lable at ScienceDirect

Journal of Loss Prevention in the Process Industries 32 (2014) 52e62

Contents lists avai

Journal of Loss Prevention in the Process Industries

journal homepage: www.elsevier .com/locate/ j lp

Probabilistic safety assessment of multi-unit nuclear powerplant sites e An integrated approach

Varun Hassija a, C. Senthil Kumar b, *, K. Velusamy a

a Reactor Design Group, IGCAR, Kalpakkam, Tamil Nadu 603 102, Indiab AERB Safety Research Institute, Kalpakkam, Tamil Nadu 603 102, India

a r t i c l e i n f o

Article history:Received 4 April 2014Received in revised form30 July 2014Accepted 30 July 2014Available online 12 August 2014

Keywords:Multi-unit nuclear siteSite core damage frequencyMultiple core damageExternal hazardsShared systems

* Corresponding author.E-mail addresses: varunhassija@gmail.com (V. H

(C. Senthil Kumar), kvelu@igcar.gov.in (K. Velusamy).

http://dx.doi.org/10.1016/j.jlp.2014.07.0130950-4230/© 2014 Elsevier Ltd. All rights reserved.

a b s t r a c t

Multi-unit safety assessment has gained global importance after the Fukushima disaster in 2011. Most ofthe nuclear sites in the world have more than one reactor and hence it is important to evolve a meth-odology to systematically assess the safety of the multi-unit site. In this paper, unique features to beaddressed in multi-unit safety assessment are discussed and an integrated approach is developed toassess the risk contribution of multiple nuclear plants at the site. The paper highlights the importance ofrisks for multi-unit sites arising from shared system, common cause failures, failure correlations, cliff-edge effects, etc. from different hazards. Though the main emphasis on multi-unit safety is onexternal hazards, the proposed approach also includes risk from random internal events. The approachdeveloped not only quantifies the frequency of multiple core damage for a multi-unit site but alsoevaluates site core damage frequency which is the frequency of at least single core damage per site peryear.

© 2014 Elsevier Ltd. All rights reserved.

1. Introduction

The nuclear power generation involves several processes likeextraction of nuclear fuel, refinement, conversion, enrichment andfinally reprocess and waste treatment. Numerous hazards and risksare inherently involved in all these process and it is imperative toensure nuclear and radiological safety to the public andenvironment.

In many industries, quantitative risk analysis (QRA) is per-formed to estimate risk and improve the safety therein. Whenperformed systematically, it can provide a rational basis for evalu-ating process safety and comparing various improvement alterna-tives (Arendt & Lorenzo, 2000). Probabilistic Safety Assessment(PSA) which is similar to QRA is adopted in nuclear industry toestimate risk. The term ‘PSA’ and ‘QRA’ effectively mean the same(Hayns, 1999).

PSA is a systematic methodology and is a well-established toolfor safety analysis and risk assessment in nuclear industry. It iscomplementary to deterministic analysis and provides bothqualitative and quantitative assessment of the risks to enhancesafety. PSA is now mature and individual plant specific PSAs yield

assija), cskumar@igcar.gov.in

major insights to operators and regulators to improve safety of theplant. However, the focus of this paper is risk from multiple unitsof NPP located at a site. Simultaneous failures of systems andcomponents in multiple nuclear plants at a site were earlierconsidered as rare event in PSA but have now proved to be apotential threat and have gained regulatory attention in riskassessment of nuclear power plants (NPPs). Fukushima accidentshave revealed the necessity of multi-unit safety assessment andthe need to develop safety goals, procedures and guidelines toachieve and maintain the basic safety goal to protect public andenvironment. To estimate risk for a multi-unit site, accident like-lihood is to be measured in ‘events per site per year’ instead of‘events per reactor year’. To do this, it is necessary to includevarious inter-unit dependencies and develop an approach tocombine and obtain the overall site risk assessment. In this paper,such an integrated approach is developed to address the uniquefeatures for risk assessment of a multi-unit NPP site. The approachis realistic as it addresses all possible accident scenarios that canresult from different hazards and is demonstrated with typicalinitiating events. Finally, the approach developed quantifies therisk for a multi-unit NPP site and evaluates the risk metric, sitecore damage frequency (SCDF). SCDF is overall risk associated withthe site obtained by means of integrating the risk of core damagein more than one unit at the site. In other words, it is the fre-quency of at least single core damage per site per year.

Nomenclature

SCDF site core damage frequencyHi frequency of external hazard iDijk probability of initiating event j due to definite

external hazard i for unit kdiGjk probability of initiating event j for unit k due to the

impact of definite external hazard i on the sharedsystems group ‘G’

Cij probability of conditional external hazard i directlyaffecting unit j

Cijk probability of conditional external hazard i thatdirectly affects unit j also affects unit k

Aek conditional probability of initiating event e for thespecified/particular unit k due to the direct impactof corresponding conditional external hazard

CiG probability of conditional external hazard i affectingshared systems group ‘G’

pjGk conditional probability of initiating event j for unit kdue to the impact of corresponding conditionalexternal hazard on shared systems group ‘G’.Crn ¼ n!/r!(n � r)!

IEj frequency of internal initiating event jIEjG frequency of conditional internal initiating event j

for the shared systems group ‘G’PjGk probability of conditional internal initiating event j

affecting shared systems group ‘G’ also affects unitk.

IEjk frequency of internal independent event j for unit k

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e62 53

Though the approach developed in the paper is demonstratedfor nuclear power plants, the ideology of the approach can beextended to estimate risk for a site having multiple process orchemical industries. Suitable metric of interest like fatalitiesincurred, monetary loss, etc. can be adopted in such cases.

