- Email: [email protected]
The development and demonstration of integrated models for the evaluation of severe accident management strategies—SAMEM
Nuclear Engineering and Design 209 (2001) 223– 231 www.elsevier.com/locate/nucengdes
The development and demonstration of integrated models for the evaluation of severe accident management strategies —SAMEM M.L. Ang a,*, K. Peers a, E. Kersting b, W. Fassmann b, H. Tuomisto c, P. Lundstro¨m c, M. Helle c, V. Gustavsson d, P. Jacobsson e a
NNC Limited, Engineering-Project Management Consultancy, Boothsh Hall, Chelford Road, Knutsford, Cheshire WA16 8QZ, UK b GRS mbH, Ko¨ln, Germany c Fortum Engineering Limited, Vantaa, Finland d Vattenfall Energisystem AB, Stockholm, Sweden e Sycon Energikonsult AB, Malmo, Sweden
Abstract This study is concerned with the further development of integrated models for the assessment of existing and potential severe accident management (SAM) measures. This paper provides a brief summary of these models, based on Probabilistic Safety Assessment (PSA) methods and the Risk Oriented Accident Analysis Methodology (ROAAM) approach, and their application to a number of case studies spanning both preventive and mitigative accident management regimes. In the course of this study it became evident that the starting point to guide the selection of methodology and any further improvement is the intended application. Accordingly, such features as the type and area of application and the confidence requirement are addressed in this project. The application of an integrated ROAAM approach led to the implementation, at the Loviisa NPP, of a hydrogen mitigation strategy, which requires substantial plant modifications. A revised level 2 PSA model was applied to the Sizewell B NPP to assess the feasibility of the in-vessel retention strategy. Similarly the application of PSA based models was extended to the Barseback and Ringhals 2 NPPs to improve the emergency operating procedures, notably actions related to manual operations. A human reliability analysis based on the Human Cognitive Reliability (HCR) and Technique For Human Error Rate (THERP) models was applied to a case study addressing secondary and primary bleed and feed procedures. Some aspects pertinent to the quantification of severe accident phenomena were further examined in this project. A comparison of the applications of PSA based approach and ROAAM to two severe accident issues, viz hydrogen combustion and in-vessel retention, was made. A general conclusion is that there is no requirement for further major development of the PSA and ROAAM methodologies in the modelling of SAM strategies for a variety of applications as far as the technical aspects are concerned. As is demonstrated in this project, the generic modelling framework was refined to enable a number of applications. Some recommendations have also been made regarding the applicability of these approaches to existing operating reactors and future reactors. The need for further research * Corresponding author. E-mail address: [email protected] (M.L. Ang). 0029-5493/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S 0 0 2 9 - 5 4 9 3 ( 0 1 ) 0 0 4 0 5 - 8
224
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
and development in the area of human reliability quantification was identified. © 2001 Elsevier Science B.V. All rights reserved.
1. Introduction
2. Work programme
Severe accident management (SAM) strategies with the potential to terminate or mitigate severe accidents are currently being developed and implemented at nuclear power plants (NPPs) worldwide (OECD/NEA, 1996). A basic understanding of the plant capabilities and limitations during severe accidents is normally achieved through a plant-specific probabilistic safety assessment (PSA). Invariably the PSA is further extended to examine engineering options to further enhance the plant capabilities in the mitigation of severe accidents. Decisions on their implementation are, however, not straightforward as the actions may potentially result in adverse effects and also involve phenomena that are not well understood. Apart from the phenomenological issues, each accident management strategy also requires consideration of other key interrelated issues like operator actions, and equipment/instrumentation availability and performance. A quantification framework to assist decision making should address these issues which entail a high degree of uncertainty in an integrated and systematic fashion. The framework could also be used to demonstrate regulatory compliance. The objectives of this project (contract no. FI4S-CT95-0015, cost shared action, contractual period 1.1.1996– 31.12.1998) are 2-fold. The first objective is to further develop integrated models for the assessment of the effectiveness of existing SAM measures and the feasibility of potential ones. The second objective is, by application in case studies, to contrast the unique features and to understand the limitations of these models such that they may be appropriately applied in relevant situations. Although the emphasis of this project is largely on severe accident mitigation, some aspects on severe accident prevention are also included. The paper provides a summary of the progress made and results obtained in this project.
The study is comprised of the five following tasks: Task A Review of methods and case studies. Task B Formulation of criteria. Task C Development of integrated accident management (AM) models. Task D Demonstration of methodology. Task E Evaluation of results. The assessment of operator response is an essential component of a methodology to provide a realistic evaluation of SAM strategies. A study, specific to severe accident prevention, is described in Section 4.
3. Work performed and results
3.1. Task A: re6iew of methods and case studies A review of current methods and their applications pertinent to SAM was performed initially in this study. The methods reviewed include: risk oriented accident analysis methodology (ROAAM, Theofanous, (1996)), fault tree and event tree methods (including containment event tree and phenomenological fault tree) and influence diagrams. It is clear from the review that there is no unique approach and their applications and scope can differ considerably. The key features were examined and contrasted. The varying emphasis on the different aspects of quantification reflects the intended application, for example, for the purpose of PSA, issue resolution and more recently SAM application. As is illustrated in a number of case studies reviewed in the study, the methods can also be applied in a complementary manner. For example, the use of established PSA methods such as containment event tree (CET) has highlighted the potential impact of a number of key severe accident issues
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
and placed their relevance in the context of an integrated PSA model. The CET approach was illustrated by the development of CETs for a number of level 2 PSAs carried out for the Zion NPP and Sizewell B NPP. This also included the evaluation of the impact of a number of SAM strategies. Some of these issues, in particular the phenomena associated with early containment failure, entail a high degree of uncertainty. This has led to the application of ROAAM to allow the resolution of these issues in a more transparent and acceptable way. Using an example based on the direct containment heating phenomenon, a comparison was provided in the study on the treatment of the key issues based on CET and phenomenological fault tree models, and using the ROAAM approach. The emphasis, as illustrated by the case studies reviewed, has been placed largely on the quantification of phenomenological issues. In some studies, although accident management actions and the related issues (e.g. system availability, system recovery, equipment survivability) have been accommodated within the models, the treatment has either been cursory or taken in the form of simple sensitivity studies. These models (excluding influence diagram) were further developed in this study to provide tools more specific to SAM application. A summary of the results from this task is provided by Ang et al., (1997)a.
