Dynamic event trees in accident sequence analysis: application to steam generator tube rupture

A dynamic event tree method for analyzing the risk associated with dynamic nuclear power plant accident sequences is presented. The method provides a framework for treating stochastic variations in operating crew states (defined by substrates characterizing the accident diagnosis, the planned actions, and the crew quality) as well as stochastic variations in hardware states. Plant process variables are treated deterministically; they are used when determining the likelihood of stochastic branchings. The method is used in an analysis of a steam generator tube rupture (SGTR) accident; it is shown that a number of important operator behavior patterns can be reasonably represented, and that, comparing with conventional event trees, sources of dependencies between failure events can be better defined.     

The US NRC's accident sequence precursor program: an overview and development of a Bayesian approach to estimate core damage frequency using precursor information

This paper presents an overview of the US Nuclear Regulatory Commission's (NRC) Accident Sequence Precursor Program. The objectives of the program are delineated; the screening, review and analysis methods for events involving an accident initiator are reviewed. The quantitative calculations are illustrated using an ASP event. A Bayesian framework for using ASP information to estimate annual core damage frequencies is then introduced. This method uses both failure and success information to estimate the core damage frequency. In addition, an alternative procedure is proposed to estimate the frequency of severe core damage accidents. The estimated occurrence rate is then used to define a retrospective accident sequence precursor measure of closeness to a core damage accident. The retrospective measure is the a posteriori probability of at least one core damage accident during a given period of time. Expressions for both the conditional and unconditional severe core damage probabilities are developed. The paper also shows that the sum of conditional severe core damage probabilities overestimates the rate at which severe core damage events occur.     

Application of the integrated safety assessment methodology to the emergency procedures of a SGTR of a PWR

This paper describes an application of the Integrated Safety Assessment (ISA) methodology to the safety and reliability assessment of emergency procedures of a nuclear power plant. The concept of ISA has been developed as a result of previous works on safety assessment and dynamic reliability. The method links the physical dynamics of the facility with its operating environment, subject to transitions between different time evolutions due to failures and/or system/operator interventions. For situations dominated by deterministic transitions (i.e. transitions upon deterministic demands as a result, for instance, of exceeding automatic actions or alarm setpoints), the methodology can be considered an extension of PSA and accident analysis techniques that replaces the static event tree with a deterministic dynamic event tree concept (DDET) based on the theory of probabilistic dynamics.In line with current studies carried out jointly by CSN and JRC-Ispra/ISEI, this paper reviews the main features of ISA and describes some of the details of its implementation in the case of a Westinghouse pressurized water reactor (PWR), in particular its application to the assessment of the emergency operating procedure (EOP) to mitigate the steam generator tube rupture (SGTR) initiating event.This application demonstrates the ISA feasibility for risk analysis of operating procedures (OP) by assessing a given set of OPs with a large PWR model of the TRETA-DYLAM-HOI software package, which is able to simulate recovery in a SGTR scenario. Some weak points in the SGTR EOP are identified and suggestions provided for their resolution.     

Calculating conditional core damage probabilities for nuclear power plant operations

A part of managing nuclear power plant operations is the control of plant risk over time as components are taken out of service or plant upsets are caused by initiating events. Unfortunately, measuring risk over time proves to be challenging, even with modern probabilistic risk analyses (PRAs) and PRA tools. In general, the process of measuring the operational risk would satisfy three desires: (1) the measurement would provide the risk magnitude for a particular event or over a period of time; (2) the risk results could be summed for a period of time to obtain a cumulative risk profile; and (3) the measurement process would be tractable while still using the current modeling techniques and tools. This paper demonstrates the calculation of the conditional core damage probability (CCDP) for the two cases of component outages and initiating events. In addition, two potential complications were identified that must be addressed when performing a CCDP calculation. The first complication, determining the appropriate nonrecovery probabilities to be applied to an inoperable component or initiating event, addresses the possibility of the plant operators preventing damage to the plant from their actions. The second complication, adjusting common-cause probabilities specific to the plant configuration, accounts for the fact that the PRA common-cause probabilities built into the model are applicable only during nominal conditions. The examples presented in the paper illustrate the potential under-estimation in CCDP when modifications to common-cause probabilities are ignored. These underestimation errors ranged from a factor of two to over a factor of six underestimation in CCDP.     

