“ reliability of passive systems that utilize natural circulation ” m. marquès

Trieste (June 25-29, 2007) 1Natural Circulation in Water-Cooled Nuclear Power Plants, ICTP,

“ Reliability of Passive Systems that utilize Natural Circulation ”

M. Marquès

CEA/Cadarache, DER/SESI Building 212,

13108 Saint-Paul-lez-Durance Cedex, France

[email protected]


Framework

Reliability Methods for Passive Safety Function

(RMPS Project)

EUROPEAN COMMISSION

5th EURATOM FRAMEWORK PROGRAMME 1998-2002

KEY ACTION NUCLEAR FISSION

Acknowledgments

S. Casalta (EC), F. D’Auria (PISA U.),

L. Burgazzi (ENEA), C. Müller (GRS), R. Bolado-Lavin (JRC/IE),

V. La Lumia (TECHNICATOME), I. Ivanov (SOFIA U.)


Objectives of the course

•To tackle the problem of the failure risk of NC systems

• To propose a methodology to evaluate the reliability of these systems and to carry out sensitivity analyses.

•To present an overview of the methodology which has been developed, in insisting on specific points

•To illustrate by an application on a example of passive system.


Content

Introduction, definitions

Example of a NC system

Part 1 : Identification and Quantification of the sources of uncertainties in NC systems

Part 2 : NC systems Reliability evaluations

Part 3 : Integration of NC system reliability in Probabilistic Safety Analysis

Conclusion


Passive System definition

Following the IAEA definition:a passive system is either a system which

is composed of passive components* and structures or a system which uses active components in a very limited way to initiate subsequent passive operation.

* Passive component : a component which does not need any external input to operate.

Ref. [IAEA–TECDOC–626.1991]


Advantages of Passive Systems

simplicity,

reduction of human intervention

reduction or avoidance of external electrical power or signal


Classification of Passive Systems (1/4)

•Category A

- no signal inputs of “intelligence”, no external power sources or forces,

- no moving mechanical parts,

- no moving working fluid.

Exemples: physical barriers against the release of fission products (nuclear fuel cladding and pressure boundary systems), core cooling systems relying only on heat radiation and/or conduction…



•Category B


- no moving mechanical parts, but

- moving working fluids.

The fluid movement is only due to thermal-hydraulic conditions occurring when the safety function is activated.

Exemples: reactor shutdown/emergency cooling systems based on injection of borated water from an external water pool, reactor emergency cooling systems based on air or water natural circulation in heat exchangers immersed in water pools (inside the containment)…



•Category C


- moving mechanical parts, whether or not moving working fluids are also present.

The fluid motion is characterized as in category B; mechanical movements are due to imbalances within the system (e.g., static pressure in check and relief valves, hydrostatic pressure in accumulators) and forces directly exerted by the process.

Examples: emergency injection systems consisting of accumulators or storage tanks and discharge lines equipped with check valves, mechanical actuator, such as check valves and spring-loaded relief valves.



•Category D

intermediary zone between active and passive where the execution of the safety function is made through passive methods except that internal intelligence is not available to initiate the process. In these cases an external signal is permitted to trigger the passive process.

Exemple: emergency core cooling systems, based on gravity-driven flow of water, activated by valves which break open on demand.


Passive Systems with a working moving fluid

•Passive Systems with a working moving fluid (B, C or D) in these designs rely on natural forces, such as natural circulation, to perform their accident prevention and mitigation functions once actuated and started.

•Because the magnitude of the natural forces, which drive the operation of passive systems, is relatively small, counter-forces (e.g., friction) can be of comparable magnitude and cannot be ignored as is usually done with pumped systems.

•Due to the environment and to the physical phenomena that may deviate from expectation, the passive system may fail to meet its required passive function.

•The quantification of the T-H unreliability is often still a difficult process due to the numerous uncertainties


RMPS objectives

Necessity to evaluate the reliability of these passive systems.

to propose a specific methodology to assess the reliability of thermal-hydraulic (T-H) passive systems.

to test the methodology on several examples of T-H passive systems.


RMPS Secondary Objectives

•Identification and quantification of the sources of uncertainties and determination of the important variables.

•Propagation of the uncertainties through a T-H model and reliability evaluation of the T-H passive system.

•Integration of the T-H passive system in an accident sequence.


Example of Passive System that utilizes NC•Residual Passive heat Removal

system on the Primary circuit (or RP2), an innovating system supposed to be implemented on a 900 MWe Pressurized Water Reactor.

•This system is composed of three circuits dedicated to the heat removal, each one being connected on a loop of the primary circuit. Each circuit includes an exchanger immersed in a cooling pool located inside the containment, and a valve to allow its starting. The exchanger is located in height compared to the main piping of the primary circuit to allow a natural convection between the core and the exchanger. On criterion of emergency shutdown, the valve opens and the natural convection starts. The residual power produced by the fuel is transferred to the cooling pool via the RP2 exchanger.

he

h

RP2

he

h

RP2

RP2 : Residual Passive heat Removal system on the Primary circuit


PART 1

Identification and Quantification of the sources of uncertainties in NC systems

Characterisation of the systemMission of the systemFailure modeSuccess/failure criteriaModelling of the system

Identification of the sources of uncertaintiesOverview of uncertainties related to passive systems that utilize NCIdentification of the relevant parameters AHP

Quantification of the uncertaintiesSensitivity analysis

ObjectivesQualitative methods for sensitivity analysisQuantitative methods for sensitivity analysis

Application to the RP2 systemCharacterisation of the RP2 systemModelling of the RP2 systemIdentification of the sources of uncertainties of the RP2 systemQuantification of the uncertainties of the RP2 systemSensitivity analysis of the RP2 system


Characterisation of the system

Mission of the system: The mission(s) of the system are the goal(s) for which the Passive System has been designed and located within the complete system (decay heat removal, cooling of the vessel, pressure decrease of the primary circuit… )

Failure mode: The effect by which a failure is observed qualitative analysis, Failure Mode and Effect Analysis.

