Common cause failure analysis and countermeasures for HVAC systems in nuclear power plants

①,Functional dependency: common cause caused by shared or common functional features, such as shared power supply, shared cooling water system or shared labor Art fluid.

②,Spatial dependence: common cause caused by physical characteristics shared by components in the same space, such as the same radiation or chemical conditions Same environment and same supporting structure, etc.

③ ,Inherent dependency: common cause caused by the same technical characteristics, such as adopting the same operating principle or technology and the same failure mode (such as mechanical overload or overpressure)

④ , Human factor dependence: the common cause related to human error, due to the human factor error in the process of affecting some shared or the same personnel activities And produce, such as human error in design or manufacture, operator error in operation and maintenance process.

Functional dependency: common cause caused by shared or common functional features, such as shared power supply, shared cooling water system or shared labor Art fluid.
5)NUREG/CR-7007 gives the main countermeasures for common fault.
① Diversification: including adopting different operating conditions, different working principles, different design teams, equipment with different sizes, different manufacturers, different components and equipment with different physical principles.

② Entity separation: geometric separation or barrier separation (such as separation from barrier mode and orientation) is adopted.
③ Functional isolation: measures such as effective isolation and electrical isolation between safety system and non-safety system. Combined with the requirements of the above specifications, typical common-cause personnel failures and countermeasures of nuclear power plants are summarized, as shown in Table 1

2.Methodology and process of common cause fault analysis of HVAC system

Fig. 1 Overall process of common cause fault analysis of HVAC system

2.1Identification of Common Cause Risk of System

For different types of common-cause faults in HVAC systems, targeted identification methods should be adopted. For common-cause faults with inherent and human factors depending on class, safety analysis methods are generally used to identify common-cause risks in HVAC system design. For functional dependency, find the risk point of common cause of support system through failure analysis of support system of HVAC system; For spatial dependence, common cause risk points are identified by disaster analysis.

2.1.1 Identification of Common Cause Risk of HVAC System As a part of nuclear power plant support system, HVAC system provides ventilation and cooling for nuclear power plant frontier process systems and other support systems (such as electrical and instrument control cabinets). Failure of HVAC system may lead to common cause failure of safety functions of the power plant, which may lead to serious consequences, especially the failure of defense-in-depth system of nuclear power plant caused by HVAC system. The weakness of HVAC system design can be identified through nuclear power plant safety analysis, such as failure consequence analysis and initial event analysis, and avoided through diversified design of HVAC system. The methods to identify risks are as follows:
1）Through accident analysis of nuclear power plant, according to the principle that the safety system for dealing with high-frequency accidents of nuclear power plant needs to adopt diversified design, with high-frequency events as the main line, analyze whether its support system (HVAC system) is diversified. Table 2 gives an example of small breach accident analysis in nuclear power plant. It should be noted that the indirect consequences of HVAC system failure also need to be analyzed, such as distribution cabinets E1 and E2 or control in the above cases The ambient temperature of cabinets ⅱ 1 and 12 is controlled by the same HVAC system or two HVAC systems with common cause risk, which may indirectly lead to the failure of medium-pressure safety injection and low-pressure safety injection systems due to common cause failure of HVAC systems, so the failure analysis should be comprehensive.

2) Through the initial event analysis of the support system, find the initial event caused by the failure of the HVAC system, if the initial event does not exist. Effective means to alleviate, it is necessary to consider the part of the HVAC system for diversified improvement, to prevent the occurrence of the incident. Through the above two methods, we can find the HVAC system that needs to be designed in various ways, and then further analyze this part of the system and make a reasonable improvement plan.

2.1.2 Identification of Common Cause Risk of HVAC Support System

The supporting systems of HVAC system mainly include cooling water system, electrical system and instrument control system, which may lead to the failure of several HVAC systems, so special attention should be paid to the consequences of failure. Through the analysis of the failure consequences of the support system, the risk of common cause failure of HVAC system caused by the failure of the support system is identified. Combined with the analysis results in Section 2.1.1, the failure mode of the support system that causes the failure of HVAC system with diversified requirements is identified, and then the improvement measures are formulated accordingly. Common fault of control and electrical system of nuclear power plant can be analyzed with reference to NUREG /CR-7007.

2.1.3 identification of common cause risks caused by disasters

Through the analysis of internal and external disasters, this paper studies the spatial dependence of HVAC systems, analyzes the possibility and consequences of simultaneous failure of multiple redundant HVAC systems caused by internal and external disasters, and identifies the common failure risk points of HVAC systems caused by internal and external disasters.

2.2determination of HVAC system improvement scheme

According to the identified common cause risk points of HVAC system, sort out all potential improvement schemes, evaluate the benefits of each improvement scheme in terms of safety and engineering cost item by item, and determine the final scheme in combination with various factors such as feasibility and technical maturity of the scheme. For the common cause risk points of HVAC system itself, various methods are mainly used to improve it. Chapter 3 will elaborate the process and methods in detail; For the common cause risk points of HVAC system support system, the method of supporting system diversification is mainly used to improve it. This part is not the scope of HVAC system design, so we can refer to the achievements in related fields and do not discuss it in this paper; For the common cause risk points caused by disasters, it is mainly improved by optimizing the layout and improving the identification requirements of HVAC equipment.

