Modeling of Portable Equipment in PSA: History, Current Activities and Challenges

ML20043F545
Person / Time
Issue date:	02/14/2020
From:	Nathan Siu Office of Nuclear Regulatory Research
To:
References
Download: ML20043F545 (31)
v • d • e

Text

Modeling of Portable Equipment in PSA:

History, Current Activities, and Challenges N. Siu U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research WGRISK Annual Meeting Paris, France February 26-28, 2020

Outline

• History: past analyses and actual events

• FLEX: NRC activities

• Personal perspectives

- Analysis considerations

- Analysis technologies 2

History Portable Equipment and Improvised Measures: Selected Events Fukushima TMI Chernobyl 9/11 Daiichi Greifswald Armenia Turkey Point Blayais PRA Policy Statement Indian IPE/IPEEE SAMA Point 1980 1990 2000 2010 2020 3

History Early Perspectives and Analyses

• ACRS (1955): nuclear fire-fighters

• Indian Point 3 PSA (1983)

• IPE/IPEEE (1988-2002) plant improvements:

- Portable pumps (e.g., isolation condenser makeup)

- Portable generators (battery chargers)

- Portable fans (room cooling, smoke removal) 4

History SAMA Analyses

• Identify and assess potentially cost-beneficial severe accident management alternatives*

• Staff reviews: plant-specific supplements to NUREG-1437 (2002-2018)

• Alternatives include portable:

- Generators (battery chargers, direct power)

- Pumps

- Air compressors

- Fans

• Typically bounding analyses (no operator errors) to maximize potential risk reduction (CDF, population dose, offsite economic cost)

• Alternatives sometimes not considered or screened because:

- portable equipment already implemented (FLEX)

- intent covered (e.g., manual control of TDAFW)

• Broader analyses also consider environmental impact of license renewal (e.g., air quality and noise effects) 5

NRC Activities Recent NRC FLEX Activities

• Focus on key Risk-Informed Decision Making (RIDM) programs

- Significance Determination Process (SDP)

- Notices of Enforcement Discretion (NOEDs)

- License Amendment Requests (LARs)

• Staff engaged with industry

• Challenges

- Access to operational experience (OpE) data

- HRA methods for challenging actions

- Incorporating FLEX actions into NRC SPAR models (success criteria, modeling variations, )

6

NRC Activities Recent NRC FLEX Activities: HRA (1 of 2)

• Integrated Human Event Analysis System (IDHEAS)

- Finalize general methodology (IDHEAS-G)

- Event and condition assessment tool (IDHEAS-ECA) now available: RIL-2020-02 (ML20016A481)

- Under development: IDHEAS-DATA (documentation)

• Expert elicitation

- 2018 Workshop

• 6 experts (NRC and industry)

• Formal process (SSHAC Level 2+/3-)

• 2 scenarios (FLEX- and non-FLEX designed), 5 FLEX actions

• Largest HEP: Extended Loss of AC Power (ELAP) declaration

• Important PIFs: training, scenario familiarity, FSG entry conditions 7

NRC Activities Recent NRC FLEX Activities: HRA (2 of 2)

• Expert elicitation (cont.)

- 2019 Workshop

• 6 experts (NRC and industry)

• Prioritized Industry Support

• Developed several FLEX scenarios

• 2 Site visits (PWR and BWR)

• Both FLEX and non-FLEX scenarios

• Used the IDHEAS-ECA tool

• Developed HEPs for several FLEX actions in specific scenarios 8

NRC Activities Recent NRC FLEX Activities: SPAR Models (1 of 3)

• Ongoing incorporation into Standardized Plant Analysis Risk (SPAR) models

- SPAR models

• Maintained for all U.S. operating NPPs (Level 1, at-power)

• Some models address fire, external hazards, low power and shutdown operations, Level 2

• Many staff uses; principal applications: Reactor Oversight Program (ROP) and Accident Sequence Precursor (ASP) Program

- FLEX scenarios are added when actions are proceduralized.

- FLEX added to all hazard categories where applicable.

- Most SPAR models updated with modeling variations (affecting results).

9

NRC Activities Recent NRC FLEX Activities: SPAR Models (2 of 3)

• Results and insights to date:

- FLEX strategies and equipment can provide alternative success paths when called by plant procedures

- Effectiveness strongly affected by modeling choices:

success criteria, mission times, accident sequence termination

- Effectiveness is plant specific; depends on

• Percentage of contribution of SBO CDF w/o FLEX

• AC power recovery capabilities, AC power recovery model assumptions, and failure probabilities for FLEX equipment (running beyond the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)

- Effectiveness varies according to hazard category and initiating event 10

NRC Activities Recent NRC FLEX Activities: SPAR Models (3 of 3)

• Challenges

- Operator action modeling and HEP calculations

- Failure data for portable equipment

- Success criteria

• Sequence success criteria (declaration of success)

• Equipment success criteria

- Extension to shutdown operations

- Justification and variations (by event/hazard type) for time windows currently apportioned for various FLEX strategies

