ML19162A415
| ML19162A415 | |
| Person / Time | |
|---|---|
| Issue date: | 06/13/2019 |
| From: | Nick Melly NRC/RES/DRA |
| To: | |
| T. Rivera | |
| Shared Package | |
| ML19162A411 | List: |
| References | |
| Download: ML19162A415 (228) | |
Text
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Objectives Introduce modeling and analysis methods used to generate an internal events, at-power PRA
- Initiating event identification
- Event tree and fault tree model development
- Human reliability analysis
- Data analysis
- Accident sequence quantification Present PRA model for Simple Nuclear Power Plant used to generate fire PRA model in Module 1 examples Fire PRA Workshop 2019, Rockville, MD Slide 2 Module 1: Internal Event, At-Power PRA Model for SNPP
Outline
- 1. Overview of PRA
- 2. Initiating Event Analysis
- 3. Event Tree Analysis
- 4. Fault tree Analysis
- 5. Human Reliability Analysis
- 6. Data Analysis
- 7. Accident Sequence Quantification Fire PRA Workshop 2019, Rockville, MD Slide 3 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Overview of PRA Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Overview of PRA Process PRAs are performed to find severe accident weaknesses and provide quantitative results to support decision-making Three levels of PRA have evolved:
Level An Assessment of: Result 1 Plant accident initiators and Core damage frequency systems/operators and contributors response 2 Frequency and modes of Categorization and containment failure frequencies of containment releases 3 Public health consequences Estimation of public and economic risks Fire PRA Workshop 2019, Rockville, MD Slide 5 Module 1: Internal Event, At-Power PRA Model for SNPP
Overview of Level-1/2/3 PRA Bridge Event Level-1 Tree Level-2 Level-3 Event (containment Containment Event Consequence IEs Tree systems) Tree (APET) Analysis RxTrip Consequence LOCA Source Code LOSP CD PDS Terms Calculations SGTR (MACCS) etc.
Plant Systems Severe Accident Offsite Consequence and Human Action Progression Risk Models (Fault Analyses
- Early Fatalities/year Trees and Human (Experimental and
- Latent Cancers/year Reliability Computer Code
- Population Dose/year Analyses) Results)
- Offsite Cost ($)/year
- etc.
Fire PRA Workshop 2019, Rockville, MD Slide 6 Module 1: Internal Event, At-Power PRA Model for SNPP
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 7 Module 1: Internal Event, At-Power PRA Model for SNPP
PRA Classification Internal Hazards - Risk from accidents initiated internal to the plant
- Includes internal events, internal flooding and internal fire events External Hazards - Risk from external events
- Includes seismic, external flooding, high winds and tornadoes, airplane crashes, lightning, hurricanes, etc.
At-Power - Accidents initiated while plant is critical and producing power (operating at >X%* power)
Low Power and Shutdown (LP/SD) - Accidents initiated while plant is <X%* power or shutdown
- Shutdown includes hot and cold shutdown, mid-loop operations, refueling
- X is usually plant-specific. The separation between full and low power is determined by evolutions during increases and decreases in power.
Fire PRA Workshop 2019, Rockville, MD Slide 8 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Initiating Events Analysis Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 10 Module 1: Internal Event, At-Power PRA Model for SNPP
Initiating Event Analysis
Purpose:
Understand what is an initiating event (IE), how to identify them, and group them into categories for further analysis. Identify what IEs can occur for SNPP while at-power Objectives:
- Understand the relationship between initiating event identification and other PRA elements
- Identify the types of initiating events typically considered in a PRA
- Become familiar with various ways to identify initiating events
- Become familiar with criteria for eliminating initiating events
- Understand how initiating events are grouped
References:
- NUREG/CR-2300, NUREG/CR-5750, NUREG/CR-3862, NUREG/CR-4550, Volume 1, NUREG/CR-6928 Fire PRA Workshop 2019, Rockville, MD Slide 11 Module 1: Internal Event, At-Power PRA Model for SNPP
Initiating Events Definition - Any potential occurrence that could disrupt plant operations to a degree that a reactor trip or plant shutdown is required. Initiating events are quantified in terms of their frequency of occurrence (i.e., number of events per calendar year of operation)
Can occur while reactor is at-power, low power, or shutdown
- Focus of this session is on IEs during at-power operation Can be randomly initiated in the plant or caused by internal (e.g., fire) or external (e.g., seismic) hazards
- Internal and external hazards result in the same IEs that can occur randomly Basic categories of internal IEs:
- Transients (initiated by failures in the balance of plant or nuclear steam supply)
- Loss-of-coolant accidents (LOCAs) in reactor coolant system
- Interfacing system LOCAs
- LOCA outside of containment
- Special transients (generally support system initiators)
Fire PRA Workshop 2019, Rockville, MD Slide 12 Module 1: Internal Event, At-Power PRA Model for SNPP
Role of Initiating Events in PRA Identifying initiating events is the first step in the development of accident sequences Accident sequences can be conceptually thought of as a combination of:
- An initiating event, which triggers a series of plant and/or operator responses, and
- A combination of success and/or failure of the plant system and/or operator response that result in a core damage state Initiating event identification is an iterative process that requires feedback from other PRA elements
- System analysis
- Review of plant experience and data Fire PRA Workshop 2019, Rockville, MD Slide 13 Module 1: Internal Event, At-Power PRA Model for SNPP
Initiating Event Analysis Collect information on actual plant trips Identify other abnormal occurrences that could cause a plant trip or require a shutdown Identify the plant response to these initiators, including the functions and associated systems that can be used to mitigate these events Grouping IEs into categories based on their impact on mitigating systems Quantify the frequency of each IE category (Included later in Data Analysis session)
Fire PRA Workshop 2019, Rockville, MD Slide 14 Module 1: Internal Event, At-Power PRA Model for SNPP
Methods for Identification and Grouping IEs Comprehensive Engineering Evaluation (commonly used)
- Analysis of historical events
- Comparison with other studies
- Plant-specific design data Deductive methods (master logic diagram)
- Good process when there is no history of accident initiators (e.g., an advanced reactor)
Failure Modes and Effects Analysis (FMEA)
- Formalized tabular process used to identify potential failures, determine the effect on the plant operation, and identify mitigating actions
- Primarily used to examine support system failures Fire PRA Workshop 2019, Rockville, MD Slide 15 Module 1: Internal Event, At-Power PRA Model for SNPP
Comprehensive Engineering Evaluation Review historical events (reactor trips, shutdowns, system failures)
Discrete spectrum of LOCA sizes considered based on location of breaks (e.g., in vs. out of containment, steam vs.
liquid), components (e.g., pipe vs. SORV), and available mitigation systems Review comprehensive list of possible transient initiators based on existing lists (see for example NUREG/CR-3862) and from Safety Analysis Report Review list of initiating event groups modeled in other PRAs and adapt based on plant-specific information - Typical approach for existing LWRs Feedback provided from other PRA tasks Fire PRA Workshop 2019, Rockville, MD Slide 16 Module 1: Internal Event, At-Power PRA Model for SNPP
Sources of Data for Identifying IEs Plant-specific sources:
- Licensee Event Reports
- Scram reports
- Abnormal, System Operation, and Emergency Procedures
- Plant Logs
- Safety Analysis Report (SAR)
- System descriptions Generic sources:
- NUREG/CR-4550, Volume 1
- Other PRAs Fire PRA Workshop 2019, Rockville, MD Slide 17 Module 1: Internal Event, At-Power PRA Model for SNPP
Criteria for Eliminating IEs Some IEs may not have to modeled because:
- Frequency is very low (e.g., <1E-7/ry)
ASME PRA Standard exclude ISLOCAs, containment bypass, vessel rupture from this criteria
- Frequency is low (<1E-6/ry) and at least two trains of mitigating systems are not affected by the IE
- Effect is slow, easily identified, and recoverable before plant operation is adversely affected (e.g., loss of control room HVAC)
- Effect does not cause an automatic scram or an administrative demand for shutdown (e.g., waste treatment failure)
Fire PRA Workshop 2019, Rockville, MD Slide 18 Module 1: Internal Event, At-Power PRA Model for SNPP
Initiating Event Grouping For each identified initiating event:
- Identify the safety functions required to prevent core damage and containment failure
- Identify the plant systems that can provide the required safety functions Group initiating events into categories that require the same or similar plant response This is an iterative process, closely associated with event tree construction. It ensures the following:
- All functionally distinct accident sequences will be included
- Overlapping of similar accident sequences will be prevented
- A single event tree can be used for all IEs in a category Fire PRA Workshop 2019, Rockville, MD Slide 19 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Initiating Events (PWR) from NUREG/CR-6928 Category Initiating Event Mean Frequency (per critical year)
B Loss of offsite power 4.0E-2 L Loss of condenser 0.2 P Loss of feedwater 0.1 Q General transient 0.8 F Steam generator tube rupture 4.0E-3 ATWS 8.4E-6*
G7 Large LOCA (BWR, PWR) 7.0E-6, 1.2E-6 G6 Medium LOCA (BWR, PWR) 1.0E-4, 5.0E-4 G3 Small LOCA (BWR, PWR) 5.0E-4, 6.0E-4
- From NUREG/CR-5750 Fire PRA Workshop 2019, Rockville, MD Slide 20 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Initiating Events (PWR) from NUREG/CR-6928 (Cont.)
Category Initiating Event Mean Frequency (per critical year)
G2 Stuck-open relief valve (BWR, PWR) 2.0E-2, 3.0E-3 K1 High energy line break outside 1.0E-2*
containment C1+C2 Loss of vital medium or low voltage 9.0E-3 ac bus C3 Loss of vital dc bus 1.2E-3 D Loss of instrument or control air 1.0E-2 E1 Total loss of service water, total loss 4.0E-4 of component cooling water
- From NUREG/CR-5750 Fire PRA Workshop 2019, Rockville, MD Slide 21 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP Initiating Events Initiator Average Frequency (per yr) Description
%T1 7.23E-01 Reactor Trip
%T2 9.33E-02 Loss of Condenser Vacuum
%T3 4.13E-01 Turbine trip
%T4 3.73E-02 Loss of Main Feedwater
%T5P 4.25E-02 Loss of Offsite Power (Plant-Centered)
%T5C 1.02E-02 Loss of Off-Site Power (Grid-Related)
%T5D 6.26E-03 Loss of Off-Site Power (Weather-Induced)
%T6 7.35E-03 Steamline/Feed line Break Upstream of Main Steam Isolation valves or Downstream of Feedwater Isolation Valves (Includes Stuck-Open Secondary relief valves)
%T7 5.44E-03 Steamline Break Downstream of Main Steam isolation valves (Includes Stuck-Open Secondary relief valves)
%T8 2.94E-04 Loss of 4160 V Bus 1
%T9 2.94E-04 Loss of 4160 V Bus A Fire PRA Workshop 2019, Rockville, MD Slide 22 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP Initiating Events (Cont.)
Initiator Average Frequency (per yr) Description
%T10 2.94E-04 Loss of 4160 V Bus B
%T11 2.94E-04 Loss of 4160 V Bus 2
%T12 3.00E-03 Loss of 125 VDC Bus A
%T13 3.00E-03 Loss of 125 VDC Bus B
%T15 Fault Tree Model %T15-INIT Loss of CCW System
%T16 Fault Tree Model %T16-INIT Loss of Service Water System
%T17 Fault Tree Model Loss of Instrument Air
%T17-INIT
%T21 3.41E-02 Closure of MSIV (1 SG Loop)
%T22 1.24E-02 Closure of both MSIVs
%T23 1.78E-01 Partial Load Rejection
%T24 5.79E-02 Spurious Steam Gen. Isolation Signal
%T25 7.23E-02 Reactor Trip With PORV Opening/Demand Fire PRA Workshop 2019, Rockville, MD Slide 23 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP Initiating Events (Cont.)
Initiator Average Frequency (per yr) Description
%T26 Fault Tree Model Loss of Power from120 VAC Buses A & B
%T26-INIT
%S 6.8E-03 Small LOCA (pipe breaks and RCP seal LOCA)
%M 9.60E-06 Medium LOCA (pipe breaks)
%A 7.77E-05 Large LOCA (pipe breaks)
%R 7.93E-03 Steam Generator Tube Rupture
%I1 1.000E-07 Interfacing Systems LOCA at RCS/LPI Interface (1 MOV and 1 check valve in series)
%I2 2.000E-07 Interfacing Systems LOCA at RCS/RHR Interface (2 MOVs in series)
%I3 Fault Tree Model Interfacing Systems LOCA at RCS/CCW I3QINIT interface (Reactor Coolant Pump Cooler rupture)
%VR 2.70E-07 Reactor Vessel Rupture Fire PRA Workshop 2019, Rockville, MD Slide 24 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Accident Sequence Analysis Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 26 Module 1: Internal Event, At-Power PRA Model for SNPP
Accident Sequence Analysis
Purpose:
Understand the purposes and techniques of accident sequence (event tree) analysis. Understand the concept of accident sequences and how event tree analysis is related to the identification and quantification of dominant accident sequences. Identify the accident sequences for SNPP occurring from random events while at-power.
