spatial hazards and dependencies · • external floods – explicit analyses and important...
TRANSCRIPT
Spatial Hazards and
DependenciesLecture 6-2
1
Key Topics
• Spatial dependencies – concept and potential
importance
• General approaches for selected hazards
– Internal fires
– Internal floods
– Seismic events
– External floods
2
Overview
Resources
• American Nuclear Society and the Institute of Electrical and Electronics Engineers, “PRA
Procedures Guide,” NUREG/CR-2300, January 1983
• Electric Power Research Institute and U.S. Nuclear Regulatory Commission Office of
Nuclear Regulatory Research, “EPRI/NRC-RES Fire PRA Methodology for Nuclear
Power Facilities,” EPRI 1011989 and NUREG/CR-6850, Electric Power Research
Institute (EPRI), Palo Alto, CA and U.S. Nuclear Regulatory Commission, Washington,
DC, 2005.
• K.N. Fleming and B. Lydell, “Guidelines for Performance of Internal Flooding Probabilistic
Risk Assessment,” EPRI 1019194, Electric Power Research Institute, Palo Alto, CA,
December 2009.
• V.M. Andersen, et al., “Seismic Probabilistic Risk Assessment Implementation Guide,”
EPRI 3002000709, Electric Power Research Institute, Palo Alto, CA, December 2013.
• L. Shaney and D. Miller, “Identification of External Hazards for Analysis in Probabilistic
Risk Assessment: Update of Report 1022997,” EPRI 3002005287, Electric Power
Research Institute, Palo Alto, CA, October 2015.
• Subcommittee on Disaster Reduction https://www.sdr.gov/
3
Overview
Other References
• Electric Power Research Institute and U.S. Nuclear Regulatory Commission Office of
Nuclear Regulatory Research, “Fire Probabilistic Risk Assessment Methods
Enhancements: Supplement 1 to NUREG/CR-6850 and EPRI 1011989,” EPRI 1019259
and NUREG/CR-6850 Supplement 1, Electric Power Research Institute (EPRI), Palo
Alto, CA and U.S. Nuclear Regulatory Commission, Washington, DC, 2009.
• M. Kazarians, N. Siu, and G. Apostolakis, “Fire risk analysis for nuclear power plants:
methodological developments and applications, Risk Analysis, 5, 33-51, 1985.
• N. Siu, N. Melly, S. P. Nowlen, and M. Kazarians, “Fire Risk Assessment for Nuclear
Power Plants,” The SFPE Handbook of Fire Protection Engineering, 5th Edition,
Springer-Verlag, New York, 2016.
• Siu, N., K. Coyne, and N. Melly, “Fire PRA maturity and realism: a technical evaluation,”
U.S. Nuclear Regulatory Commission, March 2017. (ADAMS ML17089A537)
• U.S. Nuclear Regulatory Commission, “Workshop on Probabilistic Flood Hazard
Assessment,” Rockville, MD, 2013. https://www.nrc.gov/public-involve/public-
meetings/meeting-archives/research-wkshps.html
4
Overview
Other References (cont.)
• K.N. Fleming, “Development of Pipework System Failure Rates: Where Do the
Numbers Come From and Why Should We Believe Them?,” CRA UK 5th
Probabilistic Safety Analysis and Human Factors Assessment Forum, September
17-18, 2014.
• Lydell, B., K.N. Fleming, and J.-F. Roy, “Analysis of possible aging trends in the
estimation of piping system failure rates for internal flooding PRA,” Proceedings of
14th International Conference on Probabilistic Safety Assessment and Management
(PSAM 14), Los Angeles, CA, September 16-21, 2018.
• N. Siu, et al., “Qualitative PRA insights from operational events,” Proceedings of
14th International Conference on Probabilistic Safety Assessment and Management
(PSAM 14), Los Angeles, CA, September 16-21, 2018.
