pra methodology overview - mit opencourseware · trend general transients 1998 – 2004 2120...

Department of Nuclear Science and Engineering 1

PRA Methodology Overview

22.39 Elements of Reactor Design, Operations, and Safety

Lecture 9

Fall 2006

George E. ApostolakisMassachusetts Institute of Technology


PRA Synopsis

Figure removed due to copyright restrictions.Futron Corp., International Space Station PRA, Dec. 2000


NPP End States

• Various states of degradation of the reactor core.• Release of radioactivity from the containment.• Individual risk.• Numbers of early and latent deaths.• Number of injuries.• Land contamination.


The Master Logic Diagram (MLD)

• Developed to identify Initiating Events in a PRA.

• Hierarchical depiction of ways in which system perturbations can occur.

• Good check for completeness.


MLD Development

• Begin with a top event that is an end state.

• The top levels are typically functional.

• Develop into lower levels of subsystem and component failures.

• Stop when every level below the stopping level has the same consequence as the level above it.


Nuclear Power Plant MLD

InsufficientReactivityControl

InsufficientCore-heatRemoval

InsufficientRCS Inventory

Control

InsufficientRCS Pressure

Control

InsufficientRCS HeatRemoval

InsufficientIsolation

InsufficientCombustibleGas Control

InsufficientPressure &

TemperatureControl

ExcessiveOffsite

Release

ExcessiveCore Damage

ConditionalContainment

Failure

ExcessiveRelease of

Core Material

ExcessiveRelease of

Non-Core Material

RCS pressureBoundary

Failure


NPP: Initiating Events

• Transients– Loss of offsite power– Turbine trip– Others

• Loss-of-coolant accidents (LOCAs)– Small LOCA– Medium LOCA– Large LOCA

Department of Nuclear Science and Engineering

ILLUSTRATION EVENT TREE: Station Blackout Sequences

LOSP DGsSeal

LOCA EFW EP Rec. Cont.END

STATE

0.07 per yr 0.993 success0.007 0 success

successcore meltcore melt w/ release

1 0.95 0.99 success0.01 core melt 4.70E-06

core melt w/ release0.05 0.94 success

0.06 core melt 1.50E-06core melt w/ release

From: K. Kiper, MIT Lecture, 2006 Courtesy of K. Kiper. Used with permission.


LOSP DistributionEpistemic Uncertainties5th 0.005/yr (200 yr)Median 0.040/yr (25 yr)Mean 0.070/yr (14 yr)95th 0.200/yr ( 5 yr)



Offsite Power Recovery Curves

0

0 .1

0 .2

0 .3

0 .4

0 .5

0 .6

0 .7

0 .8

0 .9

1

0 2 4 6 8 10 12 14 16 18 20 22 24

T im e A fte r P o w e r F a i lu re (H r)

Cum

ulat

ive

Non

-Rec

over

y of

Pow

er F

requ

ency

90 th P erc en t ile50 th P erc en t ile10 th P erc en t ile



STATION BLACKOUT EVENT TREE

Courtesy of U.S. NRC.


NPP: Loss-of-offsite-power event tree

LOOP Secondary Bleed Recirc. CoreHeat Removal & Feed

OK

OK

PDSi

PDSj


Human Performance

• The operators must decide to perform feed & bleed.

• Water is “fed” into the reactor vessel by the high-pressure system and is “bled” out through relief valves into the containment. Very costly to clean up.

• Must be initiated within about 30 minutes of losing secondary cooling (a thermal-hydraulic calculation).


J. Rasmussen’s Categories of Behavior

• Skill-based behavior: Performance during acts that, after a statement of intention, take place without conscious control as smooth, automated, and highly integrated patterns of behavior.

• Rule-based behavior: Performance is consciously controlled by a stored rule or procedure.

• Knowledge-based behavior: Performance during unfamiliar situations for which no rules for control are available.


Reason’s Categories

Unsafe acts– Unintended action

• Slip• Lapse• Mistake

– Intended violation


Latent conditions

• Weaknesses that exist within a system that create contexts for human error beyond the scope of individual psychology.

