Assessing the Impact of Common Cause Failures on Site Risk within Level 1 Multi-Unit PSA

,


Introduction
Te safe operation of nuclear power plants (NPPs) has been a subject of apex concern, especially in the wake of the Fukushima Daiichi incident.Tis has increased the nuclear industry's strict safety regulations, strengthening the need for a thorough assessment of risk and failure analysis to guarantee the safe operation of nuclear power plants.A wellknown technique used in the nuclear business to analyse risk and failure evaluation linked with nuclear power plants is probabilistic safety assessment (PSA), which is the active process of identifying potential NPP disaster scenarios, their consequences, and probabilities [1,2].PSA is also an invaluable tool which can deliver information concerning the event sequences and scenarios that contribute signifcantly to risk in a nuclear power plant [3].Te capacity of PSA to provide crucial information during the early design phase and highlighting systems that are vulnerable to risk makes it an excellent safety assessment tool.Tis feature enables efective decision making with regard to the design, development, operation, and maintenance of plants and facilities [4].
Unlike the conventional single-unit PSA for individual NPPs co-located at a site, the Fukushima Daiichi nuclear station incident has outlined the probable accident progression status that can occur in a multi-unit site.Due to the fact that most sites have multiple units, PSA for single-unit NPP (SUPSA) analysis has limitations because it does not accurately represent all accident scenarios, categories, and radioactive sources to determine the radiological risk brought on by severe and/or accident events at the site [5].
With an upsurge in the attention that has been drawn to multi-unit risks as a result of the Fukushima Daiichi event, MUPSA approaches and techniques are seen as the criteria to augment the limitations that SUPSA techniques present when dealing with multi-unit risks.Multi-unit risk analysis is particularly important since it has a signifcant impact on the overall study of a multi-unit PSA [5].
A predominant factor considered when undertaking SUPSA is CCF.CCFs are "failures which are the direct result of a shared cause, in which two or more separate channels in a multiple channel system are in a faulty state simultaneously, leading to system fault" [6].Tis phenomenon is seen as a signifcant contributor to SUPSA metrics such as the core damage frequency (CDF) and the large early release frequency (LERF), which are measures of the extent to which the core of a reactor experiences damage and the associated frequency of release of radioactive sources into the environment, as a result of the damage, respectively [1].
CCFs (intra-unit and inter-unit) are expected to play a signifcant role in MUPSA as they provide an assessment of the likelihood that events originating from one unit will have an impact on multiple units.Due to dependencies and CCFs, initiating events (events that cause NPP operation to operate in an out-of-order state) may have an impact on all units in multi-unit sites.High system reliability can be achieved by using redundancy in nuclear power plant operations, but the presence of CCFs makes it possible for a single condition or event to cause fault states to occur in more than one component or unit, regardless of the type of redundancy available in the system design [7].Te main conclusion from PSAs, which led to the non-availability of safety mechanisms for NPPs, is typically attributed to CCFs [8,9].Dependencies ranging from functional, physical, human interaction, component, or hardware dependencies may exist on a site with co-located units due to the presence of CCFs on the site.
A number of studies have suggested very important methods for analysing multi-unit scenarios and treating many aspects of CCF for use in MUPSA studies.Han et al. [10] developed two approaches using AIMS-PSA software to quantify PSA scenarios for a multi-unit nuclear site.Te approach derived and quantifed multi-unit scenarios from a large PSA model by aggregating PSA models for each unit of a six-unit site.Tough other factors of MUPSA such as the shared systems, CCF between units, accident management, and organizational factors were not considered in the study, it developed the minimal cut-set approach and the Monte Carlo approach in AIMS-PSA software with additional multi-unit feature enhancements.Te minimal cut-set approach created by Han et al. [10] generates the minimal cutsets as a result of the numerous accident scenarios that are applicable in a multi-unit PSA, as opposed to a traditional PSA, where the minimal cut-sets are estimated for each scenario and the core damage frequency is quantifed.To supplement cases where the minimal cut-sets cannot be generated or quantifcation values are in doubt, a simulation approach to generate cut-sets known as the Monte Carlo approach and the fault tree top event probability evaluation using Monte Carlo simulation (FTeMC) are used.
In order to evaluate the site CDF for a hypothetical multi-unit LOOP scenario, Kim et al. [11] used a map-up method via the impact vector approach to address risksignifcant inter-unit CCFs.In this approach, when the size of the common cause component group (CCCG) in the original single-unit model was two (2) or three (3), all conceivable combinations of inter-unit CCF events were described in the dual-unit model.If there are more than four (4) CCCGs, a straightforward method is to multiply the single-unit base model by 0.1.Tis was utilized in the estimation of core damage frequency at multi-unit sites.For instance, multiplying the mean probability of four out of four essential chillers failing owing to a CCF (1.02E − 05) by 0.1 yields the mean likelihood of eight out of eight essential chillers failing due to an inter-unit CCF.
In recent additions to the body of quantifying inter-unit CCFs applicable to MUPSA studies, Jang and Jae [12] presented a dual approach to evaluating the inter-unit CCF by analysing the single-unit complete CCF probability and the fraction of each inter-unit CCF event using Swain's dependency model.Te inter-unit CCFs were considered for a four-unit site each unit having a dual emergency diesel generator (EDG) and a shared alternate alternating current diesel generator (AACDG).Te results of the quantifcation with the two inter-unit CCF methods showed that the total probability of occurrence of core damage of both methods was higher than that without inter-unit CCF events because the probability of core damage in more than two units increased signifcantly.
Due to the signifcance of CCFs in the measurement of core damage in MUPSA, it is essential to thoroughly study the dynamics of these CCFs in multi-unit core damage frequency estimation.A qualitative and quantitative analysis of CCFs is crucial for multi-unit PSA in order to determine which categories of CCFs have signifcant quantitative contributions to core damage in the multi-unit scenario or the composition of CCFs in accident sequences and scenarios in cut-sets that lead to core damage.
Te main contribution of the current study is the development and demonstration of a systematic approach to modeling both intra-unit and inter-unit CCFs of the fault trees in the mitigating systems, during both LOOP and SBO events, which was executed using the AIMS-PSA software for the hypothetical dual nuclear site.Additionally, the methodology presented assessed the qualitative importance of CCFs in terms of minimal cut-sets (MCSs) in the accident sequences of the CDF quantifcation in the multi-unit scenario for two initiating events.Tis assessment was done in a comprehensive manner in order to provide insights into the signifcance of CCFs on CDF of the multi-unit site.Te enhanced understanding provided by the study regarding the impact of CCFs on site risk is quite novel.Overall, the quantitative evaluation techniques involve probabilistic estimation, a quantitative importance evaluation, and sensitivity analysis of the CCFs to the overall core damage on the multi-unit site.Te main beneft of this approach is that it focuses on the detailed CCFs analysis in the site core damage quantifcation as more comprehensive failure models (fault trees and event trees) were utilized for the initiating events selected for the site.

