Risk Assessment, Management and Application in Nuclear Power Plant Operation

2014-08-12

SHENG Guo-long(圣国龙)1, QIU Yan-rong(邱艳荣)2*, LI Qiong-zhe(李琼哲)1

1. Suzhou Nuclear Power Research Institute, Shenzhen 518028, China
2. Nuclear and Radiation Safety Center, Beijing 10082, China

After introducing the basic concepts of the technical specification of a nuclear power plant, this paper proposes a risk assessment and management technique based on the probabilistic safety analysis (PSA) method. The risk-informed approach is used, and an example shows how specific risk metrics (CDF, LERF, ICDP and ILERP) are applied to analyze and manage the risk associated with activities in nuclear power plant operation. The advantages of the technique follow from the discussion, and it should be used more widely and more deeply in the nuclear industry.

Keywords: technical specification; probabilistic safety analysis (PSA); risk assessment; risk management

Introduction

Probabilistic safety analysis (PSA), also called probabilistic risk assessment, is a logical tool, based on probabilistic methods and reliability engineering, for deriving numerical estimates of the risk from a nuclear power plant (or indeed any plant). PSA was first applied extensively to nuclear plant safety in 1975. After rapid development it has been recognized as an effective risk assessment tool and integrated gradually into plant operation management, leading to risk-informed regulation that combines deterministic and probabilistic methods. In 1998, the U.S. Nuclear Regulatory Commission (NRC) issued a series of regulatory guides advocating risk-informed management, which met a positive response from the nuclear industry[1]. The technical specification defines the basic rules that guarantee the safety of nuclear power plant operation. Using PSA to optimize the technical specification is an important activity under NRC's regulatory guides, with the aim of improving both the safety and the economics of nuclear power plant operation.

However, the use of PSA to optimize technical specifications has not been implemented in detail in the nuclear industry; one reason is that it is difficult to incorporate the technique into actual plant activities. This paper focuses on the meaning of risk management and on how to use risk metrics and risk insights to support plant operation decisions. It also discusses the relationship between the different applications and how to improve them in a more reasonable way.

1 Probabilistic Safety Analysis (PSA)

Based on probabilistic methods and reliability engineering, PSA builds a logical model of a nuclear power plant by fault tree analysis, event tree analysis, human reliability analysis, data analysis, and so on. Once the model is built, qualitative and quantitative analyses can be conducted with it. Its characteristics allow PSA to remedy many weaknesses of the traditional deterministic methodology; the core feature is that PSA gives a quantitative evaluation of risk.

There are three levels of PSA. Level 1 PSA studies the accident progression and the accident sequences that lead to core damage; its main result is the core damage frequency (CDF, in units of per year). Level 2 PSA, based on the Level 1 results, studies the accident progression and containment response after core damage; its main result is the large early release frequency (LERF, also per year). Level 3 PSA analyzes the dispersion of radionuclides into the surrounding environment and the potential consequences for environment and health.

Generally, PSA includes the following major technical elements[2].

(1) Initiating events analysis

Identification of initiating events is the starting point of PSA. Initiating events are incidents that may lead to core damage if additional failures of the safety systems to perform their safety functions occur. Identified initiating events that produce a similar plant response are grouped.

(2) Accident sequence analysis

This element determines the response of the plant to each initiating event group identified above. The plant response includes the safety functions of the safety systems and the operator actions. The success criteria of each safety system must be determined by thermal-hydraulic analysis or expert judgment.

(3) Systems analysis

This element models, with the fault tree technique, the system failures identified in the accident sequence analysis. Fault trees provide a logical failure model for each system.

(4) Human reliability analysis

This element identifies the human errors that may contribute to core damage. Three types are modeled: errors that occur before an initiating event (pre-initiator errors, e.g., leaving equipment misaligned after maintenance), errors that themselves cause an initiating event, and errors that occur after an initiating event (post-initiator errors during accident response).

(5) Data analysis

The data required for PSA include initiating event frequencies, equipment reliability and availability data, human reliability data, common cause failure data, etc.; they are used to quantify the PSA model.

(6) Quantification analysis

This technical element employs a computer code to calculate the numerical results of the PSA model. Results derived from PSA include: CDF, LERF, uncertainty results of CDF and LERF, importance measures, and sensitivity measures.

CDF and LERF can be regarded as the metrics of plant safety level. Based on CDF and LERF, other risk metrics such as incremental core damage probability (ICDP), and incremental large early release probability (ILERP) can be calculated.

These results, the so-called risk insights, are mainly used to support decision-making on plant safety issues, plant operation and maintenance, and the optimization of the related management programs or procedures, such as the technical specification and the testing or maintenance programs.
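To make elements (3) and (6) concrete, the following Python is an added example, not code from the paper, from IAEA DS394 or from any PSA code: it reduces a small fault tree to its minimal cut sets by Boolean absorption, quantifies it with the rare-event approximation, and computes two importance measures. The tree follows the auxiliary feedwater layout described in Section 4 (two motor-driven pumps, one turbine-driven pump fed by two steam inlet lines); the one-of-three-pumps success criterion, the common-cause event and every basic-event probability are constructed assumptions of the example, as are all function names.

```python
"""Fault-tree quantification by minimal cut sets.

Added example, not code from the paper or from any PSA tool.  The tree,
the one-of-three-pumps success criterion and all probabilities are
constructed for illustration.
"""
from itertools import product

# Gates are ("AND", [children]) or ("OR", [children]); leaves are basic-event names.
AFW_FAILS = ("AND", [
    ("OR", ["MDP_A_FAILS", "MDP_CCF"]),            # motor-driven pump A (incl. common cause)
    ("OR", ["MDP_B_FAILS", "MDP_CCF"]),            # motor-driven pump B (incl. common cause)
    ("OR", ["TDP_FAILS",                           # turbine-driven pump itself ...
            ("AND", ["STEAM_LINE_1", "STEAM_LINE_2"])]),  # ... or both steam inlet lines
])

# Constructed per-demand failure probabilities (assumptions, not plant data)
PROBS = {
    "MDP_A_FAILS": 2.0e-3, "MDP_B_FAILS": 2.0e-3, "MDP_CCF": 1.0e-4,
    "TDP_FAILS": 1.0e-2, "STEAM_LINE_1": 2.0e-2, "STEAM_LINE_2": 2.0e-2,
}


def minimize(cut_sets):
    """Boolean absorption: drop any cut set that contains another cut set."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(node):
    """Expand a gate tree into its minimal cut sets (frozensets of basic events)."""
    if isinstance(node, str):
        return [frozenset([node])]
    gate, children = node
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        combined = [cs for group in child_sets for cs in group]
    elif gate == "AND":
        combined = [frozenset().union(*combo) for combo in product(*child_sets)]
    else:
        raise ValueError(f"unknown gate type {gate!r}")
    return minimize(combined)


def cut_set_probability(cs, probs):
    """Product of the basic-event probabilities in one cut set (independence assumed)."""
    p = 1.0
    for event in cs:
        p *= probs[event]
    return p


def unavailability(mcs, probs):
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    return sum(cut_set_probability(cs, probs) for cs in mcs)


def risk_achievement_worth(mcs, probs, event):
    """RAW: unavailability with `event` assumed failed, relative to baseline.
    This is the system-level analogue of CDF1/CDF0 in an AOT evaluation."""
    failed = dict(probs, **{event: 1.0})
    return unavailability(mcs, failed) / unavailability(mcs, probs)


def fussell_vesely(mcs, probs, event):
    """FV: fraction of the baseline unavailability from cut sets containing `event`."""
    with_event = [cs for cs in mcs if event in cs]
    return unavailability(with_event, probs) / unavailability(mcs, probs)


if __name__ == "__main__":
    mcs = minimal_cut_sets(AFW_FAILS)
    for cs in sorted(mcs, key=lambda s: -cut_set_probability(s, PROBS)):
        print(f"{cut_set_probability(cs, PROBS):.2e}  {' * '.join(sorted(cs))}")
    print(f"AFW unavailability (rare-event): {unavailability(mcs, PROBS):.3e}")
    for ev in ("STEAM_LINE_1", "TDP_FAILS", "MDP_CCF"):
        print(f"{ev:13s} RAW={risk_achievement_worth(mcs, PROBS, ev):6.1f} "
              f"FV={fussell_vesely(mcs, PROBS, ev):.3f}")
```

The absorption step is what turns the eight raw AND-gate combinations into four minimal cut sets; without it the cut sets containing both an independent pump failure and the common-cause event would be double-counted. RAW is the quantity a Tier 1 AOT evaluation needs: it is the factor by which system unavailability (and, propagated through the event trees, CDF) rises when the subject equipment is taken out of service.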

2 Technical Specification and Nuclear Power Plant Operation

The technical specification is an important document used for nuclear safety regulation of a nuclear power plant; it defines the basic technical requirements that the unit must meet. It has the following functions:

(1) define the limits for normal operation to ensure that the reactor is operated as it is designed;

(2) define the essential safety functions;

(3) when the reactor runs outside these limits or a safety function is inoperable, define the required actions to correct the situation; a completion time and a mode to fall back to are also usually defined.

Figure 1[3] below is an example of how the technical specification is used in nuclear power plant operation.

Fig.1 Part of a technical specification

The technical specification requires that both trains (X and Y) of a system be operable. When the plant fails to meet this requirement, that is, when one or both trains become inoperable, the requirements in Fig. 1 shall be met so that the plant keeps a sufficient safety margin. For each condition, Fig. 1 gives the actions to be taken and the allowed outage time (the same as the completion time).

According to Fig.1:

if the X train is inoperable, condition A is entered and the operator shall restore the X train to operable status within 7 d;

if the Y train is inoperable, condition B is entered and the operator shall restore the Y train to operable status within 72 h;

if both trains are inoperable, condition C is entered and the operator shall restore one of the two trains within 72 h. If required action C.2 is completed within the specified completion time, conditions B and C are exited and the plant enters condition A; the operator shall then continue to follow the requirements for condition A.

At present, technical specifications are basically developed on the basis of the traditional deterministic methodology. As operational experience has accumulated and safety analysis techniques have developed, the deterministic methodology has increasingly exposed its inherent limitations and conservatism. For instance, it treats system and equipment reliability as well as accident frequencies too conservatively, and it cannot comprehensively and systematically evaluate the overall risk of the plant. In some cases, following the traditional technical specification may even put the plant in a more dangerous condition, for example by forcing an unnecessary mode change that adds transient risk. Practical experience has shown that traditional technical specifications based on the deterministic methodology are over-conservative and contain unreasonable clauses that severely restrict the flexibility of plant operation and do not help to improve plant performance.

3 Application of Risk Assessment and Management in Nuclear Power Plant Operation

Risk assessment and risk management based on PSA have been put into use at large scale in the nuclear industry, and one crucial application is to the technical specification. A technical specification connected with PSA in this way is called a risk-informed technical specification; its overall objective is to extend plant operational flexibility through risk assessment and risk management, making operational mode changes and shutdowns more reasonable.

Regulators and utilities in many countries have identified several initiatives to optimize technical specification by using PSA technique. Some of these initiatives are described as below[4].

Preferred end states: after a risk assessment, this initiative allows the plant to go to hot shutdown rather than cold shutdown to repair equipment.

Risk-informed treatment of missed surveillances: this initiative allows the licensee to use a structured, objective process to evaluate the risk implications of a missed surveillance test required by the technical specification; if the risk impact is not significant, the plant is allowed to continue operating.

Risk-informed mode change: the licensee can justify a mode change when not all of the requirements for the mode change are met. This allows concurrent operational activities to continue and supports a more effective mode change plan.

Risk-informed allowed outage times (AOT): this initiative allows licensees to extend the AOTs for some components in the technical specification, or provides a process under which licensees control the AOTs themselves, so that a change in an AOT does not need the regulator's approval.

Risk-informed surveillance frequency control program (RISFCP): this initiative is similar to the risk-informed AOT. The RISFCP allows licensees to extend the surveillance test intervals (STIs) for some components, or provides a licensee-controlled process to determine the STIs.

This paper focuses on the risk-informed AOT.

3.1 Use of PSA to extend allowed outage time in technical specification

The technical specification specifies the allowed outage time when certain components are inoperable; the AOTs in a traditional technical specification are determined very conservatively. On one hand this limits the flexibility of plant operation; on the other hand an unnecessary mode change adds unexpected transient risk.

The AOTs in the technical specification can be optimized with the help of PSA. A four-step approach to evaluating proposed AOT changes is shown below.

Step 1: define the proposed changes.

The first step is to define the proposed change to the AOT and to identify the affected systems, components or parameters modeled in the PSA, together with every element of the PSA that the change impacts. A description of the proposed change should include this information.

Step 2: perform engineering analysis.

The second step is an engineering analysis of the impact of the proposed change. It has two aspects: traditional deterministic analysis and probabilistic analysis.

For the traditional deterministic analysis, the proposed AOT change should be examined to verify that it meets the existing applicable rules and regulations. The licensee should determine how the change affects the defense-in-depth aspects of the plant's design and operation and its impact on the adequacy of safety margins, and should consider how plant and industry operating experience relates to the proposed change.

For the probabilistic analysis, the licensee should perform a risk-informed evaluation of the proposed change to determine its impact on plant risk. The evaluation should explicitly consider the specific plant equipment affected by the proposed AOT change, the impact of the change on the functionality, reliability and availability of that equipment, and the impact on human error probabilities.

A three-tier approach[1] is used for the probabilistic analysis; the three tiers are described below.

Tier 1: quantitative analysis of risk impact

The quantitative impact of the AOT change on plant risk is calculated with the PSA model; ICDP and ILERP are the risk metrics needed to extend the AOT. The equations are as follows:

$$\mathrm{ICDP} = (\mathrm{CDF}_1 - \mathrm{CDF}_0)\,\Delta T,$$
$$\mathrm{ILERP} = (\mathrm{LERF}_1 - \mathrm{LERF}_0)\,\Delta T,$$

where $\Delta T$ is the individual allowed outage time; $\mathrm{CDF}_0$ is the baseline CDF with nominal expected equipment unavailability; $\mathrm{CDF}_1$ is the conditional CDF with the subject equipment out of service and nominal expected unavailability for the other equipment permitted to be out of service by the technical specification; $\mathrm{LERF}_0$ is the baseline LERF with nominal expected equipment unavailability; $\mathrm{LERF}_1$ is the conditional LERF with the subject equipment out of service and nominal expected unavailability for the other equipment permitted to be out of service by the technical specification. Because CDF and LERF are per year, $\Delta T$ must be expressed in years (e.g., 72 h = 72/8760 yr).

ICDP is the incremental probability of a core damage event during the time the component is inoperable; ILERP is the analogous quantity for a large early release. The acceptance criterion used here is ICDP < 1.0E-6 together with ILERP < 1.0E-7. Note that RG 1.177[1] applies these values to a one-time (temporary) AOT extension; for a permanent AOT change it uses the tighter limits ICDP < 5.0E-7 and ILERP < 5.0E-8.

If the proposed AOT can satisfy the above acceptable criterion, the AOT is considered reasonable.
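As an added worked example (not code from the paper or from RG 1.177), the following Python applies the two equations above to a proposed AOT and also solves them for the longest AOT at which the binding metric reaches its limit. The CDF and LERF values are constructed, the hours-per-year conversion and the rejection of a conditional value below the baseline are assumptions of the example, and the function names are its own.

```python
"""Tier 1 screening of a proposed allowed outage time (AOT) change.

Added example, not code from the paper or from RG 1.177.  The plant
CDF/LERF values used in the demo are constructed; the acceptance limits
are the ones quoted in the text (ICDP < 1.0E-6, ILERP < 1.0E-7).
"""

HOURS_PER_YEAR = 8760.0  # assumption: CDF and LERF are expressed per calendar year


def incremental_probability(base_per_year, conditional_per_year, outage_hours):
    """ICDP or ILERP: (conditional - baseline frequency) x outage duration in years."""
    if conditional_per_year < base_per_year:
        # A valid PSA model cannot show lower risk with equipment out of service;
        # treat it as a modelling error rather than silently accepting the change.
        raise ValueError("conditional frequency below baseline: check the PSA model")
    return (conditional_per_year - base_per_year) * outage_hours / HOURS_PER_YEAR


def evaluate_aot(cdf0, cdf1, lerf0, lerf1, aot_hours,
                 icdp_limit=1.0e-6, ilerp_limit=1.0e-7):
    """Tier 1 check of a proposed AOT. Returns (acceptable, icdp, ilerp)."""
    icdp = incremental_probability(cdf0, cdf1, aot_hours)
    ilerp = incremental_probability(lerf0, lerf1, aot_hours)
    return (icdp < icdp_limit and ilerp < ilerp_limit), icdp, ilerp


def max_aot_hours(cdf0, cdf1, lerf0, lerf1, icdp_limit=1.0e-6, ilerp_limit=1.0e-7):
    """AOT (hours) at which the more limiting of ICDP and ILERP reaches its limit."""
    bounds = []
    for base, cond, limit in ((cdf0, cdf1, icdp_limit), (lerf0, lerf1, ilerp_limit)):
        delta = cond - base
        if delta > 0.0:
            bounds.append(limit / delta * HOURS_PER_YEAR)
    return min(bounds) if bounds else float("inf")   # no risk increase: no bound


if __name__ == "__main__":
    # Constructed plant values: baseline and conditional CDF/LERF (per year)
    CDF0, CDF1 = 2.0e-5, 8.0e-5
    LERF0, LERF1 = 2.0e-6, 6.0e-6
    for hours in (72.0, 168.0):
        ok, icdp, ilerp = evaluate_aot(CDF0, CDF1, LERF0, LERF1, hours)
        print(f"AOT {hours:5.0f} h: ICDP={icdp:.2e} ILERP={ilerp:.2e} "
              f"-> {'accept' if ok else 'reject'}")
    print(f"AOT at which the binding limit is reached: "
          f"{max_aot_hours(CDF0, CDF1, LERF0, LERF1):.0f} h")
```

With these constructed values a 72 h AOT passes while a 7 d (168 h) AOT fails on ICDP, and the ICDP limit, not the ILERP limit, is the binding one; a real evaluation would take the conditional CDF and LERF from the plant PSA model rather than from constants.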

Tier 2: identification of risk-significant plant configurations

Building on Tier 1, this tier identifies the potentially high-risk configurations that could arise if equipment in addition to that associated with the AOT change were taken out of service at the same time. The objective is to ensure that appropriate restrictions on the risk-significant configurations associated with the change are in place, so that those configurations are avoided.

Tier 3: risk-informed configuration risk management

Because random equipment failures and emergent events occur during plant operation, not all risk-significant configurations can be identified in the Tier 2 analysis. The plant therefore needs the ability to assess the real-time risk of its actual configuration and to manage that risk. A software tool called a risk monitor provides this ability, and a configuration risk management program guides the plant in using it.

Step 3: define implementation and monitoring program

This step ensures that no adverse safety degradation occurs because of the AOT change and that the engineering evaluation conducted for the proposed change continues to reflect the actual reliability and availability of the related components. The licensee should consider implementation and performance monitoring strategies.

Step 4: submit proposed change

The final step is about documentation of the above analysis and submitting the license amendment request.

3.2 Risk managed Tech-Spec

After many successful cases of AOT extension using PSA, both industry and regulators have gained much experience, and a new method that gives the plant more flexibility in using the Tech-Spec has been developed: risk-managed technical specifications (RMTS)[5]. With RMTS, the plant controls the AOT itself on the basis of a calculation of plant risk.

ICDP is the risk metric in RMTS, and two thresholds are set on it. An ICDP of 1E-5 is used to calculate the risk-informed completion time (RICT); when the calculated RICT exceeds 30 d, a back-stop of 30 d is applied. An ICDP of 1E-6 is used to calculate the risk management action time (RMAT), meaning that once the ICDP exceeds 1E-6 the plant must implement actions to control the risk. (NEI 06-09 sets parallel thresholds on ILERP, 1E-6 for the RICT and 1E-7 for the RMAT, and the more limiting of the two metrics governs.)

Figure 2 below gives a simple example of the RMTS process, intended to demonstrate explicitly how these metrics are applied in an RMTS program.

Fig.2 The RMTS process

At the beginning, component A becomes inoperable for a duration expected to exceed the AOT in the Tech-Spec. In this configuration the RMAT and RICT are calculated. As the figure shows, the RMAT would be exceeded at day 7. If the anticipated duration of the activity exceeds this time, appropriate compensatory risk management actions are developed and implemented. Since the 1E-5 ICDP threshold is not reached within 30 d, the RICT is set to the 30 d back-stop.

At day 5, component B becomes inoperable and the plant enters a new configuration. RMTS requires the RMAT and RICT to be recalculated for this configuration. The RMAT now occurs very soon after the emergent event, at approximately day 6. Since the 1E-5 ICDP threshold is reached at day 27, the RICT is revised to 27 d.

At day 21, component B is restored to operable status. The RICT may then be recalculated for the new configuration. In this configuration, the 1E-5 ICDP threshold is not reached before the 30 d back-stop, so the RICT for component A is reset to 30 d from the time it first became inoperable. Notice also that, since the accumulated ICDP already exceeds the 1E-6 threshold, there is no need to recalculate the RMAT; the implementation of appropriate risk management actions simply continues to be required.
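The Fig. 2 walk-through can be reproduced with a small tracker that accrues ICDP across configuration changes. The following Python is an added example, not code from the paper or from NEI 06-09: the delta-CDF values for the configurations "A inoperable" and "A and B inoperable" are constructed, the 365-day year is an assumption, and the class and function names are the example's own. The same two configurations correspond to "one steam inlet line inoperable" and "turbine-driven pump inoperable" in the auxiliary feedwater case of Section 4.

```python
"""Risk-managed technical specification (RMTS) configuration tracker.

Added example, not code from the paper or from NEI 06-09.  It accrues
ICDP across successive plant configurations and re-projects the risk
management action time (RMAT, ICDP 1E-6) and the risk-informed completion
time (RICT, ICDP 1E-5, 30-day back-stop) at each configuration change,
replaying the Fig. 2 walk-through with constructed delta-CDF values.
"""
from dataclasses import dataclass

DAYS_PER_YEAR = 365.0          # assumption: CDF is expressed per calendar year
RICT_ICDP_THRESHOLD = 1.0e-5   # ICDP at which the configuration must be exited
RMAT_ICDP_THRESHOLD = 1.0e-6   # ICDP at which risk management actions are required
BACKSTOP_DAYS = 30.0           # RICT may never exceed 30 days from first entry


@dataclass
class Projection:
    day: float                 # day of this configuration change
    icdp_accumulated: float    # ICDP accrued since the first component went inoperable
    rmat_day: float            # day on which ICDP reaches (or reached) 1E-6
    rmat_reached: bool         # True once the RMAT has actually been passed
    rict_day: float            # day by which the plant must leave the configuration
    backstop_limited: bool     # True when the 30-day back-stop, not ICDP, sets the RICT


class RmtsTracker:
    """Tracks one continuous period starting when the first component goes inoperable."""

    def __init__(self, rict=RICT_ICDP_THRESHOLD, rmat=RMAT_ICDP_THRESHOLD,
                 backstop_days=BACKSTOP_DAYS):
        self.rict, self.rmat, self.backstop_days = rict, rmat, backstop_days
        self._t0 = None            # day the first component became inoperable
        self._last_day = None      # day of the most recent configuration change
        self._delta_cdf = 0.0      # CDF1 - CDF0 (per year) of the current configuration
        self._icdp = 0.0
        self._rmat_reached_day = None

    def _days_to(self, threshold):
        """Days from the last change until ICDP reaches `threshold` at the current delta-CDF."""
        remaining = threshold - self._icdp
        if remaining <= 0.0:
            return 0.0
        if self._delta_cdf <= 0.0:
            return float("inf")
        return remaining / self._delta_cdf * DAYS_PER_YEAR

    def _accrue(self, day):
        """Add the ICDP earned between the last change and `day`; note an RMAT crossing."""
        if day < self._last_day:
            raise ValueError("configuration changes must be entered in time order")
        if self._rmat_reached_day is None:
            crossing = self._last_day + self._days_to(self.rmat)
            if crossing <= day:
                self._rmat_reached_day = crossing
        self._icdp += self._delta_cdf * (day - self._last_day) / DAYS_PER_YEAR
        self._last_day = day

    def enter_configuration(self, day, delta_cdf_per_year):
        """Record a configuration change at `day` and re-project RMAT and RICT."""
        if self._t0 is None:
            self._t0 = self._last_day = day
        else:
            self._accrue(day)
        self._delta_cdf = delta_cdf_per_year
        backstop = self._t0 + self.backstop_days
        rict_raw = self._last_day + self._days_to(self.rict)
        if self._rmat_reached_day is not None:
            rmat_day, reached = self._rmat_reached_day, True
        else:
            rmat_day, reached = self._last_day + self._days_to(self.rmat), False
        return Projection(day, self._icdp, rmat_day, reached,
                          min(rict_raw, backstop), rict_raw > backstop)


def walk_through_fig2():
    """Replay Fig. 2: A inoperable at day 0, B also at day 5, B restored at day 21."""
    dcdf_a = 365.0e-6 / 7.0    # constructed so that A alone reaches the RMAT at day 7
    dcdf_ab = 1.5e-4           # constructed delta-CDF with A and B both inoperable
    tracker = RmtsTracker()
    return [tracker.enter_configuration(0.0, dcdf_a),
            tracker.enter_configuration(5.0, dcdf_ab),
            tracker.enter_configuration(21.0, dcdf_a)]


if __name__ == "__main__":
    for p in walk_through_fig2():
        print(f"day {p.day:4.1f}: ICDP so far {p.icdp_accumulated:.2e}, "
              f"RMAT day {p.rmat_day:.1f}{' (passed)' if p.rmat_reached else ''}, "
              f"RICT day {p.rict_day:.1f}{' (back-stop)' if p.backstop_limited else ''}")
```

Two design points matter for a real risk monitor: ICDP is cumulative over the whole period of inoperability, so restoring component B at day 21 does not reset it, and the back-stop is measured from the first entry into the limiting condition, not from the latest configuration change; both are why the third projection still reports the RMAT as passed and caps the RICT at day 30.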

4 Application Case

This section elaborates the application of risk assessment and risk management in the plant operation mentioned above through a specific case.

The auxiliary feedwater system (AFW) is a vital system of the plant. When main feedwater is lost, AFW supplies feedwater to the steam generators to remove the heat from the primary reactor coolant system. AFW has two motor-driven pumps and one turbine-driven pump; the turbine is supplied by two parallel steam inlet lines, either of which alone can assure the steam supply. If both lines fail, the turbine loses its steam supply and the turbine-driven pump is unavailable.

The current technical specification[6] only requires that the unit fall back to a lower mode within 24 h (AOT) when the turbine-driven pump is inoperable. In practice, however, operators often meet the situation in which only one steam inlet line has failed, and this leads to two different views. Some operators hold that AFW is an important safety system and that the failure of one steam inlet line degrades it, so the turbine-driven pump should conservatively be considered inoperable; others hold that one failed inlet line does not make the pump inoperable because the other line remains, that treating the pump as inoperable is over-conservative, and that the unnecessary mode change causes unexpected transient risk. These inconsistent standpoints can create problems for safe plant operation.

Thus, the plant uses the risk assessment and management technique mentioned in Section 3.1 to optimize technical specification. A specific term is added in the technical specification, which requires the unit to fall back to a lower mode within 7 d when only one steam inlet line is inoperable. The AOT of 7 d is set by calculating plant risk using PSA.

Another factor must be taken into account: a steam inlet line has to be isolated for maintenance, and on this plant isolating one inlet line makes the other line inoperable as well, so the turbine-driven pump becomes inoperable for the duration of the maintenance.

For this situation the plant can use the RMTS technique of Section 3.2. Suppose one steam inlet line is found inoperable at 8:00 on day 1; the turbine-driven pump will be inoperable while the operators maintain the line. But the meteorological department forecasts that a typhoon will make landfall in the area of the plant at 12:00 on day 1 and last for about one day, until 12:00 on day 2, and according to the plant procedures no maintenance activity may be carried out during a typhoon.

In this case, if the steam inlet line were maintained immediately after being found inoperable, the turbine-driven pump would be inoperable for longer than 24 h, violating the technical specification. With the RMTS technique, the plant can temporarily remain in the configuration with one steam inlet line inoperable until the typhoon has passed (e.g., 18:00 on day 2); the operators then isolate and maintain the inlet line, and during the maintenance the plant is in the configuration with the turbine-driven pump inoperable.

Looking back at Fig. 2, one steam inlet line inoperable corresponds to component A inoperable, and the turbine-driven pump inoperable corresponds to components A and B both inoperable, because the pump becomes inoperable when both inlet lines are inoperable.

This is a typical use of RMTS to support plant operation.

Besides external factors (e.g., weather), other conditions can influence plant operation, such as a shortage of manpower when dealing with emergent events. In such cases the plant can also use the risk assessment and management technique to allocate resources more reasonably and effectively.

All of these applications of risk assessment and risk management will improve the safety and flexibility of plant operation.

5 Conclusions

As the preceding sections have shown, risk assessment and risk management based on PSA play an important role in nuclear power plant operation. The technique improves the flexibility of plant operation and the efficiency with which plant resources are used. It also ensures that the plant is able to analyze and manage its own risk, which enhances the safety of plant operation. Risk assessment and risk management have been widely applied in nuclear power plant operation all over the world, and plant performance has improved markedly as a result. We therefore believe that this technique will be applied even more widely in the nuclear industry in the future.

[1] RG 1.177, U.S. NRC. An Approach for Plant-Specific, Risk-Informed Decisionmaking: Technical Specifications [S].

[2] DS394, IAEA. Development and Application of Level 1 Probabilistic Safety Assessment for Nuclear Power Plants [S].

[3] NUREG-1431, U.S. NRC. Standard Technical Specifications: Westinghouse Plants [S].

[4] SECY-07-0191, U.S. NRC. Update of the Risk-Informed Regulation Implementation Plan [S].

[5] NEI 06-09, Nuclear Energy Institute. Risk-Managed Technical Specifications (RMTS) Guidelines [S].

[6] D-TD/GNP/310. GNPS Document: Justification of the Operating Technical Specifications [S].

1672-5220(2014)06-0895-04

Received date: 2014-08-08

*Correspondence should be addressed to QIU Yan-rong, E-mail: qiuyanrong@chinansc.cn

CLC number:TL 364.+5 Document code: A