Success/failure criteria: logical and/or numerical relationships which define the failure condition for the Passive System.

Modelling of the system: Due to the lack of available experimental databases for passive systems in operation, the evaluation should rely on numerical modelling, e.g. by means of simulation via best-estimate codes.


Identification of the sources of uncertainties

Identification of the potentially important contributors to uncertainty of the code results: approximations in modelling the physical process, approximations in modelling the system geometry, input variables: initial and boundary conditions,

dimensions, physical properties and thermal-hydraulic parameters.

Identification of the relevant parameters: based on The Expert Opinion of the physical

process and of the thermal hydraulic codes Analytical Hierarchy Process: AHP.


Analytical Hierarchy Process

•Define the top goal•Build the hierarchy in different levels•Place the basic parameters at the bottom•Pair-wise comparison by expert judgment

•Priority vectors•Ranking of the parameters

Top goal

Y1 Y4 Y3 Y2

WY1 WY2 WY3 WY4

A B C

WAY1 WAY2

WAY3

WAY4

1 = A and B equally important,

3 = A slightly more important than B,

5 = A strongly more important than B,

7 = A very strongly more important than B,

9 = A absolutely more important than B.


Quantification of the uncertainties

Selection of: Range of uncertainty. Probability density function.

Based on: Particularity of the data base (amount of data). Physical considerations, correlation between parameters. End use of the uncertainty analysis.


Choice of the distributions

Expert judgment : Minimal and maximal value Mean value Percentiles of the distribution, Choice of the distribution

Necessary to test the influence of the choice of the distribution on the model response

possibility to measure the influence of input distribution changes without running again the T-H code : weighting method, extended rejection method

Uniform

Normal

Loi Weibull de paramètres 2,10

0 5 10 15 20 25 30

Log-Normal


Sensitivity analysis

Goal: identify the main contributors to passive system performance:

Guide further code development.

Prioritize experimental investigation.

Screening of the parameters.


Sensitivity analysis: Qualitative methodGrade Rank for Uncertainty and Sensitivity.

Grade Definition

Uncertainty H

M

L

The phenomenon is not represented in the computer modelling or the model is too complex or inappropriate which indicates that the calculation results will have a high degree of uncertainty.

The phenomenon is represented by simple modelling based on experimental observations or results.

The phenomenon is modelled in a detailed way with adequate validation.

Sensitivity H

M

L

The phenomenon is expected to have a significant impact on the system failure

The phenomenon is expected to have a moderate impact on the system failure

The phenomenon is expected to have only a small impact on the system failure

Failure Modes related Uncertainty and Sensitivity.

TOPIC UNCERTAINTY SENSITIVITY

Envelope failure L H

Cracking L L

Non-condensable gas H H

Thermal stratification H H

Surface characteristics modification (e.g. oxidation)

M L


Sensitivity analysis: Quantitative methods (1/4)

Indices adapted :

for linear models :Pearson Coefficient

Standardized Regression Coefficients (SRC)

Coefficients de corrélation partielle (PCC)

for non linear, but monotonous modelsRank transformation (Spearman coefficient, SRRC, PRCC)

for non linear, nor monotonous modelsSOBOL indices

Determination coefficient :

The closer R2 to unity; the better the model performance.

N

1i

2i

N

1i

2i

2

yy

yyR


Sensitivity analysis: quantitative methods (2/4)

Indices adapted for linear models

Standardized Regression Coefficients (SRC)

Partial correlation coefficients (PCC)

correlation coefficient between:

where

p

1iii0 XY

)Y(Var

)X(Var)X,Y(SRC i

ii

YY and jjXX :

hjh

h0jhjh

h0 xccX,xbbY



Indices adapted for

Non linear, but monotonous models

Rank transformation : The rank transform is a simple procedure, which involves replacing the data with their corresponding ranks.

Standardized rank regression coefficients (SRRCs) and partial rank correlation coefficients (PRCCs).

Coefficient of determination based on the rank R2*.

The R2* will be higher than the R2 in case of non-linear models.



Non linear, but monotonous models The Sobol indices

Decomposition of the total variance of the response D into 2p-1 terms (p random variables).

For instance, with 3 random variables:

Generalization to a model with p inputs:

In dividing the equation by D, we obtain:

where the terms S are called the sensitivity indices.

123231312321 DDDDDDDD

p,...,2,1pji1

j,i

p

1ii D...DDD

p,...,2,1pji1

j,i

p

1ii S...SS1


Example of RP2 system: Characterization

•Accidental scenario: transient of Total Loss of the Power Supplies (or Blackout).

•Mission of the RP2 system to depressurise the primary circuit and to avoid the fusion of the core.

•Failure criterion: if the maximum clad temperature 500°C or fluid temperature at the core output 450°C, in less than 12 hours.


Modelling of the RP2 system

•A modelling with CATHARE of a complete pressurized water reactor PWR 900 MWe with the 3 simulated primary/secondary loops was thus carried out.

•Each loop is equipped with the RP2 system with its exchanger immersed in a pool. The 3 cooling pools are modelled independently.

•The CATHARE version used is the version 1.5a MOD 3.1.

8.175

10.758

18.862

20.484

19.198

23.538

10.758

25.488

18.569

17.481

8.093

11.249

19.698

22.769

18.112

12.981

16.582

16.282

15.782

13.782

13.282

Echanges RP2 -

Piscine

Piscine

Barillet

Circuit RP2

Pressuriseur

GV Secondai

re

GV Primaire

Echanges GV Primaire - Secondaire

28.488

8.093

Cuve Cuve

Branche chaude

Branche froide

Vanne RP2

29.988 30.488 Ligne vapeur

0.0

12.015 12.015


Example of RP2 system: uncertain parameters

For each of the three BOPHR/RP2 systems (i = 1,3):

Ii: instant of opening of the isolation valve of the RP2;

Xi: rate of incondensable at the inlet of the RP2 exchanger;

Li: initial pool level;

Ti: initial temperature of the water of the pool;

Ci: fouling of the tubes of RP2 exchanger;

Ri: number of broken tubes of RP2 exchanger.