2. Importance of the problem

The Fukushima accident has highlighted that the magnitude ofnatural events can be higher than what is considered in design.During such events, the impact of simultaneous failures of safetysystems in multiple units at a site is catastrophic. It is thereforeprudent to make additional design provisions in order to ensurethat the basic safety functions for the NPPs are not impaired evenunder beyond design basis natural events (or extreme events). Toachieve this, a systematic methodology is needed to address theissue of multi-unit safety and determine safety margin/risk due tocliff-edge effects for extreme events. It should include the identi-fication of rare extreme events that could lead to common causefailures in multiple units at a site, analyze the consequences andevaluate the effects of interrelation between systems and humanactions (SNETP Fukushima Task Group, 2013). Recent studies(Ebisawa, Fujita, Iwabuchi, & Sugino, 2012; Fleming, 2005; IAEAReport GC (56)/INF/2, 2012; Muhlheim & Wood, 2007; Schroer &Modarres, 2013; Yang, 2012) have recommended ideas to dealwith different aspects of a multi-unit risk assessment throughprobabilistic approach. Probabilistic safety assessment (PSA) is apreferred approach as it provides a systematic framework and hasthe potential to provide a deeper understanding of the potentialrisk resulting from an NPP over wide range of conditions. USNRCendorsed an integrated risk analysis using PSA approach in 2005 toquantify the risk of all units on a reactor site (SECY-05-0130, 2005).The outcome of such integrated PSA helps in identification of those

structures, system and components (SSCs) that are inter-unitdependent and play a vital role in multi-unit safety.

3. Unique features in multi-unit safety assessment

Events affecting more than one unit at a time pose an uphill taskto the plant personnel during accidents. The event progression atone unit may affect the neighboring unit and the availability ofcommon shared resources which may include personnel, equip-ment, etc. Following are some of the unique challenges encoun-tered in multi-unit safety assessment and each of the topics needsto be addressed in detail during safety assessment and the subse-quent quantification process.

3.1. Mobility of crew during emergency

It is a general practice to have sharing of manpower at a multi-unit site to render mutual support in the event that a unit developsa problem. However, during an external event, due to situationssuch as high background radiation levels, inaccessibility, etc., it maynot be always possible to assume availability of crew. Hence, duringmulti-unit safety assessment availability of manpower needs to beaddressed appropriately.

3.2. External resources not available during emergency

As part of accident management plan, during emergency situ-ations, external resources can be brought to supplement or replacethe onsite resources such as electricity, water or equipment such aspumps or generators to mitigate severity of accidents. In case of anexternal hazard affecting the whole site and prolonging for longerdurations, it may not be possible to facilitate the access to addi-tional external resources.

3.3. Cliff edge effect

A cliff edge effect in a nuclear power plant is an instance ofseverely abnormal plant behavior caused by an abrupt transitionfrom one plant status to another following a small deviation in aplant parameter (IAEA Specific safety Guide no. SSG-2, 2009).Whileit is true for an individual unit and for internal events, it is moreimportant for some extreme events in which risk may growsignificantly with slight variations in the external event and henceit is imperative to evaluate the cliff edge margin for multi-unitsafety assessment. Therefore, identifying hazard related cliff edgefactors in a multi-unit site is equivalent to avoiding a major acci-dent. Sensitivity studies are required to be performed to identifycliff edge factors.

3.4. Mission time

Another important factor is the use of appropriate mission time.Several external hazards may require a longer mission time forvarious engineered safety systems to prevent the core damage.Hence mission time for the accident sequences should be decidedbased on the nature and severity of the hazard.

4. Concept of site CDF

Before introducing the concept of site core damage frequency,the term core damage needs to be defined. The use of the term“core damage” is subjective and several definitions that differconsiderably with the reactor technology are available (SECY-05-0130, 2005). The IAEA defines core damage for a light water reactoras exceeding the design basis limit of any of the fuel parameters

Table 1List of external hazards.

Definite external hazards Conditional external hazards

Earthquakes Aircraft crashTsunamis ExplosionsExternal floods LightningExternal fires Fouling or clogging in Intake tunnelHigh wind hazards like cyclones

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e6254

(IAEA Specific Safety Guide no. SSG-3, 2010). The NRC's SPARmodels define core damage as the uncovery and heat up of thereactor core to the point where “severe” fuel damage is anticipated(IAEA Report, 2011). The Indian Atomic Energy Regulatory Boarddefines core damage as the state of the reactor brought about by theaccident conditions with loss of core geometry or resulting incrossing of design basis limits or acceptance criteria limits for oneormore parameters: fuel clad strain, fuel clad temperature, primaryand secondary systems pressures, clad oxidation, amount of fuelfailure, radiation dose, etc. (Atomic Energy Regulatory Board,Technical report, 2005). For PHWR type reactor, core damage isdefined as loss of structural integrity of multiple fuel channels(OECD Technical Report NEA/CSNI/R(2009)16, 2009). Very precisedefinition of core damage such as local fuel temperature exceeding1204 �C, the limit for ECCS for light-water reactors are defined in 10CFR 50.46(1b) (Holmberg & Knochenhauer, 2010). Therefore, fornuclear power plants at a multi-unit site, the definition of coredamage will be as per the design and type (PWR/BWR/PHWR/etc)of the unit at the site.

At a multi-unit nuclear power plant site, there is a possibility ofsimultaneous occurrence of core damage formultiple units within ashort interval of time due to external hazards or internal events.Hence, the metric developed or used for multi-unit nuclear powerplant safety assessment should also account for all possible com-binations of multiple core damages, apart from considering singlecore damage. The concept of site core damage frequency (SCDF) isconsidered which accounts for both single core damage and mul-tiple combinations of core damages occurring at the site (Schroer&Modarres, 2013). It is defined as the sum of all possible single andmultiple combinations of core damage per site per year, withconsideration of various inter-unit dependencies.

