Annals of Nuclear Energy 37 (2010) 428433

Contents lists available at ScienceDirect

Annals of Nuclear Energy

journal homepage: www.elsevier.com/locate/anucene

Technical Note

HAZOP-study on heavy water research reactor primary cooling system

M. Hashemi-Tilehnoee *, A. Pazirandeh, S. Tashakor
Science and Research Branch of Islamic Azad University, Tehran, Iran

a r t i c l e

i n f o

Article history:
Received 11 September 2009
Received in revised form 28 November 2009
Accepted 7 December 2009
Available online 6 January 2010

a b s t r a c t
By knowledge-based Hazard and Operability (HAZOP) technique, equipment malfunction and deciencies in the primary cooling system of the generic heavy water research reactor are studied. This technique
is used to identify the representative accident scenarios. The related Process Flow Drawing (PFD) is prepared as our study database for this plant. Since this facility is in the design stage, applying the results of
HAZOP-study to PFD improves the safety of the plant.
2009 Elsevier Ltd. All rights reserved.

1. Introduction
Presently, nuclear power is in focus of the public safety concern
and governments are forced to reconsider its continued role in the
national power policy. Development of systematic methods for
industrial risk assessment has been underway within this technological domain (Wilpert and Itoigawa, 2005). Today, nuclear power
reactors account for a major fraction of the worlds energy production. In addition, research reactors are considered in several countries as an important medium for radioisotope production and
research on nuclear energy.
Since Preliminary Safety Analysis (PSA) is an important phase of
reactor safety assessment, reactor safety should be considered as
an important safety criterion with respect to operation as well as
and the unanticipated situations.
Risk assessment as a combination of risk analysis and risk appraisal is a part of plant safety assessment. The rst stage of risk
analysis is the identication of unsafe situations. In other words,
the risk cannot be evaluated without identifying the involved
hazards. Many of the hazards will be identied by implementing
process hazard analysis (PHA) tools such as what-if/checklist,
HAZOP-study, and Failure Modes and Effects Analysis (FMEA).
The HAZOP method is a formal, systematic, and critical approach
to identifying the qualitative potential of hazards and operating
problems associated with an existing or new system or piece of
equipment caused by deviations from the design intent and their
resulting consequential effects (Kletz, 1997). This is a widely used
method in the world today to identify the hazards in the third level
of hazard study (Hyatt, 2004).
Nelson et al. (2007) performed a simplied HAZOP-study to
identify the initiating events for a steam-methane reforming
hydrogen production plant that linked to a high-temperature
gas-cooled nuclear reactor (HTGR), in the design phase. The possi* Corresponding author. Tel.: +98 911 3532381; fax: +98 123 3285596.
E-mail address: [email protected] (M. Hashemi-Tilehnoee).
0306-4549/$ - see front matter 2009 Elsevier Ltd. All rights reserved.
doi:10.1016/j.anucene.2009.12.006

ble consequences due to the deviations in the normal operation of

the plant were considered, and recommendations with respect to
their cost were proposed for improvement of safety.
In another work, the concept of the traditional failure mode
and effects analysis for the risk priority number (RPN) has been
adopted and applied to HAZOP-study. Since fuzzy logic is an improved trend in industrial hazard study (Markowski et al., 2009),
the hybrid-HAZOP, which is a fusion between the HAZOP and
the traditional RPN, was combined with a fuzzy interface and
named Fuzzy-HAZOP-RPN. By this method, the uncertainty
parameter levels in risk analysis are modeled (Guimares and
Lapa, 2006).
The use of qualitative models in a support system for HAZOP
analyses, in connection with an algorithm for nding the causes
and the consequences of variable deviations, were described by
Bartolozzi et al. (2000).
In another study, an interactive HAZOP method was applied for
the analysis of an emergency interlock system. Through the analysis of the plant PFDs (Process Flow Drawings), the presence of possible interlock actions was required. The individual interlock
system was visualized in the design phase, which provided the
possibility to analyze and change interactively the single interlock
systems. The interactive changes were intended to provide the required reliability (Cocchiara et al., 2001).
A multilevel HAZOP-study in the real commissioning process
was proposed by Cagno et al. (2002) which allowed a signicant
reduction in implementation costs, justifying the use of the technique both in innovative and critical cases, where the expected
saving from risk reduction is high.
In a recent work, by SAPHIRE software as a probabilistic safety
assessment tool, the Iranian heavy water research reactor (IHWRR)
safety systems were evaluated in the rst level of the PSA (Faghihi
et al., 2008). For evaluating the reliability of the reactor safety systems, they computed the total frequency of damage to the core.
Since this facility is in the design stages, its assessment can be useful when the plant is constructed and in operation.

