The overall procedure, modelling principles and major analysis steps in the development of a Level 1 PSA model for the aircraft crash hazard are in good agreement with those of Level 1 PSA in general. Given the generally low impact frequency, conservative consequence modelling is mostly sufficient. However, apart from the issues already mentioned in Sec. 3.7.1, some specific analysis tasks may need particular consideration or even further development effort, including especially the following:
- the appropriate definition of failure modes needs to be reviewed with respect to plant response and fragility analysis; in current assessment methodologies the development of fragility curves is not mature enough to take into consideration all the relevant characteristics of an aircraft crash; consequently, no continuous fragility curves are developed, especially not ones that take into account different characteristics of an aircraft crash, e.g. velocity, mass, explosion (see also section 8);
- there is a lack of well-established methodology on the definition of correlation among aircraft crash induced failure modes and on the quantification of correlation coefficients, e.g. induced vibrations; this analysis area also needs further development;
- there are limitations with respect to human reliability analysis applicable to an aircraft crash PSA; this aspect is discussed in more detail in section 9.
As far as external explosions are concerned, the usual PSA limitations apply, such as those induced by the model used (modelling assumptions) and by the completeness of the analysis (dependencies, initiators). In general, it is difficult to predict the number of generated missiles, and this part of the analysis will probably be based on expert judgment. The probability of affecting a sensitive target can be obtained by using geometric probability, i.e. the likelihood of impact on a particular area will be uniformly distributed. The probability of target damage will be based on the extent of damage as evaluated by the use of appropriate empirical formulae.
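The geometric-probability step described above can be carried through as follows. This is an added example, not part of the original report: it assumes independent missiles, a rectangular impact zone and target footprint, an expert-judgment distribution for the missile count, and a conditional damage probability standing in for the result of the empirical formulae; all names and numbers are constructed.

```python
import random

def hit_probability(target_area, zone_area):
    """Geometric probability of one missile landing on the target footprint."""
    if not 0 < target_area <= zone_area:
        raise ValueError("target must lie inside the impact zone")
    return target_area / zone_area

def p_at_least_one(p_single, count_pmf):
    """Average 1-(1-p)^n over the expert-judgment distribution of missile count n."""
    if abs(sum(count_pmf.values()) - 1.0) > 1e-9:
        raise ValueError("missile-count weights must sum to 1")
    return sum(w * (1.0 - (1.0 - p_single) ** n) for n, w in count_pmf.items())

def p_target_damage(p_hit, count_pmf, p_damage_given_hit):
    """A missile damages the target only if it hits AND the hit is damaging."""
    return p_at_least_one(p_hit * p_damage_given_hit, count_pmf)

def simulate_hit(target, zone, count_pmf, trials=100_000, seed=1):
    """Monte Carlo cross-check: sample n, then n uniform impact points."""
    rng = random.Random(seed)
    counts, weights = zip(*count_pmf.items())
    x0, y0, x1, y1 = target
    width, height = zone
    hits = 0
    for _ in range(trials):
        n = rng.choices(counts, weights)[0]
        hits += any(x0 <= rng.uniform(0, width) <= x1 and
                    y0 <= rng.uniform(0, height) <= y1 for _ in range(n))
    return hits / trials

# Constructed inputs (illustrative only, not plant data)
ZONE = (200.0, 100.0)               # impact zone width and height, metres
TARGET = (50.0, 20.0, 90.0, 45.0)   # 40 m x 25 m footprint inside the zone
MISSILE_COUNT = {1: 0.5, 3: 0.3, 10: 0.2}   # expert-judgment weights
P_DAMAGE_GIVEN_HIT = 0.2            # stand-in for the empirical-formula result

def target_area(t):
    return (t[2] - t[0]) * (t[3] - t[1])

if __name__ == "__main__":
    p_hit = hit_probability(target_area(TARGET), ZONE[0] * ZONE[1])
    print("single-missile hit probability:", p_hit)
    print("P(at least one hit):", p_at_least_one(p_hit, MISSILE_COUNT))
    print("P(target damage):", p_target_damage(p_hit, MISSILE_COUNT, P_DAMAGE_GIVEN_HIT))
    print("Monte Carlo check:", simulate_hit(TARGET, ZONE, MISSILE_COUNT))
```

The simulation confirms the closed-form value, which is useful when the target footprint is no longer a simple rectangle and only the sampled version remains tractable.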
Physical processes for some types of fires and explosions need very complex models if high accuracy has to be achieved. These limitations, in practically used models, are accommodated by applying a conservative approach.
The design and operating experience have shown that the explosion hazard has effects close to and often enveloped by those of other hazard sources (such as direct impacts and wind) and therefore the use of simplified approaches, such as the TNT equivalent, is usually justified if applied in conservative, first order screening type evaluations.
The quantitative treatment of uncertainties is in general substituted by conservative estimations. The uncertainties in the external EE PSA results may be addressed as in the PSA standard (ASME/ANS RA-S-2008) and associated guidance documents (RG 1.174, RG 1.200, and NUREG-1855).
In general, modelling the SSCs for man-made hazards and aircraft PSA should take into account the following basic issues:
- Modelling of building resistance and tolerance level of the buildings, missile impact, impact on ventilation system and DGs/intakes, long term effects:
  - estimation of the responses of buildings and components (SSCs), electrical cables, common pathways (propagation of extreme conditions inside the building, loss of ventilation, air-conditioner and electronics),
  - use of equipment qualification regarding extreme temperature, i.e. high, long lasting effects, duration of the fire, vibration, explosion,
  - consequences from a failing SSC on other SSCs,
  - common cause failures.
- Calculation of fragility or failure probability (if applicable), taking into account human safety (high temperature, toxic gases), personal protection devices and personnel behaviour,
- Importance of walk downs and plant specific data,
- Uncertainty analysis.
In order to obtain the necessary level of detail it is reasonable to organize this process (at least for the first three points above) in an iterative way.
In the following subsections detailed modelling aspects are considered for an aircraft and man-made PSA.
8.1 Definition of Failure Modes for SSCs
For each initiating event from an aircraft crash, external fire or explosion, a comprehensive list of SSCs is developed taking into account the relevant impact characteristics of the event under consideration, as well as all the failures that might have an impact on the plant, i.e. the failure of the SSCs may either induce a plant transient or disable a mitigation system. For plants in operation, a plant walk-down is indispensable to verify and refine the list of SSCs derived from analysis so that the impact of structural failures and spatial system interactions is properly considered during the identification of the relevant SSCs. In fact, for the purposes of identifying all relevant SSCs, fragility analysis and PSA modelling are mutually dependent tasks with a two-way information flow between them. Thus, the failure modes that may be due to an aircraft crash/fire/explosion are defined for each SSC identified earlier.
The identification of the relevant SSCs and their failure modes takes into account all the possible effects of an aircraft crash/fire/explosion. The following potential primary (direct) effects of an aircraft crash on a target are considered [5]:
- local structural damage: an aircraft may hit a target, causing excessive local damage (i.e., penetration and spalling, scrubbing, perforation),
- global structural damage: when subjected to the impact from an aircraft, a target may undergo excessive structural deformation or displacement (without collapse) or may structurally collapse or overturn,
- functional failure of SSCs: when a building structure is impacted, attached SSCs in close proximity to the impact location may be subjected to shock and vibration, resulting in their functional failure.
Direct effects of explosions may be structural damage due to pressure waves (as described above) or generated missiles. In case of fire, apart from possible damage to structures, auxiliary equipment (like electrical systems) can be affected. Special attention should be paid to fires associated with detonations. Their consequences can be either local or global.
With respect to secondary (indirect) effects of an aircraft crash, the following impacts are taken into consideration as a minimum:
- secondary missiles: part of an aircraft and detachment of plant SSCs (e.g. missiles from concrete scrubbing or spalling),
- aircraft fuel fire,
- explosion and shockwaves resulting from the crash,
- hazardous effects induced by an accident on a traditional industrial facility located on the site, e.g. toxic gas cloud, heat flux, pressure wave, vibration and missile impact,
- ground vibrations.
For fires and explosions it is important to realise that a fire may cause an explosion and vice versa, hence combined effects should be taken into consideration.
The most important areas with respect to identification of SSCs and the failure modes thereof are local or global structural damage and equipment failures that can cause or contribute to functional failures. It is also of prime importance to take the impact of shock and vibration on SSCs outdoor and indoor into account in the analysis.
The relevant failure modes may be identified by the use of an inductive or a deductive approach, or the combination thereof. If an inductive approach is used, then all the consequences of external events from a certain category of aircraft, fire or explosion, affecting an impact zone are mapped first, and the PSA relevant items are selected afterwards. The deductive approach takes a pre-defined comprehensive list of SSC failure modes as a basis and it tries to determine which might be induced by an aircraft crash initiating event. Typically, the deductive approach is followed with the use of inductive thinking to some extent, i.e.:
- the basis (initial list) is a list of failure events derived from the internal events PSA,
- plant response and fragility analysis, and failure mode identification are performed in combination and in an iterative manner to supplement the list of failure modes with failures that are not included in the original internal events PSA (new initiating events and component failure modes not credited in the internal events PSA because of the low probability of those events due to random internal failures, e.g. simultaneous opening of multiple steam generator safety relief valves in a PWR).