PRA Methodology Overview 22.39 Elements of Reactor Design, Operations, and Safety Lecture 9
advertisement
PRA Methodology Overview
22.39 Elements of Reactor Design, Operations, and
Safety
Lecture 9
Fall 2006
George E. Apostolakis
Massachusetts Institute of Technology
Department of Nuclear Science and Engineering
1
PRA Synopsis
Figure removed due to copyright restrictions.
Futron Corp., International Space Station PRA, Dec. 2000
Department of Nuclear Science and Engineering
2
NPP End States
•
•
•
•
•
•
Various states of degradation of the reactor core.
Release of radioactivity from the containment.
Individual risk.
Numbers of early and latent deaths.
Number of injuries.
Land contamination.
Department of Nuclear Science and Engineering
3
The Master Logic Diagram (MLD)
• Developed to identify Initiating Events in a PRA.
• Hierarchical depiction of ways in which system
perturbations can occur.
• Good check for completeness.
Department of Nuclear Science and Engineering
4
MLD Development
• Begin with a top event that is an end state.
• The top levels are typically functional.
• Develop into lower levels of subsystem and component
failures.
• Stop when every level below the stopping level has the
same consequence as the level above it.
Department of Nuclear Science and Engineering
5
Nuclear Power Plant MLD
Excessive
Offsite
Release
Excessive
Release of
Core Material
Excessive
Core Damage
Insufficient
Reactivity
Control
Insufficient
Core-heat
Removal
Insufficient
RCS Inventory
Control
Excessive
Release of
Non-Core Material
RCS pressure
Boundary
Failure
Insufficient
RCS Heat
Removal
Insufficient
RCS Pressure
Control
Conditional
Containment
Failure
Insufficient
Isolation
Insufficient
Pressure &
Temperature
Control
Department of Nuclear Science and Engineering
Insufficient
Combustible
Gas Control
6
NPP: Initiating Events
• Transients
– Loss of offsite power
– Turbine trip
– Others
• Loss-of-coolant accidents (LOCAs)
– Small LOCA
– Medium LOCA
– Large LOCA
Department of Nuclear Science and Engineering
7
ILLUSTRATION EVENT TREE: Station Blackout
Sequences
LOSP
DGs
0.07 per yr
0.993
0.007
Seal
LOCA
EP Rec.
0
1
From: K. Kiper, MIT Lecture, 2006
EFW
0.95
0.99
0.01
0.05
0.94
0.06
Cont.
END
STATE
success
success
success
core melt
core melt w/ release
success
core melt
4.70E-06
core melt w/ release
success
core melt
1.50E-06
core melt w/ release
Courtesy of K. Kiper. Used with permission.
Department of Nuclear Science and Engineering
LOSP Distribution
Epistemic Uncertainties
5th
0.005/yr (200 yr)
Median
0.040/yr (25 yr)
Mean
0.070/yr (14 yr)
95th
0.200/yr ( 5 yr)
From: K. Kiper, MIT Lecture, 2006
Courtesy of K. Kiper. Used with permission.
Department of Nuclear Science and Engineering
Offsite Power Recovery Curves
9 0 t h P e rc e n t ile
5 0 t h P e rc e n t ile
Cumulative Non-Recovery of Power Frequency
1
1 0 t h P e rc e n t ile
0.9
0.8
0.7
0.6
0.5
0.4
0.3
0.2
0.1
0
0
2
4
6
8
10
12
14
16
18
20
22
24
T i m e A fte r P o w e r F a i l u re (H r)
Courtesy of K. Kiper. Used with permission.
From: K. Kiper, MIT Lecture, 2006
Department of Nuclear Science and Engineering
STATION BLACKOUT EVENT TREE
Courtesy of U.S. NRC.
Department of Nuclear Science and Engineering
11
NPP: Loss-of-offsite-power event tree
LOOP
Secondary
Heat Removal
Bleed
& Feed
Recirc.
Core
OK
OK
PDSi
PDSj
Department of Nuclear Science and Engineering
12
Human Performance
• The operators must decide to perform feed & bleed.
• Water is “fed” into the reactor vessel by the highpressure system and is “bled” out through relief valves
into the containment. Very costly to clean up.