3.2. Task B: formulation of criteria Criteria need to be defined for different stages in the practical implementation of SAM. In this task the discussion is centred mainly on the use of criteria in defining the SAM strategy and in justifying the extent of implementation. The starting point is the definition of the national safety goals and additional definitions provided by the utilities in the interpretation of the safety goals. The study considered three key aspects: the safety goals and their interpretation relevant to SAM implementation, the approach to SAM implementation to fulfil the criteria, the role of PSA and supporting analysis and the implication of uncertainties.
225
A study provided by GRS dealt more specifically with the criteria defined to initiate an action and is exemplified by the feed and bleed procedures adopted in the German PWRs. In addition the use of simplified criteria for the assessment of the capability of the instruments is also considered. It is clear from this task, the national safety goals defined by the safety authorities have a major impact on the choice of methodology. This task examined a number of approaches in achieving a meaningful interpretation of regulatory safety principles in the practical implementation of SAM scheme. It is however difficult to generalise the conclusions from this task as they have been derived from a small partnership. This important topic could be addressed as part of a concerted action study involving a wider partnership.
3.3. Task C: de6elopment of integrated AM models 3.3.1. Integrated ROAAM approach The objective of most ROAAM applications to date (Theofanous, 1996) has been to resolve major, isolated severe accident issues related to early containment failure, e.g. the mark-I liner attack and direct containment heating. Resolution in all cases has relied heavily on developing an understanding of the underlying physics of the relevant containment phenomena. This structured approach has been extended to the Loviisa NPP in an integrated context to provide a framework for the evaluation of the adequacy of the overall safety achieved for a plant and to guide further development of SAM strategy. In its implementation, the Integrated ROAAM begins with a complete system analysis along the approach of a level 1 PSA study to define accident classes, success of operator actions and availability of mitigation systems, associated plant damage states and respective frequencies. A screening frequency is used to determine which accident classes can be considered as ‘remote and speculative’, i.e. ignored. For the accident classes whose frequencies exceed the screening frequency, containment failure must be shown to be ‘physically unreasonable’ (or if this is
226
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
not the case, accident management measures or plant (or design) modifications should be considered to achieve this goal). This is done by applying ROAAM in the issue resolution context for all relevant containment-challenging phenomena. To determine the boundary conditions of the severe accident sequences that have to be mitigated (that is, the sequences that are not to be considered as ‘remote and speculative’), the core damage sequences from the level 1 PSA are binned into a smaller number of physically-based accident classes. Seven accident classes with a frequency exceeding the screening frequency (selected to be 1×10 − 6/r − year for Loviisa), and which thus have to be mitigated, were identified. A containment safeguards tree developed for Loviisa, is used to demonstrate that the screening goal has been met for all plant damage states except for those with full mitigation system availability. By this approach three ‘plant damage states’ have been identified which require phenomena mitigation to be demonstrated using ROAAM in an issue resolution context. ROAAM analysis has been applied to the mitigation strategies of in-vessel retention of corium and hydrogen management. In this study, ROAAM has used to show that containment-challenging hydrogen events are ‘physically unreasonable’ for all accident sequences within the ‘accident management window’ when the new hydrogen management strategy is installed in the Loviisa containment. The probabilistic model developed and its quantification are outlined in Section 3.4.
3.3.2. Accident mitigation e6ent tree (AMET) The model development described in Section 3.3.2 and Section 3.3.3 is based on the refinement of existing PSA methodology. A full scope level 3 PSA was carried out for the Sizewell B PWR in support of its pre-operational safety report (POSR). Since the underlying requirement of the PSA was to demonstrate the risk of death to any individual member of the public was less than 10 − 6 per year, the level 2 PSA analysis was initially formulated to provide a robust and conservative analysis of the response of the containment systems to show compliance with this target. In the analysis, little credit was taken for SAM
actions that are prescribed in the Sizewell B severe accident mitigation procedures. Follow on analysis in the form of sensitivity analysis was however performed to demonstrate the effectiveness of some of the SAM measures already implemented. In this study, the POSR level 2 PSA CET model (a 20 node phenomenologically based model) was reviewed and revised to allow a more realistic appraisal of the mitigation effectiveness on existing SAM measures and to provide the basis for the evaluation of additional SAM measures. This led to the development of a 10 node accident mitigation event tree (AMET). A review of the Sizewell B station operating instructions (SOI) objectives and priorities led to three specific SAM issues being included in the AMET and they are: damaged core coolability before RPV failure, water availability in reactor cavity, late containment spray recovery. The quantification is via the application of a combination of decomposition event tree (DET) and phenomenological fault tree (PFT) which consider the following issues: (i) phenomenological aspects (ii) the reliability of operators in carrying out the actions, and (iii) availability of instrumentation and equipment in achieving the actions. This approach of a smaller AMET with more extensive use of DET and PFT provides a more flexible structure for the treatment of the interaction of the aforementioned issues. Potentially, the model can also be adopted in a living PSA. The Sizewell B containment includes a ‘wet’ cavity designed primarily to promote ex-vessel debris cooling. The provisions designed to achieve this will also enable a flooded reactor cavity to be established, if necessary. More recently, the feasibility of ex-vessel cavity flooding to provide invessel core debris cooling as a SAM strategy is clearly recognised (referred to as In-Vessel Retention (IVR) strategy). The feasibility of this strategy was assessed for the Sizewell B PWR in this study.
