Text

Dynamic PRA: The vision and Thats so cool a peek under the hood but how does it really work?

N. Siu and K. Coyne NRC Internal Seminar Commission Hearing Room February 5, 2019 (1:30-3:30)

Abstract The term Dynamic PRA sparks many reactions within the PRA community. This seminar provides a high-level view of dynamic PRA (what is it? why is it of interest?

what are the general characteristics of current approaches and activities?) and a more detailed look at key issues likely to be of interest to NRC reviewers.

• The views expressed in this presentation are not necessarily those of the U.S. Nuclear Regulatory Commission

Outline

• Overview

- Motivation for DPRA

- What is DPRA?

- Potential benefits

- Challenges to reviewers

- Looking forward

• Illustrations

- HRA Empirical Study: dynamic PRA V&V

- Accident precursor analysis: a potential regulatory application 2

Background and Motivation March 11, 2011 (Fukushima Dai-ichi Unit 1: 1F1)

Emergency Isolation Actions to Actions to Offsite LOOP EDG Long-Term Power Condenser Extend Shed Power (Earthquake) Recovery Cooling (EDGs) (IC) IC Ops DC Loads Recovery LOOP EPS ISO EXT DCL OPR DGR LTC 1

2 CD 3

4 CD 5

6 CD 7 CD 8

9 CD 10 11 CD 12 CD 13 14 CD 15 16 CD 17 CD 18 19 CD 20 21 CD 22 CD 3

3

Background andDynamic Motivation PRA 1F1, 3/11/2011 Relative Time Hazard Systems Indications Operators/Workers ERC/ER team EP Time 14:46 0:00 Earthquake Scram MSIVs close, turbine trips, Rx level drops 14:47 0:01 EDGs start and load ICs start automatically RV pressure decreases; RV 14:52 0:06 level in normal range 40 minutes between earthquake and tsunami; ICs removed from service Cooldown rate exceeding Manually remove IC from 15:03 0:17 transition from confident control to disbelief tech spec limits service Disaster HQ established in 15:06 0:20 TEPCO Tokyo Determine only 1 train IC 15:10 0:24 needed; cycle A train First tsunami 15:27 0:41 arrives Second tsunami 15:35 0:49 arrives 15:37 0:51 Loss of AC 1537-1550: Gradual loss of Degradation Determine HPCI and failure over time, instrumentation, unavailable 15:37 0:51 indications (including IC gradually affecting operator valve status, RV level),

alarms, MCR main lighting information and ability to control TEPCO enters emergency 15:42 0:56 plan (loss of AC power);

ERC established D/DFP indicator lamp 16:35 1:49 indicates "halted" Review accident Cannot determine RV level Review accident Declared emergency management procedures, or injection status; work to management procedures, (inability to determine start developing restore level indication; do start developing level or injection) 16:36 1:50 procedure to open not put IC in service procedure to open containment vent valves containment vent valves without power without power 4 4

Background andDynamic Motivation PRA 1F1, 3/11/2011 (cont.)

Relative Time Hazard Systems Indications Operators/Workers ERC/ER team EP Time 16:45 1:59 Determine RV level Emergency cancelled Tsunami alert Workers on way to check 16:55 2:09 D/DFP had to turn back Lose ability to determine Reentered emergency plan 17:07 2:21 External influence RV level or injection status Site superintendent directs 17:12 2:26 triggering work investigation of using fire protection to inject water 17:15 2:29 stoppage, temporary Estimated core uncovery in 1 hr Tsunami alert evacuation, 17:19 2:33 cleared accountability Diesel-driven fire pump Pressure above 100 psi Manually open valves (in started and left to idle dark) from fire protection system to core spray 17:30 2:44 system; take turns holding D/DFP switch to keep in standby Error3:32 18:18 of commission (disabling DC power returned partially MO-3A and MO-2A indicate closed passive safety system) MO-3Apossibly and MO-2A Open IC valves MO-3A and 18:18 3:32 opened 2A. Steam from condenser based on assumed low inventory observed MO-3A closed Remove IC from service (usage) (concerned about failing lines). Entered R/B and T/B to manually open MOV for 18:25 3:39 FP lineup. Hard time finding valve, had wrong key, hard to operate hand wheel. Long time.

5 5

Background andDynamic Motivation PRA 1F1, 3/11/2011 (cont.)

