Dynamic Reliability Evaluation of Diesel Generator System of One Chinese 1000MWe NPP Considering Temporal Failure Effects

Loss of power supply from the diesel generator system (DGS) after a loss of offsite power (LOOP) poses a great threat to the safety of GEN-II pressurized water reactors (PWRs). It is therefore very desirable to evaluate the reliability of the DGS. The traditional analysis tools, such as the reliability block diagram (RBD) and the static fault tree (SFT), are limited to static approaches that neglect dynamic, sequence-dependent failure behaviors. Static reliability modeling techniques cannot capture the sequence-dependent failure behaviors that typically exist in NPP safety systems such as the DGS, and thus often overestimate the unreliability of such systems. In this paper, motivated by the study of sequence-dependent failure effects, a dynamic fault tree (DFT) is applied to evaluate the reliability of the DGS of one Chinese 1000MWe nuclear power plant (NPP), and an integrated two-phased Markov Chain model is developed, which is a contribution of this article. A comparative study of DGS reliability between the DFT and the SFT is carried out. The results indicate that, compared with the result derived from the DFT model, the unreliability of the DGS calculated by the SFT is overestimated by about one to two orders of magnitude. DFT therefore has the potential to improve the economy of an NPP by relaxing the overestimated unreliability of nuclear power systems.


INTRODUCTION
In an NPP, the functions of most active systems and equipment depend on an uninterrupted power supply (UPS). These active systems and equipment are very important to the safety of GEN-II pressurized water reactors (PWRs). To ensure the safety of the power supply, NPP utilities often take multiple and different power sources. In normal conditions, the power supply of the NPP is provided by the offsite power grid (OPG) through the primary power transmission system. When the OPG or the primary power transmission system fails, the NPP disconnects from the OPG and switches to its own electric generators (i.e., enters the island operation state). If island operation is lost as well, the NPP is then powered by the auxiliary power supply (APS). Worse still, if the APS is also lost, the NPP loses its alternating current (AC) power supply [i.e., loss of offsite power (LOOP)]. When the LOOP event happens, the NPP can only seek power from the emergency diesel generator system. The demand order of the power supply of one Chinese 1000MWe PWR is depicted in Figure 1.
Station blackout (SBO) is well recognized as a severe accident (U.S. NRC, 1998). Once it happens, the safety of the NPP is greatly challenged. As observed in Figure 1, once offsite power is lost, the emergency diesel generator system becomes the last candidate. The active safety systems that rely on the power supply are expected to operate successfully and bring the NPP into a safe state after a LOOP accident. It is therefore very important to carry out an effective reliability evaluation of the DGS after LOOP. Up to now, the reliability evaluation of the DGS of an NPP has attracted much attention. For example, Abdul-Nour et al. (2002) studied maintenance policies for emergency diesel generators (EDGs) based on probabilistic safety assessment (PSA) and reliability analysis. Lim et al. (2007) carried out a quantitative assessment of the risk effect taking into account the starting time extension of the EDG. Li (2012) made a dynamic analysis of the DGS after LOOP. Choi et al. (2010) evaluated the risk contribution of the EDG under a modified surveillance test interval (STI). Zubair and Zhijian (2011, 2013) presented methods for updating the reliability data of EDGs. Kančev et al. (2014a, 2014b) extracted failure events of EDGs from existing operating records and performed statistical analysis on the collected data. The researchers mentioned above applied traditional static modeling techniques to analyze the reliability of the DGS [e.g., reliability block diagram (RBD) (Figiel and Sule, 1990), SFT, event tree (ET), and GO-FLOW (Yi et al., 2018)] and did not take into account the influence of temporal failure behaviors. In fact, the failure behaviors of the DGS are partly sequence-dependent and need to be considered.
To extend the modeling capability of SFTs so that temporal failure behaviors of systems can be captured, DFTs were proposed by Professor Dugan JB (Dugan et al., 1992) by integrating several dynamic logic gates into static fault trees (Manian et al., 1998). Compared with traditional SFTs, DFTs can model temporal failure behaviors such as priority-AND failure, sequence enforcing failure, spare failure and functional dependency failure, and thereby provide more accurate evaluation results. To date, DFTs are extensively used for reliability assessment and risk management of industrial systems with temporal failure behaviors (Ren and Dugan, 1998; Durga Rao et al., 2009).
The motivation of this paper is to make a more accurate evaluation of the reliability of the DGS in one Chinese 1000MWe PWR NPP and to find out whether it is beneficial to apply DFT methods to the analysis of NPP systems in the future. The DGS of one Chinese 1000MWe PWR can be viewed as a two-phased mission system. In phase one, the DGS is a non-repairable system because of the limited arrangement time, and in phase two the DGS is a repairable system because time permits repair. For the reliability evaluation of phased-mission systems (PMS), several analytical methods have been developed, such as phased-mission system binary decision diagrams (PMS BDD) (Xing and Dugan, 2002; Xing, 2007; Li et al., 2018; Zhai et al., 2018) and Markov Chain methods (Dugan, 1991; Dugan et al., 1993). Traditional PMS BDDs are only applicable to PMS without sequential failure behaviors, and Markov Chain methods are typically applied to static PMS as well. For the DGS of one Chinese 1000MWe PWR, the features of its failure behaviors are: 1) it has sequential failure behaviors; 2) the reparability of components differs between phases, that is, a component is non-repairable in one phase and becomes repairable in the other. To deal with this new situation and perform the reliability analysis of the DGS, in this contribution DFTs are adopted to model the DGS graphically, and then an integrated two-phased Markov Chain model and the corresponding computing algorithm are developed based on the sequential failure scenarios derived from the built DFT; these are the contributions of this work.
The rest of this article is structured as follows: a description of the concerned DGS is provided in Section 2. The DFT methodology is presented in Section 3. The reliability models built by DFT and SFT are shown in Section 4. The proposed integrated two-phased Markov Chain method for the DGS with dynamic configuration is offered in Section 5. In Section 6, the reliability analysis of the two-phased DGS is carried out. The results and discussion are presented in Section 7. Finally, the conclusions and future work are given in Section 8.

Figure 2 is the coarse structure scheme of the overall power supply system of one Chinese 1000MWe NPP (GEN-II PWR). The power supply system aims to keep the permanent buses (LGB and LGC) continuously at 6.6 kV, which feed electric power to the safety-related equipment, such as the safety injection pumps and the residual heat removal pumps. This equipment contributes much to the safety of the whole NPP. In normal conditions, all the auxiliary equipment is powered by the primary generator (Number 1 in Figure 2) through the 26 kV bus. When the primary generator is in a down state, the 26 kV bus is transferred to the 440 kV outer power grid (Number 2) through the main transformer. If the outer power grid is lost as well, the auxiliary equipment is fed by the auxiliary power supply (APS), indicated by Number 3. If the APS also fails, the permanent bus is out of power, which means the occurrence of LOOP. At that moment, the emergency buses (1LHA and 1LHB), fed by the EDGs denoted by Number 4, continue to provide the power supply. If the EDGs fail as well (i.e., both 1LHA and 1LHB are out of power), the SBO event happens. In one Chinese 1000MWe NPP, to strengthen the safety of the EDGs, a fifth EDG (Number 5) is introduced. The fifth EDG continues to provide emergency power through a dedicated electricity cabinet with extremely low failure probability when all four other EDGs fail.

Diesel Generator System
The DGS mainly comprises five diesel generators: four regular diesel generators and the fifth diesel generator. The four regular diesel generators are configured as two trains, each composed of two diesel generators. The fifth diesel generator serves as the last spare; it starts if and only if both trains are lost. The DGS function succeeds if at least one train operates successfully.

Basic Assumptions
The basic assumptions taken in our contribution are listed as follows:
• The four regular emergency diesel generators are supposed to start successfully when needed, that is, demand failure is neglected.
• The mission time of the DGS is chosen as 24 hours.
• In [0, 3] hours, the DGS is assumed to be non-repairable because of the limited arrangement time, and in (3, 24] hours the DGS is allowed to take repair actions. Hence the DGS mission can be divided into two stages: a non-repairable stage (0 ≤ t ≤ 3 hours) and a repairable stage (3 hours < t ≤ 24 hours).
• Once a piece of equipment fails, the maintenance action is carried out immediately and the equipment is perfectly recovered.

System Temporal Failure Behaviors
Since the success of any diesel generator train can ensure the power supply of the NPP, the diesel generator trains are always activated one by one in a pre-defined order. In one Chinese NPP, train A (i.e., emergency generator set 1), composed of diesel generators B and C, is started first when the LOOP event occurs. At the same time, the other train, train B, is kept in an unpowered cold standby state. Train A always depends on the success of cable A [i.e., the emergency safety bus (1LHA)]. Hence train A can fail through its own random failure or through the failure of the trigger event cable A. Train B, containing diesel generators E and F, never starts unless train A fails. Similarly, train B always depends on the success of cable D (1LHB). The fifth diesel generator is the last power source and is not activated until both trains A and B have failed. Therefore, the SBO event occurs when the fifth diesel generator loses its function. Obviously, for the diesel generators of the DGS, the unique failure sequence is: train A fails first, then train B, and finally the fifth diesel generator. These dynamic sequential failure behaviors cannot be captured by traditional static fault tree modeling techniques. In this paper, we use a DFT model to characterize such temporal failure mechanisms, as detailed in Section 4.

Dynamic Fault Tree
The DFT model was first developed by Professor Dugan JB and is used to characterize dynamic sequential failure behaviors by integrating several dynamic logic gates, such as the priority-AND (PAND) gate, the functional dependency (FDEP) gate, the sequence enforcing (SEQ) gate, and the spare gates, including the cold spare (CSP) gate and the warm spare (WSP) gate. The graphic symbols of these dynamic gates with two input events are shown in Figure 3. The failure behaviors that the dynamic logic gates characterize are stated as follows (Ge et al., 2015a; Xu et al., 2021).

The PAND gate is a typical dynamic gate used to check a certain occurrence sequence of basic events. The input events under a PAND gate can occur in any order, but only the specific order (i.e., left to right) fires the PAND gate. In this article, the symbol "→" represents precedence failure of basic events (i.e., the left input event fails before the right one). Hence, the failure logic expression of the PAND gate shown in Figure 3A can be written as $\mathrm{PAND}(e_1, e_2) = e_1 \rightarrow e_2$, where $e_1 \rightarrow e_2$ is a cut sequence expression.

The FDEP gate characterizes a scenario in which the occurrence of a trigger event leads to the failure of all dependent events, whereas the occurrence of the dependent events has no effect on the trigger event. Take the dependent event $e_1$ in Figure 3B as an example: it can fail through its own random failure or through the occurrence of the trigger event $T$. The failure logic of the dependent event $e_1$ under an FDEP gate can be expressed as $\mathrm{FDEP}(T, e_1) = T + e_1$. Hence, an FDEP gate can be equivalently converted into a static OR gate.

The SEQ gate is a special dynamic gate describing a situation in which the right event is never activated unless the left event fails; that is, all the input events are forced to occur in a specific left-to-right order. Unlike the failure sequences of input events under a PAND gate, the occurrence order under a SEQ gate is unique. In this paper, we extend the meaning of the SEQ gate and allow the input events under the SEQ gate to be either basic events or gate events. Hence, the failure logic of the SEQ gate in Figure 3C can be represented as $\mathrm{SEQ}(e_1, e_2) = e_1 \rightarrow {}^{0}_{e_1}e_2$, where ${}^{0}_{e_1}e_2$ indicates that $e_2$ is not enabled until $e_1$ has already occurred.

The CSP gate captures the failure behavior of redundant systems in which cold spares are kept in an unpowered standby state while the primary component is normal; that is, the cold spares never fail while the primary component is working. The input events under a CSP gate also fail in a specific left-to-right sequence, and this failure order is unique. Compared with the SEQ gate, the only difference is that the input events under a CSP gate are limited to basic events. Hence, for the CSP gate in Figure 3D, the failure logic expression can also be written as $\mathrm{CSP}(e_1, e_2) = e_1 \rightarrow {}^{0}_{e_1}e_2$.

Although cold redundant systems are often energy saving, the recovery time of a cold spare is rather long. To shorten the recovery time, systems often adopt warm spares, which work at reduced power while the primary component is normal and start to work at full power when the primary component fails. Warm spares can fail either in the warm standby state or in the working state. Hence, the failure logic of the WSP gate in Figure 3E can be expressed as $\mathrm{WSP}(e_1, e_2) = {}^{\alpha}_{e_1}e_2 \rightarrow e_1 + e_1 \rightarrow {}^{1}_{e_1}e_2$, where $\alpha$ ($0 < \alpha < 1$) is the dormancy factor of the spare $e_2$ in the standby state, ${}^{\alpha}_{e_1}e_2$ represents the spare $e_2$ failing before $e_1$ while in the warm standby state, and ${}^{1}_{e_1}e_2$ denotes the spare $e_2$ failing after $e_1$ while in the working state. A hot spare gate, as shown in Figure 3F, is equal to a static AND gate.

Quantitative Analyzing Techniques
The commonly used techniques for quantitatively analyzing DFTs are combinatorial methods and state space-based Markov Chain methods. Combinatorial approaches usually rely on the inclusion-exclusion principle (IEP) (Liu et al., 2007; Merle et al., 2014) or on sums of disjoint products (SDP) (Ge et al., 2015b; Ge et al., 2015c). In contrast with IEP, SDP methods show great merit in solving non-repairable DFTs with high computational efficiency. For repairable DFTs, the feasible analysis tools are state space-based Markov Chain methods.

SDP-Based Combinatorial Methods
In SDP-based methods, a DFT needs to be converted into sum of disjoint products (SDP) form by applying the adapted Shannon decomposition theorem or improved connecting rules. The resultant SDP model is referred to as a sequential binary decision diagram (SBDD). In an SBDD, all paths from the root node to the terminal nodes (1-terminals and 0-terminals) are mutually disjoint, where the 1-terminal means failure of the system and the 0-terminal means success of the system. Each path from the root node to a 1-terminal node is a failure path (1-path) representing one failure scenario of the system. Suppose that an SBDD model contains $m$ 1-paths $p_i$ ($i = 1, 2, \dots, m$); since the paths are mutually disjoint, the unreliability of the system is the sum of their probabilities:
$$UR_{sys}(t) = \sum_{i=1}^{m} \Pr\{p_i(t)\} \qquad (1)$$
where $UR_{sys}(t)$ represents the unreliability of the considered system. It should be noted that, unlike in traditional static BDDs, each disjoint path in an SBDD must be solved as a whole because of dependent nodes. In addition, quantifying and negating a cut sequence is also an indispensable task. Interested readers are referred to Ge et al. (2015d) and Ge and Yang (2016) for more details.

Basic State Space-Based Markov Chain Method
In this contribution, the basic state space-based Markov Chain method refers to a discrete-state, continuous-time, homogeneous Markov process approach. For this method, the transition probability from system state $i$ to $j$ ($i \neq j$) depends only on the states $i$, $j$ and the transition time interval. Suppose that a system has $N$ states, and define a row vector $P(t) = [p_1(t), p_2(t), \dots, p_N(t)]$ that represents the system state probability, where $p_i(t)$ is the probability that the system is in state $i$ at time $t$. Let $Q$ be the transition rate matrix of the system,
$$Q = [a_{ij}]_{N \times N} \qquad (2)$$
where $a_{ij}$ ($i \neq j$) determines the probability $a_{ij}\,dt$ that the system transits from state $i$ to $j$ in the time interval $[t, t + dt]$. For $i = j$, the diagonal element is
$$a_{ii} = -\sum_{j \neq i} a_{ij} \qquad (3)$$
From Eqs. 2 and 3, the Chapman-Kolmogorov (C-K) differential equation is
$$\frac{dP(t)}{dt} = P(t)\,Q \qquad (4)$$
where the left side of Eq. 4 is the derivative of $P(t)$. The C-K differential equation can be solved numerically by the trapezoid formula (Hosea and Shampine, 1996), the Jensen method (Jensen, 1953), and other numerical integration methods.
For illustration purposes, Figure 4 shows a Markov chain diagram for a simple system with only one component. State one

Dynamic Fault Tree Model
According to the temporal failure behaviors of the DGS described in Section 2, the DFT model of the DGS is built as shown in Figure 5. As observed in Figure 5, in 0 ∼ 3 h the DFT model does not consider the reparability of the DGS components, whereas in 3 ∼ 24 h the reparability of the components is taken into account in the reliability analysis (Figure 5). The failure order of the DGS is that emergency generator set 1 (train A) fails first, then emergency generator set 2 (train B) starts and fails, and finally the fifth emergency diesel generator fails. Accordingly, we use the sequence enforcing (SEQ) logic gate to characterize this temporal failure behavior. Besides, we use functional dependency (FDEP) logic gates to model the dependencies between the emergency safety buses and the diesel generators. It should be noted that we assume the emergency generator buses cannot fail before they start to transmit electric power.
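To make the gate semantics of Section 3 and the failure order of the Figure 5 model concrete, the following is an added worked example, not code from the paper. Each event is represented by its failure time (math.inf means it does not fail within the mission), each gate function returns the time at which its output fires, and a Monte Carlo run compares the SEQ/CSP chain (train A, then train B, then the fifth EDG, each train FDEP on its bus) with the static AND view of the same sources. The source names A, B and G, the bus keys and all rates are assumptions of the example, not the paper's Table 1 data.

```python
"""Failure-time semantics of the dynamic gates (added worked example, not code
from the paper). An event is represented by the time at which it fails;
math.inf stands for 'does not fail within the mission'. Each gate function
returns the time at which the gate output fires."""
import math
import random

INF = math.inf


def pand(t1, t2):
    """PAND(e1, e2) = e1 -> e2: fires at t2 only if e1 failed strictly before e2."""
    return t2 if t1 < t2 < INF else INF


def fdep(trigger, own):
    """FDEP(T, e): the dependent event fails at its own time or when the trigger
    fires, whichever comes first (an OR on failure times)."""
    return min(trigger, own)


def seq_cold(primary, spare_lifetime):
    """SEQ / CSP(e1, e2): the spare is unpowered until e1 fails, then runs out
    its own lifetime; the gate fires when the spare fails."""
    return INF if primary == INF else primary + spare_lifetime


def wsp(primary, dormant_lifetime, active_lifetime):
    """WSP(e1, e2) = (alpha)e2 -> e1 + e1 -> (1)e2: the spare may die in standby
    before the primary (the gate then fires with the primary) or take over and
    run out its active lifetime."""
    if dormant_lifetime < primary:
        return primary
    return INF if primary == INF else primary + active_lifetime


def dgs_failure_time(life, bus):
    """DFT of the DGS: SEQ(train A, train B, EDG5) with each train FDEP on its
    bus. A bus cannot fail before its train is powered, so the bus lifetime
    counts from the moment the train starts."""
    a = fdep(bus["A"], life["A"])                     # train A or bus 1LHA
    b = seq_cold(a, fdep(bus["B"], life["B"]))        # train B or bus 1LHB, after A
    return seq_cold(b, life["G"])                     # fifth EDG, after B


def static_failure_time(life, bus):
    """SFT view of the same system: an AND over the three power sources with all
    of them treated as powered (hot) from t = 0, so any failure order counts."""
    return max(fdep(bus["A"], life["A"]), fdep(bus["B"], life["B"]), life["G"])


def monte_carlo_unreliability(rates, bus_rates, mission, n, seed=1):
    """Estimate P(system failed by `mission`) for the DFT and SFT models from
    the same sampled exponential lifetimes. Sampling the spare's active lifetime
    independently is exact for exponential lifetimes (memorylessness)."""
    rng = random.Random(seed)
    dyn = stat = 0
    for _ in range(n):
        life = {k: rng.expovariate(r) for k, r in rates.items()}
        bus = {k: rng.expovariate(r) for k, r in bus_rates.items()}
        dyn += dgs_failure_time(life, bus) <= mission
        stat += static_failure_time(life, bus) <= mission
    return dyn / n, stat / n


if __name__ == "__main__":
    # hypothetical rates (per hour); bus failures made negligible to isolate the gate effect
    d, s = monte_carlo_unreliability({"A": 1.0, "B": 1.0, "G": 1.0},
                                     {"A": 1e-9, "B": 1e-9}, 1.0, 40000)
    print(f"DFT (SEQ/CSP): {d:.4f}   SFT (AND): {s:.4f}   overestimate x{s / d:.1f}")
```

With equal rates and negligible bus failures the cold chain is an Erlang-3 time to failure, so the DFT estimate should sit near 1 - e^{-1}(1 + 1 + 1/2) ≈ 0.080 at one mean lifetime, whereas the hot AND gives (1 - e^{-1})^3 ≈ 0.253: the static view counts every failure order, the sequence model only one.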

Static Fault Tree Model
Compared with a DFT, static fault trees (SFTs) integrate only static logic gates (OR, AND and K/M voting gates) and cannot characterize temporal failure behaviors. SFTs express logically which combinations of basic events can cause a system failure. The SFT of the considered DGS is modeled as shown in Figure 6. In 0 ∼ 3 h the DGS is considered non-repairable, and in 3 ∼ 24 h the DGS is considered repairable. The DGS modeled by the SFT can be efficiently solved using traditional BDD analysis techniques and tools (Rauzy, 1993; Sinnamon and Andrews, 1997).

THE PROPOSED INTEGRATED TWO-PHASED MARKOV CHAIN METHOD
To perform the reliability evaluation of the DGS modeled by the DFT shown in Figure 5, an integrated two-phased Markov Chain method is proposed in this section. Firstly, a Markov Chain model including all the DGS components is built. The transition process of the Markov Chain must obey the temporal failure behaviors defined by the corresponding DFT; in other words, the fifth EDG cannot fail before emergency generator set 2, and emergency generator set 2 cannot fail before emergency generator set 1. Besides, the failure states of the Markov Chain model of the DGS must be defined. The failure states depend not only on the combination of failed components but also on their failure sequence, and they are defined by the cut sequences derived from the built DFT. Secondly, a computing algorithm for the Markov model of the DGS is developed. A traditional Markov Chain model is calculated from the C-K equation. In this contribution, however, the reparability of the components differs between the two phases, so the transition matrices of the system states differ as well. In the first phase the components are non-repairable, and hence the repair rates are zero. In the second phase the components become repairable, and their repair rates are set accordingly. Besides, the initial state probability vectors of the two phases differ. In the first phase (0 ≤ t ≤ T′ h), the initial state probability vector is set as P(0) = [1, 0, ..., 0], assuming all components are perfectly good. In the second phase (T′ h < t ≤ T″ h), the initial state probability vector is set equal to P(T′), the state probability vector of the system in the first phase evaluated at t = T′ h.
For the integrated two-phased Markov Chain method, the C-K equations for the non-repairable and repairable stages are expressed by Eqs. 7 and 8, respectively:
$$\frac{dP(t)}{dt} = P(t)\,Q, \quad 0 \le t \le T' \qquad (7)$$
$$\frac{dP(t')}{dt'} = P(t')\,Q', \quad T' < t' \le T'' \qquad (8)$$
where $P(t)$ is the system state probability vector in the first phase, $P(t')$ is the system state probability vector in the second phase, $Q$ is the system transition matrix at the non-repairable stage, in which the components' repair rates are zero, and $Q'$ is the system transition matrix at the repairable stage.
Given that the system transition matrices $Q$ and $Q'$ are known, the state probability vectors $P(t)$ and $P(t')$ can be calculated as follows:
$$P(t) = P(0)\,e^{Qt}, \quad 0 \le t \le T' \qquad (9)$$
$$P(t') = P(T')\,e^{Q'(t' - T')}, \quad T' < t' \le T'' \qquad (10)$$
with $P(0) = [1, 0, \dots, 0]$ and $P(T')$ taken from Eq. 9 at $t = T'$.

RELIABILITY ANALYSIS OF TWO-PHASED DGS

Phase One: Non-repairable Stage (0 ∼ 3 h)
The DGS components are assumed to follow exponential time-to-failure distributions, and their reliability parameters, listed in Table 1, are taken from Li (2012).
In the stage of [0, 3] hours, the DGS is non-repairable. Given the DFT model of the DGS shown in Figure 5, the corresponding Markov chain model with 16 system states and 68 transitions is built as shown in Figure 7. For the SFT model of the DGS in Figure 6, the corresponding Markov chain model has 180 system states and more than 800 transitions. In the period of [0, 3] hours the DGS is considered non-repairable, that is, the repair rates of components A, B, C, D, E, F and G are zero. The 16th state F is the failure state; in other words, the probability $p_{16}(t)$ of this state is the failure probability of the DGS. From the Markov chain model we obtain the transition matrix Q, and then Eq. 9 gives the failure probability of the DGS.
The unreliability of the DGS obtained from the static and dynamic fault tree models is given in Table 2.

Table 2. Unreliability of the DGS in 0 ∼ 3 h at six successive mission times within the phase (increasing from left to right; the earliest DFT entry is missing from the source text)
Model   Unreliability
DFT     –             1.0 × 10⁻¹⁰   7.7 × 10⁻¹⁰   3.2 × 10⁻⁹   9.6 × 10⁻⁹   2.4 × 10⁻⁸
SFT     9.6 × 10⁻¹¹   3.0 × 10⁻⁹    2.2 × 10⁻⁸    9.1 × 10⁻⁸   2.7 × 10⁻⁷   6.5 × 10⁻⁷

Phase Two: Repairable Stage (3 ∼ 24 h)
In the stage of (3, 24] hours, the DGS allows repair once components fail. The corresponding Markov chain model is also shown in Figure 7, where the dashed lines with two arrowheads mean that the transition is reversible: the system can move from the current state to the next one through a random failure, and a repair action can then drive the system state back to the previous one. In this paper, we assume that any component is repaired immediately upon failure and that the repair restores the failed component perfectly. The reliability of the DGS at the repairable stage is evaluated by applying the proposed integrated two-phased Markov Chain method. During 3 ∼ 24 h, the failure probabilities of the DGS modeled by the DFT and the SFT at different mission times are calculated by the proposed integrated Markov Chain method, and the results are listed in Table 3.
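The two-phased procedure of Sections 5 and 6, carried through on a reduced model as an added worked example (not the paper's code, data or Figure 7 chain): the chain is generated automatically from the SEQ/CSP order A → B → G (train A, train B, fifth EDG), a hot variant gives the SFT view, Eqs. 9 and 10 are evaluated by uniformization (the Jensen method cited in Section 3), and phase 2 restarts from P(T′) with repair rates switched on. The all-failed state is kept absorbing so that the result is an unreliability, not an unavailability. Failure and repair rates, the 3 h switch and the state encoding are assumptions of the example.

```python
"""Integrated two-phased Markov chain evaluation (added worked example, not the
paper's code or data). Three power sources A, B and G (train A, train B, the
fifth EDG) are started in the fixed order A -> B -> G, i.e. SEQ/CSP semantics:
only the running source can fail, cold spares do not. The 'hot' flag gives the
SFT view in which all three are powered from t = 0 (an AND gate). Phase 1 is
non-repairable (all repair rates zero); phase 2 restarts from P(T') with
repair enabled. The all-failed state is absorbing, so the returned quantity is
the unreliability, not the unavailability. Rates are hypothetical."""
import math
from itertools import product

SOURCES = ("A", "B", "G")


def build_generator(lam, mu, hot):
    """Return (states, Q): states[i] is the frozenset of failed sources, Q[i][j]
    the transition rate i -> j and Q[i][i] = -(row sum), as in Eq. 3."""
    states = [frozenset(s for s, bit in zip(SOURCES, bits) if bit)
              for bits in product((0, 1), repeat=len(SOURCES))]
    index = {s: i for i, s in enumerate(states)}
    n = len(states)
    Q = [[0.0] * n for _ in range(n)]
    for s in states:
        if len(s) == len(SOURCES):
            continue                                   # absorbing system-failure state
        alive = [x for x in SOURCES if x not in s]
        for x in (alive if hot else alive[:1]):        # hot: all alive fail; cold: only the running one
            Q[index[s]][index[s | {x}]] += lam[x]
        for x in s:                                    # repair of each failed source (mu = 0 in phase 1)
            Q[index[s]][index[s - {x}]] += mu[x]
    for i in range(n):
        Q[i][i] = -sum(Q[i][j] for j in range(n) if j != i)
    return states, Q


def propagate(p0, Q, t, tol=1e-13):
    """Solve the C-K equation dP/dt = P Q by uniformization (Jensen's method):
    P(t) = sum_k Poisson(k; L t) P(0) W^k with W = I + Q/L and L >= max |Q_ii|."""
    n = len(Q)
    L = max(-Q[i][i] for i in range(n)) * 1.05 + 1e-12
    W = [[(1.0 if i == j else 0.0) + Q[i][j] / L for j in range(n)] for i in range(n)]
    v = list(p0)                                       # P(0) W^k
    result = [0.0] * n
    w, cum, k = math.exp(-L * t), 0.0, 0               # Poisson weight for k = 0
    while cum < 1.0 - tol and k < 10000:
        result = [r + w * x for r, x in zip(result, v)]
        cum += w
        v = [sum(v[i] * W[i][j] for i in range(n)) for j in range(n)]
        k += 1
        w *= L * t / k
    return result


def two_phase_unreliability(lam, mu, hot, t_switch, times):
    """Unreliability at each requested mission time: phase 1 uses Q with all
    repair rates zero (Eq. 9); phase 2 starts from P(t_switch) with Q' (Eq. 10)."""
    states, Q1 = build_generator(lam, {x: 0.0 for x in SOURCES}, hot)
    _, Q2 = build_generator(lam, mu, hot)
    fail = states.index(frozenset(SOURCES))
    p0 = [1.0 if not s else 0.0 for s in states]      # every source good at t = 0
    p_switch = propagate(p0, Q1, t_switch)
    out = {}
    for t in times:
        p = propagate(p0, Q1, t) if t <= t_switch else propagate(p_switch, Q2, t - t_switch)
        assert abs(sum(p) - 1.0) < 1e-9                # probability mass is conserved
        out[t] = p[fail]
    return out


def analytic_phase1(lam_common, t, hot):
    """Closed form for equal rates and no repair, used as a cross-check:
    cold sequence = Erlang-3 CDF, hot AND = product of three exponential CDFs."""
    x = lam_common * t
    if hot:
        return (1.0 - math.exp(-x)) ** 3
    return 1.0 - math.exp(-x) * (1.0 + x + x * x / 2.0)


LAM = {"A": 1e-3, "B": 1e-3, "G": 1e-3}   # hypothetical failure rates, per hour
MU = {"A": 0.5, "B": 0.5, "G": 0.5}       # hypothetical repair rates, per hour

if __name__ == "__main__":
    times = (1.0, 2.0, 3.0, 6.0, 12.0, 24.0)
    dft = two_phase_unreliability(LAM, MU, False, 3.0, times)
    sft = two_phase_unreliability(LAM, MU, True, 3.0, times)
    for t in times:
        print(f"t = {t:4.1f} h  DFT {dft[t]:.3e}  SFT {sft[t]:.3e}  SFT/DFT = {sft[t] / dft[t]:.1f}")
```

Uniformization is used instead of an ODE integrator because it never produces negative probabilities and its truncation error is bounded by the discarded Poisson mass; in phase 1 the analytic Erlang-3 and AND closed forms reproduce the numeric values, and the phase-2 result is lower than the no-repair continuation of phase 1, as expected when failed sources can be restored before the remaining ones fail.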

RESULTS AND DISCUSSIONS
As seen in Tables 2 and 3, the unreliability of the DGS is very low over 0 ∼ 24 h (less than 10⁻⁵). As observed in Table 2 and Figure 8, compared with the DFT model, the unreliability derived by the SFT model is overestimated by one to two orders of magnitude during 0 ∼ 3 h (0 ≤ t ≤ 3 hours). Likewise, during 3 ∼ 24 h (3 h < t ≤ 24 hours), the unreliability of the DGS is overestimated by one to two orders of magnitude. From the viewpoint of system safety, the conservative results given by SFTs may contribute to the safety of the DGS. However, an underestimated reliability may cause additional economic cost through reliability improvement measures, such as redundancy design and more frequent maintenance activities.
Considering that the uncertainty of the components' failure and repair rates has a great influence on the final reliability results, an uncertainty analysis of the DGS unreliability evaluated at mission time t = 24 h is carried out in this contribution. The components' failure and repair rates λ and μ are sampled by the Monte Carlo method as
$$\lambda_i = u_{\lambda_i} + r \cdot \delta_{\lambda_i}; \quad \mu_i = u_{\mu_i} + r \cdot \delta_{\mu_i}$$
where $r$ is a random number following the Gaussian distribution with mean 0 and standard deviation 1, produced by any standard random number generator. Once all components' failure and repair rates are generated, the unreliability of the DGS is calculated using Eq. 10. 2000 rounds of simulation are made, giving 2000 samples of the DGS unreliability. The frequency histogram of the DGS unreliability is shown in Figure 9 (sampling number SN = 2000). From the histogram, the DGS unreliability is assumed to follow a lognormal distribution, and the 95% confidence interval for the DGS unreliability is obtained as [7.4 × 10⁻⁶, 8.4 × 10⁻⁶].

CONCLUSION AND FUTURE WORK
For nuclear power and other industrial systems, temporal failure behaviors exist widely because of redundancy design and management. Hence, it is necessary to adopt an accurate modeling technique that reflects the real failure behaviors and gives comparatively accurate reliability results. In our contribution, motivated by the study of the effects of sequential failure behaviors, a DFT model-based reliability evaluation of the DGS after a LOOP accident is implemented. Compared with traditional static fault tree models, DFTs are more accurate modeling techniques for systems with temporal failure behaviors and hence give more reliable results. An integrated two-phased Markov Chain method is proposed to analyze the reliability of the DGS. The results indicate that the unreliability of the DGS modeled by the DFT is lower than that of the SFT by one to two orders of magnitude. DFT-based methods are therefore beneficial for relaxing the overestimated unreliability of a concerned system. The proposed integrated Markov Chain method is also helpful for designing more reliable systems economically in the nuclear power and other industrial fields in the future.
DFT-based methods are still under development. The complex systems of an NPP sometimes not only have dynamic sequential failure behaviors but are also featured by multiple states and by interactions among hardware, software and humans, which pose great challenges to their reliability assessment. Our ongoing work is devoted to developing a powerful modeling and analytical technique that can solve these issues effectively.

Frontiers in Energy Research | www.frontiersin.org December 2021 | Volume 9 | Article 793577

DATA AVAILABILITY STATEMENT
The original contributions presented in the study are included in the article/Supplementary Material, further inquiries can be directed to the corresponding author.

AUTHOR CONTRIBUTIONS
DG conceptualized and implemented this study, and wrote the original draft; MY and HW carried out data analysis and wrote parts of the contribution; DG instructed and proposed the methodology; XC reviewed and verified the results.