5. Development of an integrated approach

An integrated approach is developed to address both externaland internal events that can affect a single/multiple units at a site.Each event is further classified into bins as the severities fromvarious events may differ significantly. For e.g. earthquakes for asite can be categorized into bins such as 0e0.1g, 0.1e0.2g, etc. forevaluation. For internal events, identification of various initiatingevents takes into account the severity. For e.g. LOCA is categorizedas small LOCA, medium LOCA and large LOCA. Techniques such asfailure modes effects analysis can be adopted to identify the po-tential failure modes for all the components under each category ofhazards/events.

This section describes the methodology or approach followed toevaluate SCDF.

5.1. Identification of external hazards for the site

External hazards are both natural and man-made which origi-nate outside the plant and create extreme environment conditionsat the site. They are always site-specific and design dependent. As afirst step for the multi-unit risk assessment, all possible site specificexternal hazards that can affect the multiple units of nuclear plantsite needs to be identified (Khan & Abbasi, 1998; Papazoglou,Nivolianitou, Aneziris, & Christou, 1992). These hazards could alsobe a result of correlated failures. However, during this process,those initiators that simply do not occur at a site or have a very lowprobability may be eliminated. The final list of external hazards iscategorized as either definite or conditional (Schroer & Modarres,2013; IAEA-TECDOC-1341, 2003; Zerger, Ramos, & Veira, 2013;Lowe & Garrick, Inc., 1983). The hazards that will always affectmultiple units are called definite hazards and those which onlyunder certain circumstances affect multiple units are called

conditional hazards. An illustrative list of both hazards is given inTable 1.

5.2. Identification of internal initiating events for the site

Internal events are abnormal conditions generated within theplant as a result of failure or faulty operation of plant componentthrough random failures, human errors, etc. The internal initiatingevents that have the potential to affect multiple units are calleddefinite internal initiating events. And those which only undercertain circumstances will affect multiple units are called condi-tional internal initiating events. An illustrative list of various in-ternal definite and conditional initiating events (Schroer &Modarres, 2013) that could affect multiple units is given in Table 2.

5.3. Identification of internal independent initiating events

Internal independent events are those events whose occurrenceand effect are limited to a single unit and will not extend to otherunits of the site e.g. Loss of coolant accidents, transients, etc.

5.4. Event tree/fault tree models

After the initiating events for external hazards and internalevents are identified and categorized, event tree/fault tree modelsare developed for each hazard category for further analysis (Saleh,Marais, & Favar�o, 2014; Tixier, Dusserre, Salvi, & Gaston, 2002). Thetotal core damage frequency of multi-unit site is obtained bysumming the frequencies of all possible single and multiple coredamage. The detailed evaluation method for each category is givenin Section 5.6.

5.5. Parameters/key issues

Schroer and Modarres (2013) have identified the key issueswhich need to be addressed while modeling event trees and faulttrees for a multi-unit site safety assessment. The issues are classi-fied as shared systems or connections, identical components, hu-man dependencies and proximity dependencies. The issuesaccount for dependencies between the units arising from sharedphysical links, similarity in the design, installation and operationalapproach for a component/system, same or related environment ofpositioning the systems and associated dependencies for varioushuman interactions. The approaches to account for such de-pendencies are described in the following section. Further, uniquefeatures as described in Section 3 of the paper, should also beconsidered for evaluation of multi-unit safety.

5.6. Safety assessment methodology/strategy

5.6.1. Quantification of CDF from the hazardThe quantification approach to account for the abovementioned

four key parameters is explained below:

Table 2List of internal initiating events.

Definite internal initiating events Conditional internal initiating events

Loss of offsite power Loss of emergency service waterLoss of ultimate heat sink Loss of feed water

Loss of DC busStation blackout (SBO)Turbine missileLoss of instrument air

Table 3Boolean expressions for CDF due to direct initiating events induced by definiteexternal hazard.

Unit 1 Unit 2 Unit 3 Unit 4

H1 (D111.BExp111) H1 (D112.BExp112) H1 (D113.BExp113) H1 (D114.BExp114)H1 (D121.BExp121) H1 (D122.BExp122) H1 (D123.BExp123) H1 (D124.BExp124)H1 (D131.BExp131) H1 (D132.BExp132)

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e62 55

5.6.2. Modeling of key parametersShared Connections or Systems: Modeling and evaluation for

shared systems is as follows:

� Single SSC shared between multiple units will be assigned thesame name in fault trees/event trees and will be treated as acommon component in all the respective units where it isshared. Thus, the shared component failure for one plant willautomatically be reflected in the evaluation of all the fault treesor event trees of the other unit having the component.

� Time sequential sharing and Standby system sharing: Suchtypes of sharing between the units can be modeled by assigningpreference of the system for a particular unit (Schroer &Modarres, 2013). The same SSC will not be modeled in the ETsand FTs of other units. Such modeling can be done by adoptingtechniques such as use of dynamic gates in fault trees.

Identical components: From the Boolean expression of all eventtrees of a particular hazard, identical components can be groupedfor common cause failures and Beta factor model can be used.

Human dependencies: DEPEND-HRAmethod developed by �Cepin(2008) for evaluation of human error probabilities can be extendedto model the dependencies associated with human actions be-tween multiple units. The method is fully capable to account andevaluate the dependency for both type of human actions pre-initiators and post initiators. It uses different parameters for de-pendency determination for pre-initiators and post-initiators asthe two are quite different scenarios.

Proximity dependencies: Similar treatment as that of identicalcomponents can be made here. SCDF of each hazard is evaluatedfrom the Boolean expression of all event trees of a particular hazardand components that share the same proximities can be groupedtogether for common cause failures with C factor model or Betafactor model.