Relative Time Hazard Systems Indications Operators/Workers ERC/ER team EP Time Core damage (4-5 hr 18:50 4:00 after trip)

Close valves for broken Ask Tokyo for more fire outdoor FP pipes. Broke engines 19:00 4:14 lock to allow passage between Units 2 and 3.

Govt. declares nuclear 19:03 4:17 emergency InNohindsight, core damage pressure indication in MCR; Reactor pressure =

20:07 5:21 Game 6.89 MPa (1000Over psi) local for 1F1; indication Small portable generator continuing 1F1 MCR recovery has temporary lighting 20:49 6:03 installed 20:50 6:04 activities and events impact Local authorities order evacuation within 2 km other units Level indication (1F2 and 1F3 core restored; 21:19 6:33 level = 0.20 m (8) above uncovery TAF on 3/14)

Prime minister orders 21:23 6:37 evacuation within 3 km; sheltering out to 10 km MO-3A opened Place IC in service; steam 21:30 6:44 observed Access to RB restricted due 21:51 7:05 to dose rates - indirect indication of core uncovery Level = 0.55 m (21.7) 22:00 7:14 above TAF Drywell pressure = 0.50 Restoration team from 23:50 9:04 MPa (87 psi) above design ERC enables reading Offsite power supply 23:59 9:13 trucks arrive by midnight 6

6

Background and Motivation Might the details matter?

Imagine the horse as a sphere It depends 7

Background and Motivation Different perspectives =>

Different challenges and needs

• Understanding

• Data

• Uncertainties

• Bounding/screening

• Heterogeneity and

• Guidance

• Holes Analysts/ Users aggregation Reviewers

• Confidence

• Integration

• Other Factors (e.g., DID,

• Imagination safety margins)

• Stakeholders

• New science/engineering

• Operational experience

• Time

• Intended users/applications

• Resources Developers

• Computational limits Rewards

• Biases/heuristics

• Communication 8

Background and Motivation Late 70s/early 80s fast reactor analyses

• Ispra JRC (Amendola, Reina, Cacciabue)

- Concern with dynamic interaction of transient physics and system logical response: physics trigger response which affects physics, etc.

- Event Sequences and Consequence Spectrum/Logical Analytical Methodology (ESCS/LAM) => DYLAM

- Recognize different time scales (ageing, transients)

- EUROPA LMBR (channel-type) - phenomenological driver or target of opportunity?

• CEA (Lanore, Villeroux, et al.)

- Concern with proper repair (recovery) credit considering large thermal inertia of Super-Phénix (pool-type LMFBR)

- Damage concern: creep rupture of RPV on LODHR

- State-transition (Markov) model; transition probabilities from standard fault tree analysis 9

Background andDynamic Motivation PRA Mid-late 80s: treat errors of commission?

OPERATOR STOPS RCIC

• Can always add a basic event Operator Stops RCIC

• Possible but sufficiently probable? Why or why not?

10 10

Background and Motivation Bounded Rationality Model

• Operator actions are not completely random events

• Reasons for decisions and actions (and inaction) affected by context, including

- scenario evolution

- past decisions/actions

• Dynamic PRA provides a framework for treating such context; major challenges in modeling and implementation 11

Definition and Illustration What is dynamic PRA?

• Risk {scenarios, Dy*nam*ics, n. a branch of consequences, likelihoods} mechanics that deals with forces and their relation primarily to the

• PRA: likelihood expressed using motion but sometimes also to the probabilities equilibrium of bodies

• Dynamic PRA:

- A simple view: PRA that explicitly models system dynamics

- Typically envisioned as a form of direct simulation but doesnt have to be

- Not intended to address dynamically changing PRAs (e.g.,

risk monitors) 12

Definition and Illustration Typical Modeling Approaches

• State-Transition Models (cell-to-cell)

• Dynamic Event Trees

• Direct Simulation 13

Definition and Illustration A Simple Example - The Aldemir Tank L

Pump 2 Pump 1 a2 a1 Valve Liquid level Control unit state (L)

Valve Pump 1 Pump 2 1 < < 2 Open On Off 2 Open Off Off 1 Closed On On 14

Definition and Illustration Tank Problem: State-Transition Model First transition 15

Definition and Illustration Tank Problem: Dynamic Event Tree Adapted from N. Siu, Risk assessment for dynamic systems: An overview, Reliability Engineering and System Safety, 43, 43-73 (1994).

16

Definition and Illustration Tank Problem: Discrete Event Simulation Adapted from N. Siu, Risk assessment for dynamic systems: An overview, Reliability Engineering and System Safety, 43, 43-73 (1994).

