Expanding Capabilities of PSA To Address Multi-Unit Sites · Deterministic bases for multi-unit...

Expanding Capabilities of PSA To Address Multi-Unit Sites

By:

Karl N. Fleming, President

KNF Consulting Services LLC

[email protected]

Presented to:

CRA’s 6th Risk Forum Warwick UK

September 16 and 17 2015

Discussion Topics

A blind spot in our safety culture Risk insights from service data Risk insights from PSAs Multi-unit PSA risk metrics Implications for operating reactors and small modular reactors

CRA 6th Risk Forum 2

Is this just 20-20 hindsight?

Importance of multi-unit accidents seems obvious now that we have experienced Fukushima Daiichi But looking back we should have known but could not see into our


Current Approach to Nuclear Safety1

Deterministic Safety Approaches General Design Criteria Conservative Design Basis Accidents Conservative Safety Margins Defense-in-depth Severe accident management Emergency planning Incorporation of lessons from service experience and accidents


Current Approach to Nuclear Safety2

Probabilistic Risk Analysis Comprehensive treatment of operating states Comprehensive treatment of internal and external hazards Use of risk metrics to determine safety significance Risk management strategies to improve safety

Complementary use of PRA and deterministic principles in risk-informed decision making


What do all these safety approaches have in common?

They all share a common

a one reactor (accident) at-a-time mindset


Why Blind Spot? Most reactor sites are multi-unit Deterministic and probabilistic safety analyses, with few exceptions, are performed on each reactor independently

Accidents postulated on each unit are analyzed with the implicit and non-conservative assumption that other reactors on the site are safe Accidents involving multiple reactors are not included in the safety analysis (deterministic or probabilistic) A single reactor accident that could propagate into a multi-unit accident is not considered Use of risk metrics such as core damage frequency that do not capture multi-unit effects


Evidence that was overlooked Population of multi-unit sites Reactor operating experience with multi-unit events and accidents Results of (the few) multi-unit PRAs Side –wide nature of external hazards Design practice on the use of shared sites, systems, and structures


World Wide Multi-Unit Sites


Selected Experience with Multi-Unit Events

Great Japan Earthquake and Tsumami (2011) Loss of offsite power Tsunami site inundation at two sites Core damage on three reactor units and major challenge to protect 3 Units and spent fuel storage

Le Blayais External Flood (1999) Degradation of safety systems at 4 reactor units

Loss of Offsite Power events (1970-2015) Many site wide and several regional events

Oconee Turbine Building Flood (1976) Near miss core damage on three units


Great Japan Earthquake Multi-Unit Insights

Tsunami inundated the Daiini and Daiichi sites and caused major damage at both sites; seismic induced loss of power at several other sites Core damage at Daiichi Units 1, 2, 3 experienced core damage; containment breach; site contamination; large releases of radioactive material; accident management resources overwhelmed Key causes of accident included flood damage to emergency switchgear in Units 1-4; lack of emergency preparedness for multi-unit loss of AC and DC power; questionable containment venting procedures, chaos in the government/utility/plant command and control; multi-unit interactions Ad hoc and heroic operator actions instrumental in protecting cores and spent fuel in Units 4,5, and 6 and preventing releases during evacuation Missed opportunities to identify and fix vulnerabilities from PRA

Ample evidence from tsunami hazard studies not heeded Internal flood PRA would have identified issue with lack of flood protection inside plant


Oconee Internal Flood 1976 Turbine building shared by three units

Units 1 and 2 operating at full power Unit 3 shutdown—manways on condenser waterbox removed to allow cleaning of waterbox

Isolation of waterbox accomplished by Shutting down of circulating water pumps and closing of pump outlet MOVs Closing manual valves at condenser inlet (six) Closing air-operated valves at condenser outlet (six)

Valves are designed to be fail-open Jackscrew inserted in operator to keep valve closed


Condenser cooling water at Oconee

Flood experience – Oconee, 1976 (cont.)

