Text

Dynamic PRA: The vision anda peek under the hood*The views expressed in this presentation are not necessarily those of the U.S. Nuclear Regulatory CommissionN. Siu and K. CoyneNRC Internal SeminarCommission Hearing RoomFebruary 5, 2019 (1:30

-3:30)it really work?Abstractreactions within the PRA community. This seminar provides a high

-level view of dynamic PRA (what is it? why is it of interest? what are the general characteristics of current approaches and activities?) and a more detailed look at key issues likely to be of interest to NRC reviewers.

2OutlineOverviewMotivation for DPRAWhat is DPRA?Potential benefitsChallenges to reviewersLooking forwardIllustrationsHRA Empirical Study: dynamic PRA V&VAccident precursor analysis: a potential regulatory application 3March 11, 2011 (Fukushima Dai-ichiUnit 1: 1F1)LOOP EPSISOEXTDCLOPRDGR LTC LOOP(Earthquake)EmergencyPower(EDGs)IsolationCondenser(IC)Actions toExtendIC OpsActions toShedDC LoadsOffsitePowerRecoveryEDGRecoveryLong-TermCooling CD CD CD CD CD CD CD CD CD CD CD CD CD 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22Background and Motivation 4 1F1, 3/11/2011TimeRelative TimeHazardSystemsIndicationsOperators/WorkersERC/ER team EPEarthquakeScramMSIVs close, turbine trips, EDGs start and loadRx level dropsICs start automaticallyRV pressure decreases; RV level in normal rangeICs removed from serviceCooldown rate exceeding tech spec limitsManually remove IC from serviceDisaster HQ established in TEPCO TokyoDetermine only 1 train IC needed; cycle A trainFirst tsunami arrivesSecond tsunami arrivesLoss of AC1537-1550: Gradual loss of instrumentation, indications (including IC valve status, RV level), alarms, MCR main lightingDetermine HPCI unavailableTEPCO enters emergency plan (loss of AC power); ERC establishedD/DFP indicator lamp indicates "halted"Review accident management procedures, start developing procedure to open containment vent valves without powerCannot determine RV level or injection status; work to restore level indication; do not put IC in serviceReview accident management procedures, start developing procedure to open containment vent valves without powerDeclared emergency (inability to determine level or injection)Dynamic PRA40 minutes between earthquake and tsunami; transition from confident control to disbeliefBackground and MotivationDegradation and failure over time, gradually affecting operator information and ability to control 5TimeRelative TimeHazardSystemsIndicationsOperators/WorkersERC/ER team EPDetermine RV levelEmergency cancelledTsunami alertWorkers on way to check D/DFP had to turn backLose ability to determine RV level or injection statusReentered emergency planSite superintendent directs investigation of using fire protection to inject waterEstimated core uncoveryin 1 hrTsunami alert clearedDiesel-driven fire pump started and left to idlePressure above 100 psiManually open valves (in dark) from fire protection system to core spray system; take turns holding D/DFP switch to keep in standbyDC power partially returned MO-3A and MO-2A indicate closedMO-3A and MO-2A openedOpen IC valves MO

-3A and 2A. Steam from condenser observedMO-3A closedRemove IC from service (concerned about failing lines). Entered R/B and T/B to manually open MOV for FP lineup. Hard time finding valve, had wrong key, hard to operate hand wheel. Long time.Dynamic PRAError of commission (disabling passive safety system) possibly based on assumed low inventory (usage)1F1, 3/11/2011 (cont.)Background and MotivationExternal influence triggering work stoppage, temporary evacuation, accountability 6TimeRelative TimeHazardSystemsIndicationsOperators/WorkersERC/ER team EPCore damage (4-5 hrafter trip)Close valves for broken outdoor FP pipes. Broke lock to allow passage between Units 2 and 3.Ask Tokyo for more fire enginesGovt. declaresnuclear emergencyNo pressure indication in MCR; Reactor pressure =

6.89MPa (1000 psi)local indicationSmall portable generator installedMCR has temporary lightingLocal authorities order evacuation within 2 kmLevel indicationrestored; TAFPrimeminister orders evacuation within 3 km; sheltering out to 10 kmMO-3A openedPlace IC in service; steam observedAccess to RB restricted due to dose rates indirect indication of core uncoveryLevel =above TAFDrywell pressure = 0.50 MPa (87 psi) above designRestoration team from ERC enables readingOffsite power supply trucks arrive by midnightDynamic PRAIn hindsight, core damage continuing 1F1 recovery activities and events impact other units (1F2 and 1F3 core uncoveryon 3/14)1F1, 3/11/2011 (cont.)Background and Motivation 7Might the details matter?Imagine the horseBackground and Motivation 8Different perspectives => Different challenges and needsBackground and MotivationDevelopersAnalysts/ReviewersUsersUnderstandingUncertaintiesHeterogeneity and aggregationConfidenceOther Factors (e.g., DID, safety margins)StakeholdersTimeResourcesBiases/heuristicsCommunicationDataBounding/screeningGuidanceIntegrationImaginationOperational experienceIntended users/applicationsComputational limitsRewards 9Late 70s/early 80s fast reactor analysesIspraJRC (Amendola, Reina, Cacciabue)Event Sequences and Consequence Spectrum/Logical Analytical Methodology (ESCS/LAM) => DYLAMRecognize different time scales (ageing, transients)EUROPA LMBR (channel

