IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making
Accident Sequence Analysis
Lecturer, Lesson IV 3_2.2
Workshop Information, Country
IAEA Workshop XX City - XX Month, Year

Accident Sequence Analysis

Contents
– Introduction to Accident Analysis
– Event Tree Development
– Event Trees/Fault Trees Link
– Modelling Techniques
– Plant Response Familiarisation
– Success Criteria
– Event Sequence End States

Introduction to Accident Analysis
– PSA provides a tool for the systematic and logical modelling of accident progression, including the estimation of uncertainties
  • Design basis accidents (DBA), beyond design basis accidents (BDBA), potential accidents, operating experience (near-miss events)
– The starting point is to identify all initiators, i.e. the initiating events (IE) of potential accidents leading to core damage
– The next task is to model realistically how the plant responds to such initiators
– The various potential accident progression paths are modelled as event sequences using the Event Tree (ET) method
  • The selection of IEs and the modelling of the subsequent plant response is an iterative process

Introduction to Accident Analysis (Cont.)
– An accident sequence consists of:
  • the initiating event (IE)
  • the safety functions mitigating the given IE
  • potential human actions to mitigate the IE and the resulting sequences
– Safety functions are performed by safety systems (front-line systems, support systems, engineered safety features)
– Safety functions may result from automatic or manual actuation of a system, from passive system performance, or from natural feedback
– It is important that the success criteria of the safety functions (systems) are relevant to the identified IE and the sequence

Introduction to Accident Analysis (Cont.)
– The typical safety functions used in accident sequence analysis for PWRs are well known from the deterministic approach:
  • Reactivity control
  • Maintaining the Reactor Coolant System boundary
  • Reactor Coolant System inventory
  • Decay heat removal
  • Containment integrity
– The systems fulfilling those functions must be identified, together with the minimum system requirements, the so-called success criteria

Example of Safety Functions: Assignment to Individual Systems
SAFETY FUNCTION               SYSTEM
Reactor Trip                  Primary RPS, Diverse RPS, control rods
Subcriticality                Emergency boration system, HHI system, LHI system, Normal charging systems
RCS Integrity                 Pressurizer PORV, Pressurizer safety valves
RCS Coolant System Inventory  Accumulators, HHI system, LHI system, Normal charging system

Introduction to Accident Analysis (Cont.)
– All identified dependency types should be modelled adequately
  • Dependencies of the safety systems on the initiating event
  • Common Cause Failures (CCF)
  • Functional dependency on other systems, components or operator actions
  • Environmental dependencies
– Human actions might recover the operation of a failed safety function; they should be modelled, where applicable, to avoid unnecessary conservatism

Event Tree Development
– Event trees (ET) model the response of the plant to an IE
– The IE is usually defined as an event that creates a disturbance in the plant and has the potential to lead to core damage (depending on the operation of the mitigating systems)
– IEs often lead to a demand for reactor scram (at full power), but some IEs may lead directly to core damage (e.g. some external events, reactivity accidents, etc.)
  • In shutdown, IEs are usually defined as events that may lead to loss of fuel cooling, such as loss of RHR, LOCA and draindown events, loss of SFP cooling, drops of heavy loads, etc.
– IEs with a similar plant response and similar success criteria for the mitigating safety functions can be grouped together and modelled in the same ET (e.g. LOCAs)

Event Tree Development (Cont.)
– The initiators are grouped together to facilitate the use of the PSA and to reduce the number of required ETs
– Major IE group categories:
  • Loss of Coolant Accidents (LOCA)
  • Transients
  • Steam/feedwater line breaks
  • Loss of Off-Site Power (LOSP)
  • Support system failures (CCI), e.g. I&C failure events, power supply failure events, service water failure events, loss of ventilation system events
  • CCF events (e.g. multiple equipment actuation due to CCF)

Event Tree Development (Cont.)
• Event trees are graphic models that order and reflect events according to the safety functions and system success criteria for each initiating event group
• ETs are graphical representations of Boolean algebra equations
• The event tree headings are normally arranged in chronological or causal order
• These headings (TOPs) represent the IE and the "events" whose failures or successes define the way the accident sequence progresses; they may include:
  – safety functions
  – front-line systems, system trains or specific equipment
  – human errors

Event Tree Development (Cont.)
– Failures and successes of safety functions/systems constitute the possible event sequences (accident progression)
– Event sequences lead either to a successful safe (OK) state or to core damage (CD)
– Event tree top events (headings)
  • should be modelled at least at the level of safety functions
  • should be modelled to correspond to the timing or occurrence of events
  • can be divided into several headers with different success criteria or timing
– Detailed modelling often leads to a large number of accident sequences; sometimes optimization and simplification are required, but it is important that no qualitative dependency is lost

Modelling Techniques
– PSAs are mainly developed with the following approaches:
  • Small ET - Large FT (the most widespread method)
  • Large ET - Small FT
  • Fault Tree only
  • Event Sequence Diagrams (ESD) and Cause-Consequence Diagrams (CCD) can also be applied in event sequence delineation modelling
– All methods are capable of producing valid results when applied adequately and consistently (depending on the objectives)
– In the small ET - large FT approach the safety functions, and sometimes also the IEs, are modelled using a fault tree (FT)

Example of Event Sequence Diagram
[Figure 3.1.3-3: S2 - Large LOCA ESD (350 - 850 mm). Only the text of the diagram blocks and the side notes is recoverable from the extracted page; the Y/N branch connections between the blocks are not.]
Diagram blocks:
• S2 group: large LOCA, 850-350 mm, cold/hot leg
• Pressurizer water level decrease and RCS inventory release up to 66-29 t/s; blowdown phase within 15-20 s; RCS pressure drops to 0.2 MPa
• Reactor trip by RPS signals 1-4 (failure branch: transfer to ATWS, not developed)
• Turbine trip by reactor trip (failure of the turbine stop valves and control valves will cause MSIV closure and turbine bypass unavailability for steam dump)
• All ECCS (except TQ14) actuated by ESFAS signals 1 or 2
• Containment isolation by ESFAS signals 1 or 2 and trip of RCPs, TK in operation
• 2/4 accumulators required to inject inventory (50 m3 each) and isolate when level drops to 120 mm (failure branch: no flow from accumulators, a local CD occurs, flow from the LHI pumps is still possible)
• 1/3 LHI pumps TQ12,22,32 required to inject 800 t/h at pressure 2.26 MPa for long-term decay heat removal
• 1/3 LHI pumps TQ12,22,32 required to inject 800 t/h at pressure 2.26 MPa to limit the CD impact on the containment
• 1/3 spray pumps TQ11,21,31 available for containment heat removal, pressure and fission product release suppression (Level 2 not developed)
• Cooling down provided by heat removal via the circuit: sump - TQ10,20,30S01 - TQ10,20,30W01 - TQ12,22,32D01 - RCS - leakage - sump
End states appearing in the diagram: OK (cold shutdown), CD, local CD, transfer to ATWS (not developed), Level 2 (not developed)
Side notes:
• PRPS signals: 1. RCS subcooling (Tsat < 10 °C); 2. Low RCS pressure < 12 MPa; 3. Low pressurizer level < 4600 mm; 4. Containment pressure > 30 kPa
• DPS signals: 1. Low hot leg subcooling; 2. Low pressurizer pressure (setpoints relaxed, not fixed yet)
• Containment isolation by ESFAS signals 1 or 2. ESFAS signals: 1. Large LOCA (subcooling < 5 °C); 2. Large accident (containment pressure > 30 kPa); 3. Steam line break (steam line pressure > 5 MPa coincident with Tsat(RCS) - Tsat(SG) > 75 °C and coincident with Thot > 200 °C); 4. LOSP (voltage on emergency buses < 0.25 Unom for 2 s)
• Turbine trip by reactor trip
• ACCs inject when RCS pressure drops below 5.9 MPa (no ESFAS signal); ACCs isolate on low (120 cm) level to prevent nitrogen release into the RCS

Event Tree Structure
The initiating event I is followed by the safety functions/systems A, B and C as headings. At each tree branch point the upper branch is success and the lower branch is failure; a sequence is a path through the event tree, and its Boolean expression is built from the IE and the branch outcomes ("/A" denotes the success of A, i.e. the complement of the failure event A).
No.  Sequence     End state
1    I*/A         OK
2    I*A*/B*/C    OK
3    I*A*/B*C     CD
4    I*A*B        CD
CD = core damage, OK = core safe state

Example of Event Tree - Very Small LOCA
[Figure: event tree for initiator S5 (Very Small LOCA). Headings: S5 initiator; Reactor scram; Normal charging; AFW 1/2; EFW 1/3; Human action: feed & bleed; HP injection; Core status; Frequency (CDF). End states: OK, CD, transfer to S4 and transfer to ATWS. The branch probabilities and sequence frequencies shown (5.00E-3, 4.79E-3, 4.91E-1, 7.50E-2, 1.79E-06, 5.82E-3, 3.59E-2, 2.40E-1, 3.00E-5, 8.79E-07, 7.69E-06, 1.80E-02, 2.25E-06) cannot be assigned to individual branches from the extracted text; the CD sequence frequencies 1.79E-06 and 7.69E-06 sum to the stated CDF = 9.48E-06.]
ATWS = Anticipated Transient Without Scram event tree
S4 = Small LOCA initiator group event tree
S5 = initiating event (Very Small LOCA) of the following accident sequences
CD = Core Damage State; OK = Core Safe State

Event Tree/Fault Tree Link
– A fault tree (FT) is a graphical representation and analytical method whereby an undesired event (e.g. a state of a system) is specified through the ET heading, and the system is then analysed to find all potential ways in which the undesired event can occur
– The FT is a systematic way to determine all failure combinations of the system leading to the undesired "TOP" event
– In PSA, FTs are used to model the failure of events in the accident sequence event trees
  • Fault trees are used to model failures to meet the system success criteria
  • The FT provides the link between the plant safety functions and the failures of the actual plant systems, equipment and human actions required to perform those functions

Plant Response Familiarisation
How does the plant respond to an initiating event?
• Baseline information for starting the accident sequence definition and system modelling
– Information sources, e.g.:
  • Final Safety Analysis Report (FSAR)
  • LERs
  • Operator training manuals, Emergency Operating Procedures (EOPs)
  • Plant visits/walkdowns
  • Topical reports
  • Interviews with the plant staff
  • Plant design information (P&IDs, electrical diagrams, layout drawings, control logic diagrams, interlock lists, etc.)

Plant Response Familiarisation (Cont.)
– To consolidate correct branching in the ET, the mutual interaction of the systems providing the safety functions must be examined by consistently asking questions like:
  • Does the system operate in this ET branch or at this sequence point under such conditions?
  • Does the success or failure of the system affect the plant end state (core damage, fission product release, containment failure)?
  • Could the operation of a given system at this point of the accident sequence lead to the success of a safety function?
  • Does the operation of this system affect the operation of other systems?

Plant Response Familiarisation (Cont.)
– The understanding of the plant response should be based on the plant as built and as operated or, for new plants, as designed
– Best-estimate information or reasonable conservatism should be used consistently
  • to avoid different levels of conservatism, which would distort the PSA results and might lead to misleading results and conclusions
– The expert team needed to conduct a PSA should consist of at least:
  • system analysts, PSA experts and practitioners, operators and operational analysts, data analysts, human reliability analysts

Success Criteria for Safety Functions
– The minimum level of performance required from the system within the required time window (number of redundant trains, relief valves, isolation valves, human actions, etc.)
– The requirements for support systems are based on the success criteria of the front-line systems
– Success criteria may depend on the accident progression and timing
– Recoveries should be modelled with extreme care
  • applied only when possible within the available time window
  • no "hero operator" actions are modelled

Example of Success Criteria for Systems
Initiator  Function                System                     Success criterion
S3         RCS Inventory           HHI                        1/3
                                   LHI                        1/3
                                   YT11-14                    1/4 + isolation
           Secondary Heat Removal  Auxiliary Feedwater (RL)   1/2
                                   Emergency Feedwater (TX)   1/3 + alignment of another TX tank
                                   ADV (RL)                   1/4
T1         ...                     ...                        ...

Success Criteria (Cont.)
– Success criteria should be based on realistic engineering calculations (T/H, mechanistic, heat-up curves, ...)
– The FSAR analyses could serve as a basis, but they are usually too conservative and their accident definitions may differ from those of the PSA
– Qualified computer codes should be used by qualified users
– Codes should be verified and validated (V&V) for the relevant area of their application
– Thermal-hydraulic and other supporting analyses should be well documented and reproducible
– Conservative assumptions could affect the plant's risk profile and decrease the usability of the PSA for applications

Success Criteria (Cont.)
What are the criteria for core damage?
– In order to develop accident sequences, the term "core damage" should be clearly defined:
  • The limiting peak cladding temperature is below 1204 °C (LOCA)
  • The localized cladding oxidation limit of 17% is not exceeded during or after quenching
  • The amount of fuel element cladding that reacts chemically with water or steam does not exceed 1% of the total amount of Zircaloy in the reactor
  • The core remains amenable to cooling during and after the break
  • Possibility of core relocation following an accident

Event Sequence End States
– Event sequences leading to core damage are grouped into Plant Damage States (PDS)
  • PDSs form the starting point for the Level 2 PSA (accident progression after core damage)
– PDSs have different severity levels
  • high-pressure CD scenario, low-pressure CD scenario, CD due to loss of RHR, CD with containment bypass, CD with loss of offsite power, loss of spray system, etc.
  • In some PSAs even some non-core-damage sequences have been grouped into PDSs, especially those with a high economic impact on the plant, e.g.
    – fuel cladding failure (only one or a few fuel rods), rapid depressurization of the RPV, fuel pool boiling, etc.

Event Sequence End States
[Figure: Level 1 ETs (IE1, IE2, ..., IE X) with their numbered sequences mapped through a PDS logic diagram to the Level 2 CD/PDS groups PDS 1, PDS 2, ..., PDS 7, ..., PDS X.]
The sequences from all ETs ending in the same CD end states (PDSs) are grouped based on the PDS logic diagram criteria, similarly to the IE grouping in the Level 1 PSA, to form the starting point for the Level 2 analysis.
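The event tree walk of the "Event Tree Structure" slide, carried through to the CDF sum and to the PDS grouping described on the last slide, as an added Python example that is not part of the IAEA course material. The headings A, B, C and the "/X" success notation are the slide's; the initiator names S4 and S5, the IE frequencies, the conditional failure probabilities and the PDS key (the set of failed headings) are constructed assumptions.

```python
from math import prod
# Constructed event tree in the notation of the "Event Tree Structure" slide:
# a node is either an end state ("OK"/"CD") or {heading: {"success": node,
# "failure": node}}. Heading A is asked first; B and C only if A fails.
TREE = {"A": {"success": "OK",
              "failure": {"B": {"success": {"C": {"success": "OK", "failure": "CD"}},
                                "failure": "CD"}}}}
# Assumed data: failure probability per heading; IE frequency per year for S4, S5.
FAIL_PROB = {"A": 5.0e-3, "B": 7.5e-2, "C": 2.4e-1}
IE_FREQ = {"S4": 1.0e-3, "S5": 2.0e-2}

def walk(node, path=()):
    """Enumerate every path through the tree as (((heading, failed), ...), end_state)."""
    if isinstance(node, str):
        return [(path, node)]
    (heading, branches), = node.items()
    return (walk(branches["success"], path + ((heading, False),))
            + walk(branches["failure"], path + ((heading, True),)))

def sequences(ie):
    """Sequences of the ET for initiator `ie`: Boolean expression (as on the
    slide, '/X' = success of X), end state, frequency and set of failed headings."""
    out = []
    for path, state in walk(TREE):
        expr = "*".join([ie] + [h if failed else "/" + h for h, failed in path])
        freq = IE_FREQ[ie] * prod(FAIL_PROB[h] if failed else 1 - FAIL_PROB[h]
                                  for h, failed in path)
        out.append({"expr": expr, "state": state, "freq": freq,
                    "failed": frozenset(h for h, failed in path if failed)})
    return out

def cdf(seqs):
    """Core damage frequency: the sum of the frequencies of all CD sequences."""
    return sum(s["freq"] for s in seqs if s["state"] == "CD")

def plant_damage_states(seqs):
    """Group the CD sequences of all ETs by a PDS key; the key used here (set of
    failed headings) is a constructed stand-in for the PDS logic diagram criteria."""
    pds = {}
    for s in seqs:
        if s["state"] == "CD":
            pds.setdefault(s["failed"], []).append(s)
    return pds

if __name__ == "__main__":
    all_seqs = [s for ie in IE_FREQ for s in sequences(ie)]
    for s in all_seqs:
        print(f"{s['expr']:<12} {s['state']}  {s['freq']:.3e}")
    print(f"CDF = {cdf(all_seqs):.3e}; PDS keys:",
          [sorted(k) for k in plant_damage_states(all_seqs)])
```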