- Maturity of newly created FLEX procedure steps (for MCR and for local actions)

- Potential downsides to declaration of ELAP 11

NRC Activities Recent NRC FLEX Activities: Further Reading

• M. Humberstone, Crediting Mitigating Strategies in Risk-Informed Decision Making, June 28, 2017. (ML17174B290)

• M. Montecalvo, , Crediting Mitigating Strategies in Regulatory Applications, August 16, 2018. (ML18228A834)

• J. Xing, M. Kichline, J. Hughey, and M. Humberstone, The use of expert judgment to support human reliability analysis of implementing FLEX equipment, Proceedings ANS International Meeting on Probabilistic Safety Assessment (PSA 2019), Charleston, SC, April 28-May 3, 2019. (ML19023A508)

• M. Humberstone, Crediting FLEX Equipment in Risk Assessments:

Case Study, July 31, 2019. (ML19228A063)

• M. Montecalvo, M. Humberstone, and J. Xing, Role of human reliability analysis in post-Fukushima risk-informed decision making, ESREL 2019 (ML19080A109).

12

Personal Perspectives FLEX Analysis: Some Considerations

• Affected by intended purpose

- Bounding analysis of potential benefits (no human error)

- Simple risk-informed applications (conservative Game Over)

- Emergency response planning and training (realistic)

• Context: situation likely to be challenging

- Failures of preferred or portable equipment

- Possibly missing/misleading indications Analyst caution: beware

- Possibly unclear effectiveness omniscient, PRA-model

- Possibly unforeseen situation informed point of view

- Possibly damaged crew confidence

• Potential downsides (real or perceived)

- Declaration of Extended Loss of AC Power (ELAP)

- RCS depressurization

• Potential changes over time

- Equipment qualification

- Crew deep knowledge

- Technology advances and potential vulnerabilities 13

Personal Perspectives More Analysis Considerations*

Scenario Dynamics Crew Workarounds

• Progressive deterioration of

• Bypass damaged (real or situation suspected) instrument lines

• Multiple shocks over time

• Temporary cables

• Needed enabling actions

• Scavenged batteries

- Post-hazard safety

• Courier systems surveys/inspections

• Break/bypass fire barriers

- Radiation measurements

- Pre-firefighting actions (e.g.,

• Trial and error problem N2 inerting) solving

- Firefighting to allow access

• Bypass safety interlocks

• Not FLEX-specific but relevant to challenging scenario response (including FLEX) 14

Personal Perspectives Perspectives on Analysis Technology

• Behavioral (non-cognitive execution): well suited for task-analysis simulation NUREG/CR-6159

• Advanced modeling: see wargames, security-related simulations (discrete event, object-oriented)

• Early resources:

- A. Siegel, et al., Maintenance Personnel Performance Simulation (MAPPS) Model: Summary Description, NUREG/CR-3626, Vol. 1, 1984.

- M.T. Lawless, K.R. Laughery, and J.J. Persensky, Using Micro Saint to Predict Performance in a Nuclear Power Plant Control Room: A Test of Validity and Feasibility, NUREG/CR-6159, 1995.

15

Summary

• Long history: successful use of portable equipment in actual events, credit in analyses

• NRC is actively engaged in efforts to appropriately credit FLEX in current risk-informed applications

• Simple analyses can be useful for some applications

• Detailed analyses (e.g., using simulation) are likely to be feasible and useful; need to account for observations from actual events 16

Acknowledgments Thanks to Matthew Humberstone, Selim Sancaktar, and Jing Xing for their input to this presentation.

17

BACKUP SLIDES 18

Backup Very Early Vision With all the inherent safeguards that can be put into a reactor, there is still no fool-proof system. Any system can be defeated by a great enough fool. The real danger occurs when a false sense of security causes a relaxation of caution.

- C.R. McCullough, M.M. Mills, and E. Teller, The Safety of Nuclear Reactors

• Specific concerns

- Nuclear runaway

- Delayed energy production

- Chemical reactions

• Features for decay heat removal

- Standby gravity flow/natural convection emergency cooling system

- Standby emergency services (analogous to fire-fighters)

- Standby forced convection cooling (special power supply, special separate piping) 19

Backup Example Events Before 3/11

• Major External Events Onsite damage, loss of site access,

- Hurricane Andrew/Turkey Point 3&4 (1992) offsite damage; portable fire pumps,

- Winter Storm Martin/Blayais 1&2 (1999) debris removal

• Major Internal Fires

- Greifswald 1 (1975) Loss of power and control, smoke, explosions (A);

- Armenia 1&2 (1982) temporary cables

• Lesser events

- San Onofre 1 (1982): submersible pump for intake structure

- Diablo Canyon (2000): generator for https://commons.wikimedia.org/wiki/File:Metsamor_nuclear_

power_plant,_cooling_towers_(Armenia,_June_2015).jpg switchyard battery charger

• Non-Nuclear Events Facility and infrastructure damage,

- Northridge Earthquake, M 6.7 (1994) fires, emergency service demands;