5.6.3. Estimation of site CDFAs discussed earlier, SCDF accounts for both single and multiple

core damages occurring at the site. Hence for a multi-unit site it canbe expressed as.

SCDF¼Xn

i¼1

Frequencyof inumberof coredamagepersiteperyear

(1)

where n is the number of units at the site. The frequency of eachnumber of core damage will be evaluated considering all internaland external hazards with consideration of various inter-unitdependencies.

The proposed method for quantification is explained in thesubsequent sections, with a representative multi-unit sitewith fournuclear plants. Unit 1 & 2 are identical and share some systems/resources (e.g. switchyard, sea water pump house, instrument air,feed water) and unit 3 & 4 are identical and share some systems(e.g. switchyard, sea water pump house, DC bus). The shared

systems between unit 1 & 2 are denoted by ‘Group A’ and theshared systems between unit 3 & 4 are denoted by ‘Group B’.

Frequency of conditional initiating events is obtained based onlikelihood of the initiating event that can affect various units. Forexample, based on operating experience/engineering judgment, ifloss of instrument air for unit 1 has 40% chance of affecting unit 2for the same event, then conditional initiating event frequency forunit 2 is 0.4*(IE frequency). Similarly all conditional initiatingevents in case of external or internal hazards for the site can beaccounted.

5.6.4. Methodology for definite external hazardsIn case of a definite external hazard, firstly the hazard induced

initiating events are identified. Core damage expression for aninitiating event induced by definite external hazard is denoted asHi(Dijk.BExpijk), where Hi denotes frequency of (definite) externalhazard i, Dijk denotes the probability of initiating event j due todefinite external hazard i for unit k, BExpijk denotes the Booleanexpression for jth initiating event due to definite external hazard ifor unit k. For e.g., if we postulate three initiating events that affectunit 1 & 2 and two initiating events that affect unit 3 & 4, theBoolean expressions are as given in Table 3. In case of a definiteexternal hazard, initiating events for the units can also ariseindirectly i.e. due to failure of shared SSCs between the units. Thecore damage expression for a definite external hazard inducedindirect initiating event (due to failure of shared SSCs between theunits) is denoted as Hi(diGjk.BExpiGjk) where diGjk denotes theprobability of initiating event j for unit k due to the impact ofhazard i on the shared system group G. The Boolean expressionsobtained due to indirect initiating events are presented in Table 4with consideration of two such events for unit 1 & 2 and one forunit 3 & 4 (Fig. 1).

1. Four simultaneous core damage for the site can be obtained asthe sum of {Boolean expression (core damage of unit 1 by any ofits direct or indirect initiating events)*Boolean expression (coredamage of unit 2 by any of its direct or indirect initiating events)*Boolean expression (core damage of unit 3 by any of its direct orindirect initiating events)*Boolean expression (core damage ofunit 4 by any of its direct or indirect initiating events)}Total number of ways, four simultaneous core damages for thesite can occur ¼ C1

5 � C15 � C1

3 � C13 ¼ 225.

2. Three simultaneous core damage for the site is the sum of thefollowing four expressions:A. Sum of {Boolean expression(core damage of unit 1)*Boolean

expression (core damage of unit 2)*Boolean expression (coredamage of unit 3)}

Total number of such cases ¼ C1

5 � C15 � C1

3 ¼ 75B. Sum of {Boolean expression(core damage of unit 1)*Boolean

expression (core damage of unit 2)*Boolean expression (coredamage of unit 4)}Total number of such cases ¼ C1

5 � C15 � C1

3 ¼ 75C. Sum of {Boolean expression(core damage of unit 1)*Boolean

expression (core damage of unit 3)*Boolean expression (coredamage of unit 4)}

Table 4Boolean expressions for CDF due to indirect initiating events induced by definiteexternal hazard.

Unit 1 Unit 2 Unit 3 Unit 4

H1 (d1A11.BExp1A11) H1 (d1A12.BExp1A12) H1 (d1B11.BExp1B13) H1 (d1B12.BExp1B14)H1 (d1A21.BExp1A21) H1 (d1A22.BExp1A22)

Fig. 1. Schematic of definite external hazard for multi-unit site.

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e6256

Total number of such cases ¼ C15 � C1

3 � C13 ¼ 45

D. Sum of {Boolean expression(core damage of unit 2)* Booleanexpression (core damage of unit 3)*Boolean expression (coredamage of unit 4)}Total number of such cases ¼ C1

5 � C13 � C1

3 ¼ 45

Therefore, number of ways three simultaneous core damage forthe site can occur ¼ 2$(C15 � C1

5 � C13)þ2$(C15 � C1

3 � C13) ¼ 240

3. Similarly, number of two simultaneous core damage for thesite ¼ {(C15 � C1

5) þ 4$(C15 � C13) þ (C13 � C1

3)} ¼ 944. And number of single core damage for the

site ¼ C15 þ C1

5 þ C13 þ C1

3 ¼ 16.

After simplification of Boolean expression for the cases of single,double, triple and quadruple core damage and quantification of thehazard and SSC failures, we get the value of corresponding site coredamage frequency for a specific hazard. Repeating this process andsumming CDFs for all definite external hazards of varying intensity,SCDF of a multi-unit site due to definite external hazards isobtained.

Probability of multiple definite external hazards occurringsimultaneously is very low and hence it is not considered.

5.6.5. Methodology for conditional external hazardsIn this case also like the definite external hazards, each condi-

tional external hazard induced initiating events are identified and

Table 5Boolean expressions for CDF due to impact of conditional external hazard on each of the

Unit 1 Unit 2

H1 (C11.A11.BExp11) H1 (C112.A12.BExp112)H1 (C121.A11.BExp121) H1 (C12.A12.BExp12)

Hi denotes frequency of (conditional) external hazard i.