Materials and Methods
Building a multi-unit PSA model by aggregating single-unit PSA models, determining all multi-unit scenarios, and quantifying the frequency of each scenario are the primary components of the methodology suggested and illustrated in this study.Te event trees (ETs) and fault trees (FTs) were modeled for the occurrence of the LOOP and SBO initiating events using the typical mitigation systems of the hypothetical PWR.To depict the single-unit PSA for each plant, intra-unit CCFs (CCFs within systems) were modeled in the relevant fault trees of the system.Te switch to a multi-unit model is marked by the addition of the multi-unit feature, inter-unit CCF of the EDG of each unit, and shared AACDG between the units.AIMS-PSA software was used to for the modeling of the FTs and ETs, the quantifcation of the site CDF, and obtaining the accident scenarios and the most signifcant CCFs contributing to the core damage in the twin unit.Tese steps are summarised in Figure 1.
In comparison to Jang and Jae [12], the methodology proposed and demonstrated in this study concentrated on investigating and performing detailed analysis of CCFs effects on site risk.Additionally, the methods developed in this study involves quantitative and qualitative analysis of the minimal cut-sets that lead to the site CDF.Finally, the initiating events considered in this study were the multi-unit LOOP, SBO, and the combined LOOP followed by SBO events.
In this study, a scenario is a combination of accident sequences that occur in multiple units, whereas a sequence is an accident event in a single unit [10].Te LOOP and SBO events were selected out of all potential initiating events that could lead to a multi-unit accident scenario (such as internal and external hazards) based on their frequency and their magnitude of efects that these initiating events have on site metrics.Tese initiating events, LOOP and SBO, were triggered for a hypothetical generic two-loop typical pressurized water reactor (PWR) of the Westinghouse design with a thermal output of 1000 MW and designated primary and secondary systems.
When compared to single-unit PSA scenarios, multiunit PSA scenarios typically have diferent modeling and quantifcation characteristics.How to quantify the multiunit aspects, such as shared systems, CCFs, accident management, organizational considerations, and the multiple situations that can result in initiating events, is one of the fundamental challenges in a multi-unit PSA.Combinations of sequences for each initiating event complicate the modeling and quantifcation procedure in a multi-unit PSA.Terefore, modeling and quantifying the core damage scenario in a unit, two units, three units, and so forth would necessitate a substantial number of accident sequence combinations [10].For instance, if there are M units and N sequences per unit, then N M combinations are possible [10].
AIMS-PSA software, developed by Korea Atomic Energy Research Institute (KAERI), was used to develop fault trees and event trees for the initiating events LOOP and SBO.Two generic PWR units that make up the multi-unit site were used to carry out the accompanying safety system response to these initiating events.Tese triggering events place these units into transient mode, resulting in the activation of safety systems and the danger of core damage.Te fault and event trees that were generated to represent the accident progression of the PWR's mitigating systems make up the single-unit model of the CDF.When modeling these occurrences, the intra-unit CCFs of the various systems were considered.Te main multiunit features that were introduced to these single-unit models are the interunit CCF of the emergency diesel generators (EDGs) and the shared alternate AC generators (AACDGs) between the units.By combining the single-unit models of each unit, the top logic for the multi-unit model was constructed using AIMS-PSA software.Te investigation of the CCF inclusion in these models and the quantifcation of the site level CDF were simulated.Science and Technology of Nuclear Installations