3.3.3. Coupled e6ent tree/fault tree technique The model developed for this study is based on the existing PSA models for level 1 and level 2
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
developed for Barseba¨ ck (BWR) and Ringhals 2 (PWR). These models have been used mainly in a conservative way (e.g. a high degree of manual operations as instructed in the emergency operating procedures (EOPs) is not included in the PSA model). A generic CET, supplemented by a fault tree at each node, was initially constructed. This generic CET is adapted to provide a plant damage state (PDS) specific CET. For the Ringhals PWR, for example, the following SAM procedures are currently included: cooling of the corium ex-vessel, hydrogen management, use of containment spray, activation of filtered venting system. The revised event tree model refers to both the initiating event tree and the CET. The content of the new event tree model can either be limited to the elements represented in the PSA studies and the EOP’s but can also be developed further to a more detailed structure if needed. The demonstration of this improved model is outlined in Section C.4.
3.4. Task D: demonstration of methodology The case studies fall in two groups according to the application area and are summarised in Table 1. The applications thus cover a wide range from improving accident management procedures to actual plant modifications. A summary of the results achieved in this task is as follows:
3.4.1. Integrated ROAAM: hydrogen management at Lo6iisa NPP The conclusion of the study is that mitigation of containment loads due to hydrogen combustion can be made reliably with a new hydrogen management strategy. The suggested hydrogen management strategy consists of three different components, which entail significant plant modifications: A capability to open up ice condenser doors to promote efficient mixing in the containment. Installation of passive catalytic recombiners in the containment. Installation of deliberate ignition capability in the containment lower compartment The probabilistic quantification of the ROAAM-framework, shown in Fig. 1, has demonstrated that a containment failure due to hydrogen deflagration is ‘physically unreasonable’ if the hydrogen management strategy is implemented at the plant. Sensitivity analyses indicated that the only significant scenario dependence stems from the hydrogen source. The sensitivity studies showed that an oversized recombiner system could mitigate a prolonged, slow source, but not a hydrogen release spike. Deliberate ignition capability in the vicinity of the hydrogen source in the containment, on the other hand, would serve to mitigate both prolonged sources and release spikes. Therefore, it is recommended that a base case passive catalytic recombiner system, supplemented with some surplus capacity in the lower compartment to compensate for lost capacity due
Table 1 Case study groups Area
Partner
Reference plants
Method
Applications
Preventive accident management
GRS
GKN-2(Konvoi-type PWR)
HRA/HCR
Bleed and feed (primary and secondary)
Vattenfall and Sycon
Barseba¨ ck (BWR), Ringhals 2 (PWR)
PSA1-2/ET
Improvement in procedures (condensation pool cooling, secondary bleed and feed)
NNC
Sizewell B (PWR)
PSA2/AMET
Fortum
Loviisa (VVER)
ROAAM
Feasibility of SAM options to improve mitigation capability (in-vessel retention strategy) Plant modifications (hydrogen management)
Mitigative accident management
227
228
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
Fig. 1. Probabilistic framework for containment failure in H2 combustion.
to e.g. missiles or jet forces, be installed with a passive deliberate ignition system in the lower compartment, if source uncertainties are considered important. This framework was quantified with the help of experiments performed at the VICTORIA facility and detailed analyses.
3.4.2. AMET: feasibility of IVR strategy at Sizewell B NPP Node 3 of the AMET considers the issue ‘damaged core coolability before reactor pressure vessel failure’. Achievement of debris coolability at this node would preclude RPV failure. This node examines the potential of establishing debris coolability via different cooling mechanisms including ex-ves-
sel cooling for a variety of accident sequences. In this study an IVR logic model based on fault tree concept was developed. It considers a number of issues including system related issues, water accessibility to RPV surface, structural integrity and phenomenological aspects. Further development and modification of supplementary tools to assist the quantification of node 3 also formed part of this study. This included further improvement of some MAAP4 models and the development of a parametric model HOTPOOL for the purpose of sensitivity calculations. The human error assessment was based on a combination of the Human Error Assessment and Reduction Technique (HEART) method and the Technique for Human Error Rate Prediction (THERP) method.
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
More specifically, this study provides an interim statement on the assessment of the feasibility of the IVR strategy for Sizewell B PWR. The balance of evidence, based mainly on preliminary analysis suggests positively the feasibility of the IVR strategy for a large and higher power density reactor as represented by Sizewell B. There are however key uncertainties and limitations to these preliminary calculations and they could be addressed by a structured programme of sensitivity calculations. In addition detailed evaluations specific to Sizewell B need to be performed to examine the water accessibility and structural integrity issues.
3.4.3. PSA le6el 1 and le6el 2 modified e6ent trees: condensation pool cooling at Barseba¨ck NPP and secondary bleed and feed at Ringhals 2 NPP For the Barseba¨ ck NPP, a case study based on a medium size LOCA sequence was selected as it provided a major contribution to the core damage frequency. In this sequence it was assumed that the containment spray worked, but the cooling of the condensation pool failed and it could not be restored. In the new event tree, it was assumed that systems could be started manually to recover the cooling of the condensation pool. The quantification was supported by analysis using the MAAP code. The revised model resulted in a significant reduction in core damage frequency. The conclusion from this study is that the Emergency Operator Procedures should be extended to cover repair of vital support systems. This case study provides an illustration of the application of PSA based models to guide future refinement of operator procedures. This type of application was further extended to another case study based on a station blackout sequence for Ringhals 2 NPP. This considered the possibility of restoring the heat sink by use of secondary feed and bleed using the fire water system.The main focus in the application of the revised event and fault trees models has been on preventive measures. The actions aiming to prevent core damage include repair of systems, manual restart of safety systems and non-safety systems. In this study, no detailed human reli-
229
ability analysis was performed on the manual actions and this needs further investigation in the future.
