Text

Modeling of Portable Equipment in PSA:

History, Current Activities, and Challenges N. Siu U.S. Nuclear Regulatory Commission Office of Nuclear Regulatory Research WGRISK Annual Meeting Paris, France February 26-28, 2020

2 Outline

• History: past analyses and actual events

• FLEX: NRC activities

• Personal perspectives

- Analysis considerations

- Analysis technologies

3 Portable Equipment and Improvised Measures: Selected Events 1980 1990 2000 2010 2020 TMI Chernobyl 9/11 Fukushima Daiichi IPE/IPEEE SAMA Indian Point PRA Policy Statement Armenia Greifswald Blayais Turkey Point History

4 Early Perspectives and Analyses

• ACRS (1955): nuclear fire-fighters

• Indian Point 3 PSA (1983)

• IPE/IPEEE (1988-2002) plant improvements:

- Portable pumps (e.g., isolation condenser makeup)

- Portable generators (battery chargers)

- Portable fans (room cooling, smoke removal)

History

5 SAMA Analyses Identify and assess potentially cost-beneficial severe accident management alternatives*

Staff reviews: plant-specific supplements to NUREG-1437 (2002-2018)

Alternatives include portable:

- Generators (battery chargers, direct power)

- Pumps

- Air compressors

- Fans Typically bounding analyses (no operator errors) to maximize potential risk reduction (CDF, population dose, offsite economic cost)

Alternatives sometimes not considered or screened because:

- portable equipment already implemented (FLEX)

- intent covered (e.g., manual control of TDAFW)

• Broader analyses also consider environmental impact of license renewal (e.g., air quality and noise effects)

History

6 Recent NRC FLEX Activities

• Focus on key Risk-Informed Decision Making (RIDM) programs

- Significance Determination Process (SDP)

- Notices of Enforcement Discretion (NOEDs)

- License Amendment Requests (LARs)

• Staff engaged with industry

• Challenges

- Access to operational experience (OpE) data

- HRA methods for challenging actions

- Incorporating FLEX actions into NRC SPAR models (success criteria, modeling variations, )

NRC Activities

7 Recent NRC FLEX Activities: HRA (1 of 2)

• Integrated Human Event Analysis System (IDHEAS)

- Finalize general methodology (IDHEAS-G)

- Event and condition assessment tool (IDHEAS-ECA) now available: RIL-2020-02 (ML20016A481)

- Under development: IDHEAS-DATA (documentation)

• Expert elicitation

- 2018 Workshop

• 6 experts (NRC and industry)

• Formal process (SSHAC Level 2+/3-)

• 2 scenarios (FLEX-and non-FLEX designed), 5 FLEX actions

• Largest HEP: Extended Loss of AC Power (ELAP) declaration

• Important PIFs: training, scenario familiarity, FSG entry conditions NRC Activities

8 Recent NRC FLEX Activities: HRA (2 of 2)

• Expert elicitation (cont.)

- 2019 Workshop

• 6 experts (NRC and industry)

• Prioritized Industry Support

• Developed several FLEX scenarios

• 2 Site visits (PWR and BWR)

• Both FLEX and non-FLEX scenarios

• Used the IDHEAS-ECA tool

• Developed HEPs for several FLEX actions in specific scenarios NRC Activities

9 Recent NRC FLEX Activities: SPAR Models (1 of 3)

• Ongoing incorporation into Standardized Plant Analysis Risk (SPAR) models

- SPAR models

• Maintained for all U.S. operating NPPs (Level 1, at-power)

• Some models address fire, external hazards, low power and shutdown operations, Level 2

• Many staff uses; principal applications: Reactor Oversight Program (ROP) and Accident Sequence Precursor (ASP) Program

- FLEX scenarios are added when actions are proceduralized.

- FLEX added to all hazard categories where applicable.

- Most SPAR models updated with modeling variations (affecting results).

NRC Activities

10 Recent NRC FLEX Activities: SPAR Models (2 of 3)

• Results and insights to date:

- FLEX strategies and equipment can provide alternative success paths when called by plant procedures

- Effectiveness strongly affected by modeling choices:

success criteria, mission times, accident sequence termination

- Effectiveness is plant specific; depends on

• Percentage of contribution of SBO CDF w/o FLEX

• AC power recovery capabilities, AC power recovery model assumptions, and failure probabilities for FLEX equipment (running beyond the first 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />)

- Effectiveness varies according to hazard category and initiating event NRC Activities

11 Recent NRC FLEX Activities: SPAR Models (3 of 3)

• Challenges

- Operator action modeling and HEP calculations

- Failure data for portable equipment

- Success criteria

• Sequence success criteria (declaration of success)

• Equipment success criteria

- Extension to shutdown operations

- Justification and variations (by event/hazard type) for time windows currently apportioned for various FLEX strategies

- Maturity of newly created FLEX procedure steps (for MCR and for local actions)