5
Overview
Some Well-Known Operational Events
• Browns Ferry (1975)– Candle used to check penetration sealing ignites sealant
(polyurethane foam)
– Fire spreads to multiple cable trays in Units 1 and 2
– Fire fighters reluctant to use water on electrical fire; fire burns 7 hours
– Complicated shutdown using non-safety injection source
• Fukushima Dai-ichi (2011)– Earthquake trips operating reactors (Units 1-3)
– Subsequent tsunami causes SBO, eventual core melt and release
– Non-operating units (Units 5 and 6) also severely challenged
– Varying challenges (some severe) at other plants (Fukushima Dai-ni,
Onagawa, Higashidori, Tokai Dai-ni)
6
Concept
Some Other Notable Operational Events
• Gundremmingen (1977) – Cold-weather LOOP led to RCS overfill, flow through safety relief valves, 3m water in containment
• Narora (1983) – 17 hour SBO caused by turbine blade failure, subsequent hydrogen explosion and fire
• Blayais (1999) – multi-unit LOOP and LOSW due to beyond-design basis hazard combination (high winds, wind-driven waves, storm surge, high tide)
• Maanshan (2001) – salt spray caused LOOP; subsequent HEAF led to 2-hour SBO
• Arkansas One (2013) – main generator stator drop caused multi-unit LOOP, auxiliary and turbine building flooding in Unit 2
• St. Lucie (2014) – local intense precipitation flooded auxiliary building through unsealed conduits
7
Concept
Spatial Dependencies
• Multiple components and their supporting components
(cables, pipes, etc.) can be vulnerable to shared
environmental hazards
• Defenses against specific hazards might/might not be
effective against others. Examples:
– Fire doors and seals might fail against hydrostatic loads
– Watertight doors designed against hydrostatic loads might not
withstand dynamic loadings (e.g., from an incoming tsunami)
• “Spatial interactions analysis” identifies potentially
important locations and combinations of locations
(where failure of barriers is possible)
8
“Dependency” => failure
events are not independent
Concept
Cautions
• Large variations in plant layouts, even for “standardized designs”
(if designers are not thinking of spatial dependencies)
• Natural collection points (e.g., control room, cable spreading
room, switchgear rooms, cable vaults, penetration areas) are of
special interest
• Important risk contributors can come from detailed layout features
(e.g., space between cable trays for redundant divisions,
elevations and obstacles affecting likely flooding paths)
9
Concept
A well-documented walkdown is a critical element of
internal and external hazards analyses
Simplified Plant Layout (Schematic)
10
N
Plan View
Main Control
Room
Turbine Building
Auxiliary Building
Fuel & Radwaste Building
Containment
(Unit 1)
Containment
(Unit 2)
Section View
N
Main Control
Room
Cable Spreading
Room
Switchgear
Room
Safety Pumps
Concept
Potential Importance – Old Studies
11
NUREG-1407
Importance
Potential Importance – IPEEEs
12
0.00
0.10
0.20
0.30
0.40
1.00E-07 1.00E-06 1.00E-05 1.00E-04 1.00E-03
Fra
ction
CDF (/ry)
IPE
IPEEE
1.0E-08
1.0E-07
1.0E-06
1.0E-05
1.0E-04
1.0E-03
1.0E-08 1.0E-07 1.0E-06 1.0E-05 1.0E-04 1.0E-03
IPE
EE
CD
F (
/yr)
IPE CDF (/yr)
Importance
Recent CDFs: External Hazards Effect
13
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
Fra
ction
10-6 10-5 10-4 10-3
Frequency (/ry)
All Initiators
BWR
PWR
0.00
0.05
0.10
0.15
0.20
0.25
0.30
0.35
10-6 10-5 10-4 10-3
Frequency (/ry)
Internal Events
BWR
PWR
Importance
Current Framework
• Internal hazards and external hazards
• Terminology and conventions
– “External events” => “External hazards”
– Fire: “external event” => “internal hazard”
– Internal flood: release point is within plant (even if
ultimate source is outside of the plant)
• Caution: NPP PRA frameworks are plant-
centric – hazards are treated as statistically-
occurring threats to the plant
14
Concept
Example Complexities
• A series of storms deposits an unusually heavy amount of snow in
the mountains, which is subsequently melted by unusually warm
weather which then leads to unusually high reservoir levels. To
prevent dam failures, flood managers decide to open flood gates,
causing extensive and extended flooding downstream that
surrounds a U.S. NPP. [Intentional human action leads to flooding.]
• Salt spray caused a LOOP at Unit 1 of a 2-unit Taiwanese NPP.
Emergency Diesel Generator (EDG) A started but tripped. Heavy
smoke from a high energy arcing fault (HEAF) occurring during
plant response prevented access to the switchgear room to align
EDG B, resulting in a station blackout. [Model as a LOOP with
possible subsequent HEAF, or model as HEAF with possibility of
LOOP?]