3.5. Task E: e6aluation of results and recommendations In the course of this study it became evident that the starting point to guide the selection of methodology is the intended application. Accordingly, such features as the type, area and confidence requirements of the applications were addressed in this project. The selected case studies are based entirely on existing reactors. On the applications based on the refinement of existing PSA models, the results can be interpreted in the context of a PSA. This allows the demonstration of the risk reduction potential of a SAM option, and comparison, within a consistent framework, with other options. More importantly this framework could also allow the cost–benefit principle to be applied. This approach further allows a number of key system related issues to be addressed in a consistent manner. They include, for example, safety system initiation (or recovery) and operator response. It also allows the consistent evaluation of a number of scenarios (represented by the event pathways in the event tree) evolved from a number of accident initiators. The perceived limitations of level 2 PSA modelling are well discussed by Theofanous, 1996. ROAAM has been especially devised to overcome some of these limitations. The plant-specific Integrated ROAAM approach should be considered in situations where the national safety requirements aim at deterministic goals, e.g. at maintaining containment integrity in severe accidents. Also when major modifications of an operating plant are considered, ROAAM could be the method of choice. In this study, a detailed comparison of the application of PSA based approach and ROAAM to two severe accident issues, viz IVR and hydrogen combustion, was further examined. It considered the approach and scope in the generation of experimental and analytical information necessary to support the quantification of a number of issues pertinent to the phenomena.
230
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
PSA currently plays a major role in the licensing process for both existing reactors and future reactor designs. The interaction of level 2 PSA and ROAAM for existing reactors is best exemplified in the NUREG-1150 study and post NUREG-1150 issue resolution studies. Issues that were perceived to entail a high degree of uncertainty were further examined in issue resolution studies using the ROAAM approach. For new reactor design in which severe accidents form part of the design provisions, the complementary role of level 2 PSA and ROAAM is best illustrated in the AP600 application. In the PSA for the AP600 design, credit was claimed for ex-vessel cooling to prevent vessel failure during postulated severe accidents with successful RCS depressurisation and reactor cavity flooding. A corresponding USA DOE funded study based on the ROAAM concept was instigated to support this claim. This complementary framework can be maintained for future reactor design application, in particular on novel design features that could provide significant severe accident mitigation potential (e.g. core catcher). The application of Integrated ROAAM in the design phase would provide an opportunity for achieving a consistent and comprehensive approach and can thus be strongly recommended. The results of the study can be directly incorporated into the plant design, and thus circumvent the need for a separate SAM strategy, as is the case for existing reactors.
4. Human reliability assessment method for preventive accident management An essential component of a methodology to provide a realistic evaluation of severe accident management strategies is the evaluation of operator response. It was concluded in Task A that no specific model for the quantification of human reliability for severe accident management has yet been developed. For this project, the quantification is based on the human cognitive reliability (HCR) model and the THERP(Technique for Human Error Rate Prediction) model. A brief summary of the method developed by
GRS is described by Ang et al., 1997b. Appropriate methods for providing necessary information about personnel’s actions and performance shaping factors to be considered in human reliability quantification were also provided. They comprise the following steps: definition of an accident scenario, identification and description of tasks to be performed, walkthrough and/or observations on site and/ or at a simulator to get information about personnel’s behaviour, inspection of work places, work aids and work environments, analysis and modelling of actions and performance shaping factors to be quantified. The human reliability quantification method developed in this project was applied in a case study, which was carried out in close co-operation with GKN-2 NPP (Konvoi-type PWR). The scenario required the use of a secondary and, if this measure fails, a primary bleed and feed procedure. The secondary bleed and feed procedure is composed of several submeasures whose failure can lead to a more or less rapid transition to primary bleed and feed. An event tree was developed which represents these different paths. Human reliability was quantified by applying the HCR-model, the probability not to manage the scenario selected for the case study with these two redundant measures was found to be 6.3E-03. The case study provided a demonstration of the usefulness and efficiency of combining the HCR model and the human event tree method. Further research and development in the following areas were identified: The human reliability quantification method has so far been applied only to preventive accident management. It has to be extended to mitigative measures The method has to be further developed to cover cognitive errors and repair actions A practical method for including accident management measures in probabilistic safety analyses should be developed to reduce potentially a large number of assessments.
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
5. Conclusions Further improvements to existing models have been achieved in this project for SAM applications. During the course of this study it became evident that the starting point to guide the selection of methodology and any further improvement is the intended applications. The revised models have been applied to a number of case studies covering the whole accident management spectrum, from prevention to mitigation. The applications have ranged from the refinement of operator procedures to justification for the implementation of SAM strategies, some of which could involve substantial plant modifications. A general conclusion is that there is no requirement for further major development of the PSA and ROAAM methodologies in the modelling of SAM strategies for different applications. As is demonstrated in this project, the generic modelling framework was refined to look at a number of applications. Some recommendations have also been made regarding the applicability of the modelling approaches to existing operating reactors and future reactors. The need for further research and development in the area of human reliability quantification was also identified. This project has demonstrated that ROAAM
231
could be the method of choice when dealing with SAM issues in the mitigation regime, especially when a high level of residual uncertainty cannot be tolerated. PSA methods are usually selected when the demonstration of compliance of the safety goals require risk estimates for environmental consequences of an accident or frequencies of core damage to be provided. PSA is also the obvious choice in the preventive regime, where the recovery of key safety systems, invariably involving operator actions, is often the key issue.
References Ang, M.L., Gustavsson V., Jacobsson P., Kersting E., Martin Bermejo J., Tuomisto H., 1997. Structured approach for the assessment of severe accident management strategies: some methods and case studies. Proc. Int. Conf. on the Commercial and Operational Benefits of PSAs, Edinburgh, Scotland, 7 – 9 October 1997. Ang, M.L., Gustavsson, V., Kersting, E., Jacobsson, P., Tuomisto, H., 1997. Development of methodology for the evaluation of severe accident management strategies. FISA-97 Symp., Luxembourg, 17 – 19 November 1997. OECD/NEA, 1996. Implementing Severe Accident Management in Nuclear Power Plants. OECD/NEA Report. Theofanous, T.G., 1996. On the proper formulation of safety goals and assessment of safety margins for rare and highconsequence hazards. Reliab. Eng. Syst. Safety 54, 243 – 257.