• Must be initiated within about 30 minutes of losing
secondary cooling (a thermal-hydraulic calculation).
Department of Nuclear Science and Engineering
13
J. Rasmussen’s Categories of Behavior
•
•
•
Skill-based behavior: Performance during acts that, after a statement
of intention, take place without conscious control as smooth,
automated, and highly integrated patterns of behavior.
Rule-based behavior: Performance is consciously controlled by a
stored rule or procedure.
Knowledge-based behavior: Performance during unfamiliar situations
for which no rules for control are available.
Department of Nuclear Science and Engineering
14
Reason’s Categories
Unsafe acts
– Unintended action
• Slip
• Lapse
• Mistake
– Intended violation
Department of Nuclear Science and Engineering
15
Latent conditions
•
Weaknesses that exist within a system that create contexts for
human error beyond the scope of individual psychology.
•
They have been found to be significant contributors to incidents.
•
Incidents are usually a combination of hardware failures and
human errors (latent and active).
Department of Nuclear Science and Engineering
16
Reason’s model
Line
Fallible
Management
Psychological
Unsafe
Decisions
Deficiencies
Precursors
Acts
J. Reason, Human Error, Cambridge University Press, 1990
Department of Nuclear Science and Engineering
17
Pre-IE (“routine”) actions
Median
EF
Errors of commission
3x10-3
3
Errors of omission
10-3
5
A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on
Nuclear Power Plant Applications, Report NUREG/CR-1278, US Nuclear Regulatory
Commission, 1983.
Department of Nuclear Science and Engineering
18
Post-IE errors
•
Models still being developed.
•
Typically, they include detailed task analyses, identification of
performance shaping factors (PSFs), and the subjective assessment of
probabilities.
•
PSFs:
System design, facility culture, organizational factors,
stress level, others.
Department of Nuclear Science and Engineering
19
The ATHEANA Framework
ErrorForcing
Context
Plant Design,
Operations
and
Maintenance
Performance
Shaping
Factors
PRA
Logic
Models
Human Error
Error
Mechanisms
Plant
Conditions
Unsafe
Actions
Human Failure
Events
Risk
Management
Decisions
Scenario
Definition
NUREG/CR-6350, May 1996.
Department of Nuclear Science and Engineering
20
Risk Models
IE2
AA
BB
CC
DD
#
END-STATE-NAMES
1
OK
2 T => 4
TRAN1
3
LOV
4 T => 5
TRAN2
5
LOC
6
LOV
AA
A1
A2
BB
B-GATE1
B-GATE2
B-GATE3
EVENT-B1
B-GATE4
EVENT-B2
EVENT-B3
EVENT-B4
B-GATE5
EVENT-B6
EVENT-B5
B-GATE6
EVENT-B7
EVENT-B8
B-GATE7
EVENT-B9
EVENT-B10
EVENT-B11
Department of Nuclear Science and Engineering
21
FEED & BLEED COOLING DURING LOOP 1-OF-3 SI
TRAINS AND 2-OF-2 PORVS FOR SUCCESS
Courtesy of U.S. NRC.
Department of Nuclear Science and Engineering
22
HIGH PRESSURE INJECTION DURING LOOP 1-0F-3
TRAINS FOR SUCCESS
Courtesy of U.S. NRC.
Department of Nuclear Science and Engineering
23
Cut sets and minimal cut sets
• CUT SET: Any set of events (failures of components and
human actions) that cause system failure.
• MINIMAL CUT SET: A cut set that does not contain
another cut set as a subset.
Department of Nuclear Science and Engineering
24
Indicator Variables
1,If
E
j
is T
If E
j
is F
Xj =
0,
Important Note: Xk = X,
k: 1, 2, …
S
___
Venn Diagram
E
E
Department of Nuclear Science and Engineering
25
XT = φ(X1, X2,…Xn) ≡ φ(X)
φ(X) is the structure or switching function.
It maps an n-dimensional vector of 0s and 1s onto 0 or 1.
