ERMSAR2012-6.03 slides

SEVERE ACCIDENT RISK IMPORTANCE MEASURES
IN THE CONTEXT OF PRA APPLICATIONS
Juan Carlos de la Rosa
Westinghouse Electric Company
ERMSAR 2012, Cologne March 21 – 23, 2012
Outline

To give a picture of how safety culture is applied in NPPs by
means of the Defence-in-Depth concept.

Once the different DiD barriers are analyzed, a particular gap in the
area of preventive measures in Severe Accidents is detected.

To address this issue, a new risk-oriented metric is proposed.

This new parameter makes it possible to track risk throughout the
transient developed at the NPP site.

In order to be consistent (and objective) with the current risk metrics
underlying the DiD barriers, a switch from the most severe to the most
frequent scenario in the SA figures-of-merit is advisable.
Introduction

Usually, DiD barriers are spatially considered, i.e., they are placed in
a one-dimensional map and intended to meet their function just as a
physical wall would.

This drawing yields a balanced, well equilibrated picture of how safety
measures are spread all along the nuclear plant.
Introduction
• Actually, DiD encompasses all “different levels of equipment and
procedures (which applies to both the design and the operation
of the facility) in order to maintain the effectiveness of physical
barriers”:
Introduction

Barriers could also be classified according to their time-to-act:
– Three different time thresholds are usually recognized: before the event is
  triggered, during the event evolution, and once the event has occurred
  (after-the-event measures do not fall under the NPP site).
– In accordance with maintenance and surveillance practices, predictive,
  preventive, and corrective barriers are considered.
Introduction


Even if not explicitly declared, two milestones are needed in order to
define a barrier: the Initial and Final Event (which, by the way,
are Aristotle's efficient and final cause):
– Where is the barrier coming from? What has to be challenged?
– Where is the barrier looking? What has to be prevented?

NPP initial design and practices have been directed towards the
definition of the former issues as follows:
– The Initial Events have been those of the DBAs.
– The Final Event is a set of dependent consequences undergone by the
  core (peak temperature, cladding oxidation), usually referred to as Core
  Damage (CD).
Introduction

With the aim of removing the bias contained in the NPP initial design
regarding the set of accidents that had to be challenged, the PRA tool
started to be taken into account.

Thus the IE issue was tackled, switching from a subset of transients
to a global perspective, where all the events could become an IE.

If the FE is extended in time from CD to the next risk milestone, i.e., a
radiological release to the off-site environment (usually Release
Category, RC), the state of the DiD barriers dramatically diminishes.

The key point is that almost all barriers are aimed at preventing
CD. The question then arises: what if CD is exceeded?
DiD barriers beyond CD

Corrective (active) measures in SA conditions
– Values: active components have not usually been considered to mitigate
  post-CD scenarios (several exceptions are found by means of backfitting
  designs).
– Practices: Large uncertainties currently outweigh the possibility of moving
  from guidelines to procedures (improvements are expected from
  research).

After the Fukushima event, several steps have been taken towards
filling this gap.
DiD barriers beyond CD

Preventive measures in SA conditions
– Values:
  • Only variations on the two classical L2 PRA figures-of-merit are tracked.
  • Only related with backfitting designs.
– Practices: None (some exception is found in the Maintenance Rule).

The key point is that even if corrective actions are going to be
taken, both by means of new SA mitigating systems and by
improving the SAMGs, a gap regarding preventive actions looking
at the RC (last FE in the NPP site) will still be an issue.
LERF / LRF as an issue

Preventive measures could be tackled just by giving the role currently
occupied by the CDF to some of the usual SA (PRA) measures.

This way, SSCs would receive an attention proportional to their
contribution to the final risk.

Then risk will be redefined in terms of the (total) RCF instead of CDF.

Currently, risk is conceived as CDF * consequences.