The development and demonstration of integrated models for the evaluation of severe accident management strategies —SAMEM M.L. Ang a,*, K. Peers a, E. Kersting b, W. Fassmann b, H. Tuomisto c, P. Lundstro¨m c, M. Helle c, V. Gustavsson d, P. Jacobsson e a
NNC Limited, Engineering-Project Management Consultancy, Boothsh Hall, Chelford Road, Knutsford, Cheshire WA16 8QZ, UK b GRS mbH, Ko¨ln, Germany c Fortum Engineering Limited, Vantaa, Finland d Vattenfall Energisystem AB, Stockholm, Sweden e Sycon Energikonsult AB, Malmo, Sweden
Abstract This study is concerned with the further development of integrated models for the assessment of existing and potential severe accident management (SAM) measures. This paper provides a brief summary of these models, based on Probabilistic Safety Assessment (PSA) methods and the Risk Oriented Accident Analysis Methodology (ROAAM) approach, and their application to a number of case studies spanning both preventive and mitigative accident management regimes. In the course of this study it became evident that the starting point to guide the selection of methodology and any further improvement is the intended application. Accordingly, such features as the type and area of application and the confidence requirement are addressed in this project. The application of an integrated ROAAM approach led to the implementation, at the Loviisa NPP, of a hydrogen mitigation strategy, which requires substantial plant modifications. A revised level 2 PSA model was applied to the Sizewell B NPP to assess the feasibility of the in-vessel retention strategy. Similarly the application of PSA based models was extended to the Barseback and Ringhals 2 NPPs to improve the emergency operating procedures, notably actions related to manual operations. A human reliability analysis based on the Human Cognitive Reliability (HCR) and Technique For Human Error Rate (THERP) models was applied to a case study addressing secondary and primary bleed and feed procedures. Some aspects pertinent to the quantification of severe accident phenomena were further examined in this project. A comparison of the applications of PSA based approach and ROAAM to two severe accident issues, viz hydrogen combustion and in-vessel retention, was made. A general conclusion is that there is no requirement for further major development of the PSA and ROAAM methodologies in the modelling of SAM strategies for a variety of applications as far as the technical aspects are concerned. As is demonstrated in this project, the generic modelling framework was refined to enable a number of applications. Some recommendations have also been made regarding the applicability of these approaches to existing operating reactors and future reactors. The need for further research * Corresponding author. E-mail address: [email protected] (M.L. Ang). 0029-5493/01/$ - see front matter © 2001 Elsevier Science B.V. All rights reserved. PII: S 0 0 2 9 - 5 4 9 3 ( 0 1 ) 0 0 4 0 5 - 8
224
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
and development in the area of human reliability quantification was identified. © 2001 Elsevier Science B.V. All rights reserved.
1. Introduction
2. Work programme
Severe accident management (SAM) strategies with the potential to terminate or mitigate severe accidents are currently being developed and implemented at nuclear power plants (NPPs) worldwide (OECD/NEA, 1996). A basic understanding of the plant capabilities and limitations during severe accidents is normally achieved through a plant-specific probabilistic safety assessment (PSA). Invariably the PSA is further extended to examine engineering options to further enhance the plant capabilities in the mitigation of severe accidents. Decisions on their implementation are, however, not straightforward as the actions may potentially result in adverse effects and also involve phenomena that are not well understood. Apart from the phenomenological issues, each accident management strategy also requires consideration of other key interrelated issues like operator actions, and equipment/instrumentation availability and performance. A quantification framework to assist decision making should address these issues which entail a high degree of uncertainty in an integrated and systematic fashion. The framework could also be used to demonstrate regulatory compliance. The objectives of this project (contract no. FI4S-CT95-0015, cost shared action, contractual period 1.1.1996– 31.12.1998) are 2-fold. The first objective is to further develop integrated models for the assessment of the effectiveness of existing SAM measures and the feasibility of potential ones. The second objective is, by application in case studies, to contrast the unique features and to understand the limitations of these models such that they may be appropriately applied in relevant situations. Although the emphasis of this project is largely on severe accident mitigation, some aspects on severe accident prevention are also included. The paper provides a summary of the progress made and results obtained in this project.
The study is comprised of the five following tasks: Task A Review of methods and case studies. Task B Formulation of criteria. Task C Development of integrated accident management (AM) models. Task D Demonstration of methodology. Task E Evaluation of results. The assessment of operator response is an essential component of a methodology to provide a realistic evaluation of SAM strategies. A study, specific to severe accident prevention, is described in Section 4.
3. Work performed and results
3.1. Task A: re6iew of methods and case studies A review of current methods and their applications pertinent to SAM was performed initially in this study. The methods reviewed include: risk oriented accident analysis methodology (ROAAM, Theofanous, (1996)), fault tree and event tree methods (including containment event tree and phenomenological fault tree) and influence diagrams. It is clear from the review that there is no unique approach and their applications and scope can differ considerably. The key features were examined and contrasted. The varying emphasis on the different aspects of quantification reflects the intended application, for example, for the purpose of PSA, issue resolution and more recently SAM application. As is illustrated in a number of case studies reviewed in the study, the methods can also be applied in a complementary manner. For example, the use of established PSA methods such as containment event tree (CET) has highlighted the potential impact of a number of key severe accident issues
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
and placed their relevance in the context of an integrated PSA model. The CET approach was illustrated by the development of CETs for a number of level 2 PSAs carried out for the Zion NPP and Sizewell B NPP. This also included the evaluation of the impact of a number of SAM strategies. Some of these issues, in particular the phenomena associated with early containment failure, entail a high degree of uncertainty. This has led to the application of ROAAM to allow the resolution of these issues in a more transparent and acceptable way. Using an example based on the direct containment heating phenomenon, a comparison was provided in the study on the treatment of the key issues based on CET and phenomenological fault tree models, and using the ROAAM approach. The emphasis, as illustrated by the case studies reviewed, has been placed largely on the quantification of phenomenological issues. In some studies, although accident management actions and the related issues (e.g. system availability, system recovery, equipment survivability) have been accommodated within the models, the treatment has either been cursory or taken in the form of simple sensitivity studies. These models (excluding influence diagram) were further developed in this study to provide tools more specific to SAM application. A summary of the results from this task is provided by Ang et al., (1997)a.