Disjunctive Normal Form:
N
X T = 1 − ∏ (1 − M i ) ≡
1
N
C Mi
1
Sum-of-Products Form:
N
N −1 N
XT = ∑ Mi − ∑
i =1
N +1 N
∑ M i M j + ... + (−1) ∏ M i
i =1 j =i +1
Department of Nuclear Science and Engineering
i =1
26
Dependent Failures: An Example
Component B1
B1 and B2 are identical
redundant components
Component B2
MCS: M1 = {XA} M2 = {XB1, XB2}
System Logic
XS = 1 – (1 – XA)(1 – XB1XB2) =
= XA + XB1 XB2 - XA XB1 XB2
Failure
Probability
P(fail) = P(XA) + P(XB1 XB2 ) –
P(XA XB1 XB2 )
Department of Nuclear Science and Engineering
27
Example (cont’d)
• In general, we cannot assume independent failures of
B1 and B2. This means that
P(XB1 XB2 ) ≥ P(XB1) P(XB2 )
• How do we evaluate these dependencies?
Department of Nuclear Science and Engineering
28
Dependencies
• Some dependencies are modeled explicitly, e.g., fires,
missiles, earthquakes.
• After the explicit modeling, there is a class of causes of
failure that are treated as a group. They are called
common-cause failures.
Special Issue on Dependent Failure Analysis, Reliability Engineering and
System Safety, vol. 34, no. 3, 1991.
Department of Nuclear Science and Engineering
29
The Beta-Factor Model
• The β -factor model assumes that commoncause events always involve failure of all
components of a common cause component
group
• It further assumes that
λ CCF
β=
λ total
Department of Nuclear Science and Engineering
30
R
D
R
G
IP
EN
TR
EL
TO
IS
S
EA
C
ER
BR
AK
ER
S
M
AT
O
BW SAF
T
ET
O
O
R
R
R
Y/
SA
S
V
AL
FE RE
VE
TY LIE
F
S
/R
EL PU
M
IE
P
F
VA S
LV
R
H
ES
R
P
C
U
O
M
N
PS
SI
T
SP
PU
R
AY MP
S
PU
AF
M
PS
SW W
/C PU
M
C
PS
W
PU
M
PS
PW
R
GENERIC BETA FACTOR
(MEAN VALUE)
Generic Beta Factors
0.2
0.18
0.16
0.14
0.12
Average
0.1
0.08
0.06
0.04
0.02
0
Department of Nuclear Science and Engineering
31
Data Analysis
• The process of collecting and analyzing information in
order to estimate the parameters of the epistemic PRA
models.
• Typical quantities of interest are:
•
•
•
•
•
Initiating Event Frequencies
Component Failure Frequencies
Component Test and Maintenance Unavailability
Common-Cause Failure Probabilities
Human Error Rates
Department of Nuclear Science and Engineering
32
General Formulation
XT = φ(X1,…Xn) ≡ φ(X)
N
N
1
1
X T = 1 − ∏ (1 − M i ) ≡ C M i
N
N −1 N
N +1 N
XT = ∑ Mi − ∑ ∑ Mi M j + ... + (−1)
i =1
i =1 j =i +1
∏ Mi
i =1
XT : the TOP event indicator variable (e.g., core melt, system failure)
Mi : the ith minimal cut set (for systems) or accident sequence (for core
melt, containment failure, et al)
Department of Nuclear Science and Engineering
33
TOP-event Probability
N
P (X T ) = ∑ P(M i ) + K + (− 1)
N +1
1
⎛N
⎞
P⎜ ∏ M i ⎟
⎝ 1
⎠
N
P(XT ) ≅ ∑ P (Mi )
Rare-event approximation
1
The question is how to calculate the probability of Mi
P ( M i ) = P ( X ik ... X im )
Department of Nuclear Science and Engineering
34
RISK-SIGNIFICANT INITIATING EVENTS
Period
Number of
Events
Mean
Frequency
1998 – 2004
2120
7.57E-1
BWR General Transients
1997 – 2004
699
8.56E-1
PWR General Transients
1998 – 2004
1421
7.10E-1
Loss of Feedwater
1993 – 2004
188
9.32E-2
Loss of Heat Sink
1995 – 2004
259
1.24E-1
BWR Loss of Heat Sink
1996 – 2004
154
1.88E-1
PWR Loss of Heat Sink
1991 – 2004
105
9.23E-2
Loss of Instrument Air (BWR)
1994 – 2004
19
7.60E-3
Loss of Instrument Air (PWR)
1990 – 2004
17
1.19E-2
Loss of Vital AC Bus
1988 – 2004
43
2.98E-2
Loss of Vital DC Bus
1988 – 2004
3
2.35E-3
Stuck Open SRV (BWR)
1993 – 2004
14
2.07E-2
Stuck Open SRV (PWR)
1988 – 2004
2
2.30E-3
Steam Generator Tube Rupture
1988 – 2004
3
3.48E-3
Very Small LOCA
1988 – 2004
5
3.92E-3
Risk-Significant Initiating Event
General Transients
Trend
Department of Nuclear Science and Engineering
P. Baranowsky, RIODM Lecture, MIT, 2006
Courtesy of P. Baranowsky. Used with permission.
