Development of a systematic sequence tree model for feed-and-bleed operation under a combined accident


Annals of Nuclear Energy 98 (2016) 200–210


Development of a systematic sequence tree model for feed-and-bleed operation under a combined accident

Bo Gyung Kim (a), Ho Joon Yoon (b), Hyun Gook Kang (c, corresponding author)

(a) Department of Nuclear and Quantum Engineering, Korea Advanced Institute of Science and Technology, 291 Daehak-ro, Yuseong-gu, Daejeon 305-701, Republic of Korea
(b) Department of Nuclear Engineering, Khalifa University of Science, Technology & Research, Abu Dhabi, United Arab Emirates
(c) Department of Mechanical, Aerospace, and Nuclear Engineering, Rensselaer Polytechnic Institute, Troy, NY, USA

Article info

Article history: Received 9 March 2016; received in revised form 3 August 2016; accepted 5 August 2016; available online 19 August 2016.

Keywords: Feed-and-bleed operation; Accident sequence; Combined accident; Total loss of feedwater accident; Loss of coolant accident

Abstract

Combined accidents are considered very rare events and are therefore not usually included in deterministic or probabilistic safety analyses. Yet, despite being rare, combined accidents must be examined, because their consequences can become very large if they are handled poorly for lack of information. In a combined accident, the most important safety actions are the heat removal functions, as initiating and maintaining the proper safety actions is critical to preventing core damage. In order to analyze the plant conditions that require a safety action to prevent core damage, and the success conditions of that safety action under a combined accident, sequence tree modeling is suggested. A sequence tree is a branch model that classifies the plant condition while taking plant dynamics into account. Since a sequence tree model can reflect the plant dynamics arising from the interaction of different accident timings and plant conditions, and from the relations between operator action, mitigation systems, and the indicators for operation, it can be used to develop a dynamic event tree model. To develop the sequence tree model, indicators are identified that inform about the availability of heat removal mechanisms and the plant condition. This study develops a sequence tree model of the sequences to core damage that require F&B operation under a combined accident, taken here to be a total loss of feedwater accident combined with a loss of coolant accident. The sequences of the sequence tree model can be categorized according to the timing of the second accident. With a sampling analysis, the practical accident cases are obtained. The sequence tree model can be translated into a dynamic event tree model if the initiating event frequency under a combined accident can be quantified. © 2016 Elsevier Ltd. All rights reserved.

Corresponding author: H.G. Kang, e-mail [email protected]. DOI: http://dx.doi.org/10.1016/j.anucene.2016.08.006. 0306-4549/© 2016 Elsevier Ltd. All rights reserved.

1. Introduction

The 2011 Fukushima accident in Japan revealed that even a very rare event must be considered in order to prevent radioactive release to the environment caused by poor handling based on a lack of information (Kim, 2014). A combined accident, defined as two initiating events occurring at the same or different times, is one of these very rare events and thus is not considered in current safety analyses. In a combined accident, the accident sequence is very complicated, and it is therefore not easy to identify and perform the proper actions. In order to decide the proper operator actions, it is necessary to identify the sequences to core damage when specific operations fail. With a systematic model for analyzing combined accidents, designers can understand accident sequences in detail and operators can perform the proper safety actions.

This study addresses this issue by suggesting a sequence tree model to systematically analyze accident sequences. A sequence tree is a type of branch model that categorizes the plant condition by considering plant dynamics. Using the sequence tree model, all possible scenarios requiring a specific safety action to prevent core damage can be identified, and the success conditions of the safety actions performed during a complicated situation, such as a combined accident, can also be identified. As the sequence tree model can reflect the plant dynamics that arise from the interaction of different accident timings with the plant condition, and from the interactions between operator action, mitigation systems, and the indicators for operation, the model can be used to develop a dynamic event tree model (Hsueh and Mosleh, 1996; Karanki et al., 2015; SNL, 2012).

There are various dynamic probabilistic safety assessment (PSA) models for analyzing plant dynamics and quantifying the frequencies of sequences (Siu, 1994; Swaminathan and Smidts, 1999). Siu (1994) summarized the alternative methodologies for dynamic system analysis, including extensions of the event tree/fault tree methodology as well as explicit and implicit state transition methods. Swaminathan and Smidts (1999) developed an event sequence diagram (ESD) framework to capture most of the complex dynamic phenomena. These dynamic PSA models for single events include a considerable amount of information, including time. The plant dynamics under combined accidents, however, are not as easy to understand, so a dynamic PSA model for combined accidents would have numerous factors to treat. A sequence tree model is developed here to analyze all possible core damage sequences due to the failure of target safety functions under a combined accident. The sequence tree model focuses on the change points of the plant condition, and will be useful for operators and system designers to understand the various plant conditions under a combined accident. ESDs can also be applied to analyze combined accidents, but sequence tree models make the accident dynamics easier to appreciate visually than ESDs (Swaminathan and Smidts, 1999). There is a lack of research on calculating event probabilities for combined accidents, such as the initiating event frequency and the timing distribution of the second accident. If these probabilities can be estimated, the core damage frequency of combined accidents can be calculated together with the success criteria for each sequence in the sequence tree model, following Karanki's study with sampling analysis. Karanki's approach to dynamic event tree quantification of risk avoids the need to specify a priori the sequence of stochastic events before the plant response simulation, while considering support system dependencies and the operator action timing distribution (Karanki and Dang, 2016).

The target safety action for this study is a feed-and-bleed (F&B) operation.
F&B operation directly cools down the reactor coolant system (RCS) using the primary cooling system when residual heat removal by the secondary cooling system is not available (Iannello, 1984; Kim et al., 2014). F&B operation is critical as it is the last resort for heat removal to prevent core damage. Related systems include the safety depressurization system (SDS) and the safety injection system (SIS). The SDS provides a manual means of rapidly depressurizing the RCS for the highly unlikely event of a total loss of feedwater (TLOFW). The reduced RCS pressure allows the high pressure safety injection (HPSI) flow to replenish and eventually exceed the mass flow rate out through the SDS prior to core uncovery (KHNP, 2001). It is difficult for operators to recognize the necessity of F&B operation in the case of a combined accident that includes a failure of the secondary cooling system. Operators may spend a considerable amount of time arriving at the entry of a proper emergency operating procedure (EOP) that contains F&B operation, as it is a functional recovery procedure much less familiar than optimal recovery procedures. Previous studies have focused on accidents involving a TLOFW accident to demonstrate the use of F&B operation (Kwon et al., 1995; Kwon and Song, 1996; Pochard et al., 2002; Reventós et al., 2007; Sherry et al., 2013). However, little research has focused on combined accidents requiring F&B operation. In one such study, Kim et al. (2014) indicated that plant conditions requiring F&B operation should not be limited to single events such as a TLOFW accident but also include combined accidents. The plant conditions necessitating F&B operation can be categorized as transients with loss of feedwater and a loss of coolant accident (LOCA), and transients with loss of feedwater. 
Although transients with loss of feedwater and LOCA are very rare, the resulting highly complicated plant condition makes it difficult for operators to identify the necessity of F&B operation. Yet not every plant condition characterized by transients with loss of feedwater and LOCA requires F&B operation; if sufficient coolant is injected by the SIS, F&B operation is not necessary. However, if the break size is too small to sufficiently decrease RCS pressure, the SIS cannot inject coolant and the operator should initiate F&B operation. Thus, a sequence tree model for F&B operation under a combined accident can be developed.

This paper is organized as follows. Section 2 identifies the indicators that reveal the availability of heat removal mechanisms and the plant condition. Section 3 explains the development process for a sequence tree model considering a TLOFW accident and a TLOFW accident with LOCA. Section 4 gives a sampling analysis using the MARS code and MOSAIQUE to identify realistic cases, with discussion and conclusions found in Section 5.

2. Indicators related to heat removal mechanisms and plant condition

Available and sufficient heat removal mechanisms are the most important factors in cooling down the RCS, as insufficient heat removal inevitably leads to core damage (Corcoran et al., 1981). Although combined accident scenarios are complicated, from the viewpoint of heat removal the sequences to core damage without safety action can be readily identified. Therefore, it is necessary to identify the indicators that reveal the availability of the heat removal mechanisms, as well as the plant conditions that are affected by the heat source and the heat removal mechanisms. According to accident type and safety function availability, the available heat removal mechanisms can be determined as shown in Table 1. All success sequences are cooled down by one or more heat removal mechanisms: secondary side (SS), F&B transient, F&B operation, SS and F&B transient, or F&B transient and F&B operation. Fig. 1 shows all possible sequences from the viewpoint of heat removal mechanism availability; sequences to core damage are shown in red. Because available and sufficient heat removal mechanisms strongly affect core damage, indicators (sequence change points) that identify the availability of the heat removal mechanisms should be included in accident sequences. A flow chart is developed to identify the available heat removal mechanisms according to accident sequence (Figs. 2a and 2b); it categorizes all possible scenarios in terms of heat removal mechanism availability. The flow chart is developed based on EOP and PSA models (KHNP, 2001).

Table 1. Types of heat removal mechanism in pressurized water reactors.

Heat removal mechanism | Necessary safety functions / plant condition | Indicator
Indirect cooling by secondary side | Available secondary side system; natural or forced circulation in primary side | Steam generator (SG) level
Direct cooling at primary side: break and SIS (F&B transient) | Available SIS; RCS pressure | Safety injection actuation signal (SIAS), availability of SIS; pressurizer (PZR) pressure
Direct cooling at primary side: SDS and SIS (F&B operation) | Available SIS and SDS; initiation by operators; RCS pressure; RCS inventory | Availability of SIS and SDS; entry conditions of F&B operation; PZR pressure

Fig. 1. Scenarios of core damage/cooldown according to safety systems for heat removal.

Indicators are necessary to identify the plant condition at each step of the flow chart. For the identification of continuous indirect cooling, steam generator (SG) level and feedwater flow rate are used. Break timing and break size are used to identify LOCA occurrence. Failure of the F&B transient caused by failure of the high pressure safety injection system (HPSIS) and the low pressure safety injection system (LPSIS) is identified through the availability of the HPSIS and LPSIS. To check the termination of the F&B transient due to high pressure, RCS pressure should be confirmed. To identify the initiation of aggressive cooldown and F&B operation, the atmospheric dump valve (ADV) opening timing, the cue for aggressive cooldown and F&B operation, and the SDS opening timing are used (Han et al., 2007). In addition, the plant conditions affected by heat sources and heat removal mechanisms need to be considered as change points in accident sequences, as shown in Table 2. To identify core damage, the related plant conditions and indicators are also considered as change points in accident sequences, as shown in Table 3 (Karanki et al., 2012; Kim et al., 2016).

As mentioned in Section 1, the sequence tree is a branch model that divides plant conditions while considering plant dynamics. The branch points (condition change points) are accident timing, the operation timing of the related mitigation systems for heat removal, and the indicators for operator action and for identifying the plant condition. In the sequence trees shown in Figs. 4 and 8, the branch points are safety system starting, termination, and failure timing, represented by green, dark blue, and red circles, respectively. Signals for the safety systems and process parameters used to identify the plant condition appear in the model as inverted triangles. Usually, indicators that identify the plant condition are not used as branch points in PSA models; in the sequence tree, however, indicators are important for understanding the plant condition when a second accident occurs. Triangles represent the cue for the target operation by operators. The reference combined accident in this study is a TLOFW accident followed by LOCA. To identify the accident sequence after the first accident occurs, a sequence tree model for a TLOFW accident is developed first.

3. Development of the sequence tree model

3.1. Sequence tree model for a TLOFW accident

In the present study, sequence tree modeling is adopted to identify the theoretically possible sequences to core damage when the target operation fails, and a sampling analysis with the sequence tree model is used to identify the practical sequences to core damage when the target operation fails. Fig. 3 shows the accident sequence analysis method for a combined accident. In step 2, the designer checks the heat source and the available heat removal mechanisms after the first accident occurs. In step 3, the designer identifies the plant condition using indicators in order to categorize the occurrence timing of the second accident. In step 4, the designer checks the plant condition when the second accident occurs and the available change points after the second accident. In step 5, the designer identifies the theoretically possible sequences using the sequence tree model. In step 6, the designer determines the practical sequences using the sampling analysis and reflects the results in the sequence tree model.

Fig. 3. Process of accident sequence analysis for a combined accident.

Based on the conventional PSA model for single events, a sequence tree model can be easily developed as shown in Fig. 4. Branch points correspond to the headings of the event tree. A representative TLOFW accident sequence from the PSA model (Sequence #26) is a combination of auxiliary feedwater system failure and the failure of the SDS valves to open, due to operator error or SDS malfunction, following a loss of main feedwater accident. Based on Sequence #26 in the PSA model, a sampling analysis is performed using the MARS code and the MOSAIQUE program (KAERI, 2006, 2011; Chang et al., 2013). MOSAIQUE supports uncertainty analysis in thermal-hydraulic analyses. Its key functions are: to assign distributions to variables in a computer code input; to create samples for the variables based on Latin hypercube sampling or traditional random sampling; to generate the computer code input files from the samples; and to run the computer codes automatically.

Fig. 2a. Flow chart to identify causes of core damage or cool down in respect to heat removal mechanisms (indirect cooling by secondary side is continuously available).

The reference plant model is an OPR1000. The plant conditions are the same as in the previous study except for the reactor trip timing and the reactor coolant pump (RCP) trip timing (Kim et al., 2014). The reactor (Rx) is tripped by the reactor protection system (RPS) signal. The variable for the sampling analysis is RCP trip timing, because the RCPs are tripped by operators and their continued operation adds significant energy to the primary system. In the conventional PSA model, RCP trip timing is fixed at the moment the subcooling margin falls below 15 °C, although in a real situation the timing varies. According to the EOP, operators may trip the RCPs when the subcooling margin is less than 15 °C by following step 4 of EOP-05 "Loss of All Feedwater" or step 3 of the F&B operation procedure in functional recovery. Therefore, in this study, the RCP trip timings are sampled from a uniform distribution, using the Latin hypercube sampling method in MOSAIQUE, with a lower bound of 600 s, which is the time needed to finish the diagnosis action procedure (Jung et al., 2007), and an upper bound at the depletion timing of RCS flow. A sampling analysis with the sequence tree model can obtain the same results as a dynamic event tree model if the probabilities in the model, e.g. the initiating event frequency, can be estimated.

In the previous study, the available time for diagnosis was found to be calculated much more conservatively in the conventional PSA model, where the available time to initiate F&B operation is taken from the cue (auxiliary feedwater actuation signal) to pressurizer safety valve (PSV) opening. However, the thermal-hydraulic analysis in the previous study shows that there is sufficient time between PSV opening and core damage. Therefore, the diagnosis time for the operator to initiate F&B operation is taken as the time from the cue to the Severe Accident Management Guideline (SAMG) entry condition. The core damage frequency (CDF) caused by Sequence #26 in the static conventional PSA model is 1.524e-7. The human error probabilities (HEP) of the cases are calculated with the K-HRA model. The HEP is the sum of the diagnosis error probability and the execution error probability. The diagnosis error probability is the basic HEP of a diagnosis error multiplied by the weighting factors of the performance shaping factors (PSFs), namely primary task, man-machine interface (alarm), decision burden, procedure, and education/training. The execution error probability is the basic HEP of an execution error multiplied by the recovery HEP of an execution error. The framework of the K-HRA method is shown in Fig. 5 (KAERI, 2005; Lee et al., 2013). The weighting factors of the PSFs are the same as in the previous study (Kim et al., 2016).

Fig. 2b. Flow chart to identify causes of core damage or cool down in respect to heat removal mechanisms (indirect cooling by secondary side is temporarily available or unavailable).

From the sampling analysis, the available time for diagnosis ranges from 51.5 to 54.5 min, giving a diagnosis error probability between 9.52e-5 and 1.13e-4 and an execution error probability of 2.0e-3. The HEP of F&B operation during a TLOFW accident therefore changes from 1.43e-1 to between 2.10e-3 and 2.11e-3. Since the 100 cases of the sampling analysis are drawn from a uniform distribution, the probability of each RCP trip timing case is taken as 0.01. The other mitigation system failure probabilities are the same as in the conventional PSA model. Based on these results, the branch probabilities of the individual cases range from 3.044e-11 to 3.074e-11. The CDF caused by Sequence #26 in the sequence tree model with sampling analysis is the sum of all branch probabilities, 3.049e-9. This value is only 2% of that of the static conventional PSA model.

3.2. Sequence tree model for a TLOFW accident with LOCA

Important factors in a combined accident include the different accident timings and the relationships between the accidents, safety functions, and operator action. The sequence tree model systematically categorizes the plant condition based on plant dynamics, and the branches can be classified according to the order of the branch points. As mentioned in the previous section, the branch points are the accident timing and the timing of the indicators that reveal the operation timing of the mitigation systems for heat removal, the cues for the operator, or the plant condition. From these, the theoretically possible sequences in the sequence tree model can be identified. In this study, the target combined accident is an initial TLOFW accident followed by LOCA. Previous studies show that the plant conditions requiring F&B operation to cool down the reactor are very complicated in this particular combined accident; a considerable number of parameters must be checked. Based on the branch of Sequence #26, the second accident timing can be categorized according to the plant condition as shown in Fig. 6. The first sequence group is maximum heat release to the primary side after a TLOFW accident occurs. The second sequence group is SG inventory decrease and decay heat release. The third sequence group is SS heat removal depletion and RCS pressure increase. The fourth sequence group is RCS pressure between the PSV opening and closing set points. The fifth sequence group is core uncovery under very high pressure.

Table 2. Plant conditions related to heat sources and heat removal mechanisms.

Plant condition | State | Meaning | Indicator (change point)
Power (core) | Full | Max. heat is released | Rx trip signal (trip timing)
Power (core) | Decay heat | After the reactor trips, the decay heat is released | Rx trip signal (trip timing)
Power (RCP) | Full operation | RCS in forced circulation and additional heat is released | Status of RCPs (termination timing)
Power (RCP) | Trip | | Status of RCPs (termination timing)
SG inventory | Remaining | Indirect cooling is available | SG level (dry-out timing)
SG inventory | Dry-out | Indirect cooling is unavailable | SG level (dry-out timing)
RCS pressure | Very high | SIS is not able to inject coolant and PSVs need to be opened | PZR pressure, status of PSVs (opening timing)
RCS pressure | High | SIS is not able to inject coolant | PZR pressure
RCS pressure | Injectable | SIS is able to inject coolant | PZR pressure, SIAS (SIS actuation timing)

Table 3. Plant conditions related to the identification of core damage (PCT: peak cladding temperature; CET: core exit temperature).

Plant condition | State | Meaning | Indicator (change point)
Core inventory | Cover | Core is safe | Core level (core uncovery timing)
Core inventory | Uncover | Core will be damaged | Core level (core uncovery timing)
RCS temperature | Decreasing | Plant becomes safe | PCT/CET (increasing/decreasing timing)
RCS temperature | Stable | Plant is unsafe | PCT/CET (increasing/decreasing timing)
RCS temperature | Increasing | Core will be damaged | PCT/CET (increasing/decreasing timing)
RCS temperature | CET is 650 °C | SAMG entry condition is reached | CET (SAMG entry timing)
RCS temperature | PCT is 1200 °C | Core is damaged | PCT (core damage timing)

After LOCA occurs, the sequences (including the amount of heat removed by the F&B transient) are strongly affected by the RCS condition at break timing, the break size, and SIS availability. Using the flow chart in Fig. 1 and Tables 1 and 2, the indicators can be selected. Fig. 7 shows a section of Fig. 2 with the corresponding indicators. The orange arrow in Fig. 7 marks one of the sequences to core damage when F&B operation fails under a TLOFW accident with LOCA. The indicators on the paths leading to core damage are the branch points of the sequence tree, and they are related to the plant condition as affected by the heat source, the heat removal mechanisms, and core damage.

After LOCA occurs, the plant conditions requiring F&B operation fall into four cases. In the first case, RCS pressure does not decrease below the high pressure safety injection pump (HPSIP) shutoff head before core damage, so the SIS cannot inject coolant after LOCA occurs; in this condition the PSVs may or may not open, depending on RCS pressure. In the second case, the SIS can temporarily inject coolant before core damage, and the PSVs open after the SIS stops coolant injection. In the third case, the SIS can temporarily inject coolant before core damage, but the PSVs do not open after the SIS stops coolant injection. If the residual heat removed by the SIS and the secondary cooling system is insufficient, RCS pressure increases and the F&B transient is terminated; therefore, the timing of SI termination is treated as a branch point in the second and third cases. In the fourth case, the SIS can inject coolant continuously until core damage, but because the heat removal by the F&B transient is insufficient, the core is damaged.

The starting point of all sequences to core damage is TLOFW occurrence, and the end point of all sequences to core damage is the core damage timing.

The first sequence group (Sequence 1) includes the sequences in which LOCA occurs after a TLOFW accident and before reactor trip.
Sequence 1-1: no safety injection until core damage due to high RCS pressure. Indicators: Rx trip, SG dryout, PSV opening, core uncovery.
Sequence 1-2: the SIS can temporarily inject coolant and the PSVs open after the SIS stops injection. Indicators: Rx trip, SG dryout, SI start, SI stop, PSV opening, core uncovery.
Sequence 1-3: the SIS can temporarily inject coolant and the PSVs do not open after the SIS stops injection. Indicators: Rx trip, SG dryout, SI start, SI stop, core uncovery.
Sequence 1-4: the SIS can inject coolant continuously. Indicators: Rx trip, SG dryout, SI start, core uncovery.

The second group (Sequence 2) includes the sequences in which LOCA occurs after Rx trip and before SG dryout. The four plant conditions of Sequence 2 after LOCA occurs are the same as the four in Sequence 1, with indicators as follows.
Sequence 2-1: SG dryout, PSV opening, core uncovery.
Sequence 2-2: SG dryout, SI start, SI stop, PSV opening, core uncovery.
Sequence 2-3: SG dryout, SI start, SI stop, core uncovery.
Sequence 2-4: SG dryout, SI start, core uncovery.

The third group (Sequence 3) includes the sequences in which LOCA occurs after SG dryout and before the PSVs first open. The four plant conditions of Sequence 3 after LOCA occurs are again the same as in Sequences 1 and 2, with indicators as follows.
Sequence 3-1: PSV opening, core uncovery.
Sequence 3-2: SI start, SI stop, PSV opening, core uncovery.
Sequence 3-3: SI start, SI stop, core uncovery.
Sequence 3-4: SI start, core uncovery.

Fig. 4. Sequence tree model of a TLOFW accident.

Fig. 5. Framework of the human reliability analysis (HRA) method (Lee et al., 2013).

The fourth group (Sequence 4) includes the sequences in which LOCA occurs after the PSVs first open and before core uncovery. The plant conditions after LOCA occurs can be divided into three types.
Sequence 4-1: no safety injection until core damage due to high RCS pressure. Indicator: core uncovery.
Sequence 4-2: the SIS can temporarily inject coolant. Indicators: SI start, SI stop, core uncovery.
Sequence 4-3: the SIS can inject coolant continuously. Indicators: SI start, core uncovery.

The fifth group (Sequence 5) includes the sequences in which LOCA occurs after core uncovery and before core damage. The three plant conditions of Sequence 5 after LOCA occurs are the same as in Sequence 4. Sequence 5-1 has no further indicators; the indicators in Sequence 5-2 are SI start and SI stop, and the indicator in Sequence 5-3 is SI start.

After the indicators of all sub-sequence groups have been identified, the indicators are permuted to obtain all candidate sequences, yielding 1115 permutation groups. The impossible sequences are then eliminated by the following rules. The termination of safety injection must follow its initiation. The PSVs cannot open after the occurrence of LOCA before the beginning of safety injection or during safety injection. In Sequence group 1, the reactor trip precedes all other indicators. In Sequence groups 1 and 2, the steam generators dry out before the termination of safety injection, since RCS pressure increases after the loss of heat removal by the secondary side. In the end, there are 95 sequences in the sequence tree model. Fig. 8 shows Sequence group 3, in which all sequences result in core damage due to the failure of F&B operation.

Fig. 6. Categorization of second accident timing.
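The permute-then-eliminate step described above, as an added example that is not code from the paper: every sub-sequence's indicator list (taken from the text for Sequences 1-1 to 5-3) is expanded into all orderings, and each ordering is kept only if it satisfies the elimination rules. The rule set below is one reading of the four rules stated in the text; in particular the PSV rule is interpreted as "when safety injection occurs in a sequence, PSV opening must come after SI stop". Because the paper's full rule set and indicator definitions are not reproduced on the page, the counts this code produces (1091 candidate orderings, 80 surviving) differ from the paper's 1115 and 95; the procedure, not the numbers, is the point.

```python
"""Permute indicators per sub-sequence group and eliminate impossible orderings.

Added example following the procedure of Section 3.2; not the paper's code.
The rule set is one interpretation of the text and is labelled as such.
"""
from itertools import permutations

RX, SG, SI_START, SI_STOP, PSV, CU = (
    "Rx trip", "SG dryout", "SI start", "SI stop", "PSV opening", "core uncovery")

# Indicator lists as given in the text for each sub-sequence
# (second-accident timing group 1..5, plant condition after LOCA 1..4).
GROUPS = {
    "1-1": [RX, SG, PSV, CU],
    "1-2": [RX, SG, SI_START, SI_STOP, PSV, CU],
    "1-3": [RX, SG, SI_START, SI_STOP, CU],
    "1-4": [RX, SG, SI_START, CU],
    "2-1": [SG, PSV, CU],
    "2-2": [SG, SI_START, SI_STOP, PSV, CU],
    "2-3": [SG, SI_START, SI_STOP, CU],
    "2-4": [SG, SI_START, CU],
    "3-1": [PSV, CU],
    "3-2": [SI_START, SI_STOP, PSV, CU],
    "3-3": [SI_START, SI_STOP, CU],
    "3-4": [SI_START, CU],
    "4-1": [CU],
    "4-2": [SI_START, SI_STOP, CU],
    "4-3": [SI_START, CU],
    "5-1": [],
    "5-2": [SI_START, SI_STOP],
    "5-3": [SI_START],
}


def precedes(seq, a, b):
    """True if indicator a occurs before b; vacuously True if either is absent."""
    return a not in seq or b not in seq or seq.index(a) < seq.index(b)


def is_possible(group, seq):
    """Apply the elimination rules of Section 3.2 (interpretation, see lead-in)."""
    ok = precedes(seq, SI_START, SI_STOP)          # SI stop follows SI start
    ok = ok and precedes(seq, SI_STOP, PSV)        # PSVs open only after SI has stopped (assumed reading)
    if group.startswith("1"):
        ok = ok and (not seq or seq[0] == RX)      # in group 1 the reactor trip comes first
    if group[0] in "12":
        ok = ok and precedes(seq, SG, SI_STOP)     # in groups 1 and 2 SG dryout precedes SI stop
    return ok


def enumerate_sequences(groups=GROUPS):
    """Map sub-sequence id -> (number of raw orderings, list of surviving orderings)."""
    result = {}
    for gid, indicators in groups.items():
        candidates = list(permutations(indicators))
        result[gid] = (len(candidates), [c for c in candidates if is_possible(gid, c)])
    return result


def totals(result):
    """(raw permutation count, surviving sequence count) over all groups."""
    raw = sum(n for n, _ in result.values())
    kept = sum(len(k) for _, k in result.values())
    return raw, kept


def render(result):
    """One line per surviving ordering, in the 'Sequence g-c: a -> b' style of Section 3.2."""
    lines = []
    for gid, (_, kept) in result.items():
        for seq in kept:
            lines.append(f"Sequence {gid}: " + (" -> ".join(seq) if seq else "(no further indicators)"))
    return lines


if __name__ == "__main__":
    res = enumerate_sequences()
    print("raw permutations, surviving sequences:", totals(res))
    print("\n".join(render(res)))
```

Changing one rule (for example, dropping the assumed PSV-after-SI-stop reading) changes only `is_possible`, which is where a reviewer would look to see which physical argument removed each ordering.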

4. Sampling analysis

The practical cases leading to core damage due to the failure of F&B operation are identified with a sampling analysis. From these results, plant designers or regulators can focus on the sequences of a combined accident that can actually occur. The variables for the sampling analysis are chosen by considering the relationships between the accidents, the mitigation functions, and the plant condition. As mentioned in the previous sections, a TLOFW accident scenario is simpler than a TLOFW accident with LOCA. In the single accident case, the reactor trips after the loss of feedwater. The steam generators dry out following auxiliary feedwater system (AFWS) failure, with the SG dryout timing depending on the timing of AFWS failure. As SS heat removal is terminated, RCS pressure increases and, when it reaches the PSV set point, the PSVs open. Since no heat removal system is available until operators initiate F&B operation, RCS pressure stays between the PSV opening and closing set points. The coolant becomes saturated and then superheated. Subsequently the core is uncovered, and the peak cladding temperature (PCT) rises abruptly because of the heat generated by fuel cladding oxidation. Finally, the core is damaged. When a TLOFW accident is combined with LOCA, the relationships change. After the TLOFW accident occurs, the reactor trips and the AFWS fails. Pressure drops whenever a break occurs, according to the break size and timing; after the break, if pressure is low and the amount of SI is sufficient, the plant can be shut down safely. If pressure remains high, operators need to open the SDS valves. Ultimately, the success of F&B operation is determined by whether the core is damaged or not. The core damage sequences related to the failure of F&B operation under a TLOFW accident with LOCA are strongly affected by break size, break timing, and SIS availability, which are therefore selected as variables. In

addition, RCP trip timing is selected as a variable since the continued operation of the RCPs adds significant energy to the primary system. MARS code is used in the sampling analysis with an OPR1000 as the example plant model. MOSAIQUE is employed to generate inputs for 50 sampling cases with the Latin hypercube sampling method. Break size, RCP trip timing, and break timing are assumed to have uniform distribution, as there is a lack of sufficient studies that calculate the distributions of break size, RCP trip timing, and break timing for a combined accident. If a realistic distribution for the variables can be obtained, much more realistic accident sequences can be described and the unrealistic sequences in the sequence tree model can be ignored. The range of break timing is 0–4270 s. As a combined accident is defined as two initiating events occurring at the same or different times, the lower bound of break timing is 0 s. The upper bound is assumed as 4270 s as that is the core damage timing in a TLOFW accident. The range of break size is 0–3.5 in. The lower bound of break size is 0 in to cover very small-break LOCA. If a 3.5 in break occurs right before core damage and the SIS is available, F&B operation is not necessary. Thus, the upper bound of break size distribution is 3.5 in. The trip timings of the RCPs are sampled from 600 s as the lower bound of sampling, which is the timing to finish a diagnosis action procedure (Jung et al., 2007) before the depletion timing of RCS flow, as similar to the sampling analysis of a TLOFW accident. To identify the transitions of the sequences according to SIS availability, three conditions of SI flow rate according to SIS availability have the same 50 sampling cases: two HPSIPs and all valves in four lines are available, one HPSIP and all valves in four lines are available, and one HPSIP and all valves in two of the four lines are available. Eleven sequences are observed from the sampling analysis. 
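As an added illustration of the sampling design described above (not the authors' MOSAIQUE/MARS inputs), the following Python builds the 50 Latin hypercube cases over break timing, break size and RCP trip timing with the paper's uniform ranges, crosses them with the three SIS availability conditions, and checks the stratification property that distinguishes Latin hypercube sampling from plain random sampling. The RCP trip upper bound of 4270 s and the condition labels are assumptions, since the page gives only the 600 s lower bound and no flow-rate values.

```python
import random

N_CASES = 50  # number of sampling cases in the paper's analysis

# Uniform ranges from the paper (break timing, break size); the RCP trip
# upper bound of 4270 s (core damage timing) is an assumption, as only the
# 600 s lower bound is given on the page.
VARIABLES = {
    "break_timing_s": (0.0, 4270.0),
    "break_size_in": (0.0, 3.5),
    "rcp_trip_timing_s": (600.0, 4270.0),
}

# The three SIS availability conditions applied to the same 50 cases.
# Labels are constructed here; the page gives no flow-rate values.
SIS_CONDITIONS = ["2HPSIP_4lines", "1HPSIP_4lines", "1HPSIP_2lines"]


def latin_hypercube(n, ranges, seed=0):
    """Return n cases; every variable hits each of its n equal strata once."""
    rng = random.Random(seed)
    columns = {}
    for name, (lo, hi) in ranges.items():
        # one uniform point per stratum, then an independent shuffle per variable
        points = [(k + rng.random()) / n for k in range(n)]
        rng.shuffle(points)
        columns[name] = [lo + u * (hi - lo) for u in points]
    return [{name: columns[name][i] for name in ranges} for i in range(n)]


def is_latin(cases, ranges):
    """True if each of the n strata of every variable is used exactly once."""
    n = len(cases)
    for name, (lo, hi) in ranges.items():
        strata = sorted(int((c[name] - lo) / (hi - lo) * n) for c in cases)
        if strata != list(range(n)):
            return False
    return True


def build_cases(seed=0):
    """Cross the LHS cases with the SIS conditions: 3 x 50 = 150 input sets."""
    base = latin_hypercube(N_CASES, VARIABLES, seed)
    return [dict(case, sis=sis) for sis in SIS_CONDITIONS for case in base]


if __name__ == "__main__":
    runs = build_cases()
    print(len(runs), "input sets; LHS property holds:",
          is_latin(runs[:N_CASES], VARIABLES))
```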
Three of the eleven sequences are seen when safety injection is not possible due to high RCS pressure, and F&B operation fails due to SDS valve opening failure. In the remaining eight sequences, safety injection is possible but F&B operation fails due to SDS valve opening failure according to SIS availability. The HEP of F&B operation under a TLOFW accident with LOCA is 7.01e−5 to 8.14e−3 based on the K-HRA model (KAERI, 2005). From the sampling analysis, the available time for diagnosis is from 35.1 to 73.0 min. The diagnosis error probability is 5.33e−5 to 4.29e−4, and the execution error probability is 2.0e−3 or 8.0e−3. Among the sampling cases, if one SDS valve is available and the operator succeeds in initiating F&B operation by the last entry condition timing based on the EOP (650 °C as SAMG entry condition), the RCS is successfully cooled down without core damage (Park et al., 2011). The SAMG entry condition is therefore still reasonable as the last entry condition timing of F&B operation under a TLOFW accident with LOCA. If the results of the sampling analysis are reflected in the sequence tree model and the initiating event frequency of a combined accident, the CDF caused by failure of F&B operation under a TLOFW accident with LOCA can be estimated.

B.G. Kim et al. / Annals of Nuclear Energy 98 (2016) 200–210

Fig. 7. Selection of the indicators for core damage sequence using the flow chart.

5. Discussion and conclusions

Sequence tree modeling was suggested to identify the plant conditions which require systematic safety actions to prevent core damage under a combined accident. Using the sequence tree model, all possible scenarios necessitating a specific safety action to prevent core damage can be identified, and the safety action success conditions in a complicated situation such as a combined accident can also be identified. From the viewpoint of heat removal, the sequences of a combined accident can be analyzed more simply as there are only five types of combinations of heat removal mechanisms to cool down the reactor; if the amount of heat removal is insufficient, the core will be damaged. Accident sequences under a combined accident were analyzed considering the relationship between the available heat removal mechanisms and plant condition. Indicators were used to recognize the availability of the heat removal mechanisms and the plant condition with flow charts. The theoretically possible accident sequences under a combined accident were identified and systematically categorized using the sequence tree model. In this study, a TLOFW accident and a TLOFW accident with LOCA were the target accidents.

Fig. 8. Sequence 3 of the sequence tree model for sequences to core damage due to failure of F&B operation under a TLOFW accident with LOCA. (For interpretation of the references to color in this figure legend, the reader is referred to the web version of this article.)

Based on the conventional PSA model and indicators, a sequence tree model for a TLOFW accident was developed. Based on the results of a sampling analysis and data from the conventional PSA model, the CDF caused by Sequence #26 can be realistically estimated. For a TLOFW accident with LOCA, second accident timings were categorized according to plant condition. Indicators were selected as branch points using the flow chart and tables, and a corresponding sequence tree model was developed. There are 95 types of sequences to core damage caused by the failure of F&B operation in the sequence tree model. Based on the sampling analysis, practical accident cases were obtained. Eleven types of practical accident sequences were observed. The distribution for the sampling analysis was assumed as uniform due to a lack of information. If a realistic distribution for the variables can be obtained, much more realistic accident sequences can be described. Moreover, if the initiating event frequency under a combined accident can be quantified, the sequence tree model can translate into a dynamic event tree model based on the sampling analysis results. Among the sampling cases, if one SDS valve is available and the operator succeeds in initiating F&B operation by the last entry condition timing based on the EOP (SAMG entry condition), the RCS was successfully cooled down without core damage. However, in a real situation there are several uncertainties that could lead to core damage even if F&B operation is initiated at the SAMG entry condition. It will be necessary to estimate the safety margin in further studies in consideration of the uncertainties and the availability of the F&B components. In particular, if the availability of standby safety equipment can be monitored (Shin et al., 2015), then the safety margin can be estimated according to component availability.

Acknowledgements

This research was supported by the KUSTAR-KAIST Institute, Korea, under the R&D program supervised by KAIST.

References

Chang, S.H. et al., 2013. Design of integrated passive safety system (IPSS) for ultimate passive safety of nuclear power plants. Nucl. Eng. Des. 260, 104–120.
Corcoran et al., 1981. The critical safety functions and plant operation. Nucl. Technol. 55, 690–712.
Hsueh, K.-S., Mosleh, A., 1996. The development and application of the accident dynamic simulator for dynamic probabilistic risk assessment of nuclear power plants. Reliab. Eng. Syst. Saf. 52, 297–314.
Han, S.J. et al., 2007. An estimation of an operator's action time by using the MARS code in a small break LOCA without a HPSI for a PWR. Nucl. Eng. Des. 237, 749–760.
Iannello, V., 1984. Feed and Bleed in Pressurized Water Reactors Analyzed under Uncertainty. Massachusetts Institute of Technology.
KAERI, 2005. Development of a Standard Method of Human Reliability Analysis (HRA) of Nuclear Power Plant. Korea Atomic Energy Research Institute, KAERI/TR-2961/2005, Daejeon, Korea.
KAERI, 2006. MARS Code Manual Volume II: Input Requirements. Korea Atomic Energy Research Institute, KAERI/TR-2811/2004, Daejeon, Korea.
KAERI, 2011. MOSAIQUE Users Guide. KAERI-ISA-MEMO-MOSAIQUE-01.
Karanki, D.R. et al., 2012. The Impact of Dynamics on the MLOCA Accident Model – An Application of Dynamic Event Trees. PSAM11/ESREL2012, Helsinki, Finland.
Karanki, D.R. et al., 2015. A dynamic event tree informed approach to probabilistic accident sequence modeling: dynamics and variabilities in medium LOCA. Reliab. Eng. Syst. Saf. 142, 78–91.
Karanki, D.R., Dang, V.N., 2016. Quantification of dynamic event trees – a comparison with event trees for MLOCA scenario. Reliab. Eng. Syst. Saf. 147, 19–31.
KHNP, 2001. Emergency Operation Guideline of OPR1000. Korea Hydraulic and Nuclear Power Co.
Kim, B.G. et al., 2014. Dynamic sequence analysis for feed-and-bleed operation in an OPR1000. Ann. Nucl. Energy 71, 361–375.
Kim, B.G. et al., 2016. Advanced operation strategy for feed-and-bleed operation in an OPR1000. Ann. Nucl. Energy 90, 32–43.
Kim, M.C., 2014. Insights on accident information and system operations during Fukushima events. Sci. Technol. Nucl. Install. 2014, 1–12.
Kwon, Y.M. et al., 1995. Comparative simulation of feed and bleed operation during the total loss of feedwater event by RELAP5:MOD3 and CEFLASH-4AS:REM computer codes. Nucl. Technol. 112, 181–193.
Kwon, Y.M., Song, J.H., 1996. Feasibility of long term feed and bleed operation for total loss of feedwater event. J. Korean Nucl. Soc. 28 (3), 257–264.
Lee, S.J. et al., 2013. Quantitative estimation of the human error probability during soft control operations. Ann. Nucl. Energy 57, 318–326.
Park, R.J. et al., 2011. Effect of SAMG entry condition on operator action time for severe accident mitigation. Nucl. Eng. Des. 241, 1807–1812.
Pochard, R. et al., 2002. Analysis of a feed and bleed procedure sensitivity study, performed with the SIPACT simulator, on a French 900 MWe NPP. Nucl. Eng. Des. 215, 1–14.
Reventós, F. et al., 2007. Analysis of the feed & bleed procedure for the Ascó NPP first approach study for operation support. Nucl. Eng. Des. 237, 2006–2013.
Jung, W. et al., 2007. Analysis of an operators' performance time and its application to a human reliability analysis in nuclear power plants. IEEE Trans. Nucl. Sci. 54 (5), 1801–1811.
Sherry, R. et al., 2013. Pilot application of risk informed safety margin characterization to a total loss of feedwater event. Reliab. Eng. Syst. Saf. 117, 65–72.
SNL, 2012. Discrete Dynamic Probabilistic Risk Assessment Model Development and Application. Sandia National Laboratories, SAND2012-9346, USA.
Shin, S.M. et al., 2015. Surveillance test and monitoring strategy for the availability improvement of standby equipment using age-dependent model. Reliab. Eng. Syst. Saf. 135, 100–106.
Siu, N., 1994. Risk assessment for dynamic systems: an overview. Reliab. Eng. Syst. Saf. 43, 43–73.
Swaminathan, S., Smidts, C., 1999. The event sequence diagram framework for dynamic probabilistic risk assessment. Reliab. Eng. Syst. Saf. 63, 73–90.