RU2335025C1 - Method of control of hazardous technological process with non-stationary objects - Google Patents

Abstract

FIELD: physics.

SUBSTANCE: invention is related to analysis and assessment of technological processes safety and may be used, in particular, for analysis and assessment of safety in NPP control. According to invention, method of control of hazardous technological process with non-stationary objects includes measurement of effects on objects of technological process, determination of permissible limit values of the said effects and comparison of measured effects with permissible values for detection of technological process failures. For every detected failure multiple parts of technological process are determined, which are affected by this failure, and technological process is divided into safety intervals, for which combination of the said failures remains invariable. After that, for every safety interval analysis is carried out on transition of technological process failures from one safety interval to an other with consideration of cause-and-effect relations, and also modeling is performed by means of construction of determinist safety models with consideration of possible scenarios of transition of technological process failures to the following safety intervals. On the basis of prepared models for every safety interval failure probability is determined for equipment used for performance of technological process, and appropriate changes are introduced in the process to provide preset indices of safety.

EFFECT: possibility to assess technological processes with continuously changing safety conditions.

16 cl, 18 dwg, 13 tbl

Description

The present invention relates to the analysis and assessment of the safety of technological processes and can be used, in particular, to perform analysis and safety assessment in the management of nuclear power plants.

Until recently, when performing a probabilistic safety analysis, only a qualitative assessment of the possibility of process violations was carried out. In this case, the safety analysis, as a rule, was limited to brief characteristics of the initial events and the functional analysis of the possibility of certain process violations or damage to work items with a small list of initiating events leading to such violations.

However, the increasing complexity of technological processes, for example, processes associated with the operation of thermal power plants, in particular nuclear power plants, due to a large number of logical and functional connections, as well as the unsteadiness, from the point of view of safety, of technological processes with nuclear fuel, required the development of new approaches to address issues of analysis and safety assessment.

So, for example, in the application of the United States (US 20040086071) describes a method of controlling a nuclear power plant, which provides for the simulation of possible emergency events and applies models to analyze the safety of existing nuclear power plants. In this safety analysis includes three procedures. The first procedure is intended to make a decision on the applicability of conditions and codes and consists of steps to describe the accident scenario, select the object of assessment, confirm the basic conditions and their ranking, select the optimal code, organize documents related to codes, and make a decision on the applicability of codes. The second procedure is designed to evaluate codes and make decisions on replacing variables and consists of steps to evaluate codes and draw up an evaluation matrix, make decisions on breaking up a nuclear power plant into elements, make decisions on the accuracy of codes and experiments, make decisions on input variables of a nuclear power plant and their states associated with factors derived from the analysis of uncertainty and sensitivity, and also includes steps to calculate the sensitivity of a nuclear power plant, a static estimate of uncertainty and accept decision on finite uncertainty. The third procedure is intended for sensitivity analysis and estimation of uncertainty and consists in evaluating a systematic error that was not taken into account in the first and second procedures.

This method allows you to evaluate the safety of only existing facilities and does not allow you to develop technical requirements for ensuring safety during the modernization and development of new NPP equipment.

Known methods for reducing the task of assessing security to the selection of a suitable solution from those available in the database. According to a method for performing a computerized safety analysis of a nuclear reactor (WO 03/005376), the operation of a nuclear power plant is limited to the safe operation area, which is defined as follows: a) use the results of the safety analysis performed earlier, and b) confirm that the previously determined safe operation area is applicable to the new operating conditions of the nuclear power plant.

However, this method can only be used to determine the resource of existing nuclear power plants and the possibility of its extension.

There is also a method for assessing safety when managing a nuclear power plant (US 4,632,802), which provides continuous operation of a nuclear power plant during a failure or in the absence of readiness of one or more plant elements. The method uses a means of storing databases of logical circuits of core damage and failure probabilities. The choice of various scenarios of the station state, adjustment of the probabilities of element failures, linking the sensitivity to the risk of core damage due to element malfunction, as well as sensitivity assessment in relation to the base or control value, is provided. When conducting a safety assessment, the event / failure trees are replaced by one logical model of core damage, which allows you to simulate the interaction within the system that occurs as a result of the sharing of elements or common auxiliary systems.

This method of assessing safety can only be used during the operation of nuclear power plants, but cannot be used during design as a tool to optimize the equipment of a nuclear power plant, for example, a control system, and select the necessary and sufficient number of protections and interlocks that ensure the safety of the facility.

There is also a known method of deterministic safety analysis based on the concept of risks (EP 1378916), which includes ordering initiating events by the frequency of their occurrence, determining a threshold level for the frequency of initiating events, determining an acceptance criterion with an adjustable level of conservatism, determining the value of conservatism using a safety analysis methodology, analysis of events using the methodology of deterministic analysis in the event that the frequency of event initiation exceeds the threshold ram or events analysis using probabilistic analysis methodology, if the frequency of the event initiation is below the threshold level.

The known method also includes identifying an additional system of failures that are not directly related to initiating events, and determining a common frequency threshold value for a combination of the frequency of the initiating event and the frequency of additional failures. Next, an additional fault system is added to the safety analysis until the total frequency of the event and additional faults does not exceed the threshold frequency level.

However, it should be noted that this method allows you to determine the conditions under which it is advisable to use either probabilistic methods of analysis or deterministic methods, but does not allow, if necessary, to use the positive aspects of both groups of methods.

There is also a known method of controlling the installation (EP 0411873), which uses a modeling system using expert, probabilistic and deterministic modeling methods. This modeling system represents a system model in the form of a hierarchical structure of independent object modules interacting with each other, each of which represents an element or system. Objects are linked to each other using a database that is accessible to all objects. The structure of the object module and the hierarchical structure itself are standardized and allow you to add new elements or systems by adding standard object modules, which include an individual object model of the modeled object. The object model contains a deterministic model of element degradation, a probabilistic model of element degradation and expert rules that combine the deterministic and probabilistic models with expert knowledge in order to determine the current state of the object and make recommendations regarding future actions regarding the object.

There is also a known procedure for performing a probabilistic safety analysis of nuclear plants (Procedures for conducting probabilistic safety assessment of nuclear power plants (level 1), International Atomic Energy Agency, Vienna, 1992, STI / PUB / 888), which includes steps for collecting and analyzing the source information, selection of initiating events, defining security functions, defining functional and systemic relationships, defining criteria for successful work, grouping of initiating events, modeling sequences of events and systems, conducting qualitative and quantitative analysis.

The proposed modeling methods are suitable only for stationary, in the sense of safety conditions, systems that allow only slow changes in safety conditions associated, for example, with the degradation of elements.

These procedures are not suitable for the analysis of technological processes with constantly changing safety conditions both during individual technological operations and during technological cycles.

Transport and technological processes are characterized, as a rule, by the fact that the security conditions change significantly both during the transition from one technological operation to another, and during the execution of one technological operation. Moreover, there is a large number of logical and functional relationships between individual operations that affect the safety of the process.

This fact does not allow the use of known methods for analysis and safety assessment. Such technological processes include, for example, nuclear fuel reloading processes. The non-stationary nature of technological processes with nuclear fuel also does not allow the direct use of probabilistic safety analysis (PSA) methods to analyze the safety of these processes.

