Text

Nuclear Power Accidents and Incidents: Lessons for PRA (Uiuc Seminar)
	ML20339A570
Person / Time
Issue date:	02/02/2021
From:	Nathan Siu; Office of Nuclear Reactor Regulation, Office of Nuclear Regulatory Research
To:	;
	Nathan Siu
References
	Download: ML20339A570 (117)
	v • d • e

Nuclear Power Accidents and Incidents: Lessons for PRA*

Nathan Siu Senior Technical Adviser for PRA Office of Nuclear Regulatory Research U.S. Nuclear Regulatory Commission Research Seminar (Virtual)

University of Illinois, Urbana-Champaign February 2, 2021

The views expressed in this presentation are not necessarily those of the U.S. Nuclear Regulatory Commission.

Table of Contents

Overview: operational experience (OpE) and risk-informed decisionmaking (RIDM)

Past performance is no guarantee

OpE narrative mining of future results.

- Case Study 1: Great East Japan Earthquake and Tsunami - Investment disclaimer

- Case Study 2: Selected storms and floods

- Case Study 3: Selected earthquakes

- Summary results Those who cannot remember the

Closing remarks past are condemned to repeat it.

- George Santayana

Additional slides The Life of Reason, 1905

- Recent RIDM trends

- Example regulatory uses of risk information

- Overview: reactor accidents and incidents

- Examples: some real world mechanisms and scenarios 2

OpE and RIDM Some Reactor Fuel Damage Accidents and Incidents*

Windscale 1 TMI 2 Fukushima Daiichi 1-3 Graphite Pile, UK PWR, US BWRs, Japan Graphite Fire Loss of Feedwater EQ + Tsunami, Loss of Power Fermi 1 Chernobyl 4 LMR, US RBMK, Ukraine Flow Blockage Reactivity Accident Leningrad 1 RBMK, Russia Reactivity Accident St. Laurent 1 Bohunice A-1 Paks 2 GCR, France HWGCR, Slovak Republic VVER, Hungary Fuel Misload Fuel Loading Accidents Spent Fuel Pool Accident 1950 1960 1970 1980 1990 2000 2010 2020 3 *Events involving fuel damage at power and/or production reactors

OpE and RIDM And Some Other Rancho Seco PWR, US Madras 2 PHWR, India Serious Incidents*

Maintenance Error Tsunami LOFW, TMI precursor LOUHS Gundremmingen A Turkey Point 3 & 4 H.B. Robinson B/F Bleed and feed cooling VVER, East Germany PWR, US PWR, US LOCA Loss of coolant accident Training Error Storm (Hurricane) Bus Fire (Arc)

LOFW Loss of feedwater Partial LOOP, RV LOCA LOOP RCP Seal Challenge LOMCR Loss of main control room LOOP Loss of offsite power Browns Ferry 1 & 2 Narora Maanshan Fukushima Daiichi 5 LOUHS Loss of ultimate heat sink RV Relief valve BWR, US Davis-Besse PHWR, India PWR, Taiwan BWR, Japan SBO Station blackout (loss of AC power) Cable Fire PWR, US Turbine Fire Storm (Spray) EQ + Tsunami Complicated Trip LOFW, no B/F SBO, LOMCR SBO Loss of all power LaCrosse Armenia Blayais 1 & 2 Cruas 2-4 Duane Arnold BWR, US VVER, Armenia PWR, France PWR, France BWR, US Switchyard Fire Cable Fire Storm (Wind + Flood) Flood (Debris) Storm (Wind)

Partial Uncovery SBO LOOP, Degraded UHS LOUHS LOOP 1950 1960 1970 1980 1990 2000 2010 2020 4 *Selected non-fuel damage events with challenges to core cooling

OpE and RIDM OpE: An Explicit Role in Regulation Functions Standard* Principles**

Reasonable assurance of

Independence adequate protection

Openness

Efficiency

Clarity

When granting, suspending,

Reliability revoking, or amending licenses or construction permits. (Atomic **NRC Strategic Plan Energy Act of 1954, as amended - (NUREG-1614) see NUREG-0980, v1, n7, 2005) 5

OpE and RIDM OpE: Explicit Roles in Risk-Informed a philosophy whereby Decision Making (RIDM) risk insights are considered together with other factors to establish requirements Defense-in-depth that better focus licensee and regulatory attention on Current regulations Safety margins design and operational issues commensurate with their importance to public Integrated health and safety.

Decision Making [Emphases added]

White Paper on Risk-Informed and Performance-Based Regulation, Monitoring Risk SECY-98-144, January 22, 1998.

Adapted from RG 1.174 Adapted from: U.S. Nuclear Regulatory Commission, An Approach for Using Probabilistic Risk Assessment in Risk-Informed 6 Decisions on Plant-Specific Changes to the Licensing Basis, Regulatory Guide 1.174, Revision 3, January 2018.

OpE and RIDM Triplet Definition of Risk (Kaplan and Garrick, 1981)*

Features Risk {si , Ci , pi }

Vector, not scalar

Qualitative and

What can go wrong? quantitative

What are the consequences?

Differences across

How likely is it? accident spectrum

Adopted by NRC. See:

- White Paper on Risk-Informed and Performance-Based Regulation (Revised), SRM to SECY-98-144, March 1, 1999

- Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, May 2013

- Probabilistic Risk Assessment and Regulatory Decisionmaking: Some Frequently Asked Questions, NUREG-2201, September 2016 7

OpE and RIDM OpE: Input to Risk Assessment Operational Experience

(> statistics)

Adapted from NUREG-2150 Other Considerations

Current regulations

Safety margins

Defense-in-depth

Monitoring Quantitative Qualitative 8

OpE and RIDM Mixed Impact of Accidents and Incidents on PRA Technology* Development and Application TMI 2 Error of Commission Fukushima Daiichi 1-3 Combined Hazards Chernobyl 4 Portable Equipment Shutdown Risk Multi-Unit Risk Browns Ferry 1 & 2 Blayais 1 & 2 Fire PRA External Flooding 1950 1960 1970 1980 1990 2000 2010 2020 9 *Technology = methods, models, tools, data

OpE Narrative Mining Mining OpE Narratives for PRA Technology Challenges/Opportunities

Incident databases LER = Licensee Event Report

- Many public (e.g., LERs, ETH) and non-public (e.g., IAEA IRS, INPO ETH = Eidgenssische Technische Hochschule ICES) sources IRS = Incident Reporting System ICES = INPO Consolidated Event System

- Varying purposes (affecting fields, entry criteria), degrees of coverage Selected Reports on Fukushima:

- All contain narratives (unstructured text) Cumulative Pages

OpE narratives 12000 10000

- Content: subjective but potentially rich; can stimulate AND temper 8000 imagination (possible mechanisms and scenarios) Pages 6000

- Volume: ranges from terse (passing mentions) to overwhelming 4000 2000

- Past mining activity: PRA-oriented review of 30 fire events* 0

Key fire PRA topics: multiple fires, control room abandonment, non-03/11/2011 03/10/2012 03/10/2013 03/11/2014 03/11/2015 03/11/2016 03/11/2017 03/11/2018 proceduralized actions

Insights: occurrences, circumstances (context)

Date

S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained from Fire Incidents, 10 NUREG/CR-6738, September 2001.

OpE Narrative Mining PRA goes beyond possibility; context provides rationale OPERATOR TERMINATES Possible ISOLATION CONDENSER OPERATION but ISO-XHE-EOC-TERM plausible?

11

OpE Narrative Mining Further Exploration: Post-Fukushima Mining Exercises

General Objectives Note: NPP PRAs identify

- Develop insights (observed mechanisms, scenarios) to millions of possibilities, virtually support PRA technology development all of which will not happen.

- Support staff learning (familiarization with events, PRA The occurrence or non-occurrence of a scenario does approaches) not prove that the PRA model is

- Support future activities (e.g., smart tool development) right or wrong.

Case Studies

- Great East Japan Earthquake and Tsunami (2013, 2016)

- Selected storm and flood events (2018) Last two case studies

- Selected seismic events (2019-2020)

Summary results 12

OpE Narrative Mining Text Mining Cautions The big issue was the hydrogen bubble...

Be aware of 20-20 hindsight, a.k.a.

- MMQB (Monday Morning Quarterbacking)

- I knew it all along syndrome as a barrier to learning Wasnt there

Factual information is often uncertain, limitations can a major persist later records human error?

- Simplifications

- Inconsistencies

- Factual errors

Post-event judgments are subject to normal human biases

- Confirmation bias

- Underestimation/undervaluation of uncertainty

Reviews

- Often reflect technical discipline perspectives

- Often used to assess blame rather than identify opportunities for improvement 13

OpE Narrative Mining Case Study 1: Fukushima CASE STUDY 1: GREAT EAST JAPAN EARTHQUAKE AND TSUNAMI (3/11/2011) 14

OpE Narrative Mining Case Study 1: Fukushima Objectives, Scope, and Approach

Performed in 2013 and updated in 2016 to support ongoing activities (Level 3 PRA project, R&D planning, international discussions) - NOT MMQB/fault finding

All affected plants (i.e., not just Fukushima Daiichi)

Limited to lessons directly linked to accidents (i.e., not logical extensions)

Chronological and PRA-topic review of events

Multiple sources for accident progression and conditions

- Official reports

Government of Japan, National Diet of Japan, TEPCO

U.S. organizations (National Research Council, INPO, EPRI, ANS)

International organizations (e.g., IAEA, WHO, UNSCEAR)

- Other papers and briefings

Findings categorized as reminders or challenges, structured by PRA general topics list; specific topics explored in greater detail N. Siu, D. Marksberry, S. Cooper, K. Coyne, and M. Stutzke, PSA technology challenges revealed by the Great East Japan Earthquake, Proceedings of PSAM Topical Conference in Light of the Fukushima Dai-Ichi Accident, Tokyo, Japan, April 15-17, 2013. (Paper: ML13038A203, Presentation: ML13099A347) 15 N. Siu, K. Compton, S. Cooper, K. Coyne, F. Ferrante, D. Helton, D. Marksberry, and J. Xing, PSA technology reminders and challenges revealed by the Great East Japan Earthquake: 2016 update, Proceedings of 13th International Conference on Probabilistic Safety Assessment and Management (PSAM 13), Seoul, Korea, October 2-7, 2016. (Paper: ML16245A871, Presentation: ML16270A522)

OpE Narrative Mining Case Study 1: Fukushima Technical Topic Technical Topic Reactors Level 1 internal events at power Special Topics Human reliability analysis Level 2 Ageing Level 3 Passive components Low power and shutdown (LPSD) Passive systems Operational data Digital systems Common Cause Failure PRA Event analysis Generic safety issues (GSI) Integrated site risk (including multi-unit events, SFP)

Design and construction Performance indicators and thresholds Topics Internal hazards (e.g., fire, flood, heavy load drop)

New reactors (evolutionary)

External hazards (e.g., seismic, flood, wind)

Advanced reactors Security-related events, safety-security interface List Research and test reactors Emergency preparedness and response Non- Geologic repositories PRA tools General Reactor High-level waste (HLW) Systems Uncertainty and sensitivity analysis methods and tools Facilities Low-level waste/decommissioning Analysis Advanced computational methods and Fuel cycle facilities Methods and Advanced modeling methods (e.g., simulation)

Activities Tools Transportation Elicitation methods Sources Implementation PRA quality (e.g., guidance, standards) and Application Risk-informed regulation infrastructure Risk-informed regulation applications Risk perception and communication 16

OpE Narrative Mining Case Study 1: Fukushima Findings (example)

Topic/Area Challenges [C] and Reminders [R]

Reactors

1) Extending the PSA scope to address: a) multiple units and sites, b) post-accident shutdown risk, and c) on- and off-site emergency response organizations [C]

2) Treatment of the feedback from offsite consequences to plant decision making [C]

Level 1/2/3 PRA

3) Improving realism of accident progression modeling [C]

4) Addressing long-duration scenarios, including availability of supplemental offsite resources (e.g., fuel oil, water, equipment) [C]

5) Characterizing uncertainty in phenomenological codes [C]

Low Power and 1) Treatment of post-accident shutdown risk [R]

Shutdown 2) Treatment of shutdown risk associated with a pre-emptively shutdown plant [R]

1) Ensuring appropriate use of Fukushima data (and worldwide events) in high-level estimates of CDF [R].

