Expanding Capabilities of PSA To Address Multi-Unit Sites


1 Expanding Capabilities of PSA To Address Multi-Unit Sites
By: Karl N. Fleming, President, KNF Consulting Services LLC
Presented to: CRA's 6th Risk Forum, Warwick, UK, September 16 and

2 Discussion Topics
- A blind spot in our safety culture
- Risk insights from service data
- Risk insights from PSAs
- Multi-unit PSA risk metrics
- Implications for operating reactors and small modular reactors
CRA 6th Risk Forum 2

3 Is this just hindsight?
- Importance of multi-unit accidents seems obvious now that we have experienced Fukushima Daiichi
- But looking back, we should have known but could not see into our

4 Current Approach to Nuclear Safety (1): Deterministic Safety Approaches
- General Design Criteria
- Conservative Design Basis Accidents
- Conservative Safety Margins
- Defense-in-depth
- Severe accident management
- Emergency planning
- Incorporation of lessons from service experience and accidents

5 Current Approach to Nuclear Safety (2): Probabilistic Risk Analysis
- Comprehensive treatment of operating states
- Comprehensive treatment of internal and external hazards
- Use of risk metrics to determine safety significance
- Risk management strategies to improve safety
- Complementary use of PRA and deterministic principles in risk-informed decision making

6 What do all these safety approaches have in common?
- They all share a common one-reactor (accident) at-a-time mindset

7 Why Blind Spot?
- Most reactor sites are multi-unit
- Deterministic and probabilistic safety analyses, with few exceptions, are performed on each reactor independently
- Accidents postulated on each unit are analyzed with the implicit and non-conservative assumption that other reactors on the site are safe
- Accidents involving multiple reactors are not included in the safety analysis (deterministic or probabilistic)
- A single reactor accident that could propagate into a multi-unit accident is not considered
- Use of risk metrics such as core damage frequency that do not capture multi-unit effects

8 Evidence that was overlooked
- Population of multi-unit sites
- Reactor operating experience with multi-unit events and accidents
- Results of (the few) multi-unit PRAs
- Site wide nature of external hazards
- Design practice on the use of shared sites, systems, and structures

9 World Wide Multi-Unit Sites

10 Selected Experience with Multi-Unit Events
- Great Japan Earthquake and Tsunami (2011)
  - Loss of offsite power
  - Tsunami site inundation at two sites
  - Core damage on three reactor units and major challenge to protect 3 units and spent fuel storage
- Le Blayais External Flood (1999)
  - Degradation of safety systems at 4 reactor units
- Loss of Offsite Power events ( )
  - Many site wide and several regional events
- Oconee Turbine Building Flood (1976)
  - Near miss core damage on three units

11 Great Japan Earthquake Multi-Unit Insights
- Tsunami inundated the Daini and Daiichi sites and caused major damage at both sites; seismic induced loss of power at several other sites
- Daiichi Units 1, 2, 3 experienced core damage; containment breach; site contamination; large releases of radioactive material; accident management resources overwhelmed
- Key causes of accident included flood damage to emergency switchgear in Units 1-4; lack of emergency preparedness for multi-unit loss of AC and DC power; questionable containment venting procedures; chaos in the government/utility/plant command and control; multi-unit interactions
- Ad hoc and heroic operator actions instrumental in protecting cores and spent fuel in Units 4, 5, and 6 and preventing releases during evacuation
- Missed opportunities to identify and fix vulnerabilities from PRA
  - Ample evidence from tsunami hazard studies not heeded
  - Internal flood PRA would have identified issue with lack of flood protection inside plant

12 Oconee Internal Flood 1976
- Turbine building shared by three units
- Units 1 and 2 operating at full power
- Unit 3 shut down; manways on condenser waterbox removed to allow cleaning of waterbox
- Isolation of waterbox accomplished by
  - Shutting down circulating water pumps and closing pump outlet MOVs
  - Closing manual valves at condenser inlet (six)
  - Closing air-operated valves at condenser outlet (six)
    - Valves are designed to be fail-open
    - Jackscrew inserted in operator to keep valve closed

13 Condenser cooling water at Oconee

14 Flood experience Oconee, 1976 (cont.)
- Flood initiated by
  - Failure of static inverter, causing loss of control power to outlet AOVs
  - Jackscrew for one AOV sheared off when valve tried to go to failed-open position; valve opened, allowing flood at a rate of ~63,000 gpm
- Flooding continued for about 32 min, until static inverter was bypassed, restoring control power and allowing AOV to reclose; operators not aware of flood until much later
- Flood depth reached ~17
- If flood depth had reached
  - Emergency feedwater pumps for all three units lost
  - Auxiliaries for main feedwater flooded; loss of MFW likely
  - Water would spill over curbs into auxiliary building; significant probability of core damage on all 3 units

15 PSA Insights on Multi-Unit Risks
- Seabrook Level 3 Multi-unit PSA (mid 1980s)
  - Integrated Level 3 PSA of two unit station
  - Seabrook had minimal use of shared systems
  - Full scope treatment of internal and external hazards and plant operating states
- PWR Level 1 PSA of Two Unit Plant with Shared Systems (late 1990s)
  - Integrated Level 1 PSAs of two unit stations
  - These plants have shared systems and structures
  - Internal events and internal floods from full power
- Modular HTGR PSAs (mid 1990s)
  - Integrated Level 3 PRA of four reactor module plant
  - Risk informed safety design approach
- CANDU PRAs ( )

16 Seabrook Multi-unit PSA
- Performed in 1983
- Contract required for integrated risk of two-unit station
- Units are in a side-by-side layout with minimal use of shared systems
- PRA performed to address emergency planning (EP) issues
  - Internal and external hazards
  - Level 3 with extensive emergency planning sensitivity studies
  - All modes and states including operation at 100%, 40%, 25%, and LPSD
- Results inspired current accepted definitions of large early release
- Second unit not completed, so multi-unit PRA model was not carried forward and updated as with Unit 1 PRA

17 Seabrook MUPSA Level 1 Results

18 Major Contributors to Multi-Unit Core Damage

19 Comparison of Consequences for Large Early Containment Failure
(Chart labels: Release from one reactor; Release from two reactors; Linear increase; Non-linear increase)

20 Seabrook Multi-Unit Insights
- Relative frequency of core damage involving both reactors unexpectedly high (CPMA = 0.14); likely higher today with lower internal event CDF
- Cannot scale Level 3 results due to dose thresholds for early health effects
- Single unit risk metrics, e.g. CDF and LERF, not adequate for addressing multi-unit risk
- Technical basis for linking CDF and LERF to site safety goals is flawed
- Contribution of multi-reactor events at Seabrook significant despite lack of shared support systems and structures
- Issue of multi-unit vs. single unit common cause failures addressed for EDGs and MOVs
- Seismic induced blackout and LOCAs dominated multi-reactor events
- Addressing multi-unit risk did not require significant advancement of the state of the art but rather of the state of practice of PRA

21 Case Study 2: Level 1 PSA of Two Unit PWRs with Shared Systems
- Dual Unit Westinghouse 4-loop PWR built and licensed in one safety analysis report
- Plant has two reactor units with highly shared support systems (service water and AC power) and co-located equipment in a common structure
- Single reactor PRA models developed for each of the 2 units with explicitly modeled dual unit dependencies
- Out of curiosity the PRA team decided to flag all the sequences and cut-sets involving dual reactor accidents (nobody ever asked for this information, but key results from this were identified and presented)
- Level 1 PSA included internal floods but excluded internal fires and seismic
- Sharing of support systems evident in Level 1 PSA results
  - Single unit CDF (5 x 10^-5 /Rx-yr) benefits from increased redundancy of SSCs for each unit
  - Conditional probability of multi-unit accident (CPMA = 0.67) much higher than for Seabrook
  - CPMA approaches 1 when internal fires and seismic events are included

22 Single Unit and Multi-Unit Contributions to Core Damage Frequency (CPMA = 0.67)

23 Lessons for Improving PSA
- Deterministic bases for multi-unit accidents need to be established
- More experience needed with multi-reactor PSAs
- Need to incorporate multi-unit accident sequence models
- Single reactor risk metrics such as CDF and LERF are inadequate to capture integrated risks of multi-unit sites; site level metrics needed
- Current PRA treatment of accident management is limited to prevention of severe accidents on a single reactor
- Impact of site contamination on operator actions has not been addressed
- Initiating events for each reactor need to include accidents on other units
- Treatment of common cause failures involving components in different units needs to be addressed
- Seismic correlation issue already addressed in single reactor PRAs needs to be addressed in multi-unit context; significant multi-unit seismic events do not require correlation

24 Actions to Advance Multi-Unit PSAs
- IAEA Technical Approach to MUPSAs and external hazards PSAs (in publication)
- CNSC Workshop on Multi-unit PSA, Nov 2014
- OECD WGRisk MUPSA project
- U.S. NRC Level 3 Research Project
- ASME/ANS PRA Standards for LWR and Non-LWR PRAs
- Active university research at University of Maryland and UCLA

25 Site Risk Metrics
- CPMA = conditional probability of multiple reactor accident given core damage on specific unit; intended for use with single reactor CDF metric
- Site CDF (SCDF) = frequency of core damage involving one or more reactor facilities on the site
- Multi-unit CDF (MUCDF) = frequency of core damage involving two or more reactor units concurrently
- Site LERF (SLERF) = frequency of a large early release from an accident involving one or more reactor facilities on the site
- Site Level 3 Risks = Level 3 risk metrics (e.g. CCDFs) for the integrated risks from all site facilities
- Individual risks to people in vicinity of site (QHOs) may now reflect the integrated risks from all the facilities on the site
- Change frequency basis from reactor-year to site-year
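The following worked example, added here and not part of the presentation, ties the site metrics on this slide to the two case studies. It assumes (this is the editor's reading, not something the slides state) that each unit's CDF counts every core damage sequence on that unit, including the sequences in which the other unit is damaged too, so MUCDF is contained in both unit CDFs and SCDF follows by inclusion-exclusion. The numerical inputs are the ones on the slides (unit CDF of 5 x 10^-5 /Rx-yr with CPMA = 0.67 for the shared-system plant, CPMA = 0.14 for Seabrook); the function and field names are the editor's.

```python
"""Site-level risk metrics for a two-unit site (added example, editor's model)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TwoUnitSite:
    cdf_unit1: float  # core damage frequency of unit 1, per reactor-year (includes multi-unit sequences)
    cdf_unit2: float  # core damage frequency of unit 2, per reactor-year (includes multi-unit sequences)
    mucdf: float      # MUCDF: frequency of concurrent core damage on both units, per site-year

    def __post_init__(self) -> None:
        # A multi-unit sequence is also a core damage sequence on each unit,
        # so MUCDF can never exceed either unit's CDF (assumption stated above).
        if self.mucdf < 0 or self.mucdf > min(self.cdf_unit1, self.cdf_unit2):
            raise ValueError("MUCDF must lie between 0 and the smaller unit CDF")

    def cpma(self, unit: int) -> float:
        """CPMA: P(other unit also damaged | core damage on `unit`)."""
        cdf = self.cdf_unit1 if unit == 1 else self.cdf_unit2
        return self.mucdf / cdf

    def site_cdf(self) -> float:
        """SCDF: core damage on one or more units, per site-year (inclusion-exclusion)."""
        return self.cdf_unit1 + self.cdf_unit2 - self.mucdf

    def naive_site_cdf(self) -> float:
        """What you get by simply adding the two single-unit CDFs: double counts MUCDF."""
        return self.cdf_unit1 + self.cdf_unit2

    def single_unit_only_cdf(self, unit: int) -> float:
        """Frequency of core damage confined to `unit` alone, per site-year."""
        cdf = self.cdf_unit1 if unit == 1 else self.cdf_unit2
        return cdf - self.mucdf

    def multi_unit_share(self) -> float:
        """Fraction of all site core damage events that involve both units."""
        return self.mucdf / self.site_cdf()


def symmetric_site(cdf_per_unit: float, cpma: float) -> TwoUnitSite:
    """Build a site with identical units from the metrics the slides report.

    For identical units CPMA = MUCDF / CDF, so MUCDF = CPMA * CDF.
    """
    if not 0.0 <= cpma <= 1.0:
        raise ValueError("CPMA is a conditional probability")
    return TwoUnitSite(cdf_per_unit, cdf_per_unit, cpma * cdf_per_unit)


def compare_sites(cdf_per_unit: float = 5e-5) -> dict:
    """Shared-system PWR (CPMA 0.67, slide 21) vs. Seabrook-like CPMA 0.14 (slide 20).

    Seabrook's own unit CDF is not on the slides; the same unit CDF is used for
    both rows purely so the effect of CPMA can be seen in isolation (constructed).
    """
    out = {}
    for label, cpma in (("shared_systems", 0.67), ("seabrook_like", 0.14)):
        site = symmetric_site(cdf_per_unit, cpma)
        out[label] = {
            "scdf_per_site_yr": site.site_cdf(),
            "mucdf_per_site_yr": site.mucdf,
            "multi_unit_share": site.multi_unit_share(),
            "naive_overcount": site.naive_site_cdf() - site.site_cdf(),
        }
    return out


if __name__ == "__main__":
    for label, row in compare_sites().items():
        print(label, {k: f"{v:.3g}" for k, v in row.items()})
```

For the shared-system plant the numbers work out to MUCDF = 3.35 x 10^-5 and SCDF = 6.65 x 10^-5 per site-year, so just over half of all core damage events on that site involve both reactors; the same unit CDF with CPMA = 0.14 gives a multi-unit share of about 7.5%. Either way, a single-unit CDF on its own reports neither figure, which is the point of the site-year basis.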

26 MULTI-UNIT SEISMIC PSA

27 Seismic Induced LOCAs at Two Unit Seabrook Site

28 Introduce Seismic Common Cause Model for Correlation
- Seismic induced failure of component $G_k$ at intensity $j$ = Independent seismic failure of component $G_k$ at intensity $j$ OR Correlated seismic failure of all group $G$ components at intensity $j$
- Independent branch probability: $(1-\alpha_j)\,f_j$
- Correlated branch probability: $\alpha_j\,f_j$

29 Definition of Alpha
- $\alpha$ = seismic correlation split fraction
- Defined as the fraction of seismic events that produce correlated fragilities, where $f$ is the probability that two (or more) components with correlated fragilities will fail
- $1-\alpha$ = fraction of earthquakes in which seismic components fail independently
- $\alpha$ generally increases with increasing pga
- Correlation arises from common ground motion input, shared location in building, common design features, anchorages, and failure modes

30 Fragility and Alpha Parameter from IAEA MUPSA Report

31 Impact of Seismic Correlation on Dual Unit LOCA Frequency

32 Impact of Seismic Correlation for a Small Modular Reactor

33 Seismic Multi-Unit Insights
- A seismic event at a multi-unit site can produce a multi-unit accident
  - Due to independent combinations of component failures
  - Due to seismically correlated failures
- If the earthquake intensity challenges or exceeds the seismic capacity, the probability of independent combinations of component failures is high
- If the seismic failures cause initiating events, then one must consider the potential for multiple initiating events
  - Multiple initiating events on a given unit
  - Concurrent initiating events on multiple units
  - Beware of the one-initiating-event-at-a-time mindset from internal events
- Methods for treatment of partial correlation are available to replace the current package of perfectly correlated / perfectly uncorrelated assumptions
- Influence of seismic correlation is rather complex and not as large an impact as expected
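The split fraction model of slides 28 and 29 and the insights on this slide can be exercised with a few lines of arithmetic. The example below is added by the editor and is not code from the presentation or the IAEA report: it implements the two-branch model as written on slide 28 (all group members fail together with probability f in a fraction alpha of earthquakes, independently in the rest), sets the component fragility from a lognormal curve with median capacity A_m and log standard deviation beta (the standard seismic PRA form), and integrates over a constructed, discretised hazard curve. The hazard bins, the capacity values and the rule that alpha rises with pga are all constructed inputs; the structure of the calculation, not the numbers, is the point.

```python
"""Seismic common cause split fraction model for n like components (added example)."""
import math


def lognormal_fragility(pga: float, median_capacity: float, beta: float) -> float:
    """Conditional failure probability at `pga`: Phi(ln(a / A_m) / beta)."""
    if pga <= 0 or median_capacity <= 0 or beta <= 0:
        raise ValueError("pga, median capacity and beta must be positive")
    z = math.log(pga / median_capacity) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def _check(f: float, alpha: float, n: int) -> None:
    if not (0.0 <= f <= 1.0 and 0.0 <= alpha <= 1.0) or n < 1:
        raise ValueError("f and alpha are probabilities; n must be >= 1")


def p_all_fail(f: float, alpha: float, n: int = 2) -> float:
    """All n group members fail: correlated branch alpha*f OR independent branch (1-alpha)*f^n."""
    _check(f, alpha, n)
    return alpha * f + (1.0 - alpha) * f ** n


def p_any_fail(f: float, alpha: float, n: int = 2) -> float:
    """At least one member fails: in the correlated branch the group fails all-or-nothing."""
    _check(f, alpha, n)
    return alpha * f + (1.0 - alpha) * (1.0 - (1.0 - f) ** n)


def marginal_failure(f: float, alpha: float) -> float:
    """A single named member fails with probability f in both branches: alpha leaves the
    single-unit fragility unchanged and only redistributes how failures cluster."""
    _check(f, alpha, 1)
    return alpha * f + (1.0 - alpha) * f


# Constructed hazard discretisation: (pga in g, annual frequency of earthquakes in the bin).
HAZARD_BINS = [(0.1, 1e-3), (0.2, 3e-4), (0.3, 1e-4), (0.5, 3e-5), (0.7, 1e-5), (1.0, 3e-6)]


def alpha_rising_with_pga(pga: float, median_capacity: float) -> float:
    """Constructed split fraction that grows with pga and saturates at 1 (slide 29 says
    alpha generally increases with pga; the functional form here is an assumption)."""
    return min(1.0, 0.5 * pga / median_capacity)


def dual_unit_failure_frequency(median_capacity: float, beta: float, alpha_fn) -> float:
    """Annual frequency that the like component fails on both units (n = 2),
    summed over hazard bins; analogous in structure to the dual-unit LOCA case of slide 31."""
    total = 0.0
    for pga, freq in HAZARD_BINS:
        f = lognormal_fragility(pga, median_capacity, beta)
        total += freq * p_all_fail(f, alpha_fn(pga), n=2)
    return total


def correlation_sensitivity(median_capacity: float = 0.6, beta: float = 0.4) -> dict:
    """Bracket the partial-correlation result with the two traditional bounding assumptions."""
    return {
        "uncorrelated": dual_unit_failure_frequency(median_capacity, beta, lambda a: 0.0),
        "partial": dual_unit_failure_frequency(
            median_capacity, beta, lambda a: alpha_rising_with_pga(a, median_capacity)),
        "fully_correlated": dual_unit_failure_frequency(median_capacity, beta, lambda a: 1.0),
    }


def high_intensity_share(median_capacity: float = 0.6, beta: float = 0.4, alpha: float = 0.0) -> float:
    """Fraction of the dual-unit frequency coming from bins at or above the median capacity,
    where f is close to 1 and independent joint failure is already likely."""
    per_bin = [(pga, freq * p_all_fail(lognormal_fragility(pga, median_capacity, beta), alpha))
               for pga, freq in HAZARD_BINS]
    total = sum(v for _, v in per_bin)
    return sum(v for pga, v in per_bin if pga >= median_capacity) / total


if __name__ == "__main__":
    for name, value in correlation_sensitivity().items():
        print(f"{name:>17}: {value:.3e} /yr")
    print(f"share from bins at/above A_m (uncorrelated): {high_intensity_share():.2f}")
```

Two properties worth checking by hand: the marginal failure probability of either unit's component is f whatever alpha is, so correlation changes the multi-unit metric without touching the single-unit one; and because p_all_fail is non-decreasing in alpha for any f in [0, 1], the partial-correlation frequency always lands between the uncorrelated and fully correlated bounds. Where the hazard bins that dominate are those at or above the capacity, f is already close to 1 and the two bounds converge, which is the mechanism behind the slide's remark that the influence of correlation is smaller than expected.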

34 Summary
- The risk of multi-unit accidents on multi-unit sites is significant to dominant for:
  - All the external hazards for all multi-unit plants
  - Loss of offsite power/station blackout for all multi-unit plants
  - Other internal events on multi-unit plants with shared systems
- Single reactor PSAs on multi-unit sites yield misleading and optimistic risk insights; should be discontinued
- We cannot expect to manage multi-unit risks if they are left out of PRAs
- This is not a state of the art limitation but rather a weakness in the state of practice
- Site based risk metrics should be used in risk-informed decision making
- Deterministic safety principles such as defense-in-depth need to be revisited to address prevention and mitigation of multi-unit accidents
- The safety significance of shared systems and structures and application of GDC 5 needs to be rethought in the context of a multi-unit safety assessment
- No fundamental reason why this should only be an issue for modular reactors