Extensive use of an Event Tree model to define
the reference accident sequences for ITER plant
R. Caporali (a), T. Pinna (b) and N.P. Taylor (c)
(a) ANPA, Via Vitaliano Brancati 48, 00144 Roma, Italy
(b) ENEA CRE Frascati, Via E. Fermi 27 - 00044 Frascati, Rome, Italy
(c) ITER Joint Central Team, 11025 North Torrey Pines Rd., La Jolla, CA 92037
Abstract
To demonstrate compliance with the safety requirements fixed for the International
Thermonuclear Experimental Reactor (ITER) an exhaustive set of reference
accident sequences had to be defined. After a comprehensive identification of
Potential Initiating Events (PIEs), each one grouping many accident initiators, an
Event Tree model has been developed to define the overall set of possible accident
sequences. Each accident sequence has been classified in a so called “sequence
family” on the basis of similarity of systems, overall plant response and expected
consequences in terms of radioactive releases and release modalities. The ET
model quantification allowed for a first categorization of the accident sequences in
frequency classes. For each sequence family the list of high level (system or
function) Minimum Cut Sets (MCS), corresponding to the concurrent sequences,
has been investigated so that it has been possible to assign a representative
sequence to each family. The relevant representative sequences have been pointed
out as reference accident sequences. Accidents related to the Primary Heat Transfer
Systems (PHTS) have been chosen to illustrate the methodology.
1. Introduction
An essential part of the Engineering Design Activities (EDA) for ITER is the
assurance that the design meets strict safety criteria. In order to demonstrate
compliance with the safety requirements an exhaustive set of reference accident
sequences had to be defined. Transient analyses performed for such sequences will
assure that the overall range of possible plant damages has been assessed against
targets for releases and other criteria. Due to the unavailability of consistent
operational experience for fusion plants, systematic techniques such as Failure Mode and
Effects Analyses, both at functional level (FFMEA) [1], and at component level
(FMEA) [2], have been used to provide a comprehensive identification of
Postulated Initiating Events (PIEs), each one grouping many accident initiators.
This paper describes how the PIEs have been developed in accident sequences
through an Event Tree model and how the reference accident sequences have been
defined. Accidents related to ITER Primary Heat Transfer Systems (PHTS) are
treated to illustrate the methodology.
2. Methodology
A first screening of the PIEs pruned out the initiators with a very low
probability of occurrence and low radiological consequences. For the
remaining PIEs an Event Tree (ET) analysis has been performed to systematically
define the possible accident sequences [3].
Every ET branch ending in a plant status characterized by unconfined release
conditions is a sequence of interest (accident sequence). To each one of them a
given consequence class (or sequence family or plant status) has been assigned,
characterized by the mobilized inventory and failed confinement barriers.
Sequence families include sequences coming from different ETs.
The ET model defines the complete set of sequence families, i.e. all the
possible faulted conditions of the plant implying outside release. Quantitative
evaluation of the ET model by sequence family yields the full set of concurring
sequences as a list of Minimal Cut Sets (MCSs), each sequence being an MCS,
together with the total expected frequency of the family. The combination of all
these data helps in defining the safety-relevant sequence families. For each
family, the representative sequences on which the transient analyses have to
focus are identified, taking into account frequencies, barriers and mitigating
features involved in the accidents, radioactive inventories of mobilized and
released products, and energy inventories.
In this way the radiological consequences belonging to the worst sequence of the
family will be considered applicable to the overall family. By coupling such
consequences with the overall frequency of the sequence family, it is
straightforward to judge if safety limits are met.
3. Event Tree Development
A large number of ETs have been developed, since it was difficult to judge a
priori the possible evolution of the selected PIEs in order to make a further
grouping.
The ET headings include both success or failure of mitigating features and
occurrence or non-occurrence of phenomenological events, such as integrity of
Plasma Facing Components (PFCs) with violent plasma shutdown, H2 detonation
and so on. All the events appear in the ET picture as ET headings (see Figure 1).
This is usual for a level 2 PSA (for a fission reactor, for instance, phenomena such
as steam explosion and similar are taken into account). In this case it follows
both from the nature of the ITER plant itself, whose safety is based mainly on
confinement barriers more than on mitigating features, and from the objective of
the study, which also requires the modalities of release to be defined.
The outcome of the sequences leading to no releases or confined releases has been
classified as “OK”. The accident sequences with radiological impact on the
outside have been classified in the above mentioned sequence families (or class of
consequences or plant status). An identifier has been given to each sequence
family.
Data used for the ET probabilistic analysis have been:
♦ for the PIE frequencies, those evaluated by the FMEA studies performed
in detail at component level
♦ for mitigating features (generally treated as basic events), the probability of
failure refers to the failure of the relevant components performing the
function
♦ for the headings referring to the occurrence of physical phenomena, such as
H2 explosion or confinement failure, a screening probability has been used
based on engineering judgement of the circumstances, as usual with Level 2
PSAs
A more refined analysis could be performed through Fault Tree (FT) analysis for
the major part of the systems performing accident mitigation, but it was not
considered strictly necessary at this level of the safety assessment.
As usual, each ET drawn for the set of PIEs has been described from the general
point of view of the accident evolution, to give an exact overview of the events
involved in the sequences. The ET headings have also been discussed, even if not
at system FT analysis level. The following paragraph reports a condensed
description of the ET for FF1 PIE, “Loss of flow in a First Wall (FW) cooling
circuit because of pump seizure”, which is shown in Figure 1.
3.1 Loss of flow in a FW cooling circuit because of pump seizure
The initiator concerns an immediate stop of cooling water flow in a FW loop. The
first concern is a timely plasma shutdown, which is necessary to avoid melting of
the FW within the Vacuum Vessel (VV). Given plasma shutdown success,
challenges to the FW could come also from the thermal-mechanical loads due to
the shutdown itself, which has to be a controlled fast plasma disruption, or could
come from circuit pressurization. In any case, after a FW failure within the VV,
there could be the impairment of the VV boundary integrity, which will generate a
bypass towards a generic bypass room or the cryostat. A bypass to the cryostat will
imply a loss of magnet superconductivity, so that the extraction of the magnetic
energy from the cryostat through the energy damping system is required to avoid
challenge to the cryostat structures.
Failure to shut down the plasma will include, in the course of the possible
challenges to the confinement barriers, also the possibility of an H2 explosion,
because in this case the water entering the VV will meet the FW material at
melting temperature, which will generate a diverging Be-water reaction.
4. Results from Event Tree model
A set of relevant sequences in terms of expected frequencies and radioactive
releases has been pointed out for each PIE through the sequence level ET model
quantification. Through the sequence family level quantification, the most
representative sequence of each sequence family has also been selected, taking into
account the list of MCSs, which are ranked in each family.
The results by sequences appear within the related ET picture (see Figure 1); the
results by sequence families are summarized in tables such as the sample reported in
Table 1.
For the ET related to the FF1 PIE drawn in Figure 1 it is clear that all the
sequences generating radioactive release result in low frequency values. At any
rate, the non-negligible sequences from a safety point of view are those labeled 4,
10, 12, 13, 25, 32 and 33. The radioactive releases due to these sequences,
respectively, are:
♦ For n° 4 and 25, VV dusts and T, and activated corrosion products (ACPs)
contained in one PFC cooling loop released to outside of the cryostat because
of normal leakage.
♦ For n° 10 and 32, the same products as the previous ones through leakages
from rooms surrounding the cryostat.
♦ For n° 33, the same products as those for sequences n° 4 and 25 released to
outside the containment through a breach of a room surrounding the cryostat.
♦ For n° 12 and 13, ACPs contained in one PFCs cooling loop released to
outside the heat transfer vault. For the former through normal leakage while
for the latter through vault breach.
4.1 Sequence families and reference accident sequences
As said above, the overall set of sequence families will encompass all the possible
modalities of outside release from the plant. A high number of them have been
defined because of the distributed nature of the hazard within the plant.
As a consequence, the set of representative sequences chosen for each sequence
family will assure exhaustiveness of the safety evaluation.
To easily select the most representative sequence of each family, tables like Table 1
have been used. These tables summarize, by MCS, all the
sequences grouped in a family. Looking at frequencies and related percentage
weight of the sequences in the total frequency assigned to the family, and looking
at the energy and radioactive inventories involved in each sequence grouped in the
family, the most representative sequences have been pointed out. For instance, for
the sequence family VV1-B1 “VV dusts and T, and ACPs contained in one PFCs
cooling loop released to building around cryostat through normal leakage”, all the
sequences come from LOFA accidents in PFCs cooling loops. They are more
precisely those developing as in-VV LOCA because of failure to shut down the
plasma or failure to depressurize the loop followed by rupture of a VV penetration
towards a cryostat surrounding room. All the sequences terminate with failure of
the detritiation system. Releases are towards the annular part of the building
surrounding the cryostat, and then to outside through normal leakage (one pit
volume per day).
The representative sequence to be evaluated by deterministic analysis, which
includes consequences related to the overall set of sequences grouped in the
family, judged by energy, water and radioactive inventories, is the sequence
labeled with n° 14 in the list of Table 1. It comes from a FW cooling loop pump
seizure, with failure of plasma shutdown, because this initiator is the one that
maximizes the mass and energy of the incoming coolant.
Of course not all of the representative sequences have been studied through
deterministic transient analyses, but only the ones challenging the fulfillment of the
safety objectives, i.e. to meet the appointed limits for consequence-expected
frequency: those selected for the analyses represent, properly speaking, the
reference accident sequences.
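The family-level bookkeeping described in Sections 2 and 4.1, as an added Python example (not code from the paper): it groups sequences into families, reproduces the total frequency and percentage weights of Table 1, picks the representative sequence by worst consequence rather than by frequency, and checks it against a frequency class limit. Frequencies and event codes are taken from Table 1 and Figure 1; the release indices and the LIMITS table are constructed placeholders, not ITER data.

```python
from collections import defaultdict

# (family, MCS events, frequency, release index)
# VV1-B1: events and frequencies from Table 1. VV1-C1: sequences 4, 6, 25, 27
# of the FF1 event tree (Figure 1), i.e. only the FF1 contribution to that family.
# Release indices and LIMITS are CONSTRUCTED placeholders, not ITER data. The
# "PSD FF1" cut set gets the largest index because the paper names pump seizure
# with failed plasma shutdown as maximizing incoming coolant mass and energy.
SEQUENCES = [
    ("VV1-B1", "DD GBR IVV2 LFV2",   8.5e-08, 0.2),
    ("VV1-B1", "DD GBR IVV LDV1",    4.0e-08, 0.4),
    ("VV1-B1", "DD GBR IVV LFV1",    1.3e-08, 0.5),
    ("VV1-B1", "PZR DD GBR IVV FF2", 5.3e-10, 0.6),
    ("VV1-B1", "DD GBR IVV PSD FF2", 4.1e-10, 0.8),
    ("VV1-B1", "PZR DD GBR IVV FD2", 2.3e-10, 0.5),
    ("VV1-B1", "DD GBR IVV PSD FD2", 1.8e-10, 0.7),
    ("VV1-B1", "PZR DD GBR IVV FF1", 5.1e-11, 0.7),
    ("VV1-B1", "DD GBR IVV PSD FF1", 3.9e-11, 1.0),
    ("VV1-C1", "FF1 seq. 4",  5.0e-11, 0.3),
    ("VV1-C1", "FF1 seq. 6",  4.5e-14, 0.3),
    ("VV1-C1", "FF1 seq. 25", 3.9e-11, 0.6),
    ("VV1-C1", "FF1 seq. 27", 3.5e-14, 0.6),
]

# Constructed frequency classes: (lower frequency bound, max allowed release index)
LIMITS = [(1e-2, 0.01), (1e-4, 0.1), (1e-6, 1.0), (0.0, 10.0)]

def summarize(sequences):
    """Per family: total frequency, ranked % weights, representative, verdict."""
    families = defaultdict(list)
    for family, events, freq, release in sequences:
        families[family].append((events, freq, release))
    report = {}
    for family, rows in families.items():
        total = sum(freq for _, freq, _ in rows)
        ranked = sorted(rows, key=lambda r: r[1], reverse=True)
        weights = [(ev, round(100 * f / total, 2)) for ev, f, _ in ranked]
        # Representative = worst consequence in the family, not highest frequency
        rep = max(rows, key=lambda r: r[2])
        allowed = next(lim for bound, lim in LIMITS if total >= bound)
        report[family] = {"total": total, "weights": weights,
                          "representative": rep[0], "worst_release": rep[2],
                          "meets_limit": rep[2] <= allowed}
    return report

if __name__ == "__main__":
    for fam, r in summarize(SEQUENCES).items():
        print(fam, f"{r['total']:.1e}", r["representative"], r["meets_limit"])
        for ev, pct in r["weights"]:
            print(f"  {pct:6.2f}%  {ev}")
```

The worst-case release is paired with the summed family frequency, which is the conservatism the paper describes: the least frequent cut set can still set the consequence for the whole family.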
5. Conclusions
This study allows for the definition of an exhaustive set of accident sequences that
can result from the initiators related to plant systems and for their grouping within
sequence families, with the consequent definition of reference accident sequences
to be deterministically studied in the course of a licensing process. Such a definition
is absolutely needed to limit the safety accident analyses to a reasonable set. In
fact, it is possible to limit such deterministic analyses to the representative
sequence of each family and, also, to eliminate some of the sequence families in
further studies on the basis of the related impact on the plant in terms of
frequency-consequences. In the meantime the process will keep track of the sequences which
have been screened out. This will allow for a close monitoring of the safety
assessment process.
It will also be possible to include other sequences in the deterministic analysis
if different safety criteria are imposed, such as “no evacuation for every
credible accident”.
It is important to underline that the representative sequence of a sequence family is
chosen in a conservative way in order to maximize the accident consequences.
Such consequence maximization introduces a large conservatism in evaluating the
acceptability of the sequence family in terms of frequency-consequences.
The study performed for ITER HTSs has demonstrated that the already performed
accident analyses treat a comprehensive range of event sequences, and give
confidence that the ITER engineering design will achieve its safety targets.
References
1. Caporali R, Ciattaglia S, Cambi G, Pinna T: “ITER plant functional breakdown,
FFMEA, IE identification, qualitative ET and preliminary list of accident
sequences” ENEA FUS TECN S&E 27/94, Dec. 1994.
2. Pinna T, Caporali R, Cambi G, Burgazzi L: “Failure Mode and Effect Analysis
for ITER Heat Transfer Systems” ENEA FUS TECN S&E 30/96, Sep. 1996.
3. Caporali R, Pinna T: “Reference Accident Sequences Identification for ITER
Primary Heat Transfer Systems” ENEA FUS-TN-SIC 19/97, Dec. 1997.
Table 1 – VV1-B1 sequence family by MCS events. Total frequency 1.4E-7

N°  Frequency  %      Minimal Cut Set Events
1   8.5E-08    60.96  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV2  VV boundary integrity in slow transients
                      LFV2  FW small LOCA inside VV
2   4.0E-08    28.69  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      LDV1  Divertor LOCA inside VV
3   1.3E-08     9.32  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      LFV1  FW LOCA inside VV
4   5.3E-10     0.38  PZR   Pressure relief at pressurizer
                      DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      FF2   FW cooling circuit main pump trip
5   4.1E-10     0.29  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      PSD   Fault on timely shutdown the plasma
                      FF2   FW cooling circuit main pump trip
6   2.3E-10     0.16  PZR   Pressure relief at pressurizer
                      DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      FD2   Divertor cooling circuit main pump trip
7   1.8E-10     0.13  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      PSD   Fault on timely shutdown the plasma
                      FD2   Divertor cooling circuit main pump trip
8   5.1E-11     0.04  PZR   Pressure relief at pressurizer
                      DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      FF1   FW cooling circuit main pump seizure
9   3.9E-11     0.03  DD    Fault on liquid drainage and gas detritiation
                      GBR   Integrity of penetration towards generic bypass room
                      IVV   VV boundary integrity
                      PSD   Fault on timely shutdown the plasma
                      FF1   FW cooling circuit main pump seizure
Figure 1 – ET for FF1 (Loss of flow in a FW loop due to pump seizure) PIE

ET headings:
FF1  FW loop main pump seizure
PSD  Timely plasma shutdown
IOL  Integrity of other cooling loops
PZR  Pressure relief at pressurizer
OVL  Integrity of loop in out-VV part
IVV  VV boundary integrity
GBR  Penetration to generic bypass room
IUV  Integrity of upper vault
ED   Energy dumping
ICV  Cryostat integrity
H2D  No H2 detonation
DD   Drainage and gas detritiation

Sequence results:
n°  Freq.    Cons.
1   2.6E-02  OK
2   1.0E-05  OK
3   5.0E-09  OK
4   5.0E-11  VV1-C1
5   4.5E-12  OK
6   4.5E-14  VV1-C1
7   5.0E-13  OK
8   5.0E-15  VV1-B1
9   5.0E-09  OK
10  5.0E-11  VV1-B1
11  1.0E-07  OK
12  1.0E-09  VL1-V1
13  1.0E-10  VL1-V2
14  2.6E-08  OK
15  1.3E-11  OK
16  1.3E-13  VV2-C1
17  1.2E-14  OK
18  1.2E-16  VV2-C1
19  1.3E-15  OK
20  1.3E-17  VV2-B1
21  1.3E-11  OK
22  1.3E-13  VV2-B1
23  7.8E-06  OK
24  3.9E-09  OK
25  3.9E-11  VV1-C1
26  3.5E-12  OK
27  3.5E-14  VV1-C1
28  3.8E-13  OK
29  3.9E-15  VV1-B1
30  3.9E-15  VV1-B2
31  3.8E-09  OK
32  3.9E-11  VV1-B1
33  3.9E-11  VV1-B2