M. Hashemi-Tilehnoee et al. / Annals of Nuclear Energy 37 (2010) 428433

Our study focuses on hazards identication in the primary cooling system of the IHWRR. The study is based on knowledge-based
HAZOP as a PHA method. We analyzed the plant PFD and generated
a list of required recommendations that are tabulated in a report
form by PHA-PRO (2009).
2. Reactor and primary cooling system identication
IHWRR is a 40 MW thermal tank type reactor, with natural uranium dioxide fuel and heavy water for moderation and cooling system. IHWRR has been designed to fulll several purposes, ranging
from gaining experience and technical know-how for design and
construction for non-power reactors to utilizing the reactor for
activation, irradiation, and radioisotope production (Faghihi et al.,
2008).
The reactor primary and secondary cooling loops are under
pressure. The pressure of the vessel both in moderator and coolant
loops is about 0.28 MPa; the coolant is in liquid phase and does not
mix with the moderator. The residual heat is to be removed by natural convection of the primary cooling loop.
There are two independent nuclear safety systems: shutdown
rods and emergency light water channels. Four beam tubes are
provided in this reactor for medical and industrial applications.
Eight vertical channels are provided for radioisotope production,
irradiation and activation. The IHWRR core consists of 150 fuel
assemblies and the central channel is in a triangular lattice with
a pitch of 265 mm. Sixteen fuel assemblies have neutron ux
detectors. There are 27 control and protection channels, including
three control rod channels, 12 shimming rod channels, six emergency rods (ER), six emergency channels (EC) for light water and
one channel for reference specimen (Faghihi et al., 2008). A brief
description of the primary coolant loop is as follows.
2.1. Primary cooling system identication
IHWRR facility uses two cooling circuit systems. The reactor
cooling systems can fulll the tasks for fuel rod cooling and prevention of fuel melting under both normal and accident operation
conditions. The rst circuit, consists of two independent circuits,
namely, the primary coolant loops and the moderator loops. The
primary cooling loop removes 37 MW of the core heat. The secondary cooling loop, known as the moderator loop, removes about
3 MW of the core heat. The heat transfer from the rst circuit to
the second circuit takes place in the heat exchangers. The heat removal from the second circuit takes place in the cooling towers.
The main components of the cooling systems with their PFD tags
are as follows (Faghihi et al., 2008):
 Primary cooling system YU.
 Moderator system YT.
 Main cooling water system VC.
Moreover, the related systems are:









Helium gas system TP.

Feed water degassing and purication system TD.
Primary coolant purication system TC.
Moderator purication system TE.
Nuclear sampling system TV.
Nuclear building and equipment drain system TY.
Vacuum system TK.
Cooling water chemical treatment system VR.

