Presentation on theme: "Epistemic Aleatory Despite over 50 years of nuclear plant operation, not all phenomenological processes to which a nuclear plant may be exposed are rigorously."— Presentation transcript:
Epistemic Aleatory Despite over 50 years of nuclear plant operation, not all phenomenological processes to which a nuclear plant may be exposed are rigorously understood. Risk-related questions linger with regard to: (1) the likelihood of boric acid precipitation following a Large Break loss-of-coolant accident (LOCA), (2) the likelihood and impact of debris accumulation at the ECCS sump as at least a function of break size, (3) steam generator tube flaw growth, (4) reactor coolant pump seal performance under degraded conditions, (5) performance of pressure relief mechanisms following anticipated transients without scram and (6) issues associated with pressurized thermal shock. Nevertheless, a skilled PRA analyst is able to characterize relative risks of various design features and operating practices at the plant. Accurate risk insights (used to advocate an operating practice like increasing technical specification allowed outage times) must be based on a full understanding of the contributors to the PRA results and the impacts of the uncertainties. Epistemic uncertainty is the consequence of adding or removing features from the model. Modeling simplifications introduce biases and epistemic uncertainty into PRA calculations. But, even the most artful modeling will not eliminate all model uncertainty as increased model detail often relies on less precisely understood failure-modes. Raymond Schneider, Westinghouse; Steven Farkas, Hudson Global Resources
Breaks can occur at any location around the typical RCS. While this is an obvious statement, many analyses used for setting success criteria are based on the limiting break location, i.e., at the bottom of the cold leg. Large breaks can occur at Hot Leg Cold Leg Crossover Leg (SG to RCP) ECCS injection nozzles Surge Line Bolted Flanges Shutdown Cooling Suction RPV Head (Upper and Lower) Smaller breaks can also appear at RCP Seals Pressurizer spray lines Charging nozzles SG manway seals CRD Nozzle Penetrations Safety relief valve seats Drain lines RPV instrument nozzles; RCS thermo-wells, and welded attachments Pressurizer Heater sleeves The likelihood of breaks is a function of the pipe and weld properties and dimensions. Westinghouse main coolant loops are constructed from stainless steel pipe. Hot leg, cross-over leg, and cold leg pipe are similar in most respects in Westinghouse plants. CE PWRs employ stainless steel clad carbon steel main coolant loops. The CE two- loop design employs a single thick walled hot leg for each loop. As a result of the heavy walled hot leg pipe, hot leg LOCAs for CE PWRs are expected to be less likely than for similar (rated thermal power) sized WEC PWRs. Fort Calhoun Station has a unique design by having a CE design (configuration, dimensions) with an all stainless steel main coolant loop. Fractional Distribution of LBLOCA Failure Frequencies for RCS Piping W-3 Loop PWRW-4 Loop PWRCE PWR Surry 2Millstone 3Palisades Hot ‑ side Connected Piping 0.110.0090.02 Hot Leg Primary Piping0.060.10~0.001 Cold ‑ side Connected Piping 0.570.820.94 Cold Leg Primary Piping0.260.070.04 Preliminary Assessment of Expert Elicitation Frequency of Pipe Break vs. Pipe Size and Leakage (considers failure of attached pipe) (25 year average plant life)* Approximate Break Size Range (diameter, inches) Break Area RangeMean Frequency (per calendar year) AreaPRA LOCA Designation ½-2 <0.02 ft 2 VS to SBLOCA 6.2 E-03** 2 to 3 >0.02 to 0.05 ft 2 MBLOCA 2.3E-04 > 3 to 6.75 > 0.05 to 0.25 ft 2 MBLOCA 1.6E-05 > 6.75 to 14 > 0.25 to 1.07 ft 2 MBLOCA 2.3E-06 > 14 to 31.5 > 1.07 to 5.41 ft 2 LBLOCA 3.9E-08 > 31.5 > 5.41 ft 2 LBLOCA 2.3E-08
Highlights of LOCA PSA Sources of Uncertainty Model Feature/Assumption Sources of Uncertainty LOCA Frequency The appropriate set of LOCA frequencies to use in the PSA has fluctuated over time. An expert elicitation has been in progress to finally establish the range of LOCA frequencies. The expert elicitation does not consider difference of piping materials and thickness between CE and WEC designed units. Break Location From a deterministic viewpoint, the location of a break (particularly the smaller breaks), is significant as this parameter dictates the extent and rate of inventory loss, thus controlling the ability to refill the RCS. Uncertainty in break location (e.g., top versus bottom of piping) has significant potential risk impact as breaks in the upper portion of piping may allow long term RCS recirculation, while breaks at the bottom of the RCS piping may require using the emergency sump for long term heat removal. Break location considerations can also impact success criteria. Definition of Success Criteria Event success criteria are