Table 6Boolean expressions for CDF due to impact of conditional external hazard on shared sys

Unit 1 Unit 2

H1 (c1A.p1A1.BExp1A1) H1 (c1A.p1A2.BExp1A2)H1 (c1A.p2A1.BExp1A1) H1 (c1A.p2A2.BExp1A2)

corresponding ET and FT for each of the twin units are modeledtogether. If Cij denotes the probability of a conditional externalhazard ‘i’ that directly affects unit j then Cijk denotes the probabilitythat it affects unit k (k ¼ 1, 2, 3, …, n and k s j) also. Then Aej

corresponds to conditional probability of initiating event e for thespecified/particular unit k due to a direct impact of conditionalexternal hazard. Also, ciG denotes the probability of conditionalexternal hazard i affecting shared systems group ‘G’ whereas peGjcorresponds to conditional probability of initiating event e for unit jdue to the indirect impact of corresponding conditional externalhazard on shared systems group ‘G’.

Case 1 & 2 below describe the analysis for single conditionalexternal hazard and two simultaneously occurring conditionalexternal hazards respectively, occurring at a site. Each conditionalexternal hazard that impacts a pair of units is assumed to cause onedirect initiating event and two indirect initiating events. Tables 5and 6 present the Boolean expressions for conditional externalhazards (Fig. 2).

Case 1: Single conditional external hazard for any one pair of units.

1. Four simultaneous core damage for the site due to a conditionalexternal hazard ¼ sum of all possible combinations {Booleanexpression (core damage of all 4 units by the conditionalexternal hazard)}Total number of ways four simultaneous core damage due to aconditional external hazards at the site ¼ 0

2. Three simultaneous core damage for the site due to a condi-tional external hazard is ¼ sum of all possible combinations{Boolean expression(core damage of any three units by theconditional external hazard)}Total number of ways three simultaneous core damage due to aconditional external hazard at the site ¼ 0

3. Two simultaneous core damages for the site due to a conditionalexternal hazard is ¼ sum of all possible combinations {Booleanexpression (core damage of any two units by the conditionalexternal hazard)}Total number of ways two simultaneous core damage due to aconditional external hazard at the site ¼ 20

4. Total number of ways single core damage for the site due to aconditional external hazard at the site ¼ 12

Case 2: Two simultaneous conditional external hazards.Simultaneous occurrence of conditional external hazards is an

extremely rare possibility but for the sake of completeness weconsider the case of two conditional external hazards like aircraftcrash and offsite explosion on twin unit pair-1 and twin unit pair-2respectively. Same number of initiating events from each hazardare assumed and the table containing Boolean expressions for coredamage remains similar for each hazard like that of Tables 5 and 6(Fig. 3).

units.

Unit 3 Unit 4

H2 (C23.A13.BExp23) H2 (C234.A14.BExp234)H2 (C243.A13.BExp243) H2 (C24.A14.BExp24)

tems between the units.

Unit 3 Unit 4

H2 (c2B.p1B3.BExp1B3) H2 (c2B.p1B4.BExp1B4)H2 (c2B.p2B3.BExp1B3) H2 (c2B.p2B4.BExp2B4)

Fig. 2. Schematic of single conditional external hazard at multi-unit site.

Fig. 3. Schematic of two simultaneous conditional external hazards at multi-unit site.

Fig. 4. Schematic of definite internal initiating events at multi-unit site.

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e62 57

1. Four simultaneous core damage for the site due to the twoconditional external hazards ¼ sum of all possible combinations{Boolean expression (core damage of all 4 units by the twoconditional external hazards)}

This can occur due to all possible combinations of two CDFs fromfirst hazard and 2 CDFs due to second hazard.

Total number of ways four simultaneous core damage due to thetwo conditional external hazards for the site ¼ 124

2. Three simultaneous core damage for the site due to the twoconditional external hazards is ¼ sum of all possible combina-tions {Boolean expression(core damage of any three units by thetwo conditional external hazards)}

This can occur due to all possible combinations: one CDF fromfirst hazard and 2 CDFs due to second hazard, two CDFs from firsthazard and 1 CDF due to second hazard.

Total number of ways three simultaneous core damage due tothe two conditional external hazards for the site ¼ 140

3. Two simultaneous core damage for the site¼ Sum of all possiblecombinations {Boolean expression(core damage of any twounits by the two conditional external hazards)}

This can occur due to one CDF due to first hazard and one CDFdue to second hazard or two CDF from any of the hazard.

Total number of ways two simultaneous core damage due to theconditional external hazards for the site ¼ 56

4. Total number of ways for single core damage due to twosimultaneous conditional external hazards ¼ 12

After simplification of Boolean expression for all possible waysof double, triple and quadruple core damage and quantification ofthe external hazard and SSC failures, SCDF of amulti-unit site due toconditional external hazards is obtained.

5.6.6. Methodology for definite internal initiating events for the siteAll definite internal initiating events are to be modeled and

analyzed together. The event trees and fault trees are developed forthese initiating events in the same manner as done for initiatingevents in case of definite external hazards (Fig. 4).

If we consider one definite initiating event affecting unit 1 & 2and one definite initiating event affecting unit 3 & 4, Boolean ex-pressions are obtained as shown in Table 7.

Further, if single initiating event is considered, two CDFs canoccur in two ways and no other combination of core damage ispossible. Simultaneous occurrence of multiple definite internalinitiating events affecting multiple units is not considered as it is anextremely rare event.

5.6.7. Methodology for conditional internal initiating events for thesite

All conditional initiating events are to be modeled together forall units. As in the earlier cases, here also number of Booleanexpression for single and multiple core damage are analyzed withconditional internal initiating events under both scenarios i.e. oneconditional internal initiating events occurring at the site and morethan one conditional internal initiating events occurring simulta-neously on the site. Methodology for obtaining various core dam-age configurations in this case is explained with an example.