The pressure of the primary circuit is maintained at a constant

value by a helium gas cushion in the pressurizer. The helium gas

429

system is a common system for the coolant and moderator systems. Thus, the water level is maintained at a nominal level in
the pressurizer.
In addition, in the evaluation procedure, we observed that the
reactor is operated at nominal full power. This state includes most
of the accident initiators, which should be considered in the HAZOP
process.
2.2. Primary cooling system process description
In the hazard analysis procedure, we used the system PFD as a
main database. Fig. 1 illustrates the system PFD (Faghihi et al.,
2008).
In addition, Table 1 shows the legends of the related symbols in
the above-mentioned PFD.
The secondary uid ows from cooling tower to heat exchangers YU10-B001 and YU20-B001. Two coolant exit pipes transfer the
removed heat from the core to the secondary water in the heat
exchangers. Then, the cooled water enters into the core by the
YU10-D001 and YU20-D001 pumps. The YU10-S005 and YU20S005 check-valves stop the water reversion to the loop. If a pump
failed due to the loss of static head in the bypass line, which contains the YU10-S006 and YU20-S006 check-valves, the heat can be
remove from the core by natural circulation.
The pressurizer YU10-B002 is used to control the pressure of
the loop. Helium gas system controls the pressure of the pressurizer (Faghihi et al., 2008).
When the water level in the pressurizer drops, the make-up
pump YU00-D002 is switched on by the regulator signals (the main
signal is received from LRC) and the water returns to the normal
level. The make-up system main components are the make-up
water tank, YU00-B003, and make-up pump, YU00-D002. They
serve to ll the moderator circuit with heavy water and compensate for the leaks.
When the water level in the pressurizer rises from the set-point
level because of temperature increment in the reactor, the water is
discharged through the calandria vessel draining valve, which is
placed at the pump bypass. YU00-B001 and YU00-B002 as storage
tanks with YU00-D004 pump circulate the primary cooling water
to heavy water purication system. As mentioned above, the helium gas system is used to regulate the pressure of YU00-B001,
YU00-B002 and YU00-B003 tanks.
3. Introduction to HAZOP-study technique
HAZOP methodology is a PHA technique used worldwide for
studying not only the hazards of a system, but also its operability
problems, by exploring the effects of any deviations from design
conditions (Dunj et al., 2010). This term is applied to a detailed
method for systematic examination of a well-dened process or
operation, either planned or existing. The overall HAZOP procedure
comprises four sequential steps as shown in Fig. 2 (MacDonald,
2004).
Thus, HAZOP study is a highly disciplined procedure meant to
identify how a process may deviate from its design intent. It is dened as the application of a formal, systematic critical examination
of the process and the engineering intentions of new or existing
facilities to assess the potential for malfunctioning of individual
pieces of equipment, and the consequential effects on the facility
as a whole. Its success lies in the strength of that methodology in
following a systems Process Flow Diagrams (PFDs) and Piping
and Instrumentation Diagrams (P&IDs), breaking the design into
manageable sections with denite boundaries called nodes, so
ensuring the analysis of each piece of equipment in the process.
A small multi-disciplinary team undertakes the analysis, whose

430

M. Hashemi-Tilehnoee et al. / Annals of Nuclear Energy 37 (2010) 428433

Fig. 1. Primary cooling systems PFD.

Table 1
PFD symbols and legends of primary cooling system.
Legend

Symbol

Legend

Symbol

Legend

Water entrance

Water exit

Heat exchanger

Motorized ball valve

Main motorized pump

Motorized pump

Motorized ball valve (normally close)

Motorized valve

Pump

Gate valve

Check valve

Ball valve

Temperature transmitter

Temperature recorder

Temperature indicator and controller

Flow transmitter

Flow indicator

Flow indicator and controller

Level recorder and controller

Raise orice

Pressure transmitter

members should have sufcient experience and knowledge to answer most questions on the spot. The members are selected carefully, and are given the authority to recommend any needed
changes in design. Executing the method relies on using guidewords (such as no, more, less) combined with process parameters

Symbol

(e.g., temperature, ow, pressure) that aim to reveal deviations

(such as less ow, more temperature) of the process intention or
normal operation. This procedure is applied in a particular node,
viz., as a part of the system characterized for a nominal intention
of the operative parameters. Having determined the deviations,

431

M. Hashemi-Tilehnoee et al. / Annals of Nuclear Energy 37 (2010) 428433

Table 3
Corrected symbols instead of incorrect symbols.
Incorrect symbol

Correct symbol

Fig. 2. Overall HAZOP-study procedures.

the expert team explores their feasible causes and their possible
consequences. For every pair of cause-consequence, safeguards
must be identied that could prevent, detect, control, or mitigate
the hazardous situation. Finally, if the safeguards are insufcient
to solve the problem, offering recommendations must be considered (Dunj et al., 2010).