a function of several parameters including: Selection of the core decay heat model Deterministic break and two-phase modeling assumptions Assumptions associated with selection of the thermo-hydraulic model including the power profile Power profile selections are important because of the reliance of the acceptability on the Peak Cladding Temperature (PCT), which focuses the analysis on the worst fuel pin in the core. Typical power profiles with high peaks occur after xenon transients and represent only a small fraction of the core operating history (e.g., < 5%). There exists a 5% potential that combinations of initial conditions and plant parameters can result in the PCT potentially exceeding 2200 o F. Even under these extreme PCT conditions, there is still additional margin to the conditions needed to cause rapid zirconium-water oxidation. Therefore, the consequences of partial reduction in equipment performance may imply a small potential of localized fuel failure, but with low to modest radionuclide releases and not the more significant global core failures typically associated with “core damage” Selection of Mission Times In most instances selection of a 24-hour mission time conservatively biases-high component failure rates. AFW is only needed in MBLOCA and SBLOCA until the RCS is in shutdown cooling conditions (the typical end-state for a no-core-damage sequence). The AFW mission time will vary depending on how long the operators take to depressurize the RCS, particularly following MBLOCA and SBLOCA initiators. Using AFW to cool the RCS at 50oF/hour to shutdown cooling conditions implies a mission time on the order of four hours. In cases where RHR is not available, extended AFW operation is likely. The LOCA event progresses through several stages. Each stage has one or more sets of successful SSC sets and associated operating durations. Time to RAS varies based on plant design. For these small breaks, the time to RAS is primarily determined by the time spray(s) actuate(s). Sprays actuate for small breaks for all PWRs when fan coolers are unavailable. Many CE PWRs and ice-condenser WEC PWRs will actuate sprays upon SBLOCA as the containment-pressure actuation-setpoint is relatively low. At those plants, containment pressure comes up to the setpoint regardless of containment fan cooler status. Operator Actions As a result of the rapidity of the LOCA event, operator actions are few; operators are well trained in their implementation. In some instances, actions that are implemented are not required. Consequently, they are not usually a significant contributor to uncertainty. Equipment Characterization and Repair Likelihood In all but the most rigorous models, the ECCS pump fail-to-run is the likelihood that the pump does not meet its surveillance test (ASME Section XI, IWP) acceptance criteria. The IWP acceptance criteria are directly related to the Technical Specification requirement which in-turn is driven by the Appendix K analysis. Thus, a criteria based on declared INOPERABILITY over-predicts the likelihood that the pump fails to perform a realistically credible mitigating function. In LBLOCA, LPSI pumps start with the goal of rapidly refilling the lower plenum of the reactor pressure vessel as well as providing a continuous flow of coolant through the core. The lower reactor vessel plenum may (or may not) be empty following the blowdown phase. The amount of water in the lower plenum affects the amount of water injected by ECCS needed to achieve success.  As is typical in DBA studies. HVAC models typically neglect to credit the timing of the core-damage sequence and the transient nature of some of the room heat loads. Lack of room heat-up models often results in upwardly biased prediction of component failure. The likelihood of a relief valve failing to re-close is very low and this failure mode may not be explicitly modeled in PRAs. Stuck open relief valves in ECCS may lead to flow diversion problems. As the sites of flow diversion paths are typically small, the impact of flow diversion is not significant. LOCAs result in rapid inventory losses. Therefore, repair of equipment is not normally considered. However, analyses suggest that double-sequencing of EDG loads can be successfully completed. Timely EDG restarts make avoiding core damage possible for selected small LOCAs. PSAs assume high reliability of the ECCS sump. This evaluation is primarily based on a review of the plant design basis. Recent sump evaluations suggest the potential for sump clogging following larger LOCAs. This issue is not fully included in the scope of PSAs contemporary with this report. LOCA Phenomenology The design analyses conclude that control rods would insert following a licensing basis LOCA for W-3 and W-4 plants. The presence of rods may extend the time available for the operator to successfully implement alternate injection. In a