• They have been found to be significant contributors to incidents.

• Incidents are usually a combination of hardware failures and human errors (latent and active).


Reason’s model

Fallible

Decisions

Line

Management

Deficiencies

Psychological

Precursors

Unsafe

Acts

J. Reason, Human Error, Cambridge University Press, 1990


Pre-IE (“routine”) actions

Median EFErrors of commission 3x10-3 3

Errors of omission 10-3 5

A.D. Swain and H.E. Guttmann, Handbook of Human Reliability Analysis with Emphasis on Nuclear Power Plant Applications, Report NUREG/CR-1278, US Nuclear Regulatory Commission, 1983.


Post-IE errors

• Models still being developed.

• Typically, they include detailed task analyses, identification of performance shaping factors (PSFs), and the subjective assessment of probabilities.

• PSFs: System design, facility culture, organizational factors, stress level, others.


Performance Shaping Factors

ErrorMechanisms

Unsafe Actions

Human Failure Events

Plant Design,Operations

andMaintenance

RiskManagement

Decisions

Plant Conditions

ScenarioDefinition

Human Error PRALogic

Models

Error-Forcing Context

The ATHEANA Framework

NUREG/CR-6350, May 1996.


Risk Models

DDCCBBAAIE2 # END-STATE-NAMES

1 OK

2 T => 4 TRAN1

3 LOV

4 T => 5 TRAN2

5 LOC

6 LOV

AA

A1 A2

BB

B-GATE1

B-GATE3

EVENT-B1 EVENT-B2 EVENT-B3

B-GATE4

EVENT-B4 EVENT-B5

B-GATE2

B-GATE5

EVENT-B6 EVENT-B7 EVENT-B8 EVENT-B9

B-GATE7

EVENT-B10 EVENT-B11

B-GATE6


FEED & BLEED COOLING DURING LOOP 1-OF-3 SI TRAINS AND 2-OF-2 PORVS FOR SUCCESS



HIGH PRESSURE INJECTION DURING LOOP 1-0F-3 TRAINS FOR SUCCESS



Cut sets and minimal cut sets

• CUT SET: Any set of events (failures of components and human actions) that cause system failure.

• MINIMAL CUT SET: A cut set that does not contain another cut set as a subset.


Important Note: Xk = X, k: 1, 2, …

Indicator Variables

1 , I f E j i s T

0 , I f E j i s F

X j =

S

EVenn Diagram___E


XT = φ(X1, X2,…Xn) ≡ φ(X)

φ(X) is the structure or switching function.

It maps an n-dimensional vector of 0s and 1s onto 0 or 1.

Disjunctive Normal Form:

CN

i

N

iT MM )(X11

11 ≡−−= ∏

∏−∑ ∑∑=

+−

= +==

++−=N

ii

NN

i

N

ijji

N

iiT MMMMX

1

11

1 11)1(...

Sum-of-Products Form:


Dependent Failures: An Example

Component B1

Component B2

B1 and B2 are identicalredundant components

P(fail) = P(XA) + P(XB1 XB2 ) –P(XA XB1 XB2 )

Failure Probability

XS = 1 – (1 – XA)(1 – XB1XB2) = = XA + XB1 XB2 - XA XB1 XB2

System Logic

MCS: M1 = {XA} M2 = {XB1, XB2}


Example (cont’d)

• In general, we cannot assume independent failures of B1 and B2. This means that

P(XB1 XB2 ) ≥ P(XB1) P(XB2 )

• How do we evaluate these dependencies?


Dependencies

• Some dependencies are modeled explicitly, e.g., fires, missiles, earthquakes.

• After the explicit modeling, there is a class of causes of failure that are treated as a group. They are called common-cause failures.

Special Issue on Dependent Failure Analysis, Reliability Engineering andSystem Safety, vol. 34, no. 3, 1991.