The problem is that consequences can be very low in many situations
where CD has been considered, either because of conservative
assumptions in the PRA model or because damage has been arrested.
LERF / LRF as an issue

In order to pin down LERF, the main category stated in NRC R.G. 1.174,
the Spanish NRC and the NPP utilities have come together in an
agreement that adequately specifies this release category.
R.G. 1.174 says that
This qualitative statement is converted to
numbers considering a 3% volatile threshold.

This qualitative statement is converted to
numbers considering a 12-hour period.

LRF is defined as LERF but at 24 hours.
LERF / LRF as an issue

LERF / LRF shortcomings (1/3):
– Very low frequency scenarios: the associated risk value is unlikely to
  be the highest one... bear in mind that when considering SA, a low
  consequence always means a high consequence, thus the second term of
  the risk equation should not be the most advisable way to identify the
  highest risk sequences.
– Many of these scenarios are unreasonable considering the current
  SOA of containment phenomena and IPE analysis, thus in the near future
  most of them could be neglected.
– Regulation: very low values; in most cases, nothing must be done
  once L2 PRA has been submitted.
– L2 PRA has been conceived as a back-end analysis, i.e., it only
  focuses on containment SSCs.
LERF / LRF as an issue

LERF / LRF shortcomings (2/3):
– Biased!
  • Same design philosophy as DBA: the worst scenario must be addressed
    (LBLOCA was discovered not to be the issue).
  • But the worst case could have a negligible probability (first term of the risk
    concept): like SBLOCA, Reactor & Turbine Trip, SBO, etc., other less severe
    scenarios have a much higher frequency, and therefore they should be
    addressed first (in many PRA models all LBLOCA sequences are
    truncated).
  • The conclusion is that a switch in SA analysis is needed, just like the one
    undergone for accidents concerned with CD after PRA outcomes started to
    be accounted for: risk should be a frequency-driven concept.
LERF / LRF as an issue

LERF / LRF shortcomings (3/3):
– Timing vs Actions:
  • Sequences falling under LERF/LRF figures-of-merit are usually the result of
    the contribution of a few terms (the Boolean equation representing containment
    failure means the failure of just a small set of actions): this could be seen in
    terms of the number of DiD barriers that are present in each sequence.
  • These contributions do not usually depend on human or mechanical actions
    (considering that Level 2 is a back-end analysis).
  • Therefore, the faster a sequence evolves, the less can be done, regarding
    both recovery actions and human actions.
LERF / LRF as an issue

The key points are the following:
• LERF is not the best tool to track the highest risk sequences related to
  NPP accidents.
• Currently, the regulator (and therefore the utility) would probably skip the
  most useful information about how to deal with SA.
• LERF/LRF should be replaced by RCF: frequency should be the point,
  not consequence (as this is almost an inelastic term within the field of
  SA).
New metrics for tracking SA in preventive actions

Taking up the two issues mentioned above, a risk measure index is
generated by extending the Fussell-Vesely measure factor to the SA
scenarios, by means of weighting their contribution from CD to RC:
$$FV(i) = \frac{\sum_{j} f\big(MCS_j^{*}(BE_i;\, PDS_j)\big) \cdot \sum_{l} f_c\big(RC_l(PDS_j)\big)}{STF}$$
Conclusions (1/2)

A concern has been raised about the underlying basis of the DiD
barriers.

DiD barriers usually rely on arguments related to preventing Core
Damage by means of either deterministic assumptions or CDF.

Even if SA mitigating systems are going to be taken into consideration,
a gap related to preventive actions looking at SA will still be an issue.
Conclusions (2/2)

Typical L2 PRA figures-of-merit have several shortcomings that make
them unsuitable for implementation in SA preventive actions.
The point is to use a frequency-driven parameter (such as the total RCF).

A new metric based on an extension of the F-V index has been
proposed, making it possible to identify the main contributors to risk
from the very beginning to the very end of the accident (thereby
performing a front-end analysis).