ML19011A437

Lecture 7-2 Notable Events 2019-01-22
ML19011A437
Person / Time
Issue date: 01/16/2019
From:
Office of Nuclear Regulatory Research
To:
Nathan Siu 415-0744
Shared Package
ML19011A416 List:
References
Download: ML19011A437 (26)


Text

Some Notable Events and Lessons for PRA Lecture 7-2

Overview Key Topics

  • PRA and RIDM motivation for retrospective analysis
  • Lessons from three events

- Blayais (12/27/1999)

- Fukushima Dai-ichi (3/11/2011)

- Narora (3/31/1993)

Overview Resources

  • N. Siu, et al., Qualitative PRA insights from operational events, Proceedings of 14th International Conference on Probabilistic Safety Assessment and Management (PSAM 14), Los Angeles, CA, September 16-21, 2018.
  • Institut de Protection et de Sûreté Nucléaire, Rapport Sur L'Inondation Du Site Du Blayais, Fontenay-aux-Roses, France, January 2000. (Available from: http://www.irsn.fr/FR/expertise/rapports_expertise/Documents/surete/rapport_sur_l_inondation_du_site_du_blayais.pdf)

  • N. Siu, et al., PSA technology reminders and challenges revealed by the Great East Japan Earthquake: 2016 update, Proceedings of 13th International Conference on Probabilistic Safety Assessment and Management (PSAM 13), Seoul, Korea, October 2-7, 2016.
  • S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained From Fire Incidents, NUREG/CR-6738, 2001.


Overview Other References

  • A. Gorbatchev, et al., Report on flooding of Le Blayais power plant on 27 December 1999, Proceedings of EUROSAFE 2000, Cologne, Germany, November 6-7, 2000, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) Gmbh, Cologne, Germany, 2000.
  • E. Vial, V. Rebour, and B. Perrin, Severe storm resulting in partial plant flooding in Le Blayais nuclear power plant, Proceedings of International Workshop on External Flooding Hazards at Nuclear Power Plant Sites, Atomic Energy Regulatory Board of India, Nuclear Power Corporation of India, Ltd., and International Atomic Energy Agency, Kalpakkam, Tamil Nadu, India, August 29 - September 2, 2005.
  • N. Siu, et al., PSA technology challenges revealed by the Great East Japan Earthquake, Proceedings of PSAM Topical Conference in Light of the Fukushima Dai-Ichi Accident, Tokyo, Japan, April 15-17, 2013.


Overview Other References (cont.)

There is an enormous volume of publicly available information on the Fukushima Dai-ichi reactor accidents and other reactor incidents resulting from the 2011 Great East Japan Earthquake and Tsunami. Useful reports include:

  • National Research Council, Lessons Learned from the Fukushima Accident for Improving Safety of U.S. Nuclear Plants, National Academies Press, Washington, DC, 2014.
  • International Atomic Energy Agency, The Fukushima Daiichi Accident: Report by the IAEA Director General, STI/PUB 1710, Vienna, Austria, 2015.
  • Government of Japan, Investigation Committee on the Accident at the Fukushima Nuclear Power Stations of Tokyo Electric Power Company, Final Report, Tokyo, Japan, 2012.
  • Tokyo Electric Power Company, Inc., Fukushima Nuclear Accident Analysis Report, Tokyo, Japan, 2012.
  • The National Diet of Japan, The Official Report of the Fukushima Nuclear Accident Independent Investigation Commission, Tokyo, Japan, 2012.
  • Institute of Nuclear Power Operations, Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station, INPO 11-005, Atlanta, GA, 2011.

Other References (cont.)

  • Useful references on other major events:

- U.S. Department of Energy, Electric Power Research Institute, Environmental Protection Agency, Federal Emergency Management Agency, Institute of Nuclear Power Operations, and the U.S. Nuclear Regulatory Commission, Report on the Accident at the Chernobyl Nuclear Power Station, NUREG-1250, January 1987.

- U.S. Nuclear Regulatory Commission, Three Mile Island Accident of 1979: Knowledge Management Digest, NUREG/KM-0001, December 2012.