Consider three conditional internal initiating events.

1. Loss of instrument air2. Loss of feed water3. Loss of DC bus

Table 7Boolean expressions for CDF of each of the units.

Unit 1 Unit 2 Unit 3 Unit 4

Definite initiating event 1 affectingunits 1 & 2

Definite initiatingevent 2 affecting units 3 & 4

IE1 (BExp11) IE1 (BExp12) IE2(BExp13) IE2 (BExp14)

IEi denotes ith initiating event.

Fig. 5. Schematic of conditional internal initiating events at multi-unit site.

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e6258

As done earlier, for illustration purpose, let us consider unit 1& 2to be identical and have some sharing of resources (e.g. instrumentair and feed water) and 3 & 4 are identical and have sharing ofresources (e.g. DC bus) (Fig. 5). Case 1 describes the analysis forsingle conditional internal initiating event and Case 2 describes theanalysis for multiple conditional internal initiating events occur-ring simultaneously at a site. The two variables defined are IEiGdenoting the frequency of conditional internal initiating event i forthe shared systems group ‘G’ and PiGk which represents the prob-ability of conditional internal initiating event i affecting sharedsystems group ‘G’ affects unit k.

The Boolean expressions for corresponding conditional internalinitiating events are shown in Table 8.

Case 1: Single conditional internal initiating event occurring at thesite.

1. Four simultaneous core damages on the site due to single con-ditional internal initiating event is not possible as one initiatingevent affects a maximum of two units only.

Table 8Boolean expressions for CDF of each of the units.

Unit 1 Unit 2 Unit 3 Unit 4

Cond. initiating event 1 for unit1 & 2

Cond. initiating event 3 for unit3 & 4

P1A1 IE1A (BExp1A1) P1A2 IE1A (BExp1A2) P1B3 IE1B (BExp1B3) P1B4 IE1B (BExp1B4)Cond. initiating event 2 for unit 1 & 2P2A1 IE2A (BExp2A1) P2A2 IE2A (BExp2A2)

2. Similarly, three simultaneous core damages on the site due tosingle conditional internal initiating event is also not possible.

3. Two simultaneous core damage for the site can occur in thefollowing three waysA. Sum of all possible combinations {Boolean expression (core

damage of unit 1 by the single conditional internal initiatingevent)* Boolean expression (core damage of unit 2 by thesingle conditional internal initiating event)}

Total number of combinations ¼ 2

B. Sum of all possible combinations {Boolean expression (coredamage of unit 3 by the one single conditional internal initi-ating event)* Boolean expression (core damage of unit 4 bythe single conditional internal initiating event)}Total number of combinations ¼ 1

4. Single core damage on the site due to single conditional internalinitiating event can occur in 6 ways.

After simplification of Boolean expression for the cases of single,double, triple and quadruple core damage and quantification ofinternal initiating event and SSC failures, SCDF due to conditionalinternal initiating events for the site is obtained.

Case 2: Multiple conditional internal initiating events occurringsimultaneously on the site.

If all three IEs occur simultaneously, then.

1. Four simultaneous core damages are sum of all possible com-binations {Boolean expression (core damage of all 4 units byrespective conditional initiating events)}Total number of ways four simultaneous core damages for thesite ¼ 4

2. Three simultaneous core damage for the site due to the threeconditional internal initiating events is the sum all possiblecombinations {Boolean expression(core damage of any threeunits by the three conditional initiating event)}

This can occur due to all possible combinations: one CDF fromfirst/second IE and two CDFs from third IE or two CDFs from first/second IE and one CDF from third IE.

Total number of ways three simultaneous core damage due tothe three conditional internal events for the site ¼ 12

3. Two simultaneous core damage for the site due to the threeconditional internal initiating events is the sum all possiblecombinations {Boolean expression(core damage of any twounits by the two conditional initiating event)}

This can occur due to all possible combinations: Two CDFs fromfirst/second IE or two CDFs from third IE or one CDF from first/second IE and one CDF from third IE.

Total number of ways two simultaneous core damage due to thethree conditional internal events for the site ¼ 13

4. Total number of ways single core damage for the site due tothree conditional internal events for the site ¼ 6

After simplification of Boolean expression for the cases of single,double, triple and quadruple core damage and quantification ofinternal initiating events and SSC failures, SCDF due to multipleconditional internal initiating events for the site is obtained.

5.6.8. Methodology for internal independent eventsEvent Trees and corresponding fault trees developed for internal

Level-1 PSA are used and the Boolean expressions are obtained(Table 9) to evaluate single core damage frequency only, since

Table 9Boolean expressions for CDF of each of the units due to internal independent events.

Unit 1 Unit 2 Unit 3 Unit 4

IE11 (BExp11) IE12 (BExp21) IE31 (BExp13) IE14 (BExp14)IE21 (BExp21) IE22 (BExp22) IE32 (BExp23) IE24 (BExp24)IE31 (BExp31) IE32 (BExp32) IE33 (BExp33) IE34 (BExp34)IE41 (BExp41) IE42 (BExp42)

IEij denotes the ith initiating event for unit j.

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e62 59

occurrence of multiple internal independent events is an extremelyrare possibility.

Total number of ways for single core damage on the site dueinternal in dependent events in all units¼ sum of all the Booleanexpressions in Table 9 ¼ 14

5.6.9. Complete expression for site core damage frequencyThe integrated approach explained in earlier sections for multi-

unit safety assessment considering all categories of hazards isdepicted in Fig. 6. Extended mission time as appropriate may beused for accident sequences in case of external hazards and forinternal events mission times used in internal PSA may be adopted.Thus, the integrated approach presented in this paper leads to theformulation of site core damage frequency from equation (1) asfollows:

Sitecoredamagefrequency; SCDF¼Xn

i¼1

X5

j¼1

Xm

k¼1

CDFði;j;kÞ (2)

Where

i denotes the number of simultaneous core damagesn denotes the number of units at the sitej denotes the category of hazard or eventk denotes the type of hazard in jth categorym denotes the total number of types of hazard in jth category.