Objectives:
- Understand purposes of event tree analysis
- Understand currently accepted techniques and notation for event tree construction
- Understand purposes and techniques of accident sequence identification
- Understand how event tree logic is used to quantify PRAs
References:
NUREG/CR-2300, NUREG/CR-2728 Fire PRA Workshop 2019, Rockville, MD Slide 27 Module 1: Internal Event, At-Power PRA Model for SNPP
Event Trees Typically used to model the response to an initiating event Features:
- Generally, one system-level event tree for each initiating event group is developed
- Identifies systems/functions required for mitigation
- Identifies operator actions required for mitigation
- Identifies event sequence progression
- End-to-end traceability of accident sequences leading to bad outcome Primary use
- Identification of accident sequences which result in some outcome of interest (usually core damage and/or containment failure)
- Basis for accident sequence quantification Fire PRA Workshop 2019, Rockville, MD Slide 28 Module 1: Internal Event, At-Power PRA Model for SNPP
Simple Event Tree Post-Reactor Emergency Emergency Accident Initiating Protection Coolant Coolant Heat Event System Pump A Pump B Removal Sequence - End State/Plant Damage State A B C D E
- 1. A
- 2. AE - plant damage
- 3. AC Success
- 4. ACE - plant damage
- 5. ACD - plant damage Failure
- 6. AB - transfer Fire PRA Workshop 2019, Rockville, MD Slide 29 Module 1: Internal Event, At-Power PRA Model for SNPP
Required Information Knowledge of accident initiators Thermal-hydraulic response during accidents Knowledge of mitigating systems (frontline and support) operation Know the dependencies between systems Identify any limitations on component operations Knowledge of procedures (system, abnormal, and emergency)
Fire PRA Workshop 2019, Rockville, MD Slide 30 Module 1: Internal Event, At-Power PRA Model for SNPP
Principal Steps in Event Tree Development Determine boundaries of analysis Define critical plant safety functions available to mitigate each initiating event Generate functional event tree (optional)
- Event tree heading - order and development
- Sequence delineation Determine systems available to perform each critical plant safety function Determine success criteria for each system for performing each critical plant safety function Generate system-level event tree
- Event tree heading - order and development
- Sequence delineation Fire PRA Workshop 2019, Rockville, MD Slide 31 Module 1: Internal Event, At-Power PRA Model for SNPP
Determining Boundaries Mission time
- Sufficient to reach stable state (generally 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)
Dependencies among safety functions and systems
- Includes shared components, support systems, operator actions, and physical processes End States (describe the condition of both the core and containment)
- Core OK
- Core vulnerable
- Core damage
- Containment OK
- Containment failed
- Containment vented Extent of operator recovery Fire PRA Workshop 2019, Rockville, MD Slide 32 Module 1: Internal Event, At-Power PRA Model for SNPP
Critical Safety Functions Example safety functions for core and containment Reactor subcriticality Reactor coolant system overpressure protection Early core heat removal Late core heat removal Containment pressure suppression Containment heat removal Containment integrity Fire PRA Workshop 2019, Rockville, MD Slide 33 Module 1: Internal Event, At-Power PRA Model for SNPP
System Success Criteria Identify systems which can perform each function Often includes if the system is automatically or manually actuated Identify minimum complement of equipment necessary to perform function (often based on thermal/hydraulic calculations, source of uncertainty)
- Calculations often realistic, rather than conservative May credit non-safety-related equipment where feasible Fire PRA Workshop 2019, Rockville, MD Slide 34 Module 1: Internal Event, At-Power PRA Model for SNPP
BWR Mitigating Systems Function Systems Reactivity Reactor Protection System, Standby Liquid Control, Control Alternate Rod Insertion RCS Safety/Relief Valves Overpressure Protection Coolant Injection High Pressure Coolant Injection, High Pressure Core Spray, Reactor Core Isolation Cooling, Low Pressure Core Spray, Low Pressure Coolant Injection (RHR)
Alternate Systems- Control Rod Drive Hydraulic System, Condensate, Service Water, Firewater Decay Heat Power Conversion System, Residual Heat Removal (RHR)
Removal modes (Shutdown Cooling, Containment Spray, Suppression Pool Cooling)
Fire PRA Workshop 2019, Rockville, MD Slide 35 Module 1: Internal Event, At-Power PRA Model for SNPP
PWR Mitigating Systems Function Systems Reactivity Control Reactor Protection System RCS Overpressure Safety valves, Pressurizer power-operated relief valves Protection (PORV)
Coolant Injection Accumulators, High Pressure Safety Injection, Chemical Volume and Control System, Low Pressure Safety Injection (LPSI), High Pressure Recirculation (may require LPSI)
Decay Heat Power Conversion System (main feedwater), Auxiliary Removal Feedwater, Residual Heat Removal (RHR), Feed and Bleed (PORV + HPSI)
Fire PRA Workshop 2019, Rockville, MD Slide 36 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Success Criteria for SNPP Short Term Long Term Reactor IE Core Core Trip Cooling Cooling PCS PCS or or Auto Rx Trip 1 of 3 AFW 1 of 3 AFW Transient or or or Man. Rx Trip 1 PORV 1 PORV
& 1 of 2 ECI & 1 of 2 ECR Auto Rx Trip Small LOCA or 1 of 2 ECI 1 of 2 ECR Man. Rx Trip Fire PRA Workshop 2019, Rockville, MD Slide 37 Module 1: Internal Event, At-Power PRA Model for SNPP
Two Basic Approaches for Event Tree Models Two methods are generally used to develop detailed event trees Event trees with boundary conditions (many event trees constructed, each with a unique set of support system BC)
- Involves analyst quantification and identification of intersystem dependencies
- Sometimes called Large-ET/Small-FT or PL&G approach Linked fault trees (event trees are the mechanism for linking the fault trees)
- Employs Boolean logic and fault tree models to pick up intersystem dependencies
- Sometimes called Small-ET/Large-FT approach, used by most of the PRA community Fire PRA Workshop 2019, Rockville, MD Slide 38 Module 1: Internal Event, At-Power PRA Model for SNPP
Event Tree with Boundary Conditions Modeling Approach
- Objective: Explicitly separate-out dependencies to facilitate quantification of sequences
- Focuses attention on context (i.e., the boundary conditions) for performance
- Requires intermediate numerical results (conditional split fractions)
- Often implemented using multiple, linked event trees
- Sometimes referred to as Large-ET approach Fire PRA Workshop 2019, Rockville, MD Slide 39 Module 1: Internal Event, At-Power PRA Model for SNPP
Linked Fault Tree Approach Automatic treatment of shared event/system dependencies
- Support system fault trees are linked into front-line and other support system fault trees One-step quantification Often use large, general-purpose fault trees Used by SPAR models and majority of utility PRAs Used in NUREG-1150 studies Fire PRA Workshop 2019, Rockville, MD Slide 40 Module 1: Internal Event, At-Power PRA Model for SNPP
System-Level Event Tree Development A system-level event tree consists of an initiating event (one per tree), followed by a number of headings (top events), and a sequence of events representing the success or failure of the top events Top events represent the systems, components, and/or human actions required to mitigate the initiating event To the extent possible, top events are ordered in the time-related sequence in which they would occur
- Selection of top events and ordering reflect emergency procedures Each node (or branch point) below a top event represents the success or failure of the respective top event
- Logic is typically binary Downward branch - failure of top event Upward branch - success of top event
- Logic can have more than two branches, with each branch representing a specific status of the top event Fire PRA Workshop 2019, Rockville, MD Slide 41 Module 1: Internal Event, At-Power PRA Model for SNPP
System-Level Event Tree Development (Cont.)
Dependencies among systems(needed to prevent core damage) are identified
- Support systems can be included as top events to account for significant dependencies (e.g., diesel generator failure in station blackout event tree)
Timing of important events (e.g., physical conditions leading to system failure) determined from thermal-hydraulic calculations Branches can be pruned logically (i.e., branch points for specific nodes removed) to remove unnecessary combinations of system success criteria requirements
- This minimizes the total number of sequences that will be generated and eliminates illogical sequences Branches can transfer to other event trees for development Each path of an event tree represents a potential scenario Each potential scenario results in either prevention of core damage or onset of core damage (or a particular end state of interest)
Fire PRA Workshop 2019, Rockville, MD Slide 42 Module 1: Internal Event, At-Power PRA Model for SNPP
System Level Event Tree Determines Sequence Logic ST LT Initiating Rx Rx Core Core Event Trip Trip Cooling Cooling SEQ # STATE LOGIC LOCA AUTO MAN ECI ECR 1 OK 2 LATE-CD /AUTO*/ECI*ECR Success 3 EARLY-CD /AUTO*ECI 4 OK 5 LATE-CD AUTO*/MAN*/ECI*ECR Failure 6 EARLY-CD AUTO*/MAN*ECI 7 ATWS AUTO*MAN Fire PRA Workshop 2019, Rockville, MD Slide 43 Module 1: Internal Event, At-Power PRA Model for SNPP
Sequence Logic Used to Combine System Fault Trees into Accident Sequence Models System fault trees (or cutsets) are combined, using Boolean algebra, to generate core damage accident sequence models
- CD seq. #5 = LOCA
- AUTO * /MAN * /ECI
- ECR Sequence
- 5 Transfers to Fault Tree Logic LOCA AUTO /MAN /ECI ECR IE Fire PRA Workshop 2019, Rockville, MD Slide 44 Module 1: Internal Event, At-Power PRA Model for SNPP
Sequence Cutsets Generated from Sequence Logic Sequence cutsets generated by combining system fault trees (or cutsets) comprised by sequence logic
- Cutsets can be generated from sequence #5 Fault Tree Sequence #5 cutsets = (LOCA) * (AUTO cutsets) * (/MAN cutsets)
- (/ECI cutsets) * ( ECR cutsets)
Or, to simplify the calculation (via delete term)
- Sequence #5 cutsets (LOCA) * (AUTO cutsets) * (ECR cutsets) - any cutsets that contain MAN + ECI cutsets are deleted Fire PRA Workshop 2019, Rockville, MD Slide 45 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP Transient Event Tree Fire PRA Workshop 2019, Rockville, MD Slide 46 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Systems Analysis Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 48 Module 1: Internal Event, At-Power PRA Model for SNPP
Systems (Fault Tree) Analysis
Purpose:
Understand purposes and techniques of fault tree analysis. Understand how the appropriate level of detail for a fault tree analysis is established. Understand the terminology, notation, and symbology employed in fault tree analysis. In addition, a discussion of applicable component failure modes relative to the postulation of fault events will be presented.
Objectives:
- Provide a working knowledge of terminology, notation, and symbology of fault tree analysis
- Demonstrate the method of fault tree analysis
- Demonstrate the purposes and methods of fault tree reduction
References:
- NUREG-0492, Fault Tree Handbook
- NUREG/CR-2300, PRA Procedures Guide
- NUREG-1489, NRC Uses of PRA Fire PRA Workshop 2019, Rockville, MD Slide 49 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Tree Analysis Definition An analytical technique, whereby an undesired state of the system is specified (usually a state that is critical from a safety standpoint), and the system is then analyzed in the context of its environment and operation to find all credible ways in which the undesired event can occur.
NUREG-0492 Fire PRA Workshop 2019, Rockville, MD Slide 50 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Trees Deductive analysis (event trees are inductive)
Starts with undesired event definition Used to estimate system failure probability Explicitly models multiple failures Identify ways in which a system can fail Models can be used to find:
- System weaknesses
- System failure probability
- Interrelationships between fault events Fire PRA Workshop 2019, Rockville, MD Slide 51 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Trees (Cont.)
Fault trees are graphic models depicting the various fault paths that will result in the occurrence of an undesired (top) event Fault tree development moves from the top event to the basic events (or faults) which can cause it Fault tree use gates to develop the fault logic in the tree Different types of gates are used to show the relationship of the input events to the higher output event Fault tree analysis requires thorough knowledge of how the system operates and is maintained Fire PRA Workshop 2019, Rockville, MD Slide 52 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Tree Development Process Event Tree Develop and Update Analysis Notebook 2
Heading Define Define Develop Perform Top Fault Analysis Primary System Fault Tree Tree Event Assumptions 1 & Interfaces 3 Construction 5
& Constraints 4 Fire PRA Workshop 2019, Rockville, MD Slide 53 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Tree Symbols Symbol Description Logic gate providing a representation OR Gate of the Boolean union of input events.
The output will occur if at least one of the inputs occur.
Logic gate providing a representation of the Boolean intersection of input AND Gate events. The output will occur if all of the inputs occur.
A basic component fault which Basic Event requires no further development.
Consistent with level of resolution in databases of component faults.
Fire PRA Workshop 2019, Rockville, MD Slide 54 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Tree Symbols (Cont.)
Symbol Description A fault event whose development Undeveloped is limited due to insufficient Event consequence or lack of additional detailed information A transfer symbol to connect Transfer Gate various portions of the fault tree A fault event for which a detailed Undeveloped development is provided as a separate Transfer Event fault tree and a numerical value is derived Used as a trigger event for logic House Event structure changes within the fault tree.
Used to impose boundary conditions on FT. Used to model changes in plant system status.
Fire PRA Workshop 2019, Rockville, MD Slide 55 Module 1: Internal Event, At-Power PRA Model for SNPP
Event and Gate Naming Scheme A consistent use of an event naming scheme is required to obtain correct results Example naming scheme: XXX-YYY-ZZ-AAAA Where:
- XXX is the system identifier (e.g., HPI)
- YYY is the event and component type (e.g., MOV)
- ZZ is the failure mode identifier (e.g., FS)
- AAAA is a plant component descriptor A gate naming scheme should also be developed and utilized - XXXaaa
- XXX is the system identifier (e.g., HPI)
- aaa is the gate number Fire PRA Workshop 2019, Rockville, MD Slide 56 Module 1: Internal Event, At-Power PRA Model for SNPP
Specific Failure Modes Modeled for Each Component Each component associated with a specific set of failure modes/mechanisms determined by:
- Type of component E.g., Motor-driven pump, air-operated valve
- Normal/Standby state Normally not running (standby), normally open
- Failed/Safe state Failed if not running, or success requires valve to stay open Fire PRA Workshop 2019, Rockville, MD Slide 57 Module 1: Internal Event, At-Power PRA Model for SNPP
Typical Component Failure Modes Active Components
- Fail to Start
- Fail to Run
- Fail to Open/Close/Operate
- Unavailability Test or Maintenance Outage Fire PRA Workshop 2019, Rockville, MD Slide 58 Module 1: Internal Event, At-Power PRA Model for SNPP
Typical Component Failure Modes (Cont.)
