ML19011A428

Revision as of 15:31, 12 February 2019 by StriderTol (talk | contribs) (Created page by program invented by StriderTol)
Lecture 4-1 Initiating Events 2019-01-17
ML19011A428
Person / Time
Issue date: 01/16/2019
From:
Office of Nuclear Regulatory Research
To:
Nathan Siu 415-0744
Shared Package
ML19011A416 List:
References


Text

Initiating Events
Lecture 4-1

Key Topics
  Methods to identify initiating events
  Fundamental ethos: search for failures

Resources
  American Nuclear Society and the Institute of Electrical and NUREG/CR-2300, January 1983
  H. Kumamoto and E.J. Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.
  T.A. Kletz, Improving Chemical Engineering Practices: A New Look at Old Myths of the Chemical Industry, Second Edition, Hemisphere Publishing, New York, 1990.
  H. Petroski, To Engineer is Human: The Role of Failure in Successful Design, Random House, New York, 1992.

NPP PRA
  Levels
    Level 1 (core/fuel damage)
    Level 2 (radioactive release)
    Level 3 (offsite consequences)
  Hazards
    Internal events (hardware, human, LOOP)
  Operating Mode
    At power
    Low power/shutdown
  Sources
    Core
    Spent fuel pool
    Other (e.g., dry cask storage)

[Diagram labels: Hazards; Initiating Events; Plant Damage States; Source Term Groups; Release Categories; Offsite Consequences; Level 1; Level 2; Level 3]

Context for Initiating Event Analysis
  {s_i, C_i, p_i}

NPP PRA
  Spent Fuel Pool Units: All Hazards; Level 1/2,3 PRA
  Dry Cask Storage: All Hazards; Level 1/2,3 PRA
  Integrated Site Model: All Sources; All Operating States; All Hazards; Level 1,2,3 PRA
  Reactor Units: At-Power; Internal Hazards; Level 1,2,3 PRA
  Reactor Units: At-Power; External Hazards; Level 1,2,3 PRA
  Reactor Units: Low Power/Shutdown; All Hazards; Level 1,2,3 PRA
  Reactor Units: All Operating States; All Hazards; Level 1,2,3 PRA

The General Modeling Process: One View
  Formulation
    Develop understanding
      Possible scenarios
      Key processes and parameters
      Modeling issues
      Interactions with other analyses
    Select scenarios for analysis
    Select computational tool(s)
  Analysis
    Collect data
      Generic
      Plant-specific
    Build model(s)
      Direct input
      External submodels
    Perform computations
  Interpretation
    Results for analyzed scenarios
    Implications for other scenarios

The Modeling Process: A More Detailed View
  [Figure from NUREG/CR-2300, January 1983.]
  Sequence = Initiating Event AND Mitigating System Response

Critical First Step

or family working at the plant.

past blizzards, the plant rode it out, providing needed power to the region. Most of the workers, who had put in long hours to cope with the November storm and its aftermath, are home for a well-deserved rest over the holiday, and Old Reliable is purring along with a nearly minimum crew. (Some unlucky workers are earning overtime working -cooled EDG, which is down for emergency repairs.) A low pressure area, formed in the Atlantic some two days ago, is being tracked but the disturbance is small. Although there are indications of intensification, weather forecasts provide no cause for

*Thanks to Pierre LeBot (EDF) for parts of this story.

Initiating Event Definition

At around 3 pm, winds in the region start to rise; blowing snow cuts visibility and trees are swaying. The plant receives a warning that the disturbance had become a storm but its intensity and direction are unclear. Considering the conditions of the roads and crew, past plant performance, and the uncertainty in the weather model predictions, the plant manager decides to alert off-duty senior staff, but not to recall any workers. At 5 pm, the storm hits the coast. Around 8:30 pm, severe wind gusts take down multiple power lines, disrupting the grid. The plant loses offsite power and trips at 8:32, and the water-cooled EDG starts and loads as designed. At 11:16 pm, wind-driven waves, on top of severe storm surge and an abnormally high tide (a beyond-design basis hazard combination), overtop and damage the protective seawall and start flooding the pump house, endangering service water (normal and emergency). The plant (an old, isolation condenser design) starts preparing to enter SBO conditions. Fortunately, an offsite power line is recovered at 11:34. Recognizing the unreliability of the grid under storm conditions, the plant starts reviewing its procedures to stay at hot shutdown conditions until grid stability can be assured. However, offsite power remains available and the plant achieves cold shutdown early Christmas morning.

