the radioactivity release risk of a plutonium laboratory in case of an internal fire
TRANSCRIPT
Reliability Engineering 8 (1984) 63-73
The Radioactivity Release Risk of a Plutonium Laboratory in Case of an Internal Firet
K. Lieber and T. Nicolescu
Swiss Federal Institute for Reactor Research, 5303 Wiirenlingen, Switzerland
(Received: 10 May, 1983)
A BS TRA CT
Within the framework of a study concerning the hazard potential of a nuclear research facility, the plutonium laboratories were investigated by using probabilistic risk assessment methods.
For the initiating event: 'Fire outside the working hours in the plutonium laboratories', the accident sequences have been determined by construction of the relevant event tree. The frequencies of the accident sequences with the consequence of plutonium release were calculated by using fault trees and the component failure data. The results show that the release of even small amounts of plutonium has a low probability.
1 I N T R O D U C T I O N
Risk is generally defined as the product of the probabil i ty of the occurrence of an abnormal event and the consequence of this abnormal event. Fo r the plutonium laboratories we can define the two factors as:
1. 'Abnormal event': initiating event and failure of all safety systems and barriers that prevent the release of plutonium. Its probability is calculated by using PRA methods. 1,2
t A version of this paper was presented at the Fourth Euredata Conference, 23-25 March, 1983, Venice, Italy and is reproduced by kind permission of the organisers.
63 Reliability Engineering 0143-8174/84/$03.00 © Elsevier Applied Science Publishers Ltd, England, 1984. Printed in Great Britain
64 K. Lieher. T. Ni('olescu
. 'Consequence': release of an amount (release fraction) of the plutonium inventory, in the form of aerosols, to the environment. This factor has been taken from literature values that were based on experiment.
In this paper we focus our investigation on the internal initiating event 'Fire in the plutonium laboratories out of working hours', in order to demonstrate the effectiveness of the fire protection system.
2 FIRE PROTECTION SYSTEM
The principal scheme of the fire protection system of the plutonium laboratories is given in Fig. 1.
Proper construction of the scheme required intensive study of drawings and questioning the laboratory personnel. It proved to be useful to divide the whole system into the following subsystems:
1. Fire detection--subsystem C 2. CO 2 fire extinction--subsystem L 3. Fire brigade--subsystem F 4. Fire protection valves--subsystem K 5. Electric power supply--subsystem S
It was essential to record the assumptions which were made for the safety-related models of the subsystems. They depend on the initiating event and are as follows:
1. The fire detection subsystem outside working hours is in the automatic operating mode.
2. If one out of three fire detectors of one line (21 or 22) gives a signal, the fire alarm is transmitted to the Porter's office, to the command room of KWZ (heating and electric power) and to a fire control panel in the building containing the plutonium laboratories.
3. In the case of a fire alarm, one of the two men in the command room (KWZ) inspects the laboratory building and informs the Porter's office by radio telephone whether the fire brigade should be alerted. If there is no communication with the Porter's office within 4 min of the fire alarm, the Porter himself alerts the fire brigade.
Radioactivity release risk 65
[
Z
I,Fr • , , , , ,
i ~lOll I
7,, , ~ l I~,-I.-L~.,. • - - ~ / | 81 . . . . . .
• - - ~ d i i ~ I ',~" " - ' - -
J l lJl ~ '=1 b~tl I . . . . . . . .
l f l - - -
j~i U
. . . . . f . . . .
J
0
¢}
0
1:= o
o
E
c~
0
o
c,~
,m I,q
66
4.
5.
.
7.
.
K. Lieher, T. Nit'olescu
At least three men with protective suits are necessary for fire- fighting. If one of the three detectors of the other group gives a signal, an additional fire alarm is transmitted to the three places mentioned above, the fire protection valves are closed (BK~, BK2, BK3, RK) and the CO 2 fire extinction subsystem is activated. If the C 0 2 fire extinction subsystem is not activated automatically, the fire brigade can use other fire extinction material. If the fire is not extinguished by the CO2 fire extinction subsystem, the fire may damage the glove boxes and their ventilation piping until the fire brigade intervenes. In this case, a filtered release via the stack occurs. If the fire brigade also fails to extinguish the fire, a release via opening-up of the building (damage of windows due to fire expansion) will occur.