The objective of the present invention is to create a method of analysis and assessment of the safety of technological processes, which would allow a quantitative assessment of technological processes with constantly changing safety conditions, both during individual technological operations and during technological cycles using VAB computing tools.

Another objective is the creation of such a safety assessment method that could allow the formation of reasonable safety requirements for optimizing the structure of the process control system, including determining the necessary and sufficient number of protections and interlocks, in particular, technological processes for reloading nuclear fuel.

The method proposed according to the present invention allows to solve the above problems, and also provides increased reliability and reliability of the safety assessment, which is the main factor in the development of new technological processes and modernization or modification of existing processes.

Proposed according to the present invention, the method also allows for a quantitative assessment of process safety.

In addition, the proposed method can be used to assess the safety of the processes of reloading nuclear fuel and other technological processes of a high degree of danger.

According to the invention, a method for controlling a hazardous process with non-stationary objects is carried out using a data processing device, for example, a computer, and includes the following sequence of operations:

- measurement using impact sensors D _i (1 <i <n) on objects involved in the process;

- determination of the maximum permissible values of the impacts D _{i dop} ;

- comparison of the measured impacts D _i with permissible D _{i dop} to identify violations F _i = f (D _i ) of the technological process, acting as sources of danger, which can lead to exceeding the specified permissible effects D _i > D _{i dop} ;

.- determination for each detected violation F _i = f (D _i > D _{i dop} ) of the set of parts of the technological process on which this violation acts, and dividing the technological process into safety intervals R _j = {F ₁ , F ₂ , ... F _i , ... F _n } (1 <j <m), for which the totality of these violations remains unchanged

.

Further, for each safety interval R _j :

- analyze the transition of violations F _i = f (D _i > D _{i dop} ) of the technological process from one safety interval to another, taking into account cause-effect relationships;

- carry out modeling by constructing deterministic safety models taking into account possible scenarios of transition of violations F _i = f (D _i > D _{i dop} ) of the technological process to subsequent safety intervals.

Based on the obtained models, for each safety interval R _j , the probability of failure of the equipment used during the process is determined, and appropriate changes are made to the process, which allows to ensure the specified safety indicators.

Further analysis and safety assessment is carried out by performing the following operations:

- the construction of logical or logical-probabilistic models for each violation F _i = f (D _i > D _{i dop} ) based on the analysis of possible impacts D _i causing the corresponding violations F _i = f (D _i ) of the technological process, and various combinations of such effects;

- the transition from the consideration of the non-stationary technological process to the consideration of the stationary parts of the technological process based on the analysis of the distribution of the zones of action of detected violations F _i = f (D _i > D _{i dop} ) in various parts of the technological process, in particular, the analysis and assessment of safety at each safety interval R _j technological process is carried out by constructing diagrams of separation into safety intervals R _j ;

- the construction of deterministic models of safety intervals R _j taking into account possible scenarios of transition of process violations to subsequent safety intervals R _{j + 1} .

Based on these deterministic models of safety intervals, taking into account possible scenarios and logical and probabilistic models of occurrence of process violations, deterministic-probabilistic safety models of the entire technological process are further constructed.

In this case, deterministic-probabilistic safety models of the entire technological process can be constructed using previously obtained deterministic models of safety intervals R _j and / or logical-probabilistic models of occurrence of violations F _i = f (D _i > D _{i dop} ) of the technological process.

One of the features of the proposed method is that when analyzing the transition of technological process violations take into account the causal relationship between violations F _i = f (D _i > D _{i dop} ), possible violations F _i = f (D _i ) of the technological process and the protection function and locks at every stage of the process.

As violations, which are sources of danger, take violations of the process that can lead to exceeding the normative permissible impacts D _{i dop} on the nodes, parts of nodes (devices) and other objects, the effects of which are subject to normalization within the framework of this technological process and are indicated in the normative -security technical documentation.

Another feature of the method is to analyze the distribution of the zones of action of hazard sources based on the analysis of each unit area of the operation of the technological process and determine which particular sources of danger cause one or another excess of the permissible impact D _{i dop} .

Another feature of the method is the construction of logical and probabilistic models of possible violations of the technological process, in which each initial event is taken into account with the probability of its occurrence, obtained on the basis of the analysis of statistical data for this technological process.

When analyzing and assessing the safety of a technological process, non-stationary objects are considered as objects subject to safety assessment, in particular, at least one of the following: the technological process as a whole, stages and sections of the technological process, products, devices, device units, safety conditions which vary depending on the time and location of the product, unit or device, in particular, depending on at what stage or section of the process the specified e product, device or unit.

Another feature of the method is that when dividing into safety intervals, each violation F _i = f (D _i > D _{i dop} ) in each part of the considered process is taken into account for each selected safety criterion D _{i dop} .

Based on the analysis and safety assessment, they additionally optimize the structure of the process control system, and also determine reasonable indicators of equipment reliability.

Other features and characteristics of the claimed method will be described in more detail below on the example of a method for assessing the safety of the process of reloading nuclear fuel with reference to the accompanying drawings.

It should be noted, however, that this implementation example should not be construed as limiting, since the method proposed in the present invention can be used to analyze and evaluate the safety of any process in which it is required.

BRIEF DESCRIPTION OF THE DRAWINGS

Figure 1 is a diagram of the separation into stages of the technological operation "Installation of fuel assemblies in the reactor."

Figure 2 - verbal model for the analysis of process safety.

Figure 3 is a deterministic model of the transport and technological operation "Installation of fuel assemblies in the reactor."

Figure 4 - a typical logical and probabilistic model of the occurrence of NVD in the security interval.

Figure 5 - deterministic-probabilistic model of the technological process of overloading the reactor core.

6 is an enlarged structural diagram of the control system of the machine reloading.

7 is a diagram of the separation into safety intervals of the technological operation "Installation of fuel assemblies in the reactor."

Fig - deterministic model of the technological operation "Installation of fuel assemblies in the reactor."

Fig.9 is a logical-probabilistic model of the "Fall of fuel assemblies."

Figure 10 - model NVD for the security interval R07.

11 - model NVD for the security interval R19.

Fig - model NVD for the security interval R18.

Fig - model NVD for the security interval R17.

Fig - logical-probabilistic model of NVD F11 for the security interval R17.

Fig - sequence of models F123.

Fig - logical-probabilistic model of NVD F117 for the security interval R21 +.

17 is a flowchart for performing a quantitative safety analysis.

Fig. 18 is a graphical model development algorithm.

The implementation of the present invention will be further shown by the example of analysis and safety assessment of the technological process of overloading the core of the VVER-1000 reactor.

The procedure for analyzing the safety of a technological process in the core is carried out using a system for analyzing and assessing the safety of a technological process, which contains a central processor for analyzing and assessing the safety of a technological process, means for storing data on the technological process, and means for calculating probabilistic safety indicators for each type of event as well as a comprehensive safety indicator.

Data storage tools contain, on the one hand, for example, the data of normative and technological documentation that serve as initial data for the development of a list of safety criteria and a list of excesses of regulatory impacts, and on the other hand, data on a real technological process that are used in the analysis of possible violations of the process and making a list of such violations that lead to exceeding the permissible impacts.

