Text

Characterizing Previously Unknown Dependencies in Probabilistic Risk Assessment Models of Nuclear Power Plants John David Hanna Region III Office, US Nuclear Regulatory Commission, USA. E-mail: john.hanna@nrc.gov The US Nuclear Regulatory Commission (NRC) maintains a set of Level-1 probabilistic risk assessment (PRA) models, called standardized plant analysis risk (SPAR) models, which are the analytical tools used by the agency to perform risk assessments. The SPAR models include elements of the initiating events (IE), mitigating systems (MS) and to a limited extent barrier integrity (BI) cornerstones.

Over the last 10 to 15 years, several events have occurred at nuclear power plants (NPPs) in the US which had substantial risk and where multiple cornerstones were simultaneously affected. The risk insights from these domestic events may indicate an existing completeness uncertainty, specifically that there are dependencies between certain initiating events and availability/reliability of mitigating systems which are not currently captured in the PRA models.

These previously unrecognized dependencies can be included in the SPAR models and thus captured in subsequent risk assessments. This paper will review several examples from US commercial NPPs where these dependencies manifested themselves and demonstrate that the risk of lower intensity events (far less than a beyond design basis event) can be significant. Further, this paper will describe potential PRA modeling improvements and provide insights that may lead to modifications to existing procedures, plant structures, systems & components such that the previously unmeasured risk might be lowered, providing a benefit to public health and safety.

Keywords: nuclear power, dependency, external event, PRA, sunny day event, Fukushima Dai-ichi.

1. Introduction Guide 1.200, PRA models need to have the appropriate scope, level of detail, and technical acceptability. (1) The The US Nuclear Regulatory Commission (NRC) maintains NRCs 1995 PRA policy statement specified that PRA a set of Level-1 probabilistic risk assessment (PRA) models, evaluations supporting regulatory decisions should be as called Standardized Plant Analysis Risk (SPAR) models, realistic as practicable. (2) Consistent with this realism which are the analytical tools used by the agency to perform principle, these previously unrecognized dependencies can risk assessments. The SPAR models, similar to the PRA be included in the SPAR models and thus captured in models used by owners/operators of nuclear power plants subsequent risk assessments. This paper will review several (NPPs), include elements of the initiating events (IE),

examples of events and/or conditions from the US mitigating systems (MS) and to a limited extent barrier commercial NPPs where these dependencies manifested integrity (BI) cornerstones. These PRA models will themselves and demonstrate that the risk of lower intensity occasionally represent complex scenarios that affect two or events (far less than a beyond design basis event) can still more of these cornerstones (e.g., a loss of component be significant. Further, this paper will describe potential cooling water (CCW) simultaneously results in an initiating PRA modeling improvements and provide insights that may event and an impact on a mitigating system); however, the lead to modifications to existing procedures, plant cornerstones are usually treated independently.

structures, systems & components such that the previously Over the last 10 to 15 years, several events have unmeasured risk might be lowered, providing a benefit to occurred at NPPs in the US which had substantial risk and public health and safety.

where multiple cornerstones were simultaneously affected.

(An extreme international example of this dependency is

2. PRA Modeling and Limitations the case of Fukushima Dai-ichi in Japan on 11 March, 2011 where the initiating external event affected mitigating The SPAR models have event trees that are created to systems, as well as barrier integrity and emergency delineate possible sequences of successes or failures of preparedness (EP) via the impact to evacuation routes.) The systems/functions that lead to specific endstates, (e.g., a risk insights from these domestic events may indicate an safe/stable condition, or core meltdown and/or the release existing completeness uncertainty, specifically that there of radionuclides). Fault trees are used to estimate the failure are dependencies between certain initiating events and probabilities of those systems/functions using information availability/reliability of mitigating systems which are not such as data on the reliability of components, common-currently captured in the PRA models. These accident cause failure likelihood or human error probabilities precursors remind us of the need to re-examine the (HEPs). Using these techniques, thousands of possible core fundamental assumptions used in risk analysis. damage accident sequences are assessed for their likelihood.