The Beta-Factor Model

• The -factor model assumes that common-cause events always involve failure of all components of a common cause component group

• It further assumes that

total

CCF

λλ

=β

β


Generic Beta Factors

00.020.040.060.080.1

0.120.140.160.180.2

GEN

ERIC

BET

A F

AC

TOR

(M

EAN

VA

LUE)

REACTOR TRIP B

RAKERS

DISSEL G

ENERATORS

MOTOR VALVES

PWR S

AFETY/RELIE

F PUMPS

BWR S

AFETY/RELIE

F VALVES

RHR PUMPS

SI PUMPS

CONT SPRAY PUMPS

AFW PUMPS

SW/C

CW P

UMPS

Average


Data Analysis

• The process of collecting and analyzing information in order to estimate the parameters of the epistemic PRA models.

• Typical quantities of interest are: • Initiating Event Frequencies• Component Failure Frequencies • Component Test and Maintenance Unavailability • Common-Cause Failure Probabilities• Human Error Rates


General Formulation

XT = φ(X1,…Xn) ≡ φ(X)

CN

1i

N

1iT M)M1(1X ≡∏ −−=

∏−∑∑∑=

+−

= +==

++−=N

ii

NN

i

N

ijji

N

iiT MMMMX

1

11

1 11)1(...

XT : the TOP event indicator variable (e.g., core melt, system failure)

Mi : the ith minimal cut set (for systems) or accident sequence (for core melt, containment failure, et al)


TOP-event Probability

( ) ( ) ( )∑ ∏ ⎟⎠⎞

⎜⎝⎛−++= +N

1

N

1i

1NiT MP1MPXP K

( ) ( )∑≅N

1iT MPXP

)X...X(P)M(P im

iki =

Rare-event approximation

The question is how to calculate the probability of Mi


RISK-SIGNIFICANT INITIATING EVENTSRisk-Significant Initiating Event Period Number of

EventsMean

Frequency Trend

General Transients 1998 – 2004 2120 7.57E-1

BWR General Transients 1997 – 2004 699 8.56E-1

PWR General Transients 1998 – 2004 1421 7.10E-1

Loss of Feedwater 1993 – 2004 188 9.32E-2

Loss of Heat Sink 1995 – 2004 259 1.24E-1

BWR Loss of Heat Sink 1996 – 2004 154 1.88E-1

PWR Loss of Heat Sink 1991 – 2004 105 9.23E-2

Loss of Instrument Air (BWR) 1994 – 2004 19 7.60E-3

Stuck Open SRV (BWR) 1993 – 2004 14 2.07E-2

Stuck Open SRV (PWR) 1988 – 2004 2 2.30E-3

Loss of Instrument Air (PWR) 1990 – 2004 17 1.19E-2

Loss of Vital AC Bus 1988 – 2004 43 2.98E-2

Loss of Vital DC Bus 1988 – 2004 3 2.35E-3

Steam Generator Tube Rupture 1988 – 2004 3 3.48E-3

Very Small LOCA 1988 – 2004 5 3.92E-3

P. Baranowsky, RIODM Lecture, MIT, 2006 Courtesy of P. Baranowsky. Used with permission.


INITIATING EVENT TRENDSPWR General Transients BWR General Transients

PWR Loss of Heat Sink BWR Loss of Heat Sink

1988 1990 1992 1994 1996 1998 2000 2002 2004Year

0.0

0.2

0.4

0.6

0.8

1.0

1.2BWR loss of heat sink, and 90% intervalsMaximum likelihood estimate (n/T) (baseline period)90% interval (prediction limits)Fitted line

Eve

nts

/ rea

ctor

crit

ical

yea

r

Log model p-value <= 0.00005 BLPL Nov. 1, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Year

0

1

2

3

4

5BWR general transients, and 90% intervalsMaximum likelihood estimate (n/T) (baseline period)90% interval (prediction limits)Fitted line

Eve

nts

/ rea

ctor

crit

ical

yea

r

Log model p-value <= 0.00005 BQPL Nov. 1, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Year

0.0

0.1

0.2

0.3

0.4

0.5PWR loss of heat sink, and 90% intervalsMaximum likelihood estimate (n/T) (baseline period)90% interval (prediction limits)Fitted line