- U.S. Nuclear Regulatory Commission, The Browns Ferry Nuclear Plant Fire of 1975 Knowledge Management Digest, NUREG/KM-0002, Rev. 1, February 2014.


Overview Qualitative Retrospective Analysis

  • Provides empirical lessons for

- Risk management (e.g., potential improvements in emergency response as well as plant design and operations)

- Risk assessment (e.g., potentially important failure mechanisms and dependencies)

  • No one best way to perform analysis, but PRA modeling structure provides a useful perspective

Don't forget: risk includes qualitative information

$\text{Risk} \equiv \{ s_i, C_i, p_i \}$


Overview Examples of Past Lessons

Importance of:

  • External flooding
  • Combined hazards

Timeline: Hinkley Point Flood (1981), TMI-1 PRA and Review (1989), Blayais Flood (1999), IPEEE Insights (2002), Fukushima Dai-ichi Accidents (2011)

Large volumes of waste water

Timeline: Chalk River Accident (1952), TMI-2 Accident (1979), Fukushima Dai-ichi Accidents (2011)

Overview Caution - Beware of 20-20 Hindsight

  • A.k.a.

- MMQB (Monday Morning Quarterbacking)

- "I knew it all along" syndrome

  • Available information generally uncertain, limitations can be persistent

- Simplifications

- Inconsistencies

- Factual errors

  • Post-event judgments subject to normal human biases

- Confirmation bias

- Underestimation/undervaluation of uncertainty

  • Often used to assess blame rather than identify lessons for moving forward

NPP PRAs identify millions of possibilities, virtually all of which will not happen. The occurrence or non-occurrence of a scenario does not prove that the PRA is right or wrong.


Overview Example: On Lack of Imagination

Early quote captures concern, but is it fair? Helpful?

"the thought of a tsunami never crossed my mind."

- Tsuneo Futami (<March 26, 2011: D+15) http://www.nytimes.com/2011/03/27/world/asia/27nuke.html?hp&_r=0

"I could not imagine such a huge tsunami as occurred on 11 March."

- Tsuneo Futami (May 17, 2011: M+2) http://spectrum.ieee.org/tech-talk/energy/nuclear/the-scale-of-the-accident-was-beyond-my-imagination/?utm_source=techalert&utm_medium=email&utm_campaign=051911

Blayais Le Blayais (December 27, 1999)

  • Two exceptionally strong winter storms (Lothar and Martin) sweep over Western Europe in rapid succession. Martin causes a grid disturbance and LOOP at Units 2 and 4.
  • Wind-driven waves + major storm surge

- Overtop and sweep around dike, damage dike

- Flood site

(E. de Fraguier, Lessons learned from 1999 Blayais flood: overview of EDF flood risk management plan, NRC Regulatory Information Conference, Rockville, MD, March 9-11, 2010.)

  • Flood waters pass through penetrations, burst an internal fire door, and flood key areas within the plant.

- Immerse Unit 1 and 2 low head safety injection and containment spray pumps (but not motors); plant staff declare these inoperable.

- Immerse the motors of Unit 1 Train A emergency service water pumps.

- Unit 1 tripped due to problems caused by debris clogging of circulation water filters.

- Some flooding of auxiliary feedwater and emergency diesel generator rooms but not severe enough to damage.


Blayais Confirm following are publicly available Le Blayais (cont.)

  • Offsite flooding and storm damage (downed trees, debris) delay arrival of offsite support personnel (needed to implement emergency action plan).
  • Plant adopts shutdown strategy that accounts for grid instability, potential for additional failures.
  • Event is serious enough to warrant activation of national crisis teams (utility and regulator).
  • Post-event activities include flood hazard re-examinations for all French plants.


Blayais Le Blayais - PRA-Oriented Observations*

Category: Hazard

Sub-Category: Conditions
Summary: Exceptionally strong storm (985 hPa; 180-200 km/h); high tide, storm surge, wind-driven waves at site.
Comments: Pre-event conditions from prior storm (regional or organizational) unclear.

Sub-Category: Protection
Summary: Dikes (5.7 m) insufficient height and inadequate shape, upgrade suggested by a 1998 EDF study given low priority. (Work scheduled for 2002.) Also problems with detection and warning systems.