Further, the system contains means for creating a verbal model of the technological process, including a description of operating conditions and limits, means for constructing a deterministic-probabilistic model, means for calculating probabilistic safety indicators, means for creating logical-probabilistic models, and other calculating means.

The safety analysis and assessment procedure according to the present invention consists in performing the following sequence of operations.

At the first stage, baseline information is collected, including regulatory, technical and operational documentation for the reloading machine, control system, overloaded products, technological algorithms, service area diagram, transportation and technological operations scheme and other necessary documents.

At the second stage, the analysis of the initial information is carried out, on the basis of which the following basic documents are developed:

1. The process flow chart

This scheme is presented in the form of a multi-level structure, including the process of overloading the reactor core, the technological cycle and the transport and technological operation.

The reloading process is represented in the form of a number of technological cycles, the list of which is determined on the basis of the technical conditions for the reloading machine MPS-V-1000-3 U4.2.

In general, the reloading process consists of 22 types of technological cycles with fuel assemblies (fuel assemblies), including detonation of fuel assemblies, control of the level of a fuel assembly in a reactor, inspection of sockets for a fuel assembly in a reactor; 5 types of technological cycles with elements affecting operability (cluster); 4 types of technological cycles with stopper of SODS pencil case / tight pencil case.

Each technological cycle consists of a given number of typical transport and technological operations. So, for example, according to this implementation example, the number of types of transport and technological operations of this process includes 11 types of transport and technological operations when handling FAs, 4 types of transport and technological operations when handling a cluster; 2 types of transport and technological operations when handling the stopper of a SODS pencil case / tight pencil case.

2. List of safety criteria

As safety criteria take the maximum permissible values of regulatory impacts on overloaded products.

Exceeding the permissible impact is a violation, which consists in exceeding the regulatory impact established by the regulatory and technical documents for various types of impacts on the overloaded product. In this case, the safety criterion will be the absence of excess of regulatory impacts on the object in question, in this case, for example, on an overloaded product.

Safety criteria are established on the basis of an analysis of the Norms and Rules of Rostekhnadzor and operational documentation for nuclear fuel.

An approximate list of safety criteria for overloading the reactor cores (when handling fuel assemblies) is given in table 1.

Table 1 Type of exposure Safety criteria Normative and technical document The fall of the fuel assembly FA not allowed to fall Clause 4.2.8 of the "Safety Rules for the Storage and Transportation of Nuclear Fuel at Nuclear Power Facilities" PNAE G-14-029-91 Torque No torque allowed Paragraph 8.2.7 operating manual "COMPLEX CASSETTE VVER-1000" 0401.22.00.000 RE Side kick Impact of the rod of the reloading machine transporting fuel assemblies with the designs of the reactor or holding pool is not allowed Clause 6.5.11 of the "Safety Rules for the Storage and Transportation of Nuclear Fuel at Nuclear Power Facilities" PNAE G-14-029-91

Extraction / Installation Force The extraction force should not exceed 2205 N. The installation force should not exceed 735 N Paragraph 8.2.4 operating manual "COMPLEX CASSETTE VVER-1000" 0401.22.00.000 RE Compression force The amount of compression force should not exceed 9800 N Paragraph 8.2.3 operating manual "COMPLEX CASSETTE VVER-1000" 0401.22.00.000 RE Extreme upper position of fuel assemblies Raising spent fuel assemblies above a mark that provides an appropriate layer of water from the safety conditions of personnel managing the reloading of nuclear fuel is not allowed Clause 6.5.11 of the "Safety Rules for the Storage and Transportation of Nuclear Fuel at Nuclear Power Facilities" PNAE G-14-029-91 Bending force No bending force allowed Clause 6.5.11 of the "Safety Rules for the Storage and Transportation of Nuclear Fuel at Nuclear Power Facilities" PNAE G-14-029-91 Tensile force The maximum force during the extraction of fuel assemblies in the reactor at the initial section of 40 mm should not exceed 39,200 N Clause 8.2.5 of the operation manual "COMPLEX CASSETS VVER-1000" 0401.22.00.000 TO Self-destruction of fuel assemblies Overloading fuel assemblies with mechanical damage (separation of individual parts or parts of assemblies) is not allowed Clause 10.6 operating manual "COMPLEX CASSETTE VVER-1000" 0401.22.00.000 RE TVS overheating Overloading fuel assemblies while lowering the water level in the holding pool is not allowed Clause 4.2.11 of the "Safety Rules for the Storage and Transportation of Nuclear Fuel at Nuclear Power Facilities" PNAE G-14-029-91

3. The list of violations of the process and operating conditions that can lead to NVD

As violations of the technological process of overloading the active zone, violations of normal operation are accepted, which, in general, are reduced to the following:

- unauthorized movements of mechanisms;

- unauthorized speeds of movement of mechanisms;

- unauthorized directions of movement of mechanisms;

- error of the mechanism reaching the given coordinates;

- finding the mechanism is not in the set position;

- finding the overloaded product in a position that does not correspond to a given position;

- the presence of foreign objects in the area of location of overloaded products;

- deviation of geometry of overloaded products;

- loss of energy supply;

- seismic effects, etc.

Violations of the process are divided into two groups:

- violation of the action, for example, unauthorized movement of the bridge;

- violation of the state, for example, the capture of fuel assemblies is in an intermediate position.

The total number of violations of the technological process considered in the framework of this process is 55, of which 16 NTP are violations of the state.

4. Scheme for the separation of transport and technological operations into intervals with constant security conditions

The next step is to develop a diagram of the separation of transport and technological operations into intervals for which the safety conditions remain constant.

The procedure for constructing a scheme for dividing transport and technological operations into intervals with unchanged safety conditions will be considered in relation to the operation "Installation of fuel assemblies in the reactor".

First, make up a table containing information about the _NVD D _idop , the corresponding sources of danger and the zones of action of the sources of danger. The zone of action of the source of danger determines those areas of the technological operation where sources of danger can lead to unacceptable influences. For example, for some security criteria, a table may look like this (table 2).

table 2 Safety criterion D _idop Hazard source F (D _i ) Hazardous area The fall of the fuel assembly (P1) Unauthorized opening of fuel assembly capture Start - transport position with fuel assemblies. End - the fuel assembly shank is at a distance of 100 mm to the installation site Torque (P2) Unauthorized rotation of the working bar Start - the shank of the installed fuel assembly is at the level of the heads of the standing fuel assemblies. End - fuel assembly is installed in the reactor socket Compression Force (P5) Moving capture of fuel assemblies from fuel assemblies down at unauthorized speed Start - the fuel assembly shank is located at a distance of 100 mm from the installation site of the fuel assembly into the reactor socket. End - fuel assembly is installed in the reactor socket

Next, build a distribution diagram of the coverage area of the AI in various parts of the analyzed TO (figure 1).

In this case, the technological process is represented in the following coordinate system.

On the horizontal axis cause the start and end points of the sources of danger. On the vertical axis cause points corresponding to possible types of damage (NVD). Then, for each source of danger, a zone of its action is built, showing it with a horizontal line. Then, through the start and end points of the obtained hazard zones, draw vertical lines (shown by dashed lines) that divide the entire process operation into intervals for which the conditions for exceeding safety limits remain unchanged, i.e., for example, the number and types of possible damage to fuel assemblies .

