ML22145A316

Risk of Core Damage in Risk-Informed Decision Making
ML22145A316
Person / Time
Issue date: 05/03/2021
From: Yuri Orechwa
NRC/NRR/DSS/SFNB
To:
Yuri Orechwa NRR/DSS 301-415-1057
Shared Package
ML22145A298 List:

The Risk of Core Damage in Risk-Informed Decision Making: The Original Sin and the Road to Redemption Yuri Orechwa NRR/DSS/SFNB May 3, 2021

Introduction: The Original Sin

The foundational paper on the formulation of risk in the context of nuclear reactor operation by Kaplan and Garrick (Ref. 6), when first published, drew some serious critique in the subsequent issues. See "Some Misconceptions About the Foundations of Risk Analysis" (Ref. 9), "Some Misconceptions About Misconceptions: A Response to Abramson" (Ref. 10), and "A Rejoinder to Kaplan and Garrick" (Ref. 11). Ref. 11 states "I leave it to the reader to judge how responsive Kaplan and Garrick have been to my comments."

We agree with Abramson! In particular, from today's perspective, we agree with Abramson's critique with regard to Kaplan and Garrick's introduction of 'subjective probability' or 'degrees of belief' for assessing the likelihood of events in the real world. In our view the confusion introduced by 'subjective probability' and/or 'degree of belief' is based, as Abramson points out, on the relationship between their notions of frequency, probability density, and the probability of an event. With regard to their definition of risk, Kaplan and Garrick state: "One often hears it said that 'risk' is probability times consequence. We find this definition misleading and prefer instead, in keeping with the set of triples idea, to say that 'risk' is probability and consequence." Their argument is based on the fact that "In case of a single scenario the probability times consequence viewpoint would equate a low-probability high-damage scenario with a high-probability low-damage scenario - clearly not the same thing at all." (Ref. 6) The observation, in principle, is mathematically true for point estimates, but irrelevant in risk analysis of events. Risk is associated with the event in the tail of the probability density function of the figure of merit, where the damage is greatest (see Ref. 12). We believe that their methodology, based on the triplet formulation, formally contains the correct ingredients, while the word 'and' is the wrong recipe. This has relegated the result of a Level 1 PRA of the CD to risk transformation to a purgatory as two end states - 0 and 1. (Ref. 7)

We note in passing, with regard to the issue of the correct recipe for risk (+/x, ?), a 'slip of the tongue' in Ref. 7 (p. C-105). "The other definition of risk is aggregate risk,25 which is defined as the sum of the products of the scenario frequencies and the scenario consequences:

$R = \sum_i [F_i] \times [C_i]$, where Fi is events/time and C is consequences/event."

Footnote 25 says "This term is not commonly recognized nomenclature but is used here to discuss the concept." We find this curious, since F x C ~ [# events/time] x [consequence/event] = consequence/time is a recognized measure of risk, while F + C has no clear interpretation. (See Ref. 16 for an example.)

It is time to atone for not taking into account Abramson's critique!

The Road to Redemption

Let us recall the three sequential levels of analysis into which current risk assessments of light-water reactors are broken (Refs. 7 and 13). This allows us to identify the necessary ingredients of the CD for the analytic form of the risk transformation for a PRA reactor analysis (Ref. 7).

A. Heuristic Probabilistic Structure of PRA Reactor Analysis

Level 1 (L1). System analysis - An assessment of plant design and operation consisting of the definition and quantification of accident sequences, component data, and human reliability that could lead to core melt. (Ref. 14)

Level 2 (L2). Containment analysis - An analysis, conditional on L1, of the response of the reactor containment to core damage.

Level 3 (L3). System consequence analysis - An assessment, conditional on L1 and L2, of the transport of radio-nuclides through the environment and the public-health consequences.

Let us consider a simple L1 PRA based on the elements in Fig. 1.

[Fig. 1. Generic Linked Structural Elements of an L1 PRA: Initiating Event (IE), Safety System 1 (SS1), Safety System 2 (SS2), Event Sequence i (ESi), Consequence (PRA & LBA).]

The unifying structure for the simple PRA of Fig. 1 is depicted for our discussion in Fig. 2 by an event tree that orders the safety functional responses (SS1 and SS2) that mitigate the initiating event. A function event tree is, in general, developed for each postulated initiating event, since each initiator may require a unique plant response.

Similarly all LBAs also have the same basic formal postulated initiating event and safety system structure. There are 4 end states in Fig. 2 for the particular initiating event.

[Fig. 2. Generic Simple Event Tree for PRA and LBA Analysis for L1. The initiating event (fIE) branches on SS1 (1-PSS1 / PSS1) and SS2 (1-PSS2 / PSS2) into the end states ES1 to ES4, each labeled with P{X>L | ES1} to P{X>L | ES4}.]

We define:

fIE - Initiating Event frequency

PSS1 - Conditional Probability of SS1 failure

PSS2 - Conditional Probability of SS2 failure

PES1 = (1-PSS1)*(1-PSS2) - Conditional Probability of Event Sequence 1

PES2 = (1-PSS1)*PSS2 - Conditional Probability of Event Sequence 2

PES3 = PSS1*(1-PSS2) - Conditional Probability of Event Sequence 3

PES4 = PSS1*PSS2 - Conditional Probability of Event Sequence 4

P{X>L | ES1} - Probability of a damage surrogate X exceeding limit L given ES1, etc.

Note: The point estimates of the conditional branching probabilities of the event tree are assumed to have been derived for each safety system by a separate fault tree analysis and are not at issue in our argument.

The guidance for NRC staff uses of probabilistic risk assessment proffered in NUREG-1489 (Ref. 7) is as follows: "Regardless of the method that is chosen to perform a transformation from a core damage frequency estimate to a risk estimate, the NRC staff must be fully aware of the constituents of the PRA (i.e. scope, models, and assumptions) yielding the numerical quantities used in a transformation from core damage frequency to risk." The current state of Level 1 PRA end-state success criteria is given in NUREG/CR-7177 (Ref. 14) as Table 4.1, page 45. It lists 13 different CD surrogates! These are based on experience with MELCOR models and "informed" by regulatory guidance such as NUREG-1465 and the 2012 revision of 10 CFR 50.46.

We put forward one criterion as the numerical quantity of interest in the estimation of CD: the number of failed fuel elements in the core. The failure of each element is based on the local thermal-hydraulic state variables at the pin cell level. (Ref. 8) Thus, from our perspective, core damage (CD) is functionally related to the number of failed fuel elements and is estimated via methods such as those presented in Ref. 2.

B. Representations of Probabilistic Structure of Risk

The basic expression for Risk consists of three terms (Ref. 7). For an L1 analysis as shown in Fig. 2, the three terms are:

fIE - the frequency per year of an initiating event (for example, one from a set IE = {LBLOCA, SBLOCA, SBO, ATWS, etc.})

ES - an event scenario (i.e. a sequence of safety system actions (failure/non-failure))

X>L - an outcome, generally a surrogate for core damage (CD) where the surrogate value X has exceeded the acceptance limit L.

Based on the notation of the event tree in Fig. 2, we can formulate the Risk Rij of an adverse event (Xij>L) due to an initiating event IEi and an activation of a sequence of safety systems resulting in an event sequence ESij, that occurs with frequency fIEi, which can be expressed as a joint probability distribution function

$R_{ij} = f_{IE_i} \cdot P\{ES_{ij}, X_{ij} > L\}$ (1)

The total risk for the reactor, therefore, is given as (2) where N is the number of postulated initiating events and M the number of safety systems.

The joint probability distribution function for the contribution to the total risk R by a specified initiating event IEi and event sequence ESij can be decomposed into the product of three terms, (3)

This expression can be viewed in the context of Fig. 2 as having two components:

First, we can consider fIE analogous to a multiplicative constant and drop its contribution to risk from further analysis without loss of the probabilistic content of our argument.

R PRA = P{ESij | IEi} - probabilistic methods that focus on the probability of operation of the plant safety systems that define the event sequences.

R LBA = P{Xij>L | IEi, ESij} - deterministic methods concerned with the probability of the transient behavior of the reactor core exceeding a specified limit for a particular sequence of events.

Thus, in the expression for the plant risk (Eq. 3), the link between the PRA analysis component and the LBA analysis component is through the event sequence ES for a given initiating event IE. That is, the probability of the event {X>L}, i.e. core damage, is dependent on the probability of the event {ES}, which is specified by a particular safety system failure sequence. Here an important dichotomy between L1 PRA risk analysis and a best-estimate plus uncertainty LBA is revealed. Two distinct analyses are performed that exhibit a clear symmetry. (Ref. 16)

In a traditional PRA analysis we have:

P{ES | IE} = a probability density function of the failure of the safety systems in ES.

P{X>L | ES, IE} = 0/1 (indicating no-CD/CD, based on events {X≤L} / {X>L}).

On the other hand, in a best-estimate plus uncertainty LBA analysis we have:

P{ES | IE} = 1 (failure of only the limiting safety system)

P{X>L | ES, IE} = a probability density function of core damage.

We, therefore, have four ways of expressing risk of CD dependent on the level of information content:

1. (P{ES | IE} = 1)*(P{X<L | ES, IE} = 1), which would imply no CD for a bounding ES and bounding calculated mechanistic result. That is an Appendix K-like analysis.

2. (P{ES | IE} = 1)*P{X>L | ES, IE}, which is a best-estimate plus uncertainty result of CD for the limiting ES.

3. P{ES | IE}*(P{X>L | ES, IE} = 1), which is the traditional PRA result of CD frequency where the uncertainty is based on the failure probabilities of the safety systems ES.

4. P{ES | IE}*P{X>L | ES, IE}, which is a risk-based PRA, where both the probability of failure of the ES and the best-estimate plus uncertainty of CD form a quantified joint uncertainty probability function P{IE, ES, X>L}.

It is the fourth representation we shall address. For discussions and examples see Refs. 16 and 4.
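Representations 2, 3 and 4 from the list above, computed for the two-system event tree of Fig. 2, as an added example that is not part of the original paper. The failure probabilities, the limit L, the samples of the surrogate X, the choice of ES3 as the limiting sequence and of ES3/ES4 as the 0/1 core-damage end states are constructed assumptions; the sum over sequences is the law of total probability for one initiating event, with fIE dropped as in the text.

```python
def event_sequence_probs(pss1, pss2):
    """P{ES_k | IE} for the two-safety-system event tree of Fig. 2."""
    return {
        "ES1": (1 - pss1) * (1 - pss2),  # SS1 and SS2 both succeed
        "ES2": (1 - pss1) * pss2,        # SS2 fails
        "ES3": pss1 * (1 - pss2),        # SS1 fails
        "ES4": pss1 * pss2,              # both fail
    }


def exceedance_prob(samples, limit):
    """Empirical P{X > L | ES, IE} from uncertainty-propagated samples of X."""
    return sum(1 for x in samples if x > limit) / len(samples)


def cd_representations(pss1, pss2, samples_by_es, limit, cd_end_states, limiting_es):
    """Probability of core damage given IE under representations 2, 3 and 4."""
    p_es = event_sequence_probs(pss1, pss2)
    p_exc = {es: exceedance_prob(x, limit) for es, x in samples_by_es.items()}
    return {
        # 2. BEPU LBA: P{ES|IE} = 1 for the limiting sequence only
        "bepu_limiting": p_exc[limiting_es],
        # 3. traditional PRA: P{X>L|ES,IE} collapsed to 0/1 per end state
        "traditional_pra": sum(p for es, p in p_es.items() if es in cd_end_states),
        # 4. risk-based PRA: joint treatment over all event sequences
        "risk_based": sum(p_es[es] * p_exc[es] for es in p_es),
    }


# Constructed inputs (hypothetical values, not taken from the paper).
LIMIT = 1200.0
BASES = {"ES1": 900.0, "ES2": 1115.0, "ES3": 1135.0, "ES4": 1195.0}
SAMPLES = {es: [base + 10.0 * k for k in range(10)] for es, base in BASES.items()}
RESULT = cd_representations(0.01, 0.02, SAMPLES, LIMIT, {"ES3", "ES4"}, "ES3")

if __name__ == "__main__":
    for name, value in RESULT.items():
        print(f"{name:16s} {value:.4e}")
```

With these inputs the 0/1 end-state treatment gives 1.0e-2 while the joint treatment gives 5.1e-3, because the sequences flagged as core damage exceed the limit in only part of the samples and ES2, flagged as success, exceeds it in some.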

C. Consistency of Information for the Exit from Purgatory

Let us consider the information content of the above four expressions of risk at level L1 as follows: The first is a deterministic bounding statement of the risk. The fourth is a more realistic probabilistic statement of the risk; two is an improvement over one, and three is an approximation to four.

We previously indicated that the integrated overall risk analysis of a plant is based on three separate but coupled analyses L1, L2 and L3, and, thereby, requires well defined interfaces of the damage states between the three parts. Our focus is limited to the 1st interface between L1 and L2. Clearly any decision with regard to a consistent analysis with regard to the safety of the reactor that takes all available information (such as defense-in-depth) into account is critically dependent on the probability of the estimate of CD at L1.

The guidance for NRC staff uses of probabilistic risk assessment proffered in NUREG-1489 (Ref. 7) is as follows: "Regardless of the method that is chosen to perform a transformation from a core damage frequency estimate to a risk estimate, the NRC staff must be fully aware of the constituents of the PRA (i.e. scope, models, and assumptions) yielding the numerical quantities used in a transformation from core damage frequency to risk." We put forward as the numerical quantity of interest the number of failed fuel elements in the core as a measure of CD. The failure of each element is based on the local thermal-hydraulic state variables at the pin cell. (Ref. 8) Thus, from our perspective, core damage (CD) is functionally related to the number of failed fuel elements, the 'sine qua non' for a reactor accident, irrespective of frequency.

Let us deconstruct the statement of the risk of CD as a function of the number of failed fuel elements. It may be instructive for this discussion, with nuclear engineers in mind, as an analogy to first recall the computation and interpretation of multi-group parameters in neutron transport calculations. To this end, let us consider the computational analogy with risk analysis.

In the analysis of nuclear reactor cores, the key information of the economic and safety performance is contained in the calculated neutron flux φ(r,E,t). This term is not a point function, but rather a density function. Thus, it only makes physical sense as a differential φ(r,E,t)dVdEdt and gives the number of neutrons in volume dV at point r, with energies in energy interval dE at E, during time period dt. Due to the complicated analytic forms of the coefficients of the governing neutron transport equation, the equation is discretized in neutron energy via the multi-group formalism. To this end, we define, for example, a group cross section σ_g in the energy interval [E_g, E_{g-1}] as (4) where σ(E) is the extent to which a neutron interacts with a nucleus at energy E, whereas φ(E) is the neutron density in the energy interval dE. Thus, σ_g is the mean number of reactions that occur due to neutrons in the energy interval [E_g, E_{g-1}]; in probability theory parlance the "event".

In nuclear reactors with cores consisting of fuel pins, the pins are not only the source of the power generated, but also the first and primary barrier to the radioactive material generated in the operation of the reactor reaching the environment. The risk of a breach of this barrier, during accident conditions, is central to decision making with regard to the safety of operating such an energy source. The key figure of merit in assessing this risk is the estimate of the pin cladding temperature (PCT). (Ref. 4)

We can apply a similar approach, as in multi-group theory, to computing the level of core damage (CD) due to a reactor transient, as follows. Let the role played by the neutron energy be the peak cladding temperature T. (It is recognized that PCT is not the only variable that comes into play. However, the required multivariate analysis is a straightforward extension.) Then, given an estimated clad failure probability density f(T) of cladding temperature in temperature interval dT, we can define f(T)dT as the probability of clad failure at clad temperature T in the interval dT of a fuel element. Furthermore, let CD(T) be the function of the number of failed fuel elements in the core at T. (For the logic in the construction of this function see Ref. 12.) The mean number of failed fuel elements in the peak clad temperature interval [L, ∞) is then given as (5)

The peak fuel cladding temperature density function f(T) is a property of the fuel pin design, and estimated via a BEPU computation of the fuel pin. The damage is a function of peak cladding temperature and is a property of the core; and reflects the number of fuel pins with peak cladding temperature T or higher, and is computed by the core calculation.

D. Consistency of Information Content with the Risk Triplet

Recall the definition of risk Ri at NRC as defined by the risk triplet (Refs. 6 and 7):

$R_{ij} = \langle S_{ij}, f_{ij}, X_{ij} \rangle$, where Si is the i-th scenario (sequence, progression) associated with the j-th initiating event, $f_{ij}$ the associated frequency, and Xij the resulting consequence.

In our notation (Eq. 3) in the analysis, we define the three terms in the risk triplet as follows:

$f_i \sim P(IE_i)$

In terms of our analogy with the energy group formalism, we have:

$CD(T) \sim \sigma(T)$

Thus, the risk of event [T ≥ L], is given by the expression

E. Computational Sources of Inputs to One Risk Estimate

The calculational machinery for the input to Eq. 6 is exemplified to a great extent by the approach to reactor safety analysis presented in Ref. 1 and applied in Ref. 8. This machinery is illustrated by an analysis of the OECD-NEA Multi-Physics Pellet Cladding Mechanical Interaction Validation (MPCMIV) benchmark using coupled codes: reactor physics (MOLTRES+SERPENT), thermal-hydraulics (SAM) and fuel performance (BISON) on the MOOSE framework. This type of multi-physics calculational framework, together with uncertainty propagation and quantification, would generate all the necessary ingredients to compute the risk as presented in Eq. 6.

References

1) Carlo Parisi, et al. "Risk-Informed Safety Analysis for Accident Tolerant Fuels," Nuclear Science and Engineering, Vol. 194, p748-770, August-September 2020.
2) Maria Avramova, et al. "Innovation in Multi-Physics Methods Development, Validation, and Uncertainty Quantification," J. Nucl. Eng. 2021, 2, p44-36.
3) U.S. Nuclear Regulatory Commission, "Guidance on the Treatment on Uncertainties Associated with PRA's in Risk-Informed Decision-making: Final Report," NUREG-1855, Revision 1 (March 2017).
4) Y. Orechwa, "Some Formal Considerations in the Application of Best_Estimate Plus Uncertainty Results in Licensing Basis Analysis to Risk "Informed" Decision Making for Reactor Safety," Internal NRC/NRR/DSS White Paper, June 14, 2018.
5) Y. Orechwa, "Best-Estimate Analysis and Decision Making Under Uncertainty," Proc. Int. Mtg. Updates in Best-Estimate Methods in Nuclear Installations Safety Analysis (BE-2004), November 14-18, Washington D.C., American Nuclear Society (2004).
6) Stanley Kaplan and B. John Garrick, "On the Quantitative Definition of Risk," Risk Analysis, Vol 1, no. 1 (1981).
7) A Review of NRC Staff Uses of Probabilistic Risk Assessment, NUREG-1489, March 1994.
8) Travis Mui, Tomasz Koslowski, "Preliminary Fuel Performance and Thermal Hydraulic Modeling of the MPCMIV Benchmark," Trans. of the ANS, Vol 123, Nov. 16-19, 2020.
9) Letter Lee R. Abramson to Editor, "Some Misconceptions About the Foundations of Risk Analysis," Risk Analysis, Vol 1, no. 4 (1981).
10) Letter Stanley Kaplan and B. John Garrick to Editor, "Some Misconceptions About the Foundations of Risk Analysis," Risk Analysis, Vol 1, no. 4 (1981).
11) Letter Lee R. Abramson to Editor, "A Rejoinder to Kaplan and Garrick," Risk Analysis, Vol 1, no. 4 (1981).
12) Y. Orechwa, "The 95/95 Acceptance Criterion in Risk-Informed Regulation: The 95/95 Delusion," Internal NRC/NRR/DSS White Paper, September 15, 2019.
13) U.S. Nuclear Regulatory Commission, "PRA Procedures Guide," NUREG/CR-2300, Vol. 1 (January 1983).
14) U.S. Nuclear Regulatory Commission, "Compendium of Analyses to Investigate Level 1 Probabilistic Risk Assessment End-State Definition and Success Criteria Modelling Issues," NUREG/CR-7177 (May 2014).
15) U.S. "Confirmatory Thermal-Hydraulic Analysis to Support Specific Success Criteria in the Standardized Plant Analysis Risk Models - Byron Unit 1," NUREG-2187 (January 2016).
16) H. F. Martz, et al., "Combining mechanistic best-estimate analysis and Level 1 probabilistic risk assessment," Reliability Engineering and System Safety, Vol. 39 (1993).