Disaster by Design/ Safety by Intent #45
Disaster by Design
Disaster by Design/Safety by Intent #44 described how diverse, independent barriers (DIBs) can be used to promote nuclear power plant safety. That commentary cited the various pumps for providing makeup water to the reactor vessel for core cooling as an example. This commentary uses this same example to illustrate how probabilistic risk analyses (PRAs) are used to better understand, and manage, nuclear power’s risks.
Safety by Intent
The control rod drive (CRD), reactor core isolation cooling (RCIC), high pressure coolant injection (HPCI), core spray, and residual heat removal (RHR) pumps can supply water to the reactor vessel. PRAs construct trees for the things that must happen for each pump to fulfill this role and assign probabilities for each thing happening. Take the RCIC system as an example.
The RCIC system uses steam produced within the reactor vessel to spin a turbine. The steam leaving the turbine is routed into the water inside the suppression chamber, or torus. The turbine rotates a metal shaft connected to a pump. The pump transfers water from the condensate storage tank, or alternatively from the suppression pool, through a feedwater pipe into the reactor vessel.
The RCIC system tree develops branches to account for things that must happen for the system to supply makeup water to the reactor vessel:
(1) the steam supply shutoff valve must open and remain open,
(2) the turbine control valve must partially close so as to regulate the amount of steam entering the turbine to achieve the desired makeup flow rate set by the flow indicating controller (FIC),
(3) the suppression pool water temperature must remain low enough to continue absorbing the steam exiting the turbine,
(4) the suction valve from the condensate storage tank or the suction valves from the suppression pool must open and remain open,
(5) the flow element (FE) must send an accurate flow signal to a properly functioning FIC so that the turbine works as hard as needed for the pump to deliver the desired makeup flow rate, and
(6) the injection valve must open to allow the pump to send water to the feedwater pipe and then into the reactor vessel.
These branches develop sub-branches. For example, the steam supply shutoff valve requires an electronic signal to open it. It must then be physically capable of opening (i.e., not mechanically bound in place and not have its disc broken from its traveling stem). And it must not receive a false or spurious signal to re-close.
Once the probabilities for successful operation of all the systems have been determined, the probabilities of the reactor successfully mitigating postulated initiating events can be evaluated. Returning to the example from Disaster by Design/Safety by Intent #44, the PRA trees for the CRD, RCIC, HPCI, core spray, and RHR systems can be used to create a PRA tree for a postulated loss of feedwater event.
This event tree is for illustration only and the numbers are inflated to avoid the 3.8E-05 or 3.8 × 10⁻⁵ nomenclature that real PRA results use.
The first branch in this event tree explores whether the CRD pump can provide sufficient makeup flow to compensate for the loss of normal feedwater flow. For this illustration, the CRD pump can meet this need only 5 percent of the time. To be fair to the CRD system, it is not designed to substitute for the feedwater system. But if the energy output of the reactor core were low enough (such as following a refueling outage and if the event starts from a low power level), the CRD pump might be enough.
The event tree moves through the other four systems. If any system’s pump(s) can provide sufficient makeup flow, adequate core cooling is the outcome. For this illustration, it takes failure of all five systems for core damage due to inadequate core cooling to occur.
The 0.3 percent chance of core damage in this case results from multiplying all the “no” values: 0.95 x 0.26 x 0.12 x 0.32 x 0.28 equals roughly 0.003, or 0.3 percent. Multiplying this way treats the five failures as independent; a real PRA must also account for dependencies that could take out several systems at once, such as a shared electrical bus, a common suppression pool, or the same operator action.
The loss of normal feedwater flow event examined in this case is but one of many initiating events that could result in reactor core damage. Other initiating events include loss of offsite power, rupture of a pipe that drains cooling water from the reactor vessel (i.e., a loss of coolant accident), internal flooding that disables safety equipment, de-energization of in-plant electrical power circuits, and station blackouts (i.e., loss of offsite power complicated by unavailability of the onsite emergency diesel generators). When PRA trees for initiating events are combined to make a PRA forest, care must be taken to avoid “double-counting.” For example, a loss of offsite power triggers a loss of normal feedwater flow event. The PRA forest must account for associated risks once to avoid distorting the risk picture.
Specific Event Risk Insights (i.e., looking in the rear-view mirror)
The NRC also uses PRAs to determine the significance of safety equipment problems and near misses at nuclear plants and assign colors (green, white, yellow, and red) to NRC inspection findings. With one exception over the past four decades, safety equipment problems and near misses have not resulted in reactor core damage. Thus, the core damage probability for these actual incidents and events was zero percent, except for the March 1979 meltdown at Three Mile Island Unit 2 which was 100 percent. The NRC uses the PRAs to calculate the conditional core damage probabilities from safety equipment problems and near misses to estimate where the actual incidents and events fell between these two endpoints.
It’s an over-simplification of an overly simplified example, but consider an event where the HPCI system either failed or was removed from service at the time. HPCI would have a zero percent chance of supplying sufficient makeup flow. HPCI’s status would not impair the ability of the other four systems to fulfill the mission. But HPCI being unable to do its thing increases the risk of core damage resulting from a loss of feedwater event.
Safety equipment problems and near misses seldom involve the total loss of system capability (i.e., chance of success becoming zero). More frequently, the system(s) capability is impaired by the malfunction. In this illustrative case, some problem lessened the likelihood that the RCIC system would be able to provide sufficient flow to the reactor vessel during a loss of normal feedwater flow event from 74 percent to 65 percent. That sizeable system impairment had little effect on the overall risk of core damage resulting from a loss of feedwater event.
The NRC will adjust the inputs to the PRA to account for systems out of service and component impairments and then run the PRA model (computer code) to determine the risk consequences.
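The arithmetic in the event tree above, and the NRC-style re-run of it with HPCI out of service or RCIC impaired, can be written out in a few lines. The block below is an added illustration for this commentary, not the NRC's, UCS's or any plant's PRA model. The five system success probabilities are the post's deliberately inflated numbers; the six RCIC branch failure probabilities are made up so that their product reproduces the post's 74 percent RCIC success figure.

```python
"""Event tree and fault tree arithmetic for the loss-of-feedwater example.

Added illustration, not the NRC's, UCS's or any plant's PRA model. The five
success probabilities are the post's inflated illustrative values; the RCIC
branch unavailabilities are constructed to land near the post's 74 percent.
"""
from math import prod

# Success probability of each makeup system during a loss of normal
# feedwater, taken from the post's illustrative event tree.
BASELINE = {
    "CRD": 0.05,
    "RCIC": 0.74,
    "HPCI": 0.88,
    "core spray": 0.68,
    "RHR": 0.72,
}

# Constructed per-demand failure probabilities for the six RCIC branches the
# post lists. Product of the complements is about 0.7425, i.e. the 74 percent.
RCIC_BRANCH_FAILURE = {
    "steam supply shutoff valve opens and stays open": 0.05,
    "turbine control valve regulates steam flow": 0.04,
    "suppression pool stays cool enough to absorb exhaust": 0.03,
    "suction valve(s) open and stay open": 0.05,
    "FE/FIC deliver an accurate flow signal": 0.07,
    "injection valve opens": 0.05,
}


def fault_tree_success(branch_failure):
    """System fault tree: the top event (RCIC fails) is an OR of the branch
    failures, so the system succeeds only if every branch succeeds. Branches
    are treated as independent here; a real PRA would add common-cause and
    support-system dependencies rather than assume that."""
    return prod(1.0 - q for q in branch_failure.values())


def core_damage_probability(success):
    """Event tree: core damage requires every makeup system to fail, so the
    conditional core damage probability is the product of the 'no' branches."""
    return prod(1.0 - p for p in success.values())


def ccdp_with(changes, success=BASELINE):
    """Re-run the event tree with some systems impaired (lower success
    probability) or removed from service (success probability 0.0), which is
    what the NRC does when it adjusts PRA inputs to assess a finding."""
    return core_damage_probability({**success, **changes})


def assess(changes, success=BASELINE):
    """Return (baseline CDP, conditional CDP, absolute increase, ratio)."""
    base = core_damage_probability(success)
    cond = ccdp_with(changes, success)
    return base, cond, cond - base, cond / base


if __name__ == "__main__":
    print(f"RCIC success from fault tree: {fault_tree_success(RCIC_BRANCH_FAILURE):.4f}")
    cases = [
        ("HPCI out of service", {"HPCI": 0.0}),
        ("RCIC impaired, 74% -> 65%", {"RCIC": 0.65}),
    ]
    for label, changes in cases:
        base, cond, delta, ratio = assess(changes)
        print(f"{label}: CDP {base:.2%} -> {cond:.2%} (+{delta:.2%}, x{ratio:.1f})")
```

Running it shows why the two findings in the text differ so much in significance: with HPCI unavailable the core damage probability for the loss-of-feedwater event rises from about 0.27 percent to about 2.2 percent (the "no" branch for HPCI becomes 1.0, so the result grows by a factor of 1/0.12), whereas degrading RCIC from 74 to 65 percent success only moves it to about 0.36 percent. The absolute increase is what the NRC's significance determination keys on.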
The NRC reports on events involving higher risks through its Accident Sequence Precursor (ASP) program. The NRC used PRAs to estimate the elevated risks from events such as winter storm Juno at Pilgrim, winter storm Nemo at Pilgrim, loss of the turbine building closed cooling water system at Fermi Unit 2, an earthquake near the North Anna nuclear plant that caused both reactors to trip, a widespread grid outage in August 2003 that affected several nuclear power plants, and reactor vessel head degradation at Davis-Besse.
General Risk Insights (i.e., looking at the road ahead)
PRAs also provide insights that are helpful for managing risks in the future.
The PRAs show which initiating events have the largest risks of resulting in core damage. In this graphic, fairly representative of U.S. pressurized water reactors, the loss of offsite power is the primary threat, accounting for 39 percent of the core damage frequency (CDF) at this reactor, while loss of instrument air contributes only 2 percent of the CDF. Spending money to improve the reliability of the instrument air system will not have the risk impact obtainable from making the reactor more resistant to loss of offsite power events.
For the same reasons, the PRAs help allocate finite inspection resources. With this graphic, it should not be surprising to learn that NRC’s inspectors devote far more time and attention to the emergency diesel generators—which have a key role to play during loss of offsite power events—than to checking out the instrument air system.
In the loss of feedwater event above, the failure of the HPCI system was examined to evaluate the effect on core damage risk. PRAs can also shed insight on the value of “perfect attendance” by systems. This chart shows how much the overall core damage frequency (CDF) would be reduced if individual systems were 100 percent reliable. “Perfect” emergency diesel generators would reduce the CDF by slightly more than 25 percent. A “perfect” emergency service water (ESW) system would reduce the CDF by even more; nearly 37 percent. And a “perfect” instrument air/nitrogen supply system (IA/N2) would reduce the CDF by two, maybe three, percent. (Sorry Instrument Air System Engineers. This is not to imply that your work is not important; just that it’s not as important as nearly all other System Engineers’ work.)
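The two charts described in this section, the initiating-event pie and the "perfect attendance" bars, are importance measures computed over the whole PRA forest rather than over one event tree. The block below is an added illustration of how they are derived; the initiating events, systems, frequencies and unavailabilities in it are constructed for the example and are not taken from any plant's PRA or from the charts the post describes. It goes one step beyond the text by also computing the risk achievement worth, the CDF multiplier when a system is assumed failed, which is the aggregate-level counterpart of the "HPCI out of service" case above.

```python
"""Importance measures over a small, constructed multi-initiator PRA.

Added illustration, not data from any plant or from the charts the post
describes. Initiating-event frequencies are per reactor-year and system
unavailabilities are per demand; every value below is made up.
"""
from math import prod

SYSTEM_UNAVAILABILITY = {
    "EDG": 0.05,    # emergency diesel generators
    "ESW": 0.02,    # emergency service water
    "AFW": 0.03,    # auxiliary feedwater
    "HPI": 0.01,    # high pressure injection
    "IA/N2": 0.02,  # instrument air with nitrogen backup
}

# Core damage sequences: (initiating event, frequency, systems that must ALL
# fail). Each row is one path through an event tree; the collection of rows
# is the post's "PRA forest". Loss of feedwater here is the stand-alone
# initiator only, so it is not double-counted with loss of offsite power.
SEQUENCES = [
    ("loss of offsite power", 0.03, ["EDG", "AFW"]),
    ("loss of offsite power", 0.03, ["EDG", "ESW"]),
    ("loss of feedwater", 0.10, ["AFW", "HPI"]),
    ("small LOCA", 0.005, ["HPI"]),
    ("reactor trip", 1.0, ["AFW", "HPI", "ESW"]),
    ("loss of instrument air", 0.01, ["IA/N2", "AFW"]),
]


def sequence_frequency(freq, systems, unavailability):
    return freq * prod(unavailability[s] for s in systems)


def core_damage_frequency(unavailability=SYSTEM_UNAVAILABILITY):
    """Sum of sequence frequencies. This is the rare-event approximation:
    overlap between sequences (the two LOOP rows both contain EDG failure)
    is ignored, which is acceptable only while all probabilities are small."""
    return sum(sequence_frequency(f, s, unavailability) for _, f, s in SEQUENCES)


def initiator_shares():
    """Fraction of CDF contributed by each initiating event (the pie chart)."""
    total = core_damage_frequency()
    shares = {}
    for initiator, freq, systems in SEQUENCES:
        contrib = sequence_frequency(freq, systems, SYSTEM_UNAVAILABILITY)
        shares[initiator] = shares.get(initiator, 0.0) + contrib / total
    return shares


def cdf_with_system_at(system, q):
    """CDF with one system's unavailability overridden (0.0 = perfect,
    1.0 = failed or out of service)."""
    return core_damage_frequency({**SYSTEM_UNAVAILABILITY, system: q})


def fussell_vesely():
    """Fraction of CDF removed if a system never failed, the 'perfect
    attendance' bar chart. Equivalent to 1 - 1/RRW (risk reduction worth)."""
    base = core_damage_frequency()
    return {s: 1.0 - cdf_with_system_at(s, 0.0) / base for s in SYSTEM_UNAVAILABILITY}


def risk_achievement_worth():
    """CDF multiplier if a system is assumed failed: how much worse things
    get while that system is out of service."""
    base = core_damage_frequency()
    return {s: cdf_with_system_at(s, 1.0) / base for s in SYSTEM_UNAVAILABILITY}


if __name__ == "__main__":
    print(f"CDF = {core_damage_frequency():.3e} per reactor-year")
    for name, share in sorted(initiator_shares().items(), key=lambda kv: -kv[1]):
        print(f"  {name:<24} {share:6.1%} of CDF")
    fv, raw = fussell_vesely(), risk_achievement_worth()
    for s in SYSTEM_UNAVAILABILITY:
        print(f"  perfect {s:<6} removes {fv[s]:6.1%} of CDF; failed {s:<6} x{raw[s]:.1f}")
```

In this constructed model loss of offsite power dominates the pie and the emergency diesel generators and auxiliary feedwater dominate the bar chart, while instrument air sits at a few percent on both, which is the shape of the argument in the text. The ranking, not the exact figures, is what inspectors and engineers take from these measures.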
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.