The SPAR models are maintained, frequently Some IEs modeled in PRA models are clearly exercised by analysts within the agency, and are used to linked to mitigating systems (e.g., a loss of offsite power inform regulatory decisions. According to Regulatory (LOOP) by definition removes the normal source of

2 John David Hanna electrical power to the nuclear plant). However, for many only 30 minutes advanced warning to the DAEC site due to initiating events, the potential failures of mitigating systems the rapid nature of derecho formation. Simultaneously, the and barrier integrity are treated independently in the PRA derecho with estimated wind speeds of 129-161 km/h (80-models. 100 mph) for more than 30 minutes and gusts up to A limitation of the current PRA models is how they 209 km/h (130 mph), deposited significant amounts of address dependency. Customarily in PRA, the term debris and vegetation in the Cedar River. The river serves dependency is usually used to describe the commonality as the ultimate heat sink for the unit and is the suction source between two or more human actions. In other words, for the service water system, which provides cooling to dependency normally describes the relationship between pumps, heat exchangers and the EDGs. This debris loaded action A and the subsequently performed action B. And both the service water strainers to the point that one reached factors (e.g., whether the actions were taken by the same 103 kPa (15 pounds per square inch (psi)) differential operating crew, whether they happened close in time or pressure requiring it to be bypassed and the other reached whether there are cues to help the operator diagnose or take 76 kPa (11 psi) differential pressure and then stabilized.

the appropriate action) are variables that affect the degree This challenge to the strainers had the potential to stop of dependency. Sometimes the term dependency is cooling to both the EDGs and the other systems which meant to convey the relationships between front-line maintain inventory and remove decay heat from the core in systems and their associated support systems (e.g., a post-accident scenario. Additional challenges to the plant emergency diesel generator dependency (EDG) on service were posed by the derecho in that the secondary water cooling.) However, for the purposes of this paper, a containment was impacted and the potential, though not non-trivial probability relating IEs and either MS or BI will actual, effect on the evacuation routes. Hence this one, be referred to as a dependency. This type of dependency relatively common IE significantly impacted MS, had a is distinguished from a combined event because it is not minor actual impact on BI (secondary containment) and no simply two or more initiating events occurring actual, but some potential impact on EP (evacuation routes).

simultaneously (e.g., strong winds and high sea water levels), but a single event that cuts through and creates additional events and losses of mitigating systems, barrier integrity, emergency preparedness, etc. Wherever possible in this paper, the effects on cornerstones will be noted (e.g.,

MS).

The PRA models used for US commercial NPPs possess both internal events and to some degree external events (e.g., fires, seismic, tornado/high winds, and flooding). (3,4) And while extreme external events have the capacity to create large consequences, the frequencies of those events lower the overall risk results. However, less severe events, referred to as sunny-day events in this Fig. 1. Diagram of derecho frequency in the United States of paper can happen with higher frequencies and may provide America; The frequency of the derecho for the state of Iowa is in less time for warning and mitigative actions to be taken. the range of once/two years - once/year.

Examples, aside from those listed in Section 3 below, would include riverine flooding, not caused by dam failure or a However, it is important to note at this point that large seismic event, that can inundate the plant and affect there was another layer of defense-in-depth (DID) in offsite power via the switchyard, but remains less than a existence. Following the events at Fukushima Dai-ichi on beyond design basis external event (BDBEE). 11 March 2011, the NRC issued Order EA-12-049, Order Modifying Licenses with Regard to Requirements for

3. Recent Examples Mitigating Strategies for Beyond-Design Basis External 3.1. Duane Arnold derecho event Events. This order required all US commercial NPPs to develop diverse strategies for extended losses of alternating On 10 August 2020, a derecho swept through the states of current (AC) power coincident with a loss of the ultimate Iowa and Illinois causing widespread destruction including heat sink. All licensees, including the owner/operator of extensive damage to the electrical grid. (A derecho is a DAEC came into compliance with the order. These diverse widespread, long-lived wind storm with damage typically and flexible strategies (commonly known as FLEX, occurring in one direction along a relatively straight path referring collectively to the procedures, equipment, etc.)

extending for more than ~ 400 kilometers (250 miles), added another layer of DID that is not reliant on existing AC including wind gusts of at least 93km/h (58 mph) along power sources or the normal ultimate heat sink. The FLEX most of its length, and also includes several, well-separated equipment at DAEC could have been deployed if the event 121 km/h (75 mph) or greater gusts.) (5) Duane Arnold had caused the loss of both EDGs.