For the primary circuit:

PUI: percentage of the nominal power of the core;

PP: pressure in the pressurizer;

ANS: decay of residual power according to the ANS law.

For the secondary circuit (i = 1,3):

NGVi: real secondary level in the three steam generators.


Example of RP2 system: Quantification of uncertainties

Variable Distribution Average Standard deviation

Xmin Xmax

I1, I2, I3 Composed

X1, X2, X3 Exponential 182 0

L1,L2,L3 Truncated normal

4.5 0.6 2 5

T1, T2, T3 Truncated normal

303 20 280 368

C1, C2, C3 Truncated normal

15 5 0 30

R1, R2, R3 Exponential 7 0

PUI Truncated normal

100 1 98 102

PP Truncated normal

155 4 153 166

ANS Truncated normal

10 5 0 20

NGV1, NGV2, NGV3

Truncated normal

12.78 0.30 12.08 13.91


Instant of opening of the RP2 ValveThe valve is supposed to be a pneumatic valve opened by default of

power supply: •a default of power supply implies the closure of the valve of compressed air

supply which causes the opening of the pneumatic valve.•we suppose that the failure of opening of the pneumatic valve is due to the

failure of closure of the valve of compressed air supply. •after half an hour, we suppose that the action of an operator is possible in

case of non-opening of the valve. •we have considered only two states for the valve, completely open or

completely close.The state of the valve (open/close) is then modeled by :

•a discrete variable with two values, giving the state of the valve at the initial time just after the black-out :Ot=0 : P(Ot=0) = 0.95Ft=0 : P(Ft=0) = 0.05•a continuous variable giving the instant of opening of the valve after the time t= 30 mn ,in the case the valve fails to open at the initial timeP(Ot>30/F0)= Log(1.0607t + 0.809) (--> P=1 à t=5heures)

Probabilité d'ouverture d'une vanne refusant de s'ouvrir à l'instatnt initial

-0,2

0

0,2

0,4

0,6

0,8

1

1,2

0 2000 4000 6000 8000 10000 12000 14000 16000 18000 20000

Temps (s)Pr

obab

ilité

d'o

uver

ture


Example of RP2 system: sensitivity analysis

Sensitivity on total energy extarcted by RP2's

-0,7

-0,6

-0,5

-0,4

-0,3

-0,2

-0,1

0

0,1

0,2

l1 l2 l3 X1 X2 X3 L1 L2 L3 T1 T2 T3 C1 C2 C3 PUI PP ANS NGV1 NGV2 NGV3

Input variables

Se

ns

ivit

y i

nd

ex

es

Sensitivity on total energy extarcted by RP2's

-0,05

0

0,05

0,1

0,15

0,2

0,25

0,3

0,35

0,4

0,45

0,5

l1 l2 l3 X1 X2 X3 L1 L2 L3 T1 T2 T3 C1 C2 C3 PUI PP ANS NGV1 NGV2 NGV3

Input variables

Se

ns

ivit

y i

nd

ex

es

Standardised Regression Coefficients (SRC)

SOBOL indices

corethebyproducedEnergy

2RPbyextractedenergy

=ratio

3

1=ii∑


Summary of the part 1

Definition of the accidental scenario.

Characterization: missions of the system, its failure modes and the failure criteria are defined.

Evaluation by qualified thermal-hydraulic system code performing best estimate calculations.

Identification of the potentially important contributors to uncertainty of the code results.

Identification of the relevant parameters.

Sensitivity analysis: guidance as to where to improve the state of knowledge in order to reduce the output uncertainties most effectively.


PART 2

Reliability evaluations of passive systems that utilize NC

Propagating the uncertainties

Uncertainty range

Density of probability

Conclusion on the methods for propagating uncertainties

Evaluating the reliability

Reliability evaluations using Monte-Carlo simulation

Approximated methods (FORM/SORM)

Conclusion on the methods for evaluating the reliability

Application to the RP2 system


Loi Weibull de paramètres 2,10

0 5 10 15 20 25 30

Propagating the uncertainties (1/3)

Y=g(X1,…,Xn)

X1

X2 Xn

…

Evaluation of Y performance of the passive system

Thermal-hydraulic code

mY MY

Range of variation of Y Distribution of Y



Uncertainty range of the response

A two-sided tolerance interval [m,M] of a response Y, for a fractile and a confidence level is given by:

Number of calculation given by Wilks formula:

MYmPP

1NN 1N1

Two-sided statistical tolerance limit

/ 0.90 0.95 0.99

0.90 38 77 388

0.95 46 93 473

0.99 64 130 662



Empirical distribution are fitted by theoretical pdf Choice of the pdf based on goodness-of-fit tests

Kolmogorov-Smirnov 2 Cramer Von Mises

Monte-Carlo simulation Response surface method Method of moments

0,00

0,10

0,20

0,30

0,40

0,50

0,60

0,70

0,80

0,90

1,00

0,4 0,5 0,6 0,7 0,8 0,9 1 1,1 1,2

IC power integral ratio

Prob

abili

ty

RELPA5/mod3.2

CATHARE

ATHLET

RELAP5/mod3.1


Reliability evaluations (1/6)

Performance function of a passive system for a specified mission:

M = performance criterion – limit = g(X1, X2,…,Xn)

M = 0: limit state, or failure surface, M < 0: failure state, M > 0: safe state.