Fig. 6. Overall schematic for mu

Therefore, CDF(i,j,k) denotes the frequency of i number ofsimultaneous core damages due to jth category of hazard type k;

j ¼ 1 refers to definite external hazards for the sitej ¼ 2 refers to conditional external hazards for the sitej ¼ 3 refers to definite internal events for the sitej ¼ 4 refers to conditional internal events for the sitej ¼ 5 refers to internal independent events considering for allunits

6. The case study of a twin unit site

The integrated approach is illustrated with a hypotheticalexample of a twin unit PHWR site (Fig. 7) consisting of thefollowing safety systems as described below:

Reactor protection system: Each unit is equipped with twodiverse and independent shutdown systems:

� Primary shutdown system: It consists of mechanical shutoffrods which get quickly inserted in the reactor core following areactor trip signal. Whenever a trip signal is received, solidcadmium absorber elements drop into the core under gravity,initially assisted by spring thrust (Bajaj & Gore, 2005).

� Secondary shutdown system: The system consists of verticalempty tubes located in the reactor core into which liquid poisonis injected when required. Fast-acting valves between a highpressure helium tank and the poison tanks open to pressurizeand inject the liquid poison into the reactor whenever the sys-tem is called upon due to a trip signal (Bajaj & Gore, 2005).

Diesel generators: Each of the two NPPs has dedicated DGs(DG1 and DG2 for unit 1 whereas DG3 and DG4 for unit 2). Apartfrom these, one more diesel generator (DG5) is also available whichcan be connected to any of the two units. Successful operation ofone diesel generator is sufficient for meeting emergency loads ofany one unit.

lti-unit safety assessment.

Fig. 7. Schematic of twin unit PHWR site.

Table 10Various identified hazards and initiating events.

Category of hazard Hazard Initiating event

Definite external hazards Earthquakes Loss of offsite powerTsunami Station blackout

Conditional external hazards Fouling orclogging inintake tunnel

Loss of ultimate heat sink

Definite internal initiating events e Loss of offsite powerConditional internal initiating events e Loss of instrument airInternal independent events e Primary-LOCA

e TOPA/LORA

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e6260

Diesel engines: The twin NPP share four diesel engines for firewater injection. Two diesel engines (DE1 and DE3) are placed at anelevation of 8 mwhile the other two (DE2 and DE4) are placed at anelevation of 12 m. All diesel engines share a common header for dis-charging water for feed water injection. Availability of one diesel en-gine will ensure sufficient supply of water for DHR for any one unit.

Sea water pump house: A common sea water pump househouses condenser cooling water, process sea water and emergencyprocess sea water pumps for both the units. Each unit is deployedwith five condenser cooling water pumps and three process seawater pumps which are driven by class 4 power supply. But thethree emergency process sea water pumps for each of the units aredriven by class 3 power supply and availability of any one of themwill ensure sufficient supply of water for DHR for any one unit.

Switchyard: Both the units are connected to a commonswitchyard comprising of three buses. Unit 1 is usually connected toBUS A whereas unit 2 is connected to BUS B. BUS C serves as astandby option for each of the two units and provision also exists tointerconnect each of the three buses.

Seawater intake tunnel: The two units share a common tunnelfor the intake of seawater which serves as the ultimate heat sink forboth units.

Compressed air system: The twin units share a common com-pressed air station where four compressors deployed for supplyingcompressed air to both the units. Operation of one compressor en-sures sufficient supply of all air (Instrument, Service andMask air) forone unit. The outlet of each of the compressor is connected to acommonheader and one line goes to eachof theunit fromtheheader.

Like in most of the multi-unit site, NPPs have the followingshared systems among others:

1. Sea water pump house2. Switchyard3. Fire water system4. Compressed air system5. Diesel generator6. De-mineralized water plant

For the twin unit site given in Fig. 7, representative list of initi-ating events under each category of hazard considered for theanalysis is given in Table 10.

Event trees are developed for the representative initiating event.Following are the major engineered safety and support systemsmodeled:

1. Primary shutdown system2. Secondary shutdown system3. Shutdown cooling system4. Fire water injection system5. Diesel generators

A representative event tree viz., LOSP caused by definiteexternal hazard such as earthquake is shown for each of the twounits in Fig. 8. Fault tree of one of the mitigating system viz., Feedwater System corresponding to each of the unit is shown in Fig. 9. Itis apparent form the fault trees that both the units share a commonsupport system viz., diesel engines. There could be more suchsharing systems at a multi-unit site.

The Boolean expressions are obtained for single and double coredamage for the loss of offsite power and by substituting appropriatecomponent fragility for each of the hazard, site core damage fre-quency is obtained by applying equation (2). For the case studyconsidered, common components that appear in the Boolean ex-pressions of site core damage are given below:

� CCF of diesel generators� CCF of emergency process sea water pumps� CCF of feed water header connected to diesel engines� CCF of diesel engines at 8 m elevation� CCF of diesel engines at 12 m elevation

Fig. 8. A representative event tree (LOSP) for both the units caused by earthquake.

FWS UNIT 1

FWS UNIT 1FAILS

DEFAIL

DIESELENGINES FAIL

FWHEADERFAILS

FEED WATERHEADER

FAILS

CCFDE8M

CCF FOR DEAT 8M

CCFDE12M

CCF FOR DEAT 12M

FWS UNIT 2

FWS UNIT 2FAILS

DEFAIL

DIESELENGINES FAIL

FWHEADERFAILS

FEED WATERHEADER

FAILS

CCFDE8M

CCF FOR DEAT 8M

CCFDE12M

CCF FOR DEAT 12M

Fig. 9. Fault tree of the feed water system for both the units.