Passive Components (Not always modeled in PRAs)
- Rupture
- Plugging (e.g., strainers/orifice)
- Fail to Remain Open/Closed (e.g., manual valve)
- Short (cables)
Fire PRA Workshop 2019, Rockville, MD Slide 59 Module 1: Internal Event, At-Power PRA Model for SNPP
Component Boundaries Typically include all items unique to a specific component, e.g.,
- Drivers for EDGs, MDPs, MOVs, AOVs, etc.
- Circuit breakers for pump/valve motors
- Need to be consistent with how data was collected That is, should individual piece parts be modeled explicitly or implicitly For example, actuation circuits (FTS) or room cooling (FTR)
Fire PRA Workshop 2019, Rockville, MD Slide 60 Module 1: Internal Event, At-Power PRA Model for SNPP
Active Components Require Support Signal needed to actuate component
- Safety Injection Signal starts pump or opens valve
- Operator action may be needed to actuate Support systems might be required for component to function
- Service water or component water cooling
- Room cooling Fire PRA Workshop 2019, Rockville, MD Slide 61 Module 1: Internal Event, At-Power PRA Model for SNPP
Definition of Dependent Failures Three general types of dependent failures:
- Certain initiating events (e.g., fires, floods, earthquakes, service water loss) cause failure of multiple components
- Intersystem dependencies including:
Functional dependencies (e.g., dependence on AC power)
Shared-equipment dependencies (e.g., HPCI and RCIC share common suction valve from CST)
Human interaction dependencies (e.g., maintenance error that disables separate systems, such as leaving a manual valve closed in the common suction header from the RWST to multiple ECCS system trains)
- Inter-component dependencies (e.g., design defect exists in multiple similar valves)
The first two types are captured by event tree and fault tree modeling; the third type is known as common cause failure (i.e., the residual dependencies not explicitly modeled) and is treated parametrically Fire PRA Workshop 2019, Rockville, MD Slide 62 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Failures (CCFs)
Conditions which may result in failure of more than one component, subsystem, or system Concerns:
- Defeats redundancy and/or diversity
- Data suggest high probability of occurrence relative to multiple independent failures Fire PRA Workshop 2019, Rockville, MD Slide 63 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Failure Mechanisms Environment
- Radioactivity
- Temperature
- Corrosive environment Design deficiency Manufacturing error Test or Maintenance error Operational error Fire PRA Workshop 2019, Rockville, MD Slide 64 Module 1: Internal Event, At-Power PRA Model for SNPP
Two Common Fault Tree Construction Approaches Sink to Source
- Start with system output (i.e., system sink)
- Modularize system into a set of pipe segments (i.e., group of components in series)
- Follow reverse flow-path of system developing fault tree model as the system is traced Block diagram-based
- Modularize system into a set of subsystem blocks
- Develop high-level fault tree logic based on subsystem block logic (i.e., blocks configured in series or parallel)
- Expand logic for each block Fire PRA Workshop 2019, Rockville, MD Slide 65 Module 1: Internal Event, At-Power PRA Model for SNPP
Example - ECI MV1 CV1 PA T1 V1 MV2 PS-A Water CV2 Source PB MV3 PS-B Success Criteria: Flow from any one pump through any one MV T_ tank V_ manual valve, normally open PS-_ pipe segment P_ pump CV_ check valve MV_ motor-operated valve, normally closed Fire PRA Workshop 2019, Rockville, MD Slide 66 Module 1: Internal Event, At-Power PRA Model for SNPP
ECI System Fault Tree -
Sink to Source Method (Page 1)
ECI fails to deliver
> 1 pump flow ECI-TOP No flow out of MV1 No flow out of MV2 No flow out of MV3 G-MV1 G-MV2 G-MV3 No flow out of pump No flow out of pump MV1 fails closed segments MV2 fails closed segments MV1 G- MV2 G-PUMPS (page 1) PUMPS No flow out of PS-A No flow out of PS-B MV3 fails closed No flow out of pump segments G-PSA G-PSB MV3 G-PUMPS (page 2) (not shown) (page 1)
Fire PRA Workshop 2019, Rockville, MD Slide 67 Module 1: Internal Event, At-Power PRA Model for SNPP
ECI System Fault Tree -
Sink to Source Method (Page 2)
No flow out page 1 of PS-A G-PSA PS-A fails No flow out of V1 G-PSA-F G-V1 CV1 fails closed PA fails V1 fails closed T1 fails CV1 PA V1 T1 Fire PRA Workshop 2019, Rockville, MD Slide 68 Module 1: Internal Event, At-Power PRA Model for SNPP
ECI System Fault Tree -
Sink to Source Method (Page 3)
PA fails PA unavail PA FTS PA FTR ECI Pump CCF T or M CCW-A fails EP-A fails Act-A fails (Not Shown) (Not Shown) (Not Shown)
Fire PRA Workshop 2019, Rockville, MD Slide 69 Module 1: Internal Event, At-Power PRA Model for SNPP
ECI System Fault Tree - Block Diagram Method ECI fails to deliver
> 1 pump flow Injection lines fail Pump segments fail Suction lines fail MV1 fails closed MV2 fails closed PS-B fails PS-A fails V1 fails closed MV3 fails closed T1 fails Fire PRA Workshop 2019, Rockville, MD Slide 70 Module 1: Internal Event, At-Power PRA Model for SNPP
Boolean Fault Tree Reduction Express fault tree logic as Boolean equation Apply rules of Boolean algebra to reduce terms Results in reduced form of Boolean equation Fire PRA Workshop 2019, Rockville, MD Slide 71 Module 1: Internal Event, At-Power PRA Model for SNPP
Rules of Boolean Algebra Fire PRA Workshop 2019, Rockville, MD Slide 72 Module 1: Internal Event, At-Power PRA Model for SNPP
Minimal Cutset A group of basic event failures (component failures and/or human errors) that are collectively necessary and sufficient to cause the TOP event to occur.
Fire PRA Workshop 2019, Rockville, MD Slide 73 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP System Fault Trees See separate Internal Events Fault Tree Model handout Fire PRA Workshop 2019, Rockville, MD Slide 74 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Human Reliability Analysis Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 76 Module 1: Internal Event, At-Power PRA Model for SNPP
Human Reliability Analysis
Purpose:
This session will provide a generalized, high-level introduction to the topic of human reliability and human reliability analysis in the context of PRA. Human failure events in the SNPP PRA are identified.
Objectives: Provide students with an understanding of:
- The goals of HRA and important concepts and issues
- Types of human errors
- The basic steps of the HRA process in the context of PRA Fire PRA Workshop 2019, Rockville, MD Slide 77 Module 1: Internal Event, At-Power PRA Model for SNPP
HRA Purpose Why Develop a HRA?
- PRA reflects the as-built, as-operated plant HRA models the as-operated portion Definition of HRA
- A structured approach used to identify potential human failure events (HFEs) and to systematically estimate the probability of those errors using data, models, or expert judgment HRA Produces
- Qualitative evaluation of the factors impacting human errors and successes
- Human error probabilities (HEPs)
Fire PRA Workshop 2019, Rockville, MD Slide 78 Module 1: Internal Event, At-Power PRA Model for SNPP
Modeling of Human Actions Human Reliability Analysis provides a structured modeling process HRA process steps:
- Identification and Definition Human interaction identified, then defined for use in the PRA as a Human Failure Event (HFE)
Includes HFE categorization as to the type of action
- Qualitative analysis of context and performance shaping factors
- Quantification of Human Error Probability (HEP)
- Dependency
- Documentation Fire PRA Workshop 2019, Rockville, MD Slide 79 Module 1: Internal Event, At-Power PRA Model for SNPP
Categories Of Human Failure Events in PRA Operator actions can occur throughout the accident sequence
- Pre-initiator errors (latent errors, unrevealed) occur before the initiating event.
May occur in or out of the main control room Failure to restore from test/maintenance Miscalibration Often captured in equipment failure data For HRA the focus is on equipment being left unavailable or not working exactly right.
- Operator actions contribute or cause initiating events Usually implicitly included in the data used to quantify initiating event frequencies.
Fire PRA Workshop 2019, Rockville, MD Slide 80 Module 1: Internal Event, At-Power PRA Model for SNPP
Categories Of Human Failure Events in PRA (Cont.)
- Post-initiator errors occur after reactor trip. Examples:
Operation of components that have failed to operate automatically, or require manual operation.
Event Tree top event operator actions modeled in the event trees (e.g., failure to depressurize the RCS in accordance with the EOPs)
Recovery actions for hardware failures (example - aligning an alternate cooling system, subject to available time)
Recovery actions following crew failures (example - providing cooling late after an earlier operator action failed)
Operation of components from the control room or locally.
Fire PRA Workshop 2019, Rockville, MD Slide 81 Module 1: Internal Event, At-Power PRA Model for SNPP
Categorization and Definition of Human Failure Events in PRA (Cont.)
Additional category, error of commission or aggravating errors of commission, typically out of scope of most PRA models.
- Makes the plant response worse than not taking an action at all Within each operator action, there are generally, two types of error:
- Diagnostic error (cognition) - Failure of detection, diagnosis, or decision-making
- Execution error (manipulation) - Failure to accomplish the critical steps, once they have been decided, typically due to the following error modes.
Errors of omission (EOO, or Skip) - Failure to perform a required action or step (e.g., failure to monitor tank level)
Errors of commission (EOC, or Slip) - Action performed incorrectly or wrong action performed (e.g., opened the wrong valve, or turned the wrong switch)
Fire PRA Workshop 2019, Rockville, MD Slide 82 Module 1: Internal Event, At-Power PRA Model for SNPP
Human Reliability Analysis is the Combination of Three Basic Steps Identification and Qualitative Quantification Definition taxonomies context from event trees Context from event trees and data availability error producing conditions fault trees databases cognitive error generic error models simulation errors of commission performance shaping factors empirical approaches From about 1980 on, some 38 different HRA methods have been developed - almost all centered on quantification.
There is no universally accepted HRA method (to date).
The context of the operator action comes directly from the event trees and fault trees although some techniques have recently ventured beyond.
Fire PRA Workshop 2019, Rockville, MD Slide 83 Module 1: Internal Event, At-Power PRA Model for SNPP
Dependencies Dependency refers to the extent to which failure or success of one action will influence the failure or success of a subsequent action.
- 1. Human interaction depends on the accident scenario, including the type of initiating event
- 2. Dependencies between multiple human actions modeled within the accident scenario,
- 3. Human interactions performed during testing or maintenance can defeat system redundancy,
- 4. Multiple human interactions modeled as a single human interaction may involve significant dependencies. (from SHARP1)
Fire PRA Workshop 2019, Rockville, MD Slide 84 Module 1: Internal Event, At-Power PRA Model for SNPP
Levels of Precision Conservative (screening) level useful for determining which human errors are the most significant contributors to overall system error Those found to be potentially significant contributors can be profitably analyzed in greater detail (which often lowers the HEP)
Fire PRA Workshop 2019, Rockville, MD Slide 85 Module 1: Internal Event, At-Power PRA Model for SNPP
HRA Methods Attempt to reflect the following characteristics:
- Plant behavior and conditions
- Timing of events and the occurrence of human action cues
- Parameter indications used by the operators and changes in those parameters as the scenario proceeds
- Time available and locations necessary to implement the human actions
- Equipment available for use by the operators based on the sequence
- Environmental conditions under which the decision to act must be made and the actual response must be performed
- Degree of training, guidance, and procedure applicability Fire PRA Workshop 2019, Rockville, MD Slide 86 Module 1: Internal Event, At-Power PRA Model for SNPP
Common HRA Methodologies in the USA Technique for Human Error Rate Prediction (THERP)
Accident Sequence Evaluation Program (ASEP) HRA Procedure Cause-Based Decision Tree (CBDT) Method Human Cognitive Reliability (HCR)/Operator Reliability Experiments (ORE) Method Standardized Plant Analysis Risk HRA (SPAR-H) Method A Technique for Human Event Analysis (ATHEANA)
Fire PRA Workshop 2019, Rockville, MD Slide 87 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Human Failure Events in SNPP PRA Event Name Event Description OPER-1 Operator fails to switch HPI over to recirculation OPER-4 Operator fails to establish feed and bleed cooling OPER-7 Operator fails to trip reactor coolant pump Fire PRA Workshop 2019, Rockville, MD Slide 88 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Data Analysis Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 90 Module 1: Internal Event, At-Power PRA Model for SNPP
Data Analysis
Purpose:
Introduce sources of initiating event data and hardware data and equipment failure modes, including common cause failure, that are modeled in PRAs.
Objectives: Students will be able to:
- Understand parameters typically modeled in PRA
- Understand what is meant by the terms:
Generic data Plant-specific data Bayesian updating
- Identify sources of generic and plant-specific data
- Discuss how plant-specific information is parsed to generate plant-specific data values
- Describe approaches to quantify common-cause failures and how they are included in PRA Fire PRA Workshop 2019, Rockville, MD Slide 91 Module 1: Internal Event, At-Power PRA Model for SNPP
References NUREG/CR-6823 PRA Data Handbook NUREG/CR-5750 IE Frequency Data NUREG/CR-5500 Reliability Study (multiple systems)
NUREG/CR-6928 IE and Component Data NUREG/CR-2300 PRA Procedures Guide NUREG-1489 (App. C) NRC Use of PRA NUREG/CR-5485, Guidelines on modeling Common-Cause failures in PRA NUREG/CR-5497, Common-Cause Failure Parameter Estimations NUREG/CR-6268, Common-Cause Failure Database and Analysis System: Event Definition and Classification N. Siu and D. Kelly, Bayesian Parameter Estimation in PRA, tutorial paper in Reliability Engineering and System Safety 62 (1998)89-116 Martz and Waller, Bayesian Reliability Analysis Fire PRA Workshop 2019, Rockville, MD Slide 92 Module 1: Internal Event, At-Power PRA Model for SNPP
PRA Parameters Initiating Event Frequencies Basic Event Probabilities
- Hardware Component reliability (fail to start/run/operate/etc.)