Failure Probability:

n21n21 dx,...,dx,dx)x,...,x,x(Xf f...P



Direct Monte-Carlo simulation techniques

N

NP f

f

Failure domain

Safe domain

N

PP1)P(Var ff

f



Variance reduction techniques

Importance sampling

Stratified sampling, Latin Hypercube sampling

Other : directional simulation…

N

1i nii1X

nii1Xff )x,...,x(h

)x,...,x(fI

N

1P



Response surface

Types: • polynomial, • thin plate splines , • neural network…

Quality of approximation and prediction

0,8

0,85

0,9

0,95

1

1,05

1,1

0,8 0,85 0,9 0,95 1 1,05 1,1

Observed

Pre

dic

ted



Approximated methods (FORM/SORM)

1. the transformation of the space of the basic random variables X1, X2,…,Xn into a

space of standard normal variables,

2. the research, in this transformed space, of the point of minimum distance from the origin on the limit state surface (design point),

3. an approximation of the failure surface near the design point,

4. a computation of the failure probability corresponding to the approximating failure surface.

FORM method SORM method

0

Failuredomain

U1

U2

U*

G(U) = 0

HL

Safedomain

Pf = (-HL)

1N

1i iHLf

1

1P HL


Reliability evaluations (6/6)Conclusion on the methods for evaluating the reliability

Simulations FORM/SORM RESULTS

FAILURE PROBABILITY ERROR ON THE ESTIMATION PROBABILITY DISTRIBUTION OF THE RESPONSE

ASSUMPTIONS

NO ASSUMPTION ON THE RANDOM VARIABLES (DISCRETE, CONTINOUS, DEPENDANCY…) NO ASSUMPTION ON THE LIMIT STATE FUNCTION

DRAWBACKS

COMPUTATION COSTS (depends on the probability level)

RESULTS

FAILURE PROBABILITY MOST INFLUENTIAL VARIABLES (PROBABILITY) EFFICIENCY (depends on the number of random variables)

ASSUMPTIONS

CONTINOUS RANDOM VARIABLES CONTINOUS LIMIT STATE FUNCTION

DRAWBACKS

NO ERROR ON THE ESTIMATION GLOBAL MINIMUM


Global reliability analysis of the RP2 system (1/3)

Broad ranges of variation for the characteristic parameters, supposed to represent the whole set of initial configurations:

Advantage: • single reliability analysis of the system,• limited number of uncertainty calculations.

Drawbacks • conservative,• does not give the influence of the passive system

on different accidental situations.



M = Core outlet temperature12 hours – 450°C = g(X1, X2,…,X24)

Monte-Carlo simulation Evaluation of M with the CATHARE code

Failure of the system in 7% of the cases. All corresponding to cases with one tube rupture in one of the

RP2’s. Limit core output temperature is reached between 4100s and

7100s.

Evolution of the outlet temperature of the core

0

50

100

150

200

250

300

350

400

450

500

0 1000 2000 3000 4000 5000 6000 7000

Time (s)

Tem

per

atu

res

(°C

)

Core oulet temperature

Saturation Temp.

Example

of a failure case



Example of response surface fitted of performance criterion

0,8

0,85

0,9

0,95

1

1,05

1,1

0,8 0,85 0,9 0,95 1 1,05 1,1

Observed

Pre

dic

ted

0,8

0,85

0,9

0,95

1

1,05

1,1

0,8 0,85 0,9 0,95 1 1,05 1,1

Observed

Pre

dic

ted



=ratio

3

1=ii∑

Neural network 21_30_1

R2 = 0.90

3rd degree polynomial

R2 = 0.93


Specific reliability analyses of the RP2 system (1/4)

In order to test the influence of the passive system on different accidental situations :

• specific ranges of variation and specific PDFs of the characteristic parameters for each studied sequence.

•specific failure criteria•specific reliability and sensitivity analyses for

each studied sequences.

Example of the sequence with two RP2 available and no broken tube in the RP2 exchanger.



Probabilistic model of the 14 parametersVariable Distribution Par 1 Par 2 Xmin Xmax

X1, X2 Rate of

incondensable

Truncated log-normal

0.12 0.43 0 1

L1, L2 Pool level

Truncated normal

4.5 0.5 4 5

T1, T2 Pool temperature

Truncated normal

30 20 10 50

C1, C2 Tube fouling


12 0.4 0 30

PUI Percentage of

nominal power

Truncated normal

100 2 98 102

PP Primary pressure

Truncated normal

155 2 153 157

ANS Residual power

decay


6 0.4 0 20

NGV1, NGV2, NGV3

Secondary level in SG

Truncated normal

12.78 0.70 12.08 13.91



M = Core outlet temperature12 hours – 450°C = g(X1, X2,…,X14)

Monte-Carlo simulation Evaluation of M with the CATHARE code

Conditional failure probability p1 (failure of the T-H process when

only two RP2 are available) evaluated to to 0.24

Example of a failure case


Specific sensitivity analyses of the RP2 system (4/4)

•sensitivity analyses in order to determine the parameters whose uncertainty influence the most the failure or the performance of the system.

•the most influential parameters are the percentage of the residual power decay curve (ANS) and the initial pool levels (L1, L2)

-3,00E-01

-2,00E-01

-1,00E-01

0,00E+00

1,00E-01

2,00E-01

3,00E-01

4,00E-01

5,00E-01

6,00E-01

X1 X2 L1 L2 T1 T2 C1 C2 PUI PP ANS NGV1 NGV2 NGV3

SRC

PCC

2 RP2 , no broken tubes

-6,00E-01

-5,00E-01

-4,00E-01

-3,00E-01

-2,00E-01

-1,00E-01

0,00E+00

1,00E-01

2,00E-01

3,00E-01

X1 X2 L1 L2 T1 T2 C1 C2 PUI PP ANS NGV1 NGV2 NGV3

SRC

PCC

FailureSystem performance



=ratio

2

1=ii∑


Summary of the part 2

The uncertainty in the physical response of the T-H code can be evaluated by a confidence interval or by a pdf.

Methods giving an uncertainty range of the system performance are not very useful for reliability estimation.

The pdf of the system performance can be directly used for reliability estimation once a failure criterion is given.