2) Ensuring adequate basis for excluding operational data, especially for rare or infrequent occurrences [R]

Operational Data

3) Ensuring adequate reliability data for temporary mitigating equipment and systems [C]

4) Ensuring adequate reliability data for containment penetration integrity [R]

Event Analysis 1) Performing real-time on-the-fly event risk analysis for incident response and early investigations [C]

1) Identification and treatment of errors of commission, including intentional disabling of passive safety systems [C]

2) Treatment of operator performance when digital systems are lost [C]

New Reactors

3) Addressing staffing requirements (possibly including offsite personnel) when responding to accidents [R]

4) Addressing reliability of passive components (e.g., rupture disks) [R]

17

OpE Narrative Mining Case Study 1: Fukushima Highlighted Topics (2013)

Topic Issues Multiple units/sources, systems not normally analyzed (e.g., security systems), off-PRA scope site organizations, post-accident risk Feedback from Level 3 to Level 1/Level 2 (e.g., venting delays due to delayed Feedback loops evacuation), multi-unit/source interactions Intentional conservatisms skewing risk results and insights, masking important Game over modeling scenarios, de-valuing mitigative activities Offsite resources, additional warnings and shocks, toll on operators, definition of Long duration scenarios safe and stable state Beyond design basis events, multiple correlated hazards, multiple shocks, finite External hazards analysis duration of elevated hazard, multiple damage mechanisms Errors of commission, technical support center and external decision making, ex-Human reliability analysis (HRA) control room actions, new/re-defined performance influencing factors, support of creative HRA methods applications Uncertainty in phenomenological Varying views and treatments of uncertainty (e.g., sensitivity cases, ensemble codes modeling, probabilistic/non-probabilistic methods) across technical disciplines Screening of beyond design basis hazards, biases (e.g., focusing on extreme Searching vs. screening events), systematic methods to search for failures 18

OpE Narrative Mining Case Study 1: Fukushima Highlighted Topics (2016)

Topic Issues Using PRA to ensure defense-in-depth (DID), dealing with full hazard External Hazards spectrum, treating correlated hazards Human Performance and Human Decision making under severe accident conditions, ex-control room Reliability actions, teamwork Long-duration scenarios, equipment survivability and I&C system-related Level 2 PRA impacts, environmental conditions and habitability Effect of offsite hazard on response, intentional venting, onsite Level 3 PRA contractors, aqueous pathway, training and resources, assessment endpoints 19

OpE Narrative Mining Case Study 1: Fukushima SOME DETAILS 20

OpE Narrative Mining Case Study 1: Fukushima PRA Scope (1/2)

Dimension Typical U.S. (c. 2011) Observations (3/11/2011)

Space - Single unit (reactor) - Multiple reactors, SFP; multiple sites

- Frontline mitigating systems + support - Additional systems (e.g., security access)

Time - At power operation - Shutdown operations (incl. testing)

- Accident - Post-accident susceptibility Organization - Onsite staff - Offsite involvement (directions, requests for information)

Improve Damage posture control Permanently restore site Reduce vulnerabilities, plan, Stabilize Identify and promulgate Reduce vulnerabilities, plan, prepare for effective response site lessons prepare for effective response Warning Event time Preparedness Response Recovery Reconstitution Preparedness

+ Analysis 21

OpE Narrative Mining Case Study 1: Fukushima PRA Scope (2/2): Multiple Sites March 11, 2011 August 14, 2003 22

OpE Narrative Mining Case Study 1: Fukushima Feedback Loops (1/1)

Onsite actions Containment venting inhibited by radiation, delayed until local explosion effects evacuation confirmed General Analysis Flow Analysis Refinements 23

OpE Narrative Mining Case Study 1: Fukushima Game Over Modeling (1/4)

Plant Level: Loss of AC and DC Core

- Conventional PRA analysis: core Plant Damage Onset (hr) damage (if AC power is not Peach Bottom (NUREG/CR-7110)* 1.0 recovered) Fukushima Daiichi Unit 1 19

- Deterministic analysis: rapid Fukushima Daiichi Unit 2 89 onset of fuel damage Fukushima Daiichi Unit 3 52

Unmitigated short-term station blackout (STSBO). See N. Bixler, et al.,

System Level: Loss of DC State-of-the-Art Reactor Consequence Analyses Project Volume 1:

Peach Bottom Integrated Analysis, NUREG/CR-7110, Rev. 1, 2013.

- Isolation condenser, RCIC, and HPCI fail (unable to control)**

- DC power is used to operate a number of control valves. Uncontrolled RCIC and/or HPCI could lead to RPV overfill, water in the RCIC/HPCI steam line, and 24 potential failure of the RCIC/HPCI turbine(s). During the accident, operators bypassed some flow through a mini-flow test line (which returns water to the Condensate Storage Tank) to reduce the possibility of RPV overfill.

OpE Narrative Mining Case Study 1: Fukushima Game Over Modeling (2/4): Loss of DC 25

OpE Narrative Mining Case Study 1: Fukushima Game Over Modeling (3/4): RIDM Implications Fire

Useful simplification for applications focused on Internal Events total results Internal Flooding Seismic

Concerns High Winds External Flooding

- Potential overemphasis on scenarios that are actually not as important as others (masking effect) ?

Training resources

Establishing expectations (bias) Fire

- Strong constraints on mitigation actions considered Internal Events Internal Flooding as viable, worth emphasizing (e.g., through Seismic procedures and training) High Winds

- Loss of PRA model credibility to key stakeholders External Flooding 26

OpE Narrative Mining Case Study 1: Fukushima Game Over Modeling (4/4): Other Notes

Assuming immediate failures is not necessarily conservative; in reality, lacking omniscience, operators might spend time trying to implement a non-feasible path

Other common game over modeling assumptions

- Lack of credit for recovery or repair

- Assumed loss of structure contents on failure of structure 27

OpE Narrative Mining Case Study 1: Fukushima Long Duration Scenarios (1/3): Fukushima Early Data from multiple sources, including:

1) International Atomic Energy Agency, The Fukushima Daiichi Accident: Report by the IAEA Director General, STI/PUB 1710, Vienna, Austria, 2015.

28 2) Government of Japan, Investigation Committee on the Accident at the Fukushima Nuclear Power Stations of Tokyo Electric Power Company, Interim Report.

December 26, 2011.

OpE Narrative Mining Case Study 1: Fukushima Long Duration Scenarios (2/3): Fukushima Late Data from multiple sources, including:

1) International Atomic Energy Agency, The Fukushima Daiichi Accident: Report by the IAEA Director General, STI/PUB 1710, Vienna, Austria, 2015.

29 2) Government of Japan, Investigation Committee on the Accident at the Fukushima Nuclear Power Stations of Tokyo Electric Power Company, Interim Report.

December 26, 2011.

OpE Narrative Mining Case Study 1: Fukushima Long Duration Scenarios (3/3): Modeling Challenges

Recovery and repair

- Human reliability analysis (HRA)

- Site and equipment conditions (debris, roads, tools, spares, housing, )

Non-binary behavior (e.g., intermittent and/or degraded performance)

Offsite

- Conditions (site access, demands on emergency services, )

- Organizational response Yuriage - Before and After 3/11 Tsunami 30

OpE Narrative Mining Case Study 1: Fukushima External Hazards Analysis (1/5)

3/11/2011: Seismically-induced loss of offsite power, tsunami-induced loss of all power and multiple severe accidents

Long-standing general approach, e.g.,

- Zion/Indian Point PRAs (1982)1

- PRA Procedures Guide (1983)2

Typical practice

- General emphasis on internal events, earthquakes, internal fires and floods

- Other external hazards (including external floods) sometimes dismissed (pre-3/11)

Typical results

- Important or even dominant contributor to risk

- Uncertainty driver: hazards analysis

1) B.J. Garrick, Lessons learned from 21 nuclear plant probabilistic risk assessments, Nuclear Technology, 84, No. 3, 319-339(1989)

2) American Nuclear Society and the Institute of Electrical and Electronics Engineers, PRA Procedures Guide, NUREG/CR-2300, 1983.

31

OpE Narrative Mining Case Study 1: Fukushima External Hazards Analysis (2/5): Past PRA Results An early study (c. 1980) NUREG-1150 (1990)

Note: Orders-of-magnitude uncertainties 32

OpE Narrative Mining Case Study 1: Fukushima External Hazards Analysis (3/5): Past PRA Results IPEEE vs IPE CDF External vs. Internal CDF (SAMA) 1.E-03 1.E-03 1.E-04 1.E-04 IPEEE CDF External 1.E-05 1.E-05 1.E-06 1.E-06 1.E-07 1.E-07 1.E-07 1.E-06 1.E-05 1.E-04 1.E-03 1.E-07 1.E-06 1.E-05 1.E-04 1.E-03 IPE CDF Internal Note: External includes internal fires 33

OpE Narrative Mining Case Study 1: Fukushima External Hazards Analysis (4/5): Classic PFHA Challenge Potomac River Floods (Little Falls): 1932-2019 1.00 Weibull CCDF Moderate Flood 0.80 Weibull pdf (scaled)

Major Flood Gumbel CCDF 0.60 Gumbel pdf (scaled)

P{X > x} Empirical CCDF 0.40 0.20 Beyond historical experience:

0.00 2 3 4 5 6 7 8 9 10 how to estimate Flood Height (m) for RIDM?

34

OpE Narrative Mining Case Study 1: Fukushima External Hazards Analysis (5/5): Challenges Treatment of consecutive events

Hazards analysis (and pre-conditioning)?

- Relevance of historical data

Natural trends

Man-made trends

- Need for knowledgeable experts

- Role of simulation

- Combination of hazards https://commons.wikimedia.org/wiki/File:Storms_Lothar_and_Martin_december_1999.png

- Technical cultures

What is the hazard (varying points of view) Role of stochastic simulation?

