System-level hazard analysis using the sequence-tree method

A system-level PHA using the sequence-tree method is presented to perform safety-related digital I&C system SSA. The conventional PHA involves brainstorming among experts on various portions of the system to identify hazards through discussions. However, since the conventional PHA is not a systematic technique, the analysis results depend strongly on the experts’ subjective opinions. The quality of analysis cannot be appropriately controlled. Therefore, this study presents a system-level sequence tree based PHA, which can clarify the relationship among the major digital I&C systems. This sequence-tree-based technique has two major phases. The first phase adopts a table to analyze each event in SAR Chapter 15 for a specific safety-related I&C system, such as RPS. The second phase adopts a sequence tree to recognize the I&C systems involved in the event, the working of the safety-related systems and how the backup systems can be activated to mitigate the consequence if the primary safety systems fail. The defense-in-depth echelons, namely the Control echelon, Reactor trip echelon, ESFAS echelon and Monitoring and indicator echelon, are arranged to build the sequence-tree structure. All the related I&C systems, including the digital systems and the analog back-up systems, are allocated in their specific echelons. This system-centric sequence-tree analysis not only systematically identifies preliminary hazards, but also vulnerabilities in a nuclear power plant. Hence, an effective simplified D3 evaluation can also be conducted.     

Integrated software safety analysis method for digital I&C systems

The digitalized Instrumentation and Control (I&C) system of Nuclear power plants can provide more powerful overall operation capability, and user friendly man-machine interface. The operator can obtain more information through digital I&C system. However, while I&C system being digitalized, three issues are encountered: (1) software common-cause failure, (2) the interaction failure between operator and digital instrumentation and control system interface, and (3) the non-detectability of software failure. These failures might defeat defense echelons, and make the Diversity and Defense-in-Depth (D3) analysis be more difficult. This work developed an integrated methodology to evaluate nuclear power plant safety effect by interactions between operator and digital I&C system, and then propose improvement recommendations. This integrated methodology includes component-level software fault tree, system-level sequence-tree method and nuclear power plant computer simulation analysis. Software fault tree can clarify the software failure structure in digital I&C systems. Sequence-tree method can identify the interaction process and relationship among operator and I&C systems in each D3 echelon in a design basis event. Nuclear power plant computer simulation analysis method can further analyze the available backup facilities and allowable manual action duration for the operator when the digital I&C fail to function. Applying this methodology to evaluate the performance of digital nuclear power plant D3 design, could promote the nuclear power plant operation safety. The operator can then trust the nuclear power plant than before, when operating the highly automatic digital I&C facilities.     

Two types of a passive safety containment for a near future BWR with active and passive safety systems

The paper presents two types of a passive safety containment for a near future BWR. They are named Mark S and Mark X containment. One of their common merits is very low peak pressure at severe accidents without venting the containment atmosphere to the environment. The PCV pressure can be moderated within the design pressure. Another merit is the capability to submerge the PCV and the RPV above the core level. The third merit is robustness against external events such as a large commercial airplane crash. Both the containments have a passive cooling core catcher that has radial cooling channels. The Mark S containment is made of reinforced concrete and applicable to a large power BWR up to 1830 MWe. The Mark X containment has the steel secondary containment and can be cooled by natural circulation of outside air. It can accommodate a medium power BWR up to 1380 MWe. In both cases the plants have active and passive safety systems constituting in-depth hybrid safety (IDHS). The IDHS provides not only hardware diversity between active and passive safety systems but also more importantly diversity of the ultimate heat sinks between the atmosphere and the sea water. Although the plant concept discussed in the paper uses well-established technology, plant performance including economy is innovatively and evolutionally improved. Nothing is new in the hardware but everything is new in the performance.     