Flood initiated by Failure of static inverter, causing loss of control power to outlet AOVs Jackscrew for one AOV sheared off when valve tried to go to failed-open position; Valve opened, allowing flood at a rate of ~63,000 gpm

Flooding continued for about 32 min, until static inverter was bypassed, restoring control power and allowing AOV to reclose, operators not aware of flood until much later Flood depth reached ~17If flood depth had reached 20-21

Emergency feedwater pumps for all three units lost Auxiliaries for main feedwater flooded; loss of MFW likely Water would spill over curbs into auxiliary building; Significant probability of core damage on all 3 units


PSA Insights on Multi-Unit Risks Seabrook Level 3 Multi-unit PSA (mid 1980s)

Integrated Level 3 PSA of two unit station Seabrook had minimal use of shared systems Full scope treatment of internal and external hazards and plant operating states

PWR Level 1 PSA of Two Unit Plant with Shared Systems (late 1990 s)Integrated Level 1 PSAs of two unit stations These plants have shared systems and structures Internal events and internal floods from full power

Modular HTGR PSAs (mid 1990’s)Integrated Level 3 PRA of four reactor module plant Risk informed safety design approach

CANDU PRAs (2011-2012)


Seabrook Multi-unit PSA Performed in 1983 Contract required for integrated risk of two-unit station Units are slide along layout with minimal use of shared systemsPRA performed to address emergency planning (EP) issues

Internal and external hazards Level 3 with extensive emergency planning sensitivity studies All modes and states including operation at 100%, 40%, 25%, and LPSD Results inspired current accepted definitions of “large early release”

Second unit not completed so multi-unit PRA model was not carried forward and updated as with Unit 1 PRA


Seabrook MUPSA Level 1 Results


Major Contributors to Multi-Unit Core Damage


Comparison of Consequences for Large Early Containment Failure


Release from one reactor

Release from two reactors

Non-linear increase

Linear increase

Seabrook Multi-Unit Insights Relative frequency of core damage involving both reactors unexpectedly high (CPMA = .14); likely higher today with lower internal event CDF Cannot scale Level 3 results due to dose-thresholds for early health effects Single unit risk metrics e.g. CDF and LERF not adequate for addressing multi-unit risk Technical basis for linking CDF and LERF to site safety goals is flawed Contribution of multi-reactor events at Seabrook significant despite lack of shared support systems and structures Issue of multi-unit vs. single unit common cause failures addressed for EDGs and MOVs Seismic induced blackout and LOCAs dominated multi-reactor events Addressing multi-unit risk did not require significant advancement of the state of the art but rather state of practice of PRA


Case Study 2: Level 1 PSA of Two Unit PWRs with Shared Systems

Dual Unit Westinghouse 4-loop PWR built and Licensed in one safety analysis report Plant has two reactor units with highly shared support systems (service water and AC power) and co-located equipment in a common structure Single reactor PRA models developed for each of the 2 units with explicitly modeled dual unit dependencies Out of curiosity the PRA team decided to flag all the sequences and cut-setsinvolving dual reactor accidents (nobody ever asked for this information but key results from this were identified and presented)Level 1 PSA included internal floods but excluded internal fires and seismic Sharing of support systems evident in Level 1 PSA results

Single unit CDF (5 x 10-5/Rx-yr) benefits from increased redundancy of SSCs for each unit Conditional probability of multi-unit accident (CPMA =.67) much higher than for Seabrook CPMA approaches 1 when internal fires and seismic events are included


Single Unit and Multi-Unit Contributions to Core Damage Frequency


CPMA=.67

Lessons for Improving PSA Deterministic bases for multi-unit accidents needs to be established. More experience needed with multi-reactor PSAs Need to incorporate multi-unit accident sequence models Single reactor risk metrics such as CDF and LERF are inadequate to capture integrated risks of multi-unit sites ; site level metrics needed Current PRA treatment of accident management is limited to prevention of severe accidents on a single reactor Impact of site contamination on operator actions has not been addressed Initiating events for each reactor need to include accidents on other units Treatment of common cause failures involving components in different units needs to be addressed. Seismic correlation issue already addressed in single reactor PRAs needs to be addressed in multi-unit context; significant multi-unit seismic events do not require correlation


