Text

Initiating Events Lecture 4-1 1

Key Topics

• NPP PRA definition of initiating event

• Methods to identify initiating events

• Fundamental ethos: search for failures 2

Resources

• American Nuclear Society and the Institute of Electrical and Electronics Engineers, PRA Procedures Guide, NUREG/CR-2300, January 1983

• H. Kumamoto and E.J. Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.

• T.A. Kletz, Improving Chemical Engineering Practices: A New Look at Old Myths of the Chemical Industry, Second Edition, Hemisphere Publishing, New York, 1990.

• H. Petroski, To Engineer is Human: The Role of Failure in Successful Design, Random House, New York, 1992.

3

Context for Initiating Event Analysis Risk {si , Ci , pi }

NPP PRA - The What Hazards

• Levels

- Level 1 (core/fuel damage)

Initiating

- Level 2 (radioactive release) Level 1 Events

- Level 3 (offsite consequences)

• Hazards Plant Damage

- Internal events (hardware, human, LOOP) States

- Internal hazards (flood, fire, heavy load drops, )

- External hazards (seismic, flood, wind, ) Source Level 2

• Operating Mode Term Groups

- At power

- Low power/shutdown Release

• Sources Categories

- Core Level 3

- Spent fuel pool Offsite

- Other (e.g., dry cask storage) Consequences 4

Context for Initiating Event Analysis NPP PRA - The How (Big Picture)

Spent Fuel Pool Units Reactor Units All Hazards At-Power Level 1/2,3 PRA Internal Hazards Level 1,2,3 PRA Integrated Site Model Reactor Units Reactor Units All Sources Low Power/Shutdown All Operating States All Operating States All Hazards All Hazards All Hazards Level 1,2,3 PRA Level 1,2,3 PRA Level 1,2,3 PRA Reactor Units At-Power Dry Cask Storage External Hazards All Hazards Level 1,2,3 PRA Level 1/2,3 PRA 5

Formulation

• Develop understanding

- Possible scenarios The General -

-

Key processes and parameters Modeling issues Modeling *

- Interactions with other analyses Select scenarios for analysis Process - One

• Select computational tool(s)

View Analysis

• Collect data

- Generic

- Plant-specific

• Build model(s)

- Direct input

- External submodels

• Perform computations Interpretation

• Results for analyzed scenarios

• Implications for other scenarios 6

Context for Initiating Event Analysis The Modeling Process - A More Detailed View Sequence = Initiating Event AND Mitigating System Response Critical First Step American Nuclear Society and the Institute of Electrical and Electronics Engineers, PRA Procedures Guide, NUREG/CR-2300, January 1983.

7

Initiating Event Definition Where to start? Before the storm*

Its Christmas Eve at the Bunbury Bay Nuclear Power Plant, Old Reliable to the crew and local residents, most of whom have friends or family working at the plant.

A severe Noreaster took down powerlines a month ago, but, as with past blizzards, the plant rode it out, providing needed power to the region. Most of the workers, who had put in long hours to cope with the November storm and its aftermath, are home for a well-deserved rest over the holiday, and Old Reliable is purring along with a nearly minimum crew. (Some unlucky workers are earning overtime working on the plants newer, air-cooled EDG, which is down for emergency repairs.) A low pressure area, formed in the Atlantic some two days ago, is being tracked but the disturbance is small. Although there are indications of intensification, weather forecasts provide no cause for serious alarm. Theres snow on the ground and chestnuts are roasting

• Thanks to Pierre LeBot (EDF) for parts of this story.

8

Initiating Event Definition Where to start? The storm hits At around 3 pm, winds in the region start to rise; blowing snow cuts visibility and trees are swaying. The plant receives a warning that the disturbance had become a storm but its intensity and direction are unclear. Considering the conditions of the roads and crew, past plant performance, and the uncertainty in the weather model predictions, the plant manager decides to alert off-duty senior staff, but not to recall any workers.

At 5 pm, the storm hits the coast. Around 8:30 pm, severe wind gusts take down multiple power lines, disrupting the grid. The plant loses offsite power and trips at 8:32, and the water-cooled EDG starts and loads as designed. At 11:16 pm, wind-driven waves, on top of severe storm surge and an abnormally high tide (a beyond-design basis hazard combination), overtop and damage the protective seawall and start flooding the pump house, endangering service water (normal and emergency). The plant (an old, isolation condenser design) starts preparing to enter SBO conditions. Fortunately, an offsite power line is recovered at 11:34. Recognizing the unreliability of the grid under storm conditions, the plant starts reviewing its procedures to stay at hot shutdown conditions until grid stability can be assured. However, offsite power remains available and the plant achieves cold shutdown early Christmas morning.

9

Initiating Event Definition Possible Choices Event Why?

November storm Sets up plant workforce, activities, and attitudes, and offsite conditions. Could support risk-informed post-storm operations decisions Low pressure formation Natural starting point if using storm simulation modeling. Could support risk-informed early storm preparations.

Storm warning (3 pm) Deteriorating conditions; warning triggers decision (whether to recall staff). Could support risk-informed response.

Storm hits coast Natural event for storm-oriented analysis.

LOOP Start of nuclear transient.

Pumphouse flooding Not a great choice for a literal analysis, but could be moved up to coincide with LOOP in a PRA.

10

11 Initiating Event Definition Convention for Initiating Event

- Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, 2013

12 Identification Methods Identifying Initiating Events

• Tools/approaches include:

- Failure Modes and Effects Analysis (FMEA)

- Hazard and Operability Studies (HAZOPS)

- Master Logic Diagrams (MLD)

- Heat Balance Fault Trees

- Review of past events

- Comparison with other studies

- Feedback from plant model

• If its not in the model, it cant be analyzed.