-type) phenomenological driver or target of opportunity?CEA (Lanore , Villeroux, et al.)thermal inertia of Super

-Phénix(pool-type LMFBR)Damage concern: creep rupture of RPV on LODHRState-transition (Markov) model; transition probabilities from Background and Motivation 10 Mid-Possible but sufficiently probable? Why or why not?Dynamic PRAOPERATORSTOPS RCICBackground and Motivation 11Operator actions are not completely random eventsReasons for decisions and actions (and inaction) affected by context, including scenario evolutionpast decisions/actionssuch context; major challenges in modeling and implementationBackground and Motivation 12consequences, likelihoods}PRA: likelihood expressed using probabilitiesA simple view: PRA that explicitly models system dynamicsTypically envisioned as a form of to beNot intended to address dynamically changing PRAs (e.g., risk monitors)

Dynamics , n.a branch of mechanics that deals with forces and their relation primarily to the motion but sometimes also to the equilibrium of bodies 13Typical Modeling ApproachesState--to-Dynamic Event TreesDirect Simulation 14A Simple Example The Aldemir TankLiquid level (L)Control unit stateValvePump 1Pump 2Open OnOffOpenOffOffClosed On OnPump 1ValvePump 2 L 1 2 15Tank Problem: State

-Transition ModelFirst transition 16Tank Problem: Dynamic Event TreeReliability Engineering and System Safety , 43, 43-73 (1994).

17Tank Problem: Discrete Event SimulationReliability Engineering and System Safety , 43, 43-73 (1994).

18Predominant Approach: Dynamic Event Trees*Dynamic PRAAdapted from: N. Siu, "Risk assessment for dynamic systems: an overview," Reliability Engineering and System Safety , 43, 43-73, 1994HistoricalJ. LaChance-9346, Sandia National Laboratories, October 2012.More RecentlyOne conceptOne implementation 19CommentsMany related terms inside and outside NPP PRA Integrated Deterministic

-Probabilistic Safety Assessment (IDPSA)Integrated Safety Assessment (ISA)Computational risk assessment (CRA)Integrated PRA (I

-PRA)Simulation modeling (e.g., discrete event simulation)Academic community has focused on tightly coupled problems; tools could be useful for more loosely coupled problems, e.g.,Recovery time (e.g., power, portable equipment)Force-on-forceStorm preparation 20Why?As with simulation approaches in generalImproved realism (e.g., elimination of some intermediate modeling approximations)PhenomenaOperational experienceBroader acceptance outside PRA communityNatural language framework for integrating multiple disciplinesConsistency with current directions in engineeringFor PRA/RIDM, potential to address sources of completeness uncertainty, e.g.,Errors of commissionPassive system reliabilityDynamic PRAPotential Benefits 21General ChallengesChallenges to ReviewersDevelopersAnalysts/ReviewersUsersUnderstandingUncertaintiesHeterogeneity and aggregationConfidenceOther Factors (e.g., DID, safety margins)StakeholdersTimeResourcesBiases/heuristicsCommunicationDataBounding/screeningGuidanceIntegrationImaginationOperational experienceIntended users/applicationsComputational limitsRewards 22Fundamental Question for ReviewersAddress unlikely events (e.g., distribution tails)?Treat important dependencies?Challenges to Reviewers 23ExamplesProcedures prevent operation in undesirable regimes => what might prompt procedural violations?Natural circulation, convection, and conduction will remove decay heat => what might disrupt heat transfer?Timely evacuation reduces exposure => how can evacuation be hindered?Does the model consider such questions?Challenges to Reviewers 24Other ChallengesData for model parametersSource and interpretationSub-model rangeSub-model heterogeneityVerification and validationCompleteness uncertaintyInteresting?SensemakingChallenges to Reviewers 25Practical applications of dynamic PRA are here and will be increasingConsistent with engineering trendsAttractive to students and researchers (industry feedstock)Supports exploration of model uncertainties, diverse viewsTools are availableChallenges are recognized and are being addressed-Yogi BerraResistance isLooking Forward SOME ILLUSTRATIVE EXAMPLES 27Human performance insightsAvailable time for actionImproved realism of contextCompounding impact of actionsExplore error forcing contextsSystem insightsComplex dependenciesSuccess criteriaEvent sequenceInterface between man and MachineIllustrations 28 ADS-IDAC UMD/UCLAADS-IDAC -Accident Dynamics Simulator with the Information Decision and Action in a Crew Context operator modelDiscrete Dynamic Event Tree (DDET) Simulation MethodModel-based HRA approachIntegrates a thermal hydraulic nuclear plant model with a control room crew human performance modelProvides rich situational context for evaluating factors that may influence decision-making performance (e.g., identifying error forcing contexts)Illustrations 29IDAC Model Mental model links: (1) indicators & alarms; (2) beliefs; and (3) actions.Actions include control manipulations and active information gatheringIllustrations 30HRA Empirical StudySGTR ScenariosBase secondary radiation alarms availableComplex SGTR w/ MSLB and MSIV isolation (no secondary radiation alarms)LOFW ScenariosBase LOFW, no AFW/MFComplex LOFW, no AFW/MF, but degraded condensate pump availableIllustrations 31HRA Empirical StudyIllustrations 32HRA Empirical StudyKey drivers for crew

