Fault Trees and Accident Sequences (Task 11)

From Seismic PRA
Revision as of 09:31, 30 July 2024 by SeismicAdmin (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Task Overview

Objective

This task is to integrate seismic initiating events and seismic-induced failures into the system and functional (nodal) fault tree structures and accident sequence structures (event trees) of the SPRA.

Purpose

This section describes processes for the following:

  • Seismic Initiating Events
  • Seismic Sequence Models
  • Incorporating fragilities and fragility correlations for SSCs into System Fault Trees
  • Treatment of Seismically Induced Consequential Hazards
  • Treatment of Seismically Induced Small-Small Loss of Coolant Accident (SSLOCA)
  • Developing a Level 2 (LERF) model for use in an SPRA.

Guidance

Background

The heart of a seismic probabilistic risk assessment is the combination of:

  • the definition of the seismic initiating events,
  • an event tree that models the sequence of events from an initiating event, such as an earthquake, to an end state, and
  • a fault tree that models the failure of mitigating functions, including equipment dependencies to function as required.

Each of these elements is described below.

Seismic Initiating Events

The frequency of earthquakes at the site is based on site-specific probabilistic seismic hazard analysis (PSHA) (Seismic Hazard Analysis (Task 6)). The results of this site-specific PSHA have the form of annual probabilities of exceedance of various levels of ground motion. The resulting hazard curves are based on a comprehensive up-to-date database of geological data and site properties.

The approach taken in the SPRA model for the integration of the seismic hazard curve generally follows these steps:

  • The base seismic hazard for the SPRA is identified by a plant-specific parameter such as the mean PGA ground motion.
  • The plant-specific parameter is divided into a series of initiating events using discrete ground motion intervals of the hazard curve.
  • The very low ground motion end of the hazard curve need not be explicitly incorporated into the accident sequence quantification because the SSC probability of failure at those low ground motions is very small. The upper end of the hazard curve (highest ground motion) is typically defined with a single interval defined as, for example, 1.50g or greater, and leading directly to core damage, because the probability of failure for many of the SSC is very high, approaching 1.0.

In a typical SPRA, the mean hazard curve is divided into eight to ten ground motion ranges that are used in developing and quantifying the SPRA. Each seismic hazard range in the seismic evaluation is assigned an initiator ID (for example, %G4, “Seismic Initiating Event: 0.6g to <0.8g PGA”) and an initiator frequency from the hazard curve. These ranges are typically called seismic hazard bins or seismic intensity bins. The frequency for the seismic initiator is calculated as the exceedance frequency of the ground motion at the beginning point range minus the exceedance frequency at the end point of the ground motion range. The frequency of the last (high) ground motion range is the exceedance frequency of the representative ground motion of the highest bin.

Seismic Accident Sequences

One way to incorporate seismic accident sequences uses a seismic initiating event tree (SIET) as a pre-tree to disposition the more pervasive effects of a seismic event that can lead directly to core damage or to a degraded plant condition. The second tier of the event trees are systemic event trees (similar to those in the internal events PRA) that evaluate the plant response and mitigation capability, given the preconditions established in the SIET. Sequence logic transfers directly from the SIET into the systemic event trees to ensure that no information is lost in these transfers. The event trees are used to define the accident sequence progression and the assigned end state of the event trees.

  • Top events modeled in an SIET (see example in the figure) are based on the following two criteria:
- the SSC has potentially high median capacity (e.g., low probability of failure) over the spectra of the hazard curve and
- the SSC has significant consequential failures.
  • Seismically induced accident sequence functional event trees are developed for each applicable SIET end state transfer.

These event trees are like event trees developed for the internal events model (ATWS, LOOP, small LOCA, and so on). The systemic accident sequence structure from the Level 1 internal events PRA is maintained in the SPRA.

  • Event trees typically have three principal end states:
- “OK” end states, which lead to a safe stable end state
- Core damage end states
- Transfers between event trees


Figure 11-1 Typical seismic probabilistic risk assessment seismic initiating event tree (from EPRI 3002000709)


Fragility Incorporation into System and Nodal Fault Trees

Seismic fragilities are considered as basic event failure probabilities (and associated fault tree logic) of plant SSCs as a function of ground motion. Small fault tree logic models are developed to specify the fragility basic events and their associated seismic interval initiators. These fragility fault trees are appropriately linked, throughout the SPRA model.

SSC fragility basic events are ANDed with the associated seismic interval initiating events and grouped under an OR gate. This process effectively slices the seismic hazard into defined ground motion bins (initiating events) and uses a slice of the SSC fragility at the same ground motion level to define the SSC failure probability. An example is provided in the figure below.