Component unavailability (due to test or maintenance)
- Common Cause Failures
- Human Errors (discussed in previous session)
Fire PRA Workshop 2019, Rockville, MD Slide 93 Module 1: Internal Event, At-Power PRA Model for SNPP
Categories of Data Two basic categories of data: Plant-specific and generic Some guidance on the use of each category:
- Not feasible or necessary to collect plant-specific data for all components in a PRA (extremely reliable components may have no failures)
- Some generic data sources are non-conservative (e.g., LERS do not report all failures)
- Inclusion of plant-specific data lends credibility to the PRA
- Inclusion of plant-specific data allows comparison of plant equipment performance to industry averages Should use plant-specific data whenever possible, as dictated by the availability of relevant information Fire PRA Workshop 2019, Rockville, MD Slide 94 Module 1: Internal Event, At-Power PRA Model for SNPP
Data Sources for Parameter Estimation Generic data Plant-specific data Bayesian updated data
- Prior distribution
- Updated estimate Fire PRA Workshop 2019, Rockville, MD Slide 95 Module 1: Internal Event, At-Power PRA Model for SNPP
Generic Data Sources NUREG-1150 supporting documents (NUREG/CR-4550 series, pre-1987)
WASH-1400 (pre-1975)
IEEE Standard 500 (1990)
NUREG/CR-3862 for initiating events (pre-1986)
NUREG/CR-5750 for initiating events (1987-1995)
NUREG/CR-5500 for system reliability (1984-1998)
NUREG/CR-6928 for components and initiating events (1998-2002)
NUREG-1032 for loss of offsite power(pre-1988)
NUREG-5496 loss of offsite power (1980-1996)
SECY 04-0060 Loss-of-Coolant Accident Break Frequencies for the Option III Risk-Informed Reevaluation of 10 CFR 50.46, Appendix K to 10 CFR Part 50, and General Design Criteria (GDC) 35 (April 2004)
NUREG-1829 Estimating Loss-of-Coolant Accident (LOCA) Frequencies Through the Elicitation Process (June 2005)
Institute of Nuclear Power Operations Nuclear Plant Reliability Data System (NPRDS) - archival only (no longer maintained)
Institute of Nuclear Power Operations Equipment Performance Information Exchange (EPIX) - replaced NPRDS Fire PRA Workshop 2019, Rockville, MD Slide 96 Module 1: Internal Event, At-Power PRA Model for SNPP
Generic Data Issues Key issue is whether data is applicable for the specific plant being analyzed
- Most generic component data is mid-1980s or earlier vintage
- Some IE frequencies known to have decreased over the last decade Frequencies updated in NUREG/CRs 5750 and 5496
- Criteria for judging data applicability not well defined (do not forget important engineering considerations that could affect data applicability)
- ASME PRA Standard requirements Fire PRA Workshop 2019, Rockville, MD Slide 97 Module 1: Internal Event, At-Power PRA Model for SNPP
Plant-Specific Data Sources Licensee Event Reports (LERs)
- Can also be source of generic data Post-trip SCRAM analysis reports Maintenance reports and work orders System engineer files Control room logs Monthly operating status reports Test surveillance procedures Fire PRA Workshop 2019, Rockville, MD Slide 98 Module 1: Internal Event, At-Power PRA Model for SNPP
Plant-Specific IE and Component Data Collection and Analysis Gather data to obtain raw information needed for estimating event parameters
- Determine period of time for obtaining plant data Entire plant history can be used minus first year of operation Most recent data should be used to represent current maintenance practices and component performance Five to seven years of data is desirable
- Collect plant information from plant records and documents listed on previously
- Sort data by IE category; component, failure mode, and severity Plant changes can affect the categorization of a scram event
- Pool data from several like components in same system
- Screen data Events that can no longer occur due to plant change can be eliminated
- Obtain exposure estimates
- Interpret the information to obtain variables of interest (e.g., failures, demands, operating hours)
- Estimate parameter values from data
- Scram data can be used to estimate some conditional event probabilities (e.g., relief valve sticking open)
Fire PRA Workshop 2019, Rockville, MD Slide 99 Module 1: Internal Event, At-Power PRA Model for SNPP
Component Failure Severity Classification Raw data is classified by severity of the component failure Example severity classes:
- Catastrophic - Component would have failed to perform its function
- Degraded - Component degraded to point where it can not meet required success criteria and was taken out of operation for repair
- Incipient - Component degraded, but could still function and was taken out of operation for repair The class of failure severity determines if raw data is used in calculating a specific data parameter
- Catastrophic and degraded failures are used in calculating failure rates and probabilities, and maintenance outage unavailabilities
- Incipient failures are used to calculate maintenance outage unavailabilities Fire PRA Workshop 2019, Rockville, MD Slide 100 Module 1: Internal Event, At-Power PRA Model for SNPP
Component Exposure Estimates Exposures refers to the amount of component operating time (failure rates) and the number of demands (failure probabilities)
Sources of component exposure include:
- Tests - Tech Specs, procedures, test records used to estimate frequency and duration of tests
- Actuations - Actual equipment usage
- Failure-related actuations - Operability test after maintenance event (ASME Standard says not to include this)
- Interface-related actuations - Increased test frequency per Tech Spec (e.g., DGs) and closure of valves to isolate failed components
- Operation time meter Fire PRA Workshop 2019, Rockville, MD Slide 101 Module 1: Internal Event, At-Power PRA Model for SNPP
Plant-Specific Data Issues Combining data from different sources can result in:
- Double counting of the same failure events
- Inconsistent component boundaries
- Inconsistent definition of failure Plant-specific data is typically very limited
- Small statistical sample size Inaccuracy and non-uniformity of reporting
- LER reporting rule changes Difficulty in interpreting raw failure data
- Administratively declared inoperable, does not necessarily equate to a PRA failure Fire PRA Workshop 2019, Rockville, MD Slide 102 Module 1: Internal Event, At-Power PRA Model for SNPP
Bayesian Methods Employed to Generate Uncertainty Distributions Two motivations for using Bayesian techniques
- Generate probability distributions (classical methods generally only produce uncertainty intervals, not pdfs)
- Compensate for sparse data (e.g., no failures)
In effect, Bayesian techniques combine an initial estimate (prior) with plant-specific data (likelihood function) to produce a final estimate (posterior)
However, Bayesian techniques rely on (and incorporate) subjective judgement
- Different options for choice of prior distribution (i.e., the starting point in a Bayesian calculation)
Fire PRA Workshop 2019, Rockville, MD Slide 103 Module 1: Internal Event, At-Power PRA Model for SNPP
Bayes Theorem is Basis for Bayesian Updating of Data Typical use: Sparse plant-specific data combined with generic data using Bayes Theorem:
L( E ) 0 ( )
1 ( E ) =
L( E ) ( ) d 0
Where:
- () is prior distribution (generic data)
- L(El) is likelihood function (plant-specific data)
- 1(l) is posterior distribution (updated estimate)
Fire PRA Workshop 2019, Rockville, MD Slide 104 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Failures (CCFs)
Conditions which may Common Cause result in failure of more Failure Mechanisms than one component, subsystem, or system Environment Common cause failures - Radioactivity are important since they: - Temperature
- Defeats redundancy and/or - Corrosive environment diversity Design deficiency
- Data suggest high Manufacturing error probability of occurrence relative to multiple Test or Maintenance error independent failures Operational error Fire PRA Workshop 2019, Rockville, MD Slide 105 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Modeling in PRA Three parametric models used
- Beta factor (original CCF model)
Number of common cause failures
=
Total number of failures
- Multiple Greek Letter (MGL) model
( = 2 failures, = 3 failures, = 4 failures)
- Alpha factor model (addressed uncertainty concerns in MGL) k conditional probability that a failure event involves k components failing due to a shared cause, given a failure event Apply to cutsets containing same failure mode for sample component type
- Diesel generators
- Pump
- Batteries Fire PRA Workshop 2019, Rockville, MD Slide 106 Module 1: Internal Event, At-Power PRA Model for SNPP
Beta Factor Example High pressure pumps
- = 10 CCF ÷ 47 total failures 2.1E-1
- Motor-driven pump fail to start = 3.0E-3 per demand Cutset: HPI-MDP-FS-A
- HPI-MDP-FS-B
- Independent failure 3E-3
- CCF = 3E-3 * = 6E-4 Fire PRA Workshop 2019, Rockville, MD Slide 107 Module 1: Internal Event, At-Power PRA Model for SNPP
Limitations of CCF Modeling Limited data, hence generic data often used
- Applicability issue for specific plant Screening values may be used
- Potential to skew the results Not typically modeled across systems since data is collected/analyzed for individual systems Not typically modeled for drivers components (e.g., motor-driven pump/turbine-driven pump)
Causes not explicitly modeled (i.e., each failure mechanism not explicitly modeled)
Fire PRA Workshop 2019, Rockville, MD Slide 108 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Accident Sequence Quantification Nicholas Melly - Nuclear Regulatory Commission Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD U.S. NRC HQ
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 110 Module 1: Internal Event, At-Power PRA Model for SNPP
Purpose and Objectives Purpose
- Present process for accident sequence quantification Objectives
- Become familiar with the:
Process of generating and quantifying cutsets Adding recovery factors Elimination of illegal cutsets
References:
NUREG/CR-2300 and NUREG/CR-2728 Fire PRA Workshop 2019, Rockville, MD Slide 111 Module 1: Internal Event, At-Power PRA Model for SNPP
Prerequisites for Generating and Quantifying Accident Sequence Cutsets Initiating events and frequencies Event trees to define accident sequences Fault trees and Boolean expressions for all systems (front line and support)
Data (component failures and human errors)
Fire PRA Workshop 2019, Rockville, MD Slide 112 Module 1: Internal Event, At-Power PRA Model for SNPP
Accident Sequence Quantification (Fault-Tree Linking Approach)
Link fault tree models on a sequence level using event trees (i.e., generate sequence logic)
Generate minimal cutsets (Boolean reduction) for each sequence Quantify sequence minimal cutsets with data Eliminate inappropriate cutsets, add operator recovery actions, and requantify Determine dominant accident sequences Perform sensitivity, importance, and uncertainty analysis Fire PRA Workshop 2019, Rockville, MD Slide 113 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Event Tree T A-FAIL B-FAIL C-FAIL #
END-STATE-NAMES 1 OK 2 OK 3 CD 4 CD ET-EXAMPLE - 2005/10/03 Page 3 Fire PRA Workshop 2019, Rockville, MD Slide 114 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Fault Trees System A System B Fails Fails A-FAIL B-FAIL Valve Y Pump 1 Fails Valve X Fails Fails 5.000E-3 1.000E-3 5.000E-3 VALVE-Y PUMP-1 VALVE-X Fire PRA Workshop 2019, Rockville, MD Slide 115 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Fault Trees (Concluded)
System C Fails C-FAIL Pump 1 Fails Valve Y Fails Pump 2 Fails 1.000E-3 5.000E-3 1.000E-3 PUMP-1 VALVE-Y PUMP-2 Fire PRA Workshop 2019, Rockville, MD Slide 116 Module 1: Internal Event, At-Power PRA Model for SNPP
Generating Sequence Logic Fault trees are linked using sequence logic from event trees From the example event tree two sequences are generated:
- Sequence # 3: T * /A-FAIL
- B-FAIL
- C-FAIL
- Sequence #4: T
- A-FAIL Fire PRA Workshop 2019, Rockville, MD Slide 117 Module 1: Internal Event, At-Power PRA Model for SNPP
Generate Minimal Cutsets for Each Sequence A cutset is a combination of events that cause the sequence to occur A minimal cutset is the smallest combination of events that causes to sequence to occur Cutsets are generated by ANDing together the failed top event fault trees, and then, if necessary, eliminating (i.e.,
deleting) those cutsets that contain failures that would prevent successful (i.e., complemented) top events from occurring. This process of elimination is called Delete Term Each cutset represents a failure scenario that must be ORed together with all other cutsets for the sequence when calculating the total frequency of the sequence Fire PRA Workshop 2019, Rockville, MD Slide 118 Module 1: Internal Event, At-Power PRA Model for SNPP
Sequence Cutset Generation Example Sequence #3 logic is T * /A-FAIL
- B-FAIL
- C-FAIL ANDing failed top events yields B-FAIL
- C-FAIL = (PUMP-1 + VALVE-X) * (PUMP-1
- VALVE-Y
- PUMP-2)
= (PUMP-1
- PUMP-1
- VALVE-Y
- PUMP-2) + (VALVE-X
- PUMP-1
- VALVE-Y
- PUMP-2)
= (PUMP-1
- VALVE-Y
- PUMP-2) +
(VALVE-X
- PUMP-1
- VALVE-Y
- PUMP-2)
= PUMP-1
- VALVE-Y
- PUMP-2 Using Delete Term to remove cutsets with events that would fail top event A-FAILS (i.e., VALVE-Y) results in the elimination of all cutsets Sequence #4 logic is T
- A-FAIL, resulting in the cutset T *VALVE-Y Fire PRA Workshop 2019, Rockville, MD Slide 119 Module 1: Internal Event, At-Power PRA Model for SNPP
Eliminating Inappropriate Cutsets When solving fault trees to generate sequence cutsets, it is likely that inappropriate cutsets will be generated Inappropriate cutsets are those containing invalid combinations of events. An example would be:
- SYS-A-TRAIN-1-TEST
- SYS-A-TRAIN-2-TEST .