3.2. Task B: formulation of criteria Criteria need to be defined for different stages in the practical implementation of SAM. In this task the discussion is centred mainly on the use of criteria in defining the SAM strategy and in justifying the extent of implementation. The starting point is the definition of the national safety goals and additional definitions provided by the utilities in the interpretation of the safety goals. The study considered three key aspects: the safety goals and their interpretation relevant to SAM implementation, the approach to SAM implementation to fulfil the criteria, the role of PSA and supporting analysis and the implication of uncertainties.
225
A study provided by GRS dealt more specifically with the criteria defined to initiate an action and is exemplified by the feed and bleed procedures adopted in the German PWRs. In addition the use of simplified criteria for the assessment of the capability of the instruments is also considered. It is clear from this task, the national safety goals defined by the safety authorities have a major impact on the choice of methodology. This task examined a number of approaches in achieving a meaningful interpretation of regulatory safety principles in the practical implementation of SAM scheme. It is however difficult to generalise the conclusions from this task as they have been derived from a small partnership. This important topic could be addressed as part of a concerted action study involving a wider partnership.
3.3. Task C: de6elopment of integrated AM models 3.3.1. Integrated ROAAM approach The objective of most ROAAM applications to date (Theofanous, 1996) has been to resolve major, isolated severe accident issues related to early containment failure, e.g. the mark-I liner attack and direct containment heating. Resolution in all cases has relied heavily on developing an understanding of the underlying physics of the relevant containment phenomena. This structured approach has been extended to the Loviisa NPP in an integrated context to provide a framework for the evaluation of the adequacy of the overall safety achieved for a plant and to guide further development of SAM strategy. In its implementation, the Integrated ROAAM begins with a complete system analysis along the approach of a level 1 PSA study to define accident classes, success of operator actions and availability of mitigation systems, associated plant damage states and respective frequencies. A screening frequency is used to determine which accident classes can be considered as ‘remote and speculative’, i.e. ignored. For the accident classes whose frequencies exceed the screening frequency, containment failure must be shown to be ‘physically unreasonable’ (or if this is
226
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
not the case, accident management measures or plant (or design) modifications should be considered to achieve this goal). This is done by applying ROAAM in the issue resolution context for all relevant containment-challenging phenomena. To determine the boundary conditions of the severe accident sequences that have to be mitigated (that is, the sequences that are not to be considered as ‘remote and speculative’), the core damage sequences from the level 1 PSA are binned into a smaller number of physically-based accident classes. Seven accident classes with a frequency exceeding the screening frequency (selected to be 1×10 − 6/r − year for Loviisa), and which thus have to be mitigated, were identified. A containment safeguards tree developed for Loviisa, is used to demonstrate that the screening goal has been met for all plant damage states except for those with full mitigation system availability. By this approach three ‘plant damage states’ have been identified which require phenomena mitigation to be demonstrated using ROAAM in an issue resolution context. ROAAM analysis has been applied to the mitigation strategies of in-vessel retention of corium and hydrogen management. In this study, ROAAM has used to show that containment-challenging hydrogen events are ‘physically unreasonable’ for all accident sequences within the ‘accident management window’ when the new hydrogen management strategy is installed in the Loviisa containment. The probabilistic model developed and its quantification are outlined in Section 3.4.
3.3.2. Accident mitigation e6ent tree (AMET) The model development described in Section 3.3.2 and Section 3.3.3 is based on the refinement of existing PSA methodology. A full scope level 3 PSA was carried out for the Sizewell B PWR in support of its pre-operational safety report (POSR). Since the underlying requirement of the PSA was to demonstrate the risk of death to any individual member of the public was less than 10 − 6 per year, the level 2 PSA analysis was initially formulated to provide a robust and conservative analysis of the response of the containment systems to show compliance with this target. In the analysis, little credit was taken for SAM
actions that are prescribed in the Sizewell B severe accident mitigation procedures. Follow on analysis in the form of sensitivity analysis was however performed to demonstrate the effectiveness of some of the SAM measures already implemented. In this study, the POSR level 2 PSA CET model (a 20 node phenomenologically based model) was reviewed and revised to allow a more realistic appraisal of the mitigation effectiveness on existing SAM measures and to provide the basis for the evaluation of additional SAM measures. This led to the development of a 10 node accident mitigation event tree (AMET). A review of the Sizewell B station operating instructions (SOI) objectives and priorities led to three specific SAM issues being included in the AMET and they are: damaged core coolability before RPV failure, water availability in reactor cavity, late containment spray recovery. The quantification is via the application of a combination of decomposition event tree (DET) and phenomenological fault tree (PFT) which consider the following issues: (i) phenomenological aspects (ii) the reliability of operators in carrying out the actions, and (iii) availability of instrumentation and equipment in achieving the actions. This approach of a smaller AMET with more extensive use of DET and PFT provides a more flexible structure for the treatment of the interaction of the aforementioned issues. Potentially, the model can also be adopted in a living PSA. The Sizewell B containment includes a ‘wet’ cavity designed primarily to promote ex-vessel debris cooling. The provisions designed to achieve this will also enable a flooded reactor cavity to be established, if necessary. More recently, the feasibility of ex-vessel cavity flooding to provide invessel core debris cooling as a SAM strategy is clearly recognised (referred to as In-Vessel Retention (IVR) strategy). The feasibility of this strategy was assessed for the Sizewell B PWR in this study.