Buy-in for risk assessment (especially rare events)

Fragility analysis

- Full range of hazards (dynamic loads, clogging, )

Plant response analysis

- Human reliability analysis (HRA)

- Dynamics Hurricane tracks adapted from University of Wisconsin-Milwaukee (https://web.uwm.edu/hurricane-models/models/archive/)

Emergency response based on data from National Hurricane Center:

(https://www.nhc.noaa.gov/1992andrew.html) 35

OpE Narrative Mining Case Study 1: Fukushima HRA (1/3): Observations from 3/11

Error of commission (isolation of 1F1 Isolation Condenser)

Psychological impacts

External interventions in decision making

- Seawater injection

- Containment venting

Uncertainty in plant conditions

- Loss of instrumentation

- Loss of access

- Loss of communication systems => messengers (with associated delays for transit, reporting)

Evolving conditions (radiation, explosions, evacuating staff and contractors) affecting recovery actions 36

OpE Narrative Mining Case Study 1: Fukushima HRA (2/3): The Human Dimension

Decision maker frustrations Yoshida was asked if he opened up the accident management manual and used it

- Limitations of available accident management as a reference. He said he never referred to it or even opened it up.

guidance He explained how ineffective measures

- Offsite organizational interventions thought up by people beforehand can be.

Staff stressors Yoshida also explained that nuclear plants in Japan were designed with priority

- Progressive loss of situation awareness and control placed on internal factors leading to malfunctions. He went on to explain that

- Onsite conditions (aftershocks, tsunami warnings, no thought was given to malfunctions occurring simultaneously at a number of radiation, dark, debris, open manholes, ) plants due to external factors, such as

- ERC conditions (food, sleep, sanitation, ) tsunami, tornado, a plane crash or an act of terrorism.

- Offsite conditions - The Yoshida Testimony (2014)

The Yoshida Testimony: The Fukushima nuclear accident as told by plant manager Masao Yoshida, Asahi Shimbun, 2014.

37 (Available from: http://www.asahi.com/special/yoshida_report/en/)

OpE Narrative Mining Case Study 1: Fukushima HRA (3/3): Moving Forward

Other analysis concerns NRC, SPAR-H INL, SPAR-H

- Need for improved qualitative analysis (little stories)

Basis for analysis assumptions

Qualitative dimension of risk: what can go wrong

- Treatment of new situations

Ex-MCR (particularly portable equipment) Same method, different teams

Level 2

Event and conditions assessment NRI, CREAM NRI, DT+ASEP

- Collection and use of empirical data

Integrated Human Event Analysis System (IDHEAS)1

Scenario Authoring, Characterization, and Debriefing Application (SACADA)2 Same team, different methods

A RIDM concern: recognition and treatment of model A Bye, et al., International HRA Empirical Study, NUREG/IA-0216, 2011.

uncertainty - more benchmarks?

1. Y.J. Chang and J. Xing, The general methodology of an Integrated Human Event Analysis System (IDHEAS) for human reliability analysis method development, 13th International Conference on Probabilistic Safety Assessment and Management (PSAM 13), Seoul, Korea, October 2-7, 2016. (ML16298A411) 38 2. Y.J. Chang, et al., The SACADA database for human reliability and human performance, Reliability Engineering & System Safety, 125, 117-133 (2014).

OpE Narrative Mining Case Study 1: Fukushima Representation of Uncertainties (1/1)

Post-3/11 Fukushima Forensic study (SNL, ORNL):*

- Reconstructs accident progression at Units 1-3 and Unit 4 SFP

- Key challenge: accident data gaps and uncertainties

- Demonstrates that current tools (MELCOR, TRACE) and modeling approaches can reproduce general trends, with good quantitative agreement in portions of the results

Questions

- How to incorporate findings into a PRA? Into RIDM? Uncertainty Frameworks and

- How to represent and communicate analysis uncertainties? Typologies

Challenges

- Subject complexity

Subjective (Bayesian) vs.

- Multiple purposes Objective (frequentist)

- Personal and discipline viewpoints, sometimes strongly held

Aleatory/Epistemic

Parameter/Model/Completeness

Probabilistic vs. Non-Probabilistic

R. Gauntt, et al., Fukushima Daiichi Accident Stuy (Status as of April 2012), SAND2012-6173, Sandia National 39 Laboratories, July 2012.

OpE Narrative Mining Case Study 1: Fukushima Searching (1/3): Active Supplement?

Typical PRA approach for identifying external hazards:

systematically generate possibilities, then screen

Post-3/11 observations

- IPEEE guidance* allowed screening of external floods based on What would it take deterministic, design-basis considerations to fail all AC and DC?

- ASME/ANS PRA standard addenda (2009 and 2013) allowed similar screening

- The Blayais flood (1999) can be viewed as a non-seismically induced precursor to the Fukushima Daiichi reactor accidents

Active searches for hazards and hazard combinations (red teaming) might support efficient identification

- Logic-based approaches (e.g., Master Logic Diagram, Heat Balance Fault Tree, STAMP/STPA, )

- Functional classifications

- Operational experience

U.S. Nuclear Regulatory Commission, Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) 40 for Severe Accident Vulnerabilities, Final Report, NUREG-1407, 1991.

OpE Narrative Mining Case Study 1: Fukushima Searching (2/3): Example Deductive Approach Heat Balance Fault Tree 41

OpE Narrative Mining Case Study 1: Fukushima Searching (3/3):

External Hazards Scenario-Based Classification Example 42

OpE Narrative Mining Case Study 2: Storms and Floods CASE STUDY 2: SELECTED STORMS AND FLOODS 43

OpE Narrative Mining Case Study 2: Storms and Floods Objectives and Scope

2018 exploratory study1 building on previous Fukushima study and 2016 knowledge engineering tool scoping study2

Objectives

- Identify PRA technology3 insights

- Provide educational experience for RIDM support

- Identify lessons for intelligent search tool development

Scope

- Exploratory, qualitative study

- Limited number of NPP incidents (not conditions)

1. N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney, Qualitative PRA insights from operational events, Proceedings of 14th International Conference on Probabilistic Safety Assessment and Management (PSAM 14), Los Angeles, CA, September 16-21, 2018. (Paper: ML18135A109, Presentation: ML18249A340) 44 2. 3. N. Siu, K. Coyne, and F. Gonzalez, Knowledge Management and Knowledge Engineering at a Risk-Informed Regulatory Agency: Challenges and Suggestions, U.S. Nuclear Regulatory Commission, March 2017. (ML17089A538)

3. Technology = Methods, models, tools, data

OpE Narrative Mining Case Study 2: Storms and Floods Approach

General

- Team: varied PRA experience levels and areas of interest

- Informal event selection, considering

Safety challenge indications (e.g., INES level, CCDP, LOOP, LOUHS)

Information availability

Personal interest INES = IAEA International Nuclear and Radiological Event Scale

- Review structure CCDP = conditional core damage probability LER = Licensee Event Report

Chronological LOOP = loss of offsite power

Hazard, fragility, plant response LOUHS = loss of ultimate heat sink

Principal data sources

- Public (e.g., LERs, papers, technical reports)

- IAEA Incident Reporting System (proprietary) 45

OpE Narrative Mining Case Study 2: Storms and Floods Incidents Reviewed External Floods* Storms*

Hinkley Point, 1981

Turkey Point, 1992

Dresden, 1982

Maanshan, 2001

Blayais, 1999

Browns Ferry, 2011

Cruas, 2009

Pilgrim, 2013

St. Lucie 2014

LaSalle, 2013

Categories are not exclusive.

46

OpE Narrative Mining Case Study 2: Storms and Floods Observations: PRA Technology Confirmatory Less discussed

Multiple hazards

Multiple shocks

Asymmetrical multi-unit impacts

Scenario dynamics

Less-than-extreme hazards

Geographical extent and potential for

Hazard persistence multi-site impacts

Failure of mitigation SSCs

Failure of implicitly considered SSCs

Warning times and precautionary measures

HRA and emergency response complexities 47

OpE Narrative Mining Case Study 2: Storms and Floods Observations: Knowledge Management and Knowledge Engineering

Educational benefits

- Improved understanding of specific events and mechanisms

- Improved understanding of external hazards PRA modeling challenges

- Potential precursors to Fukushima Daiichi

Challenges for intelligent search tools

- Limitations with current event significance measures

- Limitations with analytics-based approaches

- Database concerns (e.g., errors, multiple sources, evolution over time, volatility)

- Need for multidisciplinary interpretation and analysis 48

OpE Narrative Mining Case Study 2: Storms and Floods SOME DETAILS 49

OpE Narrative Mining Case Study 2: Storms and Floods Example: Chronological Review Date/Time Event or Step Description August 17 Turkey Point staff began tracking Tropical Storm Andrew in the control room.

August 21 Plant staff began implementing the Emergency Plan Implementing Procedure (EPIP), including moving equipment inside, tying down equipment, and preparing for storm surge. Equipment was moved from the Unit 3 diesel fuel oil tank, which did not have missile protection.

August 23 An Unusual Event was declared due to hurricane warning issued by the National Hurricane Center.

1800 Units 3 began shutting down. Turkey Point operators estimated that it would take 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months to complete an orderly shutdown and wanted to stagger the shutdown on each unit by 2 hours2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months . There was concern over the main turbines and balance of plant supporting equipment being located on an open air deck (risking personnel if they needed to be outside). Unit 3 reached Mode 3 at 1940 and Mode 4 at 0213 on Aug 24th.

2000 Unit 4 began shutting down. Both units were kept in Mode 4, rather than Mode 5, to retain steam-driven auxiliary feedwater pumps as an option for removing decay heat. Unit 4 reached Mode 3 at 2245 and Mode 4 at 0405 on Aug. 24th.

August 24 Hurricane Andrew passed directly over Turkey Point, with sustained winds of 235 km/h and gusts of at least 280 0400 km/h. Spurious alarms received for the spent fuel pool low level and instrument air pressure low.

50

OpE Narrative Mining Case Study 2: Storms and Floods Example: PRA-Topic Oriented Review Category Sub-Category Summary Conditions Exceptionally strong storm; high tide, storm surge, wind-driven waves at site.

Dikes (5.7 m) insufficient height and inadequate shape, upgrade suggested by earlier Hazard Protection study not done. Also problems with detection and warning systems.

Onsite Impact Safe Shutdown SSCs Exposed Fragility Safe Shutdown SSCs Affected Barrier SSCs Affected Functions Lost Safe Shutdown Path Recovery Response Operator Actions Other Incident Management Offsite Impact Post-Event Changes (Plant)

Long-Term Post-Event Changes (Fleet) 51

OpE Narrative Mining Case Study 3: Earthquakes CASE STUDY 3: SELECTED EARTHQUAKES 52

OpE Narrative Mining Case Study 3: Earthquakes Objectives and Scope

2019-2020 exploratory study1 extending previous (2013, 2016, 2018) OpE studies

Objectives

- Identify PRA technology2 insights

- Provide educational experience for RIDM support

- Identify lessons for intelligent search tool development

Scope

- Exploratory, qualitative study

- Limited number of NPP incidents (not conditions)

1. N. Siu, J. Xing, N. Melly, F. Sock, and J. Pires, Qualitative PRA Insights from Seismic Events, Proceedings 25th Conference on Structural Mechanics in Reactor 53 2.