Multi-Unit Initiating Events and Accident Scenarios.
Tis analysis considered the LOOP and SBO initiating events because their presence considerably afects the frequency of plant core damage.Te functional system representation and accident scenarios were modifed from [13,14].A reactor trip is not envisaged in the LOOP scenario that is studied in this study (see Figure 2) with the failure to regain AC power scenario.Te NRAC-LOOP header in the event tree indicates that the ofsite power is not recovered after 30 minutes.Te primary system integrity (PSI-LOOP) header in the event tree essentially made up of the reactor coolant pumps (RCPs) and main feedwater (MFW) pumps are tripped due to the unavailability of power to run the pumps.Emergency diesel generators (EDGs) are restarted successfully to supply electrical power and to restart auxiliary feedwater system (AFW).RCPs operate properly because AFW was successfully resumed.Te event tree of the hypothetical LOOP event is depicted in Figure 2 and is modeled using the AIMS-PSA program in relation to the mitigating systems and structures in the hypothetical unit 1 of the generic PWR.Te event library's %IE LOOP1 event defnes the initiating event, while NRAC-LOOP, PSI-LOOP, SGI-LOOP, and AFW-LOOP defne the top headers of the event tree.Te event tree's sequences 4 and 5 are regarded as causing the unit's core damage.Figure 3 depicts the SBO accident, which results in the loss of all AC power sources, including all EDGs.In this work, the current scenario does not have on-site or ofsite power recovery for seven (7) hours.Te frst functional event NRAC-SBO in the station blackout event tree corresponds to the restoration of AC power to the plant safety busses before the drying of the coolant on the secondary side of the steam generators (SGs).Te second functional event reactant coolant injection (RCI-SBO) in the SBO event tree corresponds to the preserving of the reactor coolant system (RCS) inventory until AC power is restored.Te pressurizer power operated relief valves (PORV) must be closed in order to prevent a loss of coolant accident (LOCA).Te SGI-SBO header represents the secondary side integrity functional event.Te top event of the fault tree corresponding to the AFW failure is the fourth functional event, AFW-SBO.Te fault tree describing the AFW failure considering various AFW system failures serves as the input to this functional event.Te ffth functional event, NRAC-1HR, is the restoration of AC power to the plant safety busses and isolation by the pressurizer block valve within one hour before the start of temperature escalation in the core.Te operator-initiated cooling and depressurization of the reactor coolant system during a protracted station blackout constitutes the sixth functional event DEP-SBO.Te seventh functional event SLOCA-NRST corresponds to the RCP seal LOCA.
Te eighth functional event NRAC-SLOCA indicates non-recovery of AC power LOCA.Te last functional event NRAC-7HRS corresponds to the restoration of AC power to the plant safety busses and isolation by the pressurizer block valve in 7HRS before the start of temperature escalation in the core.
Fault trees were developed for the functional events (top headers in AIMS-PSA software) with their corresponding failure probabilities for basic events involved in the accident sequences of these headers derived from generic failure rate probabilities of systems and CCF data in the USNRC database for use in single-unit PSA [13].

