ML21081A038
Probabilistic Risk Assessment (PRA) Lessons from Storms and Floods
Issue date: 03/22/2021
From: M'Lita Carr, Ian Gifford, Joseph Kanney, Nathan Siu, Zeechung Wang (NRC/RES/DRA)
To: Siu, Nathan - 301 415 0744
QUALITATIVE PRA INSIGHTS FROM OPERATIONAL EVENTS:

AN EXPLORATORY STUDY (PUBLIC)

N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney
Office of Nuclear Regulatory Research
U.S. Nuclear Regulatory Commission
March 2021

Abstract

Qualitative, structured reviews of major accidents and accident precursors (e.g., incidents triggered by major fires) have led to useful insights regarding probabilistic risk assessment (PRA) methods, models, tools, and data. This report provides the results of an exploratory project involving PRA-oriented, qualitative reviews of an additional ten incidents, selected for their relevance to the treatment of external floods and other storm-related hazards (e.g., high winds, lightning, and ice). These results corroborate insights generated by other investigations, but also provide some less-discussed insights of interest to PRA practitioners and developers.

The report also provides insights regarding the educational benefits of such an exploratory project, and identifies a number of potentially important challenges to activities aimed at developing intelligent search tools intended to aid in PRA-oriented reviews and analyses of nuclear power plant (NPP) incidents.

FOREWORD

Probabilistic risk assessment (PRA), the engineering analysis process of identifying scenarios and quantifying their likelihood and consequences, provides a structured way of identifying and prioritizing possible mechanisms and scenarios leading to system failure. PRA provides both the mindset and the tools, both inductive (e.g., event trees) and deductive (e.g., fault trees), to help analysts search for what can go wrong and combat the "lack of imagination" concern raised in post-event investigations of the Fukushima Daiichi reactor accidents [1]. However, when exercising these tools in practical analyses, considerable judgment is usually required, and such judgment can be influenced by normal human biases and heuristics.

As an example of subjective influences, classic psychological experiments with fault tree analysis have demonstrated the potential for even experienced analysts to overemphasize failure paths presented in a fault tree and to overly discount (or even neglect) paths not presented [2]. On the other hand, practical experience shows that brainstorming analysts can suggest unrealistic scenarios that are physically possible but much less likely (and less risk-significant) than others. Clearly, empirical evidence, notably from actual operational experience, can be valuable in both spurring and tempering imagination.

This report documents the results of a limited scope project exploring the potential value of qualitative, PRA-oriented lessons drawn from operational incidents. The report is an expansion of a conference paper on the same subject [3]. It is expected that the results of the project will inform the planning of near-term U.S. Nuclear Regulatory Commission (NRC) research activities aimed at improving the performance, review, and use of PRA studies in regulatory decision making. It is also expected that the results of the project will be useful to external stakeholders (including international organizations) in their planning of future activities.

Note: this report was created by removing non-public information from a 2018 internal staff report [4]. All other information (including conclusions) has not been updated.

References

[1] The Official Report of the Fukushima Nuclear Accident Independent Investigation Commission, The National Diet of Japan, July 2012.

[2] B. Fischhoff, P. Slovic, and S. Lichtenstein, Fault trees: sensitivity of estimated failure probabilities to problem representation, Journal of Experimental Psychology: Human Perception and Performance, Vol. 4, No. 1, 330-344 (1978).

[3] N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney, Qualitative PRA insights from operational events, Proceedings of 14th International Conference on Probabilistic Safety Assessment and Management (PSAM 14), Los Angeles, CA, September 16-21, 2018. (ADAMS ML18135A109)

[4] N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney, Qualitative PRA Insights from Operational Events: An Exploratory Study, U.S. Nuclear Regulatory Commission, September 2018. (ADAMS ML18248A117, non-public)

EXECUTIVE SUMMARY

Qualitative, structured reviews of major accidents and accident precursors (e.g., incidents triggered by major fires) have led to useful insights regarding probabilistic risk assessment (PRA) methods, models, tools, and data. This report provides the results of an exploratory, limited scope project involving PRA-oriented, qualitative reviews of ten incidents selected for their relevance to the treatment of external floods and other storm-related hazards (e.g., high winds, lightning, and ice).

The project results corroborate insights generated by other investigations. For example, the incidents reviewed demonstrate the potential importance of: warning times and precautionary measures taken before arrival of a storm or flood; less extreme hazards (when occurring in combination with other events during the incident); multiple hazards arising during a single incident; the persistence of hazards (onsite as well as offsite); offsite hazard management activities affecting warning times and/or onsite hazard levels; the failure of plant design features provided to mitigate hazards; multi-unit and offsite impacts; and hazard-induced challenges to plant staff.

The project results also provide some previously less-discussed insights of interest to PRA practitioners and developers. In particular, the incidents reviewed indicate a number of incident features that, as a means to improve PRA realism, might warrant further research and development. These features include: multiple shocks to the plant during a single incident (including losses of external power as well as different hazards arriving at different times); scenario dynamics (including the effects of hazard persistence, natural site processes such as drainage of flooded areas following storm passage, plant thermal hydraulic behavior, and plant staff actions over time); and impacts on multiple sites due to a single storm or flood.

Many of the above-mentioned features can, in principle, be addressed in a PRA through proper consideration of the context for equipment and operator actions and/or conservative assumptions. (Regarding conservative assumptions, it should be recognized that overly conservative analyses can improperly bias the PRA results, mask important risk contributors, and thereby discount the value of preparing for less-than-catastrophic scenarios that might be important contributors to actual risk.) Research activities are underway within the U.S. and abroad to address some features. Other features appear to warrant consideration in the planning of future research.

In addition to technical insights relevant to the practice and development of PRA, the project also developed insights regarding the educational benefits of such an exploratory project, and identifies a number of potentially important challenges to activities aimed at developing intelligent search tools intended to aid in PRA-oriented reviews and analyses of nuclear power plant (NPP) incidents.

Regarding educational benefits, the project team, whose members had varying degrees of exposure to external hazards PRA, has improved its understanding of events and mechanisms for some well-known incidents involving external hazards, and has identified and analyzed a number of notable incidents that were previously unknown to the team and, likely, many in the PRA community. Interestingly, although it was not a project aim, the team identified two incidents (Hinkley Point, 1981; Turkey Point, 1992) bearing notable similarities with the well-known Blayais flooding event of 1999; from a technical perspective, these incidents might therefore reasonably be considered precursors to the Fukushima Daiichi reactor accidents of 2011.

Regarding lessons relevant to the development of intelligent search tools using knowledge engineering technologies, the project identified a number of challenges. Some of these are relevant not only to external hazards PRA but also more general PRA applications. They include: the appropriateness of current event significance measures in screening incidents for further study; the appropriateness of analytics-based algorithms for identifying risk-important facts or events; the potential multiplicity of sources documenting an incident, variances in information across these sources, and even the potential for errors in information; and the need to consider the perspectives of a wide range of technical disciplines when integrating information regarding an external-hazards initiated incident.

Although the project was of limited scope and exploratory in nature and the project results are purely qualitative, the project team considers the effort spent to be worthwhile. It appears that additional activities, ranging from similar, modestly scoped reviews of selected incidents to larger-scale efforts, perhaps supporting the improvement of existing international databases, could be valuable. The team recommends follow-on activities to disseminate the results of the project in order to: provide the project's results and insights, increase PRA community awareness of the general potential for useful PRA lessons derived from operational experience, and support planning of future PRA-related activities by the U.S. Nuclear Regulatory Commission (NRC) and external stakeholders (including industry research organizations and international working groups).


TABLE OF CONTENTS

FOREWORD ... ii
EXECUTIVE SUMMARY ... iii
TABLE OF CONTENTS ... v
ACRONYMS AND ABBREVIATIONS ... vii
1. INTRODUCTION ... 9
2. OBJECTIVES AND SCOPE ... 11
3. APPROACH ... 13
  3.1. General Approach ... 13
  3.2. Data Sources ... 15
  3.3. Example Incident Descriptions and Analyses ... 15
    3.3.1. Turkey Point ... 15
    3.3.2. St. Lucie ... 18
4. RESULTS ... 20
  4.1. PRA-Related Observations and Implications ... 20
    4.1.1. Hazard ... 20
    4.1.2. Fragility ... 21
    4.1.3. Plant Response ... 22
  4.2. Learning-Related Observations ... 25
  4.3. Knowledge-Engineering Related Observations ... 26
5. CONCLUSIONS AND RECOMMENDATIONS ... 29
ACKNOWLEDGEMENTS ... 32
REFERENCES ... 33
APPENDIX A - PRA-ORIENTED EVENT REVIEWS ... 37
  A.1 Blayais (12/27/1999) ... 37
  A.2 Hinkley Point (12/13/1981) ... 39
  A.3. Summary ... 40
  A.4 References ... 41
APPENDIX B - EVENT TIMELINES AND DESCRIPTIONS ... 42
  B.1 Dresden (12/3/1982) ... 42
  B.2 Turkey Point (8/24/1992) ... 45
  B.3 Browns Ferry (4/27/2011) ... 48
  B.4 Pilgrim (2/8/2013) ... 49
  B.5 LaSalle (4/17/2013) ... 50
  B.6 St. Lucie (1/9/2014) ... 51
APPENDIX C - LESSONS FOR DEVELOPMENT OF DYNAMIC PRA ... 52
  C.1 Dynamic PRA Background ... 52
  C.2 A Potential Application for Dynamic PRA ... 53
  C.3 References ... 54
APPENDIX D - OTHER POTENTIALLY INTERESTING EVENTS ... 56

ACRONYMS AND ABBREVIATIONS

AC - alternating current
ADAMS - Agencywide Documents Access and Management System
ASN - Autorité de Sûreté Nucléaire (France)
ASP - accident sequence precursor
CCDP - conditional core damage probability
CNRA - Committee of Nuclear Regulatory Authorities (OECD/NEA)
CSNI - Committee for the Safety of Nuclear Installations (OECD/NEA)
CW - cooling water
CWP - circulating water pump
DC - direct current
DOE - U.S. Department of Energy
ECCS - emergency core cooling system
EDF - Electricité de France
EDG - emergency diesel generator
ERM - enterprise risk management
EST - Eastern Standard Time
EU - European Union
FLEX - diverse and flexible mitigation strategies
GRS - Gesellschaft für Anlagen und Reaktorsicherheit (Germany)
HEAF - high energy arcing fault
HRA - human reliability analysis
IAEA - International Atomic Energy Agency
IDPSA - Integrated Dynamic-Probabilistic PSA
INES - International Nuclear and Radiological Event Scale
INPO - Institute of Nuclear Power Operations
IPSN - Institut de Protection et de Sûreté Nucléaire (France)
IRS - Incident Reporting System (IAEA)
IRSN - Institut de Radioprotection et de Sûreté Nucléaire (France)
KE - knowledge engineering
KM - knowledge management
INL - Idaho National Laboratory
LER - Licensee Event Report
LIP - local intense precipitation
LOOP - loss of offsite power
LOUHS - loss of ultimate heat sink
LWRS - Light Water Reactor Sustainability Program (DOE)
MCR - main control room
MIT - Massachusetts Institute of Technology
NEA - Nuclear Energy Agency (OECD)
NIH - U.S. National Institutes of Health
NIST - U.S. National Institute of Standards and Technology
NPP - nuclear power plant
NPSAG - Nordic PSA Group
NRC - U.S. Nuclear Regulatory Commission
OECD - Organization for Economic Cooperation and Development
OpE - operational experience
OSC - operational support center
OUO - Official Use Only
PCIS - primary containment isolation system
PRA - probabilistic risk assessment
PSA - probabilistic safety assessment
PSAEA - Probabilistic Safety Assessment Event Analysis (Belgium)
PSAM - Probabilistic Safety Assessment and Management (conference series)
PWR - pressurized water reactor
QA - quality assurance
QC - quality control
RAB - reactor auxiliary building
RCIC - reactor core isolation cooling
RES - Office of Nuclear Regulatory Research (NRC)
RHR - residual heat removal
RIDM - risk-informed decision making
RISMC - Risk-Informed Safety Margin Characterization pathway (DOE)
RPS - reactor protection system
SBO - station blackout
SCD - shutdown cooling
SNL - Sandia National Laboratories
SPAR - standardized plant analysis risk
SSCs - systems, structures, and components
SUT - startup transformer
SW - service water
TSC - technical support center
UCLA - University of California at Los Angeles
UE - Unusual Event
WANO - World Association of Nuclear Operators
WGOE - Working Group on Operational Experience (OECD/NEA/CNRA)
WGRISK - Working Group on Risk Assessment (OECD/NEA/CSNI)

1. INTRODUCTION

"Nuclear power plant accident data are sparse." This aphorism concisely expresses much of the motivation for the familiar, decomposition-based modeling approach used in current nuclear power plant (NPP) probabilistic risk assessments (PRAs), and for various standard techniques used to compensate for sparse data at the basic event level (including modeling of key phenomena, expert elicitation, and Bayesian estimation). However, as with all aphorisms, caution is needed to avoid overuse. In particular, it should not be (and has not been) taken to mean that empirical information from operating experience is not useful for PRA and that efforts to make improved use of this information are not worth pursuing.

Information from operational experience is, of course, reflected in NPP PRAs and related activities in a number of ways. Besides the routine use of performance data in the quantification of a variety of PRA model parameters, lessons from operational events have been used to update the PRA models themselves. For example, the 1975 Browns Ferry fire [1] led to a scoping level analysis of fire risk in WASH-1400 [2], and a subsequent full-fledged fire PRA methodology [3]. The major elements of the latter remain in use today [4]. More recently, the Fukushima Daiichi reactor accidents spurred re-examinations of a number of potential risk contributors including seismic, flooding, and multi-unit events (e.g., [5, 6]), and have led to the identification of a number of lessons regarding PRA methods, models, tools, and data (e.g., [7]).

On the other hand, there are also examples of noteworthy operational incidents¹ whose significance to PRA has been underappreciated until recently. The 1999 Blayais flooding incident [9] provides a prime example. This incident, which involved multiple external hazards (high wind and flooding) and multiple reactor units and is now recognized as a precursor to the Fukushima accidents [10], apparently had little impact on the general PRA community until after the Fukushima accidents [11].

In the late 1990s, as part of its fire risk research program [12], the U.S. Nuclear Regulatory Commission (NRC) Office of Nuclear Regulatory Research (RES) sponsored a qualitative investigation of notable NPP historical fire incidents aimed at identifying technical issues that may need further research. The project team consisted of three experts with combined expertise in fire PRA, fire science and engineering, and electrical engineering. The project analyzed 30 incidents from two viewpoints: chronological, and PRA-oriented. The chronological analysis considered each key event during the incident and asked how a contemporary fire PRA would treat the event. The PRA-oriented analysis considered each element in fire PRA (e.g., ignition, detection, suppression, plant response) and, for each incident, asked what (if any) insights that incident provided regarding fire PRA treatment of that element. The results of the project, documented in NUREG/CR-6738 [13], provided valuable information for the NRC's fire risk research program, including empirical examples of recognized technical issues (e.g., fire-induced spurious actuations, fire-induced control room abandonment) and a number of phenomena that might warrant further fire PRA method development (e.g., multiple fires during a single incident, multiple hazards during an incident, non-proceduralized recovery actions by plant staff under severe conditions). However, the project also required a significant effort to: a) identify and collect detailed, original-source information for many of the incidents, and b) analyze this information.

¹ In this report, consistent with International Atomic Energy Agency (IAEA) usage, we use the term "incident" to refer to NPP events that did not have significant impacts to the public, environment, or the facility [8]. Of course, in some instances, the conditions triggering the incident (e.g., a major storm) had a significant impact on the public and the environment, independent of their effect on potentially exposed NPPs.

Although many issues revealed by historical operating experience have been addressed (for example, the Browns Ferry fire led to stronger regulatory requirements for fire protection), it is nevertheless reasonable to expect that similarly-resourced retrospective analysis projects focused on other important PRA topics (e.g., external hazards, passive systems reliability, dependent failures, operator errors of commission, recovery actions, multi-unit events) could be valuable to PRA analysts, reviewers, and researchers. It is less obvious what insights might be provided by a smaller-scale effort, albeit one aided by modern search tools and databases.

Note: this report was created by removing non-public information from a 2018 internal staff report [59] and making appropriate editorial changes. All other information (including conclusions) has not been updated.


2. OBJECTIVES AND SCOPE

This report summarizes the results and insights of an exploratory project to review selected NPP incidents, performed by a small team with varying degrees of PRA expertise. The project had three objectives.
1. Identify insights regarding PRA methods, models, tools, and data (i.e., PRA technology) potentially useful for PRA analysts, reviewers, and/or developers.²
2. Provide an educational experience for the authors that supports NRC's risk-informed initiatives.
3. Identify lessons regarding the mining of operational experience that may be useful in the development of intelligent search tools.

Regarding the first objective, encouraged by the results of the fire incident review project mentioned earlier, the presumption was that PRA technology insights could be drawn from the incident descriptions. Of course, by their nature, actual incidents typically don't progress deep into a PRA scenario - sometimes an incident that provides PRA modeling lessons may not even involve a reactor trip - and are generally less thoroughly documented than accidents. This tempered the team's expectations regarding the extent and depth of insights that might be drawn from many operational experience reports. It was also recognized that, as mentioned earlier, there have been and continue to be tremendous efforts to draw lessons from the Fukushima Daiichi reactor accidents. Such efforts have, for example, prompted national and international activities, too numerous to list, to reconsider the risk from external hazards, to address multi-unit (and multi-source) events, and to more strongly consider the effect of environmental factors (both those associated with the initial hazard and those induced by accident progression) on plant staff. In many instances, our limited study served only to confirm recognized lessons.

Regarding the second objective, two imperatives faced by the NRC are its need to compensate for its loss of PRA-knowledgeable staff (e.g., due to retirement) and its desire to increase the use of risk information in its regulatory activities. It was anticipated that the project would provide a demonstration of a non-traditional, hands-on activity that can supplement ongoing knowledge management activities (including formal training, workshops, and seminars) [11]. In addition to learning about interesting incidents, it was hoped that the project team members would gain an improved appreciation of empirical failure mechanisms, events, and scenarios, i.e., how things fail (in broad terms, the first element in Kaplan and Garrick's risk triplet [14]), and of associated, current PRA modeling practices. It was also hoped that the act of formulating PRA-relevant insights from available information would promote a deeper and longer-lasting understanding and would also sharpen each team member's analytical skills.

² Although not required by formal definitions of risk and PRA [14, 15], discussions of PRA technology sometimes focus on the treatment of plant response to an initiating event and de-emphasize or even neglect the modeling of hazards leading to the initiating event. This report takes a broader view in which the entire incident scenario is of potential interest.


Regarding the third objective, NRC is currently using advanced knowledge engineering (KE) tools (e.g., content analytics tools to support data mining)³ to draw lessons from operational experience, and such use can only be expected to increase, given the ever-increasing volume of relevant information⁴ and the rapid developments in KE technology.⁵ In our experience, at least with the current generation of tools, tool development requires the identification of key word patterns and associations by subject matter experts [11]. It was hoped that this project would provide information useful for future KE tool development.

As an exploratory effort, this project had a tightly limited scope. As discussed in the following section, the team reviewed only a small number of U.S. and international incidents and relied upon information readily available to the NRC staff. The team recognizes that the information in many of the sources reviewed is provided at a summary level; a more extensive research effort would likely yield more detailed documents and additional insights.⁶ Finally, it should be emphasized that this project was neither an attempt to engage in post-event fault finding nor an exercise to characterize the conditional likelihoods of key failures during postulated accidents. The focus was on identifying qualitative lessons for future PRA use and development.

³ In this report, the term "knowledge engineering" refers to engineering activities associated with the development and maintenance of information systems; "data mining" refers to the identification of new lessons and insights from databases (including collections of text documents); and "content analytics" refers to a broad class of software tools that use a variety of approaches (e.g., natural language queries, trends analysis, contextual discovery, and predictive analytics) to identify patterns and trends across an unstructured database (e.g., a collection of text documents).

⁴ For example, the NRC continues to receive hundreds of Licensee Event Reports (LERs) each year.

⁵ The NRC, as with many other government agencies, is investigating how Big Data and artificial intelligence (AI) technologies can be used to improve effectiveness and efficiency [16].

⁶ See, for example, the discussion of different levels of insights that can be drawn from LER summaries, full-text LERs, and more detailed event investigation reports in NUREG/CR-6093 [17].


3. APPROACH

3.1. General Approach

This project involved the review of qualitative information on ten NPP incidents (see Table 1).

The incidents were identified by the project team following discussions that considered some of the broad PRA topic areas highlighted by the Fukushima Daiichi reactor accidents, namely external hazards, loss of offsite power (LOOP), and loss of ultimate heat sink (LOUHS), and the availability of information. The selected incidents generally involved external flooding (including flooding caused by local intense precipitation - LIP) and/or severe weather effects (e.g., high winds, salt spray). The incidents had, from a conditional risk perspective, varying levels of safety significance. For the U.S. incidents, the estimated conditional core damage probabilities (CCDPs) range from insignificant (no analysis needed) to 2E-4.⁷ The highest CCDP was for the Turkey Point event. For the non-U.S. incidents, per Refs. 22 and 25, respectively, it appears that the Blayais and Maanshan events had CCDPs higher than 1E-3. We do not have CCDP estimates for the Cruas and Hinkley Point events but note that the former was reported as an IAEA International Nuclear and Radiological Event Scale (INES) Level 2 event, and that the latter appears to be a Level 2 event or less.⁸

Two of the project team members served as principal analysts. One is a reliability and risk analyst working on the NRC ASP program [37, 38] and has experience performing Level 1 PRA for precursor analysis. The second also has experience with ASP analyses and has provided technical and programmatic support related to risk-informed license amendment applications.

Two other team members provided subject matter expertise on weather- and flooding-related hazards. The project lead, who has methods- and applications experience with internal and external hazards analyses, provided overall direction.

As compared with the fire incidents review mentioned earlier, this project involved only a chronologically-oriented review of the events in each incident, considering the broad elements of external hazards PRA: screening, hazard, fragility, and plant response (with special attention to human reliability and other potential sources of dependency), but not the detailed approaches used in current PRAs to address these elements. In general, the approach was to let the data speak, rather than perform a highly-structured (and therefore constrained) analysis. Additional details on the aims and the potential value of a risk-oriented review are provided in Appendix A.

⁷ In the NRC's Accident Sequence Precursor (ASP) program, events with a CCDP of 1E-3 or greater are considered to be significant precursors [37, 38]. It should be cautioned that the ASP analyses are performed under boundary conditions that, although appropriate for the ASP program, may be limiting for the purposes of this project. In particular, the ASP analyses consider the possibility of additional random hardware failures during an incident, but do not address potential variations in the effects of an external hazard. Additional discussions on limitations of current precursor analysis approaches can be found in numerous papers (e.g., [39, 40]).

⁸ The INES scale was created in 1990 [8], i.e., after the Hinkley Point event.
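The report describes PRA in terms of inductive event trees and deductive fault trees (Foreword) and screens incidents against the ASP program's CCDP threshold of 1E-3 (footnote 7), while cautioning that ASP analyses hold the hazard fixed and so miss variations in its effects. The following Python example, added here and not taken from the report or from any NRC analysis, quantifies a deliberately small LOOP event tree to make those mechanics concrete. Every probability, the two-EDG fault tree, the exponential offsite-power recovery model, the 8-hour coping time, and the two recovery-time cases are constructed assumptions for illustration only, not values from any plant or precursor study. The storm case echoes the multi-day LOOP durations listed in Table 1 (e.g., Turkey Point's 5-day LOOP) by lengthening the mean recovery time.

```python
"""Minimal event-tree / fault-tree quantification of a LOOP precursor.

Added example; not from the NRC report. All numbers are constructed
illustrative assumptions, not values from any ASP or plant-specific analysis.
"""
import math

# CCDP threshold the report's footnote 7 attributes to the NRC ASP program.
ASP_SIGNIFICANT_PRECURSOR = 1e-3


def loss_of_emergency_ac(p_edg_fail: float, p_ccf: float) -> float:
    """Fault tree top event: both emergency diesel generators unavailable.

    OR( AND(EDG-A fails, EDG-B fails), common-cause failure of both ).
    The OR of two basic events is 1 - (1-p1)(1-p2); the AND is p1*p2.
    """
    both_independent = p_edg_fail * p_edg_fail
    return 1.0 - (1.0 - both_independent) * (1.0 - p_ccf)


def offsite_power_not_recovered(coping_hours: float, mean_recovery_hours: float) -> float:
    """Assumed exponential recovery-time model (an assumption of this example):
    probability that offsite power is still out when the coping time
    (e.g. station battery life) is exhausted."""
    return math.exp(-coping_hours / mean_recovery_hours)


# Event tree for a LOOP initiating event (constructed for this example).
# Headings: EAC = emergency AC available; OPR = offsite power recovered before
# coping time ends (asked only if EAC fails); COOL = decay heat removal.
# 'S' = success branch, 'F' = failure branch; end state OK or CD (core damage).
EVENT_TREE = [
    ((("EAC", "S"), ("COOL", "S")), "OK"),
    ((("EAC", "S"), ("COOL", "F")), "CD"),
    ((("EAC", "F"), ("OPR", "S"), ("COOL", "S")), "OK"),
    ((("EAC", "F"), ("OPR", "S"), ("COOL", "F")), "CD"),
    ((("EAC", "F"), ("OPR", "F")), "CD"),  # station blackout beyond coping time
]


def quantify(failure_probs: dict) -> list:
    """Conditional quantification: the initiating event has occurred (P = 1),
    so each sequence probability is the product of its branch probabilities.
    Returns (path, end_state, probability) for every sequence."""
    results = []
    for path, end_state in EVENT_TREE:
        p = 1.0
        for heading, branch in path:
            pf = failure_probs[heading]
            p *= pf if branch == "F" else 1.0 - pf
        results.append((path, end_state, p))
    return results


def ccdp(failure_probs: dict) -> float:
    """Conditional core damage probability = sum over core-damage sequences."""
    return sum(p for _, end, p in quantify(failure_probs) if end == "CD")


def screen(value: float) -> str:
    """Classify an incident CCDP against the ASP significant-precursor threshold."""
    return "significant precursor" if value >= ASP_SIGNIFICANT_PRECURSOR else "below ASP threshold"


def loop_case(mean_recovery_hours: float, coping_hours: float = 8.0,
              p_edg_fail: float = 0.03, p_ccf: float = 1e-3,
              p_cool_fail: float = 1e-4) -> float:
    """CCDP for one LOOP scenario; defaults are constructed example values."""
    probs = {
        "EAC": loss_of_emergency_ac(p_edg_fail, p_ccf),
        "OPR": offsite_power_not_recovered(coping_hours, mean_recovery_hours),
        "COOL": p_cool_fail,
    }
    return ccdp(probs)


if __name__ == "__main__":
    # Same plant, same random hardware failure probabilities; only the
    # hazard-driven LOOP duration differs between the two cases.
    for label, mean_hours in (("plant-centered LOOP", 8.0), ("multi-day storm LOOP", 120.0)):
        value = loop_case(mean_recovery_hours=mean_hours)
        print(f"{label:22s} mean recovery {mean_hours:5.0f} h  CCDP = {value:.2e}  -> {screen(value)}")
```

The two cases share every hardware failure probability; only the assumed mean time to restore offsite power changes. That single hazard-dependent input moves the constructed CCDP from below to above 1E-3, which is the point footnote 7 makes about analyses that fix the hazard's effects at a nominal value.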


Table 1. Incidents Reviewed

| Date | Plant(s) | Scenario Type* | Notes |
|---|---|---|---|
| 1981-12-13 | Hinkley Point A-1, A-2 | External Flood | Pump house flooding. Winter storm causes grid problems; storm surge on top of high tide floods station cooling water pump house. [18, 19] |
| 1982-12-03 | Dresden 2, 3 | External Flood | Pump house flooding. Illinois and Kankakee rivers flood after several days of heavy rainfall; flood is 2 above historical maximum; flood level could have (but did not) fail service water (SW) pumps. [20, O3, O4] |
| 1992-08-24 | Turkey Point 3, 4 | High Wind; LOOP (weather) | Severe weather LOOP. Hurricane Andrew caused 5-day LOOP and loss of: communications, site access, some water tanks. Severe stress on operators. [21, 22] |
| 1999-12-27 | Blayais 1, 2 | External Flood | Severe weather LOOP and flooding. LOOP at Units 2 and 4 caused by high winds. Tide, storm surge, and wind-driven waves overtop dyke, flood Units 1 and 2. Unit 1 SW degraded; Units 1 and 2 low-head safety injection and containment spray pumps lost. Site access lost. [9, 23-26] |
| 2001-03-17 | Maanshan 1 | LOOP (weather); Fire (HEAF) | Severe weather LOOP and subsequent station blackout (SBO). Salt spray caused LOOP. Emergency Diesel Generator (EDG) A started but tripped. Heavy smoke from high energy arcing fault (HEAF) prevented access to switchgear room to restore EDG B. Swing EDG used to restore power after ~2 hours. [27, 28] |
| 2009-12-01 | Cruas 2-4 | External Flood | Loss of ultimate heat sink (LOUHS) due to flood debris. Vegetation blocked SW intake. Total loss of SW for Unit 4, partial loss for Units 2 and 3. [29] |
| 2011-04-27 | Browns Ferry 1-3 | High Wind; LOOP (weather) | Severe weather LOOP. LOOP caused by tornado (part of a tornado swarm). Complications with EDG C, loss of shutdown cooling at Units 1 and 2. [30, 31] |
| 2013-02-08 | Pilgrim | LOOP (weather) | Severe weather LOOP. A severe winter storm caused grid problems, LOOP. EDGs started and loaded. Complications included an unstable grid and a second LOOP due to ice bridging of the startup transformer. Overall duration ~4 days. [32] |
| 2013-04-17 | LaSalle 1, 2 | LOOP (switchyard) | Lightning-induced LOOP. Lightning strike at switchyard; fault propagated to direct current (DC) protective system. One residual heat removal (RHR) pump failed to start due to control design fault. Offsite power restored ~17 hours after LOOP. [33] |
| 2014-01-09 | St. Lucie 1 | External Flood | Reactor Auxiliary Building flood due to local intense precipitation (LIP). Heavy rainfall challenged site storm drains, backed into Reactor Auxiliary Building through unsealed conduits. Attempts to control flooding failed; Unusual Event (UE) declaration cleared when storm passed (~8 hours). [34-36] |

* The LOOP categories (e.g., weather, switchyard) affect LOOP recovery times in the NRC's Standardized Plant Analysis Risk (SPAR) models [37].


3.2. Data Sources

There are many useful sources of information available to NRC PRA analysts interested in NPP operational experience. These sources include: volatile, unendorsed, yet often wide-ranging Web articles (Wikipedia articles provide a prime example); training material (e.g., classroom examples to support key PRA concepts, 9 supporting documents such as NUREG/CR-6042 [41]); formal studies of individual events (particularly for the Three Mile Island, Chernobyl, and Fukushima Daiichi accidents, but also for selected lesser events); internal NRC operational experience studies on selected topics; voluntary reports to international databases (e.g., the IAEA Incident Reporting System (IRS), https://irs.iaea.org); legally required event reports (e.g., licensee event reports, LERs); and regulatory post-event inspection reports. Collectively and often individually, these sources provide useful information on key occurrences (e.g., equipment and safety functions lost) and on key factors behind these occurrences (e.g., the causes of equipment losses), as well as free-form narratives helping readers understand the progression of events. Some of the sources are in the form of structured databases with fields enabling rapid searching and screening.

For this exploratory project, the team primarily relied upon publicly available information for U.S. incidents, primarily LERs, staff analyses performed for the NRC's ASP program, and selected reports. For the international incidents, the team used information found through Internet searches, the IAEA's IRS restricted-access database and, in a few cases, publicly available documents provided by international colleagues. 10 For a number of incidents, our analyses raised questions concerning the storms that created the onsite hazards. We were usually able to answer these questions using publicly available reports and/or agency websites providing access to weather data (e.g., www.climate.gov).

3.3. Example Incident Descriptions and Analyses

The following discussions of the Turkey Point (1992) [21, 22] and St. Lucie (2014) [34-36] incidents illustrate the types of observations developed from our incident reviews. Annotated event timelines for some of the incidents listed in Table 1 are provided in Appendix B. The PRA-related implications of these observations are discussed in Section 4.

3.3.1. Turkey Point

On August 24, 1992, the Turkey Point site (two nuclear and two fossil units at the time of the event) was hit by a Category 5 hurricane (Hurricane Andrew). The eye of the hurricane passed directly over Turkey Point at 4:40 am EST. The site experienced high winds for seven hours, with peak wind gusts in excess of 300 km/h (187 mph) and sustained winds of 233-250 km/h (145-155 mph), a storm surge of 2.1 m (7 ft) and associated debris, and rain sufficiently heavy to cause some damage but not to promote general site flooding. It appears that the site was not affected by any lightning or tornadoes associated with the hurricane.

9 Interestingly, even such material can have important omissions. For example, a draft HRA training course attended by one of the project members provided a description of the TMI accident that didn't mention the key error of commission (the operators' mistaken throttling of high pressure makeup).

10 Note that this report cites only information available from public sources.

Responding to hurricane warnings, the site started its emergency preparations several hours before the storm's arrival, and the nuclear units were in hot shutdown (Mode 4), using the RHR system for cooling, when the storm hit. 11 One of the nuclear units (Unit 3) lost offsite power when the eye passed over the site; the other nuclear unit (Unit 4) lost power roughly 40 minutes later. 12 As designed, the EDGs started and loaded, providing needed power. One line of offsite power was restored four days after the event but was unreliable for several days. A second line of offsite power was restored on August 31, seven days after the event.

Some additional interesting event features are as follows.

  • The U.S. National Hurricane Center began tracking the storm off the coast of Africa on August 14 and declared Andrew a tropical storm on August 17. The Turkey Point staff initiated emergency preparations on August 21, with the storm approximately 800 miles off shore. These preparations included identifying plant staff that would stay on site during the event, and training on potential scenarios involving losses of instrument air, RHR, offsite power, and EDGs. On August 23, a hurricane warning was issued and Turkey Point declared a UE.
  • The Turkey Point plant manager had prior experience working at the St. Lucie plant during Hurricane David in 1979. Due in large part to this experience, Turkey Point had revised its Emergency Plan Implementing Procedure before the hurricane. Also, although the plant's commitments made in response to the NRC station blackout rule only required that the plant commence shutdown two hours prior to the expected onset of hurricane force winds, plant staff estimated that it would take eight hours to enter Mode 4 and initiated shutdown on Units 3 and 4 on August 23 at 6:00 pm and 8:00 pm, respectively. Plant staff were distributed to strategic locations, and the plant's Technical Support Center (TSC) and Operational Support Center (OSC) were relocated to Class I building locations, due to concerns about possible damage to their original (non-Class I) buildings. Both the TSC and OSC were declared operational at 11:22 pm. Unit 3 reached Mode 4 at 2:13 am, August 24; Unit 4 reached Mode 4 at 4:05 am. A site survey to ensure staff safety concluded at 3:00 am, as sustained winds started to exceed 48 km/h (30 mph). It's useful to note that the storm arrived two hours earlier than initially expected.
  • The sustained wind speeds experienced were above the plant's design basis sustained wind speed of 233 km/h (145 mph), but well below the design basis tornado wind speed of 542 km/h (337 mph). The storm surge experienced was also well below the design basis storm surge height of 13.7 m (22 ft).

11 The plant operators chose to maintain the reactors in Mode 4 rather than Mode 5 (cold shutdown) in order to ensure the availability of turbine-driven auxiliary feedwater (AFW), should it be needed.

12 Unit 4 received power from one of the fossil units (Unit 2), until the latter unit was shutdown at 5:22 am EST.


  • The storm did not cause any significant damage to Class I buildings. The storm did fail many Class III structures, including a 100,000 gallon water tower. The tower collapse, caused by a wind-generated missile that struck an unprotected tower support, rendered two raw water tanks and fire system piping and associated support systems inoperable. The storm also damaged the chimney for fossil Unit 2. If that chimney had collapsed, it might have struck the Unit 4 EDG building.

  • The storm caused water damage to some equipment, including the breaker for an RHR discharge valve and a battery charger.
  • The storm caused the loss of offsite communications. Helicopters and portable communications were used until traditional communication methods were restored on August 25. Temporary satellite communication was provided by the NRC.
  • Onsite communications remained available and enabled contact with staff distributed at various site locations. Many of these locations were isolated during the storm, due to the hazardous external conditions.
  • Storm debris did not cause the loss of plant service water. However, this was due to hourly cleaning of the service water strainers by plant staff.
  • Recovery actions were severely hampered due to storm damage. There was no lighting in support buildings, computer access was unavailable, and few vehicles survived the wind and rain damage. Spare parts and tools were also damaged during the storm. Even replacement parts that appeared intact could not be relied upon until properly tested.

  • Offsite damage also hampered recovery efforts. Roads were blocked with large debris. During road clearing efforts, the lack of high voltage detectors required the use of long chains thrown over downed power lines to check for energization.

  • Plant personnel performed under highly challenging conditions. The hazardous conditions which prevented staff from going outside their Class I buildings, a lack of instrumentation, 13 and the loss of offsite communications prevented staff from developing a clear picture of site conditions. The loss of offsite communications also amplified staff concern regarding offsite conditions, their families, and homes. Furthermore, the site had difficulty providing food, temporary living quarters, and other basic necessities. The food supply was exhausted before access roads were cleared, requiring the use of helicopter delivery.

  • Offsite assistance proved invaluable during the event response. Local utilities and the St. Lucie plant provided needed staffing support, food, water, diesel fuel, portable generators, chain saws, hand tools, clothes, and personal items.

13 As discussed in Ref. 21, the meteorological tower data was of limited use even before the towers and equipment failed.


From a public and staff safety perspective, it is important to recognize that despite the extreme challenges posed by the storm, the site's actions before, during, and after the hurricane were ultimately successful.

3.3.2. St. Lucie

In the early afternoon of January 9, 2014, the St. Lucie plant (two nuclear units) was struck by a heavy rainstorm. Due to blockage of a normal drain path, water backed up in the emergency core cooling system (ECCS) pipe tunnel and then flowed into the Unit 1 reactor auxiliary building (RAB) through degraded conduits that were below the design basis external flood elevation but were missing required flood barriers. At 4:10 pm EST, operators reported that water was backing up through RAB floor drains and flowing into the ECCS pump room. Per procedure, operators isolated the ECCS pump room, but RAB flooding continued. A mitigation plan, involving the batchwise drainage of water into the ECCS pump room and then removal of that water using the ECCS sump pumps, was developed and implemented at 4:35 pm. One hour later, a higher capacity temporary pump was brought into service to reduce the water flow into the RAB. At 6:03 pm, it was determined that the accumulated rainfall exceeded the site's storm drain system capacity and a UE was declared. Operators removed the drain blockage by clearing a drainage pipe and opening a gate valve. The UE declaration remained in effect until midnight, when the rains subsided and storm drains were observed to be removing accumulated water. During the event, the reactor remained at power and all safe shutdown equipment remained operable.

It can be seen that this event had a very small actual safety impact. Nevertheless, it exhibits a number of interesting features.

  • National Weather Service data from local meteorological stations and from area radar indicate that: a) heavy rain conditions at the plant lasted from around 12:30 pm to around 6:00 pm; and b) most (nearly 90%) of the total rainfall was deposited before the operators' observation of RAB flooding at 4:10 pm.
  • National Weather Service data also indicate large variations in measured rainfall across the area, ranging from a low of around 140mm (5.54 inches) to a high of 270mm (10.64 inches).
  • The flood did not reach design basis levels and it appears that all essential services (notably electric power) were available.
  • When the existing plant flooding procedures did not control the RAB flooding, operators were able to develop and implement a plan that prevented flooding of key equipment.
  • Some of the operator actions were performed outdoors, under conditions of continuing heavy rainfall and gusty winds.


  • After the event, it was determined that a number of other conduits also lacked required flood barriers, that the barriers had been missing since plant modifications in 1978 and 1982, and that the missing barriers were not detected by flooding walkdowns performed in 2012. 14

14 The documentation reviewed addresses the conduit flood barrier problems but does not provide information on the nature and duration of the drainage blockage.


4. RESULTS

This section provides the project team's observations and insights. The discussion is organized to mirror the project objectives identified in Section 2 of this report.

4.1. PRA-Related Observations and Implications Many of our results echo insights developed not only by other, post-Fukushima PRA-related reviews and activities (e.g., [7, 42, 43]), but also some pre-Fukushima event lessons-learned activities (notably following the Blayais flood [23-26]). Some even echo insights from early discussions of external hazards PRA (e.g., [44]). It is worth noting that a number of the incidents in Table 1 are likely not well known within the PRA community. Thus, even if they do not provide fresh insights, they provide additional support to recognized lessons. We also note that a few of our insights suggest potentially important topics for future PRA research.

4.1.1. Hazard

All of the incidents reviewed in this project were triggered directly or indirectly by major storms.

Notable features of the hazards affecting the plant include the following.

  • Multiple hazards. A number of the incidents involved two or more of the following: high winds, salt spray, flooding, and debris clogging. A few winter events may have involved extreme cold, although no effects were explicitly identified. One event involved salt spray followed by heavy smoke within a building due to an electrical fault and HEAF.
  • Large extent. A number of the storms caused significant damage offsite, limiting or even blocking access to the site and hindering recovery activities. Some storms affected even larger geographical areas (e.g., multiple states, multiple countries). In a few of these cases, multiple sites were affected. The effects on sites not listed in Table 1 were minor, but it can be seen that a more severe (if presumably less likely) storm might affect plants relying on mutual aid agreements and/or regional support centers.
  • Asymmetrical impact. A number of storms affecting multi-unit sites did not affect all units to the same degree. Indeed, in some cases, some units appear to have suffered no significant impact.
  • Challenge from less extreme hazard levels. In some incidents, the external hazards appeared to be less severe than those addressed by the plant design basis, but nevertheless presented significant challenges to the operators. 15 Even in the case of some floods beyond then-current design bases, it appears that significant flooding started before the design basis flood level was reached, due to a phenomenon (wind-driven waves) that had not yet been considered.
  • Persistence. For some events, the effects of flooding (offsite as well as onsite) persisted hours or even days after the storm passed.
  • Dynamic behavior. In a number of incidents, the site experienced significant storm effects well before peak storm conditions were reached. Also, a number of storms presented multiple, sequential threats to the affected plants. One event involved multiple flood peaks, another multiple wind peaks, and others different hazards (e.g., high wind, flooding) at different times. The time gap between hazards likely affected the degree of challenge to the operators in achieving safe shutdown.
  • Offsite natural hazard risk management actions. Early severe weather warnings, leading to pre-emptive measures onsite, played an important role in a number of the events. In one case, on the other hand, a lack of warning to potentially affected units may have contributed to difficulties in plant response. Regarding a different aspect of risk management, river flood control actions had no apparent effect on the plant in one event but had a downstream effect on a plant in another.

15 This is a reminder that potentially risk-significant scenarios need not involve overwhelming external hazards; accidents often involve the uncommon combination of not-uncommon events [45]. (See also [46].)

Some of the above features (e.g., regarding storm dynamics) can be handled in a PRA with standard, conservative modeling assumptions (e.g., assuming a maximum flood height is reached instantaneously at the beginning of the scenario). Stochastic storm simulation tools that enable more realistic treatment of storm dynamics also are available (e.g., [47, 48]). Other features (e.g., PRA treatment of multiple hazards) are the subject of active research (e.g., [49, 50]). Still others (e.g., treatment of multi-site effects) are starting to be investigated (e.g., [51]) but have not yet received the full attention of the broad PRA community. We note that all of the features affect the context for plant staff and organizational actions, and may be worth considering in a qualitative manner, even in a conservative, single unit PRA.
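The paragraph above contrasts the conservative "maximum flood height reached instantaneously" assumption with the dynamic behavior actually observed (flooding that began below the design basis level because of wind-driven waves, and water that persisted after the storm). The following Python example is added here to make that difference concrete; it is not part of this report or of any NRC tool. It computes the time available before a hypothetical critical elevation is reached under a constructed piecewise-linear still-water hydrograph, under the same hydrograph with a constant wave run-up superposed, and under the instantaneous-maximum assumption, and it reports how long the level stays above the threshold. The hydrograph, the critical elevation and the wave height are hypothetical numbers chosen only to exercise the functions.

```python
"""Added example, not from the NRC report: how the conservative 'maximum flood
height reached instantaneously' assumption compares with a time-varying water
level when estimating the window available for operator action, and how a
hazard component not yet considered (wind-driven wave run-up) shifts it.

The hydrograph, critical elevation and wave height are constructed,
hypothetical values.
"""

# Constructed still-water hydrograph: (hours after onset of storm effects,
# metres above site datum). Level is interpolated linearly between points.
HYDROGRAPH = [(0.0, 0.0), (2.0, 1.0), (4.0, 2.4), (6.0, 3.1),
              (8.0, 2.8), (12.0, 1.5), (24.0, 0.2)]

CRITICAL_LEVEL = 3.0   # hypothetical elevation of a pump motor (m)


def _crossing_time(t0, l0, t1, l1, level):
    """Time at which the linear segment (t0,l0)-(t1,l1) crosses `level`."""
    return t0 + (level - l0) / (l1 - l0) * (t1 - t0)


def time_to_reach(hydrograph, level):
    """Earliest time the interpolated level reaches `level`, or None if the
    crest stays below it (the 'could have but did not' case in Table 1)."""
    t_prev, l_prev = hydrograph[0]
    if l_prev >= level:
        return t_prev
    for t, l in hydrograph[1:]:
        if l_prev < level <= l:
            return _crossing_time(t_prev, l_prev, t, l, level)
        t_prev, l_prev = t, l
    return None


def duration_above(hydrograph, level):
    """Total hours the interpolated level is at or above `level` (persistence)."""
    total = 0.0
    t_prev, l_prev = hydrograph[0]
    for t, l in hydrograph[1:]:
        if l_prev >= level and l >= level:
            total += t - t_prev
        elif l_prev < level <= l:          # rising crossing inside the segment
            total += t - _crossing_time(t_prev, l_prev, t, l, level)
        elif l_prev >= level > l:          # falling crossing inside the segment
            total += _crossing_time(t_prev, l_prev, t, l, level) - t_prev
        t_prev, l_prev = t, l
    return total


def with_wave_runup(hydrograph, wave_height):
    """Superpose a constant wind-driven wave run-up on the still-water level."""
    return [(t, l + wave_height) for t, l in hydrograph]


def action_window(hydrograph, level, conservative=False):
    """Hours available before `level` is reached.

    conservative=True reproduces the 'instantaneous maximum' assumption: the
    crest is taken to be present at t=0, so the window is 0 whenever the crest
    can reach `level`, and None (no challenge) otherwise.
    """
    if conservative:
        crest = max(l for _, l in hydrograph)
        return 0.0 if crest >= level else None
    return time_to_reach(hydrograph, level)


if __name__ == "__main__":
    cases = (("still water", HYDROGRAPH),
             ("still water + 0.5 m waves", with_wave_runup(HYDROGRAPH, 0.5)))
    for label, hg in cases:
        print(f"{label}: realistic window = {action_window(hg, CRITICAL_LEVEL)} h, "
              f"conservative window = {action_window(hg, CRITICAL_LEVEL, True)} h, "
              f"hours at or above level = {duration_above(hg, CRITICAL_LEVEL):.2f}")
```

With the constructed numbers the still-water level reaches the 3.0 m threshold about 5.7 hours after onset and stays above it for roughly an hour, whereas the conservative treatment gives a zero-hour window; raising the threshold to 3.2 m turns the still-water case into a near miss (None) that the superposed wave run-up converts back into a challenge at about 4.9 hours, which is the pattern described for the flood that began below the design basis level.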

4.1.2. Fragility

Although specific information on the exposure of systems, structures, and components (SSCs) to potential hazards is generally lacking in the documents reviewed, information is available on actual failures. Notable failures during the incidents reviewed include the following.

  • Hazard-induced failures of protection-related SSCs (including dikes, penetrations, and internal doors) affecting exposure of other SSCs to the hazard
  • LOOP (including partial losses followed by subsequent failures leading to complete loss)
  • LOUHS (due to service/cooling water pump motor immersion or intake clogging by debris)
  • Failure of other SSCs explicitly modelled in PRAs (including water damage to an electrical breaker probably due to wetting but not immersion, as well as immersion of ECCS and support system pump motors)
  • Failure of other SSCs typically not explicitly modelled in PRAs (including non-safety structures; communications, lighting, computer systems; spare parts and tools; onsite automobiles, trucks, and trailers)

Pre-event failures not caused by the hazard but affecting the exposure of modelled SSCs included missing or faulty penetration seals and clogged storm drains. For such failures, which can be detected by inspections or walkdowns but can also be undetected for long periods of time, it can be seen that the uncertainty in SSC status might be more epistemic than aleatory in nature, and standard process models for standby component failures might be worth revisiting. 16

4.1.3. Plant Response

Although at least one incident caused sufficient alarm to mobilize national-level crisis centers, none of the incidents reviewed actually progressed very far down the sequence of events associated with risk-significant accident scenarios. Nevertheless, we have observed some features of interest, as follows.

  • Precautionary measures. As discussed in Section 3, the Turkey Point plant had substantial early warning and took a number of major precautionary measures that helped prepare the plant for the arrival of the hurricane.
  • Multiple shocks. As discussed in Section 4.1.1, a number of incidents involved multiple storm hazards (e.g., high wind, flooding). A further incident involved a LOOP, recovery from that LOOP, and then a second LOOP. In another incident, the LOOP was followed by other faults and a HEAF, ultimately resulting in a two-hour SBO.
  • Scenario dynamics. In at least two cases, the timing of the multiple shocks to the plant apparently led to different plant responses. In one case, a storm-induced LOOP occurred well before flooding of the plant's pump house, and it appears the plant achieved shutdown before service water was lost, without major complications. 17 In another case, the storm-induced LOOP and plant flooding occurred at about the same time, and the plant operators were significantly challenged. The persistence of a hazard, the natural response of the site (e.g., drainage of flooded areas after a storm has passed), the thermal hydraulic behavior of the plant, and the timing of plant staff actions also introduce dynamic considerations. The potential implications for dynamic PRA are discussed in Appendix C.

16 Protective SSCs such as penetration seals can be viewed as standby devices, i.e., they are not required to function until a demand (e.g., a flood) occurs. Standard, simple PRA models for standby devices typically treat the unavailability of a standby component using a Poisson model for failures while in standby [52]. Inherent in this treatment, failures are viewed as the result of a random (aleatory) process. In contrast, failures of protective devices that are subject to walkdown inspections in support of a PRA might be more akin to design errors; either the device is failed from the beginning or it isn't. The uncertainty in the actual condition can be reduced or eliminated with a better inspection, and is epistemic in nature.

17 Our summary level information for this event does not indicate any complications.

  • HRA complexities. Many of the incidents illustrated challenges to the operators. In addition to coping with the multiple shocks and scenario dynamics mentioned above, these challenges included:

o Storm damage to SSCs not explicitly modelled in PRAs. The previously mentioned damage to communications, lighting, etc. in some incidents clearly affected the operators ability to assess the situation and to implement needed actions. At Turkey Point, as discussed previously, even apparently undamaged spare parts could not be confidently relied upon without proper testing. Further, the onsite loss of cars, trucks, and trailers (which could have provided needed housing for the staff, given the sites isolation from the outside) hindered recovery efforts.

o Need to take shelter. A number of storms were sufficiently severe as to require sheltering. At Turkey Point, when combined with a loss of communication, this made it difficult for the staff to assess external conditions (e.g., whether the storm had subsided).

o Need for outdoor actions. Despite storm conditions, some incidents required outdoor actions (e.g., to determine the status of outdoor drainage systems). Other actions (e.g., cleaning of service water strainers) may have required activity under hazardous conditions.

o Inadequate procedures. In some cases, existing plant procedures were not adequate for the situation. In one multi-unit flooding event, the flooding response procedure was subordinate to emergency operating procedures being executed, and key flooding response actions were not implemented.

o Offsite damage. A number of incidents led to large scale damage offsite, with safety consequences to the general public and therefore attention from general emergency organizations. A further consequence of this damage was loss of offsite access. At Turkey Point, this led to difficulties in providing food and other basic necessities. Further, the staffs expectation of severe offsite damage, in combination with loss of offsite communication, increased stress due to concerns regarding families and homes. Our reports on other incidents contain no information on the psychological challenges faced by the staff at other plants, so we do not know if their situations were similar to those seen at Turkey Point (and later at Fukushima Daiichi).


On the subject of human reliability analysis (HRA), it is important to recognize that while the HRA analyst is typically performing the analysis in the context of a pre-defined PRA scenario, the plant staff is performing under uncertain conditions. The staff will not necessarily know, for example, when a flood will stop (recall that flooding can continue well after a storm has passed), whether mitigation actions using pumps and drains will actually work given unknown and potentially changing water inflow rates, or whether a new shock (e.g., a subsequent LOOP) is the last one or just the latest in a series of problems.

It is also important to recognize that, despite the challenges identified above, the plant operators were ultimately successful in all of the reviewed incidents. Assessing the appropriate degree of credit to operator actions under such circumstances remains a challenge for HRA.

  • Site-wide considerations. As discussed in Section 4.1.1, a number of incidents involved multiple units, sometimes in different operating states. At least one incident appears to have involved challenges in coordinating actions across the units. On the positive side, cross-ties to other units on site (including, in the case of Turkey Point, fossil fuel units) provided important support (e.g., power, cooling water) during a number of incidents.

Similar to the treatment of hazards, many of these features can be treated in current PRAs either conservatively, or more realistically with particular attention to contextual factors important to HRA. We note that some features could be relevant to detailed modeling efforts aimed at addressing pre-core damage endstates (i.e., Level 0 PRA [53]), perhaps for the purpose of supporting enterprise risk management (ERM) applications (e.g., [54]). We also note that dynamic PRA [55-57] provides a natural framework for the realistic treatment of the interactions between a hazard and the plant. Additional details on dynamic PRA and its potential value for PRA modeling of storm-initiated scenarios are provided in Appendix C.

Regarding the use of conservative analysis assumptions, it is widely recognized that such assumptions can often be used to avoid analysis complexities by bounding the potential risk impacts. It is also widely recognized that overly conservative analyses can improperly bias PRA results and mask important risk contributors. For example, "game over" modeling approaches that assume an instantaneous, catastrophic hazard can overly discount the value of developing and exercising procedures and training to deal with more likely events on the scale of those actually experienced by the industry. Such events can feature complexities (e.g., asymmetrical site impacts, event timings) that would not be a factor in an assumed, catastrophic scenario, but nevertheless might need to be dealt with to prevent the incident from escalating into an accident.
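Returning to the standby-model point raised in Section 4.1.2 and footnote 16: the following Python example is added here (it is not part of this report, and the numbers are not from any plant record) to show how the two views of a protective SSC such as a penetration seal differ numerically. Model A is the standard Poisson failure-in-standby treatment with a periodic test or inspection of interval T, which credits every inspection with restoring the component and has no place for inspection quality. Model B treats the barrier as either missing from the start or intact, and updates that probability with a walkdown whose detection probability d is explicit, so repeated walkdowns that miss a missing barrier (the St. Lucie pattern of barriers absent since the 1970s and 1980s and undetected in 2012) leave the posterior high. The failure rate, prior probability and detection probability used are hypothetical.

```python
"""Added example, not from the NRC report: the two views of a protective
standby SSC (e.g., a flood penetration seal) contrasted in footnote 16.

Model A (aleatory, the standard standby model): failures in standby arrive as
a Poisson process with rate lam per hour; an inspection every T hours finds
and repairs any failure, so the time-averaged unavailability is
    q_A = 1 - (1 - exp(-lam*T)) / (lam*T)  ~  lam*T / 2   for lam*T << 1.

Model B (epistemic): the barrier is either failed from the start (prior
probability p0, e.g. omitted during a plant modification) or intact, and
stays that way. A walkdown detects a failed barrier with probability d and
never flags an intact one. After k walkdowns that all reported 'intact':
    q_B = p0*(1-d)**k / (p0*(1-d)**k + (1-p0)).

All rates and probabilities below are constructed, hypothetical values.
"""
import math


def standby_unavailability(lam, T):
    """Model A: time-averaged unavailability of a periodically inspected standby SSC."""
    if lam <= 0.0 or T <= 0.0:
        raise ValueError("failure rate and inspection interval must be positive")
    x = lam * T
    if x < 1e-6:              # series form avoids cancellation for tiny lam*T
        return x / 2.0
    return 1.0 - (1.0 - math.exp(-x)) / x


def posterior_failed(p0, d, k):
    """Model B: P(failed) after k independent walkdowns that all reported 'intact'."""
    if not (0.0 <= p0 <= 1.0 and 0.0 <= d <= 1.0) or k < 0:
        raise ValueError("p0 and d must be probabilities, k non-negative")
    missed = (1.0 - d) ** k   # probability a failed barrier survived k walkdowns
    return p0 * missed / (p0 * missed + (1.0 - p0))


def walkdowns_needed(p0, d, target, max_k=1000):
    """Model B: smallest k with posterior <= target, or None if walkdowns of this
    quality can never get there (d == 0 learns nothing, however many are done)."""
    if target >= p0:
        return 0
    if d <= 0.0:
        return None
    for k in range(1, max_k + 1):
        if posterior_failed(p0, d, k) <= target:
            return k
    return None


def compare_models(lam, T, p0, d, k):
    """Both unavailability estimates for the same inspection history."""
    return {
        "poisson_standby": standby_unavailability(lam, T),
        "epistemic_after_walkdowns": posterior_failed(p0, d, k),
    }


if __name__ == "__main__":
    # Hypothetical: 1e-5/h failure rate with annual inspection (Model A) versus
    # a 1% chance the seal was never installed and walkdowns that spot a
    # missing seal only half the time (Model B), after 5 'clean' walkdowns.
    print(compare_models(lam=1e-5, T=8760.0, p0=0.01, d=0.5, k=5))
    print("walkdowns to reach 1e-4 with d=0.5:", walkdowns_needed(0.01, 0.5, 1e-4))
    print("walkdowns to reach 1e-4 with d=0.0:", walkdowns_needed(0.01, 0.0, 1e-4))
```

The design point is the second model's explicit detection probability: with d = 0 no number of walkdowns changes the prior, which is the situation footnote 16 describes, and which Model A cannot represent because it resets the component at every inspection regardless of how good that inspection was.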


4.2. Learning-Related Observations

This project has been a successful learning exercise for all members of the team.

For some team members, the project constituted their first real exposure to external hazards PRA. One member with internal events experience learned that floods involving water from external sources (e.g., a sea, lake, river, or cooling water canal) entering the plant via an SSC failure (such as the opening of circulating water system air-operated valves triggered by an inverter failure, which led to a 1976 Oconee turbine building flood) is considered an internal flood. (This modeling convention usefully breaks the flooding analysis problem into more manageable pieces but also raises the possibility of analysis stovepiping.) One team member with expertise in external hazards assessment but not in external hazards PRA learned that timeline issues are not easily represented using standard PRA methods and was interested in how variations in external event circumstances and their impacts could be represented in existing PRAs.

In general, the team members have gained awareness of a number of incidents for which they had little or no prior knowledge (notably Hinkley Point) and have learned about a number of PRA-relevant features (discussed earlier in this report) associated with incidents for which most had limited awareness (e.g., Turkey Point, St. Lucie). Even for those incidents for which some members had a greater degree of awareness (e.g., Maanshan, Blayais), the review provided useful perspectives. For example, one member's framing of the Maanshan incident as a demonstration of a HEAF-induced SBO was changed to a more global view, in which the HEAF was just one of a series of events in an external-hazard initiated scenario. As another example, the team's understanding of the conditions faced by the operators at Blayais was improved through a comparison with the Turkey Point incident, which shared some key features with Blayais (and with the Fukushima Daiichi reactor accidents), including: multiple hazards and LOOP, multi-unit effects, and degradation or loss of site access.

At a more detailed level, the team members have gained a better understanding of the challenges associated with the general modeling of external hazards and of associated scenario features. The latter include: early hazard notification and site preparation (equipment and personnel staging, decisions to remain in hot shutdown to facilitate decay heat removal via turbine-driven systems), current modeling of LOOP recovery considering the LOOP type (weather, grid, plant-centered, or switchyard) and the complexities of actual recovery (e.g., when power sources can actually be considered reliable), other recovery actions (including the difficulties introduced by damage to spare parts and tools as well as the sources and effects of stress), and equipment fragility (e.g., potential increases in failure probability due to debris clogging that necessitates cleaning actions). The team has also improved its understanding of the different sources of publicly available information (e.g., LERs, precursor analyses, event notification reports, inspection reports, and weather data) that can be useful in the review of past events.


As indicated in Section 2, the team was hopeful that by virtue of an active, PRA-oriented analysis, the members would: a) enhance their PRA-related analytical skills, and b) gain knowledge longer lasting than would have been gained by a less-involved review of events.

There are no plans to formally assess the realized degree of benefit, but this aspect could be revisited (e.g., via member interviews) should the need arise (e.g., to support proposals for future, analogous exercises).

4.3. Knowledge-Engineering Related Observations

As discussed in Section 2, the NRC, as with many organizations, is interested in using advanced KE tools (e.g., content analytics) to make better use of available data. The following list provides a number of information processing challenges that were identified in the course of this project. 18 These challenges can be met by human analysts as a normal research matter but may take some thought when developing automated tools for extracting factual information from documents and other sources.

  • Computed or assigned event significance measures (e.g., CCDPs, IAEA INES ratings, inspection finding significance levels) can be helpful when screening out less significant incidents. However, these measures are not designed to identify events that may be of interest to PRA practitioners and researchers. For example, the CCDPs computed in the NRC's ASP program consider the possibility that additional independent hardware failures could have occurred during a flooding incident, but not the possibility that the flooding hazard could have been worse. Thus, a screening approach that relies exclusively on reported CCDPs might eliminate flooding incidents in which the flooding level stopped just short of key equipment.
  • Notable events can be documented in multiple papers, reports, and presentations published over time. Some of the factual details provided in these documents may not always be consistent. A tool developer will need to consider if and how to assess the credibility of the information (e.g., considering consistency with other facts presented in that document and other documents). We note that credibility ratings based purely on the document source can be misleading, as even records from authorities can contain errors (including non-obvious typographical errors). Of course, the assessment of credibility of an overall document or of a particular statement within a document is a general challenge not unique to operational experience data mining, and work is ongoing to address this challenge. 19

18 Other, potentially useful insights are provided in a 2016 feasibility study investigating the potential application of content analytics technology to some prototypical NRC staff activities [11, 58]. It should be cautioned that the pace of technological developments in knowledge engineering is extremely rapid - some of the issues identified in that 2016 study may have been addressed.

19 For example, the National Institutes of Health (NIH) is working on natural language processing (NLP) approaches to identify and assess potential biases in publications in the scientific literature on toxicology. Useful snapshots of current views on challenges and ongoing activities can be found at the National Institute of Standards and Technologys (NIST) annual conference on text analytics (https://tac.nist.gov).


  • Simple analytics-based approaches to data mining may not work in situations where the importance of a piece of information is not related to its frequency of occurrence in the database (corpus) being searched. Tool developers will need to consider how to address situations where, for example, a key (to PRA) fact is mentioned once in a single document, where a factual error (e.g., an erroneous date) is propagated through multiple documents, or where the emphasis or omission of a particular aspect of the incident is affected by the point of view of the author (including authoring organizations). 20 Even more challenging are situations where source documents address a topic indirectly or not at all, but it can be inferred from theory or other events that the topic was likely important (and therefore additional effort to acquire relevant information is warranted). 21
  • Additional challenges with international events can arise in situations where only a report's abstract is translated into English, 22 and where official translations include translation errors. 23
  • As organizations increasingly make information available online, it should be recognized that this information is more volatile; an online document accessed at one point in time can be different at a later point in time. Furthermore, it is our experience that online documents often appear to undergo less quality assurance (QA)/quality control (QC) in favor of speedy dissemination.
  • Especially when dealing with external hazards, a full understanding of the incident can require the integration of multidisciplinary information scattered over a variety of documents. These documents, often written for a variety of purposes and audiences, can focus on different aspects and even use different terms. For example, a nuclear-safety oriented event report might focus on flooding - an effect - whereas a weather-oriented report might focus on the storm - the source of the hazard - and might not even use the term flood or its variants. Even more challenging for the tool developer, different disciplines can have different preferred conceptual frameworks. For example, a plant systems analyst, thinking in terms of discrete events, may be unsuccessful in a naive search for data indicating when a storm hit the site because the available hazard information is presented with a view that hazard growth is a continuous process over time.
  • As a related point, massive amounts of quantitative weather data have become available in the last few years. To provide easy and efficient access, modern websites generate graphical presentations based on user queries. (For example, detailed isopleths for rainfall, based on meteorological station reports and radar imaging, can be interactively generated for user-specified time and space intervals.) It appears to us that mining such information to answer such questions as "When did heavy rainfall start at Plant X?" will present a significant challenge to the KE tool developer.

20 Note that omissions can be due to an author's lack of access to certain information, as well as author decisions. Multiple accounts from different organizations, valuable in general, can be particularly useful in such situations.

21 For example, many incident reports are silent regarding the state of mind of the operators during what would appear to be extremely challenging incidents.

22 General purpose tools such as Google Translate can do a very credible job in translating technical reports, but they sometimes stumble when dealing with technical jargon specific to nuclear power and PRA.

23 In one instance, an original source report indicated that offsite power was available, but an English-version conference paper largely based on that report indicated that power was unavailable.
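The onset question in the last bullet can be made concrete. The following Python script is an added example and is not part of the NRC report: it takes a constructed hourly rainfall record (hypothetical values, not data from any station or event) and derives a discrete "start of heavy rainfall" under several plausible definitions. Every threshold and window length is an assumption chosen for the illustration; the point is that a tool embedding any one of them silently fixes an answer that moves by hours when the definition changes.

```python
from datetime import datetime, timedelta

# Constructed hourly rainfall totals in mm for a hypothetical site (not data
# from any station or event): light rain, a lull, then the heavy band.
START = datetime(2020, 1, 1, 0, 0)
HOURLY_MM = [0.0, 0.4, 1.2, 2.5, 1.0, 0.2, 0.0, 3.8, 7.5, 12.0, 15.5, 9.0, 4.0, 1.0]


def onset_by_hourly_threshold(rain, start, threshold_mm, min_hours):
    """Start of the first run of `min_hours` consecutive hours, each with at
    least `threshold_mm` of rain; None if the record never qualifies."""
    run = 0
    for i, mm in enumerate(rain):
        run = run + 1 if mm >= threshold_mm else 0
        if run == min_hours:
            return start + timedelta(hours=i - min_hours + 1)
    return None


def onset_by_accumulation(rain, start, window_hours, total_mm):
    """End of the first `window_hours` window whose accumulation reaches
    `total_mm`; None if no window qualifies."""
    for i in range(window_hours - 1, len(rain)):
        if sum(rain[i - window_hours + 1:i + 1]) >= total_mm:
            return start + timedelta(hours=i)
    return None


def onset_candidates(rain, start):
    """The same record read under four definitions of 'heavy rainfall began'.
    All thresholds are assumptions chosen for this illustration."""
    return {
        ">=2 mm/h, any single hour": onset_by_hourly_threshold(rain, start, 2.0, 1),
        ">=2 mm/h for 2 consecutive h": onset_by_hourly_threshold(rain, start, 2.0, 2),
        ">=5 mm/h for 2 consecutive h": onset_by_hourly_threshold(rain, start, 5.0, 2),
        "25 mm accumulated in 3 h": onset_by_accumulation(rain, start, 3, 25.0),
    }


def onset_spread_hours(rain, start):
    """Hours between the earliest and latest onset the definitions give."""
    times = [t for t in onset_candidates(rain, start).values() if t is not None]
    return (max(times) - min(times)).total_seconds() / 3600


if __name__ == "__main__":
    for name, when in onset_candidates(HOURLY_MM, START).items():
        print(f"{name:32s} -> {when}")
    print("spread between definitions:", onset_spread_hours(HOURLY_MM, START), "h")
```

On this record the isolated 2.5 mm hour at 03:00 satisfies the weakest definition, the persistence definitions move the onset to 07:00 or 08:00, and the accumulation definition to 10:00, a seven-hour spread. An event-oriented analyst asking "when did the storm hit" therefore has to state which of these discrete readings of the continuous record is meant, and a tool has to expose that choice rather than bury it.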

Most of the above challenges relate to the identification of sound, factual information regarding an incident. With suitable investment, some appear to be addressable with currently available KE technology and human-in-the-loop solutions that don't rely on automation; others may require additional developments. A different type of challenge involves the automated development of broad lessons through the identification of similar (but not necessarily identical) patterns across incidents, in order to address such broad questions as "Besides Blayais, have there been any other precursors to the Fukushima Daiichi reactor accidents?" The project team members can envision approaches to develop KE solutions to this class of problems but do not have strong knowledge of the current state of practical tools or approaches in this area.
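Two of the challenges in the list above, a key fact asserted once in a single document and a factual error propagated through several documents, can be shown with a small cross-document tally. The following Python script is an added example and is not part of the NRC report; the four document snippets are constructed for the illustration and are not quotations from any cited source, and the two regular-expression extractors are deliberately simple stand-ins for a real information-extraction step.

```python
import re
from collections import Counter

MONTHS = ("January|February|March|April|May|June|July|August|"
          "September|October|November|December")
DATE_RE = re.compile(rf"\b(\d{{1,2}} (?:{MONTHS}) \d{{4}})\b")
POWER_RE = re.compile(r"offsite power (?:remained|was) (un)?available", re.IGNORECASE)

# Constructed snippets, not quotations from any real report. Three later
# documents repeat a date copied from the conference paper; only the original
# report states that offsite power stayed available.
DOCUMENTS = {
    "original_report": (
        "The storm reached the site on 27 December 1999. "
        "Offsite power remained available throughout the incident."
    ),
    "conference_paper": (
        "The storm reached the site on 28 December 1999. "
        "Offsite power was unavailable for several hours."
    ),
    "workshop_slides": "Flooding began on 28 December 1999 after the dike was overtopped.",
    "review_article": "The 28 December 1999 flood affected two units.",
}


def extract_facts(text):
    """Return (fact_type, value) pairs found in one document."""
    facts = [("date", d) for d in DATE_RE.findall(text)]
    m = POWER_RE.search(text)
    if m:
        facts.append(("offsite_power", "unavailable" if m.group(1) else "available"))
    return facts


def tally_facts(documents):
    """Count, per fact type, how many documents assert each value. A value is
    counted once per document so repetition inside one text adds no support."""
    tally = {}
    for text in documents.values():
        for fact_type, value in set(extract_facts(text)):
            tally.setdefault(fact_type, Counter())[value] += 1
    return tally


def rank_by_support(tally, fact_type):
    """Frequency-based ranking: the value asserted by the most documents first."""
    return tally[fact_type].most_common()


def conflicts(tally):
    """Fact types for which the corpus asserts more than one distinct value."""
    return {ft: dict(c) for ft, c in tally.items() if len(c) > 1}


def single_mentions(tally):
    """Values asserted by exactly one document; a pure frequency ranking
    buries these, whether they are the one correct statement or a lone error."""
    return sorted((ft, v) for ft, c in tally.items() for v, n in c.items() if n == 1)


if __name__ == "__main__":
    t = tally_facts(DOCUMENTS)
    print("date, by number of documents:", rank_by_support(t, "date"))
    print("conflicting facts:", conflicts(t))
    print("single-document facts:", single_mentions(t))
```

Ranking by document count puts the propagated date first (three documents against one), and the offsite-power fact splits one against one, so frequency alone resolves neither. What a reviewer needs is the conflict list: each entry there is a fact whose credibility has to be settled by reading the documents, checking provenance (which document copied from which) and, if needed, going back to primary records, rather than by counting.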


5. CONCLUSIONS AND RECOMMENDATIONS

This report documents an exploratory project aimed at: 1) developing qualitative insights based on past NPP incidents, 2) providing an educational experience for the project participants, and 3) identifying potential lessons for the development of future data mining tools. Our overall results are as follows.
1) We have identified insights we consider to be useful for PRA practitioners and developers. Some of these insights (e.g., regarding the potential importance of warning times and precautionary measures, less-than-extreme hazard levels, multiple hazards, hazard persistence, offsite hazard management activities, failure of hazard mitigation SSCs, multi-unit and offsite impacts, and HRA complexities) provide additional empirical support to lessons well-recognized by the hazards and PRA communities, especially in the aftermath of the Fukushima Daiichi reactor accidents of 2011. Others, including the potential importance of multiple shocks, scenario dynamics and multi-site events, appear to be less-widely discussed and might imply future development needs.
2) We have improved our understanding of events and mechanisms for some well-known incidents involving external hazards, and have identified and analyzed a number of notable incidents that were previously unknown to us and, we believe, many in the PRA community.
3) We have identified a number of challenges potentially important to the development of advanced KE tools aimed at mining operational experience records in support of external hazards PRAs. These challenges include: the appropriateness of current event significance measures (e.g., CCDPs, IAEA INES ratings) in screening incidents for further study; the appropriateness of analytics-based algorithms for identifying risk-important facts or events; the potential multiplicity of sources documenting an incident, variances in information across these sources, and even the potential for errors in information; and the need to consider the perspectives of a wide range of technical disciplines when integrating information regarding an external-hazards initiated incident.

Regarding the first point, conservative analysis assumptions can often be used to avoid analysis complexities, but overly conservative analyses can improperly bias PRA results and mask important risk contributors. In turn, this masking could discourage preparing (e.g., through the development and exercise of procedures and training) for less-than-catastrophic scenarios that might be important contributors to actual risk.

Regarding the second point, it is interesting to note that although it was not a project aim, we have identified two incidents (Hinkley Point, 1981; Turkey Point, 1992) bearing notable similarities with the well-known Blayais flooding event of 1999, and that therefore, from a technical perspective, might reasonably be considered as precursors to the Fukushima Daiichi reactor accidents of 2011. Considering the post-event interest in precursors to the Fukushima accidents [10], it appears that a pre-event analysis using the approach discussed in this report could have been informative.

When considering the above results, it is important to recognize the following limitations.

  • The project was a limited scope, exploratory effort. Most of the documents reviewed do not provide many details of interest to PRA modelers. A more extensive effort to identify, acquire, and analyze further documents could result in additional useful insights.
  • Many of the incidents reviewed are quite old, and the subject plants have changed since then. Some of our insights may no longer be applicable for these plants.
  • The project was a purely qualitative exercise. Our observations provide an empirical indication of possibility, but do not provide any indication of quantitative likelihood.

Given our positive view of the results, we believe that a number of follow-on activities could be valuable. These activities could range from similar, modestly-scoped NRC staff development activities to larger-scale efforts, perhaps involving international organizations such as the IAEA or Nuclear Energy Agency (NEA) working groups. The activities could be limited to PRA-oriented explorations of additional storm- and/or flooding-related incidents, possibly including major storms that could have but didn't affect NPPs, or incidents illustrating other topics of interest to the PRA community (e.g., passive systems, errors of commission) that are not necessarily related to external hazards. More ambitiously, it might be desirable to pursue activities aimed at:

  • creating authoritative reference documents, e.g., collections of PRA-oriented descriptions of selected events, to support agency and even industry knowledge management (KM) activities; and/or
  • updating incident reporting guidelines to more explicitly address key PRA elements.

In light of the potential benefits, the project team recommends that:

1. information from the project be disseminated to other potentially interested NRC staff (particularly those involved with risk assessment and with operational experience reviews, but also those involved in broader agency KM activities) via report distribution and presentations;
2. follow-on efforts be considered in Office of Nuclear Regulatory Research planning (including planning for broader applications of advanced KE tools [58], as well as planning for PRA activities); and
3. information from the project be disseminated to potentially interested international groups (including the NEA Working Group on Risk Assessment - WGRISK, the NEA Working Group on Operational Experience - WGOE, and the IAEA Division of Nuclear Installation Safety) as input for future activity planning.


ACKNOWLEDGEMENTS

The authors gratefully acknowledge R. Sigmon (NRC), C. Jones (NRC), F. Corenwinder (IRSN), H. Pesme (EDF), and F. Ferrante (EPRI) for information provided to help this project, and P. Dupuy (IRSN), G. Georgescu (IRSN), and J. Gauvain (retired) for information provided for past projects that we used in the current effort. We also thank H. Rasouli (NRC) for his support during the initial stages of the project, and F. Ferrante and M. Bensi (U. Maryland) for their useful comments on an early conference paper discussing the status of this project.


REFERENCES

[1] U.S. Nuclear Regulatory Commission, The Browns Ferry Nuclear Plant Fire of 1975: Knowledge Management Digest, NUREG/KM-0002, 2013.

[2] U.S. Nuclear Regulatory Commission, Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants, WASH-1400 (NUREG-75/014), 1975.

[3] G. Apostolakis, M. Kazarians, and D.C. Bley, Methodology for assessing the risk from cable fires, Nuclear Safety, 23, pp. 391-407, (1982).

[4] N. Siu, N. Melly, S. P. Nowlen, and M. Kazarians, Fire risk assessment for nuclear power plants, The SFPE Handbook of Fire Protection Engineering, 5th Edition, Springer-Verlag, New York, 2016.

[5] S. Poghosyan and O. Coman, IAEA project: multiunit probabilistic safety assessment, Proceedings of PSAM 14, Fourteenth International Conference of Probabilistic Safety Assessment and Management (this conference), Los Angeles, CA, September 16-21, 2018.

[6] S. Yalaoui, et al., WGRISK Site-level PSA project: status update and preliminary insights for the risk aggregation focus area, Proceedings of ANS International Topical Meeting on Probabilistic Safety Assessment (PSA 2017), Pittsburgh, PA, September 24-28, 2017.

[7] N. Siu, et al., PSA technology challenges revealed by the Great East Japan Earthquake, Proceedings of PSAM Topical Conference in Light of the Fukushima Daiichi Accident, Tokyo, Japan, April 15-17, 2013.

[8] International Atomic Energy Agency and Nuclear Energy Agency, INES: The International Nuclear and Radiological Event Scale, Users Manual 2008 Edition, IAEA, Austria, 2008.

[9] Institut de Protection et de Sûreté Nucléaire, Rapport Sur L'Inondation Du Site Du Blayais, Fontenay-aux-Roses, France, January 2000. (Available from: http://www.irsn.fr/FR/expertise/rapports_expertise/Documents/surete/rapport_sur_l_inondation_du_site_du_blayais.pdf)

[10] Nuclear Energy Agency, Working Group on Operating Experience [WGOE] Report on Fukushima Daiichi NPP Precursor Events, NEA/CNRA/R(2014)1, Boulogne-Billancourt, France, 2014.

[11] N. Siu, K. Coyne, and F. Gonzalez, Knowledge management and knowledge engineering at a risk-informed regulatory agency: challenges and suggestions, U.S. Nuclear Regulatory Commission, March 2017. (ADAMS ML17089A538)

[12] N. Siu, J.T. Chen, and E. Chelliah, Research needs in fire risk assessment, Proceedings of 25th U.S. Nuclear Regulatory Commission Water Reactor Safety Information Meeting, Bethesda, MD, October 20-22, 1997, NUREG/CP-0162, Vol. 2, pp.93-116, (1997).

[13] S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained from Fire Incidents, NUREG/CR-6738, U.S. Nuclear Regulatory Commission, 2001.

[14] S. Kaplan and B.J. Garrick, On the quantitative definition of risk, Risk Analysis, 1, pp. 11-37, (1981).

[15] U.S. Nuclear Regulatory Commission, Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, 2013.

[16] U.S. Nuclear Regulatory Commission, Achieving Modern Risk-Informed Regulation, SECY-18-0060, May 23, 2018. (ADAMS ML18110A187).


[17] M. Barriere, W. Luckas, D. Whitehead, and A. Ramey-Smith, An Analysis of Operational Experience During Low Power and Shutdown and a Plan for Addressing Human Reliability Assessment Issues, NUREG/CR-6093, 1994.

[18] R. Kirby, Hinkley Point Sediment Transport - Potential Impacts of and on New Structures, BEEMS Technical Report 149, Ravensrodd Consultants, Ltd., September 2010. (Available from https://infrastructure.planninginspectorate.gov.uk/projects/south-west/hinkley-point-c-new-nuclear-power-station/?ipcsection=docs&stage=app&filter1=Environmental+Statement)

[19] United Kingdom Environmental Agency, Somerset and the Sea: The 1981 Storm - 25 Years On, 2006.

[20] Commonwealth Edison, Untitled, LER 237-1982-050, December 13, 1982.

[21] F.J. Hebdon, Effect of Hurricane Andrew on the Turkey Point Nuclear Generating Station from August 20-30, 1992, NUREG-1474, U.S. Nuclear Regulatory Commission, 1993. (Available from https://www.osti.gov/biblio/10158520)

[22] M. Leach, et al., NRC 2005 Hurricane Season Lessons Learned Task Force Final Report, STP-06-039, U.S. Nuclear Regulatory Commission, Washington, DC, 2006. (ADAMS ML060900005)

[23] A. Gorbatchev, et al., Report on flooding of Le Blayais power plant on 27 December 1999, Proceedings of EUROSAFE 2000, Cologne, Germany, November 6-7, 2000, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) Gmbh, Cologne, Germany, 2000.

[24] E. Vial, V. Rebour, and B. Perrin, Severe storm resulting in partial plant flooding in Le Blayais nuclear power plant, Proceedings of International Workshop on External Flooding Hazards at Nuclear Power Plant Sites, Atomic Energy Regulatory Board of India, Nuclear Power Corporation of India, Ltd., and International Atomic Energy Agency, Kalpakkam, Tamil Nadu, India, August 29 - September 2, 2005.

[25] P. Dupuy, E. Vial, and L. Gollion, Reassessment of the protection of French nuclear power plants against external flooding in the light of the lessons learned during the flooding of the Blayais site in 1999, Proceedings of International Workshop on External Flooding Hazards at Nuclear Power Plant Sites, Atomic Energy Regulatory Board of India, Nuclear Power Corporation of India, Ltd., and International Atomic Energy Agency, Kalpakkam, Tamil Nadu, India, August 29 - September 2, 2005

[26] E. de Fraguier, Lessons learned from 1999 Blayais flood: overview of EDF flood risk management plan, NRC Regulatory Information Conference, Rockville, MD, March 9-11, 2010. (Available from: https://www.nrc.gov/public-involve/conference-symposia/ric/past/2010/slides/th35defraguierepv.pdf)

[27] Atomic Energy Council, Taiwan, The Station Blackout Incident of the Maanshan NPP Unit 1, April 18, 2001. (Available from: https://www.aec.gov.tw/webpage/control/report/safety/safety_04_002.pdf)

[28] W.S. Raughley and G.F. Lanik, Operating Experience Assessment: Energetic Faults in 4.16 kV to 13.8 kV Switchgear and Bus Ducts That Caused Fires in Nuclear Power Plants 1986-2001, U.S. Nuclear Regulatory Commission, February 2002. (ADAMS ML021290358)

[29] P. Dupuy, G. Georgescu, and F. Corenwinder, Treatment of the loss of ultimate heat sink initiating events in the IRSN Level 1 PSA, NEA/CSNI/R(2014)9, Probabilistic Safety Assessment (PSA) of Natural External Hazards Including Earthquakes: Workshop Proceedings, Prague, Czech Republic, June 17-20, 2013, Nuclear Energy Agency, Boulogne-Billancourt, France, 2014.

[30] Tennessee Valley Authority, Three-Unit Scram Caused By Loss of All 500-kV Offsite Power Sources, LER 259-2011-001, June 27, 2011.

[31] J.L. Hayes, Service Assessment: The Historic Tornadoes of April 2011, U.S. National Weather Service, 2011. (Available from: https://www.weather.gov/media/publications/assessments/historic_tornadoes.pdf)

[32] Entergy Nuclear Operations, Inc., Loss of Off-Site Power Events Due to Winter Storm Nemo, LER 293-2013-003, April 8, 2013.

[33] LaSalle County Station, Unusual Event Declared Due to Loss of Offsite Power and Dual Unit Scram, LER 373-2013-002, January 22, 2014.

[34] Florida Power and Light Co., Internal RAB Flooding During Heavy Rain Due to Degraded Conduits Lacking Internal Flood Barriers, LER 335-2014-001, September 22, 2014.

[35] U.S. Nuclear Regulatory Commission, St. Lucie Plant - Final Significance Determination of White Finding and Notice of Violation, NRC Inspection Report 05000335/2014010 and 05000389/2014010, EA-14-131, 2014. (ADAMS ML14323A786)

[36] U.S. Nuclear Regulatory Commission, Degraded Ability to Mitigate Flooding Events, Information Notice IN-2015-01, 2015. (ADAMS ML14279A268)

[37] U.S. Nuclear Regulatory Commission, Status of the Accident Sequence Precursor Program and the Standardized Plant Analysis Risk Models, SECY-15-0124, Washington, DC, USA, 2015. (ML15187A434)

[38] I. Gifford, C. Hunter, and J. Nakoski, U.S. Nuclear Regulatory Commission Accident Sequence Precursor Program: 2016 Annual Report, May 2017. (ADAMS ML17153A366)

[39] J. Primet and E. Panato, Precursor event program at EDF: objectives, method, results and insights, Proceedings of PSAM 10, Tenth International Conference of Probabilistic Safety Assessment and Management, Seattle, WA, June 14-19, 2010.

[40] N. Siu, et al., Accidents, near misses, and probabilistic analysis: on the use of CCDPs in enterprise risk monitoring and management, Proceedings of ANS International Topical Meeting on Probabilistic Safety Assessment (PSA 2017), Pittsburgh, PA, September 24-28, 2017.

[41] R.E. Haskin, A.L. Camp, S.A. Hodge, and D.A. Powers, Perspectives on Reactor Safety, NUREG/CR-6042, Rev. 2, 2002.

[42] Nuclear Energy Agency, Probabilistic Safety Assessment (PSA) of Natural External Hazards Including Earthquakes, NEA/CSNI/R(2014)9, Proceedings of OECD/NEA/CSNI/WGRISK Workshop, Prague, Czech Republic, 17-20 June 2013.

[43] J. Weglian, External Flooding Hazard Analysis: State of Knowledge Assessment, TR 3002005292, Electric Power Research Institute, Palo Alto, CA, 2015.

[44] R.J. Budnitz and H.E. Lambert, An Evaluation of the Reliability and Usefulness of External-Initiator PRA Methodologies, NUREG/CR-5477, 1990.

[45] G.B. Baecher, Flow control and spillway systems reliability, U.S. Nuclear Regulatory Commission Regulatory Information Conference, Rockville, MD, March 11-14, 2013. (Available from https://www.nrc.gov/public-involve/conference-symposia/ric/past/2013/docs/abstracts/baecherg-hv-t9.pdf)

[46] C. Perrow, Normal Accidents: Living with High Risk Technologies, Basic Books, 1984.

[47] A. Burton, et al., "A stochastic model for the spatial-temporal simulation of nonhomogeneous rainfall occurrence and amounts," Water Resources Research, 46(11): W11501, (2010).

[48] M.G. Schaefer, Stochastic event flood model (SEFM) stochastic modeling of extreme floods, Western Hydropower Dam Owners Workshop, July 2011. (Available from: http://www.mgsengr.com/damsafetyfiles/Workshop_H&H_SEFM_Overview_Folsom.pdf)

[49] M. Roewekamp, S. Spebeck, and G. Gaenssmantel, Screening approach for systematically considering hazards and hazard combinations in PRA for a nuclear power plant site, Proceedings of ANS International Topical Meeting on Probabilistic Safety Assessment (PSA 2017), Pittsburgh, PA, September 24-28, 2017.

[50] Nuclear Energy Agency, Severe Weather and Storm Surge, NEA/CSNI/R(2017)13, Proceedings of OECD/NEA/CSNI/WGEV Workshop, Paris, France, in publication.

[51] G. Heo, et al., Gap analysis between single-unit and multi-unit PSAs for Korean NPPs, Proceedings of 13th International Conference on Probabilistic Safety Assessment and Management (PSAM 13), Seoul, Korea, October 2-7, 2016.

[52] C.L. Atwood, et al., Handbook of Parameter Estimation for Probabilistic Risk Assessment, NUREG/CR-6823, 2003.

[53] S.M. Cetiner, et al, Level-0 PRA: Risk-informing the nuclear power plant I&C system, Nuclear News, pp. 48-52, February 2015.

[54] D. Dube, et al., Exelon economic enterprise risk modeling of a BWR, Proceedings of ANS International Topical Meeting on Probabilistic Safety Assessment (PSA 2017), Pittsburgh, PA, September 24-28, 2017.

[55] N. Siu, "Risk assessment for dynamic systems: an overview," Reliability Engineering and System Safety, 43, No. 1, pp. 43-73, (1994).

[56] Advanced Concepts in Nuclear Energy Risk Assessment and Management, T. Aldemir (Ed.), World Scientific Publishing Co (2018). (Available from: https://www.worldscientific.com/worldscibooks/10.1142/10587)

[57] Z. Ma, C. Smith, and S. Prescott, A case study of simulation-based dynamic analysis approach for modeling plant response to flooding events, Proceedings of ANS International Topical Meeting on Probabilistic Safety Assessment (PSA 2017), Pittsburgh, PA, September 24-28, 2017.

[58] N. Siu, S. Dennis, M. Tobin, P. Appignani, K. Coyne, G. Young, and S. Raimist, Advanced Knowledge Engineering Tools to Support Risk-Informed Decision Making: Final Report (Public Version), December 2016. (ADAMS ML16355A373)

[59] N. Siu, I. Gifford, Z. Wang, M. Carr, and J. Kanney, Qualitative PRA Insights from Operational Events: An Exploratory Study, U.S. Nuclear Regulatory Commission, September 2018. (ADAMS ML18248A117, non-public)

APPENDIX A - PRA-ORIENTED EVENT REVIEWS

NPP operational experience (OpE) provides a rich source of empirical evidence useful for: a) PRA analysts aiming to improve the realism of their models through the addition or rejection of hypothesized scenarios or scenario elements (e.g., failure mechanisms), 24 and b) PRA researchers interested in identifying situations where PRA technology development could be warranted. General OpE sources, such as those referenced in this report, provide valuable information on key occurrences (e.g., equipment and safety functions lost) and on key factors behind these occurrences (e.g., the causes of equipment losses), as well as free-form narratives helping readers understand the progression of events. Some of the sources are in the form of structured databases that have fields enabling rapid searching and screening. Of course, most of these sources are not aimed directly at PRA applications, and individual incident reports may not fully address or even include information of potential interest to PRA analysts and developers, including scenario elements that:

- do not directly involve plant response to the storm (e.g., the buildup of a storm, which affects warning times and the ability to prepare; and the offsite effects of a storm, which can be relevant to the offsite consequences of an accident, as well as the plants access to offsite resources);

- affected the success or failure of PRA-relevant SSCs and/or operator actions; or

- were unimportant for the evolution of the actual incident but could be important in other circumstances (e.g., the Fukushima Daiichi Unit 1 operator actions to isolate the isolation condenser [A1-A3]).

The 1999 Blayais and 1981 Hinkley Point incidents illustrate some of these points. (Some points, e.g., regarding the lack of discussion of offsite effects, are not applicable to Blayais and Hinkley Point, but are relevant to other incidents reviewed in this study.)

A.1 Blayais (12/27/1999)

The 1999 Blayais incident, officially classified as an INES Level 2 event, i.e., not even a serious incident (INES Level 3) let alone an accident (INES Level 4 and above), is quite well documented. Public sources of information include, for example:

  • a report by the Institut de Protection et de Sûreté Nucléaire (IPSN) 25 shortly following the event [A4],
  • a follow-on conference paper - largely a direct translation of the IPSN report with a few extensions [A5], and
  • numerous subsequent workshop and conference papers and presentations (e.g., [A6, A7]).

24 Of course, the occurrence of a scenario at one NPP does not mandate its inclusion in a PRA for another NPP, nor does the lack of occurrences necessarily justify neglect in the PRA model. However, empirical information is useful when deciding how to use available resources in developing a model suitably realistic for its intended application.

25 The IPSN was the predecessor of the current Institut de Radioprotection et de Sûreté Nucléaire (IRSN), which is the technical support organization for the Autorité de Sûreté Nucléaire (ASN), the French nuclear regulatory authority.

We make the following observations. 26

Hazard

  • The publicly available sources provide information on the storm strength (pressure drop and wind speeds) and an implicit, qualitative indication of the storm likelihood (e.g., the storm was exceptionally strong).
  • None of the sources discuss the conditions preceding the storm. In particular, per Wikipedia, 27 Storm Martin, the storm that affected Blayais, struck Europe only a day after another exceptionally severe storm, Storm Lothar [A8]. From a PRA perspective, prior conditions might be relevant when characterizing the context for operator actions. They also indicate one complexity for future PRA analyses employing stochastic storm simulation modeling.

  • Both public and non-public sources (e.g., an INPO report, reports to IAEA) provide considerable information on the spatial extent of flooding within and outside the plant. There is also information indicating when the flood waters receded. However, none of the sources provide information on the onsite duration of the storm itself. Such information would help indicate the duration of hazardous, non-flooding conditions onsite (e.g., wind speeds, which can affect the feasibility and success likelihood of various operator actions). Perhaps more importantly, none of the sources indicate the potential effects of a longer-lasting flooding event (e.g., whether such an event could have caused the failure of additional key SSCs such as the AFW pumps, the EDGs, or Train B of ESW). A longer-lasting flood would also have further delayed the arrival of offsite personnel. 28

  • Both public and non-public sources indicate the multiple hazards posed by a storm, including flooding, high winds, and dynamic flooding forces. As discussed in the main body of this report, the treatment of multiple hazards is a challenge for current PRA technology.

26 Note that Ref. 25 of our main report provides useful additional information on Blayais. However, we received this paper too late to perform a detailed review. Recognizing that the lead authors of that paper have also authored documents included in our analysis, we expect that our findings would not be substantially changed by such a detailed review.

27 We recognize that in general, Wikipedia articles are not necessarily authoritative. However, regarding articles on major storms, we find their factual information on dates, intensities, etc. to be sufficiently reliable for the purposes of this report. We also recognize that the naming of storms, although useful for general readers, tends to be frowned upon by the meteorological community.

28 Note that a typical "game over" PRA modeling approach, which assumes that a flood reaches its maximum height instantaneously and lasts indefinitely, is reasonable for a bounding analysis aimed at determining whether flooding might be risk-important for the site. However, such an approach will not provide many insights helpful to the development or improvement of actual flood response procedures, training, etc.


Fragility

  • A plant's staff may judge an SSC to be inoperable (e.g., due to partial immersion), even if it is not known to be failed.
  • Most of the sources identify SSCs that were failed (or considered to be failed) and key SSCs that were not failed. However, for the non-failed SSCs, they do not indicate the degree to which SSCs in partially flooded rooms were actually exposed to the hazard (e.g., whether they experienced some degree of wetting).
  • The discussions of storm-related damage to flood mitigation features are mixed. Most of the sources identify flood-caused damage to internal barriers (particularly a fire door), but only a few mention damage to the plant dike.

Response

  • The publicly available sources provide a good discussion of the general method used to achieve long-term, stable conditions. They also identify a number of considerations (the possibility of subsequent relief valve failures and concerns with potential Y2K challenges) that entered into the choice of this method, and discuss the role of the offsite technical experts consulted.
  • The mobilization of national crisis teams indicates a degree of concern at the time that appears to be beyond the post-event characterization of the event as an Incident (INES Level 2). Note that the assessed conditional core damage probability (CCDP) for this event is 2E-3 [A6], 29 which corresponds to a significant precursor by the standards of the NRC's Accident Sequence Precursor program.
  • In a similar vein, none of the sources provide any information on the psychological state of the plant operators. In addition to the challenges of dealing with an unexpected, serious storm, it can be expected that plant operators were worried about the impact of the storm on family and communities offsite. As indicated in the main body of this report, such concerns were a factor during Hurricane Andrew. Such concerns were also a factor during the Fukushima Daiichi reactor accident.

A.2 Hinkley Point (12/13/1981)

The 1981 Hinkley Point flooding incident appears to have been a much less serious challenge than Blayais, and the incident has far less notoriety. Information on that event is provided by:

  • a technical report supporting the siting of a new reactor at Hinkley Point [A9]; 30
  • a retrospective report on the storm that caused site flooding [A10];

29 Ref. A6 does not provide the basis for the assessed CCDP. For example, it does not indicate if the value includes the possibility of flooding-induced failure of the EDGs and, if so, how the probability of such an event was estimated.

30 Although the report cover indicates limited distribution, the report is now available for download from a UK government website.


  • suggestive, if not necessarily authoritative, Wikipedia articles on weather conditions at the time [A11, A12]; and
  • official, non-public reports provided to the IAEA IRS.

We make the following observations.

Hazard

  • The retrospective report on the storm [A10] provides useful information on the storm buildup and severity, but does not provide information on potentially relevant conditions preceding the storm.
  • The reports indicate flooding of the cooling water (CW) pump house and wide-scale flooding in the surrounding area. There is no discussion of the extent of flooding elsewhere onsite, or of the degree of potential threat to any other equipment (notably for Station B).

Fragility

  • No information is provided on SSCs affected beyond the six CW pump motors for Station A. Lacking positive statements regarding unaffected equipment, it is unclear if other SSCs were not failed, or if some failed but were not judged important enough to report.
  • There is some discussion of sea wall damage away from the plant, and an indication that the plant sea wall was not damaged.

Response

  • The reports indicate the loss of CW for Station A (leading to a prolonged outage).
  • None of the reports mention any outdoor actions during the storm, or the use of line washing (apparently a standard post-storm procedure to clear salt deposits from station power lines).

A.3 Summary

The Blayais and Hinkley Point examples above show that non-PRA-oriented event reports provide information valuable to: a) the interpretation of the risk-significance of an operational incident (e.g., how close a plant came to an actual accident); and b) the identification of features that should be considered in a PRA for other facilities. They also show that there are gaps in the information that would likely be identified and prioritized in a PRA-oriented review.

This suggests the potential value of: a) additional incident reviews along the lines of those conducted in this project; and b) the revision of OpE incident reporting guidelines that more explicitly address key PRA elements.


A.4 References

[A1] Government of Japan, Investigation Committee on the Accident at the Fukushima Nuclear Power Stations of Tokyo Electric Power Company, Interim Report, December 26, 2011. (Available from: http://icanps.go.jp/eng/interim-report.html)

[A2] Tokyo Electric Power Company, Inc., Fukushima Nuclear Accident Analysis Report, June 20, 2012. (Available from http://www.tepco.co.jp/en/press/corp-com/release/2012/1205638_1870.html)

[A3] N. Siu, et al., PSA technology challenges revealed by the Great East Japan Earthquake, Proceedings of PSAM Topical Conference in Light of the Fukushima Daiichi Accident, Tokyo, Japan, April 15-17, 2013.

[A4] Institut de Protection et de Sûreté Nucléaire, Rapport Sur L'Inondation Du Site Du Blayais, Fontenay-aux-Roses, France, January 2000. (Available from: http://www.irsn.fr/FR/expertise/rapports_expertise/Documents/surete/rapport_sur_l_inondation_du_site_du_blayais.pdf)

[A5] A. Gorbatchev, et al., Report on flooding of Le Blayais power plant on 27 December 1999, Proceedings of EUROSAFE 2000, Cologne, Germany, November 6-7, 2000, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) GmbH, Cologne, Germany, 2000.

[A6] E. Vial, V. Rebour, and B. Perrin, Severe storm resulting in partial plant flooding in Le Blayais nuclear power plant, Proceedings of International Workshop on External Flooding Hazards at Nuclear Power Plant Sites, Atomic Energy Regulatory Board of India, Nuclear Power Corporation of India, Ltd., and International Atomic Energy Agency, Kalpakkam, Tamil Nadu, India, August 29 - September 2, 2005.

[A7] E. de Fraguier, Lessons learned from 1999 Blayais flood: overview of EDF flood risk management plan, NRC Regulatory Information Conference, Rockville, MD, March 9-11, 2010. (Available from: https://www.nrc.gov/public-involve/conference-symposia/ric/past/2010/slides/th35defraguierepv.pdf)

[A8] https://en.wikipedia.org/wiki/Cyclones_Lothar_and_Martin (accessed June 13, 2018).

[A9] R. Kirby, Hinkley Point Sediment Transport - Potential Impacts of and on New Structures, BEEMS Technical Report 149, Ravensrodd Consultants, Ltd., September 2010. (Available from https://infrastructure.planninginspectorate.gov.uk/projects/south-west/hinkley-point-c-new-nuclear-power-station/?ipcsection=docs&stage=app&filter1=Environmental+Statement)

[A10] United Kingdom Environment Agency, Somerset and the Sea: The 1981 Storm - 25 Years On, 2006.

[A11] https://en.wikipedia.org/wiki/1981-82_United_Kingdom_cold_wave (accessed June 11, 2018).

[A12] https://en.wikipedia.org/wiki/1981_United_Kingdom_tornado_outbreak (accessed June 11, 2018).


APPENDIX B - EVENT TIMELINES AND DESCRIPTIONS

This appendix provides timeline information for the U.S. incidents listed in Table 1 of this report.

Timeline information for international events can be obtained from the IAEA IRS.

B.1 Dresden (12/3/1982)

Time               Time from first Alert   Water elevation in Crib House   Height above service water pump floor
12/3/1982 1940     --                      509' 2"                         -4"
12/4/1982 ~0600    10 hr 20 min            509' 11.5"                      +5.5"
12/4/1982 ~2000    24 hr 20 min            509' 0"                         -6"

Date/Time   Event or Step Description

Prior to event   Unit 2 at 50% power, Unit 3 at 100% power.

December 2-3   Heavy rainfall event of 3 in over 9 hours (locally), peaking at 0.6 in/hr. Precipitation affects much of the contributing basin for both the Illinois and Kankakee Rivers (see Figure B.1-1).

December 2   Flow starts to increase in the river.

December 3, 1940   During a routine Crib House inspection, the intake water level at the Crib House was observed at 509' 2", which is 4 inches below the service water pump floor.

1940   General Station Emergency Plan (GSEP) Alert was declared based on procedure 200-11. Emergency Procedure Implementation Plan 200-T1 was initiated.

2237   Units 2 and 3 in cold shutdown condition.

December 4, early hours   Elevation in the Crib House rises to 509' 11.5", which is 5.5 inches above the service water pump floor. Pumps do not fail.

0600   Illinois River peaks above record flow/stage, estimated as a 90-year return period (AEP ~1.1E-2). Exceeded previous maximum stage at Marseilles by 1.5 ft.

~2000   Flood level has dropped to 509'; no further rain predicted. Onsite review conducted. Units 2 and 3 restarted.


Figure B.1-1. 24-hour total precipitation maps during the 1982 Dresden area event. Approximate location of the station shown by a red circle. (From https://pubs.er.usgs.gov/publication/wsp2362)

Figure B.1-2. Measured and estimated rainfall and elevations in the Illinois River and the Crib House during the 1982 Dresden event. Horizontal lines indicate service water pump elevation and load dispatcher contact elevation established after the event. Vertical line indicates timing of Plant Response to event, including Alert, Shutdown and Restart. (Derived from https://www.ncdc.noaa.gov/cdo-web/datasets/LCD/stations/WBAN:14819/detail and http://rivergages.mvr.usace.army.mil/.)


B.2 Turkey Point (8/24/1992)

Time                          Sustained wind speed (mph)   Wind gusts (mph)
0000                          10                           15
0200                          24                           35
0300                          30                           45
0330                          40                           55
0400                          60                           85
0410                          -                            98
0440 (eye passes over site)   20                           -
0705 (winds subside)          -                            -

Date/Time   Event or Step Description

August 17   Turkey Point staff began tracking Tropical Storm Andrew in the control room.

August 21   Plant staff began implementing the Emergency Plan Implementing Procedure (EPIP), including moving equipment inside, tying down equipment, and preparing for storm surge. Equipment was moved from the Unit 3 diesel fuel oil tank, which did not have missile protection.

August 23   An Unusual Event was declared due to a hurricane warning issued by the National Hurricane Center.

1800   Unit 3 began shutting down. Turkey Point operators estimated that it would take 8 hours to complete an orderly shutdown and wanted to stagger the shutdown of each unit by 2 hours. There was concern over the main turbines and balance-of-plant supporting equipment being located on an open-air deck (risking personnel if they needed to be outside). Unit 3 reached Mode 3 at 1940 and Mode 4 at 0213 on August 24.

2000   Unit 4 began shutting down. Both units were kept in Mode 4, rather than Mode 5, to retain the steam-driven auxiliary feedwater pumps as an option for removing decay heat. Unit 4 reached Mode 3 at 2245 and Mode 4 at 0405 on August 24.

August 24, 0400   Hurricane Andrew passed directly over Turkey Point, with sustained winds of 145 mph and gusts of at least 175 mph. Spurious alarms were received for spent fuel pool low level and instrument air pressure low.

0415 Offsite electronic communications were lost. Onsite communication remained available.

0440 Unit 3 lost offsite power. Emergency diesel generators (EDGs) started and loaded the safety buses.

The breaker for the residual heat removal (RHR) discharge valve to cold legs failed because of water damage from rain infiltration. A battery charger failed as well. In both cases, the redundant system was not affected.

0522 Unit 4 lost offsite power. EDGs started and loaded the safety buses.

0800 Health physics begin surveying for radiation. Offsite communication was established.

0900 Offsite communications were lost again for 6.5 hours. Helicopters were used for communication.

1000 Radiation surveys are complete. Water intrusion caused slight contamination of the RHR equipment areas.

1100 Unit 4 EDG A tripped while trying to isolate a ground on the direct current (DC) control power supply. The EDG was restarted shortly after.

August 27 Unit 3 EDG A tripped and was restarted 2.5 hours later.

August 28 The Davis 1 line of offsite power was restored, but remained unreliable for several hours.

August 30 The startup transformers (SUTs) for Units 3 and 4 were energized.

August 31 A second offsite line was established.

Figure B.2-1. Timeline of events at Turkey Point during August 1992 before and after Hurricane Andrew.

Figure B.2-2. Timeline of events at Turkey Point during August 1992 close to the time of passing of Hurricane Andrew.

B.3 Browns Ferry (4/27/2011)

Date/Time   Event or Step Description

April 27, 1401   Operations personnel were notified that the site was under a tornado warning. The actions of Procedure 0-A01-107, Severe Weather, were addressed.

1636 Loss of all 500 kV offsite power sources occurred. All units automatically scrammed and 7 of 8 emergency diesel generators (EDGs) started and loaded to their respective 4kV shutdown boards. EDG 3B was unavailable due to planned maintenance. The 161 kV offsite power (Athens) source remained available, but was not used until May 2nd.

1701 Browns Ferry declared an Unusual Event due to the loss of normal and alternate supply voltage to all unit-specific 4 kV shutdown boards.

April 28, 0243   Unit 3 entered Mode 4 (cold shutdown).

0545   Unit 2 entered Mode 4.

2330   An EDG C governor hydraulic oil piping leak was observed by operations personnel. Maintenance personnel were notified to prepare to add oil. Operations personnel prepared to switch residual heat removal (RHR) pumps.

2338   Operations personnel performed an emergency shutdown of EDG C due to the hydraulic oil piping leak. Shutdown cooling (SDC) was lost to Unit 1 and Unit 2. Unit 1 SDC was lost due to the loss of power to 4 kV Shutdown Board C (which was being powered by EDG C); this also resulted in a loss of power to reactor protection system (RPS) Train B, causing a primary containment isolation system (PCIS) actuation. Unit 2 SDC was lost because the running RHR Pump 2B lost power.

2342 Unit 2 SDC was restored by starting RHR Pump 2D.

April 29, 0025   Unit 1 SDC was restored by resetting the PCIS signal and re-establishing SDC.

May 2, 0626   The output breaker of EDG A tripped and power was lost to 4 kV Shutdown Board A, causing a loss of Unit 1 SDC. A half-scram (due to loss of RPS A) and PCIS Group 2, 3, 6, and 8 signals were received.

0643 Power was restored to 4 kV Shutdown Board A from the 161 kV offsite power source.

0652 Half-scram and PCIS signals were reset.

0723 Unit 1 SDC restored.

2010 All shutdown boards were powered from two qualified 161 kV offsite power sources, and all EDGs were secured and in standby readiness.


B.4 Pilgrim (2/8/2013)

Date/Time   Event or Step Description

February 8, 2102   A major fault occurred on offsite line 342, which remained de-energized for the remainder of the storm.

2117 A fault on line 355 occurred, resulting in a full load reject of the main generator, subsequent reactor scram, and loss of the startup transformer (SUT). The emergency diesel generators (EDGs) automatically started and provided power to safety buses A5 and A6. Reactor core isolation cooling (RCIC) was placed in service to maintain reactor vessel water level. High pressure coolant injection (HPCI) was placed in service to control reactor pressure. All systems performed as designed to bring the reactor to Mode 3, including initiation of reactor water cleanup isolation, reactor building isolation, and the standby gas treatment system.

2200 An Unusual Event was declared for a loss of offsite power (LOOP) to the safety buses.

2211 Offsite line 355 was restored and breaker ACB-102 was closed manually to re-energize the SUT.

2340 A phase 'B' fault on the SUT bus tripped the SUT bus lockout relay. The relays that initiated the bus trip indicated the fault was within the SUT protection scheme, but external to the SUT.

February 9, 1815   Line 355 was re-energized and the SUT was energized. Non-safety buses A1, A2, A3, and A4 were powered by the SUT.

February 10, 0400   Offsite power was restored to safety bus A5 through the SUT via a single 345 kV line.

0830   Offsite power was restored to safety bus A6 through the SUT. The EDGs were secured and placed in standby. RHR was in shutdown cooling mode to maintain the reactor in cold shutdown. Fuel pool cooling was in service with fuel pool temperatures trending down.

1055 Pilgrim terminated the Unusual Event.

1401 With all control rods fully inserted and the reactor in cold shutdown conditions, the plant experienced a second LOOP with a flashover fault on the phase B bus work of the SUT due to salt contaminated ice bridging on the phase insulator. This resulted in the tripping of breaker ACB-102 and loss of power to the safety buses. Both EDGs auto-started as designed and provided power to the safety buses. This LOOP resulted in de-energization of both reactor protection system channels, resulting in a reactor scram signal and loss of shutdown cooling.

1426 Shutdown cooling was returned to service. All other plant systems responded as designed.

Station personnel established backup power to safety buses A5 and A6 in accordance with plant procedures.

February 12, 0405   Offsite power was restored to the non-safety buses via the main/unit auxiliary transformers.

2147   Offsite power was restored to all buses through the SUT.


B.5 LaSalle (4/17/2013)

Date/Time   Event or Step Description

April 17, 1457   With LaSalle Units 1 and 2 operating in Mode 1 at 100% power, lightning struck 138 kV line 0112, resulting in a phase-to-ground fault which subsequently cleared.

1459 A second phase-to-ground fault on line 0112 occurred and all 345 kV oil circuit breakers in the main switchyard opened, resulting in a loss of offsite power (LOOP). Units 1 and 2 automatically scrammed.

The stations five emergency diesel generators (EDGs) immediately started, successfully loaded onto their respective safety-related buses, and began supplying power to the buses to support operation of essential loads, as expected. Plant systems on both units responded as expected. All control rods fully inserted. The main steam isolation valves closed, with decay heat being removed via the safety relief valves. High pressure core spray (HPCS) automatically started on both units on low reactor water level; reactor core isolation cooling (RCIC) was used for level control.

1511 LaSalle declared an Unusual Event due to a LOOP for greater than 15 minutes.

1721 Unit 2 primary containment isolation was activated due to increased primary containment pressure. Primary containment pressure was increasing as expected, given the loss of containment cooling from the loss of non-safety alternating current (AC) power.

1924 The licensee was able to restore offsite power to the Unit 2 Station Auxiliary Transformer, TR-242, and begin unloading the EDGs.

2004 Unit 1 primary containment isolation was activated due to increased primary containment pressure.

2301 Offsite power was restored to all safety buses.

April 18, 0055   Primary containment cooling was restored.

0230   Unit 1 primary containment isolation was cleared.

0814 Unit 2 primary containment isolation was cleared. The Unusual Event was terminated.


B.6 St. Lucie (1/9/2014)

Date/Time   Event or Step Description

January 9, 1400   St. Lucie Unit 1 was in Mode 1 at 100% reactor power when a severe local intense precipitation (LIP) event began at 1400. In the early afternoon the site storm drain system was challenged as the storm water basins started to rise.

1610   Operations personnel reported that water was backing up through the -0.5 foot elevation floor drains in the reactor auxiliary building (RAB), passing through two degraded electrical conduits, and entering the Emergency Core Cooling System (ECCS) sump pump room at the -10 foot elevation, which was below the elevation for which the RAB flood protection was designed.

1620   The control room received the B Safeguards Pump Room Sump Level High/High alarms.

1628   The operators entered procedure 1-AOP-24.0, RAB Flooding, and immediately closed the ECCS sump isolation valves to preclude flooding of the ECCS pump room. The water level at the RAB -0.5 foot elevation continued to rise.

1635   After deliberation between the field operators and the control room, the operators decided to control the RAB flooding by cycling the ECCS sump isolation valves to allow batch removal of RAB water via the ECCS sump pumps.

1732   A higher capacity temporary pump at the yard sump was used to reduce the rate of water entry into the RAB.

1803   An Unusual Event (UE) was declared as rainfall exceeded the site storm drain system capacity.

2100   Storm water stopped leaking into the RAB through the degraded conduits. About 7 inches of rain fell in the area during the 5 hours between 1400 and 1900.

January 10, 0001   The UE was terminated after the significant rains stopped and the storm drains were observed draining the accumulated site water.


APPENDIX C - LESSONS FOR DEVELOPMENT OF DYNAMIC PRA

C.1 Dynamic PRA Background

Dynamic PRA is a form of PRA in which driving forces on modeled system elements and the element behaviors resulting from these forces are explicitly modeled over time [C1]. 31 Originally developed to incorporate forces and energies associated with plant thermal-hydraulic behavior [C2], the concept of dynamic PRA was soon expanded to include more general drivers, notably motivators and moderators (influencing factors) for control room crew decision making, both static (e.g., procedures, training) and dynamic (e.g., information on the current situation, stress levels) [C3, C4]. Nowadays, the term is generally used to refer to PRA approaches that simulate accident scenario development over time. Another term referring to the same general concept is Integrated Dynamic-Probabilistic Safety Assessment (IDPSA) [C5].

Dynamic PRA has been a topic of interest in the academically-oriented PRA advanced methods community for many years. Perhaps the earliest workshop was held in the mid-1980s [C6].

Currently, multiple sessions at typical international PRA conferences are devoted to the latest developments, and multiple journal papers and books have been written (e.g., [C1, C7]). The general concept of explicit dynamic analysis has considerable allure: a) it provides a natural, holistic framework for representing accident scenarios and integrating the multiple scientific and engineering disciplines engaged in a PRA, b) it is consistent with the increasing use of simulation-based methods in engineering (and associated education and training of new engineers), and c) it appears capable of addressing important but difficult problems (e.g., the identification and treatment of cognitive and team behaviors leading to errors of commission).

With improving computer speed and supporting software advances, the field appears to be nearing sufficient maturity to support practical, risk-informed decision making applications (when those applications have a sufficiently narrow scope to balance the significant additional effort required to set up and execute dynamic PRA models).

The NRC supported early development efforts [C3] through university grants to the Massachusetts Institute of Technology (MIT) and more recent studies at Sandia National Laboratories (SNL) [C8] and the University of California at Los Angeles (UCLA). The U.S. Department of Energy (DOE), through its Light Water Reactor Sustainability Program (LWRS) pathway on Risk-Informed Safety Margin Characterization (RISMC) at the Idaho National Laboratory (INL), is making a significant investment in software and model development designed for U.S. industry use [C9, C10]. 32 As evidenced by international surveys on the use and development of PRA [C11] and by numerous papers at recent international conferences, a number of international organizations (e.g., the European Union - EU, Electricité de France - EDF, GRS, and the Nordic PSA Group - NPSAG) have also funded development work on dynamic PRA and IDPSA.

31 It is important to recognize that conventional event tree/fault tree-based PRA models don't ignore scenario dynamics. For example, various time-dependent phenomena and model element interactions are treated explicitly or implicitly via thermal-hydraulic success criteria modeling, fire scenario analyses (modeling of fire growth, suppression, and plant response), and the modeling of time-critical human actions (including the recovery of offsite power following a LOOP, as well as various main control room operator actions). Unlike a conventional PRA, a dynamic PRA will explicitly model the behavior of an entire system over time, rather than use a dynamic analysis as a feeder for logical events in a static (non-time-dependent) event tree/fault tree model.

It is also important to recognize that a dynamic PRA need not take a high-fidelity approach to modeling time dependence. For example, phased mission analyses in which a scenario is divided into a small number of coarse phases can be considered to be one form of dynamic PRA.

C.2 A Potential Application for Dynamic PRA

To date, work on dynamic PRA has largely remained within the PRA methods development community. Unfortunately, it appears that that community's emphasis on difficult technical problems, both phenomenological and computational, has overlooked simpler problems where dynamic PRA approaches could provide practical, improved risk management solutions. 33 This project's operational experience review has identified a problem where a simpler yet still dynamic approach could be helpful: the treatment of plant preparations in advance of a storm.

Consider the Hinkley Point and Blayais incidents discussed in Appendix A. While recognizing the very different natures of the Hinkley Point (Magnox) and Blayais (pressurized water reactor - PWR) designs, it can nevertheless be reasonably hypothesized that the differences in the timing of hazard arrivals significantly affected the severity of the challenge to plant operations.

The Turkey Point/Hurricane Andrew incident discussed in Section 3.3.1 of this report provides another example of the importance of event timing. In this incident, the hurricane arrived two hours earlier than initially expected, with high winds (exceeding 48 km/h - 30 mph) starting roughly one hour after Unit 3 achieved Mode 4 but one hour before Unit 4 achieved Mode 4. It can be hypothesized that if the plant staff had not started their storm preparations as early as they did, plant shutdown operations, some of which involved outdoor actions, could have been significantly more challenging.

Nuclear power plants have, of course, procedures for responding to severe storm warnings. However, we do not know the extent to which contingencies built into these procedures are informed by consideration of potentially impactful time-dependent possibilities (e.g., changes in storm behavior, or additional random or storm-induced failures of key functions that might preclude some shutdown options). It might be argued that such possibilities need not be identified and addressed if a plant takes a conservative approach biased toward early, precautionary shutdowns. However, such an approach, although desirable from a plant-centric point of view, might actually be undesirable from a regional emergency response point of view. It appears that dynamic PRA might be a useful tool for identifying risk-significant possibilities and suggesting risk-informed refinements to existing plant procedures. 34 We note that the dynamic analysis might not need to be very complicated from a phenomenological point of view. It is conceivable that a fairly high-level task analysis approach that addresses such factors as the time and resources required to perform various tasks and the sequencing of these tasks, but not necessarily more complicated considerations (e.g., decision maker cognition), could provide useful results. On the other hand, the analysis would need to consider the practical complexities (e.g., the staging of activities at multi-unit sites, economic as well as public-health consequences, offsite emergency response resources and needs) faced by actual decision makers.

32 Some of the INL literature refers to "computational risk assessment" instead of dynamic PRA.

33 Note that outside the PRA community, the vulnerability assessment community has been developing and using simulation-oriented tools to treat practical security-related issues. These tools, which have been described in various public meetings and conferences, and which don't require detailed cognitive models for the humans involved, may be useful for topics of interest to the PRA community (e.g., the treatment of diverse and flexible mitigation strategies - FLEX).
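The kind of high-level task-sequencing analysis sketched above can be illustrated with a small Monte Carlo screening model. The following Python is an added example written for this appendix; it is not an NRC, licensee or INL model, and nothing in it is taken from the Turkey Point event record. The two-unit task list, the 8-hour-per-unit shutdown with a 2-hour stagger, the assumed 2-hour outdoor task at the end of each unit's shutdown, the 30 mph "high winds" threshold and the Normal forecast-error distribution are all assumptions shaped after the timeline in Appendix B.2 (T0 = 1800 on August 23; high winds observed about 0300, roughly two hours earlier than forecast). The model asks the question the text raises: given uncertainty in storm arrival, how much earlier must the shutdown decision be taken so that outdoor work is unlikely to be caught by high winds?

```python
"""
Screening a pre-storm shutdown sequence against an uncertain storm arrival.

Added example for Appendix C.2 of this report; not an NRC, licensee or INL
model.  Task durations, the stagger, the outdoor-task assumption, the wind
threshold and the arrival-time distribution are assumed values shaped after
the Turkey Point timeline in Appendix B.2, not data taken from the event.
"""
import random
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Task:
    name: str
    start_h: float     # hours after T0, the decision to begin shutdown
    duration_h: float
    outdoor: bool      # outdoor work is assumed infeasible once high winds arrive

    @property
    def end_h(self) -> float:
        return self.start_h + self.duration_h


# Assumed two-unit sequence: 8 h per unit to Mode 4, units staggered by 2 h,
# with an assumed 2 h outdoor task at the end of each unit's shutdown.
TASKS: List[Task] = [
    Task("U3 shutdown to Mode 4", 0.0, 8.0, outdoor=False),
    Task("U3 outdoor securing (assumed)", 6.0, 2.0, outdoor=True),
    Task("U4 shutdown to Mode 4", 2.0, 8.0, outdoor=False),
    Task("U4 outdoor securing (assumed)", 8.0, 2.0, outdoor=True),
]


def exposed_outdoor_tasks(tasks: List[Task], winds_h: float,
                          lead_h: float = 0.0) -> List[str]:
    """Outdoor tasks not finished when high winds arrive at winds_h (hours
    after the originally planned T0).  lead_h shifts the whole sequence
    earlier by that many hours, i.e. the decision is taken sooner."""
    return [t.name for t in tasks
            if t.outdoor and t.end_h - lead_h > winds_h]


def exposure_fraction(tasks: List[Task], forecast_h: float, sigma_h: float,
                      lead_h: float = 0.0, n: int = 20000,
                      seed: int = 1) -> float:
    """Monte Carlo fraction of trials with at least one exposed outdoor task.
    Storm arrival is sampled as Normal(forecast_h, sigma_h), an assumption
    standing in for a real forecast-error distribution."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        winds_h = rng.gauss(forecast_h, sigma_h)
        if exposed_outdoor_tasks(tasks, winds_h, lead_h):
            hits += 1
    return hits / n


def required_lead_h(tasks: List[Task], forecast_h: float, sigma_h: float,
                    target: float, step_h: float = 0.5,
                    max_lead_h: float = 24.0) -> float:
    """Smallest lead time (in step_h increments) that brings the exposure
    fraction to or below target.  Returns max_lead_h if none does."""
    lead = 0.0
    while lead < max_lead_h:
        if exposure_fraction(tasks, forecast_h, sigma_h, lead) <= target:
            return lead
        lead += step_h
    return max_lead_h


if __name__ == "__main__":
    # Deterministic replay of the assumed event: winds at 0300 = T0 + 9 h.
    print("exposed at actual arrival:", exposed_outdoor_tasks(TASKS, 9.0))
    # Forecast arrival T0 + 11 h with an assumed 1.5 h standard deviation.
    for lead in (0.0, 1.0, 2.0):
        f = exposure_fraction(TASKS, 11.0, 1.5, lead)
        print(f"lead {lead:.1f} h -> exposure fraction {f:.3f}")
    print("lead for <=5% exposure:", required_lead_h(TASKS, 11.0, 1.5, 0.05))
```

With the assumed inputs, a storm that arrives at T0 + 9 h catches only the second unit's outdoor task, which is the pattern the Appendix B.2 timeline shows, and a lead time of about 1.5 to 2 hours brings the exposure fraction below 5 percent. The target itself is the plant-centric half of the tradeoff discussed above; a regional emergency-response perspective would argue for setting it no tighter than necessary, since every hour of lead is an earlier shutdown.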

C.3 References

[C1] N. Siu, "Risk assessment for dynamic systems: an overview," Reliability Engineering and System Safety, 43, 43-73, 1994.

[C2] A. Amendola, Accident sequence dynamic simulation versus event trees, Reliability Engineering and System Safety, 22, 3-25, 1988.

[C3] C. Acosta and N. Siu, "Dynamic event trees in accident sequence analysis: application to steam generator tube rupture," Reliability Engineering and System Safety, 41, 135-154, 1993.

[C4] K.S. Hsueh and A. Mosleh, The development and application of the accident dynamic simulator for dynamic probabilistic risk assessment of nuclear power plants, Reliability Engineering and System Safety, 52, 297-314, 1996.

[C5] Y. Adolfsson, J.E. Holmberg, I. Karanta, and P. Kudinov, Proceedings of the IDPSA-2012 - Integrated Deterministic-Probabilistic Safety Analysis Workshop, Stockholm, Sweden, November 19-21, 2012. (Available from:

https://www.vtt.fi/inf/julkaisut/muut/2012/VTT-R-08589.pdf)

[C6] T. Aldemir, N. Siu, A. Mosleh, P.C. Cacciabue, and G. Goktepe, Reliability and Safety Assessment of Dynamic Process Systems, Springer-Verlag, 1994.

[C7] Advanced Concepts in Nuclear Energy Risk Assessment and Management, T. Aldemir (Ed.), World Scientific Publishing Co (2018). (Available from:

https://www.worldscientific.com/worldscibooks/10.1142/10587)

[C8] J. LaChance, et al., Discrete Dynamic Probabilistic Risk Assessment Model Development and Application, SAND2012-9346, Sandia National Laboratories, October 2012. (ADAMS ML12305A351)

34 Note that operational choices made during the Blayais and Turkey Point incidents considered potential future failures as well as the current plant conditions. However, at least in the case of Blayais and possibly in the case of Turkey Point, these choices were made as the incident evolved, and did not benefit from detailed, systematic analyses prior to the incident.

Note also that some plants account for weather contingencies in their maintenance planning.


[C9] C. Smith, C. Rabiti, and R. Szilard, Light Water Reactor Sustainability Program: Risk-Informed Safety Margins Characterization (RISMC) Pathway Technical Program Plan, INL/EXT-17-43243, Rev. 0, Idaho National Laboratory, Idaho Falls, ID, September 2017. (Available from: http://www.inl.gov/lwrs)

[C10] D. Mandelli, et al., Mining data in a dynamic PRA framework, Progress in Nuclear Energy, 108, 99-110, 2018.

[C11] Nuclear Energy Agency, Use and Development of Probabilistic Safety Assessment: An Overview of the Situation at the End of 2010, NEA/CSNI/R(2012)11, December 2012.


APPENDIX D - OTHER POTENTIALLY INTERESTING EVENTS

As discussed in the main body of this report, this exploratory study has reviewed only ten incidents. There are, of course, many more incidents and near incidents that may be worth investigating in a similar fashion, for both PRA-related and knowledge-management-related reasons.

Table D1 provides a short list of events of potential interest, identified by both the team and reviewers of a conference paper written in the course of the project.


Table D1. Additional Candidate Events for PRA-Oriented Reviews

| Year | Plant(s) | Scenario Type* | Notes |
|------|----------|----------------|-------|
| 1975 | Greifswald 1 | Fire | Power cable fire, loss of main feedwater, pressurizer safety valves fail to re-seat. This event was described in NUREG/CR-6738 [D1]. Additional detailed information is now available on operator actions (causing both a LOOP and fire, and later leading to loss of power and instrumentation in the main control room), concerns with heavy smoke (which prevented venting of leaking hydrogen, leading to operator concerns regarding explosion), and reliance on bleed-and-feed cooling through failed-open pressurizer safety valves [D8]. |
| 1977 | Gundremmingen A | LOOP/LOCA | Offsite power line failures followed by internal flood. Operator errors during rapid shutdown following loss of two power lines. RCS overfill led to relief valves opening and 3 meters of radioactive coolant water in the reactor building. Water and gases were later released from the building into the environment. Reactor decommissioned due to the accident [D2]. |
| 2003 | Fermi 2, Fitzpatrick, Ginna, Indian Point 2 and 3, Nine Mile Point 1 and 2, Oyster Creek, Perry, Pickering 4-8, Darlington 1, 2, and 4, Bruce 3, 4, and 6 | LOOP (weather) | Northeast Blackout. Power line contacts overgrown trees (line had sagged due to heat from current). Subsequent power line failures over the next 1.5 hours; grid operator situation awareness hindered by computer failures. Widespread grid failure causes trips at nine U.S. plants and non-significant transients (responses managed through normal control systems) at 64 others. 13 of 15 operating Canadian units disconnected from the grid; 11 of these were tripped automatically or manually. Trip complications at multiple plants [D3]. |
| 2004 | Madras (Kalpakkam) 2 | External Flood | Indian Ocean Tsunami. Sea water entered the pump house; all seawater pumps eventually unavailable due to water and/or debris. Cooldown using firewater. Offsite power available, but EDGs started as a precaution. Some damage to structures [which could have, but apparently didn't, act as missiles to other structures]. Telecommunications severely degraded [D4]. |
| 2011 | Fort Calhoun, Cooper | External Flood | Missouri River flooding. Less-than-design-basis flooding during shutdown significantly challenged operation at Fort Calhoun. Challenges included penetration seal failures, an electrical breaker fire, rupture of a temporary flood barrier, and issues with site access and security and with communication with offsite dam operators [D5]. Cooper plant affected (to a lesser degree [D6]). |
| 2014 | Kori 2 | External Flood | Circulating Water Pump (CWP) room flood. Severe storm causes flooding, plant shutdown [D7]. |


Table D1 References

[D1] S.P. Nowlen, M. Kazarians, and F. Wyant, Risk Methods Insights Gained from Fire Incidents, NUREG/CR-6738, U.S. Nuclear Regulatory Commission, 2001.

[D2] Gundremmingen Nuclear Power Plant, Wikipedia article, https://en.wikipedia.org/wiki/Gundremmingen_Nuclear_Power_Plant, accessed July 2, 2018. [Footnote 35]

[D3] U.S.-Canada Power System Outage Task Force, Final Report on the August 14, 2003 Blackout in the United States and Canada: Causes and Recommendations, April 2004. (Available from https://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/BlackoutFinal-Web.pdf)

[D4] International Atomic Energy Agency, The Fukushima Daiichi Accident, Director General's Report: Detailed Description of Relevant Operating Experience, Annex III of Technical Volume 2, 2015. (Available from https://www-pub.iaea.org/MTCD/Publications/PDF/SupplementaryMaterials/P1710/TV2/AnnexIII.pdf)

[D5] U.S. Nuclear Regulatory Commission, Integration of Mitigating Strategies for Beyond-Design-Basis External Events and the Reevaluation of Flooding Hazards, Enclosure 3, COMSECY-14-0037, November 21, 2014. (ADAMS ML14321A572)

[D6] U.S. Nuclear Regulatory Commission, Unusual Event Declared Due to Missouri River Flooding, Unusual Event Notification Event Number 46969, June 19, 2011. (Available from https://www.nrc.gov/reading-rm/doc-collections/event-status/event/2011/20110620en.html#en46969)

[D7] Heavy rain, flash floods and landslides hit South Korea, The Watchers, 2014. (Available from https://watchers.news/2014/08/26/heavy-rain-flash-floods-and-landslides-hit-south-korea/)

[D8] M. Röwekamp and E. Gelfort, Sicherheitsrelevanter Kabeltrassenbrand im Kernkraftwerk Greifswald - Beschreibung und Einschätzung, GRS-V-SR 2449-1, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, 2004.

Footnote 35: Details likely come from a UK Safety in Mines Research Establishment translation (SMRE-TRANS7340, August 1977) of a GRS report, Stoerfall im Kernkraftwerk Gundremmingen am 13. Januar 1977, RS I 3 -514 009/2, included as Reference Number 10441799 in the IAEA International Nuclear Information System (INIS) (https://inis.iaea.org).