Technology (SMiRT-25), Charlotte, NC, August 4-9, 2019. (Paper: ML19162A422, Presentation: ML19210D835)

Technology = methods, models, tools, data

OpE Narrative Mining Case Study 3: Earthquakes Approach

Team: varied experience levels with seismic engineering and PRA; supplemented (human factors, fire) based on early results

Review considerations

- Chronology

- Hazard, fragility, plant response

Principal data sources

- Public (e.g., LERs, ETH Zürich event database, papers, event and seismic PRA guidance reports, industry websites)

- IAEA Incident Reporting System (IRS)

Proprietary

- INPO Consolidated Event System (ICES) 54

OpE Narrative Mining Case Study 3: Earthquakes Dataset Characterization

50 earthquake events* (1975-2019)

Vast majority are minor (little or no effect on plant operations)

Some prior to operation or during shutdown; might have triggered a transient

Minor events => little plant response information available

Most information from

- July 16, 2007 Niigataken Chuetsu-oki earthquake (Kashiwazaki-Kariwa)

- March 11, 2011 Great East Japan earthquake (Fukushima Daiichi, Fukushima Daiini, Onagawa, Tokai Daini, Higashidori)

- August 23, 2011 Mineral (VA) earthquake (North Anna)

Other notable events

- September 21, 1999 Chi Chi earthquake (Chinshan, Kuosheng, Maanshan)

- December 26, 2004 Sumatra-Andaman earthquake (Madras)

Foreshocks and aftershocks are not treated as separate events. Review also considered some earthquakes (not counted in the 50) that 55 did not affect NPPs but whose post-event reports included descriptions of damage to industrial facilities.

OpE Narrative Mining Case Study 3: Earthquakes Dataset Summary (50 Earthquakes, 1975-2019)*

Japan Outside Japan Earthquakes Earthquakes exceeding then-current OBE/SSE 3 7 Earthquakes with large aftershocks (Mw > 6)a 4 3 Earthquakes felt at multiple sites 7 9 Earthquakes causing at least one reactor tripb 8 3 Reactor Effects Seismically-induced reactor tripsc 24 9 Seismically-induced complicated transientsd 12e 6 aSomewhat arbitrary value chosen solely for illustrative purposes.

bExcludes events where trip signals were triggered but the reactor was already shutdown.

cIncludes trips due to seismically-induced tsunamis.

dInvolves a reactor trip and potentially significant additional failures (e.g., partial or complete LOOP).

eEleven of these transients occurred on March 11, 2011.

56 *Table (updated from paper) only characterizes study dataset.

OpE Narrative Mining Case Study 3: Earthquakes General Observations: PRA Technology

Reported peak ground accelerations (PGAs) << max values considered in recent PRAs

Other than offsite power, no direct damage to major mitigating systems due to ground motion; major effects due to induced hazards (fire, external flood)

Some reactor trips/safety system actuations for events with very low onsite PGAs

If one unit affected, typically all units onsite also affected

Some events affected multiple sites:

Impacts at Multiple Sites # Events

Reactivity effects:

Minimal response* or greater 10

- Flux-induced trips (Onagawa, 1993; North Anna, 2011)

Reactor trip 3

- Stuck control rod (Kashiwazaki-Kariwa, 2007)

Serious challenge 1

e.g., triggered alert 57

OpE Narrative Mining Case Study 3: Earthquakes Observations: Knowledge Management Educational benefits:

Improved understanding of specific events and mechanisms (including human and organizational factors)

Improved understanding of seismic PRA modeling challenges

Surprises, e.g.,

- Rarity of ground-motion induced damage, seismically-induced fires, and major safety impacts

- Potential for seismically-induced reactivity excursions

- Potential for seismically-induced HEAFs 58

OpE Narrative Mining Case Study 3: Earthquakes Observations: Knowledge Engineering Challenges for intelligent search tools

Lack of direct statements on key issues (e.g., human factors) => need to inference from indirect indications

Need to understand event chronology

Need to integrate information from disciplines outside the normal realm of seismic engineering (e.g.,

human factors, fire protection) => need for broad project corpus

For major accidents, need to cope with voluminous databases

Holy Grail - connecting the dots 59

OpE Narrative Mining Case Study 3: Earthquakes SOME DETAILS 60

OpE Narrative Mining Case Study 3: Earthquakes HRA Framework:

Integrated Human Event Analysis System (IDHEAS) 61

OpE Narrative Mining Case Study 3: Earthquakes Selected Observations: Human and Organizational Factors Macrocognitive Direct Effects (Seismic or Seismically-Induced Hazard)

Function Detection

Loss of I&C (including seismic event detection)

Spurious alarms

Degraded/dangerous site conditions Understanding

Likely minor effects for most events

Fukushima Daiichi o Reduced situational awareness (lack of information) o Effects of mismatched expectations, extreme stress?

Decision Making

Anticipation of future events (e.g., tsunami following EQ)

Action

Onsite and offsite damage, debris, and other impediments

Disruption due to follow-on alerts and aftershocks Teamwork

Off-site center initially non-functional (seismic damage, loss of power, degraded telecommunications, staffing)

Non-nuclear disaster management needs

Disaster scale => involvement of multiple organizations 62

OpE Narrative Mining Case Study 3: Earthquakes Fire PRA and Fire/Seismic Interactions Fire Protection Fire Rapid Detection Safe Defense-In-Depth Prevention and Suppression Shutdown Fire Equipment Plant Fire PRA Frequency Damage Response Analysis Analysis Analysis Fire/Seismic Interactions (NUREG/CR-5088, 1989)

Fire spread from non-Cat I SSCs

Cable pulling

Suppression system failures

Flammable liquid spills

Spurious suppression activation

Flammable gas releases

Degradation of fire recognition and fire fighting 63

OpE Narrative Mining Case Study 3: Earthquakes Selected Observations: Seismic/Fire Interactions Fire PRA Element Interaction Frequency Analysis

Seismically-induced high energy arc fault (HEAF) due to differential ground subsidence (Kashiwazaki-Kariwa)

Seismically-induced HEAF due to shaking (Onagawa)

No other reported seismically-induced fires at NPPs Equipment Damage

Failed transformer bushing leaked oil Analysis

HEAF-induced fire affected entire switchgear cabinet

Suspended dust => spurious fire detection alarms (operators expected)

Dense smoke from HEAF hindered detection of fire location, subsequent fire-fighting

Fire fighting affected by broken underground fire lines

Coordination with offsite fire department hindered by road damage, possibly also by offsite needs Plant Response

No major shutdown complications due to seismic/fire interactions Analysis 64

OpE Narrative Mining Case Study 3: Earthquakes Commentary: Seismic/Fire Interactions No major nuclear safety impacts observed but

HEAFs can be safety-significant (2-hour station blackout, Maanshan, 2001)

Review of 24 U.S. HEAF events (all non-seismic):

- Some root causes might be triggered or exacerbated by EQ

Loose or degraded connections

Foreign material

- Root causes might not be readily identifiable by non-targeted seismic walkdown

- HEAF-targeted preventative maintenance activities would likely be effective 65

OpE Narrative Mining Case Study 3: Earthquakes Reactivity Effects

Neutron flux related trips

- Onagawa 1 (11/27/1993)

Mw 5.8

PGA 0.12 g (reactor trip setting 0.20 g)

- North Anna 1 and 2 (8/23/2011)

Mw 5.8

PGA 0.26 g (DBE 0.18 g soil, 0.12 g rock)

Cumulative Absolute Velocity (CAV)* marginally exceeded in one direction

Momentary loss of power to Seismic Monitoring Instrumentation Panel; geometry changes cause under-moderation and oscillatory (but overall decreasing) flux profiles

Kashiwazaki-Kariwa 7 (2007): Post-event inspection identified stuck control rod (inserted, could not be withdrawn)

Potential for reactivity effects may not be widely appreciated in PRA community

A ground motion intensity measure indicative of structure damage. Argued to be a 66 better indicator than PGA.

OpE Narrative Mining Case Study Summary Results CASE STUDIES

SUMMARY

RESULTS 67

OpE Narrative Mining Case Study Summary Results Insights Relevant to PRA Technology Case studies :

Strengthened basis for many previously recognized messages (e.g., potential importance of external hazards, errors of commission)

Identified instances where (depending on the decision problem) PRA scope might need to be extended (e.g., multi-site events, long-duration events)

Identified mechanisms/scenarios needing multidisciplinary attention (e.g., multiple shocks, induced hazards, scenario dynamics)

Identified phenomena potentially warranting PRA community attention (seismically-induced reactivity excursions, seismically-induced HEAFs*)

Identified previously unrecognized/underpublicized precursors to Fukushima (Hinkley Point, Turkey Point, Blayais)

Identified potential need for supplementary measures/means to highlight incidents (boost the signal) for PRA community attention

The possibility of a seismically-induced HEAF has been recognized due to the 2007 Kashiwazaki-Kariwa (station transformer) and the 2011 Onagawa (non-safety switchgear) events. The insights are: a) generating mechanisms for observed non-seismically induced HEAFS 68 might be activated by a seismic event, and consequentially b) seismically-induced HEAFs might be risk significant (based on the impact of the Maanshan 2001 non-seismic HEAF).

OpE Narrative Mining Case Study Summary Results Knowledge Management and Knowledge Engineering Tool Insights Connect the dots

Knowledge Management

- Useful learning experience for all participants

- Demonstrated value of multidisciplinary perspectives

- Would have benefitted from increased team interactions

Knowledge Engineering Tools Where does it say ?

12000

- Still need deep subject matter expert (SME) expertise to 10000 connect the dots, develop insights (not yet just analytics) 8000 Pages 6000

- Tools need to deal with enormous, heterogeneous database 4000

- With human-in-the-loop implementation, could use improved 2000 tools for screening documents, prioritizing remainder for 0 further examination 03/11/2011 03/10/2012 03/10/2013 03/11/2014 03/11/2015 03/11/2016 03/11/2017 03/11/2018 Date 69

Closing Remarks CLOSING REMARKS 70

Closing Remarks Reminder 1: Accidents are a real possibility Windscale 1 TMI 2 Fukushima Daiichi 1-3 Graphite Pile, UK PWR, US BWRs, Japan Graphite Fire Loss of Feedwater EQ + Tsunami, Loss of Power Fermi 1 Chernobyl 4 LMR, US RBMK, Ukraine Flow Blockage Reactivity Accident

[Before TMI] core damage was never never land Leningrad 1 RBMK, Russia Reactivity Accident

- R. Bari*

St. Laurent 1 Bohunice A-1 Paks 2 GCR, France HWGCR, Slovak Republic VVER, Hungary Fuel Misload Fuel Loading Accidents Spent Fuel Pool Accident 1950 1960 1970 1980 1990 2000 2010 2020

Plenary Panel: Perspectives on Nuclear Safety Since the Three Mile Island Event, ANS Intl Mtg Probabilistic Safety Assessment (PSA 2019), Charleston, SC, 2019.

71

Closing Remarks Reminder 2: It can be a really bad day The NPS ERC [Emergency Response Center] received reports that the nuclear reactors were successively losing their power supplies and Units 1, 2 and 4 in particular had lost all of their power sources. Everyone at the NPS ERC was lost for words at the ongoing unpredicted and devastated state.

- Investigation Committee Interim Report1 we never had enough time, so the pump--the fire engine--ran out of fuel, and it could no longer pump water in when it was time to do so when reactor pressure had fallen. That gave us another letdown, and we talked about sending (workers) to pump in (water). That was when I thought we were coming to the end.

- M. Yoshida, The Yoshida Testimony2

1. Government of Japan, Interim Report (Main Text), Government of Japan Investigation Committee on the Accident at Fukushima Nuclear Power Stations of Tokyo Electric Power Company), Tokyo, Japan, 2011.