Possible Choices
  Event: Why?
  November storm: Sets up plant workforce, activities, and attitudes, and offsite conditions. Could support risk-informed post-storm operations decisions
  Low pressure formation: Natural starting point if using storm simulation modeling. Could support risk-informed early storm preparations.
  Storm warning (3 pm): Deteriorating conditions; warning triggers decision (whether to recall staff). Could support risk-informed response.
  Storm hits coast: -oriented analysis.
  LOOP: Start of nuclear transient.
  Pumphouse flooding: Not a great choice for a literal analysis, but could

- Glossary of Risk-Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, 2013

Identifying Initiating Events
  Tools/approaches include:
    Failure Modes and Effects Analysis (FMEA)
    Hazard and Operability Studies (HAZOPS)
    Master Logic Diagrams (MLD)
    Heat Balance Fault Trees
    Review of past events
    Comparison with other studies
    Feedback from plant model

Identification Methods

  Screen out unimportant events to enable practical solution and avoid distractions
    Limited analysis resources
    Risk masking from overly conservative analyses
  Recognize challenges
    Completeness
    rectifiability

Example for Demonstrations: A Simple Boiler
  Table columns: Desired State; Steam Flow; Liquid Level; MS Valve; FW Pump; Hot Gas
    Open / On / On
    Open / Off / On
    Closed / On / Off
    - / Closed / Off / Off
  [Figure labels: Feedwater Pump; Drain Valve; Level Sensor; Main Steam Valve; Steam Flow Sensor; Hot Gas]

FMEA Principles
  Inductive approach: postulate failures and determine effects
  Apply to all elements in system
  Uses standardized terms
  From H. Kumamoto and E.J. Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.

FMEA Partial Example (Boiler Problem)
  Component: Pressure Vessel
    Failure Mode: Rupture
    Cause(s):
      a. Overpressure
      b. Impact
      c. Corrosion
      d. Faulty materials
      e. Faulty construction
      f. Faulty installation
      g.
    Effects:
      a. Stops operation
      b. Hazards to operators, other components
        i. Steam
        ii. Flooding
        iii. Missile(s)
        iv. Displacement
  Component: Feedwater Pump
    Failure Mode: Fails to run
    Cause(s):
      a. Mechanical failure (e.g., binding, rotor crack)
      b. Clogging
      c. Loss of power
      d. Incorrect control signal
      e. Incorrect operator action
      f.
    Effects:
      a. Stops system operation
      b. Creates demand for system response

HAZOP Principles
  Extension of FMEA
  Includes process parameter deviations
  Used extensively in chemical process industry
  From H. Kumamoto and E.J. Henley, Probabilistic Risk Assessment and Management for Engineers and Scientists, Second Edition, IEEE Press, New York, 1996.

HAZOP Partial Example (Boiler Problem)
  Process Parameter: Gas Flow
    Deviation: No Flow
    Effects:
      a. Stops operation
      b. Creates demand for system response (stop feedwater). If response fails, could lead to overfilling and possible flooding elsewhere
  Process Parameter: Gas Flow
    Deviation: More Flow
    Effects:
      a. Increases steam generation rate. Depending on steam flow setpoint, could trigger system shutdown.
      b. could cause dryout and gas tube rupture.

Principles
  Deductive approach
  Basically a fault tree; shows how a top event can occur
  is similar concept
  -Related Terms in Support of Risk-Informed Decisionmaking, NUREG-2122, 2013

A Classic NPP MLD
  [Figure from NUREG/CR-2300, 1983]

MLD for a Space Application
  [Figure from NASA/SP-2011-3421, 2nd ed., 2011]

MLD Partial Example (Boiler Problem)
  [Figure labels: High Steam Flow Trip; Insufficient Feedwater; Sensor Failure; Loss of FW Source; Trip Logic Failure; High Steam Flow; Spurious Trip; T3; T2; T1; Excessive Heat; Pump Tripped; Pump Failure; Flow Path Blocked]

Other Frameworks
  Different representations of causality can:
    Stimulate imagination
    Facilitate communication with like-minded
    applications
  e.g. Deepwater Horizon and Fukushima and Occasionally

Operational Experience (OpE)
  Illustrates mechanisms and complexities that might otherwise be missed
  Examples
    Water hammer in fire main causes reactor building flood
    Lighted candle causes cable fire
    Boat wake rocks submarine and causes reactivity accident
  OpE also can indicate where imagination might be going too far
  Non-NPP experience is potentially valuable (e.g., see Kletz)

Other Studies (NPP)
  Loss of offsite power
    Plant-centered
    Switchyard
    Grid
    Severe weather
  Loss of safety-related bus
  Loss of instrument or control air
  Loss of safety-related cooling water
  Loss of feedwater
  General transient
  Steam generator tube rupture
  Loss of coolant accident
    Very small LOCA
    Small LOCA
    Medium LOCA
    Large LOCA
    Excessive LOCA
  Interfacing system LOCA
  Stuck-open relief valve
  High energy line break
  [Chart: Example CDF Contributions (Internal Events); categories: LOCA; ISLOCA; SGTR; Transients; LOOP; LO1DC; LOCCW; LOHVAC]

Including External Hazards
  Internal events
  Internal floods
  Internal fires
  Seismic events
  External floods
  High winds
  [Chart categories: LOOP; Transients; Fire; Seismic; LOCA; LO1DC; LOCCW; LOHVAC; SGTR; ISLOCA; Chemical; Flood]
  Further discussion in Lecture 6-2

Comments
  (e.g., between initiating event analysis and event sequence analysis)
    Gaps
    Mismatches
  fuzzifies
  early judgments needed to start other tasks can/should be revisited
  Internal and external hazards analyses use internal events models (Lecture 6-2); can suggest model modifications based on results and insights

Comments (cont.)
  To postulate how things might fail, first need to know how things are supposed to work =>
  Checklists (e.g., based on past studies) are useful, but concept of active searching is key, especially for new systems.
  Multiple approaches/tools provide different perspectives and can help ensure completeness.