International Conference Nuclear Energy for New Europe 2009, Bled / Slovenia / September 14-17
Proposal for a Suitable Strategy of Exceedance Frequency Computation. Implementation on SCAIS Simulation-Based Safety Code Cluster

José M. Izquierdo, Javier Hortal, Miguel Sánchez, Enrique Meléndez
Consejo de Seguridad Nuclear (CSN), c/ Justo Dorado 11, 28040 Madrid, Spain

César Queral, Israel Cañamón, Antonio Expósito, Gabriel Rodríguez, Luisa Ibáñez
ETSI Minas (Universidad Politécnica de Madrid, UPM), c/ Alenza 4, 28003 Madrid, Spain

Jesús Gil, Iván Fernández, Santiago Murcia
Indizen Technologies S.L., av/ Pablo Iglesias 2-3ºB-2, 28003 Madrid, Spain

ABSTRACT

The process of Safety Margin Assessment, as proposed in the SMAP framework [1], is based on the identification of the Risk Space and the extensive application of uncertainty analysis methods with the objective of obtaining an estimation of the Exceedance Frequencies (EF) of specified safety limits. The Risk Space can be understood as an extension of both the PSA (Probabilistic Safety Assessment) event trees and the design scenarios, aimed at including every possible malfunction susceptible to challenge any safety limit of interest. This paper surveys the work performed to extend the current capabilities of SCAIS with suitable modules that obtain a realistic estimation of EF as figures of merit of safety margins that merge both deterministic and probabilistic information of the safety case being assessed. SCAIS (Simulation Code System for Integrated Safety Assessment, [2]) is a simulation-based computational framework being developed by CSN with the help of UPM and Indizen, which implements the CSN integrated PSA approach for independent assessment of safety studies.

1 INTRODUCTION
The process of Safety Margin Assessment, as proposed in the SMAP framework [1], is based on the identification of the Risk Space and the extensive application of uncertainty analysis methods aiming to obtain an estimation of the EF of specified safety limits. The Risk Space can be understood as an extension of both the PSA event trees and the design scenarios, aimed at including every possible malfunction susceptible to challenge any safety limit of interest. The additional malfunctions are included in the event trees associated with the combination of each safety limit and initiating event. CSN, with the help of UPM and Indizen, is developing SCAIS [2, 3], a simulation-based computational framework implementing the CSN integrated PSA approach (ISA) for independent assessment of safety studies. Efforts are now being directed to extend its current capabilities (automatic event tree delineation, coupled simulation of plant dynamics and operator actions, coupling of different simulation codes depending on phenomenology requirements) with suitable modules able to obtain a realistic estimation of EF as figures of merit of safety margins, merging both deterministic and probabilistic information of the safety case being assessed.

The theoretical framework that guides the computational approach for the EF calculation is the so-called TSD (Theory of Stimulated Dynamics, [4]). The framework: (1) introduces the main concepts of Deterministic and Non-deterministic (Stochastic) Headers, Dynamic Events and Dynamic Sequences, and Damage Domain of a Sequence, and (2) proposes the use of an extensive Uncertainty Analysis considering all the stochastic items within the sequence. These two elements of the approach are represented in SCAIS through two computational modules, respectively called Path Analysis and Risk Assessment. This paper surveys the work performed to extend the current capabilities of SCAIS with these two modules.

2 SCAIS DESCRIPTION
SCAIS (Simulation Code System for Integrated Safety Assessment) is a simulation software package developed to support the practical application of the Integrated Safety Analysis (ISA) methodology [2]. This diagnostic method is based on advanced dynamic reliability techniques on top of classical PSA and deterministic tools, and aims to independently check the validity and consistency of many assumptions used by the licensees in their safety assessments. Apart from the theoretical approach that is at the basis of the method [1, 4], application of ISA requires a set of computational tools, which in practice implies an intensive use of code coupling techniques to combine typical thermal-hydraulic (TH) analysis, severe accident and probability calculation codes together with modules for the simulation of operator actions. The final goal is to dynamically generate the event tree (Dynamic Event Tree, DET) that stems from an initiating event, improving on the conventional static PSA approach. This simulation technique is called tree simulation.
Figure 1: Block diagram of the SCAIS general scheme
Proceedings of the International Conference Nuclear Energy for New Europe, Bled, Slovenia, Sept. 14-17, 2009
2.1 SCAIS Components
To achieve this goal the SCAIS scheme (Figure 1) couples at each time step [2]: a) simulation of nuclear accident sequences resulting from an initiating event (i.e., simulation of TH, severe accident phenomenology and fission product transport); b) simulation of operating procedures and severe accident management guidelines; c) automatic delineation (with no a-priori assumptions) of event and phenomena trees; d) probabilistic quantification of fault trees and sequences; and e) integration and statistical treatment of risk metrics. Current SCAIS development includes as main elements (Figure 2):

(1) Event Scheduler (DENDROS). It drives the dynamic simulation of the different incidental sequences. Its design guarantees modularity of the overall system and the parallelization of the event tree generation. Designed as a separate process, it controls the branch opening and coordinates the different processes that play a role in the generation of the DET. The idea is to use the full capabilities of a distributed computational environment, allowing the maximum number of processors to be active. The scheduler arranges for the opening of a new branch whenever certain conditions are met, and stops the simulation of any particular branch that has reached an absorbing state. It must also know the branch probability in order to decide which branch is suitable for further development. Each new branch is started in a separate process, spawning a new transient simulator process initialized from the transient conditions at the time of the branching. This saves a substantial amount of computation time, since common parts of the sequences are not recomputed.

(2) Probability Calculator module. It incrementally performs the Boolean product of the fault trees corresponding to each system that intervenes in the sequence, additionally computing its probability. The fault trees used for the probability calculations are of the same type as those of PSA studies, which in some cases are indeed directly applicable. This imposes a strong computational demand that is optimized by preprocessing the header fault trees as much as possible. The current approach aims to use fast on-line probability computation based on the representation of fault trees using the Binary Decision Diagram (BDD) formalism, fed from the industry models [5].

(3) Simulation Driver (BABIECA). This is the consolidated simulation driver that solves step by step topologies of block diagrams. A standardized (i.e., non code-specific) linkage method has also been defined and implemented to incorporate other single-application oriented codes as block-modules, using parallel techniques. The BABIECA driver also allows changing the simulation codes at any time to fit the model to the instantaneous conditions, depending on the needs of the given simulation. Two coupling approaches, namely by boundary and by initial conditions, have been implemented [6], providing useful flexibility for an easier management of large simulation models.

(4) Plant Models. Sequences obtained in ISA very often involve a wide range of phenomena not covered by a single simulation code. A plant model suitable for ISA purposes does not then comprise a single input deck for just one code, but several inputs for several codes, each one being responsible for the simulation of certain phenomena. Codes such as MELCOR, MAAP, RELAP and TRACE can be adapted to perform tree simulations under control of the scheduler. At present, MAAP4 and TRACE are coupled to BABIECA to build up a distributed plant simulation. MAAP4 performs the calculation of the plant model when the transient reaches severe accident conditions, being then initialized with the appropriate transient conditions. Some parts of the simulation (especially the operator actions, but also control systems) may still be performed by the original code and the appropriate signals transferred as boundary conditions.

(5) Simulator of Procedures (SIMPROC). Emergency Operation Procedures (EOPs) are a very complex set of prescriptions, essential to the sequence development and branching and hard to represent in detailed codes. SIMPROC is the tool that simulates events related to human actions [7].
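The incremental Boolean product performed by the Probability Calculator in item (2) can be illustrated with a small reduced ordered BDD. The following Python is an added example, not SCAIS code: the two header fault trees (high- and low-pressure safety injection failing when their own pump fails or the shared CCW support system is lost), the basic-event names CCW, P1, P2 and their probabilities are constructed for illustration. It shows why the product has to be taken on the Boolean functions rather than on header probabilities: with a shared basic event, multiplying header probabilities overestimates the sequence probability by an order of magnitude in this case.

```python
"""Exact sequence probability via an incremental Boolean product of header
fault trees represented as a reduced ordered BDD (illustrative, not SCAIS code)."""
import operator


class BDD:
    """Reduced ordered BDD. The ints 0 and 1 are the terminals; any other node
    id maps to a (variable, low, high) triple in self.nodes."""

    def __init__(self, order):
        self.rank = {v: i for i, v in enumerate(order)}  # fixed variable ordering
        self.nodes = {}     # id -> (var, low, high)
        self.unique = {}    # (var, low, high) -> id  (hash-consing keeps it reduced)
        self.cache = {}     # (op, f, g) -> id       (apply memo table)

    def mk(self, var, low, high):
        if low == high:                  # redundant test: drop the node
            return low
        key = (var, low, high)
        if key not in self.unique:
            nid = len(self.nodes) + 2    # ids 0 and 1 are reserved for terminals
            self.nodes[nid] = key
            self.unique[key] = nid
        return self.unique[key]

    def var(self, name):
        """Diagram for basic event `name` being TRUE (failed)."""
        return self.mk(name, 0, 1)

    def apply(self, op, f, g):
        """Combine two diagrams with a binary op on {0,1} by Shannon expansion
        on the earliest variable (in the ordering) found at the two roots."""
        if f in (0, 1) and g in (0, 1):
            return op(f, g)
        key = (op, f, g)
        if key not in self.cache:
            vf = self.nodes[f][0] if f not in (0, 1) else None
            vg = self.nodes[g][0] if g not in (0, 1) else None
            top = min((v for v in (vf, vg) if v is not None), key=self.rank.get)
            f0, f1 = self.nodes[f][1:] if vf == top else (f, f)
            g0, g1 = self.nodes[g][1:] if vg == top else (g, g)
            self.cache[key] = self.mk(top, self.apply(op, f0, g0),
                                      self.apply(op, f1, g1))
        return self.cache[key]

    def AND(self, f, g):
        return self.apply(operator.and_, f, g)

    def OR(self, f, g):
        return self.apply(operator.or_, f, g)

    def NOT(self, f):
        return self.apply(operator.xor, f, 1)

    def prob(self, f, p):
        """Exact P(f = 1) for independent basic events with P(var = 1) = p[var]:
        one pass over the diagram, weighting each branch by its variable's probability."""
        memo = {}

        def walk(n):
            if n in (0, 1):
                return float(n)
            if n not in memo:
                var, low, high = self.nodes[n]
                memo[n] = (1.0 - p[var]) * walk(low) + p[var] * walk(high)
            return memo[n]

        return walk(f)


def sequence_probability(bdd, header_status, p):
    """Incremental Boolean product: start from TRUE and AND in each header as it is
    met along the sequence, either as the failed header (True) or its negation
    (False). The running diagram is what a scheduler would keep per branch."""
    seq = 1
    for header, failed in header_status:
        seq = bdd.AND(seq, header if failed else bdd.NOT(header))
    return bdd.prob(seq, p)


def demo():
    """Constructed example: two safety-injection headers that share the CCW
    support system. Sequence = HPSI fails, then LPSI succeeds."""
    order = ["CCW", "P1", "P2"]              # shared event first keeps the BDD small
    b = BDD(order)
    ccw, p1, p2 = (b.var(v) for v in order)
    hpsi_fails = b.OR(p1, ccw)               # HPSI pump fault OR CCW lost
    lpsi_fails = b.OR(p2, ccw)               # LPSI pump fault OR CCW lost
    p = {"CCW": 1e-2, "P1": 1e-3, "P2": 2e-3}  # hypothetical basic-event probabilities
    exact = sequence_probability(b, [(hpsi_fails, True), (lpsi_fails, False)], p)
    # Naive product of header probabilities ignores the shared CCW dependency
    naive = b.prob(hpsi_fails, p) * (1.0 - b.prob(lpsi_fails, p))
    return exact, naive


if __name__ == "__main__":
    exact, naive = demo()
    print(f"exact sequence probability: {exact:.4e}")
    print(f"naive header product:       {naive:.4e}")
```

The exact value equals P(P1)·(1−P(CCW))·(1−P(P2)): the negated LPSI header forces CCW to be available, which removes the CCW term from the HPSI header as well, something a product of header probabilities cannot see. Putting the shared event first in the ordering is the kind of choice the variable-ordering work in [5] addresses.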
Figure 2: Current SCAIS architecture
3 PATH ANALYSIS AND RISK ASSESSMENT MODULES
As referred to above, the process of Safety Margin Assessment proposed in SMAP has the objective of obtaining an estimation of the EF of specified safety limits, as figures of merit of safety margins collecting and merging deterministic and probabilistic information. Given a sequence, i.e., an ordered set of discrete events, there are several or many possible plant transients matching the specified sequence and differing in the timing of the events or in the initial and boundary conditions. From this point of view, a sequence can be considered as a group of plant transients in which the same events occur in the same order. In the context of level 1 PSA, event tree sequences are classified as “success” or “core damage” depending on whether the safety limits representing sequence success criteria are expected to be exceeded or not. However, the end state of a sequence is actually uncertain because, in general, it could be different depending on the particular transient within the sequence. Given a particular safety limit, the objective of the uncertainty analysis applied to the Risk Space sequences is to calculate the contribution of each sequence to the limit EF. When all these contributions are aggregated, the EF of the safety limit is obtained, i.e., the collective frequency of all possible plant transients resulting in consequences beyond the specified limit. Differences between transients (also called paths in the context of TSD) of the same sequence result from the consideration of the uncertainty in timing of operator actions (mainly due to their decision-making process) and/or stochastic phenomena, or from uncertainty in the values of model parameters, initial and boundary conditions. According to the TSD formulation, dynamic events can only occur if a specific stimulus has been previously activated.

In order to calculate the contribution of a path to the EF, it is necessary to characterize the type and timing of stimuli activation events, as well as the timing and type of the dynamic events of the path. Each single path, identified by a particular sample of uncertain items, corresponds to a single deterministic transient that may be simulated with standard simulation tools, which provide the required information. The identification and characterization of paths within a sequence is designated within TSD as Path Analysis. The main objective is to identify the set of paths of each sequence that result in exceedance of the analyzed limit. This set is called the “damage domain” of the sequence. As the outlined process would eventually demand simulation of a huge number of paths, the door is open for developing simulation techniques that may be very fast at exploring the generation of damage and/or the activation of stimuli of dynamic events, starting from a few representative sequence path simulations. Finally, the Risk Assessment module would compute the contribution of each sequence to the limit EF by integrating TSD equations along the identified damage domain. This integration process would be fed with both: a) the stochastic header information collected during the Path Analysis phase, and b) the deterministic header information characterized by classical PSA fault tree (FT) models. This computation implies a sort of uncertainty analysis applied to the Risk Space sequences. Aggregation of all the contributions from this uncertainty analysis (i.e., the collective frequency of all the possible plant transients with consequences beyond the limit) leads to the computation of the EF of the safety limit.
Figure 3: Flow diagram of the exceedance frequency computation

3.1 Flow Diagram
The whole process of EF computation is summarized in [8] and in Figure 3, where both types of uncertainty (timing and parameter) are taken into account. The whole diagram represents a multiple-level, iterative process, as indicated by several feedback loops. The first iteration of the outermost loop begins with the specification of an initiating event and a set of possible subsequent events, the safety limit to be analyzed and the initial simulation model with its relevant uncertain parameters. From the specified set of events, a particular dynamic sequence is selected. It is advisable to calculate sequences in increasing order of the number of events. Note that if an event E_{N+1} is added to a sequence composed of events E_1 to E_N and the new event is a protection intervention, the search for the damage domain of the new sequence can be initiated from the damage domain of the previous sequence. It is assumed that a safe transient can never become a damage transient as a result of the intervention of a non-spurious protection. In some cases, it is possible to conclude from a qualitative analysis that all the transients in the sequence are safe or that all of them result in damage. In these cases, the sequence contribution is either 0 or the whole sequence frequency, which can be calculated with traditional PSA methods; no additional analysis is required and the analysis may proceed with the next sequence. When a sequence needing detailed analysis is found, it is necessary to define an initial sampling of the stochastic event times. In parallel, once the adequate simulation model has been selected, its uncertain parameters must be identified, characterized by their probability distributions, and sampled.

3.2 Components of SCAIS Path Analysis and Risk Assessment Modules
The Path Analysis Module manages the whole path generation process, aiming at the precise characterization of the damage domain (size, shape, limits) for the selected sequence. Its main components are: (1) the Path Analysis Parser, which reads the path simulation definition file, checks its syntax, writes to the database and loads the Path Generator module; (2) the Path Generator Module, which loads the nominal path and opens new simulation branches by applying the different delays defined by the Path Analysis scheduler; (3) the Mesh-Time Module, which manages the density of the time grid used to generate uncertain time samples; and (4) the Data Base, currently the one used in the SCAIS system. This architecture allows all components to share and transfer data in the same way as other SCAIS components. Figure 4 shows how SCAIS will share and handle specific data through the new components that will be developed to implement the Path Analysis features. The Risk Assessment Module finally obtains the EF by integrating TSD equations on the generalized volume represented by the damage domain identified at the previous stage of Path Analysis.
Figure 4: Path Analysis and Risk Assessment object model

4 APPLICATION TO LOSS OF CCW INITIATOR
A full-scale test application of this integrated software package is being developed within the SM2A project. The specific objective of this analysis is to demonstrate the methodology and to check the tool by assessing changes in EF, as an indication of changes in safety margins, in the case of a power uprate to 110% in Zion NPP. Due to strong time constraints, the exercise is limited to the effect on the EF of the 1204 ºC limit for the peak cladding temperature (PCT). The initiator being assessed by CSN is the Loss of Component Cooling Water (CCW). The analysis performed so far has focused on finding the damage domain of two sequences where a seal LOCA is assumed to occur after the loss of CCW. Safety injection and/or depressurization and cooling through the secondary side are required to avoid the limit exceedance. Availability of high pressure and low pressure safety injection depends on the recovery of the CCW system. The recovery time has been one of the uncertain items considered in the analysis. Depressurization and cooling through the secondary side is an operator action, also occurring at an uncertain time. Using these two uncertain times as coordinate axes, it is possible to represent the damage domains of the two analyzed sequences. As an example, Figure 5 shows the damage domains of the sequence where no failure is assumed except possibly for the accumulators. None of the paths grouped in this sequence includes accumulator water injection, either because it is not actually demanded (the system pressure remaining above the injection pressure) or because it is demanded but fails. Figure 5a corresponds to the initial power conditions (100%) while Figure 5b shows the impact of the power uprate on the damage domain boundaries.
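The flow of Section 3.1 and the two-uncertain-time representation just described can be exercised end to end with a small script. The following Python is an added example, not SCAIS or SM2A code: the plant simulator is replaced by a constructed linear heat-up surrogate (pct_surrogate, with hypothetical numbers), the CCW recovery and operator depressurization times are given constructed exponential distributions (REC_RATE, DEP_RATE), and the sequence frequencies in SEQUENCES are hypothetical. It walks through the sequence-level steps the paper describes: sample or grid the uncertain times (the Mesh-Time idea), classify each path against the 1204 ºC limit to map the damage domain, integrate the probability mass inside it and multiply by the sequence frequency, apply the qualitative all-safe/all-damage shortcut, aggregate to the limit EF, and compare 100% and 110% power as in Figure 5.

```python
"""Exceedance-frequency (EF) contribution of one dynamic sequence, obtained by
mapping its damage domain over the two uncertain event times and integrating the
probability mass found inside it (illustrative code, not SCAIS)."""
import math
import random

PCT_LIMIT_C = 1204.0   # cladding temperature limit analysed on the page (ºC)

# Stochastic header characterisation, constructed for the example: exponential
# CCW recovery time with mean 6 h and exponential operator depressurisation
# time with mean 2 h (rates in 1/h). A real study would fit these to data.
REC_RATE = 1.0 / 6.0
DEP_RATE = 1.0 / 2.0


def pct_surrogate(t_rec, t_dep, power_fraction=1.0):
    """Constructed stand-in for the TH simulation of a seal-LOCA path: the clad
    heats up linearly after loss of cooling and stops heating when either CCW is
    recovered (safety injection returns) or the operator depressurisation takes
    effect (a fixed 1.5 h lag after the action). Heat-up rate scales with power.
    The numbers are hypothetical, not plant data."""
    t_stop = min(t_rec, t_dep + 1.5)                  # first mitigating action wins
    return 600.0 + 60.0 * power_fraction * t_stop


def in_damage_domain(t_rec, t_dep, power_fraction=1.0):
    """A path (one sample of the uncertain times) belongs to the damage domain
    when its transient exceeds the limit."""
    return pct_surrogate(t_rec, t_dep, power_fraction) > PCT_LIMIT_C


def grid_contribution(seq_freq, power_fraction=1.0, t_max=48.0, dt=0.1):
    """Mesh-time style integration: tile the (t_rec, t_dep) plane with cells of
    width dt, give each cell the probability mass of the two independent time
    distributions, and add up the mass of the cells whose centre lies in the
    damage domain. Returns (P(damage | sequence), EF contribution = seq_freq * P)."""
    def mass(rate, k):       # probability that an exponential time falls in cell k
        return math.exp(-rate * k * dt) - math.exp(-rate * (k + 1) * dt)
    n = int(round(t_max / dt))
    dep_mass = [mass(DEP_RATE, j) for j in range(n)]
    p_damage = 0.0
    for i in range(n):
        t_rec = (i + 0.5) * dt
        m_rec = mass(REC_RATE, i)
        for j in range(n):
            if in_damage_domain(t_rec, (j + 0.5) * dt, power_fraction):
                p_damage += m_rec * dep_mass[j]
    return p_damage, seq_freq * p_damage


def sampled_contribution(seq_freq, power_fraction=1.0, n_paths=100_000, seed=1):
    """Path-sampling alternative: every sample is one path of the sequence; the
    damage-domain probability is the fraction of paths exceeding the limit."""
    rng = random.Random(seed)
    hits = sum(in_damage_domain(rng.expovariate(REC_RATE), rng.expovariate(DEP_RATE),
                                power_fraction) for _ in range(n_paths))
    p_damage = hits / n_paths
    return p_damage, seq_freq * p_damage


def exceedance_frequency(sequences, power_fraction=1.0):
    """Aggregate the limit EF over the Risk Space sequences. A sequence shown
    qualitatively to be all-safe contributes 0, an all-damage sequence contributes
    its whole (PSA-style) frequency, and only the remaining ones need the
    damage-domain integration."""
    ef = 0.0
    for _name, freq, verdict in sequences:
        if verdict == "all_damage":
            ef += freq
        elif verdict == "uncertain":
            ef += grid_contribution(freq, power_fraction)[1]
        # "all_safe": contributes nothing
    return ef


# Constructed Risk Space for the loss-of-CCW initiator; frequencies are hypothetical.
SEQUENCES = [
    ("Loss of CCW, no seal LOCA", 3e-3, "all_safe"),
    ("Loss of CCW + seal LOCA, no equipment failure", 1e-4, "uncertain"),
    ("Loss of CCW + seal LOCA, SI and secondary cooling failed", 2e-7, "all_damage"),
]

if __name__ == "__main__":
    for power in (1.0, 1.1):
        p, c = grid_contribution(1e-4, power)
        p_mc, _ = sampled_contribution(1e-4, power)
        print(f"power {power:.0%}: P(damage)={p:.3e} (grid) {p_mc:.3e} (sampled), "
              f"sequence contribution={c:.3e}/yr, "
              f"EF={exceedance_frequency(SEQUENCES, power):.3e}/yr")
```

The grid integration is deterministic and its error shrinks with dt; the sampled estimate converges only as 1/sqrt(n_paths), which matters when each path is an expensive TH run and is why the paper points at fast exploration techniques seeded from a few representative path simulations. Raising power_fraction moves the damage boundary towards shorter times, so the domain grows and the contribution rises, the effect Figure 5b shows for the real model; the real boundaries are not straight lines, so no closed form replaces the integration there.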
Although the EF quantification has not been performed yet, some remarks are noteworthy. Most of the damage domains are expected to be located in low probability regions (otherwise, the plant would be very unsafe). In this case, however, the damage domain includes paths where no equipment failure is assumed. They are still low probability paths due to the long recovery and/or depressurization times involved, but the lack of failed equipment could result in a noticeable contribution to the EF. On the other hand, the unexpected complexity of the damage domain boundaries indicates that bounding approaches to the calculation of EF are, in principle, not recommended and, if they are used, extreme care should be applied.
Figure 5: Loss of CCW. Damage domains of sequences with no accumulator injection. a) Damage domain at 100 % power; b) Impact of power uprate on damage domain.

5 CONCLUSIONS
An overview of CSN methods and simulation packages to perform independent safety assessments to judge nuclear industry PSA-related safety cases has been presented. These developments arise from the need to develop diagnosis tools and methods for TSOs to perform their own computerized analysis to verify the quality, consistency and conclusions of day-to-day individual industry safety assessments, in such a way that the consistency of probabilistic and deterministic aspects can be maintained. Emphasis has been placed on the development of the new SCAIS modules (Path Analysis and Risk Assessment modules) to compute the Exceedance Frequency, the figure of merit for safety margin assessment proposed as a result of the SMAP CSNI/NEA task group activities. Preliminary results of the application of the method to the assessment of a power uprate in a PWR plant, currently being performed within the CSNI/NEA SM2A task group, have also been reported to illustrate the method.

REFERENCES

[1] SMAP Task Group (2007). Safety Margins Action Plan. Final Report. Technical Report NEA/CSNI/R(2007)9, Nuclear Energy Agency, Committee on the Safety of Nuclear Installations, http://www.nea.fr/html/nsd/docs/2007/csni-r2007-9.pdf

[2] J.M. Izquierdo, J. Hortal, M. Sanchez-Perea, E. Melendez, R. Herrero, J. Gil, L. Gamo, I. Fernandez, J. Esperón, P. Gonzalez, C. Queral, A. Exposito and G. Rodríguez. “SCAIS (Simulation Code System for Integrated Safety Assessment): Current status and applications”. Proc. ESREL 08, Valencia, Spain.
[3] J.M. Izquierdo, J. Hortal, M. Sanchez-Perea, E. Melendez, R. Herrero, G. Rodríguez, C. Queral, A. Exposito, F. J. Elorza, J. Gil, I. Fernandez, J. Esperón. “Status of the Integrated Safety Assessment Methodology and its Applications”, Proc. Int. Conf. Nuclear Energy for New Europe 2008, Portorož, Slovenia, September 8-11, 2008.

[4] J.M. Izquierdo, I. Cañamón, “TSD, a SCAIS suitable variant of the SDTPD”, Proc. Int. Conf. of the European Safety and Reliability ESREL 2008, Valencia, Spain.

[5] C. Ibañez, E. Meléndez, “Variable Ordering Schemes to apply to the Binary Decision Diagram methodology for Event Tree Sequences Assessment”, Proc. Int. Conf. of the European Safety and Reliability, ESREL 06, Estoril, Portugal.

[6] R. Herrero. “Standardization of code coupling for integrated safety assessment purposes”. Technical meeting on progress in development and use of coupled codes for accident analysis, IAEA, Vienna, 26-28 November 2003.

[7] I. Fernández, J. Gil, S. Murcia, J. Gomez, J.M. Izquierdo, J. Hortal, M. Sánchez, E. Meléndez, C. Queral, A. Expósito, G. Rodríguez, L. Ibañez. “A Code for Simulation of Human Failure Events in Nuclear Power Plants: SIMPROC”, Proc. Int. Conf. Nuclear Energy for New Europe 2008, Bled, Slovenia, September 14-16, 2009.

[8] J. Hortal, J.M. Izquierdo, “Exceedance Frequency Calculation Process in Safety Margin Studies”, SM2A project, internal document, 2008.