72 2. The Yoshida Testimony: The Fukushima nuclear accident as told by plant manager Masao Yoshida, Asahi Shimbun, 2014. (Available from:

http://www.asahi.com/special/yoshida_report/en/)

Closing Remarks Reminder 3: Accidents [often] have precursors Hinkley Point Blayais Fukushima Unpublicized a French problem Madras Unpublicized Leningrad Chernobyl Unconfirmed until 1990 TMI Rancho Seco TMI similarity recognized 1980*

1950 1960 1970 1980 1990 2000 2010 2020

a two-year old incident that could easily have resulted in an outcome as serious as that of the accident at Three 73 Mile Island. [R.M. Bernero and F.H. Rowsome, Single Failure Potentially Leading to Core Damage, memorandum to H.R. Denton and C. Michelson, U.S. Nuclear Regulatory Commission, March 14, 1980. (ML19323J370)]

Closing Remarks Reminder 4: Annual individual reactor accident probabilities are small but risk cumulates over the fleet and probability increases over time Anyone submitting a PRA for use in the LWR regulatory process should feel that his long-term technical reputation is on the line.

- D. Okrent (1981) 100 Reactors 74

Closing Remarks Reminder 5: Increasing Realism / Reducing Conservatism

Known gaps* in broad scenario categories Rationale Common Example(s)

Out of scope security/sabotage, operation outside approved limits Low significance (pre-analysis judgment) external floods (many plants pre-Fukushima)

Appropriate PRA technology unavailable management and organizational factors PRA not appropriate software, security

Known gaps in treatment of contributors within categories Category Example(s)

External hazards multiple coincident or sequential hazards Human reliability errors of commission, non-proceduralized recovery Passive systems thermal-hydraulic reliability

Terminology of Guidance on the Treatment of Uncertainties Associated with PRAs in Risk-Informed Decision Making, NUREG-1855 Rev. 1, March 2017; 75 a.k.a. known unknowns

Closing Remarks Reminder 6: All models are wrong, but some are useful*

When empirical integral data are sparse or even mod*el, n. a representation of reality created with a non-existent, first principles models are specific objective in mind.

particularly valuable.** A. Mosleh, N. Siu, C. Smidts, and C. Lui, Model Uncertainty: Its Characterization and Quantification, Center for Reliability Engineering, University of Maryland, College Park, MD, 1995. (Also NUREG/CP-

Besides V&V, PRA/RIDM challenges include: 0138, 1994)

- Avoiding overly narrow focus on specific phenomena Will somebody find me a one-(technical discipline influence) handed scientist?!

- Addressing multi-phenomena mechanisms/scenarios - Senator Edmund Muskie (Concorde hearings, 1976) observed in real events (examples) I. Flatow, Truth, Deception, and the Myth of the One-

- Effective communication with stakeholders, Handed Scientist, October 18, 2012. Available from:

https://thehumanist.com/magazine/november-considering model limitations and uncertainties december-2012/features/truth-deception-and-the-myth-of-the-one-handed-scientist

G.E.P. Box and N.R. Draper, Empirical Model-Building and Response Surfaces, John Wiley and Sons, 1987.

76 **Of course, the direct use of empirical data also involves a degree of modeling.

ADDITIONAL SLIDES 77

Additional Slides Recent Trends RECENT RIDM TRENDS 78

Additional Slides Recent Trends Organizational Climate: Transformation Applying the Principles of Good Regulation as a Risk-Informed Regulator, October 15, 2019 (ML19260E683)

Evolving situation (market forces, new technologies, new professionals)

Vision: make safe use of nuclear technology possible

Continuing standard: reasonable assurance of adequate protection

Potentially different ways of achievement - embrace change 79

Additional Slides Recent Trends Worldwide Nuclear Power Growth Under Construction Active Reactors Installed Capacity Realized Capacity 1950 1960 1970 1980 1990 2000 2010 2020 Adapted from: https://upload.wikimedia.org/wikipedia/commons/thumb/5/59/Worldwide_nuclear_power_history.svg/2000px-Worldwide_nuclear_power_history.svg.png 80

Additional Slides Recent Trends Trend: Increasing Emphasis on RIDM In any licensing review or other regulatory decision, the staff should apply risk-informed principles when strict, prescriptive application of deterministic criteria such as the single failure criterion is unnecessary to provide for reasonable assurance of adequate protection of public health and safety.

Staff Requirements - SECY-19-0036 - Application of the Single Failure Criterion to NuScale Power LLCs Inadvertent Actuation Block Valves, SRM-SECY-19-0036, July 2, 2019.

81

Additional Slides Recent Trends Trend: Increasing Emphasis on Quantitative Risk Information "Risk-Informed Performance-Based Technology-Inclusive Guidance for Non-Light Water Reactors," NEI 18-04, Rev. 1, August 29, 2019.

82

Additional Slides Recent Trends Trend: Advancing Technology Adapted from:

Photo courtesy of NEA Halden Reactor Project 1) https://str.llnl.gov/str/March02/March50th.html

2) https://en.wikipedia.org/wiki/History_of_supercomputing#/media/File:Supercomputers-history.svg

3) https://www.top500.org/news/japan-captures-top500-crown-arm-powered-supercomputer/

New (even novel):

Designs Improving analysis capabilities:

Technologies

Computational resources

Operational Concepts

Smart technologies (e.g., content analytics) 83

Additional Slides Recent Trends Trend:

Changing Staff Source: https://www.nrc.gov/reading-rm/doc-collections/commission/slides/2019/20190618/staff

-20190618.pdf 84

Additional Slides Recent Trends For every action Thats too complicated [for PRA].

PRA was never meant to model that.

The uncertainties are too large [to use PRA].

Anybody can do PRA.

I get nightmares every time I think of that [PRA] course.

PRA is for my PhDs.

We dont want you [PRA] guys to be gatekeepers.

[Sweeping motion] Risk it away, risk it away.

85

Additional Slides Uses of Risk Information REGULATORY USES OF RISK INFORMATION:

SOME EXAMPLES 86

Additional Slides Uses of Risk Information NRC Uses of Risk Information PRA Policy Statement (1995)

Increase use of PRA technology in all regulatory matters Regulations and Guidance - Consistent with PRA state-of-the-art

- Complement deterministic approach, support defense-in-depth philosophy Licensing

Benefits:

Operational Decision Experience Support and (1) Considers broader set of potential challenges Certification (2) Helps prioritize challenges (3) Considers broader set of defenses U.S. Nuclear Regulatory Commission, Use of Probabilistic Oversight Risk Assessment Methods in Nuclear Activities; Final Policy Statement, Federal Register, 60, p. 42622 (60 FR 42622), August 16, 1995.

87

Additional Slides Uses of Risk Information Risk Info Uses - Regulations Example (Risk-Informed Fire Protection)

Browns Ferry Nuclear Power Plant fire (3/22/75) Adapted from NUREG-0050

Candle ignited foam penetration seal, initiated cable tray fire; water suppression delayed; complicated shutdown 11.5m 8.5m

Second-most challenging event in U.S.

nuclear power plant operating history TVA File Photo

Spurred changes in requirements and analysis 3m 88

Additional Slides Uses of Risk Information Risk Info Uses - Regulations Example (Risk-Informed Fire Protection)

Post-Browns Ferry deterministic fire protection (10 CFR Part 50, Appendix R) hour fire barrier, OR

- 20 feet separation with detectors and auto suppression, OR hour fire barrier with detectors and auto suppression

Risk-informed, performance-based fire protection (10 CFR 50.48(c), NFPA 805)

- Voluntary alternative to Appendix R

- Deterministic and performance-based elements

- Changes can be made without prior approval; risk must be acceptable

- More than 1/3 U.S. fleet has completed transition

Methods adopted by international organizations From Cline, D.D., et al., Investigation of Twenty-Foot Separation Distance as a Fire Protection Method as Specified in 10 CFR 50, Appendix R, NUREG/CR-3192, 1983.

89

Additional Slides Uses of Risk Information Risk Info Uses - Licensing Example (Changes in plant licensing basis - RG 1.174)

Voluntary changes: licensee requests, NRC reviews

Small risk increases may be acceptable

Change requests may be combined

Decisions are risk-informed 90

Additional Slides Uses of Risk Information Risk Info Uses - Oversight Example (Reactor Oversight Program)

Inspection planning CDF < 1E-6 LERF < 1E-7

Determining significance of findings

- Characterize performance deficiency 1E-6 < CDF < 1E-5 1E-7 < LERF < 1E-6

- Use review panel (if required)

- Obtain licensee perspective 1E-5 < CDF < 1E-4

- Finalize 1E-6 < LERF < 1E-5

Performance indicators CDF > 1E-4 LERF > 1E-5 91

Additional Slides Uses of Risk Information Risk Info Uses - OpE Example (Accident Sequence Precursor Program) 2 (0.1 to 0.99)

Program recommended by WASH-1400 12 (10-2 to 0.1) review group (1978) 43 significant precursor (10-3 to 10-2)

Provides risk-informed view of nuclear 188 plant operating experience (10-4 to 10-3) 272

- Conditional core damage probability (events) (10-5 to 10-4) 402 precursor

- Increase in core damage probability (10-6 to 10-5)

(conditions) 74,666 Total LERs Reviewed Through 2019

Supported by plant-specific Standardized Licensee Event Reports 1969-2019 (No significant precursors since 2002; one under review)

Plant Analysis Risk models 92

Additional Slides Uses of Risk Information Risk Info Uses - Decision Support Example Decision (Research) re*search, n. diligent and systematic inquiry or investigation in order to discover or revise facts, theories, applications, etc.

Specific Analyses Typical products (regulatory research)

Ways to look at and/or approach problems (e.g.,

Methods, Models, frameworks, methodologies)

Tools, Databases, R&D

Points of comparison (e.g., reference Standards, calculations, experimental results)

Guidance,

Job aids (e.g., computational tools, databases, standards, guidance: best practices, procedures)

Problem-specific information (e.g., results, Foundational Knowledge insights, uncertainties)

Side benefits

Education/training of workforce Regulatory Decision Support

Networking with technical community 93

Additional Slides Uses of Risk Information Risk Info Uses - Decision Support Example (Research: Frameworks/Methodologies)

NRC-sponsored Fire PRA Technology Neutral R&D (universities) Framework

Started after Browns

Explored use of risk Ferry fire (1975) metrics to identify

Developed fire PRA licensing basis events approach first used in

Inspiration and part industry Zion and basis for current Indian Point PRAs Licensing (early 80s), same basic Modernization approach today Program

Started path leading to risk-informed fire protection (NFPA 805) 94

Additional Slides Uses of Risk Information Risk Info Uses - Decision Support Example (Research: Reference Points)

NUREG-1150 SOARCA

Continuing point of

Detailed analysis of comparison for potential severe Level 1, 2, 3 results accidents and offsite

Expectations consequences (ballpark)

Updated insights on

Basis for regulatory margins to QHOs Peach Bottom analysis (backfitting, generic issue resolution)

NUREG-1150 (Surry)

Surry Sequoyah 95

Additional Slides Uses of Risk Information Risk Info Uses - Decision Support Example (Research: Methods/Models/Tools)

SPAR IDHEAS-G

Independent plant-

Improved support for specific models qualitative analysis (generic data)

Explicit ties with cognitive

All-hazards (many) science (models, data)