The obtained safety intervals are stationary, in the sense of safety conditions, objects for which standard PSA calculation methods are applicable.

Thus, the entire process is presented in the form of series-connected safety intervals. Moreover, the safety intervals are interconnected not only by the order of execution of individual technological operations, but also by cause-effect relationships of technological process violations occurring at these intervals.

5. Table of distribution of violations

This table is compiled on the basis of the analysis of the transition of process violations from one safety interval to another.

A feature of many transport and technological operations, in particular, operations for reloading nuclear fuel, is the fact that a violation of the technological process of reloading that occurred at any interval of the technological process may not lead to MPE on the reloaded product at this interval, but be transferred to subsequent intervals of the technological process, at which MPE can occur on the reloaded product. For example, during the interval the fuel assemblies move to the transport position, a process violation may occur as a result of which the fuel assemblies will not be raised to the desired level and its lower part will protrude beyond the dimensions of the working rod. At the considered interval, this violation cannot lead to damage to the fuel assemblies, however, in the future, when the fuel assemblies move through the transport corridor, it can bend when interacting with structural elements of the transport corridor.

The specified feature of the technological process leads to the need to analyze the process of distribution of violations in the technological process. In this regard, the "Rules for the propagation of process violations" (Rules) were developed, which are used to analyze the transition of process violations from one safety interval to another.

Then make a summary table of the distribution of violations, which lists all possible violations of the process and all the safety intervals that make up this operation. Filling in this table is carried out using the previously developed Rules. For example, for the first three safety intervals of the operation “Installing fuel assemblies”, the table will look as follows (table 3).

Table 3 Legend Name of violation BI 1.15 BI 1.16 BI 1.17 ... Vh. Out Vh. Out Vh. Out H 2.1.6.1 the bridge is not at the required coordinates of the installation / extraction of fuel assemblies + × + + × + + 2 - H 2.2.6.1 the trolley is not at the coordinates required to install / remove the fuel assemblies + × + + × + + 2 - H 2.2.6.2 the cart is not at the required coordinates of the entrance to the transport corridor - four - - four - - four - H 2.4.7.1 ZTVS with fuel assembly is located above the “transport position with SP” + one - - one - - one - H 2.4.7.2 ZTVS with fuel assembly is located below the "transport position with SP" + one - - one - - one - H 2.4.7.3 ZTVS with a seized fuel assembly is in the "transport position with the product" - four - - four - - four - H 2.4.7.4 ZTVS is not at the required coordinates of the installation / extraction of fuel assemblies (in height) - four - - four - - - - H 2.5.7.1 discrepancy between the actual position of the fuel assembly capture - the capture is open - to the required - 2 - - 2 - - 3 - H 2.5.7.2 discrepancy between the actual position of the fuel assembly capture - the capture is closed - to the required - four - - four - - four - H 2.5.7.3 grip lock is in intermediate position + × + + × + + × + H 2.7.7.1 RS is not at “0 °” (desired position) + × + + × + + × + H 2.7.7.2 RS is not at “45 °” (desired position) - four - - four - - four - H 10 Fuel assembly is not installed in the reactor socket - four - - four - - - - etc.

In this table, the signs "+", "-" indicate the presence or absence of the possibility of a violation at the entrance and exit of the safety interval, the numbers "1" - "6" correspond to the numbers of the rules for the distribution of violations of the process, which are, for example, in the following.

Rule 1: the action of the violation of the technological process ends with the beginning of the regular movement of the mechanism. For example, the effect of a process violation "Error in the bridge reaching the specified coordinates" is terminated after the start of the regular movement of the bridge.

Rule 2: the possibility of a violation of the technological process is excluded provided that the safety interval is implemented in accordance with the technological process, which would be impossible if the violation were considered. For example, the installation of a fuel assembly in the reactor socket terminates the following violations: "Work rod is not at 0 degrees," "The bridge or trolley is not at the coordinates of the extraction / installation of the overloaded product," etc.

Rule 3: the effect of the violation of the technological process (NTP) ceases when the violation of the technological process unconditionally exceeds the permissible impact (MPE). For example, the unauthorized opening of a fuel assembly capture during transportation of fuel assemblies (STP) certainly leads to a fall in fuel assemblies (MPE).

Rule 4: a process violation ceases to be valid at that safety interval where the violation is not a process violation for a given safety interval. For example, a violation of the technological process. The position of the fuel assembly capture “The capture of the fuel assembly is open” ceases to exist after the assembly of the fuel assembly in its regular place.

Rule 5: the effect of a process violation is not considered if it does not allow a regular operation to be performed, but it does not lead to NVD. For example, if you move down a fuel assembly capture located in the “Fuel capture is closed” position, the fuel assembly capture will not land on the fuel assembly, however, this will not create conditions leading to damage to the fuel assembly.

Rule 6: violations of the process associated with violations of normal operation (foreign objects, deviations in the geometric dimensions of the service area, overloaded products, etc.) are considered to have occurred when violations begin to affect the safety of the process. For example, a foreign object located in the reactor socket is not considered as a violation of the technological process until the fuel assemblies are installed in the reactor socket where this object is located. A foreign object in the reactor nest may cause the fuel assembly not to fall into place and a fuel assembly may fall further.

Next, on the basis of these documents form a verbal model for the analysis of the safety of the process (figure 2).

At the third stage, process modeling is carried out, which is performed in the following sequence.

On the basis of the spread table obtained earlier, a deterministic-probabilistic model of the technological operation is built taking into account the possible transition of process violations to subsequent safety intervals (Fig. 3). This model is a set of safety intervals. At the same time, violations of the technological process that occurred at a given safety interval, as well as violations of the technological process that were transmitted from the previous one and caused an excess of the permissible impact at this interval or may cause excess of the permissible impact at subsequent intervals, are considered.

This model takes into account all possible scenarios and ways of development of events and allows a qualitative assessment of the safety of this technological operation. The results of this analysis can be used both independently and for the subsequent quantitative assessment of process safety.

Next, build logical or logical-probabilistic models of the occurrence of each excess of the permissible impact for each safety interval (figure 4). At the same time, such violations of the technological process that occurred at a given safety interval or come from the previous one and caused an excess of the permissible impact at this interval are considered. Also take into account external influences and the protection and blocking available at a given safety interval. Moreover, to obtain quantitative indicators, each violation of the technological process or failures of protections and interlocks are taken into account with the corresponding probabilistic indicator of its occurrence.

Incoming influences can be, for example: accidental impact on the keyboard; issue by the operator of an erroneous command; failure of the remote control (RC) of the control system according to the control function; failure of the software and hardware complex (PTC) of the control system by the control function; failure of the electrical equipment complex (CE) of the control system by the control function.

External incoming influences can be, for example: equipment failures (reloading machine and control system of the reloading machine); operating personnel errors; deviations of the geometric dimensions of the reloaded products from the design dimensions; deviations of geometrical dimensions: fuel assemblies in the reactor, cells of the racks of the storage pool, covers for fresh fuel and a container for spent fuel from the design dimensions; structural elements of the service area not foreseen by the project; foreign objects in the service area; decrease in water level due to leakage of the lining of the aging pool; complete cessation of energy supply; seismic impact.

