Loss of offsite power (LOOP) accident analysis by integration of deterministic and probabilistic approaches in Bushehr-1 VVER-1000/V446 nuclear power plant

2022-07-26 06:05 Mohsen Esfandiari, Gholamreza Jahanfarnia, Kamran Sepanloo, Ehsan Zarifi
Nuclear Science and Techniques, 2022, Issue 5

Mohsen Esfandiari · Gholamreza Jahanfarnia · Kamran Sepanloo · Ehsan Zarifi

Abstract The results of an accident analysis for the loss of offsite power (LOOP) scenario in a reference Bushehr-1 VVER-1000/V446 nuclear power plant (NPP) are presented in this paper. This study attempted to provide a better analysis of LOOP accident management by integrating deterministic and probabilistic approaches. The RELAP5 code was used to investigate the occurrence of specific thermal–hydraulic phenomena. The probabilistic safety assessment of the LOOP accident is presented using the SAPHIRE software. LOOP accident data were extracted from the Bushehr NPP final safety analysis reports and probabilistic safety analysis reports. A deterministic approach was used to reduce the core damage frequency in the probabilistic analysis of LOOP accidents. The probabilistic approach was used to better observe the philosophy of defense in depth and safety margins in the deterministic analysis of the LOOP accident. The results show that the integration of the two approaches in LOOP accident investigations improved accident control.

Keywords Loss of offsite power · Deterministic · Probabilistic · Integration · RELAP5 · SAPHIRE

1 Introduction

When a loss of offsite power (LOOP) accident occurs, the dependence of the power plant’s safety systems on electrical resources disrupts the incident control activities. Particularly, the failure of all instrumentation devices and valves (safety, isolation, etc.) can lead to incomplete accident management. Therefore, the consequences of the impossibility of reducing the pressure and cooling of the reactor core can be irreparable. Many accidents have the potential to convert the onset of an accident into a core damage scenario and, consequently, the release of radioactive material. According to documentation and reports from the International Atomic Energy Agency (IAEA), one of these accidents is the LOOP accident, which can lead to core damage and reactor melting in the nuclear power plant (NPP).

Many studies have investigated the data on LOOP or offsite power restoration. Wierman analyzed LOOP events based on the experience of operating for the fiscal years 1998 through 2012 [1]. This study introduces an engineering and statistical analysis of LOOP frequencies and periods at nuclear power plants in the United States. Johnson et al. [2] analyzed LOOP events based on the experience of operating within calendar years 1987 through 2016. A summary report on events related to LOOP and station blackout (SBO) at NPPs was prepared by Volkanovski et al. [3]. It gives the results of an extensive study on LOOP and SBO events recorded by the Institut de Radioprotection et de Sûreté Nucléaire (IRSN) and Gesellschaft für Anlagen- und Reaktorsicherheit mbH (GRS) during 1992 to 2011. Sun et al. investigated a new thermal optimization scheme for power modules in solid-state amplifiers [4]. In this study, for higher heat transfer, specific measures are presented. Power losses caused by longitudinal high-order modes (HOMs) in the 1.3-GHz cryomodule of the extreme light facility (SHINE) were presented by Guo et al. [5]. They considered and computed several parameters of the power losses. Ling et al. [6] considered a fault prediction method for nuclear power machinery based on a Bayesian PPCA recurrent neural network model. In this study, a new procedure for fault prediction, a main part analysis of probabilistic integration, and other parameters for nuclear power systems are presented, which discuss the uncertainty of data and disordered time series. Li et al. investigated fast nuclide identification based on a sequential Bayesian method [7]. Using the event mode sequence data of target radionuclides, a new identity procedure is proposed in this study. Additionally, the integrated risk informed decision-making (IRIDM) approach and investigation of the combination of probabilistic and deterministic approaches are important issues, which have attracted significant attention in recent years.
Borysiewicz et al. [8] investigated the IRIDM in the nuclear industry. They described a new IAEA concept by applying an approach of integration by combining probabilistic safety assessment (PSA) with deterministic safety assessment (DSA) insights and other provisions affecting the decision-making process. The INSAG has also published a framework for an IRIDM process (INSAG 25, 77) [9]. Additionally, the INSAG identified the principles and key elements of the IRIDM and described their interrelationship. Esfandiari et al. considered the importance of integrating deterministic and probabilistic approaches in the IRIDM framework for nuclear reactors [10]. Cetiner et al. applied the IRIDM to an advanced liquid–metal reactor (ALMR) power reactor inherently safe module (PRISM) [11]. They documented the development of a probabilistic model of a candidate ALMR that mimics the actions of a plant operator given a component failure. Their model can be coupled with the deterministic portion of the autonomous risk-informed decision-making process within a supervisory control system. In a study by Zio et al., the concepts, challenges and research directions were considered for integrated deterministic and probabilistic safety assessments [12]. In this paper, for analyzing the evolution of accident scenarios in complex dynamic systems, they provided an overview of safety evaluation by deterministic and probabilistic integration and considered the related implications in terms of research aspects. Bellaera et al. considered the integrated deterministic and probabilistic safety assessment of the cooling circuit of a superconducting magnet for nuclear fusion applications [13]. Safety assessment methods that incorporate phenomenological models of system dynamics with models of stochastic processes are applied. Additionally, a semi-supervised, self-organizing map for postprocessing the scenarios of an integrated safety analysis is considered by Maio et al. [14].
An approach to grouping and classification of scenarios in an integrated DSA analysis is considered by Galushina et al. [15]. In this paper, an approach is expanded for grouping and describing failure domains. The illustration of an application of the integrated safety assessment methodology to safety margins is considered by Ibánez et al. [16]. This methodology presents the loss exceedance frequency increase in power uprates. Izquierdo et al. investigated the current status of the unified approach known as integrated safety assessment [17]. Using case studies, they presented the feasibility of this approach for application in NPP. Combining insights from probabilistic and deterministic safety analyses for a risk-informed safety analysis was investigated by Dusic et al. [18]. Heo et al. investigated recent research on integrated deterministic-probabilistic safety assessments in Korea [19]. This method may be assumed as a primary invention to acquire the bridging points between deterministic and probabilistic approaches on the pillars of big data technology.

Both deterministic and probabilistic approaches are systematic approaches that aim to ensure that the risk from nuclear facilities to workers and members of the community is adequately controlled. However, these approaches use different evaluation techniques and boundary conditions and have different limitations and strengths. The purpose of the accident investigation with the deterministic approach is to observe the philosophy of defense in depth and safety margins at the time of the accident. Moreover, when considering an accident with the probabilistic approach, the core damage frequency and the risk of the accident should be within the permissible range. Therefore, a DSA is used to reduce the core damage frequency and risk of the accident in PSA.

This study aims to provide an improved analysis of the LOOP accident management and improve IRIDM by integrating deterministic and probabilistic approaches. This study can initiate an extensive revision of other design-basis accidents and beyond design-basis accidents in an NPP.

This study presents the results of an accident analysis for a hypothetical LOOP scenario in a reference Bushehr-1 VVER-1000 reactor. The LOOP event data were extracted from the Bushehr NPP final safety analysis reports (FSAR) [20]. The thermal–hydraulic system code RELAP5 was used to investigate the occurrence of specific thermal–hydraulic phenomena that appeared during the LOOP event [21].

For the PSA analysis of the LOOP accident, the initiating event and relative event tree should be determined, and subsequently, the failure analysis of the safety systems should be performed using the fault tree analysis. The event tree and fault tree analysis of the LOOP event was considered using the SAPHIRE code [22]. The fault tree analysis determines the occurrence probability of top events by determining the minimal cut sets of basic events for the top events. The probability of a fault tree was applied to calculate the probability of the sequences of the event tree. These sequences can be used to determine the frequencies of the core damage states (CDS) and core successful states (CSS). The LOOP event data were extracted from the Bushehr nuclear power plant probabilistic safety analysis reports (PSAR) [23]. The SAPHIRE code results were compared with the PSAR results.

2 Material and method

In order to investigate the LOOP accident, a DSA and PSA were performed, and the accident results were extracted [24, 25]. Then, an appropriate method based on the individual accident analysis was applied to integrate the DSA and PSA approaches and improve the IRIDM process (Fig. 1).

Owing to the complexity of coupling the RELAP5 and SAPHIRE code, several assumptions were used in the study:

· The effect of the control systems is ignored, and it is assumed that the reactor scram occurs 1.5 s after the accident according to the FSAR of the Bushehr nuclear power plant.

· It is assumed that most of the electrical equipment, such as pumps and valves, failed and their condition is extracted from the FSAR of the Bushehr nuclear power plant.

· Regarding the one-dimensional RELAP5 code, most loop equipment such as the steam generators and reactor pressure vessels, are modeled only in the axial direction using control volumes. To present the results along the horizontal direction (vertical to the flow), a cross-flow junction was used to produce two-dimensional results.

· Because of the limited number of meshes in the RELAP5 code (999 volumetric units), only the steam generators (SG) were modeled instead of the entire second loop of the reactor. The different conditions of the flow, pressure, and temperature variation from the FSAR were used as the input control volume with a time-dependent component in the boundary conditions.

· Based on the cut-off criteria (1.0 × 10⁻⁸ 1/year) mentioned in the FSAR and PSAR, the development of sequences 5, 6, and 9 was withdrawn. Additionally, the assumption is that heat removal is performed only through the secondary circuit, and heat removal through the primary circuit by the bleed and feed system is not considered for sequences 3 and 4.

· The discrepancy between the FSAR and PSA results and our results is due to some simplifications, uncertainty in modeling, uncertainty in code calculation, limitation in assignment in the RELAP5 code, and restrictions in the SAPHIRE code.

3 Summary of the probabilistic analysis

The LOOP event represents approximately more than 26% of the core damage (CD) in the Bushehr-1 VVER-1000 reactor. To increase the reliability of the auxiliary power supply system and emergency supply system, transmission lines with different grid voltages are commonly used. Two grids of 400 kilovolt (kV) (main grid), 230 kV (auxiliary grid), and 10 kV buses of the normal power supply system were used in the Bushehr NPP.

Fig. 1 The LOOP consideration process by integration of DSA and PSA approaches

LOOP is an event linked with the loss of the power supply in the Bushehr-1 VVER-1000 NPP, of 10 kV buses from the on-site normal operation sources and off-site sources (400 and 230 kV of grid). A dependent failure of the system of normal heat removal through the turbine condensers is a result of the LOOP.

To achieve a cold shutdown, the following safety functions must be performed [23].

· Actuation of reactor protection system (RPS) and a reactor power reduction to the residual heat release level (function A).

· Provision of mainstream collector (MSC) tightness (function T).

· Restriction of the pressure increase in the secondary circuit (function O′).

· Provision of the SG steam line tightness after the actuation of the SG steam releasing valves (SRD) (functions C4, C3, C2, C1).

· Bringing the reactor plant into the cold shutdown state (CUSS) (function CS).

· Heat removal from the core via the secondary circuit (function HO′′).

The event tree can be constructed according to safety functions and safety systems (Fig. 2). There were ten states for the accident sequences.

· Sequence 1 occurs under the actuation of the reactor emergency protection, provision of MSC tightness, restriction of pressure increment in the secondary loop, provision of the SG steam line tightness after the actuation of FASD-A (fast-acting steam dump valve with discharge to atmosphere (BRU-A)) or SGSV and after the reactor plant is brought into the cold shutdown state (realization of functions A, T, O′, C4, CS). The final reactor plant was in a cold state.

· Sequence 2 occurs when the reactor plant fails to enter the cold shutdown state (failure to perform the CS function). In this case, heat removal from the core through the secondary circuit was performed through the FASD-A or SGSV for 24 h, with the water being supplied to the SG from the feed water pump (FWP), auxiliary feed water pump (AFWP), or emergency feed water pump (EFWP) (realization of the HO′′ function). The final reactor plant was in a hot state.

· Sequence 3 occurs in the non-performance (by the operator) of putting the reactor plant into a cold state and the failure of systems for heat removal via a secondary circuit through an open cycle.

· Sequences 4, 5, and 6 occur in the failure of closing the steam dump (discharge) devices (SDD) at 1, 2, or 3 SGs and a failure of the water supply to SGs from AFWP and EFWP. These sequences led to core damage in the absence of a functional heat removal system.

· Sequence 7 occurs in the non-closure (after opening) of the steam dump devices of all four SGs, which led to core damage owing to the complete loss of heat removal via the secondary circuit.

· Sequence 8 occurs in the failure to open all the steam dump devices FASD-A and SG SV, which led to a complete loss of heat removal via the secondary circuit.

· Sequence 9 occurs at the non-closure of the turbine stop valve (TSV), turbine control valve (TCV), and main steam valve (MSV) which led to leakage in sections of the steam lines that are isolated from the SG.

· Sequence 10 occurs in a reactor emergency protection system failure, which was conservatively considered as core damage.

Allocated event trees should be constructed to achieve the final core damage frequency (CDF). An event tree can be developed from the safety functions and safety systems. The frequency of initiating events and top events in the event tree can be evaluated using appropriate fault trees. The failure probabilities of the top events were evaluated using the appropriate fault trees shown in Table 1. The failure probability of each top event must be evaluated using a logical combination of basic events through logic gates. For this purpose, the fault trees of all safety systems were considered. The basic-event information for the fault tree analysis was entered using code. Additionally, the common cause failures (CCFs) were evaluated using the alpha factor model.

The final core damage states (CDS) and their corresponding frequencies are listed in Table 3. There are ten end states for the sequences. Two of the end states resulted in a successful core state and eight of the end states resulted in a core-damaged state. The highest frequency of the CDSs was related to sequence 3. The total core damage frequency was obtained from the frequencies of the eight CDSs. The total annual CDF is 3.40 × 10⁻⁶. The full event tree diagram is shown in Fig. 2. The results of this section were obtained in other similar studies [24].

4 Summary of the deterministic analysis

In the DSA modeling, all the main components of the primary and secondary loop of the reactor coolant system, the emergency reactor protection and safety injection systems are simulated by the RELAP5 code. The optimized nodalizations of the VVER-1000 reactor are presented in Fig. 3. Real parameters and dimensions were used in the modeling to depict the flow areas, volumes, hydraulic diameters, elevations, heat transfer area, and heat structure masses. On the primary loop, the reactor core, pressure vessel, main circulation pipes and pumps, pressurizer, and relief and safety valves have been modeled. Special attention was given to the modeling of the steam generators and their related safety systems on the secondary loop.

Table 1 A fault tree analysis for top events occurrence probability

Before performing a transient simulation, a steady-state calculation was performed to adjust the boundary conditions that are essential for the analysis of the aforementioned accident sequences. The primary loop conditions as reactor power, SG power, temperature, water mass, and mass flow rates were calculated. The steady-state calculation was carried out for 100 s. The conditions at the end of the steady state simulations are summarized in Table 2.

In the case of a complete loss in the alternating current (AC) power supply, including the failure of diesel-generators, the accident was more severe as all active parts of safety system such as the emergency feed water and emergency core cooling system (ECCS) water failed. However, if the AC electrical power either from the grid or from the diesel-generators is not restored quickly, the consequences to the plant and the public can potentially be extreme. Considering that it is not possible to remove decay heat from the primary circuit, the accident develops and leads to high primary pressure and the periodical opening and closing of the pressurizer safety valves. The loss of primary coolant in the pressurizer safety valve leads to core dry out and further heat buildup and this loss and the transition of the accident into a severe stage, happens as follows:

1. Power supply to the main coolant pumps (MCP) is cut.

2. A reactor scram (control rods drop) occurs owing to the functional loss of three (out of four) of the MCPs.

3. The main and auxiliary feed water systems of the secondary side are switched off.

4. Switch off makeup / letdown system of the primary system.

5. Disconnection of pressurizer (PRZ) system power supply (PRZ heaters).

6. Closing of turbine stop valve (TSV).

7. The fast-acting steam dump valve with discharge to the turbine condenser (BRU-K) connection is blocked due to loss of condenser vacuum.

The initial conditions and availability of systems are as follows:

· NPP at normal operating conditions (100% reactor power).

· SG pressure regulation is available (BRU-A (fast-acting steam dump valve with discharge to atmosphere)).

· For VVER-1000: BRU-A stops at 7200 s (batteries depletion).

Fig. 3 VVER-1000 reactor/nodalization scheme

Table 2 Steady state parameters of the VVER-1000 plant

· Pressurizer relief and safety valves are available.

· Active ECCS (high-pressure injection system (HPIS), low-pressure injection system (LPIS)) are not available.

· Passive ECCS (accumulators) are available.

The calculation was performed for up to 10,000 s when the cladding temperature reaches the safety criteria.

4.1 Results of the DSA analysis

The relative power of the reactor is shown in Fig. 4. The initial event led to all the MCPs being switched off and the activation of the reactor protection system after 1.5 s, owing to three out of the four MCPs being switched off. Subsequently, after 4 s, all the control rods dropped to the bottom of the core. Thus, there was a sudden decrease in the reactor power, but power generation continued owing to the decay heat.

The pressures of the primary and secondary sides for the aforementioned scenario are shown in Figs. 5 and 6, respectively. Shortly after the event, the pressure of the secondary loop increased to the set point pressure thresholds of the steam dump to atmosphere (SDA), after which the BRU-A valve opened. This caused a continuous decrease in the water inventory on the secondary side of the SGs (Fig. 8).

Due to the reduction in the core decay heat, the pressure of the primary loop decreased during the first initial seconds of the accident. The water inventory of the secondary loop continuously evaporated and reduced the liquid level in the secondary loop of the SG, due to the heat being transferred from the primary to the secondary loop (see Fig. 8). With the reducing levels in the SGs, the SG power also decreased and the pressure of the primary loop increased after reaching its minimum. Thereafter, the pressure of the primary loop reached the threshold for opening the PRZ relief valve and there was a blow-down via the valve. After 6500 s, the SG reached its minimum level because of the larger water inventory in the secondary loop. After the SG depletion, the heat transfer from the primary to the secondary loop breaks down and the opening and closing of the pressurizer relief valve is much faster (Fig. 7). The pressurizer level increased with the actuation of the pressurizer relief valve. A transition from a two-phase to single-phase water flow through the valve is observed when the level reaches the position of the relief valve.

The mass inventory of the primary loop decreases and bubbles cover the reactor pressure vessel, due to increasing loss of primary coolant through PRZ relief valves. The natural circulation in the primary loop is interrupted when the water level in the reactor vessel drops below the hot nozzles elevation.

The results indicate that although there is a difference between the present study and the references, the behavior of the systems as observed in diagrams is nearly the same.

The main reason for deviations in these simulations is attributed to the use of different codes and models. Additionally, only the steam generators and their safety systems are modeled in the present model in the secondary side, while other components of the secondary side including turbines are also modeled in the reference study.

The core starts to heat because there is no water supply to the primary loop. The decrease in mass of primary loop leads to the core being uncovered, which results in core dry out. However, the temperature of the fuel cladding does not exceed the safety margin of 1200 °C (Fig. 9). The results of this section are obtained in other studies [25].

5 Analysis of the LOOP accident by integrating deterministic and probabilistic approaches

In the first step, separate deterministic and probabilistic approaches are used to consider the LOOP accident. In the case of nuclear accidents, the accurate and complete analysis of an accident is possible by integrating the deterministic and probabilistic approaches. In the second step, the results obtained from the integration of the two approaches resulted in an improvement of the IRIDM process. In this case, one approach is used as a base approach and the other is used to improve the results of the base approach.

Fig. 4 Reactor relative power

Fig. 5 (Color online) Primary side pressure

Fig. 6 (Color online) Secondary side pressure

In the first step, if the DSA is taken as the base approach, after the accident analysis by the probabilistic approach and the analysis of the event tree and related fault trees, the branches that lead to core damage in the event tree are identified. Since core damage is associated with a failure of the top event and its safety system, the importance of the success of the safety system in the accident control is obvious. By considering the fault trees of the safety system, the parameters or so-called basic events that affect the system’s failure are determined. Subsequently, the role of these basic events in the DSA analysis is determined by considering their importance and all aspects of safety and cost–benefit considerations, and the necessary changes for improving the methods for DSA studies. The results of these changes are considered to better observe the philosophy of defense and safety margins. As shown in the probabilistic analysis and appearing in the related event tree (Fig. 2), all sequences after sequence 3 can lead to reactor core damage based on the assumptions. By considering these sequences, the safety systems whose function is important for safe operation without core damage are as follows:

Fig. 7 (Color online) Water level of pressurizer

Fig. 8 (Color online) Water level of SG

· Heat removal system from the core by secondary circuit (HRSO),

· SG Steam Release valves System (SRD),

· System related to main steam valves performance (MSV),

· TCV and TSV.

The following are important considerations in the HRSO system: the fault tree, the role of the AFWP and FWP, the function of the relevant check valves, the steam generator safety valves, and the function of the vapor bypass valves to the condenser, particularly, the function of the BRU-A valve. In the case of the SRD system, the vapor generator safety valves and especially the BRU-A valve function are very important.

Therefore, core cooling by the secondary circuit is important. Moreover, the secondary circuit pressure must remain within the acceptable range and vapor depletion should be done in a timely manner, to prevent the increase in vapor pressure in the steam generator. In addition, the water level in the secondary circuit should not be lower than the permissible range in order for it to cool the main primary circuit. Because of the power disconnection in the power plant, the role of passive systems is very important. Several suggestions can be made to improve the performance of safety systems for the removal of excess residual heat from the core and for the prevention of additional damage. For this reason, to achieve better steam depletion and suitable conditions for feed water supply to the secondary circuit, the following changes were made in the DSA simulation.

Fig. 9 (Color online) Fuel cladding temperature

· Two passive valves (one to the atmosphere (as BRU-A) and one to the condenser (as BRU-K)) were added for further depletion of steam and reduction in the excess pressure imposed on the steam generator. These passive valves were proportional to the pressure variations.

· To prevent the premature reduction in the water level in the secondary circuit, two passive check valves for feed water supply to the secondary circuit were added at the inlet of the feed water to the steam generator and auxiliary feed water to the steam generator according to the variation in the pressure and water level of the steam generator. This is the minimum possible activity, which is less costly to maintain the normal conditions and requires more time to control the accident. Due to these changes, the condenser modeling was also added to this section to observe any improvements of the DSA results.

5.1 Results of integration of deterministic and probabilistic approaches on deterministic studies

The relative power of the reactor is presented in Fig. 4. As mentioned above, the reactor scram occurred after the LOOP accident. After this event, the reactor power decreased suddenly but power generation continued owing to the heat decay.

Figure 5 shows the pressure variations in the primary circuit. A pressure drop occurs after the reactor scram. Thereafter, the pressure of the primary loop drops because of the reduction in the core decay heat during the initial seconds of the accident. Because of the operation of the added steam depletion valves and the transfer of water to the steam generator by the added check valves, it was observed that the primary circuit pressure loss is greater than the DSA calculation, and the primary circuit pressure increase occurs later than the DSA calculation.

As shown in Fig. 6, for the integration condition, the secondary circuit pressure oscillation decreased and remained within the safe limits when considering the changes in the secondary circuit pressure. This behavior is due to better steam depletion in the steam generator.

The change in the pressurizer water level was proportional to the variation in the primary circuit pressure. As shown in Fig. 7, the pressurizer water level was proportional to the changes in the pressure of the primary and secondary circuits. Due to the higher-pressure drop in the primary circuit, the pressurizer water level was lower than that for the DSA calculation. In addition, the primary circuit pressure increase occurred later than in the DSA calculation. Therefore, the pressurizer water level increased later. Finally, there was a sharp drop in the pressurizer water level due to heating of the core.

Fig. 10 A section of the fault tree diagram of the heat removal system from the core by secondary circuit

Figure 8 shows the decrease in water level of the steam generator over time. The water evaporated and reached a minimum level because of the heat transfer from the primary circuit to the secondary circuit. The slope of the secondary circuit water level is softer than the previous calculation because of the operation of the added changes. The reduction in the secondary circuit water level is associated with a slower rate. Therefore, the minimum water level was reached after more than 6500 s.

The decrease in the water level in the steam generator had an effect on the core heat up; therefore, the clad temperature increase is associated with a slope smaller than that in the DSA study (Fig. 9). Because heat removal from the primary circuit was improved by the secondary circuit, the water level in the steam generator reached its minimum level after the DSA calculation time.

The results of the deterministic approach were improved by using a probabilistic approach and applying appropriate changes. Alternatively stated, the study showed a better observation of the defense in depth philosophy and safety margin maintenance.

5.2 Results of the integration of the deterministic and probabilistic approaches on probabilistic studies

In the second step, the PSA approach is based on the analysis of the accident using the DSA approach, and identifying the most important success criteria in this approach. The required changes in the PSA approach were implemented. Additionally, its effect on the core damage frequency was investigated.

By considering a deterministic study, it is evident that the most important success criterion in this approach is the performance of the BRU-A valve. In the probabilistic study, described above, the performance of the HRSO from the secondary circuit had the greatest effect on the final core damage frequency. However, the performance of the BRU-A valve directly affected the success or failure of the system (Fig. 10).

Fig. 11 A section of the fault tree diagram of the HRSO after applying the changes

Fig. 12 Event tree for the LOOP analysis and occurrence frequency of sequences (under the integration condition)

The changes in the HRSO system were investigated. Owing to equipment redundancy, this change was applied as an "AND" gate in the fault tree of the HRSO system. The corresponding fault tree was obtained after applying the desired change as shown in Fig. 11.
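The minimal-cut-set calculation described in the Introduction and the AND-gate change described above, worked through as an added example (it is not the authors' SAPHIRE model). The gate structure, event names, and every probability and frequency are constructed for illustration and are not Bushehr FSAR/PSAR data; the top-event value is the min-cut upper bound under the assumption of independent basic events.

```python
"""Toy fault-tree evaluation: minimal cut sets and the effect of an AND gate.

All gate structure and probabilities below are constructed for illustration;
they are not taken from the Bushehr FSAR/PSAR or from the SAPHIRE model.
"""
from itertools import product
from math import prod

# Constructed basic-event failure probabilities (per demand).
BASIC = {
    "BRU_A_FAILS_TO_OPEN": 2.0e-3,
    "FEED_CHECK_VALVE_STUCK": 1.0e-4,
    "AFWP_FAILS": 1.0e-2,
    "EFWP_FAILS": 2.0e-2,
    "PASSIVE_VALVE_FAILS": 1.0e-2,  # hypothetical added passive relief valve
}

# gate name -> (gate type, children); a child not in the dict is a basic event.
BASE_TREE = {
    "HRSO_FAILS": ("OR", ["BRU_A_FAILS_TO_OPEN", "FEED_FAILS"]),
    "FEED_FAILS": ("AND", ["AFWP_TRAIN_FAILS", "EFWP_TRAIN_FAILS"]),
    # Both feed trains share one check valve, so it appears under both gates.
    "AFWP_TRAIN_FAILS": ("OR", ["AFWP_FAILS", "FEED_CHECK_VALVE_STUCK"]),
    "EFWP_TRAIN_FAILS": ("OR", ["EFWP_FAILS", "FEED_CHECK_VALVE_STUCK"]),
}


def minimize(sets):
    """Drop duplicates and any cut set that strictly contains another one."""
    uniq = set(sets)
    minimal = [s for s in uniq if not any(other < s for other in uniq)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def cut_sets(tree, node):
    """Minimal cut sets of `node`, expanded top-down through OR/AND gates."""
    if node not in tree:                      # basic event
        return [frozenset([node])]
    kind, children = tree[node]
    expanded = [cut_sets(tree, child) for child in children]
    if kind == "OR":                          # any child's cut set fails the gate
        sets = [cs for child_sets in expanded for cs in child_sets]
    elif kind == "AND":                       # one cut set from every child
        sets = [frozenset().union(*combo) for combo in product(*expanded)]
    else:
        raise ValueError(f"unknown gate type {kind!r} at {node}")
    return minimize(sets)


def top_probability(tree, top, basic=BASIC):
    """Min-cut upper bound, assuming independent basic events."""
    cs_probs = [prod(basic[e] for e in cs) for cs in cut_sets(tree, top)]
    return 1.0 - prod(1.0 - p for p in cs_probs)


def with_redundancy(tree, event, backup):
    """Copy of `tree` where `event` only counts if `backup` fails too."""
    gate = f"{event}_AND_{backup}"
    new = {name: (kind, [gate if c == event else c for c in children])
           for name, (kind, children) in tree.items()}
    new[gate] = ("AND", [event, backup])
    return new


def sequence_frequency(initiator_per_year, failed_top_events):
    """Event-tree sequence frequency: initiator frequency times the
    failed-branch probabilities (success branches taken as ~1)."""
    return initiator_per_year * prod(failed_top_events)


MODIFIED_TREE = with_redundancy(BASE_TREE, "BRU_A_FAILS_TO_OPEN",
                                "PASSIVE_VALVE_FAILS")

if __name__ == "__main__":
    for label, tree in (("base", BASE_TREE), ("modified", MODIFIED_TREE)):
        p = top_probability(tree, "HRSO_FAILS")
        print(label, [sorted(cs) for cs in cut_sets(tree, "HRSO_FAILS")], f"{p:.3e}")
        # Constructed initiator frequency (0.1/yr) and CS-failure probability.
        freq = sequence_frequency(1e-1, [5e-2, p])
        print(f"  sequence frequency: {freq:.3e} per year")
```

The shared check valve survives as a single-event cut set in both trees, so the added AND gate lowers only the BRU-A contribution; a shared or common-cause event of this kind limits what redundancy can buy.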

Table 3 Frequencies of the core damage states

After the fault tree and event tree analyses, it was observed that the failure probability of the top event, relative to the secondary circuit heat removal (HO′′), decreased by 0.12, reaching 1.59 × 10⁻³. The core damage frequency in sequence 3 changed to 2.52 × 10⁻⁶ (Fig. 12). The total core damage frequency reached 3.21 × 10⁻⁶, as shown in Table 3.

It can be concluded that the results of the probabilistic approach were improved by using a deterministic approach and applying appropriate changes. The core damage frequency decreased, and thus, the result of this change was acceptable.

6 Conclusion

In this study, several deterministic and probabilistic assessments of LOOP accidents were performed to better analyze LOOP accidents. The study showed that deterministic studies can be completed using the probabilistic method, and vice versa. The deterministic analysis does not consider many of the contributing factors, whereas the probabilistic safety assessment considers the probable factors in determining the occurrence frequency and overall risk.

Moreover, the results demonstrated that DSA and PSA coupling improved the accident analysis by delaying the start of an extended core dry-out. Additionally, core cooling was ensured for a longer time and the core damage frequency decreased. This method can be used to improve other nuclear accident sequences.

Author’s contribution All authors contributed to the study conception and design. Material preparation, data collection, and analysis were performed by Mohsen Esfandiari, Gholamreza Jahanfarnia, Kamran Sepanloo, and Ehsan Zarifi. The first draft of the manuscript was written by Mohsen Esfandiari and all authors commented on previous versions of the manuscript. All authors read and approved the final manuscript.