Sub-Category: Onsite Impact
Summary: Flooding washed over and around dike (and damaged dike) around 1930 12/27, entered service trenches, underground galleries and then nuclear island through non-leaktight penetrations and door(s). Flooding of rooms with electrical and electronic components, Fuel Building (FB) basement (with low-head safety injection - LHSI - and containment spray system - CSS - pumps), and Emergency Service Water (ESW) pumping station.

* Based on document review

Blayais Le Blayais Observations (cont.)

Category: Fragility

Sub-Category: Safe Shutdown SSCs Exposed
Summary: See below for failed SSCs. LHSI and CSS pumps declared inoperable.
Comments: Reports generally lack explicit description of SSCs that were exposed but didn't fail.

Sub-Category: Safe Shutdown SSCs Affected
Summary: Loss of 225kV for all units, 400kV for U2/U4, trip of U2/U4. U1/U3 connected to intact portion of grid. (U1 had minor problems due to grid fluctuations.) U2/U4 power restored. U1 tripped. U1 Train A ESW motors, U1/U2 LHSI and CSS failed.
Comments: Some uncertainties in the timing of events across the various sources.

Sub-Category: Barrier SSCs affected
Summary: Dike embankments moved by flood, lowering dike level; storm damage to administration building. Fire door failed due to differential pressure.
Comments: Dike damage only mentioned by early IPSN reports.


Blayais Le Blayais Observations (cont.)

Category: Response

Sub-Category: Functions Lost
Summary: Loss of U1-U4 225kV and U2/U4 400kV offsite power, U1/U2 LHSI and CSS; partial loss U1 ESW.
Comments: EDGs started and loaded as designed. ESW degradation probably less significant than at some other plants due to use of air-cooled EDGs.

Sub-Category: Safe Shutdown Path
Summary: U2/U4 tripped on LOOP, U1 tripped later. SGs fed by AFW (2 MDP, 1 TDP; 1/3 needed, "no sign of failure during operation"). Maintained in RHR cooling until stabilization of grid and onsite power. U3 in cold shutdown following refueling outage; U4 reconnected to grid 12/30 after restoration of 225kV. Approach considered likelihood of SRV LOCA and Y2K issues.
Comments: Some uncertainties in the timing of events across the various sources.

Sub-Category: Recovery
Summary: Receding floodwaters allowed access to site at 0250 12/28. Floodwaters pumped out by 12/29 using offsite fire pumps. Pumped water released into Gironde after checking for activity. U1 Train A ESW restored, one LHSI pump and one CSS pump refurbished (but not completely requalified) 1/4/00. Concern with corrosion from chlorine.


Blayais Le Blayais Observations (cont.)

Category: Response (cont.)

Sub-Category: Operator Actions
Summary: U4 operators did not treat high water level alarm - considered covered by ongoing LOOP procedure; alarm not relayed to other units, would have led to earlier U1 shutdown.

Sub-Category: Other Incident Management
Summary: Regional directorate notified at 2240; IPSN on-duty engineer (on-duty b/c of "power supply problems") notified at 2400; receding water allowed additional personnel onsite at 0250 12/28, EDF national crisis team mobilized at 0315; DSIN officially notified at 0330; IPSN management notified at 0630; IPSN technical crisis center manned 0745, couldn't rely on PSA model and had to use judgment; Level 2 emergency plan (PUI) activated at request of DSIN at 0900 b/c of reduced safety margin at U1/U2; relief team at 2100.
Comments: Mobilization of national crisis teams indicates the perceived seriousness of the event at the time. External technical experts at IPSN, including experts in PSA, had a major role in determining an appropriate safe shutdown strategy in light of known equipment losses.

Sub-Category: Offsite Impact
Summary: Site access lost for several hours (until 0200 12/28); downed trees, power lines, and localized flooding blocked roadways. Also problems with phone communications. Emergency plan Level 1 was postponed (concerns about site access and personnel safety) until 0250, after site access was regained.
Comments: Temporary loss of site access was a significant factor in the response.

Blayais Le Blayais Observations (cont.)