Use your imagination

13 Identification Methods but

• Frame as a search (more active, directed than imagining)

• Screen out unimportant events to enable practical solution and avoid distractions

- Limited analysis resources

- Risk masking from overly conservative analyses

• Recognize challenges

- Completeness

- Data relevance (and rectifiability)

Identification Methods Steam Flow Example for Sensor Demonstrations: Main Steam L Valve A Simple Boiler a2 Level Sensor a1 Drain Feedwater Valve Hot Pump Gas Desired State Steam Flow Liquid Level MS Valve FW Pump Hot Gas 1 < < 2 Open On On 2 Open Off On 1 Closed On Off

> - Closed Off Off 14

Identification Methods FMEA - Principles

• Inductive approach - postulate failures and determine effects

• Apply to all elements in system

• Uses standardized terms

• FMECA: add criticality analysis From H. Kumamoto and E.J.

Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.

15

Identification Methods FMEA Partial Example (Boiler Problem)

Failure Component Mode Cause(s) Effects Pressure Rupture a. Overpressure a. Stops operation Vessel b. Impact b. Hazards to operators,

c. Corrosion other components

d. Faulty materials i. Steam

e. Faulty construction ii. Flooding

f. Faulty installation iii. Missile(s)

g. iv. Displacement Feedwater Fails to a. Mechanical failure (e.g., a. Stops system operation Pump run binding, rotor crack) b. Creates demand for

b. Clogging system response

c. Loss of power

d. Incorrect control signal

e. Incorrect operator action

f.

16

Identification Methods HAZOP - Principles

• Extension of FMEA

• Includes process parameter deviations

• Guide words to stimulate creative thinking

• Used extensively in chemical process industry From H. Kumamoto and E.J. Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.

17

Identification Methods HAZOP Partial Example (Boiler Problem)

Process Parameter Deviation Effects Gas Flow No Flow a. Stops operation

b. Creates demand for system response (stop feedwater). If response fails, could lead to overfilling and possible flooding elsewhere Gas Flow More Flow a. Increases steam generation rate. Depending on steam flow setpoint, could trigger system shutdown.

b. Increases water boiloff rate. If feedwater cant compensate and steam flow setpoint isnt reached, could cause dryout and gas tube rupture.

18

Identification Methods Master Logic Diagram - Principles

• Deductive approach

• Basically a fault tree; shows how a top event can occur

• Heat Balance Fault Tree is similar concept Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, 2013 19

Identification Methods A Classic NPP MLD PRA Procedures Guide, NUREG/CR-2300, 1983 20

Identification Methods MLD for a Space Application Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners, NASA/SP-2011-3421, 2nd ed., 2011 21

Identification Methods High Steam Flow Trip MLD Partial Example (Boiler Problem)

Spurious High Steam Trip Flow Trip Logic Insufficient Excessive Failure Feedwater Heat Sensor Failure T1 T2 Loss of FW Source Pump Pump Flow Path Failure Tripped Blocked T3 22

Identification Methods Other Frameworks

• Different representations of causality can:

- Stimulate imagination

- Facilitate communication with like-minded

• Example: bowtie diagrams are advocated for process applications W. Nelson, How Things Fail - e.g. Deepwater Horizon and Fukushima - and Occasionally Succeed, Nov. 2, 2011 23

Identification Methods Operational Experience (OpE)

• Illustrates mechanisms and complexities that might otherwise be missed

• Examples

- Water hammer in fire main causes reactor building flood

- Lighted candle causes cable fire

- Boat wake rocks submarine and causes reactivity accident

• OpE also can indicate where imagination might be going too far

• Non-NPP experience is potentially valuable (e.g., see Kletz) 24

Identification Methods Other Studies (NPP)

LOHVAC LOCCW LOCA

• Loss of offsite power ISLOCA

- Plant-centered LO1DC SGTR

- Switchyard

- Grid

- Severe weather

• Loss of safety-related bus

• Loss of instrument or control air

• Loss of safety-related cooling water

• Loss of feedwater

• General transient

• Steam generator tube rupture

• Loss of coolant accident

- Very small LOCA LOOP Transients

- Small LOCA

- Medium LOCA

- Large LOCA

- Excessive LOCA

- Interfacing system LOCA

- Stuck-open relief valve

• High energy line break Example CDF Contributions (Internal Events) 25

Identification Methods Including External Hazards Chemical Flood ISLOCA SGTR

• Internal events LOCA Fire

• Internal floods

• Internal fires

• Seismic events Transients

• External floods Seismic

• High winds LO1DC LOOP LOHVAC LOCCW Further discussion in Lecture 6-2 26

Comments

• NPP PRA is a systems modeling enterprise => uses divide and conquer approach => caution needed at task interfaces (e.g., between initiating event analysis and event sequence analysis)

- Gaps

- Mismatches

• Iteration (which fuzzifies interfaces) is important. Examples:

- Initiating event analysis considers importance of postulated event; early judgments needed to start other tasks can/should be revisited

- Internal and external hazards analyses use internal events models (Lecture 6-2); can suggest model modifications based on results and insights 27

Comments (cont.)

• To postulate how things might fail, first need to know how things are supposed to work =>

Initial Information Collection step (a.k.a.

Plant Familiarization) is critical

• Checklists (e.g., based on past studies) are useful, but concept of active searching is key, especially for new systems.

• Multiple approaches/tools provide different perspectives and can help ensure completeness.

28