Reliability Engineering and System Safety 52 (1996) 297-314
© 1996 Elsevier Science Limited. Printed in Northern Ireland. All rights reserved 0951-8320/96/$15.00
0951-8320(95)00140-9

The development and application of the accident dynamic simulator for dynamic probabilistic risk assessment of nuclear power plants

Kae-Sheng Hsueh* & Ali Mosleh†
Department of Materials and Nuclear Engineering, University of Maryland, College Park, MD 20742-2115, USA

This paper describes the principal modelling concepts, practical aspects, and an application of the Accident Dynamic Simulator (ADS) developed for full scale dynamic probabilistic risk assessment (DPRA) of nuclear power plants. Full scale refers not only to the size of the models, but also to the number of potential sequences which should be studied. Plant thermal-hydraulics behaviour, safety systems response, and operator interactions are explicitly accounted for as integrated active parts in the development of accident scenarios. ADS uses discrete dynamic event trees (D-DET) as the main accident scenario modelling approach, and introduces computational techniques to minimize the computer memory requirement and expedite the simulation. An operator model (including procedure-based behaviour and several types of omission and commission errors) and a thermal-hydraulic model with a PC run time more than 300 times faster than real accident time are among the main modules of ADS. To demonstrate the capabilities of ADS, a dynamic PRA of the Steam Generator Tube Rupture event of a US nuclear power plant is analyzed. © 1996 Elsevier Science Limited.
1 INTRODUCTION

In recent years the term Dynamic Probabilistic Risk Assessment (DPRA) has been used with several different meanings. Examples are
• 'Living PRA', i.e., a conventional PRA that is updated periodically to reflect changes in plant physical characteristics and/or to incorporate updated reliability parameters based on additional data.
• A PRA in which aging of equipment is explicitly accounted for.
• A PRA which can be used as an instantaneous or average 'risk meter' to help operators and plant personnel in making daily decisions regarding plant configuration changes and eventually as a decision aid in accident conditions.
• A PRA that models accident sequences and calculates their probabilities through integrated, interactive, time-dependent, probabilistic and deterministic models of (1) plant systems, (2) thermal-hydraulic processes, and (3) operator behaviour in accident conditions.

Tools and techniques have been proposed and developed to address one or more of the above issues. Despite the confusion that the casual use of the term has caused among the 'user community', the level of awareness about the underlying questions has been raised:
1. What are the dynamic effects that need to be considered in estimating the risk level and identifying its important contributors?
2. Do the current PRAs or conventional methodologies correctly address the important dynamic effects?
3. What changes, if any, are required to incorporate the dynamic effects into the PRA methodologies?

*Current address: NUS, 1411 Opus Place, Suite 103, Downers Grove, IL 60515, USA. †To whom correspondence should be addressed.

1.1 What are the dynamic effects?

It is clear that accounting for time variations is an essential feature of a dynamic PRA according to all of the above definitions. In order to answer the above questions one would need to investigate the way time enters the problem. An effective method is to classify the time-dependent effects in reference to the time duration of typical accident conditions. This allows an initial assessment of where and how such time-dependent effects should be considered in PRA models. Accordingly we have the following grouping of time-dependent effects:
1.1.1 Long time constants. This category includes:
• Environmental variation (seasonal changes)
• Plant configuration change and operational phases
• Aging of passive and active components
• Organizational, regulatory, economic, and social changes.

1.1.2 Short time constants. Examples are:
• Time dependency of physical processes
• Time dependency of stochastic processes
• Operator response time
1.2 Does the current PRA framework address the dynamic effects?
Examination of the current (conventional) PRA models indicates that all dynamic effects with a long time constant can be addressed within the existing framework. The principal modelling tools under the current framework are the fault tree and event tree logic models which enable construction of accident scenarios as a combination of basic events. Time-dependent effects with long time constants can be easily accommodated by modifying the estimates of the probabilities of the basic events, development of logic models for different plant configurations, and periodic updating of the PRA models. Current computer tools for performing conventional PRA are typically fast and relatively user-friendly for model modification. The capability of the event tree-fault tree framework to handle the dynamic effects with long time constants does not mean that the specific models required to address the various effects are well established and ready for use. In particular, methods for more explicit representation of component aging effects and the influence of organizational factors are in very early stages of development. In contrast, only a limited, implicit treatment of the dynamic effects with short time constants is possible with conventional PRA methodologies. In general, conventional PRAs are limited in representing the interactive nature of the roles of the systems, plant physical processes and operators in forming the accident scenarios. Conventional PRAs rely on 'logical' rather than temporal event trees. Also, the analyses of the plant behaviour, systems response, and operator actions are largely done separately and based on a broad grouping of many different types of events within each category. For example the thermal-hydraulic calculations are done separately for a few broadly defined boundary conditions and then applied in specifying the performance requirements (success criteria) for plant systems during the construction of the event trees. Event trees are essentially hardware-driven, meaning that they are designed primarily to represent the way various combinations of failures and successes of the hardware lead to different outcomes. The operator response models also group wide ranges of accident scenarios and many different types of man-machine interactions into a few categories of response which are in turn added to the hardware event tree or fault tree models. Some investigators[1] believe that this limitation can lead to an incorrect or incomplete picture of risk significant accident scenarios, and may cause underestimation of their likelihoods. The concerns include the implications of ignoring the effect of time of failure of equipment during an accident condition, the change in the probability of component failure, and the potential difference between logically identical but temporally different combinations of events, the apparent dependency of operator response to sequence-specific environment, and the sensitivity of the accident scenarios to operator response time. The importance of the last two items is also echoed by human reliability analysts in the recent push towards developing more advanced human reliability analysis (HRA) models.
One of the primary requirements of such models is explicit accounting of the context in which cognitive or other types of errors are committed. The context, of course, includes the status of the plant systems, state of the physical process variables, and the operators' mental state and prior actions and decisions. Clearly the time history of the sequence of events is a major part of the context. These concerns have motivated the development of new approaches to PRA which have been designed to address at least a subset of the issues.[2-5]

1.3 Key characteristics of a dynamic PRA tool

Methods and tools proposed for integrated dynamic PRA can be characterized by the following features:
• Event sequences are represented by a forward branching tree where branching occurs in time. Therefore time is an explicit parameter in the model.
• Branching times coincide with the times at which an important characteristic of the system (e.g., thermal-hydraulic process variables, component states, and operator action) changes.
• Event sequences are generated based on the rules describing the behaviour of the various elements of the integrated model of the plant, its systems, and the operating crew. These rules include:
  -- Plant functional dependencies (e.g., front-line to support system)
  -- Failure and success criteria for systems and components
  -- Functional requirements such as initiation and termination set points for systems and components
  -- Probabilistic model of system/component behaviour
  -- Deterministic model of the underlying physical processes at the plant, system, and component levels (e.g., a thermal hydraulics model of the primary loop)
  -- Operator response model including procedural requirements, response time, errors, and recovery from errors.
1.4 Dynamic modelling approaches and tools

Depending on the way the branching times are selected, the sequence generation of dynamic PRA can be characterized as Continuous Dynamic Event Tree (C-DET) or Discrete Dynamic Event Tree (D-DET). In the C-DET approach,[5] times of events are selected according to Monte Carlo sampling from the distribution of stochastic variables. D-DET[2,3] selects the branching times by discretizing the times of occurrence according to a set of rules. As such, D-DETs can be viewed as discrete approximations of the corresponding C-DETs. MSAS (Monte Carlo Simulation for Accident Sequences)[6] is a computer program designed for studies according to the C-DET approach. Computer codes designed to implement D-DET include DYLAM, DETAM, and ADS. The purpose of this paper is to report on the development and results of applying a simulation based accident sequence analysis methodology and computer implementation, called the Accident Dynamics Simulator (ADS), for dynamic probabilistic simulation of accidents in complex systems such as nuclear power plants. In its current form ADS has a simulation engine that can be used to simulate accidents in different systems when the systems characteristics and behaviour are incorporated in relevant modules. The modules currently implemented are designed for simulation of accidents in a pressurized water reactor (PWR). The general principles governing the design and development of the software are described in Section 2. Section 3 deals with the model of the physical process which in this case is the thermal-hydraulic model of Westinghouse PWR design. Section 4 presents the key features of the human interaction model implemented in ADS. A case study presenting the application of ADS to full scale PRA of a nuclear power plant is provided in Section 5, followed by concluding remarks in Section 6.
2 THE ADS ACCIDENT DYNAMIC SIMULATION METHODOLOGY

2.1 General concept

Transient events in nuclear power plants involve very complex interactions between the reactor core, primary loop, balance-of-plant, and emergency safeguard systems. The physics involved include reactor neutronics, thermal-hydraulics, heat transfer, and fluid mechanics. In addition, plant response sequences are also affected by discrete events due to the initiation or termination of control or safety systems, either automatically or manually. In a highly interactive environment of this kind, it is evident that a comprehensive accident analysis must include plant physics, operator activities and the behaviour of the safety systems. Accordingly, the proposed modelling approach is simulation-based. The road from proof of concept to full scale implementation of a dynamic PRA tool runs through elaborate modelling of complex processes, advanced computational algorithms, and careful optimization between precision and computational resources. The focus of the ADS development has been to pave this road and take a meaningful step in the direction of applied dynamic PRA. The proposed Accident Dynamic Simulation methodology (ADS) is an integrated dynamic simulation approach developed for large scale dynamic accident sequence analysis. Large scale refers not only to the size of the models, but also to the number of potential sequences which should be studied. There are two main challenges in developing a simulation environment for large scale accident sequence investigation. First, models of individual elements and the principles governing their interactions must be identified and formulated. Secondly, in order to make the study of a large number of sequences possible, an appropriate balance between detail and simulation speed must be achieved.
The modelling strategy of ADS is based on breaking down the accident analysis model into different parts according to the nature of the processes involved, simplifying each part while retaining its essential features, and developing integration rules for full scale application. The difficulties in studying dynamic interactions among safety systems, plant physics, and operator response arise not only from a lack of an underlying integral analysis methodology but also from a lack of appropriate modelling techniques in each individual issue. The ADS analysis framework is modularized as follows (see Fig. 1):
• accident sequence pre-processor: the pre-processor considers plant functional dependencies and failures on demand state of systems, arranged in a set of initial state vectors (ISV). Simulation experiments are done conditioned on initial state vectors
• plant dynamics model: the plant model includes a faster-than-real-time thermal hydraulics code (currently limited to slow transients) and a safety system actuation, operation and run time failure model (including front line and support systems)
• operator response model: operator actions modelled in this study include the execution of emergency procedures and recovery of failed systems. Operator errors, particularly certain types of errors of commission, are simulated
• accident sequence scheduler: the accident sequence scheduler controls the progression of simulation exercises, applies sequence truncation and termination rules and generates accident scenarios.

In the remainder of this section, the general modelling principles of these modules are discussed.

2.2 Accident sequence pre-processor

The experience gained from DYLAM exercises shows that the number of events which constitute branch points is the key limiting factor in developing the accident scenarios. Without applying frequency cut-off or truncations, the failure modes and the transition modes can easily expand the number of accident sequences geometrically. However, accident sequences can be thought of as occurring under a specific set of boundary conditions. Current PRA results can be used as a basis to create sets of initial conditions called the initial state vector sets. Instead of a full scale simulation of all sequences following an initiating event at the same time, simulation experiments to estimate the probability of undesired plant situations are conducted conditional on different ISVs. The underlying motivation is to focus all the computing power on the most important dynamic aspects of accident scenarios. Furthermore, this separation provides a better means of communicating the results of the analysis in explaining
[Fig. 1 (diagram): the main program manages calls to the modules. Scheduler: 1. controls development of sequences; 2. generates branching points; 3. saves and retrieves information at each branch point. Thermal-hydraulics: 1. calculates initial process vectors; 2. runs thermal hydraulics calculation over a time step. Operator module: 1. initializes operator state; 2. runs operator model over procedures with errors to determine new operator state. Component state module: 1. initializes instrumentation and component states; 2. changes component/system states due to failures and operator actions; 3. (illegible in scan). Branch point information exchange: ({Operator State}, {Operator Actions}, {Instrumentation/Component States}, {Thermal-hydraulics Variables Value}).]
Fig. 1. The ADS simulation framework.
what set of conditions lead to actions taken by the operators. Random hardware failure modes (e.g., failure during operation of a pump), which occur after the initiation of a sequence, could be an important dynamic element in the progression of the sequence. In particular, such failures may make it more difficult for the operators to control the situation and might cause confusion about the abnormal events. The effect of this failure mode, if viewed from the hardware side, is almost the same as that caused by an inappropriate human intervention, except that the operator's perceptions can be different. Thus, the nature of deterministic and probabilistic dependencies is different. In the consideration of dynamic characteristics of this type, modelling of failures during operation is implemented for all important hardware. This is done by branching all successfully functioning systems into success and failure paths at arbitrary discrete points in time. The level of detail in the system model is determined by the tasks involved. All systems and components which can be affected by the control room personnel must be included. Top events of traditional event trees and safety systems delineated in emergency operation procedures are also considered in ADS. Depending on the resolution required by the analysts, system functional states can either be defined by a simple binary success/failure state, as in event tree/fault tree methodology, or classified into different functioning states, if partial failures are included. Fault tree analysis and reliability block diagrams, together with reliability data bases, can be used to evaluate system state probabilities and state transition rates.
2.3 Plant dynamics model
2.3.1 Plant physical processes. The plant dynamics model includes a plant physics model and a safety system model (including front line and support systems). The physics model is used to predict the development of accident transients in response to various safety system operations. The resulting transient may lead to the actuation of the safety system or operator intervention. In general, computer codes, such as RELAP[7] and RETRAN,[8] currently employed to analyze the thermal-hydraulic behaviour of nuclear systems in licensing tasks, exploit sophisticated two-fluid or six-equation models with a very detailed control volume nodal scheme. Because of the extreme computational demand, it is very difficult to use standard licensing codes in simulation studies involving a large number of potential accident scenarios. In ADS, a lumped parameter approach is adopted. According to the nature of the physics involved, the nuclear plant is divided into several representative control volumes. Each control volume shares the same physical characteristics and has a smooth property profile. Conservation equations are derived for each control volume and solved under contemporary safety system conditions. Additional assumptions and approximations are needed and are employed to shorten the computing time without losing important information. Accuracy and efficiency are traded off based on the nature and the complexity of the problem. More details of the thermal-hydraulic model implemented in ADS are provided in Section 3.
2.3.2 Systems actuation model The safety system model characterizes system behaviour under various plant conditions. In the evolution of the accident, safety systems can be actuated by automatic control circuits or by operators. The outputs or responses from the safety systems are explicitly formulated and used as boundary conditions for the thermal hydraulic calculation. These include set points at which components are turned on or off, the actual state of the component (available, unavailable), and logical output. Functional dependencies between safety systems are also modeled. Examples of the functional dependencies include dependence of 'front line systems' (those directly needed to prevent or mitigate threats against the primary system) and 'support systems' such as component cooling and electric power. Some operator repair actions are also considered in ADS. Depending on the nature of the system failure, a failed system may be assumed to be recovered after some time delay, if control room operators detect the failure. In addition to the conventional safety systems mentioned earlier, instrumentation failures are also modelled in ADS. Instrumentation failures, which are typically ignored in conventional PRAs, may have substantial impacts on reactor safety. Instrumentation conveys the plant physical conditions and the system function status to control room operators. If failed or faulty, instrumentation will either present no information or incorrect information to the operators. Nuclear control room operators rely on symptom-related instruments, and if these fail, operators may have extreme difficulty in selecting the correct procedure. Failure may also affect operator decisions in several procedure steps which depend on the value of plant physical parameters. Safety and support system modelling is performed at the train level. 
Major front line systems related to the mitigation of SGTR and LOHS events such as pressurizer spray, heater, reactor trip, charging and letdown systems, safety injection signals, high pressure injection, residual heat removal system, PORVs, main feedwater and emergency feedwater systems, air-operated valves (ARVs), and steam dump systems are explicitly modelled in ADS. As mentioned above, instrumentation (i.e., hardware providing the status of systems and values of key physical parameters) is of particular interest in the study of operator response. Instrumentation for major symptoms which are the key to diagnosis of the events is explicitly modelled in ADS. In the determination of the symptom values, engineering judgement is applied when necessary. In summary, each system is described in terms of the following characteristics:
• probability data which characterizes the system's demand unavailability and run time failure rates
• hardware state which represents the actual system status (e.g., failed, operable)
• functional status which represents the functional status of the system (e.g., up, down)
• the governing physical equations and actuation criteria which determine the functional status of the system and the amount of system output (e.g., flow rate)
• the repair time which decides how much time the operator needs in order to recover an unavailable system
• support system vector which describes the systems needed to support its operation.
Similar to DYLAM[2] and DETAM,[3] failure during operation is assumed to happen at discrete points in time. These times are internally selected within ADS based on probabilistic criteria defined by the user. The recovery of failed hardware is simulated in two different ways. The immediate recovery covers the cases where control room operators immediately restart a halted system via the control panel. On the other hand, hardware repair actions usually involve substantial field work and require a much longer time.
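The system description above (demand unavailability, run time failure rate, hardware state, functional status, repair time and support system vector) and the discrete-time branching of every functioning system into success and failure paths can be written down directly as data and a few rules. The following is an added illustration, not code from the paper or from the ADS program: the four-system plant, all numeric values, and the use of a constant failure rate (exponential law) for the per-segment failure probability are assumptions made here; the paper leaves the probabilistic criterion to the user.

```python
import itertools
import math
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class SafetySystem:
    """Train-level description of one safety or support system, following the
    characteristics listed in the text. All numbers are constructed for illustration."""
    name: str
    demand_unavailability: float   # probability of failing to start on demand
    run_failure_rate: float        # run-time failures per hour (assumed constant)
    repair_time: float             # hours of field work to restore a failed system
    supports: tuple = ()           # support system vector: names this system needs
    hardware_state: str = "operable"   # actual hardware status: "operable" / "failed"


def set_hardware_state(systems, name, state):
    """Return a copy of the plant with one system's hardware state changed."""
    new = dict(systems)
    new[name] = replace(systems[name], hardware_state=state)
    return new


def functional_status(systems):
    """Derive each system's functional status ("up"/"down") from its own hardware
    state and the status of every system in its support vector. Iterates until
    nothing changes so that chains (power -> cooling -> injection) propagate."""
    up = {name: s.hardware_state == "operable" for name, s in systems.items()}
    changed = True
    while changed:
        changed = False
        for name, s in systems.items():
            new = up[name] and all(up.get(dep, False) for dep in s.supports)
            if new != up[name]:
                up[name] = new
                changed = True
    return {name: "up" if state else "down" for name, state in up.items()}


def run_failure_probability(system, dt_hours):
    """Probability of a run-time failure within a segment of dt hours, assuming a
    constant failure rate (assumption made for this example)."""
    return 1.0 - math.exp(-system.run_failure_rate * dt_hours)


def branch_on_run_failure(systems, dt_hours):
    """Discrete-time branching of every functionally 'up' system into success and
    failure paths. Returns (failed_names, branch_probability, new_systems) for
    every combination, so the probabilities over all branches sum to 1."""
    running = [n for n, st in functional_status(systems).items() if st == "up"]
    branches = []
    for outcome in itertools.product((False, True), repeat=len(running)):
        prob, new, failed = 1.0, dict(systems), []
        for name, fails in zip(running, outcome):
            q = run_failure_probability(systems[name], dt_hours)
            prob *= q if fails else 1.0 - q
            if fails:
                new[name] = replace(systems[name], hardware_state="failed")
                failed.append(name)
        branches.append((tuple(failed), prob, new))
    return branches


def after_repair(system, detected_at, now):
    """Hardware repair: a failed system is operable again once repair_time hours
    have elapsed since control room operators detected the failure."""
    if system.hardware_state == "failed" and now - detected_at >= system.repair_time:
        return replace(system, hardware_state="operable")
    return system


def constructed_plant():
    """Constructed front line / support configuration (not a real plant model)."""
    plant = [
        SafetySystem("AC_POWER", 1e-3, 1e-5, 8.0),
        SafetySystem("CCW", 2e-3, 2e-5, 6.0, supports=("AC_POWER",)),
        SafetySystem("HPI", 5e-3, 1e-4, 12.0, supports=("AC_POWER", "CCW")),
        SafetySystem("AFW", 4e-3, 5e-5, 4.0, supports=("AC_POWER",)),
    ]
    return {s.name: s for s in plant}


if __name__ == "__main__":
    plant = set_hardware_state(constructed_plant(), "CCW", "failed")
    print(functional_status(plant))      # HPI is down although its hardware is operable
    for failed, p, _ in branch_on_run_failure(plant, dt_hours=0.5):
        print(failed or "no failures", f"{p:.6f}")
```

The distinction the text draws between hardware state and functional status is what `functional_status` computes: with component cooling failed, high pressure injection is functionally down even though its own hardware is operable, and it is therefore excluded from run-time failure branching until its support is restored.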
2.4 Operator response model

Two operator models are implemented: (1) a 'perfect operator' who follows procedures and does not make any errors, and (2) an operator who might commit certain types of omission and commission errors while following procedures. The latter is explained in the following:
2.4.1 Error modes considered. The operating environment in the control room during an accident has several important features. First, nuclear plants provide guidelines and procedures to assist the operators during accident conditions. According to the guidelines, control room personnel, as required by regulations, have to follow emergency operating procedures (EOPs). Although operator behaviour is not completely bounded by EOPs, it is assumed that the emergency operating procedures are the major influencing factor for operator behaviour. Types of procedure-related errors that are currently considered in ADS include:

2.4.1.1 Skip. Skip as an error form refers to a failure to perform a specific action. Skipping can be intentional or unintentional. Unintentionally skipping an action or a step in following procedures has been extensively discussed in the current human reliability models. The probability of a particular task being skipped depends on the nature of the task, its importance, especially to plant safety, stress of the work environment and the available time. The intentional skip is related to the operator's perception of the plant/system condition. In the case of rising steam generator water level, for instance, the operators may have the impression that they are faced with an excess of feed flow. This can result in an increased probability of failing to verify auxiliary feed flow.
2.4.1.2 Short cut. The operators in NPPs are trained to handle different types of plant conditions. They know (or they think they know) the actions that can alleviate or resolve the perceived abnormal conditions. It is a natural tendency to find the path of least (cognitive) resistance to achieve their desired goals. This implies that when the operators recognize a symptom, they may directly take an action related to the symptom without considering other system conditions.
2.4.1.3 Misdiagnosis. In the symptom based procedures, symptoms are the key to operators in diagnosing the root cause of the abnormal incident. When an instrument failure occurs, operators may receive a wrong symptom leading to misdiagnosing of the event.
2.4.1.4 Delayed actions. Even when operators successfully diagnose the true cause of a transient, they may not initiate the recovery procedures dictated in the EOP. In the case of a loss of heat sink event, for example, operators may keep trying to recover the AFWs instead of initiating feed and bleed operation, as procedures specify, because it will lead to an extended and costly period of plant shutdown. Each error category described above may include several subcategories. For instance, delayed actions include delayed diagnosis and delayed recovery. The broad grouping presented here is based on common characteristics involving operator mental states, accident phases and types of actions to be generated.
EOPs can be used as the prescribed action sequences of operator behaviour. The types of errors identified in this section are, therefore, considered as alternative actions that lead to various accident scenarios. These errors are included at the stage where they occur. It is conceivable that operator behaviour can be described as the consequence of the interactions of the operator's thinking processes and the EOPs' underlying recovery schemes. Intentional deviations from procedural guidance are often generated by the mismatch between operator interpretations and expectations and EOP guidance. Although guided by the EOPs, operators may form their own interpretations and predictions from their perception of the plant status and system response and of the evolution of the event. Based on their knowledge and experience, control room personnel may feel enough confidence to deviate from EOPs. Accordingly, at least one broad category of operator commission errors can be the result of deviation. It is believed that the error categories described here, when implemented as a part of the human cognitive model, can capture a significant portion of human errors in the procedure-driven environment of nuclear power plant control rooms. Characterizing operator actions as procedure-following with various ways of deviation, ADS defines the operator state in terms of the following factors:
• Diagnosis: the operator's perception of the functional status of plant systems and the perceived accident symptoms.
• Selected procedure: the specific procedure and corresponding steps selected or being followed by the operator.
• Urgency factor: similar to PSFs, to represent a measure of operator psychological stress and operator's confidence of diagnosis.
• Action index: denotes which correct or erroneous action path is being followed.
When implemented in the simulation model, various types of errors, analogous to hardware failures, can lead to different accident scenarios. More details of the operator model currently programmed in ADS are provided in Section 4.

2.5 Accident sequence scheduler
[Fig. 2 (flow chart): initial conditions and boundary conditions feed the momentum equations and the pressurizer and RCS matrix state equations, which produce a new process state vector; component failure or operator action updates pass to the event sequence generator (scheduler), which tests for a new state and pushes to or pops from a first-in-last-out memory.]
Fig. 2. The ADS code computation flow chart.

In the execution of a simulation exercise, the accident sequence scheduler controls the development and generation of accident sequences. As shown in Fig. 2, ADS simulation always begins under one of the initial state vectors corresponding to a particular support and front line system initial status together with different operator characteristics (e.g., slow crew), if needed. After initializing the ADS simulation modules under the chosen initial state vector, the accident sequence scheduler advances the simulation exercise forward in time. Whenever a hardware system state transition point or an operator interaction point is reached, the accident sequence scheduler chooses one path to follow. Meanwhile, the scheduler also puts all of the information (including the plant model, operator model and system model parameters) defining this branch point into memory. It continues the simulation process in this manner until an end point is reached, which is either a successful recovery or an undesired state. The scheduler then directs the simulation exercise one step back to the previous branch point, retrieves the branch information from memory, re-initializes every simulation module back to this time point and follows the other branch point path. Once all sequences from the branch point have been explored, the accident sequence scheduler will step back once again. To guarantee the re-initialization, it is imperative to carefully define the state vector (i.e., independent variables) characterizing individual modules and design an appropriate data structure for memory management. Analysing the nature of this recursive forward-backward simulation scheme suggests that the first-in-last-out memory structure can satisfy this requirement. In the first-in-last-out structure, branch
304
K.-S. H s u e h , A . M o s l e h
point information is allowed to be inserted and removed from the top end only. When moving forward in time, the accident sequence scheduler always saves the most recently encountered branch point information above the previous points. To return to an earlier time step, the scheduler removes all of the information blocks beyond this point and retrieves the required information to re-initialize the simulation modules. This recursive forward-backward simulation scheme has two very important features. First, it can always retrieve the information saved in the scheduler memory to re-initialize the simulation models back to any preceding branch point. This means that, after reaching an end state, the sequence scheduler can recall the plant physics, system status and operator mental state and reset the simulation back to any previous branch point. Therefore, the time consuming thermal hydraulics calculation will not be repeated for sequence segments which have already been passed through. Assume there are n interactions, and that each interaction takes T seconds to process and generates two new subsequent paths. Without applying the recursive simulation scheme, every accident sequence will need nT seconds. Accordingly, the total simulation time will take $2^n \cdot nT$ to explore all scenarios. However, ADS will only travel each sequence segment once. Therefore, the total simulation time for ADS will be:

$$2T + 2^2 T + \cdots + 2^n T = 2T(2^n - 1).$$

If n is a large number, the ADS simulation time can be approximated as $2^{n+1} T$. Thus, the ADS simulation scheme will reduce the computation time by a factor of (n/2) compared with a breadth-first sequence generation and tracking approach. Secondly, at any instant of time, the accident sequence scheduler only keeps the information of the accident sequence being simulated in the computer memory. Consequently, the memory demand increases in a linear rather than a geometrical order. This feature has enabled ADS to be applied to large size models such as those required in full scope PRAs. Another implication of the memory management structure is that the whole scenario history, including past plant reactions, system responses, and operator mental activity history, is always available for assessment of human error probabilities. In relation to errors of commission, it is widely believed that the operator reasoning process can be an important influencing factor in the development of accident scenarios. The lack of scenario history information can lead to erroneous estimations of the level of dependence between actions. Therefore, with this capability, the ADS accident sequence scheduler, when integrated with an operator cognitive model, can result in more accurate conditional probabilities for human error dominated events.
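The forward-backward scheduler and its first-in-last-out branch memory described above, as an added example written for this page (it is not ADS code). The plant state vector, the segment dynamics, the binary branching and the pressure-based undesired end state are constructed stand-ins for the ADS thermal-hydraulic, system and operator modules; the cost comparison reproduces the 2T(2^n - 1) versus 2^n(nT) count from the text.

```python
# Added example (not ADS code): a depth-first dynamic event tree scheduler
# with a first-in-last-out branch stack, as described in Section 2.
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PlantState:
    """Minimal state vector saved at every branch point: enough to
    re-initialize the segment simulator (the 'independent variables')."""
    pressure: float             # RCS pressure, bar (constructed value)
    time: float                 # accident time, s
    path: Tuple[int, ...] = ()  # branch indices taken so far (scenario history)


def simulate_segment(state: PlantState, branch: int, seg_time: float) -> PlantState:
    """Stand-in for the thermal-hydraulic module: advance one sequence segment
    from a branch point. Branch 0 is the success path (pressure recovers),
    branch 1 the failure path (pressure keeps falling). Constructed dynamics."""
    delta_p = 5.0 if branch == 0 else -20.0
    return PlantState(pressure=state.pressure + delta_p,
                      time=state.time + seg_time,
                      path=state.path + (branch,))


class DfsScheduler:
    """Recursive forward-backward accident sequence scheduler.

    The stack holds (saved state, next untried branch) per branch point.
    Forward: simulate one segment and push the new branch point on top.
    Backward: when every branch at the top point is explored, pop it and
    retry the next branch of the previous point, re-initializing from the
    state that was saved there, so no segment is ever simulated twice.
    """

    def __init__(self, n_interactions: int, seg_time: float = 1.0,
                 branches: int = 2, undesired_pressure: float = float("-inf")):
        self.n_interactions = n_interactions
        self.seg_time = seg_time
        self.branches = branches
        self.undesired_pressure = undesired_pressure  # end state: pressure below this
        self.segments_simulated = 0   # each segment costs T seconds in the paper
        self.max_stack_depth = 0      # memory demand: grows linearly with n
        self.end_states: List[Tuple[PlantState, str]] = []

    def run(self, initial: PlantState) -> List[Tuple[PlantState, str]]:
        stack: List[Tuple[PlantState, int]] = [(initial, 0)]
        while stack:
            self.max_stack_depth = max(self.max_stack_depth, len(stack))
            saved, next_branch = stack[-1]
            if next_branch >= self.branches:
                stack.pop()                          # all paths explored: step back
                continue
            stack[-1] = (saved, next_branch + 1)     # mark this action path as taken
            # Re-initialize from the saved state and travel the segment once.
            new = simulate_segment(saved, next_branch, self.seg_time)
            self.segments_simulated += 1
            if new.pressure < self.undesired_pressure:
                self.end_states.append((new, "undesired"))
            elif len(new.path) == self.n_interactions:
                self.end_states.append((new, "recovered"))
            else:
                stack.append((new, 0))               # new branch point on top
        return self.end_states


def cost_comparison(n: int, seg_time: float = 1.0) -> Tuple[float, float]:
    """Simulation time of the depth-first scheme versus re-running every
    complete sequence from t=0, for n binary interaction points:
    2T(2^n - 1) against 2^n * nT."""
    sched = DfsScheduler(n, seg_time)
    sched.run(PlantState(pressure=155.0, time=0.0))
    dfs_time = sched.segments_simulated * seg_time
    naive_time = (2 ** n) * n * seg_time
    return dfs_time, naive_time


if __name__ == "__main__":
    for n in (5, 10):
        dfs, naive = cost_comparison(n)
        print(f"n={n}: DFS {dfs:.0f} T, naive {naive:.0f} T, ratio {naive / dfs:.2f}")
    sched = DfsScheduler(5, undesired_pressure=100.0)
    for state, kind in sched.run(PlantState(pressure=155.0, time=0.0)):
        print(kind, state.path, state.pressure)
```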
3 THE ADS THERMAL HYDRAULICS MODEL
3.1 The model

A lumped parameter control volume model is used for the simulation of the thermal hydraulics behaviour of pressurized water reactors (PWR). Several assumptions and simplifications have been made to minimize the computational demand. Figure 3 shows the control volume scheme for a single loop RCS. The RCS is divided into the following nodes: reactor core, reactor upper plenum, hot leg, reactor lower plenum and pressurizer. In each of the four loops, the hot leg, the primary side of the U-tube steam generator and the cold leg are lumped into one control volume. The 4-loop PWR is lumped as a 2-loop structure: the three loops without the connection line to the pressurizer are lumped as a single loop. Further simplifications made to speed up the program are based on the assumption that, in the same flow loop, every control volume has the same mass flow rate. The momentum balance equation is not considered separately for individual control volumes, but is averaged over an entire loop. Introduction of this assumption implies that the time scale of pressure wave propagation in the RCS is much smaller than that of the transient of interest. The single loop mass flow rate assumption is considered appropriate for analysing slow transients of a PWR. The state space variables characterizing each control volume are the primary pressure, P, and the average mixture enthalpy, h_i. A typical RCS control volume is shown in Fig. 4. The mass flow rate and flow enthalpy from the (i-1)th node are denoted as W_{i-1} and h_{i-1}. Q_i, W'_i and h'_i represent the external heat flow rate, fluid flow rate and enthalpy across the boundary. With the single mass flow rate assumption, the conservation equations of each RCS control volume can be written as:

$$M_i \frac{dh_i}{dt} - V_i \frac{dP}{dt} = W_{i-1}(h_{i-1} - h_i) + W'_i(h'_i - h_i) + Q_i$$

$$V_i \frac{d\rho_i}{dt} = W'_i$$

where h_i and ρ_i are the mean enthalpy and the mean density of the ith node, respectively. By semi-implicit differencing of the mass and energy equations and rearranging as a vector difference equation, the system of equations for the RCS flow path components is:

$$A(X^{n+1} - X^n) = F_{RCS}$$
Fig. 3. The control volume scheme for a RCS loop. [Figure: control volumes Pressurizer, Upper Plenum, Hot Leg, Steam Generator (with Steam and Feed Water connections), Core and Lower Plenum]
where X is the state vector, F_RCS is the boundary condition vector, A is the 6 × 6 RCS coefficient matrix, and n refers to the time step. The state vector X in the ADS code is designated as

$$X = [P,\ h_{upp},\ h_{lower},\ h_{core},\ h_{leg\,1},\ h_{hot/sg\,2}].$$

The momentum equations of each loop are simplified by the steady state approximation. The loop mass flow rate is determined by the balance of the friction loss, buoyancy head and pump head. The thermal centres of the RCS and hot legs are evaluated based on the linear temperature models from Todreas & Kazimi (Ref. 11). Similarly, the pressurizer state vector P is selected as:

$$\mathbf{P} = [P,\ h_l,\ h_v,\ V_v].$$

The system of equations of the pressurizer can be expressed as the following vector difference equation:

$$Z(\mathbf{P}^{n+1} - \mathbf{P}^n) = F_{pz},$$

where Z is a matrix of constants. To solve the pressurizer and RCS systems of equations, the Gauss reduction method is used to reduce the pressurizer and RCS vector difference equations to algebraic equations in the system pressure P and the surge flow W_surge, respectively, as:

$$(P^{n+1} - P^n) = K_{pz1}\, W^{n+1}_{surge} + K_{pz2}$$

$$(P^{n+1} - P^n) = K_{rcs1}\, W^{n+1}_{surge} + K_{rcs2}$$

where the K's are constants. Simultaneously solving these two equations gives P and W_surge. Then the rest of the state variables can be obtained by back substitution.

Fig. 4. A typical RCS control volume. [Figure: donor-cell differencing scheme; nodes i-1, i and i+1 with loop flows W_{i-1}, W_i and enthalpies h_{i-1}, h_i, and a boundary flow entering node i with enthalpy h'_i]

3.2 Computational procedure

The thermal hydraulic computation procedure primarily consists of three numerical routines. For each time step, the new boundary conditions are updated based on the safety system configuration and operator actions. The loop mass flow rates and steam generator power are determined first. Then, the reactor cooling system and pressurizer state space matrices are constructed using the updated fluid properties. The new system pressure P and surge flow rate W_surge are solved simultaneously. Substituting P and W_surge back into the state space vector equations gives the rest of the RCS and pressurizer state variables. At the end of each time step, the new steam generator state variables are resolved. Currently, a default fixed time step of one second is used as the simulation time step size. Smaller or larger step sizes may be selected by the user, depending on the nature of the transient.
ADS thermal hydraulics models can simulate accident sequences about 300 times faster than real time on a 486 PC.

3.3 Model validation

The ADS thermal-hydraulic module provides a reasonable substitute for more accurate codes when applied to slow transients such as small loss of coolant accidents. As a demonstration of its performance, the steam generator tube rupture event at the North Anna Nuclear Power Plant was simulated and compared with PRISM, which is a more sophisticated PC-based PWR simulator (Ref. 12). Figures 5 and 6 are the simulation results from ADS and PRISM based on the operator action sequences of the North Anna event. The comparisons indicate that the ADS thermal hydraulics model predictions match the PRISM results within a ten percent range.

Fig. 6. The pressurizer level history of the North Anna SGTR event simulated by ADS. [Plot: pressurizer level versus Time (Sec.), 30 to 1530 s]

4 OPERATOR MODEL
This section describes the implementation of an operator action model and emergency procedures in the ADS code. As discussed in Section 2, the emergency procedures have been assumed to be the driving factor in the formulation of operator behaviour. The operator actions included in the program are those called for by the emergency procedures and the alternative actions identified in the procedures. The principal Westinghouse emergency procedures have been programmed, including the reactor trip response procedure (E-0), the LOCA procedure (E-1), the Faulted SG isolation procedure (E-2), the SGTR procedure (E-3), and the response to loss of secondary heat sink (FR-H1). Alternative actions are essentially those identified in Ref. 9 with minor modifications. They include skips (intentional and unintentional), short cuts, and delayed actions framed either as transitions among procedure steps or as delayed EOP execution. Similar actions are also implemented in Ref. 3.
4.1 Mapping of errors

Investigation of the types of human actions in nuclear accidents shows that post-accident human actions can be divided into different task phases in terms of the objectives of the tasks and their susceptibility to types of error. Based on a review of the EOPs, abnormal operating procedures (AOPs), plant information and operating experience, operator post-accident actions are categorized into the task phases discussed below. The following discussion of error mapping is for PWR accidents, and for steam generator tube rupture and small break LOCA events in particular. However, the same simple mapping approach can be easily used for other events. In this approach the operator response guidelines of the EOPs are divided into the following response phases: Pre-EOP, EOP-0 (including subphases of Verification, Diagnosis, and Monitoring), the Optimal Recovery Procedures (EOP-1, 2, etc., which include subphases such as Rediagnosis, Verification, and Action) and the Critical Safety Function Tree (CSF).

Fig. 5. The RCS pressure history of the North Anna SGTR event simulated by ADS. [Plot: RCS pressure versus Time (Sec.), 30 to 1830 s]
4.2 Pre-EOP phase

In a slow transient, the operator would have enough time to take mitigation actions for anomalous conditions. Such actions would include taking manual control of automatic control systems, turning on additional charging pumps, reducing power level, etc. If these actions do not alleviate the trend toward a reactor trip or safety injection, the operator is permitted to trip the reactor and, if necessary, to actuate safety injection. Operator intention and perception at this stage have a strong influence in determining subsequent behaviour while following the EOPs. During the pre-EOP phase, human actions are modelled as the necessary mitigation actions complicated by skips and short cuts to trip the reactor.

4.3 E-0 (reactor trip and safety injection response procedure) phase

The E-0 procedure is entered on a reactor trip or safety injection, whether the signal was automatic or a result of manual actuation. E-0 consists of actions to verify proper response of automatic protection systems following a reactor trip or safety injection, to diagnose and assess plant conditions, and to identify the appropriate recovery guideline. Once entered, it is not exited until there is a direct transition to a recovery procedure as directed by the symptoms being monitored. A review of the structure of the procedure suggests that E series procedures can be further divided into the following phases:

4.3.1 Verification

Skips, both intentional and unintentional, as well as short cuts, are suggested to be the dominant error forms in the verification phase. The probability of skipping is strongly influenced by the external conditions. A rapidly decreasing RCS pressure, for example, may put the operator under extremely high stress so that he may intentionally skip one or several verification actions specified in E-0. Short cuts may arise because of either premature judgement or the stress. The activities in the pre-EOP phase may give the operator a long enough time to observe key symptoms or related indications. It is a natural tendency of human beings to take the path of least cognitive resistance for managing difficult situations like nuclear accidents. A short cut to the related optimal recovery procedure is modelled as an action path in the first step of E-0. On the other hand, the consecutive omission of several verification actions can occur as a result of excessive operator psychological and physiological stresses. When it occurs, ADS assumes the operator will immediately jump to the diagnosis phase or, if there is a diagnosis, to the recovery procedure.

4.3.2 Diagnosis

In the diagnosis phase, operators will try to diagnose the event based on the symptoms delineated in the EOPs. Similar symptoms between different accident sequences, which have been recognized as major contributors to misdiagnosis, are not dominant in symptom based operating procedures. The symptom based procedures designate the unique symptoms of each event as the key to diagnosis of the incident. Therefore, confusion because of similar symptoms is less likely for current nuclear reactor operations. Instrumentation failures, which are generally not analyzed in current PRAs, can produce various human errors. A misdiagnosis can occur because of faulty instruments. Delayed diagnosis may happen if operators do not receive the necessary information.

4.3.3 Continuous monitoring

If the event cannot be diagnosed in the diagnosis phase, the operator would continue to evaluate plant conditions, maintain steam generators within the narrow range and secure low-head SI while continuing to diagnose the event. Skips and misdiagnosis because of instrument failures are the most likely error forms causing the operator to take wrong actions or fail to assure the operation of safeguard systems.
4.4 Use of optimal recovery procedures

Following a diagnosis of the fault, the operator is directed to one of the optimal recovery guideline procedures (SI Termination, Loss of Reactor Coolant, Loss of Secondary Coolant, Steam Generator Tube Rupture, etc.) to facilitate optimal recovery. In general, optimal recovery procedures consist of a re-diagnosis phase to confirm the diagnosis and check for other failures, and a recovery action phase. It is assumed that skips and short cuts are the dominant error modes in the re-diagnosis phase. Misdiagnosis can happen if an instrument has failed. Operator actions delineated in the action phase are, in general, context dependent. The decision to model various error forms is made by judging the contextual information of the procedures.
4.5 Use of critical safety function tree (CSF)

Parallel to the execution of emergency operating procedures, the Critical Safety Function Tree (CSF) is periodically monitored by a specific control room crew member, usually a senior operator. The concept of the CSF was created for multiple event/multiple failure scenarios. For those scenarios, the implementation of optimal recovery guideline procedures may be insufficient to secure the nuclear system. Instead, critical safety function trees and associated function restoration guidelines are suggested. If the physical barriers, the fuel rod, the cooling system, and the containment remain intact, radioactive material will not be released to the environment. Critical safety functions are the sets of functions that must be continuously satisfied to guarantee the integrity of these physical barriers. For those extremely rare events which go beyond the design basis of the safeguard systems and the scope of the optimal recovery guidelines, CSF trees and functional restoration guidelines provide operators with: (1) a means of directly monitoring the critical safety functions and (2) guidance for restoring any critical safety function which might be in jeopardy. In the ADS code, the CSF is assumed to be monitored at a fixed period of time. If any imminent challenge is detected, known as the red path, operators will immediately perform the associated procedure. However, instrument failures may lead to misdiagnosis, delayed diagnosis and delayed actions. Currently, only the heat sink function tree is implemented. This simplification is only to limit the scope of the analysis. There is no fundamental obstacle in modelling and implementing other Critical Safety Function trees.

4.6 Implementation in ADS

Various operator actions are explicitly programmed as different action paths in each emergency procedure step when appropriate. An error mapping approach provides the general principles in the formulation of operator action paths. However, the context information of each procedure step must be carefully examined when selecting the set of likely operator actions. The immediate verification step in E-0, for example, directs the operators to verify the operation of the safeguard systems. If they are not functioning, the operators can either try to restart them or follow the prescribed action. The error mapping analysis suggests that there are short cut and skip error modes in the E-0 immediate verification steps. However, if the operator follows the instructions and finds out about the failures of systems, ADS models this situation by branching the sequence into one short term repair path and one long term repair path. The former implies the operators will remain in this step for a short period of time and will recover or respond to the failed system before moving to the next step. The long time repair action path addresses those cases where the control room operators are unable to fix the failed system from the control room, and send other plant personnel to repair the system locally. It is obvious that this repair action will take much longer and the control room operators would have to move to the next step before the system is recovered. Table 1 summarizes the mapping of human errors to the Westinghouse symptom based emergency operating procedures. The state variables chosen for the operator model are the following: which procedure is being used, which step is being executed, and which action path is being followed. When the operator model reaches a new procedure step (branch point), the accident scheduler will choose one of the appropriate action paths to follow and mark down this action path. When the scheduler arrives at this procedure step the next time, the action path variable will instruct the scheduler to choose the unused path. This is repeated until no new action path can be found. An 'urgency factor' has been defined to simulate the effect of operator psychological stress in the determination of operator action probabilities. For example, a confirmed failed system is assumed to always increase the urgency value by one. This factor is used to increase error probabilities. The base values reflect generic classes of situations without the added stress (e.g., an initiating event with no safety system failure). Depending on what kind of diagnosis the operator has made, the urgency factor will also be a function of the plant physical parameters. In the case of the loss of heat sink event, the steam generator water level is the primary concern and will increase the urgency function value by 2 if the level is low.

The conditional operator action probability is determined by adjusting the nominal probability value in accordance with the urgency factor value. In the ADS program, a stepwise functional relationship is assumed between the urgency value and the conditional probability. Whenever the urgency reaches a higher level, the probability is multiplied by an adjustment factor, which is a user input.
Table 1. The mapping of errors to emergency operating procedures (EOP)

EOP:        AOP | E-0                       | E-n
EOP Phase:      | Verification, Diagnosis   | Re-diagnosis, Action

Error form        Marks (as extracted; column placement not recoverable)
Skip
Short Cut
                  * * * * *
                  * * *
Misdiagnosis
Delayed Action
Delayed Diagnosis
                  * * *
                  * *
The time to perform an action (e.g., performing a procedural step) depends on the nature of the action. In ADS, nominal action times are assumed for several different types of actions. These values are user input. In the current version, ADS assumes that the operator actions take place at the nominal action time. Each type of action is sampled in one action path. However, it is straightforward to add action paths at different action time points.
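The urgency factor and the stepwise probability adjustment of Section 4.6, together with the context rules quoted for the case study (one failed system adds 1, the ruptured SG reaching the wide range high level in an SGTR or a low SG level in a loss of heat sink adds 2), as an added example that is not ADS code. The nominal error path probabilities, the single adjustment factor (the paper allows per-action factors), the rescaling when adjusted probabilities would exceed 1, and the plant context are constructed inputs for illustration.

```python
# Added example (not ADS code): urgency-driven adjustment of operator action
# path probabilities, with the urgency rules stated in Sections 4.6 and 5.2.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class PlantContext:
    """What the operator has perceived so far at this interaction point."""
    confirmed_failed_systems: List[str] = field(default_factory=list)
    event_diagnosis: str = ""                         # e.g. "SGTR", "LOHS"
    ruptured_sg_level_wide_range_high: bool = False   # SGTR cue (+2)
    sg_level_low: bool = False                        # loss of heat sink cue (+2)


def urgency_factor(ctx: PlantContext) -> int:
    """Discrete relative urgency scale: +1 per confirmed failed system, +2 for
    the level cue that matters under the current diagnosis."""
    urgency = len(ctx.confirmed_failed_systems)
    if ctx.event_diagnosis == "SGTR" and ctx.ruptured_sg_level_wide_range_high:
        urgency += 2
    if ctx.event_diagnosis == "LOHS" and ctx.sg_level_low:
        urgency += 2
    return urgency


@dataclass
class ProcedureStep:
    """One EOP step: the procedure-following path plus its error action paths."""
    procedure: str
    step: int
    nominal_error_paths: Dict[str, float]   # error path -> nominal probability
    followed_path: str = "follow"


def conditional_path_probabilities(step: ProcedureStep, urgency: int,
                                   adjustment_factor: float) -> Dict[str, float]:
    """Stepwise relationship: each urgency level multiplies every error path
    probability by the user-supplied adjustment factor. If the adjusted error
    probabilities would exceed 1 in total they are rescaled to sum to 1
    (an assumption of this example, not stated in the paper); the procedure
    following path receives the remainder."""
    if urgency < 0 or adjustment_factor <= 0:
        raise ValueError("urgency must be >= 0 and the factor positive")
    scale = adjustment_factor ** urgency
    errors = {path: p * scale for path, p in step.nominal_error_paths.items()}
    total = sum(errors.values())
    if total > 1.0:
        errors = {path: p / total for path, p in errors.items()}
        total = 1.0
    probs = dict(errors)
    probs[step.followed_path] = 1.0 - total
    return probs


def sequence_probability(isv_probability: float, branch_probabilities: List[float]) -> float:
    """Probability of one dynamic event tree sequence: initial state vector
    probability times the conditional probability of every branch taken."""
    p = isv_probability
    for b in branch_probabilities:
        p *= b
    return p


if __name__ == "__main__":
    # Constructed E-0 verification step with a short cut to E-3 and a skip path
    # (nominal values in the range of Table 2, chosen for illustration).
    e0_ver = ProcedureStep("E-0", 1, {"shortcut_E-3": 1e-1, "skip": 1e-2})
    calm = PlantContext()
    stressed = PlantContext(confirmed_failed_systems=["RHR"], event_diagnosis="SGTR",
                            ruptured_sg_level_wide_range_high=True)
    for ctx in (calm, stressed):
        u = urgency_factor(ctx)
        print(u, conditional_path_probabilities(e0_ver, u, adjustment_factor=2.0))
```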
Table 2. Typical error probability values used in the example

Likelihood     | Value | Example Action
Very Unlikely  | 1E-4  | Operators diagnose the SGTR event but fail to perform the recovery actions while in the SGTR procedure
Unlikely       | 1E-2  | Operators fail to reset SI when they are performing the SGTR recovery actions
Likely         | 1E-1  | Operators take shortcut action to SGTR procedure in E-0 due to the early diagnosis before entering EOPs
Very Likely    | 4E-1  | Operators take the skip actions in the event restoration procedures

5 CASE STUDY

5.1 Scope

The SGTR event analyzed for the Seabrook Nuclear Power Generating Station (Ref. 13) is used as an example to explore the capabilities of ADS. The emergency operating procedures implemented are the Reactor Trip Response Procedure (E-0), LOCA Procedure (E-1), Faulty Steam Generator Isolation Procedure (E-2), Steam Generator Tube Rupture Procedure (E-3), Post LOCA Cooldown and Depressurization (ES-1.2), and Loss of Heat Sink Restoration Procedure (FR-H1).

5.2 Operator behaviour variables

Various operator error forms are mapped into the procedures as shown in Table 1. If the failure of safety systems is judged to be recoverable during the accident, operator recovery actions for the failed systems are explicitly modelled as 'short' and 'long' recovery actions. These times vary depending on component or system types. Short time recoveries represent actions such as pushing a button again, while an example of a long recovery is the case where a local action is needed. Since the cognitive-based human modelling methodologies and the supporting data are still in the early stages of development, the branching probabilities and operator actions are assigned subjectively based on the characteristics of each step in the operating procedures, the nature of the actions, and the operators' mental states. For instance, if the operators have already diagnosed the LOCA event, and have transitioned to the recovery actions in the E-1 procedure, the likelihood of failure to take the LOCA recovery actions is assumed to be very low. Table 2 presents the typical probabilities used in this study. In its current version, ADS also requires the user to provide the nominal branching probabilities and operator response times as part of the input. In this case study, to account for the impact of stress on error probabilities, ADS uses an urgency function which is a discrete relative scale and is determined as
a function of the operators' diagnosis and perception concerning the plant status. For example, if the operator finds a failed safety system, the urgency factor is increased by 1. Or, in the case of an SGTR event, if the operators perceive that the ruptured steam generator level is reaching the wide range high level warning, the urgency factor will be increased by 2. Then, at each human interaction point, ADS will adjust the error probabilities based on the types of actions and the relevant urgency factors. One typical example is when the operators diagnose the event as a small LOCA: the chance of a short cut to the LOCA procedure will be increased by a factor of 4 and the likelihood of skipping actions in the E-0 procedure will be increased by a factor of 2. ADS continuously evaluates the accident conditions and adjusts the urgency factor to account for the dependence of human actions on the accident sequence progression. The operator response times are modelled as fixed input values in the current implementation. If desired, operator action times could also be modelled as sequence dependent variables in the same way as the error probability without changing the code architecture. The analysis starts with the selection of the set of initial state vectors (ISVs) from the Seabrook PRA (Ref. 13) event tree, as well as additional assumptions about instrumentation status, operator state, and response time. For each ISV, a separate dynamic simulation run is made.

5.3 Initial state vectors
The PRA event tree models were used as the starting point for development of the hardware portion of the ISVs. The analysis of the Seabrook nuclear station system design shows that there are 36 support system states and 305 front line train states. Since no single train failure of any given front line system constitutes a system failure, systems operating under the failure of a single train and the fully functional state of both trains are grouped into the same initial state vector. A value of 10^-6 has been chosen as the cut-off probability to screen out low probability initial state vectors. During this screening process, the initiating event frequency is not included. After probability screening and grouping, there are 17 initial state vectors (Table 3) based on the systems modelled. In addition to these 17 safety system related initial states, ADS also considers the occurrence of instrumentation failures which are not modelled in the Seabrook PRA. To simplify the analysis the instruments are categorized by their functions, such as instruments for diagnosing LOCA (INST-LOCA), instruments for diagnosing SGTR (INST-SGTRRAD), instruments for diagnosing faulty steam generators (INST-PSG), and instruments for diagnosing LOHS (INST-LOHS).
Table 3. The initial state vectors selected for the example ADS run for the Seabrook SGTR event

Failed systems | Probability
None | 9.5E-1
Powered Operated Relief Valves (PORV) | 1.0E-2
Air Operator Valves (ARV) in Steam Generator (SG) | 1.7E-4
Air Operator Valves (ARV), Powered Operated Relief Valves (PORV) | 1.8E-6
Emergency Feedwater System (EFW) | 4.1E-4
Emergency Feedwater System (EFW), Powered Operated Relief Valves (PORV) | 4.4E-6
High Pressure Safety Injection (HPSI) | 9.8E-7
Steam Dump System of Secondary Side (SD) | 2.9E-4
Steam Dump System of Secondary Side (SD), Powered Operated Relief Valves (PORV) | 3.1E-6
Steam Dump System of Secondary Side (SD), Emergency Feedwater System (EFW) | 1.3E-7
Residual Heat Removal (RHR) | 4.1E-2
Residual Heat Removal (RHR), Powered Operated Relief Valves (PORV) | 4.4E-4
Residual Heat Removal (RHR), Air Operator Valves (ARV) | 7.5E-6
Residual Heat Removal (RHR), Emergency Feedwater System (EFW) | 1.8E-5
Residual Heat Removal (RHR), Emergency Feedwater System (EFW), Powered Operated Relief Valves (PORV) | 1.9E-7
Residual Heat Removal (RHR), Steam Dump System of Secondary Side (SD) | 1.3E-5
Residual Heat Removal (RHR), Steam Dump System of Secondary Side (SD), Powered Operated Relief Valves (PORV) | 1.4E-7

Instrumentation failures are not considered in the initial state vector screening process due to the lack of data. Safety System Initial State Vector: [PORV, ARV, EFW, HPSI, SD, RHR]. Instrumentation Initial State Vector: [INST-LOCA, INST-SGTRRAD].
5.4 Analysis results
Various simulation runs are performed to demonstrate the capabilities of ADS. In general, each simulation for each initial state vector may involve more than thirty operator interactions and thousands of sequences. Because of the differences in the operator modelling and the significant uncertainty about the operator action times and probabilities, a precise quantitative comparison of simulation results with the Seabrook study is not very meaningful. The results shown here are only used for demonstration purposes. The operator modelling and human error data are still too immature to support a full application of the dynamic PRA methodology. As expected, ADS generates a much larger number of sequences compared with the traditional PRA studies. Any conventional event tree sequence may be analyzed as hundreds of accident sequences in ADS. For example, the immediate action phase of E-0 alone can produce up to 4,000 sequences. Therefore, a pictorial representation of all sequences generated by ADS is not practical. A post processor module is being developed for organizing, tracking, and displaying the results of ADS runs. One way of presenting the sequences generated by ADS is to summarize the simulation processes by the EOP phases with characteristic transition modes. In the E-0 procedure, the major phases include the E-0-VER steps (Immediate VERification), E-0-Dia (Diagnosis) step 1 and step 2, and E-0-Delayed-Dia (Delayed Diagnosis). Recovery procedures (E-1, E-3, etc.) include E-1-Redia (E-1 Rediagnosis), E-1-Act (E-1 Action), E-3-Redia (E-3 Rediagnosis), and E-3-Act (E-3 Action) as shown in Fig. 7. The major transition modes are the skip actions in E-0-VER (E-0-Skip), short cut actions (E-0->E-3-SC, E-0->E-1-SC, and AOP-SC), delay actions (E-0-Delay), and procedure driven transitions (E-0->E-1-Dia, E-1->E-3-Redia, and E-0->E-3-Dia). Figure 8 depicts the detailed simulation process of the E-1 rediagnosis step.
When entering the E-1 procedure (node 1), the operators are instructed to reconfirm that there is no SGTR event. However, following a skip error (node 4), the operators may skip this step and perform the first step of the E-1 Action phase, which is to check the PORV. If the operators do not skip the E-1 Redia step, then it is very likely, depending on the stress level and instrumentation conditions, that they will be able to diagnose the SGTR event (node 2) and transit to the E-3 procedure (E-1->E-3-Redia). Node 3 represents the first step of the E-3 procedure. It should be noted that this figure only represents a small portion of the ADS simulation. Similar structure and transitions can be seen for each procedure step. The following summary of some of the ADS results for the case studies is provided to show examples of some of the things that can be done using an integrated tool for PRA analysis. Again, since the values used for error probabilities are very subjective, the numerical results are only used for illustrative purposes.

Fig. 7. The ADS simulation phase sequence diagram. [Figure: phase boxes E-0-Ver, E-0-Dia, E-1-Redia, E-1-Action, E-3-Redia and E-3-Action (steps 1->n), linked by Skip, E0->E3-SC, E3-SC, E0->E1-Dia, E0->E3-Dia and E1->E3-Redia transitions; the E-1 rediagnosis step is detailed in Fig. 8]

Fig. 8. Detailed simulation branching of E-1-Rediagnosis step. [Figure: node table with columns Node, Procedures, Time, Instrument Reading, Operator Mental State and Safety System State. Node 1, Entering E-1: E-1 Rediagnosis Phase - Verify no SGTR, 1242 Sec (radiation alarm in SG, RCS pressure dropping, pressurizer level dropping; diagnosis is LOCA). Node 2, Entering E-1 Action: E-1 Action Phase - Verify PORV closed, 1272 Sec (PORV closed, no radiation in pressurizer relief tank; no PORV LOCA). Node 3, Recover to SGTR: E-3 Rediagnosis Phase - Acknowledge the SGTR event - Verify no faulted SGs, 1272 Sec (diagnosis is SGTR, SG level high). Node 4, Skip to E-1 Action: E-1 Action Phase - Verify PORV closed, 1242 Sec. Safety system state throughout: pressurizer heater on, charging pump on, reactor trip, SI actuated, PORV closed.]
5.5 The effect of system failures

Table 4 summarises the results of the ADS simulation exercises for various initial vectors with operating EFW. The probabilities listed in the table represent the conditional probability of each end state obtained from the ADS simulation exercise. The column ES-1.2 represents the probability of the operator going to the post-LOCA procedure without recovery from the rediagnosis phase dictated in ES-1.2. One of the undesired end states of this particular case study is the steam generator overfill condition (SGOVFL). It is common in PRAs to assume that overfill will lead to an uncontrolled loss of primary coolant through the breach in the steam generator. Therefore, ADS is programmed to recognize this as an undesired state. In general, the steam generator overfill probability in these cases does not change appreciably under various initial vectors. This is because the SGTR is a slow transient, so that the failure(s) of front line systems in the initial state vector set do not have a substantial impact on the successful depressurization and cooldown actions. On the other hand, the failures of these systems could actually increase the short cut probabilities of starting the necessary actions earlier. In general, the application of symptom based procedures not only reduces the amount of diagnosis burden and lowers the impact of the system failures on operator performance, but also provides opportunities for early recovery. However, dependencies between errors can reduce the effectiveness of the procedures. For example, one result of a short cut or skip action in E-0 is the increased probability of failing to start the residual heat removal system (NORHR). The probability of failure to recover an initially failed RHR in the early phase of the SGTR event (E-0-VER-Skip or E-0-VER-SC) is in the range of 1.8E-1 from the ADS analysis. Limited by the scope of procedures and operator actions modelled in the current version of the code, ADS cannot analyze recovery actions beyond the early phase of the accident. ADS ends the simulation with the end state of successful recovery from SGTR with failed RHR systems (NORHR). One insight from this case study is that the current SGTR recovery procedures appear to lack guidance for verifying the availability of the RHR system.

Table 4. Simulation runs for SGTR with EFW operating

Failed system                                        ES-1.2    SGOVFL    NORHR
Residual Heat Removal (RHR)                          8.7E-3    3.1E-4    1.8E-1
Air Operator Valves (ARV)                            9.8E-3    2.8E-4    -
ARV, RHR                                             9.6E-3    1.8E-4    1.9E-1
ARV, Power Operated Relief Valves (PORV)             9.6E-3    2.0E-4    -
PORV                                                 9.8E-3    2.0E-4    -
PORV, RHR                                            9.6E-3    3.1E-4    1.8E-1
High Pressure Safety Injection (HPSI)                9.8E-3    1.0E-4    -
Steam Dump System of Secondary Side (SD)             9.2E-3    1.5E-4    -
SD, RHR                                              9.0E-3    1.4E-4    1.8E-1
SD, PORV                                             9.2E-3    1.5E-4    -
SD, RHR, PORV                                        8.9E-3    1.3E-4    1.8E-1

(NORHR is reported only for the runs in which RHR is in the failed set.)

5.6 Impact of operator response time and instrumentation failures
One aspect of this case study was the investigation of the impact of time to diagnosis. To simplify the analysis, only the diagnosis times of E-0 were changed. Three types of action times were chosen: 60 seconds (Nominal), 180 seconds (Slow), and 300 seconds (VSlow). For the nominal operators (see Table 5), ADS predicts that the chance of steam generator overfill (SGOVFL) is 2.04E-4, which mainly comes from the delayed diagnosis branch in E-0-Delay. Another main contributor to SGOVFL is the set of sequences in which the operators use the wrong procedure (LOCA), with probability 9.22E-3, which in turn leads to steam generator overfill. For a slower crew (Slow), the steam generator overfill probability increases to 2.0E-2. In the case of the very slow operators (VSlow), the overfill probability increases to 6.6E-2.

Table 5. Simulation runs with different response time for SGTR event under no safety system failures

Operator speed   INST-LOCA   INST-SGTR-RAD   ES-1.2    SGOVFL
Nominal          Normal      Normal          9.2E-3    2.0E-4
Slow             Normal      Normal          9.0E-3    2.0E-2
Very Slow        Normal      Normal          8.3E-3    6.6E-2

The results show that the nominal operator spent about 1700 seconds following the procedures to perform the cooldown and depressurization. This is illustrated by the action path which starts at AOP, goes through E-0-VER and transits to E-3 via the E-0->E-3-Dia action in E-0-Dia-1. If the operator performs the short cut action (E-0->E-3-SC) at any time within E-0-VER, it will lead to an early recovery in about 1300 seconds. Any misdiagnosis or delayed diagnosis occurring in the E-0-Dia steps will lead to late recovery or steam generator overfill end states. For slow and very slow operators, since the decision time spent in the E-0-Dia step is longer, the probability of reaching an undesired state (SGOVFL) will be higher. The misdiagnosis end state (ES-1.2) means that operators make a diagnosis error leading to the use of the ES-1.2 procedure (Post LOCA). The human model implemented in this case study does not have the capability to capture potential error-recovery actions if operators spend more time in the diagnosis step without explicit guidance from procedures. Therefore, the impact of a change in operator decision time on the likelihood of this end state is not significant. For the nominal operators, ADS also tests for the impact of instrumentation failures, as shown in Table 6. Since the initiating event considered in this case is the steam generator tube rupture event, only two types of instrument failure can have important consequences for the development of events, namely the failure of steam generator radiation monitors (INST-SGTR-RAD), and a false signal generated from either containment radiation monitors or high containment pressure alarms (INST-LOCA). The steam generator radiation monitor signals are the key symptoms used by EOPs for the diagnosis of a SGTR event.
The failure of steam generator radiation monitors will prolong the time to diagnose the event and to go to the recovery procedure. The ADS simulation results show that the likelihood of steam generator overfill is increased to 1.3E-1. The chance of misdiagnosis (ES-1.2) is also increased to 2.9E-2. Another test is performed to see the effect of a false LOCA signal. This accident condition (SGTR with false LOCA alarms) results in an increase in the probability of committing misdiagnosis errors in the E-0-Dia-1 and E-0-Dia-2 steps, leading to use of the wrong procedure (ES-1.2). The rediagnosis steps in E-1-Redia are supposedly designed to capture this misdiagnosis mode. However, skips, short cuts, and other misdiagnosis actions may breach the redundant defence barrier, leading to end state ES-1.2.

Table 6. Simulation runs with instrumentation failures for SGTR event under no safety system failures

Operator speed   INST-LOCA      INST-SGTR-RAD   ES-1.2    SGOVFL
Nominal          Normal         Failed          2.9E-2    1.3E-1
Nominal          False signal   Normal          5.5E-2    1.8E-2
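The dependence of the overfill and misdiagnosis end states on crew decision time and on the SG radiation monitor, discussed in this section, can be reproduced in miniature with a discrete dynamic event tree of the kind ADS builds. The Python program below is an added illustration and is not the ADS code: every step duration, branch probability and the overfill time limit are constructed values chosen only to show the mechanics, and the two E-0 diagnosis substeps, the E-1 rediagnosis step and the end-state names are a simplified stand-in for the procedure steps named above (the false LOCA signal case is not modelled). Each branch point carries its probability and its time cost forward, and a terminal state is classified by comparing the accumulated accident time with the constructed overfill limit.

```python
"""Toy discrete dynamic event tree (D-DET) for the SGTR diagnosis sequence.

Added illustration, not the ADS code. Every duration, branch probability and
the overfill time limit is a constructed value chosen to show the mechanics:
each branch point carries its probability and its time cost forward, and a
terminal state is classified by comparing the accumulated time with the
(constructed) time at which the ruptured steam generator would overfill.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed timing parameters, in seconds.
E0_VERIFY_TIME = 600      # E-0 verification steps before the diagnosis substeps
E3_RECOVERY_TIME = 700    # isolation, cooldown and depressurization in E-3
ES12_TO_E1_TIME = 500     # time in the post-LOCA procedure before E-1 rediagnosis
DELAY_PENALTY = 300       # extra time taken by a delayed-diagnosis branch
OVERFILL_LIMIT = 1800     # constructed: overfill if recovery completes later than this


@dataclass(frozen=True)
class State:
    step: str     # next procedure step to execute, or "END:..." for a terminal state
    time: float   # accident time reached so far
    prob: float   # probability of the path that led here


# (next step, branch probability, time consumed by this step on that branch)
Branch = Tuple[str, float, float]


def branches(state: State, dia_time: float, rad_monitor_ok: bool) -> List[Branch]:
    """Outcomes of executing state.step under the constructed crew model."""
    if state.step == "E-0-VER":
        # Short cut straight to E-3 on the SG radiation symptom, else stay in E-0.
        p_sc = 0.10 if rad_monitor_ok else 0.0
        return [("E-3", p_sc, 0.0), ("E-0-Dia-1", 1.0 - p_sc, E0_VERIFY_TIME)]
    if state.step in ("E-0-Dia-1", "E-0-Dia-2"):
        # Correct, delayed or wrong diagnosis. A failed SG radiation monitor removes
        # the key symptom, which shifts probability toward the error branches.
        nxt = "E-0-Dia-2" if state.step == "E-0-Dia-1" else "E-3"
        p_delay, p_wrong = (0.05, 0.01) if rad_monitor_ok else (0.30, 0.03)
        return [(nxt, 1.0 - p_delay - p_wrong, dia_time),
                (nxt, p_delay, dia_time + DELAY_PENALTY),
                ("ES-1.2", p_wrong, dia_time)]
    if state.step == "ES-1.2":
        # E-1 rediagnosis: recover to the SGTR procedure, or skip past the check.
        return [("E-3", 0.70, ES12_TO_E1_TIME), ("END:ES-1.2", 0.30, ES12_TO_E1_TIME)]
    if state.step == "E-3":
        return [("END:E-3", 1.0, E3_RECOVERY_TIME)]
    raise ValueError(f"unknown step {state.step!r}")


def end_state(state: State) -> str:
    """Classify a terminal state: misdiagnosis not recovered, overfill, or recovered."""
    if state.step == "END:ES-1.2":
        return "ES-1.2"
    return "SGOVFL" if state.time > OVERFILL_LIMIT else "RECOVERED"


def run_det(dia_time: float, rad_monitor_ok: bool = True,
            cutoff: float = 1e-8) -> Dict[str, float]:
    """Expand the tree depth-first. Paths whose probability falls below the
    cutoff are not followed, but their mass is kept under 'TRUNCATED' so the
    end-state probabilities still sum to one."""
    results: Dict[str, float] = {}
    stack = [State("E-0-VER", 0.0, 1.0)]
    while stack:
        s = stack.pop()
        if s.step.startswith("END:"):
            name = end_state(s)
            results[name] = results.get(name, 0.0) + s.prob
            continue
        for nxt, p, dt in branches(s, dia_time, rad_monitor_ok):
            if p <= 0.0:
                continue   # branch closed off in this configuration
            child = State(nxt, s.time + dt, s.prob * p)
            if child.prob >= cutoff:
                stack.append(child)
            else:
                results["TRUNCATED"] = results.get("TRUNCATED", 0.0) + child.prob
    return results


if __name__ == "__main__":
    for label, t in (("Nominal", 60), ("Slow", 180), ("VSlow", 300)):
        print(label, {k: f"{v:.3E}" for k, v in sorted(run_det(t).items())})
    print("Nominal, SG radiation monitor failed",
          {k: f"{v:.3E}" for k, v in sorted(run_det(60, rad_monitor_ok=False).items())})
```

Running the three crew speeds shows the pattern of Table 5 in caricature: the SGOVFL mass grows as the time spent in the diagnosis substeps pushes more paths past the overfill limit, while the ES-1.2 mass is unchanged, because in this model (as in the case study's human model) the misdiagnosis branch probability does not depend on how long the crew deliberates. Setting `rad_monitor_ok=False` removes the short cut and enlarges the error branches, raising both SGOVFL and ES-1.2 in the manner of the first row of Table 6. The `cutoff` argument plays the role of the probability truncation ADS uses to keep the tree tractable; the truncated mass is reported rather than silently dropped so the analyst can see how much of the distribution was not followed.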
6 CONCLUDING REMARKS
This paper presents the conceptual basis and implementation techniques of a simulation based accident sequence analysis computer code (ADS). Results of the application of ADS to perform a dynamic PRA of the steam generator tube rupture of an actual power plant are also discussed. These exercises show that ADS and similar tools can be used successfully for large scale dynamic PRA applications. Even though the current capabilities of the code are limited to slow transients, particularly the small LOCA and SGTR initiators, extending the application to other initiators is a matter of adding additional emergency operating procedures, support system models, and some modification to the thermal-hydraulic model. Nevertheless, the present version of ADS should be considered as a proof-of-concept rather than ready to run software. Other than performing dynamic PRAs, ADS can be used:
• as a framework to study the impact of timing and sequencing of failure events on accident progression
• to create a fully integrated dynamic PRA
• to create a test environment for study of new generation HRA models
• to create a test environment for the assessment of robustness of EOPs under different accident situations
• to provide a tool for the pre-screening of important scenarios in designing operator training programs.