EXPERIENCE ON SHUTDOWN PSA AND RISK MONITORING STRATEGY IN TEPCO GROUP

Transcription

1 EXPERIENCE ON SHUTDOWN PSA AND RISK MONITORING STRATEGY IN TEPCO GROUP Toshiteru Saito 1, Koichi Miyata 1 and Tatsuya Taminami 2 1 Nuclear Engineering Department, TEPCO SYSTEMS CORPORATION, Tokyo, Japan 2 Nuclear Power Engineering Quality & Safety Management Department, TOKYO ELECTRIC POWER COMPANY, Tokyo, Japan 1. Introduction At an overseas nuclear power plants, maintenance of some safety systems is carried out during plant operation. In Japan, most of maintenance activity is conducted during plant shutdown which is required by nuclear regulation. Therefore, shutdown risk changes greatly due to complicated configuration patterns. Under these circumstances, rational and safe maintenance is being discussed in Nuclear and Industrial Safety Agency (NISA). The application of risk information is considered to be one of solutions to realize rational and safe maintenance. In parallel, various guidelines necessary for risk information application are being prepared by Atomic Energy Society of Japan (AESJ). Similar activities are performed in U.S. As described in technical report of Electric Power Research Institute (EPRI) [1], Entergy s River Bend nuclear station uses shutdown risk monitor based on EOOS to improve safety and to shorten outage length. With the EOOS shutdown model in place, staff can evaluate the outage schedule variation quickly and review an outage-wide safety within a few minutes. In Japan, a risk evaluation of nuclear power plant has been carried out in Periodic Safety Review (PSR) which is performed every 10 years Probabilistic Safety Assessment (PSA). After 2001, shutdown risk evaluation has been added in PSR activity. Each of these evaluations considers only internal events (i.e. transients, LOCA, LOPA). Up to now, TEPSYS has conducted shutdown PSA for 12 plants out of 17 plants of Tokyo Electric Power Company (TEPCO), and various risk information has been obtained. However, these evaluations are insufficient for representation of shutdown risk because these models are only for standard outage schedules. Therefore, development of shutdown risk monitor is considered indispensable in Japan especially. 2. Results of shutdown PSA 2.1 Difference of facilities TEPCO has 17 BWRs which are categorized into four reactor types of BWR3,4,5 and ABWR. Table 1 shows the difference of safety related systems among each reactor type. Table 1 Difference of safety related systems among each reactor type Reactor type BWR3 BWR4 BWR5 ABWR Heat removal system SHC 1 Injection system CS 2 (E) (E):Emergency system MUWC 2(N) (N):Normal system RHR 2 CS 2(E) LPCI 2(E) MUWC 2(N) RHR 2 HPCS 1(E) LPCS 1(E) LPCI 3(E) MUWC 3(N) RHR 2 HPCF 2(E) LPCI 3(E) MUWC 3(N) As shown in this table, characteristic of reactor type difference appears mostly on injection systems. BWR3 has injection systems of 2 emergency (denoted E) and 2 normal (denoted N) ones. On the other hand, injection systems of BWR5 and ABWR are consists of 5 emergency and 3 normal systems; more redundant than BWR3 and 4.

2 The authors have experienced shutdown risk evaluation for all the reactor types above. 2.2 POS slice Even if some changes exist in plant parameters during plant operation, there is little difference in system configuration. Consequently, only one plant state is considered when at-power PSA is done. On the other hand, during outage, plant operational state (POS) changes with configuration, decay heat level, reactor water level and maintenance condition of essential service water (ESW) intake channel. With these changes, success criteria, time margin to core damage and combination of active equipment change. Therefore, in shutdown PSA, POS is defined according to these characteristics for economic evaluation. Table 2 shows a sample of typical POS slice in BWR plants. Table 2 Sample of typical POS slice POS Plant state Reactor water level Unavailable system S Reactor cold shutdown Normal - A Reactor vessel open (before refueling) Normal - B Refueling (pool gate open) B-1 Full System B B-2 Full System A C Reactor vessel open (after refueling) Normal System A D Plant start up preparation Normal Evaluation result Figure 1 shows the evaluation results of shutdown PSA of TEPCO 12 plants. This shows the maximum and the minimum CDF out of each POS (denoted,, respectively) and the average over outage (denoted ). CDF(/outage) M ax. M in. Ave. 1.0E-16 BWR3-1 BWR4-1 BWR4-2 BWR5-1 BWR5-2 BWR5-3 BWR5-4 BWR5-5 Nuclear Power Plant Figure 1 Evaluation results of shutdown PSA in TEPCO 12 plants The average core damage frequencies (CDFs) is about (/outage), and there is little difference among the reactor types. But, the minimum CDF in BWR3 and 4 is smaller by 1 order in comparison with BWR5 and ABWR. This tendency is caused by multitude of injection systems, which means that more injection systems can decrease CDF. Figure 2 shows evaluation results of each POS in representative nuclear plants. BWR5-6 BWR5-7 BWR5-8 ABWR