15
Concept
Notable Internal Hazards Analyses
• Internal Fires
– Long history with NPP PRA
– With regulatory application (Lecture 8-3), strong input
from fire protection community
– Performed for many plants
– Can be an important or even dominant risk contributor;
analysis realism a major source of debate
• Internal Floods
– Also long history
– Often tied with internal events
– Less controversial than fire16
Internal Hazards
Internal Fire PRA• Cable spreading room analyses: WASH-1400
and General Atomic HTGR PRA (1978)
• Current framework developed after 1975
Browns Ferry fire, used in Zion (1981) and
Indian Point (1982) studies (Lecture 8-3).
• Uses information from operational experience,
models, and experiments
• Involves fire protection engineering, fire
science, PRA as integrator
17
• Focused on Level 1 PRA (CDF):
– Includes high energy arc faults (HEAF) as well as flames
– Includes fires involving transient as well as in situ combustibles
Internal Fires
Fire PRA Methodological Framework
• Elements mirror NPP fire
protection defense-in-depth
• Basic methodology
developed and applied in
early 1980s
• Refinements added over
time (NUREG/CR-6850)
• Analysis is iterative
• Current work focused on
improving data and specific
models
18
Internal Fires
Fire Frequency Analysis
• Objectives
– Identify and characterize
potentially significant fire
scenarios
– Estimate scenario
frequencies
• Data: historical fire events
• Estimation
– Generic
– Plant-specific
19
Internal Fires
Equipment Damage Analysis
• Objectives– Identify potentially significant
combinations of equipment that can be damaged by a fire scenario
– Estimate conditional probabilities of equipment failure modes, given a fire scenario
• Underlying model: competition between damage and suppression processes
20
Damage occurs if tdamage < tsuppression
Internal Fires
Equipment Damage Analysis Elements
21
Internal Fires
Equipment Damage Analysis (cont.)
• Prediction of fire environment
– Correlations
– Zone models
– CFD models
• Equipment response/component fragility
– Temperature and/or heat flux thresholds
– Empirical data and probabilistic models for specific failure
modes (e.g., spurious operation, high-energy arc faults)
• Fire suppression
– Historical data
– Fire brigade drills
22
Internal Fires
Plant Response Analysis
• Objectives– Identify potentially significant
fire-induced accident scenarios
– Estimate fire-induced core damage frequency (CDF)
• General approach: propagate fire-induced losses through event tree/fault tree model– Start with internal events model
– Modify to include effects on equipment availability and operator actions
23
Internal Fires
Internal Flood PRA
• Includes all wetting mechanisms
(including spray, dripping, steam), not
just inundation
• Includes floods from external sources
(e.g., intake canals, rivers, lakes) that
enter plant through a plant system
(e.g., failed expansion joint)
• Analysis approach analogous to
treatment of internal fires– propagation physics simpler
– minor amounts can cause trouble
• Can be an important or event dominant
risk contributor
24
L. Armstrong, “Internal Flooding Background,” Regulatory Meeting, Internal
Flooding Risk Reduction Activities, November 30, 2006. (ADAMS
ML063460495)
Internal Floods
Internal Flooding Analysis Process
25
Internal Floods
K.N. Fleming and B. Lydell, “Guidelines for Performance of Internal Flooding Probabilistic
Risk Assessment,” EPRI 1019194, Electric Power Research Institute, Palo Alto, CA,
December 2009
Internal Flooding Frequencies
26
PIPExp Data* Pipe Rupture Model*
Pipe Aging** Plant-Level Data*
*Adapted from K.N. Fleming, “Development of
pipework system failure rates: where do the
numbers come from and why should we
believe them?,” CRA UK 5th Probabilistic
Safety Analysis and Human Factors
Assessment Forum, September 17-18, 2014.
**Adapted from B. Lydell, K.N. Fleming, and
J.-F. Roy, “Analysis of possible aging trends in
the estimation of piping system failure rates for
internal flooding PRA,” Proceedings of 14th
International Conference on Probabilistic
Safety Assessment and Management (PSAM
14), Los Angeles, CA, September 16-21,
2018.
