Level 1 PSA training English version
Program • Introduction • Generalities • Initiating events • Event Trees • Fault Trees / Systems analysis • Parameter estimation • Common Cause Failures • Human Reliability Analysis (HRA) • Accident sequences quantification • Results / Importance analysis • PSA role • Conclusion • PSA project example (Risk Spectrum presentation)
Level 1 PSA – History • First study published in USA in 1975: WASH 1400 (RASMUSSEN Report) • Many implications for nuclear safety (after TMI): PSAs developed in all countries having a nuclear power program • In France: • The design basis is deterministic • PSA represents an analysis and safety improvement tool • First PSAs published in 1990 (EDF 1300 MWe, IRSN 900 MWe)
Nuclear Reactors safety principles • In France, as in other countries having a nuclear power program, the nuclear safety is based on deterministic principles (barriers, defense in depth, etc.) • The safety demonstration is then based on a deterministic approach • The probabilistic approach, due to its particular investigation methods, progressively complements the deterministic approach
Deterministic approach • Takes into account, a priori, all the incidents and accidents which can occur in a nuclear installation and provides appropriate prevention and mitigation means • Conventional list of a limited number of plant condition categories (PCC), beginning with normal operating conditions up to hypothetical accidents • Examples: • Loss of Offsite Power (PCC 2) • Large LOCA (PCC 4) • The consequences of each condition are studied with conventional rules, including the provision for sufficient margins (example: additional failure criteria) • The studies have to demonstrate that the consequences are acceptable, i.e. specific category criteria are fulfilled (the criteria are more stringent for more probable conditions)
Deterministic approach – Farmer Diagram [figure: frequency (/y) on the horizontal axis, from 1 down through 10-2, 10-4, 10-6 to 0; magnitude of consequences on the vertical axis; regions from left to right: To be practically eliminated, Unacceptable Risk, Residual Risk, Design basis accidents (PCC4, PCC3, PCC2), Normal Operation]
Probabilistic approach • Objective: • To assess the probability that the nuclear plant originates undesired consequences • Undesired consequences: • Reactor core melt (Level 1 PSA) • criteria should be defined in order to characterize the core damage • Level 1+ PSA: Level 1 PSA completed with containment systems assessment • Outside containment radioactive releases (Level 2 PSA) • Consequences for the population and for the environment (Level 3 PSA) • emergency plan definition • cost-benefit methods
Probabilistic approach • Method: • Exhaustive search for all accident scenarios leading to undesired consequences: • PSA also considers initiators and accident sequences which are beyond the design basis • The accident scenarios are combinations of component failures and human errors • The plant behavior modeling is based on “best estimate” functional and physical studies (excessive conservatisms are usually avoided) • An extensive spectrum of human actions is considered: • the crisis team role is modeled • In addition to safety systems, the non-safety systems which play a role during the accident are also modeled
Probabilistic approach benefits • Provides a rigorous and systematic analysis of complex systems • Considers complex interactions (like hazards induced by one component failure on other components; ex: impact of the primary circuit pump thermal barrier rupture on the CCWS, impact of a steam line break on the steam isolation valves, etc.) • Provides quantitative risk information • Integrates multidisciplinary knowledge (thermal-hydraulics, accident procedures, systems design, reliability, crisis organization, operational experience, etc.) • Provides information on plant weak points • Provides a tool to perform sensitivity studies • Highlights the missing or incomplete knowledge
Important aspects for PSA application • Independent verification • In France the PSA for power reactors is developed in parallel by IRSN and EDF • IRSN project organization (Steering committee, Technical committee) • When applying the PSA to decision making, the deterministic and defense in depth rules prevail • It is necessary to perform sensitivity studies on dominant data and assumptions • It is necessary to understand the PSA results before any application
Generalities • Terminology: • Frequency: number of occurrences / time unit: • positive value (can be > 1) • used for: • initiating events (“events / year”, “events / year x reactor”) • failure rates (“failures / hour”) • Probability: event likelihood • value between 0 and 1 • always a conditional value (context related) • used for all the PSA modeled events, except the initiating events
Generalities • Terminology: • Consequence: the final result of an accident scenario: • final consequence: on the public, on the environment, on the economy (Level 3 PSA) • intermediate consequence: core damage, early releases, late releases, etc. (Level 1 PSA, Level 2 PSA, Level 1+) • Risk: the consequence occurrence frequency: Risk (magnitude of consequences / time) = Frequency (events / time) x Consequence (magnitude / event); in general expressed “/ reactor x year”
Probabilistic approach principle • Defined by WASH 1400 • Confirmed by subsequent PSAs • Principle: the infrequent event (reactor core damage) is decomposed into frequent events (component failures, human errors, hazards, etc.) • Challenges: • to be exhaustive • to consider the dependencies between the individual events
Probabilistic approach principle [figure: the PSA model (Event Trees + Fault Trees, accident sequences) links the infrequent event, for which no statistics exist, to the individual observable events (failure data, HRA)]
PSA overview [figure: Level 1 PSA: initiating events (LOCA, SGTR, etc.) → Event Trees (ET) → Core damage (CD) and Plant Damage States (PDS); L1/L2 interface; Level 2 PSA: accident progression trees → source term; Level 3 PSA: consequences quantification → consequences]
Level 1 PSA overview [figure: the initiating event, whose frequency may be quantified by a Fault Tree (FT), is the root of the Event Tree (ET); each ET heading (N°1, N°2, ...) is supported by a Fault Tree of the mitigation and support systems; each branch ends in OK or in CD (core damage), the Level 1 PSA consequence]
Level 1 PSA method • The major steps to develop a Level 1 PSA are: • Initiating events identification and grouping • Accident sequences modeling • Event Trees development • Systems success criteria definition (deterministic analyses / expert judgment) • Fault Trees development • Parameter estimation (failure data and human factor) • Accident sequences quantification • Documentation and results interpretation • Always iterative
Level 1 PSA development [flow chart: Initiating events, TH calculations, Functional analysis, Accident sequences definition, Systems analysis, Human factor, Reliability data, Accident sequences quantification, Uncertainties, Level 1 PSA results]
Initiating Events (IE) • Definition: • Initiating event: an event which disturbs the plant normal operation, leading to a drift of some plant parameters, and for which an accident sequence can be developed • Can occur in all reactor states (power, shutdown) • Expressed in “occurrences / year” or “occurrences / reactor x year” • The initiator recovery time is sometimes indicated if the initiator recovery impact is important for the probabilistic assessment (ex: loss of offsite power, loss of heat sink, etc.)
Initiating Events (IE) • Scope: • Internal initiating events: • component failure AND / OR • human errors • Internal hazards: • fire • flooding • explosion, etc. • External hazards: • earthquake • external flooding • extreme climatic conditions (heat wave, low temperatures, drought, extreme wind, etc.) • Observation: the “Loss of offsite power” and “Loss of heat sink” initiators are often included in the internal initiating events
Initiating Events (IE) • Objective of the initiating events identification: to be exhaustive • The IE list is not a conventional and frozen list • Raw IE list: • Safety Report initiators • Other PSAs • Operating experience • Operating documentation • International experience • Feedback during the PSA development itself • Systematic analysis (FMEA, Master Logic Diagram, etc.) • Final list, after screening and regrouping
Initiating Events (IE) • Some initiators are screened out (the reasons are always documented): • Very low frequency (ex: meteorite crash) • The impact on the plant is slow, easy to identify and to recover • ex: loss of control room cooling for a 900 MWe plant • The impact is already covered by other initiators: • ex: loss of one CCWS pump is covered by loss of one CCWS train • this criterion should be applied with precaution and only after analysis (ex: is the loss of instrument air covered by the loss of Feedwater?) • The initiator occurrence does not impose an immediate plant shutdown (automatic, or manual as imposed by the TechSpecs) • ex: loss of one CCWS pump; the TechSpecs allow a 3-day allowed outage time
Initiating Events (IE) • Initiating events regrouping: • It is necessary to identify for each initiator: • safety functions needed to avoid the core damage • safety functions degraded by the initiator • systems which are available to perform the safety functions • Grouping of initiators if the impact on the plant is “similar” • The process is iterative while developing the Event Trees: • identical event trees are identified and grouped • only one ET can be used for the whole group • if the accident sequences development is not possible for the group: dissociation into subgroups • In general, for easy presentation of results and documentation, the initiating events are classified in families (ex: LOCA, Secondary transients, SGTR, etc.)
Initiating Events (IE) • Initiators quantification: • A single data source is never enough: • Specific data (for frequent events) • For rare events: • worldwide operating experience • industry events • chi-square estimate at 50% (0.7/T) • caution: this can lead to a uniform frequency for all the initiating events • modeling (Fault Tree, Markov chain, …) • expert judgment: • elicitation • sensitivity studies • Important: • the initiating events frequency can be specific for each site or plant • if this specificity is not considered for the initiators in the reference PSA, it is important to take it into account while using the PSA results for decision making
Accident sequences definition – Event Tree (ET) • Logical diagram displaying the accident sequences • An initiating event is the root of each Event Tree • The development of the ET is based on: Functional Analysis, TH calculations • The failures and the successes of the initiator mitigation systems, as well as the operator actions, are considered while tracing the “scenario” • Each ET branch is analyzed: • type of consequences • definition of the success criteria for the identified mitigations
Event Tree example: Loss of Main Feedwater System [figure: initiator LMFW; headings AFWS, F&B, Operator, SIS, LDP, CHRS; the success/failure branches end either in OK or in core melt]
Event Trees • Steps: • Definition of the analysis borders: • final states (success and failure states) • accident sequences time (generally 24 hours) • intended PSA applications • Identification of the safety functions needed to mitigate the initiator • Identification of the available systems to fulfill the safety functions • Decide the ET “headings” definition • One heading can group more than one system and/or human action • Identification of the systems success criteria • Decide the ET “headings” order: • logical order • accident procedures • simplification / optimization of the model • Develop the accident sequences and assign the consequences
Event Trees • In general, the safety functions for a Level 1 PSA are: • Reactivity control: • reactor shut-down • long term reactivity control • Primary circuit inventory control: • primary circuit integrity • primary circuit make-up (SIS, CVCS) • Heat sink: • Residual heat removal (AFWS, RHR, F&B, etc.) • Primary circuit cooling /depressurization (depending on the safe state for the initiator; ex: V-LOCA)
Event Trees: functional example [figure: initiator; headings Shut-down, Inventory, Heat Sink; all headings successful → Success; failure of any heading → Core Damage]
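The sequence tracing described above, worked through on the functional example (Shut-down, Inventory, Heat Sink) as an added Python example that is not part of the training material. The initiating-event frequency and the heading failure probabilities are constructed values, and the walker also handles trees in which a heading is not questioned on every branch.

```python
# Constructed data (not from the training material): initiating-event frequency
# per reactor-year and the failure probability of each functional heading.
IE_FREQUENCY = 1.0e-1
FAILURE_PROB = {"Shut-down": 1.0e-5, "Inventory": 1.0e-3, "Heat sink": 1.0e-2}

# Event tree as nested dicts: each node questions one heading; "success" and
# "failure" point to the next node or to an end state. In the functional
# example the failure of any heading leads directly to core damage.
FUNCTIONAL_ET = {
    "heading": "Shut-down",
    "failure": "Core Damage",
    "success": {
        "heading": "Inventory",
        "failure": "Core Damage",
        "success": {"heading": "Heat sink", "failure": "Core Damage",
                    "success": "Success"},
    },
}

def sequences(node, prob=None, path=()):
    """Trace every branch; yield (path, end_state, conditional probability).
    A heading absent from a branch is simply never questioned there."""
    prob = FAILURE_PROB if prob is None else prob
    if isinstance(node, str):                    # end state reached
        yield path, node, 1.0
        return
    heading = node["heading"]
    p_fail = prob[heading]
    for outcome, p in (("success", 1.0 - p_fail), ("failure", p_fail)):
        branch = node[outcome]
        for sub_path, end, p_rest in sequences(branch, prob, path + ((heading, outcome),)):
            yield sub_path, end, p * p_rest

def core_damage_frequency(tree, ie_frequency, prob=None):
    """Sum of IE frequency x branch probability over the core-damage sequences."""
    return sum(ie_frequency * p for _, end, p in sequences(tree, prob)
               if end == "Core Damage")

if __name__ == "__main__":
    for path, end, p in sequences(FUNCTIONAL_ET):
        label = " ".join(f"{h}:{o[0].upper()}" for h, o in path)
        print(f"{label:42s} -> {end:12s} {IE_FREQUENCY * p:.3e} /reactor.year")
    print(f"CDF = {core_damage_frequency(FUNCTIONAL_ET, IE_FREQUENCY):.3e} /reactor.year")
```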
Difficulties in developing the Event Trees • Physical: • precise identification of the accident sequence consequences • definition of the systems success criteria • identification of the operator “zero” moment and of the available time • identification of the applicable signal thresholds • Human behavior: • applicable accident procedures • possible/credible strategies • Components behavior: • behavior beyond the qualification domain (closing of secondary safety valves in water, CVCS pumps operating without ventilation, etc.)
Fault Trees • Deductive analysis • “Top-Down” approach: • the “Top event” is defined by the negation of the success criterion identified in the Event Tree: • ex: success criterion: 1/2 pumps operating; failure criterion: 2/2 pumps failed • all intermediate events are decomposed down to the basic events (which by definition cannot be further decomposed)
Fault Trees • Tree-structured decomposition of the system failure using: • logical gates (AND, OR, 2/3, ...) • basic events: • component failures • component unavailability for maintenance • human errors • … • logical structuring (house events)
Fault Trees - symbols [figure: gates: AND, OR, n/m vote, transfer; basic events: basic event, undeveloped event, basic event with CCF; house event: “True” or “False”]
Fault Trees - example [figure: two redundant trains fed from tank T1; train 1 = valve V1, pump P1 (motor M), valve V2; train 2 = valve V3, pump P2 (motor M), valve V4; both pumps depend on a common element S]
Boolean logic [Venn diagram: A or B (A + B) is the union of the two sets; A and B (A x B) is their intersection; TRUE is the whole white page; FALSE is nothing]
Boolean logic
• Commutativity: A x B = B x A; A + B = B + A
• Associativity: A + (B + C) = (A + B) + C = A + B + C; A x (B x C) = (A x B) x C = A x B x C
• Distributivity: A x (B + C) = A x B + A x C; A + B x C = (A + B) x (A + C)
• Idempotence: A x A = A; A + A = A
• Absorption: A x (A + B) = A; A + A x B = A
Boolean reduction -> Minimal Cut Sets (MCS)
Fault trees – Minimal Cut Sets
Fault tree initial equation:
(V1+(P1+S)+V2+T1) x (V3+(P2+S)+V4+T1) =
Associative property: (A + B) + C = A + B + C
= (V1+P1+S+V2+T1) x (V3+P2+S+V4+T1) =
Distributive property: A x (B + C) = A x B + A x C
= V1xV3+V1xP2+V1xS+V1xV4+V1xT1+P1xV3+P1xP2+P1xS+P1xV4+P1xT1+SxV3+SxP2+SxS+SxV4+SxT1+V2xV3+V2xP2+V2xS+V2xV4+V2xT1+T1xV3+T1xP2+T1xS+T1xV4+T1xT1 =
Idempotent property: A x A = A (SxS = S, T1xT1 = T1)
= V1xV3+V1xP2+V1xS+V1xV4+V1xT1+P1xV3+P1xP2+P1xS+P1xV4+P1xT1+SxV3+SxP2+S+SxV4+SxT1+V2xV3+V2xP2+V2xS+V2xV4+V2xT1+T1xV3+T1xP2+T1xS+T1xV4+T1 =
Absorption property: A + A x B = A (every product containing S or T1 is absorbed by S or T1)
MCS = V1xV3+V1xP2+V1xV4+P1xV3+P1xP2+P1xV4+S+V2xV3+V2xP2+V2xV4+T1
Commutative property: sorting by order (number of basic events in the cut):
MCS = S + T1 (first order MCS) + V1xV3+V1xP2+V1xV4+P1xV3+P1xP2+P1xV4+V2xV3+V2xP2+V2xV4 (second order MCS)
MCS = Minimal Cut Sets = minimal combinations of failures leading to the system failure
Fault trees – House Event • AND gate behavior: A x TRUE = A; A x FALSE = FALSE • OR gate behavior: A + TRUE = TRUE; A + FALSE = A • Used to structure / optimize the model: • one Fault Tree for different accident sequences • easy to assign system or component failures • largely employed in PSA models
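The Boolean reduction of the two-train example above (distributivity, idempotence, absorption, sorting by order) together with the house-event behaviour of this slide, implemented as an added Python example that is not part of the training material. The house event H_T2_OUT (train 2 out for maintenance) is a hypothetical addition to the slide's fault tree, used to show how one tree serves several accident sequences.

```python
from itertools import product

TRUE, FALSE = "TRUE", "FALSE"
# Hypothetical house event (not on the slides): train 2 unavailable for maintenance.
HOUSE_DEFAULTS = {"H_T2_OUT": FALSE}

def minimise(sets):
    """Absorption (A + A x B = A): drop every cut set that contains another one."""
    return {s for s in sets if not any(other < s for other in sets)}

def cut_sets(node, house=None):
    """Cut sets of a fault-tree node, as a set of frozensets of basic events.
    A node is a basic-event name, a house-event name, or ("AND"|"OR", child, ...).
    Idempotence (A x A = A) is free because every cut set is a set."""
    house = {**HOUSE_DEFAULTS, **(house or {})}
    if isinstance(node, str):                       # leaf
        value = house.get(node, node)
        if value == TRUE:                           # A x TRUE = A ; A + TRUE = TRUE
            return {frozenset()}
        if value == FALSE:                          # A x FALSE = FALSE ; A + FALSE = A
            return set()
        return {frozenset([node])}
    gate, children = node[0], node[1:]
    child_sets = [cut_sets(child, house) for child in children]
    if gate == "OR":                                # union of the children's cut sets
        combined = set().union(*child_sets)
    elif gate == "AND":                             # distributivity: every combination
        combined = {frozenset().union(*combo) for combo in product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(combined)

def sorted_mcs(sets):
    """Commutativity: order by cut-set order (number of basic events), then by name."""
    return sorted((tuple(sorted(s)) for s in sets), key=lambda t: (len(t), t))

# The slides' system: (V1+(P1+S)+V2+T1) x (V3+(P2+S)+V4+T1), with the
# hypothetical house event H_T2_OUT added under the train-2 OR gate.
TRAIN1 = ("OR", "V1", ("OR", "P1", "S"), "V2", "T1")
TRAIN2 = ("OR", "V3", ("OR", "P2", "S"), "V4", "T1", "H_T2_OUT")
TOP = ("AND", TRAIN1, TRAIN2)

if __name__ == "__main__":
    for label, house in (("both trains available", {}), ("train 2 out", {"H_T2_OUT": TRUE})):
        mcs = sorted_mcs(cut_sets(TOP, house))
        print(f"{label}: {len(mcs)} MCS")
        for cut in mcs:
            print(f"  order {len(cut)}: {'x'.join(cut)}")
```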