Application of Dynamic Fault Tree Analysis to Prioritize Electric Power Systems in Nuclear Power Plants

Because the scope of risk assessments at nuclear power plants (NPPs) is being extended both spatially and temporally, conventional, or static, fault trees might not be able to express failure mechanisms, or they could be unnecessarily conservative in their expression. Therefore, realistic assessment techniques are needed to adequately capture accident scenarios. In multi-unit probabilistic safety assessment (PSA), fault trees naturally become more complex as the number of units increases. In particular, when considering a facility of the electric power system (EPS) that is shared between units, static fault trees (SFTs) that prioritize a specific unit are limited in implementing interactions between units. Dynamic fault trees (DFTs), however, avoid this limitation by using dynamic gates. Therefore, this study implements SFTs and DFTs for an EPS of two virtual NPPs and compares their results. In addition, to demonstrate the dynamic characteristics of the shared facilities, a station blackout (SBO), which causes the power system to lose its function, is assumed, especially with an inter-unit shared facility, the AAC DG (Alternate AC Diesel Generator). To properly model the dynamic characteristics of the shared EPS in DFTs, a modified dynamic gate and algorithm are introduced, and a Monte Carlo simulation is adopted to quantify the DFT models. Through the analysis of the DFT, it is possible to confirm the actual connection priority of the AAC DG according to the situation of the units on a site. In addition, it is confirmed that some conservative results presented by the SFT can be evaluated from a more realistic perspective by reflecting this.


Introduction
The systems and components of nuclear power plants (NPPs) should be evaluated to predict and prepare for potential failures. Probabilistic safety assessments (PSAs) are one commonly used method. Since the Fukushima Daiichi accident in Japan showed that multiple units within a site could be simultaneously exposed to risk, multi-unit PSAs have been studied [1]. For a system under certain conditions, such as activation or failure of preceding equipment, the arrangement of operating or failure times of components may have a significant impact on the entire system. When performing a multi-unit PSA in Korea, this is prominently displayed in the electric power system (EPS). Therefore, once the time arrangement of components is identified, it should be possible to further complement a system model by securing new combinations of component failures that have not been previously checked and to produce realistic results.
Although conventional event trees and fault trees have often been deemed sufficient in presenting outcomes that fit the purpose of a PSA, they are unavoidably conservative because of the difficulty in identifying the behavior of components over time. In other words, conventional event trees and fault trees do not reflect the dynamic effects of failure timing, the sequence of failing components, or system and operator actions during a failure. In particular, because traditional fault trees apply only to general linear systems, they cannot adequately address the dynamic characteristics of a failure over time. The Monte Carlo simulation approach was chosen to determine near-accurate values with simulation results and secure as many as possible for a specific situation, and only non-repairable devices were considered. Throughout this study, conventional fault trees are called SFTs to distinguish them from DFTs.
This paper is organized as follows: Section 2 describes the modeling process and reflects the characteristics of each fault tree in a dual-unit SBO. Section 2.1 covers the structure of the EPSs in the two virtual NPPs, and Section 2.2 introduces the reliability data and assumptions of the SFT implemented. The features of each dynamic gate that forms the DFT and a method for quantifying them are presented in Sections 2.3.1 and 2.3.2. Section 2.3.3 describes a situation that cannot be solved by the existing dynamic gate alone, due to the characteristics of the EPS. The DFT built on that basis is presented in Section 2.3.4, and additional conditional expressions for the dynamic gate developed to reflect the limitations of the AAC DG are also described there. Section 3 then presents the results from the developed SFTs and DFTs and compares their determination of the priorities for the AAC DG. Related discussion and conclusions are given in Section 4.

EPS Structure
The EPS is a supporting system that supplies electric power to all the components and systems in an NPP. In normal operation, the plant transmits the electric power it generates to the outside, and it receives the electricity required for its operation from an offsite power source. Furthermore, the voltage is stepped down through transformers to match the rated voltage of the plant components, and the power is then supplied to each power bus line. In the EPS structure, all bus lines with upper to lower voltages are connected, and each bus line is divided into A and B trains [20]. In addition, each train is designed to recover power using an emergency diesel generator (EDG) in the event of a loss of offsite power (LOOP). If the EDG fails or is otherwise unavailable, the plant enters an SBO situation and gets a supply of power through the AAC DG, an inter-unit shared facility on site [24]. In other words, the AAC DG is only used when both EDGs connected to each train are unavailable. However, a multi-unit SBO, when several units simultaneously need the AAC DG, could still occur if all the EDGs in multiple units fail at the same time. Furthermore, because an AAC DG can be connected to only one train in a single unit, it is difficult to determine the priority between units, as shown in Figure 1.
On this issue, this paper compares an SFT constructed with the assumption that priority is given to a specific train of a certain unit with a DFT that reflects AAC DG availability according to dynamic interactions. For this purpose, the EPS of a general pressurized water reactor was configured in a simple form to show the dynamic characteristics well. For the convenience of description in the following, the target plant that suffers the top event in the fault trees will be called Unit 1, and its neighboring plant on the same site is called Unit 2.
Energies 2021, 14, 4119
Figure 2 shows a simplified single line diagram (SLD) of the EPS for the dual unit, indicating that each unit has access to offsite power, 4.16 kV bus lines, EDGs, and the AAC DG. It is assumed that the offsite power is supplied to both units and connected to trains A and B of the 4.16 kV buses. In addition, each unit has two EDGs that can be connected to either train, and the AAC DG is assumed to be capable of connecting to any train in either unit. This EPS was prepared simply for the purpose of this study; the actual composition would vary depending on the research purpose or actual situation in a plant.

Static Fault Tree Analysis
In this study, both an SFT and a DFT are evaluated by targeting Unit 1. Therefore, the top event in the fault trees is a failure to supply power to all trains in Unit 1. The following considerations were applied to construct the SFT of the EPS.

• It is assumed that 4.16 kV is the offsite power.

Figures 3 and 4 show part of the SFT for the EPS using the SLD and considerations and the reliability data. Figure 4 stands for the transferred AAC DG failure gate (GEP-AAC) in Figure 3. The SFTs in the figures are for the A train of Unit 1, and the B train has a symmetrical structure. AIMS-PSA software was used to implement this SFT [23].

Characteristics of a Dynamic Fault Tree
A DFT is a method for adding dynamic gates that deal with sequential concepts to an SFT. With the help of dynamic gates, modelers can specify sequence-dependent system failure behavior, spares, and dynamic redundancy management. Furthermore, priorities during a failure event are compact and easily understood in DFTs [3]. They can also consider combinations that can change the failure state of a system by implementing a component's startup, shutdown, and repair within a mission time.
In this study, the Monte Carlo simulation approach was used to quantify the DFTs. The Monte Carlo simulation is mainly used to represent the aleatory uncertainty which is related to the stochastic distribution of the physical parameters in models [16]. The key in using the Monte Carlo simulation method is to generate random numbers to determine the failure timing and failure sequence. The failure rate of each component in the system is assigned to a basic event, and most of the reliability analysis addresses only random failures, which have a constant instantaneous failure rate λ at time t that follows the exponential distribution, as given in Equation (1) [9].
where $F(t)$ is a random number with a uniform distribution generated in [0, 1]. If $t$ is smaller than the mission time, the component is considered to have failed. If the components have a fixed probability, representing a demand failure, it can be expressed as given in Equation (2) [14].
where $\lambda_d$ is a demand failure, $q$ is a random number with a uniform distribution in [0, 1], and $t_q$ is a random number generated uniformly between 0 and the mission time.
The failure time of the components derived using those equations is the input for the basic event that constitutes a dynamic gate, enabling the calculation of the unreliability of the top event in a way that reflects the dynamic interactions among components in the system.

Dynamic Gates
The four dynamic gates that constitute DFTs are shown in Figure 5 [6]. Generalized formulas for each dynamic gate that can be used in a spreadsheet were presented in a previous study [26]. In this section, we briefly explain the characteristics of and output derivation formulas for each dynamic gate.
The priority AND (PAND) gate is similar to an AND gate, but its output depends on a basic event on the left (A) occurring before an event on the right (B). Therefore, logical expressions for deriving the output of the PAND gate can be represented, as shown in Table 2. In other words, the failure time of B ($T_B$) is considered as an output of the gate only when it is smaller than the mission time ($T_M$) and larger than the failure time of A ($T_A$); otherwise the gate provides an output with an infinite failure time ($\infty$). If the failure time of the gate ($T_{PAND}$) is also greater than $T_M$, the gate is deemed a failure, and its output state is denoted as 1.
The standby or spare (SPARE) gate reflects extra components ($S_1$) that can replace the failed component with the same functionality. The SPARE gate fails when the number of functioning components, including spares, falls below the minimum required. Standby components can fail even when they are dormant, which can be expressed as a dormancy factor, $\alpha$, where $0 \le \alpha \le 1$. Therefore, a SPARE gate can be cold ($\alpha = 0$), warm ($0 < \alpha < 1$), or hot ($\alpha = 1$), depending on the dormancy factor [11]. In addition, the failure time for a spare component in the standby state can be considered the same as that calculated using its startup failure rate. Table 3 presents logical expressions that produce the output of a SPARE gate that reflects the standby failure of a single spare component.

A sequence enforcing (SEQ) gate forces its inputs to fail in a particular order, and those inputs never happen in a different order. An SEQ gate can also be considered as a Cold-SPARE (CSP) gate. Table 4 gives an expression for computing an SEQ gate, where the sum of the failure times for the three components ($T_A$, $T_B$, $T_C$) becomes the final failure time. Like the other gates, the state of the output is compared with $T_M$. This study did not use SEQ or PAND gates to implement the DFT.
The functional dependency (FDEP) gate has a trigger event that forces dependent events to occur. Therefore, the FDEP gate has no output, but it can determine the state of dependent events. Table 5 shows expressions for calculating the components of an FDEP gate. The dependent events determine their own states when the minimum (MIN) failure time between the trigger ($T_T$) and dependent events ($T_A$, $T_B$) is smaller than $T_M$. The failure time expression of a dependent event is the same as with an OR gate, and the expression for an AND gate can be given by using the maximum failure time between events instead of the minimum.

Development of Dynamic Gate for a Specific Shared Facility
In an NPP, a component can be shared within a system or between systems. In those cases, a dynamic gate can be expressed in the form of two SPARE gates that share one redundant component, as shown in Figure 6. In general, because the shared spare is used by the side that fails first, it is easy to determine the available priority. The expressions for calculating SPARE gates for this case were discussed in a previous study, as shown in Table 6 [26].
Table 6. Logical expression for deriving the output of two SPARE gates that share one component.

Table 6 columns: Component, Additional Condition 1 (AC1), Additional Condition 2 (AC2).
Some additional conditional expressions are required to solve these gates. The first additional condition is the same as the expression for determining the presence or absence of a failed spare in the standby state of a single SPARE gate. The second additional condition determines the SPARE gate in which the components in the operating state ($T_A$, $T_B$) fail first. In other words, the spare component goes to the gate that requires it at the earlier time. Therefore, each SPARE gate has a failure time relevant to the shared component through the discrimination state value of those two conditions. However, the above expressions cannot be used if other specific conditions are required to run the shared component, for example, when a spare component is activated only when all operating components have stopped. This is one of the characteristics that appeared in the process of constructing the DFT for the EPS. For example, the EDGs are activated when both trains are unavailable due to LOOP, and the AAC DG operates only when both EDGs are lost. Therefore, more additional conditional expressions are required to solve dynamic gates that reflect those conditions. How to solve a SPARE gate that includes a shared component with a specific operating condition will be described in the next section.

Construction of the Dynamic Fault Tree
The DFT used in this study reflects all the considerations and reliability data addressed in the SFT. To implement the DFT targeted in this study, it was necessary to distinguish the priority for the spare using the dynamic interactions among components. Figure 7 shows the DFT of the EPS constructed for this study.  The top event of the DFT is the failure to supply power to all trains in Unit 1, which is the same as for the SFT in Section 2.2. In this DFT, the two SPARE gates on the upper side indicate components within Unit 1, and those on the lower side represent components within Unit 2. If each high-voltage 4.16 kV bus fails, the trains in both units are left without power, despite the additional power systems. Because the 4.16 kV power is supplied from an offsite power source, LOOP and the power of all trains can configure the FDEP gate as a trigger and dependent event, respectively. The EDGs, which support each train when LOOP occurs, are the first spare on all the SPARE gates, and the AAC DG is the second spare that can be shared among all trains on both units. In addition, this study implemented Warm-SPARE (WSP) gates by computing the failure time using the startup failure rate to consider failures in the standby state for all spares.
Gates other than the SPARE gates can be solved using the expressions explained in Section 2.3.2. Therefore, this section provides additional conditional expressions and solutions that reflect the characteristics of the EPS to clarify the SPARE gates. The unusual aspects of the EPS that are to be addressed by the SPARE gates are described in detail in Table 7. Take, for example, the process of deciding whether to connect the AAC DG to train A in Unit 1 after dual-unit LOOP has occurred.
Table 7. Logical expressions for the SPARE gate to supply power to train A in Unit 1 following dual-unit LOOP.
Table 7 columns: Gate, Time to Failure ($T_i$), State ($S_i$). Gate: SPARE Train A with EDG and AAC DG.
In the case of EDG A, because a WSP gate is used, the total failure time ($T_{EDGA1-AC}$) is calculated by considering the failure of EDG A in standby ($T_{EDGA1-SB}$), as shown in Table 3. In addition, an additional condition ($AC_{EDG}$) for the EDG judges whether a lack of offsite power to both the 4.16 kV buses (A and B) should be considered. Therefore, if the failure time of the power supplied to 4.16 kV buses A and B ($T_{4.16A1}$, $T_{4.16B1}$) does not reach the mission time ($T_M$), EDG A in Unit 1 is started, and the failure time reflecting the first spare ($T_{4.16A1+EDGA1}$) can be derived. In that way, it is possible to produce the failure time while considering the EDGs for all remaining trains ($T_{4.16B1+EDGB1}$, $T_{4.16A2+EDGA2}$, $T_{4.16B2+EDGB2}$). The AAC DG can also fail in the dormant state, and the standby time lasts until all of the EDGs for each unit fail. However, for train A of Unit 1 to use the AAC DG, four additional conditions must be met. The first additional condition (AC1) is that the standby time of the AAC DG ($T_{AAC-SB}$) must be longer than the sum of the operating times of offsite power and the EDG ($T_{4.16A1+EDGA1}$). The second additional condition (AC2) checks the priority between trains A and B in Unit 1, which confirms whether train A ($T_{4.16A1+EDGA1}$) is disabled before B ($T_{4.16B1+EDGB1}$). The third additional condition (AC3) identifies whether both EDG A and B have failed before $T_M$ to determine whether the AAC DG should be connected (i.e., judgement of an SBO). The last condition (AC4) reflects the characteristic of an inter-unit shared facility that is unavailable to the remaining units if the AAC DG is already in use, due to an earlier failure time in Unit 2 ($T_{4.16A2+EDGA2}$, $T_{4.16B2+EDGB2}$). With those conditions, it is possible to derive the failure time and status of the SPARE gate for the power supply to train A of Unit 1 ($T_{TRA1}$), and the same procedure can be applied to the other SPARE gates.
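The following Python block is an added example, not the authors' code: it samples failure times in the way the text around Equations (1) and (2) describes and applies AC_EDG and AC1 to AC4 to decide which unit and train receives the shared AAC DG. The reliability values, the single LOOP time common to both units, the tie rule in favour of Unit 1, and the order-blind comparison verdict with Unit 2 priority fixed in advance are assumptions made for illustration; only the 72 h mission time comes from the page.

```python
import math
import random

T_M = 72.0   # mission time in hours, as stated on the page
INF = math.inf
# Constructed, deliberately inflated reliability data (not the paper's Table 1).
LOOP_RATE, EDG_START_P, EDG_RUN_RATE = 0.02, 0.10, 0.02
AAC_START_P, AAC_RUN_RATE = 0.10, 0.02


def run_failure_time(rate, rng):
    """Exponential time to failure by inverse-transform sampling."""
    return -math.log(1.0 - rng.random()) / rate


def standby_failure_time(prob, rng):
    """Demand (startup) failure: with probability prob the dormant component
    fails at a uniform time in [0, T_M]; otherwise it never fails dormant."""
    q, t_q = rng.random(), rng.uniform(0.0, T_M)
    return t_q if q < prob else INF


def train_with_edg(t_bus, edg_sb, edg_run):
    """Warm SPARE of one train: time at which bus and EDG are both lost."""
    if t_bus >= T_M:          # AC_EDG: offsite power lasts the whole mission
        return INF
    if edg_sb <= t_bus:       # EDG failed in standby before it was needed
        return t_bus
    return t_bus + edg_run


def evaluate(loop, edg, aac_sb, aac_run):
    """edg maps (unit, train) -> (standby failure time, run time).
    LOOP is the FDEP trigger: every 4.16 kV bus fails at time `loop`."""
    tr = {k: train_with_edg(loop, sb, run) for k, (sb, run) in edg.items()}
    sbo = {u: max(tr[(u, "A")], tr[(u, "B")]) for u in (1, 2)}
    # AC3: a unit asks for the AAC DG only if both EDGs are lost before T_M.
    claimants = [u for u in (1, 2) if sbo[u] < T_M]
    # AC4: the unit that reaches SBO first gets it (a tie goes to Unit 1 here).
    first = min(claimants, key=lambda u: sbo[u]) if claimants else None
    # AC1: the AAC DG must outlive its standby period up to the connection.
    owner = first if first is not None and aac_sb > sbo[first] else None
    # AC2: inside the owning unit, the train that lost power first is served.
    train = min("AB", key=lambda x: tr[(owner, x)]) if owner else None
    if sbo[1] >= T_M:
        t_top = INF
    elif owner == 1:
        t_top = sbo[1] + aac_run      # run clock starts at connection
    else:
        t_top = sbo[1]                # AAC DG dead or already used by Unit 2
    # Order-blind verdict with Unit 2 priority fixed in advance (SFT-like).
    down = {k: min(sb, run) < T_M for k, (sb, run) in edg.items()}
    static = (loop < T_M and down[(1, "A")] and down[(1, "B")]
              and (min(aac_sb, aac_run) < T_M
                   or (down[(2, "A")] and down[(2, "B")])))
    return {"owner": owner, "train": train, "t_top": t_top,
            "dynamic_fail": t_top < T_M, "static_fail": static}


def simulate(n, seed=1):
    """Monte Carlo estimate of (dynamic, static) Unit 1 failure probability."""
    rng = random.Random(seed)
    dyn = sta = 0
    for _ in range(n):
        edg = {(u, t): (standby_failure_time(EDG_START_P, rng),
                        run_failure_time(EDG_RUN_RATE, rng))
               for u in (1, 2) for t in "AB"}
        r = evaluate(run_failure_time(LOOP_RATE, rng), edg,
                     standby_failure_time(AAC_START_P, rng),
                     run_failure_time(AAC_RUN_RATE, rng))
        dyn += r["dynamic_fail"]
        sta += r["static_fail"]
    return dyn / n, sta / n


if __name__ == "__main__":
    print(simulate(200_000))
```

Every sample that fails under the timed logic also fails under the order-blind verdict, but not the reverse, which is the inclusion relation between DFT and SFT cutsets that the evaluation sections report.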

Static Fault Tree Evaluation
When the SFT presented in Section 2.2 was quantified, the unavailable frequency of the EPS for Unit 1 in a dual-unit LOOP was $3.108 \times 10^{-04}$. Table 8 shows the top 30 cutsets calculated using the SFT, with each cutset composed of the event names shown in Table 1.
Each cutset represents a combination of equipment failures that cause EPS unavailability in Unit 1, and becomes a comparison target for the DFT results presented in the next section. The first cutset occupies the largest share of the probability space: an accident in which even the AAC DG fails in an SBO situation in which both EDGs A and B failed during operation, as shown in Figure 8. In addition, most of the cutsets in the upper ranks consist of a combination of startup and running failures of the EDGs and AAC DG after LOOP. These types of cutsets are marked as group I. However, those cutsets do not show the order of failure for trains A and B in Unit 1, so even if the AAC DG is available, it is not possible to determine which train connects to the AAC DG. Furthermore, the situation of Unit 2 is also unknown. Some of the cutsets produced after the fourteenth cutset and marked as group II contain an accident by which the EDGs are unavailable for both Units 1 and 2, as shown in Figure 9. As suggested as a limitation of the SFT model, this can be understood as the result of transferring the priority of the AAC DG to Unit 2 when all the EDGs in Unit 2 are unavailable. In other words, because the AAC DG is being used by Unit 2, it is marked as an accident in the cutsets of the SFT that target Unit 1. However, even in that case, the order of train failure cannot be confirmed for either unit, and priority has been assigned to Unit 2 in advance. The SFT analysis can, thus, conservatively evaluate the system by not considering the success margin of events that operate before the components fail. However, that conservatism makes it difficult to implement the actual behavior of the components.

Figure 9. An accident in which the EDGs are unavailable for both Units 1 and 2, but Unit 2 has AAC DG priority.

Dynamic Fault Tree Evaluation
In this study, we used Monte Carlo simulations to quantify the DFT by generating $10^{10}$ sets of random numbers. The DFT algorithms required for the study were verified with the case studies and directly coded. The failure time of each component over time can be calculated using Equation (1), otherwise it can be obtained by Equation (2). The reliability data used in the DFT are the same as those in the SFT, and the mission time ($T_M$) of the system was set as 72 h. Most gates can be easily calculated using the expressions explained in Sections 2.3.2-2.3.4. In the DFT evaluation results, the mean and standard deviation for the probability of the top event were $3.29 \times 10^{-05}$ and $1.152 \times 10^{-05}$, respectively, about one-tenth of the quantification results of the SFT. Each simulation took about 8 h to quantify, and Google Colab was used as a computing resource [27].
The results from quantifying the DFT through the Monte Carlo simulation can be analyzed in the form of cutsets using the failure time of each component. When the cutsets presented in each simulation were analyzed, it was confirmed that most of the accidents derived as cutsets in the SFT were regarded as successes in the DFT. In other words, all the cutsets from the DFT are included in the cutsets from the SFT, but not vice versa. To check how conservatism was omitted from the DFT, we checked the cutsets from the SFT (Table 8) deemed successes in the DFT by examining the success factors of accident mitigation in the EPS identified through the DFT analysis.
Because the cutsets of the SFT do not consider the order of failure or failure time, the SFT determines only whether a component fails, even if the mission time is met. Therefore, the SFT does not reflect the case in which the AAC DG succeeds in recovering power by operating beyond the mission time after the failure of EDG A and B in Unit 1, as shown in Figure 10. Instead, that case is displayed only in the form of the group I in Table 8. explained in Sections 2.3.2 to 2.3.4. In the DFT evaluation results, the mean and standard deviation for the probability of the top event were 3. 29 × 10 and 1.152 × 10 , respectively, about one-tenth of the quantification results of the SFT. Each simulation took about 8 h to quantify, and Google Colab was used as a computing resource [27].
The results from quantifying the DFT through the Monte Carlo simulation can be analyzed in the form of cutsets using the failure time of each component. When the cutsets presented in each simulation were analyzed, it was confirmed that most of the accidents derived as cutsets in the SFT were regarded as successes in the DFT. In other words, all the cutsets from the DFT are included in the cutsets from the SFT, but not vice versa. To check how conservatism was omitted from the DFT, we checked the cutsets from the SFT (Table 8) deemed successes in the DFT by examining the success factors of accident mitigation in the EPS identified through the DFT analysis.
Because the cutsets of the SFT do not consider the order of failure or failure time, the SFT determines only whether a component fails, even if the mission time is met. Therefore, the SFT does not reflect the case in which the AAC DG succeeds in recovering power by operating beyond the mission time after the failure of EDG A and B in Unit 1, as shown in Figure 10. Instead, that case is displayed only in the form of the group Ⅰ in Table 8.  In addition, the results of the SFT are suggested only in the form of the group II in Table 7 because it is impossible to confirm whether the power supply for Unit 2 is successful, even if the power supply failure in Unit 1 is certain. In other words, this cutset indicates that Unit 2 is already using the AAC DG, and it is impossible to analyze the point at which the EDGs of Unit 2 failed based on the mission time. However, even in the case of such a cutset, it becomes possible to monitor whether the power supply to Unit 2 is successful when the failure time can be considered, as shown in Figure 11. If those status monitoring results are used, it is expected that a margin for core damage to each unit can be given according to the circumstances of connecting the AAC DG to Unit 1 after mitigating the accident at Unit 2 or considering the recovery of the failed component. In addition, the results of the SFT are suggested only in the form of the group Ⅱ in Table 7 because it is impossible to confirm whether the power supply for Unit 2 is successful, even if the power supply failure in Unit 1 is certain. In other words, this cutset indicates that Unit 2 is already using the AAC DG, and it is impossible to analyze the point at which the EDGs of Unit 2 failed based on the mission time. However, even in the case of such a cutset, it becomes possible to monitor whether the power supply to Unit 2 is successful when the failure time can be considered, as shown in Figure 11. 
In the DFT, it is possible to prioritize a unit in which two EDGs fail first without specifying the priority to Unit 2 as in the SFT. That means that Unit 1 can use the AAC DG in a dual-unit SBO. In addition, even within a unit, the priority of AAC DG can be given to the train that failed first. Figure 12 shows example cases in which the cutsets containing the components of Unit 2 in the SFT are changed to a successful combination by order of failure and the status of the power supply for Unit 2. These mechanisms show how the results of the DFT can reduce the probability space occupied by the cutsets of the SFT. In addition, the DFT results show that the priority of the shared facilities could be determined by depicting the interactions among components more realistically using dynamic gates.
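The two mechanisms described above (the AAC DG carrying a unit past the end of the mission, and the AAC DG going to whichever unit loses both EDGs first) can be reproduced in a small Monte Carlo sketch. This is an added example, not the paper's model or its modified SPARE gate algorithm. The component names, the 24-hour mission time, the exponential failure times, the failure rate, and the treatment of the AAC DG as a cold spare are all assumptions made for illustration.

```python
import random

MISSION = 24.0  # hours; assumed mission time, not a value from the paper
NAMES = ["U1_EDG_A", "U1_EDG_B", "U2_EDG_A", "U2_EDG_B", "AAC"]  # hypothetical labels

def loss_time(t_a, t_b):
    """Time at which a unit has lost both EDGs, or None if that is after the mission."""
    s = max(t_a, t_b)
    return s if s < MISSION else None

def sft_unit1_sbo(t):
    """Static view: only 'failed within the mission time' counts; Unit 2 has fixed priority."""
    failed = {k: v < MISSION for k, v in t.items()}
    u1 = failed["U1_EDG_A"] and failed["U1_EDG_B"]
    u2 = failed["U2_EDG_A"] and failed["U2_EDG_B"]
    return u1 and (failed["AAC"] or u2)

def dft_unit1_sbo(t):
    """Dynamic view: the AAC DG (cold spare) goes to the unit that loses both EDGs first."""
    s1 = loss_time(t["U1_EDG_A"], t["U1_EDG_B"])
    s2 = loss_time(t["U2_EDG_A"], t["U2_EDG_B"])
    if s1 is None:
        return False                    # Unit 1 EDGs cover the whole mission
    if s2 is not None and s2 < s1:
        return True                     # Unit 2 connected the AAC DG first
    return s1 + t["AAC"] < MISSION      # AAC DG run time counts from its connection

def monte_carlo(n=20000, rate=0.05, seed=1):
    """Estimate Unit 1 SBO probability under both views (constructed failure rate)."""
    rng = random.Random(seed)
    sft = dft = 0
    for _ in range(n):
        t = {k: rng.expovariate(rate) for k in NAMES}
        sft += sft_unit1_sbo(t)
        dft += dft_unit1_sbo(t)
    return sft / n, dft / n

if __name__ == "__main__":
    print("SFT, DFT estimates for Unit 1 SBO:", monte_carlo())
```

Every sample that the dynamic evaluation counts as a Unit 1 SBO is also counted by the static one, but not vice versa, which is the inclusion relation the section reports for the DFT and SFT cutsets.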

Conclusions
Considering the operation time of a particular piece of the system, a combination of failures may have an impact on an entire system. In Korea, this is highlighted in the EPS when performing a multi-unit PSA. DFT allows us to present results that consider the operating or failure time arrangement of the components. Therefore, this study analyzed an EPS in a virtual NPP in a dual-unit LOOP condition to compare the results of SFTs and DFTs. However, since the current dynamic gate algorithm alone is insufficient to reflect the characteristics of the EPS, this work modified the algorithm for a SPARE gate using additional conditional expressions to reflect specific conditions of the spare, and especially to address the connection priority of the AAC DG, a facility shared by two units, during a multi-unit accident, such as a LOOP or SBO accident. The quantification result of the DFT for the top event was 10% of that with the SFT. In addition, dynamic characteristics, such as failure timing and sequence, which cannot be reflected in an SFT, were successfully confirmed by the DFT. In other words, more realistic modeling techniques and results were found by reducing the conservatism of modeling in the SFT. The DFT results implementing a flexible arrangement of components presented in this paper are expected to be used in various situations, as well as for the AAC DG. The DFT analysis used a Monte Carlo simulation that was appropriate for dynamically significant components or problems that have a specific purpose, rather than for entire plant systems and their components because of its modeling issues. It would be possible to propose a strategy for modeling DFTs for a specific component or a part of the system to reflect dynamic characteristics on the SFT. 
As mentioned in the introduction, the scope and applications of risk assessments at NPPs are expanding, so DFTs are expected to become an important way of supplementing the information available from SFTs to support the entire plant framework during PSAs.