CE-PWR, control rod insertion is not required for the larger break LOCAs as core power level is controlled in the short-term by rapid core voiding and in the long-term by injection of large amounts of boron via the ECCS. During a small LOCA core heat must be removed for some time and insertion of rods is considered required for event success at the lower end of the break range. Example calculations developed for advanced PWRs indicated that recriticality following RCP restart late in a SBLOCA event is unlikely. The concern is that an unborated slug from the sump goes into an unrodded (post-LOCA) RCS, or driven in upon a RCP restart. This event is of low significance and is not included in PRA models. The importance of post-LOCA hot-side/cold-side injection cooling schemes is uncertain. While the physics of precipitation is plausible, analyses performed for WEC PWRs suggest that mixing of core liquid with the downcomer liquid through the nozzle gap provides sufficient boric acid removal so as to avoid reaching the precipitation limit. Size of the LOCA, core peak power profile, component sequence order, and pipe line fill time determines the significance of the delayed AC power to the ECCS. The amount of delayed AC time allowed changes the way failures are counted for EDGs, e.g., the failure to start and connect the first load block in ten seconds is likely too restrictive of a criterion for PSA purposes. This may have a small impact on plant CDF. The RCS heat removal mechanisms vary according to LOCA break size. For large and medium LOCAs, the break size is large enough to remove energy at a rate higher than the decay heat rate plus heat transfer from RCS internals. The break flow is a two-phase mixture. Towards the smaller break range, energy removal through the break needs to be augmented by steam generator cooling. CE small break LOCA analyses indicate that RCP operation can alter the break range associated with success criteria. Continued pump operation drives increased amounts of inventory from the RPV while cooling the core in a frothy mixture. Following RCP shutdown, the low density froth rapidly collapses liquid level to well below the top of the core. The precise demarcation break-size (source of uncertainty) between small and medium depends upon equipment availability as well as equipment mitigation requirements. For example, increased injection of SI flow via more than one high head pump may increase the effectiveness of heat removal and hence decrease the range of break sizes that requires steam generator cooling as a means to depressurize the RCS. Depressurization is an extremely important aspect of mitigating a LOCA as the ECCS pumps for some plants are designed with shutoff heads only several hundred psi above steam generator secondary pressure.  The DBA LOCAs assume only one train of ECCS pumps is available. Other Signals and instrumentation: Some uncertainty may exist resulting from the level of detail related to SIAS generation; the high reliability of the ESFAS (SSPS) system suggests the impact on uncertainty is small. ReportDateSmall LOCA Medium LOCA Large LOCA Very Large LOCA (DEGB) WASH-140019751.0E-03   3.0E-04   1.0E-04   Subsumed into the Large LOCA 2.7E-038.0E-042.7E-04 NUREG/CR ‑ 3663 1984Plant Design CE PWR(primary coolant piping) WEC PWR(primary coolant piping) DEGB< 4.5E-13DEGB <6.3E-12 Leak< 2.3E-08Leak<2.0E-07 NUREG/CR ‑ 4550 19901.0E-03 5.0E-04-- NUPEC paper   19932.0E-046.0E-052.0E-05-- EPRI TR-10226619933.37E-031.08E-057.54E-06-- CEOG Task 94119973.0E-034.3E-054.4E-05 Based on NUREG/CR ‑ 3663 WCAP ‑ 15049 19987.0E-038.0E-043.0E-04For WEC Accumulator success criteria study NUREG/CR ‑ 5750 19995.0E-044.0E-055.0E-06-- RI-ISI results2001-- 1.57E-05-- NRC Revision2002-- 7.2E-06-- Expert Elicitation   2003, 2004 6.2E-03   1.6E-05<2.3E-06--   Median value   Median value   Median value   Includes Japanese plant data   Estimated values adjusted for mean (NOT FINAL). Results based on Calendar year. Lowered breaks impacted by inclusion of SGTR. Based on BWRs small piping should account for a ~ 5 x 10 -4 per calendar year LOCA frequency.   Estimate includes SGTRs. WEC estimates that SGTR frequency to be between 0.007 to 0.019 per operating year. Variation reflects the number of SGs per plant. It is estimated that, per calendar year values decrease from SGTR. (See WCAP ‑ 15955, “Steam Generator Tube Rupture PSA Notebook,” December 2002. Evolution of Mean LOCA Frequencies (Events per Plant Year) (Pipe break Contribution only) For the ECCS, the SI flow is directed into a common header, high or low pressure header (dependent on injection pump under consideration). The header accepts the pumped inventory and distributes the flow to the various RCS cold legs. This consideration is important when a valve located in the injection line is closed or a flow control valve (normally closed) does not open. WEC PWRs do not have flow control valves and the likelihood of an unavailable injection path is low. The header concept is important from several perspectives. 