For the evaluation of the pdf, the existing methods are generally based on Monte-Carlo simulations.

Monte-Carlo simulations require a large number of calculations and can be often prohibitive when each calculation involves a long and onerous computer time.

To avoid this problem, two approaches are possible: the variance reduction techniques in Monte-Carlo methods or the use of response surfaces

Possible to use approximate methods such as First and Second Order Reliability Methods (FORM/SORM).


Part 3

Integration of NC system reliability in Probabilistic Safety Analysis

Overview of PSA

Levels of PSA

PSA structure

Benefits of PSA

Limitation and drawbacks of PSA

Interface between PSA and passive system reliability model

Application to the RP2 system

Approach used

Specific reliability analyses for the PSA integration

Integration of the reliability of the RP2 passive system in PSA


Overview of PSA

The first comprehensive application of the PSA dates back to 1975, to the United States Nuclear Regulatory Commission's (U.S. NRC) Reactor Safety Study [WASH-1400].

Since that pioneering study, PSA techniques have become a standard tool in the safety evaluation of the nuclear power plants (NPPs) and industrial installations in general.

Levels of PSA:

Level 1: The assessment of plant failures leading to core damage and the estimation of core damage frequency. Level 1 PSA provides estimates of the accidents frequency and the main contributors.

Level 2: PSA at this level provides estimates of off-site\ release frequencies, based on the containment response and severe accident management possibilities. The results obtained in Level 1 are the basis for Level 2 quantification.

Level 3: The assessment of off-site consequences leading to estimates of risks to the public. Level 3 incorporates results from both previous levels.

Level 1 PSA is the most important level and creates the background for further risk assessment, therefore it has been used for the development of the methodology.


Phases of a PSA projectPlanning phase:•scope of the study, assumptions, limitations,

level of detail and other boundary conditions•Physical boundaries of the system : which parts

are to be included in the analysis and which are not?

•Operational state of the system have to be fixed, at which capacity the system is analyzed (full or reduced), what are the equipment states (valves open or closed etc.)?

•What external factors are to be analyzed (e.g. earthquake, extreme wind etc.)?

• The level of detail is also an important issue, e.g. is it enough to identify the reason as a ''pump failure'' or the detailed classification is required as pump failure at start, while running, due to cooling failure or oil leak and so forth. The level of detail is often restricted by the amount of information available.

Model Construction consists of selection of initiating events (IE), modeling of accident sequences by FT/ET and quantification of the model components (initiating events, basic events, success criteria).

Calculations is a broad area of PSA work. It includes calculations of top event probabilities, importance, sensitivity and uncertainty analysis, quantification of sequences and consequences.

The last phase is to draw conclusions, provide recommendations and support for safety improvement decisions.


Initiating event, accidental sequences

•The initial step in the construction of the model is to select initiating events (IE).

•The initiating event is an event (e.g. equipment failure, transient) that can lead to the accident if no protective actions are taken.

•The protective actions can be either automatic (most safety systems are actuated in this way) or manual (operator intervention is required).

•For each selected IE, detailed examination of the accident progression has to be made and accident sequences as logical combinations of success/failure conditions of functions or systems are identified.

• Each accident sequence ends with certain consequence, which also have to be defined.

•Consequences in the case of Level 1 PSA of NPPs are usually defined as degrees of reactor core damage, including 'safe' state and 'severe' accident state.


Event Trees

•Event trees are used for the graphical and logical presentation of the accident sequences.

•Starting from the initiating event•Combining the success/failure conditions of functions or

systems (usually safety systems, also called front-line systems)•Terminating by the consequences


Fault trees

•The logical combinations of success/failure conditions of functions or systems in the event tree are modeled by the fault trees.

•A fault tree logically combines the top event (e.g. complete failure of a support system) and the causes for that event (e.g. equipment failure, operator error etc.).

•The fault tree mainly consists of the basic events (all possible causes of the top event that are consistent with the level of detail of the study) and logical gates (OR, AND, M out of N and other logical operations).


Interface between PSA and passive system reliability model

•RMPS is developed to produce reliability estimate of a specific passive safety system, based on phenomenological process (e.g. natural circulation). Failure of the physical process itself is the major contributor to the failure of the whole system together with some activating components (e.g. valves, actuation signal).

•In principle, the physical phenomenon could be represented as a basic event in a system fault tree, like any other component, which failure contributes to failure of the whole system. The system fault tree in a case of passive systems would be very simple, consisting of several basic events, representing failure of physical phenomena (natural circulation) and failure of activating valve or other means of initial system activation. The difference could be only in failure model, as exponential model conventionally used to model component failures is not applicable.

•A suitable alternative would be to use directly failure probability obtained in the reliability analysis of the passive system in the event tree.

Passive System Failure

1.1.1.1.11.1.1.1.Passive System Fa

Failure of components (i.e. activating valves,

piping failure)

Failure of physical processes to complete its function (e.g. instability of natural circulation)


Classification of the RP2 System malfunctions

Malfunctions which could affect the RP2 system are of 3 types.

Passive system components failures:

•Non opening per demand of the RP2 valve,

•Broken tubes in the RP2 exchanger.

Occurrence of an initial non standard configuration for the passive system, detectable by a monitoring system:

•Pool level lower than the low level threshold,

•Pool water temperature higher than the high temperature threshold,

•Steam generator level lower than the low level threshold,

•Primary pressure level higher than the high level threshold.

Occurrence of an initial non standard configuration for the passive system, undetectable by any monitoring system:

•The rate of incondensable at the inlet of the RP2 exchanger,

•The fouling of the tubes of the RP2 exchanger.


Quantification of the failure probabilities

Failure of Components of the system

(valves, tubes)Monitoring systems (pool water

level and temperature) Safety injection system : analogy with similar

components or systems existing on PWR reactors

Failures of the monitoring systems for steam generator level and primary pressure

negligible because they are safety system of the reactor.