35
INITIATING EVENT TRENDS
PWR General Transients
BWR General Transients
5
5
4
BWR general transients, and 90% intervals
Maximum likelihood estimate (n/T) (baseline period)
90% interval (prediction limits)
Fitted line
Events / reactor critical year
Events / reactor critical year
PWR general transients, and 90% intervals
Maximum likelihood estimate (n/T) (baseline period)
90% interval (prediction limits)
Fitted line
3
2
1
0
4
3
2
1
0
1988
1990
1992
1994
1996
1998
2000
2002
Year
Log model p-value <= 0.00005
2004
1988
PWR Loss of Heat Sink
1992
1994
1996
1998
2000
2002
Year
2004
BQPL Nov. 1, 2005
BWR Loss of Heat Sink
0.5
1.2
PWR loss of heat sink, and 90% intervals
Maximum likelihood estimate (n/T) (baseline period)
90% interval (prediction limits)
Fitted line
0.4
0.3
0.2
0.1
BWR loss of heat sink, and 90% intervals
Maximum likelihood estimate (n/T) (baseline period)
90% interval (prediction limits)
Fitted line
1.0
Events / reactor critical year
Events / reactor critical year
1990
Log model p-value <= 0.00005
PQPL Nov. 1, 2005
0.8
0.6
0.4
0.2
0.0
0.0
1988
Log model p-value = 0.020
1990
1992
1994
1996
Year
1998
2000
2002
2004
PLPL Nov. 9, 2005
1988
1990
Log model p-value <= 0.00005
1992
1994
1996
Year
1998
2000
2002
2004
BLPL Nov. 1, 2005
Courtesy of P. Baranowsky. Used with permission.
P. Baranowsky, RIODM Lecture, MIT, 2006
Department of Nuclear Science and Engineering
36
INITIATING EVENTS INSIGHTS
• Most initiating events have decreased in
frequency over past 10 years.
• Combined initiating event frequencies are 4 to 5
times lower than values used in NUREG-1150
and IPEs.
• General transients constitute majority of
initiating events; more severe challenges to plant
safety systems are about one-quarter of events.
P. Baranowsky, RIODM Lecture, MIT, 2006
Courtesy of P. Baranowsky. Used with permission.
Department of Nuclear Science and Engineering
37
ANNUAL LOOP FREQUENCY TREND
Occurrence Rate
(per reactor critical year)
0.25
0.20
0.15
0.10
0.05
0.00
97-02 Low er Bound
Department of Nuclear Science and Engineering
P. Baranowsky, RIODM Lecture, MIT, 2006
2004
97-02 Upper Bound
2003
97-02 Trend
2002
86-96 Upper Bound
2001
86-96 Trend
2000
1999
1998
1997
1996
1995
1994
1993
1992
1991
1990
1989
1988
1987
1986
Yearly
86-96 Low er Bound
38
Courtesy of P. Baranowsky. Used with permission.
ANNUAL LOOP DURATION TREND
1000.00
Duration (hrs.)