Figure 11-2 Typical fragility modeling in system fault tree (from EPRI 3002000709)

Two methods for incorporating seismic fragilities into the models include:

  1. use software (such as EPRI FRANX) to automatically overlay fragilities into the single-top model, or
  2. manually incorporate them into nodal fault trees.

Fragility Correlations

Seismic fragility correlation accounts for the idea that two or more similar SSCs subjected to the same earthquake motions have the same probability of failure. For example, in a two-train system the A train and B train pumps may be from the same manufacturer and located side-by-side in the plant where they would be subjected to the same seismic motions. In this case, their seismic probability of failure may be at least partially correlated.

The bases for seismic fragility correlation modeling assumptions originates from information from the seismic fragility analyses. The seismic fragility experts provide recommendations to the PRA modeling personnel regarding what equipment can likely be assumed to be correlated or uncorrelated.

Typical industry practice is to assume that specific SSCs are either completely correlated or completely uncorrelated for the base SPRA model, depending upon the similarity of the equipment.

  • Equipment located within a building is typically assumed 100% correlated with structural failure of that building
  • Identical equipment in the same or very nearby location and elevation, with the same or similar orientation and anchorage, are typically assumed 100% correlated.
  • Design and functionality differences
- Systems with similar but not identical design and functionality are typically assumed to be uncorrelated, however in some cases a lower degree of failure correlation may apply (e.g. HPCI, RCIC in a BWR)
  • Dissimilar systems are typically assumed uncorrelated

Additional guidance for identifying potential relay chatter correlation modeling include relays which have all or many of the following characteristics:

  • Relays in the same cabinet or in identical cabinets located in the same area and oriented in the same direction may be considered for correlation. (Additional characteristics that should be considered for potential correlation of relays are discussed in the bullets below.) Where the cabinets are in a large area, they should be within a portion of the floor that has the same seismic response to be correlated. That is, they should be on the same structural element (common slab between walls or beams that support the slab). If the cabinets are not correlated, the relays are not correlated.
  • The relays are the same model number, have the same capacity and are expected to have similar demands.
  • The relays are oriented in the same direction with respect to north-south and east-west directions.
  • The relays are located at similar locations within the panel. That is, they are located such that the in-cabinet amplification factors are similar.
  • There are no unique characteristics that would affect a subset of components that would otherwise be correlated.

The seismic fragility analysts can determine if all or only some of the above characteristics need to be met to support relay chatter correlation on a case-by-case basis.

Example incorporation into the base PRA model is illustrated with the figure below:


Figure 11-3 Seismically induced emergency diesel generator failures (from EPRI 3002000709)


Treatment of Consequential Hazards

Seismic initiating events have the potential to cause both direct damage to plant SSCs through the seismic event itself and indirect damage to SSCs through the initiation of additional hazards.

A five-stage approach is suggested for consequential hazard analysis in seismic PRAs:

  1. Identification of potential consequential hazards
  2. Qualitative screening of consequential hazards
  3. Quantitative screening of consequential hazards
  4. Treatment of non-screened consequential hazards in the SPRA
    • Seismic induced fire and flood (SIFF) are typically incorporated, as noted in Task 3.
  5. Documentation

Treatment of seismically induced small-small loss of coolant (SSLOCA) into the SPRA

A seismic event may cause minor cracks or leaks in small piping connected to the reactor coolant system pressure boundary resulting in a leak with rate between 10 and 100 gallons per minute (38 to 380 liters per minute) or an area from about 0.15 to 0.5 square inches (1 to a few square cm). These leaks are referred to as small-small (or very small) loss of coolant accidents (SSLOCA). Small-small LOCAs typically do not result in a loss of pressure to the RCS system but may result in an automatic or manual reactor scram. Success of safety systems is not expected to be affected by very small LOCAs.