Failures of the physical process :

quantitative reliability analysis with CATHARE

CATEGORIES OF FAILURE

FAILURE TYPE FAILURE PROBABILITY

(/demand)

Non opening per demand of the RP2 valve (defined for each RP2 loop)

3.10-3

Component failure Broken tubes in the RP2 exchanger (for at least 1 of the 3 RP2 loop)

3.10-3 / hypothesis : 10-3 per RP2 loop

Failure of the pool level measure (captor, calculator)

3.10-3

Failure of the pool water temperature measure (captor, calculator)

3.10-3

Failure of the steam generator level measure (captor, calculator)

Initial non standard configuration

detectable by a monitoring system

Failure of the primary pressure measure

Negligible (reactor safety system)

T-H process failure (p1) with 1 RP2 loop not available and no broken tubes

0.24

T-H process failure T-H process failure (p2) with 1 RP2 loop not available and broken tubes

0.04

Safety injection system Failure of safety injection by accumulators

10-3


Initiating and basic events

A simplified event tree is built starting from :•Initiating Event of Total Loss of the Power supplies

(reactor in full power) The probability of occurrence of this IE is 10-5/year (value obtained by

a fault tree analysis carried out on an analog real reactor)

And considering the 4 basic events: •Failure on solicitation of the RP2 system,The failure probability is obtained in cumulating the failure probabilities

of the monitoring systems for pool level and pool temperature, and the probability for the non-opening of the valve 10-2/demand for each RP2 loop.

•Failure of a tube in at least one of the 3 RP2 exchangers•Failure of the physical process•Failure of the Safety Injection System.


Order of the basic events

•The RP2 systems are solicited after the Initiating event, because normal means (active safety systems), which requires an energy source, are not available.

•The safety injection system is usable if the primary system is sufficiently depressurised (40 bars), i.e. if at least one tube of exchanger is broken.

•Exchanger tube can break only if the RP2 is available (valve is opened)•Physical process (natural circulation) is possible only if the RP2 is

available (valve is opened)

-->The order is :

•Failure/Availability on solicitation of the RP2 system,•Failure/Availability of a tube of exchanger•Failure/Availability of the physical process•Failure/Availability of the Safety Injection System

•Possible competition between RP2 system and Safety Injection System


Simplified event tree of total loss of power supply

Loss of electrical

supply

10-5/year

Number of RP2 available

Failure on solicitation 10-2/demand/RP2 loop

Broken tubes in, at least, one of 3

RP2 loops 3.10-3/for 3 RP2

Failure of the T-H

Process

Safety injection

10-3/demand

Number of the sequence

3 RP2 loops P = 1 - 3.10-2 -

2 RP2 loops P = 3.10-2

1 RP2 loop P = 3.10-4

0 RP2 loop P = 10-6

p1

p2

1

2 3 4 5 6

7 8 9 10

11

12


Missions of the RP2

2 different missions for the RP2 depending on the scenario :

•For scenarios where no exchanger tube is broken (and thus for those the RP2 system must manage the situation alone) : the RP2 mission is to cool sufficiently the core in order to avoid its damage in pressure (the criterion is a limit temperature of the clad)

•For scenarios where at least one exchanger tube is broken : the RP2 mission is to depressurize sufficiently the primary circuit in order to allow the starting of the Safety Injection System (this system is not modelled by CATHARE : we suppose that if it start it will fulfil its mission which is to cool sufficiently the core)

•Possible competition between RP2 system and Safety Injection System : when the IS start, the RP2 continue to remove the residual power, but we cannot analyze more this competition in the lack of IS modelling. One can simply suppose that, as the two systems take part in the core cooling, their simultaneous action can be beneficial.


Uncertain parameters Servicing situation

Parametersof

RP2

Name(unit)

Abbreviation Nominal value

Minimal value

(if control system failure)

Minimal value

Maximal value

Maximal value

(if control system failure)

Non-condensable fraction at the

inlet of the RP2 exchanger

X 0.1 No control system

0 1 No control system

Initial pool level (m)

L 4.5 0.8(level control

failure)

4 5 ?(level control

failure)

Initial pool temperature

(°C)

T 30 7(temperature

control failure)

10 50 95(temperature

control failure)

Exchanger tubes fouling(%)

C 7.5 No control system

0 15 No control system

Parameterof the reactor

Percentage of the nominal power

(%)(Nominal power

= 2775 MW)

PUI 100 - 98 102 -

Pressurizer pressure (bar)

PP 155 ?(On-off heater)

154 157 166(spray)

Residual power decay

(ANS curve + N%)

ANS 5 - 0 20 -

Secondary level in the steam

generator (m)

NGV 12.78 11.17(Tube sheet

level)

12.08(25% narrow

range)

13.91(75% narrow

range)

14.83(100% narrow

range)


Deterministic evaluation with CATHARE

Loss of electrical

supply

10-5/year





Failure of the T-H

Process

Safety injection

10-3/demand


Final situation of the reactor

3 RP2 loops P = 1 - 3.10-2 -

2 RP2 loops P = 3.10-2

1 RP2 loop P = 3.10-4

0 RP2 loop P = 10-6

p1

p2

1

2 3 4 5 6

7 8 9 10

11

12

Safe situation

Safe situation

Core fusion

Safe situation

Core fusion

Safe situation

Core fusion

Core fusion

Core fusion

Core fusion (envelop effect)

Core fusion

Core fusion


Sequence 1: 3RP2, no broken tube


Uncertainty analysis with CATHARE

Loss of electrical

supply

10-5/year





Failure of the T-H

Process

Safety injection

10-3/demand



3 RP2 loops P = 1 - 3.10-2 -

2 RP2 loops P = 3.10-2

1 RP2 loop P = 3.10-4

0 RP2 loop P = 10-6

p1=0.24

p2=0.04

1

2 3 4 5 6

7 8 9 10

11

12

Safe situation

Safe situation

Core fusion

Safe situation

Core fusion

Safe situation

Core fusion

Core fusion

Core fusion


Core fusion

Core fusion


Non-condensable fraction X

0

1

2

3

4

5

6

7

8

9

0 0,1 0,2 0,3 0,4 0,5 0,6 0,7 0,8 0,9 1

X

Pro

ba

bil

ity

Sequences 4 and 5: 2 RP2 available, no broken tube

Reliability analysis with CATHARE

p1 = 0.24Residual power decay (ANS curve + p%)

0

0,02

0,04

0,06

0,08

0,1

0,12

0,14

0,16

0,18

0,2

0 2 4 6 8 10 12 14 16 18 20

p (%)

Pro

ba

bil

ity

X

ANS

Objective :

Evaluate the probability “p1” of failure of the

thermal-hydraulic process when only two RP2 are available (sequence 5).