Eve

nts

/ rea

ctor

crit

ical

yea

r

Log model p-value = 0.020 PLPL Nov. 9, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Year

0

1

2

3

4

5PWR general transients, and 90% intervalsMaximum likelihood estimate (n/T) (baseline period)90% interval (prediction limits)Fitted line

Eve

nts

/ rea

ctor

crit

ical

yea

r

Log model p-value <= 0.00005 PQPL Nov. 1, 2005



INITIATING EVENTS INSIGHTS

• Most initiating events have decreased in frequency over past 10 years.

• Combined initiating event frequencies are 4 to 5 times lower than values used in NUREG-1150 and IPEs.

• General transients constitute majority of initiating events; more severe challenges to plant safety systems are about one-quarter of events.



ANNUAL LOOP FREQUENCY TREND

0.00

0.05

0.10

0.15

0.20

0.25

1986

1987

1988

1989

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004O

ccur

renc

e Ra

te

(per

reac

tor

criti

cal y

ear)

Yearly 86-96 Trend 86-96 Upper Bound 86-96 Low er Bound

97-02 Trend 97-02 Upper Bound 97-02 Low er Bound


Department of Nuclear Science and Engineering39

ANNUAL LOOP DURATION TREND

0.01

0.10

1.00

10.00

100.00

1000.00

1985

1986

1987

1988

1989

1990

1991

1992

1993

1994

1995

1996

1997

1998

1999

2000

2001

2002

2003

2004Du

ratio

n (h

rs.)

Trend 1986-96 5% Low er Bound 95% Upper BoundObserved w ith Bounds Trend 1997-2003 5% Low erBound95% Upper Bound

P. Baranowsky, RIODM Lecture, MIT, 2006Courtesy of P. Baranowsky. Used with permission.


LOOP FREQUENCY INSIGHTS

• Overall LOOP frequency during critical operation has decreased over the years (from 0.12/ry to 0.036/ry)

• Average LOOP duration has increased over the years:– Statistically significant increasing trend for

1986–1996– Essentially constant over 1997–2004

• 24 LOOP events between 1997 and 2004; 19 during the “summer” period

• No grid-related LOOP events between 1997 and 2002; 13 in 2003 and 2004

• Decrease in plant-centered and switchyard-centered LOOP events; grid events are starting to dominate


Department of Nuclear Science and Engineering41

SYSTEM RELIABILITY STUDY RESULTS

STUDY MEAN UNRELIABILITY

UNPLANNEDDEMANDTREND

FAILURE RATE TREND

UNRELIABILITY TREND

AFW (1987–2004)

5.19E-4

EDG(1997–2004)

2.18E-2 N/A N/A

HPCI (1987–2004)

6.25E-2

HPCS (1987–2004)

9.48E-2

HPI (1987–2004)

1.09E-3

IC (1987–2004)

2.77E-2

RCIC (1987–2004)

5.18E-2

P. Baranowsky, RIODM Lecture, MIT, 2006Courtesy of P. Baranowsky. Used with permission.


PWR SYSTEM RELIABILITY STUDIESEDG Unavailability (FTS) AFW Unavailability (FTS)

HPI Unreliability (8 hr mission) AFW Unreliability (8 hr mission)

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.0000

0.0002

0.0004

0.0006

0.0008

0.0010

0.0012

0.0014

AFW

una

vaila

bilit

y (F

TS m

odel

)

AFW unavailability (FTS model) and 90% intervalsFitted model90% confidence band

Log model p-value = 0.44 U0L Aug. 30, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.0000

0.0008

0.0016

0.0024

0.0032

0.0040

AFW

8-h

our u

nrel

iabi

lity

AFW 8-hour unreliability and 90% intervalsFitted model90% confidence band

Log model p-value = 0.23 U8L Oct. 11, 2005

1997 1998 1999 2000 2001 2002 2003 2004Fiscal Year

0.000

0.005

0.010

0.015

0.020

0.025

0.030

ED

G u

nava

ilabi

lity

(no

reco

v.) (

FTS

mod

el)