Energy Center (DAEC), a General Electric boiling water The responsible NRC Regional Office performed reactor-4 with a Mark 1 containment located near Cedar a risk assessment in an effort to direct the inspectors who Rapids, Iowa experienced a reactor trip and an extended were responding to the site, and in anticipation that a review LOOP. However, though this was a severe storm, there was under Management Directive 8.3, NRC Incident

3 Investigation Program would be performed. (6) The shorts or flooding the ECCS pump room if isolation valve(s) incremental conditional core damage probability (ICCDP) failed.

was calculated to be approximately 2x10-4 to 2x10-3, which A detailed risk evaluation (DRE) was performed to is one of the most risk significant events in the US since the assess the increase in risk due to the performance deficiency reactor vessel head degradation issue that occurred at Davis- (i.e., unsealed penetrations in the RAB enclosure). During Besse Nuclear Power Station in 2002. (7) The Accident the risk assessment process, the licensee performed a mass-Sequence Precursor (ASP) analysis estimated the ICCDP to flow balance evaluation of the RAB in order to assess the be 8x10-4. (8) The NRC evaluated the risk significance of amount of rainfall necessary to overwhelm the sump drain this event for other US commercial NPPs using procedure system and/or submerge critical components. In the most LIC-504, Integrated Risk-Informed Decision Making limiting case, a rainfall amount of approximately 30 cm (12 Process for Emergent Issues and is evaluating generic inches) versus the amount experienced of 15 cm (6 inches) correspondence to the industry on risk and operational would have led to a submergence of all ECCS pumps. The insights. (9) It is also important to note that neither the external LIP event became an internal flooding event (IE) licensees model nor the NRCs SPAR model included high and threatened all the ECCS pumps (MS), the sources of winds. inventory addition and decay heat removal.

3.2. St. Lucie external/internal flooding event Exceedance Rainfall Probability Equipment On 9 January 2014 an extreme localized intense Amount of Rainfall Affected precipitation (LIP) event occurred at the St. Lucie NPP, a of Concern two unit site with Combustion Engineering pressurized One train of high water reactors (PWRs) with large dry containments. The 24.5 cm pressure safety thunderstorm was not part of a hurricane and the LIP 3.30E-02 injection (HPSI)

(9.66 inches) occurred with little or no warning. The rainfall amounts are and low pressure listed in Table 1 below. safety injection (LPSI) 27.8 cm Both trains of 1.92E-02 (10.95 inches) HPSI and LPSI Time Cumulative Both trains of Rainfall Amount 31.0 cm 1.19E-02 HPSI and LPSI 2 hours2.314815e-5 days <br />5.555556e-4 hours <br />3.306878e-6 weeks <br />7.61e-7 months <br /> 13 cm (5 inches) (12.24 inches) and charging injection 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br /> 17 cm (6.5 inches) 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> 19 cm (7.3 inches) Table 2. Hypothetical rainfall amounts with exceedance probabilities & equipment affected; case shown with floor drain Table 1. Actual rainfall totals for Port St. Lucie on valves open during a LOOP. The amounts & recurrence intervals 9 January 2014. are based on National Oceanic Atmospheric Administration (NOAA) data. (11)

Blocked pipes in the storm drain system within the owner-controlled area caused rainwater to backup into the South Florida routinely has large rainfall events Unit 1 CCW pit area. The water subsequently entered non- (e.g., the probable maximum precipitation event = 119 cm safety-related electrical conduits in the emergency core (47 inches)) and this is reflected in the relatively large cooling system (ECCS) pipe tunnel. Missing flood seals in exceedance probabilities shown in Table 2. The DRE also conduits then allowed water estimated to be approximately considered the following factors: 1) various rainfall events, 189,000 liters (50,000 gallons) to enter the reactor auxiliary whether due to a LIP or a hurricane, 2) whether a reactor building (RAB). (10) Both units remained at 100 percent trip or a LOOP might occur due to the event, 3) the potential power and no safety-related equipment was submerged critical components and their various elevations in the RAB, during the event. 4) the HEPs for operator actions to mitigate the flood, and The water accumulated on the lower level of the 5) the failure probabilities for the drain valves, especially RAB, approximately 0.15 meter (0.5 feet) below mean sea the failure-to-close on demand. The increase in core damage level, on the level immediately above the various ECCS frequency for the exposure time period was initially pumps approximately 3 meters (10 feet) below mean sea 2x10-5/year but later was estimated at 3x10-6/year, due in level. The upper floor is separated from the lower by means part to the crediting of the FLEX mitigating strategies. (12) of walls, watertight doors, and isolation valves on the floor Neither the licensees model nor the NRCs SPAR model drains. These valves are designed to allow water to be addressed external flooding, especially the ability of an admitted to the lower level such that sump pumps can then external flood to become an internal one.

discharge them to waste hold-up tanks. During the event, the operators chose to open the drain valves in order to move 3.3. H.B. Robinson fire event the water from the upper level, to the lower so it could then On 28 March 2010, H.B. Robinson Steam Electric Plant, be pumped to the hold-up tanks. The accumulated water on Unit 2, a Westinghouse 3-loop PWR with a large dry the upper level had accumulated to a depth of several inches containment, experienced a high energy arc fault (HEAF) and any increases threatened the lower portions of electrical and subsequent fire on an electrical bus. (As is usually the cabinets in the area. In this scenario, both inaction and case with larger, more violent fires, it occurred with no action carried some potential risk in either causing electrical warning.) An automatic reactor trip occurred due to a