Model extension and improvement for simulator-based software safety analysis

One of the major concerns when employing digital I&C system in nuclear power plant is digital system may introduce new failure mode, which differs with previous analog I&C system. Various techniques are under developing to analyze the hazard originated from software faults in digital systems. Preliminary hazard analysis, failure modes and effects analysis, and fault tree analysis are the most extensive used techniques. However, these techniques are static analysis methods, cannot perform dynamic analysis and the interactions among systems. This research utilizes “simulator/plant model testing” technique classified in (IEEE Std 7-4.3.2-2003, 2003. IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations) to identify hazards which might be induced by nuclear I&C software defects. The recirculation flow system, control rod system, feedwater system, steam line model, dynamic power-core flow map, and related control systems of PCTran–ABWR model were successfully extended and improved. The benchmark against ABWR SAR proves this modified model is capable to accomplish dynamic system level software safety analysis and better than the static methods. This improved plant simulation can then futher be applied to hazard analysis for operator/digital I&C interface interaction failure study, and the hardware-in-the-loop fault injection study.     

Variations of a passive safety containment for a BWR with active and passive safety systems

The paper presents variations of a certain passive safety containment for a near future BWR. It is tentatively named Mark S containment in the paper. It uses the operating dome as the upper secondary containment vessel (USCV) to where the pressure of the primary containment vessel (PCV) can be released through the upper vent pipes. One of the merits of the Mark S containment is very low peak pressure at severe accidents without venting the containment atmosphere to the environment. Another merit is the capability to submerge the PCV and the reactor pressure vessel (RPV) above the core level by flooding water from the gravity-driven cooling system (GDCS) pool and the upper pool. The third merit is robustness against external events such as a large commercial airplane crash owing to the reinforced concrete USCV. The Mark S containment is applicable to a large reactor that generates 1830 MW electric power. The paper presents several examples of BWRs that use the Mark S containment. In those examples active safety systems and passive safety systems function independently and constitute in-depth hybrid safety (IDHS). The concept of the IDHS is also presented in the paper.     

An analytical comparative exercise on the OECD-SETH PKL E2.2 experiment

The “First Workshop on Analytical Activities related to the SETH-OECD project” was held in Barcelona at the UPC's Institute of Energy Technologies (INTE), from 2nd to 3rd September 2003. The workshop gave the participants an opportunity to present the main results of the calculations performed as pre- and post-test simulations of SETH experiments. Among all the post-tests that were both presented and discussed, PKL experiment E2.2 holds special interest as it has been widely studied. Test E2.2 examined the most conservative case in terms of the maximum size that condensate slugs can reach and how far boron concentration can drop on resumption of natural circulation following a cold-side SB-LOCA. The analyses were performed by different working groups belonging to different countries and different codes were used.This paper goes deeper into the comparison of results of the different authors. Its aim is to both show and compare the results obtained by different working groups in their simulation of the experiment and to analyse the main parameters involved in order to draw conclusions on improvements that can be made in the analytical approach to such tests. All the participants managed to successfully predict the overall thermal-hydraulic system behaviour. Vessel fill-up together with slug build-up by reflux-condensation are phenomena that were correctly predicted, while simulation of natural circulation restart and transport of low-borated water slugs still need some improvement.     

Design evaluation of emergency core cooling systems using Axiomatic Design

In designing nuclear power plants (NPPs), the evaluation of safety is one of the important issues. As a measure for evaluating safety, this paper proposes a methodology to examine the design process of emergency core cooling systems (ECCSs) in NPPs using Axiomatic Design (AD). This is particularly important for identifying vulnerabilities and creating solutions. Korean Advanced Power Reactor 1400 MWe (APR1400) adopted the ECCS, which was improved to meet the stronger safety regulations than that of the current Optimized Power Reactor 1000 MWe (OPR1000). To improve the performance and safety of the ECCS, the various design strategies such as independency or redundancy were implemented, and their effectiveness was confirmed by calculating core damage frequency. We suggest an alternative viewpoint of evaluating the deployment of design strategies in terms of AD methodology. AD suggests two design principles and the visualization tools for organizing design process. The important benefit of AD is that it is capable of providing suitable priorities for deploying design strategies. The reverse engineering driven by AD has been able to show that the design process of the ECCS of APR1400 was improved in comparison to that of OPR1000 from the viewpoint of the coordination of design strategies.     