Protections and interlocks may include, for example, protections and interlocks implemented in the structure of the control system of the reloading machine. Protections and interlocks are divided into two groups: general protections and interlocks and protections and interlocks for each mechanism of the reloading machine.

According to the method of implementation, the groups of protections and interlocks are distributed in the structure of the control system as follows:

- remote control - protection;

- software and hardware complex - protection and blocking;

- a complex of electrical equipment - protection and blocking.

This method of distributing protections and interlocks allows for defense in depth and using the principle of independence in the formation of certain protections and interlocks aimed at ensuring the limits and conditions of safe operation.

Depending on the goals and objectives of the safety analysis of the technological process, various modifications and combinations of the described models are possible, for example, deterministic models of operations and logical-probabilistic models of technological process violations.

For example, sequentially combining deterministic-probabilistic models of technological operations, they build a model of the technological cycle, and then a model of the entire process of overloading the reactor core (Fig. 5).

The model of the overload process provides the ability to determine a comprehensive safety indicator, as well as quantitative safety indicators for each safety criterion.

At the fourth stage, probabilistic safety indicators for the technological process of overloading the core are calculated using the certified Risk Spectrum Professional design complex.

The procedure for calculating quantitative probabilistic safety indicators (safety criteria) is performed in the following sequence:

- introduce a model of the process of reloading into the calculation complex;

- assign probabilistic characteristics of possible violations of the process;

- designate the reliability characteristics of protections and interlocks;

- perform the necessary calculations and analysis of the results;

- present the results of the calculation of probabilistic safety indicators of the transport and technological operation "Installation of fuel assemblies";

- present the results of an analysis of the impact of individual protections and interlocks on probabilistic safety indicators.

At the fifth stage, safety indicators are analyzed that characterize the contribution of individual transport and technological operations and individual protections and interlocks to the overall safety indicator of the core overload process.

At the sixth stage, proposals and recommendations are developed to improve the design and circuit solutions of the reloading machine and control system.

At the seventh stage, recommendations are developed to improve the safety level of nuclear power plants during transport and technological operations with nuclear fuel.

The following is a variant of the quantitative safety assessment of the technological operation “Installation of fuel assemblies in the reactor” for a VVER-1000 type reactor, performed using the claimed method of analysis and safety assessment of a transport and technological process of increased danger.

The object of analysis is the technological complex for reloading the active zone of the reactor installation, including the reloading machine (MP), the MP control system, the structural diagram of which is shown in Fig. 6, the overload zone (reactor), overloaded products (FA), which are considered taking into account possible technological violations the process of overloading, equipment failures, deviations in the geometry of reloaded products (PI) from design, personnel errors, etc.

The control system of the reloading machine (Fig. 6) contains a remote control 1, a hardware and software complex for channel A 2, a software and hardware complex for channel B 3, a logical processing unit 4, a complex 5 of electrical equipment (CE) for controlling actuators, channel A sensors and In (not shown).

In this example, one type of TID is considered - “Fall of fuel assemblies” (see table 1), i.e. the probability of a fuel assembly dropping during the operation "Installation in the reactor" is estimated.

At the first stage, a detailed analysis of the overload process is performed on the basis of data from normative and technical documentation and information on the effects of D _i (1 <i <n) on objects participating in the transport and technological process during the operation "Installation in the reactor" obtained from sensors of the control system (Fig.6). Based on the analysis, a table is formed of the possible causes and conditions for the occurrence of NVD for each safety criterion D _{i dop} for this operation, which are shown in table 4.

Table 4 Safety criterion Impact D _i Failure conditions Fall of fuel assemblies D _idop Unauthorized opening of a fuel assembly capture while moving a fuel assembly A “fall” can occur when the fuel assembly shank is higher than the installation level by more than 50 mm Relocation of fuel assemblies with incompletely closed capture of fuel assemblies A “fall” can occur when the fuel assembly capture spontaneously opens, when a movable fuel assembly is located on vertical and horizontal sections of the technological process Unauthorized opening of a fuel assembly capture after installing a fuel assembly not in the reactor socket (not in a regular place) "Fall" can occur when the capture of fuel assemblies with fuel assemblies Moving the "picked up" fuel assembly: A “fall” of a “picked up” fuel assembly can spontaneously occur in vertical and horizontal sections of the technological process - as a result of jamming of fuel assemblies during landing or gathering of fuel assemblies from the fuel assembly head - with incomplete opening of the fuel assembly capture TVS capture cable break A “fall” can occur when the fuel assembly shank is higher than the installation level by more than 50 mm The destruction of the power circuit capture the fuel assembly Destruction of the power circuit of the ZTVS displacement mechanism

Based on the data obtained, a list of technological process violations (NTP) F = f (D _i ) and operating conditions that directly lead to NVD in the operation "Installation of fuel assemblies in the reactor", i.e. violations for which D _i > D _{i dop} shown in table 5.

Table 5 NTP designation Name of NTP F06 Bridge output not at specified coordinates F12 Trolley exit not to specified coordinates F19 Unauthorized movement of the fuel assembly capture above the coordinate of the fuel assembly installation when opening the HAZ F20 Moving the capture of fuel assemblies while the retainer of the capture of fuel assemblies is in the intermediate position F31 Stop locking the fuel assembly capture in the intermediate position F33 Incomplete opening of fuel assembly capture F34 Incomplete closure of fuel assembly capture F40 The bridge is not at the coordinates of the fuel assembly installation F41 The cart is not at the coordinates of the fuel assembly F46 The capture of fuel assemblies is not at the coordinates of the fuel assembly installation (in height) F52 The fuel assembly capture latch is in an intermediate position F55 FA is not in the reactor socket due to the exit not to the horizontal coordinates of the installation F56 Installation of fuel assemblies not in the reactor cavity due to equipment failures (horizontal) F57 Opening of the HAZ when finding the HAZ not at the vertical coordinates of the installation F64 The movement of the MP mechanisms when jamming the HAZ (when handling fuel assemblies) F66 Moving the picked up fuel assembly according to the technological process F67 Moving the capture of fuel assemblies when picking up fuel assemblies F68 Unauthorized opening of the HAZ when installing a fuel assembly not at the horizontal coordinates of the installation F73 Obstruction to the movement of fuel assemblies during installation due to equipment failures and violations of operating conditions F75 Obstruction of fuel assembly movement during installation due to deviation of installed fuel assemblies from vertical position F76 Obstruction of the installation of fuel assemblies in the reactor socket (loaded zone) due to equipment failures and violations of operating conditions F79 Obstruction of the installation of fuel assemblies in the reactor socket (free zone) due to equipment failures and violations of operating conditions F117 Installation of fuel assemblies not in the reactor socket F118 Unauthorized movement of the latch in the direction of opening the capture of the fuel assembly during vertical movements F123 The capture of fuel assemblies is open when the fuel assembly is not installed in the reactor socket F124 FA not in the reactor socket due to the exit not to the vertical coordinates of the installation

In table 5 and below, the designations of scientific and technical progress and other events used in the safety analysis of nuclear fuel reloading of one of the power units of the Russian NPP are used.

