons of the network of Fig. A-ll. In so doing, the question we are attempting to answer is: Can node E be reached from any single node alone or from any combination of two nodes alone? If the adjacency matrix of Fig. A-13 is Boolean AND-ed with itself and the result then OR-ed with the original adjacency matrix, the conditioned reachability matrix of Fig. A-14 results. This matrix is read in the same manner as the adjacency matrix; for example node E can be reached from node A with node G. 1207b , )
        A  B  C  D  E  F  G
    A   1  0  0  0  G  1  0
    B   0  1  0  0  G  1  0
    C   0  0  1  0  F  0  1
    D   0  0  0  1  F  0  1
    E   0  0  0  0  1  0  0
    F   0  0  0  0  G  1  0
    G   0  0  0  0  F  0  1

Figure A-14. Reachability Matrix for the Network of Figure A-11.
Column E forms the basis for finding Singletons and Doubletons to node E. Substituting for G every node that reaches node G then yields the network connectivity to E. When this substitution process is carried out, cut-sets up to degree 2 are found. It is seen that the pairs (A, G), (A, C), (A, D), (F, G), (F, C), (F, D), (B, C), etc., are Doubletons to node E.

The process described above was implemented with various capabilities in three mainframe computer codes, REACH, CLAMOR and SQUEAK, at Lawrence Livermore National Laboratory [A-6, A-7]. These codes are capable of finding the reachability sets of any order that reach any node. CLAMOR and SQUEAK require a large computer (CDC 7600 or equivalent) to process problems of about 200 nodes. Processing times are on the order of 30 minutes, but these codes find all cut-sets of any size.
REACH restricts the analysis to Singletons, Doubletons and special-case Tripletons; it is a faster code that runs on a CRAY-1 and is capable of processing large problems containing thousands of nodes in several minutes. A minicomputer version has been developed for a PDP-11 and consists of several interfacing codes [A-9]. These codes are described next.

A.2.5 Efficient DMA Codes

The present version of DMA utilizes a family of computer programs that work together to find Singleton, Doubleton, and specified Tripleton cut-sets of a digraph on a minicomputer. Figure A-16 shows the data processing flow used for the present implementation of DMA. A brief description of the operation of each program will now be given.

o ADJ

Program ADJ converts alphanumeric adjacency element data into numeric input and provides a count of the number of variables used in the alphanumeric input data file. Example input to and output from ADJ is shown in Fig. A-15.

a) Digraph: A -> B; B and C -> D (D is the output of an AND gate whose inputs are B and C)

b) Adjacency list (input)    c) Variable list    d) Adjacency list (output)
   A,B,1                        1 - 1                2,3,1
   B,D,C                        2 - A                3,4,5
   C,D,B                        3 - B                5,4,3
   0,0,0                        4 - D                0,0,0
                                5 - C

Figure A-15. Input/Output for Code ADJ.

Each adjacency element is a triple (from node, to node, condition); a condition of 1 marks an unconditional edge, and the 0,0,0 at the end of the alphanumeric data indicates the end of the input data stream.
o CONDENSE

Program CONDENSE removes "redundant" node numbers from the numeric adjacency element list by a process of forward condensation. The rule for forward condensation is:

If a node is adjacent to only one other node, its number can be replaced by that of the adjacent node.

The digraph of Fig. A-15a condenses into the digraph of Fig. A-17a. The condenser program also renumbers the nodes, eliminating any repeated numbers in the numeric adjacency input. Typical output is shown in Figs. A-17b and A-17c. In effect, CONDENSE creates a generic or super node that represents a list of nodes that were originally ORed together.
[Figure A-16 (flow chart): INPUT DATA -> ADJ -> CONDENSE -> COMPRESS -> REACHABILITY CODE (three versions available: FASTBIT, VBIT, WVBIT) and TRIPLETON CODE -> output codes NEW2, MATRIX and SHORT.]

Figure A-16. DMA Data Processing Flow.
a) Condensed digraph: A is merged into B (super node 2); 2 -> D with C; C -> D with B

b) Adjacency list output    c) Variable list
   2,2,1                       1 - 1
   2,3,4                       2 - A
   4,3,2                       2 - B
   0,0,0                       3 - D
                               4 - C

Figure A-17. Condensation Program Operation.

Condensation has a high payoff in the use of a matrix reachability code, since processing time is approximately proportional to the cube of the order of the adjacency matrix and the computer memory requirement is proportional to the square of the order. Condensation typically reduces problem size by about one third. For example, an early version of a safety injection system model condensed from 1004 nodes to 625 nodes.
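As an added example (not the LLNL ADJ or CONDENSE programs, whose source is not reproduced in the report), the following Python applies the two operations just described to the input of Fig. A-15: ADJ numbers the variables in order of first appearance with the literal 1 taken as variable 1, and CONDENSE applies the forward-condensation rule and renumbers. The triple format (from, to, condition) follows Fig. A-15; restricting the rule to a node whose only adjacency is one unconditional out-edge, and the function names, are assumptions of this example.

```python
# Added example: ADJ-style numbering and forward condensation on the Fig. A-15
# input.  Not the report's code; edge format is (from, to, condition) with the
# literal "1" meaning "unconditional", and (0,0,0) terminates a numeric list.
INPUT = [("A", "B", "1"), ("B", "D", "C"), ("C", "D", "B")]   # Fig. A-15b
END = (0, 0, 0)


def first_seen(elements):
    """Variable names in order of first appearance, the literal '1' first."""
    names = ["1"]
    for element in elements:
        for x in element:
            if x not in names:
                names.append(x)
    return names


def adj(elements):
    """ADJ: returns (variable list, numeric adjacency list) as in Fig. A-15c/d."""
    names = first_seen(elements)
    num = {x: i + 1 for i, x in enumerate(names)}
    numeric = [tuple(num[x] for x in e) for e in elements] + [END]
    return [(num[x], x) for x in names], numeric


def condense(elements):
    """CONDENSE (forward condensation): a node whose only adjacency is a single
    unconditional element to one other node takes that node's number (this
    example applies the rule to unconditional out-edges only, an assumption).
    Returns (renumbered variable list, condensed numeric list) as in Fig. A-17."""
    touches = {}                     # node -> set of nodes it shares an element with
    for u, v, c in elements:
        group = {u, v} if c == "1" else {u, v, c}
        for x in group:
            touches.setdefault(x, set()).update(group - {x})
    alias = {u: v for u, v, c in elements if c == "1" and touches[u] == {v}}

    def rep(x):
        """Follow aliases to the super node; guard against alias cycles."""
        seen = set()
        while x in alias and x not in seen:
            seen.add(x)
            x = alias[x]
        return x

    condensed = [(rep(u), rep(v), c if c == "1" else rep(c)) for u, v, c in elements]
    names = first_seen(elements)
    supers = []                      # super nodes, renumbered without gaps
    for x in names:
        if rep(x) not in supers:
            supers.append(rep(x))
    num = {x: i + 1 for i, x in enumerate(supers)}
    varlist = [(num[rep(x)], x) for x in names]     # A and B both map to 2
    numeric = [tuple(num[x] for x in e) for e in condensed] + [END]
    return varlist, numeric


if __name__ == "__main__":
    print("ADJ:     ", adj(INPUT))
    print("CONDENSE:", condense(INPUT))
```

The variable list returned by condense keeps both A and B under number 2, which is how the super node records the members that were ORed together.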
o REACHABILITY

The reachability code finds all of the Singletons and Doubletons of the system digraph. This operation is performed using the logic shown in Fig. A-18.

[Figure A-18 (flow chart): INPUT DATA -> REACHABILITY ON DECONDITIONED MATRIX -> INNER PRODUCT ON AND GATES -> TEST FOR CONVERGENCE; No: repeat the reachability and inner product steps; Yes: FINISHED? If every node has been turned on, COMPLETED; otherwise TURN ON NODE K and repeat.]

Figure A-18. Reachability Code Flow.
All unconditional adjacency data (e.g., A,B,1: nodes that do not connect through an AND gate) is processed by a fast binary reachability algorithm. To conserve storage and enhance speed, each element in the reachability (and also the adjacency) matrix is represented by one bit, and computer hardware Boolean logic operations are used on words containing N bits. Thus a reachability matrix of order 16 takes 16 words of storage in a computer with a 16-bit word size. The Warren algorithm [A-3] is used for the reachability calculation. This algorithm appears to be more efficient for sparse matrices than the Warshall algorithm [A-2] and is given below.

Warren Algorithm (taken from [A-3])

S1  (Initialization) A is the adjacency matrix of G.
S2  Do S3 for i = 2, ..., n.
S3  Do S4 for j = 1, 2, ..., i-1.
S4  If A(i,j) = 1, then do S5 for k = 1, 2, ..., n.
S5  A(i,k) = A(i,k) + A(j,k).
S6  Do S7 for i = 1, 2, ..., n-1.
S7  Do S8 for j = i+1, i+2, ..., n.
S8  If A(i,j) = 1, then do S9 for k = 1, 2, ..., n.
S9  A(i,k) = A(i,k) + A(j,k).
S10 HALT.

Note: + represents the Boolean OR operation.

The result of this binary reachability calculation is the set of Singletons for the digraph with all AND gates removed. Figure A-19 shows this case.

a) Digraph: A -> B; B and C -> D (AND gate)
b) Deconditioned digraph: A -> B; the AND gate at D is removed

c) Reachability matrix of the deconditioned digraph
        A  B  C  D
    A   0  1  0  0
    B   0  0  0  0
    C   0  0  0  0
    D   0  0  0  0

Figure A-19. The Deconditioned Graph.

The reachability code then performs an inner product operation on each conditional adjacency entry. This inner product ANDs the columns given by the two input entries (B and C in the example) and places the result in the column indicated by the output entry (D). Each conditioned entry is processed through this inner product. The Reachability Matrix that results from this inner product process is then processed through the Warren algorithm to "connect up" all of the new partial paths found by the inner product operation. This inner product/reachability loop is repeated until the Reachability Matrix converges. The resulting matrix is the Single Dependency Reachability Matrix, which contains all Singletons of the system digraph.

Double dependency is found in a similar manner, with one difference. One of the nodes in the problem is "turned on" (the failure of that component is set to TRUE) and the single dependency calculation is repeated. The resulting "single dependency matrix" is conditional on the "turned on" node; as a result, the process identifies double dependencies (Doubletons). Each of the nodes is "turned on" in succession and the corresponding single dependency matrix generated. The output ultimately contains all Singletons and all Doubletons of the model.
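The following Python is an added example and not the report's FASTBIT/VBIT/WVBIT code: it implements Warren's algorithm on bit-packed rows, the inner product on conditional (AND-gate) entries, the convergence loop, and the "turn on node k" pass that yields Doubletons, and runs them on the two-OR/one-AND network of Fig. A-11. The edge representation (from, to, condition), the function names and the packing of each row into a Python integer are assumptions of the example; the edge list is constructed from the figure.

```python
# Added example: single- and double-dependency reachability over a conditional
# adjacency matrix (not the LLNL code).  Row i is a bitset; bit j of rows[i] is
# set when node i reaches node j, so a row OR is one machine word operation, as
# in the bit-packed implementation the report describes.
from itertools import combinations

# Network of Fig. A-11 (constructed): F = A OR B, G = C OR D, E = F AND G.
# (u, v, None) is an unconditional edge; (u, v, c) means "u reaches v only
# when c has also failed".
NODES = ["A", "B", "C", "D", "E", "F", "G"]
EDGES = [("A", "F", None), ("B", "F", None),
         ("C", "G", None), ("D", "G", None),
         ("F", "E", "G"), ("G", "E", "F")]


def build_rows(nodes, edges):
    """Deconditioned adjacency as row bitsets, diagonal set (identity term)."""
    idx = {name: i for i, name in enumerate(nodes)}
    rows = [1 << i for i in range(len(nodes))]
    for u, v, cond in edges:
        if cond is None:
            rows[idx[u]] |= 1 << idx[v]
    return rows


def warren(rows):
    """Warren's algorithm (steps S2-S9): two sweeps of row ORs, in place."""
    n = len(rows)
    for i in range(1, n):                 # S2-S5: j < i
        for j in range(i):
            if rows[i] >> j & 1:
                rows[i] |= rows[j]
    for i in range(n - 1):                # S6-S9: j > i
        for j in range(i + 1, n):
            if rows[i] >> j & 1:
                rows[i] |= rows[j]
    return rows


def dma_reach(nodes, edges, turned_on=None):
    """Single-dependency reachability with AND gates: Warren closure, then the
    inner product on every conditional entry, repeated until convergence.
    turned_on=k sets column k in every row, i.e. k is taken as already failed."""
    idx = {name: i for i, name in enumerate(nodes)}
    rows = build_rows(nodes, edges)
    if turned_on is not None:
        rows = [r | (1 << idx[turned_on]) for r in rows]
    conds = [(idx[u], idx[v], idx[c]) for u, v, c in edges if c is not None]
    while True:
        before = list(rows)
        rows = warren(rows)
        for u, v, c in conds:             # column v |= column u AND column c
            for s in range(len(rows)):
                if rows[s] >> u & 1 and rows[s] >> c & 1:
                    rows[s] |= 1 << v
        if rows == before:
            return rows


def singletons(nodes, edges, target):
    """Nodes whose failure alone reaches target."""
    t = nodes.index(target)
    rows = dma_reach(nodes, edges)
    return sorted(nodes[s] for s in range(len(nodes)) if s != t and rows[s] >> t & 1)


def doubletons(nodes, edges, target):
    """Turn each node on in succession; {s, k} is a Doubleton when s reaches
    target only with k on and neither s nor k is already a Singleton."""
    t = nodes.index(target)
    single = set(singletons(nodes, edges, target))
    found = set()
    for k in nodes:
        if k == target or k in single:
            continue
        rows = dma_reach(nodes, edges, turned_on=k)
        for s, name in enumerate(nodes):
            if name not in (k, target) and name not in single and rows[s] >> t & 1:
                found.add(frozenset((name, k)))
    return sorted(sorted(pair) for pair in found)


if __name__ == "__main__":
    print("Singletons to E:", singletons(NODES, EDGES, "E"))
    print("Doubletons to E:", doubletons(NODES, EDGES, "E"))
```

With G turned on, rows A, B and F acquire column E exactly as the A-with-G entry of Fig. A-14 says; the pass over all nodes collects the nine Doubletons of the network, and no Singleton to E exists because E needs both F and G.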
o OUTPUT CODES

There are three types of output codes presently used. These codes generate:

1. A list of the Singletons and Doubletons (SHORT);
2. A set of Reachability Matrices (MATRIX); and
3. A Singleton/Doubleton Matrix (NEW2).

Program SHORT allows the user to search the output file generated by the reachability code for specific "reaches", either from or to a node. Using this code, it is possible to find all Singletons and Doubletons to a specific terminal node and to determine why they have occurred. A typical output from SHORT is shown in Fig. A-20.

Program MATRIX presents the reachability output file in conventional adjacency matrix format. The output from this program is composed of N+2 matrices. The first two of these are the deconditioned adjacency and single dependency reachability matrices, respectively. The other N matrices are the conditional "single dependency" reachability matrices for each of the N components taken one at a time. Typical output from MATRIX is shown in Fig. A-21.

Program NEW2 generates the Singletons and Doubletons in the most useful and compact format (Fig. A-22). The Singletons are listed below the Doubleton Matrix. The Doubleton Matrix is read as follows: each element i,j marked with an asterisk represents a Doubleton composed of component i and component j.
[Figure A-20 (program listing, not legible in the scan): SHORT output listing the reaches to and from the requested node.]

Figure A-20. Output from Code SHORT.

[Figure A-21 (program listing): MATRIX output consisting of the ADJACENCY MATRIX, the SINGLE DEPENDENCY REACHABILITY MATRIX, and one TWO VARIABLE REACHABILITY MATRIX for each component turned on in turn ("2 AND", "3 AND", "4 AND", "5 AND").]

Figure A-21. Output from Code MATRIX.

DOUBLETON MATRIX
        2  3  5
    2   -  -
    3   -  -
    5   *  -        (element 5,2 marked: components 5 and 2 form a Doubleton)

*** SINGLETONS ***
    4

Figure A-22. Output from Code NEW2.
A.3 Application of DMA to a Plant Safety Assessment

In Section A.2 we presented general concepts of DMA that would be applicable in any system risk analysis. In this section we present an approach to extend the guidance for DMA in order to be able to conduct a risk assessment of a nuclear power plant.

Guidance for the implementation of DMA systems interaction assessment was published in Ref. A-10. This section summarizes the major steps and procedures in carrying out such an analysis. The four major steps in a digraph matrix analysis are listed in Table A-1.

Table A-1. Overview of Digraph-Matrix Analysis for Nuclear Power Plants.

Step 1: Select combinations of systems for detailed evaluation. (This is equivalent to the Probabilistic Risk Assessment (PRA) event tree analysis designed to find accident sequences.)
Step 2: Construct a global digraph model for each system combination (e.g., accident sequence).
Step 3: Partition digraph models into independent subdigraphs and find Singleton and Doubleton minimum cut-sets of accident sequences.
Step 4: Evaluate Singletons and Doubletons on the basis of probability and display results.

Each of these steps, broken into substeps, will be discussed in turn.

Step 1: Selection of Combinations of Systems for Detailed Evaluation

This step focuses on the four safety-system functions at a nuclear power plant and uses event tree methodology, resulting in the selection of combinations of front-line systems among which system interactions might exist. This includes consideration of other plant operating modes.

This step is accomplished in a manner similar to a PRA event tree analysis. Event tree analysis is an inductive logic technique that sequentially models events, with success and failure, following a selected initiating event and proceeding to a series of logical outcomes. An event tree begins with an initiating event and then displays a sequence of events at the system level that forms a set of branches, each of which represents a specific accident sequence whose effects follow directly from the events in the sequence. Complete event tree analysis requires the identification of all possible initiating events and the development of an event tree for each. The first step in finding accident sequences (or combinations of systems for detailed evaluation) can be accomplished by the following six substeps.

Substep 1A: Study of Plant Design and Operating History

Analysts first gather all pertinent existing information about the plant. A large amount of information is collected, synthesized, and documented to form the basis for subsequent analytical activities. A list of plant systems is developed and reviewed for its potential impact on risk. Appropriate sources of information include design documents, safety evaluation reports, plant system descriptions and operating procedures, and previous safety studies.

Substep 1B: Development of a List of Accident Initiators

The Reactor Safety Study (WASH-1400) [A-9] generic list of accident initiators is reviewed to see which apply to the plant being studied. This list should reflect applicable operating experience. The accident initiators are then grouped in terms of common mitigation requirements.
Accident-initiating events are identified and grouped according to the similarity of plant response. Generic lists, operating histories, and plant-specific data can be factored into a generalized engineering process in which exhaustive lists of initiating events, including their occurrence frequency, are compiled and grouped. Efforts must be made to ensure that the set of initiating events considered is as complete and comprehensive as practical. There are two major classes of accident initiators: loss of coolant accidents (LOCA) and power transients.

Substep 1C: Development of Functional Event Trees

To avoid unacceptable reactor core damage and a release of unacceptable levels of radioactivity to the site environs, four basic safety functions have been specified by the NRC:

1. To maintain the primary coolant inventory.
2. To transfer the heat from the reactor to the final heat sink.
3. To render and keep the entire core subcritical.
4. To maintain the integrity of the containment and control radioactive releases.

Systems that fail to meet one or more of the basic safety functions are of concern. For each group of accident initiators identified in Substep 1B, the four basic safety functions are subdivided into subfunctions; the corresponding functional event trees are then generated.

To summarize, once the group of initiating events has been selected, the attendant response of the plant must be determined. This may be accomplished through a functional analysis in which the safety functions required for each
response are defined and ordered in a functional event tree. Success criteria for each function are stated in terms of the required collection of systems that perform each individual function. Success criteria are then developed for individual systems and form the basis for characterizing the logic description of the top event of the system event tree. A primary value of this approach is the stepwise, ordered identification of broad functional considerations with specific systems. It provides a framework for the complex task of sorting system responses.

Substep 1D: Assignment of Front-Line Systems to Functional Event Trees

The safety functions utilized in preparing the functional event trees (Substep 1C) are performed by engineered systems designed specifically for this purpose. In other words, further decomposition of the safety functions into simpler functions yields the specific engineered systems. The operability of these systems defines whether the safety functions are performed or not, and thus completely defines the course of an accident. These systems are called front-line systems (FLS). The success criteria for the FLS are defined in this step.

The event tree headings are defined as logic statements describing composite events representing the minimal operability states of front-line systems and their required supporting systems. This approach leads to event trees with a minimum number of event tree branch headings, and thus facilitates an understanding of the overall accident progression path. It does, however, require that support systems be included in the system models. Each event tree heading must have a definite logic statement of the minimum acceptable complement of equipment and system performance required to successfully accomplish the function described by the event tree. These success criteria should be stated in discrete hardware terms, such as number of pumps or required flow.

Substep 1E: Results of Event Tree Analysis

The event tree analysis produces a set of system combinations (e.g., accident sequences). Each system combination is one sequential combination of those front-line systems whose success or failure (as specified) results in serious consequences to the plant involving the degradation of one or more safety-system functions.

In a simplifying assumption, it is possible to conservatively assume (as is done in some cases for PRA) that systems required to work in an accident sequence work with probability equal to one. We are then left with system combinations that are composed of front-line systems that must fail if there is to be a serious consequence to the plant.

Substep 1F: Assignment of Support Systems to Front-Line Systems

To successfully perform their functions, front-line systems depend on the operability of other support systems. Support systems affect the accident response of a plant only through their effect on the FLS. To identify the support systems for each front-line system, the following six procedures can be followed:

1. The operation of the front-line system must be examined in detail, identifying both the necessary inputs and all of the outputs. If, for example, the FLS is a fluid system, all potential sources of the
fluid should be identified. Next, all of the systems with which the FLSs interface directly (e.g., as discharge points) or indirectly (e.g., as secondary sides of heat exchangers) should be identified.

2. The power sources necessary for the operation of the active components (e.g., electric power and steam) should be identified.

3. The modes of actuating and/or controlling the system must be identified, in particular whether the system is actuated and controlled automatically or by operator action. In both cases the signals necessary to initiate the control system or operator actions must be identified. The possibility of manually overriding automatic control should also be established. In the case of automatic control, the type of controlling system should be identified (e.g., electrical, pneumatic) along with the systems associated with each type (e.g., power supply, instrument air).

4. The cooling systems of the various components of the FLS should be identified.

5. The lubrication systems (if any) of the various components of the FLS should be identified.

6. The general location of the FLS should be established. More detailed location identification will support the unit model expansion of relevant components.
The support systems that contribute to the initiating event are then identified for a full compilation to be used in Step 2.

Step 2: Constructing a Global Digraph Model for Each System Combination

The accident sequences found in Step 1 are combinations of front-line and related support systems that must fail in order to produce a severe consequence to the plant involving the loss of one or more vital safety functions. We will refer to these accident sequences as system combinations. In Step 2, a single global digraph model is constructed for each system combination.

The digraph modeling techniques described in Sec. A.2 are first applied to each of the front-line and support systems included in the system combination. Two major additional items are needed for the integration of the individual systems into a global model for the system combination. They are:

1. identification of system-level failure criteria, and
2. identification of boundary nodes.

These two items are related in that system failure criteria are used to characterize how failures in a system can propagate across boundaries into other systems. The initial digraph model of a given system will result in the identification of boundary nodes, or nodes at which connections to other systems are required. In addition, the unit model expansion process invariably results in the identification of boundary nodes from support systems, operator interfaces and location.

The coordination of boundary node identifiers is a main concern in the development of the global model. Once boundary nodes common to systems included in the accident sequence have been identified, they are incorporated into each system model with a unique node identifier. Not only shared components, but also shared location and operator actions are included in this process.

The individual system digraphs can next be combined into successive combinations of systems. As each system combination model is produced, it is checked for consistency and completeness by processing with the DMA codes discussed in Sec. A.2.5. Corrections to the system combination models are made as necessary. Ultimately, this process results in the integration of all the systems in a given system combination into a single global model.
Step 3: Partitioning of the Global Digraph Model into Independent Subdigraphs and DMA Processing

The global digraph produced from Step 2 is the digraph of the expanded operational model for the specified accident sequence. The digraph and its corresponding adjacency matrix grow larger with each expansion step. At some size, the matrix will exceed the memory space limits of the reachability code or will take excessive amounts of computer processing time. There are two ways of overcoming these computer limitations. First, we can separate the global digraph into independent subdigraphs. Subdigraphs that cannot cause the failure of the system(s) can be partitioned out of the model. Partitioning into independent subdigraphs can be accomplished according to the following definition:

A connected graph G is separable (capable of being partitioned) if G contains a subgraph g such that the complement of g (g') and g have only one vertex in common.

Wherever possible, analysts can partition the global digraph into independent subdigraphs.

A second way to overcome computer limitations involves: (1) substitution of equivalent (reduced) networks, and (2) generating generic or super nodes (these nodes can represent many other nodes that are all simply ORed together). The adjacency matrix can be partitioned into submatrices that can later be recombined into the global digraph. The submatrices can be replaced by equivalent but smaller submatrices. That is, nodes that are not on the boundary of the graph represented by the submatrix are eliminated through Boolean absorption before the recombination. The partitioning/recombination procedure must not eliminate any Singletons or Doubletons from the global digraph. The steps in this partitioning procedure, shown in Fig. A-23, will be briefly discussed in the following subsections. Figure A-24 schematically illustrates this partitioning, reduction, recombination, and expansion process for a relatively simple digraph model.
[Figure A-23 (flow chart): Partition into subgraphs -> Process subgraphs -> Eliminate interior components from subgraph reachability matrix -> Construct reduced adjacency matrix -> Process reduced matrix for singletons and doubletons -> Add interior components.]

Figure A-23. Partitioning of the Global Digraph.
(a) Global digraph: A -> B, A -> C, B -> D, C -> E, D -> F, E -> F, F -> G

(b) Global adjacency matrix
        A B C D E F G
    A   0 1 1 0 0 0 0
    B   0 0 0 1 0 0 0
    C   0 0 0 0 1 0 0
    D   0 0 0 0 0 1 0
    E   0 0 0 0 0 1 0
    F   0 0 0 0 0 0 1
    G   0 0 0 0 0 0 0

(c) Digraph partitions: P1 = {A, B, D}, P2 = {D, E, F, G}, P3 = {A, C, E}

(d) Partition adjacency matrices
    P1    A B D      P2    D E F G      P3    A C E
    A     0 1 0      D     0 0 1 0      A     0 1 0
    B     0 0 1      E     0 0 1 0      C     0 0 1
    D     0 0 0      F     0 0 0 1      E     0 0 0
                     G     0 0 0 0

(e) Reachability matrices for partitions
    P1    A B D      P2    D E F G      P3    A C E
    A     0 1 1      D     0 0 1 1      A     0 1 1
    B     0 0 1      E     0 0 1 1      C     0 0 1
    D     0 0 0      F     0 0 0 1      E     0 0 0
                     G     0 0 0 0

(f) Singletons for partitions: A or B = D; D or E or F = G; A or C = E

(g) Reduced adjacency matrix        (h) Reduced reachability matrix
        A D E G                          A D E G
    A   0 1 1 0                      A   0 1 1 1
    D   0 0 0 1                      D   0 0 0 1
    E   0 0 0 1                      E   0 0 0 1
    G   0 0 0 0                      G   0 0 0 0

(i) Full set of singletons: D is a singleton for G, but B is a singleton for D; E is a singleton for G, and C is a singleton for E; A is a singleton for G; F is a singleton for G. Therefore the full singleton set is A, B, C, D, E, F.

Figure A-24. Partitioning Process.
Substep 3a: Partitioning of the Global Digraph Model

Analysts partition the global digraph into independent subdigraphs according to the definition above. Each subdigraph is labeled (i = 1, ..., n). If no independent subdigraphs are found, a "partitioner" subroutine (described below) can be used.

The partitions that are created by the "partitioner" subroutine are based on the basic structure of the digraph and the unit model expansions around this graph. The unit model expansions arise from "natural" partitions caused by operational and spatial considerations, and equivalent circuits are constructed. Most of the components connected to a given valve are different from the components attached to a different valve. As an illustration of this natural partitioning, consider the global digraph shown in Fig. A-24.

Each of the two "unit models" added to the structure shares only one component with the other unit model and one component with the basic structure. In addition, each of the three partitions (P1, P2, P3) shown in Fig. A-24(c) contains components that do not link outside of the partition. Components that link outside of the partition are defined as lying on the boundary of a partition. By removing the components that are fully contained within a partition (i.e., do not lie on a boundary), the order of the adjacency matrix for each partition can be reduced. The "partitioner" subroutine identifies these "interior" components and records their identity. The actual selection of subgraph partitions is performed by an algorithm that traces through the digraph backwards from the components of the basic structure digraph. The tracing for each component continues until all subgraphs meet two conditions:

1. The number of components is less than or equal to the maximum size the reachability code can process.
2. A set of "interior nodes" that can be eliminated exists in each subgraph.

It is not necessary to make the subgraphs disjoint when conducting this equivalent circuit substitution. In other words, subgraphs may share common components. But shared components will not be interior nodes and therefore will not be eliminated in the subsequent processing. The next step is to process each subgraph through the reachability code.

Substep 3b: Reachability Processing of Subdigraphs

The adjacency matrices of the subgraph partitions are now individually processed through the reachability code. The reachability matrices for each of the subgraphs are shown in Fig. A-24(e).

Substep 3c: Elimination of Interior Components

Components that are totally interior to the partitions are now identified and removed (on the basis of Boolean absorption) from the subgraph reachability matrices. The unreduced subgraph reachability matrices are retained for use later in determining whether these "eliminated" components are Singletons or Doubletons of the global digraph.

Substep 3d: Construction of the Reduced Adjacency Matrix

The reduced reachability matrices of the subgraphs are now combined into a "reduced global digraph adjacency matrix," shown in Fig. A-24(g). This matrix is the same as the original adjacency matrix, but interior components have been eliminated. This matrix contains all of the connectivity information between boundary components that is contained in the original adjacency matrix.

Substep 3e: Reachability Processing on Reduced Adjacency Matrix

The reduced matrix is now processed by the reachability code. This step links up the partitions. The result of this processing is shown in Fig. A-24(h). In this processing sequence, the size of the global adjacency matrix is reduced, thus overcoming the size constraint of the code. The reduced reachability matrix contains all Singletons and Doubletons for the boundary components. In addition, processing can be carried out for selected Tripletons. The "interior" components can now be considered.

Substep 3f: Addition of Eliminated Components

The reachability matrix for each of the partitions contains all essential information about the interior components. Each of these interior components that is connected to a boundary component that is a Singleton or part of a Doubleton in the reduced reachability matrix must be considered as a potential Singleton or Doubleton. The type of connection is important. If there is a direct (unconditional) element between the boundary component in the reduced matrix and the interior component, then the interior component has the same impact as the boundary component in the reduced matrix. If the interior component has a conditional relationship, the effect of this relationship must be considered.
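The following Python is an added example (not the report's "partitioner" subroutine or reachability code) that carries Substeps 3a through 3f over the digraph of Fig. A-24 for unconditional edges: partition reachability, elimination of interior components, the reduced adjacency matrix, reachability on the reduced matrix, and the addition of interior Singletons. The partition choice is taken from Fig. A-24(c); the boundary rule (a node that appears in more than one partition, plus the terminal node), the function names and the tiny closure helper are this example's assumptions. Conditional (AND-gate) relationships of interior components, which the report says need separate consideration, are not handled here.

```python
# Added example: partition / reduce / recombine on the Fig. A-24 digraph, for
# unconditional edges only.  Not the LLNL code; names are this example's own.
GLOBAL_NODES = ["A", "B", "C", "D", "E", "F", "G"]
GLOBAL_EDGES = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "E"),
                ("D", "F"), ("E", "F"), ("F", "G")]          # Fig. A-24(a)
PARTITIONS = {"P1": ["A", "B", "D"],
              "P2": ["D", "E", "F", "G"],
              "P3": ["A", "C", "E"]}                          # Fig. A-24(c)
TARGET = "G"


def closure(nodes, edges):
    """Reflexive transitive closure as {node: set of nodes it reaches}."""
    reach = {u: {u} | {v for (x, v) in edges if x == u} for u in nodes}
    changed = True
    while changed:
        changed = False
        for u in nodes:
            new = set().union(*(reach[v] for v in reach[u]))
            if not new <= reach[u]:
                reach[u] |= new
                changed = True
    return reach


def boundary_nodes(partitions, target):
    """Substep 3a: components that link outside their partition (appear in more
    than one partition) plus the terminal node; everything else is interior."""
    count = {}
    for members in partitions.values():
        for n in members:
            count[n] = count.get(n, 0) + 1
    return sorted(n for n, c in count.items() if c > 1 or n == target)


def partition_reach(partitions, edges):
    """Substep 3b: reachability of each partition on its own edges."""
    return {name: closure(members, [(u, v) for (u, v) in edges
                                    if u in members and v in members])
            for name, members in partitions.items()}


def reduced_adjacency(partitions, edges, target):
    """Substeps 3c/3d: keep boundary nodes only; u->v survives when v is
    reachable from u inside some partition (interior nodes absorbed)."""
    bnd = boundary_nodes(partitions, target)
    red = set()
    for reach in partition_reach(partitions, edges).values():
        for u in reach:
            for v in reach[u]:
                if u != v and u in bnd and v in bnd:
                    red.add((u, v))
    return bnd, sorted(red)


def matrix_rows(nodes, edges):
    """Render an edge list as the 0/1 rows drawn in Fig. A-24."""
    return ["".join("1" if (u, v) in edges else "0" for v in nodes) for u in nodes]


def full_singletons(partitions, edges, target):
    """Substeps 3e/3f: Singletons of the reduced graph, then every interior
    component that reaches a boundary Singleton (or the target) in its partition."""
    bnd, red = reduced_adjacency(partitions, edges, target)
    rreach = closure(bnd, red)
    single = {u for u in bnd if u != target and target in rreach[u]}
    hits = single | {target}
    for name, members in partitions.items():
        reach = partition_reach({name: members}, edges)[name]
        for x in members:
            if x not in bnd and reach[x] & hits:
                single.add(x)
    return sorted(single)


def direct_singletons(nodes, edges, target):
    """Same answer without partitioning, to check that reduction lost nothing."""
    reach = closure(nodes, edges)
    return sorted(u for u in nodes if u != target and target in reach[u])


if __name__ == "__main__":
    bnd, red = reduced_adjacency(PARTITIONS, GLOBAL_EDGES, TARGET)
    print("boundary:", bnd, "reduced rows:", matrix_rows(bnd, red))
    print("singletons for G:", full_singletons(PARTITIONS, GLOBAL_EDGES, TARGET))
```

The check against direct_singletons is the property Substep 3 must preserve: the reduced processing may not drop any Singleton (or Doubleton) of the global digraph.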
Summary

Each accident sequence (system combination) results in a violation of at least one of the four basic safety functions. In this step, the system combination was organized in terms of the front-line and support systems. A global digraph for each system combination was constructed. Its Singleton and Doubleton cut-sets were found through reachability processing of the digraph's adjacency matrix. Once all Singleton, Doubleton and selected Tripleton minimum cut-sets of the global digraph model of the system combination are found, Step 4 is used to evaluate and quantify them.

Step 4: Evaluation on the Basis of Probability and Display of Results

Once the Singleton, Doubleton and selected Tripleton minimal cut-sets for all system combinations are found, it is necessary to evaluate the system interactions using ranking criteria. These can be evaluated, for example, by normal PRA techniques such as risk analysis, which combines the accident sequence consequence with the probability of failure. In addition, quantification of complete system combination system interaction probabilities can be carried out.

The quantification of system combination probabilities is conducted by assigning a failure probability to each component which was a member of the failure sets. The data used for component failure probabilities can be taken from data sources such as WASH-1400 [A-9], IEEE Standard 500 [A-10], the Zion Seismic Safety Study [A-11], the Indian Point-3 Probabilistic Safety Study [A-12] and others [A-13, A-14, A-15, A-16]. All component failures which appear in Singletons or Doubletons can be treated as independent. This independence assumption is accurate to the level of modeling detail in a DMA. Any physical dependency that can be identified would be included in the quantification of the DMA model except for the following:

Common Location
Common Maintenance
Common Manufacturer
Common Environmental Conditions

Shared support systems which would make apparently independent components dependent are explicitly modeled. For example, the failure of two pumps because of the loss of a common component in the component cooling system would appear in a failure set as a Singleton in component cooling or as part of a Doubleton. The pumps which fail due to the cooling failure would not appear in the failure set. Figure A-25 illustrates this situation for a simplified case.

[Figure A-25 (digraph): Electrical 1 -> Pump 1; Electrical 2 -> Pump 2; Safety Injection fails if the Cooling Pump fails or if both pump trains fail.]

Figure A-25. Simplified Example of Common Mode Failures.

The failure sets for this case are:

Singleton:    Cooling Pump
Doubletons:   Electrical 1, Electrical 2
              Pump 1, Pump 2
              Electrical 1, Pump 2
              Electrical 2, Pump 1

Notice that the pumps do not appear in a cut set with the cooling pump. The appearance of a pump in a cut set means that the pump itself fails due to internal reasons and not due to the failure of an external component.

The data bases cited previously indicate that most components have several potential failure causes. Each of these failure causes is taken as independent and combined into a single failure probability for the component by the following equation:

$$P = 1 - \prod_{i=1}^{n} (1 - P_i)$$

where n is the number of failure causes of the component and P_i is the probability of failure due to the i-th cause.

The total probability of failure due to all Singletons (and Doubletons) is computed using the SIGPI code developed at LLNL [A-11]. In this code the cut sets are not assumed to be independent. The SIGPI program uses two fast complementary methods of computing the probabilistic performance of complex systems: the PI method and the SIGMA method. The former exploits the fact that, when system variables are carefully defined, these variables are often statistically independent conditional on the environment in which they are embedded, a very convenient fact from a computational point of view. The latter is used to compute the probability of combinations of events produced by the PI method by disjointing such events, thereby allowing the exact computation of performance. The computational complexity of the overall process is a polynomial function of the number of components. For very large problems, where the cost of precise answers may be prohibitive, a relaxed accuracy can be specified, and the SIGPI algorithms will halt when that accuracy has been reached.
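The following Python is an added example, not SIGPI or any code from the report: it combines per-component failure causes with the equation above and then shows why the cut sets cannot simply be treated as independent, by computing the exact probability that at least one of the Fig. A-25 failure sets occurs (enumerating the disjoint component states, the brute-force form of the "disjointing" SIGPI does with polynomial cost) next to the rare-event sum of the cut-set probabilities. The failure sets are those of Fig. A-25; the numerical failure probabilities are constructed for the example and are not taken from any of the data sources cited.

```python
# Added example: component-probability combination and exact union of cut sets
# for the Fig. A-25 failure sets.  Probabilities below are constructed, not data.
from itertools import product

CAUSES = {                      # per-component failure causes, combined below
    "Cooling Pump": [1e-3, 5e-4],
    "Electrical 1": [2e-3],
    "Electrical 2": [2e-3],
    "Pump 1":       [3e-3, 1e-3],
    "Pump 2":       [3e-3, 1e-3],
}
CUT_SETS = [                    # Fig. A-25: one Singleton, four Doubletons
    {"Cooling Pump"},
    {"Electrical 1", "Electrical 2"},
    {"Pump 1", "Pump 2"},
    {"Electrical 1", "Pump 2"},
    {"Electrical 2", "Pump 1"},
]


def component_probability(cause_probabilities):
    """P = 1 - prod(1 - P_i) over the independent failure causes of one component."""
    survive = 1.0
    for p in cause_probabilities:
        survive *= 1.0 - p
    return 1.0 - survive


def rare_event_sum(cut_sets, comp_p):
    """Sum of cut-set probabilities: treats cut sets as independent, so it
    double-counts states in which two cut sets hold at once (an upper bound)."""
    total = 0.0
    for cs in cut_sets:
        term = 1.0
        for c in cs:
            term *= comp_p[c]
        total += term
    return total


def exact_union(cut_sets, comp_p):
    """Exact P(at least one cut set is entirely failed): enumerate every
    component state (these are disjoint events), keep the states that contain
    some cut set, and sum their weights.  2^n states, fine for five components;
    SIGPI's disjointing reaches the same value without the enumeration."""
    comps = sorted(comp_p)
    total = 0.0
    for states in product((False, True), repeat=len(comps)):
        failed = {c for c, f in zip(comps, states) if f}
        if any(cs <= failed for cs in cut_sets):
            weight = 1.0
            for c, f in zip(comps, states):
                weight *= comp_p[c] if f else 1.0 - comp_p[c]
            total += weight
    return total


def system_failure(causes=CAUSES, cut_sets=CUT_SETS):
    """Returns (exact union probability, rare-event sum) for the failure sets."""
    comp_p = {c: component_probability(ps) for c, ps in causes.items()}
    return exact_union(cut_sets, comp_p), rare_event_sum(cut_sets, comp_p)


if __name__ == "__main__":
    exact, bound = system_failure()
    print(f"exact P(system fails) = {exact:.7f}, rare-event sum = {bound:.7f}")
```

For the small probabilities used here the two numbers are close, which is why the rare-event sum is an acceptable screening figure; with two equally likely 0.5 Singletons the sum reaches 1.0 while the exact answer is 0.75, which is the error the disjointing in SIGPI avoids.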
A.4 Additional Digraph Modeling Discussions

A.4.1 Break Modeling

The digraph modeling procedure previously described is valid primarily for the downstream propagation of effects such as system blockage. A pipe break can affect upstream as well as downstream flow. The upstream propagation results from the fact that a break acts as a sink into which liquid, for example, can drain. This sink could cause upstream components to fail to function as designed. Figure A-26 illustrates this phenomenon. A break in the pipe downstream of valve 1 could affect the flow of water from the refueling water storage tank to Pump 2.

A procedure which extends a digraph model to include the effects of the propagation of breaks upstream will now be described. This extension propagates the effects of a break both downstream and upstream. The block digraph of the system in Figure A-26 is shown in Figure A-27a. The digraph which propagates the effect of breaks both upstream and downstream is shown in Fig. A-27b. In this figure, the primed components (e.g., P1') represent the failure of components in the break mode, and the arrows on both ends of the connectives between the primed nodes indicate bidirectional flow. The effect of a break failure anywhere in the system will propagate to all other components. The nodes which represent component failure as a break are connected to the nodes which represent component block failure, but the reverse is not true.
[Figure A-26. Effect of Pipe Break (RWST feeding Pump 1/Valve 1 and Pump 2/Valve 2, with a break downstream of Valve 1)]
[Figure A-27. Break and Block Digraphs: (a) block digraph with nodes RWST, P1, V1, P2, V2, RCS; (b) the same digraph with the primed break nodes connected bidirectionally]
The addition of a break node for each component will approximately double the size of the system digraph. Fortunately, a group of bidirectionally connected nodes can be combined into a single equivalent node (or strong component), reducing the network size (see Sect. A.4.2). The effect of this reduction is shown in Fig. A-28.

Good system designs will normally have components which are used as break mitigators. In fluid flow networks, automatically or manually operated valves and check valves are used for this purpose. In electrical networks, the break (short-circuit) mitigation function is performed by circuit breakers or fuses. In DMA, these break mitigators are modeled by an AND gate on the bidirectional connective between adjacent nodes which represent the component break modes. The modeling of a typical break mitigating component is shown in Fig. A-29. In this figure, the valve V1 can be used to limit the effect of a pipe break P1' from affecting upstream components. The use of the valve as a break mitigator is indicated by the double prime in the symbol for the valve, V1''. It should be noted that a break in both P1' and V1' will still propagate downstream. The nodes which represent components used for break mitigation are now candidates for unit model expansion following the procedure described in the preceding sections.
A.4.2 Modeling Complex Networks with Bidirectional Flows

The number of possible flow paths through combinations of systems is strongly dependent upon the number of switching or flow junctions in the network and can quickly become quite large. In the case of piping networks, these junctions are the pipe headers where the flow direction is controlled by
[Figure A-28. Use of a Strong Component (nodes RWST, P1, V1, P2, V2, RCS; the combined break nodes shown as the strong component STR1)]
[Figure A-29. Modeling of Break Mitigation (nodes RWST, P1, V1, P2, V2, RCS with their primed break nodes; the valve used as break mitigator is shown as V1'')]
upstream and downstream pressure conditions. Two approaches can be used to model the potential use of all of the possible paths. The first is a global method whereby an exhaustive list of all possible paths through the network from source(s) to sink(s) would be generated. Such an approach would require substantial effort due to the large number of paths. The second approach is a local method whereby the network is modeled length-by-length and header-by-header using a simple digraph algorithm to characterize the switching behavior of the headers.

Consider the network shown in Fig. A-30a. Flow must pass from the RWST to pumps P1, P2, and P3. Crosstie valve V3 is normally closed so, under normal conditions, with valve V1 failed closed, P1 and P2 would not have an open path from the RWST. These injection paths would fail. However, allowing the operator to open V3 changes the outcome since flow through V2 could supply all three pumps (provided that the piping has been sized to allow for this contingency). The digraph for this network is shown in Fig. A-30b. The network is considered to consist of pipe headers and the connections between them. The digraph is constructed a header at a time without the need to consider global path searches. The algorithm used is as follows:
[Figure A-30a. Crosstie Network]

[Figure A-30b. Digraph of Crosstie Network]
At each header, flow can exit through each of the pipes which form the junction (unless a check valve or pump constrains fluid from flowing away from the header in a given pipe). Considering each exit independently, the possible sources of flow to it are AND-ed together and input to a dummy node. The sources are nodes adjacent to the header. The node representing the header is OR-ed into this dummy node and represents the necessity of an open path through the header to enable flow through the exit path being considered. This process is repeated for each output from the header, and the entire scheme is repeated at each header throughout the network.

An example of this modeling is shown by the model for flow through header HDR2. This header is the junction of three pipes. Fluid can flow away from the header through any of the three paths. These paths are considered one at a time, in any order, and the status (success or failure) of each path is embodied by a dummy node. Dummy nodes in this example all begin with D. Node DHDR2A is the status node for flow away from HDR2 and toward P2. Flow to it can come from either of the two other entrances to the header, so these two flow paths are AND-ed together and input to the status node. One of these flow paths originates at DHDR1B and the other at DV3A. The first is the flow away from HDR1 in the pipe connecting it to HDR2. Inputs to DHDR1B will not be developed until modeling has progressed to HDR1. Node DV3A is flow away from valve V3 in the direction toward HDR2. As before, Node HDR2 inputs to DHDR2A since integrity of a path through the header is needed with either of the two flow paths for the flow to reach out of the header toward P2. Once this simple analysis has been applied to the other branches out of HDR2 and to the other components through which flow can pass in more than one direction, the digraph is complete.
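As an added illustration of the header algorithm above (not the report's code), the following Python generates the dummy-node gates for a constructed crosstie network modelled on Fig. A-30; the network layout, the `(neighbour, flow_out, flow_in)` representation and the letter-per-exit naming of the dummy nodes are assumptions.

```python
import string

# Constructed crosstie network in the spirit of Fig. A-30 (an assumption, not
# the report's data): RWST feeds HDR1 through V1 and HDR3 through V2; HDR1,
# HDR2 and HDR3 supply P1, P2 and P3; HDR1-HDR2 and HDR2-V3-HDR3 are crossties.
# Only nodes that pass flow in more than one direction need the header
# treatment; each lists its neighbours as (neighbour, flow_out, flow_in), where
# pumps and the supply valves constrain flow to one direction. Unidirectional
# components (RWST, V1, V2, pumps) keep their plain digraph nodes.
NETWORK = {
    "HDR1": [("P1", True, False), ("HDR2", True, True), ("V1", False, True)],
    "HDR2": [("P2", True, False), ("HDR1", True, True), ("V3", True, True)],
    "V3":   [("HDR2", True, True), ("HDR3", True, True)],
    "HDR3": [("P3", True, False), ("V3", True, True), ("V2", False, True)],
}

def status_node(network, node, toward):
    """Dummy node for flow leaving `node` toward `toward`: D<node><letter>,
    letters given to the node's exits in listing order (DHDR2A is the first
    exit of HDR2). A unidirectional component is its own status node."""
    if node not in network:
        return node
    exits = [n for n, out, _ in network[node] if out]
    return "D" + node + string.ascii_uppercase[exits.index(toward)]

def junction_model(network):
    """The header algorithm: for every exit of every junction, AND together the
    possible sources of flow (status nodes of the other entrances) into a dummy
    node, and OR the junction's own node into it. Returns
    dummy -> {"and": sources, "or": [junction]}; the dummy node is then the
    input to the downstream neighbour in the digraph."""
    gates = {}
    for node, neighbours in network.items():
        for target, out, _ in neighbours:
            if not out:
                continue
            sources = [status_node(network, n, node)
                       for n, _, into in neighbours if into and n != target]
            gates[status_node(network, node, target)] = {"and": sources, "or": [node]}
    return gates

if __name__ == "__main__":
    for dummy, gate in junction_model(NETWORK).items():
        print(dummy, "= OR(", gate["or"][0], ", AND", gate["and"], ")")
```

Running it reproduces the text's HDR2 case: DHDR2A is the AND of DHDR1B and DV3A with HDR2 OR-ed in.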
A.4.3 Tripleton Code

The DMA model provides a rich basis for investigation of the effect of various component or system failures. For example, the effect of the loss of offsite power could be investigated by "turning on" the node which represents loss of offsite power. A special version of the reachability code was designed and is used to allow these investigations. This code functions in a manner similar to the reachability code described earlier with one difference. After the single dependency reachability calculation is performed, a double dependency reachability calculation is performed using the node to be "turned on" (a given component failure is set to TRUE) as an initial condition to the calculation. The reachability result of this calculation is then used as the result of the single dependency calculation for all subsequent (Doubleton) calculations. The resulting Doubletons are Tripletons with the turned-on node.

This technique allows a simulation study of the impact of specific failures on the system. For example, the loss of onsite power could be investigated by creating a master node for onsite power and making it adjacent to all onsite power sources. This master node would then be turned on for a Tripleton run.
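The following Python is added here and is not the report's code; it puts the Figure A-25 failure sets, the combined failure probability equation of the preceding section and the Tripleton run of A.4.3 into one runnable illustration: a fixed-point reachability over an AND/OR failure model enumerates the minimal Singletons and Doubletons, a `turned_on` initial condition gives the Tripleton run, and `combined_failure_prob` is the equation $P = 1 - \prod (1 - P_i)$. The model topology (Electrical 1 and 2 feed Pump 1 and 2 respectively, the Cooling Pump serves both, Safety Injection fails only when both pumps fail) is an assumption drawn from the listed failure sets.

```python
from itertools import combinations

# Constructed failure model of Figure A-25 (an assumption drawn from the listed
# failure sets, not the report's data). node -> (gate, inputs): an "or" node
# fails when any input fails, an "and" node only when all inputs fail. Basic
# events are the components' internal failures, named after the component.
MODEL = {
    "Pump 1": ("or", ["Electrical 1", "Cooling Pump"]),
    "Pump 2": ("or", ["Electrical 2", "Cooling Pump"]),
    "Safety Injection": ("and", ["Pump 1", "Pump 2"]),
}
BASIC = ["Cooling Pump", "Electrical 1", "Electrical 2", "Pump 1", "Pump 2"]

def reach(model, initial):
    """Single-dependency reachability: propagate failures to a fixed point."""
    failed = set(initial)
    while True:
        new = set()
        for node, (gate, inputs) in model.items():
            hit = [i in failed for i in inputs]
            fires = any(hit) if gate == "or" else (len(hit) > 0 and all(hit))
            if node not in failed and fires:
                new.add(node)
        if not new:
            return failed
        failed |= new

def failure_sets(model, basic, terminal, turned_on=(), max_order=2):
    """Minimal sets of basic failures that reach `terminal`: the Singletons
    and Doubletons. Nodes in `turned_on` are set TRUE as an initial condition
    (the A.4.3 run), so each set returned is read together with them: the
    Doubletons of a run with one turned-on node are Tripletons."""
    found = []
    candidates = [b for b in basic if b not in turned_on]
    for order in range(1, max_order + 1):
        for combo in combinations(candidates, order):
            if any(set(s) <= set(combo) for s in found):
                continue  # a smaller failure set is already inside this one
            if terminal in reach(model, set(combo) | set(turned_on)):
                found.append(combo)
    return found

def combined_failure_prob(cause_probs):
    """P = 1 - prod(1 - P_i): a component with n independent failure causes
    fails if any one of them occurs."""
    survive = 1.0
    for p in cause_probs:
        survive *= 1.0 - p
    return 1.0 - survive

if __name__ == "__main__":
    print(failure_sets(MODEL, BASIC, "Safety Injection"))
    print(failure_sets(MODEL, BASIC, "Safety Injection", turned_on=["Electrical 1"]))
    print(combined_failure_prob([0.1, 0.2]))
```

The first call returns exactly the five failure sets listed for Figure A-25, with no pump paired with the Cooling Pump, because that pair is not minimal.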
A.4.4 Conditioned Cycle

A conditioned cycle occurs when a model contains an AND gate whose output cycles back to become one of its inputs. Figure A-31 shows a graphic example of a simplified digraph with a conditioned cycle.

[Figure A-31. Conditioned Cycle Structure (nodes A, B, C, D)]

The networks can contain any kind of adjacency, including other conditioned cycles, and can have inputs and outputs to and from the rest of the model. In general, though, conditioned cycles contain an AND gate whose output is upstream of either or both of its inputs. They are generated primarily by the implementation of the junction model for bidirectional crossties and by limitations in modeling timing sequences. Should an ultimate source (such as the RWST) provide an input to a conditioned cycle AND gate, its failure will not propagate to the output of the gate since the output feeds back to itself through the gate. This problem can be corrected by identifying where the RWST feeds into the conditioned cycle and shorting across the gate.

The conditioned cycle problem consists of two parts:

1) Identification of conditioned cycles that need to be broken, and
2) Adding the appropriate short(s).
Identification of Conditioned Cycles that Need to be Broken

All conditioned cycles can be quickly found for any size problem by first changing all AND gates into OR gates and then processing the resulting model for reachability. For each deconditioned AND gate, the reachability results are scanned to see if the AND gate output reaches either of its inputs. Such a reach indicates the presence of a conditioned cycle. For each such pair of AND gate output/input reach nodes there is a path connecting them. This path can be found using a digraph path finding code. The resultant path is the conditioned cycle.

For all of the conditioned cycles found, only those which block the propagation of source failures need to be broken. Therefore, the only conditioned cycles which need shorts added are those in which the ultimate source reaches "into but not out of" the conditioned cycle. Components downstream of the source are also implicitly taken into account by this procedure. A single dependence reachability calculation on the fully conditioned model can be used to ascertain which of the conditioned cycles found need shorting.
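As an added example (not the report's code) of the two-part procedure above, the following Python finds conditioned cycles by deconditioning every AND gate, decides which ones the ultimate source reaches into but not out of, and applies a short across the gate. The model is a constructed one in the spirit of Figure A-31, and reading "into" as reaching an input of the gate and "out of" as reaching its output is my interpretation.

```python
# Constructed model in the spirit of Figure A-31 (an assumption, not the
# report's data). node -> (gate, inputs): an "or" node fails when any input
# fails, an "and" node only when all inputs fail. The ultimate source RWST
# feeds input A of AND gate C; C's output feeds D and cycles back into its
# other input B, so RWST reaches into the cycle but not out of it.
MODEL = {
    "A": ("or", ["RWST"]),
    "B": ("or", ["C", "X"]),
    "C": ("and", ["A", "B"]),
    "D": ("or", ["C"]),
}

def reach(model, start, decondition=False):
    """Single-dependency reachability from the failed nodes in `start`.
    With decondition=True every AND gate is processed as an OR gate."""
    failed = set(start)
    while True:
        new = set()
        for node, (gate, inputs) in model.items():
            hit = [i in failed for i in inputs]
            if gate == "or" or decondition:
                fires = any(hit)
            else:
                fires = len(hit) > 0 and all(hit)
            if node not in failed and fires:
                new.add(node)
        if not new:
            return failed
        failed |= new

def conditioned_cycles(model):
    """AND gates whose output reaches one of their own inputs in the
    deconditioned model; returns gate -> inputs reached (the cycle ends)."""
    found = {}
    for node, (gate, inputs) in model.items():
        if gate == "and":
            reached = reach(model, [node], decondition=True)
            hits = [i for i in inputs if i in reached]
            if hits:
                found[node] = hits
    return found

def needs_short(model, source, gate):
    """True when, in the fully conditioned model, the source reaches into the
    cycle (some input of the gate) but not out of it (the gate's output)."""
    reached = reach(model, [source])
    return any(i in reached for i in model[gate][1]) and gate not in reached

def add_short(model, gate, via_input):
    """Short across the gate: its output now also fails when the input the
    source feeds (`via_input`) fails, bypassing the AND condition."""
    fixed = dict(model)
    fixed[gate + "_and"] = model[gate]
    fixed[gate] = ("or", [gate + "_and", via_input])
    return fixed
```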
A.4.5 NOT Gates and Non-Coherent Models

DMA allows complement events in the digraph. The Disjunctive Normal Form solution that the DMA codes find can be converted to the set of Prime Implicants that capture Consensus Law contributions using the following theorems. In the statements below, $\Phi'$ denotes the set of prime implicants of $\Phi$, $\bar{X}$ the complement of $X$, and $L(\cdot)$ the set of literals appearing in an expression.

THEOREM 1: Let $\Phi$ be a biform Boolean expression in disjunctive normal form, such that $\Phi = \Psi \vee \varphi$ without loss of generality, where $\varphi$ is monoform, and $L(\Psi) \cap L(\varphi) = \emptyset$ (no literal or its complement in common). Then $\Phi' = \Psi' \vee \varphi$ gives the complete set of prime implicants.

Proof (by contradiction): Assume $\Phi' = \Psi' \vee \varphi$ is not the complete set of prime implicants; then $\Phi' = \Psi' \vee \varphi \vee \Delta$ where $\Delta$ is a prime implicant. Then

$\Phi' = (\Psi \vee \varphi)' = \left(\overline{\bar{\Psi} \wedge \bar{\varphi}}\right)'$ (2.1)

$\Phi' = (\Psi' \vee \varphi) \vee \Delta$ (2.2)

which implies either

$\varphi' = \varphi \vee \Delta$ by Consensus Law (2.3)

or

$\left(\overline{\bar{\Psi} \wedge \bar{\varphi}}\right)' = \Psi' \vee \Delta \vee \varphi$ (2.4)

but equation (2.3) is contrary to the requirement that $\varphi$ is monoform and equation (2.4) is contrary to the requirement that $L(\Psi) \cap L(\varphi) = \emptyset$. Therefore, by contradiction, $\Phi' = \Psi' \vee \varphi$.

The next theorem generalizes Theorem 1.

THEOREM 2: Let $\Phi$ be a biform Boolean expression in disjunctive normal form, such that $\Phi = \Psi \vee \varphi$ (without loss of generality), where $\varphi$ is monoform and $\varphi = \{X \mid X \text{ is any literal such that its complement does not appear in } \Phi\}$. Then $\Phi' = \Psi' \vee \varphi$ gives the complete set of prime implicants after applying only Boolean absorption laws.

Proof (by contradiction): Assume $\Phi' = \Psi' \vee \varphi$ will not yield the complete set of prime implicants after applying only Boolean absorption laws; then there exists a prime implicant $\Delta$ such that

$\Phi' = (\Psi \vee \varphi)' = \left(\overline{\bar{\Psi} \wedge \bar{\varphi}}\right)' = \Psi' \vee \varphi \vee \Delta$ (3.1)

This implies either

$\varphi' = \varphi \vee \Delta$ (3.2)

after Boolean absorption; or

$(\Psi \vee \varphi)' = \Psi' \vee \varphi \vee \Delta$ (3.3)

after Boolean absorption; but equation (3.2) is contrary to the requirement that $\varphi$ is monoform, and equation (3.3) is contrary to the requirement that $\Psi$ does not have the complement of any literal in $\varphi$.
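As an added example that is not from the report, the following Python computes the prime implicants of a DNF by the consensus method with Boolean absorption and checks Theorem 1 on a constructed expression: with $\Psi = ab \vee \bar{a}c$ (biform) and $\varphi = d$ (monoform, sharing no literal with $\Psi$) the prime implicants of $\Psi \vee \varphi$ are those of $\Psi$ plus $\varphi$, whereas $\varphi = \bar{b}$, which violates the disjointness requirement, does not factor this way. The literal encoding (`"~a"` for the complement of `a`) and the expressions are assumptions.

```python
from itertools import combinations

def neg(lit):
    """Complement of a literal: "a" <-> "~a"."""
    return lit[1:] if lit.startswith("~") else "~" + lit

def consensus(t1, t2):
    """Consensus of two product terms (Consensus Law): defined only when
    exactly one literal is opposed; the opposed pair is dropped and the
    remaining literals merged. Returns None when no consensus exists."""
    opposed = [l for l in t1 if neg(l) in t2]
    if len(opposed) != 1:
        return None
    return frozenset((t1 | t2) - {opposed[0], neg(opposed[0])})

def absorb(terms):
    """Boolean absorption: a term that contains another term is redundant."""
    return {t for t in terms if not any(o < t for o in terms)}

def prime_implicants(terms):
    """Quine's consensus method: add consensus terms and absorb until no new
    term appears. `terms` is a DNF given as a set of frozensets of literals."""
    terms = absorb(set(terms))
    while True:
        new = set()
        for a, b in combinations(terms, 2):
            c = consensus(a, b)
            if c is not None and not any(o <= c for o in terms):
                new.add(c)
        if not new:
            return terms
        terms = absorb(terms | new)

def term(*literals):
    return frozenset(literals)

# Constructed expressions for Theorem 1 (assumed, not from the report).
PSI = {term("a", "b"), term("~a", "c")}   # biform: a and ~a both appear
PHI_OK = {term("d")}                      # monoform, no literal shared with PSI
PHI_BAD = {term("~b")}                    # complements a literal of PSI

def theorem1_holds(psi, phi):
    """Does PI(psi OR phi) equal PI(psi) OR phi, as Theorem 1 claims?"""
    return prime_implicants(psi | phi) == prime_implicants(psi) | set(phi)

if __name__ == "__main__":
    print(sorted(map(sorted, prime_implicants(PSI))))
    print(theorem1_holds(PSI, PHI_OK), theorem1_holds(PSI, PHI_BAD))
```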
A.4.6 Methods of Reducing Problem Size

To facilitate solution of the model, two independent techniques were used to reduce its size without loss of dependency information. Their application is in addition to reduction by Boolean condensation as described in Section A.2.4. The automated techniques are called pruning and partitioning. Pruning is the process by which parts of the model which cannot flow to the terminal node are discarded (it eliminates independent subgraphs that are not relevant). Partitioning is used to replace selected pieces of the model with simpler, smaller "equivalent circuits" which behave like the original. Together, the two techniques can reduce global models by up to 50% beyond that due to application of Boolean condensation alone.

Pruning

Consider the simple model in Figure A-32. The model contains 15 nodes. The subgraph relevant to the performance of any given node, however, contains fewer than 15 nodes. For instance, performance of node F is not dependent on node P because no path is possible from P to F. Thus, P could be discarded from the model without affecting the global dependency of F. In general, all nodes not upstream of F could be discarded since they cannot possibly affect F. This would leave the model in Figure A-33, which contains only 11 nodes.

Every node retained in the pruned model in turn retains all information about what it is dependent on. That is because, if a node, e.g., D, is upstream of F then every node upstream of it is also upstream of F and is therefore kept. The original adjacency is pruned by standing on the designated terminal node and then "walking" upstream. After the whole model has been swept in this fashion, the list of nodes encountered on the walk is then used to modify the original model. Any line of adjacency input which contains a node which was not encountered on the walk is discarded since it cannot be a conduit to the terminal node. The resultant adjacency input is pruned and can be processed like a normal adjacency file.
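As an added example (not the report's code), the pruning walk in Python on a constructed 15-node adjacency input in the spirit of Figure A-32: walking upstream from terminal node F keeps 11 nodes, and every adjacency line naming a node not met on the walk is discarded. The `node <- inputs` line format and the node names are assumptions, not the report's adjacency file.

```python
from collections import deque

# Constructed 15-node adjacency input in the spirit of Figure A-32 (node names
# and the "node <- inputs" line format are assumptions, not the report's file
# format). L, M, N and P lie downstream of F, so no path leads from them to F.
ADJACENCY_INPUT = """\
B <- A
C <- A
D <- B C
E <- C G
F <- D E
G <- H
H <- I J
I <- K
L <- F
M <- L
N <- M
P <- N
"""

def parse_adjacency(text):
    """node -> list of the nodes adjacent into it (its inputs)."""
    adj = {}
    for line in text.splitlines():
        if line.strip():
            node, _, inputs = line.partition("<-")
            adj[node.strip()] = inputs.split()
    return adj

def walk_upstream(adj, terminal):
    """Stand on the terminal node and walk upstream; every node met can be a
    conduit to the terminal and is kept."""
    seen, queue = {terminal}, deque([terminal])
    while queue:
        for upstream in adj.get(queue.popleft(), []):
            if upstream not in seen:
                seen.add(upstream)
                queue.append(upstream)
    return seen

def prune(text, terminal):
    """Discard every adjacency line that mentions a node not met on the walk;
    the result can be processed like a normal adjacency file."""
    keep = walk_upstream(parse_adjacency(text), terminal)
    kept = [line for line in text.splitlines() if line.strip()
            and all(tok in keep for tok in line.replace("<-", " ").split())]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print(sorted(walk_upstream(parse_adjacency(ADJACENCY_INPUT), "F")))
    print(prune(ADJACENCY_INPUT, "F"))
```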
[Figure A-32. The 15-node example model]

[Figure A-33. The pruned model, containing only the 11 nodes upstream of F]
REFERENCES FOR APPENDIX A

A-1. J. L. Peterson, "Petri Nets," Computing Surveys, Volume 9, Number 3, September 1977.
A-2. S. Warshall, "A Theorem on Boolean Matrices," Journal of the Association for Computing Machinery, Volume 9, 11-12, 1962.
A-3. H. S. Warren, "A Modification of Warshall's Algorithm for the Transitive Closure of Binary Relations," Comm. ACM, Volume 18, 218-220, 1975.
A-4. I. J. Sacks, "Techniques for the Determination of Potential Adversary Sources with Tampering (Level 4.1)," Lawrence Livermore National Laboratory, October 1978.
A-5. M. F. Chamow, "Directed Graph Technique for the Analysis of Fault Trees," IEEE Transactions on Reliability, R-27, No. 1, April 1978.
A-6. P. A. Renard, "Clamor," Lawrence Livermore National Laboratory, MC-79-96, January 1979.
A-7. C. J. Patenaude, D. W. Freeman, "Tampering Analysis in the Structured Assessment Approach - A Description of the Level 4 Capability," Lawrence Livermore National Laboratory, November 1980.
A-8. M. N. S. Swamy, K. Thulasiraman, "Graphs, Networks, and Algorithms," John Wiley & Sons, 1981.
A-9. I. J. Sacks, "Digraph Matrix Analysis," IEEE Transactions on Reliability (to appear).
A-10. H. P. Alesso, I. J. Sacks and C. F. Smith, "Initial Guidance on Digraph-Matrix Analysis for Systems Interaction Studies," NUREG/CR-2915, 1983.
A-11. G. C. Corynen, "Evaluating the Response of Complex Systems to Environmental Threats: The ΣΠ Method," UCRL-53399, Lawrence Livermore National Laboratory, May 1985.
}}