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e62 61

V. Hassija et al. / Journal of Loss Prevention in the Process Industries 32 (2014) 52e6262

In addition, since external hazards are considered in the casestudy, identical components in both the units may be affected dueto CCF. Hence, the following CCFs also appear in the Booleanexpression of site core damage.

� CCF of process sea water heat exchanger� CCF of shutdown cooling pumps� CCF of shutdown heat exchanger

Thus, a multi-unit safety assessment indicates that these com-mon components play a vital role for the safety of the site andproviding alternate arrangement to prevent failure of these com-ponents will enhance the safety at the site.

7. Conclusions

A holistic risk-informed approach is demonstrated to assess thesafety of a multi-unit nuclear power plant site. It not only quantifiesthe frequency of multiple core damage for a multi-unit site but alsoevaluates site CDF considering both external and internal hazards.The methodology proposed accounts for most of the dependencyclasses and key issues applicable for amultiple unit NPP site such asinitiating events, shared connections, identical components, prox-imity dependencies and human dependencies.

The outcome of such integrated PSAwill help in identification ofthose structures, systems and components (SSCs) that playimportant role in safety of multiple units. It will also provideadditional severe accident scenarios for carrying out Level-2 PSAstudies for the multi-unit site. Finally, the approach developed isexpected to be useful in developing safety goals, procedures andguidelines for a multi-unit NPP site.

References

AERB. (2005). Glossary of terms for nuclear and radiation safety. Technical report.Atomic Energy Regulatory Board.

Arendt, J. S., & Lorenzo, D. K. (2000). Evaluating process safety in the chemical in-dustry: A user's guide to quantitative risk analysis.

Bajaj, S. S., & Gore, A. R. (2005). The Indian PHWR. Nuclear Engineering and Design,236, 701e722.

�Cepin, M. (2008). DEPEND-HRAda method for consideration of dependency inhuman reliability analysis. Reliability Engineering & System Safety, 93,1452e1460.

Ebisawa, K., Fujita, M., Iwabuchi, Y., & Sugino, H. (2012). Current issues on PRAregarding seismic and tsunami events at multi units and sites based on lessonslearned from Tohoku earthquake/tsunami. Nuclear Engineering and Technology,44, 437e452.

Fleming, K. N. (2005). On the issue of integrated risk e a PRA practitioner'sperspective. In Proceedings of the ANS international topical meeting on probabi-listic safety analysis. San Francisco, CA.

Hayns, M. (1999). The evolution of probabilistic risk assessment in the nuclearindustry. Transactions of IChemE, 77(Part B), 117e142.

Holmberg, J. E., & Knochenhauer, M. (2010). Guidance for the definition and appli-cation of probabilistic safety criteria.

IAEA. (2011). A methodology to assess the safety vulnerabilities of nuclear power plantsagainst site specific extreme natural hazards.

IAEA Report GC(56)/INF/2. (2012). Nuclear safety review for the year 2012.IAEA Specific safety Guide no. SSG-2. (2009). Deterministic safety analysis for nuclear

power plants.IAEA Specific Safety Guide no. SSG-3. (2010). Development and application of level 1

probabilistic safety assessment for nuclear power plants.IAEA-TECDOC-1341. (2003). Extreme external events in the design and assessment of

nuclear power plants.Khan, F. I., & Abbasi, S. A. (1998). Techniques and methodologies for risk analysis in

chemical process industries. Journal of Loss Prevention in the Process Industries,11, 261e277.

Lowe, P., & Garrick, Inc.. (1983). Seabrook station probabilistic safety assessmentsection 13.3 risk of two unit station. Prepared for Public Service Company of NewHampshire, PLG-0300.

Muhlheim, M. D., & Wood, R. T. (2007). Design strategies and evaluation for sharingsystems at multi-unit plants phase-I (ORNL/LTR/INERI-BRAZIL/06-01). Oak RidgeNational Laboratory.

OECD. (2009). Probabilistic risk criteria and safety goals. Technical report NEA/CSNI/R(2009)16. Organization for Economic Co-operation and Development.

Papazoglou, I. A., Nivolianitou, Z., Aneziris, O., & Christou, M. (1992). Probabilisticsafety analysis in chemical installations. Journal of Loss Prevention in the ProcessIndustries, 5, 181e191.

Saleh, J. H., Marais, K. B., & Favar�o, F. M. (2014). System safety principles: a multi-disciplinary engineering perspective. Journal of Loss Prevention in the ProcessIndustries, 29, 283e294.

Schroer, S., & Modarres, M. (2013). An event classification schema for evaluating siterisk in a multi-unit nuclear power plant probabilistic risk assessment. ReliabilityEngineering and System Safety, 117, 40e51.

SNETP Fukushima Task Group report. (2013). Identification of research areas inresponse to the Fukushima accident.

Tixier, J., Dusserre, G., Salvi, O., & Gaston, D. (2002). Review of 62 risk analysismethodologies of industrial plants. Journal of Loss Prevention in the Process In-dustries, 15, 291e303.

U.S. Nuclear Regulatory Commission (SECY-05-0130). (2005). Policy issues related tonew plant licensing and status of the technology-neutral framework for new plantlicensing.

Yang, J. E. (2012). Development of an integrated risk assessment framework forinternal/external events and all power modes. Nuclear Engineering and Tech-nology, 44, 459e470.

Zerger, B., Ramos, M. M., & Veira, M. P. (2013). European clearinghouse: Report onexternal hazard related events at NPPs. Joint Research Centre of the EuropeanCommission.