An electrical circuit is particularly simple to analyze by a fault tree because the connections are straightforward. Consider the protection circuit shown in Fig. 1.24 (14).

When the switch is closed, power is applied to the timer coil. This closes the timer contacts and applies power to the relay coil, which in turn closes the relay contacts. Power is then supplied through the fuse to the motor. When the switch is opened, the reverse procedure applies.

The fuse and the timer are safeguards; if the motor fails shorted while the relay contacts are closed, then the fuse opens and shuts off the power, and if the switch fails to open again after some time (which is preset) then the timer will open its contacts and remove power from the motor.

The overheating of the wire A-В is an undesirable event in this circuit and it can be prevented if the safeguards operate. As an example of fault tree technique, the following paragraphs analyze the causes which might allow the overheating of A-B.

Figure 1.25 shows the basic fault tree for the undesirable event: an over­heated wire. It could arise only as a result of excessive current and the power being applied for an extended time. The excessive current could come only if the motor fails shorted and the fuse fails to open, and the extended time during which this overpower is applied may result if either the relay contacts fail in a closed position, or the power is not removed from the relay coil.

The power is not removed from the relay coil only if both the timer fails and the switch fails to open. Thus the symbols demonstrate the logical connections between the events.

There are two analytical techniques for constructing fault trees. Each develops the tree to a different depth of detail. The first considers primary component failures that occur while the component is functioning within conditions for which it was designed. The second technique considers secondary component failures that occur when the component is subjected to abnormal conditions.

1.6.2.2.1 Primary failure technique. This method is used mainly in the communication field (control and instrumentation) and in data processing systems (control).

To illustrate the technique we may further analyze the causes of an over­heated wire (Figure 1.26) (14). The motor failed shorted and relay contacts failed closed are both primary failures. To cause the timer to be unable to open there are two other primary causes: the timer coil failed to open and the timer contacts failed closed. If the switch fails to open, a primary failure of the switch contacts failed closed may be responsible, although there are other possible external causes which are here undeveloped.

1.6.2.2.2 Secondary failure technique. This method requires a greater insight into the system and its component parts because it needs a knowl­edge of how systems might operate and interact in abnormal conditions. It is used mainly in accident analysis and therefore it is of most concern to this discussion.

To illustrate this technique we can again further develop the example (Figs. 1.27a and 1.27b) (14). The motor and relay are sensitive to the failure of one another. In Fig. 1.26, relay contacts failed closed was a primary fault, but there may be a secondary reason; they may fail to open because

they have been fused shut by an overcurrent. The overcurrent is a cause of failure only if the relay contacts fuse. Therefore an inhibit conditional gate is needed to describe this situation. The overcurrent might arise if failure of the fuse occurred and the motor failed shorted.

The motor failed shorted might also come from a secondary (abnormal conditions) failure, an extended period of power, but power applied for extended time is a cause for failure only if the motor actually does fail shorted, so another inhibit gate is required. This extended power might arise from a failure of the relay contacts or power not being removed from the relay coil.

Now we notice that the tree is no longer a simple structure but some faults occur in different parts of the tree; thus interconnections or transfers are required.

This is an alternative analytical method in which the stability is assessed from an open-loop analysis.

The frequency response of the open-loop system G(s)H(s) is plotted in two distinct ways to give two equivalent stability criteria.

a. Nyquist criterion. This criterion allows one to calculate the gain and phase margins to give the degree of stability of the system, whereas the

Plotting Rules for Root-Locus Construction

Plotting rule

1 Number of locus branches equals order of denominator of G(s) H(s).

2 Locus is drawn for values of К as К varies from zero to infinity where К is

given by

G(s) H(s) = K(s-z)—/(s-p)—.

3 As К tends to infinity the locus of the closed-loop poles terminates on a zero

of G(s) H(s). Zeros at infinity are included. Also as К tends to zero the locus approaches the poles of G(s) H(s).

4 Loci on the real axis include those sections of the axis to the left of an odd

number of critical frequencies (zeros or poles) of G(s) H(s).

5 Loci near infinity asymptotically approach straight lines which meet the real

axis at an intersection point given by

sum(real part of poles) — sum(real part of zeros)
number of finite poles (p) — number of finite zeros (r)

and they meet the axis at angles given by в = плКр — z) for n odd.

6 Loci have symmetry about the real axis.

7 The values of К at which loci go into the right half-plane can be determined

graphically.

location of poles allowed one to obtain a rate of exponential decay that could be related to a damping factor as in the simulation technique of Section 2.5.2.1.