Modeling for a Single
Unit.Te PSA model adopted for each unit consists of the sum of the accident sequences of the initiating events LOOP and SBO considered in this study.Te major defning issue of concern is the incorporation of intra-unit CCF basic events into the fault trees of the functional events of these models.Te top logic of unit 1 and unit 2 is shown in Figure 4.In this work, the top logic event for unit 1, CDF_UNIT_1, has two fault trees, namely, LOOP_UNIT_1 and SBO_U-NIT_1.LOOP_UNIT_1 has two sequences, i.e., tag events that lead to core damage as defned in the event tree, sequences 4 and 5 labeled LOOP_UNIT_1-4! and LOOP_UNIT_1-5!, respectively, as shown in Figure 5. Te SBO_UNIT_1 fault tree has twelve sequences including sequences 4, 7, 10, 13, 14, 17, 20, 21, 23, 24, 26, and 27 as shown in Figure 6.Tese sequences as given in the event tree lead to core damage and are present in the fault tree for the CDF top logic for the units, and thus CDF_UNIT_1 has a total of fourteen sequences.CDF_UNIT_2, which is the top event for unit 2, has the same number of sequences as unit 1.
Unit 2 models were distinguished from unit 1 models by prefxing all gates and basic events included in the base single-unit LOOP and SBO models of unit 1 by 2. Tus, the event 2-PPS-MOV-FT-1536 representing "PORV block valve 1536 fails to open" would be an event for unit 2. Regarding the initiator, the same basic event was applied equally to all dual-unit models without distinguishing between units because it was assumed in this study that the initiating events challenged all dual units simultaneously.
Te model for the top event LOOP_UNIT_1-04! of LOOP_UNIT_1 composed of the events NRAC-LOOP, PSI-LOOP, SGI-LOOP, AFW-1, and the sequence 4 tag event #LOOP_UNIT_1-04! is shown in Figure 7 with expanded fault tree of the AFW-1 functional event.Consequently, all other sequences of event tree LOOP_UNIT_2 illustrated in Figure 6 had similar sequences and probabilities.
A selected model of the SBO_UNIT_1 composed of the functional events RCI-SBO, SGI-SBO, DEP-SBO, SLOCA-NRST, NRAC-SLOCA, and NRAC-7HRS with modeled intra-unit CCF shown in red is shown in Figure 8. Intra-unit CCF was modeled in the fault trees of the accident mitigation systems (event trees) for the initiating events of this study.

Development of Multi-Unit CDF Model.
Given the PSA model for each unit, the site level CDF model for the multiunit site was constructed for three diferent initiating event scenarios based on LOOP, SBO, and the combined events of   Science and Technology of Nuclear Installations LOOP followed by SBO events.To determine the overall impact of the two events occurring simultaneously, the site level CDF for the LOOP followed by SBO event was built.
Tese site CDF models are presented in Figures 9-11.

Estimation of the Inter-Unit CCF.
One of the technical difculties for a probabilistic safety assessment for multi-unit sites is the quantifcation of the inter-unit CCF.Te symmetric assumption of intra-unit CCF analysis becomes invalid when quantifying the inter-unit CCF, and a more systemic approach is needed to deal with the dynamics and the asymmetry that inter-unit CCFs present in PSA analysis [15].Te approach for estimating the inter-unit CCF utilized in this work is from Jang and Jae [12], which proposed two methods of estimating the inter-unit CCF using Swain's dependency model and the CCF data in the SUPSA.Based on the approach used in Jang and Jae [12], the value of the inter-unit CCF used in this study for the twin unit considered for this study is 3.87 × 10 − 6 .
In modeling the fault trees for the AAC unavailability, due to LOOP event, the inter-unit CCF basic event "EPDGW-CCF-DG-AB-AAC" represents the inter-unit CCF event for unit 1 and the AAC.Te inter-unit CCF event for unit 2 is "2-EPDGW-CCF-DG-CD-AAC." Te fault tree for the unavailability of the AACDG is given in Figure 12.

Key Assumptions.
Te following assumptions were made for this study: (1) Te two units at the site are generally identical, i.e., they have the same structures, systems, and components (SSCs) and same operating/testing/ maintenance procedures.(2) A multi-unit accident may have an impact on the availability of alternative AC diesel generators (AACDGs) and emergency diesel generators (EDGs).In this study, it was presupposed that units 1 and 2 shared an AACDG, with priority given to unit 1, operating at the time of occurrence of the initiating events.(3) When an initiating event occurs, all units are afected simultaneously or almost simultaneously, and the efects are equal for each unit.

