Similar literature
 Found 18 similar documents; search time 15 ms
1.
A system-level PHA using the sequence-tree method is presented to perform safety-related digital I&C system SSA. The conventional PHA involves brainstorming among experts on various portions of the system to identify hazards through discussions. However, since the conventional PHA is not a systematic technique, the analysis results depend strongly on the experts’ subjective opinions. The quality of analysis cannot be appropriately controlled. Therefore, this study presents a system-level sequence tree based PHA, which can clarify the relationship among the major digital I&C systems. This sequence-tree-based technique has two major phases. The first phase adopts a table to analyze each event in SAR Chapter 15 for a specific safety-related I&C system, such as RPS. The second phase adopts a sequence tree to recognize the I&C systems involved in the event, the working of the safety-related systems and how the backup systems can be activated to mitigate the consequence if the primary safety systems fail. The defense-in-depth echelons, namely the Control echelon, Reactor trip echelon, ESFAS echelon and Monitoring and indicator echelon, are arranged to build the sequence-tree structure. All the related I&C systems, including the digital systems and the analog back-up systems, are allocated in their specific echelons. This system-centric sequence-tree analysis not only systematically identifies preliminary hazards, but also vulnerabilities in a nuclear power plant. Hence, an effective simplified D3 evaluation can also be conducted.

2.
One of the major concerns when employing digital I&C systems in nuclear power plants is that a digital system may introduce new failure modes, which differ from those of previous analog I&C systems. Various techniques are under development to analyze the hazards originating from software faults in digital systems. Preliminary hazard analysis, failure modes and effects analysis, and fault tree analysis are the most extensively used techniques. However, these techniques are static analysis methods and cannot perform dynamic analysis or analyze the interactions among systems. This research utilizes the “simulator/plant model testing” technique classified in (IEEE Std 7-4.3.2-2003, 2003. IEEE Standard for Digital Computers in Safety Systems of Nuclear Power Generating Stations) to identify hazards which might be induced by nuclear I&C software defects. The recirculation flow system, control rod system, feedwater system, steam line model, dynamic power-core flow map, and related control systems of PCTran–ABWR model were successfully extended and improved. The benchmark against ABWR SAR proves this modified model is capable of accomplishing dynamic system level software safety analysis and is better than the static methods. This improved plant simulation can then further be applied to hazard analysis for operator/digital I&C interface interaction failure study, and the hardware-in-the-loop fault injection study.

3.
4.
This work developed an advanced boiling water reactor (ABWR) feedwater pump and controller model, which was incorporated into Personal Computer Transient Analyzer (PCTran)-ABWR, a nuclear power plant simulation code. The feedwater pump model includes three turbine-driven feedwater pumps and one motor-driven feedwater pump. The feedwater controller includes a one-element/three-element water level controller and a specific feedwater speed controller for each feedwater pump. The performance tests, including step change of dome pressure, feedwater pumps transfer, inadvertent closure of all turbine control valves, and one feedwater pump trip at 100% power, demonstrate the feasibility of dynamic response of stand-alone model and incorporated model. Furthermore, a diversity and defense-in-depth analysis is performed to demonstrate the feasibility for motor-driven feedwater pump as an emergency core cooling system (ECCS) automatic diverse back-up. In Lungmen nuclear power plant (NPP), a diverse manual initiation means for the high pressure core flooder (HPCF) loop C is designed as the back-up of digitalized engineered safety features actuation system (ESFAS). If the motor-driven feedwater pump (MDFWP) can be an automatic digital diverse back-up for ESFAS, Lungmen NPP would be more robust to defend against software common-cause failure (CCF).