17

Definition andDynamic Illustration PRA Predominant Approach: Dynamic Event Trees*

One concept Historical One Moreimplementation Recently Adapted from: N. Siu, "Risk assessment for dynamic systems: an overview,"

Reliability Engineering and System Safety, 43, 43-73, 1994 J. LaChance, et al., Discrete Dynamic Probabilistic Risk Assessment Model Development and Application, SAND2012-9346, Sandia National Laboratories, October 2012.

• Sometimes referred to as discrete dynamic event trees 18 18

Definition and Illustration Comments

• Many related terms inside and outside NPP PRA community (A rose by any other name)

- Integrated Deterministic-Probabilistic Safety Assessment (IDPSA)

- Integrated Safety Assessment (ISA)

- Computational risk assessment (CRA)

- Integrated PRA (I-PRA)

- Simulation modeling (e.g., discrete event simulation)

• Academic community has focused on tightly coupled problems; tools could be useful for more loosely coupled problems, e.g.,

- Recovery time (e.g., power, portable equipment)

- Force-on-force

- Storm preparation 19

Potential Benefits Dynamic PRA Why?

• As with simulation approaches in general

- Improved realism (e.g., elimination of some intermediate modeling approximations)

- Improved insights (e.g., going beyond game over)

- Improved use of available information (what we know)

• Phenomena

• Operational experience

- Broader acceptance outside PRA community

• Natural language framework for integrating multiple disciplines

• Consistency with current directions in engineering

• For PRA/RIDM, potential to address sources of completeness uncertainty, e.g.,

- Errors of commission

- Passive system reliability 20 20

Challenges to Reviewers General Challenges

• Understanding

• Data

• Uncertainties

• Bounding/screening

• Heterogeneity and

• Guidance

• Holes Analysts/ Users aggregation Reviewers

• Confidence

• Integration

• Other Factors (e.g., DID,

• Imagination safety margins)

• Stakeholders

• New science/engineering

• Operational experience

• Time

• Intended users/applications

• Resources Developers

• Computational limits Rewards

• Biases/heuristics

• Communication 21

Challenges to Reviewers Fundamental Question for Reviewers Its a probabilistic simulation, but is it a dynamic PRA?

• Search for what can go wrong?

• Address unlikely events (e.g., distribution tails)?

• Treat important dependencies?

22

Challenges to Reviewers Searching for Failures: The Red Team

• Examples

- Procedures prevent operation in undesirable regimes =>

what might prompt procedural violations?

- Natural circulation, convection, and conduction will remove decay heat => what might disrupt heat transfer?

- Timely evacuation reduces exposure => how can evacuation be hindered?

• Does the model consider such questions?

23

Challenges to Reviewers Other Challenges

• Data for model parameters

- Source and interpretation

- Sub-model range

• Sub-model heterogeneity

• Verification and validation

• Completeness uncertainty

- Focus on risk or on whats solvable?

Interesting?

- Whats outside of the model?

• Sensemaking 24

Looking Forward Not If But When?

Not Why But Why Not?

Its tough to make predictions, especially about the future.

- Yogi Berra Practical applications of dynamic PRA are here and will be increasing Resistance is futile

• Consistent with engineering trends

• Attractive to students and researchers (industry feedstock)

• Supports exploration of model uncertainties, diverse views

• Tools are available

• Challenges are recognized and are being addressed 25

SOME ILLUSTRATIVE EXAMPLES Illustrations Expanding on the why?

• Human performance insights

- Available time for action

- Improved realism of context

- Compounding impact of actions

- Explore error forcing contexts

• System insights

- Complex dependencies

- Success criteria

- Event sequence

• Interface between man and Machine 27

Illustrations ADS-IDAC - UMD/UCLA

• ADS-IDAC - Accident Dynamics Simulator with the Information Decision and Action in a Crew Context operator model

- Discrete Dynamic Event Tree (DDET)

Simulation Method

- Model-based HRA approach

- Integrates a thermal hydraulic nuclear plant model with a control room crew human performance model

- Provides rich situational context for evaluating factors that may influence decision-making performance (e.g.,

identifying error forcing contexts) 28

Illustrations IDAC Model - Controlling AFW

• Mental model links: (1) indicators &

alarms; (2) beliefs; and (3) actions.