Category: Long-Term

Sub-Category: Post-Event Changes (Blayais)
Summary: Plant protective dike now 6.2 m, additional wave protection for wave heights up to 2.7 m, wave breakers in front of dike; inspection program for submerged cables and components that were cleaned; 50 cm portable flood barriers, diesel-driven site drainage pumps, leaktight penetrations and doors. New site flooding operating procedure addresses loss of site access, water quality and fuel supply, accessibility of equipment outside unprotected buildings, multi-unit impact, flood detection, electrical isolation, and management of water release.

Sub-Category: Post-Event Changes (All French Plants)
Summary: All plants re-evaluated, considering additional phenomena, including realistic combinations. Require analysis of risks of offsite inaccessibility, loss of offsite power supplies, heat sink, communications. Changes implemented, costs around 110M euros.
Comments: U.S. plants were informed. External flooding within scope of IPEEE, but deterministic screening was allowed. Hazard re-evaluation required following Fukushima.


Blayais Blayais Lessons for NPP PRA

  • Hazard

- Multiple hazards

- Large extent

- Asymmetrical impact

- Persistence

  • Fragility

- Declaration of inoperability

  • Response

- Multiple shocks

- Multiple units

- HRA complexities

    • Onsite damage (ability to perform outside actions)
    • Uncertainty in effectiveness of actions
    • Offsite damage (staffing, psychological impact)

- Willingness to use external resources, restored but unstable grid

Fukushima Fukushima Dai-ichi (March 11, 2011)

  • The short version:

The March 11, 2011, Great East Japan Earthquake and tsunami sparked a humanitarian disaster in northeastern Japan and initiated a severe nuclear accident at the Fukushima Daiichi nuclear plant. Three of the six reactors at the plant sustained severe core damage and released hydrogen and radioactive materials.

- National Research Council (2014)

Fukushima Fukushima Dai-ichi (cont.)

  • A longer but only partial version:

Category: Hazard

  • Peak ground acceleration (0.56 g) exceeded design basis.
  • Tsunami (13.1 m) exceeded latest accepted calculation (6.1 m)
  • Tsunami warning times: 4 min, 28 min, 45 min
  • Tsunami arrival times: 40 min, 50 min
  • 180 aftershocks > M 5.0, 5 aftershocks > M 7.0

Category: Fragility

  • Complete loss of offsite power (collapsed towers, damaged substation)
  • Key electrical components (e.g., switchgear) on lower floor
  • Loss of access systems
  • Seismically isolated Emergency Response Center (ERC) above tsunami run-up
  • Offsite Center damaged by earthquake, never fully operational

Category: Response

  • Loss of power, indications, lighting, communications, physical access
  • Operators initially confident, stunned by progression of events. Worried about conditions offsite. High radiation; older workers selected for volunteer efforts.
  • Inadequate preparations (procedures, training, staffing); had to develop and implement ad hoc plans on the fly (scavenge car batteries for power, use fire engine trucks for pumping)
  • Extreme conditions (e.g., aftershocks, tsunami warnings, dark, hazardous onsite conditions, evacuations, inadequate supplies and facilities)
  • External distractions (requests for information, directions for action)
  • Intentional isolation of cooling systems (non-consequential at Unit 1, important at Unit 3)
  • Could have been worse (failure of Unit 6 EDG with Unit 5 at full power, lower ERC) or better (no LOOP)
  • Fundamental belief that event would not occur

Fukushima The Other Plants Plant Effects Fukushima

  • PGA > design basis Dai-ni
  • Tsunami height = 9.1 m (above calculated 5.2 m)
  • Tsunami arrival time = 35 min
  • Partial LOOP (one offsite line survived), site flooding Onagawa
  • PGA > design basis
  • Tsunami height = 13.8 m (above calculated 9.1 m, below site level of 15 m*)
  • Tsunami arrival time = 45 min
  • Tsunami height = 5.4 m (above calculated 4.88 m, below 7 m sea wall)
  • Tsunami arrival time = 30 min Adapted from

official20110311054624120_30/shakemap/intensity Higashidori

* Per Kato (2012), initial calculation (1970) was 3 m. Utility chose to set site grade level at 15 m.

