Operational Reactor Safety
22.091 / 22.903
Professor Andrew C. Kadak, Professor of the Practice
Probabilistic Safety Analysis (Lecture 11)
Topics to be Covered
• Probabilistic Basics
• Event Trees
• Fault Trees
• Applications
• Examples
• Safety Goals
• Uses
Deterministic Safety Analysis
Source unknown. All rights reserved. This content is excluded from our Creative Commons license. For more information, see http://ocw.mit.edu/fairuse.
Probabilistic Safety Analysis
PWR Engineered Safety Systems
Figures © Hemisphere. All rights reserved. This content is excluded from our Creative Commons license. For more information, see http://ocw.mit.edu/fairuse.
BWR Early Engineered Safety Systems
PSA Applications
The Pre-PRA Era (prior to 1975)
• Management of (unquantified at the time) uncertainty was always a concern.
• Defense-in-depth and safety margins became embedded in the regulations.
• “Defense-in-Depth is an element of the NRC’s safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility.” [Commission’s White Paper, February, 1999]
• Design Basis Accidents are postulated accidents that a nuclear facility must be designed and built to withstand without loss to the systems, structures, and components necessary to assure public health and safety.
Prof. Andrew C. Kadak, 2008
Potential Offsite Doses
Farmer’s Paper (1967)
Iodine-131 is a major threat to health in a nuclear plant accident.
Attempting to differentiate between credible (DBAs) and incredible accidents (Class 9; multiple protective system failures) is not logical.
If one considers a fault, such as a loss-of-coolant accident (LOCA), one can determine various outcomes, from safe shutdown and cooldown, to consideration of delays and partial failures of shutdown or shutdown cooling with potential consequences of radioactivity release.
Department of Nuclear Science & Engineering
Historical Risk Studies
Technological Risk Assessment
• Study the system as an integrated socio-technical system.
Probabilistic Risk Assessment (PRA) supports Risk Management by answering the questions:
• What can go wrong? (accident sequences or scenarios)
• How likely are these scenarios?
• What are their consequences?
Reactor Safety Study (WASH-1400; 1975)
Prior Beliefs:
1. Protect against large LOCA.
2. CDF is low (about once every 100 million years, 10^-8 per reactor year).
3. Consequences of accidents would be disastrous.
Major Findings
1. Dominant contributors: Small LOCAs and Transients.
2. CDF higher than earlier believed (best estimate: 5x10^-5 per reactor year, once every 20,000 years; upper bound: 3x10^-4 per reactor year, once every 3,333 years).
3. Consequences significantly smaller.
4. Support systems and operator actions very important.
Risk Curves
Frequency of Fatalities Due to Man-Caused Events (RSS)
CRITICAL SAFETY FUNCTIONS
KEEP FISSION PRODUCTS WITHIN THE FUEL
• Control Reactor Power
– Control reactivity additions
– Shutdown reliably
• Cool the Reactor and Spent Fuel
– Maintain coolant inventory
– Maintain coolant flow
– Maintain coolant heat sinks
KEEP RADIOACTIVE MATERIAL OUT OF THE BIOSPHERE
• Maintain Containment Integrity
– Prevent over-pressurization
– Prevent over-heating
– Prevent containment bypass
• Capture Material Within Containment
– Scrubbing
– Deposition
– Chemical capture
SHIELD PERSONNEL FROM RADIATION
The Single-Failure Criterion
• “Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.”
• The intent is to achieve high reliability (probability of success) without quantifying it.
• Looking for the worst possible single failure leads to better system understanding.
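Searching for the worst single failure is, in fault-tree terms, a search for minimal cut sets of order one. The following Python is an added example, not code from the lecture: it builds a constructed fault tree for a hypothetical two-train cooling system (the component names, gate structure and per-demand failure probabilities are assumptions), extracts the minimal cut sets, flags any single basic event that defeats the safety function, and contrasts a design where both trains share one DC bus with one where each train has its own bus. It also quantifies the top event with the rare-event approximation, the step that turns the qualitative single-failure criterion into the reliability number the slide notes the criterion never quantifies.

```python
from itertools import product

# Constructed fault tree for a hypothetical two-train emergency core cooling
# system (not from the lecture). Gates map to (type, inputs); any name that is
# not a gate is a basic event. Here both trains share one DC bus for control power.
SHARED_DC_TREE = {
    "SYSTEM_FAILS":  ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR",  ["PUMP_A", "VALVE_A", "DC_BUS"]),
    "TRAIN_B_FAILS": ("OR",  ["PUMP_B", "VALVE_B", "DC_BUS"]),
}

# Same system after the design fix: each train gets its own DC bus.
SEPARATE_DC_TREE = {
    "SYSTEM_FAILS":  ("AND", ["TRAIN_A_FAILS", "TRAIN_B_FAILS"]),
    "TRAIN_A_FAILS": ("OR",  ["PUMP_A", "VALVE_A", "DC_BUS_A"]),
    "TRAIN_B_FAILS": ("OR",  ["PUMP_B", "VALVE_B", "DC_BUS_B"]),
}

# Assumed per-demand failure probabilities of the basic events (illustrative only).
BASIC_EVENT_PROB = {
    "PUMP_A": 1e-3, "PUMP_B": 1e-3,
    "VALVE_A": 2e-3, "VALVE_B": 2e-3,
    "DC_BUS": 1e-4, "DC_BUS_A": 1e-4, "DC_BUS_B": 1e-4,
}


def minimal_cut_sets(node, tree):
    """Return the minimal cut sets of `node` as a sorted list of frozensets.

    A cut set is a set of basic events that, all failed, fails the node.
    OR gates concatenate the children's cut-set lists; AND gates take the
    cross product; sets that contain another cut set are dropped at each gate.
    """
    if node not in tree:                      # basic event
        return [frozenset([node])]
    gate, inputs = tree[node]
    child_sets = [minimal_cut_sets(child, tree) for child in inputs]
    if gate == "OR":
        candidates = [cs for child in child_sets for cs in child]
    elif gate == "AND":
        candidates = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    unique = set(candidates)
    minimal = [cs for cs in unique if not any(other < cs for other in unique)]
    return sorted(minimal, key=lambda cs: (len(cs), sorted(cs)))


def single_failures(tree, top="SYSTEM_FAILS"):
    """Basic events whose failure alone fails the top event (order-1 cut sets)."""
    return sorted(next(iter(cs)) for cs in minimal_cut_sets(top, tree) if len(cs) == 1)


def meets_single_failure_criterion(tree, top="SYSTEM_FAILS"):
    """True when no single component failure defeats the safety function."""
    return not single_failures(tree, top)


def top_event_probability(tree, probs, top="SYSTEM_FAILS"):
    """Rare-event approximation: sum over minimal cut sets of the product of
    the basic-event probabilities. Slightly conservative for small probabilities."""
    total = 0.0
    for cs in minimal_cut_sets(top, tree):
        term = 1.0
        for event in cs:
            term *= probs[event]
        total += term
    return total


if __name__ == "__main__":
    for name, tree in (("shared DC bus", SHARED_DC_TREE), ("separate DC buses", SEPARATE_DC_TREE)):
        mcs = minimal_cut_sets("SYSTEM_FAILS", tree)
        print(f"{name}: {len(mcs)} minimal cut sets; single failures: {single_failures(tree)}")
        print(f"  P(system fails on demand) ~ {top_event_probability(tree, BASIC_EVENT_PROB):.2e}")
```

With the shared bus the only order-1 cut set is the DC bus, so the design fails the criterion and the bus dominates the unavailability; splitting the buses leaves only order-2 cut sets and lowers the rare-event estimate by roughly an order of magnitude under the assumed probabilities. The same minimal-cut-set routine is what a PRA uses to turn a system fault tree into the split fraction of a top event in an event tree.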
Defense in Depth
“Defense-in-Depth is an element of the Nuclear Regulatory Commission’s safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility.”
[Commission’s White Paper, USNRC, 1999]
PRA Model Overview
• Level I: PLANT MODEL. Results: accident sequences leading to plant damage states.
• Level II: CONTAINMENT MODEL. Results: containment failure/release sequences.
• Level III: SITE/CONSEQUENCE MODEL. Results: public health effects.
PLANT MODE: At-power Operation; Shutdown / Transition Evolutions
SCOPE: Internal Events; External Events
Uncertainties
Basic Elements of PSA
Transition of a Risk Assessment
Event and Fault Tree Structure
Loss-of-offsite-power event tree
Initiating event: LOOP. Top events (left to right): Secondary Heat Removal; Bleed & Feed; Recirc. Core. End states of the branches: OK, OK, PDSi, PDSj.
CDF and LERF Definitions
• Core damage frequency is defined as the sum of the frequencies of those accidents that result in uncovery and heatup of the reactor core to the point at which prolonged oxidation and severe fuel damage involving a large fraction of the core (i.e., sufficient, if released from containment, to have the potential for causing offsite health effects) is anticipated.
• Large early release frequency is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is the potential for early health effects. Such accidents generally include unscrubbed releases associated with early containment failure shortly after vessel breach, containment bypass events, and loss of containment isolation.
Draft Regulatory Guide 1.200 Rev. 1, “An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities”
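To tie the loss-of-offsite-power event tree to the CDF and LERF definitions, here is an added Python example; it is not from the lecture or from any plant PRA. It quantifies an event tree with the same shape as the sketch (two OK end states, PDSi and PDSj), sums the plant-damage-state frequencies into a CDF, then folds each plant damage state through conditional release probabilities to get release-category frequencies, the large-early one being LERF, and checks both against the subsidiary goals quoted later in the lecture. The initiator frequency, the top-event split fractions and the conditional release probabilities are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed LOOP event tree (assumed numbers, structure follows the lecture sketch).
# A node is either an end-state name (str) or a tuple
#   (top_event, subtree_if_success, subtree_if_failure).
LOOP_TREE = (
    "SECONDARY_HEAT_REMOVAL",            # steam generators remove decay heat?
    "OK",                                #   yes: safe shutdown
    ("BLEED_AND_FEED",                   #   no: primary-side bleed and feed?
        ("RECIRC_CORE",                  #     yes: switch to recirculation cooling?
            "OK",                        #       yes: safe shutdown
            "PDS_i"),                    #       no: late core damage state
        "PDS_j"),                        #     no: early core damage state
)

LOOP_FREQUENCY = 0.05                    # initiating events per reactor-year (assumed)

# Conditional failure probability of each top event given the initiator and
# the preceding branches (assumed split fractions).
FAILURE_PROB = {
    "SECONDARY_HEAT_REMOVAL": 1e-2,
    "BLEED_AND_FEED": 1e-1,
    "RECIRC_CORE": 5e-3,
}

# Level II: conditional probability of each release category given the plant
# damage state (assumed; each row sums to 1).
RELEASE_GIVEN_PDS = {
    "PDS_i": {"large_early": 1e-3, "small_early": 0.05, "large_late": 0.25, "intact": 0.699},
    "PDS_j": {"large_early": 1e-2, "small_early": 0.10, "large_late": 0.30, "intact": 0.59},
}

CDF_GOAL = 1e-4     # per reactor-year, subsidiary goal quoted in the lecture
LERF_GOAL = 1e-5    # per reactor-year


def quantify_sequences(node, frequency, failure_prob, path=()):
    """Walk the event tree; return [(branch_path, end_state, frequency)].

    Each top event splits the incoming frequency into a success branch
    (1 - p_fail) and a failure branch (p_fail); a sequence's frequency is the
    initiator frequency times the product of its branch probabilities.
    """
    if isinstance(node, str):
        return [(path, node, frequency)]
    top_event, on_success, on_failure = node
    p_fail = failure_prob[top_event]
    return (quantify_sequences(on_success, frequency * (1 - p_fail), failure_prob,
                               path + ((top_event, "S"),))
            + quantify_sequences(on_failure, frequency * p_fail, failure_prob,
                                 path + ((top_event, "F"),)))


def plant_damage_state_frequencies(sequences):
    """Sum sequence frequencies into each end state (OK and the PDSs)."""
    totals = defaultdict(float)
    for _, end_state, freq in sequences:
        totals[end_state] += freq
    return dict(totals)


def core_damage_frequency(pds_freq):
    """CDF = sum of the frequencies of all core-damage end states (everything but OK)."""
    return sum(f for state, f in pds_freq.items() if state != "OK")


def release_category_frequencies(pds_freq, release_given_pds):
    """Level II: fold each PDS frequency through its conditional release probabilities."""
    totals = defaultdict(float)
    for state, freq in pds_freq.items():
        if state == "OK":
            continue
        for category, p in release_given_pds[state].items():
            totals[category] += freq * p
    return dict(totals)


def subsidiary_goal_check(cdf, lerf, cdf_goal=CDF_GOAL, lerf_goal=LERF_GOAL):
    """Compare mean CDF and LERF with the subsidiary goals."""
    return {"cdf_ok": cdf < cdf_goal, "lerf_ok": lerf < lerf_goal}


if __name__ == "__main__":
    seqs = quantify_sequences(LOOP_TREE, LOOP_FREQUENCY, FAILURE_PROB)
    for path, end_state, freq in seqs:
        print(f"{end_state:6s} {freq:.3e}/ry  " + " ".join(f"{te}:{o}" for te, o in path))
    pds = plant_damage_state_frequencies(seqs)
    cdf = core_damage_frequency(pds)
    lerf = release_category_frequencies(pds, RELEASE_GIVEN_PDS)["large_early"]
    print(f"CDF = {cdf:.3e}/ry, LERF = {lerf:.3e}/ry, goals met: {subsidiary_goal_check(cdf, lerf)}")
```

Under these assumptions the sequence in which bleed and feed fails (PDSj) carries over 95% of the CDF, which is the kind of dominant-sequence ranking the Level I results later in the lecture present, and LERF is two orders of magnitude below CDF because only a small conditional fraction of each plant damage state leads to a large early release.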
At Power Level I Results
CDF = 4.5x10^-5 / yr (Modes 1, 2, 3)
Initiator Contribution to CDF Total:
• Internal Events: 56%
• External Events: 44%
– Seismic Events: 24%
– Fires: 18%
– Other: 2%
Level I Results
• Functional Sequences (contribution to CDF):
– Transients - Station Blackout/Seal LOCA: 45%
– Transients - Loss of Support Systems/Seal LOCA: 29%
– Transients - Loss of Feedwater/Feed & Bleed: 12%
– LOCA - Injection/Recirculation Failure: 7%
– ATWS - No Long Term Reactivity Control: 6%
– ATWS - Reactor Vessel Overpressurization: 2%
From: K. Kiper, MIT Lecture, 2006
At Power Level II Results
Release category and conditional probability (given core damage):
• Large-Early: 0.002
• Small-Early: 0.090
• Large-Late: 0.249
• Intact: 0.659
Large-Early Release Frequency (LERF) = 7x10^-8 / yr
Large-Early failure mode and percent contribution:
• Containment Bypass: 82%
• Containment Isolation Failure: 18%
• Gross Containment Failure: 0.1%
From: K. Kiper, MIT Lecture, 2006
SHUTDOWN
Shutdown, Full Scope, Level 3 PSA (1988) Results: Mean CDF (shutdown) ~ Mean CDF (power)
• Dominant CD sequence: Loss of RHR at reduced inventory.
• Risk dominated by operator actions - causing and mitigating events.
• Significant risk reductions with low-cost modifications and controls:
– Midloop level monitor, alarm
– Procedures, training
– Administrative controls on outage planning
From: K. Kiper, MIT Lecture, 2006
Shutdown PRA Issues
• Risk is dominated by operator actions - importance of HRA (human reliability analysis).
• Generic studies give useful insights, but risk-controlling factors are plant-specific.
• Shutdown risk is dynamic - average risk is generally low (relative to full power risk), but is subject to risk “spikes.”
• Shutdown risk is more amenable to “management.” At-power risk is designed in.
From: K. Kiper, MIT Lecture, 2006
Integrated Risk (All Modes) – 2002 Update
Mode | Description | CDF (/yr) | Percent of Total
• Mode 1 | Full-power (>70% pwr) | 4.28E-5 | 63%
• Mode 2 | Low-power (<70% pwr) | 0.15E-5 | 2%
• Mode 3 | Hot Standby | 0.08E-5 | 1%
• Mode 4 | Hot Shutdown | 0.05E-5 | 1%
• Mode 5 | Cold Shutdown | 0.91E-5 | 13%
• Mode 6 | Refueling | 1.38E-5 | 20%
• Total Core Damage Frequency | 6.86E-5 | 100%
From: K. Kiper, MIT Lecture, 2006
Risk Assessment Review Group
“We are unable to define whether the overall probability of a core melt given in WASH-1400 is high or low, but we are certain that the error bands are understated.”
WASH-1400 is "inscrutable."
"…the fault-tree/event-tree methodology is sound, and both can and should be more widely used by NRC."
"PSA methods should be used to deal with generic safety issues, to formulate new regulatory requirements, to assess and revalidate existing regulatory requirements, and to evaluate new designs."
Commission Actions (Jan. 18, 1979)
• “…the Commission has reexamined its views regarding the Study in light of the Review Group’s critique.”
• “The Commission withdraws any explicit or implicit past endorsement of the Executive Summary.”
• “…the Commission does not regard as reliable the Reactor Safety Study’s numerical estimate of the overall risk of reactor accidents.”
Zion and Indian Point PRAs (1981)
• First PRAs sponsored by the industry.
• Comprehensive analysis of uncertainties (Bayesian methods).
• Detailed containment analysis (not all accidents lead to containment failure).
• “External” events (earthquakes, fires) may be significant contributors to risk.
Seabrook PRA Results
[Table: Summary of Accident Sequences with Significant Risk and Core Melt Frequency Contributions (Sheet 1 of 8). Columns: sequence, additional system failures, frequency, health risk. Sequences listed include loss of offsite power with failure of onsite AC power and no recovery of AC power, loss of feedwater, loss of service water, loss of component cooling, residual heat removal and solid state protection system failures, operator failure to establish long-term component cooling, and reactor coolant pump seal LOCA with containment filtration and heat removal. Note: exponential notation is indicated in abbreviated form; an asterisk marks a negligible contribution to risk.]
NUREG-1150 and RSS CDF for Peach Bottom
Comparison of Iodine Releases (Peach Bottom)
Quantitative Safety Goals of the US Nuclear Regulatory Commission (August, 1986)
Early and latent cancer mortality risks to an individual living near the plant should not exceed 0.1 percent of the background accident or cancer mortality risk, approximately 5x10^-7 / year for early death and 2x10^-6 / year for death from cancer.
• The prompt fatality goal applies to an average individual living in the region between the site boundary and 1 mile beyond this boundary.
• The latent cancer fatality goal applies to an average individual living in the region between the site boundary and 10 miles beyond this boundary.
Societal Risks
• Annual Individual Occupational Risks
– All industries: 7x10^-5
– Coal Mining: 24x10^-5
– Fire Fighting: 40x10^-5
– Police: 32x10^-5
– US President: 1,900x10^-5 (!)
• Annual Public Risks
– Total: 870x10^-5
– Heart Disease: 271x10^-5
– All cancers: 200x10^-5
– Motor vehicles: 15x10^-5
From: Wilson & Crouch, Risk/Benefit Analysis, Harvard University Press, 2001.
Subsidiary Goals
• The average core damage frequency (CDF) should be less than 10^-4 /ry (once every 10,000 reactor years).
• The large early release frequency (LERF) should be less than 10^-5 /ry (once every 100,000 reactor years).
Large Early Release Frequency
LERF is being used as a surrogate for the early fatality QHO.
It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects.
Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation.
PRA Model Overview and Subsidiary Objectives
• Level I: PLANT MODEL. Results: accident sequences leading to plant damage states. Subsidiary objective: CDF below 10^-4 /ry.
• Level II: CONTAINMENT MODEL. Results: containment failure/release sequences. Subsidiary objective: LERF below 10^-5 /ry.
• Level III: SITE/CONSEQUENCE MODEL. Results: public health effects, compared against the QHOs.
PLANT MODE: At-power Operation; Shutdown / Transition Evolutions
SCOPE: Internal Events; External Events
Uncertainties
“Acceptable” vs. “Tolerable” Risks (UKHSE)
Regions in order of increasing individual risks and societal concerns (highest first):
• UNACCEPTABLE REGION: risk cannot be justified save in extraordinary circumstances.
• TOLERABLE REGION: control measures must be introduced for risk in this region to drive residual risk towards the broadly acceptable region.
• BROADLY ACCEPTABLE REGION: level of residual risk regarded as insignificant; further effort to reduce risk not likely to be required.
PRA Policy Statement (1995)
• The use of PRA should be increased to the extent supported by the state of the art and data and in a manner that complements the defense-in-depth philosophy.
• PRA should be used to reduce unnecessary conservatisms associated with current regulatory requirements.
Integrated Decision Making
Risk-Informed Decision Making for Licensing Basis Changes (RG 1.174, 1998)
• Comply with Regulations
• Maintain Defense-in-Depth Philosophy
• Maintain Safety Margins
• Risk Decrease, Neutral, or Small Increase
• Monitor Performance
Acceptance Guidelines for Core Damage Frequency (RG 1.174)
Vertical axis: change in CDF (ΔCDF, per reactor year), with boundaries at 10^-6 and 10^-5. Horizontal axis: baseline CDF (per reactor year), with boundaries at 10^-5 and 10^-4.
• Region I (ΔCDF above 10^-5, or ΔCDF above 10^-6 with baseline CDF above 10^-4): No changes
• Region II (ΔCDF between 10^-6 and 10^-5, baseline CDF below 10^-4): Small changes; track cumulative impacts
• Region III (ΔCDF below 10^-6): Very small changes; more flexibility with respect to baseline; track cumulative impacts
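The acceptance regions are a decision rule on two numbers, the baseline CDF and the change a proposed modification makes to it, plus the instruction to track cumulative impacts. The following Python is an added example, not from the lecture or from RG 1.174 itself: it encodes the CDF regions as drawn (thresholds of 10^-6 and 10^-5 per reactor year on ΔCDF, 10^-4 on baseline CDF, mean values) and evaluates a proposed change both on its own and as part of the cumulative increase since the original baseline, so that a string of individually "very small" changes cannot quietly add up to a larger one. The baseline value reuses the at-power Level I result quoted earlier (4.5x10^-5 /yr); the prior and proposed changes are invented.

```python
# Added example of the RG 1.174 CDF acceptance guidelines; thresholds as on the
# figure (per reactor-year, mean values). Candidate changes below are invented.

DELTA_CDF_REGION_I = 1e-5     # increases at or above this are Region I
DELTA_CDF_REGION_II = 1e-6    # Region II / Region III boundary
BASELINE_CDF_LIMIT = 1e-4     # Region II only applies when baseline CDF is below this

GUIDANCE = {
    "I":   "No changes",
    "II":  "Small changes; track cumulative impacts",
    "III": "Very small changes; more flexibility with respect to baseline; track cumulative impacts",
}
RESTRICTIVENESS = {"III": 0, "II": 1, "I": 2}   # higher means more restrictive


def cdf_acceptance_region(baseline_cdf, delta_cdf):
    """Region of the CDF figure for one change (mean values, per reactor-year).

    A risk decrease or a neutral change (delta_cdf <= 0) is always Region III.
    """
    if delta_cdf >= DELTA_CDF_REGION_I:
        return "I"
    if delta_cdf >= DELTA_CDF_REGION_II:
        # Small increases are only acceptable when the plant is not already at
        # or above the 1e-4/ry subsidiary objective for total CDF.
        return "II" if baseline_cdf < BASELINE_CDF_LIMIT else "I"
    return "III"


def evaluate_change(baseline_cdf, prior_deltas, proposed_delta):
    """Evaluate a proposed licensing-basis change, honouring 'track cumulative impacts'.

    The change is classified twice: on its own against the current CDF (original
    baseline plus already-approved changes), and as part of the cumulative
    increase since the original baseline. The more restrictive region governs.
    """
    current_cdf = baseline_cdf + sum(prior_deltas)
    own_region = cdf_acceptance_region(current_cdf, proposed_delta)
    cumulative_delta = sum(prior_deltas) + proposed_delta
    cumulative_region = cdf_acceptance_region(baseline_cdf, cumulative_delta)
    region = max(own_region, cumulative_region, key=RESTRICTIVENESS.__getitem__)
    return {
        "current_cdf": current_cdf,
        "cumulative_delta": cumulative_delta,
        "own_region": own_region,
        "cumulative_region": cumulative_region,
        "region": region,
        "guidance": GUIDANCE[region],
    }


if __name__ == "__main__":
    baseline = 4.5e-5                 # at-power Level I CDF from the lecture
    approved_so_far = [4e-7, 3e-7]    # invented, already-approved changes
    for delta in (5e-7, 2e-6, 2e-5, -1e-6):
        r = evaluate_change(baseline, approved_so_far, delta)
        print(f"delta CDF {delta:+.1e}/ry: own region {r['own_region']}, "
              f"cumulative {r['cumulative_delta']:+.2e}/ry -> region {r['region']} ({r['guidance']})")
```

The first case is the instructive one: a 5x10^-7 /ry increase is Region III on its own, but after two earlier changes of similar size the cumulative increase is 1.2x10^-6 /ry, which is Region II and needs the corresponding justification. The regions are stated for mean values, so the inputs must come from a PRA whose uncertainties have been propagated rather than from point estimates.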
Risk-Informed Framework
Traditional “Deterministic” Approaches
• Unquantified Probabilities
• Design-Basis Accidents
• Structuralist Defense in Depth
• Can impose heavy regulatory burden
• Incomplete
Risk-Informed Approach
• Combination of traditional and risk-based approaches
• Rationalist Defense in Depth
Risk-Based Approach
• Quantified Probabilities
• Scenario Based
• Realistic
• Incomplete
• Quality is an issue
Homework
• Knief
– Problems: 14.16, 19, 24, 28
MIT OpenCourseWare http://ocw.mit.edu
22.091 Nuclear Reactor Safety
Spring 2008
For information about citing these materials or our Terms of Use, visit: http://ocw.mit.edu/terms .