Typically eliminated by searching for combinations of invalid events and then deleting the cutsets containing those combinations Fire PRA Workshop 2019, Rockville, MD Slide 120 Module 1: Internal Event, At-Power PRA Model for SNPP
Adding Recovery Actions to Cutsets Cutsets are examined to determine whether the function associated with a failed event can be restored; thus recovering from the loss of function If the function associated with an event can be restored, then a Recovery Action is ANDed to the cutset to represent this restoration The probability assigned to the Recovery Action will be the probability that the operators fail to perform the action or actions necessary to restore the lost function Probabilities are derived either from data (e.g., recovery of off-site power) or from human reliability analysis (e.g., manually opening an alternate flow path given the primary flow path is failed)
Fire PRA Workshop 2019, Rockville, MD Slide 121 Module 1: Internal Event, At-Power PRA Model for SNPP
SNPP Integrated PRA Model See separate Internal Events Fault Tree Model handout Fire PRA Workshop 2019, Rockville, MD Slide 122 Module 1: Internal Event, At-Power PRA Model for SNPP
Additional Slides Fire PRA Workshop 2019, Rockville, MD Slide 123 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Overview of PRA Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
What is Risk?
Arises from a Danger or Hazard Always associated with undesired event Involves both:
- Likelihood of undesired event
- Severity (magnitude) of the consequences Fire PRA Workshop 2019, Rockville, MD Slide 125 Module 1: Internal Event, At-Power PRA Model for SNPP
Risk Definition Risk - The frequency with which a given consequence occurs Risk [ Consequence Magnitude Unit of Time ]=
Frequency [ UnitEvents of Time ]
x Consequences [ Event ]
Magnitude Fire PRA Workshop 2019, Rockville, MD Slide 126 Module 1: Internal Event, At-Power PRA Model for SNPP
Risk Example: Death Due to Accidents Societal Risk = 93,000 accidental-deaths/year in 1991 (based on Center for Disease Control actuarial data)
Average Individual Risk
= (93,000 Deaths/Year)/250,000,000 Total U.S. Population
= 3.7E-04 Deaths/Person-Year 1/2700 Deaths/Person-Year In any given year, approximately 1 out of More people ages 1-44 die from injuries than from any other cause, including every 2,700 people in the entire U.S. cancer, HIV, or the flu.
population will suffer an accidental death Note: www.cdc.gov latest data (2009) 38.4 unintentional deaths per 100,000, thus average individual risk 3.8E-04 Deaths/Person-Year Fire PRA Workshop 2019, Rockville, MD Slide 127 Module 1: Internal Event, At-Power PRA Model for SNPP
Risk Example: Death Due to Cancer Societal Risk = 538,000 cancer-deaths/year in 1991 (based on Center for Disease Control actuarial data)
Average Individual Risk
= (538,000 Cancer-Deaths/Year)/250,000,000 Total U.S. Population
= 2.2E-03 Cancer-Deaths/Person-Year 1/460 Cancer-Deaths/Person-Year In any given year, approximately 1 person out of Note: www.cdc.gov latest data (2007) every 460 people in the entire U.S. population will 217.8 cancer deaths die from cancer per 100,000, thus average individual risk 2.2E-03 Deaths/Person-Year Fire PRA Workshop 2019, Rockville, MD Slide 128 Module 1: Internal Event, At-Power PRA Model for SNPP
NRC Quantitative Health Objectives (QHOs)
Originally known as the Probabilistic Safety Goals
- NRC adopted two probabilistic safety goals on August 21, 1986 High-level goal: Incremental risk from nuclear power plant operation < 0.1% of all risks
- Average individual (within 1 mile of plant) early fatality (accident) risk
< 5E-7/year
- Average individual (within 10 miles of plant) latent fatality (cancer) risk
< 2E- 6/year Lower level subsidiary goals were derived from the high-level QHOs
- Frequency of significant core damage (CDF) < 1E-4/year
- Frequency of large early release of fission products from containment (LERF) < 1E-5/year Fire PRA Workshop 2019, Rockville, MD Slide 129 Module 1: Internal Event, At-Power PRA Model for SNPP
Focus of Course is on At-Power PRA In early risk studies, risk from at-power operation was assumed to be dominant because during shutdown:
- Reactor is subcritical
- Longer time is available to respond to accidents (lower decay heat)
However, limited risk studies of low-power and shutdown operations have suggested that shutdown risk may be significant because:
- Systems may not be available as Tech. Specs. allow more equipment to be inoperable than at-power
- Initiating events can impact operable trains of systems providing critical plant safety functions (e.g., loss of RHR)
- Human errors are more prevalent because operators may find themselves in unfamiliar conditions not covered by training and procedures
- Plant instruments and indications may not be available or accurate Fire PRA Workshop 2019, Rockville, MD Slide 130 Module 1: Internal Event, At-Power PRA Model for SNPP
Specific Strengths of PRA Rigorous, systematic analysis tool Information integration (multidisciplinary)
Allows consideration of complex interactions Develops qualitative design insights Develops quantitative measures for decision making Provides a structure for sensitivity studies Explicitly highlights and treats principal sources of uncertainty Fire PRA Workshop 2019, Rockville, MD Slide 131 Module 1: Internal Event, At-Power PRA Model for SNPP
Principal Limitations of PRA Inadequacy of available data Lack of understanding of physical processes High sensitivity of results to assumptions Constraints on modeling effort (limited resources)
- Simplifying assumptions
- Truncation of results during quantification PRA is typically a snapshot in time
- This limitation may be addressed by having a living PRA Plant changes (e.g., hardware, procedures and operating practices) reflected in PRA model Temporary system configuration changes (e.g., out of service for maintenance) reflected in PRA model Lack of completeness (e.g., human errors of commission typically not considered)
Fire PRA Workshop 2019, Rockville, MD Slide 132 Module 1: Internal Event, At-Power PRA Model for SNPP
Evolution of PRA Use First PRA study (WASH-1400, 1975)
- Provided a better understanding of how nuclear plant accidents might occur and what the potential consequences might be Three Mile Island accident in 1979
- Validated the importance of PRA
- Led to efforts to improve state-of-the-art of PRA, in research into severe accident phenomena and performance of PRAs on more reactors NRC Safety Goals (1986)
- Risk to the public from nuclear power plant operation should be less than 0.1% of the total risk from other man-made causes Fire PRA Workshop 2019, Rockville, MD Slide 133 Module 1: Internal Event, At-Power PRA Model for SNPP
Evolution of PRA Use (Cont.)
Generic Letter 88-20 (1988)
- Requested all nuclear power plant licensees to conduct an Individual Plant Examination (IPE) to investigate plant-specific risk and identify any vulnerabilities. All plants performed a PRA. Plants later identified risk from external events in IPEEE (Individual Plant Examination of External Events)
NRC Policy Statement on the use of PRA in regulatory matters (1995)
- The use of PRA technology should be increased to the extent supported by the state-of-the-art in PRA methods and data and in a matter that complements the NRCs deterministic approach
- Risk-Informed Regulation Implementation Plan generated to define and organize PRA-related activities Fire PRA Workshop 2019, Rockville, MD Slide 134 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Accident Sequence Analysis Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
Functional Event Tree High-level representation of vital safety functions required to mitigate abnormal event
- Generic response of the plant to achieve safe and stable condition One functional event tree for transients and one for LOCAs Guides the development of more detailed system-level event tree model Generation of functional event trees not necessary; system-level event trees are the critical models
- Could be useful for advanced reactor PRAs Fire PRA Workshop 2019, Rockville, MD Slide 136 Module 1: Internal Event, At-Power PRA Model for SNPP
Functional Event Tree Initiating Reactor Short term Long term Event Trip core cooling core cooling SEQ # STATE IE RX-TR ST-CC LT-CC 1 OK 2 LATE-CD 3 EARLY-CD 4 ATWS Fire PRA Workshop 2019, Rockville, MD Slide 137 Module 1: Internal Event, At-Power PRA Model for SNPP
Small LOCA Event Tree from Surry SDP Notebook SLOCA EIHP AFW FB RCSDEP HPR LPR RS #
1 2
3 4
5 6
7 8
9 10 STATUS OK CD CD OK CD CD OK CD CD CD 11 CD Plant Name Abbrev.: SURY Fire PRA Workshop 2019, Rockville, MD Slide 138 Module 1: Internal Event, At-Power PRA Model for SNPP
Event Tree Reduction and Simplification Single transient event tree can be drawn with specific IE dependencies included at the fault tree level Event tree structure can often be simplified by reordering top events
- Example - Placing ADS before LPCI and CS on a BWR transient event tree Event tree development can be stopped if a partial sequence frequency at a branch point can be shown to be very small If at any branch point the delineated sequences are identical to those in delineated in another event tree, the accident sequence can be transferred to that event tree (e.g., SORV sequences transferred to LOCA trees)
Separate secondary event trees can be drawn for certain branches to simplify the analysis (e.g., ATWS tree)
Fire PRA Workshop 2019, Rockville, MD Slide 139 Module 1: Internal Event, At-Power PRA Model for SNPP
System Level Event Tree Determines Sequence Logic ST LT Initiating Rx Rx Core Core Event Trip Trip Cooling Cooling SEQ # STATE LOGIC LOCA AUTO MAN ECI ECR 1 OK 2 LATE-CD /AUTO*/ECI*ECR Success 3 EARLY-CD /AUTO*ECI 4 OK 5 LATE-CD AUTO*/MAN*/ECI*ECR Failure 6 EARLY-CD AUTO*/MAN*ECI 7 ATWS AUTO*MAN Fire PRA Workshop 2019, Rockville, MD Slide 140 Module 1: Internal Event, At-Power PRA Model for SNPP
Sequence Logic Used to Combine System Fault Trees into Accident Sequence Models System fault trees (or cutsets) are combined, using Boolean algebra, to generate core damage accident sequence models
- CD seq. #5 = LOCA
- AUTO * /MAN * /ECI
- ECR Sequence
- 5 Transfers to Fault Tree Logic LOCA AUTO /MAN /ECI ECR IE Fire PRA Workshop 2019, Rockville, MD Slide 141 Module 1: Internal Event, At-Power PRA Model for SNPP
Sequence Cutsets Generated from Sequence Logic Sequence cutsets generated by combining system fault trees (or cutsets) comprised by sequence logic
- Cutsets can be generated from sequence #5 Fault Tree Sequence #5 cutsets = (LOCA) * (AUTO cutsets) * (/MAN cutsets)
- (/ECI cutsets) * ( ECR cutsets)
Or, to simplify the calculation (via delete term)
- Sequence #5 cutsets (LOCA) * (AUTO cutsets) * (ECR cutsets) - any cutsets that contain MAN + ECI cutsets are deleted Fire PRA Workshop 2019, Rockville, MD Slide 142 Module 1: Internal Event, At-Power PRA Model for SNPP
Plant Damage State (PDS)
Core Damage (CD) designation for end state not sufficient to support Level 2 analysis
- Need details of core damage phenomena to accurately model challenge to containment integrity PDS relates core damage accident sequence to:
- Status of plant systems (e.g., AC power operable?)
- Status of RCS (e.g., pressure, integrity)
- Status of water inventories (e.g., injected into RPV?)
Fire PRA Workshop 2019, Rockville, MD Slide 143 Module 1: Internal Event, At-Power PRA Model for SNPP
Example Category Definitions for PDS Indicators
A large LOCA (6 to 29)
S1 medium LOCA (2 to 6)
S2 small LOCA (1/2 to 2)
S3 very small LOCA (less than 1/2)
G steam generator tube rupture with SG integrity H steam generator tube rupture without SG integrity V interfacing LOCA
- 2. Status of ECCS I operated in injection only B operated in injection, now operating in recirculation R not operating, but recoverable N not operating and not recoverable L LPI available in injection and recirculation of RCS pressure reduced
- 3. Status of Containment Heat Removal Capability Y operating or operable if/when needed R not operating, but recoverable N never operated, not recoverable Fire PRA Workshop 2019, Rockville, MD Slide 144 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Systems Analysis Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
System Mission Affects Model Demand based missions (binomial)
- Normally in standby
- Required to perform one (or more) times
- e.g., actuation systems, relief valves Time based missions (Poisson)
- Either in standby or normally operating
- Required to operate for some length of time, which affects unreliability
- e.g., ECCS, SWS Fire PRA Workshop 2019, Rockville, MD Slide 146 Module 1: Internal Event, At-Power PRA Model for SNPP
- 1. Define Top Event Undesired event or state of system
- Often corresponds to an event on an event tree
- Based on success criterion for system Typically initiating event dependent (e.g., HPI would have different success criteria for small LOCA vs. medium LOCA)
Can be sequence dependent Success criteria determined from thermal/hydraulic calculations (i.e., computer code runs made to determine how much injection is needed to keep core covered given particular IE)
- Success criterion used to determine failure criterion Fault tree top event
- Success criterion must be precise (e.g., Uninterupted flow from 2/3 HPIS pumps for 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> through 2/4 injection lines)
Fire PRA Workshop 2019, Rockville, MD Slide 147 Module 1: Internal Event, At-Power PRA Model for SNPP
- 2. Develop and Maintain Analysis Notebook Scope of analysis and system definition Notebook should include system design and operation information (normal and abnormal), support system requirements, instrumentation and control requirements, technical specifications, test and maintenance data, pertinent analytical assumptions, component locations Notebook reflects the iterative nature of fault tree analysis Fire PRA Workshop 2019, Rockville, MD Slide 148 Module 1: Internal Event, At-Power PRA Model for SNPP
- 3. Define Primary System and Interfaces A collection of discrete elements which interact to perform, in total or in part, a function or set of functions System boundary definition depends on:
- Information required from analysis
- Level of resolution of data Clear documentation of system boundary definition is essential Fire PRA Workshop 2019, Rockville, MD Slide 149 Module 1: Internal Event, At-Power PRA Model for SNPP
- 4. Develop Analysis Assumptions and Constraints Analytical assumptions must be developed to compensate for incomplete knowledge Rationale for assumptions should be specified and, wherever possible, supported by engineering analysis Document in notebook Fire PRA Workshop 2019, Rockville, MD Slide 150 Module 1: Internal Event, At-Power PRA Model for SNPP
- 5. Fault Tree Construction Step-by-step postulation of system faults Utilization of standard symbology Postulation consistent with level of resolution of data and assumptions Iterative process Fire PRA Workshop 2019, Rockville, MD Slide 151 Module 1: Internal Event, At-Power PRA Model for SNPP
Reduction of Example Fault Tree Fire PRA Workshop 2019, Rockville, MD Slide 152 Module 1: Internal Event, At-Power PRA Model for SNPP
Reduction of Example Fault Tree (Cont.)