- Kobe Earthquake, M 6.9 (1995) portable generators, pre-planning, workarounds 20

Backup FLEX HRA Elicitation (1)

• 2018 workshop

• Participants

- 3 NRC staff, 3 industry experts

- Expertise: PRA/HRA, implementation/audits of FLEX strategies, use of portable equipment, maintenance operations

• Process Guidance: NRC White Paper (ML16287A734)

• Objectives

- Quantify HEPs for a few typical actions using FLEX

- Identify unique PSF attributes

- Assess impact of PSFs on HEPs

• Outcomes

- Definition of FLEX-designed and non-FLEX designed scenarios

- HEP distributions for 5 actions with justifications

- FLEX-specific PSFs with attributes

- Effect of PSFs on HEPs 21

Backup FLEX HRA Elicitation (2)

• Scenarios

- Non-FLEX designed: 1 DG OOS (maintenance), LOOP, SBO due to DG failure, nominal conditions

- FLEX-designed: SBO caused by high wind and flooding (affects access, visibility, debris location)

• Actions

- Transport, connect, operate portable generators

- Transport, connect, operate portable pumps

- Refill storage tank with alternate sources

- Declare ELAP

- Deep DC load shed 22

Backup FLEX HRA Elicitation (3)

• Challenging context

- System and environment

• Environmental factors Scenario-specific in analysis

• Information

• Tools and parts

• Ergonomics (indications and controls)

- Personnel and organization

• Training Scenario-specific in analysis

• Procedure

• Teamwork factors

- Tasks

• Scenario familiarity Scenario-specific in analysis

• Task complexity

• Multitasking

• Mental fatigue and stress

• Physical demands 23

Backup IDHEAS-ECA: Overview 24

Backup IDHEAS-ECA: Process 25

Backup IDHEAS-ECA Software Tool* (1)

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374) 26

Backup IDHEAS-ECA Software Tool* (2)

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374) 27

Backup SACADA*

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374) 28

Backup Some Challenging Fires and Recoveries Beyond Date Plant Short Description Procedures/

Training? [1]

Browns Ferry Multi-unit cable fire; multiple systems lost, spurious operations; non-proceduralized 3/22/1975 Yes 1&2 recovery.

Electrical cable fire; station blackout (SBO), 5 hr loss of normal core cooling, loss of 12/7/1975 Greifswald 1 Probably [2]

coolant; recovered with cross-tie with Unit 2.

Turbine lube oil fire , collapsed turbine building roof, main control room (MCR) 12/31/1978 Beloyarsk 2 damage, secondary fires; extinguished in 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br />; damage to multiple safety Probably [2, 3]

systems and instrumentation.

Electrical cable fire (multiple locations), smoke in Unit 1 MCR, secondary explosions 10/15/1982 Armenia 1 & 2 and fire; SBO, loss of instrumentation and reactor control; recovery using temporary Yes cable.

Turbine failure, burning oil cascaded down to lower floors. Smoke in MCR. Turbine 10/19/1989 Vandellos 1 Partially [4]

and reactor building flooded; recovery actions in darkened and smoke filled rooms.

Turbine failure and fire, collapsed turbine building roof; loss of generators, loss of 10/11/1991 Chernobyl 2 Yes feedwater; makeup from seal water supply.

Turbine failure, explosion and fire, smoke forced abandonment of shared MCR; SBO, 3/31/1993 Narora 1 Yes loss of instrumentation; shutdown cooling pump energized 17 hours1.967593e-4 days <br />0.00472 hours <br />2.810847e-5 weeks <br />6.4685e-6 months <br /> later.

Notes on basis:

[1] Yes indicates explicit mention in NUREG/CR-6738

[2] Extensive losses (safety systems, power, control)

[3] Per NUREG/CR-6738, reactor was saved mainly by good luck.

[4] No specific written procedures; operator action based on 15 years experience in plant operations, periodic training on auxiliary feedwater control.

29

Backup Station U1: only primary P Blackout at local station Loss of MCPs, MCR lights, readouts, alarms, phones, power, Operators manually open SG dump normal and emergency MU valves, upper TB (breathing masks, 4 hr)

Manual SG SRV Temp power cable from Power to U1 MU Power to U1 trip U1&2 opened U2 DG to U1 EMU pump pump from DG FW pump Offsite Break CSR wall Fire out FBs arrive to access fire FB arrives, open MCR TB, Xfmr fires Fire hatch to spray vault under control controlled H2, Xfmr explosions Armenia 1&2 Fire start, spread Smoke in MCR MCR smoke unbearable 1982-10-15 0 2 4 6 Time from Start (hr) 30

Backup Equipment Qualification

• January 6, 2010: Diesel Fuel Oil Transfer Pump FO-37 inoperable (local area flooding)

• June 24, 2010: portable back up pump found to be incorrect for application.

- Discovered by engineering evaluation.

- Subsequent test (August 30): pump diaphragm ruptured during functional test

- Pump had been in place since March 29, 1994.

• Root cause: failure to perform appropriate design change evaluation (LER 285/2010-005-R01) 31