Since standard HAZOP assessments focus only on the malfunction of equipment and process variables, methodologies were
developed to consider humanmachine interfaces, organizational
style, management attitudes, procedures and training, and batch
processes and pipeless plants. Wherein the researchers proposed
a novel method for incorporating analysis of hazards introduced
by human error into standard HAZOP by adding a new set of guide
words (such as missing, mistimed) and parameters (person, information, action) to focus on management and organizational factors
that can contribute to risk. Their method employs conditional reliance on procedure/training as a safeguard (Dunj et al., 2010). A related human factor issue appears when hazard identication is
focused not only on analyzing typical process deviations but also
on initiating events led by human errors. These events normally

Table 2
The results of HAZOP-study.
Deviations Causes

Consequences

Node: 1. Primary cooling loop in connection with reactor core

1.1. No/less ow of entrance water from cooling tower line
1. Cooling tower components failure 1.1. LOCA

1.2. Core melt

2. Motorized valve motive system
failure

1.2. Less fow of core outlet

1. Failure of YU20-D001 pump
2. Low Pressure YU10-B002
pressurizer
1.3. High-temperature of primary outlet loop
1. Excess reactivity insertion

2.1. Same as above

Recommendations

1.1.1.
1.1.2.
1.1.3.
1.2.1.

EC
1.
ER
2.
Motorized valve open to rise ow
Same as above
1.
2.
2.1.1. EC
1.
2.1.2. ER
2.
3.
4.

TAH10-001 and TAH20-001

FAL10-001 and FAL20-001
TAH10-001 and TAH20-001
FAL10-001 and FAL20-001
TAH10-001 and TAH20-001
FAL10-001 and FAL20-001
Bypass line
Motorized valve fail status

1.1. LOCA
1.2. Core Melt
2.1. Same as above

1.1.1. Bypass valve. YU20-S006

1.2.1. Same as above
2.1.1. Pressurizer pressure control loop

5. Pump fail indication

5. Pump fail indication
6. PAL10-001

1.1. LOCA

1.1.1. ECCS (Emergency core cooling

system)
1.1.2. ER
1.1.3. EC
1.1.4. Cooling tower ow control loop
1.2.1. Same as above

1. TAH10-001 and TAH20-001

1.2. Core melt

1.4. Low pressure of YU10-B002
1. Helium feeder line blockage

Safeguards

2. Control valve fail (close)

1.1.1.
1.1.2.
1.1.3.
1.2. Damage to pump TU10-D001 1.2.1.
2.1. Same as above
2.1.1.

3. Outlet of helium line opened

3.1. Same as above

3.1.1. Same as above

6.
6.
7.
6.

1.1. Leakage to helium line

1.1.1. LRC loop

1. TAH10-001 and TAH20-001

1.5. High level of YU10-B002

1. Excessive increment of core
temperature

2. Pressure decrease of YU10-B002

1.1. Coolant in the core begin to

boiling

PT
EC
ER
Same as 1.1.1.
Same as above

1. TAH10-001 and TAH20-001

2.1. Same as above

2.1.1. Same as above

2.2. Damage to YU10-B002

pressurizer

2.2.1. Same as above

6. PAL10-001

8.
9.
6.
8.
9.
6.

PAL10-001
PAL10-001
Control valve fail indication (lock)
PAL10-001

LAH10-001
Check valve (for helium input line)
PAL10-001
LAH10-001
Check valve (for helium input line)
PAL1O-001

8. LAH10-001

432

M. Hashemi-Tilehnoee et al. / Annals of Nuclear Energy 37 (2010) 428433

Table 4
Required corrections which must be applied to some points in the PFD.
Old PFD

1.
2.
3.
4.
5.
6.