Results and Discussion
Te analyses of the results of the quantifcation process using the AIMS-PSA software for the site level CDF and the single-unit CDF with respect to the LOOP and SBO initiating events modeled in this project place a focus on observations and summaries of the results involving the CCF basic events, cut-sets  6 Science and Technology of Nuclear Installations of importance, and the dynamics of CCF events of greater importance in the quantifcation process.As part of the evaluation of the qualitative and quantitative results of the CCFs relevant to the site CDF, the Fussell-Vesely (FV) importance measure was used as the metric of importance.Te FV importance measure is defned as the probability that an MCS containing a discussed basic event will cause the top event [3].

Estimation of Site
Level CDF due to LOOP Event.In the multi-unit scenario involving the LOOP event occurring concurrently in both units, a total of sixty eight (68) cut-sets were generated with total probability of occurrence of core damage resulting from the LOOP event for the site (dual unit) estimated to be 2.926E − 04.Te risk frequency of the LOOP initiating event in the individual units is estimated to  Science and Technology of Nuclear Installations be 1.495E − 04 for %IE LOOP1 in unit 1 and 1.431E − 04 for %IE LOOP2 in unit 2. Tis increase in the risk value of the multi-unit scenario and the single-unit value can be attributed to the fact that in the LOOP event, risk-signifcant probabilities of recovering ofsite power were not modeled inherently in the system and it is assumed that the mitigation systems will reduce this risk within 30 minutes of the occurrence of this event.Table 1 summarises the LOOP event analysis for the estimated site level CDF.
Referring to Table 1, unit 1 LOOP event had a slightly greater risk frequency than unit 2 contributing slightly greater than 51% of the total risk of the site CDF, though with lesser cut-set of 32, while unit 1 had risk frequency amounting to almost 49% of the total risk and minimal cut-set of 36.Te LOOP initiating event in unit 1 (% IE_LOOP1) had a greater conditional core damage probability (CCDP) than unit 2 (%IE_LOOP2) as shown in Table 1.Since the CCDP expresses risk in terms of the likelihood of core damage based on the confguration and operation of the plant at a given point in time during the interest period, unit 1's %IE LOOP1 gave rise to a higher risk in the site CDF during the occurrence of the initiating event at the site.Also, unit 1 had priority over unit 2 in terms of the shared AACDG and the assumptions provided for this study in Section 2.4, in the case of an initiating event.
Table 2 presents the frst ten of the most signifcant minimal cut-sets (MCSs) generated by AIMS-PSA software for the multi-unit scenario involving the simultaneous occurrence of LOOP event in both units.
In this LOOP event, the event that no power from AACDG by AACDG failure is contained in each of the frst 4 most signifcant MCSs and acts as the major contributor to the CDF occurrence in both units.Its varying occurrence with unit 1 LOOP initiating event (%IE_LOOP1), unit 2 LOOP initiating event (%IE_LOOP2), unit 1 LOOP Te analysis of the most signifcant MCS of the results shows that all of the most signifcant MCSs are related to the failure of the shared alternate AC DG (AACDG) and the failure of DGs A and B in unit 1 and DGs C and D in unit 2. As all the diesel generators and the shared AACDGs are alike and therefore share the same failure probability for each failure mode, the contributions of similar failure states to the site CDF are the same.In summary, the minimal cut-sets (accident scenarios) where "DGs failed to start and run" account for 95.72% of site CDF.

CCF Circumstances in the Multi-Unit LOOP Event.
Table 3 and Figure 13 show the largest CCF contributors to the site CDF during the concurrent LOOP event in the multi-unit scenario using the FV importance measure registered during event.
Te quantitative results indicate that, for site CDF, the combined contribution of the failure events "Failure to Start and Load due to CCF" for DGs in Units 1 and 2 accounts for 98.86% of the total CCF contribution.Similarly, the interunit CCF contributes 1.74% of the site CDF of the LOOP event.Nevertheless, the CCFs are contained in all the most signifcant MCSs.
Te number of minimal cut-sets, #MCS, and a qualitative analysis of the MCS of the major CCF events signifcantly contributing to the site CDF based on their FV importance measure are shown in Table 3 for accident sequences.Te FV importance measure is a measure of the overall percent contribution of cut-sets containing a basic event of interest to the total risk in the given initiating event.
Te dominant CCF event in the multi-unit CDF is the failure of the DGs in each unit to start and load due to CCF which primarily accounts for the CDF sequences in the LOOP event and fault tree.Te loss of operation of the DGs in each unit, thus, is more severe for the CDF occurrence.Even though the contributions of the remaining CCF events, which included diferent combinations of the shared AAC DG and the DGs in each unit, as depicted in Figure 13, were minimal, they all had the same FV value, indicating equal contributions to the site CDF occurrence.
In summary, using the FV importance measure, the common cause failures primarily from the failure of the DGs to start and run account for 4.58% of the site CDF.