3 CONSTRUCTION OF THE EVENT TREE
With the help of the five above-mentioned subsystems and of the logical block diagram (Fig. 2), which shows the connections between these subsystems, the event tree was constructed (Fig. 3).
Fi re
[xtlnction I
- Subsyst~ L "I
F+r, VJ_,IF'- +onl - Subsyst~ C - ~ -- l" Subsyst~ K -
I
I Electric P~r
- Subsyst~ S -
Brigade
- Subsyst~ F -
Fire Extinction
Fig. 2. Logical block diagram of the fire protection system for the plutonium laboratories.
Init
iati
ng
E
vent
B
Fir
e in
the
P
luto
nium
La
bora
tori
es
~B.1
.10 "
3 l/y
ear
Fig.
3.
Sub
syst
ems
of t
he F
ire
Pro
tect
ion
Sys
tem
Ele
ctrt
c F
tre
CO 2
Ftr
e F
tre
Ftr
e P
ow
er
Oet
ectio
n E
xtin
ctio
n P
rote
ctio
n B
rtgad
e V
alve
s
C
L K
Suc
cess
Suc
cess
Fat
lure
PC
.1,4
S.IO
~2
Fst1
ure
Ps.
1,61
.10
"4
Suc
cess
Suc
cess
PK
'7, 3
5"10
"21
Fai
lure
PL.
8.32
.10
"2
Suc
cess
Fat
lure
PF.
3,11
.10
"3
Suc
cess
I F
atlu
re
PF.3,
11.10
"3
Acc
tden
t
Seq
uenc
e I Fr
eque
ncy
El/y
ear]
B
| ,0
0.10
-3
BK
7,3S
.10
"S
BKF
2.29
-10
-7
BL
8.32
-10
°S
BLF
2,59
.10
.7
BC
1.45
.10
"S
BS
1,61
.10
-7
Con
sequ
ence
s
P1u
tont
un R
elH
se
vtJ
StA
ck
But
ld|n
g (F
tltA
r)
no
no
yes*
no
yes
yes
yes*
no
yes
yes
yes
yes
no**
.y
es
Eve
nt t
ree
and
cons
eque
nces
for
the
ini
tiat
ing
even
t: '
Fir
e in
the
plu
toni
um l
abor
ator
ies
outs
ide
wor
king
ho
urs'
. *,
Tem
pora
ry r
elea
se;
**,
stac
k ve
ntil
ator
doe
s no
t w
ork.
e~
~.
68 K. Lieber, 7". Nicolescu
From the event tree one can extract the following important information:
1. If the electric power supply fails, no fire extinction is possible due to lack of information about the fire. This means that all the other subsystems have no further influence (accident sequence BS).
2. If the fire detection subsystem fails, the CO2 fire extinction subsystem and the fire protection valve subsystem are not activated and the fire alarm is not given to the fire brigade subsystem (accident sequence BC).
3. If the fire protection valve subsystem and the CO2 fire extinction subsystem fail, respectively, it is of great importance whether or not the fire brigade subsystem fails (accident sequences BK/BKF, BL/BLF, respectively).
4 ACCIDENT SEQUENCES WITH CONSEQUENT PLUTONIUM RELEASE
In order to assess the risk, i.e. in our study the release of plutonium to the environment in case of an internal fire, we have to look for the relevant accident sequences which are specified in the event tree. These accident sequences can cause plutonium release in two modes (Fig. 3):
1. Release of plutonium aerosols due to opening-up of the building (damage of windows) by fire expansion.
2. Filtered release of the plutonium via the stack when the glove box exhaust system is opened.
In the following section these two modes of accident sequence are discussed separately.
4.1 Release of plutonium via opening-up of the building
Opening-up of the building is possible when the fire is not extinguished and it expands to other rooms with windows. There are four possible cases:
1.
.
The fire is not detected by the fire detection subsystem (accident sequence BC). The electric power supply subsystem (including emergency supply) fails (accident sequence BS).