New PFD

Required changes:
The data line changed to signal line
Local symbols changed to control room symbols
An interlock added between the FIC and TIC signal to control the motorized valve
Temperature alarm high (TAH) and ow alarm low (FAL) instruments added to diagram
Bypass line with a globe valve considered for motorized valve failure situation
These corrections should be applied to the YU10 side

Required changes:
1. The data line changed to signal line
2. Pressure indicator and controller (PIC) in connection with pressure alarm low (PAL) added to PT line
3. A solenoid valve considered in the line of helium gas
4. A level transmitter (LT) in connection with a LRC, equipped with level alarm high (LAH), added to Level controller line
5. YU10 equipment should be corrected as stated for YU20 equipment

present higher frequencies of occurrence than others (e.g., a control failure). While endeavors have been focused on improving
the expert team motivation for nding these types of causes, their
integration into the HAZOP structure still remains incomplete
(Dunj et al., 2010).
By considering different types of HAZOP technique and our case
study, we used the knowledge-based HAZOP. This methodology,
typically, is sometimes applied in place of the Guide Word Methodology. Some assumptions are:
Extensive design standards and procedures are in place.
HAZOP team has experience with similar designs.
Process being HAZOPed is well established.

The basis is to use detailed knowledge-based checklists and the

brainstorm process for possible deciencies (Hyatt, 2004).

4. HAZOP results and discussion

The rst step in reviewing the PFD of a desired plant is dividing
the diagram into proper nodes. Thus, the HAZOP-study on the primary cooling system is focused on the nodes, which are examined
for deviations from the design intent. However, the choice of the
deviations relies upon experience rather than the application of
any recognized method. The keys to efcient HAZOP are (Hyatt,
2004):

M. Hashemi-Tilehnoee et al. / Annals of Nuclear Energy 37 (2010) 428433

 Making nodes sufciently large to minimize repetition.

 Using correct deviations (not too many, not too few).
 Control of HAZOP session.
Therefore, we divided the system PFD to one node that contains
the main equipment. This makes the HAZOP less time-consuming
and decreases the repetition, while it needs a more expert HAZOP
team.
The study provides adequate pseudo-measure or approximation
gauging for the risk, so that a full quantication of the risk would
not be necessary.
By component functional analysis (CFA), the deviations are dened and then the HAZOP team is required to painstakingly study
the consequences in most aspects.
The ve deviations, which are due to damage to the reactor
core, are as follows:
1.
2.
3.
4.
5.

No/less ow of entrance water from cooling tower line.

Less ow of core outlet water.
High-temperature of primary outlet water.
Low pressure of YU10-B002 pressurizer.
High level of YU10-B002 pressurizer.

We considered the loss of coolant accident (LOCA) and the accident that leads to melting the core as the consequences focused on,
which lead to damage to the core in the rst level of PSA.
Besides the equipment whose malfunction leads to the obvious
deviations, instrument deciencies due to system failure must be
taken into account in the study procedure.
Therefore, selecting the proper initiating events (IEs) is according to the above-mentioned deviations. For each IE, the safety functions are those needed to be performed in order to prevent damage
to the core.
LOCA is one of the important consequences that will lead to
core melt-down in the worst situation. The LOCA can occur because of the following events in operating conditions (Faghihi
et al., 2008):
Disconnecting of main reactor pump in the coolant circuit,
except for faults in the scheme and system of electric
supply.
Fault in the welded pipes of primary coolant loops.
Leakage of heat exchangers (internal and external).
Ruptures or mechanical interruptions in the experimental
channel.
Failure of primary coolant pumps (except for mechanical
failure).
In the worst situation, LOCA can occur by rupture of the
head pipeline (400 mm), which is caused by the welded
junction defect and vibrations of pipeline head xed elbows.
Table 2 shows our team HAZOP-study results as a HAZOP worksheet report form that has been tabulated by the PHA-PRO (2009).
For each consequence, the system used a safeguard instrument
or an action as the protection system. The recommendations of this
study can be applied to PFD in order to improve the safety of the
plant. The systems PFD should be corrected as below:
1. Proper tag number should be used for all instruments.
2. Since some physical parameters are monitored and
recorded in control room, it is necessary to change some
symbols of instruments from local symbols to control room
symbols. Table 3 shows these symbols.