Fire PRA Workshop 2019, Rockville, MD Slide 153 Module 1: Internal Event, At-Power PRA Model for SNPP
Fault Tree Pitfalls Inconsistent or unclear basic event names
- X*X = X, so if X is called X1 in one place and X2 in another place, incorrect results are obtained Missing dependencies or failure mechanisms
- An issue of completeness Unrealistic assumptions
- Availability of redundant equipment
- Credit for multiple independent operator actions
- Violation of plant LCO Modeling T&M unavailability can result in illegal cutsets Putting recovery in FT might give optimistic results Logic loops Fire PRA Workshop 2019, Rockville, MD Slide 154 Module 1: Internal Event, At-Power PRA Model for SNPP
Logic Loops Result from Circular Support Function Dependencies Fire PRA Workshop 2019, Rockville, MD Slide 155 Module 1: Internal Event, At-Power PRA Model for SNPP
Results Sanity checks on cutsets
- Symmetry If Train-A failures appear, do Train-B failures also appear?
- Completeness Are all redundant trains/systems really failed?
Are failure modes accounted for at component level?
- Realism Do cutsets make sense (i.e., Train-A out for T&M ANDed with Train-B out for T&M)?
- Predictive Capability If system model predicts total system failure once in 100 system demands, is plant operating experience consistent with this?
Fire PRA Workshop 2019, Rockville, MD Slide 156 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Human Reliability Analysis Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
Human Reliability Analysis Starts with the basic premise that the humans can be represented as either:
- A component of a system, or
- A failure mode of a system or component Identifies and quantifies the ways in which human actions initiate, propagate, or terminate fault and accident sequences Human actions with both positive and negative impacts are considered in striving for realism A difficult task in a PRA since need to understand the plant hardware response, the operator response, and the accident progression modeled in the PRA Fire PRA Workshop 2019, Rockville, MD Slide 158 Module 1: Internal Event, At-Power PRA Model for SNPP
Human Reliability Analysis Objectives Ensure that the impacts of plant personnel actions are reflected in the assessment of risk in such a way that:
a) Both pre-initiating event and post-initiating event activities, including those modeled in support system initiating event fault trees, are addressed b) Logic model elements are defined to represent the effect of such personnel actions on system availability/unavailability and on accident sequence development c) Plant-specific and scenario-specific factors are accounted for, including those factors that influence either what activities are of interest or human performance d) Human performance issues are addressed in an integral way so that issues of dependency are captured Fire PRA Workshop 2019, Rockville, MD Slide 159 Module 1: Internal Event, At-Power PRA Model for SNPP
Identification and Definition Process Identify Human Failure Events (HFEs) to be considered in plant models
- Based on PRA event trees, fault trees, and procedures Includes front line systems and support systems
- Often done in conjunction with the PRA modelers (Qualitative Screening)
- Normal Plant Ops - Identify potential errors involving miscalibration or failure to restore equipment by observing test and maintenance, reviewing relevant procedures and plant practices Guidelines for pre-initiator qualitative screening
- Post-Trip Conditions-- Determine potential errors in diagnosing and manipulating equipment in response to various accident situations Fire PRA Workshop 2019, Rockville, MD Slide 160 Module 1: Internal Event, At-Power PRA Model for SNPP
Identification and Definition Process (Cont.)
PRA model identifies component/system/function failures HRA requires definition of supporting information, such as:
- For post-initiating events, the cues being used, timing, and the emergency operating procedure(s) being used ATHEANA - Identify the base case for accident scenario
- Expected scenario - Including operator expectations for the scenario
- Sequence and timing of plant behavior - Behavior of plant parameters
- Key operator actions Fire PRA Workshop 2019, Rockville, MD Slide 161 Module 1: Internal Event, At-Power PRA Model for SNPP
Identification and Definition Process (Cont.)
Review emergency operating procedures to identify potential human errors Flow chart the EOPs to identify critical decision points and relevant cues for actions If possible, do early observations of simulator exercises List human actions that could affect course of events (Qualitative Screening)
Fire PRA Workshop 2019, Rockville, MD Slide 162 Module 1: Internal Event, At-Power PRA Model for SNPP
Qualitative Analysis Context, a set of plant conditions based on the PRA model
- Initiating event and event tree sequence Includes preceding hardware and operator successes/failures
- Cues, Procedure, Time window Qualitatively examine factors that could influence performance (Performance Shaping Factors, PSFs) such as:
- Training/experience - Scenario timing
- Clarity of cues - Workload
- Task complexity - Crew dynamics
- Environmental condition - Accessibility
- Human-machine interface
- Management and organizational factors Note: ATHEANA models Error Forcing Context consisting of plant context and scenario-specific factors that would influence operator response Fire PRA Workshop 2019, Rockville, MD Slide 163 Module 1: Internal Event, At-Power PRA Model for SNPP
Performance Shaping Factors (PSFs)
Are people-, task-, environmental-centered influences which could affect performance Most HRA modeling techniques allow the analyst to account for PSFs during their quantification procedure PSFs can Positively or Negatively impact human error probabilities PSFs are identified and evaluated in the human reliability task analysis Fire PRA Workshop 2019, Rockville, MD Slide 164 Module 1: Internal Event, At-Power PRA Model for SNPP
Quantifying the Human Error Probability Quantifying is the process of:
- Selecting an HRA method, then
- Calculating the Human Error Probability for a HFE Based on the qualitative assessment and Based on the context definition The calculation steps depend on the methodology being used Data sources - The input data for the calculations typically comes operator talk-throughs and/or simulations, while some methods the data comes from databanks or expert judgment The result is typically called a Human Error Probability or HEP Fire PRA Workshop 2019, Rockville, MD Slide 165 Module 1: Internal Event, At-Power PRA Model for SNPP
Screening Too many HFEs to do detailed quantification?
- Trying to reduce level of effort, resources
- Used during IPE era for initial model development ASME PRA Standard
- Pre-initiators: Screening pre-initiators is addressed in High Level Requirement HLR-HR-B
- Post-initiators: Screening is not addressed explicitly as a High Level Requirement Supporting requirement HR-G1 limits the PRA to Capability Category I, if conservative/screening HEPs used Thus, screening is more appropriate to Fire PRA Fire PRA Workshop 2019, Rockville, MD Slide 166 Module 1: Internal Event, At-Power PRA Model for SNPP
Detailed Quantification Point at which you bring all the information you have about each event
- PSFs, descriptions of plant conditions given the sequence
- Results from observing simulator exercises
- Talk-throughs with operators/trainers
- Dependencies Quantification Methods
- Major problem is that none of the methods handle all this information very well Assign HEPs to each event in the models Fire PRA Workshop 2019, Rockville, MD Slide 167 Module 1: Internal Event, At-Power PRA Model for SNPP
Caused Based Decision Tree (CBDT)
Method (EPRI)
Series of decision trees address potential causes of errors, produces HEPs based on those decisions Half of the decision trees involve the man-machine cue interface:
Availability of relevant indications (location, accuracy, reliability of indications);
Attention to indications (workload, monitoring requirements, relevant alarms);
Data errors (location on panel, quality of display, interpersonal communications);
Misleading data (cues match procedure, training in cue recognition, etc.);
Half of the decision trees involve the man-procedure interface:
Procedure format (visibility and salience of instructions, place-keeping aids);
Instructional clarity (standardized vocabulary, completeness of information, training provided);
Instructional complexity (use of "not" statements, complex use of "and" & "or" terms, etc.); and Potential for deliberate violations (belief in instructional adequacy, availability and consequences of alternatives, etc.)
For time-critical actions, the CBDT is supplemented by a time reliability correlation Fire PRA Workshop 2019, Rockville, MD Slide 168 Module 1: Internal Event, At-Power PRA Model for SNPP
EPRI HRA Calculator Software tool Uses SHARP1 as the HRA framework Post-initiator HFE methods:
- For diagnosis, uses CBDT (decision trees) and/or HCR/ORE (time based correlation)
- For execution, THERP for manipulation Pre-Initiator HFE methods:
- Uses THERP and ASEP to quantify pre-initiator HFEs Fire PRA Workshop 2019, Rockville, MD Slide 169 Module 1: Internal Event, At-Power PRA Model for SNPP
ATHEANA Experience-based (uses knowledge of domain experts, e.g.,
operators, pilots, trainers, etc.)
Focuses on the error-forcing context Links plant conditions, performance shaping factors (PSFs) and human error mechanisms Consideration of dependencies across scenarios Attempts to address PSFs holistically (considers potential interactions)
Structured search for problem scenarios and unsafe actions Fire PRA Workshop 2019, Rockville, MD Slide 170 Module 1: Internal Event, At-Power PRA Model for SNPP
HRA Process Summary Human Reliability Analysis provides a structured modeling process Human Interactions are incorporated as Human Failure Events in a PRA, identification and definition finds the HFEs Post-initiator operator actions consist of:
- Qualitative analysis of Context and Performance Shaping Factors Operator action must be feasible (for example, sufficient time, sufficient staff, sufficient cues, access to the area)
- Then Quantitative assessment (using an HRA method)
Includes dependency evaluation Two Parts of the Each Human Failure Event (HFE)
- Operator must recognize the need/demand for the action (cognition)
AND
- Operator must take steps (execution) to complete the actions Fire PRA Workshop 2019, Rockville, MD Slide 171 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Data Analysis Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
Initiating Event Frequencies Typically combination of:
- Generic data for rare events (e.g., LOCAs)
- Plant-specific data for more common events (most transients)
An IE frequency is a failure rate ()
- Poisson: prob(r failures in time t) = (1/r!) e-t(t)r prob(r >0, in time t) = 1-e-t t (for t << 1)
Parameters required are number of plant scrams and total time
- For at-power PRAs, time parameter is the number of years plant is critical Fire PRA Workshop 2019, Rockville, MD Slide 173 Module 1: Internal Event, At-Power PRA Model for SNPP
Basic Events Probabilities Probability of failure depends on mission and failure rate (i.e., the or p)
- Typically modeled as either Poisson or binomial
- Unavailability (e.g., T&M) calculated directly as a probability However, T&M unavailability can be estimated as an unreliability (like binomial), as well Key feature (of data) is that set of failure events and set of demands (or time) must be consistent with each other Fire PRA Workshop 2019, Rockville, MD Slide 174 Module 1: Internal Event, At-Power PRA Model for SNPP
Failure Probability Models Demand Failures
- Binomial: prob(r failures in n demands)
= pr(1-p)n-r prob(1 failurel1 demand) = p = Qd Failures in Time
- Poisson: prob(r failures in time t) = (1/r!) e-t(t)r prob(r >0, in time t) = 1-e-t t (for t << 1)
Q = Failure probability (unreliability or unavailability) ti = surveillance test interval p = Failure rate (per demand) m = maintenance frequency s = Failure rate (per hour) standby dm = maintenance duration h = Failure rate (per hour) operating tOOS = total time out of service tm = mission time ttotal = total time Fire PRA Workshop 2019, Rockville, MD Slide 175 Module 1: Internal Event, At-Power PRA Model for SNPP
Component Failure Modes Demand failure
- Qd = p
- Need number of failures and valid demands to estimate p Mission time failure (failure to run)
- Qr = 1 - e-htm
- Qr htm (for small t; when t < 0.1)
- Need number of failures and run time to estimate h Test and maintenance unavailability
- Qm = mdm = tOOS/ttotal
- Need either Maintenance frequency (m) and duration (dm)
Out-of-Service (OOS) time (tOOS) and total time (ttotal)
Standby failure (alternative to demand failure model)
- Qs sti/2
- Need number of failures and time in standby to estimate s Fire PRA Workshop 2019, Rockville, MD Slide 176 Module 1: Internal Event, At-Power PRA Model for SNPP
Boundary Conditions and Modeling Assumptions Affect Form of Data Clear understanding of component boundaries and missions needed to accurately use raw data or generic failure rates For example:
- Do motor driven components include circuit breakers? (Are CB faults included in component failure rate?)