4 John David Hanna reactor coolant pump trip which resulted from an Mean 5% 95%

undervoltage condition on a non-safety related 4kV bus. Frequency Value Value The licensee responded and the first fire was extinguished HEAF for at 7:05 p.m. Several other concurrent electrical failures, medium-voltage 2.13x10-3 6.36x10-5 5.93x10-3 including a unit auxiliary transformer malfunction caused a electrical unit lockout to occur. The event had significant cabinets complexities and dependencies and because of that the event is decomposed into discrete themes below: Table 3. Fire initiation frequencies for HEAFs. Note that the mean frequency is comparable to other relatively frequent events,

• The initial fire (an IE) and subsequent electrical failures e.g., loss of DC power (1x10-3 per year) or steam generator tube caused reactor coolant pump (RCP) B to lose power rupture (1x10-3 per year). (13) and this created a power-to-flow reactor trip (another IE). Following the reactor trip, an inadvertent safety The responsible NRC Regional Office performed injection (another IE) occurred due to low pressurizer a risk assessment in accordance with Management Directive pressure caused by an excessive cooldown due to 8.3, NRC Incident Investigation Program. The ICCDP valves on the secondary side being left open. The was initially calculated to be approximately 7.2x10-6 but excessive cooldown could have challenged the was subsequently revised to 4.2x10-5 when the proximity to integrity of the reactor coolant system (BI) through RCP seal failure became understood. (14) An NRC brittle fracture. This portion of the event was Augmented Inspection Team followed up on the event and terminated when instrument bus #3 was accidentally assessed the operator performance and compliance aspects deenergized which then caused the main steam to the event. The ASP analysis later concluded the isolation valves to close. conditional core damage probability was 4x10-4. (15)

Neither the licensees model nor the NRC SPAR model

• The event also impacted CCW and the centrifugal included fire at that time, but recently many models have charging pumps (CCPs) both MS. Specifically, the fire been updated as plants have transitioned to requirements and electrical failures caused a loss of instrument bus under National Fire Protection Association (NFPA)-805

1. 4 which caused the combined return isolation valve code Performance Based Standard for Fire Protection for from the RCPs to shut, and thereby terminated seal Light Water Reactor Electric Generating Plants.

cooling. Due to an unrelated design issue, the CCPs failed to automatically swap from the normal suction 4. Significant Attributes of these Events source to the alternate. As a result, the supply tank was depleted, seal injection had decreased to less than the Some of the risk insights that may be gleaned from these minimum required and was at risk of being lost and similar examples at US commercial NPPs include the completely. This condition existed for approximately following:

17 minutes until RCP seal cooling/injection was

• These events demonstrate that there may be restored. But if that had not occurred, or had happened unrecognized dependencies where one initiating later, an RCP seal loss of coolant accident (a joint IE event can slice through what are believed to be robust and BI impact) might have occurred.

layers of defense-in-depth. The affected DID may

• During the transient, power was lost to the safety include redundant trains within a single system, like the related E-2 bus requiring its associated EDG to power service water impact in Section 3.1 above, or multiple the bus. In an effort to restore a normal electrical systems designed with similar purposes, as in alignment and transfer the bus E-2 off its emergency Section 3.2 above. PRA modeling changes that add power supply and onto a normal source the reactor coupling factors or transfers between existing event operators reset the generator lockout and inadvertently trees, e.g., LOOP and loss of service water, could reenergized the fault. This created another HEAF, a fire address these unrecognized dependencies.

on 4kV bus #4, and electrical grounds on both trains

• The external events of concern are occurring at of the 125 Volt DC system (another IE). An EP Alert infrequent but not rare intervals. The risk of these more declaration was made for a fire lasting greater than 15 frequent, but less intensive events may exceed the risk minutes. The licensees fire brigade responded to the from BDBEE. Guidance from the US Bureau of second fire and extinguished it.

Reclamation (who is responsible for management of many dams, powerplants and canals in the US) indicates that sunny day failures may be higher contributors to risk than severe storms and seismic events. (16)

• The three examples that are the focus of this paper are considered sunny day events in that little or no warning was provided, including the cases of the LIP rainfall event and the derecho.