Internal Floods
Internal Flood Propagation
27
K.N. Fleming and B. Lydell, “Guidelines for Performance of Internal Flooding Probabilistic Risk Assessment,” EPRI
1019194, Electric Power Research Institute, Palo Alto, CA, December 2009
Internal Flood
Propagation
28
Simulation from Idaho National Laboratory research supported
by the U.S. Department of Energy https://safety.inl.gov/public/
Internal Flooding Video
Notable External Hazards Analyses
• Seismic– Long history with NPP PRA; strong input from geotechnical and
structural engineering communities
– Performed for all plants (full SPRA or margins analysis)
– Can be an important or even dominant risk contributor
• External Floods– Explicit analyses and important contributors for some plants
– IPEEE guidance allowed screening based on deterministic grounds; reviews focused on seismic and fire, treated floods as part of “HFO” (high winds, floods, and other)
– Renewed interest post-Fukushima
• High Winds– Similar history as external floods
– Need to consider wind-driven missiles => simulation analysis
29
External Hazards
External Hazards – General Approach
• Probabilistic Hazards Analysis
• Fragility Analysis
• Plant Response Analysis
30Adapted from NUREG/CR-6042
External Hazards
Probabilistic Hazards Analysis – Seismic
• Source strength
• Propagation to site
• Site response
• Structural response
• Multiple hazards
– Acceleration
– Displacement
31https://earthquake.usgs.gov/earthquakes/
North Anna NPP
NRC HQ
Seismic Events
V.M. Andersen, et al., “Seismic Probabilistic Risk
Assessment Implementation Guide,” EPRI
3002000709, Electric Power Research Institute,
Palo Alto, CA, December 2013
Fragility Analysis – Seismic
• Sources
– Models
– Shake table data
– Expert judgment
• Informed by post-earthquake investigations
• Considers frequency and failure mode
• Addresses both aleatory and epistemic uncertainties
• Considers correlation
32
Seismic Events
V.M. Andersen, et al., “Seismic Probabilistic Risk Assessment Implementation Guide,” EPRI
3002000709, Electric Power Research Institute, Palo Alto, CA, December 2013
Plant Response Analysis – Seismic
• Modify internal events model to
address effects of different
magnitude earthquakes
• Seismic Equipment List (SEL)
• Induced hazards (internal floods
and fires)
• Solution considers
– Correlation between SSCs
– Relatively high conditional
probability of events => can’t use
rare event approximations
33
Seismic Events
Example SEL HeadingsV.M. Andersen, et al., “Seismic Probabilistic Risk Assessment
Implementation Guide,” EPRI 3002000709, Electric Power Research
Institute, Palo Alto, CA, December 2013
Seismic PRA Notes
• Technical community is generally comfortable with state of analyses
• Need to consider induced effects*– Fires
– Floods
– Human (distractions, access limitations, worker safety, psychological impacts)
• Need for expert judgment
• Dominant risk not from biggest earthquakes.
34
*Example: pipes moved aboveground following the 2007 Kashiwazaki-
Kariwa earthquake were swept away by the 2011 seismically-induced
tsunami at Fukushima Dai-ichi.
Seismic Events
Probabilistic Hazards Analysis - Flooding
• “Flooding” is a potential effect of multiple
phenomena, sometimes in combination.
Examples:
– Wind-driven waves, storm surge, intense
precipitation
– Seiche
– Tsunami
– Floods from upstream flood management decisions
• Multiple hazards, e.g.,
– Water levels (low and high)
– Dynamic forces
– Debris
• Important considerations
– Timing: warning, duration
– Site location and design
• Multiple sources (historical, paleoflood, simulation
models) 35
Example Tsunami Propagation PredictionFrom V. Titov, et al., “Tsunami Hazard Assessment Based
on Wave Generation, Propagation, and Inundation
Modeling for the U.S. East Coast,” NUREG/CR-7222, July
2016.
External Floods
Probabilistic Hazards Analysis – Flooding
36
External Floods
Simulation from Idaho National Laboratory research supported by the U.S. Department of
Energy https://safety.inl.gov/public/
Tsunami Video
Fragility Analysis - Flooding
• Multiple hazards
• Multiple damage mechanisms
(not just overtopping)
• Need to consider barrier
elements (not just reactor
systems)
– “Permanent” (e.g., dikes, doors,
penetration seals, drainage
systems)*
– Temporary (e.g., sand bags,
inflatable barriers)
37*States can change over time
Overtopping Slope Instability
PIping Erosion
Levee Failure Modes
Adapted from T. Schweckendiek, “Dutch approach to levee reliability
and flood risk,” Workshop on Probabilistic Flood Hazard Assessment,
Rockville, MD, January 29-31, 2013.
