A Method to Avoid Underestimated Risks in Seismic SUPSA and MUPSA for Nuclear Power Plants Caused by Partitioning Events

Seismic probabilistic safety assessment (PSA) models for nuclear power plants (NPPs) have many non-rare events whose failure probabilities are proportional to the seismic ground acceleration. It has been widely accepted that minimal cut sets (MCSs) that are calculated from the seismic PSA fault tree should be converted into exact solutions, such as binary decision diagrams (BDDs), and that the accurate seismic core damage frequency (CDF) should be calculated from the exact solutions. If the seismic CDF is calculated directly from seismic MCSs, it is drastically overestimated. Seismic single-unit PSA (SUPSA) models have random failures of alternating operation systems that are combined with seismic failures of components and structures. Similarly, seismic multi-unit PSA (MUPSA) models have failures of NPPs that undergo alternating operations between full power and low power and shutdown (LPSD). Their failures for alternating operations are modeled using fraction or partitioning events in seismic SUPSA and MUPSA fault trees. Since partitioning events for one system are mutually exclusive, their combinations should be excluded in exact solutions. However, it is difficult to eliminate the combinations of mutually exclusive events without modifying PSA tools for generating MCSs from a fault tree and converting MCSs into exact solutions. If the combinations of mutually exclusive events are not deleted, seismic CDF is underestimated. To avoid CDF underestimation in seismic SUPSAs and MUPSAs, this paper introduces a process of converting partitioning events into conditional events, and conditional events are then inserted explicitly inside a fault tree. With this conversion, accurate CDF can be calculated without modifying PSA tools. That is, this process does not require any other special operations or tools. It is strongly recommended that the method in this paper be employed for avoiding CDF underestimation in seismic SUPSAs and MUPSAs.


Multi-Unit Probabilistic Safety Assessments
Probabilistic safety assessments (PSAs) that calculate core damage frequency (CDF) are divided into single-unit PSAs (SUPSAs) and multi-unit PSAs (MUPSAs).
In MUPSA [17], multi-unit core damage frequency (MUCDF), site core damage frequency (SCDF), and single-unit core damage frequency (SUCDF) are defined as accident frequencies in which at least two NPPs, at least one NPP, and only one NPP are in a core damage state following an initiating event, respectively.
Energies 2021, 14, 2150

Alternating Operation Systems
Figure 1 shows a typical alternating operation system with two pump trains. One train is in an operational state, and the other train is in a standby state. Each train periodically switches its operation status between the operational and standby states. NPPs have alternating operation systems, such as the component cooling water system (CCWS), essential service water system (ESWS), essential chilled water system (ECWS), and chemical and volume control system (CVCS).

A Boolean equation for the failures in alternating operation systems can be expressed as Equation (1). The Boolean equation can be a fault tree or minimal cut sets (MCSs) that are calculated from the fault tree. In this paper, the operation fractions of $X_1$ and $X_2$ are defined as partitioning events. If one NPP has $S$ alternating systems and each system has $T$ partitioning events, the Boolean AND combination number of partitioning events in MCSs might be up to $S^T$. The other combinations, such as $X_1 X_2$, are not allowed in MCSs since they are mutually exclusive.
$$\begin{aligned} f(X, B) &= X_1 f_1(B) + X_2 f_2(B) \\ X_1 &= \text{Fraction of train 1 operation} \\ X_2 &= \text{Fraction of train 2 operation} \\ \{f_1(B), f_2(B)\} &= \text{Operation failures during } \{X_1, X_2\} \end{aligned} \tag{1}$$
Seismic SUPSA models have random failures of alternating operation systems that are combined with many seismic failures of components and structures. Furthermore, seismic MUPSA models have failures of NPPs that undergo alternating operations between full power and low power and shutdown (LPSD).
An NPP is in full-power operation for 1 or 2 years and in LPSD operation for 1 or 2 months to replace or reload nuclear fuels. That is, NPPs are a kind of alternating operation system. A Boolean equation to calculate the failures in alternating operation NPPs can be expressed as Equation (2). In this paper, the operation fractions of $X_1$, $X_2$, and $X_3$ are also defined as partitioning events.
$$\begin{aligned} f(X, B) &= X_1 f_1(B) + X_2 f_2(B) + X_3 f_3(B) \\ X_1 &= \text{Fraction of full-power operation} \\ X_2 &= \text{Fraction of LPSD operation with nuclear fuel} \\ X_3 &= \text{Fraction of LPSD operation without nuclear fuel} \\ \{f_1(B), f_2(B), f_3(B)\} &= \text{Operation failures during } \{X_1, X_2, X_3\} \end{aligned} \tag{2}$$
Thus, multiple NPPs in a single nuclear site are considered a group of alternating operation NPPs. Since the Kori nuclear site in Korea has nine NPPs and each LPSD PSA has 15 plant operating states (POSs), there might be $16^9$ combinations of plant-level partitioning events in the MCSs of MUPSA.

Seismic MCS Conversion to Exact Solutions
Probability calculation from MCSs can be categorized as follows:
(1) If the MCS size is small, accurate probability can be calculated by converting MCSs into sum-of-disjoint products (SDPs) [19,20] or applying the inclusion-exclusion principle (IEP) [21] to MCSs.
(2) If the MCS size is huge, accurate probability can be calculated by converting MCSs into a binary decision diagram (BDD) [21]. Here, SDP and BDD have Boolean solutions that have no intersections.
(3) Regardless of MCS size, min-cut-upper-bound (MCUB) is popularly calculated from MCSs as an approximate probability.
Seismic SUPSA and MUPSA models have many non-rare events and complemented events. It is well known that CDFs are drastically overestimated if CDFs are directly calculated from MCSs without converting MCSs into exact solutions, such as BDDs [21], and calculating CDFs from the exact solutions. That is, MCSs for seismic SUPSA and MUPSA should be converted into exact solutions, and seismic CDFs should be calculated from the exact solutions for best-estimate risk calculation. Thus, to calculate accurate seismic CDFs (SUCDF, MUCDF, and SCDF), (1) MCSs are calculated from the fault tree, (2) MCSs are converted to a BDD, and (3) accurate CDFs are calculated from the BDD by a dedicated tool [21]. Instead of MCS conversion to exact solutions, the probability $p(f(X, B))$ in Equations (1) and (2) can be calculated by applying the inclusion-exclusion equation (see Equation (5)) [19] to MCSs if the MCS is small.
The author of this paper developed the Advanced Cutset Upper Bound Estimator (ACUBE) tool [21] for the US Electric Power Research Institute (EPRI), which converts MCSs into a BDD and calculates the probability from the BDD. It has been actively used as a quantification standard for seismic PSA in the United States.
Efficient BDD algorithms [22][23][24] were developed to convert a fault tree or MCSs into a BDD that has Boolean solutions in the form of nested Shannon decomposition [25]. A great effort was made to develop practical BDD algorithms [26,27] that can solve huge fault trees in PSA.
Probability calculations with simple MCSs are illustrated in Table 1. Most PSA tools calculate probabilities in Case 1. If X and Y are partitioning events, these events satisfy the relations of /X = Y, /Y = X, XY = 0, and X + Y = 1. According to these relations, SDP and BDD probabilities should be p(B) as in Case 2. In this way, partitioning event combinations should be deleted during the probability calculation. However, the deletion of partitioning event combinations is impossible without modifying PSA tools.

Objectives of This Study
Seismic SUPSA models have random failures of alternating operation systems that are combined with many non-rare seismic failures. Furthermore, seismic MUPSA models have failures of NPPs that undergo alternating operations between full power and LPSD.
If combinations of mutually exclusive partitioning events are not eliminated in exact solutions, such as a BDD of MCSs, CDFs can be drastically underestimated (see . It is impossible to eliminate intersections of mutually exclusive events without modifying tools for generating MCSs from fault trees and converting MCSs into exact solutions. This CDF underestimation is prohibited for regulatory purposes. For this reason, it is necessary to develop a new fault tree modeling method to avoid CDF underestimation and accurately calculate CDFs.
This paper is the first to report on this CDF underestimation problem caused by partitioning events, and subsequently, this work proposes a simple solution to avoid CDF underestimation that converts partitioning events into conditional events in fault trees.

Exclusive Modeling of One Group of Partitioning Events
If a system has n trains that are alternatively operated one by one or an NPP undergoes n full-power and LPSD operations periodically, a Boolean equation to calculate system failure can be expressed as Equation (3).
where $X$ has $n$ partitioning events and $f_i(B)$ can be a complex Boolean equation that consists of random failure events $B$. The fault tree in Equation (3) is a typical case. Usual fault trees can have Boolean AND combinations of $X_i$'s, and these Boolean AND combinations should be deleted in MCSs since they are mutually exclusive. The partitioning events are mutually exclusive events that satisfy the following equations in Equation (4). They can be depicted by the Venn diagram in Figure 2 that has no intersections of mutually exclusive partitioning events.
Here, 0 and 1 denote empty and union sets, respectively. If members of $X$ are not mutually exclusive, $p(f(X, B))$ can be calculated by the inclusion-exclusion equation [19] in Equation (5).
However, since $X_1, X_2, \ldots$ are mutually exclusive events, Equation (5) should be
The probability in Equation (5) is much smaller than that in Equation (6). That is, if Boolean AND combinations of mutually exclusive partitioning events in a single group are not eliminated in the inclusion-exclusion equation or in the exact solutions, such as a BDD, the system failure probability or CDF would be underestimated. However, it is impossible to eliminate mutually exclusive event combinations without modifying calculation tools. Therefore, there is a great need to explicitly model the partitioning events in fault trees instead of revising such tools. This is an objective of this paper.
To accomplish this objective, partitioning events are expressed as shown in Equation (7). They can be confirmed by reflecting the terms on the right-hand side in Equation (7) into the Venn diagram in Figure 2.
$$X_2 = /X_1 X_2, \quad X_3 = /X_1 /X_2 X_3, \quad \ldots, \quad X_n = /X_1 /X_2 \cdots /X_{n-1} X_n \tag{7}$$
Then, probabilities of conditional events can be easily derived from the Venn diagram in Figure 2.
$$p(X^c_1) = p(X_1)$$
Using the conditional events in Equations (10) and (11), partitioning events and their probabilities can be expressed as in Equations (12) and (13).
Finally, $f(X, B)$ in Equation (3) can be converted to Equation (14). Please note that the terms on the right-hand side in Equation (14) are explicitly mutually exclusive since $X^c_i \, /X^c_i = 0$.
When converting MCSs of $f(X, B)$ into exact solutions, any combination of the terms on the right-hand side in Equation (14) becomes an empty set since $X^c_i \, /X^c_i = 0$. This is a strength of the method proposed in this paper.
$$f(X, B) = X^c_1 f_1(B) + /X^c_1 X^c_2 f_2(B) + \cdots + /X^c_1 /X^c_2 \cdots /X^c_{n-1} X^c_n f_n(B) \tag{14}$$
The Boolean equations in Equations (3) and (14) are identical. It should be noted that the partitioning events in Equation (3) can be modeled in the fault tree using conditional events as in Equation (14). If a fault tree has Boolean AND combinations of partitioning events and they are converted into conditional events, the MCS generation tool from the fault tree automatically deletes these AND combinations (e.g., $X_2 X_3 = (/X^c_1 X^c_2)(/X^c_1 /X^c_2 X^c_3) = 0$). Furthermore, the MCS conversion tool to exact solutions automatically deletes similar combinations of conditional events. With this modeling, the underestimation of CDF can be avoided.

Exclusive Modeling of Multiple Group Partitioning Events
A system or NPP can have multiple groups of partitioning events as in Equation (15). Here, X, Y, and Z are the first, second, and third groups of partitioning events, respectively. B has regular basic events.
The partitioning events satisfy the following equations. This can be shown by using the Venn diagram in Figure 2.
Similarly to the conversion in Section 3, all terms on the right-hand side in Equation (15) can be exclusively converted to Equation (17). Please note that the terms on the right-hand side in Equation (17)

Application to a Simple System
The new method was applied to the simple Boolean equation in Equation (18). Probabilities of partitioning events and regular basic events are shown in Equation (19).
$$f(X, B) = X_1 B_1 + X_2 B_2 + X_3 B_3 \tag{18}$$
$p(X_1) = 0.5$, p(
The probability of a Boolean equation $f(X, B)$ in Equation (18) can be calculated by the inclusion-exclusion equation [19] as in Equation (20). To avoid the underestimated $p(f(X, B))$ in Equation (20), the fourth to seventh terms on the right-hand side in Equation (20) should be deleted since they have partitioning event combinations. If an NPP has many alternating operation systems, the fault tree for this NPP would have multiple group partitioning events. In this case, it is difficult to find and delete complex combinations of partitioning events. Furthermore, there is no dedicated tool to delete these complex combinations of partitioning events.
where the conditional events are defined as
and their probabilities are
The accurate probability of $f(X, B)$ can be calculated by Equation (24) without employing any other techniques or dedicated PSA tools. This is a great strength of the method proposed in this paper.
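The underestimation described in this section can be reproduced numerically. The following is an added example, not code from the paper: it evaluates Equation (18) exactly by state enumeration, once with $X_1, X_2, X_3$ left as independent basic events and once after the conversion to conditional events. Only $p(X_1) = 0.5$ comes from the page; the other probabilities are constructed, and the closed form used for the conditional-event probabilities is an assumption derived from the Venn-diagram argument, not the paper's own equation.

```python
from fractions import Fraction as F
from itertools import product


def exact_probability(terms, probs):
    """Exact P(OR of AND-terms) with every named event treated as independent.

    This is what an exact-solution step (BDD, SDP) computes when it is not told
    that some events are mutually exclusive. A literal is (name, True) for the
    event and (name, False) for its complement (written /X on the page).
    """
    names = sorted(probs)
    total = F(0)
    for state in product((False, True), repeat=len(names)):
        world = dict(zip(names, state))
        if any(all(world[n] == want for n, want in term) for term in terms):
            weight = F(1)
            for n in names:
                weight *= probs[n] if world[n] else 1 - probs[n]
            total += weight
    return total


def conditional_probs(p_x):
    """Assumed closed form: q_i = p(X_i) / (1 - p(X_1) - ... - p(X_{i-1}))."""
    q, remaining = [], F(1)
    for p in p_x:
        q.append(p / remaining)
        remaining -= p
    return q


# Constructed inputs; only p(X1) = 0.5 appears on the page.
P_X = [F(1, 2), F(3, 10), F(1, 5)]  # partitioning events, must sum to 1
P_B = [F(2, 5), F(1, 2), F(3, 5)]   # non-rare failure events B1..B3
B_PROBS = {f"B{i}": p for i, p in enumerate(P_B, start=1)}


def naive():
    """Equation (18) with X1..X3 wrongly left as independent basic events."""
    probs = {**{f"X{i}": p for i, p in enumerate(P_X, start=1)}, **B_PROBS}
    terms = [[(f"X{i}", True), (f"B{i}", True)] for i in (1, 2, 3)]
    return exact_probability(terms, probs)


def with_conditional_events():
    """Same equation after replacing X_i by /Xc_1 ... /Xc_(i-1) Xc_i."""
    q = conditional_probs(P_X)
    probs = {**{f"Xc{i}": p for i, p in enumerate(q, start=1)}, **B_PROBS}
    terms = [[(f"Xc{j}", False) for j in range(1, i)]
             + [(f"Xc{i}", True), (f"B{i}", True)] for i in (1, 2, 3)]
    return exact_probability(terms, probs)


def reference():
    """Value when exclusivity is respected: sum of p(X_i) * p(B_i)."""
    return sum(x * b for x, b in zip(P_X, P_B))


if __name__ == "__main__":
    print("independent X (underestimate):", float(naive()))
    print("conditional events:           ", float(with_conditional_events()))
    print("reference:                    ", float(reference()))
```

With these constructed inputs the unconverted model gives 0.4016, while the converted model matches the reference value of 0.47 using the same independence-based evaluator.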

Application to Simple NPPs
If one NPP U1 or U2 has three operating states (FP, LPSD with nuclear fuel, and LPSD without nuclear fuel), Boolean equations for MUCDF and SCDF can be expressed as in Equation (25), and their fault trees are depicted in Figure 3. Here, %I is a seismic initiating event that has a frequency unit. Since no nuclear fuel is loaded in NPPs during the operation period of $X_3$ or $Y_3$, core damage is impossible. Therefore, $f_3(B)$ and $g_3(B)$ are empty sets.
where
To avoid MUCDF underestimation, Equation (25) can be converted into Equation (27) by replacing partitioning events of $X_1$, $X_2$, $Y_1$, and $Y_2$ with conditional events of $X^c_1$, $/X^c_1 X^c_2$, $Y^c_1$, and $/Y^c_1 Y^c_2$, respectively. That is, the fault tree in Figure 3 can be converted to the fault tree in Figure 4.
After generating MCSs from the original fault tree in Figure 3 and converting each MCS to a BDD, the underestimated MUCDF is calculated from the BDD in Figure 5. On the other hand, if a similar process is applied to the revised fault tree in Figure 4, the BDD in Figure 6 is created. During this process, the combinations of mutually exclusive partitioning events are automatically deleted since $X^c_i \, /X^c_i = Y^c_j \, /Y^c_j = 0$.
MCSs are calculated from the MUCDF and SCDF fault trees in Figures 3 and 4, MCSs are converted into a BDD, and then MUCDF and SCDF are calculated from the BDD. The underestimated and accurate CDFs are compared in Table 2. If partitioning events are ignored, both MUCDF and SCDF are underestimated in all calculations, and SCDF is much more underestimated than MUCDF.

Conclusions
There are several systems undergoing alternating operations in NPPs, and each NPP alternates between full power and LPSD. Therefore, complex Boolean AND combinations of mutually exclusive partitioning events should be eliminated when generating MCSs from a fault tree and converting MCSs into exact solutions.
For the correct probability calculation of a fault tree that has partitioning events, a proper modeling method of these events was proposed in Section 3, and the strength and simplicity of this modeling method were demonstrated by the applications in Sections 4 and 5. If MCSs for seismic SUPSA and MUPSA are generated and converted into exact solutions without deleting combinations of mutually exclusive partitioning events, final CDFs (SUCDF, MUCDF, and SCDF) can be underestimated. Unfortunately, it is impossible to eliminate mutually exclusive event combinations without modifying PSA tools for generating MCSs from a fault tree and converting MCSs into a BDD.
Therefore, there is a great need to explicitly model the partitioning events in fault trees instead of revising PSA tools. This paper is the first to report on this problem and provide a solution to avoid CDF underestimation. If the partitioning events are modeled with conditional events in the seismic SUPSA and MUPSA fault trees with the method in this paper, accurate CDF calculation is possible using the existing PSA tools. This is the strength of the proposed method. The use of the method in this paper is strongly recommended for avoiding CDF underestimation in seismic SUPSA and MUPSA.
The failures of alternating operation systems are frequently modeled in internal, flooding, and fire event SUPSAs. Therefore, for calculating accurate CDF, it is also recommended that the modeling method of partitioning events in this paper be applied to any SUPSAs where the failures of alternating operation systems are modeled.