Risk implications of digital reactor protection system operating experience

This paper summarizes an in-depth review of the US nuclear operating experience with the first generation of digital reactor protection systems. The accumulated operating experience from 1984 to 2006 on these first generation digital reactor protection system functions exceeds 1.27 million hours (145.5 yr). A review of failure event reports identified 141 specific events associated with these systems on seven US nuclear power plants. Twenty-six of these events involved some type of common cause failure mechanism (predominantly redundant sensors/channels being out of calibration), which temporarily rendered redundant portions of the overall trip function degraded. Most of these failures were found not to be unique to digital systems. Six of the common cause failure events were more severe and involved situations where incorrect addressable constant data sets were systematically loaded into all redundant computer channels due to personnel errors. One of these events involved a latent software design change error introduced during a software update, which would prevent proper operation, given an unlikely event involving failure of three out of four sensors of one type.Based upon this review of digital system operating experience, a series of risk assessment calculations were performed to evaluate the safety significance of the observed failure events. From the insights gained in this work, it is possible to develop a framework for establishing digital reactor protection system reliability requirements that can be related back to regulatory safety goal objectives and operating experience.     

The german precursor study—methodology and insights

Probabilistic Safety Assessment (PSA) yields a systematic and quantitative prediction of possible accident scenarios at technical installations on the basis of data gained from the past experience on similar technical installations. Precursor studies are performed in order to make operational experience, as far as possible, available for support of PSAs. An Accident Sequence Precursor in a Nuclear Power Plant (NPP) is defined as an observed event scenario which could result, in coincidence with additional postulated events, in a potential severe core damage accident. In this paper, the methodology and the insights of the plant-specific German Precursor Study are explained in detail. As the results have demonstrated, the Precursor methodology is applicable for ranking of the safety significance of the observed events and for trending the plant risk level (described by the frequency of potential severe core damage accidents) versus operating time.     

Marked point process framework for living probabilistic safety assessment and risk follow-up

We construct a model for living probabilistic safety assessment (PSA) by applying the general framework of marked point processes. The framework provides a theoretically rigorous approach for considering risk follow-up of posterior hazards. In risk follow-up, the hazard of core damage is evaluated synthetically at time points in the past, by using some observed events as logged history and combining it with re-evaluated potential hazards. There are several alternatives for doing this, of which we consider three here, calling them initiating event approach, hazard rate approach, and safety system approach. In addition, for a comparison, we consider a core damage hazard arising in risk monitoring. Each of these four definitions draws attention to a particular aspect in risk assessment, and this is reflected in the behaviour of the consequent risk importance measures. Several alternative measures are again considered. The concepts and definitions are illustrated by a numerical example.     

The impact of assessing lower head integrity on boiling water reactor probabilistic risk assessments

Over the last several decades, much effort has been directed at estimating the likelihood of a large early release of radioactivity during a nuclear accident. This effort has culminated in the Individual Plant Examinations (IPEs) for the over 100 US nuclear power plants and the NUREG 1150 study. The large early release of radioactivity requires core damage with loss of primary containment integrity during the accident. Given a successful reactor scram, early containment failure coupled with a large release of radioactivity will only occur if the reactor core vessel is breached by core debris. Most IPE/PRA studies performed to date have not considered the possibility of quenching core debris in the lower plenum. Consequently, lower head failure is presumed to closely follow the onset of core damage. Therefore, these assessments did not address the role that in-vessel debris retention plays in preserving primary containment integrity, nor do they propose a criterion for evaluating the integrity of the vessel lower head given that core damage has occurred. Yet preserving the vessel lower head integrity is a necessary condition for satisfying the plant design and licensing basis. Therefore, a more complete treatment of the risk associated with nuclear plant operation includes an evaluation of the ability to retain the core debris in-vessel. This paper presents a performance requirement for vessel integrity to be used in probabilistic risk assessments; evaluates the impact the core damage progression and lower plenum quenching models have on the likelihood of terminating the damage progression in-vessel; documents the significant reduction in BWR containment failure probability that can occur when appropriate core damage and lower head quenching models are used; reviews the implications of core debris quenching in the lower head on BWR PRA modeling; argues why crediting the capability to maintain vessel integrity is necessary from a safety point of view. These results and conclusions are derived from consideration of a BWR 4 plant with a 251 inch vessel. However, the concepts are generally applicable and results specific to other BWR designs can be developed using the methodology presented in this paper.     

