

PROSPECTIVE RADIATION SAFETY ASSESSMENT

Safety assessment techniques applied to radiation sources

N. SUGIURA, T. KOSAKO

2. LOGICAL STRUCTURE OF SCENARIO FOR QUANTITATIVE ANALYSIS

Two models are widely used to present logical structures for quantitative analysis: event trees and fault trees. The logical structure describes the interdependence of the components to permit statistical analysis of the behaviour of the system. An essential idea in the analysis of logical structures is the concept of success or failure of systems.

2.1. Event tree analysis

An event tree analysis is an inductive analysis. It starts with an initiating event and moves progressively through the successive responses of the system, describing the corresponding results in terms of success or failure. As one moves through the tree, probabilities are assigned to the successes and failures, which allows the overall probability (or frequency) of each final consequence, and hence of failure of the system, to be assessed. As an event tree is developed for a scenario, the logical flow from initiating event to final consequence may consist of serial or parallel processes or of a combination of the two. Similarly, systems intended to provide protection can be modelled as an aggregate of subsystems arranged in series or in parallel, and these subsystems may themselves be composed of lower-order subsystems. In complex systems there may be a number of initiating events, each of which can be represented by a separate event tree; the combination of these event trees allows an evaluation of the safety of the system as a whole.

IAEA-CN-70/R2.1 141

Event trees are often headed by a left-to-right verbal description of the initiating event and the safety functions which can be requested during the event sequence. The actual tree is drawn beneath this text as a left-to-right line with a bifurcation or fork under each safety function. At each fork, the upward branch represents success of the safety function described in the top line, and the downward branch represents failure. Event trees are thus binary in nature. Figure 1 shows two parts of an event tree drawn in this manner.
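As an added example, not taken from the paper or from reference [1], the following Python walks an event tree of the kind described above: the initiating event "somebody enters the danger area" is followed by the safety functions that head the accelerator event tree (warning sign respected?, emergency stop button pushed?, emergency button works?), with an upward success branch and a downward failure branch at each fork. The initiating frequency (7 entries per year) and every branch probability are assumed values chosen for illustration. The block also shows the series and parallel aggregation of protection subsystems mentioned in the text, and a conservation check a practitioner would run: the outcome frequencies must add back up to the initiating frequency.

```python
"""Event tree walk for an accelerator access scenario (constructed numbers, not from the paper)."""
from typing import Dict, Iterable, Union


class Fork:
    """One bifurcation of the tree: the safety function asked at this point, the probability
    that it succeeds, and the subtree taken on the upward (success) and downward (failure)
    branch. A subtree that is a plain string is a final consequence."""

    def __init__(self, question: str, p_success: float,
                 on_success: "Tree", on_failure: "Tree"):
        if not 0.0 <= p_success <= 1.0:
            raise ValueError(f"{question}: probability out of range")
        self.question = question
        self.p_success = p_success
        self.on_success = on_success
        self.on_failure = on_failure


Tree = Union[str, Fork]


def outcome_frequencies(tree: Tree, initiating_frequency: float) -> Dict[str, float]:
    """Follow every sequence from the initiating event to its consequence, multiplying the
    initiating frequency by the probability of each branch taken; sequences that end in the
    same consequence are summed. Not every safety function is challenged on every path:
    a sequence that has already ended (the person turned back) asks no further questions."""
    totals: Dict[str, float] = {}

    def walk(node: Tree, freq: float) -> None:
        if isinstance(node, str):
            totals[node] = totals.get(node, 0.0) + freq
            return
        walk(node.on_success, freq * node.p_success)
        walk(node.on_failure, freq * (1.0 - node.p_success))

    walk(tree, initiating_frequency)
    return totals


def series_success(ps: Iterable[float]) -> float:
    """Subsystems in series: every one must work for the safety function to succeed."""
    out = 1.0
    for p in ps:
        out *= p
    return out


def parallel_success(ps: Iterable[float]) -> float:
    """Subsystems in parallel (redundancy): the function fails only if all of them fail."""
    all_fail = 1.0
    for p in ps:
        all_fail *= 1.0 - p
    return 1.0 - all_fail


def accelerator_tree() -> Fork:
    """Constructed event tree; all probabilities are assumed for illustration."""
    # The emergency stop circuit is modelled as two redundant interlock channels, each
    # assumed to work with p = 0.9, aggregated into a single branch probability (0.99).
    p_stop_works = parallel_success([0.9, 0.9])
    return Fork("warning sign respected?", 0.9,
                on_success="person turns back, no exposure",
                on_failure=Fork("emergency stop button pushed?", 0.8,
                                on_success=Fork("emergency button works?", p_stop_works,
                                                on_success="beam stopped, no exposure",
                                                on_failure="operator exposed"),
                                on_failure="operator exposed"))


ENTRIES_PER_YEAR = 7.0  # assumed frequency of the initiating event


def accelerator_scenario() -> Dict[str, float]:
    """Frequency per year of each final consequence of the constructed tree."""
    return outcome_frequencies(accelerator_tree(), ENTRIES_PER_YEAR)


def conserves_frequency(tree: Tree, initiating_frequency: float, tol: float = 1e-9) -> bool:
    """Sanity check: outcome frequencies must add back up to the initiating frequency.
    If they do not, a path was dropped or a fork does not split into p and 1 - p."""
    total = sum(outcome_frequencies(tree, initiating_frequency).values())
    return abs(total - initiating_frequency) < tol


if __name__ == "__main__":
    for outcome, f in accelerator_scenario().items():
        print(f"{outcome:32s} {f:8.4f} per year")
```

With the assumed numbers the sequences ending in "operator exposed" contribute 0.7 × 0.2 (button not pushed) plus 0.7 × 0.8 × 0.01 (button pushed but the stop circuit fails), i.e. about 0.146 events per year, and the three outcomes sum back to the 7 entries per year.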

2.2. Fault tree analysis

A fault tree begins with an undesirable event. This undesirable event is called the 'top event' because it is placed at the top of the fault tree; the tree then analyses how the top event could occur. Such top events are often identified through a separate analysis before the actual fault tree analysis, using techniques such as HAZOP (Hazard and Operability Studies), as described in Section 3. The construction of a fault tree can also be aided by other preliminary analyses such as FMEA (Failure Modes and Effects Analysis), also described in Section 3. Fault trees are essentially the reverse of event trees, in that they contain a single result and point through a deductive analysis to whatever preceding events could have produced this result.

An example of a fault tree is shown in Fig. 2. Graphically, a fault tree is headed by a box with a brief verbal description of the top event. The top event box is connected through logic gates to boxes describing intermediate events. The most important gates are the logical 'and' gate (drawn as a half circle; its output event occurs only if all of its input events occur) and the 'or' gate (drawn as a rounded arrowhead; its output event occurs if any one of its input events occurs). In contrast to event trees, fault trees are multinodal, i.e. one logic gate may well be connected to more than two lower events. At the bottom of the tree, boxes or circles contain descriptions of basic events that require no further development. If a tree extends over more than one page (as in Fig. 2), triangles are used to symbolize transfer points.

2.3. Event tree/fault tree and subscenario/subsystem combinations

For the analysis of simple systems, either event tree or fault tree analysis is usually sufficient. In complicated systems such as nuclear power plants, it may be useful to apply both approaches. The probability of failure must be assigned at each branch of the event tree. In complicated systems, this probability cannot be estimated easily. The use of the fault tree method can help in the estimation of these probabilities.

There are two methods of combining event tree and fault tree analysis. In one of them, probabilities estimated by small fault trees are applied to branches of a large event tree. This combination is known as the large event tree/small fault tree (LET/SFT) method. The converse method, involving a small event tree and large fault trees (SET/LFT), is also available. Which method is suitable depends on the characteristics of the sequence analysed.

[Event tree figure: column headings recoverable from the drawing: "Somebody enters danger area" (initiating event), "Warning sign respected?", "Emergency stop button pushed?", "Emergency button works?", "Paths leading to event", "P", "Frequency of event per year and per installation", "Operator exposed".]

FIG. 1. Fault tree analysis of potential exposure in a modern accelerator [1]. (a) Part 1 of 4; (b) part 2 of 4.

[Figure legend: basic probabilities or frequencies; derived data.]

FIG. 2. Event tree analysis of potential exposure in an accelerator [1]. (a) Part 1 of 2; (b) part 2 of 2.

Modelling a scenario of events with logical structures helps assessments of reliability or probability of failure. Defining subscenarios or subsystems and calculating their probabilities of failure allows such results to be introduced as parts of more complex sections of the logical structure. With this procedure, calculations relating to a complex event tree or fault tree can be simplified by replacing an assembly of components of the subsystem with an estimated single probability of failure, as if it were a single component.

3. HAZARD IDENTIFICATION TECHNIQUES FOR