  • Determine Whether a Qualitative or Quantitative Evaluation Is Appropriate
- Review plant information and walkdown evaluations to identify potential vulnerabilities from a seismically induced SSLOCA.
- If a qualitative evaluation is pursued, the qualitative bases are typically documented and the additional steps discussed below for modeling and implementation of the SSLOCA impacts in the SPRA may be bypassed.
  • Model the Fragility of a SSLOCA (4 options). The choice depends on vulnerabilities assessed in Step 1 or other available information.
- Assume that a seismically induced SSLOCA occurs (i.e., probability of 1.0) for the entire range of seismic initiating events modeled in the SPRA. (conservative)
- Justify that a seismically induced SSLOCA does not occur for lower initiating events modeled in the SPRA (for example, less than 2 times the SSE) and assume that they do occur (i.e., probability of 1.0) for higher initiating events.
- Define a representative seismic fragility curve for SSLOCA
- Perform plant-specific fragility calculations for seismically induced failures that could lead to a SSLOCA
  • Implement Treatment of SSLOCA in the SPRA
- Identify accident types for modeling SSLOCA (e.g., Seismic LOOP, Seismic small-small LOCA (PWR), Seismic LOCA, Seismic ATWS)
- Qualitative definition of SSLOCA size and location
- SSLOCA modeling impacts vary depending on the plant and the model. See EPRI 3002000709, Seismic Probabilistic Risk Assessment Implementation Guide.

Seismic Large Early Release Frequency (LERF)

The NRC LERF definition refers to a time frame “prior to effective evacuation of the close-in population such that there is a potential for early health effects.” It does not mention a specific, numerical time period.

The magnitude of the release is important because there is a threshold below which the doses from the early exposure pathways will be unlikely to cause an early fatality. Consistent with the NRC definition, a release magnitude consistent with LERF must be large enough to create a threat of early health effects.

Section 6.5.1 of EPRI 1025287 provides guidance on the evaluation of LERF for an SPRA model.

An optional approach regarding the seismic effect on the LERF definition includes the following interpretation of this definition:

  • Magnitude—large. The release magnitude in the internal events PRA for a given accident is assessed based on the size of the containment failure and the presence of scrubbing. These characteristics apply equally whether the event is initiated by internal events or by a seismic event. Seismic scenarios that involve seismically induced structural failures of the primary containment are directly classified as containment bypass scenarios. All other seismic scenarios that would involve accident progression phenomena are the same as those for internally initiated scenarios. Therefore, typically no changes are made to the internal events LERF assessment with respect to the magnitude aspect of the release.
  • Timing—early. The definition of timing for the LERF calculation may be affected by the seismic event. This relates primarily to the following:
- Failure of infrastructure
- Failure of communication
- Failure of transportation routes

Supplemental Guidance

Related Element of ASME/PRA Standard

Part 5, Seismic Plant-Response (SPR)

EPRI Guidance

Seismic Probabilistic Risk Assessment Implementation Guide (3002000709).

  • Appendix C, Section C.1 provides additional information on modifying the internal events sequence and system models for the SPRA model
  • Appendix D provides guidance for seismic failure correlation.
  • Appendix G provides guidance for identification and treatment of potential seismically induced internal fires and internal floods.
  • Appendix F includes outlines for documentation of Seismic PRAs.
  • Section 5.4 provides guidance related to treatment of SSLOCA
  • Section 5.8 provides guidance related to seismic LERF.

Identification of External Hazards for Analysis in Probabilistic Risk Assessment (1022997)

  • Section 4 provides a list of power plant hazards
  • Section 5 provides guidance on screening of consequential hazards (both qualitative and quantitative)

Methodology for Seismically Induced Internal Fire and Flood Probabilistic Risk Assessment (3002012980)

Screening, Seismic Evaluation Guidance: Screening, Prioritization and Implementation Details (SPID) for the Resolution of Fukushima Near-Term Task Force Recommendation 2.1: Seismic (1025287)

  • Section 6.5.1 provides details on identifying the potential impacts of seismic events on LERF scenarios and describes how to integrate a seismic core damage model with a LERF model.

Other Guidance

[NUREG CR-5042], “Evaluation of External Hazards to Nuclear Power Plants in the United States.” provides guidance on treatment of consequential hazards

IAEA Safety Guide SSG-3, “Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants” provides guidance on treatment of SSLOCA

IAEA Safety Guide NS-G-2.13, "Evaluation of Seismic Safety for Existing Nuclear Installations" provides guidance on treatment of SSLOCA

[IAEA Safety Series 50-P-7], "Treatment of External Hazards in Probabilistic Safety Assessment for Nuclear Power Plants: A Safety Practice" provides guidance on treatment of consequential hazards

[SKI Report 02:27], "Guidance for External Events Analysis" provides guidance on treatment of consequential hazards

[ENSI-A05/e], “Probabilistic Safety Assessment (PSA): Quality and Scope” provides guidance on treatment of SSLOCA

Retrieved from "https://seismicpra.epri.com/index.php?title=Fault_Trees_and_Accident_Sequences_(Task_11)&oldid=133"