3 CDF/outage BWR3 BWR4 BWR5 ABWR 1.0E-16 S A B C D Total POS Figure 2 Evaluation results of each POS in representative nuclear plant About POS-S, CDF of BWR3 is larger than those of other reactor types. This is because one emergency diesel generator (EDG) is out of service in BWR3. When a loss of power accident occurs, injection to a reactor and decay heat removal becomes inoperable with single failure of EDG, and probability to core damage increases. Looking into POS-A, CDF of ABWR is larger than those of other reactor types. This is because EDG and injection systems maintenance begins early and time margin to recovery for an abnormal event is short due to low water level. As a result, CDF becomes bigger than that of BWR5 by about 3 orders. As for POS-B, CDF of BWR5 is large in comparison with other reactor types. Water injection systems such as HPCS and MUWC become out of service for maintenance in this period, and there is only 2 LPCI systems remaining for injection function. Loss of decay heat removal function, with failure of reactor injection, becomes the biggest contributor to CDF. As a result, CDF of BWR5 becomes about 2 orders bigger than that of BWR3. About POS-C, CDFs are large in all reactor types. In this period, operation to decrease reactor water level from filled well level to normal water level is performed. If operators fail to recognize abnormal drop in water level, core damage would occur. Furthermore, one division of safety system is out of service due to performance of ESW intake maintenance and reactor water level is normal for this period, so if loss of Residual Heat Removal (RHR) system or loss of power supply occur, it could contribute to core damage due to short time margin to recovery for an abnormal evens. Because of these conditions, CDF of POS-C is evenly high. On the other hand, CDF is low in all reactor types in POS-D. This is because that most of safety system become in service with the end of ESW intake maintenance, although reactor water level is normal. In summary, except that the CDF of POS-C during which reactor water level is normal is relatively large in any reactor type, shutdown risk is influenced by variation in outage schedule rather than a difference in plant design. 2.4 Comparison with CDF during power operation Figure 3 shows comparison of plant shutdown CDF and plant operating CDF with the unit of per day except for total CDF. BWR3 BWR4 At-power At -power S B1 B1 B2 B2 B3 B3 B3 B4 C C C D1 D1 D2 T otal POS S A A B1 B1 B1 B1 B1 B1 B2 B2 B2 B3 B3 B3 B3 B3 B3 C C C D D D D T ot al P OS