Fukushima Fukushima Lessons for PRA

  • Many perspectives, many lists of topics with specific lessons
  • More discussion: Lecture 9-1
  • PRA scope
  • Feedback loops
  • "Game over" modeling
  • Long duration scenarios
  • External hazards analysis
  • HRA
  • Uncertainties in phenomenological codes
  • Searching vs screening
  • Level 3

  • External Hazards

- Ensuring defense in depth

- Full hazard spectrum

- Correlated hazards

  • Human performance and HRA

- Decision making

- Ex-control room actions

- Teamwork

- Long duration scenarios

- Equipment survivability, I&C

- Environmental conditions and habitability

Narora Some Notable Turbine Building Fires

Date, Plant: Notes

6/21/1971, Muhleberg: Oil leak ignites, minor explosion. Dense smoke fills turbine building. Extensive damage (non-safety cables), cleanup of HCl acid required.

12/31/1978, Beloyarsk 2: Burning lube oil spread into a cable shaft and the Control Building (and MCR) via open penetrations. Turbine Building roof collapsed. Secondary fire from oil-filled transformer. Fire fighting hampered by heavy smoke, bitter cold (-47ºC), multiple changes in command.

10/15/1982, Armenia: Power cable ignited at multiple points in two cable galleries (short circuit), propagated to adjacent room. Escaping hydrogen in Turbine Building exploded, started oil fire (~300 m²). Loss of all power and control for Unit 1, 3-hr SBO.

10/2/1987, Fort St. Vrain: Hydraulic oil spray onto hot surface, delay in cutting off oil supply (missing valve handle). Limited damage area. Smoke entered MCR.

10/19/1989, Vandellos 1: Turbine blade failure ruptures oil lines. Hydrogen fire. Cascading, burning oil affects lower floors, fails expansion joint and leads to flooding (as well as fire). Smoke enters control room, other parts of plant. Operators need breathing apparatus to enter dark, smoke-filled areas to perform recovery actions.

10/11/1991, Chernobyl 2: Large oil and hydrogen fire, collapse of Turbine Building roof. Main and emergency feedwater failed by debris or de-energized to allow fire fighting. Minor resuspension of contamination from Unit 4 accident.

3/31/1993, Narora 1: Turbine blade failure causes oil spill and fire. Fire propagates along cable trays into control room. Power lost to auxiliary shutdown panel. 17 hour SBO.


Narora Narora (March 31, 1993)

  • Unit 1 operating, Unit 2 cold shutdown
  • Turbine blade failure, severe vibrations, ruptured oil lines, release of H2 => explosion and fire
  • Fire propagated into Control Equipment Room (lack of proper fire barrier penetration seals).
  • Major part of fire extinguished in 1.5 hours.
  • Diesel-driven fire pumps provide water to steam generators, both trip after 3.5 hours (non-fire CCF?)
  • Smoke forces Main Control Room (MCR) abandonment. (Could not re-enter for 13 hours). No power to Unit 1 emergency control room => operators flying blind for 4.5 hours. Entered primary containment to read primary loop instrumentation directly.
  • EDG started and loaded after 5.5 hours; shutdown cooling pump not energized until 17 hours (declared end of SBO).


Narora Narora Fire Lessons for PRA

  • Potential importance of large Turbine Building fires
  • Multiple hazards (H2, oil fire)
  • Potential for MCR abandonment due to ex-MCR fires
  • Potential for common cause failure of MCR and external emergency shutdown
  • Successful actions potentially outside written procedures

- Use of fire water as backup cooling

- Entering containment to tap into instrumentation feeds or read from master gauges

Comments

  • More events => more PRA and RIDM lessons Useful
  • Also useful for knowledge base and text mining tool project development

Confirmatory:

- Multiple hazards

- Asymmetrical multi-unit impacts

- Less-than-extreme hazards

- Hazard persistence

- Failure of mitigation SSCs

Less Discussed:

- Multiple shocks

- Scenario dynamics

- Geographical extent and potential for multi-site impacts

- Failure of implicitly considered SSCs

- Warning times and precautionary measures

- HRA and emergency response complexities

.L. Hayes, Service Assessment: The Historic Tornadoes of April 2011, U.S. National Weather Service, 2011. (Available from: https://www.weather.gov/media/publications/assessments/historic_tornadoes.pdf)