Deterministic Safety Analyses for Human Reliability Analysis


Andrej Prošek
Reactor Engineering Division, Jožef Stefan Institute, Slovenia

Marko Čepin
Faculty of Electrical Engineering, University of Ljubljana, Slovenia

1 Introduction

The experience accumulated in the last few decades has shown that human factors play a significant role in the risk of system failures and accidents throughout the life cycle of a system. This explains the significant focus on human reliability analysis (HRA) and on its full integration within systematic risk analysis and reliability assessment procedures (Zio, 2009). A major problem in meeting this growing importance of HRA is the lack of empirical plant-specific data needed for the assessment of human reliability. In general, there are several information requirements for HRA, including the available time for diagnosis and correct execution of tasks, steps and actions (i.e. the time window for action) (Park et al., 2004). This information comes from the deterministic analysis. The time window for a human action actually represents the success criterion for the action. It represents the time interval in which operators have to perform the action so that the plant is put in a safer state, i.e. the plant is put into a scenario that leads to a safe state and not to an accident state.

To estimate the time windows for operator actions, the results of fast-running severe accident codes such as the MAAP code have been used in conventional probabilistic safety assessment (PSA). However, information from these is often too conservative to perform a realistic PSA for a risk-informed application (Han et al., 2007). In recent years a few comparative studies were performed to justify the use of MAAP4 for the PSA Level 1 analysis of advanced reactors (Butler et al., 2008; Park et al., 2004). In the comparison between MAAP4.07 and S-RELAP5 for the U.S. EPR reactor (Butler et al., 2008), MAAP4 demonstrated that it is a rather good simulator of nuclear plant transient trends. However, MAAP4's prediction of clad temperature magnitude is not sufficiently accurate to accept without compensation.
For example, shortly after steam generator dryout, MAAP4 predicted a much larger core heatup than S-RELAP5. Also, there are certain nuclear plant scenarios for which MAAP4 is clearly not applicable, such as the early transient of a large-break LOCA (at break sizes beyond the area of the largest attached pipe). In the study for the APR1400 (Advanced Power Reactor) (Park et al., 2004), a comparison between MAAP4.03 and RELAP5/MOD3.2.2 was done for a large break loss-of-coolant accident (LOCA). It was concluded that for a more mechanistic simulation of the initial stage of the LOCA using MAAP4.03, more detailed calculations of the primary system are required. Namely, for the break flow and the emergency core cooling flow rates, MAAP4.03 predicted considerably higher values in the initial stage than RELAP5/MOD. As a consequence, the two codes predicted different sequences for essentially the same initiating condition.

To reduce the undue conservatism, the use of a best-estimate thermal-hydraulic code has become an essential issue in the latest PSA. An example is the use of the MARS code for small break LOCA calculations of the Korea standard nuclear power plant (Han et al., 2007) and the use of the RELAP5/MOD3.2 code for LOCA calculations of RBMK-1500 (Kaliatka et al., 2007). Also, the PSA standard (ASME, 2002) recommends the use of a best-estimate code to improve the quality of a PSA. Severe accident codes are needed for simulation of phases with core damage (Leskovar & Mavko, 2006). Therefore, for the updated human reliability analysis the RELAP5/MOD3.3 best-estimate computer code (USNRC, 2006) was used. IJS-HRA (Institute Jožef Stefan - Human Reliability Analysis) serves as the example method (Čepin, 2008a) for quantification of human error probabilities of specific human actions.

The specified time windows are important for HRA to determine the likelihood of operator actions. The human error probability of a certain action is lower if operators have more time available.
In the control room of a nuclear power plant there is a team of operators, which is supervised by a shift supervisor. If operators, for example, have 10 or more minutes of additional time for action, it can be expected that colleagues or the shift supervisor can observe and correct a possible error of their colleague (Čepin, 2008b). Consideration of recovery causes a lower human error probability and may cause a different impact of human error on the overall probabilistic safety assessment results. The actual times needed for performing the action were assessed based on real simulator scenarios (Prošek & Čepin, 2007), while the determination of the time windows is the aim of this study. Calculations were performed for the scenarios in which human actions supplement safety system actuations: establishing auxiliary feedwater in case of a small or medium loss of coolant accident (LOCA), establishing auxiliary feedwater in case of transients, and manual actuation of the safety injection (SI) signal at LOCA. For the calculations, the qualified RELAP5 input model representing a two-loop pressurized water reactor, Westinghouse type, was used (Prošek et al., 2004).

2 Human Reliability Analysis within Probabilistic Safety Assessment

The operator actions are mostly only a backup for the automatic actuations of the safety systems, which mitigate the accident if an undesired initiating event occurs. IJS-HRA integrates some features of existing methods and some new features, such as the contribution of simulator experience, in order to consider the newest requirements and recommendations in the field and in order to be integrated in a modern computerized probabilistic safety assessment. More information about the method is given in (Čepin, 2008a). Only the feature important for the contents of this paper is mentioned here: quantification of human error probability (HEP) is performed with or without consideration of recovery. If the additional available time for action is larger than a determined time interval, e.g. 10 minutes, then recovery as an independent mode of verification is considered.
If the additional available time for action is shorter than the determined time interval, recovery is not considered. The additional available time for action (Ta) is defined as the difference between the time window of the action (Tw) and the actual time needed for performing the action (Tp), which is assessed based on real simulator scenarios: Ta = Tw - Tp. The time window of the human action actually represents the success criterion for the action. It represents the time interval in which operators have to perform the action so that the plant is put in a safer state, i.e. the plant is put into a scenario that leads to a safe state and not to an accident state. The actual time needed for performing the action is the realistic time in which operators perform the action, and it can be obtained from simulator experience.

The specified time windows are important for human reliability analysis for the following reason. The human error probability of a certain operator action is lower if operators have more time available. In the control room of a nuclear power plant there is a team of operators, which is supervised by a shift supervisor. If operators have 10 or more minutes of additional time for action, it can be expected that colleagues or the shift supervisor can observe and correct a possible error of their colleague. The IJS-HRA method assumes that if the difference between the time window in which the action has to be performed and the actual time needed for performing the action is 10 minutes or more, a recovery can be modeled for the investigated action. If the additional available time for action is shorter than the determined time interval, recovery is not considered. Consideration of recovery causes a lower human error probability and may cause a different impact of human error on the overall probabilistic safety assessment results.

The time window in which operators have to perform the action is obtained from deterministic safety analysis. Figure 1 shows the integration of probabilistic safety assessment and deterministic safety assessment for improvement of human reliability analysis. Full arrows represent dependencies between the items which are important for understanding this methodology. Dotted arrows in the figure represent dependencies between the items which are not important for this methodology, but exist as part of the processes of specific deterministic and probabilistic safety analysis in a nuclear power plant. The IJS-HRA method described can also be used integrated with methods other than deterministic safety analysis. In that case the parameters for HRA should be provided by methods other than the deterministic safety analysis presented in this paper.

Figure 1: Integration of probabilistic safety assessment and deterministic safety assessment for improvement of human reliability analysis.

3 Deterministic Analysis Methodology Description

The RELAP5 input model was applied to the selected scenarios, which were needed to update the HRA. RELAP5/MOD3.3 Patch 03 was used for the calculations. For the selected scenarios, the analysis determined the time windows for operator action. First, a brief description of the selected pressurized water reactor is given. The next section describes the success criteria for determination of the time windows. Then, the scenario is described for each of the three selected cases in which human actions supplement safety system actuations. The selected cases are (1) a small or medium LOCA requiring manual AFW start, (2) LOFW requiring a manual AFW start, and (3) a LOCA requiring manual actuation of the SI signal. Finally, the RELAP5 computer code and the RELAP5 input model are described.

3.1 Brief Description of Pressurized Water Reactor

In a typical commercial pressurized light-water reactor, the core inside the reactor vessel creates heat, pressurized water in the primary coolant loop carries the heat to the steam generator, inside the steam generator heat from the primary coolant produces steam, and the steam line directs the steam to the main turbine, causing it to turn the turbine generator, which produces electricity. The unused steam is exhausted into the condenser, where it is condensed into water. The resulting water is pumped out of the condenser with a series of pumps, reheated and pumped back to the steam generators. The reactor's core contains fuel assemblies that are cooled by water circulated using electrically powered pumps. For more information refer to (Knief, 1992).

3.2 Description of General Core Damage Criterion

The typical core cooling success criteria for a Westinghouse-type PWR as defined in (Prior et al., 1994) were used. These criteria are defined in terms of the average fuel/clad temperature instead of the hot rod fuel/clad temperature, considering also the period of high temperature.
It is assumed that if the hottest core fuel/clad node temperature in the reactor core exceeds 923K for more than 30 minutes, or if the temperature exceeds 1348K, core damage may occur, which may lead to an accident state. Based on the core damage criteria the time windows were determined. Sensitivity studies were performed which include variations of the timing of the human action to determine the latest time at which operators have to perform the needed action so that the main plant parameters do not exceed their limits.

3.3 Scenarios Description

Three scenarios are described, which were needed for the updated human reliability analysis. In these scenarios the human actions supplement safety system actuations. In the first scenario the human action was establishing AFW in case of a small or medium LOCA, assuming that the high pressure safety injection (HPSI) system fails. In the second scenario the human action was establishing AFW in case of a loss of feedwater (LOFW) transient. In the third scenario the human action was actuation of the SI signal for the most limiting accident (excluding large break LOCA), i.e. small and medium LOCA. For each scenario the success criteria as defined in the original HRA analysis are described, while the acceptance criteria are the core damage criteria described in Section 3.2. Success criteria establish the minimum number or combinations of systems required to operate, during a specified period of time, to ensure that the critical safety functions are met within the limits of the acceptance criteria.
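The core damage criterion of Section 3.2, the variation of the action delay used to find the time window, and the IJS-HRA recovery rule Ta = Tw - Tp from Section 2 can be combined as in the following added example, which is not part of the original paper. The cladding temperature trace is a constructed surrogate rather than a RELAP5 result, and all function names, the surrogate's rates, the 60 s scan step and the Tp values are assumptions.

```python
# Added example, not code from the paper. The temperature trace is a
# constructed surrogate, NOT a RELAP5 calculation.

T_SUSTAINED_K = 923.0         # Section 3.2: limit for a sustained excursion
SUSTAINED_LIMIT_S = 30 * 60   # "for more than 30 minutes"
T_PEAK_K = 1348.0             # Section 3.2: limit for any excursion
RECOVERY_MARGIN_S = 10 * 60   # Section 2: recovery needs Ta of 10 min or more


def core_damage_time(times_s, temps_k):
    """Return the first sample time at which the criterion is met, else None.

    Assumption: the 30-minute clock counts one continuous excursion above
    923 K and resets when the temperature falls back to or below that limit.
    """
    above_since = None
    prev_t = prev_temp = None
    for t, temp in zip(times_s, temps_k):
        if temp > T_PEAK_K:
            return t
        if temp > T_SUSTAINED_K:
            if above_since is None:
                if prev_t is None:
                    above_since = t
                else:
                    # Linear interpolation of the upward crossing of 923 K.
                    frac = (T_SUSTAINED_K - prev_temp) / (temp - prev_temp)
                    above_since = prev_t + frac * (t - prev_t)
            if t - above_since > SUSTAINED_LIMIT_S:
                return t
        else:
            above_since = None
        prev_t, prev_temp = t, temp
    return None


def toy_clad_trace(action_delay_s, end_s=12000, dt_s=10):
    """Constructed surrogate for the hottest-node cladding temperature.

    600 K until core uncovery at 3000 s, heat-up at 0.25 K/s until the
    operator action, then cool-down at 0.5 K/s back to 600 K.
    """
    times, temps = [], []
    temp = 600.0
    for t in range(0, end_s + dt_s, dt_s):
        times.append(t)
        temps.append(temp)
        if t >= action_delay_s:
            temp = max(600.0, temp - 0.5 * dt_s)
        elif t >= 3000:
            temp += 0.25 * dt_s
    return times, temps


def time_window(simulate, delays_s):
    """Latest action delay (s) in the scan that avoids core damage, or None.

    Mirrors the sensitivity study: the delay of the human action is varied
    and each run is checked against the core damage criterion. The scan
    stops at the first failing delay (later delays are assumed worse).
    """
    latest = None
    for delay in delays_s:
        if core_damage_time(*simulate(delay)) is not None:
            break
        latest = delay
    return latest


def recovery_credited(tw_s, tp_s):
    """IJS-HRA rule: recovery is modeled if Ta = Tw - Tp is 10 min or more."""
    return (tw_s - tp_s) >= RECOVERY_MARGIN_S


if __name__ == "__main__":
    tw = time_window(toy_clad_trace, range(0, 9001, 60))
    print(f"time window Tw = {tw} s")
    for tp in (600, 5000):  # constructed times needed to perform the action
        print(f"Tp = {tp} s, Ta = {tw - tp} s, "
              f"recovery credited: {recovery_credited(tw, tp)}")
```

In the surrogate the 30-minute criterion, not the 1348 K limit, is what bounds the time window: a delay of 5520 s keeps the peak at 1230 K but leaves the cladding above 923 K for longer than 30 minutes.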

3.3.1 LOCA with Manual AFW System Actuation

In the case of a small or medium LOCA in a nuclear power plant with the assumption that the HPSI system fails, one of the means to cool the reactor is through secondary side depressurization, provided that the AFW system is operating. Normally, the AFW system is automatically put into operation when main feedwater is lost. If the AFW pumps do not start automatically, operators should intervene. The success criterion requires operation of one of three AFW pumps to maintain the flow in order to depressurize the primary system below the accumulator injection setpoint at 4.9MPa, and secondary steam relief via one steam generator power operated relief valve (SG PORV). Besides passive accumulators it was assumed that low pressure safety injection (LPSI) is available too. The parameter to indicate depressurization was the primary pressure, and the parameter to indicate core cooling was the average rod cladding temperature of the hottest node. As larger breaks can in any case depressurize through the break below the accumulator injection setpoint pressure after some time, AFW is not needed for depressurization. Therefore the analysis was performed for a spectrum of break sizes from 1.27cm to 15.24cm to determine for which break sizes the operation of one AFW pump is needed, and for those the time available to start AFW was determined based on a parametric study varying the delay of AFW start. The break was located in the cold leg between the reactor coolant pump and the reactor vessel (see Figure 1).

LOFW with Manual AFW System Actuation

The most limiting transient requiring operation of AFW is LOFW. The success criterion is that the capacity of one train of AFW is adequate to remove the decay heat, to prevent over-pressurization of the primary system, and to prevent uncovering of the core resulting in core heatup. Success for AFW start also assumes adequate steam relieving capability. The time at which the operator succeeds in starting the AFW pump was varied.
When the AFW pump started to inject into the secondary side, cooling of the secondary side caused the pressurizer pressure to drop below the pressurizer PORV closure setpoint and then below the maximum pressure capacity of the HPSI pump. The HPSI injection efficiently prevents further core uncovery.

LOCA with Manual SI Signal Actuation

The third considered scenario was LOCA without automatic SI signal actuation. This means that none of the safety systems, including the HPSI system, LPSI system and AFW system, was assumed available. The whole spectrum of LOCAs from 1.91cm to 15.24cm equivalent diameter break size was evaluated. For the most critical break regarding the time available to the operator, the manual SI signal was simulated at the time the core started to heat up and at the time the core average temperature approaches the core average temperature criterion.

3.4 Description of RELAP Computer Code

The RELAP5 computer code is one of the most widely used system thermal-hydraulic codes in the world. It is a light water reactor transient analysis code developed for the United States Nuclear Regulatory Commission (U.S. NRC) for use in rulemaking, licensing audit calculations, evaluation of operator guidelines, and as a basis for a nuclear plant analyzer. Specific applications of this capability have included simulations of transients in LWR systems, such as loss of coolant, anticipated transients without scram, and operational transients such as loss of feedwater, loss of offsite power, station blackout, and turbine trip. RELAP5 is a highly generic code that, in addition to calculating the behavior of a reactor coolant system during a transient, can be used for simulation of a wide variety of hydraulic and thermal transients in both nuclear and nonnuclear systems involving mixtures of steam, water, non-condensable, and solute. Since the release of RELAP5/MOD2 in 1985 the code has been continuously improved and extended. Several new models, improvements to existing models, and user conveniences have been added to the RELAP5/MOD3.3 Patch 3 release in

The RELAP5 hydrodynamic model is a one-dimensional, transient, two-fluid model for flow of a two-phase steam-water mixture that can contain non-condensable components in the steam phase and/or a soluble component in the water phase. The basic RELAP5 thermal-hydraulic model uses six equations: two mass conservation equations, two momentum conservation equations and two energy conservation equations. Closure of the field equations is provided through the use of constitutive relations and correlations. Heat structures provided in RELAP5 permit calculation of the heat transferred across solid boundaries of hydrodynamic volumes. Modeling capabilities of heat structures are general and include fuel pins or plates with nuclear or electrical heating, heat transfer across steam generator tubes, and heat transfer from pipe and vessel walls. The trip system consists of the evaluation of logical statements. The control system provides the capability to evaluate simultaneous algebraic and ordinary differential equations. The capability is primarily intended to simulate control systems typically used in hydrodynamic systems, but it can also model other phenomena described by algebraic and ordinary differential equations. The point reactor kinetics model can be used to compute power behavior in a nuclear reactor.
3.5 RELAP5 Input Model Description

To perform this analysis, the base RELAP5 input model of a pressurized water reactor was taken; it has been used for several analyses, including reference calculations for full scope simulator verification (Prošek et al., 2004; Parzer et al., 2003). A full two-loop plant input model has been used for the analysis. The model consists of 469 control volumes, 497 junctions and 378 heat structures with 2107 radial mesh points. In addition, 574 control variables and 405 logical conditions (trips) represent the instrumentation, regulation isolation, safety injection (SI) and auxiliary feedwater (AFW) triggering logic, steamline isolation, and so on. The secondary side is modeled up to the turbine.

Figure 2 shows the RELAP5 input model of the nuclear power plant. The input model mask has been created by the Symbolic Nuclear Analysis Package (SNAP) (APT, 2007). Important components are modeled, such as the reactor vessel (RV), pressurizer surge line (SL), pressurizer (PRZ) vessel, pressurizer spray lines and spray valves, pressurizer power operated relief valves (PORVs) and safety valves. Primary piping includes the hot leg (HL), the primary side of the steam generator by inlet and outlet plenum, between which a single pipe represents the U-tube bundle, the intermediate leg (IL) and the cold leg (CL) with the reactor coolant pump (RCP). Loops are symmetrical except for the pressurizer surge line and the chemical and volume control system connections layout (charging and letdown). The emergency core cooling system (ECCS) is modeled with the high pressure injection system (HPIS), accumulators and the low pressure injection system (LPIS). The parts of the steam generator secondary side are represented by the riser, separator and separator pool, downcomer and steam dome. Each loop of the main steamline has a main steam isolation valve (MSIV), five SG safety valves and one SG PORV. Turbine valve and steam dump (SD) flow is regulated by corresponding logic.
Main feedwater (MFW) piping is modeled up to the MFW pump, which is modeled as a time dependent junction. Auxiliary feedwater (AFW) piping is modeled from the pumps, which are modeled as time dependent junctions. The AFW system injects above the SG riser.

Figure 2: Nuclear power plant nodalization scheme, SNAP hydraulics component view.

In order to accurately represent the nuclear power plant behavior, a considerable number of control variables and general tables are part of the model. They represent protection, monitoring and simplified control systems used only during steady state initialization, as well as the following main plant control systems: (a) rod control system, (b) PRZ pressure control system, (c) PRZ level control system, (d) SG level control system, and (e) steam dump. It must be noted that the rod control system has been modeled for point kinetics. The reactor protection system was based on trip logic. It includes the reactor trip signal, safety injection signal, turbine trip signal, steam line isolation signal, MFW isolation signal, and AFW start signal.

3.6 RELAP5 Animated Model Description

The animation model for RELAP5 calculations was developed with SNAP (APT, 2007) and consists of several masks. By describing the animation model, the main systems modeled by RELAP5 as shown in Figure 1 are described. Three kinds of masks were created: masks of plant systems and components, plant signals and time sequence of events masks, and control systems masks. The reader should be aware that in addition to these masks the hydraulic components and control system (including logic trips) views are automatically generated by SNAP when importing the ASCII RELAP5 input model. In the hydraulic component view the nodalization layout is generated, usually requiring some manual editing. With the control system view the block diagrams of control variables (e.g. collapsed levels, pressure drops, heat losses, control systems) and trip cards (signals, setpoints etc.) are generated. Plant systems and components animation masks were created for the plant, the reactor vessel, the pressurizer with pressurizer relief tank, both steam generators (primary and secondary side), the emergency core cooling system, the main steam system, the main feedwater and the auxiliary feedwater system.
The masks were based on original plant drawings and the RELAP5 nodalization scheme. The signals masks were developed for the reactor trip, the turbine trip, the main feedwater no. 1 and 2 isolation, the main steamline no. 1 and 2 isolation, the auxiliary feedwater start and the reactor coolant pump trip. In addition, sequence of events masks were added for better understanding of the transient progression. Finally, the main control systems masks were developed for the rod control system, the pressurizer pressure control system, the pressurizer level control system, the steam generator level control system (both loops), the turbine power control (artificial), and the steam dump. A more detailed description of some representative masks, with figures showing how they look, is given in (Prošek & Mavko, 2011).

The following Figures 3 to 6 show the initial conditions at time 0s. Figure 3 shows the global plant mask using the fluid condition color map at time 0s. The bar with time shows the total calculation time. Namely, the steady state was run for 1,000s with the transient option to confirm that steady state was achieved. Blue and orange colors are for subcooled water and saturated steam, respectively, and green and red colors for saturated water and superheated steam, respectively. The global plant mask as such gives information on nodalization detail and shows important plant parameters like primary and secondary pressure, power, pressurizer level, steam generator level, etc. The status of pumps and valves is shown by color, green indicating an open valve and a running pump, and red the opposite. On the right side is the color map for core temperatures. Main plant parameters at normal operation are shown. It may be seen that the reactor power is 1994 MW. The level in the pressurizer is 56% and the narrow-range level in the steam generators is 69% (wide-range level 77%). The accumulators are filled with water, while at the top is nitrogen gas, which acts as the driving force.
The liquid in the reactor coolant system is subcooled. In the steam generators the bottom part is saturated liquid, while at the top is saturated steam, exiting to the turbine. None of the steam generator (SG) power operated relief valves (PORVs) and safety valves is open. Main steamline isolation valves (MSIVs) are open. Of the safety injection systems, high pressure safety injection (HPSI) and low pressure safety injection (LPSI) are not activated.

Figure 3: SNAP global animation mask for plant, showing fluid conditions and core temperature at 0s.

Figure 4 shows the detailed mask of the reactor vessel. The reactor vessel mask gives details about the phenomena in the reactor vessel, especially during uncovery. First of all, the geometry of the reactor vessel is shown in detail compared to the plant mask, in which separate volumes are not seen. On the left side, at the bottom, a description of the reactor vessel parts is given. Main parameters about total reactor power are presented, together with its fractions of fission and decay power. The cold leg (CL) flows which enter the reactor vessel and the hot leg (HL) flows exiting the reactor vessel are shown, while for flows inside the reactor vessel the arrows indicate the direction of the flow. Besides, the directions of flows are also shown. When the flow direction changes, the color changes (in our case green means normal flow direction and red the opposite direction). The position of the core level and the control rod position are also given. Core uncovery can be seen from the void fraction color map and also from the fluid level indicator, where 609 steps mean fully withdrawn control rods and 0 steps reactor scram. Two color maps are shown, one for the void fraction of the fluid inside the vessel and the temperature map showing the temperature of the core.

Figure 4: SNAP animation mask of reactor vessel at 0s.

Figure 5 shows the pressurizer with the pressurizer relief tank. It can be seen that the pressurizer is filled to two thirds and the system is at nominal pressure (15.5MPa). Two pressurizer power operated relief valves (PORVs) and two pressurizer safety valves are shown. It may also be seen that the safety valve loop seals are filled with water. Finally, no reactor coolant system mass was discharged to the pressurizer relief tank (PRT). To control the pressurizer pressure, the pressurizer proportional and backup heaters are used to increase pressure and the pressurizer sprays to reduce it. The artificial pressure control (valve) and the artificial level control (pump) do not exist in reality and they are off at the transient start. They are used to achieve the desired initial pressurizer pressure and level. The pressurizer mask is important for pressurizer pressure and level control, and for transients with emptying and filling of the pressurizer. One can clearly see the loop seal filled with water before the safety valves. Of the main plant parameters, pressures, temperatures and flows are shown. The flows shown are those through the surge line, sprays, PORVs and safety valves. The pressurizer level as measured in the plant is also shown. The mask is useful especially for heat-up events with over-pressurization.

Figure 6 shows the main steam system at time 0s, i.e. initial conditions. The steam generator masks end on the secondary side, where the main steam system mask starts. Shown are the main steamlines from the steam generator up to the turbine and steam dump system. Included are the main steam isolation valves, SG PORVs and safety valves. For each relief valve the flow and mass discharged are shown. Other parameters shown are steam flows, turbine flow, feedwater flow, auxiliary feedwater flow and steam dump flow. For each steam generator the total mass discharged, pressure and level are shown. Finally, turbine power is given.

Figure 5: SNAP animation mask of pressurizer at 0s.

Figure 6: SNAP animation mask of main steam system at 0s.

Figure 7 shows steam generator no. 1 in more detail. The mask for steam generator no. 2 is similar. Two color maps are shown, the void fraction color map on the left and the flow regime color map on the right. Each steam generator receives one half of the power generated by the primary system. The pressure in the steam generator is the saturation pressure. It may also be seen that there are almost 50 tons of mass in the steam generator secondary side. Steam generator U-tubes belong to the primary side. Inside them flows the primary coolant, which is cooled by secondary water. In this way 541kg of steam per second is generated. The steam flow is balanced with the main feedwater flow. The recirculation ratio is around 4. The circulation ratio of a steam generator is defined as the ratio between the total flowrate circulating in the riser and the steam flowrate at the outlet of the steam generator. It may also be seen that the primary side inlet temperature is 597K, and when the liquid leaves the steam generator it has a temperature of 560K. The primary flow through one loop is 4782kg/s. Looking at the flow regime color map, bubbly flow prevails in the steam generator U-tubes and in the downcomer of the steam generator. In the steam generator riser there is slug flow, indicating strong boiling, and steam is separated from water in the separator. In the dryers the steam is additionally dried. The inlets for main feedwater (J pipes) and auxiliary feedwater are also shown.

Figure 7: SNAP animation mask of steam generator no. 1 at 0s.

Finally, Figures 8 and 9 show the main and auxiliary feedwater systems. The main feedwater system mask shows piping from the main feedwater (MFW) pump, modeled as a time dependent junction, to the J-ring tubes in the steam generator. Shown are the control and isolation valves with their status, green indicating an open valve and red indicating a closed valve. The parameters shown are MFW control valve area, flow and temperature.
For each SG are shown main parameters like SG pressure and level, and steam flow.

The mask is useful when we are interested in the status of the feedwater system (pump running or not, control valve opening, status of feedwater isolation valves, and the value and temperature of the flow).

Figure 8: SNAP animation mask of main feedwater system at 0s.

Auxiliary feedwater (AFW) is a safety system and it is needed when main feedwater is lost or for startup and shutdown. From the mask shown in Figure 9 it can be seen that there are three AFW pumps. Two are motor driven AFW pumps, each injecting into one steam generator, and one is a turbine driven (TD) AFW pump, injecting into both steam generators through a header. Each pump is modeled by a time dependent junction. Besides the injecting flow path, the recirculation flow path to the condensate storage tank (CST) is also modeled. For each steam generator, parameters on SG pressure and level, main feedwater flow and steam flow are given. For each AFW pump the flow, temperature of the flow and integrated mass flow to each SG, recirculation flow and discharge pressure of the pumps are given. All values of parameters are shown at time 0s.

Figure 9: SNAP animation mask of auxiliary feedwater system at 0s.

4 Results

In the next three subsections the results for the selected scenarios are shown, based on which the time windows for operator actions were determined. The figures show the most important variables for understanding the scenario progression. The time available to perform the operator action was determined from the average core cladding temperature. Finally, the obtained time windows were compared to the actual times needed for performing the actions, which were assessed based on real simulator scenarios (Prošek & Čepin, 2007).

4.1 Calculations of LOCA with Manual Actuation of AFW

The spectrum of break sizes was analyzed to find the most limiting case. For the most limiting break regarding the time available, it was shown that operation of AFW is not enough if not supported by manual opening of the steam generator (SG) power operated relief valve (PORV). These two actions were assumed to be performed with the same time delay.

LOCA Break Spectrum Calculations

The results for a spectrum of break sizes are shown in Table 1 and Figures 9 through 12. Table 1 shows the sequence of main events. After break occurrence the reactor trips on low pressurizer pressure, and this is followed by turbine trip. The SI signal is actuated on the low-low pressurizer signal, which causes main feedwater isolation and LPSI pumps running with a 10s delay. Next, the reactor coolant pumps are tripped by the operator on the subcooling criterion. After turbine trip and steam dump closure the SG pressure started to increase, resulting in discharge of SG mass.

Figures 9 through 12 show the results for a spectrum of break sizes. From Table 1 and Figure 9 (left) it can be seen that breaks of 5.08cm and larger depressurize (through the break), after some time, when the pressure falls below the accumulator injection setpoint pressure of 4.93MPa. In this case, the AFW system is not needed for depressurization, as evidenced by the steam generator no. 1 wide-range level shown in Figure 12 (left) and the mass released through the steam generators power operated relief valves shown in Figure 12 (right). After the initial decrease in steam generator level and the opening of the steam generator power operated relief valve, the steam generator no. 1 pressure shown in Figure 11 (right) drops below the opening setpoint of the steam generator power operated relief valve. Therefore, steam generator no. 1 is not further emptied. The trends for steam generator no. 2 pressure and wide-range level are similar to those for steam generator no. 1 and are therefore not shown.

On the other hand, breaks of 2.54cm equivalent in diameter and smaller require reactor coolant system depressurization performed through secondary side depressurization. Because core heatup (Figure 10 (left)) occurs earlier for the 2.54cm break than for the 1.91cm and 1.27cm breaks, the 2.54cm break was identified as the most critical regarding the time available to start the AFW pump. Figure 9 (right), which shows reactor coolant system mass inventory, and Figure 12 (left), which shows the steam generator no. 1 wide-range level, confirm this finding. In the case of the 1.91cm and 1.27cm breaks, the reactor coolant system even repressurizes. However, the operator has more time before the reactor coolant system inventory is depleted, the steam generators are dried, and the core is uncovered and heated up.

Figure 12 (left) shows that for a break of 2.54cm (and smaller), the steam generators begin to dry out and their inventory is lost through the steam generators power operated relief valves (Figure 12 (right)). To establish cooling by the secondary side, the AFW system would be needed to fill at least one steam generator.

Event Break sizes Time (s) 1.27cm 1.91cm 2.54cm 5.08cm 7.62cm 15.24cm Break occurrence Rx trip signal generation turbine trip SI signal generation MFW isolation LPSI no. 1 and no. 2 pump running RCP 1 and 2 trip SG PORVs first discharge N.A. PRZ PORV no. 2 first discharge 8340 N.A. N.A. N.A. N.A. N.A. accumulator no. 1 injection N.A. N.A. N.A accumulator no. 2 injection N.A. N.A. N.A accumulator no. 1 isolation N.A. N.A. N.A accumulator no. 2 isolation N.A. N.A. N.A LPSI no. 1 and no. 2 first injection N.A. N.A. N.A. N.A
Table 1: Sequence of main events for LOCA calculations.

Figure 9: Reactor coolant system pressure (left) and reactor coolant system mass inventory (right) for a spectrum of LOCA break sizes.

Figure 10: Core cladding temperature (left) and core collapsed liquid level (right) for a spectrum of LOCA break sizes.

Figure 11: Mass discharged through break (left) and steam generator no. 1 pressure (right) for a spectrum of LOCA break sizes.

Figure 12: Steam generator no. 1 wide-range level (left) and mass discharged through steam generators power operated relief valves (right) for a spectrum of LOCA break sizes.

Figure 13: SNAP global animation mask for plant, showing void fraction and core temperature at 8000s for 2.54cm LOCA calculation.

Finally, Figure 13 shows the plant mask at 8000s for the 2.54cm LOCA calculation. It can be seen that the primary system is emptied and there is liquid only in the bottom of the reactor vessel. The rods are uncovered, which resulted in significant heatup. Both steam generators are dried, providing no heat sink for the primary side. The accumulators are full of water. However, the pressurizer pressure is higher than the accumulator injection setpoint. Finally, Figure 14 shows the steam generator no. 1 mask at 8000s for the 2.54cm LOCA calculation. The steam generator is completely empty, providing no heat sink for the primary side.

Figure 14: SNAP animation mask of steam generator no. 1 at 8000s for 2.54cm LOCA calculation.

4.1.2 LOCA Calculations of 2.54cm Break Size

As was explained in Section 4.1.1, the break size of 2.54cm was selected as the limiting case. To establish depressurization by cooling through the secondary side, one AFW pump is needed. It has already been mentioned that for the most limiting break regarding time available the AFW pump injection should be supported by manual opening of the steam generator power operated relief valve. However, as shown in Figure 15 (left), with AFW pump injection and automatic SG PORV operation the reactor coolant system could not be depressurized and the core heated up (see Figure 15 (right)). The reason is that the SG PORV is cycling to keep the pressure at the setpoint value and the mass discharged through the valves does not empty the steam generator (see Figure 16 (left)) for the considered AFW start time delays. With the AFW injection the steam generator is filled to normal level, and later the AFW is injected intermittently, following the cycling of the SG PORV. Depressurization of the reactor coolant system could be efficiently achieved by manual full opening of the SG PORV, provided that the steam generator level is maintained by the AFW system above the minimum level. Therefore two operator actions were considered in the LOCA analyses.

Figure 15: Reactor coolant system pressure (left) and core cladding temperature (right) for 2.54cm break size LOCA with AFW start delays.

Figure 16: Steam generator no. 1 wide-range level (left) and mass discharged through steam generator no. 1 power operated relief valve (right) for 2.54cm break size LOCA with AFW start delays.

Figure 17 shows the reactor vessel mask at 8000s for the 2.54cm LOCA calculation without AFW start delay. The steam generator shown in Figure 18 is full, but it cannot provide a heat sink due to empty U-tubes and insufficient liquid in the reactor vessel for natural circulation.

Figure 17: SNAP animation mask of reactor vessel at 8000s for 2.54cm LOCA calculation without AFW start delay.

Figure 18: SNAP animation mask of steam generator no. 1 at 8000s for 2.54cm LOCA calculation without AFW start delay.

4.1.3 LOCA Calculations of 2.54cm Break Size with Two Operator Actions

As can be seen from Table 2, six cases were analyzed for the selected 2.54cm break size. Case t0 was analyzed in order to determine how long cooling can last with the available steam generator inventory. In the cases t30 to t120 different delays of manual AFW pump no. 1 start and full steam generator no. 1 PORV opening were analyzed.

Case Operator action AFW start delay (min.) SG PORV full opening delay (min.) t0 Not available 0 t t t t t
Table 2: Operator actions delay for 2.54cm LOCA calculations.

Table 3 shows the time sequence of main events. Scenario t0 is different from scenarios t30 to t120, as it was performed with the intention of seeing how long it takes for steam generator no. 1 to dry out when the steam generator no. 1 PORV is opened. Initially only steam generator no. 1 was emptying until steamline isolation due to the fully open PORV. Due to secondary cooling the primary pressure dropped below the accumulator injection setpoint. The accumulator emptied in approximately 1100s. Later, no inventory replacement by water injection into the reactor coolant system is available, leading to core heatup. The results for scenario t0 showed that SG no. 1 dries out in approximately 40 minutes. When the accumulators stop injecting, steam generator no. 2 starts to heat up; therefore the PORV starts to cycle to control the steam generator pressure at the set value.

Analyzed cases Time (s) t0 t30 t50 t80 t100 t120 Break occurrence Rx trip signal generation turbine trip SI signal generation MFW isolation steamline isolation accumulator no. 1 injection accumulator no. 2 injection accumulator no. 1 isolation accumulator no. 2 isolation
Table 3: Sequence of main events for LOCA calculations.

In scenarios t30 to t120 the time available to the operators to start cooling was determined. The events are similar; however, they are time delayed. Until AFW pump no. 1 is started, the PORVs of both steam generators cycled. After full opening of the steam generator no. 1 PORV, the steam generator no. 2 PORV remains closed, as one steam generator is sufficient to cool the reactor. It is important to note that it takes approximately 5 to 10 minutes for cooling by the steam generator to reduce the pressure below the accumulator injection setpoint.

Figures 19 through 22, which show selected time trends, are the basis for determining the available time for operator actions. Figure 19 (left) shows that reactor coolant system depressurization with the steam generator no. 1 PORV fully open is effective in maintaining sufficient reactor coolant system mass inventory (see Figure 19 (right)) and preventing core heatup (see Figure 20 (left)), when the delay of the AFW pump start is not too large. The core uncovery shown in Figure 20 (right) is not too large. Following the AFW pump no. 1 injection, the reactor coolant system depressurized below the accumulator injection setpoint and the reactor coolant system started to fill, as shown in Figure 19 (right). Case t0 was analyzed in order to see how long the inventory in the steam generator is available for cooling through the fully open steam generator PORV. The steam generator is emptied in 40 minutes and the core started to heat up 25 minutes after steam generator no. 1 is emptied. In another 20 minutes the core temperature exceeds the criterion.

From Figure 21 (left) it can be seen that the steam generator no. 1 pressure started to drop at the time of full PORV opening. From Figure 21 (right) it can be seen that for cases t30 to t80 the steam generator no. 1 level is dropping approximately linearly and that cooling is sufficient, because the steam generator is not completely emptied. In cases t0, t100 and t120 both steam generators emptied below the minimum level needed for cooling and the core heatup was therefore unavoidable. When the steam generator PORV opens, it starts to discharge, causing the level to drop; AFW injection therefore starts, as shown in Figure 22 (left). From Figure 22 (right) it can be seen that after full steam generator no. 1 PORV opening the mass discharge rate initially increased and later stabilized when the pressure dropped to a stable value. It should also be noted that both steam generators emptied through the steam generator no. 1 PORV until main steamline isolation (see the nodalization shown in Figure 2). Main steamline isolation resulted from low steamline pressure after full steam generator no. 1 PORV opening. From case t100 it can be seen that if operator actions are performed immediately after the steam generators empty, further heatup could still be prevented. Based on the set criteria, 100 minutes are available to the operators.

Figure 19: Reactor coolant system pressure (left) and reactor coolant system mass inventory (right) for 2.54cm break size LOCA with manual opening of steam generator no.1 PORV.

Figure 20: Core cladding temperature (left) and core collapsed liquid level (right) for 2.54cm break size LOCA with manual opening of steam generator no.1 PORV.

Figure 21: Steam generator no. 1 pressure (left) and steam generator no. 1 wide-range level (right) for 2.54cm break size LOCA with manual opening of steam generator no.1 PORV.

Figure 22: Auxiliary feedwater pump no. 1 injected mass (left) and mass discharged through steam generators power operated relief valves (right) for 2.54cm break size LOCA with manual opening of steam generator no.1 PORV.

4.2 Calculations of LOFW with Manual Actuation of AFW

Delays of the AFW pump no. 1 start from 30 minutes to 70 minutes were simulated to determine the time window for manual AFW pump start (any AFW pump could be started). Table 4 shows the sequence of main events. The reactor trips on low steam generator level, followed by turbine trip. The SI signal is generated on low steamline pressure, which also actuates main steamline isolation. The reactor coolant pumps were tripped manually by the operator on the subcooling criterion. At the time when one AFW pump started to inject into the secondary side, cooling of the secondary side caused the pressurizer pressure to drop below the pressurizer PORV closure setpoint and then below the maximum pressure capacity of the HPSI pump (see Figure 23 (left)).

Scenario Time (s) Analyzed cases (AFW delay) 30 min. 40 min. 50 min. 60 min. 70 min. Main feedwater closure Rx trip signal generation Turbine trip Steam dump discharge SI signal generation Steam line 1 and 2 isolation RCP 1 and 2 trip AFW 1 start (by assumption) SG PORV first discharge HPSI pump injection start HPSI termination
Table 4: Sequence of main events for LOFW calculations.

Figures 23 through 26 show the important plant and safety variables that are factors in determining the time window. Parametric analyses were performed to determine how a delayed manual start of AFW pump no. 1 influences the satisfaction of the acceptance criteria described in Section 3.2. Figure 23 (left) shows that the reactor coolant system is not overpressurized. When one AFW pump starts to inject into the secondary side, cooling of the secondary side causes the pressurizer pressure to drop below the pressurizer PORV closure setpoint and then below the maximum pressure capacity of the HPSI pump. Figure 23 (right) shows the reactor coolant system mass inventory. Depletion occurs because of the pressurizer PORV discharge, but HPSI pump injection efficiently recovers the reactor coolant system mass. When the reactor coolant system mass is depleted to approximately one-third, the core starts to heat up, as shown in Figure 24 (left). The parametric analysis shows that the core heats up significantly when the AFW pump start is delayed more than 50 minutes. Figure 24 (right) shows the mass injected by the HPSI pump into the reactor coolant system, which is approximately balanced by the mass discharged through the pressurizer PORVs shown in Figure 25 (left). The operator terminates safety injection when the criteria are met.

Figures 25 (right) and 26 show the secondary-side parameters for steam generator no. 1, into which AFW is injected. Figure 25 (right) shows the steam generator no. 1 pressure. At turbine trip, the pressure initially increases and then starts to slowly drop during steam dump operation. On SI signal generation at 617 seconds, the pressure again increases to the steam generator no. 1 PORV setpoint and then oscillates because of steam generator no. 1 PORV cycling until the flow of AFW is started. Figure 26 (left) shows the steam generator no. 1 wide-range level. The level starts to increase when the AFW flow is established. Finally, Figure 26 (right) shows the mass released by the steam generator no. 1 PORV cycling. The maximum available time to start the AFW pump according to the success criteria is 60 minutes. When action is taken faster, benefits are evident. Based on simulator experience (Prošek & Čepin, 2007), the operator needs from 1 to 10 minutes to start the AFW system.

Figure 23: Reactor coolant system pressure (left) and reactor coolant system mass inventory (right) for LOFW transient.

Figure 24: Core cladding temperature (left) and mass injected by high pressure safety injection system (right) for LOFW transient.

Figure 25: Integrated pressurizer PORVs flow (left) and steam generator no. 1 pressure (right) for LOFW transient.

Figure 26: Steam generator no. 1 wide-range level (left) and mass discharged through steam generators power operated relief valves (right) for LOFW transient.

Figure 27 shows the fluid condition of the plant at 3600s, the moment when the auxiliary feedwater pump was started. At this time one of the pressurizer PORVs is open. It can be seen that the high pressure safety injection pump is running, and the same is true for the low pressure safety injection pump. At the pressure of 15.3MPa none of the pumps are injecting. However, as shown in Table 4, this occurred only 30s after the AFW start, which reduces the primary pressure. Finally, Figure 28 shows that one auxiliary feedwater pump is running and that by 5000s about 18 tons of water have been injected.

Figure 27: SNAP animation mask showing fluid condition of plant at 3600s for LOFW with manual actuation of AFW at 60 minutes.

Figure 28: SNAP animation mask showing auxiliary feedwater system at 5000s for LOFW with manual actuation of AFW at 60 minutes.

4.3 Calculations of LOCA with Manual SI Signal Actuation

The sequence of events for LOCA spectrum calculations with manual SI signal actuation is shown in Table 5. The only safety systems operating were the passive accumulators. For 5.08cm and larger breaks they emptied in the calculated time interval of 10000s.

Time (s) Analyzed break sizes 1.91cm 2.54cm 5.08cm 7.62cm 10.16cm 15.24cm Break occurrence Rx trip signal generation turbine trip conditions for automatic SI signal generation accumulator no.1 injection N.A. N.A accumulator no.2 injection N.A. N.A accumulator no.1 isolation N.A. N.A accumulator no.2 isolation N.A. N.A
Table 5: Sequence of main events for LOCA calculations without SI signal.

Figure 29 shows the results of LOCA calculations with manual actuation of SI. At breaks smaller than 5.08cm, the RCS was not sufficiently depressurized (Figure 29 (left)) to enable accumulator injection, while larger breaks depressurize the reactor coolant system. Figure 29 (right) shows that the temperature criterion of 1348K is first exceeded for a break of 15.24cm, then for breaks of 10.16cm, 7.62cm and 1.91cm, and last for 5.08cm. The reason is that for the 5.08cm break the accumulators were sufficient to cool the core until they emptied. At breaks larger than 5.08cm the core starts to heat up significantly after the accumulators have emptied. In general it can be concluded that the larger the break, the faster the core uncovery. For the 15.24cm break, the core starts to heat up at 20 minutes. For the 5.08cm break, the core cladding temperature could exceed the criterion at the first peak, if uncertainty is considered. When the SI signal is actuated after 20 minutes, further core heatup is prevented (Case 15.24cm SI). This is also true in the case of the 5.08cm break (Case 5.08cm SI). Therefore, at least 20 minutes are available for operator action. In this scenario, the treatment of uncertainty is unnecessary because the time window is the shortest for the largest break in the spectrum. In general it can be concluded that the larger the break, the faster the core uncovery. From the point of view of operator action the 15.24cm break size calculation is therefore limiting.

Figure 30 shows the mask of the emergency core cooling system, consisting of the high and low pressure safety injection systems and the accumulators. It can be seen that one train of the emergency core cooling system is injecting, and that both accumulators are already empty at 2000s. Due to emergency core cooling system operation there is no danger to the core, as can be seen from Figure 31, which shows the reactor vessel. The rods are sufficiently covered and cooled.

Figure 29: Reactor coolant system pressure (left) and reactor coolant system mass inventory (right) for LOCA with manual SI signal actuation.

Figure 30: SNAP animation mask showing fluid condition of emergency core cooling system at 3600s for LOCA with manual actuation of SI after 20 minutes.

Figure 31: SNAP animation mask showing reactor vessel at 2000s for LOCA with manual actuation of SI after 20 minutes.

4.4 Uncertainty of Times for Human Reliability Analysis

The times needed for performing operator actions were determined based on simulator experience (Prošek & Čepin, 2007). For starting the AFW the operator needs from 1 to 10 minutes, while for SI signal actuation 2 minutes are needed. When the time window is large, much additional time is available and there is no need to determine the time window very accurately, even if the human factor event is an important contributor to the risk. For example, the time needed to actuate the SI signal is 2 minutes and there are an additional 18 minutes to perform this action. Considering typical uncertainties in the peak cladding temperatures of 200K based on previous uncertainty evaluations (Prošek & Mavko, 1999a) and the adiabatic heatup rate for the 15.24cm break, the criterion would be reached 3 minutes earlier. Equally important is the time uncertainty of reaching the maximum temperature, which is approximately 2 minutes according to (Prošek & Mavko, 1999b). The additional time considering uncertainties is still sufficient.

In the case of small and medium break LOCAs with the assumption that the high pressure safety injection system is not available, depressurization is needed for breaks smaller than 5.08cm. The 5.08cm break is limiting, as for this and larger breaks the reactor coolant system depressurizes by itself. However, when the pressure drops below the accumulator injection setpoint, the core is already heated up for the 5.08cm break. Considering the typical cladding temperature uncertainty of the best estimate calculation to be 200K (Prošek & Mavko, 1999a), the criterion of 1348K could be exceeded. The recovery action would be questionable because of the short time window. The uncertainty analysis was not needed, as the risk contribution of this event to the plant risk is insignificant.
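The comparison this section makes, between the time window taken from the parametric runs and the time the operator needs, is sketched below as an added Python example that is not code from the paper. The traces, case values and function names are constructed assumptions, and applying the 200K cladding temperature uncertainty by lowering the 1348K criterion is an assumption about how the check is carried out.

```python
"""Time-window bookkeeping for an operator action (added example).

All traces are constructed for illustration; they are not results from the
paper. Only the 1348 K criterion and the 200 K uncertainty are quoted from it.
"""

CRITERION_K = 1348.0         # cladding temperature criterion quoted on the page
TEMP_UNCERTAINTY_K = 200.0   # typical cladding temperature uncertainty quoted on the page


def peak(trace):
    """Highest cladding temperature in a [(time_s, temp_K), ...] trace."""
    return max(temp for _, temp in trace)


def first_crossing(trace, limit_k):
    """Time (s) at which the trace first reaches limit_k, by linear
    interpolation between samples; None if the limit is never reached."""
    if trace[0][1] >= limit_k:
        return trace[0][0]
    for (t0, k0), (t1, k1) in zip(trace, trace[1:]):
        if k0 < limit_k <= k1:
            return t0 + (limit_k - k0) * (t1 - t0) / (k1 - k0)
    return None


def time_window(cases, limit_k):
    """Largest action delay (min) for which this and every shorter analyzed
    delay keeps the peak below limit_k; None if even the shortest fails."""
    window = None
    for delay in sorted(cases):
        if peak(cases[delay]) >= limit_k:
            break
        window = delay
    return window


def assess(cases, needed_min, uncertainty_k=0.0):
    """Compare the time window with the time the operator needs."""
    window = time_window(cases, CRITERION_K - uncertainty_k)
    margin = None if window is None else window - needed_min
    return {"window_min": window, "margin_min": margin,
            "sufficient": margin is not None and margin >= 0}


def crossing_shift_s(trace, uncertainty_k):
    """Seconds by which the criterion is reached earlier when the
    temperature uncertainty is subtracted from the criterion."""
    best = first_crossing(trace, CRITERION_K)
    conservative = first_crossing(trace, CRITERION_K - uncertainty_k)
    if best is None or conservative is None:
        return None
    return best - conservative


# Constructed parametric runs: action delay (min) -> cladding temperature trace.
CASES = {
    30: [(0, 560.0), (1800, 600.0), (4000, 580.0)],
    40: [(0, 560.0), (2400, 640.0), (5000, 585.0)],
    50: [(0, 560.0), (3000, 700.0), (6000, 590.0)],
    60: [(0, 560.0), (3600, 1190.0), (7000, 600.0)],
    70: [(0, 560.0), (4200, 1500.0), (8000, 610.0)],
}
# Constructed trace of a run without operator action, heating up at 1 K/s.
NO_ACTION = [(0, 600.0), (1200, 600.0), (2200, 1600.0)]

if __name__ == "__main__":
    print(assess(CASES, needed_min=10))
    print(assess(CASES, needed_min=10, uncertainty_k=TEMP_UNCERTAINTY_K))
    print(crossing_shift_s(NO_ACTION, TEMP_UNCERTAINTY_K))
```

With these constructed traces the best-estimate window and the uncertainty-adjusted window differ by one analyzed case, which is the situation where the spacing of the parametric delays, rather than the code accuracy, limits how precisely the window is known.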
On the other hand, establishing the auxiliary feedwater system in a LOFW event is a significant contributor to the risk, but the calculated time window gives suffi-