3.3.3. Coupled e6ent tree/fault tree technique The model developed for this study is based on the existing PSA models for level 1 and level 2
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
developed for Barseba¨ ck (BWR) and Ringhals 2 (PWR). These models have been used mainly in a conservative way (e.g. a high degree of manual operations as instructed in the emergency operating procedures (EOPs) is not included in the PSA model). A generic CET, supplemented by a fault tree at each node, was initially constructed. This generic CET is adapted to provide a plant damage state (PDS) specific CET. For the Ringhals PWR, for example, the following SAM procedures are currently included: cooling of the corium ex-vessel, hydrogen management, use of containment spray, activation of filtered venting system. The revised event tree model refers to both the initiating event tree and the CET. The content of the new event tree model can either be limited to the elements represented in the PSA studies and the EOP’s but can also be developed further to a more detailed structure if needed. The demonstration of this improved model is outlined in Section C.4.
3.4. Task D: demonstration of methodology The case studies fall in two groups according to the application area and are summarised in Table 1. The applications thus cover a wide range from improving accident management procedures to actual plant modifications. A summary of the results achieved in this task is as follows:
3.4.1. Integrated ROAAM: hydrogen management at Lo6iisa NPP The conclusion of the study is that mitigation of containment loads due to hydrogen combustion can be made reliably with a new hydrogen management strategy. The suggested hydrogen management strategy consists of three different components, which entail significant plant modifications: A capability to open up ice condenser doors to promote efficient mixing in the containment. Installation of passive catalytic recombiners in the containment. Installation of deliberate ignition capability in the containment lower compartment The probabilistic quantification of the ROAAM-framework, shown in Fig. 1, has demonstrated that a containment failure due to hydrogen deflagration is ‘physically unreasonable’ if the hydrogen management strategy is implemented at the plant. Sensitivity analyses indicated that the only significant scenario dependence stems from the hydrogen source. The sensitivity studies showed that an oversized recombiner system could mitigate a prolonged, slow source, but not a hydrogen release spike. Deliberate ignition capability in the vicinity of the hydrogen source in the containment, on the other hand, would serve to mitigate both prolonged sources and release spikes. Therefore, it is recommended that a base case passive catalytic recombiner system, supplemented with some surplus capacity in the lower compartment to compensate for lost capacity due
Table 1 Case study groups Area
Partner
Reference plants
Method
Applications
Preventive accident management
GRS
GKN-2(Konvoi-type PWR)
HRA/HCR
Bleed and feed (primary and secondary)
Vattenfall and Sycon
Barseba¨ ck (BWR), Ringhals 2 (PWR)
PSA1-2/ET
Improvement in procedures (condensation pool cooling, secondary bleed and feed)
NNC
Sizewell B (PWR)
PSA2/AMET
Fortum
Loviisa (VVER)
ROAAM
Feasibility of SAM options to improve mitigation capability (in-vessel retention strategy) Plant modifications (hydrogen management)
Mitigative accident management
227
228
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
Fig. 1. Probabilistic framework for containment failure in H2 combustion.
to e.g. missiles or jet forces, be installed with a passive deliberate ignition system in the lower compartment, if source uncertainties are considered important. This framework was quantified with the help of experiments performed at the VICTORIA facility and detailed analyses.
3.4.2. AMET: feasibility of IVR strategy at Sizewell B NPP Node 3 of the AMET considers the issue ‘damaged core coolability before reactor pressure vessel failure’. Achievement of debris coolability at this node would preclude RPV failure. This node examines the potential of establishing debris coolability via different cooling mechanisms including ex-ves-
sel cooling for a variety of accident sequences. In this study an IVR logic model based on fault tree concept was developed. It considers a number of issues including system related issues, water accessibility to RPV surface, structural integrity and phenomenological aspects. Further development and modification of supplementary tools to assist the quantification of node 3 also formed part of this study. This included further improvement of some MAAP4 models and the development of a parametric model HOTPOOL for the purpose of sensitivity calculations. The human error assessment was based on a combination of the Human Error Assessment and Reduction Technique (HEART) method and the Technique for Human Error Rate Prediction (THERP) method.
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
More specifically, this study provides an interim statement on the assessment of the feasibility of the IVR strategy for Sizewell B PWR. The balance of evidence, based mainly on preliminary analysis suggests positively the feasibility of the IVR strategy for a large and higher power density reactor as represented by Sizewell B. There are however key uncertainties and limitations to these preliminary calculations and they could be addressed by a structured programme of sensitivity calculations. In addition detailed evaluations specific to Sizewell B need to be performed to examine the water accessibility and structural integrity issues.
3.4.3. PSA le6el 1 and le6el 2 modified e6ent trees: condensation pool cooling at Barseba¨ck NPP and secondary bleed and feed at Ringhals 2 NPP For the Barseba¨ ck NPP, a case study based on a medium size LOCA sequence was selected as it provided a major contribution to the core damage frequency. In this sequence it was assumed that the containment spray worked, but the cooling of the condensation pool failed and it could not be restored. In the new event tree, it was assumed that systems could be started manually to recover the cooling of the condensation pool. The quantification was supported by analysis using the MAAP code. The revised model resulted in a significant reduction in core damage frequency. The conclusion from this study is that the Emergency Operator Procedures should be extended to cover repair of vital support systems. This case study provides an illustration of the application of PSA based models to guide future refinement of operator procedures. This type of application was further extended to another case study based on a station blackout sequence for Ringhals 2 NPP. This considered the possibility of restoring the heat sink by use of secondary feed and bleed using the fire water system.The main focus in the application of the revised event and fault trees models has been on preventive measures. The actions aiming to prevent core damage include repair of systems, manual restart of safety systems and non-safety systems. In this study, no detailed human reli-
229
ability analysis was performed on the manual actions and this needs further investigation in the future.