Support SDP, MD 8.3,

General framework for ASP, GSI, SSC studies developing focused

Adaptable for specific applications (e.g., IDHEAS-circumstances ECA)

SAPHIRE

Benefits from NPP simulator studies

General purpose

Consistent with current model-building tool HRA good practices

Multiple user guidance (NUREG-1792) interfaces From https://en.wikipedia.org/wiki/SAPHIRE 96

Additional Slides Accidents and Incidents POWER AND PRODUCTION REACTOR ACCIDENTS, INCIDENTS, AND OTHER INTERESTING EVENTS (1950-2020) 97

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (1 of 6)

Year Plant Scenario Notes 1957 Windscale 1 Fire Graphite fire in core, release to environment. Local fire started during annealing operation aimed at releasing (graphite pile, UK) Wigner energy. Operators unable to control, terrified about entire pile ignition. Workers used steel rods to manually push out fuel elements and graphite blocks from burning channels. Offsite contamination prompted interdiction of milk from local farms.1 1966 Fermi 1 Flow Flow blockage, local fuel melting. Segments of zirconium sheets (installed late in construction as a safety barrier)

(LMFBR, US) Blockage tore loose during power ascension, blocked coolant flow. Two fuel assemblies melted. Radiation alarms, reactor manually scrammed. 2,3,4,5 1969 St. Laurent 1 Refueling Refueling error restricted coolant flow, local fuel melting. During refueling, operator overrode automatic control (GCR, France) Error to stop, loaded a flow restrictor instead of fuel. Radiation alarms, automatic scram. About 50 kg fuel melted.2 1971 La Crosse Loss of Feedwater control problems, core uncovery. Hydraulic malfunction caused main steam bypass valve closure, (BWR, US) Feedwater rapidly rising pressure. After manual scram, valve opened and closed erratically. Feedwater shut down intermittently, (LOFW) reactor level dropped 0.69 m (27 inches) below top of core. No indications of fuel damage.2 1975 Greifswald 1 Fire Power cable fire, LOFW, pressurizer safety valves fail to re-seat. Operator actions (some involving trial-and-error (VVER, East problem solving) caused both a loss of offsite power (LOOP) and fire, and later to loss of power and instrumentation Germany) in the main control room. Heavy smoke prevented venting of leaking hydrogen, leading to operator concerns regarding explosion. Bleed and feed cooling through failed-open pressurizer safety valves. 6,7,8,9 1975 Leningrad 1 Reactivity Reactivity excursion, local fuel damage. Most sources agree there was an accident with limited fuel melting.10,11 (RBMK, Soviet Excursion IAEA report suggests RBMK design deficiencies, identifies accident as a precursor to Chernobyl.12 Anonymous Union) Internet source indicates accident occurred during startup, was initiated by control system problems, and was enabled by operator errors.13 98

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (2 of 6)

Year Plant Scenario Notes 1976 Bohunice A-1 Refueling Fresh fuel assembly ejected into reactor hall. During refueling, CO2 primary coolant escaped through a loose (HWGCR, Slovak Error connection (which was indicated as closed). Fuel assembly and other debris ejected. One operator injured by debris, Republic) two field workers suffocated by CO2. Operator actions in hazardous environment closed leak.14 1977 Gundremmingen A LOOP, Partial LOOP, subsequent LOCA with internal flooding. Operator errors during rapid shutdown followed loss of (VVER, East LOCA two power lines. Reactor Coolant System (RCS) overfill led to relief valves opening, three meters of radioactive Germany) coolant water in reactor building. Water and gases later released from the building into the environment. Reactor decommissioned due to accident.15 1978 Beloyarsk 2 Fire Turbine Building fire spreads into Main Control Room (MCR), collapses Turbine Building roof. Burning lube (RBMK, Soviet oil spread into a cable shaft and the Control Building (and MCR) via open penetrations. Turbine Building roof Union) collapsed. Secondary fire from oil-filled transformer. Fire fighting hampered by heavy smoke, bitter cold (-47ºC),

multiple changes in command.6 1978 Rancho Seco LOFW Loss of Non-Nuclear Instrumentation, loss of all feedwater, steam generators (SG) boil dry. During (PWR, US) maintenance, worker drops light bulb into cabinet, causing short circuits, erroneous signals. Integrated Control System reduces main feedwater to zero; no auxiliary feedwater (AFW) flow due to incorrect SG level indication.16 Post-TMI analysis indicates: a) AFW restart was due to randomly drifting SG level indication, and b) without AFW restart pressurizer level could have been high (similar to TMI) with no additional failures.17 1979 Three Mile Island 2 LOFW, LOFW, pilot-operated relief valve (PORV) sticks open, operators throttle high pressure makeup, core (PWR, US) LOCA damage. LOFW and loss of RCS coolant through PORV (unrecognized) lead to saturation conditions, a steam bubble in the RCS, and rising pressurizer level. Throttling action is intended to prevent the system going solid.18 1981 Hinkley Point A-1, LOOP, Severe weather LOOP, loss of ultimate heat sink (LOUHS). Winter storm causes LOOP; storm surge on top of A-2 (GCR, UK) External high tide floods station cooling water pump house (ultimate heat sink).19,20 Flood 99

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (3 of 6)

Year Plant Scenario Notes 1982 Armenia 1 Fire Fire-induced Station Blackout (SBO). Power cable ignited at multiple points in two cable galleries (short circuit),

(VVER, Soviet propagated to adjacent room. Escaping hydrogen in Turbine Building exploded, started oil fire (~300m2). Loss of all Union) power and control for Unit 1, three-hour SBO.6 1985 Davis-Besse LOFW LOFW, loss of AFW, failure to implement feed and bleed cooling. Complicated event, multiple problems.21 (PWR, US) Operator pushed wrong buttons, isolating rather than initiating AFW. Multiple equipment failures, locked hatches and doors,22 safety measures,23 and training deficiencies complicated response. SGs boiled dry. Shift supervisor decided not to implement feed and bleed as required by emergency procedures, recognizing the economic impact of such actions and (correctly) anticipating feedwater restoration.

1986 Chernobyl 4 Reactivity Reactivity excursion and core melt. A delay during a maintenance outage safety test (the delay was in response (RBMK, Soviet Excursion to request for power from offsite dispatchers) led to operation in an unstable operating regime. Automatic scram was Union) intentionally disabled. Test continued despite computer warning to shutdown due to inadequate reactivity margin.

Positive reactivity transient initiated by testing actions, operators were unable to control the excursion.24 1989 Vandellos 1 Fire Fire-induced internal flood. Turbine blade failure ruptured oil lines, caused oil and hydrogen fires. Cascading, (GCR, Spain) burning oil affected lower floors, failed an expansion joint and led to flooding (as well as fire). Smoke entered the MCR and other parts of the plant. Operators needed breathing apparatus to enter dark, smoke-filled areas to perform recovery actions.6 1991 Chernobyl 2 Fire Fire-induced Turbine Building roof collapse. Large oil and hydrogen fire. Main and emergency feedwater failed (RBMK, Soviet by debris or de-energized to allow fire fighting. Minor resuspension of contamination from Unit 4 accident.6 Union) 1992 Turkey Point 3, 4 High Wind Severe weather LOOP. Hurricane Andrew caused a five-day LOOP and loss of: communications, site access, and (PWR, US) some water tanks. Onsite conditions (restricted outdoor access, damage to tools and spare parts, difficulties in providing food and other basic necessities) and uncertainty in offsite conditions severely stressed operators. 25,26,27 100

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (4 of 6)

Year Plant Scenario Notes 1993 Narora 1 Fire Fire-induced SBO. A turbine blade failure caused an oil spill and fire. Fire propagated along cable trays into control (PHWR, India) room; heavy smoke forced MCR abandonment and auxiliary shutdown panel power was lost. 17 hour1.967593e-4 days 0.00472 hours 2.810847e-5 weeks 6.4685e-6 months SBO.6 1993 Onagawa 1 Reactivity Seismically-induced reactivity excursion. A magnitude 5.8 earthquake led to below-design basis peak ground (BWR, Japan) Excursion accelerations but the reactor tripped on neutron flux variation.28,29 1999 Blayais 1, 2 External Severe weather LOOP and partial LOUHS. LOOP at Units 2 and 4 caused by high winds. High water (tide, storm (PWR, France) Flood surge, wind-driven waves) overtopped plant dyke, flooded Units 1 and 2. Unit 1 service water degraded. Units 1 and 2 low-head safety injection and containment spray pumps lost. Loss of site access affected implementation of emergency plans.30,31 2001 Maanshan 1 LOOP, Severe weather LOOP and subsequent station blackout (SBO). Salt spray caused LOOP. Emergency Diesel (PWR, Taiwan) Fire Generator (EDG) A started but tripped. Heavy smoke from a high energy arcing fault (HEAF) prevented access to a switchgear room needed to restore EDG B. Swing EDG used to restore power after ~2 hours.32 2003 Paks 2 Spent Fuel Fuel damage during cleaning. During cleaning to remove corrosion products, increased bypass flow through bore (VVER, Hungary) Pool holes in the fuel assembly walls led to reduced cooling flow and fuel overheating. Radiation alarms led to evacuation Accident of the reactor hall. Lifting the lid of the cleaning vessel led to increased dose rates (maximum of 30 mSv/h = 3 rem/hr) and additional emergency preparedness measures were activated.33 101

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (5 of 6)

Year Plant Scenario Notes 2003 Canada: (PHWR) LOOP Northeast Blackout, LOOP at multiple sites. A power line, softened by inductive heating, contacted Pickering 4-8; overgrown trees. Subsequent power line failures occurred over the next 1.5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months ; grid operator situation Darlington 1,2,4; awareness was hindered by computer failures. Widespread grid failure caused trips at nine U.S. plants and Bruce 3,4,6 non-significant transients (responses managed through normal control systems) at 64 others. 13 of 15 operating Canadian units disconnected from the grid; 11 of these were tripped automatically or manually.

U.S.: Multiple plants experienced post-trip complications.34 Fermi 2 (BWR);

Fitzpatrick (BWR);

Ginna (PWR);

Indian Point 2,3 (PWR);

Nine Mile Point 1,2 (BWR);

Oyster Creek (BWR);

Perry (BWR) 2004 Madras 2 External Tsunami-induced LOUHS. Sumatra-Andaman Earthquake and tsunami. Sea water entered the pump (PHWR, India) Flood house and all seawater pumps (the plants ultimate heat sink) were made unavailable due to water and/or debris. Unit 2 cooldown was accomplished using firewater. (Unit 1 was already in a long-term shutdown.)

