ML19066A389

Dynamic PRA Seminar
Person / Time
Issue date: 02/05/2019
From: Coyne K, Nathan Siu
NRC/RES/DRA
To:
N. Siu

Dynamic PRA: The vision and a peek under the hood

N. Siu and K. Coyne
NRC Internal Seminar, Commission Hearing Room
February 5, 2019 (1:30-3:30)

  • The views expressed in this presentation are not necessarily those of the U.S. Nuclear Regulatory Commission

"That's so cool"

"but how does it really work?"

Abstract

The term "Dynamic PRA" sparks many reactions within the PRA community. This seminar provides a high-level view of dynamic PRA (what is it? why is it of interest? what are the general characteristics of current approaches and activities?) and a more detailed look at key issues likely to be of interest to NRC reviewers.

2 Outline

  • Overview

- Motivation for DPRA

- What is DPRA?

- Potential benefits

- Challenges to reviewers

- Looking forward

  • Illustrations

- HRA Empirical Study: dynamic PRA V&V

- Accident precursor analysis: a potential regulatory application

3 March 11, 2011 (Fukushima Dai-ichi Unit 1: 1F1)

[Figure: event tree with 22 numbered sequences, 13 of them ending in core damage (CD). Top events: LOOP (Earthquake) [LOOP]; Emergency Power (EDGs) [EPS]; Isolation Condenser (IC) [ISO]; Actions to Extend IC Ops [EXT]; Actions to Shed DC Loads [DCL]; Offsite Power Recovery [OPR]; EDG Recovery [DGR]; Long-Term Cooling [LTC]]

Background and Motivation

4 1F1, 3/11/2011

Timeline (table columns: Time; Relative Time; Hazard; Systems; Indications; Operators/Workers; ERC/ER team; EP). Each entry below is Time (Relative Time), followed by the row's cells.

  • 14:46 (0:00): Earthquake | Scram
  • 14:47 (0:01): MSIVs close, turbine trips, EDGs start and load | Rx level drops
  • 14:52 (0:06): ICs start automatically | RV pressure decreases; RV level in normal range
  • 15:03 (0:17): ICs removed from service | Cooldown rate exceeding tech spec limits | Manually remove IC from service
  • 15:06 (0:20): Disaster HQ established in TEPCO Tokyo
  • 15:10 (0:24): Determine only 1 train IC needed; cycle A train
  • 15:27 (0:41): First tsunami arrives
  • 15:35 (0:49): Second tsunami arrives
  • 15:37 (0:51): Loss of AC
  • 15:37 (0:51): 1537-1550: Gradual loss of instrumentation, indications (including IC valve status, RV level), alarms, MCR main lighting | Determine HPCI unavailable
  • 15:42 (0:56): TEPCO enters emergency plan (loss of AC power); ERC established
  • 16:35 (1:49): D/DFP indicator lamp indicates "halted"
  • 16:36 (1:50): Review accident management procedures, start developing procedure to open containment vent valves without power | Cannot determine RV level or injection status; work to restore level indication; do not put IC in service | Review accident management procedures, start developing procedure to open containment vent valves without power | Declared emergency (inability to determine level or injection)

Callouts:

  • 40 minutes between earthquake and tsunami; transition from confident control to disbelief
  • Degradation and failure over time, gradually affecting operator information and ability to control

Dynamic PRA

Background and Motivation

5 1F1, 3/11/2011 (cont.)

Timeline (table columns: Time; Relative Time; Hazard; Systems; Indications; Operators/Workers; ERC/ER team; EP). Each entry below is Time (Relative Time), followed by the row's cells.

  • 16:45 (1:59): Determine RV level | Emergency cancelled
  • 16:55 (2:09): Tsunami alert | Workers on way to check D/DFP had to turn back
  • 17:07 (2:21): Lose ability to determine RV level or injection status | Reentered emergency plan
  • 17:12 (2:26): Site superintendent directs investigation of using fire protection to inject water
  • 17:15 (2:29): Estimated core uncovery in 1 hr
  • 17:19 (2:33): Tsunami alert cleared
  • 17:30 (2:44): Diesel-driven fire pump started and left to idle | Pressure above 100 psi | Manually open valves (in dark) from fire protection system to core spray system; take turns holding D/DFP switch to keep in standby
  • 18:18 (3:32): DC power partially returned | MO-3A and MO-2A indicate closed
  • 18:18 (3:32): MO-3A and MO-2A opened | Open IC valves MO-3A and 2A. Steam from condenser observed
  • 18:25 (3:39): MO-3A closed | Remove IC from service (concerned about failing lines). Entered R/B and T/B to manually open MOV for FP lineup. Hard time finding valve, had wrong key, hard to operate hand wheel. Long time.

Callouts:

  • Error of commission (disabling passive safety system) possibly based on assumed low inventory (usage)
  • External influence triggering work stoppage, temporary evacuation, accountability

Background and Motivation

6 1F1, 3/11/2011 (cont.)

Timeline (table columns: Time; Relative Time; Hazard; Systems; Indications; Operators/Workers; ERC/ER team; EP). Each entry below is Time (Relative Time), followed by the row's cells.

  • 18:50 (4:00): Core damage (4-5 hr after trip)
  • 19:00 (4:14): Close valves for broken outdoor FP pipes. Broke lock to allow passage between Units 2 and 3. Ask Tokyo for more fire engines
  • 19:03 (4:17): Govt. declares nuclear emergency
  • 20:07 (5:21): No pressure indication in MCR; Reactor pressure = 6.89 MPa (1000 psi) local indication
  • 20:49 (6:03): Small portable generator installed | MCR has temporary lighting
  • 20:50 (6:04): Local authorities order evacuation within 2 km
  • 21:19 (6:33): Level indication restored; level = 0.20 m (8") above TAF
  • 21:23 (6:37): Prime minister orders evacuation within 3 km; sheltering out to 10 km
  • 21:30 (6:44): MO-3A opened | Place IC in service; steam observed
  • 21:51 (7:05): Access to RB restricted due to dose rates - indirect indication of core uncovery
  • 22:00 (7:14): Level = 0.55 m (21.7") above TAF
  • 23:50 (9:04): Drywell pressure = 0.50 MPa (87 psi) above design | Restoration team from ERC enables reading
  • 23:59 (9:13): Offsite power supply trucks arrive by midnight

Callout:

  • In hindsight, core damage "Game Over" for 1F1; continuing 1F1 recovery activities and events impact other units (1F2 and 1F3 core uncovery on 3/14)

Background and Motivation

7 Might the details matter?

"Imagine the horse as a sphere"

"It depends"

Background and Motivation

8 Different perspectives => Different challenges and needs

[Figure: Developers, Analysts/Reviewers and Users, surrounded by challenges and needs: Understanding; Uncertainties; Heterogeneity and aggregation; Confidence; Other Factors (e.g., DID, safety margins); Stakeholders; Time; Resources; Biases/heuristics; Communication; Data; Bounding/screening; Guidance; Holes; Integration; Imagination; New science/engineering; Operational experience; Intended users/applications; Computational limits; Rewards]

Background and Motivation

9 Late 70s/early 80s fast reactor analyses

  • Ispra JRC (Amendola, Reina, Cacciabue)

- Concern with dynamic interaction of transient physics and system logical response: physics trigger response which affects physics, etc.

- Event Sequences and Consequence Spectrum/Logical Analytical Methodology (ESCS/LAM) => DYLAM

- Recognize different time scales (ageing, transients)

- EUROPA LMBR (channel-type) - phenomenological driver or target of opportunity?

  • CEA (Lanore, Villeroux, et al.)

- Concern with proper repair (recovery) credit considering large thermal inertia of Super-Phénix (pool-type LMFBR)

- Damage concern: creep rupture of RPV on LODHR

- State-transition (Markov) model; transition probabilities from standard fault tree analysis

Background and Motivation

10 Mid-late 80s: treat errors of commission?

Can always add a basic event "Operator Stops RCIC". Possible, but sufficiently probable? Why or why not?

[Figure: basic event labeled OPERATOR STOPS RCIC]

Background and Motivation

11 Bounded Rationality Model

  • Operator actions are not completely random events
  • Reasons for decisions and actions (and inaction) affected by context, including

- scenario evolution

- past decisions/actions

  • Dynamic PRA provides a framework for treating such context; major challenges in modeling and implementation

Background and Motivation

12 What is dynamic PRA?

  • Risk {scenarios, consequences, likelihoods}
  • PRA: likelihood expressed using probabilities
  • Dynamic PRA:

- A simple view: PRA that explicitly models system dynamics

- Typically envisioned as a form of direct simulation but doesn't have to be

- Not intended to address dynamically changing PRAs (e.g., risk monitors)

Dy*nam*ics, n. a branch of mechanics that deals with forces and their relation primarily to the motion but sometimes also to the equilibrium of bodies

Definition and Illustration

13 Typical Modeling Approaches

  • State-Transition Models (cell-to-cell)
  • Dynamic Event Trees
  • Direct Simulation

Definition and Illustration

14 A Simple Example - The Aldemir Tank

Liquid level (L)    Control unit state
                    Valve     Pump 1    Pump 2
a1 < L < a2         Open      On        Off
L above a2          Open      Off       Off
L below a1          Closed    On        On

[Figure: tank showing Pump 1, Valve, Pump 2, liquid level L and setpoints a1 and a2]

Definition and Illustration

15 Tank Problem: State-Transition Model

[Figure: state-transition model; label: First transition]

Definition and Illustration

16 Tank Problem: Dynamic Event Tree

Adapted from N. Siu, "Risk assessment for dynamic systems: An overview," Reliability Engineering and System Safety, 43, 43-73 (1994).

Definition and Illustration

17 Tank Problem: Discrete Event Simulation

Adapted from N. Siu, "Risk assessment for dynamic systems: An overview," Reliability Engineering and System Safety, 43, 43-73 (1994).

Definition and Illustration

18 Predominant Approach: Dynamic Event Trees*

Historical: Adapted from N. Siu, "Risk assessment for dynamic systems: an overview," Reliability Engineering and System Safety, 43, 43-73, 1994

More Recently: J. LaChance, et al., Discrete Dynamic Probabilistic Risk Assessment Model Development and Application, SAND2012-9346, Sandia National Laboratories, October 2012.

[Figure panels: One concept; One implementation]

* Sometimes referred to as discrete dynamic event trees

Definition and Illustration
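
An added example, not taken from the seminar slides: a minimal discrete dynamic event tree for the tank problem, driven by the control law on the tank slide. The setpoints, end-state thresholds, flow rate, failure rates and the flip-and-stick failure mode are assumptions made for illustration, as are the names `demand` and `expand`.

```python
import itertools
import math
from collections import defaultdict

# Assumed values for illustration; the slides give no numbers.
A1, A2 = -1.0, 1.0             # control setpoints a1 < a2 (m, relative to nominal)
DRYOUT, OVERFLOW = -3.0, 3.0   # absorbing end states (m)
Q = 0.6                        # level change per open valve / running pump (m/h)
RATES = (3.1e-3, 4.6e-3, 5.7e-3)   # failure rates per hour: valve, pump 1, pump 2


def demand(level):
    """Control law from the tank slide: (valve open, pump 1 on, pump 2 on)."""
    if level < A1:
        return (False, True, True)    # low level: close valve, both pumps on
    if level > A2:
        return (True, False, False)   # high level: open valve, both pumps off
    return (True, True, False)        # normal band


def expand(mission_h=24.0, dt=1.0, cutoff=0.0):
    """Enumerate the discrete dynamic event tree; return (end-state probs, nodes)."""
    p_fail = [1.0 - math.exp(-r * dt) for r in RATES]
    n_steps = round(mission_h / dt)
    totals, nodes = defaultdict(float), 0
    # Node = (step, level, component states, stuck flags, path probability)
    stack = [(0, 0.0, demand(0.0), (False, False, False), 1.0)]
    while stack:
        step, level, state, stuck, prob = stack.pop()
        nodes += 1
        if level <= DRYOUT:
            totals["dryout"] += prob
        elif level >= OVERFLOW:
            totals["overflow"] += prob
        elif step == n_steps:
            totals["ok"] += prob
        elif prob < cutoff:
            totals["truncated"] += prob   # pruned mass is tracked, not dropped
        else:
            want = demand(level)
            # Branch point: every combination of healthy components failing now.
            for fails in itertools.product((False, True), repeat=3):
                if any(f and s for f, s in zip(fails, stuck)):
                    continue              # an already-stuck unit cannot fail again
                branch_p, new_state = prob, []
                for f, s, cur, w, p in zip(fails, stuck, state, want, p_fail):
                    if not s:
                        branch_p *= p if f else 1.0 - p
                    # Assumed failure mode: flip to the opposite state and stick.
                    new_state.append((not cur) if f else (cur if s else w))
                new_stuck = tuple(s or f for s, f in zip(stuck, fails))
                rate = Q * (new_state[1] + new_state[2] - new_state[0])
                stack.append((step + 1, round(level + rate * dt, 9),
                              tuple(new_state), new_stuck, branch_p))
    return dict(totals), nodes


if __name__ == "__main__":
    for cut in (0.0, 1e-6, 1e-4):
        probs, n = expand(cutoff=cut)
        print(f"cutoff={cut:g} nodes={n}", {k: f"{v:.3e}" for k, v in probs.items()})
```

With these assumed numbers, a cutoff of 1e-4 prunes every two-failure sequence, so the overflow and dryout end states vanish from the result and their probability is reported only as truncated mass.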

19 Comments

  • Many related terms inside and outside NPP PRA community (A rose by any other name)

- Integrated Deterministic-Probabilistic Safety Assessment (IDPSA)

- Integrated Safety Assessment (ISA)

- Computational risk assessment (CRA)

- Integrated PRA (I-PRA)

- Simulation modeling (e.g., discrete event simulation)

  • Academic community has focused on tightly coupled problems; tools could be useful for more loosely coupled problems, e.g.,

- Recovery time (e.g., power, portable equipment)

- Force-on-force

- Storm preparation

Definition and Illustration

20 Why?

  • As with simulation approaches in general

- Improved realism (e.g., elimination of some intermediate modeling approximations)

- Improved insights (e.g., going beyond game over)

- Improved use of available information (what we know)

  • Phenomena
  • Operational experience

- Broader acceptance outside PRA community

  • Natural language framework for integrating multiple disciplines
  • Consistency with current directions in engineering
  • For PRA/RIDM, potential to address sources of completeness uncertainty, e.g.,

- Errors of commission

- Passive system reliability

Potential Benefits

21 General Challenges

[Figure: Developers, Analysts/Reviewers and Users, surrounded by challenges and needs: Understanding; Uncertainties; Heterogeneity and aggregation; Confidence; Other Factors (e.g., DID, safety margins); Stakeholders; Time; Resources; Biases/heuristics; Communication; Data; Bounding/screening; Guidance; Holes; Integration; Imagination; New science/engineering; Operational experience; Intended users/applications; Computational limits; Rewards]

Challenges to Reviewers

22 Fundamental Question for Reviewers

It's a probabilistic simulation, but is it a dynamic PRA?

  • Search for what can go wrong?
  • Address unlikely events (e.g., distribution tails)?
  • Treat important dependencies?

Challenges to Reviewers

23 Searching for Failures: The Red Team

  • Examples

- Procedures prevent operation in undesirable regimes => what might prompt procedural violations?

- Natural circulation, convection, and conduction will remove decay heat => what might disrupt heat transfer?

- Timely evacuation reduces exposure => how can evacuation be hindered?

  • Does the model consider such questions?

Challenges to Reviewers

24 Other Challenges

  • Data for model parameters

- Source and interpretation

- Sub-model range

  • Sub-model heterogeneity
  • Verification and validation
  • Completeness uncertainty

- Focus on risk or on what's solvable? Interesting?

- What's outside of the model?

  • Sensemaking

Challenges to Reviewers

25 Not If But When? Not Why But Why Not?

Practical applications of dynamic PRA are here and will be increasing

  • Consistent with engineering trends
  • Attractive to students and researchers (industry feedstock)
  • Supports exploration of model uncertainties, diverse views
  • Tools are available
  • Challenges are recognized and are being addressed

"It's tough to make predictions, especially about the future." - Yogi Berra

"Resistance is futile"

Looking Forward

SOME ILLUSTRATIVE EXAMPLES

27 Expanding on the why?

  • Human performance insights

- Available time for action

- Improved realism of context

- Compounding impact of actions

- Explore error forcing contexts

  • System insights

- Complex dependencies

- Success criteria

- Event sequence

  • Interface between man and machine

Illustrations

28 ADS-IDAC - UMD/UCLA

ADS-IDAC - Accident Dynamics Simulator with the Information Decision and Action in a Crew Context operator model

- Discrete Dynamic Event Tree (DDET) Simulation Method

- Model-based HRA approach

- Integrates a thermal hydraulic nuclear plant model with a control room crew human performance model

- Provides rich situational context for evaluating factors that may influence decision-making performance (e.g., identifying error forcing contexts)

Illustrations

29 IDAC Model - Controlling AFW

  • Mental model links: (1) indicators & alarms; (2) beliefs; and (3) actions.

  • Actions include control manipulations and active information gathering

Illustrations

30 HRA Empirical Study

- Base - simple SGTR with secondary radiation alarms available

- Complex - SGTR w/ MSLB and MSIV isolation (no secondary radiation alarms)

- Base - LOFW, no AFW/MF

- Complex - LOFW, no AFW/MF, but degraded condensate pump available

Illustrations

31 HRA Empirical Study

  • Crew to crew variability

[Figure: LOFW Base Scenario; SG A WR Level (%) versus time (seconds)]

Illustrations

32 HRA Empirical Study

  • Key drivers for crew-to-crew variability

- Pacing (fast crew, slow crew)

- Preferences

  • Control inputs
  • Goals and strategies

- Capabilities

  • Knowledge
  • Crew communication
  • Situational awareness

Challenges to Reviewers

33 HRA Empirical Study

- Trip reactor early (Crew M) or reduce power to troubleshoot (Crew G)

- Slower (G) or faster (M) pacing

- Faster (G) or slower (M) RCS cooldown rate

Illustrations

34 HRA Empirical Study

[Figure panels: HAMMLAB; ADS-IDAC]

Illustrations

35 Better understanding of error forcing contexts

Illustrations

36 Dynamic Performance Influencing Factors (PIFs)

[Figure: "Dynamic PIFs", built up over four panels; PIF Value versus time (seconds). Curves: Time Constraint Load; Information Load; System Criticality. Annotations: Isolate SG A; Time Available: Low PZR Level; Time Available: Low RCS Pressure; Time Available: Hi SG A Level; Info Load: Post Trip Alarm Cascade; Briefing Hold; Hi SG A & PZR Levels; High SCM & SG A Level, Lo PZR Level]

Illustrations

37 Robinson Fire (3/28/2010)

Illustrations

38 Robinson Fire (cont)

  • Several issues:

- Impact of secondary cooldown

- Impact of RCP seal leakage

- Time available to initiate RCS cooldown

Illustrations

39 Robinson Fire (cont)

  • Some insights

- Time to CD with 480 gpm RCP seal leak

- Significant time available with 21 gpm RCP seal leak

- Cooldown has limited impact

Illustrations

40 Dynamic PRA - Opportunities and Challenges

Some Advantages of Dynamic Approaches

  • Does not require traditional pinch points and other constraints
  • Flexible truncation times
  • Easier integration of non-binary information (e.g., degraded equipment)
  • No need to identify representative sequences
  • Increases focus on physical system behavior
  • Reduces reliance on intermediate assumptions (e.g., success criteria)
  • Forces explicit treatment of timing
  • Improves realism and ability to extrapolate results
  • Integrates hardware and human performance models
  • Richer context for evaluating human performance
  • Realistic plant modeling (e.g., explicit consideration of control system interaction and procedures)
  • Avoids "game over" modeling assumptions
  • End states can be readily tailored to scenarios and not limited to discrete bins
  • Recovery and mitigation actions can be explicitly modeled, including partially successful mitigation and timing variability

Illustrations

41 Dynamic PRA - Opportunities and Challenges

and some challenges

  • Developing and validating models
  • Development of physical models can be resource intensive
  • Validation/accreditation of models can be difficult, particularly for rare events
  • Obtaining a complete risk profile
  • Ensuring a complete solution space is examined
  • Choosing representative samples
  • Pruning and truncation to avoid sequence explosion
  • Aggregating, interpreting, and communicating results
  • Simulation-based approaches can produce expansive amounts of data
  • Identifying and focusing on key accident scenarios can be difficult
  • Confidence in simulation results (either overly high or low)
  • No state of practice for calculating importance measures
  • Vertical vs. horizontal slice
  • Evaluating Uncertainty
  • Applying and interpreting uncertainty can be difficult - particularly in the absence of a standard state-of-practice.
  • Ensuring efficient sampling scheme for uncertainty evaluation (e.g., identifying parameters and capturing dependencies)

Illustrations

BACKUP SLIDES

43 PSAM 14 (2018)

Title | Orgs
Case Study of Major Accident to Demonstrate the Possibility of Prediction of Conditions for Accidents | NUST*
Addressing Critical Dependencies in the Probabilistic Performance Assessments of Multi-Purpose Systems with PyCATSHOO | EDF
Mitigation Coverage Evaluation of Passive Systems Based on Causality Estimation Using Multi-Level Flow Model | RPI
EMRALD, Dynamic PRA for the Traditional Modeler | INL
Dynamic Modelling of Severe Accident Management for CANDU Reactors in Probabilistic Safety Assessment | Kinectrics
Using Microworlds to Support Dynamic Human Reliability Analysis | INL
Code Surrogate Development for Dynamic PRA Using Anisotropic Taylor Kriging Methodology | RPI
Development of an Online Operator Tool to Support Real-Time Emergency Planning Based on the Use of Dynamic Event Trees and Deep Learning | OSU
Pattern Identification of Dynamic Event Tree Scenarios with Clustering | RPI
Severe Accident Scenario Uncertainty Analysis using the Dynamic Event Tree Method | JAEA
A Method for Modeling Human Behavior as a Dynamic Process in the Context of External and Internal Hazards | GRS
Aggregation of Autocalculated Human Error Probabilities from Tasks to Human Failure Events in a Dynamic Human Reliability Analysis Implementation | INL/NTNU
Integrating Classical PRA Models Into Dynamic PRA | INL
Convergence of Varied Surrogate Models for Seismic Dynamic PRA/PSA | OSU
A Dynamic Coupled-Code Assessment of Mitigation Actions in an Interfacing System Loss of Coolant Accident | OSU/SNL
Performing an Accident Sequence Precursor Analysis with the ADS-IDAC Dynamic PSA Software Platform | UCLA
Discrete Dynamic Event Tree Uncertainty Quantification in the ADS-IDAC Dynamic PSA Software Platform | UCLA
The Backtracking Process Algorithm: A Dynamic Probabilistic Risk Assessment Method for Autonomous Vehicle Control Systems | OSU
Comparison of Dynamic Event Trees with and without a Human Reliability Interface in a PWR Station Blackout using Severe Accident Management Guidelines | OSU
Results of an IDPSA Aimed to Assess the Potential of a Thermally Induced Steam Generator Tube Rupture | GRS
Recent Analysis and Capability Enhancements to the ADAPT Dynamic Event Tree Driver | OSU/SNL

* Norwegian University of Science and Technology

44 PSA 2017

Title | Orgs
Dynamic Event Tree Generation With RAVEN-MAAP5 Using Finite State Machine System Models | OSU/EDF
Local Fusion of an Ensemble of Semi-Supervised Self Organizing Maps for Post-Processing Accidental Scenarios | Politecnico di Milano
IDPSA Approach to Assess the Potential of a Thermally Induced Steam Generator Tube Rupture | GRS
Dynamic Approach on Multi-Unit Probabilistic Risk Assessment Using Continuous Markov and Monte Carlo Method | U. Tokyo
Surrogate Model Selection in RAVEN for Seismic Dynamic PRA/PSA | OSU
Timed-Fault Tree Generation from Dynamic Flowgraph Method |
The ADS-IDAC Dynamic Platform with Dynamically Linked System Fault Trees | UCLA
Development of Integrated Site Risk Using the Multi-Unit Dynamic Probabilistic Risk Assessment (MU-DPRA) Methodology | UMD/UCLA
Dynamicizing the SPAR-H Method: A Simplified Approach to Computation-Based Human Reliability Analysis | INL/NTNU
A Dynamic Assessment of an Interfacing System Loss of Coolant Accident | OSU/SNL
Dynamic PRA of a Multi-Unit Plant | INL
Measuring Risk Importance in a Dynamic PRA Framework | INL
Dynamic PRA with Component Aging and Degradation Modeled Utilizing Plant Risk Monitoring Data | INL
Passive System Reliability Analysis Using APSRA+ Methodology and Its Application to Passive Isolation Condenser System of an Advanced Reactor | BARC
A Case Study of Simulation-Based Dynamic Analysis Approach for Modeling Plant Response to Flooding Events | INL

45 Challenges to Developers

  • Technical (many being addressed)

- Phenomenological sub-models

- Data

- V&V

- Computational resources

- Aids to support searches

- Aids to support sensemaking

  • Economic

- Demonstrating added value

- Demonstrating acceptable resource requirements

46 Challenges to Developers (cont.)

  • Socio-organizational

- Perception that dynamic PRA is necessarily complex

- Developer community mindset

  • Increased detail > increased realism
  • Importance of insights (vs. bottom line results)
  • Openness to concerns raised by skeptics

- User community mindset

  • Potential value of different approaches
  • Awareness of trends outside NPP PRA

- Targeting of development activities

  • R&D => product development
  • Increased emphasis on actual problem solving (beyond demos)
  • Role in PRA toolbox
  • What expertise is needed, how to develop and maintain