3.5. Task E: e6aluation of results and recommendations In the course of this study it became evident that the starting point to guide the selection of methodology is the intended application. Accordingly, such features as the type, area and confidence requirements of the applications were addressed in this project. The selected case studies are based entirely on existing reactors. On the applications based on the refinement of existing PSA models, the results can be interpreted in the context of a PSA. This allows the demonstration of the risk reduction potential of a SAM option, and comparison, within a consistent framework, with other options. More importantly this framework could also allow the cost–benefit principle to be applied. This approach further allows a number of key system related issues to be addressed in a consistent manner. They include, for example, safety system initiation (or recovery) and operator response. It also allows the consistent evaluation of a number of scenarios (represented by the event pathways in the event tree) evolved from a number of accident initiators. The perceived limitations of level 2 PSA modelling are well discussed by Theofanous, 1996. ROAAM has been especially devised to overcome some of these limitations. The plant-specific Integrated ROAAM approach should be considered in situations where the national safety requirements aim at deterministic goals, e.g. at maintaining containment integrity in severe accidents. Also when major modifications of an operating plant are considered, ROAAM could be the method of choice. In this study, a detailed comparison of the application of PSA based approach and ROAAM to two severe accident issues, viz IVR and hydrogen combustion, was further examined. It considered the approach and scope in the generation of experimental and analytical information necessary to support the quantification of a number of issues pertinent to the phenomena.
230
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
PSA currently plays a major role in the licensing process for both existing reactors and future reactor designs. The interaction of level 2 PSA and ROAAM for existing reactors is best exemplified in the NUREG-1150 study and post NUREG-1150 issue resolution studies. Issues that were perceived to entail a high degree of uncertainty were further examined in issue resolution studies using the ROAAM approach. For new reactor design in which severe accidents form part of the design provisions, the complementary role of level 2 PSA and ROAAM is best illustrated in the AP600 application. In the PSA for the AP600 design, credit was claimed for ex-vessel cooling to prevent vessel failure during postulated severe accidents with successful RCS depressurisation and reactor cavity flooding. A corresponding USA DOE funded study based on the ROAAM concept was instigated to support this claim. This complementary framework can be maintained for future reactor design application, in particular on novel design features that could provide significant severe accident mitigation potential (e.g. core catcher). The application of Integrated ROAAM in the design phase would provide an opportunity for achieving a consistent and comprehensive approach and can thus be strongly recommended. The results of the study can be directly incorporated into the plant design, and thus circumvent the need for a separate SAM strategy, as is the case for existing reactors.
4. Human reliability assessment method for preventive accident management An essential component of a methodology to provide a realistic evaluation of severe accident management strategies is the evaluation of operator response. It was concluded in Task A that no specific model for the quantification of human reliability for severe accident management has yet been developed. For this project, the quantification is based on the human cognitive reliability (HCR) model and the THERP(Technique for Human Error Rate Prediction) model. A brief summary of the method developed by
GRS is described by Ang et al., 1997b. Appropriate methods for providing necessary information about personnel’s actions and performance shaping factors to be considered in human reliability quantification were also provided. They comprise the following steps: definition of an accident scenario, identification and description of tasks to be performed, walkthrough and/or observations on site and/ or at a simulator to get information about personnel’s behaviour, inspection of work places, work aids and work environments, analysis and modelling of actions and performance shaping factors to be quantified. The human reliability quantification method developed in this project was applied in a case study, which was carried out in close co-operation with GKN-2 NPP (Konvoi-type PWR). The scenario required the use of a secondary and, if this measure fails, a primary bleed and feed procedure. The secondary bleed and feed procedure is composed of several submeasures whose failure can lead to a more or less rapid transition to primary bleed and feed. An event tree was developed which represents these different paths. Human reliability was quantified by applying the HCR-model, the probability not to manage the scenario selected for the case study with these two redundant measures was found to be 6.3E-03. The case study provided a demonstration of the usefulness and efficiency of combining the HCR model and the human event tree method. Further research and development in the following areas were identified: The human reliability quantification method has so far been applied only to preventive accident management. It has to be extended to mitigative measures The method has to be further developed to cover cognitive errors and repair actions A practical method for including accident management measures in probabilistic safety analyses should be developed to reduce potentially a large number of assessments.
M.L. Ang et al. / Nuclear Engineering and Design 209 (2001) 223–231
5. Conclusions Further improvements to existing models have been achieved in this project for SAM applications. During the course of this study it became evident that the starting point to guide the selection of methodology and any further improvement is the intended applications. The revised models have been applied to a number of case studies covering the whole accident management spectrum, from prevention to mitigation. The applications have ranged from the refinement of operator procedures to justification for the implementation of SAM strategies, some of which could involve substantial plant modifications. A general conclusion is that there is no requirement for further major development of the PSA and ROAAM methodologies in the modelling of SAM strategies for different applications. As is demonstrated in this project, the generic modelling framework was refined to look at a number of applications. Some recommendations have also been made regarding the applicability of the modelling approaches to existing operating reactors and future reactors. The need for further research and development in the area of human reliability quantification was also identified. This project has demonstrated that ROAAM
231
could be the method of choice when dealing with SAM issues in the mitigation regime, especially when a high level of residual uncertainty cannot be tolerated. PSA methods are usually selected when the demonstration of compliance of the safety goals require risk estimates for environmental consequences of an accident or frequencies of core damage to be provided. PSA is also the obvious choice in the preventive regime, where the recovery of key safety systems, invariably involving operator actions, is often the key issue.
References Ang, M.L., Gustavsson V., Jacobsson P., Kersting E., Martin Bermejo J., Tuomisto H., 1997. Structured approach for the assessment of severe accident management strategies: some methods and case studies. Proc. Int. Conf. on the Commercial and Operational Benefits of PSAs, Edinburgh, Scotland, 7 – 9 October 1997. Ang, M.L., Gustavsson, V., Kersting, E., Jacobsson, P., Tuomisto, H., 1997. Development of methodology for the evaluation of severe accident management strategies. FISA-97 Symp., Luxembourg, 17 – 19 November 1997. OECD/NEA, 1996. Implementing Severe Accident Management in Nuclear Power Plants. OECD/NEA Report. Theofanous, T.G., 1996. On the proper formulation of safety goals and assessment of safety margins for rare and highconsequence hazards. Reliab. Eng. Syst. Safety 54, 243 – 257.