Multiple-Failure Fault Tree

Both of the preceding trees are really parts of a tree that has a multiplicity of roots and branches. This is called the multiple-failure tree. It starts with many faults and traces them through the various conditions and events to many terminations. It is more generally used as a survey of the whole of a given system that may then be broken down into critical and more detailed single-failure trees and accident-process trees. It is particularly useful in defining the interrelationship between events, systems, and safety features.

Figure 1.31 shows a multiple-failure tree devoted to four major faults that might occur in a sodium-cooled system. Terminations are shown to be mainly of the safe variety (including transient but undamaging overheating), although a major accident to the core is another termination shown. Safety features abound to inhibit the accident from reaching this termination. Also shown is the importance of the plant protective system in providing for the detection of the abnormality and rapid shut-down. It is the one safety feature that applies across the board to all the faults considered.


1.6 Fault Tree Analysis

[Figure 1.31 diagram not reproduced. Labels recoverable from it: propagation; local damage; detection and shut-down; extensive core melt-down; criticality (no/yes); partial melt-down retained in core; safety; core catcher; major accident.]

Fig. 1.31. A multiple-failure fault tree for major reactor system accidents (LMFBR).

 