• Actions include control manipulations and active information gathering 29

Illustrations HRA Empirical Study

• SGTR Scenarios

- Base - simple SGTR with secondary radiation alarms available

- Complex - SGTR w/ MSLB and MSIV isolation (no secondary radiation alarms)

• LOFW Scenarios

- Base - LOFW, no AFW/MF

- Complex - LOFW, no AFW/MF, but degraded condensate pump available 30

Illustrations HRA Empirical Study

• Crew to crew variability LOFW Base Scenario 80 70 SG A WR Level (%)

60 50 40 30 20 10 0

0 500 1000 1500 2000 2500 3000 3500 4000 4500 time (seconds) 31

Challenges to Reviewers HRA Empirical Study

• Key drivers for crew-to-crew variability

- Pacing (fast crew, slow crew)

- Preferences

• Control inputs

• Goals and strategies

- Capabilities

• Knowledge

• Crew communication

• Situational awareness 32

Illustrations HRA Empirical Study

• SGTR Base Scenario

- Trip reactor early (Crew M) or reduce power to troubleshoot (Crew G)

- Slower (G) or faster (M) pacing

- Faster (G) or slower (M)

RCS cooldown rate 33

Illustrations HRA Empirical Study HAMMLAB ADS-IDAC 34

Illustrations Better understanding of error forcing contexts 35

Illustrations Dynamic Performance Influencing Factors (PIFs)

Time TimeConstraint ConstraintLoad Load Dynamic PIFs Time Constraint Load Time Available: System Time System Criticality Constraint Load Criticality Information Load Low PZR Level Time Available: Low Information InformationLoad Load Info Load: Post Trip Alarm Cascade RCS Pressure 10 Isolate SG A High SCM &

8 SG A Level, PIF Value Lo PZR Level 6

4 2 Time Available:

Hi SG A Level 0

0 500 1000 1500 2000 2500 3000 3500 4000 Briefing Hi SG A &

Hold time (seconds) PZR Levels 36 36

Illustrations Robinson Fire (3/28/2010) 37

Illustrations Robinson Fire (cont)

• Several issues:

- Impact of secondary cooldown

- Impact of RCP seal leakage

- Time available to initiate RCS cooldown 38

Illustrations Robinson Fire (cont)

• Some insights

- Time to CD with 480 gpm RCP seal leak

- Significant time available with 21 gpm RCP seal leak

- Cooldown has limited impact 39

Illustrations Dynamic PRA - Opportunities and Challenges Some Advantages of Dynamic Approaches

• Does not require traditional pinch points and other constraints

- Flexible truncation times

- Easier integration of non-binary information (e.g., degraded equipment)

- No need to identify representative sequences

• Increases focus on physical system behavior

- Reduces reliance on intermediate assumptions (e.g., success criteria)

- Forces explicit treatment of timing

- Improves realism and ability to extrapolate results

• Integrates hardware and human performance models

- Richer context for evaluating human performance

- Realistic plant modeling (e.g., explicit consideration of control system interaction and procedures)

• Avoids game over modeling assumptions

- End states can be readily tailored to scenarios and not limited to discrete bins

- Recovery and mitigation actions can be explicitly modeled, including partially successful mitigation and timing variability 40

Illustrations Dynamic PRA - Opportunities and Challenges and some challenges

• Developing and validating models

- Development of physical models can be resource intensive

- Validation/accreditation of models can be difficult, particularly for rare events

• Obtaining a complete risk profile

- Ensuring a complete solution space is examined

- Choosing representative samples

- Pruning and truncation to avoid sequence explosion

• Aggregating, interpreting, and communicating results

- Simulation-based approaches can produce expansive amounts of data

- Identifying and focusing on key accident scenarios can be difficult

- Confidence in simulation results (either overly high or low)

- No state of practice for calculating importance measures

• Vertical vs. horizontal slice

• Evaluating Uncertainty

- Applying and interpreting uncertainty can difficult - particularly in the absence of a standard state-of-practice.

