ML21103A355: Difference between revisions
=Text=
{{#Wiki_filter:Characterizing Previously Unknown Dependencies in Probabilistic Risk Assessment Models of Nuclear Power Plants
John David Hanna, Region III Office, US Nuclear Regulatory Commission, USA. E-mail: john.hanna@nrc.gov

The US Nuclear Regulatory Commission (NRC) maintains a set of Level-1 probabilistic risk assessment (PRA) models, called standardized plant analysis risk (SPAR) models, which are the analytical tools used by the agency to perform risk assessments. The SPAR models include elements of the initiating events (IE), mitigating systems (MS) and to a limited extent barrier integrity (BI) cornerstones.
Over the last 10 to 15 years, several events have occurred at nuclear power plants (NPPs) in the US which had substantial risk and where multiple cornerstones were simultaneously affected. The risk insights from these domestic events may indicate an existing completeness uncertainty, specifically that there are dependencies between certain initiating events and availability/reliability of mitigating systems which are not currently captured in the PRA models.
These previously unrecognized dependencies can be included in the SPAR models and thus captured in subsequent risk assessments. This paper will review several examples from US commercial NPPs where these dependencies manifested themselves and demonstrate that the risk of lower intensity events (far less than a beyond design basis event) can be significant. Further, this paper will describe potential PRA modeling improvements and provide insights that may lead to modifications to existing procedures, plant structures, systems & components such that the previously unmeasured risk might be lowered, providing a benefit to public health and safety.
Keywords: nuclear power, dependency, external event, PRA, sunny day event, Fukushima Dai-ichi.

1. Introduction
The US Nuclear Regulatory Commission (NRC) maintains a set of Level-1 probabilistic risk assessment (PRA) models, called Standardized Plant Analysis Risk (SPAR) models, which are the analytical tools used by the agency to perform risk assessments. The SPAR models, similar to the PRA models used by owners/operators of nuclear power plants (NPPs), include elements of the initiating events (IE), mitigating systems (MS) and to a limited extent barrier integrity (BI) cornerstones. These PRA models will occasionally represent complex scenarios that affect two or more of these cornerstones (e.g., a loss of component cooling water (CCW) simultaneously results in an initiating event and an impact on a mitigating system); however, the cornerstones are usually treated independently.
Over the last 10 to 15 years, several events have occurred at NPPs in the US which had substantial risk and where multiple cornerstones were simultaneously affected. (An extreme international example of this dependency is the case of Fukushima Dai-ichi in Japan on 11 March 2011, where the initiating external event affected mitigating systems, as well as barrier integrity and emergency preparedness (EP) via the impact to evacuation routes.) The risk insights from these domestic events may indicate an existing completeness uncertainty, specifically that there are dependencies between certain initiating events and availability/reliability of mitigating systems which are not currently captured in the PRA models. These accident precursors remind us of the need to re-examine the fundamental assumptions used in risk analysis.
The SPAR models are maintained, frequently exercised by analysts within the agency, and are used to inform regulatory decisions. According to Regulatory Guide 1.200, PRA models need to have the appropriate scope, level of detail, and technical acceptability. (1) The NRC's 1995 PRA policy statement specified that PRA evaluations supporting regulatory decisions should be as realistic as practicable. (2) Consistent with this realism principle, these previously unrecognized dependencies can be included in the SPAR models and thus captured in subsequent risk assessments. This paper will review several examples of events and/or conditions from the US commercial NPPs where these dependencies manifested themselves and demonstrate that the risk of lower intensity events (far less than a beyond design basis event) can still be significant. Further, this paper will describe potential PRA modeling improvements and provide insights that may lead to modifications to existing procedures, plant structures, systems & components such that the previously unmeasured risk might be lowered, providing a benefit to public health and safety.

2. PRA Modeling and Limitations
The SPAR models have event trees that are created to delineate possible sequences of successes or failures of systems/functions that lead to specific endstates (e.g., a safe/stable condition, or core meltdown and/or the release of radionuclides). Fault trees are used to estimate the failure probabilities of those systems/functions using information such as data on the reliability of components, common-cause failure likelihood or human error probabilities (HEPs). Using these techniques, thousands of possible core damage accident sequences are assessed for their likelihood.
Some IEs modeled in PRA models are clearly linked to mitigating systems (e.g., a loss of offsite power (LOOP) by definition removes the normal source of
electrical power to the nuclear plant). However, for many initiating events, the potential failures of mitigating systems and barrier integrity are treated independently in the PRA models.
A limitation of the current PRA models is how they address dependency. Customarily in PRA, the term dependency is usually used to describe the commonality between two or more human actions. In other words, dependency normally describes the relationship between action A and the subsequently performed action B, and factors (e.g., whether the actions were taken by the same operating crew, whether they happened close in time or whether there are cues to help the operator diagnose or take the appropriate action) are variables that affect the degree of dependency. Sometimes the term dependency is meant to convey the relationships between front-line systems and their associated support systems (e.g., emergency diesel generator (EDG) dependency on service water cooling). However, for the purposes of this paper, a non-trivial probability relating IEs and either MS or BI will be referred to as a dependency. This type of dependency is distinguished from a combined event because it is not simply two or more initiating events occurring simultaneously (e.g., strong winds and high sea water levels), but a single event that cuts through and creates additional events and losses of mitigating systems, barrier integrity, emergency preparedness, etc. Wherever possible in this paper, the effects on cornerstones will be noted (e.g., MS).
The PRA models used for US commercial NPPs possess both internal events and to some degree external events (e.g., fires, seismic, tornado/high winds, and flooding). (3,4) And while extreme external events have the capacity to create large consequences, the frequencies of those events lower the overall risk results. However, less severe events, referred to as sunny-day events in this paper, can happen with higher frequencies and may provide less time for warning and mitigative actions to be taken.
Examples, aside from those listed in Section 3 below, would include riverine flooding, not caused by dam failure or a large seismic event, that can inundate the plant and affect offsite power via the switchyard, but remains less than a beyond design basis external event (BDBEE).

3. Recent Examples
3.1. Duane Arnold derecho event
On 10 August 2020, a derecho swept through the states of Iowa and Illinois causing widespread destruction including extensive damage to the electrical grid. (A derecho is a widespread, long-lived wind storm with damage typically occurring in one direction along a relatively straight path extending for more than ~400 kilometers (250 miles), including wind gusts of at least 93 km/h (58 mph) along most of its length, and also includes several, well-separated 121 km/h (75 mph) or greater gusts.) (5) Duane Arnold Energy Center (DAEC), a General Electric boiling water reactor-4 with a Mark 1 containment located near Cedar Rapids, Iowa, experienced a reactor trip and an extended LOOP. However, though this was a severe storm, there was only 30 minutes advanced warning to the DAEC site due to the rapid nature of derecho formation. Simultaneously, the derecho, with estimated wind speeds of 129-161 km/h (80-100 mph) for more than 30 minutes and gusts up to 209 km/h (130 mph), deposited significant amounts of debris and vegetation in the Cedar River. The river serves as the ultimate heat sink for the unit and is the suction source for the service water system, which provides cooling to pumps, heat exchangers and the EDGs. This debris loaded both the service water strainers to the point that one reached 103 kPa (15 pounds per square inch (psi)) differential pressure, requiring it to be bypassed, and the other reached 76 kPa (11 psi) differential pressure and then stabilized.
This challenge to the strainers had the potential to stop cooling to both the EDGs and the other systems which maintain inventory and remove decay heat from the core in a post-accident scenario. Additional challenges to the plant were posed by the derecho in that the secondary containment was impacted and the potential, though not actual, effect on the evacuation routes. Hence this one, relatively common IE significantly impacted MS, had a minor actual impact on BI (secondary containment) and no actual, but some potential impact on EP (evacuation routes).
[Fig. 1. Diagram of derecho frequency in the United States of America; the frequency of the derecho for the state of Iowa is in the range of once/two years - once/year.]
However, it is important to note at this point that there was another layer of defense-in-depth (DID) in existence. Following the events at Fukushima Dai-ichi on 11 March 2011, the NRC issued Order EA-12-049, Order Modifying Licenses with Regard to Requirements for Mitigating Strategies for Beyond-Design Basis External Events. This order required all US commercial NPPs to develop diverse strategies for extended losses of alternating current (AC) power coincident with a loss of the ultimate heat sink. All licensees, including the owner/operator of DAEC, came into compliance with the order. These diverse and flexible strategies (commonly known as FLEX, referring collectively to the procedures, equipment, etc.) added another layer of DID that is not reliant on existing AC power sources or the normal ultimate heat sink. The FLEX equipment at DAEC could have been deployed if the event had caused the loss of both EDGs.
The responsible NRC Regional Office performed a risk assessment in an effort to direct the inspectors who were responding to the site, and in anticipation that a review under Management Directive 8.3, NRC Incident
Investigation Program would be performed. (6) The incremental conditional core damage probability (ICCDP) was calculated to be approximately 2x10^-4 to 2x10^-3, which is one of the most risk significant events in the US since the reactor vessel head degradation issue that occurred at Davis-Besse Nuclear Power Station in 2002. (7) The Accident Sequence Precursor (ASP) analysis estimated the ICCDP to be 8x10^-4. (8) The NRC evaluated the risk significance of this event for other US commercial NPPs using procedure LIC-504, Integrated Risk-Informed Decision Making Process for Emergent Issues, and is evaluating generic correspondence to the industry on risk and operational insights. (9) It is also important to note that neither the licensee's model nor the NRC's SPAR model included high winds.

3.2. St. Lucie external/internal flooding event
On 9 January 2014 an extreme localized intense precipitation (LIP) event occurred at the St. Lucie NPP, a two unit site with Combustion Engineering pressurized water reactors (PWRs) with large dry containments. The thunderstorm was not part of a hurricane and the LIP occurred with little or no warning. The rainfall amounts are listed in Table 1 below.

Table 1. Actual rainfall totals for Port St. Lucie on 9 January 2014.
Time; cumulative rainfall amount
2 hours; 13 cm (5 inches)
4 hours; 17 cm (6.5 inches)
24 hours; 19 cm (7.3 inches)

Blocked pipes in the storm drain system within the owner-controlled area caused rainwater to back up into the Unit 1 CCW pit area. The water subsequently entered non-safety-related electrical conduits in the emergency core cooling system (ECCS) pipe tunnel. Missing flood seals in conduits then allowed water estimated to be approximately 189,000 liters (50,000 gallons) to enter the reactor auxiliary building (RAB). (10) Both units remained at 100 percent power and no safety-related equipment was submerged during the event.
The water accumulated on the lower level of the RAB, approximately 0.15 meter (0.5 feet) below mean sea level, on the level immediately above the various ECCS pumps, approximately 3 meters (10 feet) below mean sea level. The upper floor is separated from the lower by means of walls, watertight doors, and isolation valves on the floor drains. These valves are designed to allow water to be admitted to the lower level such that sump pumps can then discharge it to waste hold-up tanks. During the event, the operators chose to open the drain valves in order to move the water from the upper level to the lower so it could then be pumped to the hold-up tanks. The accumulated water on the upper level had reached a depth of several inches and any increase threatened the lower portions of electrical cabinets in the area. In this scenario, both inaction and action carried some potential risk, in either causing electrical shorts or flooding the ECCS pump room if isolation valve(s) failed.
A detailed risk evaluation (DRE) was performed to assess the increase in risk due to the performance deficiency (i.e., unsealed penetrations in the RAB enclosure). During the risk assessment process, the licensee performed a mass-flow balance evaluation of the RAB in order to assess the amount of rainfall necessary to overwhelm the sump drain system and/or submerge critical components. In the most limiting case, a rainfall amount of approximately 30 cm (12 inches), versus the amount experienced of 15 cm (6 inches), would have led to a submergence of all ECCS pumps. The external LIP event became an internal flooding event (IE) and threatened all the ECCS pumps (MS), the sources of inventory addition and decay heat removal.

Table 2. Hypothetical rainfall amounts with exceedance probabilities & equipment affected; case shown with floor drain valves open during a LOOP. The amounts & recurrence intervals are based on National Oceanic Atmospheric Administration (NOAA) data. (11)
Rainfall amount of concern; exceedance probability of rainfall; equipment affected
24.5 cm (9.66 inches); 3.30E-02; one train of high pressure safety injection (HPSI) and low pressure safety injection (LPSI)
27.8 cm (10.95 inches); 1.92E-02; both trains of HPSI and LPSI
31.0 cm (12.24 inches); 1.19E-02; both trains of HPSI and LPSI and charging injection

South Florida routinely has large rainfall events (e.g., the probable maximum precipitation event = 119 cm (47 inches)) and this is reflected in the relatively large exceedance probabilities shown in Table 2. The DRE also considered the following factors: 1) various rainfall events, whether due to a LIP or a hurricane, 2) whether a reactor trip or a LOOP might occur due to the event, 3) the potential critical components and their various elevations in the RAB, 4) the HEPs for operator actions to mitigate the flood, and 5) the failure probabilities for the drain valves, especially the failure-to-close on demand. The increase in core damage frequency for the exposure time period was initially 2x10^-5/year but later was estimated at 3x10^-6/year, due in part to the crediting of the FLEX mitigating strategies. (12) Neither the licensee's model nor the NRC's SPAR model addressed external flooding, especially the ability of an external flood to become an internal one.

3.3. H.B. Robinson fire event
On 28 March 2010, H.B. Robinson Steam Electric Plant, Unit 2, a Westinghouse 3-loop PWR with a large dry containment, experienced a high energy arc fault (HEAF) and subsequent fire on an electrical bus. (As is usually the case with larger, more violent fires, it occurred with no warning.) An automatic reactor trip occurred due to a
reactor coolant pump trip which resulted from an undervoltage condition on a non-safety related 4kV bus. The licensee responded and the first fire was extinguished at 7:05 p.m. Several other concurrent electrical failures, including a unit auxiliary transformer malfunction, caused a unit lockout to occur. The event had significant complexities and dependencies and because of that the event is decomposed into discrete themes below:
* The initial fire (an IE) and subsequent electrical failures caused reactor coolant pump (RCP) B to lose power and this created a power-to-flow reactor trip (another IE). Following the reactor trip, an inadvertent safety injection (another IE) occurred due to low pressurizer pressure caused by an excessive cooldown due to valves on the secondary side being left open. The excessive cooldown could have challenged the integrity of the reactor coolant system (BI) through brittle fracture. This portion of the event was terminated when instrument bus #3 was accidentally deenergized, which then caused the main steam isolation valves to close.
* The event also impacted CCW and the centrifugal charging pumps (CCPs), both MS. Specifically, the fire and electrical failures caused a loss of instrument bus #4, which caused the combined return isolation valve from the RCPs to shut, and thereby terminated seal cooling. Due to an unrelated design issue, the CCPs failed to automatically swap from the normal suction source to the alternate. As a result, the supply tank was depleted, seal injection had decreased to less than the minimum required and was at risk of being lost completely. This condition existed for approximately 17 minutes until RCP seal cooling/injection was restored. But if that had not occurred, or had happened later, an RCP seal loss of coolant accident (a joint IE and BI impact) might have occurred.
* During the transient, power was lost to the safety related E-2 bus, requiring its associated EDG to power the bus. In an effort to restore a normal electrical alignment and transfer the bus E-2 off its emergency power supply and onto a normal source, the reactor operators reset the generator lockout and inadvertently reenergized the fault. This created another HEAF, a fire on 4kV bus #4, and electrical grounds on both trains of the 125 Volt DC system (another IE). An EP Alert declaration was made for a fire lasting greater than 15 minutes. The licensee's fire brigade responded to the second fire and extinguished it.

Table 3. Fire initiation frequencies for HEAFs. Note that the mean frequency is comparable to other relatively frequent events, e.g., loss of DC power (1x10^-3 per year) or steam generator tube rupture (1x10^-3 per year). (13)
HEAF for medium-voltage electrical cabinets; mean frequency 2.13x10^-3; 5% value 6.36x10^-5; 95% value 5.93x10^-3

The responsible NRC Regional Office performed a risk assessment in accordance with Management Directive 8.3, NRC Incident Investigation Program. The ICCDP was initially calculated to be approximately 7.2x10^-6 but was subsequently revised to 4.2x10^-5 when the proximity to RCP seal failure became understood. (14) An NRC Augmented Inspection Team followed up on the event and assessed the operator performance and compliance aspects of the event. The ASP analysis later concluded the conditional core damage probability was 4x10^-4. (15) Neither the licensee's model nor the NRC SPAR model included fire at that time, but recently many models have been updated as plants have transitioned to requirements under National Fire Protection Association (NFPA)-805 code, Performance Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants.

4. Significant Attributes of these Events
Some of the risk insights that may be gleaned from these and similar examples at US commercial NPPs include the following:
* These events demonstrate that there may be unrecognized dependencies where one initiating event can slice through what are believed to be robust layers of defense-in-depth. The affected DID may include redundant trains within a single system, like the service water impact in Section 3.1 above, or multiple systems designed with similar purposes, as in Section 3.2 above. PRA modeling changes that add coupling factors or transfers between existing event trees, e.g., LOOP and loss of service water, could address these unrecognized dependencies.
* The external events of concern are occurring at infrequent but not rare intervals. The risk of these more frequent, but less intensive events may exceed the risk from BDBEE. Guidance from the US Bureau of Reclamation (which is responsible for management of many dams, powerplants and canals in the US) indicates that sunny day failures may be higher contributors to risk than severe storms and seismic events. (16)
* The three examples that are the focus of this paper are considered sunny day events in that little or no warning was provided, including the cases of the LIP rainfall event and the derecho.
* Note also that these events were not single IEs, but rather multiple, complex events where one event cascaded to another with a synergistic effect. While the PRA models typically approach IEs individually, the actual events are demonstrating that the real world does not follow these constraints. These complexities can have an impact on diagnosis, which may: 1) further complicate event response, 2) stretch operator/licensee resources in ways that were not expected in emergency operating procedures, and 3) require operators to take actions that may increase the risk in order to respond to the event, for example:
** Admit unfiltered service water to EDGs during a LOOP event
** Open drain valves to allow water to enter spaces with ECCS components that are important to protect
** Re-energizing a bus for the purpose of restoring the electrical system to a normal line-up, yet ultimately causing another fire/explosion

5. Conclusion
The US commercial NPPs are managed by well-trained operators, designed with multiple layers of DID, engineered to have significant safety margins, and have feedback loops of corrective actions that seek not merely to fix short-term problems but prevent recurrence of more significant ones. However, the examples above show that there should not be overconfidence in the estimation of plant safety. They are accident precursors that remind us of the need to re-examine the fundamental assumptions used in risk analysis, and use the risk insights from PRA to monitor performance of our facilities, inform our activities (e.g., maintenance, inspection, etc.) and maintain DID.
These examples are not presented here to purport that they are representative of all recent external events or that they typify the risk increases due to owner/operator performance deficiencies at NPPs. These cases are meant to show that initiating events with dependencies that simultaneously affect mitigating systems, barrier integrity, etc. can cut through design basis assumptions, perceived DID, safety margins, etc. The Fukushima Dai-ichi incident was an extreme event but should not be dismissed as an isolated episode that can't happen here. These events have occurred at infrequent - but not rare - intervals and have revealed specific weaknesses in the DID of NPP facilities. As regulators and risk analysts we should pay attention to these lessons. Therefore, the reaction to these events should not be limited to isolated, plant specific changes alone, but the industry should consider responses that bolster those barriers to core damage for all NPPs for the long term.

References
1. Regulatory Guide 1.200, An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities, Revision 2, March 2009
2. US Nuclear Regulatory Commission, Use of Probabilistic Risk Assessment Methods in Nuclear Activities: Final Policy Statement, Federal Register, Vol. 60, p. 42622 (60 FR 42622), 16 August 1995
3. ASME/ANS RA-S-2008, Standard for Level 1 / Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications, Revision 2019
4. US Nuclear Regulatory Commission, NUREG/CR-5042, Evaluation of External Hazards to Nuclear Power Plants in the United States, Lawrence Livermore National Laboratory, Livermore, USA, 1998
5. Corfidi, Stephen, About Derechos, 15 May 2018, https://www.spc.noaa.gov/misc/AbtDerechos/derechofacts.htm
6. US Nuclear Regulatory Commission, Management Directive 8.3 Analysis, Duane Arnold Energy Center, 22 January 2021 - ML21022A415
7. NRC Inspection Report 05000346/2002-008, Davis-Besse Control Rod Drive Mechanism Penetration Cracking and Reactor Pressure Vessel Head Degradation Preliminary Significance Assessment, 25 February 2003
8. Final Accident Sequence Precursor Analysis, Loss of Offsite Power Caused by High Winds During Derecho, 4 March 2021 - ML21056A382
9. Duane Arnold Energy Center LIC-504 Team Recommendations, 30 March 2021 - ML21084A010
10. Licensee Event Report 50-335/2014-001, Revision 1, Internal RAB Flooding During Heavy Rain Due to Degraded Conduits Lacking Internal Flood Barriers, 12 May 2014
11. NOAA Atlas 14, Volume 9, Version 2, Precipitation Depth for Partial Duration at Hutchinson Island South, Florida, US
12. US Nuclear Regulatory Commission Inspection Report 05000335/389/2014-009, Preliminary White Finding and Apparent Violations, 24 September 2014 - ML14267A337
13. US Nuclear Regulatory Commission, NUREG-2169, Nuclear Power Plant Fire Ignition Frequency and Non-Suppression Probability Estimation Using the Updated Fire Events Database for the Fire Initiating Event Frequencies, US NRC, Office of Research, Washington, USA, January 2015
14. US Nuclear Regulatory Commission, Management Directive 8.3 Analysis, Revision 1, HB Robinson, 14 April 2010
15. Robinson Final Accident Sequence Precursor Analysis - Electrical Fault Causes Fire and Subsequent Reactor Trip with a Loss of Reactor Coolant Pump Seal Injection and Cooling, 23 September 2011 - ML112411359
16. US Department of Interior, Bureau of Reclamation, Dam Safety Risk Analysis Best Practices Training Manual, USBR, Denver, USA, 2010}}
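The following is an added worked example, written for this page and not part of the paper or of any NRC SPAR model. It illustrates the mechanism Section 2 and Section 4 describe: a small event tree evaluated once with the cornerstones treated independently and once with an added coupling factor between the initiating event and a mitigating system, here a high-wind LOOP that can also load the service water strainers cooling the EDGs (the shape of the Section 3.1 event). All frequencies and branch probabilities are constructed for illustration, the end-state rule is a deliberate simplification (core damage only when both EDGs and FLEX fail), and the BDBEE figures exist only to show how a frequent but mild event can out-contribute a rare severe one, as the second Section 4 bullet argues.

```python
"""Toy Level-1 event tree: effect of an unmodeled IE-to-MS dependency.

Added worked example; not the paper's code and not a SPAR model. Scenario is
sketched after Section 3.1: a high-wind LOOP where the same storm that causes
the LOOP can also load the service water (SW) strainers that cool the
emergency diesel generators (EDGs). Every number below is CONSTRUCTED for
illustration only.
"""
from itertools import product

# Initiating event frequencies, per reactor-year (constructed)
IE_FREQ_WIND_LOOP = 2.0e-3   # high-wind ("sunny day") LOOP
IE_FREQ_BDBEE = 1.0e-5       # rare beyond-design-basis external event
CCDP_BDBEE = 0.5             # assumed CCDP for the BDBEE (constructed)

# Branch failure probabilities for the wind-LOOP tree (constructed)
P_SW_RANDOM_FAIL = 1.0e-3        # generic SW unavailability, unrelated to the IE
P_SW_CLOG_GIVEN_WIND = 0.2       # SW lost because storm debris loads the strainers
P_EDG_FAIL_INDEP = 1.0e-2        # both EDGs unavailable while SW cooling is intact
P_EDG_FAIL_GIVEN_SW_LOSS = 0.5   # both EDGs lost once their SW cooling is gone
P_FLEX_FAIL = 0.1                # FLEX equipment not deployed in time

# Event tree headings (top events), evaluated left to right
TOP_EVENTS = ("SW", "EDG", "FLEX")


def branch_fail_prob(top_event, prior, coupled):
    """Conditional failure probability of one heading, given earlier outcomes.

    `prior` maps headings already evaluated to True (success) / False (failure).
    `coupled=True` adds the IE->SW coupling factor that Section 4 argues is
    missing. The EDG-on-SW support-system dependency is present in both
    variants, as it would be in a conventional fault tree.
    """
    if top_event == "SW":
        return P_SW_CLOG_GIVEN_WIND if coupled else P_SW_RANDOM_FAIL
    if top_event == "EDG":
        return P_EDG_FAIL_GIVEN_SW_LOSS if prior["SW"] is False else P_EDG_FAIL_INDEP
    if top_event == "FLEX":
        return P_FLEX_FAIL
    raise ValueError(f"unknown heading {top_event!r}")


def is_core_damage(outcomes):
    """Simplified end-state rule: core damage when all AC power is lost (EDGs
    fail) and the FLEX backup also fails; every other sequence is treated as
    reaching a safe/stable state."""
    return outcomes["EDG"] is False and outcomes["FLEX"] is False


def sequence_probabilities(coupled):
    """Enumerate every success/failure path through the tree and return
    {path: P(path | IE)}. The values sum to 1 (a useful sanity check)."""
    result = {}
    for path in product((True, False), repeat=len(TOP_EVENTS)):
        outcomes, prob = {}, 1.0
        for heading, success in zip(TOP_EVENTS, path):
            p_fail = branch_fail_prob(heading, outcomes, coupled)
            prob *= (1.0 - p_fail) if success else p_fail
            outcomes[heading] = success
        result[path] = prob
    return result


def ccdp(coupled):
    """Conditional core damage probability, given the wind LOOP occurred."""
    return sum(prob for path, prob in sequence_probabilities(coupled).items()
               if is_core_damage(dict(zip(TOP_EVENTS, path))))


def cdf(coupled):
    """Core damage frequency contribution of the wind LOOP, per year."""
    return IE_FREQ_WIND_LOOP * ccdp(coupled)


def underestimation_factor():
    """Factor by which the independent model undercounts this IE's risk."""
    return ccdp(True) / ccdp(False)


def sunny_day_exceeds_bdbee(coupled):
    """Does the frequent, low-intensity IE contribute more CDF than the rare BDBEE?"""
    return cdf(coupled) > IE_FREQ_BDBEE * CCDP_BDBEE


if __name__ == "__main__":
    for coupled in (False, True):
        label = "with IE->SW coupling" if coupled else "cornerstones independent"
        print(f"{label:26s} CCDP={ccdp(coupled):.3e}  CDF={cdf(coupled):.3e}/yr"
              f"  exceeds BDBEE: {sunny_day_exceeds_bdbee(coupled)}")
    print(f"risk underestimated by a factor of {underestimation_factor():.1f}")
```

With these constructed inputs the independent tree gives a CCDP of about 1.0x10^-3 and the coupled tree about 1.1x10^-2, roughly a factor of ten apart, and only the coupled version places the wind LOOP above the assumed BDBEE contribution. The point of the exercise is the structure, not the numbers: the single line that makes `P(SW fails)` conditional on the initiating event is the "coupling factor" of Section 4, and it is the kind of change that a completeness-uncertainty review of an event tree would add.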

Revision as of 19:59, 17 January 2022

Characterizing Previously Unknown Dependencies in Probabilistic Risk Assessment Models of Nuclear Power Plants - European Safety and Reliability Conference
ML21103A355
Issue date: 09/19/2021
From: John Hanna, NRC/RGN-III
To: Wayne Davis, OIS
Download: ML21103A355 (5)