-to-crew variabilityPacing (fast crew, slow crew)PreferencesControl inputsGoals and strategiesCapabilitiesKnowledgeCrew communicationSituational awarenessChallenges to Reviewers 33HRA Empirical StudySGTR Base ScenarioTrip reactor early (Crew M) or reduce power to troubleshoot (Crew G)Slower (G) or faster (M) pacingFaster (G) or slower (M) RCS cooldown rateIllustrations 34HRA Empirical StudyIllustrationsHAMMLAB ADS-IDAC 35Illustrations 36 36Dynamic Performance Influencing Factors (PIFs)Illustrations 37Robinson Fire (3/28/2010)Illustrations 38Several issues:Impact of secondary cooldownImpact of RCP seal leakageTime available to initiate RCS cooldownIllustrations 39Some insightsTime to CD with 480 gpm RCP seal leakSignificant time available with 21 gpm RCP seal leakCooldown has limited impactIllustrations 40Dynamic PRA Opportunities and ChallengesSome Advantages of Dynamic ApproachesDoes not require traditional pinch points and other constraintsFlexible truncation timesEasier integration of non

-binary information (e.g., degraded equipment)Increases focus on physical system behaviorReduces reliance on intermediate assumptions (e.g., success criteria)Forces explicit treatment of timingImproves realism and ability to extrapolate resultsIntegrates hardware and human performance modelsRicher context for evaluating human performanceRealistic plant modeling (e.g., explicit consideration of control system interaction and procedures)End states can be readily tailored to scenarios and not limited to discrete binsRecovery and mitigation actions can be explicitly modeled, including partially successful mitigation and timing variabilityIllustrations 41Dynamic PRA Opportunities and ChallengesDeveloping and validating modelsDevelopment of physical models can be resource intensiveValidation/accreditation of models can be difficult, particularly for rare eventsObtaining a complete risk profileEnsuring a complete solution space is examinedChoosing representative samplesPruning and truncation to avoid sequence explosionAggregating, interpreting, and communicating resultsSimulation

-based approaches can produce expansive amounts of dataIdentifying and focusing on key accident scenarios can be difficultConfidence in simulation results (either overly high or low)No state of practice for calculating importance measuresVertical vs. horizontal slice Evaluating UncertaintyApplying and interpreting uncertainty can difficult particularly in the absence of a standard state

-of-practice.Ensuring efficient sampling scheme for uncertainty evaluation (e.g., identifying parameters and capturing dependenciesIllustrations BACKUP SLIDES 43PSAM 14 (2018)

TitleOrgs*Norwegian University of Science and Technology 44PSA 2017 TitleOrgs 45Challenges to DevelopersTechnical (many being addressed)Phenomenological sub

-modelsDataV&VComputational resourcesAids to support searchesAids to support sensemakingEconomicDemonstrating added valueDemonstrating acceptable resource requirementsDynamic PRA 46Challenges to Developers (cont.)Socio-organizationalPerception that dynamic PRA is necessarily complexDeveloper community mindset Importance of insights (vs. bottom line results)Openness to concerns raised by skepticsUser community mindsetPotential value of different approachesAwareness of trends outside NPP PRATargeting of development activitiesR&D => product developmentIncreased emphasis on actual problem solving (beyond demos)Role in PRA toolboxWhat expertise is needed, how to develop and maintainDynamic PRA