5.
This paper presents the architecture for upgrading the instrumentation and control (I&C) systems of a Korean standard nuclear power plant (KSNP) as an operating nuclear power plant. This paper uses the analysis results of KSNP's I&C systems performed in a previous study. This paper proposes a Preparation–Decision–Design–Assessment (PDDA) process that focuses on quality oriented development, as a cyclical process to develop the architecture. The PDDA was motivated from the practice of architecture-based development used in software engineering fields. In the preparation step of the PDDA, the architecture of digital-based I&C systems was setup for an architectural goal. Single failure criterion and determinism were setup for architectural drivers. In the decision step, defense-in-depth, diversity, redundancy, and independence were determined as architectural tactics to satisfy the single failure criterion, and sequential execution was determined as a tactic to satisfy the determinism. After determining the tactics, the primitive digital-based I&C architecture was determined. In the design step, 17 systems were selected from the KSNP's I&C systems for the upgrade and functionally grouped based on the primitive architecture. The overall architecture was developed to show the deployment of the systems. The detailed architecture of the safety systems was developed by applying a 2-out-of-3 voting logic, and the detailed architecture of the non-safety systems was developed by hot-standby redundancy. While developing the detailed architecture, three ways of signal transmission were determined with proper rationales: hardwire, datalink, and network. In the assessment step, the required network performance, considering the worst-case of data transmission was calculated: the datalink was required by 120 kbps, the safety network by 5 Mbps, and the non-safety network by 60 Mbps. The architecture covered 17 systems out of 22 KSNP's I&C systems. 
The architecture is implementable with the equipment developed in South Korea. The architecture can be used as a model to upgrade the existing I&C systems in a planned, large-scale, and one-shot manner. A more detailed architecture down to software level will be developed in the future.

6.
The paper presents two types of a passive safety containment for a near future BWR. They are named Mark S and Mark X containment. One of their common merits is very low peak pressure at severe accidents without venting the containment atmosphere to the environment. The PCV pressure can be moderated within the design pressure. Another merit is the capability to submerge the PCV and the RPV above the core level. The third merit is robustness against external events such as a large commercial airplane crash. Both the containments have a passive cooling core catcher that has radial cooling channels. The Mark S containment is made of reinforced concrete and applicable to a large power BWR up to 1830 MWe. The Mark X containment has the steel secondary containment and can be cooled by natural circulation of outside air. It can accommodate a medium power BWR up to 1380 MWe. In both cases the plants have active and passive safety systems constituting in-depth hybrid safety (IDHS). The IDHS provides not only hardware diversity between active and passive safety systems but also more importantly diversity of the ultimate heat sinks between the atmosphere and the sea water. Although the plant concept discussed in the paper uses well-established technology, plant performance including economy is innovatively and evolutionally improved. Nothing is new in the hardware but everything is new in the performance.

7.
As the use of digital systems in nuclear power plants increases, the reliability of the software becomes one of the important issues in probabilistic safety assessment. In this paper, two viewpoints for a software failure during the operation of a digital system or a statistical software test are identified, and the relation between them is provided. In conventional software reliability analysis, a failure is mainly viewed with respect to the system operation. A new viewpoint with respect to the system input is suggested. The failure probability density functions for the two viewpoints are defined, and the relation between the two failure probability density functions is derived. Each failure probability density function can be derived from the other failure probability density function by applying the derived relation between the two failure probability density functions. The usefulness of the derived relation is demonstrated by applying it to the failure data obtained from the software testing of a real system. The two viewpoints and their relation, as identified in this paper, are expected to help us extend our understanding of the reliability of safety-critical software.

8.
The paper presents variations of a certain passive safety containment for a near future BWR. It is tentatively named Mark S containment in the paper. It uses the operating dome as the upper secondary containment vessel (USCV) to where the pressure of the primary containment vessel (PCV) can be released through the upper vent pipes. One of the merits of the Mark S containment is very low peak pressure at severe accidents without venting the containment atmosphere to the environment. Another merit is the capability to submerge the PCV and the reactor pressure vessel (RPV) above the core level by flooding water from the gravity-driven cooling system (GDCS) pool and the upper pool. The third merit is robustness against external events such as a large commercial airplane crash owing to the reinforced concrete USCV. The Mark S containment is applicable to a large reactor that generates 1830 MW electric power. The paper presents several examples of BWRs that use the Mark S containment. In those examples active safety systems and passive safety systems function independently and constitute in-depth hybrid safety (IDHS). The concept of the IDHS is also presented in the paper.

9.
The main topic of the paper is a discussion on how to combine disparate sources of information in the safety assessment of software-based systems. This is based on experience gained through the licensing process of a programmable system in the Swedish nuclear power plant Ringhals, where a guideline for reviewing software in safety-related systems was applied. One lesson learned from this activity is that the approval of a programmable safety critical system, in particular one which is based on Commercial-Off-The-Shelf software, is based on a combination of disparate sources of information. This combination of information is made in a diagrammatic framework. An emerging methodology to combine information about disparate evidences in a systematic way is based on Bayesian Belief Networks. The objective is to show the link between basic information and the confidence one can have in a system.