At the next stage, the transport and technological operation “Installation of fuel assemblies in the reactor” is divided into intervals R _j (1 <j <m) with unchanged safety conditions.

This operation includes the following actions:

- moving fuel assemblies from the transport position down to the reactor jack;

- installation of fuel assemblies in the reactor socket;

- opening the capture of fuel assemblies;

- gathering of fuel assemblies from the fuel assembly head;

- moving the empty grip up to the transport position.

To divide the specified operation into intervals with constant security conditions (BI), a table (Fig. 7) is compiled similar to the table shown in Fig. 1.

As a result, the technological operation is divided into the following technological intervals:

R17 - Moving fuel assemblies down to the position of the shank of the fuel assembly 200 mm above the level of the heads of the fuel assemblies.

R18 - fuel assembly down to the position of the shank of the fuel assembly, corresponding to the level of the heads of the fuel assembly.

R19 - Moving the fuel assembly shank from the level of the fuel assembly heads to the level of the reactor socket.

R21 - Installation of fuel assemblies in the reactor socket.

R23 - Moving the latch to the position “CAPTURE OF TVS OPEN”.

R26 - Descent of the capture of fuel assemblies with PI in the reactor.

R07 - Moving the capture of fuel assemblies by 4770 mm above the level of the PI heads in the reactor.

R19 - Moving the capture of fuel assemblies in the transport position without PI in the reactor.

An analysis of the scientific and technical progress obtained at the previous stage shows that there are such scientific and technological progress that, after their occurrence, may not immediately lead to NVD, but may remain for some time during the technological process. In this example, these NTPs include the following:

F40 - The bridge is not at the coordinates of the fuel assembly installation.

F41 - The cart is not at the coordinates of the fuel assembly installation.

F46 - The capture of fuel assemblies is not at the coordinates of the fuel assembly installation (in height).

F52 - The catch lock of the fuel assembly is in the intermediate position.

F55 - fuel assemblies are not in the reactor cavity due to the exit to the horizontal coordinates of the installation.

F66 - Movement of the picked up fuel assembly according to the technological process.

F123 - The capture of fuel assemblies is open when the fuel assembly is not installed in the reactor socket.

For these STPs, a table of the distribution of violations by the safety intervals included in the considered technological operation is compiled (table 6). Table 6 is filled in accordance with the Rules for the dissemination of violations of the process. If necessary, the numbers of the Rules are indicated in the table by numbers.

Table 6 NTP designation F40 F41 F46 F52 F55 F66 F123 R17 Vh. + + - + - - - × × four Out + + - + - - - R18 Vh. + + - + - - - × × four Out + + - + - - - R19 Vh. + + - + - - - Out + + + + - - - R21 Vh. + + + + - - - 2 2 Out - - + + + - - R23 Vh. - - + + + - - one Out - - + - + - + R26 Vh. - - + - + - + 3 3 Out - - - - - + + R07 Vh. - - - - - + + 3 Out - - - - - + - R08 Vh. - - - - - + - Out - - - - - + -

Next, form a table of cause-effect relationships of NVD and STP (table 7). In this example, the table is filled in for only one type of NVD - "Fall of fuel assemblies".

Table 7 is formed for each safety interval based on the data given in the table of causes and conditions for the occurrence of NVD (table 4) and a list of STPs that can directly lead to NVD (table 5).

For clarity of the considered example, the analysis was performed only for some STPs (from the list of STPs compiled earlier), which can lead to NVD, namely STPs associated with the possibility of unauthorized opening of the fuel assembly capture during vertical movement of fuel assemblies and with the possibility of installing fuel assemblies not in the reactor socket . When a fuel assembly is not installed in the reactor socket during subsequent opening of the fuel assembly capture and its descent from the fuel assembly head, the latter may fall. The results of the analysis of causal relationships of NVD and STP are shown in table 7.

Table 7 BI designation Safety criterion Process violations Name of NTP NTP designation R17 The fall of the fuel assembly Unauthorized movement of the latch in the direction of opening the capture of the fuel assembly during vertical movements F118 R18 F118 R19 F118 R21 FA not in the reactor socket due to the exit not to the vertical coordinates of the installation F124 R23 The capture of fuel assemblies is open when the fuel assembly is not installed in the reactor socket F123 R26 F123 R07 - - R08 - -

The results of the analysis allow us to build a deterministic model for analyzing and assessing the probability of a fuel assembly dropping on the operation “Installing a fuel assembly in a reactor”.

The deterministic model is built on the basis of the separation of operations on BI and the data given in tables 4, 5, 6, 7, taking into account the accepted restrictions on the STP under consideration. A graphical representation of the deterministic model is presented in Fig. 8.

As shown in Fig. 8, a fuel assembly dropping during the operation "Installing a fuel assembly into a reactor" for the reasons chosen for the considered example can occur at intervals R17, R18, R19, R07.

In Fig. 8, dashed lines show the technological connections between the intervals of the technological process, and solid, with the designation of violations, show the propagating violations or violations, passing from one BI to another.

At the next stage, a logical-probabilistic model (LAN) is used, which is used for analysis and assessment of overload safety.

First, the NVD LAN (FA assembly) is built on the operation in question. A graphic image of this model is shown in Fig.9.

For the event "Fall of fuel assemblies" in the technological operation, the designation D01 is adopted. For the event "Fall of fuel assemblies" at any interval, the designation of the corresponding interval is added to the designation D01. A similar rule applies to NTP, i.e. if STP occurs at any interval, then the interval designation is added to the STP designation.

, изображенный под событиями модели, показывает, что это событие является следствием других событий и для него будет создана своя ЛВМ. Знак

, изображенный под событием, показывает, что это событие не предполагает рассматривать его как следствие других событий, т.к. для него может быть назначен вероятностный показатель появления этого события.Sign

, depicted under the events of the model, shows that this event is a consequence of other events and a personal computer will be created for it. Sign

, depicted under the event, shows that this event does not intend to consider it as a consequence of other events, because a probabilistic indicator of the occurrence of this event can be assigned to it.

As shown in FIG. 9, event D01 in a process operation corresponds to the logical sum of events D01RXX on each BI.

Next, on the basis of table 7 build models of NVD on the BI, which are shown in figure 10, 11, 12 and 13, respectively.

An analysis of these models shows that they include STPs, which themselves are a consequence of other STPs and separate models should be built for them. Such NTPs include F118R17, F118R18, F118R19 and F123R07 +.

To build such models, it is necessary to determine the list of initiating events that can lead to the indicated violations and to identify those protections and locks of the control system that can prevent or stop the development of these initiating events. This information can be obtained as a result of the analysis of technical documentation for the MP control system. The specified list of initiating events for the operation in question is given in table 8.

Table 8 NTP designation Triggering Events Failures of protections and locks Name Designation Name Designation F118 Erroneous operator command to open the air conditioning system I061 Failure to protect the remote control to prohibit the opening of the HAZ during vertical movement of fuel assemblies FP007 Spontaneous issuance of a remote control command for the opening of the air conditioning I062 Failure of the PTK protection to prohibit the opening of the HAZ during vertical movement of fuel assemblies FP033 Spontaneous issuance of a PTK command for the opening of a ZTVS I063 - - F123 A fuel assembly is not in the reactor socket due to not reaching the installation coordinates vertically (foreign object in the reactor socket) F124 Failure of the PTK protection to prohibit the opening of a HAZ when installing a fuel assembly above the required level FP063

On Fig shows the LAN F118R17. Similar models are built for R18 and R19.