- Potential downsides to declaration of ELAP NRC Activities

12 Recent NRC FLEX Activities: Further Reading M. Humberstone, Crediting Mitigating Strategies in Risk-Informed Decision Making, June 28, 2017. (ML17174B290)

M. Montecalvo,, Crediting Mitigating Strategies in Regulatory Applications, August 16, 2018. (ML18228A834)

J. Xing, M. Kichline, J. Hughey, and M. Humberstone, The use of expert judgment to support human reliability analysis of implementing FLEX equipment, Proceedings ANS International Meeting on Probabilistic Safety Assessment (PSA 2019), Charleston, SC, April 28-May 3, 2019. (ML19023A508)

M. Humberstone, Crediting FLEX Equipment in Risk Assessments:

Case Study, July 31, 2019. (ML19228A063)

M. Montecalvo, M. Humberstone, and J. Xing, Role of human reliability analysis in post-Fukushima risk-informed decision making, ESREL 2019 (ML19080A109).

NRC Activities

13 FLEX Analysis: Some Considerations Affected by intended purpose

- Bounding analysis of potential benefits (no human error)

- Simple risk-informed applications (conservative Game Over)

- Emergency response planning and training (realistic)

Context: situation likely to be challenging

- Failures of preferred or portable equipment

- Possibly missing/misleading indications

- Possibly unclear effectiveness

- Possibly unforeseen situation

- Possibly damaged crew confidence Potential downsides (real or perceived)

- Declaration of Extended Loss of AC Power (ELAP)

- RCS depressurization Potential changes over time

- Equipment qualification

- Crew deep knowledge

- Technology advances and potential vulnerabilities Personal Perspectives Analyst caution: beware omniscient, PRA-model informed point of view

14 More Analysis Considerations*

Scenario Dynamics

• Progressive deterioration of situation

• Multiple shocks over time

• Needed enabling actions

- Post-hazard safety surveys/inspections

- Radiation measurements

- Pre-firefighting actions (e.g.,

N2 inerting)

- Firefighting to allow access Crew Workarounds

• Bypass damaged (real or suspected) instrument lines

• Temporary cables

• Scavenged batteries

• Courier systems

• Break/bypass fire barriers

• Trial and error problem solving

• Bypass safety interlocks Personal Perspectives

• Not FLEX-specific but relevant to challenging scenario response (including FLEX)

15 Perspectives on Analysis Technology Behavioral (non-cognitive execution): well suited for task-analysis simulation Advanced modeling: see wargames, security-related simulations (discrete event, object-oriented)

Early resources:

A. Siegel, et al., Maintenance Personnel Performance Simulation (MAPPS) Model: Summary Description, NUREG/CR-3626, Vol. 1, 1984.

M.T. Lawless, K.R. Laughery, and J.J. Persensky, Using Micro Saint to Predict Performance in a Nuclear Power Plant Control Room: A Test of Validity and Feasibility, NUREG/CR-6159, 1995.

NUREG/CR-6159 Personal Perspectives

16 Summary

• Long history: successful use of portable equipment in actual events, credit in analyses

• NRC is actively engaged in efforts to appropriately credit FLEX in current risk-informed applications

• Simple analyses can be useful for some applications

• Detailed analyses (e.g., using simulation) are likely to be feasible and useful; need to account for observations from actual events

17 Acknowledgments Thanks to Matthew Humberstone, Selim Sancaktar, and Jing Xing for their input to this presentation.

18 BACKUP SLIDES

19 Very Early Vision Specific concerns

- Nuclear runaway

- Delayed energy production

- Chemical reactions Features for decay heat removal

- Standby gravity flow/natural convection emergency cooling system

- Standby emergency services (analogous to fire-fighters)

- Standby forced convection cooling (special power supply, special separate piping)

With all the inherent safeguards that can be put into a reactor, there is still no fool-proof system. Any system can be defeated by a great enough fool. The real danger occurs when a false sense of security causes a relaxation of caution.

- C.R. McCullough, M.M. Mills, and E. Teller, The Safety of Nuclear Reactors Backup

20 Example Events Before 3/11 Major External Events

- Hurricane Andrew/Turkey Point 3&4 (1992)

- Winter Storm Martin/Blayais 1&2 (1999)

Major Internal Fires

- Greifswald 1 (1975)

- Armenia 1&2 (1982)

Lesser events

- San Onofre 1 (1982): submersible pump for intake structure

- Diablo Canyon (2000): generator for switchyard battery charger Non-Nuclear Events

- Northridge Earthquake, M 6.7 (1994)

- Kobe Earthquake, M 6.9 (1995)

Loss of power and control, smoke, explosions (A);

temporary cables Onsite damage, loss of site access, offsite damage; portable fire pumps, debris removal Facility and infrastructure damage, fires, emergency service demands; portable generators, pre-planning, workarounds https://commons.wikimedia.org/wiki/File:Metsamor_nuclear_

power_plant,_cooling_towers_(Armenia,_June_2015).jpg Backup

21 FLEX HRA Elicitation (1) 2018 workshop Participants

- 3 NRC staff, 3 industry experts

- Expertise: PRA/HRA, implementation/audits of FLEX strategies, use of portable equipment, maintenance operations Process Guidance: NRC White Paper (ML16287A734)