Radioactivity release risk 69
3. The CO2 fire extinction and the fire brigade subsystems fail (accident sequence BLF).
4. The fire protection valve subsystem fails to close (the necessary CO 2 concentration is not reached) and the fire brigade subsystem fails (accident sequence BKF).
4.2 Filtered release of plutonium via the stack
A filtered release via the stack is possible when the fire brigade extinguishes the fire with a time delay of 20 min. It is assumed that within
CO2-Release
) I I
Monitor Alarm
Devices
I
Field18 I
Manual I Time Switch
Test Switch (Manual)
Line 21 Line 22
Fire Detectors
Fig. 4. Block diagram of the fire detection subsystem. Functioning conditions: No signal on line: , generally; , in case of automatic operation. FP
Valves = Fire Protection Valves.
r FI
OF E
OFC
TIO
q ~l
~r~T
~rW
I N0
sl~m. TO Fl~
FIOF
EI"~CTIOll ~
ET
(C.
(~W
TRR
L
FIO
F ET
ECTO
P~
~qlt
,.u~
E
T~
FT
E E
TLrC
TIO
N
NO
FlaTly4
SIIISTS;I~
~Ur ILLI~
NO
slm
TO FIE
ET
EC
TIO
N C
~T
~t
LIT-IT S
3.'J
NO $
1GI~
I. vo
I
LIX
-SE
T 53
,3
flllil
!qog
lkl.l
l~q
p
....
....
- II
....
....
t.lX
-:~,
r s~
.3
F -~"
'~1~
.0 5
11ql
INV
Om
- FR
ILS
GI~ ~
$1
M
~lof
ET
~CrO
~
I
1 ......... I ......... i
.........
CF I.|IE 21
0 ~ l.lI([ Zl
OF LIN
E ;~
1 FR
IL$
IN~O
FNO
~NTL
Y
FRIL
5 II~
F..F
l[IF.
.~N
TL~
FRII.
S I
~II
~IT
~.~
Fig.
5(a
).
1 ~0 S
lil~
TO
FIE
E
IIC
TI0
1I
Fil
l
/X
#T ~"
Fll ~
TORS
Fll E
'TEC~
OF
BOTH
LIk
eS
rolL
~
©-
©.
I FIE E
TEC
TO~
of n
l L
IN~ ~
FA
IL I
Ik~P
I~O
~TLY
[ vie E
TICTE I
~IE E
TI~
2 [ 1
FIOF
E~CT~
~ ]
....
....
..
II
....
. I
FA;L
S ]
NI]~
P~F
.NTL
T FR
|L3
I~
Ly
FA
ILS
]N
O[P
I~N
TLI
Fau
lt t
ree
of t
he d
etec
tion
sub
syst
em a
nd t
he s
ubtr
ee 1
02.
I vl
oF ~
TOFC
. ~Q
m~T
.
~,E
@,,,
<
),
I I
AU
mnM
IC G
~e
~T
I~
~.E
~T~I
CX
C CQ
~TAC
T N
O I
IWlC
Tro
t
I I
~IT
O4
1E
N
Eq
YO
41
N; ~
1 ] Fl
llI.S
I,v
I~
..J
I I
IIl~
c(?l
C~e
t OF
LII~.
21
!IA IL
3 Il
llr~
lllf
~.y
(._)2
I
OF
~ LI
ME
21
(n_)
"
I F1
11~ ~
rF.C
Tm 2
I I
FI
ME
OLI
ll~TO
~ $
OF~
'ME~
' I!
......
IF
AIL
S IZ
lflI~
IIIIT
ffLy
FALL
S II
I~Ii
I~T
©,
©.
I
I N O t:
Olll
l(9
$1~m
l. TO
FIM
E O
IT~
lm
~'W
TML
mO
l~
Mil
l L I
ME-
~
m S
16m
L TO
LI
X~F~
ItS3,
S
JFll
ME
Re,
CSC
gm.
/~,
~r~
l" I
I
....
...
II ...
...