NTP F123 is a pervasive violation (see Table 6), therefore, to evaluate the probability of F123 on R07, a sequence of F123 models should be constructed for all BIs. These models are shown in Fig. 15. The relationship of models of different intervals is shown by dashed lines.

The STP F123 occurs on the interval R23 as a result of the failure of protection FP063 when the fuel assembly is not installed in the reactor socket (F117). Thus, it is necessary to build another model - F117R21 +.

Installation of fuel assemblies not in the reactor socket can occur for a number of reasons. For this example, one case was considered, namely, the installation of a fuel assembly not in the reactor socket due to the ingress of a foreign object into the reactor socket. LAN F117R21 + for this case is shown in Fig.16.

All the constructed models are combined into one common model of fuel assembly dropping during the operation “Installation of fuel assemblies in the reactor”.

As a rule, due to cumbersomeness, the physical union of individual models into one is not performed.

The union is carried out by organizing links from events of a higher-level model to the upper event of lower-level models. This method is used, for example, when using the Risk Spectrum software package (RELCON, Sweden) for model formation and calculations.

, являются базовыми событиями, для которых назначаются вероятностные показатели. В рассматриваемом примере к ним относятся FP063, F070, I061, FP007, I062, FP033, I063.Model events indicated by

are basic events for which probability indicators are assigned. In this example, these include FP063, F070, I061, FP007, I062, FP033, I063.

The initial data on the probability of basic events are taken from a safety analysis performed for one of the power units of nuclear power plants with a VVER-1000 type reactor, and are shown in Table 9.

Table 9 Event designation Event name The probability of the event P (F _Di ) FP063 Failure of the PTK protection to prohibit the opening of a HAZ when installing a fuel assembly above the required level 5 * 10 ^-3 F070 Foreign object in reactor cavity 6 * 10 ^-3 I061R17 Erroneous operator command to open the air conditioning system 5.4 * 10 ^-2 I061R18 2.7 * 10 ^-2 I061 R19 4.12 * 10 ^-1 FP007 Failure to protect the remote control to prohibit the opening of the HAZ during vertical movement of fuel assemblies 6.24 * 10 ^-3 I062R17 Spontaneous issuance of a remote control command for the opening of the air conditioning 8.1 * 10 ^-5 I062R18 4.05 * 10 ^-5 I062R19 6.18 * 10 ^-4 FP033 Failure of the PTK protection to prohibit the opening of the HAZ during vertical movement of fuel assemblies 5 * 10 ^-3 I063R17 Spontaneous issuance of a PTK command for the opening of a ZTVS 5,4 * 10 ^-5 I063R18 2.7 * 10 ^-5 I063R19 4.12 * 10 ^-4

The probability of events was calculated taking into account the total number of operations to install fuel assemblies in the reactor performed in the process of core reloading.

Calculations and analysis of the results were performed using the Risk Spectrum software package [Risk Spectrum PSA Professional 1.20 / Theory Manual - RELCOM AB, 1998. - 57 p.].

The calculation results are shown in table 10.

Table 10 MCO No. Probability P (ΣF _i ) Contribution,% Event F ₁ Event F ₂ Event F ₃ Event F ₄ one 1,70E-07 39.27 I063R19 A I063R19V 2 1,50E-07 34.71 F070R21 FP063 A FP063 V 3 6.43E-08 14.87 FP007 FP033 A FP033V I061R19 four 1,55E-08 3.57 FP033 A FP033V I062R19 5 8.42E-09 1.95 FP007 FP033 A FP033V I061R17 6 5.30E-09 1.23 FP007 FP033V I061R19 I063R19 A 7 5.30E-09 1.23 FP007 FP033 A I061R19 I063R19V 8 4.21E-09 0.97 FP007 FP033 A FP033V I061R18 9 2.92E-09 0.67 I063R17 A I063R17V 10 2.03E-09 0.47 FP033 A FP033V I062R17 eleven 1,27E-09 0.29 FP033 A I062R19 I063R19V 12 1,27E-09 0.29 FP033V I062R19 I063R19 A 13 1.01E-09 0.23 FP033 A FP033V I062R18 fourteen 7.29E-10 0.17 I063R18 A I063R18 V fifteen 9,10E-11 0.02 FP007 FP033V I061R17 I063R17 A 16 9,10E-11 0.02 FP007 FP033 A I061R17 I063R17V 17 2.27E-11 0.01 FP007 FP033 A I061R18 I063R18 V eighteen 2.27E-11 0.01 FP007 FP033V I061R18 I063R18 A 19 2.19E-11 0.01 FP033V I062R17 I063R17 A twenty 2.19E-11 0.01 FP033 A I062R17 I063R17V 21 5.47E-12 0 FP033V I062R18 I063R18 A 22 5.47E-12 0 FP033 A I062R18 I063R18 B The total value of the probability of a fall in the fuel assembly 4,322E-07

In the table, along with the general value of the probability of a fuel assembly dropping during the operation “Installing a fuel assembly into a reactor”, the probabilities of individual minimum cross sections (MES) are given, which make it possible to determine the groups of basic events that most affect the probability of a fuel assembly dropping.

In engineering practice, the most common is the analysis of the significance of basic events by the Fussell-Veselu coefficient (FV). The FV coefficient shows how much (if measured in%), the probability of the estimated event (fuel assembly drop) will decrease if each of the components of the system becomes completely unreliable. The simplicity of interpretation of the FV coefficient makes it possible to use it to formulate recommendations for eliminating weaknesses in the analyzed object of analysis.

The values of the FV coefficients for the considered base events are given in table 11.

Table 11 No. Base Event Designation Description of the underlying event Fv one I063 Spontaneous issuance of a PTK command for the opening of a ZTVS 4,079 * 10 ^-01 2 FP063 Failure of the PTK protection to prohibit the opening of a HAZ when installing a fuel assembly above the required level 3.47 * ^10-01 3 F070 Foreign object in reactor cavity 3.47 * ^10-01 four FP033 Failure of the PTK protection to prohibit the opening of the HAZ during vertical movement of fuel assemblies 2,362 * ^10-01 5 FP007 Failure to protect the remote control to prohibit the opening of the HAZ during vertical movement of fuel assemblies 2.03 * ^10-01 6 I061 Erroneous operator command to open the air conditioning system 1,732 * 10 ^-01 7 I062 Spontaneous issuance of a remote control command for the opening of the air conditioning 4,164 * 10 ^-02

An analysis of the obtained results shows that the basic events I063, FP063, and F070 (FV = 0.347 ÷ 0.408) have the greatest influence on the probability of a FA failure. The first two events are associated with PTK failures (according to the control function and the protection function).

