Uncertainties and quantification of common cause failure rates and probabilities for system analysis
Article code | Publication year | Number of pages of the English article |
---|---|---|
27966 | 2005 | 10 pages PDF |
Publisher : Elsevier - Science Direct
Journal : Reliability Engineering & System Safety, Volume 90, Issues 2–3, November–December 2005, Pages 186–195
English abstract
Simultaneous failures of multiple components due to common causes at random times are modelled by constant multiple-failure rates. A procedure is described for quantification of common cause failure (CCF) basic event probabilities for system models using plant-specific and multiple-plant failure-event data. Methodology is presented for estimating CCF-rates from event data contaminated with assessment uncertainties. Generalised impact vectors determine the moments for the rates of individual systems or plants. These moments determine the effective numbers of events and observation times to be input to a Bayesian formalism to obtain plant-specific posterior CCF-rates. The rates are used to determine plant-specific common cause event probabilities for the basic events of explicit fault tree models depending on test intervals, test schedules and repair policies. Three methods are presented to determine these probabilities such that the correct time-average system unavailability can be obtained with single fault tree quantification. Recommended numerical values are given and examples illustrate different aspects of the methodology.
English introduction
Common cause events are defined as events that cause simultaneous failed states of multiple components due to a common cause. Such failures often dominate the unavailability of a standby safety system designed to react to a threatening incident. Failures occur at random times. General multiple-failure rates λi, λij, λijk…, etc. are defined so that λij… dt is the probability of an event failing specific components i,j,… in a small time interval dt. Such shocks have been used in early models with various assumptions [1], [2], [3], [4] and [5]. In standby safety systems these failures remain latent until discovered by a scheduled test and then repaired. Safety components are usually tested periodically. Because single failures as well as CCF can occur at any time, the system unavailability can be a complicated function of time, depending on the event rates, test intervals, test scheduling and repair policies. When a system fault tree is made and the system unavailability is computed step by step as a time-dependent function, typical time-dependent probabilities of CCF-events Zij… are $P[Z_{ij\ldots}(t)] = u_{ij\ldots}(t) = \lambda_{ij\ldots}(t - T_t)$ = probability of failed states of components i,j,… at time t due to a common cause failing exactly these components simultaneously with rate λij…, when the last possible discovery and repair of such failure occurred at Tt. The time factors are assumed such that these probabilities are clearly smaller than unity. In fault tree models such basic events are input through OR-gates to components i,j,k,…, as illustrated in Fig. 1 and Fig. 2. Fig. 3 illustrates the time-dependent unavailabilities of a simple standby system with two trains and staggered (alternating) testing. In this example every test reveals and repairs also double failures, not only the single unit scheduled for testing. This is why u12(t) starts from zero after every test.
An alternative is that a double failure would reduce to a single failure at the first test after a CCF occurs. Modern computer codes for fault tree quantification should allow such models and input data for realistic calculation or monitoring the system unavailability or plant risk.
The first topic of this paper deals with estimation of the rates λijk… under uncertainties associated with incomplete records or ambiguities of event observations and interpretations. Moments of the rates are obtained with a method that extends earlier results [6], [7], [8] and [9] to more complex observations [14]. A special impact vector weighting procedure is suggested to account for multiple events in a single observation. The second task is to point out how the moments of CCF-rates so obtained for many individual plants can be combined in the empirical Bayesian estimation (EBE) framework to obtain improved posterior estimates for a target plant or for all plants. This methodology is based on equivalent observations, first introduced in 2001 [10] and later to a wider audience with additional applications [11]. Several variants of one-stage or two-stage EBE could be used in this context. The third problem to be addressed here is: How to define the input probabilities for a fault tree model so that correct time-average risk (or system unavailability) can be obtained with a single fault tree computation, avoiding time-dependent step-by-step calculations? This topic has been addressed in three different ways for standby systems with n redundant trains, n=1, 2, 3 and 4, considering (1) analytical expressions of the system unavailabilities [12], (2) expected residence times of each CCF [13], and (3) mathematically exact transformation equations [17]. The last two methods have produced probabilities also for non-identical components and non-symmetric rates (e.g. λ12≠λ13).
In the latest method [17] the probabilities depend on the number of redundant components n (common cause component group size) but not on the system success criterion, and the probabilities include both linear and nonlinear terms of the test interval T. The alternatives are compared, advantages and disadvantages of the results are discussed, and practical numerical recommendations are provided. Three testing and repair policies are considered: consecutive testing, staggered testing with extra tests, and staggered testing without extra tests. These developments are synthesised into a procedure that leads from raw event data collection to plant-specific input parameters for system reliability and risk assessment.
1.1. Notation and acronyms
Symbol | Meaning |
---|---|
CCCG | common cause component group; n components subject to common cause events |
CCF | common cause failure(s) |
ETRR | Extra Testing and Repair Rule: whenever a component is found failed in a test, the other n−1 trains are also tested or inspected, and any failed components are repaired |
ITRP | Individual Testing and Repair Policy: components are tested and repaired individually with regular intervals T; no other component is tested immediately even if one is found to be failed |
λk/n | rate of CCF events failing specific k trains or channels (and no others) in a system with n redundant trains or channels; λk/n dt is the probability of a CCF event in a small time interval dt; k=1,2,…,n, n=2,3,4 |
λij… | rate of CCF events failing exactly components i,j,… (and no others) |
uij…(t) | time-dependent unavailability of exactly components i,j,… due to a common cause |
zij… | time-average unavailability of exactly components i,j,… due to a common cause |
k/n-event | an event able to fail exactly k trains in a system with n trains |
Λk/n | rate of CCF events failing exactly k (any k) trains per event in a group of n trains, equation (1): $\Lambda_{k/n} = \binom{n}{k}\lambda_{k/n}$ |
Nk/n | number of k/n-events in exposure time Tn |
T | test interval; duration of each test and repair is assumed ≪ T, and λij…T ≪ 1 for all rates |
Tn | observation time for a group of n trains |
ν | index for plants or systems included in a study, ν=1,2,3,…,M |
M | number of plants or systems included in a study |
m/n | system success criterion m-out-of-n:G (m-out-of-n need to work for the system to work) |
E(Y) | expected value of random variable Y |
σ(Y) | standard deviation of random variable Y |
symmetry | CCF-rates of the same multiplicity are equal: λi=λ1/n, λij=λ2/n, λijk=λ3/n for all i,j,…, etc. |
Y∼χ²(K) | Y obeys chi-squared (χ²-) distribution with K degrees of freedom |
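Why the time-averaged basic-event probabilities need care, as an added example that is not taken from the paper: it steps u(t) = λ(t − Tt) through one staggered test cycle for two trains and compares the true time-average with the value obtained by multiplying averaged single-failure probabilities. The 1-out-of-2 success criterion, the rare-event approximation, the function names and the numeric rates are assumptions made for the illustration.

```python
# Added illustration, not code from the paper. Rates, test interval and the
# 1-out-of-2 success criterion are constructed assumptions.

def u_single(t, lam, T, last_test_offset):
    """u_i(t) = lam * (t - T_t): train i is tested at offset, offset + T, ..."""
    return lam * ((t - last_test_offset) % T)

def u_double(t, lam12, T):
    """u_12(t) restarts from zero at every test, i.e. every T/2 when staggered."""
    return lam12 * (t % (T / 2))

def u_system(t, lam1, lam2, lam12, T):
    """Rare-event approximation for Z12 OR (Z1 AND Z2) in a 1-out-of-2 system."""
    u1 = u_single(t, lam1, T, 0.0)        # train 1 tested at 0, T, 2T, ...
    u2 = u_single(t, lam2, T, T / 2)      # train 2 tested at T/2, 3T/2, ...
    return u1 * u2 + u_double(t, lam12, T)

def time_average(f, T, steps=20000):
    """Midpoint-rule average of f over one full test cycle [0, T)."""
    h = T / steps
    return sum(f((i + 0.5) * h) for i in range(steps)) * h / T

def compare(lam1, lam2, lam12, T):
    """Return (step-by-step average, closed form, naive product of averages)."""
    stepwise = time_average(lambda t: u_system(t, lam1, lam2, lam12, T), T)
    # Integrating the piecewise-linear u1(t)*u2(t) over one cycle gives 5/24.
    closed = 5.0 / 24.0 * lam1 * lam2 * T**2 + lam12 * T / 4.0
    # Naive input: each single failure entered at its own average lam*T/2.
    naive = (lam1 * T / 2) * (lam2 * T / 2) + lam12 * T / 4.0
    return stepwise, closed, naive

if __name__ == "__main__":
    # Constructed inputs: rates per hour, T = 720 h, so lam * T << 1.
    stepwise, closed, naive = compare(1e-5, 1e-5, 1e-7, 720.0)
    print(f"step-by-step {stepwise:.4e}  closed form {closed:.4e}  naive {naive:.4e}")
```

With these constructed inputs the product of averaged single-failure probabilities gives λ1λ2T²/4 for the independent double failure, while the step-by-step average is 5λ1λ2T²/24, so a single quantification with naive inputs overstates that term.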
English conclusion
This methodology and procedure is summarized in Fig. 4. It has been demonstrated using international common cause failure data. Examples of posterior CCF-rates for groups of n=4 pumps and diesel generators at Loviisa 1 power plant are given in Table 2 using two data sources, EPRI and ICDE. In this case only plants with n=4 parallel trains were used as the population to determine the prior distributions [11]. The differences caused by different data sources are mainly due to less operation years and many zero-failure cases in EPRI data.
It is also possible to use data collected from plants (systems) that have different numbers of components in CCCG than the target plant. But then one has to assume some transformation rules for mapping up and down the impact vector weights (or the rates) to be applicable to the plant under study. This was done in [11] using ICDE data. The results are in Table 3. In these cases expanding the population seems to ‘dilute’ the sample so that CCF rates tend to be smaller, with some exceptions. From a limited sample it may be too early to conclude any general tendency. The parametric robust empirical Bayes (PREB, [19]) method used here has been computerised and generates similar tables for the posterior standard deviations and 5th and 95th percentiles, population (prior) mean values and standard deviations, and the same moments under the identity assumption (lumped data). Posterior moments are generated for all plants included in the population, not just for one target plant. In summary, improvements have been made to the procedure for estimating CCF-rates from single-plant and multiple-plant events with assessment uncertainties. The formalism accounts for multiple events in a single observation, and yields ‘virtual’ numbers and observation times to properly combine epistemic assessment uncertainties with aleatory statistical uncertainties.
It yields data in the form that is useable for current computer codes designed to carry out Bayesian estimation. The CCF-rates can be used as such in time-dependent systems analyses. The formalism applies also to new plants that have no operating experience yet. One can use the prior (population) mean values as point estimates, and prior distributions in uncertainty studies. Basic common cause event probabilities have been developed for explicit fault tree models in terms of the rates and test intervals, for three testing schemes and repair policies. These probabilities are such that the correct time-average system unavailability can be obtained with a single fault tree quantification. Three methods have been presented to determine such probabilities, and best numerical values have been recommended for linear models. The exact nonlinear probabilities were found problematic when interpreting importance measures calculated for the basic events. Also, the accuracy can suffer when partial system failures are combined with other components in the system minimal cut sets. When in doubt, one should use explicit time-dependent analysis. This paper is largely a summary of earlier work. However, some new results were developed concerning impact vector weights, mapping up, effects of failure-truncation, and comparisons and numerical recommendations for CCF event probabilities for fault tree models.