Failure mode being modeled also impacts type and form of data needed to quantify the PRA
- FTR - Failures while operating and operating time
- FTS/FTO - Failures and demands (successes)
Fire PRA Workshop 2019, Rockville, MD Slide 177 Module 1: Internal Event, At-Power PRA Model for SNPP
Bayes Theorem is Basis for Bayesian Updating of Data Typical use: Sparse plant-specific data combined with generic data using Bayes Theorem:
L( E ) 0 ( )
1 ( E ) =
L( E ) ( ) d 0
Where:
- () is prior distribution (generic data)
- L(El) is likelihood function (plant-specific data)
- 1(l) is posterior distribution (updated estimate)
Fire PRA Workshop 2019, Rockville, MD Slide 178 Module 1: Internal Event, At-Power PRA Model for SNPP
Bayesian Technique Starts with Subjective Judgment Prior represents ones belief about a parameter before any data have been observed Prior can be either informative or non-informative
- Three common priors Non-informative (Jeffreys) prior Informative prior (e.g., generic data)
Constrained non-informative prior Fire PRA Workshop 2019, Rockville, MD Slide 179 Module 1: Internal Event, At-Power PRA Model for SNPP
Non-Informative Prior Imparts little prior belief or information Minimal influence on posterior distribution
- Except when updating with very sparse data Basically assumes 1/2 of a failure in one demand (for binomial, or in zero time for a Poisson process)
- If update data is very sparse, mean of posterior will be pulled to 0.5 e.g., for plant-specific data of 0/10 (failures/demands)
Update=> 0.5/1 (prior) + 0/10 (likelihood) = 0.5/11 (posterior)
Fire PRA Workshop 2019, Rockville, MD Slide 180 Module 1: Internal Event, At-Power PRA Model for SNPP
Informative Prior Maximum utilization of all available data Prior usually based on generic or industry-wide data Avoids potential conservatism that can result from use of non-informative prior However, good plant-specific data can be overwhelmed by a large generic data set e.g., prior = 100/10000 (failures/demands) = 1E-2 plant-specific = 50/100 (failures/demands) = 0.5 posterior = 150/10100 = 1.5E-2 (basically the prior)
Fire PRA Workshop 2019, Rockville, MD Slide 181 Module 1: Internal Event, At-Power PRA Model for SNPP
Constrained Non-informative Prior Combines certain aspects of informative and non-informative priors
- Weights the prior as a non-informative (i.e., 1/2 of a failure)
- However, constrains the mean value of the prior to some generic-data based value For example: Generic estimate of previous example would be converted to a non-informative prior 100/10000 => 0.5/50 (this then used as the prior)
Update=> 0.5/50 + 50/100 = 50.5/150 = 0.34 Fire PRA Workshop 2019, Rockville, MD Slide 182 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Failures (CCFs)
Conditions which may result in failure of more than one component, subsystem, or system Common cause failures are important since they:
- Defeats redundancy and/or diversity
- Data suggest high probability of occurrence relative to multiple independent failures Fire PRA Workshop 2019, Rockville, MD Slide 183 Module 1: Internal Event, At-Power PRA Model for SNPP
Common Cause Failure Mechanisms Environment
- Radioactivity
- Temperature
- Corrosive environment Design deficiency Manufacturing error Test or Maintenance error Operational error Fire PRA Workshop 2019, Rockville, MD Slide 184 Module 1: Internal Event, At-Power PRA Model for SNPP
Component Data Not Truly Time Independent PRAs typically assume time-independence of component failure rates
- One of the assumptions for a Poisson process (i.e., failures in time)
However, experience has shown aging of equipment does occur
- Failure rate () = (t)
- Bathtub curve (t) Failure Rate t
Burn-in Maturity Wearout Fire PRA Workshop 2019, Rockville, MD Slide 185 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Accident Sequence Quantification Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
Quantification of Sequence Cutsets Exact Solution for Top = A + B:
P(Top) = P(A + B) = P(A) + P(B) - P(AB)
- Cross terms become unwieldy for large lists of cutsets.
Thus, sequences typically quantified using either:
- Rare-Event Approximation P(Top) = sum of probabilities of individual minimal cutsets (MCSs)
= P(A) + P(B)
P(AB) judged sufficiently small (rare) that it can be ignored (i.e.,
cross-terms are simply dropped)
P(Top Event) P(MCSk)
Or
- Minimal Cutset Upper Bound (min-cut) Approximation P(Top) = 1 - product of cutset success probabilities P(Top Event) < 1- (1-P{MCSk})
Fire PRA Workshop 2019, Rockville, MD Slide 187 Module 1: Internal Event, At-Power PRA Model for SNPP
Comparison of Quantification Methods for P(A+B)
Small values for Large values for A & B dependent P(A) & P(B), A & B P(A) & P(B), A & B independent independent Values P(A) = 0.01 P(A) = 0.4 B = /A P(B) = 0.03 P(B) = 0.6 P(A) = 0.4 P(B) = P(/A) = 0.6 Exact 0.01 + 0.03 - (0.01
- 0.03) 0.4 + 0.6 - (0.4
- 0.6) 0.4 + 0.6 - P(A*/A)
= 0.0397 = 0.76 = 1.0 Rare Event 0.01 + 0.03 = 0.04 0.4 + 0.6 = 1.0 0.4 + 0.6 = 1.0 MinCut UB 1 - [(1-0.01) * (1-0.03)] 1 - [(1-0.4) * (1-0.6)] 1 - [(1-0.4) * (1-0.6)]
= 0.0397 = 0.76 = 0.76 Fire PRA Workshop 2019, Rockville, MD Slide 188 Module 1: Internal Event, At-Power PRA Model for SNPP
Dominant Accident Sequences (Examples)
Surry (NUREG-1150) Grand Gulf (NUREG-1150)
Seq Description % CDF Cum Seq Description % CDF Cum 1 Station Blackout (SBO) - Batt Depl. 26.0 26.0 1 Station Blackout (SBO) With HPCS And RCIC Failure 89.0 89.0 2 SBO - RCP Seal LOCA 13.1 39.1 2 SBO With One SORV, HPCS And RCIC Failure 4.0 93.0 3 SBO - AFW Failure 11.6 50.7 3 ATWS - RPS Mechanical Failure With MSIVs Closed, 3.0 96.0 4 SBO - RCP Seal LOCA 8.2 58.9 Operator Fails To Initiate SLC, HPCS Fails And 5 SBO - Stuck Open PORV 5.4 64.3 Operator Fails To Depressurize 6 Medium LOCA - Recirc Failure 4.2 68.5 7 Interfacing LOCA 4.0 72.5 8 SGTR - No Depress - SG Integty Fails 3.5 76.0 9 Los s of MFW/AFW - Feed & Bleed Fail 2.4 78.4 10 Medium LOCA - Injection Failure 2.1 80.5 11 ATWS - Unfavorable Mod. Temp Coeff. 2.0 82.5 12 Large LOCA - Recirculation Failure 1.8 84.3 13 Medium LOCA - Injection Failure 1.7 86.0 14 SBO - AFW Failure 1.6 87.6 15 Large LOCA - Accumulator Failure 1.6 89.2 16 ATWS - Emergency Boration Failure 1.6 90.8 17 Very Sm all LOCA - Injection Failure 1.5 92.3 18 Small LOCA - Injection Failure 1.1 93.4 19 SBO - Battery Depletion 1.1 94.5 20 SBO - Stuck Open PORV 0.8 95.3 Fire PRA Workshop 2019, Rockville, MD Slide 189 Module 1: Internal Event, At-Power PRA Model for SNPP
Truncation Issues Affect Quantification Two types of truncation
- Cutset frequency
- Cutset order Truncating on number of basic events in a cutset generally limited to vital area analyses Becoming less of a concern with increased computer/software capabilities Truncation cutoff value should be decreased Low probability events can accumulate until change in total frequency becomes
- 1,000 cutsets at 1E-9 each = 1E-6 stable
- 10,000 cutsets at 1E-9 each = 1E-5 Fire PRA Workshop 2019, Rockville, MD Slide 190 Module 1: Internal Event, At-Power PRA Model for SNPP
Importance Measures for Basic Events Provide a quantitative perspective on risk and sensitivity of risk to changes in input values Three are encountered most commonly:
- Fussell-Vesely (F-V)
- Birnbaum
- Risk Reduction (RR)
- Risk Increase (RI) or Risk Achievement (RA)
Fire PRA Workshop 2019, Rockville, MD Slide 191 Module 1: Internal Event, At-Power PRA Model for SNPP
Importance Measures (Layman Definitions)
Risk Achievement Worth (RAW)
- Relative risk increase assuming failure Risk Reduction Worth (RRW)
- Relative risk reduction assuming perfect performance Fussell-Vesely (F-V)
- Fractional reduction in risk assuming perfect performance Birnbaum
- Difference in risk between perfect performance and assumed failure Fire PRA Workshop 2019, Rockville, MD Slide 192 Module 1: Internal Event, At-Power PRA Model for SNPP
Importance Measures (Mathematical Definitions)
R = Baseline Risk R(1) = Risk with the element always failed or unavailable R(0) = Risk with the element always successful RAW = R(1)/R or R(1) - R RRW = R/R(0) or R - R(0)
F-V = [R-R(0)]/R Birnbaum = R(1) - R(0)
Fire PRA Workshop 2019, Rockville, MD Slide 193 Module 1: Internal Event, At-Power PRA Model for SNPP
Limitations of Importance Measures Risk rankings are not always well-understood in terms of their issues and engineering interpretations
- That is, high importance does not necessarily mean dominant contributor to CDF RAW provides indication of risk impact of taking equipment out of service but full impact may not be captured
- That is, taking component out of service for test and maintenance may increase likelihood of initiating event due to human error F-V and RAW rankings can differ significantly when using different risk metrics
- Such as, core damage frequency due to internal events versus external events, shutdown risk, etc.
Individual F-V or RAW measures cannot be combined to obtain risk importance for combinations of events Fire PRA Workshop 2019, Rockville, MD Slide 194 Module 1: Internal Event, At-Power PRA Model for SNPP
Uncertainty Must be Addressed in PRA Uncertainty arises from many sources:
- Inability to specify initial and boundary conditions precisely Cannot specify result with deterministic model Instead, use probabilistic models (e.g., tossing a coin)
- Sparse data on initiating events, component failures, and human errors
- Lack of understanding of phenomena
- Modeling assumptions (e.g., success criteria)
- Modeling limitations (e.g., inability to model errors of commission)
- Incompleteness (e.g., failure to identify system failure mode)
Fire PRA Workshop 2019, Rockville, MD Slide 195 Module 1: Internal Event, At-Power PRA Model for SNPP
PRAs Identify Two Types of Uncertainty Distinction between aleatory and epistemic uncertainty:
- Aleatory from the Latin Alea (dice), of or relating to random or stochastic phenomena. Also called random uncertainty or variability
- Epistemic of, relating to, or involving knowledge; cognitive. From Greek episteme, knowledge. Also called state-of-knowledge uncertainty Fire PRA Workshop 2019, Rockville, MD Slide 196 Module 1: Internal Event, At-Power PRA Model for SNPP
Aleatory Uncertainty Variability in or lack of precise knowledge about underlying conditions makes events unpredictable. Such events are modeled as being probabilistic in nature. In PRAs, these include initiating events, component failures, and human errors For example, PRAs model initiating events, as a Poisson process, similar to the decay of radioactive atoms Poisson process characterized by frequency of initiating event, usually denoted by parameter Fire PRA Workshop 2019, Rockville, MD Slide 197 Module 1: Internal Event, At-Power PRA Model for SNPP
Epistemic Uncertainty Value of is not known precisely Could model uncertainty in estimate of using statistical confidence interval
- Cant propagate confidence intervals through PRA models
- Cant interpret confidence intervals as probability statements about value of PRAs model lack of knowledge about value of by assigning (usually subjectively) a probability distribution to
- Probability distribution for can be generated using Bayesian methods Fire PRA Workshop 2019, Rockville, MD Slide 198 Module 1: Internal Event, At-Power PRA Model for SNPP
Types of Epistemic Uncertainties Parameter uncertainty Modeling uncertainty
- System success criteria
- Accident progression phenomenology
- Health effects models (linear versus nonlinear, threshold versus non-threshold dose-response model)
Completeness
- Complex errors of commission
- Design and construction errors
- Unexpected failure modes and system interactions
- All modes of operation not modeled Fire PRA Workshop 2019, Rockville, MD Slide 199 Module 1: Internal Event, At-Power PRA Model for SNPP
Addressing Epistemic Uncertainties Parameter uncertainty addressed by propagating parameter uncertainty distributions through model Modeling uncertainty usually addressed through sensitivity studies
- Research ongoing to examine more formal approaches Completeness addressed through comparison with other studies and peer review
- Some issues (e.g., design errors) are simply acknowledged as limitations
- Other issues (e.g., errors of commission) are topics of ongoing research Fire PRA Workshop 2019, Rockville, MD Slide 200 Module 1: Internal Event, At-Power PRA Model for SNPP
Prerequisites for Performing a Parameter Uncertainty Analysis Cutsets for individual sequence or groups of sequences (e.g., by initiator or total plant model) exist Failure probabilities for each basic event, including distribution and correlation information (for those events that are uncertain or are modeled as having uncertainty)
Frequencies for each initiating event, including distribution information Fire PRA Workshop 2019, Rockville, MD Slide 201 Module 1: Internal Event, At-Power PRA Model for SNPP
Performing A Parameter Uncertainty Analysis Select cutsets Select sampling strategy
- Monte Carlo: simple random sampling process/technique
- Latin Hypercube: stratified sampling process/technique Select number of observations (i.e., number of times a variables distribution will be sampled)
Perform calculation Fire PRA Workshop 2019, Rockville, MD Slide 202 Module 1: Internal Event, At-Power PRA Model for SNPP
Correlation: Effect on Results Correlating data produces wider uncertainty in results
- Without correlating a randomly selected high value will usually be combined with randomly selected lower values (and vice versa),
producing an averaging effect Reducing calculated uncertainty in the result
- Mean value of probability distributions that are skewed right (e.g.,
lognormal, commonly used in PRA) is increased when uncertainty is increased Fire PRA Workshop 2019, Rockville, MD Slide 203 Module 1: Internal Event, At-Power PRA Model for SNPP
NUREG/CR-6850 FIRE PRA METHODOLOGY Module 1 Internal Event, At-Power Probabilistic Risk Assessment Model for SNPP Level 2/LERF Analysis Fire PRA Workshop June 24, 2019 - June 28, 2019 Rockville, MD
Principal Steps in PRA LEVEL LEVEL LEVEL 1 2 3 Initiating Accident Accident RCS / Source Release Offsite Health &
Event Sequence Sequence Containment Term Category Conseqs Economic Analysis Analysis Quantif. Response Analysis Character. Analysis Risk Analysis and Analysis Quantif.