Variable Distribution Par 1 Par 2 Xmin Xmax

X1, X2 Truncated log-normal

0.12 0.43 0 1

L1, L2 Truncated normal 4.5 0.5 4 5

T1, T2 Truncated normal 30 20 10 50

C1, C2 Truncated log-normal

12 0.4 0 30

PUI Truncated normal 100 2 98 102

PP Truncated normal 155 2 153 157

ANS Truncated log-normal

6 0.4 0 20

NGV1, NGV2, NGV3

Truncated normal 12.78 0.70 12.08 13.91


Sequences 6, 7 and 8: 2 RP2 available, one broken tubeCATHARE calculation with the

nominal values of the parameters Dewatering of the core before

depressurisation of the primary circuit reaches 40 bars, it is not possible to conclude to a success or to a failure of the RP2 systems for this situation.

Reliability analysis with CATHARE

In this case, we have considered that the system fails if the primary pressure has not reached the value of 40 bars at the end of the calculation, when the limit temperature is reached.

p2 = 0.04


Evaluation of core damage probabilities

Loss of electrical

supply

10-5/year





Failure of the T-H

Process

Safety injection

10-3/demand



Occurrence yearly frequency

3 RP2 loops P = 1 - 3.10-2 -

2 RP2 loops P = 3.10-2

1 RP2 loop P = 3.10-4

0 RP2 loop P = 10-6

p1

=0.24

p2=0.04

1

2 3 4 5 6

7 8 9 10

11

12

Safe situation

Safe situation

Core fusion

Safe situation

Core fusion

Safe situation

Core fusion

Core fusion

Core fusion


Core fusion

Core fusion

3.10-11/year

7.2.10-8/year

9.10-13/year

3.6.10-11/year

3.10-9/year

10-12/year

9.10-15/year

10-11/year


PSA results and analysis

Core damage frequency, after a blackout evaluated at 7.5.10-8/year Sum of the probabilities of each accident sequence leading to the

core melt in pressure for the transient of blackout on the assumption that all the events are independent.

The probabilistic objectives of 10-7/year for all the transient families, which corresponds for a transient family to 10-8/year, is not respected

Sequence 5 represents 96% of the core damage frequency Necessary to re-examine the dimensioning of the RP2 system The probabilistic objective to reach for the T-H process

failure in case of 2 RP2 loops available is 0.03 (instead of 0.24)

These results underline the importance to take into account the T-H process failure probability to evaluate the reliability of a safety passive system


Specific limitation of the PSAThis analysis concerns only one initiating event, the Total Loss of

Power supplies, other initiating events have to be analysed,

The initiating events created by a failure of the RP2, when it is not in demand are not taken into account,

No aggravating event is considered, relative to the initiating event of Total Loss of Power supplies, else than the RP2 passive system failures (component failures or T-H process failure) and the safety injection,

Human factor (operator errors) are not explicitly taken into account,

No “mechanical” common cause failure between the 3 RP2 loops have been considered.

But the “thermal-hydraulic” common cause failure has been taken into account through the global CATHARE modelling of the 3 RP2 loops.

The common cause failure between the monitoring systems of the RP2 loop are considered as negligible,

No common cause failure is considered between the RP2 passive system and the safety injection.


Conclusion on this application

•Proposal of a methodology to integrate the passive systems unreliability in PSA and application to an example.

•Positive effect of the RP2 passive system on the reactor safety.

• Proposal of a new dimensioning of the RP2 in order to fully satisfy the reactor safety objectives.

•These results confirm that the development and the validation of a methodology of reliability analysis relative to the safety passive systems are a precondition to the implementation of such systems on a nuclear reactor.


Summary of the part 3There is a number of different ways how to integrate passive system reliability

model into the whole plant PSA model. It could be done directly in the event tree of relevant accident sequence as a single basic event, or a separate fault tree could be developed.

The new element in the probabilistic modeling of the passive system is the methodology to quantify reliability of the physical process, represented as a single basic event, from thermal-hydraulic modeling calculations.

In a first approach, applied to a simplified PSA carried out on a fictive reactor equipped with two types of safety passive systems, we have chosen an Event Tree (ET) representation of the accidental scenario.

The failures analyses performed on this reactor have allowed the characterisation of the technical failures and the ranges of variation of uncertain parameters which influence the physical process.

The majority of the sequences of this event tree have been analysed by deterministic evaluations with envelope values of the uncertain parameters.

For some sequences where the definition of envelope cases was impossible, basic events corresponding to the failure of the physical process have been added and uncertainty analyses have been performed to evaluate the corresponding probability of failure.

This methodology allows the probabilistic evaluation of the influence of the passive system on an accidental scenario and could be used to test the interest to replace an active system by a passive system on specific situations.