4 BWR5 ABWR S A B1 B1 B1 B1 B1 B2 B2 B3 B3 C C C D1 D1 D2 D2 T otal P OS At -power S A A B1 B1 B1 B1 B2 B2 B2 B2 B2 B2 C C C D1 D1 D1 D2 D2 T otal P OS At-power Figure 3 Comparison of plant shutdown CDF and plat operating CDF As for total CDF (notes: unit is per year), shutdown CDF is lower than at-power CDF for all plant types. However, if we look into detailed shut down risk distribution of BWR5 and ABWR, it happens that the shutdown CDF is higher than at-power CDF in some period of outage. As shown in BWR5, shutdown CDF of POS-B is higher than at-power CDF. The reason is already described above; only 2 LPCI is available. The number of systems to prevent core damage dominates CDF extremely. In ABWR, shutdown CDF of POS-A is higher than at-power CDF. Usually, maintenance of safety systems such as EDG and water injection systems is performed after well filled up with water; after POS- B. But, in this outage schedule, maintenance of these systems is started early. The plant condition of this POS is normal water level with high decay heat level. Therefore, CDF becomes high because there is little time margin for accident mitigation and many safety systems are out of service. Furthermore, shutdown CDF of POS-C is higher than at-power CDF in ABWR, too. In this period, an operator performs operation to decrease reactor water level from filled well level to normal water level during maintenance of single ESW intake channel. Consequently, if operators fails in recognition of an abnormal water level decrease, the possibility to the core damage becomes high. In this POS, CDF of ABWR exceeds that of at-power, whereas, in the other plants, shutdown CDF does not exceed at-power CDF. But still CDF for POS-C is relatively higher than those for other POS. Therefore, POS-C is found to be high risk period without depending on a reactor type. 2.5 Lessons Learned from shutdown PSA As shown above, although difference in plant design does not have large sensitivity to shutdown risk, risk changes greatly with plant condition of reactor water level, decay heat level and safety systems availability. Even if it is in plant outage, there is a case that shutdown risk exceeds at-power risk due to configuration change. Based on these lessons learned, following activities are found to be sensitive to shutdown risk. (1) Availability of MUWC Condensate Make Up Water (MUWC) pumps, which needs no support system except for electric power, are not affected by ESW water intake channel maintenance, and are available as one of injection system throughout outage. Therefore, management to minimize MUWC pumps maintenance activity is effective. (2) Recognition of reactor water level During outage, reactor water level changes greatly. In the case of plant operation, when reactor level abnormally drops, operators can recognize it by alarms. But during outage, because it is very likely that these monitoring instrumentations are out of service, probability of failure to recognize water drain down increases. Therefore, the establishment of alternative water level monitor or frequent water level monitoring by operators are effective. Injection systems in relatively new plant such as BWR5 and ABWR are more multiplexed. Consequently, at-power risk is extremely low. However, shutdown risk changes with reactor water

5 level, decay heat level and state of safety system greatly. For this reason, TEPCO recognizes that it is necessary to manage shutdown risk well so that instantaneous shutdown risk can not exceed at-power risk. In other words, consistent risk management of nuclear plants are important irrespective of plant operating state. 3 Introduction of risk monitor The authors understand that consistent risk management throughout outage is important for improvement in safety of nuclear power plant. Introduction of risk- informed regulation is actively discussed now in Japan, and nuclear industry feels the necessity of risk evaluation, its application and establishment of framework for execution. Under these circumstances, TEPCO SYSTEMS; subsidiary to TEPCO, developed risk monitor FT- FREE [2]. Figure 4 shows sample output of the risk monitor. Reactor water level CDF results Equipment state Figure 4 Sample output of the risk monitor Recently TEPCO has made its policy for introduction of risk monitor as follows; During 2006, pilot introduction in each nuclear power station; Fukushima dai-ich, dai-ni and Kashiwazaki-Kariwa. While feeding back the experience from pilot introduction, gradual introduction to all plant; total of 17 BWRs. In the future at-power risk monitor will be introduced for online maintenance evaluation. 4. Conclusion Figure 5 shows CDF change according to the plant configuration. Current situation is that at-power CDF is stable and shutdown risk fluctuate in which sometimes CDF exceeds at power CDF.

6 Current Future Average CDF per year Risk increase by OLM Risk decrease by out of service cancellation CDF CDF Operation Operation Figure 5 Change of CDF in plant operating and outage When, online maintenance is introduced in the future, maintenance of safety system is performed at power, it becomes possible quantitatively and objectively to evaluate risk with risk monitor, and to level the risk. The authors believe that the risk monitor becomes the effective measure for scientifically rational maintenance activity. 8. References [1] Bedell L.K.,et al., Development of Shutdown Probabilistic Safety Analysis (PSA) / Shutdown Equipment Out Of Service (EOOS) for River Bend Station, EPRI, Technical Report [2] Tomizawa S.,et al., Development of Safety Management Support Tool Using FT-FREE, PSA2002, pp.290, Detroit, MI, October, 2002.