The tsunami caused some damage to structures and severe damage to telecommunications.35 2006 Forsmark 1 LOOP LOOP, partial failure of AC and DC power. During maintenance, a short circuit in switchyard caused (BWR, Sweden) LOOP. Sudden overvoltage on the main generator caused the loss of 2/4 trains of safety-related AC and DC power (inverters failed, prevented EDGs from loading). Complete loss of AC and DC power appeared possible due to the same mechanism.36 102

Additional Slides Accidents and Incidents Accidents and Other Interesting Events (6 of 6)

Year Plant Scenario Notes 2007 Kashiwazaki-Kariwa 1-7 Earthquake, Seismically-induced main transformer fire. A M 6.6 earthquake (local intensity VIII to IX) caused beyond (BWR, Japan) Fire design basis ground motion. All operating units tripped automatically. Seismic effects (e.g., onsite damage to fire lines and roads) and coordination problems with offsite emergency services complicated plant response to a seismically-induced main transformer fire (arcing due to ground subsidence ignited oil).37,38 2009 Cruas 2-4 External LOUHS due to flood debris. Vegetation from upstream flood management actions blocked service water (PWR, France) Flood intake. Total loss of service water for Unit 4, partial loss for Units 2 and 3.39 2010 H.B. Robinson Fire Switchgear fire, partial LOOP and reactor coolant pump (RCP) seal cooling challenges. Failure of a (PWR, US) cable to a 4kV non-safety related bus caused an arc flash, a fire. A subsequent breaker failure led to reactor trip. Offsite power was lost to one safety-related bus. Complications due to equipment failures and poor operator performance led to insufficient RCP seal injection and loss of seal cooling. A second fire caused additional significant damage.40,41 2011 Japan BWRs: Earthquake, Earthquake- and tsunami-induced accidents and incidents. Great Tohoku Earthquake and Tsunami.

Fukushima Daiichi 1-6; External Magnitude 9.1 earthquake (intensity IX). SBO and subsequent core melt at Fukushima Daiichi U1-U3 (all at Fukushima Daini 1-4; Flood power); flood damage and SBO at U5 (maintenance outage), LOOP at U6. LOOP at Higashidori Onagawa 1-3; Tokai Daini; (maintenance shutdown) and Tokai Daini (at power, tripped), EDGs operated. Partial LOOP at Fukushima Higashidori 1-2 Daini (all units at power, tripped) and Onagawa (all units at power, tripped).42 2011 North Anna 1, 2 Earthquake Seismically-induced LOOP, reactivity excursion. A magnitude 5.8 earthquake (local intensity VII to VIII) caused beyond design basis accelerations and LOOP (transformer pressure relays). Seismic Monitoring Instrumentation Panel power was lost; both reactors tripped due to neutron flux variations.43,44 2020 Duane Arnold (BWR, US) High Wind High-Wind induced extended duration LOOP, degraded ultimate heat sink. High winds (likely near 130 mph, caused by a Derecho) damaged all six offsite power lines and collapsed the plants non-safety related cooling towers. Minor storm damage led to declaration of secondary containment and one of the two FLEX buildings as inoperable; there was also plugging of an emergency service water strainer. During cooldown under natural circulation, reactor pressure vessel bottom head cooldown limits were exceeded (as 103 anticipated under conditions). Offsite power was restored within 23 hours2.662037e-4 days 0.00639 hours 3.80291e-5 weeks 8.7515e-6 months ; the Unusual Event was exited 27 hours3.125e-4 days 0.0075 hours 4.464286e-5 weeks 1.02735e-5 months after declaration.45,46

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (1 of 6)

1. L. Arnold, Windscale 1957: Anatomy of a Nuclear Accident, St. Martins Press, NY, 1992.

2. H.W. Bertini, Descriptions of Selected Accidents That Have Occurred at Nuclear Reactor Facilities, ORNLNSIC176, Oak Ridge National Laboratory, April 1980.

3. Fermi - Unit 1, U.S. Nuclear Regulatory Commission. (Available from: https://www.nrc.gov/info-finder/decommissioning/power-reactor/enrico-fermi-atomic-power-plant-unit-1.html)

4. H.A. Wagner and E.P. Alexanderson, Fermi-I : New Age for Nuclear Power, ISBN: 978-0-89448-017-1, LaGrange Park, Ill: American Nuclear Society, 1979.

5. J.G. Fuller, We Almost Lost Detroit, ISBN 0883490706, New York: Readers Digest Press, 1975.

6. S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained from Fire Incidents, NUREG/CR-6738, U.S. Nuclear Regulatory Commission, September 2001.

7. M. Rwekamp and E. Gelfort, Sicherheitsrelevanter Kabeltrassenbrand im Kernkraftwerk Greifswald - Beschreibung und Einschtzung, GRS-V-SR 2449-1, Gesellschaft für Anlagen und Reaktorsicherheit (GRS) mbH, Kln, Germany, June 2004.

8. German DR releases details of 1975 Greifswald fire, Nuclear Engineering International, 35, p.6, April 1990. ISSN 0029-5507

9. F. Reisch, Lessons from Greifswald incidents, Nuclear Engineering International, 35, pp. 42-43, June 1990. ISSN 0029-5507

10. Soviets Confirm Accident at Leningrad Nuclear Plant in 1975, Associated Press, June 14, 1990. (Available from:

https://www.apnews.com/9b9e37b945647f77f820b4a5643cc0c7)

11. S.M.K. Garrett, et al., Joint U.S./Russian Study on the Development of a Decommissioning Strategy Plan for RBMK-1000 Unit #1 at the Leningrad Nuclear Power Plant, prepared by Joint U.S./Russian Study Team (Pacific Northwest National Laboratory, Brookhaven National Laboratory, RRC Kurchatov Institute) for U.S. Department of Energy and Russian Federation Ministry of Atomic Energy, December 1997. (Available from https://www.osti.gov/servlets/purl/574167)

12. The Chernobyl Accident: Updating of INSAG-2, INSAG-7, International Atomic Energy Agency, Vienna, 1992.

13. Accident at the Leningrad NPP (LNPP) in 1975, c. 2006? (Available from http://accidont.ru/ENG/LAES.html) 104

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (2 of 6)

14. J. Kuruc and Lubomir Mátel, Thirtieth Anniversary of Reactor Accident in A-1 Nuclear Power Plant Jaslovske Bohunice, 2007. (Available from:

http://www.iaea.org/inis/collection/NCLCollectionStore/_Public/38/059/38059373.pdf)

15. Gundremmingen Nuclear Power Plant, Wikipedia article, accessed Feburary 22, 2018. Note: various non-public reports provide additional details on the incident.

16. J.W. Minarick and C.A. Kukielka, Precursors to Potential Severe Core Damage Accidents: 1969-1979, A Status Report, NUREG/CR-2497, U.S.

Nuclear Regulatory Commission, June 1982.

17. R.M. Bernero and F.H. Rowsome, Single Failure Potentially Leading to Core Damage, memorandum to H.R. Denton and C. Michelson, U.S.

Nuclear Regulatory Commission, March 14, 1980. (ML19323J370)

18. The accident is heavily documented. For an overview of agency documents, see D. Marksberry, F. Gonzalez, and K. Hamburger, Three Mile Island Accident of 1979 Knowledge Management Digest, Overview, NUREG/KM-0001, rev. 1, U.S. Nuclear Regulatory Commission, June 2016.

19. R. Kirby, Hinkley Point Sediment Transport - Potential Impacts of and on New Structures, BEEMS Technical Report 149, Ravensrodd Consultants, Ltd., September 2010.

20. United Kingdom Environmental Agency, Somerset and the Sea: The 1981 Storm - 25 Years On, 2006.

21. Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985, NUREG-1154, U.S. Nuclear Regulatory Commission, July 1985.

22. Per NUREG-1154, one running equipment operator tossed keys ten feet ahead to another in their haste to enter a locked AFW pump room.

Another operator worried that plant card readers might fail and he did not have keys as a backup.

23. Per NUREG-1154, fuses for the motor-driven startup feed pump had been removed due to the potential consequences of a break in nearby non-seismically qualified piping. This prevented simple operation of the pump from the MCR.

105

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (3 of 6)

24. The accident is heavily documented. As an example of a comprehensive report shortly after the event, see U.S. Department of Energy, Electric Power Research Institute, Environmental Protection Agency, Federal Emergency Management Agency, Institute of Nuclear Power Operations, and the U.S. Nuclear Regulatory Commission, Report on the Accident at the Chernobyl Nuclear Power Station, NUREG-1250, January 1987.

For more recent perspectives, see T. Imanaka, Recent Research Activities about the Chernobyl NPP Accident in Belarus, Ukraine and Russia, Research Reactor Institute, Kyoto University, July 2002. (Available from: http://www.rri.kyoto-u.ac.jp/PUB/report/04_kr/img/ekr010.pdf).

25. F.J. Hebdon, Effect of Hurricane Andrew on the Turkey Point Nuclear Generating Station from August 20-30, 1992, NUREG-1474, U.S. Nuclear Regulatory Commission, 1993. (Available from https://www.osti.gov/biblio/10158520)

26. M. Leach, et al., NRC 2005 Hurricane Season Lessons Learned Task Force Final Report, STP-06-039, U.S. Nuclear Regulatory Commission, 2006.

(ML060900005)

27. N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney, Qualitative PRA insights from operational events, Proceedings of 14th International Conference on Probabilistic Safety Assessment and Management (PSAM 14), Los Angeles, CA, September 16-21, 2018. (ML18135A109)

28. Nuclear Power Plants and Earthquakes, Information Library, World Nuclear Association, London, UK, June 2018. (Available from http://www.world-nuclear.org/information-library/safety-and-security/safety-of-plants/nuclear-power-plants-and-earthquakes.aspx)

29. N. Siu, J. Xing, N. Melly, F. Sock, and J. Pires, Qualitative PRA Insights from Seismic Events, Proceedings 25th Conference on Structural Mechanics in Reactor Technology (SMiRT-25), Charlotte, NC, August 4-9, 2019. (ML19162A422)

30. A heavily documented event considered by many to be a precursor to the 2011 Fukushima reactor accidents. See, for example, A. Gorbatchev, et al., Report on flooding of Le Blayais power plant on 27 December 1999, Proceedings of EUROSAFE 2000, Cologne, Germany, November 6-7, 2000 for an early discussion, and E. Vial, V. Rebour, and B. Perrin, Severe storm resulting in partial plant flooding in Le Blayais nuclear power plant, Proceedings of International Workshop on External Flooding Hazards at Nuclear Power Plant Sites, Atomic Energy Regulatory Board of India, Nuclear Power Corporation of India, Ltd., and International Atomic Energy Agency, Kalpakkam, Tamil Nadu, India, August 29 -

September 2, 2005 for a later discussion.

106

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (4 of 6)

31. Note that French plants use air-cooled EDGs so loss of service water has a lesser effect than for plants with water-cooled EDGs.

32. Atomic Energy Council, Taiwan, The Station Blackout Incident of the Maanshan NPP Unit 1, April 18, 2001. (Available from:

https://www.aec.gov.tw/webpage/control/report/safety/safety_04_002.pdf)

33. Report to the Chairman of the Hungarian Atomic Energy Commission on the Authoritys investigation of the incident at Paks Nuclear Power Plant on 10 April 2003, Hungarian Atomic Energy Authority, May 23, 2003. (Available from: http://tpc.mingorp.hr/eng/news/paks-report.pdf)

34. U.S.-Canada Power System Outage Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, April 2004. (Available from https://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf)

35. International Atomic Energy Agency, The Fukushima Daiichi Accident, Director Generals Report: Detailed Description of Relevant Operating Experience, Annex III of Technical Volume 2, 2015. (Available from https://www-pub.iaea.org/MTCD/Publications/PDF/SupplementaryMaterials/P1710/TV2/AnnexIII.pdf)

36. Significant Loss of Safety-Related Electrical Power at Forsmark, Unit 1, in Sweden, IN 2006-18, U.S. Nuclear Regulatory Commission, August 17, 2006.