10.
This article presents a quantitative evaluation of the reliability of passive systems (RoPS) within the probabilistic safety assessment (PSA) framework for very high temperature reactors (VHTR). VHTRs have unfavorable features in regard to defining a robust failure state. From the viewpoint of PSA, the evaluation of the RoPS as a part of VHTR’s PSA should carefully consider the correct status of a passive system in order to resolve these unfavorable features. This article focuses on the application of multiple states criteria to determine the status of a passive system. Two approaches, i.e., the exceedance probability (EP) model and the stress–strength interference (SSI) model were proposed for the multiple states of the system. A feasibility study has examined the basic features of the proposed approaches by using the reactor cavity cooling system (RCCS) for Korean VHTR. The primary condition for the usefulness of the proposed approaches is that sufficient information should be provided in order to determine the system strengths for the multiple states. With regard to the engineering practice, the EP approach for the multiple states can provide a practical solution concerning the evaluation of the RoPS for VHTR’s PSA.

11.
Design evaluation of emergency core cooling systems using Axiomatic Design
In designing nuclear power plants (NPPs), the evaluation of safety is one of the important issues. As a measure for evaluating safety, this paper proposes a methodology to examine the design process of emergency core cooling systems (ECCSs) in NPPs using Axiomatic Design (AD). This is particularly important for identifying vulnerabilities and creating solutions. Korean Advanced Power Reactor 1400 MWe (APR1400) adopted the ECCS, which was improved to meet the stronger safety regulations than that of the current Optimized Power Reactor 1000 MWe (OPR1000). To improve the performance and safety of the ECCS, the various design strategies such as independency or redundancy were implemented, and their effectiveness was confirmed by calculating core damage frequency. We suggest an alternative viewpoint of evaluating the deployment of design strategies in terms of AD methodology. AD suggests two design principles and the visualization tools for organizing design process. The important benefit of AD is that it is capable of providing suitable priorities for deploying design strategies. The reverse engineering driven by AD has been able to show that the design process of the ECCS of APR1400 was improved in comparison to that of OPR1000 from the viewpoint of the coordination of design strategies.

12.
This paper presents some of the main technical features and insights of the Kozloduy nuclear power plant (NPP) units 5 and 6 probabilistic safety analysis (PSA) level 1. Probabilistic analyses and their applications in Bulgaria were given further impetus in recent years. More than 17 years after the first PSA study in Bulgaria in 1992 today probabilistic analyses receive increasing attention and application than ever before. The Bulgarian regulatory body (BNRA) is also interested in expanding their capability of reviewing and using PSA in plant safety assessments. In November 2008 within the framework of the program financed by European Union (PHARE), a project for assisting the BNRA in establishing the regulatory requirements on the base of PSA was completed. One of the objectives of this project was performance of the independent review of Kozloduy NPP units 5 and 6 PSA. This review was a new impulse for the authors to present in more details of Kozloduy NPP probabilistic assessment studies in the present paper.

13.
This paper presents an overview of instrumentation and control (I&C) systems of a pressurized water reactor (PWR) type nuclear power plant (NPP) in Korea. Yonggwang unit 3, which was constructed as a basis model for a Korea standard nuclear power plant (KSNP), is selected as an example for the presentation. This overview is derived from analyzing the I&C systems based on a top-down approach. The I&C systems consist of 30 systems. The 183 I&C cabinets are also analyzed and mapped to the systems. The overview is focused on an interface between the systems and the cabinets. This information will be used to understand the implementation of the I&C systems and to group the systems for an upgrade.

14.
To estimate the success criteria of an operator's action time for a probabilistic safety/risk assessment (PSA/PRA) of a nuclear power plant, the information from a safety analysis report (SAR) and/or that by using a simplified simulation code such as the MAAP code has been used in a conventional PSA. However, the information from these is often too conservative to perform a realistic PSA for a risk-informed application. To reduce the undue conservatism, the use of a best-estimate thermal hydraulic code has become an essential issue in the latest PSA and it is now recognized as a suitable tool. In the same context, the ‘ASME PRA standard’ also recommends the use of a best-estimate code to improve the quality of a PSA. In Korea, a platform to use a best-estimate thermal hydraulic code called the MARS code has been developed for the PSA of the Korea standard nuclear power plant (KSNP). This study has proposed an estimation method for an operator's action time by using the MARS platform. The typical example case is a small break loss of coolant accident without the high pressure safety injection system, which is one of the most important accident sequences in the PSA of the KSNP. Under the given accident sequence, the operator has to perform a recovery action known as a fast cooldown operation. This study focuses on two aspects regarding an operator's action; one is how they can operate it under some restrictions; the other is how much time is available to mitigate this accident sequence. To assess these aspects, this study considered: (1) the operator's action model and (2) the starting time of the operation. To show an effect due to an operator's action, three kinds of control models (the best-fitting, the conservative, and the proportional-integral) have been assessed. This study shows that the developed method and the platform are useful tools for this type of problem and they can provide a valuable insight related to an operator's actions.