Estimation of Site Level CDF due to SBO Event.
In the multi-unit scenario involving the SBO event, a total of 100 cut-sets were generated with total probability of  Science and Technology of Nuclear Installations occurrence of core damage resulting from the SBO event for the site (dual unit) estimated to be 2.083e − 9. Te risk frequency for %IE_SBO1 for unit 1 and %IE_SBO2 for unit 2 was estimated to be 1.106E − 009 and 9.768E − 010, respectively.In the modeling of the SBO event tree, considerations were given to probabilities of not recovering ofsite power from 30 minutes to 1 hour and extended to 7 hours given that risk-signifcant probabilities of not recovering ofsite power were increased in these periods of not recovering the ofsite power.
As seen from Table 4, SBO initiating event in unit 1 (%IE_SBO1) presented a slight greater risk to the site CDF than unit 2 (%IE_SBO1) initiating with contributions of 53.097% and 46.903% because of the assumptions made for this study in Section 2.4, Unit 1 was given greater priority than unit 2, upon the occurrence of an initiating event and the shared AACDG.
As expected, "no power from AACDG by AACDG failure" in the SBO event featured prominently in all the 100 cut-sets with EPDGS-AAC for unit 1 appearing in 54 cut-sets with an FV value of 0.530971 while 2-EPDGS-AAC for unit 2 appeared in 46 of the cut-sets with an FV value of 0.469030.

CCF Circumstances in the SBO Multi-Unit Event.
Table 5 and Figure 14 show the largest CCF contributors to the site CDF during the concurrent SBO event in the multiunit scenario using the FV importance measure registered during event.Te quantitative results indicate that the CCF contributes 17.19% to the site CDF in the SBO event, and that the CCFs from the AFW system --specifcally, the CCF of motor-driven pumps and the CCF of undetected leakage through check valves CV27, CF58, or CV89 --accounted for 89.4% of the total CCF contribution to the site CDF.Te CCF of the pressure operated relief valves (PORV) of the RCS system contributed 9.68% while CCF of DGs contributed 0.92% to the total CCF contribution to site CDF.In summary, using the FV importance measure, the common cause failures account for 17.19% of the site CDF.According   Science and Technology of Nuclear Installations to their Fussel-Vesely (FV) importance measure, the major CCF events that signifcantly contributed to the site CDF according to accident sequences are shown in qualitative analysis of the MCS in Table 5.

Estimation of Site Level CDF due to Combined LOOP
Followed by SBO Event.In the multi-unit scenario of the LOOP followed by the SBO event, a total of 134 cut-sets were generated with total probability of occurrence of core damage resulting from the LOOP followed by the SBO event for the site (dual unit) estimated to be 2.926E − 04.Te average risk frequency of both the LOOP initiating events, %IE_LOOP1 and %IE_LOOP2, in the site CDF decreased to 1.4635E − 04 as compared to the risk of 1.495E − 04 in the single-unit event as deduced from Table 6.Additionally, the average risk of both the SBO initiating events, %IE_SBO1 and %IE_SBO2, in the site CDF decreased to 1.0414E − 09 compared to the risk of 1.106E − 09 in the single-unit event as can be inferred from Table 6.It can also be gleaned from Table 6 that most of the risk contributing to the site CDF came from the LOOP events although the SBO events contributed appreciably to the site CDF.A summary of the   Science and Technology of Nuclear Installations percentage contributions of the initiating events to the site CDF of the combined LOOP followed by SBO event is also given in Table 6.An analysis of the scenarios contributing to site CDF reveals that the LOOP initiating events %IE_LOOP1 and % IE_LOOP2 and the event that "no power from AACDG by AACDG failure" (EPDGS-AAC and 2-EPDGS-AAC) were the paramount basic events contributing to the frst two scenarios with values of 49.43% for each scenario and a risk value of 1.4E − 04.
Another cut-set of concern is the failure of the DGs A and B of unit 1 and DGs C and D of unit 2 with varying contributions of 0.69%, 0.13%, and 0.1% in the various cutsets as shown in Table 7. Te analysis of the most signifcant MCS of the results shows that all of the most signifcant MCSs are related to the failure of the shared AACDG and the failure of DGs A and B in unit 1 and DGs C and D in unit 2. As all the diesel generators and the shared AACDG are alike and therefore share the same failure probability for each failure mode, the contributions of similar failure states to the site CDF are the same.In summary, the minimal cut-sets (accident scenarios) where DGs failed to start and run and/ or DG was unavailable due to maintenance account for 99.91% of site CDF.
It is important to observe that the occurrence of the LOOP event had considerable amount of impact on the CDF for each unit and the SBO event had a very small share in the overall CDF of the plant for the LOOP   14 Science and Technology of Nuclear Installations followed by the SBO event in each unit.Tis can be attributed to the fact that in the modeling of the SBO event tree, considerations were given to probabilities of not recovering ofsite power from 30 minutes and 1 hour up to 7 hours given that risk-signifcant probabilities of not recovering ofsite power were increased in these periods of not recovering the ofsite power.Large decrease of the SBO risk is obtained with the introduction of functional Science and Technology of Nuclear Installations events to mitigate the SBO risk in the time sequence (30 minutes to 1 h to 7 h) of the modeled event tree.Te ability of the system to maintain proper functioning within this time frame results in the decrease of the SBO risk frequency in the overall site CDF.It is only commensurate then that most of the risks came from the LOOP event (85.22%) while the SBO event contributed to 14.78% of the CDF for each unit.
Table 7 presents the frst ten of the most signifcant minimal cut-sets (MCSs) generated by AIMS-PSA software for the multi-unit scenario involving the simultaneous occurrence of LOOP followed by SBO event in both units.
In terms of basic event importance for the CCF basic events for the occurrence of site CDF, for each unit, Table 7 summarises the qualitative outlook of the most signifcant cut-sets for the LOOP followed by SBO event.