100.00
10.00
1.00
0.10
0.01
2004
2003
2002
2001
2000
1999
1998
1997
1996
1995
1994
5% Low er Bound
Trend 1997-2003
Department of Nuclear Science and Engineering
P. Baranowsky, RIODM Lecture, MIT, 2006
1993
1992
1991
1990
1989
1988
1987
1986
1985
Trend 1986-96
Observed w ith Bounds
95% Upper Bound
95% Upper Bound
5% Low erBound
Courtesy of P. Baranowsky. Used with permission.
39
LOOP FREQUENCY INSIGHTS
• Overall LOOP frequency during critical operation has
decreased over the years (from 0.12/ry to 0.036/ry)
• Average LOOP duration has increased over the years:
– Statistically significant increasing trend for
1986–1996
– Essentially constant over 1997–2004
• 24 LOOP events between 1997 and 2004; 19 during the
“summer” period
• No grid-related LOOP events between 1997 and 2002; 13 in
2003 and 2004
• Decrease in plant-centered and switchyard-centered LOOP
events; grid events are starting to dominate
Department of Nuclear Science and Engineering
P. Baranowsky, RIODM Lecture, MIT, 2006
40
Courtesy of P. Baranowsky. Used with permission.
SYSTEM RELIABILITY STUDY RESULTS
STUDY
MEAN
UNRELIABILITY
AFW
(1987–2004)
5.19E-4
EDG
(1997–2004)
2.18E-2
HPCI
(1987–2004)
6.25E-2
HPCS
(1987–2004)
9.48E-2
HPI
(1987–2004)
1.09E-3
IC
(1987–2004)
2.77E-2
RCIC
(1987–2004)
5.18E-2
UNPLANNED
DEMAND
TREND
FAILURE RATE
TREND
N/A
N/A
Department of Nuclear Science and Engineering
P. Baranowsky, RIODM Lecture, MIT, 2006
UNRELIABILITY
TREND
Courtesy of P. Baranowsky. Used with permission.
41
PWR SYSTEM RELIABILITY STUDIES
AFW Unavailability (FTS)
0.030
0.0014
EDG unavailability (no recov.) (FTS model) and 90% intervals
Fitted model
90% confidence band
0.020
0.015
0.010
0.005
AFW unavailability (FTS model) and 90% intervals
Fitted model
90% confidence band
0.0012
0.025
AFW unavailability (FTS model)
EDG unavailability (no recov.) (FTS model)
EDG Unavailability (FTS)
0.000
0.0010
0.0008
0.0006
0.0004
0.0002
0.0000
1997
1998
1999
2000
2001
2002
2003
Fiscal Year
Log model p-value = 0.00062
2004
1988
HPI Unreliability (8 hr mission)
1990
1992
1994
1996
1998
2000
Fiscal Year
Log model p-value = 0.44
U0nrL Aug. 31, 2005
2002
2004
U0L Aug. 30, 2005
AFW Unreliability (8 hr mission)
0.0040
0.007
AFW 8-hour unreliability and 90% intervals
Fitted model
90% confidence band
HPI 8-hour unreliability (CN) and 90% intervals
Fitted model
90% confidence band
0.006
0.005
AFW 8-hour unreliability
HPI 8-hour unreliability (CN)
0.0032
0.004
0.003
0.002
0.0024
0.0016
0.0008
0.001
0.0000
0.000
1988
Log model p-value = 0.029
1990
1992
1994
1996
Fiscal Year
1998
2000
2002
2004
U8L Jan. 31, 2006
1988
Log model p-value = 0.23
1990
1992
1994
1996
Fiscal Year
1998
2000
2002
2004
U8L Oct. 11, 2005
Courtesy of P. Baranowsky. Used with permission.
P. Baranowsky, RIODM Lecture, MIT, 2006
Department of Nuclear Science and Engineering
42
PWR SYSTEM INSIGHTS
•
EDG
– EDG start reliability much improved over past 10 years.
– Failure-to-run rates lower than in most PRAs.
•
AFW
– Industry average reliability consistent with or better than Station
Blackout and ATWS rulemaking.
– Wide variation in plant specific AFW reliability primarily due to
configuration.
– Failure of suction source identified as a contributor (not directly
modeled in some PRAs).
•
HPI
– Wide variation in plant specific HPI reliability due to configuration.