Actions to Advance Multi-Unit PSAs

IAEA Technical Approach to MUPSAs and external hazards PSAs (in publication) CNSC Workshop on Multi-unit PSA Nov 2014 OECD WGRisk MUPSA project U.S. NRC Level 3 Research Project ASME/ANS PRA Standards for LWR and Non-LWR PRAs Active University Research at University of Maryland and UCLA


Site Risk Metrics CPMA = conditional probability of multiple reactor accident given core damage on specific unit; intended for use with single reactor CDF metric Site CDF (SCDF) = frequency of core damage involving one or more reactor facilities on the site Multi-unit CDF (MUCDF) = frequency of core damage involving two or more reactor units concurrently Site LERF (SLERF) = frequency of a large early release from an accident involving one or more reactor facilities on the site Site Level 3 Risks = Level 3 risk metrics (e.g. CCDFs) for the integrated risks from all site facilities Individual risks to people in vicinity of site (QHOs) may now reflect the integrated risks from all the facilities on the site Change frequency basis from reactor-year to site-year


MULTI-UNIT SEISMIC PSA


Seismic Induced LOCAs at Two Unit Seabrook Site


Introduce Seismic “Common Cause” Model for Correlation


OR

Independent Seismic Failure of

Component Gk

at Intensity j

Seismic Induced Failure of

Component Gk at Intensity j

Correlated Seismic Failure of

All Group G Components at

Intensity j

(1- j)fj jfj

Definition of Alpha

= seismic correlation split fraction Defined as the fraction of seismic events that produce correlated fragilities where f is the probability that two (or more) components with correlated fragilities will fail 1- = fraction of earthquakes in which seismic components fail independently Generally increases with increasing pgaCorrelation arises from common ground motion input, shared location in building, common design features, anchorages, and failure modes


Fragility and Alpha Parameter from IAEA MUPSA Report


Impact of Seismic Correlation on Dual Unit LOCA Frequency


Impact of Seismic Correlation for a Small Modular Reactor


Seismic Multi-Unit Insights A seismic event at a multi-unit site can produce a multi-unit accident

Due to independent combinations of component failures Due to seismically correlated failures

If the earthquake intensity challenges or exceeds the seismic capacity the probability of independent combinations of component failures is high If the seismic failures cause initiating events then one must consider the potential for multiple initiating events

Multiple initiating events on a given unit Concurrent initiating events on multiple units Beware of the “one initiating event at-a-time mindset” from internal events

Methods for treatment of partial correlation are available to replace the current package of perfectly correlated-perfectly uncorrelated assumptions Influence of seismic correlation is rather complex and not as big of an impact as expected


SummaryThe risk of multi-unit accidents on multi-unit sites is significant to dominant for:

All the external hazards for all multi-unit plants Loss of offsite power/Station blackout for all multi-unit plants Other Internal events on multi-unit plants with shared systems

Single reactor PSAs on multi-unit sites yields misleading and optimistic risk insights; should be discontinued We cannot expect to manage multi-unit risks if they are left out of PRAs This is not a state of the art limitation but rather a weakness in the state of practice Site based risk metrics should be used in risk-informed decision making Deterministic safety principles such as defense-in-depth need to be revisited to address prevention and mitigation of multi-unit accidents The safety significance of shared systems and structures and application of GDC 5 needs to be rethought in the context of a multi-unit safety assessment No fundamental reason why this should only be an issue for modular reactors


Expanding Capabilities of PSA To Address Multi-Unit Sites · Deterministic bases for multi-unit...

Documents

Transcript of Expanding Capabilities of PSA To Address Multi-Unit Sites · Deterministic bases for multi-unit...