EDG unavailability (no recov.) (FTS model) and 90% intervalsFitted model90% confidence band

Log model p-value = 0.00062 U0nrL Aug. 31, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.000

0.001

0.002

0.003

0.004

0.005

0.006

0.007

HP

I 8-h

our u

nrel

iabi

lity

(CN

)

HPI 8-hour unreliability (CN) and 90% intervalsFitted model90% confidence band

Log model p-value = 0.029 U8L Jan. 31, 2006



PWR SYSTEM INSIGHTS

• EDG– EDG start reliability much improved over past 10 years.– Failure-to-run rates lower than in most PRAs.

• AFW– Industry average reliability consistent with or better than Station

Blackout and ATWS rulemaking.– Wide variation in plant specific AFW reliability primarily due to

configuration.– Failure of suction source identified as a contributor (not directly

modeled in some PRAs).• HPI

– Wide variation in plant specific HPI reliability due to configuration.– Various pump failures are the dominant failure contributor.



HPCS Unreliability (8 hr mission) RCIC Unreliability (8 hr mission)

HPCI Unreliability (8 hr mission) RCIC Unavailability (FTS)

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.00

0.02

0.04

0.06

0.08

RC

IC u

nava

ilabi

lity

(FTS

mod

el)

RCIC unavailability (FTS model) and 90% intervalsFitted model90% confidence band

Log model p-value = 0.11 U0L Sept. 1, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.00

0.05

0.10

0.15

0.20

0.25

RC

IC 8

-hou

r unr

elia

bilit

y

RCIC 8-hour unreliability and 90% intervalsFitted model90% confidence band


1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.00

0.04

0.08

0.12

0.16

0.20

0.24

0.28

0.32

HP

CS

8-h

our u

nrel

iabi

lity

HPCS 8-hour unreliability and 90% intervalsFitted model90% confidence band

p-value = 0.41 U8 Oct. 11, 2005

1988 1990 1992 1994 1996 1998 2000 2002 2004Fiscal Year

0.00

0.05

0.10

0.15

0.20

0.25

0.30

0.35

0.40

HPC

I 8-h

our u

nrel

iabi

lity

HPCI 8-hour unreliability and 90% intervalsFitted model90% confidence band


BWR SYSTEM RELIABILITY STUDIES



• HPCI– Industry-wide unreliability shows a statistically significant

decreasing trend.– Dominant Failure: failure of the injection valve to reopen during

level cycling.

• HPCS– Industry average unreliability indicates a constant trend.– Dominant Failure: failure of the injection valve to open during

initial injection.

• RCIC– Industry average unreliability indicates a constant trend.– Dominant Failure: failure of the injection valve to reopen during

level cycling.

BWR SYSTEM INSIGHTS



• Criteria for a CCF Event:– Two or more components fail or are degraded at the same plant

and in the same system.– Component failures occur within a selected period of time such

that success of the PRA mission would be uncertain.– Component failures result from a single shared cause and are

linked by a coupling mechanism such that other components in thegroup are susceptible to the same cause and failure mode.

– Equipment failures are not caused by the failure of equipment outside the established component boundary.

COMMON-CAUSE FAILURE (CCF) EVENTS



CCF OCCURRENCE RATE

0.00

0.05

0.10

0.15

0.20

0.25

0.30

0.35

0.40

1980 1985 1990 1995 2000 2005

Fiscal Year

Occ

urre

nce

Rat

e

Yearly Rate Long-term Trend Short-term Trend 95% Bound 5% Bound



ADDITIONAL CCF GRAPHS

Coupling Factors - Complete CCF Events

Environment14.2%

Operations13.7%

Maintenance28.8%

Hardware43.4%

P. Baranowsky, RIODM Lecture, MIT, 2006

Courtesy of P. Baranowsky. Used with permission.

pra methodology overview - mit opencourseware · trend general transients 1998 – 2004 2120...

Documents