
A RELIABILITY MODEL FOR "SAFETY SYSTEM-PROTECTED OBJECT" COMPLEX WITH MULTIPLE SAFETY SYSTEMS

A. I. Pereguda, D. A. Timashov

Obninsk Institute for Nuclear Power Engineering, Obninsk, Russia e-mail: [email protected]

ABSTRACT

The paper presents a new reliability model for the "safety system-protected object" complex with multiple safety systems. It is supposed that the complex consists of one protected object and multiple independent safety systems with complex structures. Scheduled periodic inspections of the safety systems are also taken into account. Asymptotic estimates of the mean time to accident and of the probability of an accident prior to time t are obtained under some assumptions on the operation process of the complex.

1 INTRODUCTION

Hazardous facilities use a variety of systems concerned with safety, with safety systems being the most important of those. Safety systems are provided to detect potentially dangerous protected object failures or conditions and to implement appropriate safety actions. A protected object may have several types of hazardous deviations of its operation process, each requiring its own safety system. Some reliability models for the elements of safety systems were introduced by Hansen and Aarø (Hansen & Aarø 1997), Corneliussen and Hokstad (Corneliussen & Hokstad 2003), and Rausand and Høyland (Rausand & Høyland 2004). In this paper we propose a different approach to the reliability assessment of the "safety system-protected object" complex based on asymptotic properties of alternating renewal processes.

In the present study we set out to analyze the reliability of the automated "safety system-protected object" complex with multiple safety systems. Systems of this kind are quite common in nuclear power engineering, because the safety systems of a nuclear power plant should employ diversity in the detection of fault sequences and in the initiation of the safety system action to terminate the sequences. We follow Pereguda (Pereguda 2001) in assuming that the operation of the complex can be described using a superposition of alternating renewal processes. Our objective is to provide asymptotic estimates of such reliability indices as the mean time to accident and the probability of an accident prior to time t.

2 MODEL DESCRIPTION

Let us consider an automated complex of a protected object and $N$ safety systems. The safety systems and the protected object are repairable and are restored to an as-good-as-new state. All failures are supposed to be independent. Let the $j$-th safety system consist of $M_j$ subsystems and the $k$-th subsystem of the $j$-th safety system consist of $C_{j,k}$ elements.

By $\chi_{i,j}$, $i=1,2,\ldots$, $j=1,2,\ldots,N$, denote the time to the $i$-th protected object failure detected by the $j$-th safety system. Let $\chi_{i,j}$ be independent random variables and, for each fixed $j$, let $\chi_{i,j}$, $i=1,2,\ldots$, be identically distributed with CDF $F_{\chi_j}(t)$. By $\gamma_{i,j}$, $i=1,2,\ldots$, $j=1,2,\ldots,N$, denote the time to the protected object repair after its $i$-th failure detected by the $j$-th safety system. Let $\gamma_{i,j}$ be independent random variables and, for each fixed $j$, let $\gamma_{i,j}$, $i=1,2,\ldots$, be identically distributed with CDF $F_{\gamma_j}(t)$. Suppose that the moments of the protected object repair are renewal points of the operation process of the complex, and that $F_{\chi_j}(t)$ and $F_{\gamma_j}(t)$ are nonlattice distributions with finite mean.

By $\xi_{i,j,k,l}$, $i=1,2,\ldots$, $j=1,\ldots,N$, $k=1,\ldots,M_j$, $l=1,\ldots,C_{j,k}$, denote the time to the $i$-th failure of the $l$-th element of the $k$-th subsystem of the $j$-th safety system. Let $\xi_{i,j,k,l}$ be independent random variables and, for each fixed $j,k,l$, let $\xi_{i,j,k,l}$, $i=1,2,\ldots$, be identically distributed with CDF $F_{\xi_{j,k,l}}(t)$. Suppose that safety system elements are repaired only after the corresponding safety subsystem failure is detected. By $\eta_{i,j,k}$, $i=1,2,\ldots$, $j=1,\ldots,N$, $k=1,\ldots,M_j$, denote the time to repair of the $k$-th subsystem of the $j$-th safety system after its $i$-th failure. Let $\eta_{i,j,k}$ be independent random variables and, for each fixed $j,k$, let $\eta_{i,j,k}$, $i=1,2,\ldots$, be identically distributed with CDF $F_{\eta_{j,k}}(t)$. Suppose that the moments of the safety subsystem repair are renewal points of the operation process of the safety subsystem, and that $F_{\xi_{j,k,l}}(t)$ and $F_{\eta_{j,k}}(t)$ are nonlattice distributions with finite mean.

A failure of a safety subsystem may be detected immediately or only during scheduled periodic inspections of the safety subsystem. By $\tau_{j,k}$ denote the period of scheduled inspections of the $k$-th subsystem of the $j$-th safety system (the operating time between two consecutive inspections) and by $\theta_{j,k}$ the duration of these inspections. The safety subsystem may be active or inactive during an inspection. Suppose that each safety system is a coherent system (Rausand & Høyland 2004) and that each safety subsystem is a coherent system. Let $\varphi_{j,k}(x_{j,k,1},x_{j,k,2},\ldots,x_{j,k,C_{j,k}})$ denote the structure function of the $k$-th subsystem of the $j$-th safety system and let $\psi_j(x_{j,1},x_{j,2},\ldots,x_{j,M_j})$ denote the structure function of the $j$-th safety system.

Let $\nu$ be the random number of renewal intervals of the operation process of the complex up to and including the one in which the accident occurs. By $\omega$ denote the time to accident. An accident takes place when the safety systems are unable to detect the protected object failure. Our aim is to estimate the mean time to accident $E[\omega]$ and the probability $\Pr(\omega<t)$ of an accident prior to time $t$.

2 MAIN RESULTS

2.1 Mean time to failure and reliability function

Since the operation process of the complex is a superposition of alternating renewal processes, it follows that

$$\omega=\sum_{i=1}^{\nu-1}\Big(\min(\chi_{i,1},\chi_{i,2},\ldots,\chi_{i,N})+\gamma_{i,1}J_{\{\chi_{i,1}<\min(\chi_{i,2},\chi_{i,3},\ldots,\chi_{i,N})\}}+\gamma_{i,2}J_{\{\chi_{i,2}<\min(\chi_{i,1},\chi_{i,3},\ldots,\chi_{i,N})\}}+\cdots+\gamma_{i,N}J_{\{\chi_{i,N}<\min(\chi_{i,1},\chi_{i,2},\ldots,\chi_{i,N-1})\}}\Big)+\min(\chi_{\nu,1},\chi_{\nu,2},\ldots,\chi_{\nu,N}),$$

where $J_A$ is the indicator function of the event $A$. By $\alpha_i$ denote the time to the $i$-th failure of the protected object and by $\beta_i$ the duration of its $i$-th repair. We obviously have

$$\alpha_i=\min(\chi_{i,1},\chi_{i,2},\ldots,\chi_{i,N})$$

and

$$\beta_i=\gamma_{i,1}J_{\{\chi_{i,1}<\min(\chi_{i,2},\chi_{i,3},\ldots,\chi_{i,N})\}}+\gamma_{i,2}J_{\{\chi_{i,2}<\min(\chi_{i,1},\chi_{i,3},\ldots,\chi_{i,N})\}}+\cdots+\gamma_{i,N}J_{\{\chi_{i,N}<\min(\chi_{i,1},\chi_{i,2},\ldots,\chi_{i,N-1})\}}.$$

Therefore

$$F_\omega(t)=\Pr(\omega<t)=\Pr\Big(\sum_{i=1}^{\nu-1}(\alpha_i+\beta_i)+\alpha_\nu<t\Big)$$

and

$$\Pr(\nu=n)=q(1-q)^{n-1},\qquad n\in\{1,2,\ldots\},$$

where $q$ is the probability of an accident during a renewal interval. Applying the Laplace-Stieltjes transform to $F_\omega(t)$, we obtain

$$\tilde F_\omega(s)=E\big[e^{-s\omega}\big]=\sum_{n=1}^{\infty}E\big[e^{-s\omega}\mid\nu=n\big]\Pr(\nu=n),$$

where $\tilde F_\omega(s)=\int_0^\infty e^{-st}\,dF_\omega(t)=E[e^{-s\omega}]$. We see that

$$E\big[e^{-s\omega}\mid\nu=n\big]=E\Big[\exp\Big(-s\Big(\sum_{i=1}^{n-1}(\alpha_i+\beta_i)+\alpha_n\Big)\Big)\Big]=\tilde F_\alpha(s)\big(\tilde F_\alpha(s)\tilde F_\beta(s)\big)^{n-1}.$$

Note that

$$F_\alpha(t)=1-\prod_{j=1}^{N}\big(1-F_{\chi_j}(t)\big)$$

and

$$F_\beta(t)=\sum_{j=1}^{N}F_{\gamma_j}(t)\int_0^\infty\prod_{\substack{r=1\\ r\ne j}}^{N}\big(1-F_{\chi_r}(x)\big)\,dF_{\chi_j}(x).$$

Finally,

$$\tilde F_\omega(s)=\sum_{n=1}^{\infty}\tilde F_\alpha(s)\big(\tilde F_\alpha(s)\tilde F_\beta(s)\big)^{n-1}q(1-q)^{n-1}=\frac{q\tilde F_\alpha(s)}{1-(1-q)\tilde F_\alpha(s)\tilde F_\beta(s)}.$$

Since $E[\omega]=-\dfrac{d\tilde F_\omega(s)}{ds}\Big|_{s=0}$, it follows that

$$E[\omega]=E[\alpha]+\frac{1-q}{q}\big(E[\alpha]+E[\beta]\big),$$

where

$$E[\alpha]=\int_0^\infty\prod_{j=1}^{N}\big(1-F_{\chi_j}(t)\big)\,dt$$

and

$$E[\beta]=\sum_{j=1}^{N}\int_0^\infty\big(1-F_{\gamma_j}(t)\big)\,dt\int_0^\infty\prod_{\substack{r=1\\ r\ne j}}^{N}\big(1-F_{\chi_r}(t)\big)\,dF_{\chi_j}(t).$$

Applying a limit theorem for recurrent point processes with a fixed interarrival time distribution (Kovalenko, Kuznetsov & Pegg 1997) we obtain

$$\Pr\Big(\frac{q\,\omega}{E[\alpha]+E[\beta]}>t\Big)\xrightarrow[q\to0]{}e^{-t}.$$

Therefore

$$\Pr(\omega<t)\approx1-\exp\Big(-\frac{q\,t}{E[\alpha]+E[\beta]}\Big),\qquad q\to0.$$

Note that $q$ is small for highly reliable safety systems, which is the case for most hazardous facilities, so the limit $q\to0$ is the relevant regime; the exponential approximation should not be relied on when $q$ is not small.
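As an added example (not code from the paper), the estimates of this subsection are coded below and checked against a Monte Carlo simulation of the renewal process. The inputs are constructed: three safety systems with exponential $\chi$ and $\gamma$ laws and per-system unavailabilities $q_j$ (the decomposition $q=\sum_j q_j\Pr(\chi_{i,j}<\min_{r\ne j}\chi_{i,r})$ of Section 2.2 is assumed). The simulation decides at each protected-object failure, with probability $q_j$, whether the responsible safety system is down; it therefore checks the geometric-sum algebra and the exponential limit, not the replacement of $\Pr(t\in Q_j^-)$ by a limiting unavailability.

```python
import math
import random

# Added example, not code from the paper: the mean time to accident and the
# asymptotic accident probability of Section 2.1, checked against a Monte Carlo
# simulation of the renewal process. All inputs are constructed:
#   LAM_CHI[j]  rate of protected-object failures that safety system j must detect
#   LAM_GAM[j]  repair rate of the protected object after such a failure
#   Q_SYS[j]    q_j, probability that safety system j is unavailable when called
LAM_CHI = [1.0e-2, 2.0e-2, 0.5e-2]
LAM_GAM = [1.0, 0.5, 2.0]
Q_SYS = [0.04, 0.02, 0.08]


def mean_alpha(lam_chi):
    # E[alpha] = int_0^inf prod_j (1 - F_chi_j(t)) dt; the minimum of independent
    # exponentials is exponential with the summed rate.
    return 1.0 / sum(lam_chi)


def first_failure_probs(lam_chi):
    # Pr(chi_j < min_{r != j} chi_r) = int_0^inf prod_{r != j}(1 - F_chi_r) dF_chi_j,
    # which for exponentials is lam_j / sum_r lam_r.
    total = sum(lam_chi)
    return [lc / total for lc in lam_chi]


def mean_beta(lam_chi, lam_gam):
    # E[beta] = sum_j E[gamma_j] Pr(chi_j is the first failure)
    return sum(p / lg for p, lg in zip(first_failure_probs(lam_chi), lam_gam))


def accident_prob_per_interval(lam_chi, q_sys):
    # q = sum_j q_j Pr(chi_j is the first failure)   (Section 2.2 decomposition)
    return sum(qj * p for qj, p in zip(q_sys, first_failure_probs(lam_chi)))


def mean_time_to_accident(lam_chi, lam_gam, q_sys):
    # E[omega] = E[alpha] + (1 - q)/q (E[alpha] + E[beta])
    q = accident_prob_per_interval(lam_chi, q_sys)
    ea, eb = mean_alpha(lam_chi), mean_beta(lam_chi, lam_gam)
    return ea + (1.0 - q) / q * (ea + eb)


def accident_cdf(t, lam_chi, lam_gam, q_sys):
    # Asymptotic estimate Pr(omega < t) ~ 1 - exp(-q t / (E[alpha] + E[beta])), q -> 0
    q = accident_prob_per_interval(lam_chi, q_sys)
    return 1.0 - math.exp(-q * t / (mean_alpha(lam_chi) + mean_beta(lam_chi, lam_gam)))


def simulate_accident_time(lam_chi, lam_gam, q_sys, rng):
    # One sample path of omega: renewal intervals (failure phase alpha_i, repair
    # phase beta_i) repeat until a failure arrives while the safety system that
    # has to detect it is unavailable, which happens with probability q_j.
    t = 0.0
    while True:
        times = [rng.expovariate(lc) for lc in lam_chi]
        j = min(range(len(times)), key=lambda idx: times[idx])
        t += times[j]                       # alpha_i = min_j chi_{i,j}
        if rng.random() < q_sys[j]:
            return t                        # undetected failure: accident
        t += rng.expovariate(lam_gam[j])    # beta_i = gamma_{i,j}, then a renewal point


def monte_carlo(lam_chi, lam_gam, q_sys, n_paths=10000, seed=1):
    # Returns (sample mean of omega, empirical Pr(omega < t*)) with t* = analytic E[omega].
    rng = random.Random(seed)
    samples = [simulate_accident_time(lam_chi, lam_gam, q_sys, rng) for _ in range(n_paths)]
    t_star = mean_time_to_accident(lam_chi, lam_gam, q_sys)
    return sum(samples) / n_paths, sum(1 for s in samples if s < t_star) / n_paths


if __name__ == "__main__":
    eo = mean_time_to_accident(LAM_CHI, LAM_GAM, Q_SYS)
    mc_mean, mc_frac = monte_carlo(LAM_CHI, LAM_GAM, Q_SYS)
    print("q per interval        :", accident_prob_per_interval(LAM_CHI, Q_SYS))
    print("E[omega] analytic / MC:", eo, mc_mean)
    print("Pr(omega < E[omega]) asymptotic / MC:",
          accident_cdf(eo, LAM_CHI, LAM_GAM, Q_SYS), mc_frac)
```

With these inputs $q\approx0.034$, so an accident needs on average about 29 renewal intervals; the simulated mean agrees with $E[\omega]$ to within sampling error and the empirical $\Pr(\omega<E[\omega])$ is close to the $1-e^{-1}$ of the exponential limit. Increasing any $q_j$ towards 1 moves the empirical distribution away from the exponential form, which is the regime the $q\to0$ estimate does not cover.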

2.2 Probability of accident during a renewal interval

Applying the law of total probability we obtain

$$q=\sum_{j=1}^{N}q_j\Pr\big(\chi_{i,j}<\min(\chi_{i,1},\ldots,\chi_{i,j-1},\chi_{i,j+1},\ldots,\chi_{i,N})\big)=\sum_{j=1}^{N}q_j\int_0^\infty\prod_{\substack{r=1\\ r\ne j}}^{N}\big(1-F_{\chi_r}(t)\big)\,dF_{\chi_j}(t),$$

where $q_j$ is the probability of an accident during a renewal interval due to the $j$-th safety system failure, given that the protected object failure is one that the $j$-th safety system must detect. The accident takes place during the $i$-th renewal interval due to the $j$-th safety system failure if and only if $\chi_{i,j}\in Q_j^-$, where $Q_j^-$ is the set of intervals where the $j$-th safety system is inactive. Therefore

$$q_j=\int_0^\infty\Pr(t\in Q_j^-)\,dF_{\chi_j}(t).$$

It is difficult, if at all possible, to obtain an explicit relation for $\Pr(t\in Q_j^-)$. Here we use the following approximate relation, which replaces the transient unavailability by its stationary value:

$$q_j\approx\int_0^\infty\bar P_j^-\,dF_{\chi_j}(t)=\bar P_j^-,$$

where

$$\bar P_j^-=\lim_{t\to\infty}\Pr(t\in Q_j^-).$$

It is known (Rausand & Høyland 2004) that the $j$-th safety system availability at time $t$ is

$$P_j(t)=E\big[\psi_j(x_{j,1}(t),x_{j,2}(t),\ldots,x_{j,M_j}(t))\big]=h_j\big(P_{j,1}(t),P_{j,2}(t),\ldots,P_{j,M_j}(t)\big),$$

where $P_{j,k}(t)$ is the availability of the $k$-th subsystem of the $j$-th safety system. It can be easily shown that

$$\Pr(t\in Q_j^-)=1-h_j\big(\Pr(t\in Q_{j,1}^+),\Pr(t\in Q_{j,2}^+),\ldots,\Pr(t\in Q_{j,M_j}^+)\big),$$

where $Q_{j,k}^+$ is the set of intervals where the $k$-th subsystem of the $j$-th safety system is active. Therefore

$$q_j\approx1-h_j\big(\bar P_{j,1},\bar P_{j,2},\ldots,\bar P_{j,M_j}\big),$$

where

$$\bar P_{j,k}=\lim_{t\to\infty}\Pr(t\in Q_{j,k}^+).$$

Applying the law of total probability we obtain

$$P_{j,k}(t)=\Pr(t\in Q_{j,k}^+)=\int_0^\infty\!\!\int_0^\infty\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x),$$

where $\xi_{i,j,k}$ is the time to the $i$-th failure of the $k$-th subsystem of the $j$-th safety system. Obviously, $\xi_{i,j,k}$, $i=1,2,\ldots$, are identically distributed random variables with CDF $F_{\xi_{j,k}}(t)$ for each fixed $j,k$. Since the elements of a subsystem are not repaired until the subsystem itself fails, the element states within a renewal interval of the subsystem stay independent, and it can be easily shown that

$$F_{\xi_{j,k}}(t)=1-h_{j,k}\big(1-F_{\xi_{j,k,1}}(t),1-F_{\xi_{j,k,2}}(t),\ldots,1-F_{\xi_{j,k,C_{j,k}}}(t)\big),$$

where

$$h_{j,k}\big(p_{j,k,1}(t),p_{j,k,2}(t),\ldots,p_{j,k,C_{j,k}}(t)\big)=E\big[\varphi_{j,k}(x_{j,k,1}(t),x_{j,k,2}(t),\ldots,x_{j,k,C_{j,k}}(t))\big].$$

2.3 Safety system without inspections

By definition $P_{j,k}(t)$ is the availability of the $k$-th subsystem of the $j$-th safety system. We obviously have

$$P_{j,k}(t)=\iint_{x+y<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)+\iint_{x+y\ge t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=I_1+I_2.$$

It can be easily shown that

$$I_2=\iint_{x+y\ge t}J_{\{t\in[0,x)\}}\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=1-F_{\xi_{j,k}}(t).$$

Since the operation process of the safety subsystem is an alternating renewal process, it follows that

$$I_1=\iint_{x+y<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\iint_{x+y<t}P_{j,k}(t-x-y)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\int_0^t P_{j,k}(t-z)\,dF_{\xi_{j,k}+\eta_{j,k}}(z),$$

where

$$F_{\xi_{j,k}+\eta_{j,k}}(z)=\int_0^z F_{\xi_{j,k}}(z-y)\,dF_{\eta_{j,k}}(y).$$

Finally,

$$P_{j,k}(t)=1-F_{\xi_{j,k}}(t)+\int_0^t P_{j,k}(t-z)\,dF_{\xi_{j,k}+\eta_{j,k}}(z).$$

This equation is well known as the fundamental renewal equation (Rausand & Høyland 2004). Since $F_{\xi_{j,k}}$ and $F_{\eta_{j,k}}$ are nonlattice with finite means, the key renewal theorem gives the limiting availability

$$\bar P_{j,k}=\lim_{t\to\infty}P_{j,k}(t)=\frac{E[\xi_{j,k}]}{E[\xi_{j,k}]+E[\eta_{j,k}]},$$

where

$$E[\xi_{j,k}]=\int_0^\infty\big(1-F_{\xi_{j,k}}(t)\big)\,dt$$

and

$$E[\eta_{j,k}]=\int_0^\infty\big(1-F_{\eta_{j,k}}(t)\big)\,dt.$$

Again, this is the well known equation for the limiting availability (Rausand & Høyland 2004).
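As an added example (not code from the paper), the chain of Sections 2.2 and 2.3 for one subsystem: check that a structure function $\varphi_{j,k}$ is coherent, compute $h_{j,k}(p)=E[\varphi_{j,k}(X)]$ by enumerating element states, obtain the subsystem survival $1-F_{\xi_{j,k}}(t)=h_{j,k}(1-F_{\xi_{j,k,1}}(t),\ldots)$, integrate it for $E[\xi_{j,k}]$ and form the limiting availability $E[\xi_{j,k}]/(E[\xi_{j,k}]+E[\eta_{j,k}])$. The subsystem (three sensors voted 2-out-of-3 in series with one logic unit), its exponential element rates and the mean repair time are all constructed inputs; the closed-form mean used as a cross-check is specific to that structure.

```python
import itertools
import math

# Added example, not the paper's code: subsystem lifetime law and limiting
# availability from its structure function, as in Sections 2.2-2.3.
# Constructed subsystem: elements 0-2 are sensors voted 2-out-of-3, element 3 is a
# single logic unit in series with the vote. Element lifetimes are exponential with
# the assumed rates below (per hour); the repair time eta has an assumed mean of 24 h.
RATES = (1.0e-3, 1.0e-3, 1.0e-3, 1.0e-4)
MEAN_ETA = 24.0


def phi_2oo3_series(x):
    # Structure function: 1 if the subsystem is up for element state vector x.
    return int((x[0] + x[1] + x[2]) >= 2 and x[3] == 1)


def is_coherent(phi, n):
    # A coherent structure is monotone, has phi(0..0) = 0 and phi(1..1) = 1,
    # and every element is relevant (flipping it changes phi in some state).
    if phi((0,) * n) != 0 or phi((1,) * n) != 1:
        return False
    relevant = [False] * n
    for x in itertools.product((0, 1), repeat=n):
        for l in range(n):
            if x[l] == 0:
                y = x[:l] + (1,) + x[l + 1:]
                if phi(y) < phi(x):
                    return False            # repairing an element made things worse
                if phi(y) != phi(x):
                    relevant[l] = True
    return all(relevant)


def reliability_function(phi, p):
    # h(p) = E[phi(X)] for independent elements with Pr(X_l = 1) = p_l,
    # by exhaustive enumeration of the 2^n element states.
    total = 0.0
    for x in itertools.product((0, 1), repeat=len(p)):
        if phi(x):
            w = 1.0
            for pl, xl in zip(p, x):
                w *= pl if xl else (1.0 - pl)
            total += w
    return total


def subsystem_survival(phi, rates, t):
    # 1 - F_xi(t) = h(1 - F_xi_1(t), ..., 1 - F_xi_C(t)); valid because elements are
    # not repaired until the subsystem fails, so their states remain independent.
    return reliability_function(phi, [math.exp(-r * t) for r in rates])


def mean_subsystem_lifetime(phi, rates, t_max, n_steps):
    # E[xi] = int_0^inf (1 - F_xi(t)) dt by composite Simpson on [0, t_max];
    # n_steps must be even and t_max large enough that the survival is negligible beyond it.
    h = t_max / n_steps
    s = subsystem_survival(phi, rates, 0.0) + subsystem_survival(phi, rates, t_max)
    for i in range(1, n_steps):
        s += (4 if i % 2 else 2) * subsystem_survival(phi, rates, i * h)
    return s * h / 3.0


def limiting_availability(mean_xi, mean_eta):
    # Limit of the fundamental renewal equation: E[xi] / (E[xi] + E[eta]).
    return mean_xi / (mean_xi + mean_eta)


def closed_form_mean(rates):
    # Cross-check for this structure only: survival is (3s^2 - 2s^3) s_4 with
    # s = exp(-l_s t), s_4 = exp(-l_4 t), so E[xi] = 3/(2 l_s + l_4) - 2/(3 l_s + l_4).
    ls, l4 = rates[0], rates[3]
    return 3.0 / (2 * ls + l4) - 2.0 / (3 * ls + l4)


if __name__ == "__main__":
    print("coherent:", is_coherent(phi_2oo3_series, 4))
    m = mean_subsystem_lifetime(phi_2oo3_series, RATES, t_max=20000.0, n_steps=20000)
    print("E[xi] numeric / closed form:", m, closed_form_mean(RATES))
    print("limiting availability      :", limiting_availability(m, MEAN_ETA))
```

Enumeration costs $2^{C_{j,k}}$ evaluations per time point, which is fine for the subsystem sizes of the case study (at most six elements) but not for large element counts; the coherence check is worth running on any hand-written $\varphi_{j,k}$ before trusting the availability it produces.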

2.4 Safety system with inspections, safety system is inactive during inspection

Let us again write the availability of the $k$-th subsystem of the $j$-th safety system as the sum of the following two expressions:

$$P_{j,k}(t)=\iint_{T_{j,k}(x,y)<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)+\iint_{T_{j,k}(x,y)\ge t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=I_1+I_2,$$

where

$$T_{j,k}(\xi_{1,j,k},\eta_{1,j,k})=\Big(\Big\lfloor\frac{\xi_{1,j,k}}{\tau_{j,k}+\theta_{j,k}}\Big\rfloor+1\Big)(\tau_{j,k}+\theta_{j,k})+\eta_{1,j,k}$$

is the length of the renewal interval of the $k$-th subsystem of the $j$-th safety system operation process and $\lfloor x\rfloor$ is the integer part of $x$ (a failure is found at the next scheduled inspection and repair starts when that inspection ends). We see that

$$I_2=\iint_{T_{j,k}(x,y)\ge t}\Big[\sum_{r=0}^{\infty}J_{\{t\in[r(\tau_{j,k}+\theta_{j,k}),\,r(\tau_{j,k}+\theta_{j,k})+\tau_{j,k})\}}\Big]J_{\{t\in[0,x)\}}\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x).$$

It can be easily shown that

$$I_2=\big(1-F_{\xi_{j,k}}(t)\big)-\sum_{r=1}^{\infty}\big(1-F_{\xi_{j,k}}(t)\big)\Big(J_{\{(r-1)(\tau_{j,k}+\theta_{j,k})+\tau_{j,k}\le t\}}-J_{\{r(\tau_{j,k}+\theta_{j,k})\le t\}}\Big)=\phi_{j,k}(t)\big(1-F_{\xi_{j,k}}(t)\big),$$

where

$$\phi_{j,k}(t)=1-\sum_{r=1}^{\infty}\Big(J_{\{(r-1)(\tau_{j,k}+\theta_{j,k})+\tau_{j,k}\le t\}}-J_{\{r(\tau_{j,k}+\theta_{j,k})\le t\}}\Big)$$

is the indicator that $t$ falls outside the scheduled inspections. Note that

$$I_1=\iint_{T_{j,k}(x,y)<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\iint_{T_{j,k}(x,y)<t}P_{j,k}\big(t-T_{j,k}(x,y)\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\int_0^t P_{j,k}(t-z)\,dF_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z),$$

where $F_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z)=\Pr\big(T_{j,k}(\xi_{1,j,k},\eta_{1,j,k})<z\big)$. Therefore

$$P_{j,k}(t)=\phi_{j,k}(t)\big(1-F_{\xi_{j,k}}(t)\big)+\int_0^t P_{j,k}(t-z)\,dF_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z).$$

Applying the same technique as above (the forcing term $\phi_{j,k}(t)(1-F_{\xi_{j,k}}(t))$ is periodic, so the limit is understood as the long-run time average) we get the following estimate:

$$\bar P_{j,k}=\lim_{t\to\infty}P_{j,k}(t)=\frac{E[\xi_{j,k}]-E[\zeta_{j,k}]}{E\big[T_{j,k}(\xi_{j,k},\eta_{j,k})\big]},$$

where $E[\zeta_{j,k}]$ is the expected time the subsystem spends in completed inspections before its failure,

$$E[\zeta_{j,k}]=\theta_{j,k}E\Big[\Big\lfloor\frac{\xi_{1,j,k}}{\tau_{j,k}+\theta_{j,k}}\Big\rfloor\Big]=\theta_{j,k}\sum_{r=1}^{\infty}r\Big(F_{\xi_{j,k}}\big((r+1)(\tau_{j,k}+\theta_{j,k})\big)-F_{\xi_{j,k}}\big(r(\tau_{j,k}+\theta_{j,k})\big)\Big),$$

$$E[\xi_{j,k}]=\int_0^\infty\big(1-F_{\xi_{j,k}}(t)\big)\,dt$$

and

$$E\big[T_{j,k}(\xi_{j,k},\eta_{j,k})\big]=\int_0^\infty\big(1-F_{\eta_{j,k}}(t)\big)\,dt+(\tau_{j,k}+\theta_{j,k})\Big(1+\sum_{r=1}^{\infty}r\Big(F_{\xi_{j,k}}\big((r+1)(\tau_{j,k}+\theta_{j,k})\big)-F_{\xi_{j,k}}\big(r(\tau_{j,k}+\theta_{j,k})\big)\Big)\Big).$$

2.5 Safety system with inspections, safety system is active during inspection

Using the same method as above we obtain

$$P_{j,k}(t)=\iint_{T_{j,k}(x,y)<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)+\iint_{T_{j,k}(x,y)\ge t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=I_1+I_2,$$

where

$$T_{j,k}(\xi_{1,j,k},\eta_{1,j,k})=\Big(\Big\lfloor\frac{\xi_{1,j,k}}{\tau_{j,k}+\theta_{j,k}}\Big\rfloor+1\Big)(\tau_{j,k}+\theta_{j,k})+\eta_{1,j,k}$$

is the length of the renewal interval of the $k$-th subsystem of the $j$-th safety system operation process. It is clear that

$$I_2=\iint_{T_{j,k}(x,y)\ge t}J_{\{t\in[0,x)\}}\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=1-F_{\xi_{j,k}}(t)$$

and

$$I_1=\iint_{T_{j,k}(x,y)<t}\Pr\big(t\in Q_{j,k}^+\mid\xi_{1,j,k}=x,\eta_{1,j,k}=y\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\iint_{T_{j,k}(x,y)<t}P_{j,k}\big(t-T_{j,k}(x,y)\big)\,dF_{\eta_{j,k}}(y)\,dF_{\xi_{j,k}}(x)=\int_0^t P_{j,k}(t-z)\,dF_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z),$$

where $F_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z)=\Pr\big(T_{j,k}(\xi_{1,j,k},\eta_{1,j,k})<z\big)$. And once again we obtain the fundamental renewal equation

$$P_{j,k}(t)=1-F_{\xi_{j,k}}(t)+\int_0^t P_{j,k}(t-z)\,dF_{T_{j,k}(\xi_{j,k},\eta_{j,k})}(z).$$

Therefore

$$\bar P_{j,k}=\lim_{t\to\infty}P_{j,k}(t)=\frac{E[\xi_{j,k}]}{E\big[T_{j,k}(\xi_{j,k},\eta_{j,k})\big]},$$

where

$$E[\xi_{j,k}]=\int_0^\infty\big(1-F_{\xi_{j,k}}(t)\big)\,dt$$

and

$$E\big[T_{j,k}(\xi_{j,k},\eta_{j,k})\big]=\int_0^\infty\big(1-F_{\eta_{j,k}}(t)\big)\,dt+(\tau_{j,k}+\theta_{j,k})\Big(1+\sum_{r=1}^{\infty}r\Big(F_{\xi_{j,k}}\big((r+1)(\tau_{j,k}+\theta_{j,k})\big)-F_{\xi_{j,k}}\big(r(\tau_{j,k}+\theta_{j,k})\big)\Big)\Big).$$

3 CASE STUDY

Consider the following example. Suppose that the complex consists of five safety systems and one protected object.

Figure 1. Reliability block diagram of the first safety system.

Figure 2. Reliability block diagram of Subsystem 1.

Figure 3. Reliability block diagram of Subsystem 2.

Figure 4. Reliability block diagram of the second safety system.

Figure 5. Reliability block diagram of the third safety system.

Figure 6. Reliability block diagram of the fourth safety system.

Figure 7. Reliability block diagram of the fifth safety system.

Figure 8. Reliability block diagram of Subsystem 3.

Figure 9. Reliability block diagram of Subsystem 4.

Reliability block diagrams of the safety systems are shown in Figures 1 through 9. We obviously have $N=5$, $M_1=2$, $M_2=1$, $M_3=1$, $M_4=1$, $M_5=2$. It can be easily shown that

$$h_1(t)=\big(P_{1,1}(t)+P_{1,2}(t)-P_{1,1}(t)P_{1,2}(t)\big)^2,$$

$$h_2(t)=3\big(P_{2,1}(t)\big)^2-2\big(P_{2,1}(t)\big)^3,\qquad h_3(t)=3\big(P_{3,1}(t)\big)^2-2\big(P_{3,1}(t)\big)^3,$$

$$h_4(t)=\big(P_{4,1}(t)\big)^2+2P_{4,1}(t)\Big(2P_{4,1}(t)-\big(P_{4,1}(t)\big)^2\Big)\big(1-P_{4,1}(t)\big),$$

$$h_5(t)=1-\big(1-P_{5,1}(t)P_{5,2}(t)\big)^2.$$

From the block diagrams, $C_{1,1}=4$, $C_{1,2}=4$, $C_{2,1}=4$, $C_{3,1}=1$, $C_{4,1}=1$, $C_{5,1}=6$, $C_{5,2}=3$. We see that

$$h_{1,1}(t)=\Big(2p_{1,1,1}(t)-\big(p_{1,1,1}(t)\big)^2\Big)\big(p_{1,1,2}(t)\big)^3p_{1,1,3}(t)p_{1,1,4}(t),$$

$$h_{1,2}(t)=\Big(2p_{1,2,1}(t)-\big(p_{1,2,1}(t)\big)^2\Big)\big(p_{1,2,2}(t)\big)^3p_{1,2,3}(t)p_{1,2,4}(t),$$

$$h_{2,1}(t)=p_{2,1,1}(t)p_{2,1,2}(t)p_{2,1,3}(t)p_{2,1,4}(t),\qquad h_{3,1}(t)=p_{3,1,1}(t),\qquad h_{4,1}(t)=p_{4,1,1}(t),$$

$$h_{5,1}(t)=p_{5,1,1}(t)p_{5,1,2}(t)p_{5,1,3}(t)p_{5,1,4}(t)p_{5,1,5}(t)p_{5,1,6}(t),\qquad h_{5,2}(t)=\Big(2p_{5,2,1}(t)-\big(p_{5,2,1}(t)\big)^2\Big)\big(p_{5,2,2}(t)\big)^3p_{5,2,3}(t).$$

Let $F_{\chi_j}(t)=\mathrm{EXP}(t;\lambda_{\chi_j})$ and $F_{\gamma_j}(t)=\mathrm{EXP}(t;\lambda_{\gamma_j})$ for $j=1,2,\ldots,N$, $F_{\xi_{j,k,l}}(t)=\mathrm{EXP}(t;\lambda_{\xi_{j,k,l}})$ for $j=1,\ldots,N$, $k=1,\ldots,M_j$, $l=1,\ldots,C_{j,k}$, and $F_{\eta_{j,k}}(t)=\mathrm{EXP}(t;\lambda_{\eta_{j,k}})$ for $j=1,\ldots,N$, $k=1,\ldots,M_j$, where

$$\mathrm{EXP}(t;\lambda)=\begin{cases}1-e^{-\lambda t}, & t>0,\\ 0, & \text{otherwise.}\end{cases}$$

Suppose that failures of all safety subsystems are detected only during scheduled periodic inspections and that the safety subsystems are active during an inspection, so that the results of Section 2.5 apply. Therefore

$$E[\omega]=E[\alpha]+\frac{1-q}{q}\big(E[\alpha]+E[\beta]\big)$$

and

$$\Pr(\omega<t)\approx1-\exp\Big(-\frac{q\,t}{E[\alpha]+E[\beta]}\Big),$$

where

$$E[\alpha]=\frac{1}{\lambda_{\chi_1}+\lambda_{\chi_2}+\lambda_{\chi_3}+\lambda_{\chi_4}+\lambda_{\chi_5}},$$

$$E[\beta]=\frac{1}{\lambda_{\chi_1}+\lambda_{\chi_2}+\lambda_{\chi_3}+\lambda_{\chi_4}+\lambda_{\chi_5}}\Big(\frac{\lambda_{\chi_1}}{\lambda_{\gamma_1}}+\frac{\lambda_{\chi_2}}{\lambda_{\gamma_2}}+\frac{\lambda_{\chi_3}}{\lambda_{\gamma_3}}+\frac{\lambda_{\chi_4}}{\lambda_{\gamma_4}}+\frac{\lambda_{\chi_5}}{\lambda_{\gamma_5}}\Big),$$

$$q=\frac{q_1\lambda_{\chi_1}+q_2\lambda_{\chi_2}+q_3\lambda_{\chi_3}+q_4\lambda_{\chi_4}+q_5\lambda_{\chi_5}}{\lambda_{\chi_1}+\lambda_{\chi_2}+\lambda_{\chi_3}+\lambda_{\chi_4}+\lambda_{\chi_5}},$$

$$q_1\approx1-\big(\bar P_{1,1}+\bar P_{1,2}-\bar P_{1,1}\bar P_{1,2}\big)^2,\qquad q_2\approx1-3\bar P_{2,1}^2+2\bar P_{2,1}^3,\qquad q_3\approx1-3\bar P_{3,1}^2+2\bar P_{3,1}^3,$$

$$q_4\approx1-\bar P_{4,1}^2-2\bar P_{4,1}\big(2\bar P_{4,1}-\bar P_{4,1}^2\big)\big(1-\bar P_{4,1}\big),\qquad q_5\approx\big(1-\bar P_{5,1}\bar P_{5,2}\big)^2,$$

with $\bar P_{j,k}=E[\xi_{j,k}]\big/E[T_{j,k}(\xi_{j,k},\eta_{j,k})]$ as in Section 2.5, where

$$E[\xi_{1,1}]=\frac{2}{\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}}}-\frac{1}{2\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}}},$$

$$E[\xi_{1,2}]=\frac{2}{\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}}}-\frac{1}{2\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}}},$$

$$E[\xi_{2,1}]=\frac{1}{\lambda_{\xi_{2,1,1}}+\lambda_{\xi_{2,1,2}}+\lambda_{\xi_{2,1,3}}+\lambda_{\xi_{2,1,4}}},\qquad E[\xi_{3,1}]=\frac{1}{\lambda_{\xi_{3,1,1}}},\qquad E[\xi_{4,1}]=\frac{1}{\lambda_{\xi_{4,1,1}}},$$

$$E[\xi_{5,1}]=\frac{1}{\lambda_{\xi_{5,1,1}}+\lambda_{\xi_{5,1,2}}+\lambda_{\xi_{5,1,3}}+\lambda_{\xi_{5,1,4}}+\lambda_{\xi_{5,1,5}}+\lambda_{\xi_{5,1,6}}},$$

$$E[\xi_{5,2}]=\frac{2}{\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}}}-\frac{1}{2\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}}}.$$

For exponential elements $1-F_{\xi_{j,k}}(t)$ is a sum of exponentials, so the series in $E[T_{j,k}(\xi_{j,k},\eta_{j,k})]$ is geometric and

$$E\big[T_{1,1}(\xi_{1,1},\eta_{1,1})\big]=\frac{1}{\lambda_{\eta_{1,1}}}+(\tau_{1,1}+\theta_{1,1})\left(1+\frac{2e^{-(\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}})(\tau_{1,1}+\theta_{1,1})}}{1-e^{-(\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}})(\tau_{1,1}+\theta_{1,1})}}-\frac{e^{-(2\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}})(\tau_{1,1}+\theta_{1,1})}}{1-e^{-(2\lambda_{\xi_{1,1,1}}+3\lambda_{\xi_{1,1,2}}+\lambda_{\xi_{1,1,3}}+\lambda_{\xi_{1,1,4}})(\tau_{1,1}+\theta_{1,1})}}\right),$$

$$E\big[T_{1,2}(\xi_{1,2},\eta_{1,2})\big]=\frac{1}{\lambda_{\eta_{1,2}}}+(\tau_{1,2}+\theta_{1,2})\left(1+\frac{2e^{-(\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}})(\tau_{1,2}+\theta_{1,2})}}{1-e^{-(\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}})(\tau_{1,2}+\theta_{1,2})}}-\frac{e^{-(2\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}})(\tau_{1,2}+\theta_{1,2})}}{1-e^{-(2\lambda_{\xi_{1,2,1}}+3\lambda_{\xi_{1,2,2}}+\lambda_{\xi_{1,2,3}}+\lambda_{\xi_{1,2,4}})(\tau_{1,2}+\theta_{1,2})}}\right),$$

$$E\big[T_{2,1}(\xi_{2,1},\eta_{2,1})\big]=\frac{1}{\lambda_{\eta_{2,1}}}+(\tau_{2,1}+\theta_{2,1})\left(1+\frac{e^{-(\lambda_{\xi_{2,1,1}}+\lambda_{\xi_{2,1,2}}+\lambda_{\xi_{2,1,3}}+\lambda_{\xi_{2,1,4}})(\tau_{2,1}+\theta_{2,1})}}{1-e^{-(\lambda_{\xi_{2,1,1}}+\lambda_{\xi_{2,1,2}}+\lambda_{\xi_{2,1,3}}+\lambda_{\xi_{2,1,4}})(\tau_{2,1}+\theta_{2,1})}}\right),$$

$$E\big[T_{3,1}(\xi_{3,1},\eta_{3,1})\big]=\frac{1}{\lambda_{\eta_{3,1}}}+(\tau_{3,1}+\theta_{3,1})\left(1+\frac{e^{-\lambda_{\xi_{3,1,1}}(\tau_{3,1}+\theta_{3,1})}}{1-e^{-\lambda_{\xi_{3,1,1}}(\tau_{3,1}+\theta_{3,1})}}\right),$$

$$E\big[T_{4,1}(\xi_{4,1},\eta_{4,1})\big]=\frac{1}{\lambda_{\eta_{4,1}}}+(\tau_{4,1}+\theta_{4,1})\left(1+\frac{e^{-\lambda_{\xi_{4,1,1}}(\tau_{4,1}+\theta_{4,1})}}{1-e^{-\lambda_{\xi_{4,1,1}}(\tau_{4,1}+\theta_{4,1})}}\right),$$

$$E\big[T_{5,1}(\xi_{5,1},\eta_{5,1})\big]=\frac{1}{\lambda_{\eta_{5,1}}}+(\tau_{5,1}+\theta_{5,1})\left(1+\frac{e^{-(\lambda_{\xi_{5,1,1}}+\lambda_{\xi_{5,1,2}}+\lambda_{\xi_{5,1,3}}+\lambda_{\xi_{5,1,4}}+\lambda_{\xi_{5,1,5}}+\lambda_{\xi_{5,1,6}})(\tau_{5,1}+\theta_{5,1})}}{1-e^{-(\lambda_{\xi_{5,1,1}}+\lambda_{\xi_{5,1,2}}+\lambda_{\xi_{5,1,3}}+\lambda_{\xi_{5,1,4}}+\lambda_{\xi_{5,1,5}}+\lambda_{\xi_{5,1,6}})(\tau_{5,1}+\theta_{5,1})}}\right),$$

$$E\big[T_{5,2}(\xi_{5,2},\eta_{5,2})\big]=\frac{1}{\lambda_{\eta_{5,2}}}+(\tau_{5,2}+\theta_{5,2})\left(1+\frac{2e^{-(\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}})(\tau_{5,2}+\theta_{5,2})}}{1-e^{-(\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}})(\tau_{5,2}+\theta_{5,2})}}-\frac{e^{-(2\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}})(\tau_{5,2}+\theta_{5,2})}}{1-e^{-(2\lambda_{\xi_{5,2,1}}+3\lambda_{\xi_{5,2,2}}+\lambda_{\xi_{5,2,3}})(\tau_{5,2}+\theta_{5,2})}}\right).$$
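As an added example (not code from the paper), the case study above carried through numerically: the subsystem survival laws are taken from the $h_{j,k}$ given above as sums of exponentials, the series in $E[T_{j,k}]$ is evaluated both in closed form and by the truncated sum as the paper writes it, the limiting availabilities are formed under Section 2.5 (subsystem active during inspection) or, with a flag, Section 2.4 (inactive, subtracting $E[\zeta_{j,k}]$), and the five $h_j$ give $q_j$, $q$, $E[\omega]$ and $\Pr(\omega<t)$. Every rate and inspection parameter is a constructed, hypothetical input; the paper gives none.

```python
import math

# Added example, not code from the paper: the Section 3 case study carried through
# numerically with the five structure functions h_j and the subsystem lifetime laws
# given above. Inspections follow Section 2.5 (subsystem active during inspection)
# or, with a flag, Section 2.4 (inactive). All rates and inspection parameters are
# constructed, hypothetical inputs (rates per hour, times in hours).
LAM_CHI = [1e-3, 2e-3, 5e-4, 1e-3, 2e-4]   # lambda_chi_j, protected-object failure rates
LAM_GAM = [0.5, 0.5, 0.25, 1.0, 0.5]        # lambda_gamma_j, protected-object repair rates
LAM_XI = {                                  # lambda_xi_jkl for the elements of subsystem (j,k)
    (1, 1): [2e-5, 1e-5, 5e-6, 5e-6], (1, 2): [2e-5, 1e-5, 5e-6, 5e-6],
    (2, 1): [1e-5] * 4, (3, 1): [1e-5], (4, 1): [5e-6],
    (5, 1): [3e-6] * 6, (5, 2): [2e-5, 1e-5, 5e-6],
}
LAM_ETA = {key: 0.1 for key in LAM_XI}      # lambda_eta_jk, subsystem repair rates
TAU = {key: 720.0 for key in LAM_XI}        # tau_jk, operating time between inspections
THETA = {key: 8.0 for key in LAM_XI}        # theta_jk, inspection duration


def survival_terms(j, k):
    # 1 - F_xi_jk(t) = sum_m c_m exp(-mu_m t), read off the h_jk of the case study.
    lam = LAM_XI[(j, k)]
    if (j, k) in ((1, 1), (1, 2)):          # h = (2p1 - p1^2) p2^3 p3 p4
        base = 3 * lam[1] + lam[2] + lam[3]
        return [(2.0, lam[0] + base), (-1.0, 2 * lam[0] + base)]
    if (j, k) == (5, 2):                    # h = (2p1 - p1^2) p2^3 p3
        base = 3 * lam[1] + lam[2]
        return [(2.0, lam[0] + base), (-1.0, 2 * lam[0] + base)]
    return [(1.0, sum(lam))]                # series subsystems: h = p1 p2 ... pC


def mean_xi(terms):
    # E[xi_jk] = int_0^inf (1 - F_xi_jk(t)) dt
    return sum(c / mu for c, mu in terms)


def mean_floor(terms, a):
    # E[floor(xi / a)] = sum_{r>=1} Pr(xi >= r a); each exponential term is a geometric series.
    return sum(c * math.exp(-mu * a) / (1.0 - math.exp(-mu * a)) for c, mu in terms)


def mean_floor_series(terms, a, r_max=20000):
    # The same quantity as the paper writes it, sum_r r (F((r+1)a) - F(r a)), truncated at r_max.
    def cdf(t):
        return 1.0 - sum(c * math.exp(-mu * t) for c, mu in terms)
    return sum(r * (cdf((r + 1) * a) - cdf(r * a)) for r in range(1, r_max + 1))


def limiting_availability(j, k, active_during_inspection=True):
    # E[T_jk] = E[eta] + (tau + theta)(1 + E[floor(xi/(tau+theta))]). The subsystem is up
    # for E[xi] per renewal interval (Section 2.5), less theta * E[floor(...)] spent in
    # completed inspections when it is inactive during inspection (Section 2.4).
    terms = survival_terms(j, k)
    a = TAU[(j, k)] + THETA[(j, k)]
    ef = mean_floor(terms, a)
    e_t = 1.0 / LAM_ETA[(j, k)] + a * (1.0 + ef)
    up = mean_xi(terms) - (0.0 if active_during_inspection else THETA[(j, k)] * ef)
    return up / e_t


def system_unavailabilities(active=True):
    # q_j ~ 1 - h_j(P_j1, P_j2, ...) with the structure functions of the case study.
    P = {key: limiting_availability(*key, active_during_inspection=active) for key in LAM_XI}
    p11, p12, p21 = P[(1, 1)], P[(1, 2)], P[(2, 1)]
    p31, p41, p51, p52 = P[(3, 1)], P[(4, 1)], P[(5, 1)], P[(5, 2)]
    return [
        1.0 - (p11 + p12 - p11 * p12) ** 2,
        1.0 - 3 * p21 ** 2 + 2 * p21 ** 3,
        1.0 - 3 * p31 ** 2 + 2 * p31 ** 3,
        1.0 - p41 ** 2 - 2 * p41 * (2 * p41 - p41 ** 2) * (1.0 - p41),
        (1.0 - p51 * p52) ** 2,
    ]


def accident_indices(active=True):
    # Returns (q, E[alpha], E[beta], E[omega]) for the complex.
    q_sys = system_unavailabilities(active)
    total = sum(LAM_CHI)
    q = sum(qj * lc for qj, lc in zip(q_sys, LAM_CHI)) / total
    e_alpha = 1.0 / total
    e_beta = sum(lc / lg for lc, lg in zip(LAM_CHI, LAM_GAM)) / total
    return q, e_alpha, e_beta, e_alpha + (1.0 - q) / q * (e_alpha + e_beta)


def accident_cdf(t, active=True):
    # Asymptotic Pr(omega < t) ~ 1 - exp(-q t / (E[alpha] + E[beta]))
    q, e_alpha, e_beta, _ = accident_indices(active)
    return 1.0 - math.exp(-q * t / (e_alpha + e_beta))


if __name__ == "__main__":
    for active in (True, False):
        q, ea, eb, eo = accident_indices(active)
        print(f"active during inspection={active}: q={q:.3e}  E[omega]={eo:.4g} h  "
              f"Pr(omega<1e5 h)={accident_cdf(1e5, active):.3f}")
```

Running both settings shows the cost of taking a subsystem off line for inspection: with the same rates the inactive variant lowers every $\bar P_{j,k}$ by $\theta_{j,k}E[\lfloor\xi_{j,k}/(\tau_{j,k}+\theta_{j,k})\rfloor]/E[T_{j,k}]$, which raises $q$ and shortens $E[\omega]$. The truncated series and the geometric closed form agree to rounding, which is the check to run before trusting a hand-evaluated $E[T_{j,k}]$.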

4 CONCLUSIONS

The proposed model makes it possible to assess the reliability of the "safety system-protected object" complex with multiple safety systems. In particular, the suggested approach allows one to evaluate such reliability indices as the mean time to accident and the probability of an accident prior to time t. The approach takes into account the structure of the safety systems and their scheduled periodic inspections. The solution obtained is useful for the reliability assessment of nuclear power plants and similar hazardous technological objects.

REFERENCES

Corneliussen, K. & Hokstad, P. 2003. Reliability Prediction Method for Safety Instrumented Systems; PDS Method Handbook, 2003 Edition. SINTEF report STF38 A02420, SINTEF, Trondheim, Norway.

Hansen, G.K. & Aarø, R. 1997. Reliability Quantification of Computer-Based Safety Systems. An Introduction to PDS. SINTEF report STF38 A97434, SINTEF, Trondheim, Norway.

Kovalenko, I.N., Kuznetsov, N.Yu. & Pegg, P.A. 1997. Mathematical Theory of Reliability of Time Dependent Systems with Practical Applications. John Wiley & Sons.

Pereguda, A.I. 2001. Calculation of the Reliability Indicators of the System Protected Object-Control and Protection System. Atomic Energy 90: 460-468.

Rausand, M. & Høyland, A. 2004. System Reliability Theory: Models, Statistical Methods and Applications. 2nd ed. John Wiley & Sons.