1.Failure or unavailability of a flowpath will increase the net system hydraulic resistance and reduce the SI flow to the vessel. Loss of injection flow may compromise event success. 2.Distribution of SI to all cold legs will assume that, for a cold leg LOCA, there are liquid inventory losses of injection water from the break. For example, during a large cold leg break LOCA in the ECCS headered plant with N cold legs, something greater than 1/N fractions of the injected inventory will spill directly into the containment (lower flow resistance into containment). PSAs typically consider 3 or 4 break size designations, i.e., VSLOCA, SBLOCA, MBLOCA and LBLOCA. The largest break is associated with the DBA DEGB. VSLOCAs may be important to ice-condenser PWRs as a result of low containment pressure actuation setpoints for the containment-spray system as well as the need for high-pressure recirculation to mitigate the event Key Uncertainties
Key Assumptions The simplest PRA would estimate the frequency of any type of LOCA – lumping the very smallest hole in the RCS to the very largest. That is, make a frequency estimate of any event that directly or indirectly caused water to exit from the RCS faster than the pressurizer level control system could accommodate. SGTRs and ISLOCAs are special classes of LOCA because instead of discharging RCS water into containment (available for recirculation), RCS water escapes into the atmosphere or into the auxiliary building respectively. The PRA model would then have to determine the availability and reliability of the SSCs that can allow the operators to restore inventory control and establish long-term cooling. At a simple level, to achieve success (because the LOCA could be of any size), the event tree would have to include AFW and all the ECCS SSCs from HPSI to LPSI to CS to the safety-injection tanks, not to mention the support systems like air, cooling water, and electric power. PRA analysts with even limited experience in estimating core-damage frequency (CDF) can see that this model could come up with a valid estimate of CDF, but that the model would assign nearly equal importance to all of the SSCs designed to help the operators restore inventory control and establish long-term RCS cooling. In fact, this is the situation in deterministic modeling that simplifies the PRA problem by employing “defense-in-depth” and guarding against “the worst single-active-failure.” Some of the LOCAs are so small that the availability and reliability of accumulator tanks are not relevant to a large fraction of the LOCAs captured by the lumped LOCA frequency. A sophisticated PRA model will not penalize the results by requiring all SITs to be available and reliable for SBLOCAs and SGTRs. In fact, including SITs in the SSC success set for small LOCAs has the perverse effect of lowering the core-damage frequency estimate because the SITs are inherently reliable. The PRA model can instead set up LOCA initiators that occur at a nearly infinite number of locations around the RCS. Fortunately for the PSA analyst, there relatively few permutations of AFW and ECCS equipment that can successfully restore RCS inventory and maintain long-term cooling. A rigorous model would be built by determining the frequency of LOCA break sizes that can be accommodated by each permutation of SSCs that can successfully restore RCS inventory and maintain long-term cooling. The LOCA break sizes that can be accommodated by a particular set of SSCs depends on assumptions surrounding the behavior of the water contained in the RCS after the break occurs. There are a few key features of a thermo-hydraulic model that dictate whether or not an SSC will be helpful in restoring inventory control and establishing long-term cooling. For instance the size of the hole dictates how quickly RCS pressure falls below the shutoff head of HPSI pumps. The location of the break changes how fast the water level in the core barrel drops (e.g., cold-leg breaks empty the reactor pressure vessel faster than a hot-leg break). More subtle assumptions in the thermo-hydraulic model determine the mass of water in the lower plenum of the reactor vessel at the end of the blowdown phase. That amount of water determines how much water the ECCS has to put back into the RCS to recover the core. Of course, neutronics dictates how long the fuel can remain uncovered yet retain its structural integrity, and thus the flow rate ECCS needs to achieve in order to avoid core-damage. Some of the LOCAs are a result of general transients that cause the primary safety-relief valves to lift. As those types of valves have a random chance of sticking open, the general transient can induce a LOCA putting demands on the same large set of SSCs mentioned above.