CCF Circumstances in the
Combined LOOP Followed by SBO Multi-Unit Event.Table 8 and Figure 15 show the largest CCF contributors to the site CDF during the LOOP followed by SBO event in the multi-unit scenario using the FV importance measure registered during the event.
Te quantitative results of the cut-sets reveal that the contribution of the events DGs A and B and DGs C and D fail to start and load due to CCF of unit 1 and unit 2, respectively, contribute to 98.27% of the total CCF contribution and the inter-unit CCF contributions accounting for 1.73% of the total CCF contribution to site CDF.In terms of accident sequences, a qualitative analysis of the MCS of the major CCF events contributing signifcantly to the site CDF according to their Fussel-Vesely (FV) importance measure and the number of minimal cut-sets, #MCS, is shown in Table 8.
In summary, using the FV importance measure, the common cause failures primarily from the failure of the DGs to start and load account for 4.58% of the site CDF.

Percentage Contribution of CCF in the Site CDF.
Regarding the percentage contribution of the CCF events to the site CDF of all the assumed initiating events, it is clearly seen that the percentage of the CCF in the SBO event is of greater magnitude than the LOOP event and the "LOOP followed by SBO" event.It must be noted that the SBO event modeled in this work includes all functional events of a representative SBO event tree for a generic Westinghouse PWR as the events of the CCF are fully captured for all the functional events in the accident sequences of the site CDF.Te qualitative results from the multi-unit SBO event indicate that the MCS that contributes signifcantly to the site CDF contains CCF event with greater FV values, which is indicative of the overall percent contribution of the CCF basic events to the top event risk in the given initiating event as compared to the FV values of the CCF events in the LOOP event.As such, even though the site CDF of the SBO event was of lesser magnitude than that of the LOOP event, the common cause failures of the SBO event contribute to the risk to a larger extent.Also, the occurrence of LOOP event is a key event contributing to the occurrence of the SBO event.Table 9 shows the percentage contributions of the CCF events in the various initiating events in the site CDF estimation.16 Science and Technology of Nuclear Installations

Site CDF Analysis with and without CCF Consideration.
In the LOOP event, the site CDF without CCF consideration in any of the fault trees of the functional systems was estimated to be 2.724E − 04.Tus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 7.42% as compared to the site CDF without CCF events.In this LOOP event without CCF consideration, the most signifcant minimal cut-sets include the failure of the shared AACDG contributing 98% of the site CDF.As the assumed site share an AACDG between units, the contribution of two (2) failure modes (the CCF due to failure to start or run), is a signifcant cut-set to site CDF.In the SBO event, the site CDF without consideration of the CCFs in the fault trees of the functional systems of the accident mitigation systems was estimated to be 1.801E − 09.Tus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 15.66% as compared to the site CDF without CCF events.
Regarding the LOOP followed by the SBO event, the site CDF without CCF consideration was estimated to be 2.721E − 04.Tus, with CCF events considered in the modeling process, the site CDF estimated with CCF events increases by 7.53% as compared to the site CDF without CCF events.Figure 16 gives a pictorial classifcation of the site CDF with and without CCF consideration.Table 10 gives the analysis of site CDF with and without CCF considerations.

