When Entergy decided it needed an analysis tool for automating outage safety reviews, it wanted one with sufficient detail to determine how component outages affect the status of outage safety functions.

Outage planners could not afford to use conservative assumptions that would adversely limit planning flexibility and force longer outages. At River Bend (BWR, 990MWe) they extended Equipment Out Of Service (EOOS), the analytical method developed by the Electric Power Research Institute. The method is used in power operation to model outage safety analysis. The data incorporated in the system includes: plant-specific and industry wide reliability figures on components and systems; and availability and unavailability figures.

Extending the system offered many benefits: the shutdown model used a lot of the same data as the operations model, providing consistency between the two; costs for additional staff training and for maintaining two sets of data were avoided; and meaningful safety comparisons between on-line and shutdown operations could be made.

EOOS software is used to develop a probabilistic safety analysis for shutdown operations and to evaluate a plant’s shutdown operations protection plan. The program generates a risk profile that measures the chance of core damage in any shutdown condition. River Bend staff can then make scheduling decisions on the basis of this profile and the plant’s defence-in-depth measures.

There are two main EOOS screens. The operator screen allows operators to track equipment taken out of service. The plant safety status (defence-in-depth) for any configuration is given by the PSI (plant safety index), a figure of 0-10 with 10 meaning nothing out of service. The scheduler screen (illustrated) shows risk at various stages in the outage schedule. The colour codes are green (no additional risk), yellow (minimal risk), orange (should be evaluated, may need contingency plan), and red (technical specification violation).

“EOOS makes it possible to see where there will be a conflict between systems,” says Entergy’s John Maher, safety analysis engineer. “Schedulers can work out a schedule which avoids overlapping tasks. It allows the impact of single components taken out of service to be evaluated rather than a whole system, as you can determine what the risk factor is. For example, before this capability was available, a whole bus would have to be assumed out of service if it were necessary to isolate a system to work on it. Now it may be possible to just take out a specific breaker”.

River Bend’s outage risk assessment team co-ordinator, Tom Hunt, lists a number of other areas in which the software has a use: •Emerging work: because EOOS can simultaneously record inputs from scheduling and operations, the effects of adding emergent work can be monitored efficiently and without delay. Staff can then know what scheduled work to put on hold to accommodate an unplanned event and ensure plant safety.

•Emerging issues: EOOS can give an assessment of the plant safety status. For example if a component, such as an emergency diesel generator, was found not to have been operational, EOOS can determine the risk of that situation. Some times an operational or safety concern is raised from outside the plant (by the NRC, pressure groups or politicians). EOOS can reveal the safety status of the plant in these circumstances.

•Licensing: when design engineers want to make a design specification change, they need to undertake a risk evaluation first. EOOS will provide this.

•Motor-operated valve (MOV) ranking: to meet NRC demands, an operator must develop a test and maintenance programme for all safety-related MOVs. A companion programme to EOOS, called CAFTA (computer-aided fault tree analysis) allows an operator to rank MOVs by relative importance to safety, so that he or she can optimise test and maintenance scheduling. Once the priority for testing is established by CAFTA, EOOS is used to develop an operation schedule, either at power or during an outage, when the test can be conducted so that its unavailability will have the least impact on the risk profile of the plant.