Methodology overview Identification of the system

Mission of the system Failure mode (FMEA) Success/failure criteria

Identification of the relevant parameters

(EJ, AHP)

Modeling of the System B-E Code selection Model development Model testing on reference scenarios Definition of model limitations Validation of the model Refinement of success/failure criteria

Sensitivity analysis

(B-E code runs) Linear

Non-linear

Quantification of the uncertainties of the relevant parameters

(EJ)

Screening of the uncertain parameters

Propagation of the uncertainties

Quantitative Reliability Evaluation Monte-Carlo simulation

(direct or accelerate) FORM/SORM

Direct propagation through the B-E code

Propagation through a response

surface

Choice of the response surface and experimental

design

Calculation with the B-E code for each

points of the experimental design

Determination of the coefficients of

the response surface


Conclusion (1/3)

A specific methodology is necessary for the evaluation of the reliability of passive system and its integration into the probabilistic analyses of accidental sequences

The Analytical Hierarchy Process has been chosen for the identification of the relevant parameters

Interest of sensitivity analysis for the determination, among the uncertain parameters, of the main contributors to the risk of failure of the passive system.

Quantification of the uncertainties is an fundamental step, but methods exist to measure the influence of input distribution changes without running again the T-H code


Conclusion (2/3)

Evaluation of the reliability of the systems for specific situations, once the probability density functions of the input parameters is defined, in using Monte-Carlo or FORM method. The use of response surface methods where the physical model is approximated by a simpler mathematical model is often necessary in order to reduce the number of calculations with the physical model.

Possibilities to integrate passive system reliability in a PSA sequence have been tested on an example. In a first approach, applied to a simplified PSA carried out on a fictive reactor equipped with two types of safety passive systems, we have chosen an Event Tree (ET) representation of the accidental scenario.

This methodology allows the probabilistic evaluation of the influence of the passive system on an accidental scenario and could be used to test the interest to replace an active system by a passive system on specific situations.


Conclusion (3/3)

The developed methodology participates to the safety assessment of reactors equipped with passive systems.

The development and the validation of a methodology of reliability analysis relative to the safety passive systems are a precondition to the implementation of such systems on a nuclear reactor. This methodology is required to gain the necessary confidence of:

The designers who define the architecture of reactors and safety systems. Indeed, the designers will accept new safety systems only if these systems remain at reasonable costs and with same efficiencies in comparison with the existing safety systems,

Regulatory authorities who will have to accept the implementation of such systems on a nuclear reactor.


Possible improvements (1/3)

Two items of the methodology roadmap deserve closer attention: the identification of the relevant parameters and the quantification of uncertainties

Rules, which guarantee a rationale approach to the problem and, which demonstrate that the procedure is based on realistic assumptions, would justify the choice of the uncertain parameters and moreover should convince the designer.

In the selection of the relevant input parameters, a clear distinction for the various kinds of uncertainties should be introduced distinguishing between modelling uncertainties on one side and uncertainties dealing with the state of knowledge about the passive systems and their characteristic parameters on the other side.



An other important item of improvement is the integration of the passive systems reliability in the PSAs.

•The first attempts performed within the framework of RMPS have taken into account as well the failures of the components of the passive system as the failures of the physical process involved like basic events in static event trees.

•This last choice might seem unsuitable because it does not appear to consider the dynamic aspects of the transient progression including dynamic system interactions, T-H induced failure, and operator actions in response to system dynamics. In fact, we have treated in the RMPS project, examples where the overall reactor, including the safety systems and in particular the passive system, is modelled by the T-H code. This leads to the fact that the dynamic system interactions are taken into account by the T-H calculation itself.

•In addition, we have not considered human intervention during the studied sequences, which is coherent with the usual utilization of the passive systems in innovative reactors. So, for a first approach, the event tree presentation seems a good and simple representation for the assessment of accident sequences, including the passive systems.

•In order to generalise the methodology, it is important to take into account the dynamics aspects differently than by their alone modelling into the T-H code. Indeed in complex situations where several safety systems are competing and where the human operation cannot be completely eliminated, this modelling should prove to be impossible or too expensive in computing times. It is thus interesting to explore other solutions already used in the dynamic PSA like the method of the dynamic event trees.



A very important issue is on the human factors, which play an important role in the reliability assessment of a passive system.

•Indeed the periodic maintenance and inspection of such systems introduce particular constraints ; unlike an active system that can be more easily isolated or inspected during the shutdown periods, a passive system requires to be tested under its real physical conditions of utilization, and this can generate new specific implementation in the global architecture and safety problems.

• In addition, the question of whether it is an advantage or a disadvantage that passive systems do not allow operator intervention during its operation, should be investigated.

•Before comparing a passive and an active system on the same mission, it is necessary to make sure that the passive system design is optimised in terms of performance. Methods have to be developed to ensure the optimisation.

•Technical-economical evaluations of the systems must be carried out to provide information that is essential for the comparison between passive and active systems.


A LIST OF REFERENCES RELATED TO THIS TOPIC

Note : all deliverables of the RMPS project are available on www.rmps.info

•OECD, 2002. Passive system reliability. A challenge to reliability engineering and licensing of advanced nuclear power plants. In Proceedings of an International Workshop, OECD/NEA/ CSNI/R(2002)10, Cadarache, France, 4–6 March.

•L. Burgazzi, “Evaluation of Uncertainties Related to Passive Systems Performance,” Nucl. Eng. Design, 230, 93 (2004)

•B. Papin. Principle of an operational complexity index for the characterization of the human factor relevance of future reactors concepts. Proceedings of EHPGM’2004, Sandefjord (2004).

•M. Marquès et al. Methodology for the reliability evaluation of a passive system and its integration into a Probabilistic Safety Assessment. Nuclear Engineering and Design 235 (2005) 2612–2631

•C. Kirchsteiger. A new approach to quantitative assessment of reliability of passive systems. Safety Science 43 (2005) 771 –777

•L.P. Pagani et al. The impact of uncertainties on the performance of passive systems. Nuclear Technology. Vol. 149 (2005)

•IAEA-TECDOC-1474. Natural circulation in water cooled nuclear power plants phenomena, models, and methodology for system reliability assessments. November 2005

“ reliability of passive systems that utilize natural circulation ” m. marquès

Documents