
Probabilistic Safety Assessment in the Chemical and Nuclear Industries || Assembling and Interpreting the PSA



Chapter 10

Assembling and Interpreting the PSA

10.1 Putting It Together

At this point, following the chapters, the objectives have been defined, the effects of government regulations and standards are known, accidents have been identified and analyzed by various methods to determine the probability of an accident, and the accident consequences have been calculated. These parts must be assembled to present the risk and the analysis of the risk according to its various contributors.

10.1.1 Integrated and Special PSAs

The scope and complexity of a PSA depend on its purpose. Large, expensive PSAs of a whole plant or group of plants (e.g., Canvey Island, Indian Point 2) are designated as integrated, meaning that the objective is the assessment of the overall accident risk* of a complex process. Integrated PSAs may be done to determine the financial exposure of a process as it is presently being conducted, or they may be in response to regulatory pressure. A special PSA is an accident risk analysis that is limited to a component, system, group of systems or a type of problem (e.g., DB-50 contactors, chlorine rail-loading facility, stress corrosion cracking, thermal shock, etc.). We will address the problem of assembling an integrated PSA with the understanding that a special PSA is a subset of this and that steps not needed for a smaller analysis may be excluded.

10.1.2 Assembling the PSA

The assembly process (Figure 10-1) brings together all of the assessment tasks to provide the risk, its significance, how it was found, its sensitivity to uncertainties, confidence limits, and how it may be reduced by system improvements. Not all PSAs use fault trees and event trees. This is especially true of chemical PSAs, which may rely on HAZOP or FMEA/FMECAs. Nevertheless, the objectives are the same: accident identification, analysis and evaluation. Figure 10-1 assumes fault tree and event tree techniques; where other methods are used, the equivalent steps should be substituted.

* There is little point in calculating the routine risk of an operating plant because it can be measured; however, there is good reason to calculate the routine risk of a plant before it is constructed or before restarting after major modifications, to determine if the risk is tolerable.

375


Fig. 10-1 PSA Assembly Process (flow chart; only the box labels survive this extraction, read down each column). Fault tree analysis column: operation and function analysis and review; systems and interface interrelationships; failure definition and selection of top events (A); fault tree construction; fault tree reduction; fault tree quantification; dependent failures and external events; identification of common cause contributors; identification of contributors needing detailed evaluation (to A). Event tree analysis column: initiator selection; system operations review; heading identification; functional and system interrelationships; event tree construction; accident sequence quantification; sequence category quantification; risk quantification. Accident analysis column: containment failure modes; containment analysis; containment event tree; degraded core analysis; radionuclide release and transport; key sequence release category definition; source term evaluation; health and economic effects; environmental analysis; demographic characteristics; transportation evaluation.

Event Tree Development delineates the various accident sequences. This activity includes an identification of initiating events and the systems that respond to each initiating event. Systems that serve to mitigate, but do not contribute to the prevention of a core melt accident, may be excluded, depending upon the purposes of the PSA. Separate event trees are generally constructed for each initiating event or class of initiating events having a unique event tree structure. System Analysis consists of five subtasks: 1) Link system event tree sequences to a containment event tree, 2) Eliminate unnecessary combinations, 3) Group remaining sequences by release category, 4) Calculate sequence probabilities, and 5) Calculate release category frequencies. In the RSS method of PSA construction, a major task links the system event trees with the event trees for containment response. As illustrated in Figure 10-1, different end-points in the event tree may require different containment trees. It is also clear that the number of discrete sequences can become quite large when the containment failure modes are considered. This is treated in several ways. First, the end points in which the containment does not fail, or fails by containment by-pass through the basemat, are not considered further, because their offsite consequences are small compared with those of containment failure. Also, end points of low relative probability and low consequences may be grouped with similar low-risk end points. Finally, the sequences must be grouped into release categories to reduce the number of consequence calculations to a practical number.

Analysis of External Events uses the models developed in the plant system analysis with considerations for seismic, fire, flood, high winds and missiles on the plant. Additional event trees or their equivalent may be needed for the external events.

Source Terms and In-Plant Transport: the fraction of the inventory that reaches the environment must be estimated. Computer models are used to track the hazardous materials that are released from their process confinement, through transport and deposition inside the plant, to their release into the environment as a source term for atmospheric and aquatic dispersion.

Consequence Analysis: the effects of the hazardous materials in the plant on the workers, and of the dispersed hazardous materials on the public and environment, are assessed using computer models.

Uncertainty Analysis determines the effects on the overall results from uncertainties in the database, assumptions in modeling, and the completeness of the analysis. Sensitivity analyses determine the robustness of the results; importance calculations are useful for identifying and prioritizing plant improvements.
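The five System Analysis subtasks described at the start of this section, and the importance calculations mentioned under Uncertainty Analysis, can be carried out end to end on a small event tree. The following Python script is an added worked example and is not part of the book; the initiator (LOFW), the four headings (RT, AFW, FB, CHR), their unavailabilities, the release-category rule, the truncation cutoff and the independence of the headings are all constructed assumptions chosen for illustration.

```python
"""Added worked example (not from the book): sequence quantification for a small
event tree, grouping into release categories, truncation, and importance measures.
Every plant value here is constructed for illustration."""
from typing import Dict, List, Tuple

INITIATOR_NAME, INITIATOR_FREQ = "LOFW", 1.0e-1  # loss of feedwater, per year (constructed)
HEADINGS = ["RT", "AFW", "FB", "CHR"]  # reactor trip, auxiliary feedwater,
                                       # feed-and-bleed, containment heat removal
UNAVAILABILITY = {"RT": 1e-5, "AFW": 2e-3, "FB": 5e-2, "CHR": 5e-3}  # per demand (constructed)
CORE_DAMAGE = {"RC1", "RC2", "RC3"}  # release categories that imply core damage
TRUNCATION = 1e-8                    # per year

Sequence = Tuple[str, float, str]    # (label, frequency per year, release category)


def heading_applies(heading: str, failed: Dict[str, bool]) -> bool:
    """Subtask 2 (eliminate unnecessary combinations): a heading is questioned only
    when earlier outcomes make it relevant, so irrelevant branches never appear."""
    if heading == "AFW":
        return not failed["RT"]                          # failure to trip is its own path
    if heading == "FB":
        return not failed["RT"] and failed["AFW"]        # feed-and-bleed only needed without AFW
    if heading == "CHR":
        return failed["RT"] or failed.get("FB", False)   # only matters once the core is damaged
    return True


def release_category(failed: Dict[str, bool]) -> str:
    """Subtask 3: map a completed sequence onto a release category (constructed rule)."""
    if failed["RT"]:
        return "RC1" if failed["CHR"] else "RC2"         # ATWS; early large release if CHR fails
    if failed.get("FB", False):
        return "RC2" if failed["CHR"] else "RC3"         # core damage with containment intact
    return "OK"                                          # no core damage: not analysed further


def enumerate_sequences(unavail: Dict[str, float] = UNAVAILABILITY) -> List[Sequence]:
    """Subtask 4: walk the tree depth-first; a sequence's frequency is the initiator
    frequency times the product of its branch probabilities (independence assumed)."""
    sequences: List[Sequence] = []

    def walk(index: int, failed: Dict[str, bool], prob: float) -> None:
        if index == len(HEADINGS):
            label = "-".join([INITIATOR_NAME] + [h for h in HEADINGS if failed.get(h)])
            sequences.append((label, INITIATOR_FREQ * prob, release_category(failed)))
            return
        heading = HEADINGS[index]
        if not heading_applies(heading, failed):
            walk(index + 1, failed, prob)
            return
        q = unavail[heading]
        walk(index + 1, {**failed, heading: False}, prob * (1.0 - q))  # success branch
        walk(index + 1, {**failed, heading: True}, prob * q)           # failure branch

    walk(0, {}, 1.0)
    return sequences


def truncate(sequences: List[Sequence], cutoff: float = TRUNCATION,
             protect: Tuple[str, ...] = ("RC1",)) -> Tuple[List[Sequence], List[Sequence]]:
    """Drop sequences below the frequency cutoff unless their category is protected.
    Frequency-only truncation can silently discard the highest-consequence category."""
    kept = [s for s in sequences if s[1] >= cutoff or s[2] in protect]
    dropped = [s for s in sequences if s not in kept]
    return kept, dropped


def release_category_frequencies(sequences: List[Sequence]) -> Dict[str, float]:
    """Subtask 5: sum the sequence frequencies within each release category."""
    totals: Dict[str, float] = {}
    for _, freq, cat in sequences:
        totals[cat] = totals.get(cat, 0.0) + freq
    return totals


def core_damage_frequency(unavail: Dict[str, float] = UNAVAILABILITY) -> float:
    """Total frequency of sequences that end in a core-damage release category."""
    return sum(f for _, f, cat in enumerate_sequences(unavail) if cat in CORE_DAMAGE)


def importance(unavail: Dict[str, float] = UNAVAILABILITY) -> Dict[str, Dict[str, float]]:
    """Risk achievement worth (system assumed failed) and Fussell-Vesely importance
    (share of core damage frequency involving the system) for each heading."""
    base = core_damage_frequency(unavail)
    return {h: {"RAW": core_damage_frequency({**unavail, h: 1.0}) / base,
                "FV": (base - core_damage_frequency({**unavail, h: 0.0})) / base}
            for h in HEADINGS}


if __name__ == "__main__":
    seqs = enumerate_sequences()
    for label, freq, cat in seqs:
        print(f"{label:18s} {freq:9.3e}/y  {cat}")
    _, dropped = truncate(seqs, protect=())
    print("dropped by frequency-only truncation:", [s[0] for s in dropped])
    print("release category frequencies:", release_category_frequencies(truncate(seqs)[0]))
    print(f"core damage frequency: {core_damage_frequency():.3e}/y")
    for h, m in importance().items():
        print(f"{h:4s} RAW={m['RAW']:8.1f}  FV={m['FV']:.3f}")
```

Two points the numbers make visible. Frequency-only truncation drops the LOFW-RT-CHR sequence, which is the only contributor to RC1, the most severe category; protecting high-consequence categories from the cutoff keeps it, which is why the text speaks of grouping end points of low probability and low consequence rather than by frequency alone. Second, CHR has a risk achievement worth of 1 and a Fussell-Vesely importance of 0 with respect to core damage frequency even though it decides the release category, so importance measures must be computed against the risk measure actually being used to prioritize improvements.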

Assembling this material is a large data management task to assure the availability and traceability of all needed information with the output of one task fitting the input of another. This requires that quality assurance has been adhered to throughout the PSA project.

10.2 Insights and Criticisms

Whether constructing a new PSA, or modifying or using an old one, it is worthwhile to ask what has been learned from previous works and what criticisms have been leveled against them. Fortunately the insights were largely supplied by NUREG-1050, from which the bulk of the following information is taken. The criticisms cover some of the same ground presented in Chapter 1, except that, with the bulk of the PSAs completed, the criticisms are more relevant.


10.2.1 Insights from Past PSAs

• The estimated probability of accidents leading to a hazardous release is higher than thought before PSAs were applied. PSAs estimate that the frequency of reactor damage covers about two orders of magnitude: from about 1E-5/y to 1E-3/y. This variation is attributable to plant design, construction, and operation, to site characteristics, scope of the PSAs, and methods and analytical assumptions. Such comprehensive studies of comparable chemical process plants do not exist.

• For accidents to affect the public, containment and off-gas processing must fail, such as occurred at Bhopal and Chernobyl and did not occur at TMI-2.

• Plants meeting all applicable NRC regulatory requirements have been found to vary significantly in calculated risk and in terms of the key accident sequences.

• PSAs calculate that accidents more severe than those postulated in the design basis are the principal risk contributors. This indicates that safety designed with a specific goal is successful.

• Latent cancer is calculated to be the primary risk from a nuclear accident (this may be due to the conservatism in the low-dose models). At Chernobyl, most of the deaths were from fire and impact.

• Chemical process risk depends on the chemicals being processed. Experience shows that processing poisons poses the highest risk to public and workers. Most of the financial risk of a process accident is suffered by the plant, not by offsite property, although unemployment may be a major contributor to the financial loss.

• Demography has a large effect. At Bhopal, the surrounding population was dense, considering the hazardousness of the operation, and impeded emergency action.

10.2.2 Criticism of Past PSAs

This section reflects on the limitations of the PSA process and draws extensively from NUREG-1050. These subjects are discussed as plant modeling and evaluation, data, human errors, accident processes, containment, fission product transport, consequence analysis, external events, and a perspective on the meaning of risk.

10.2.2.1 Completeness

Nuclear PSAs tend to accept a set of initiators such as the WASH-1400 set or the EPRI set and proceed with little introspection as to the completeness of the set for a specific plant. A well-known omission is sabotage. In general, earthquake and fire are treated poorly; tornado is usually not addressed, nor are other aspects of adverse weather such as freezing and ice storms, which may have common cause potential. The record has not been too good. After the Browns Ferry fire, it was claimed that such a fire was addressed in WASH-1400; if so, attention was only brought to it after the fact. The TMI-2 sequence was not addressed in the PSAs to an extent that action was taken to prevent it.


10.2.2.2 Representativeness

Representativeness can be examined from two aspects: statistical and deterministic. Any statistical test of representativeness is lacking because many histories are needed for statistical significance. In the absence of this, PSAs use statistical methods to synthesize data to represent the equipment, operation, and maintenance. How well this represents the plant being modeled is not known. Deterministic representativeness can be answered by full-scale tests on like equipment. Such is the responsibility of the NSSS vendor, but for economic reasons, recourse to simplified and scaled models is often necessary. System success criteria for a PSA may be taken from the FSAR, which may have a conservative bias for licensing. Realism is more expensive than conservatism.

Certainly errors should be conservative, but cumulative conservatism reduces accuracy and usefulness while raising costs.

10.2.2.3 Data Adequacy

The nuclear equipment failure rate database has not changed markedly since the RSS, and chemical process data contain information for non-chemical process equipment in a more benign environment. Uncertainty in the database results from the statistical sample, heterogeneity, incompleteness, and unrepresentative environment, operation, and maintenance. Some PSAs use extensive studies of plant-specific data to augment the generic database by Bayesian methods and others do not. No standard guidance is available for when to use which, or for the improvement in accuracy that is achieved thereby. Improvements in the database and in the treatment of data require substantial industrial support, which is expensive.
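Augmenting a generic failure rate with plant-specific data by Bayesian methods, as mentioned above, is most often done with the conjugate gamma prior and Poisson likelihood, which makes the "when to use which" question quantitative. The following Python script is an added example and is not from the book; the generic median and error factor, the plant failure counts and the operating hours are constructed values, and converting a lognormal generic entry into a gamma prior by matching mean and variance is one common convention assumed here, not the only one.

```python
"""Added example (not from the book): updating a generic equipment failure rate with
plant-specific experience. Conjugate model: gamma prior on the rate, Poisson likelihood
for the number of failures in T operating hours. All values are constructed."""
import math
import random
from typing import Dict, Tuple


def gamma_prior_from_lognormal(median: float, error_factor: float) -> Tuple[float, float]:
    """Generic databases often quote a lognormal (median, error factor EF = 95th/50th
    percentile). Convert it to a gamma(alpha, rate beta) prior by matching mean and
    variance (moment matching; an assumed convention, one of several in use)."""
    sigma = math.log(error_factor) / 1.645          # 1.645 = standard normal 95th percentile
    mean = median * math.exp(sigma ** 2 / 2.0)
    variance = mean ** 2 * (math.exp(sigma ** 2) - 1.0)
    alpha = mean ** 2 / variance
    beta = alpha / mean                              # rate parameter, in hours
    return alpha, beta


def bayesian_update(alpha: float, beta: float, failures: int,
                    exposure_hours: float) -> Tuple[float, float]:
    """Posterior after observing n failures in T hours: gamma(alpha + n, beta + T)."""
    if failures < 0 or exposure_hours <= 0:
        raise ValueError("need a non-negative failure count and positive exposure")
    return alpha + failures, beta + exposure_hours


def plant_data_weight(beta: float, exposure_hours: float) -> float:
    """Share of the posterior mean that comes from plant data, T / (beta + T):
    near 0 the generic prior dominates, near 1 the plant record dominates."""
    return exposure_hours / (beta + exposure_hours)


def credible_interval(alpha: float, beta: float, samples: int = 20000,
                      seed: int = 1) -> Tuple[float, float]:
    """5th and 95th percentiles of gamma(alpha, beta) by Monte Carlo (stdlib only;
    random.gammavariate takes the scale 1/beta, not the rate)."""
    rng = random.Random(seed)
    draws = sorted(rng.gammavariate(alpha, 1.0 / beta) for _ in range(samples))
    return draws[int(0.05 * samples)], draws[int(0.95 * samples)]


def update_generic_rate(median: float, error_factor: float, failures: int,
                        exposure_hours: float) -> Dict[str, float]:
    """Run the whole update and return the quantities an analyst would tabulate."""
    a0, b0 = gamma_prior_from_lognormal(median, error_factor)
    a1, b1 = bayesian_update(a0, b0, failures, exposure_hours)
    p05, p95 = credible_interval(a1, b1)
    return {
        "prior_alpha": a0, "prior_beta": b0, "prior_mean": a0 / b0,
        "plant_mle": failures / exposure_hours,
        "post_alpha": a1, "post_beta": b1, "post_mean": a1 / b1,
        "post_p05": p05, "post_p95": p95,
        "plant_weight": plant_data_weight(b0, exposure_hours),
    }


if __name__ == "__main__":
    # Constructed generic entry: median 1E-5/h with error factor 3; two plant records.
    for n, hours in [(0, 2.0e4), (10, 2.0e6)]:
        r = update_generic_rate(1.0e-5, 3.0, n, hours)
        print(f"{n} failures in {hours:.0e} h: prior mean {r['prior_mean']:.2e}/h, "
              f"posterior mean {r['post_mean']:.2e}/h "
              f"[{r['post_p05']:.2e}, {r['post_p95']:.2e}], plant weight {r['plant_weight']:.2f}")
```

The plant_weight value answers the question the text leaves open: with 20,000 hours of plant experience and no failures the posterior mean stays within about 15 percent of the generic mean and the plant data carry about 12 percent of the weight, so the update buys little; with 10 failures in 2,000,000 hours the plant record carries over 90 percent of the weight and the posterior mean moves to within 10 percent of the plant's own 5E-6/h, with a much narrower 5th-to-95th percentile band.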

10.2.2.4 Human Errors

Human actions can initiate accident sequences or cause failures, or conversely rectify or mitigate an accident sequence once initiated. The current methodology lacks nuclear-plant-based data, an experience base for human factors probability density functions, and a knowledge of how this distribution changes under stress.

The analysis of human actions is complicated because a human is a responsive system like a servo. Such analysis does not lend itself to simple models as do inanimate components. Classifying human actions into the success or failure states used in logic models for plant equipment does not account for the wide range of possible human actions. A generally applicable model of the parameters that affect human performance is not yet available.

The uncertainties in human error rates may be within the stated uncertainty bounds, but such is not demonstrated from sparse experiments. Both the qualitative description of the human interaction logic and the quantitative assessment of those actions rely on the virtually untested judgment of experts.


10.2.2.5 Accident Analysis

Nuclear PSAs contain considerable uncertainty associated with the physical and chemical processes involved in core degradation, movement of the molten core in the reactor vessel, on the containment floor, and the response of the containment to the stresses placed upon it. The current models of these processes need refinement and validation. Because the geometry is greatly changed by small perturbations after degradation has commenced, it is not clear that the phenomena can be treated.

Full-scale core melt-water and core melt-concrete experiments are not feasible, but considerable progress has been made since the RSS in theoretical work, model development, and small-scale experiments using nonradioactive molten metal. There is increasing evidence that steam explosions in the reactor vessel and in the containment are incapable of failing the containment. There is still much to be done in characterizing the dispersal of the debris bed that may follow reactor vessel failure, the size of the corium particles formed, and the coolability of the resulting debris bed.

10.2.2.6 Containment Analysis

Chemical process plants do not have a large domed containment but rely on vessel integrity and offgas processing. Most nuclear plants have such containment for which the stresses may be calculated if a scenario is defined. However such calculations are uncertain regarding the time of failure, the hole size, and location.

Computer sensitivity studies show that hole size strongly affects the fraction of fission products released from the containment. The failure location determines mitigation due to release into another building in which condensation and particulate removal occur. The quantity released depends on the time at which the containment fails relative to reactor vessel failure. If containment integrity is maintained for several hours after core melt, then natural and engineered mechanisms (e.g., deposition, condensation, and filtration) can significantly reduce the quantity and radioactivity of the aerosols released to the atmosphere.

It has also been shown that heat radiation may heat and weaken the containment. The failure of penetration seals due to high temperature has been investigated, but full-scale containment failure tests have not been done.

10.2.2.7 Hazardous Material Transport Analysis

Chapters 8 and 9 presented computer codes that are available for calculating hazardous material release and transport. Many of these codes have been tested using controlled experiments, with varying agreement depending upon the code's applicability to the phenomena. In the author's opinion, the accuracy of the consequence calculation is not much better than that of the calculation of accident probabilities.


10.2.2.8 External Events


The methodology for assessment of external events is qualitatively satisfactory but not quantitatively. Little confidence should be placed in any estimates of the risk from external initiators compared to those from internal initiators. This is exacerbated by the fact that the external risk is the larger of the two in many cases.

10.2.2.9 Risk

The validity of the nuclear risk estimated by the Reactor Safety Study was questioned when the TMI-2 accident occurred. This showed a misunderstanding of the probabilistic nature of risk. A single event neither proves nor disproves a statistical result; it may, however, call into question the usefulness of risk as a safety measure.
