Modified-LOPA; a Pre-Processing Approach for Nuclear Power Plants Safety Assessment

Seyed Mohsen Gheyas * a, Mohammad Pourgol-Mohammad a
a Sahand University of Technology, Tabriz, Iran
* Gheyas.Mohsen@gmail.com mpourgol@gmail.com (Corresponding Author)

Abstract: Risk and safety assessment are important subjects in modern industries. Different methods have been proposed for safety and risk evaluation of high hazardous facilities. The risk assessment methods are classified in three main groups of qualitative, semi-quantitative and quantitative. The methodology is selected depending on scope and objective, level of details and requirements. Nuclear facilities regulations require more detailed assessment of system safety. Regulatory body requires utilization of probabilistic risk assessments (PRA) for appraisal of design, modifications and operation of nuclear power plants. This method usually is very complicated, expensive and time consuming. Significant amount of resources are needed for a PRA project completion which in some cases for preliminary safety evaluation are not justified. Simpler methods would be used for preliminary evaluation as a pre-processor to quickly find out the situation (especially in operational nuclear power plant). Layer of Protection Analysis (LOPA) is one of the powerful risk analysis methods. It is a semi-quantitative approach widely used in chemical process industry. This method is not a competitive alternative to full quantitative methods of risk analysis for nuclear facilities like PRA. However, it is a simpler and less expensive methodology compared to full probabilistic risk assessment methods. It evaluates the probability of failure per demand for the safety system failures and the resulting consequences. It is introduced here as a practical technique for early and quick risk assessing in many other industries. But if LOPA has been selected as a risk evaluator pre-processor in nuclear systems it requires some modifications in methodology structure. This research examines utilization of LOPA method for nuclear systems as an order of magnitude evaluation of the safety status.

Conventional LOPA method requires some essential modifications in methodology to prepare it as a suitable approach for nuclear systems, especially in its scenario development and quantitative calculations. The so-called modified layer of protection analysis (Modified-LOPA) methodology is based on improvement of some features of conventional LOPA. Some changes are proposed to the classic LOPA method by using event tree method and Bayesian logic. Since LOPA and event-tree methods use definition of scenarios to represent the paths of the accidents, scenario development is completed in modified method by using event-tree method. Then initiating event frequency and probability of failure on demand (PFD) of independent protection layers (IPLs) estimations are updated by Bayesian approach which increases the reliability of results by combination of plant specific data with generic data from other similar industries. In this paper Modified-LOPA method is proposed as a primary tool for quick hazard analysis, risk assessment and risk based decision in nuclear systems. This method is more accurate compared to conventional LOPA. However it is not a complete substitute for Full PRA in nuclear systems. A simple example of a fire protection system shows application of this method and the results are compared with the results of a PRA approach.

Keywords: LOPA, Risk, Scenario, Event Tree, Initiating Event, Independent Protection Layer (IPL), Probability of Failure on Demand (PFD), Frequency, Bayesian, Nuclear Power Plant.

1. INTRODUCTION

Nowadays, different methods have been proposed for safety evaluation of high hazardous facilities. The methods include Probabilistic Risk Assessment (PRA), Failure Mode and Effects Analysis (FMEA), Hazard and Operability (HAZOP), Reliability Block Diagram (RBD) and Layer of Protection Analysis (LOPA) [1]. Depending on scope and objective, level of details and requirements, the methodology is selected.

Nuclear facilities regulations require more detailed assessment of system safety. Regulatory body requires utilization of PRA for assessment of design, modifications and operation of nuclear power plants. Although it is essential to meet all safety criteria in nuclear systems, the extent and complexity of analysis usually make it difficult to reach the results in a limited time. Significant amount of resources are needed for a PRA project completion which in some cases for preliminary safety evaluation are not justified. Simpler methods would be used for preliminary evaluation as a preprocessor to quickly find out the situation (especially in operational nuclear power plant). If the finding concludes the need for a more detailed assessment then PRA is recalled.

LOPA is one of the powerful risk methods which is a semi-quantitative approach. It is widely used in chemical process industry. Actually, this method is not a competitive alternative to the full quantitative methods of risk analysis for nuclear facilities, but the characteristics of this method make it capable of performing a preliminary nuclear safety and risk analysis. They include:
- Being systematic and straightforward.
- Expression of results as semi-quantitative.
- Affordable cost, time and effort requirement compared to Full PRA method.
- Capability of focusing risk reduction efforts on impact events with high severity and high probability [2].
- Capability of quick system design weakness identification for improvement and modification.

In spite of the fact that LOPA has many positive features, some difficulties in scenario identification and in using statistical quantities have led many researchers to modify this method. In this paper Modified-LOPA method is proposed as a primary tool for quick hazard analysis, risk assessment and risk based decision in nuclear systems. This method is more accurate compared to traditional LOPA; it gets help from Event Tree structure for developing scenarios and Bayesian logic to update the failure data. However it is not a complete substitute for Full PRA in nuclear systems, but the highly reliable results justify the use of Modified-LOPA as a nuclear risk preprocessing method.

NOMENCLATURE
FMEA: Failure Mode and Effects Analysis
HAZOP: Hazard and Operability
I.E.: Initiating Event
IPL: Independent Protection Layer
LOPA: Layer of Protection Analysis
NPP: Nuclear Power Plant
OFS: Off-Site Fire Protection System
ONS: On-Site Fire Protection System
PFD: Probability of Failure on Demand
PRA: Probabilistic Risk Assessment
RBD: Reliability Block Diagram
SIL: Safety Integrity Level
SIS: Safety Instrumented System

2. LITERATURE REVIEW

LOPA has been presented in several works and the results of its successful implementation have been reported in the various literature. LOPA is used in [2] to evaluate a highly reactive process and illustrates the benefit of risk assessment to follow a HAZOP hazard analysis. Hydroxylamine production facility has been evaluated as a practical case study in this paper. LOPA has been described in [3] for determining the requirements for Safety Integrity Level (SIL) of a Safety Instrumented System (SIS). Summers [4] briefly described LOPA as a powerful analytical tool for assessing the adequacy of protection layers used to mitigate process hazards. An overview has been provided in [5] that mainly discusses the commercially available explosion prevention and mitigation systems applicable to gas, dust, mist and hybrid (gas-aerosol) explosions, including basic principles and proper application for single and combined systems and their limitations. Another research [6] attempts to explain the principles of LOPA and the means by which it can be used within the accidental risk assessment methodology for industries.

In some articles it is attempted to develop LOPA in methodology. Yun and Mannan [7] presented a Bayesian LOPA methodology which studied an LNG importation terminal as a case study to demonstrate application of the method. It proposes that the Bayesian LOPA method is a powerful tool for risk assessment of not only the LNG facilities but also in other industries, such as petrochemical, nuclear, and aerospace. LOPA is presented in [8] as an approach that may include human harm and is independent of the analyst. It also provided how to identify and evaluate scenarios for LOPA and briefly describes the contribution of human errors in accidents. Markowski and Kotynia [9] applied LOPA including an uncertainty aspect to the risk assessment of a hazardous substance release. It has been provided by a bow-tie approach being a composition of fault and event tree. The quantitative application of the bow-tie model has been proposed in the methodology of LOPA. Summers et al. [10] improved the frequency and risk reduction tables in the estimate of the hazardous event frequency, and showed how consequence severity tables can significantly increase confidence in the severity estimate. A mixed integer nonlinear programming model is presented in [11] to improve the computational use of LOPA. The human role and activities are reviewed in [12] as potential initiating events and human performance within independent protection layers in LOPA methodology.

3. MODIFIED-LOPA DESCRIPTION

As told before, layer of protection analysis is a semi-quantitative approach to evaluate the risk of potential incidents and to provide guidance on the adequacy of independent protection layers (IPLs) to lower the risk. LOPA typically uses order of magnitude categories for initiating event frequencies and for the probabilities of failure of IPLs, which can mitigate the frequency or reduce the consequence of an incident [2].

LOPA focuses risk reduction efforts on impact events with high severity and high probability, so its primary requirement is to determine these severe events. As a result, LOPA often follows a qualitative risk analysis performed as part of a HAZOP, check list, etc. to identify and characterize hazards. LOPA methodology typically builds on the information developed during a qualitative hazard evaluation. Then, layers of protection are intended to independently comply with three main functions: prevention, protection and mitigation. To be considered as independent protection layers (IPLs), safeguards need to satisfy some characteristics: independence, specificity, dependability and auditability [4]. The methodology typically uses order of magnitude to express the initial event frequency, the probability of failure on demand of the independent protection layers and the magnitude of the consequence. This way of expression allows simple comparison and calculation. It is expected that the results of LOPA be accompanied by [13]:
- Providing rational, semi-quantitative, risk-based answers
- Reducing emotionalism
- Providing clarity and consistency
- Documenting the basis of the decision
- Facilitating understanding among plant personnel

According to the literature review, especially the research of Yun et al. (2009) and its proposal for using the Bayesian LOPA method for risk assessment in nuclear systems, the decision was made to recommend a modification in LOPA method for this purpose. So Modified-LOPA method has been recommended which uses Event-tree method for better scenario development, and Bayesian probabilistic method for updating data and calculating uncertainty of results.

4. METHODOLOGY STEPS

Modified-LOPA is based on improvement of some features of conventional LOPA. Since LOPA and event-tree methods both use definition of scenarios to represent the paths of the accidents, scenario development in modified method is completed by using event-tree method. Initiating event frequency and Probability of Failure on Demand (PFD) of Independent Protection Layers (IPLs) data are updated by Bayesian approach. Figure 1 demonstrates the flowchart and steps for Modified-LOPA method. This flowchart is adapted based on the previous researches done in [2,7]. The basic steps of this approach are described below.

[Figure 1. Modified-LOPA Process Flowchart. Boxes: Process information (Process Flow Diagram, P&ID, process data, objectives, scope, methodology, criteria); Process Hazard Analysis (PHA), HAZOP, hazard assessment; Estimate consequence and severity (category approach, qualitative estimates, quantitative estimates); Develop scenarios (event tree method, using PHA results; each scenario must have a unique initiating event / consequence pair); Identifying initiating event frequency and identifying IPLs and estimating PFDs of IPLs (generic data and plant specific data through the Bayesian engine; each IPL must have independence, effectiveness, auditability); Estimate scenario frequency; Risk ranking and risk decisions (compare with tolerable risk criteria); decision "Is the risk acceptable?" (yes/no); Recommendations for safety enhancement (add IPLs or safety measures).]

Step 1: Process Information
First, a system should be completely identified. The piping and instrumentation diagram, process flow diagram, process data, objectives, scope, methodology, criteria and every data of maintenance and failures should be studied. It is recommended that the criteria be provided in this step to determine the endpoint of accidents. Some examples for considering the endpoint of accidents are: overpressure, leak of toxic and flammable fluids, fire or explosion, etc.

Step 2: Process Hazards Analyses (PHA)
Qualitative hazard analysis is a fundamental step for identification of consequences of events in LOPA. It is usually done by HAZOP, which is used to identify all probable events. In a HAZOP study, the severity of events can be categorized and it helps the analyzers to opt just the critical scenarios for LOPA.

Step 3: Estimate Consequence and Severity
Consequences are the undesirable outcomes of accident scenarios. One of the first decisions an organization must make when choosing to implement LOPA is how to define the consequence endpoint. Since the consequences must be categorized, special attention to primary steps of LOPA is very important. Some approaches for this purpose include [13]:
- Method 1: Category Approach and using matrices.
- Method 2: Qualitative Estimates, which use the final impact on humans as the consequence of interest.
- Method 3: Quantitative Estimates with Human harm, which use mathematical models.

Step 4: Developing Scenarios
A scenario is an unplanned event or sequence of events that results in an undesirable consequence. Each scenario consists of at least two elements which show the beginning and the end of an event. These elements are:
- An initiating event
- A consequence

A scenario in its perfect form should illustrate the pathway of an event. Each scenario must have a unique Initiating Event-Consequence pair. Since the definition of scenarios in LOPA is similar to the Event-Tree method and both approaches are based on analyzing scenarios, it is considered to use the tree structures to clarify the principles of LOPA scenarios. Although process risk assessment in nuclear systems requires all spectrums of possible accidents that subsequently may exceed the specified risk tolerance level, analyzing the worst cases of events is useful as a pre-processing. In order to obtain more appropriate and accurate analysis, the complete accident scenario model is developed. In the traditional LOPA, an accident scenario is defined as a single cause-consequence pair using an event tree approach. Only one path of the accident scenario, which merely leads to a major hazard, is analyzed. For more complex scenarios, LOPA should be used several times for each initiating event (IE) separately. Another limitation of LOPA is the fact that there is no separation of top event or loss event.

As mentioned in literature review, Markowski and Kotynia [9] suggested bow-tie method, which is composed of a fault tree which identifies the causes of the top event or loss event, usually representing unwanted release of the substance, and an event-tree showing what are the consequences of such a release. In the bow-tie model all connections between initiating events, loss event and outcome events are fully identified. Although this method is a very comprehensive approach for improving accuracy of LOPA, increasing the computation size makes LOPA exceed a semi-quantitative method. For this reason it has been assumed that event tree method is approximately enough for developing scenarios in LOPA. Using event tree causes the accident path to be identified exactly; it also makes the IPLs more transparent and increases the capability of linking the results to Full PRA method. Also existence of a schematic of a scenario facilitates its understanding.

Step 5: Event Tree Method
The event tree is a logical structure in the form of a tree branch that maps out the different pathways by which the bad event can come about. All of the paths that cause an adverse outcome must be included and analysts routinely rely on the experience of subject matter experts to know which events to include. The tree structure enables the analyst to order events (usually chronologically), to separate clusters of events from each other, and to show whether or not events are important. The branching structure shows how an initiating event that starts a sequence at the left side of the tree may lead to the bad event that is shown at the far right side. Events or options that depend on other events are shown to the right of those events on which they depend [14]. As mentioned before, both LOPA and Event-Tree method utilize the scenario concepts.

[Figure 2. LOPA Event Tree Example [15]]

Step 6: Identifying Initiating Event Frequency
For LOPA, each scenario has a single initiating event. The frequency of the initiating event is normally expressed in events per year. Some sources use other units, such as events per 10^6 hours [13]. LOPA uses order-of-magnitude to express the frequency of initiating events. In general, initiating events are divided in three main categories: external events, human errors and equipment failures. A HAZOP study should represent these initiators.

Step 7: Identifying IPLs and Estimating PFDs
An IPL is a device, system, or action that is capable of preventing a scenario from proceeding to its undesired consequence independent of the initiating event or the action of any other layer of protection associated with the scenario. An IPL must be:
- Effective
- Independent
- Auditable

Like the previous step, a HAZOP study should be able to illustrate the safeguards which are considered against the final consequence. Then LOPA analyzers have to separate the IPLs from other safeguards. For LOPA calculations, it is essential to know the failure rate or probability of failure of the system's IPLs. Thus, the concept of probability of failure on demand is introduced. PFD for an IPL is the probability that, when demanded, it will not perform the required task [13]. PFD is a complement to availability and also is a probabilistic value.

Step 8: Bayesian Probabilistic Method
Bayesian estimation incorporates degree of belief and information beyond that contained in the data sample, forming the practical difference from classical estimation. The subjective interpretation of probability forms the philosophical difference from classical methods. Bayesian estimation is comprised of two main steps. The first step involves using available information to fit a prior distribution to a parameter, such as frequency of an IPL. The second step of Bayesian estimation involves using additional or new data to update the prior distribution. This step is often referred to as Bayesian Updating [16].

The generalized form of Bayes' theorem for discrete variables is:

$$\Pr(A_j \mid E) = \frac{\Pr(A_j)\,\Pr(E \mid A_j)}{\sum_{i=1}^{n} \Pr(A_i)\,\Pr(E \mid A_i)} \qquad (1)$$

The terms of this equation are:
- $\Pr(A_j \mid E)$: The posterior probability of event $A_j$ given event $E$, or updated probability of event $A_j$
- $\Pr(A_j)$: The prior probability of event $A_j$
- $\Pr(E \mid A_j)$: Likelihood function based on sample data
- $\sum_{i=1}^{n} \Pr(A_i)\,\Pr(E \mid A_i)$: Total probability

The above equation means that probability data can be updated by combining the prior probability (from previous information or generic data) and the relative likelihood (from plant-specific data).

Typically, the selection of the prior distribution is somewhat subjective, so a selection of a conjugate prior from the same family of distributions as the posterior can make the choice more objective for easier computation of the posterior parameters [7]. Since using Bayesian equation in its primary form is difficult in some cases, it is recommended to use conjugated distributions. For example, gamma and Poisson distributions are conjugated. If there is a prior distribution in the form of gamma and a likelihood distribution in Poisson, the Bayesian calculation will result in a gamma posterior distribution.

Step 9: Estimate scenarios frequency
After updating data, scenarios frequency is estimated. The following is the general procedure for calculating the frequency for a release scenario with a specific consequence endpoint. For this scenario, the initiating event frequency from step 5 is multiplied by the product of the IPL PFDs from step 6 [13].

$$f_i^{C} = f_i^{I} \times \prod_{j=1}^{J} PFD_{ij} = f_i^{I} \times PFD_{i1} \times PFD_{i2} \times \cdots \times PFD_{iJ} \qquad (2)$$

Step 10: Calculating Risk
In this step, the severity of categorized consequences from step 3 is multiplied by scenarios frequency from step 7.

$$R_k^{C} = C_k \times f_k^{C} \qquad (3)$$

Step 11: Make risk decision
The calculated risk is compared with risk tolerance criteria for the decision-making. If, however, the calculated risk exceeds the risk criteria, the scenario is judged to require additional (or stronger) mitigation (IPLs), or to require changes in the design to make the process inherently safer, thus reducing scenario frequency or consequence, or (preferably) eliminating the scenario [13]. This change in accident path should be considered in event tree if other IPLs need to be added. Also the Bayesian calculations and scenarios frequency estimations must be repeated considering the effect of new changes.

Step 12: Safety Management
Risk management must be applied to all levels of system including design, operation, monitoring, test, maintenance, etc. It is important to mention that LOPA does not suggest any way to control the risks, but it clarifies the way of decision making to help the management team.

5. APPLICATION OF MODIFIED-LOPA ON NPP FIRE PROTECTION SYSTEM

The methodology is applied on a fire protection system for a typical Nuclear Power Plant (NPP) which is designed to extinguish fires in this facility. Fire protection is considered a mitigation IPL as it attempts to prevent a larger consequence subsequent to an event that has already occurred. If a company can demonstrate that it meets the requirements of an IPL for a given scenario it may be used [13].

[Figure 3. Layers of Protection Against a Fire Scenario.]

Description of facility
This fire protection facility includes two separate systems, On-Site fire protection system (ONS) and Off-Site fire protection system (OFS). Each of the systems is a set of different components such as sensors, alarms, tanks, valves, pumps, etc. but it is supposed that ONS and OFS systems will meet all characteristics of the independent protection system.

Analysis by PRA
This system has been completely studied by PRA approach [1]. This method has considered all subsystems and equipment in order to get the most accurate results. Three different scenarios are defined; Fig. 4 shows the event-tree of these scenarios. PRA calculations show the frequency of fire event in such plant is 7.1E-4, the PFD of ONS system is 2.8E-3, and the PFD of OFS system is 1E-4 [1].

[Figure 4. Scenario of Events Following a Fire Using the Event-Tree Method [1]. Event tree: initiating event Fire (f I.E. = 1E-4); IPL 1: On-Site Fire Protection System (ONS), branches S / F; IPL 2: Off-Site Fire Protection System (OFS), branches S / F; end results: Damage state 1 (Minor damage), Damage state 2 (Major damage), Damage state 3 (Catastrophic damage).]

Modified-LOPA
Consider a change in components of primary ONS system. If this system is the fire protection of an in-operation nuclear power plant, a new risk assessment will be needed. But PRA method requires a huge amount of calculations and resources. So Modified-LOPA would be used as a simpler method and a pre-processor. The pre-assumptions considered to analyze this system by Modified-LOPA are as follows:
- The same defined scenarios in Figure 4 are also considered.
- The calculated results of PRA are used as mean values of prior data.
- Frequency of fire accident and PFD of OFS system are same as before, because of no change.
- New ONS system was tested in similar facilities for 1000 demands, and 3 failures were observed.
- The prior data will be updated by Bayesian method.

Bayesian Updating
The simplest type of prior distribution from the standpoint of the mathematics of Bayesian inference is a so-called conjugate prior, in which the prior and posterior distribution are of the same functional type (e.g., beta, gamma), and the integration needed to obtain the normalizing constant in Bayes' Theorem is effectively circumvented [17]. For prior distribution of PFD of ONS system, the mean value is 2.8E-3. From engineering judgment its standard deviation is estimated as 1.4E-3 and a Beta distribution has been assigned for it. For the binomial distribution, the conjugate prior is a beta distribution. So in this case, the likelihood function is modeled by a Binomial distribution. Elements of Bayesian updating from Eq. (1) for updating PFD of ONS system are shown in Table 1 from Appendix A.

Risk Calculation
Table 2 in Appendix A shows the results of risk calculation by Modified-LOPA and compares it to the result of PRA approaches. As observed in Table 2, with a little increase in PFD of ONS system, the calculated risk of scenarios leads to a larger discrepancy of the results between the two approaches. Common cause failure is considered in the calculation of PRA but the events are considered independent in LOPA. This is another reason for the discrepancy between the two methods. Another reason for this difference is the updated value of PFD using Bayesian formula.

6. CONCLUDING REMARKS

The research demonstrated the application of modified LOPA methodology on safety evaluation of nuclear facilities. In classic LOPA, only the most severe consequences are often considered. However, Modified-LOPA considers all probable scenarios with assistance of Event Tree method. Bayesian updating makes estimation of the frequencies and PFD more accurate by utilization of historic and field data. In this paper Modified-LOPA is represented as a powerful pre-processing method in nuclear power plants. The example shows good agreement of its result in comparison with a full PRA approach.
The effect of using Event Tree structure could be better demonstrated if the studies consist of a large scope system with very complicated components. Besides, for newly designed systems with lack of failure data or in case of unreliable collected failure data, using Bayesian logic, which gives analysers the ability of updating the plant specific data with generic data from other similar systems, can lead to more reliable results. Modified-LOPA will be known as the most comprehensive semi-quantitative method if economic survey is added to it.

7. REFERENCES

[1] Modarres, M., Risk Analysis in Engineering: Techniques, Tools, and Trends. 2006, New York: CRC Press, Taylor & Francis Group
[2] Wei, C., W.J. Rogers, and M.S. Mannan, Layer of protection analysis for reactive chemical risk assessment. Journal of Hazardous Materials, (1): p
[3] Dowell III, A.M., Layer of protection analysis for determining safety integrity level. ISA Transactions, (3): p
[4] Summers, A.E., Introduction to layers of protection analysis. Journal of Hazardous Materials, (1-3): p
[5] Pekalski, A.A., et al., A Review of Explosion Prevention and Protection Systems Suitable as Ultimate Layer of Protection in Chemical Process Installations. Process Safety and Environmental Protection, (1): p
[6] Gowland, R., The accidental risk assessment methodology for industries (ARAMIS)/layer of protection analysis (LOPA) methodology: A step forward towards convergent practices in risk assessment? Journal of Hazardous Materials, (3): p
[7] Yun, G., W.J. Rogers, and M.S. Mannan, Risk assessment of LNG importation terminals using the Bayesian LOPA methodology. Journal of Loss Prevention in the Process Industries, (1): p
[8] First, K., Scenario identification and evaluation for layers of protection analysis. Journal of Loss Prevention in the Process Industries, (6): p
[9] Markowski, A.S. and A. Kotynia, Bow-tie model in layer of protection analysis. Process Safety and Environmental Protection, (4): p
[10] Summers, A., W. Vogtmann, and S. Smolen, Improving PHA/LOPA by consistent consequence severity estimation. Journal of Loss Prevention in the Process Industries, (6): p
[11] Ramírez-Marengo, C., et al., A formulation to optimize the risk reduction process based on LOPA. Journal of Loss Prevention in the Process Industries, 2012(0).
[12] Myers, P.M., Layer of Protection Analysis - Quantifying human performance in initiating events and independent protection layers. Journal of Loss Prevention in the Process Industries, 2012(0).
[13] CCPS, Layer of Protection Analysis - Simplified Process Risk Assessment. 2001, New York, NY: Center for Chemical Process Safety
[14] J Wreathall, C.N., Assessing risk: the role of probabilistic risk assessment (PRA) in patient safety improvement. Qual Saf Health Care, : p
[15] Markowski, A.S. and M.S. Mannan, Fuzzy logic for piping risk assessment (pflopa). Journal of Loss Prevention in the Process Industries, (6): p
[16] Michael Stamatelatos, H.D., Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners. Second ed. 2011, Washington, DC: NASA Headquarters.
[17] Dana Kelly, C.S., Bayesian Inference for Probabilistic Risk Assessment; A Practitioner's Guidebook. 2011, London: Springer.
[18] O'Connor, A.N., Probability Distributions Used in Reliability Engineering. 2011, College Park, Maryland: Reliability Information Analysis Center (RIAC).

APPENDIX A

Table 1. Bayesian Approach for Updating PFD of ONS System [17-18]
Prior: Beta Distribution
Likelihood: Binomial Distribution
Posterior: Beta Distribution

Table 2. Modified-LOPA for NPP Fire Protection System
Scenario No. | Economic consequence severity | Category | Frequency of I.E. | IPL(s) | Updated PFD | Calculated Risk from Updated Data (Modified-LOPA) | Calculated Risk from Primary Data (PRA) *
1 | $1,000,000 | Minor | 7.10E-4 | ONS | 2.88E-3 | $ | $
2 | $92,000,000 | Major | 7.10E-4 | ONS, OFS | 1.40E-4 | $ | $
3 | $210,000,000 | Catastrophic | 7.10E-4 | ONS, OFS | 2.88E-3 * 1.40E-4 = 4.03E-7 | $ | $ 0.018
* The sign shows successful operation of an IPL.
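The Section 5 update (Beta prior with mean 2.8E-3 and standard deviation 1.4E-3, 3 failures in 1000 demands) and the Eq. (2) and Eq. (3) steps, carried through as an added example that is not code from the paper. It takes the fire frequency, the OFS PFD of 1.40E-4 and the severities from Table 2; fitting the prior by moments and weighting success branches by (1 - PFD) are assumptions of this sketch, and all function names are hypothetical.

```python
"""Added example: Beta-binomial update of the ONS PFD, then event-tree risk."""
from math import sqrt

# Values taken from Section 5 and Table 2 of the page.
F_FIRE = 7.10e-4                       # initiating event frequency (per year)
PRIOR_MEAN, PRIOR_SD = 2.8e-3, 1.4e-3  # ONS PFD prior (PRA mean, judged SD)
FAILURES, DEMANDS = 3, 1000            # test evidence for the new ONS system
PFD_OFS = 1.40e-4                      # OFS PFD as used in Table 2
SEVERITY = {"Minor": 1_000_000, "Major": 92_000_000, "Catastrophic": 210_000_000}


def beta_from_mean_sd(mean, sd):
    """Method-of-moments Beta(alpha, beta) with the given mean and SD (assumption:
    the page does not say how its prior parameters were fitted)."""
    if not 0.0 < mean < 1.0 or sd <= 0.0:
        raise ValueError("need 0 < mean < 1 and sd > 0")
    nu = mean * (1.0 - mean) / sd ** 2 - 1.0   # nu = alpha + beta
    if nu <= 0.0:
        raise ValueError("sd is too large for a Beta distribution with this mean")
    return mean * nu, (1.0 - mean) * nu


def update_pfd(alpha, beta, failures, demands):
    """Conjugate update: Beta prior + Binomial likelihood -> Beta posterior."""
    if not 0 <= failures <= demands:
        raise ValueError("failures must lie between 0 and demands")
    return alpha + failures, beta + (demands - failures)


def beta_mean_sd(alpha, beta):
    """Mean and standard deviation of Beta(alpha, beta)."""
    n = alpha + beta
    return alpha / n, sqrt(alpha * beta / (n ** 2 * (n + 1.0)))


def event_tree(f_ie, pfd_ons, pfd_ofs):
    """End-state frequencies for the Figure 4 tree. Failure branches follow
    Eq. (2); success branches use (1 - PFD), an assumption of this sketch."""
    return {
        "Minor": f_ie * (1.0 - pfd_ons),                  # ONS works
        "Major": f_ie * pfd_ons * (1.0 - pfd_ofs),        # ONS fails, OFS works
        "Catastrophic": f_ie * pfd_ons * pfd_ofs,         # both layers fail
    }


def scenario_risk(severity, freq):
    """Eq. (3): risk = consequence severity x scenario frequency."""
    return {state: severity[state] * freq[state] for state in freq}


def run_case():
    """Prior -> posterior -> scenario frequencies -> risks for the fire system."""
    prior = beta_from_mean_sd(PRIOR_MEAN, PRIOR_SD)
    posterior = update_pfd(*prior, FAILURES, DEMANDS)
    pfd_ons, pfd_sd = beta_mean_sd(*posterior)
    freq = event_tree(F_FIRE, pfd_ons, PFD_OFS)
    return {"prior": prior, "posterior": posterior, "pfd_ons": pfd_ons,
            "pfd_sd": pfd_sd, "freq": freq, "risk": scenario_risk(SEVERITY, freq)}


if __name__ == "__main__":
    case = run_case()
    print("prior Beta(%.3f, %.1f)" % case["prior"])
    print("posterior Beta(%.3f, %.1f)" % case["posterior"])
    print("updated ONS PFD: %.3e (sd %.2e)" % (case["pfd_ons"], case["pfd_sd"]))
    for state in SEVERITY:
        print("%-12s f = %.3e /yr   risk = $%.4g /yr"
              % (state, case["freq"][state], case["risk"][state]))
```

The posterior mean rounds to the 2.88E-3 listed in Table 2, and the both-layers-fail path probability to the 4.03E-7 shown there.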