The basis of the PTC (software and hardware complex) are the controllers, which are loaded with a control program and a program that implements the work of protections and locks. Failures of the hardware and software complex can be caused by a failure of hardware or software failures (software), which are associated with the presence of software errors that were not identified during the setup and testing. However, if the software has been operating on several objects for a long time without manifesting defects, then the probability of failure due to software errors can be considered negligible. The probability of failure of the technical means of the controller depends on the reliability of its components and the quality of manufacture of the controller. As a rule, controllers of various types, manufactured by different manufacturers, have different reliability characteristics and this makes it possible, if necessary, to replace some products with others that have the same functionality, but better reliability.

An analysis of the reliability of programmable controllers produced by leading companies shows that controllers can be used in the PTC, the reliability of which is several times higher than the reliability of existing equipment.

The following shows how this replacement will affect the likelihood of a fuel assembly dropping.

For the PTC based on the new controllers (Siemens), data on the probability of basic events are given in Table 12.

Table 12 Event Designation (F _i ) Event name The probability of the event P (F _i ) FP063 Failure of the PTK protection to prohibit the opening of a HAZ when installing a fuel assembly above the required level 1.25 * 10 ^-3 FP033 Failure of the PTK protection to prohibit the opening of the HAZ during vertical movement of fuel assemblies 1.25 * 10 ^-3 I063R17 Spontaneous issuance of a PTK command for the opening of a ZTVS 1.35 * 10 ^-5 I063R18 0.675 * 10 ^-5 I063R19 1.03 * 10 ^-4

The probability data for the remaining base events remain the same (see table 10).

Next, a re-calculation of the probability of a fall in the fuel assembly is carried out. The calculation results are summarized in table 13.

Table 13 MCO No. Probability P (ΣF _i ) Contribution,% Event F ₁ Event F ₂ Event F ₃ Event F ₄ one 1,06E-08 39.24 I063R19A I063R19V 2 0.93E-08 34.43 F070R21 FP063 A FP063 V 3 4.01E-09 14.84 FP007 FP033 A FP033V I061R19 four 0.97E-09 3,59 FP033A FP033V I062R19 5 5.26E-10 1.95 FP007 FP033 A FP033V I061R17 6 3.31E-10 1.23 FP007 FP033V I061R19 I063R19 A 7 3.31E-10 1.23 FP007 FP033 A I061R19 I063R19V 8 2.62E-10 0.97 FP007 FP033 A FP033V I061R18 9 1.82E-10 0.67 I063R17 A I063R17V 10 1,27E-10 0.47 FP033 A FP033V I062R17 The total value of the probability of a fall in the fuel assembly 2,701E-08

The result shows that the probability of a fuel assembly dropping when using controllers with higher reliability has decreased by more than 10 times (the previous value is 4.322E-07).

Thus, a targeted change in the characteristics of the control system leads to an effective reduction in the likelihood of damage to overloaded products.

The considered example is illustrative and does not characterize the probability of a fuel assembly dropping during reactor overload, because the analysis took into account only a small part of possible violations of the technological process and did not take into account the possibility of a fuel assembly dropping in other operations.

The considered example is illustrative and does not characterize the probability of a fuel assembly dropping during reactor overload, because the analysis took into account only a small part of possible violations of the technological process and did not take into account the possibility of a fuel assembly dropping in other operations.

Claims (16)

1. A method of controlling a hazardous process with non-stationary objects, including measurement using sensors of impacts D _i (1 <i <n) on objects involved in the technological process, determination of the maximum permissible values of the impacts D _{i dop} , comparing the measured impacts D _i with the permissible D _{i dop} to detect violations F _i = f (D _i ) of the technological process, in which D _{i dop} > D _{i dop} , characterized in that for each detected violation F _i = f (D _i > D _{i dop} ), the set of parts of the technological process on which this violation acts is determined and the technological process is divided into safety intervals R _j = {f ₁ , f ₂ , ... F _j , ... F _n } (1 <j <m), for which the totality of these violations remains unchanged

for each safety interval R _j : analyze the transition of violations F _i = f (D _i > D _{i dop} ) of the technological process from one safety interval to another, taking into account cause-effect relationships; Modeling is performed by constructing a deterministic safety models taking into consideration possible scenarios of transition violations _{F i = f (D i>} D _Imax) process on the subsequent safety intervals, and on the basis of the obtained models for each safety interval R _j , the probability of failure of the equipment used during the process is determined, and appropriate changes are made to the process to ensure the specified safety indicators. 2. The method according to claim 1, characterized in that it further includes the construction of logical or logical-probabilistic models for each violation F _i = f (D _i > D _{i dop} ). 3. The method according to claim 2, characterized in that the logical or logical-probabilistic models are built on the basis of the analysis of the possible effects of D _i causing the corresponding violations F _i = f (D _i ) of the process, and various combinations of such effects. 4. The method according to claim 1, characterized in that at least one of the following is considered as non-stationary objects: the technological process as a whole, stages and sections of the technological process, products, devices, device nodes, the safety conditions of which vary depending from the time and location of the product, unit or device, in particular, depending on at what stage or section of the process the specified product, device or unit. 5. The method according to claim 4, characterized in that the transition from the consideration of the non-stationary technological process to the consideration of the stationary parts of the technological process based on the analysis of the distribution of the zones of action of the detected violations F _i = f (D _i > D _{i dop} ) in various parts of the technological process . 6. The method according to claim 1, characterized in that the transition to stationary conditions is carried out by analyzing and assessing safety at each safety interval R _{j of the} technological process. 7. The method according to claim 1, characterized in that the analysis and assessment of the safety of the process is carried out by constructing diagrams of separation into safety intervals R _j . 8. The method according to claim 1, characterized in that it further includes the construction of deterministic models of safety intervals R _j taking into account possible scenarios of transition of process violations to subsequent safety intervals R _{j + 1} . 9. The method according to claim 1, characterized in that it further includes the construction of deterministic-probabilistic safety models of the entire process. 10. The method according to claim 8 or 9, characterized in that the deterministic-probabilistic safety models of the entire technological process are constructed using the obtained deterministic models of safety intervals R _j . 11. The method according to claim 2 or 9, characterized in that the deterministic-probabilistic safety models of the entire technological process are constructed using the obtained logical-probabilistic models of the occurrence of violations F _i = f (D _i > D _{i dop} ). 12. The method according to any one of claims 2, 8, 9, characterized in that the deterministic-probabilistic safety models of the entire technological process are constructed using the obtained deterministic models of safety intervals R _j and logical-probabilistic models of the occurrence of violations F _i = f (D _i > D _idop ) of the technological process. 13. The method according to claim 1, characterized in that when analyzing the transition of technological process violations take into account the causal relationship between violations F _i = f (D _i > D _{i dop} ), possible violations F _i = f (D _i ) of the process and the function of protections and locks at every stage of the process. 14. The method according to claim 1, characterized in that for the analysis of the distribution of the zones of action of the sources of danger, an analysis of each unit area of the operation of the technological process is carried out to determine which particular sources of danger cause one or another excess of the permissible impact D _{i dop} . 15. The method according to claim 1, characterized in that when dividing into safety intervals, each violation F _i = f (D _i > D _{i dop} ) is taken into account in each part of the process under consideration for each selected safety criterion D _{i dop} . 16. The method according to claim 1, characterized in that the permissible impacts D _{i dop} use the regulatory impact specified in the regulatory technical documentation for safety.

Images