Objectives

- Quantify HEPs for a few typical actions using FLEX

- Identify unique PSF attributes

- Assess impact of PSFs on HEPs Outcomes

- Definition of FLEX-designed and non-FLEX designed scenarios

- HEP distributions for 5 actions with justifications

- FLEX-specific PSFs with attributes

- Effect of PSFs on HEPs Backup

22 FLEX HRA Elicitation (2)

• Scenarios

- Non-FLEX designed: 1 DG OOS (maintenance), LOOP, SBO due to DG failure, nominal conditions

- FLEX-designed: SBO caused by high wind and flooding (affects access, visibility, debris location)

• Actions

- Transport, connect, operate portable generators

- Transport, connect, operate portable pumps

- Refill storage tank with alternate sources

- Declare ELAP

- Deep DC load shed Backup

23 FLEX HRA Elicitation (3)

Challenging context

- System and environment Environmental factors Information Tools and parts Ergonomics (indications and controls)

- Personnel and organization Training Procedure Teamwork factors

- Tasks Scenario familiarity Task complexity Multitasking Mental fatigue and stress Physical demands Scenario-specific in analysis Scenario-specific in analysis Scenario-specific in analysis Backup

24 IDHEAS-ECA: Overview Backup

25 IDHEAS-ECA: Process Backup

26 IDHEAS-ECA Software Tool* (1)

Backup

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374)

27 IDHEAS-ECA Software Tool* (2)

Backup

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374)

28 SACADA*

Backup

• Contact Dr. James Y. Chang (James.Chang@nrc.gov, 301-415-2374)

29 Some Challenging Fires and Recoveries Date Plant Short Description Beyond Procedures/

Training? [1]

3/22/1975 Browns Ferry 1 & 2 Multi-unit cable fire; multiple systems lost, spurious operations; non-proceduralized recovery.

Yes 12/7/1975 Greifswald 1 Electrical cable fire; station blackout (SBO), 5 hr loss of normal core cooling, loss of coolant; recovered with cross-tie with Unit 2.

Probably [2]

12/31/1978 Beloyarsk 2 Turbine lube oil fire, collapsed turbine building roof, main control room (MCR) damage, secondary fires; extinguished in 22 hours2.546296e-4 days <br />0.00611 hours <br />3.637566e-5 weeks <br />8.371e-6 months <br />; damage to multiple safety systems and instrumentation.

Probably [2, 3]

10/15/1982 Armenia 1 & 2 Electrical cable fire (multiple locations), smoke in Unit 1 MCR, secondary explosions and fire; SBO, loss of instrumentation and reactor control; recovery using temporary cable.

Yes 10/19/1989 Vandellos 1 Turbine failure, burning oil cascaded down to lower floors. Smoke in MCR. Turbine and reactor building flooded; recovery actions in darkened and smoke filled rooms.

Partially [4]

10/11/1991 Chernobyl 2 Turbine failure and fire, collapsed turbine building roof; loss of generators, loss of feedwater; makeup from seal water supply.

Yes 3/31/1993 Narora 1 Turbine failure, explosion and fire, smoke forced abandonment of shared MCR; SBO, loss of instrumentation; shutdown cooling pump energized 17 hours1.967593e-4 days <br />0.00472 hours <br />2.810847e-5 weeks <br />6.4685e-6 months <br /> later.

Yes Notes on basis:

[1] Yes indicates explicit mention in NUREG/CR-6738

[2] Extensive losses (safety systems, power, control)

[3] Per NUREG/CR-6738, reactor was saved mainly by good luck.

[4] No specific written procedures; operator action based on 15 years experience in plant operations, periodic training on auxiliary feedwater control.

Backup

30 0

2 4

6 Operators manually open SG dump valves, upper TB (breathing masks, 4 hr)

Power to U1 FW pump Power to U1 MU pump from DG U1: only primary P at local station SG SRV opened Temp power cable from U2 DG to U1 EMU pump Station Blackout Loss of MCPs, MCR lights, readouts, alarms, phones, power, normal and emergency MU Manual trip U1&2 Offsite FBs arrive Break CSR wall to access fire Fire out FB arrives, open MCR hatch to spray vault TB, Xfmr fires under control Fire controlled Fire start, spread Smoke in MCR MCR smoke unbearable H2, Xfmr explosions Armenia 1&2 1982-10-15 Time from Start (hr)

Backup

31 Equipment Qualification January 6, 2010: Diesel Fuel Oil Transfer Pump FO-37 inoperable (local area flooding)

June 24, 2010: portable back up pump found to be incorrect for application.

- Discovered by engineering evaluation.

- Subsequent test (August 30): pump diaphragm ruptured during functional test

- Pump had been in place since March 29, 1994.

Root cause: failure to perform appropriate design change evaluation (LER 285/2010-005-R01)

Backup