Procedures and applications to enlarge the level 1+ PSA to internal fires in German nuclear power plants

Investigations have shown that the consequences from fires in nuclear power plants can be significant. Methodologies considering fire in probabilistic safety analyses have been evolving in the last few years. In order to provide a basis for further discussions on benefits and limits of such an analysis in Germany, current methods are investigated. As a result a qualitative screening process is proposed to identify critical fire zones followed by a quantitative event tree analysis in which the fire caused frequency of initiating events and different core damage states will be determined. The models and data proposed for a probabilistic fire risk analysis have been successfully applied in complete and partial fire risk assessments in German nuclear power plants.     

Materials Selection for a Finite Life Time

Classical methods for materials selection only poorly account for the need of incorporating time into the design requirements. Corrosion, fatigue, wear and creep are phenomena that can lead to an accumulation of damage with time, ultimately causing failure. The first step in dealing with this is an evaluation of the potential risk for delayed damage followed by a qualitative ranking of the possible candidates. Beyond this point, both quantitative estimates and design rules have to be used to make the appropriate selection. Examples involving corrosion and creep will illustrate the possibility of and the need for under the form of.     

核电厂HRA定性评价及应用

核电厂人的可靠性分析(HRA：Human Reliability Analysis)定性评价的目的是在定性分析的基础上,确定HRA边界条件和引入HRA模型的人因事件的数量,使得HRA的量化分析得以实施。定性评价的基本原则是确定边界假设条件,辨识出所有对安全和运行具有显著影响的人因事件序列。本文以某压水堆核电厂蒸汽传热管破裂(SGTR)为具体实例,详细分析了HRA定性评价过程,确定了分析始发事件题头的基本方法,为核电厂HRA的具体实施提供了理论指导和实践说明。     

Development of a framework for the risk assessment of Na-Tech accidental events

Natural events impacting on chemical and process plants may cause severe accidents, triggering the release of relevant quantities of hazardous substances. The present study focused on the development of the tools needed to build up a general framework allowing the extension of quantitative risk assessment procedure to include the analysis of the industrial accidents caused by natural events. Specific methods and models were developed to allow the quantitative assessment of risk caused by two categories of “Na-Tech” accidents: accidents triggered by earthquakes and accidents triggered by floods. The approach allows the identification of the different damage modes expected for process equipment and of the accidental scenarios that may be triggered. The damage models developed allow the calculation of the damage probability of equipment items due to the natural events. A specific methodology was issued to take into account the consequences of the possible contemporary failure of several process units due to the impact of the natural event. The procedure allows the calculation of the overall individual and societal risk indexes including the multiple-failure scenarios caused by the impact of natural events. The overall methodology was applied to the analysis of specific case studies.     

Development of a dynamical systems model of plant programmatic performance on nuclear power plant safety risk

Application of probabilistic risk assessment (PRA) techniques to model nuclear power plant accident sequences has provided a significant contribution to understanding the potential initiating events, equipment failures and operator errors that can lead to core damage accidents. Application of the lessons learned from these analyses has resulted in significant improvements in plant operation and safety. However, this approach has not been nearly as successful in addressing the impact of plant processes and management effectiveness on the risks of plant operation. The research described in this paper presents an alternative approach to addressing this issue. In this paper we propose a dynamical systems model that describes the interaction of important plant processes on nuclear safety risk. We discuss development of the mathematical model including the identification and interpretation of significant inter-process interactions. Next, we review the techniques applicable to analysis of nonlinear dynamical systems that are utilized in the characterization of the model. This is followed by a preliminary analysis of the model that demonstrates that its dynamical evolution displays features that have been observed at commercially operating plants. From this analysis, several significant insights are presented with respect to the effective control of nuclear safety risk. As an important example, analysis of the model dynamics indicates that significant benefits in effectively managing risk are obtained by integrating the plant operation and work management processes such that decisions are made utilizing a multidisciplinary and collaborative approach. We note that although the model was developed specifically to be applicable to nuclear power plants, many of the insights and conclusions obtained are likely applicable to other process industries.     