Conclusion
Using AIMS-PSA software, a method for evaluating the quantitative magnitude and qualitative proportions of CCFs in the site CDF of multi-unit PSA has been demonstrated.Te site CDF model was used to analyse the responses to the initiating events, LOOP and SBO, occurring simultaneously in the units of the modeled intra-unit CCFs and the inter-unit CCF, which was particularly focused on the shared AACDG and the EDGs.Depending on the type of initiating event under consideration, AIMS-PSA was used to generate cut-sets for each of the initiating event under consideration, and the fndings showed variable degrees of compositions of the CCFs and diferent percentage contributions to the site CDF.
Using the FV importance measure, CCFs in the modeled fault trees contributed to 4.58% to the site CDF of the combined LOOP followed by SBO event.In the LOOP event alone that leads to core damage, the CCF contributed 4.58% to the site CDF while CCFs contributed 17.19% to the site CDF in the SBO event alone that leads to core damage.With CCF events considered in the modeling process, the site CDF estimated with CCF events increased by 7.53% in the combined LOOP followed by SBO event.In the LOOP event alone that leads to core damage, inclusion of CCF events in the modeling increased the site CDF by 7.42%.A 15.66% increase in site CDF was recorded in the SBO event alone that leads to core damage as compared to modeling without CCF events.
In the case of the LOOP event, the CCF event of all the DGs in the units DGs A and B for unit 1 and DGs C and D for unit 2 was the greatest CCF contributor to the site CDF.In the SBO incident, the CCF of UNDETECT LKAGETHRU CHK VLV CV27, CF58, or CV89 and the common cause failure of the motor driven pump, all of the AFW system, were the major CCF contributors to the site CDF.Finally, due to the signifcant infuence the occurrence of the LOOP event has on the site CDF, the CCF event of all the DGs in the units DGs A and B for unit 1 and DGs C and D for unit 2 was the highest CCF contributor in the case of the combined LOOP followed by SBO event.
Te importance of these CCFs to the security of multiple units is evident by the dominance of the CCFs of the DGs and the AACDG in the CCF composition of the cut-set generated for the site CDF.To reduce the site CDF risk to the NPP, it is necessary to carefully examine the failure to start and run as well as the unavailability of DGs due to maintenance.
Te results obtained in this study provide insight into analysing the contributions of functional systems of nuclear plants to site CDF in response to an initiating event.Each of   Science and Technology of Nuclear Installations the initiating events assumed for this work also shows that the site CDF is sensitive to the occurrence of the LOOP event with the CCFs of the shared AACDG being the main contributor to the MCS leading to site CDF.In summary, the results obtained in this work can enhance the understanding of the impact of CCFs on multi-unit site risk as well as serve as a baseline for further studies regarding the qualitative and quantitative categorization of efects of CCFs within MUPSA.

Figure 2 :
Figure 2: Event tree of LOOP event for unit 1 with top headers.

Figure 3 :Figure 4 :
Figure 3: Event tree of station blackout event at unit 2.

Figure 8 :
Figure 8: Model for sequence SBO_UNIT_1-04! of fault tree SBO_UNIT_1 with expanded fault tree of RCI-SBO showing modeled intraunit CCF event of PORV blocking valves in red.

Figure 9 :
Figure 9: Top logic for the site CDF due to LOOP followed by SBO event.

Figure 11 : 6 Figure 12 :
Figure 11: Top logic for the site CDF due to SBO.

Figure 13 :
Figure 13: CCF circumstances in the multi-unit LOOP event.

Figure 14 :
Figure 14: CCF circumstances in the multi-unit SBO event.

Figure 16 :
Figure 16: Site CDF with and without CCF consideration: the representation of the SBO has been adjusted.

Table 1 :
LOOP initiating event analysis for site CDF.

Table 2 :
Summary of most signifcant scenarios in the multi-unit LOOP event.

Table 3 :
Major CCF events in the multi-unit LOOP event.

Table 4 :
SBO initiating event analysis for site CDF.

Table 5 :
Major CCF events in the multi-unit SBO event scenarios.

Table 6 :
Probabilities and percentage contributions of the combined LOOP and SBO events on the site CDF.

Table 7 :
Summary of the most signifcant scenarios in the multi-unit LOOP followed by SBO event.

Table 8 :
Major CCF events in the multi-unit LOOP followed by SBO event.

Table 9 :
Percentage contribution of CCF to site CDF in various events.

Table 10 :
Site CDF analysis with and without CCF considerations.