RELAP5/MOD3.2 sensitivity calculations of loss-of-feed water (LOFW) transient at Unit 6 of Kozloduy NPP

This paper provides a comparison between the real plant data obtained by Unit 6 of Kozloduy nuclear power plant (NPP) during the loss-of-feed water (LOFW) transient and the calculation results received by RELAP5/MOD3.2 computer model of the same NPP unit.RELAP5/MOD3.2 computer model of the VVER-1000 has been developed at the Institute for Nuclear Research and Nuclear Energy-Bulgarian Academy of Sciences (INRNE-BAS) based on Unit 6 of Kozloduy NPP. This model has been used for simulation the behavior of the real VVER-1000 NPP during the LOFW transient. Several calculations have been provided to describe how the different boundary conditions reflect on the prediction of real plant parameters.This paper discusses the results of the thermal–hydraulic sensitivity calculations of loss-of-feed water transient for VVER-1000 reactor design. The report also contains a brief summary of the main NPP systems included in the RELAP5 VVER model and the LOFW transient sequences.This report was possible through the participation of leading specialists from Kozloduy NPP and with the assistance of Argonne National Laboratory (ANL) for the United States Department of Energy (US DOE), International Nuclear Safety Program (INSP).     

An overview of instrumentation and control systems of a Korea standard nuclear power plant: A signal interface standpoint

This paper presents an overview of instrumentation and control (I&C) systems of a pressurized water reactor (PWR) type nuclear power plant (NPP) in Korea. Yonggwang unit 3, which was constructed as a basis model for a Korea standard nuclear power plant (KSNP), is selected as an example for the presentation. This overview is derived from analyzing the I&C systems based on a top-down approach. The I&C systems consist of 30 systems. The 183 I&C cabinets are also analyzed and mapped to the systems. The overview is focused on an interface between the systems and the cabinets. This information will be used to understand the implementation of the I&C systems and to group the systems for an upgrade.     

Analysis of different containment models for IRIS small break LOCA, using GOTHIC and RELAP5 codes

Advanced nuclear water reactors rely on containment behaviour in realization of some of their passive safety functions. Steam condensation on containment walls, where non-condensable gas effects are significant, is an important feature of the new passive containment concepts, like the AP600/1000 ones.In this work the international reactor innovative and secure (IRIS) was taken as reference, and the relevant condensation phenomena involved within its containment were investigated with different computational tools. In particular, IRIS containment response to a small break LOCA (SBLOCA) was calculated with GOTHIC and RELAP5 codes. A simplified model of IRIS containment drywell was implemented with RELAP5 according to a sliced approach, based on the two-pipe-with-junction concept, while it was addressed with GOTHIC using several modelling options, regarding both heat transfer correlations and volume and thermal structure nodalization. The influence on containment behaviour prediction was investigated in terms of drywell temperature and pressure response, heat transfer coefficient (HTC) and steam volume fraction distribution, and internal recirculating mass flow rate. The objective of the paper is to preliminarily compare the capability of the two codes in modelling of the same postulated accident, thus to check the results obtained with RELAP5, when applied in a situation not covered by its validation matrix (comprising SBLOCA and to some extent LBLOCA transients, but not explicitly the modelling of large dry containment volumes).The option to include or not droplets in fluid mass flow discharged to the containment was the most influencing parameter for GOTHIC simulations. Despite some drawbacks, due, e.g. to a marked overestimation of internal natural recirculation, RELAP5 confirmed its capability to satisfactorily model the basic processes in IRIS containment following SBLOCA.     

Developing architecture for upgrading I&C systems of an operating nuclear power plant using a quality attribute-driven design method