Meteorology Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis Sensitivity Sensitivity Sensitivity Analysis Analysis Analysis Population Distribution Emergency Data Response Analysis* Human Reliability Analysis* Pathways Model LERF Assessment Health Effects Economic Effects
- Used in Level 2 as required Fire PRA Workshop 2019, Rockville, MD Slide 205 Module 1: Internal Event, At-Power PRA Model for SNPP
Purpose and Objectives
Purpose:
Students receive a brief introduction to accident progression (Level 2 PRA).
Objectives: At the conclusion of this topic, students will be able to:
- List primary elements which comprise accident phenomenology
- Explain how accident progression analysis is related to full PRA
- Explain general factors involved in containment response
Reference:
NUREG/CR-2300, NUREG-1489 (App. C)
Fire PRA Workshop 2019, Rockville, MD Slide 206 Module 1: Internal Event, At-Power PRA Model for SNPP
Level 2 PRA Risk Measures Current NRC emphasis on LERF
- Risk-informed Decision-Making for Currently Operating Reactors
- Broader view expected for new reactors Some discussion of alternative risk acceptance criteria
- Goals for frequency of various release magnitudes
- Release often expressed in units of activity (not health consequences)
Full-scope Level 2 offers Complete Characterization of Releases to Environment
- Frequency of large/small, early/late releases Fire PRA Workshop 2019, Rockville, MD Slide 207 Module 1: Internal Event, At-Power PRA Model for SNPP
LERF Definition A LERF definition is provided in the PSA Applications Guide:
Large, Early Release: A radioactive release from the containment which is both large and early. Large is defined as involving the rapid, unscrubbed release of airborne aerosol fission products to the environment. Early is defined as occurring before the effective implementation of the off-site emergency response and protective actions.
Fire PRA Workshop 2019, Rockville, MD Slide 208 Module 1: Internal Event, At-Power PRA Model for SNPP
Level 2 PRA is a Systematic Evaluation of Plant Response to Core Damage Sequences LEVEL 2 RCS / Source Release Containment Term Category Response Analysis Character.
and INPUT Analysis Quantif. OUTPUT Phenomena Uncertainty Deterministic:
Accident &
- Reactor transient Analysis Sensitivity Sequences
- Containment response Analysis
- Core damage progression
- Fission product inventory released to environment Computer Logic code models calculations Probabilistic:
Association of
- Relative likelihood of Engineering uncertainty with (confidence in) alternative analyses probability responses for each sequence Application of Grouping of
- Frequency of fission product experimental data results release categories Fire PRA Workshop 2019, Rockville, MD Slide 209 Module 1: Internal Event, At-Power PRA Model for SNPP
Some Subtle Features of the Level 2 PRA Process Level 2 Requires More Information than a Level 1 PRA Generates
- Containment safeguards systems not usually needed to determine core damage
- Level 1 event trees built from success criteria can ignore status of front-line systems that influence extent of core damage Event Trees Create Very Large Number of Scenarios to Evaluate
- Grouping of similar scenarios is a practical necessity Quantification Involves Considerable Subjective Judgment
- Uncertainty, Sensitivity, and Uncertainty in Uncertainty Fire PRA Workshop 2019, Rockville, MD Slide 210 Module 1: Internal Event, At-Power PRA Model for SNPP
Additional Work is Often Required to Link Level 1 Results to Level 2 Plant Damage State (PDS) Analysis Level-1 Sequence Level-2 Containment or Event Tree Add containment Accident Progression systems Event Tree (CET or APET)
OK PDS1 Initiating CD PDS2 Event A OK Source PDSn CD PDSx Terms (Release OK Resolve status of Categories) ignored systems Initiating CD Event B PDSi CD PDSj Fire PRA Workshop 2019, Rockville, MD Slide 211 Module 1: Internal Event, At-Power PRA Model for SNPP
Typical Steps in Level 2 Probabilistic Model Initial plant Consolidated Accident progression / Conditional Initiating Accident damage plant damage containment event tree Release consequence Events sequences states states end states categories bins
(< 100) (millions) (50 to 100) (< 20) (104 to 106) (< 20) (< 20)
Frequency
- Consequence Combine Similar PDS Accident progression /
Risk Integration containment event trees Binning Process (branch probabilities with uncertainties)
Accident sequence event trees (event probabilities from fault trees)
Stop Screen on Iterative truncation low frequency 10-10 ... 10-12 ...
to convergence Sensitivity analysis & reconsideration of low-frequency PDS with high consequences LEVEL 1 LEVEL 1 -2 LEVEL 2 LEVEL 3 Interface Fire PRA Workshop 2019, Rockville, MD Slide 212 Module 1: Internal Event, At-Power PRA Model for SNPP
Major Tasks Plant Damage State (PDS) Analysis
- Link to Level 1 Deterministic Assessments of Plant Response to Severe Accidents
- Containment performance assessment
- Accident progression and source term analysis Probabilistic Treatment of Epistemic Uncertainties
- Account for phenomena not treated by computer codes
- Characterize relative probability of alternative outcomes for uncertain events Couple Frequency with Radiological Release
- Link to Level 3 Fire PRA Workshop 2019, Rockville, MD Slide 213 Module 1: Internal Event, At-Power PRA Model for SNPP
Major Steps of Level 2 Analysis Level 1 - 2 Interface
- Enhance Level 1 accident sequence models to meet Level 2 needs
- Group cutsets into plant damage state (PDS) bins
- Output - Frequency of each PDS bin (5 to 25 PDSs)
Accident Progression Analysis
- Run preliminary MELCOR runs to establish source term Release Categories
- Build Containment Event Tree (CET)
Sequence of events that lead to containment failure and fission product release
- Output - Frequency of each CET end-state Source Term Binning
- Develop criteria for source term binning of CET end-states
- Run additional MELCOR runs to refine source term Release Categories
- Group CET end-states into source term Release Categories
- Output - Frequency of each Release Category Fire PRA Workshop 2019, Rockville, MD Slide 214 Module 1: Internal Event, At-Power PRA Model for SNPP
Level 1 - 2 Interface Enhance Level 1 accident sequence models to address Level 2 information needs
- Add front line systems excluded from core damage sequences, but relevant to the progression of core damage
- Add containment system response to Level 1 models
- Requantify Level 1 results
- Accomplished using either a Containment Safeguards Tree or Bridge Tree Consolidate Level 1 results for Level 2 (PDS Analysis)
- Identify post-core damage attributes important to containment response
- Group Level 1 Sequences (or cutsets) into bins defined in terms of common accident attributes relevant to containment response
- Output - Frequency of PDSs Fire PRA Workshop 2019, Rockville, MD Slide 215 Module 1: Internal Event, At-Power PRA Model for SNPP
Schematic of Accident Progression Event Tree Boundary Recovery of Core In-vessel Processes Ex-vessel Processes Final Conditions: Prior to Vessel & Containment & Containment Outcome Plant Damage States Breach Impact Impact Large/Early Release Pressure Debris in vessel coolability Yes Hydrogen released? Yes No System Setpoint Recovery of injection Yes No High Yes Inter- No No mediate Hydrogen Low burn before vessel Yes breach No Pressure increase due to H2 burn during CCI gas generation Source: NUREG-1150 Fire PRA Workshop 2019, Rockville, MD Slide 216 Module 1: Internal Event, At-Power PRA Model for SNPP
Accident Progression Analysis There are 4 major steps in Accident Progression Analysis
- 1. Develop the Accident Progression Event Trees (APETs)
- 2. Perform structural analysis of containment
- 3. Quantify APET issues
- 4. Group APET sequences into accident progression bins Fire PRA Workshop 2019, Rockville, MD Slide 217 Module 1: Internal Event, At-Power PRA Model for SNPP
Severe Accident Analysis Computer Code (e.g., MAAP or MELCOR) Calculations Provide Foundation Information for Design-Specific Information --
Thermal-hydraulic response/success criteria
- Primary coolant inventory management, reactor pressure control and heat removal Time of major events
- Onset of core damage
- Time to exceed containment failure criteria
- Available time for operator actions Evolution of severe accident phenomena
- RCS and containment pressure/temperature signatures
- Fission product release/transport (source term)
Containment Ultimate Pressure Fire PRA Workshop 2019, Rockville, MD Slide 218 Module 1: Internal Event, At-Power PRA Model for SNPP
Containment Response How does the containment system deal with physical conditions resulting from the accident?
- Pressure
- Heat sources
- Fission products
- Steam and water
- Hydrogen
- Other non-condensables Typical failure modes:
Isolation failure or bypass Blowdown reaction forces Over-pressure (global) Local heating of pressure boundary Creep (axial growth) penetrations or seals Corium-concrete interaction Localized dynamic loads Fire PRA Workshop 2019, Rockville, MD Slide 219 Module 1: Internal Event, At-Power PRA Model for SNPP
Deterministic Analysis Results Useful for APET/CET Quantification Probability of containment failure at vessel breach hinges on likelihood of hydrogen ignition in containment
- Possibilities for ignition sources?
Questions the APET/CET
- Flame propagation from drywell?
should consider
- Debris transport from pedestal?
Containment over-pressure from large burn can also fail drywell wall
- Suppression pool bypass for late in-vessel F.P. releases Reactor vessel failure at low pressure depends on failure of safety valve
- Valve failure criteria? Questions the APET/CET
- Single cycling valve? should consider Fire PRA Workshop 2019, Rockville, MD Slide 220 Module 1: Internal Event, At-Power PRA Model for SNPP
APET/CET Quantification System failure events quantified in manner consistent with Level 1
- Most system issues handled prior to PDS Analysis Dependencies and Data (Aleatory) Uncertainties Accompanying Level 1 systems analysis must be carried forward through PDS:
- Support system failures, if any
- Prior operator performance, if any
- PDS frequency as distribution, if any Most CET events cannot be quantified as randomly occurring events
- Fundamental nature of uncertainty is NOT stochastic (random) behavior of the system
- Epistemic or state-of-knowledge uncertainty
- Probability represents analysts degree of confidence that a particular outcome is true
- Evidence may point to one outcome over another Many events are quantified using engineering judgment Fire PRA Workshop 2019, Rockville, MD Slide 221 Module 1: Internal Event, At-Power PRA Model for SNPP
Uncertainty Analysis in Level 2 PRA Event Quantification in CET Predominantly Reflects Epistemic Uncertainty
- Subjective judgment about a particular outcome Most CET probabilities are estimated as point estimates:
- From deterministic calculations, or
- Engineering judgment Distributions Can Be Defined and Sampled to model epistemic uncertainties Fire PRA Workshop 2019, Rockville, MD Slide 222 Module 1: Internal Event, At-Power PRA Model for SNPP
Issues to Tackle in Propagating Uncertainty through Level 2 APET/CET Large Values of Probability (> 0.1) Are Common
- Eliminates Use of Some Quantification Techniques common to Level 1 Correlation Among Events Can be Complicated
- Event chronology:
Example: Hydrogen Combustion
- Probability of early burn correlated with in-vessel generation
- Probability of burn at vessel breach correlated with early burn
- Probability of late burn correlated with all earlier burns
- Circular Dependence H2 Generation RPV Pressure SRV Behavior H2 Generation Fire PRA Workshop 2019, Rockville, MD Slide 223 Module 1: Internal Event, At-Power PRA Model for SNPP
Source Term Binning Rather than calculate a source term for each end-state of the CET, rules are generated to group end-states with similar source terms
- Each group is referred to as a source term bin or release category
- Rules (binning criteria) are based on knowledge gained Process similar to PDS analysis:
from multiple source term
- Define binning criteria from results calculations of calculations
- Link each CET end-state to a unique Category Fire PRA Workshop 2019, Rockville, MD Slide 224 Module 1: Internal Event, At-Power PRA Model for SNPP
Typical Source Term Binning Characteristics Timing, size, and location of containment failure Plant or accident features that attenuate airborne fission product concentration
- Release path through auxiliary building(s)
- Atmosphere sprays Effectiveness of ex-vessel debris cooling Availability of water after RPV lower head failure
- Cover debris with pool of water (scrubbing)
- Cool RPV surfaces reduces revolatilization Fire PRA Workshop 2019, Rockville, MD Slide 225 Module 1: Internal Event, At-Power PRA Model for SNPP
Release Fraction as a Measure for Comparing Source Terms Bin or group calculated source terms into broad classes based on magnitude and timing of release to the environment
- Release fractions for Iodine (I-131) and Cesium (Cs-137) are established measures of early and long-term health effects, respectively
- Binning criteria can be based on one or both measures Fire PRA Workshop 2019, Rockville, MD Slide 226 Module 1: Internal Event, At-Power PRA Model for SNPP
Full Scope Level 2 PRA: Wide Range of Possible Accidental Releases to Environment Characterization of Releases 95th to the Environment of all 50th Types 10-6 Frequency of exceedance Large/Small 5th Early/Late 10-7 Energetic/Protracted Early Elevated/Ground level 10-8 Late Frequency of Each Type Describes Full Spectrum of 10-9 Releases Associated with Core Damage Events 10x 10x+1 10x+2 10x+3 Release magnitude Fire PRA Workshop 2019, Rockville, MD Slide 227 Module 1: Internal Event, At-Power PRA Model for SNPP
Bounding or Screening Models for U.S.
Risk-Informed Applications (LERF)
NUREG/CR- 6595 (Brookhaven 2004)
- Provides simplified approach designed to supplement Level-I PRAs submitted in support of risk-informed decision making
- Accident sequence information provided in the Level-I PRA is used to estimate the frequencies of various containment failure modes A Simplified Model Can Be Used to Estimate Bounding Value of LERF
- Simple method outlined in NUREG/CR-6595
- Pre-quantified CETs with paths leading to LERF
- Avoids expensive of plant-specific deterministic analysis
- Avoids source term (MELCOR) calculations
- Only useful if bounding values for conditional containment failure probability are tolerable Fire PRA Workshop 2019, Rockville, MD Slide 228 Module 1: Internal Event, At-Power PRA Model for SNPP