The frequency response of the open-loop system G(s)H(s) is plotted on an Argand diagram and the criterion states: “If a system is unstable the number of unstable frequencies is given by the number of times this fre­quency response curve encircles the —1 point in a clockwise direction.” Defining

W{s) = G(s)H(s) + 1 (2.17)

to be the closed-loop characteristic, from Cauchy’s theorem in complex number theory, assuming that IT(.s) is single-valued and has finite poles in a contour C and is not zero on C, then

Jc W'{s)IW{s) = 2ni(Z — P)

[In W(s)]c = 2ni(Z — P)

= A2 + iB2 — Ax — iBx where Fig. 2.29a defines the anticlockwise path around contour C.

Fig. 2.29a. C contour in the і plane.

Аг — A2

В2— B1 = 2n(Z — P)

One revolution of the W plane origin gives Ini, thus the number of encir­clements of the W origin is equal to Z — P.

The stability criterion now arises because the closed-loop transfer func­tion pole is a zero of W(s) and therefore for stability there should be no zeros in the right half-plane of W(s). For stability there must be as many encirclements as W(s) has poles in the right half-plane.

Thus the number of encirclements of the origin in the W(s) plane (Z — 0) is equal to the number of encirclements of the point —1 in the G(s)H(s) plane, and this in turn is equal to the number of poles of the open-loop transfer function as shown above. The negative sign now implies clockwise encirclements. Examples are given in Section 2.5.3.3.

The effect of a time lag is to make the closed-loop system more unstable in general. See the second Nyquist example in Section 2.5.3.3.

b. Bode plot method. Again using the open-loop response of the system, the phase and gain may be plotted and the Nyquist criterion used in a slightly different manner.

The gain is defined as M where:

M = 20 log10 (response argument)

and the gain and phase are plotted against frequency. Because of the loga­rithmic formulation the gains and phases can be added for multiplicative systems, so that the frequency responses of sections of the system can be easily totalled. See the example in Section 2.5.3.3.

Thus the response of the neutron kinetics can be calculated separately from the thermal characteristic response, and the feedback and each can be converted into a separate tabulation of gain and phase versus frequency which can be summed. The only diffculty occurs where multiple feedback paths exist.

The Nyquist diagram for the — 1 point is translated here into a similar one on the Bode diagram for the point of 0 dB and a phase of —180°. For mere stability, the system must have a negative gain at 180° but, in practice, for suitable operational stability one needs some damping, which is provided by a gain margin of about 20 dB (Fig. 2.29b).

Following a break in the primary circuit the following engineered safety features might be invoked by a particular design. (Naturally not all of them would be required and exactly which would be used would be a func­tion of the plant size, layout and concept details, and other safety features being used.)

Plant protective system to shutdown the reactor.

Wrapped and restrained pipework to guard or restrict pipe breakage.

Safety guard tanks around components (or minimum volume containers to restrict coolant loss).

Double pipework to avoid coolant loss.

Comparison of Earthquake Scales0

Elevated design and layout designed to minimize outflow.

Check valves to reduce loss of coolant.

Hydraulic diodes to reduce loss of coolant.

Reserve coolant volumes to provide for coolant loss.

Siphon breakers to reduce outflow.

Isolation valves to isolate the failed loop or pipe.

Multiple path design to minimize the effect of a pipe rupture.

In the failed assembly the pressure may attain 1000 psia locally which reduces to 150 psia when the whole subassembly is voided. Thus the pressure transient is roughly a very rapid rise to the peak followed by an exponential decay over the next 8-10 msec to the lower value.

If the failure is in the center of the subassembly, then explosion work (28a) has shown that the subassembly duct may only experience an atten­uated value of a third of the peak value of pressure. Static calculations for the response of the assembly duct show that even in the irradiated state the duct can withstand several hundreds of psia without failure. However, if the original failure is close to the subassembly duct wall, then the original localized pressure of 1000 psia could cause failure in the corner of a hex­agonal boundary (28b).

In any particular case, inertial calculations may be performed on the subassembly duct since the usual duct thickness is sufficient for the duct to have a natural damped vibrational mode with a period of about 1 msec. It will therefore not respond to acoustic waves generated in shorter times. Thus the duct essentially sees a steady pressure acting upon it even though this pressure may be localized. Any acoustic wave will have a very small invested energy (1 or 2 W-sec) because the relaxation time is so short (40 psec for a central pin). The questions to be answered include:

(a) Does the duct wall fail for localized pressures and over what axial extent does it do so?

(b) If the duct fails, what pressure deformation does the adjacent duct wall experience and does this deformation cause boiling of the coolant in the second subassembly?

If boiling is caused in the second subassembly, then of course this con­stitutes propagation of the failure, since there is nothing now to stop the process of damage from repeating itself though on a slower time scale.

However, calculations to date appear to show that even with considerable deformation, the adjacent assembly does not experience boiling, even when the outer coolant channels are completely constricted (28b).