15.
Modeling of spurious activations in safety instrumented systems has been studied for over a decade. The spurious activation of a plant protection system in nuclear power plants (NPPs) leads to increased electricity generation cost. An in-depth view on spurious activation of digital plant protection systems of NPPs for human errors in maintenance tasks is presented in this paper. A new model which considers human errors in maintenance and periodic tests to predict component failure rates is presented. The model has been applied to OPR-1000 reactor protection system for quantification of spurious trip frequency by fault-tree analysis. The major causes of spurious activation in a nuclear reactor protection system are identified. A set of case studies has been performed with the variation of magnitudes of human errors probability and maintenance strategies, in which, the human errors in maintenance are found to significantly influence reactor spurious trip frequency. This study is expected to provide a useful mean to designers as well as maintainers of the digital reactor protection system to improve plant availability and safety.

16.
17.
Advanced nuclear water reactors rely on containment behaviour in realization of some of their passive safety functions. Steam condensation on containment walls, where non-condensable gas effects are significant, is an important feature of the new passive containment concepts, like the AP600/1000 ones. In this work the international reactor innovative and secure (IRIS) was taken as reference, and the relevant condensation phenomena involved within its containment were investigated with different computational tools. In particular, IRIS containment response to a small break LOCA (SBLOCA) was calculated with GOTHIC and RELAP5 codes. A simplified model of IRIS containment drywell was implemented with RELAP5 according to a sliced approach, based on the two-pipe-with-junction concept, while it was addressed with GOTHIC using several modelling options, regarding both heat transfer correlations and volume and thermal structure nodalization. The influence on containment behaviour prediction was investigated in terms of drywell temperature and pressure response, heat transfer coefficient (HTC) and steam volume fraction distribution, and internal recirculating mass flow rate. The objective of the paper is to preliminarily compare the capability of the two codes in modelling of the same postulated accident, thus to check the results obtained with RELAP5, when applied in a situation not covered by its validation matrix (comprising SBLOCA and to some extent LBLOCA transients, but not explicitly the modelling of large dry containment volumes). The option to include or not droplets in fluid mass flow discharged to the containment was the most influencing parameter for GOTHIC simulations. Despite some drawbacks, due, e.g. to a marked overestimation of internal natural recirculation, RELAP5 confirmed its capability to satisfactorily model the basic processes in IRIS containment following SBLOCA.

18.
This paper presents the results of thermal-hydraulic calculations of a large break loss of coolant accident (LBLOCA) analysis for a VVER-1000/V446 unit at Bushehr nuclear power plant (BNPP). LBLOCA is analyzed in two different beyond design basis accident (BDBA) scenarios using the RELAP5/MOD3.2 best estimate code. The scenarios are LBLOCA with station blackout (SBO) and LBLOCA with pump re-circulation blockage which have been evaluated in the final safety analysis report (FSAR) of BNPP. A model of VVER-1000 reactor based on Unit 1 of BNPP has been developed for the RELAP5/MOD3.2 thermal-hydraulics code; it consists of 4-loop primary and secondary systems with all their relevant sub-systems important to safety analysis. The analysis is performed without regard for operator's actions on accident management. The safety analysis is carried out and the results are checked against the acceptance criteria which are the possibility of using water inventory in the emergency core cooling system (ECCS) accumulators and the KWU tanks for core cooling and the available time to operators before the maximum design limit of fuel rod cladding damage is reached. These kinds of analyses are performed to provide the response of monitored plant parameters to identify symptoms available to the operators, timing of the loss of critical safety functions and timing of operator actions to avoid the loss of critical safety functions of core damage. The results of performed analyses show that the operators have 2.9 and 3.1 h for LBLOCA with SBO and LBLOCA with pump re-circulation blockage scenarios, respectively, before the fuel rod cladding rupture. The results are also compared with the BNPP FSAR data.