37. Japan Nuclear Technology Institute, Information of Kashiwazaki-Kariwa Power Plant (the 4th news), Rev. 0, July 25, 2007. (ML080320300)

38. IRSNs Viewpoint on the Safety and Radiation Protection of French Nuclear Power Plants in 2007, DSR Report No. 271, Reactor Safety Division, Institut de Radioprotection et de Sûreté Nucléaire, 2009. (Available from:

https://inis.iaea.org/collection/NCLCollectionStore/_Public/43/012/43012271.pdf)

39. P. Dupuy, G. Georgescu, and F. Corenwinder, Treatment of the loss of ultimate heat sink initiating events in the IRSN Level 1 PSA, NEA/CSNI/R(2014)9, Nuclear Energy Agency, Boulogne-Billancourt, France, 2014.

107

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (5 of 6)

40. L. Reyes, H.B. Robinson Steam Electric Plant - Augmented Inspection Team Report 05000261/2010009, letter to E. McCartney, Carolina Light and Power Company, U.S. Nuclear Regulatory Commission, July 2, 2010. (ML1018301010)

41. Final Precursor Analysis: H.B. Robinson - Electrical Fault Causes Fire and Subsequent Reactor Trip with a Loss of Reactor Coolant Pump Seal Injection and Cooling, U.S. Nuclear Regulatory Commission, September 23, 2011. (ML112411359)

42. A heavily documented event. (As of December 2017 there were over 10,000 pages of reports from Japan and various international organizations.) Examples of detailed analyses include:

Government of Japan, Interim Report (Main Text), Government of Japan Investigation Committee on the Accident at Fukushima Nuclear Power Stations of Tokyo Electric Power Company), Tokyo, Japan, 2011. [Although an interim report, it provides details that are still largely correct]

Tokyo Electric Power Co., Evaluation of the Situation of Cores and Containment Vessels of Fukushima Daiichi Nuclear Power Station Units-1 to 3 and Examination into Unsolved Issues in the Accident Progression, Progress Report No. 5, December 25, 2017. [Provides the latest from TEPCO, includes discussions of the sequence of events and various specific topics - see attachments.]

International Atomic Energy Agency, The Fukushima Daiichi Accident, Director General Report, Vienna, Austria, 2015. [An authoritative, international point of view.]

National Research Council, Lessons Learned from the Fukushima Nuclear Accident for Improving Safety of U.S. Nuclear Plants, National Academies Press, Washington, DC, 2014. [A U.S. perspective. Fewer details than the others but provides a good overview.]

Observations from an NRC visit are documented in: Reflections on Fukushima: NRC Senior Leadership Visit to Japan, 2014, NUREG/KM-0008, December 2014.

108

Additional Slides Accidents and Incidents Notes - Accidents and Other Interesting Events (6 of 6)

43. Dual Unit Reactor Trip and ESF Actuations During Seismic Event with a Loss of Offsite Power, Licensee Event Report 338/2011-003-00, Virginia Electric and Power Co., Mineral, VA, October 20, 2011.

44. Virginia Electric and Power Company, Virginia Electric and Power Company (Dominion), North Anna Power Station Units 1 and 2, North Anna Independent Spent Fuel Storage Installation, Summary Report of August 23, 2011 Earthquake Response and Restart Readiness Determination Plan, Serial No.11-520, September 17, 2011. (ML11262A151)

45. Notice of Unusual Event and Unit Trip Due to Loss of Offsite Power Due to High Winds, Licensee Event Report 2020-001-01, Next Era Energy, September 30, 2020.

46. U.S. Nuclear Regulatory Commission, Duane Arnold Energy Center - Integrated Inspection Report 05000331/2020003 and 07200032/2020001, November 6, 2020. (ML20314A150) 109

Additional Slides Accidents and Incidents Past Events: Looking to Learn or to Exclude?

Interpretive defense - event was not a failure within analysis scope

Relevance defense - event is not applicable to NPPs of interest

Compliance defense - event involved non-compliant behaviors outside scope of analysis

Redemption defense - event revealed problems that have been (or will be) fixed J. Downer, The unknowable ceilings of safety: three ways that nuclear accidents escape the calculus of risk assessments, The Ethics of Nuclear Energy: Risk, Justice, and Democracy in the Post-Fukushima Era, B. Taebi and S.

Roeser (eds.), Cambridge University Press, 2015.

J. Downer, Disowning Fukushima: managing the credibility of nuclear reliability assessment in the wake of disaster, Regulation and Governance, Wiley, 2013.

110

Additional Slides Mechanisms and Scenarios EXAMPLES OF REAL WORLD MECHANISMS AND SCENARIOS 111

Additional Slides Mechanisms and Scenarios Examples: Unexpected/Unusual Loadings

U.S. EDG oil fire

- Fatigue cracking of undocumented instrumentation line.

- Failure occurred during follow-up examination of a reported small oil leak; line was moved slightly.

Nogent flood (2006)1

- Unit 2 condenser circulating water system leak causes p between Turbine Building foundation and floor, lifts floor, fails manhole.

- Water floods Unit 1 Turbine Building, enters Essential Service Water system gallery through penetrations, Component Cooling Water pump room through drains.

1. U.S. Nuclear Regulatory Commission, Construction-Related Experience with Flood Protection Features, IN 2009-06, July 21, 2009. (ML090300546) 112

Additional Slides Mechanisms and Scenarios Examples: Protective Systems

Inadequate (Forsmark 1, 2006)1

- Offsite switchyard two-phase short circuit during maintenance causes LOOP

- Inverters failed on overvoltage, causing loss of 2/4 trains of AC and DC power

Function as designed (Vogtle 1, 1988)2

- Smoke detectors actuated pre-action sprinkler system in cable spreading room

- Water from leakoff lines seeped into control room, caused spurious actuations in Reactor Coolant System

Initiate accident (Fermi 1, 1966)3

- Zirconium sheets installed late in construction as a barrier to molten fuel

- Segments tore loose during power ascension, blocked coolant flow; two assemblies melted

1. U.S. Nuclear Regulatory Commission, Significant Loss of Safety-Related Electrical Power at Forsmark, Unit 1, in Sweden, IN 2006-18, August 17, 2006.

2. Water Leakage into Control Room/Potential Exists for a Safety System Failure, Licensee Event Report 424/88-016R01, November 22, 1988. The sprinkler 113 heads were not actuated and the leakoff valves functioned as designed; leakage occurred via a faulty penetration seal.

3. H.W. Bertini, Descriptions of Selected Accidents That Have Occurred at Nuclear Reactor Facilities, ORNLNSIC176, Oak Ridge National Laboratory, April 1980.

Additional Slides Mechanisms and Scenarios Examples: Secondary Hazards

Maanshan 1 smoke from arcing fault (2001)1

- Salt spray caused LOOP; electrical fault caused high-energy arcing fault (HEAF), loss of faulted safety bus

- Heavy smoke from HEAF delayed access to switchgear room to restore power to undamaged safety bus => 2 hour2.314815e-5 days 5.555556e-4 hours 3.306878e-6 weeks 7.61e-7 months station blackout

Cruas 2-4 debris from flooding (2009)2

- Flood management actions lead to vegetation debris downstream, clogging of service water intake

- Total loss of service water for Unit 4, partial loss for Units 2 and 3

1. Atomic Energy Council, Taiwan, The Station Blackout Incident of the Maanshan NPP Unit 1, April 18, 2001. (Available from:

https://www.aec.gov.tw/webpage/control/report/safety/safety_04_002.pdf) 114 2. P. Dupuy, G. Georgescu, and F. Corenwinder, Treatment of the loss of ultimate heat sink initiating events in the IRSN Level 1 PSA, NEA/CSNI/R(2014)9, Nuclear Energy Agency, Boulogne-Billancourt, France, 2014.

Additional Slides Mechanisms and Scenarios Examples: Declared Inoperability

Blayais flood (1999)1

- Rooms containing Unit 1 and Unit 2 low-head safety injection and containment spray pumps partially flooded

- Pumps declared inoperable

La Salle shutdown (1996)2

- Foreign material (injectable sealant foam) found on floor of service water tunnel

- Core standby cooling system, emergency core cooling system, and diesel generators declared inoperable, both units shutdown

1. A. Gorbatchev, J.M. Mattéi, V. Rebour, E. Vial, Report on flooding of Le Blayais power plant on 27 december 1999, Proceedings of EUROSAFE 2000, Cologne, Germany, November 6-7, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) gGmbh, Cologne, Germany. Available at https://www.eurosafe-forum.org/sites/default/files/pe_297_24_1_sem1_1.pdf 115 2. Foreign Material Injected Into Service Water Tunnel Causes Dual Unit Shutdown Due to Inadequate Work Control, Licensee Event Report 373/96-008R01, November 25, 1996.

Additional Slides Mechanisms and Scenarios Examples: Worker Safety Concerns

Point Beach shutdown (2000)1

- Communications lost with diver working in Unit 2 (shutdown) circulating water pump house

- Manual shutdown of Unit 1

U.S. reactor building fire

- Oil fire near reactor coolant pump

- Spurious evacuation alarm (smoke clogged radiation monitor)

- Reactor building evacuated

1. Manual Reactor Trip Due to Concerns for Diver Safety, Point Beach Nuclear Plant Unit 1, Licensee Event Report 266/00-010R00, November 22, 2000.

116

Additional Slides Mechanisms and Scenarios Examples: Operator Actions Besides the well-known errors of commission at TMI (1979), Chernobyl (1986), and Fukushima Daiichi (2011),

operators and other staff have performed actions worthy of Hollywood scripts:

Thriller

- During a loss of feedwater transient, the shift supervisor did not implement operating procedures for feed and bleed cooling (which would contaminate containment), betting (correctly) on timely restoration of auxiliary feedwater (Davis Besse, 1985)1

Action

- In haste to enter the auxiliary feedwater pump room (accessed via a locked grate), an equipment operator tossed keys to another ten feet ahead (Davis Besse, 1985)1

- During a Turbine Building fire (hydrogen deflagration, cascading burning oil), operators (using breathing apparatus) entered dark, smoke filled areas to perform recovery actions (Vandellos, 1989)2

Dark comedy

- A maintenance worker dropped a lightbulb into a cabinet, shorting out non-nuclear instrumentation. Propagating faults led to a scenario that could easily have resulted in an outcome as serious as that of the accident at Three Mile Island a year later (Rancho Seco, 1978).3

Horror

- During a severe power cable fire triggered by an electrician (performing a demonstration for a trainee), operators manipulated switchgear to find intact cables for power (trial and error problem solving) but these actions caused additional failures (Greifswald, 1975). 4

1. Loss of Main and Auxiliary Feedwater Event at the Davis-Besse Plant on June 9, 1985, NUREG-1154, July 1985.

2. S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained from Fire Incidents, NUREG/CR-6738, September 2001.

3. R.M. Bernero and F.H. Rowsome, Single Failure Potentially Leading to Core Damage, memorandum to H.R. Denton and C. Michelson, U.S. Nuclear Regulatory Commission, March 14, 1980. (ML19323J370) 117 4. M. Rwekamp and E. Gelfort, Sicherheitsrelevanter Kabeltrassenbrand im Kernkraftwerk Greifswald - Beschreibung und Einschtzung, GRS-V-SR 2449-1, Gesellschaft für Anlagen und Reaktorsicherheit (GRS) mbH, Kln, Germany, June 2004.

ML20339A570

Text

SUMMARY

Navigation menu

Search