- Ensuring efficient sampling scheme for uncertainty evaluation (e.g., identifying parameters and capturing dependencies 41

BACKUP SLIDES PSAM 14 (2018)

Title Orgs Case Study of Major Accident to Demonstrate the Possibility of Prediction of Conditions for Accidents NUST*

Addressing Critical Dependencies in the Probabilistic Performance Assessments of Multi-Purpose Systems with EDF PyCATSHOO Mitigation Coverage Evaluation of Passive Systems Based on Causality Estimation Using Multi-Level Flow Model RPI EMRALD, Dynamic PRA for the Traditional Modeler INL Dynamic Modelling of Severe Accident Management for CANDU Reactors in Probabilistic Safety Assessment Kinectrics Using Microworlds to Support Dynamic Human Reliability Analysis INL Code Surrogate Development for Dynamic PRA Using Anisotropic Taylor Kriging Methodology RPI Development of an Online Operator Tool to Support Real-Time Emergency Planning Based on the Use of Dynamic OSU Event Trees and Deep Learning Pattern Identification of Dynamic Event Tree Scenarios with Clustering RPI Severe Accident Scenario Uncertainty Analysis using the Dynamic Event Tree Method JAEA A Method for Modeling Human Behavior as a Dynamic Process in the Context of External and Internal Hazards GRS Aggregation of Autocalculated Human Error Probabilities from Tasks to Human Failure Events in a Dynamic Human INL/NTNU Reliability Analysis Implementation Integrating Classical PRA Models Into Dynamic PRA INL Convergence of Varied Surrogate Models for Seismic Dynamic PRA/PSA OSU A Dynamic Coupled-Code Assessment of Mitigation Actions in an Interfacing System Loss of Coolant Accident OSU/SNL Performing an Accident Sequence Precursor Analysis with the ADS-IDAC Dynamic PSA Software Platform UCLA Discrete Dynamic Event Tree Uncertainty Quantification in the ADS-IDAC Dynamic PSA Software Platform UCLA The Backtracking Process Algorithm: A Dynamic Probabilistic Risk Assessment Method for Autonomous Vehicle Control OSU Systems Comparison of Dynamic Event Trees with and without a Human Reliability Interface in a PWR Station Blackout using OSU Severe Accident Management Guidelines Results of an IDPSA Aimed to Assess the Potential of a Thermally Induced Steam Generator Tube Rupture GRS Recent Analysis and Capability Enhancements to the ADAPT Dynamic Event Tree Driver OSU/SNL

• Norwegian University of Science and Technology 43

PSA 2017 Title Orgs Dynamic Event Tree Generation With RAVEN-MAAP5 Using Finite State Machine System Models OSU/EDF Local Fusion of an Ensemble of Semi-Supervised Self Organizing Maps for Post-Processing Accidental Politecnico Scenarios di Milano IDPSA Approach to Assess the Potential of a Thermally Induced Steam Generator Tube Rupture GRS Dynamic Approach on Multi-Unit Probabilistic Risk Assessment Using Continuous Markov and U. Tokyo Monte Carlo Method Surrogate Model Selection in RAVEN for Seismic Dynamic PRA/PSA OSU Timed-Fault Tree Generation from Dynamic Flowgraph Method The ADS-IDAC Dynamic Platform with Dynamically Linked System Fault Trees UCLA Development of Integrated Site Risk Using the Multi-Unit Dynamic Probabilistic Risk Assessment UMD/UCLA (MU-DPRA) Methodology Dynamicizing the SPAR-H Method: A Simplified Approach to Computation-Based Human Reliability INL/NTNU Analysis A Dynamic Assessment of an Interfacing System Loss of Coolant Accident OSU/SNL Dynamic PRA of a Multi-Unit Plant INL Measuring Risk Importance in a Dynamic PRA Framework INL Dynamic PRA with Component Aging and Degradation Modeled Utilizing Plant Risk Monitoring INL Data Passive System Reliability Analysis Using APSRA+ Methodology and Its Application to Passive BARC Isolation Condenser System of an Advanced Reactor A Case Study of Simulation-Based Dynamic Analysis Approach for Modeling Plant Response to INL Flooding Events 44

Dynamic PRA Challenges to Developers

• Technical (many being addressed)

- Phenomenological sub-models

- Data

- V&V

- Computational resources

- Aids to support searches

- Aids to support sensemaking

• Economic

- Demonstrating added value

- Demonstrating acceptable resource requirements 45 45

Dynamic PRA Challenges to Developers (cont.)

• Socio-organizational

- Perception that dynamic PRA is necessarily complex

- Developer community mindset

• Increased detail > increased realism

• Importance of insights (vs. bottom line results)

• Openness to concerns raised by skeptics

- User community mindset

• Potential value of different approaches

• Awareness of trends outside NPP PRA

- Targeting of development activities

• R&D => product development

• Increased emphasis on actual problem solving (beyond demos)

• Role in PRA toolbox

• What expertise is needed, how to develop and maintain 46 46