Removing a Blind Spot in Our Safety Culture


1 Removing a Blind Spot in Our Safety Culture
By: Karl N. Fleming, President, KNF Consulting Services LLC, KarlFleming@comcast.net
Presented to: American Nuclear Society PSA 2017, Pittsburgh, PA, September 2017

2 Is this just hindsight?
- Importance of multi-unit accidents seems obvious now that we have experienced Fukushima Daiichi
- But looking back we should have known but could not see into our

3 Current Approach to Nuclear Safety (1): Deterministic Safety Approaches
- General Design Criteria
- Conservative Design Basis Accidents
- Conservative Safety Margins
- Defense-in-depth
- Severe accident management
- Emergency planning
- Incorporation of lessons from service experience and accidents

4 Current Approach to Nuclear Safety (2): Probabilistic Risk Analysis
- Comprehensive treatment of operating states
- Comprehensive treatment of internal and external hazards
- Use of risk metrics to determine safety significance
- Risk management strategies to improve safety
- Complementary use of PRA and deterministic principles in risk-informed decision making

5 What weakness do all these safety approaches share?
- They all share a common one-reactor (accident)-at-a-time mindset

6 What is the One-Reactor-At-a-Time (ORAT) Mindset?
- The non-conservative assumption, when performing a safety analysis of a nuclear reactor unit, module, or radionuclide source (one at a time), that all other units, modules, or sources on the site are safe.

7 What is the evidence this practice is a blind spot?
- Insights from existing, albeit limited, multi-unit PRAs showing multi-unit accidents are risk significant to dominant are ignored
- Fukushima Daiichi multi-unit accident with multi-site effects
- Other operating experience on multi-unit sites:
  - 1976 Oconee internal flood
  - 1999 Le Blayais external flood
  - Almost all experienced loss of offsite power events
  - Multi-unit common cause failure events
- Common cause nature of external hazards
- Foundation of deterministic safety analyses and supporting design criteria
- Safety goals and associated risk metrics do not consider the risk of a multi-unit accident

8 Single Unit NPP Sites are Rare

9 General Design Criterion 5
Criterion 5, Sharing of structures, systems, and components: Structures, systems, and components important to safety shall not be shared among nuclear power units unless it can be shown that such sharing will not significantly impair their ability to perform their safety functions, including, in the event of an accident in one unit, an orderly shutdown and cooldown of the remaining units.
It is questioned how this GDC has been applied to multi-unit plants with shared support systems and structures:
- Wording of GDC reflects a single reactor accident mindset; what about accidents involving multiple units?
- All multi-unit plants have shared electrical grid, switchyard, and heat sink
- Some U.S. plants also share safety systems and structures among units
- Essentially all the external hazards impact all units and sources concurrently

10 NRC Safety Goal QHOs
The risk to an average individual in the vicinity of a nuclear power plant of prompt (cancer) fatalities that might result from reactor accidents should not exceed 0.1% of the sum of prompt (cancer) fatality risks resulting from other accidents to which members of the U.S. public are generally exposed

11 QUESTIONS IN INTERPRETING THE QHOs
1. Do the safety goal QHOs apply to the entire site or to individual reactors for the currently licensed reactors? What is the meaning of "nuclear power plant"? Plain English interpretation: individuals are exposed to all risk sources on the site. What's the point of applying them to individual reactor units?
2. How are the risks from accidents involving more than one reactor on the same site to be taken into account? This issue seems to have been ignored.
3. How are the risks from currently licensed reactors and proposed new reactors, modular or otherwise, to be combined if the safety goal is to be applied to the site?
  - Integrated risk for existing multi-unit sites is not being addressed
  - Integrated risk is now limited to future modular reactor plants but not the site
4. How can PRA results that have been limited to scenarios involving single reactor accidents be used to justify the current single reactor treatment of the safety goal?
  - Technical basis for linking QHOs to surrogate risk metrics such as CDF and LERF is only valid for single reactor sites
  - One-reactor-at-a-time mindset strikes again!

12 Defense-in-Depth
- Regulatory documents include a rich collection of works on defense-in-depth, including a recent revision to RG
- These also suffer from the ORAT mindset, e.g. prevention and mitigation of core damage accidents
- Modern definitions of defense-in-depth should include the goal of preventing and mitigating multi-unit accidents

13 Relevant Multi-Unit Interactions
- Most external hazards, loss of offsite power, and loss of heat sink events impact all the units on the site
- A single unit accident could propagate to affect other units and SF facilities on the site
- If systems and structures are shared (beyond sharing the grid and heat sink), the potential for a multi-unit accident is increased
- For seismic events the issue of seismic fragility correlation is magnified when considering a seismically induced multi-unit accident
- A significant fraction of common cause failures has involved components on different units
- Post-initiator human actions and accident management resources are greatly challenged by multi-unit events

14 Flood experience: Oconee, 1976
- Turbine building shared by three units
- Units 1 and 2 operating at full power
- Unit 3 shutdown; manways on condenser waterbox removed to allow cleaning of waterbox
- Isolation of waterbox accomplished by:
  - Shutting down circulating water pumps and closing pump outlet MOVs
  - Closing manual valves at condenser inlet (six)
  - Closing air-operated valves at condenser outlet (six)
    - Valves are designed to be fail-open
    - Jackscrew inserted in operator to keep valve closed

15 Condenser cooling water at Oconee

16 Flood experience: Oconee, 1976 (cont.)
- Flood initiated by:
  - Failure of static inverter, causing loss of control power to outlet AOVs
  - Jackscrew for one AOV sheared off when valve tried to go to failed-open position; valve opened, allowing flood at a rate of ~63,000 gpm
- Flooding continued for about 32 min, until static inverter was bypassed, restoring control power and allowing AOV to reclose; operators not aware of flood until much later
- Flood depth reached ~17
- If flood depth had reached
  - Emergency feedwater pumps for all three units lost
  - Auxiliaries for main feedwater flooded; loss of MFW likely
  - Water would spill over curbs into auxiliary building; significant probability of core damage on all 3 units

17 Fukushima Daiichi Multi-Unit Insights
- Tsunami caused by Great Japan earthquake inundated the site and caused major damage to all 6 reactor units; other sites affected
- Units 1, 2, 3 experienced core damage and containment breach resulting in large releases of radioactive material; core damage at Unit 4 largely averted due to shutdown/defueled state; Units 5 and 6 averted core damage due to one EDG being protected from flooding and heroic operator actions
- Key cause of accident was flood damage to emergency switchgear and EDGs located in basement of turbine buildings and resulting station blackout to Units 1-4
- An internal flooding PRA was never done but would have likely identified flood vulnerability and improved flood protection
- Flood vulnerability also exposed by 1991 flood event

18 Lessons from Fukushima
Fundamental causes included:
- Inadequate protection of site against tsunami despite evidence that tsunami risk was high
- Location of safety related switchgear and EDGs in basement of turbine building was a critical vulnerability and contributing cause
- Lack of protection of equipment from internal flooding amplified this vulnerability
- Inadequate planning and procedures for accident management
- Lack of clear command and control among plant, utility and government agencies
- Multi-unit interactions and dependencies, loss of infrastructure, and site contamination made major contributions to accident progression
- Lack of appreciation that PRA can be used to identify safety improvements; no internal or external flood PRAs performed

19 Historical Perspective
Probabilistic Safety Analyses
- Nearly all existing PRAs performed one reactor at a time:
  - Shared equipment modeled taking credit for extra redundancy
  - Increased likelihood of a single reactor accident due to multiple units ignored
  - Potential for multi-unit accidents not considered
  - Impact of a severe accident on one unit on the other units ignored
- Risk metrics, e.g. core damage frequency (CDF) and large early release frequency (LERF), fail to capture integrated site risk
NRC Safety Goal Issues
- Single reactor PRAs used to justify that safety goals have been met
- Safety goals used to calibrate surrogate risk metrics such as CDF and LERF
- Essentially all risk-informed regulation applications based on these single unit metrics; risk impacts of multi-unit accidents ignored

20 PRA Insights on Multi-Unit Risks
- Seabrook PRA (mid 1980s)
  - Integrated Level 3 PRA of two unit station
  - Seabrook had minimal use of shared systems
  - Full scope treatment of internal and external hazards and plant operating states
- US PWR PRA (late 1990s)
  - Integrated Level 1 PRA of two unit station
  - Extensive sharing of systems and structures
  - Internal events and internal floods from full power
- Modular HTGR PRAs (mid 1990s)
  - Integrated Level 3 PRA of four reactor module plant
  - PBMR and NGNP safety design approach for multi-modules
  - Licensing Modernization Project building on approach
- CANDU PRAs ( )
- SMR PRAs ( )

21 INSIGHTS FROM MULTI-REACTOR PRA PERFORMED FOR SEABROOK
- Seabrook Level 3 PSA completed in 1983
  - Level 3 PRA
  - Full treatment of internal events, internal hazards, and external hazards from full power operating states
  - Integrated risk of two unit station (prior to the cancellation of Unit 2) and prior to the plant licensing and startup
- Slide-along design with minimal sharing of plant structures and support systems
  - Shared common switchyard
  - Shared intake structure for CW and SW systems
- Systematic search for initiating events impacting each unit independently and both units concurrently
- Full Level 3 treatment of event sequences involving single reactors and both reactors concurrently
- More recent updates of PSA do not include integrated risk as second unit was cancelled
- Current PSA has significantly lower CDF due to changes in design, PRA modeling and updated generic and plant specific data
- 1983 results to be taken with a grain of salt but relative risk insights are still meaningful

22 Technical Approach to Seabrook Multi-unit PRA
- Technically sound single unit Level 3 PRA performed initially
- Initiating events were analyzed to resolve single and dual reactor impacts (internal and external)
- Event trees expanded to include accident sequences involving releases from each reactor and both reactors concurrently
- Accident sequence frequencies quantified realistically; common cause failure models modified to address multi-unit events; frequencies re-baselined to events per site year
- Correlation of seismic fragilities addressed
- For dual reactor accidents, source terms simplistically doubled
- Radiological consequences evaluated probabilistically using state of the art Level 3 models and site specific meteorology and evacuation; impact on emergency planning addressed

23 COMPARISON OF RISK METRICS
[Figure: bar chart of accident frequency per site year (0% to 200%) for a Single Reactor PRA versus an Integrated Site PRA, with the integrated bar split into single reactor accident and dual reactor accident contributions]

24 Integrated Plant Risk Metrics - Level 1 Version
Model Type | Risk Metric | Core Damage Frequency Uncertainty Distribution* (Mean Value, 5%, 50%, 95%)
Single Reactor PRA | CDF per reactor year |
Integrated Site PRA of both Units | Single reactor CDF per site year |
Integrated Site PRA of both Units | Dual reactor CDF per site year |
Integrated Site PRA of both Units | Total Site CDF per site year |
Mean Value 5% 50% 95%: 2.3x x x x x x x x x x x x x x x x10-3
* Values listed from 1983 study prior to plant operation; current CDF at Seabrook is less than 2x10-5 per reactor year; reductions mostly for internal events
CPMA = Conditional probability of multiple core accident given core damage on either unit; CPMA = 0.14

25 Seabrook Dual Reactor CDF Contributions*
Initiating Event | Dual Unit Site CDF (per site year) | % of Total
Seismic Events (SBO, LOCA) | 2.80E-05 | 88%
Loss of Offsite Power | 2.80E-06 | 9%
External Flooding | 1.60E-06 | 5%
Truck Crash into Transmission Lines | 1.00E | %
Total | 3.20E | %
* Values listed are from 1983 study prior to plant operation; current CDF at Seabrook is less than 2x10-5 per reactor year
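As an added worked example (not from the presentation or the Seabrook study), the per-site-year re-baselining of slide 22 and the CPMA definition of slide 24 applied to the dual-unit contributions listed on slide 25. The per-unit single-reactor CDF of 1.3x10-4 per reactor year is a constructed illustration, and the example assumes that each unit's single-reactor PRA CDF already counts the scenarios that damage both units.

```python
"""Integrated two-unit site risk metrics (added illustration, not from the slides).

Assumption (not stated on the slides): each unit's single-reactor PRA CDF, in
events per reactor year, already includes the scenarios that damage both units,
so the dual-unit frequency is subtracted once when per-unit values are combined.
"""

# Dual-reactor CDF contributions per site year, 1983 Seabrook values as
# quoted on slide 25 (truck-crash row omitted: its value is garbled there).
DUAL_UNIT_CDF = {
    "Seismic events (SBO, LOCA)": 2.80e-5,
    "Loss of offsite power": 2.80e-6,
    "External flooding": 1.60e-6,
}

# Constructed per-reactor-year CDF for each unit's single-reactor PRA.
# Illustrative only; this is NOT a value from the 1983 study.
UNIT_CDF_PER_REACTOR_YEAR = {"Unit 1": 1.3e-4, "Unit 2": 1.3e-4}


def dual_unit_shares(contributions):
    """Return (total dual CDF per site year, {initiator: fraction of total})."""
    total = sum(contributions.values())
    return total, {name: f / total for name, f in contributions.items()}


def integrated_site_metrics(unit_cdf, dual_cdf_per_site_year):
    """Re-baseline per-reactor-year CDFs to per-site-year metrics (slide 22).

    single_only: core damage on exactly one unit, per site year
    total_site:  core damage on at least one unit, per site year
    cpma:        conditional probability of a multiple-core accident given
                 core damage on either unit (definition on slide 24)
    """
    d = dual_cdf_per_site_year
    single_only = sum(c - d for c in unit_cdf.values())
    total_site = single_only + d
    return {
        "single_only_per_site_year": single_only,
        "dual_per_site_year": d,
        "total_site_per_site_year": total_site,
        "cpma": d / total_site,
        # ratio behind the slide 23 bar chart: site total vs one unit's PRA CDF
        "site_vs_single_pra": total_site / max(unit_cdf.values()),
    }


if __name__ == "__main__":
    dual_total, shares = dual_unit_shares(DUAL_UNIT_CDF)
    print({k: f"{v:.0%}" for k, v in shares.items()})
    print(integrated_site_metrics(UNIT_CDF_PER_REACTOR_YEAR, dual_total))
```

With these inputs the site total lands between one unit's PRA CDF and the naive sum of both units, which is the optimism of a single-reactor PRA that the slides describe.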

26 Conceptual Two Unit Station Risk Profile
[Figure: frequency of exceedance of damage level D (events per station-year) versus accident consequence or damage level]

27 Doubling the Source Term for a Large Early Release More than Doubles the Early Health Effects
- Factor of 5 increase in expected consequences

28 Results for Site Level 3 Risk Metric: Latent Cancer Fatality Risk
[Figure: latent cancer fatality risk results, with regions labelled "Risk Dominated by Single Reactor Events" and "Risk Dominated by Multi-Reactor Events"]

29 PWR with Shared Systems: CDF Contributions by Initiating Event
[Figure: CDF contributions by initiating event]
CPMA = 0.67

30 CPMA Data Points

31 Help is on the way: Guidance and standards for multi-unit PRA
- IAEA TECDOC 1804: Attributes for PSA Applications for MUPRA
- IAEA Technical Approach for Multi-Unit PSA
  - Guidance on how to perform multi-unit PRA
  - Pilot study in progress on existing European 4-Unit site
- ASME/ANS PRA Standard for non-LWRs
  - Requirements for multi-module PRA
- ASME/ANS PRA Standard, Non-Mandatory Appendix for Multiunit PRA
  - Requirements for multi-unit PRA
- NRC Level 3 PRA
  - Includes integrated risks of two units and spent fuel storage

32 Summary
- The one-reactor-at-a-time mindset has inhibited our safety culture
- Based on available evidence the risk of multi-unit accidents:
  - Is likely dominant for all the external hazards
  - Is surely significant for loss of offsite power/station blackout for all sites
  - Is likely dominant on plants with shared systems and structures
- Single reactor PRAs on multi-unit sites yield misleading and optimistic risk insights due to the one-reactor-at-a-time mindset
- Site based risk metrics should be used in risk-informed decision making
- Deterministic safety principles such as defense-in-depth need to be revisited to address prevention and mitigation of multi-unit accidents
- The safety significance of shared systems and structures needs to be rethought in the context of a multi-unit safety assessment
- Multi-unit risk is getting some interest for modular reactors but remains an open issue for operating plants