433

3. By considering HAZOP-study recommendations as the

result, the following changes should be applied to the PFD
of the system. Table 4 shows the required corrections. The
required changes are listed at the bottom of the table.
5. Conclusion
The main objective of this study, as an example of nuclear plant
HAZOP-study, is the identication of the risks and analysis of the
hazardous situations in operating conditions of the primary cooling system of a research reactor. The results lead to nding the
key points and proper recommendations to improve the safety of
the plant in the design state. The optimizing results were applied
to the PFD of the primary cooling system. Full understanding of
the design of the above-mentioned facility requires an experienced
HAZOP team that knows the system complexity and related safety
systems. Complete knowledge of the components of the system is
also crucial to database developing.
In addition, the consequence severity of an event in view of its
ability to damage the system versus the frequency of such an event
can be examined by the risk matrix. This weighted and nonnumerical risk matrix can identify the operation regions as transitional, unacceptable and tolerable regions (Hyatt, 2004). Therefore,
the facility with such a degree of sensitivity should be operated in
the transitional region and the equipment operating conditions
should not exceed this region.
Regarding the above-mentioned changes, a probabilistic safety
assessment can be carried out, similar to the one performed by
Faghihi et al. (2008). Then, by comparing the results of these two
studies, we can evaluate the plant by a Hybrid-HAZOP method.
Acknowledgment
The authors are thankful to the referee for a careful reading of
the paper and for valuable comments and suggestions. In addition,
we wish to thank the HAZOP team who helped us on this study, in
particular the instrument and process engineers B. Mirzaeian and
M. Abdous.
References
Bartolozzi, V., Castiglione, L., Picciotto, A., Galluzzo, M., 2000. Qualitative models of
equipment units and their use in automatic HAZOP analysis. Reliability
Engineering and System Safety 70 (1), 4957.
Cagno, E., Caron, F., Mancini, M., 2002. Risk analysis in plant commissioning: the
multilevel Hazop. Reliability Engineering and System Safety 77 (3), 309323.
Cocchiara, M., Bartolozzi, V., Picciotto, A., Galluzzo, M., 2001. Integration of interlock
system analysis with automated HAZOP analysis. Reliability Engineering and
System Safety 74 (1), 99105.
Dunj, J., Fthenakis, V., Vlchez, A., Arnaldos, J., 2010. Hazard and operability
(HAZOP) analysis. A literature review, Journal of Hazardous Materials 173 (1-3),
1932.
Faghihi, F., Ramezani, E., Yousefpour, F., Mirvakili, S.M., 2008. Level-1 probability
safety assessment of the Iranian heavy water reactor using SAPHIRE software.
Reliability Engineering and System Safety 93, 13771409.
Guimares, A.C.F., Lapa, C.M., 2006. Hazard and operability study using approximate
reasoning in light-water reactors passive systems. Nuclear Engineering and
Design 236, 12561263.
Hyatt, N., 2004. Guidelines for Process Hazards Analysis. Hazards Identication and
Risk Analysis. CRC Press in corporation by DYADEM Press.
Kletz, T.A., 1997. Hazop-past and future. Reliability Engineering and System Safety
55 (3), 263266.
Macdonald, D., 2004. Practical Hazops, Trips and Alarms. Elsevier Press.
Markowski, A.S., Mannan, M.S., Bigoszewska, A., 2009. Fuzzy logic for process safety
analysis. Loss Prevention in the Process Industries 22 (6), 695702.
Nelson, P.F., Flores, A., Franois, J.L., 2007. A design-phase PSA of a nuclear-powered
hydrogen plant. Nuclear Engineering and Design 237, 219229.
PHA-PRO software, 2009. DYADEM International Ltd. <http://www.dyadem.com>.
Wilpert, B., Itoigawa, N., 2005. Safety Culture in Nuclear Power Operations. Taylor &
Francis Press.