This paper presents the architecture for upgrading the instrumentation and control (I&C) systems of a Korean standard nuclear power plant (KSNP) as an operating nuclear power plant. This paper uses the analysis results of KSNP's I&C systems performed in a previous study. This paper proposes a Preparation–Decision–Design–Assessment (PDDA) process that focuses on quality oriented development, as a cyclical process to develop the architecture. The PDDA was motivated from the practice of architecture-based development used in software engineering fields. In the preparation step of the PDDA, the architecture of digital-based I&C systems was setup for an architectural goal. Single failure criterion and determinism were setup for architectural drivers. In the decision step, defense-in-depth, diversity, redundancy, and independence were determined as architectural tactics to satisfy the single failure criterion, and sequential execution was determined as a tactic to satisfy the determinism. After determining the tactics, the primitive digital-based I&C architecture was determined. In the design step, 17 systems were selected from the KSNP's I&C systems for the upgrade and functionally grouped based on the primitive architecture. The overall architecture was developed to show the deployment of the systems. The detailed architecture of the safety systems was developed by applying a 2-out-of-3 voting logic, and the detailed architecture of the non-safety systems was developed by hot-standby redundancy. While developing the detailed architecture, three ways of signal transmission were determined with proper rationales: hardwire, datalink, and network. In the assessment step, the required network performance, considering the worst-case of data transmission was calculated: the datalink was required by 120 kbps, the safety network by 5 Mbps, and the non-safety network by 60 Mbps. The architecture covered 17 systems out of 22 KSNP's I&C systems. The architecture is implementable with the equipment developed in South Korea. The architecture can be used as a model to upgrade the existing I&C systems in a planned, large-scale, and one-shot manner. A more detailed architecture down to software level will be developed in the future.     

Development of the FHR advanced natural circulation analysis code and application to FHR safety analysis

The University of California, Berkeley (UCB) is performing thermal hydraulics safety analysis to develop the technical basis for design and licensing of fluoride-salt-cooled, high-temperature reactors (FHRs). FHR designs investigated by UCB use natural circulation for emergency, passive decay heat removal when normal decay heat removal systems fail. The FHR advanced natural circulation analysis (FANCY) code has been developed for assessment of passive decay heat removal capability and safety analysis of these innovative system designs. The FANCY code uses a one-dimensional, semi-implicit scheme to solve for pressure-linked mass, momentum and energy conservation equations. Graph theory is used to automatically generate a staggered mesh for complicated pipe network systems. Heat structure models have been implemented for three types of boundary conditions (Dirichlet, Neumann and Robin boundary conditions). Heat structures can be composed of several layers of different materials, and are used for simulation of heat structure temperature distribution and heat transfer rate. Control models are used to simulate sequences of events or trips of safety systems. A proportional-integral controller is also used to automatically make thermal hydraulic systems reach desired steady state conditions. A point kinetics model is used to model reactor kinetics behavior with temperature reactivity feedback. The underlying large sparse linear systems in these models are efficiently solved by using direct and iterative solvers provided by the SuperLU code on high performance machines. Input interfaces are designed to increase the flexibility of simulation for complicated thermal hydraulic systems. This paper mainly focuses on the methodology used to develop the FANCY code, and safety analysis of the Mark 1 pebble-bed FHR under development at UCB is performed.     

Safety analysis of LBLOCA in BDBA scenarios for the Bushehr's VVER-1000 nuclear power plant

This paper presents the results of thermal-hydraulic calculations of a large break loss of coolant accident (LBLOCA) analysis for a VVER-1000/V446 unit at Bushehr nuclear power plant (BNPP). LBLOCA is analysis in two different beyond design basis accident (BDBA) scenarios using the RELAP5/MOD3.2 best estimate code. The scenarios are LBLOCA with station blackout (SBO) and LBLOCA with pump re-circulation blockage which have been evaluated in the final safety analysis report (FSAR) of BNPP. A model of VVER-1000 reactor based on Unit 1 of BNPP has been developed for the RELAP5/MOD3.2 thermal-hydraulics code consists of 4-loop primary and secondary systems with all their relevant sub-systems important to safety analysis. The analysis is performed without regard for operator's actions on accident management. The safety analysis is carried out and the results are checked against the acceptance criteria which are the possibility of using water inventory in the emergency core cooling system (ECCS) accumulators and the KWU tanks for core cooling and the available time to operators before the maximum design limit of fuel rod cladding damage is reached. These kinds of analyses are performed to provide the response of monitored plant parameters to identify symptoms available to the operators, timing of the loss of critical safety functions and timing of operator actions to avoid the loss of critical safety functions of core damage. The results of performed analyses show that the operators have 2.9 and 3.1 h for LBLOCA with SBO and LBLOCA with pump re-circulation blockage scenarios, respectively, before the fuel rod cladding rupture. The results are also compared with the BNPP FSAR data.