2.3implementation of HVAC system improvement scheme

After determining the improvement scheme, it is necessary to carry out impact analysis on the improvement scheme, determine the impact scope and implementability of the improvement, determine that the scheme is executable, and implement the improvement scheme. If it is found that the improvement scheme cannot be implemented, it is necessary to re-determine the scheme.

3 Diversified design analysis of HVAC system

3.1 HVAC system diversification strategy formulation There are two main types of strategies for HVAC diversification: design diversification and equipment diversification.
1) design diversification: mainly refers to the different principles of realizing functions, such as designing one set of air conditioning system with active cooling and one set of passive cooling The cooling system, two sets of systems stand by each other, this strategy makes the HVAC system have natural diversification, but this way is difficult to achieve in the current nuclear power project. It should be noted that even if there are big differences in system design, such as using the same type of equipment, it is still necessary to evaluate the degree of diversification of equipment.
2) Equipment diversification: equipment with different manufacturers, different components, different physical principles and different sizes is adopted to realize diversification Chemical design, this strategy does not need to make major changes to the system design, and is relatively easy to implement. It is also common in international nuclear power engineering at present The diversification strategy adopted, this paper will focus on the diversification strategy of equipment.
3.2 Introduction to Equipment Diversification Strategy For HVAC systems with diversified needs, it should be noted that not all equipment in the system needs diversification. If the equipment is reliable enough or its failure will not lead to the loss of system safety function, such equipment may not be diversified. Therefore, it is necessary to accurately identify the equipment components that need to be designed in various ways, and take reasonable and feasible improvement measures to make the benefit-cost ratio of improvement within a reasonable range. See fig. 2 for diversified analysis flow of HVAC equipment, and each step will be introduced in detail later.

3.2.1 Identify the equipment that needs diversification                                                                                                              
 1) possibility.
Ideally, the possibility and probability of failure mode are estimated according to the statistical data of failure mode. According to BS 60812-2018[6], it is very important to consider the boundary conditions (applied environment, machinery and/or stress) of each component that affect the probability of failure. For data statistics of equipment failures, please refer to Equipment Reliability Data Report of China Nuclear Power Plant (2015 Edition) and NUREG/CR-69288, and the failure probability of typical HVAC equipment is shown in Table 3
Generally, equipment that needs diversification can be identified through failure mode, impact and hazard analysis (FMECA). FMECA analyzes all possible failure modes of equipment in the system, determines the influence of each failure mode on the system function, and determines its harmfulness according to the severity of the failure mode and its occurrence probability. FMECA includes failure mode impact analysis (FMEA) and hazard analysis (CA). Engineers can carry out analysis according to BS60812-2018[6], and list every failure of components Hazard analysis is carried out on this mode to find out the key failure modes that need attention. There are two aspects to be considered in evaluating the attention of equipment failure modes:

2)Severity.
Analyze the consequences of this failure mode, that is, the degree of affecting the safety function. If the system safety function is completely lost due to the failure of equipment components, the severity is considered to be high; If the safety function is degraded, the severity is considered as medium; If the safety function is not affected, the severity is considered as low. Through the hazard assessment of each failure mode of HVAC equipment from two aspects of the possibility and severity of failure mode, Table 4 is adopted for screening, and the failure modes with high hazard (underlined in the table) need further diversified improvement analysis.

Table 4 Hazard Assessment Matrix

Combined with relevant engineering experience at home and abroad and FMECA analysis of typical HVAC systems, the equipment with high failure probability and harmfulness in HVAC systems and their main failure modes are shown in Table 5.
Table 5 Failure modes of HVAC equipment

3.2.2 Evaluation of Equipment Diversification Improvement Scheme After finding the HVAC equipment that needs to be considered for diversification improvement, the diversification improvement scheme is determined according to the failure mode with high harmfulness, and the scheme evaluation is carried out to find the scheme that can effectively improve the diversification degree, mainly by means of probabilistic safety analysis and deterministic analysis. 1) probabilistic safety analysis (PSA) PSA is used to determine the importance of components from the overall common cause failure of the system and its influence on core damage or radioactive release. For equipment that needs further analysis, PSA modeling analysis needs to be carried out through the following steps.
①modeling each type of equipment with high harmfulness in different common fault groups.
② Analyze the influence of increasing redundancy to consider whether extra redundancy is needed as a part of coping with common cause faults
③ Sort the equipment failures according to their importance and consider the overall risk level to support the subsequent judgment. After the PSA analysis and modeling is completed, the risk and benefit can be evaluated through Table 6.
Table 6 PSA analysis income classification

Table 7 Diversification score

Table 8 Evaluation of Fan Diversification Scheme

References:
[1]national nuclear safety administration, design safety regulations for nuclear power plants: HAF102-2016[S]. Beijing: national nuclear safety administration, 2016:24[2] International Atomic Energy Agency. Safety of nuclear power plants: design specific safety requirements: IAEA ssr-2/1-212s. Vienna:IAEA2012:26-28