Acoustic emission based tensile characteristics of sandwich composites

Sandwich composite static and fatigue testing results indicated the predominant failure to be the core damage followed by interfacial debonding, resin cracking and fiber rupture. Under static testing, crack was observed to initiate in the core and ensue planar propagation near the interface with the facesheets; whereas, onset of crack initiation in the facesheets served as a precursor to the catastrophic failure. Multiple failure initiation and propagation sites in the core and intermittent interfacial debonding were consistently observed under fatigue. An acoustic emission based stiffness reduction model is presented that seems to accurately identify the extent of damage in sandwich composites subjected to fatigue loading conditions.     

A systematic approach to analysing errors of commission from diagnosis failure in accident progression

The accident scenarios of a nuclear power plant are composed of an initiating event (IE), additional events/failures and human inappropriate actions, the combinations of which lead to irreversible consequences. In such a dynamic situation, operators should diagnose the occurring events/failures (including an initiating event and additional events) and assess the related situations utilising the available resources such as operating procedures or human–machine systems to control and maintain the plant in a stable condition. The misdiagnosis or diagnosis failure of the occurring events could cause critical human inappropriate actions that aggravate the plant condition, which is termed as errors of commission (EOCs). This paper presents a methodology for analysing the potential for diagnosis failure of the initiating and additional events and the consequent EOC events, based on the operating procedures, in the accident scenarios of nuclear power plants. The method to be presented categorizes the diagnostic situations in the accident scenarios into three cases according to the structure of the emergency operating procedures (EOPs) and the time of the occurring events: (1) the diagnosis of an initiating event, (2) the diagnosis of both an initiating event and an additional event when an additional event occurs prior to the performance of the diagnosis procedure, and (3) the diagnosis of an additional event when an additional events occurs after the performance of the diagnosis procedure. The application of the method is illustrated through three case example scenarios: (1) the power-operated relief valve (PORV) or the pressurizer safety valve (PSV) LOCA, (2) the loss of all feedwater (LOAF) event (loss of main feedwater*loss of auxiliary feedwater), (3) the sequence of<the station blackout (SBO)*loss of turbine-driven (or diesel-driven) auxiliary feedwater*PSV stuck-open*recovery of AC power>.     

Risk-based spacecraft fire safety experiments

This paper utilizes the scenario approach of risk assessment to identify modeling needs and, in turn, experiments that would aid in the development of models that would meet these needs. Due to the closed environment of a spacecraft and the lack of egress, fire on-board may pose a severe problem. There are many differences between a fire on-board the spacecraft and one in a terrestrial facility and they must be accounted for in the assessment of risk. Both the risk assessment methodology and the phenomena-based models must be modified. This paper discusses some of the methodology modifications, as well as special experimental results. Multiple experiments have been conducted in terrestrial and microgravity environments in order to construct and validate models required for the assessment and management of risk on-board spacecraft. A logic diagram analyzing the ways in which the crew may be injured and/or the spacecraft may be damaged, as well as operating experience, have identified wire overheating events as being potentially significant accident initiators. As a result, the experiments have concentrated on quantifying the pyrolysis event of a wire being overheated with excessive current. A preliminary set of experiments at the 2·2-second NASA Lewis Drop Tower has led to several observations. The event is violent due to the high heating rates. At these high heating rates, a jet of hot gases and smoke was observed. Frequently the conductor would melt down, sometimes ejecting molten pieces of the copper conductor. The event poses a threat to targets in the near vicinity and further away. Also, the smoke particle size distribution is shifted towards larger sizes in a microgravity environment. This may prove very important in designing a smoke detector. While significant results were obtained from these tests, longer durations of microgravity are required for further quantification to be possible.     