– Various pump failures are the dominant failure contributor.
P. Baranowsky, RIODM Lecture, MIT, 2006
Courtesy of P. Baranowsky. Used with permission.
Department of Nuclear Science and Engineering
43
BWR SYSTEM RELIABILITY STUDIES
RCIC Unavailability (FTS)
HPCI Unreliability (8 hr mission)
0.08
0.40
HPCI 8-hour unreliability and 90% intervals
Fitted model
90% confidence band
RCIC unavailability (FTS model) and 90% intervals
Fitted model
90% confidence band
RCIC unavailability (FTS model)
0.35
HPCI 8-hour unreliability
0.30
0.25
0.20
0.15
0.10
0.06
0.04
0.02
0.05
0.00
0.00
1988
1990
1992
1994
1996
1998
2000
Fiscal Year
Log model p-value = 0.0011
2002
2004
1988
HPCS Unreliability (8 hr mission)
1990
1992
1994
1996
1998
2000
Fiscal Year
Log model p-value = 0.11
U8L Oct. 11, 2005
2002
2004
U0L Sept. 1, 2005
RCIC Unreliability (8 hr mission)
0.32
0.25
HPCS 8-hour unreliability and 90% intervals
Fitted model
90% confidence band
0.28
RCIC 8-hour unreliability and 90% intervals
Fitted model
90% confidence band
0.20
RCIC 8-hour unreliability
HPCS 8-hour unreliability
0.24
0.20
0.16
0.12
0.08
0.15
0.10
0.05
0.04
0.00
0.00
1988
p-value = 0.41
1990
1992
1994
1996
Fiscal Year
1998
2000
2002
2004
U8 Oct. 11, 2005
1988
Log model p-value = 0.14
1990
1992
1994
1996
Fiscal Year
1998
2000
2002
2004
U8L Oct. 11, 2005
P. Baranowsky, RIODM Lecture, MIT, 2006
Courtesy of P. Baranowsky. Used with permission.
Department of Nuclear Science and Engineering
44
BWR SYSTEM INSIGHTS
•
HPCI
– Industry-wide unreliability shows a statistically significant
decreasing trend.
– Dominant Failure: failure of the injection valve to reopen during
level cycling.
•
HPCS
– Industry average unreliability indicates a constant trend.
– Dominant Failure: failure of the injection valve to open during
initial injection.
•
RCIC
– Industry average unreliability indicates a constant trend.
– Dominant Failure: failure of the injection valve to reopen during
level cycling.
Courtesy of P. Baranowsky. Used with permission.
P. Baranowsky, RIODM Lecture, MIT, 2006
Department of Nuclear Science and Engineering
45
COMMON-CAUSE FAILURE (CCF) EVENTS
•
Criteria for a CCF Event:
– Two or more components fail or are degraded at the same plant
and in the same system.
– Component failures occur within a selected period of time such
that success of the PRA mission would be uncertain.
– Component failures result from a single shared cause and are
linked by a coupling mechanism such that other components in the
group are susceptible to the same cause and failure mode.
– Equipment failures are not caused by the failure of equipment
outside the established component boundary.
P. Baranowsky, RIODM Lecture, MIT, 2006
Courtesy of P. Baranowsky. Used with permission.
Department of Nuclear Science and Engineering
46
CCF OCCURRENCE RATE
0.40
0.35
Occurrence Rate
0.30
0.25
0.20
0.15
0.10
0.05
0.00
1980
1985
1990
1995
2000
2005
Fiscal Year
Yearly Rate
Long-term Trend
P. Baranowsky, RIODM Lecture, MIT, 2006
Short-term Trend
95% Bound
5% Bound
Courtesy of P. Baranowsky. Used with permission.
Department of Nuclear Science and Engineering
47
ADDITIONAL CCF GRAPHS
Coupling Factors - Complete CCF Events
Environment
14.2%
Operations
13.7%
Maintenance
28.8%
Department of
Nuclear
Hardware
43.4%
P. Baranowsky, RIODM Lecture, MIT, 2006
Science and Engineering
Courtesy of P. Baranowsky. Used with permission.
48