External Floods
Plant Response Analysis - Flooding
• Modify internal events model to address flooding effects
• For unscreened floods, assume instantaneous maximum hazard levels
• Potential effects on operators– Ability to access areas
– Psychological impacts
• Mitigation systems– Drainage
– Pumping38
External Floods
External Flood PRA Notes
• Multiple technical communities
– Growing agreement on meaningfulness of and need for quantitative risk assessment
– Performing analyses not focused on but relevant to NPPs
– Varying viewpoints on meaningfulness of frequency of very rare events
• “Cliff edge” characterization potentially misleading
– Damage mechanisms beyond overtopping
– Progressive damage states
– “Unlikely confluence of likely events” can be more important than overwhelming
floods
• Non-stationarity concerns
– Climate
– Human-induced changes to landscape => runoff
• Should consider correlated (and possibly concurrent) non-flooding effects
(e.g., LOOP due to high winds)
39
External Floods
“Other” Hazards – Example List*
40*See ASME/ANS PRA Standard for current list.
External Hazards
Aircraft impact Local intense precipitation
Avalanche Low lake or river water level
Biological events Low winter temperature
Coastal erosion Meteor or satellite strike
Drought Onsite chemical release
External fire Pipeline accident
External flooding River diversion
Extreme winds and tornadoes Sandstorm
Fog Seiche
Forest fire Seismic activity
Frost Severe temperatures
Hail Snow
High summer temperature Soil shrink-swell
High tide Space weather
Hurricane Storm surge
Ice cover Transportation accident
Industrial/military facility accident Tsunami
Internal flooding Turbine-generated missiles
Landslide Volcanic activity
Lightning
A Structured View
• Unstructured lists– Can have potentially
important gaps (e.g., heavy
load drops)
– Can have overlaps (e.g.,
external flooding and
tsunamis)
– Include slowly developing
conditions as well as
“events”
– Don’t show connections
between phenomena (e.g.,
multiple storm-related
hazards)
• Explicit display of
causality might help– Gaps
– Dependencies
– Screening41
External Hazards
Observations
• Results highly plant specific (e.g., location of major equipment,
cable routings, natural hazards occurrences and plant design)
• Maturity and realism a long-running issue; increased importance
with current approaches to RIDM (e.g., per Regulatory Guide
1.174)
42
Cautions
• Overly rapid dismissal based on personal intuition (e.g.,
potential magnitudes and consequences) – Lecture 2-3
• Potential violations of fundamental assumptions (e.g.,
aleatory model and concept of frequency)
– Non-stationary processes
– Observation-based predictions (e.g., Near-Earth Objects,
earthquakes?)
• Implementation assumptions
– Environmental qualifications
– Barrier existence, integrity
– Effectiveness of mitigation features (e.g., pumping, drainage)
43
Current Challenges
• “New” hazards (space weather, high-
energy arc faults – HEAF, …)
• Combinations of hazards
• Changing conditions (“non-
stationarity”)
• Different technical disciplines, views on
important issues, and heterogeneous
analyses
44
Subcommittee on Disaster Reduction, “Space
Weather” www.sdr.gov
Knowledge Check
At one plant, an unfortunate rodent caused a
loss of offsite power by bridging two phases of
a 3-phase AC power bus. For the purpose of
NPP PRA, should this be considered a
dependent failure?
45
Thought Exercise: Emergency Diesel
Generator (EDG) Redundancy
• NPPs have two or
more redundant
EDGs to supply
power if offsite
power is lost.
• How might
redundancy be
threatened by
spatial hazards?
46
USNRC, “Diesel Generators as Emergency Power Sources” (ADAMS ML11229A065)
Thought Exercise – EDG Addition
A plant is planning
on adding a new,
air-cooled EDG to
supplement its
water-cooled EDG
(located in the
Turbine Building).
From a spatial
hazards viewpoint,
what are some
pros and cons of
the proposed
update?
47
Section View
N
Main Control
Room
Cable Spreading
Room
Switchgear
Room
Safety Pumps
water-cooled EDG
(existing)
EDG switchgear
(existing)
EDG switchgear (new)
air-cooled EDG (new)
Thought Exercise
In a recent news story, scientists from LANL have
indicated that they are on the path to predicting
earthquakes (using Big Data and AI). Should they
be successful, should this change the way we
approach seismic PRA? If so, how?
48