Failure Analysis and Remaining Life Assessment of Methanol Reformer Tubes

High-quality failure analysis and good engineering judgment can turn plant shutdowns resulting from methanol reformer tube failures into an opportunity to improve the future performance of the reformer furnace. The plant down time can be used to evaluate remaining tube life and provide some insight into the effect of tube operating history, especially tube metal temperature on tube performance. The results can be used to minimize potential future failures and economic losses because of reformer shutdowns. In this article, the failure mechanism of a ruptured reformer tube is determined and an assessment of the remaining life of non-ruptured tubes in the reformer is discussed. Two assessment methods are reviewed (1) metallographic examination of ex-service material to characterize microstructure and creep damage and (2) modeling of creep damage accumulation using special-purpose finite-element software (WinTUBE^TM).     

A methodology for the quantitative risk assessment of major accidents triggered by seismic events

A procedure for the quantitative risk assessment of accidents triggered by seismic events in industrial facilities was developed. The starting point of the procedure was the use of available historical data to assess the expected frequencies and the severity of seismic events. Available equipment-dependant failure probability models (vulnerability or fragility curves) were used to assess the damage probability of equipment items due to a seismic event. An analytic procedure was subsequently developed to identify, evaluate the credibility and finally assess the expected consequences of all the possible scenarios that may follow the seismic events. The procedure was implemented in a GIS-based software tool in order to manage the high number of event sequences that are likely to be generated in large industrial facilities. The developed methodology requires a limited amount of additional data with respect to those used in a conventional QRA, and yields with a limited effort a preliminary quantitative assessment of the contribution of the scenarios triggered by earthquakes to the individual and societal risk indexes. The application of the methodology to several case-studies evidenced that the scenarios initiated by seismic events may have a relevant influence on industrial risk, both raising the overall expected frequency of single scenarios and causing specific severe scenarios simultaneously involving several plant units.     

Damage Characterization of Thermal Barrier Coatings by Acoustic Emission and Thermography

Thermal barrier coatings allow increasing the operating temperature and efficiency of land‐, sea‐, or air‐based turbines. As failure of the coating may result in serious damage of the turbine, reliable estimation of its lifetime is essential. To assess the lifetime, cyclic tests are conceived to combine thermal loading by heating the surface of the coating with laser irradiation and nondestructive methods for damage determination. Using laser irradiation allows a high reproducibility of the thermal load. The temperature of the sample surface during thermal loading is determined by an infrared‐camera which also enables the possibility to detect damage in the coating via thermography. Additionally, four acoustic sensors, attached to the experimental setup, are used to detect damage in the sample and determine the source of acoustic events. Results of acoustic emission correlate well with thermographic images that visualize the formation and evolution of damage through delaminations in the samples.     

Compression after impact assessment of self-healing CFRP

The development of advanced fibre-reinforced polymer’s (FRP’s) to achieve performance improvements in engineering structures focuses on the exploitation of the excellent specific strength and stiffness that they offer. However, the planar nature of an FRP’s microstructure results in relatively poor performance under impact loading. Furthermore, significant degradation in material performance can be experienced with minimal visual indication of damage being present, a scenario termed Barely Visible Impact Damage (BVID). Current damage tolerant design philosophies incorporate large margins to account for reduction in structural performance due to impact events, resulting in overweight and inefficient structures. An alternative approach to mitigate impact damage sensitivity can be achieved by imparting the ability for these materials to undergo self-healing. Self-healing composites would allow lighter, more efficient structures and would also offer a potentially substantive increase in design allowables and reduction in maintenance and inspection schedules and their associated costs. This paper considers the development of autonomic self-healing within a carbon fibre-reinforced polymer (CFRP), and demonstrates the significant strength recovery (>90%) possible when a resin filled hollow glass fibre system is distributed at specific interfaces within a laminate, minimising the reduction in mechanical properties whilst maximising the efficiency of the healing event.