5

• Note also that these events were not single IEs, but 2. US Nuclear Regulatory Commission, Use of rather multiple, complex events where one event Probabilistic Risk Assessment Methods in Nuclear cascaded to another with a synergistic effect. While the Activities: Final Policy Statement, Federal Register, PRA models typically approach IEs individually the Vol. 60, p. 42622 (60 FR 42622), 16 August 1995 actual events are demonstrating that the real world 3. ASME/ANS RA-S-2008, Standard for Level 1 / Large does not follow these constraints. These complexities Early Release Frequency Probabilistic Risk can have an impact on diagnosis which may: 1) further Assessment for Nuclear Power Plant Applications, complicate event response, 2) stretch operator/licensee Revision 2019 resources in ways that were not expected in emergency 4. US Nuclear Regulatory Commission, NUREG/CR-operating procedures, and 3) may require operators to 5042 Evaluation of External Hazards to Nuclear take actions that may increase the risk in order to Power Plants in the United States, Lawrence respond to the event, for example: Livermore National Laboratory, Livermore, USA, 1998 Admit unfiltered service water to EDGs during 5. Corfidi, Stephen, About Derechos, 15 May 2018, a LOOP event https://www.spc.noaa.gov/misc/AbtDerechos/derechof Open drain valves to allow water to enter spaces acts.htm with ECCS components that are important to 6. US Nuclear Regulatory Commission, Management protect Directive 8.3 Analysis, Duane Arnold Energy Center, 22 January 2021 - ML21022A415 Re-energizing a bus for the purpose of restoring 7. NRC Inspection Report 05000346/2002-008, Davis-the electrical system to a normal line-up, yet Besse Control Rod Drive Mechanism Penetration ultimately causing another fire/explosion Cracking and Reactor Pressure Vessel Head Degradation Preliminary Significance Assessment,

5. Conclusion 25 February 2003

8. Final Accident Sequence Precursor Analysis, Loss of The US commercial NPPs are managed by well-trained Offsite Power Caused by High Winds During operators, designed with multiple layers of DID, engineered Derecho, 4 March 2021, ML21056A382 to have significant safety margins, and have feedback loops 9. Duane Arnold Energy Center LIC-504 Team of corrective actions that seek not merely to fix short-term Recommendations, 30 March 2021, ML21084A010 problems but prevent recurrence of more significant ones. 10. Licensee Event Report 50-335/2014-001, Revision 1, However, these examples above show that there should not Internal RAB Flooding During Heavy Rain Due to be overconfidence in the estimation of plant safety. They Degraded Conduits Lacking Internal Flood Barriers, are accident precursors that remind us of the need to re- 12 May 2014 examine the fundamental assumptions used in risk analysis, 11. NOAA Atlas 14, Volume 9, Version 2, Precipitation and use the risk insights from PRA to monitor performance Depth for Partial Duration at Hutchinson Island South, of our facilities, inform our activities (e.g., maintenance, Florida, US inspection, etc.) and maintain DID. 12. US Nuclear Regulatory Commission Inspection Report These examples are not presented here to purport 05000335/389/2014-009, Preliminary White Finding that they are representative of all recent external events or and Apparent Violations, 24 September 2014 -

that they typify the risk increases due to owner/operator ML14267A337 performance deficiencies at NPPs. These cases are meant to 13. US Nuclear Regulatory Commission, NUREG-2169, show initiating events with dependencies that Nuclear Power Plant Fire Ignition Frequency and simultaneously affect mitigating systems, barrier integrity, Non-Suppression Probability Estimation Using the etc. can cut through design basis assumptions, perceived Updated Fire Events Database for the fire Initiating DID, safety margins, etc. The Fukushima-Dai-ichi incident Event frequencies, US NRC, Office of Research, was an extreme event but should not be dismissed as an Washington, USA, January 2015 isolated episode that cant happen here. These events have 14. US Nuclear Regulatory Commission, Management occurred at infrequent - but not rare intervals - and have Directive 8.3 Analysis, Revision 1, HB Robinson, revealed specific weakness in the DID of NPP facilities. As 14 April 2010 regulators and risk analysts we should pay attention to these 15. Robinson Final Accident Sequence Precursor Analysis lessons. Therefore, the reaction to these events should not - Electrical Fault Causes Fire and Subsequent Reactor be limited to isolated, plant specific changes alone, but the Trip with a Loss of Reactor Coolant Pump Seal industry should consider responses that bolster those Injection and Cooling, 23 September 2011 -

barriers to core damage for all NPPs for the long term. ML112411359 (3)

16. US Department of Interior, Bureau of Reclamation, References Dam Safety Risk Analysis Best Practices Training

1. Regulatory Guide 1.200, An Approach for Manual, USBR, Denver, USA, 2010 Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, March 2009