II I
m~r
~T
n
FrilL
S S
lOl~
F~
LI
X 9
~ <
>'
I I
I I
FIR
E ~
FIR
E D
ETE
[MS
'
LIX
9 ~
SI
C..'
~.
I O
F TM
I LIM
E 22
FAIL
I~
O
F -T
I~T
M41
TI~ 1
~1
LI
X 9
Ol~
FA
IL I
ME
~¥
0
01
~
I~
FMIL
LMIS
-4
~
TIM
E MdI
?CK
/ A
JdRO
I4G Sl
GM
L
I I
B.I
~P
IC~
$10
~qL
IN ~
tq
o0~
J
I TH
E II
.~TM
ICM
L I
~ TI
I~I l
ldlT
04
©,,,
<>
,, I
im
$10m
L Lm
P F
OR
N"
....
. I .
..
..
..
<>
" (D
" Su
btre
e 10
8--t
ire
dete
ctio
n su
bsys
tem
.
1M
~ 8
FIR
E ~
I F
I~ O
ETEC
TOR 2
FI
RE
OUR
CTO
R 3
~F L
IIE 2
2 O
F L
II!
22
gl r
LIM
E
©,
©.
~,
Fig.
5(b
).
72 K. Lieber, T. Nicolescu
this time, due to fire extension, the glove boxes and the piping of their exhaust system are damaged.
There are two possible cases:
1. The fire is not extinguished by the CO 2 fire extinction subsystem because of not closing the fire protection valves. It is extinguished by the fire brigade with c. 20 min delay (accident sequence BK).
2. The fire is not extinguished because of the CO2 fire extinction subsystem failure. It is extinguished by the fire brigade with c. 20 min delay (accident sequence BL).
5 DATA PROBLEMS
In order to calculate the frequencies of these two accident sequence modes with consequent plutonium release, the failure probabilities of the subsystems (Fig. 3) are needed.
The failure probability of the detection subsystem plays a dominant role in the event tree because the frequency of the accident sequence BC (failure of the fire detection subsystem) has a 96 ~o contribution to the total frequency of all accident sequences with plutonium release via the building. Figure 4 shows the block diagram containing the components of the fire detection subsystem and, with the help of the corresponding fault tree (Figs. 5(a) and 5(b)), the following relevant minimum cut set was found:
Minimum cut set Component Failure probability
1 Fire detection central 1.45 x 10-2
This means that the failure probability of the fire detection central is dominant for the total subsystem which belongs to the most important accident sequence.
The search for failure data for the fire detection central shows that failure statistics were only available for all failure modes. From experience we know that the fire detection subsystem fails more often in the 'good' (for our use) direction by 'detecting' a fire although there is no fire (spurious signal). We therefore reduced the failure rate of the fire detection central by a factor of five. A more significant reducing factor could not be justified because of the failure experience with comparable electronic equipment, e.g. failure rates for electronic control units. 3
Radioactivity release risk 73
6 RESULTS
For the fire scenario which includes opening of the building, we calculated the total frequency of the accident sequence to be 1.51 x 10-5/year. The plutonium release fraction taken from UCRL-527864 is 1.15 x 10 -2 Ci and therefore we found for this case the radioactivity release risk to be 1.7 x 10- 7 Ci/year.
For the fire scenario which includes filtered release via the stack, the resulting frequency was 1.56 x 10-4/year, and for a plutonium release fraction of 1.14 x 10-6Ci a radioactivity release risk for this accident sequence mode of 1.80 x 10- l°Ci /year results.
REFERENCES
1. PRA Procedures Guide NUREG/CR-2300, Office of Nuclear Regulatory Research, US NRC, April 1982.
2. Gesellschaft fiir Reaktorsicherheit, Deutsche Risikostudie, Verlag TUV Rheinland, 1980.
3..H6mke, P. and Krause, H. Der Modellfall IRS-RWE zur Ermittlung yon Zuoerliissigkeitskenngri~ssen im praktischen Betrieb, IRS-W- 16, 1975.
4. Tokarz, F. J. and Shaw, G. Seismic safety of LLL plutonium facility (Building 332), UCRL-52786, 1980.