47
Application of a Level 2 PSA to Advanced Gas-cooled Reactors: A Hunterston B Power Station pilot study Dr Charles Shepherd & Andrew Butcher
Application of a Level 2 PSA to
Advanced Gas-cooled Reactors:
A Hunterston B Power Station pilot
study
Dr Charles Shepherd & Andrew Butcher
2
Background
March 2011 - Fukushima Daiichi Nuclear disaster
following earthquake and tsunami.
September 2011 - Dr Weightman report on the
implications for the UK nuclear reactors.
– Specifically Recommendation FR4 related to
PSAs
September 2013 – To support EDF Energy’s
response to FR4, CRA develops the UK’s first
Level 2 PSA for an Advance Gas-cooled Reactor.
Introduction
This presentation with be in two parts:
The methodology developed by CRA to
produce the UK’s first Level 2 PSA for an
AGR.
The application of this methodology to the
development of a pilot Level 2 PSA for
Hunterston B Power Station.
3
Development of the Level 2 PSA
Methodology for the AGRs
Dr Charles Shepherd, BSc (Hons), MSc, Phd
Chief Consultant, CRA
5
Level 2 PSA
methodology
LEVEL 2 PSA
Input from Level 1 PSA
1. Plant Familiarisation
2. Grouping into Plant Damage States
3. Accident Sequence Modelling/ Event Trees
Output to Level 3 PSA
4. Containment/ PCPV Performance Analysis
5. Grouping into Release Categories
6. Source Term Analysis
7. Quantification of the Analysis
8. Uncertainty Analysis and Sensitivity Studies
9. Use of the Results of the Level 2 PSA
10. Documentation of the Analysis
An
aly
sis
to s
up
port
Lev
el 2
PS
A
6
Aims of the Level 2 PSA for the AGRs
• To gain insights into how severe accidents progress, the operator
actions that could be carried out to mitigate the consequences and the
physical events that could occur
• To identify the accident sequences that make a significant
contribution to a large release of radioactive material to the
environment
• To identify plant specific vulnerabilities
• To determine whether there are sufficient provisions to manage
severe accidents
• To investigate the effectiveness of the Severe Accident Guidelines
(SAGs) and suggest improvements
7
PWR severe accidents
Core melt, relocation in vessel
H2 / steam explosion in reactor pressure vessel
Vessel failure/ high pressure melt ejection
H2 / steam explosion in containment
Molten core-concrete interaction
Operation of safety systems
• Containment isolation, H2 igniters/ re-combiners,
containment coolers/ sprays, filtered containment vent
• Molten core catcher/ cooling system
Challenges to barriers to release
• Reactor pressure vessel
• Containment building
8
AGR severe accidents
Prompt criticality
• Positive moderator coefficient/ recriticality at
about 1150oC with all control rods in
• Failure of core support structures/ reactivity
addition if control rods remain suspended
Steam explosion
• Following boiler tube leakage where there is
water in basement of pressure vessel
Molten core-concrete interaction
Challenges to PCPV
• Failure of penetrations
• Gross failure under pressure
9
Plant Damage States - PWR
PDSs form the interface between Level 1 PSA and Level 2 PSA
• Level 1 PSA identifies accident sequences that would lead to core damage
• Starting point/ boundary conditions for progression of severe accident
PDSs defined in terms of attributes
• Type of initiating event (intact circuit, LOCA, containment bypass)
• Primary system pressure at time of core damage (high, low)
• Status of the safety systems (SG feed, emergency core cooling) and support
systems (electrical power, cooling water)
• Status of containment systems (isolation, fan coolers, spray, H2 systems)
• Integrity of the containment (intact, failed, bypassed)
Used to define full set of PDSs; grouped/ condensed into set used in
analysis
10
Plant Damage States - AGR
Level 1 PSA identifies accident sequences that would lead to a Dose
Band 5 (DB5) release
PDSs defined in terms of attributes
• Type of initiating event (intact circuit, depressurisation fault, boiler tube leakage)
• Operation of reactor trip/ shutdown/ hold-down systems
• Operation of boiler feed systems for post trip cooling
• Availability of equipment (gas circulators, pressure vessel cooling, boiler
depressurisation)
Used to define full set of PDSs; grouped/ condensed into set used in
analysis
• 10 PSA attributes identified; 60 PDSs defined by attributes; grouped/ 15 APETs
produced
11
Containment Event Trees - PWR
Nodes presented in time sequence
• Core melt before vessel failure; at vessel failure; shortly after vessel failure;
longer term; very long term
Number of nodes
• Needs to be sufficient to model all mitigating actions/ physical events
• Small CETs with 20 to 30 nodes; Large CETs with >30 nodes
Operator actions to mitigate severe accident
• RPV depressurised in timeframe x
• Containment filtered vent operated in timeframe y
Occurrence of physical events
• Does a steam explosion in timeframe z (in-vessel or ex-vessel)
12
Differences between analysis for PWR and AGR
Endpoints of Level 1 PSA different
• PWR – core damage
• AGR – sequence would lead to a DB5 release
– Need to take account of other possibilities to restore post trip cooling
– Equipment stored off-site that can be brought in following the declaration of a
site incident; includes pumps and power supplies
Barriers to the release of radioactive material for a severe accident
• PWRs have two barriers and protection for these barriers
– Reactor pressure vessel: primary circuit depressurisation; flooding vessel cavity
to prevent vessel failure/ in-vessel retention
– Containment: fan coolers; sprays; H2 control; filtered containment vent
• AGRs have one barrier – concrete pressure vessel
– Protection depends on core cooling and primary circuit depressurisation
13
Accident Progression Event Trees – AGR (1)
Possible operator actions identified from SAGs
• {Plant integrity management} close gas domes to protect boilers
• {Restore PTC using on-site equipment} by identification/ recovery of operator
errors
• {Restore operation of the pressure vessel cooling water system} to protect the
penetrations
• {Depressurisation of primary circuit} to protect the pre-stressed concrete
pressure vessel
• {Water injection into the primary circuit and steam venting} to provide core
cooling and protect boiler supports
Operator actions that are not possible
• Feed and bleed cooling using CO2 or N2 – heat removal rate not high enough
• All methods of inserting negative reactivity
14
Accident Progression Event Trees – AGR (2)
Physical events identified from SAGs/ BDB analysis
• <Stuck open SRV> opened due to accident sequence being modelled
• <Prompt criticality>
• <Failure of core support structures>
• <Steam explosion>
• <Molten core-concrete interaction> which would occur in the long term
following core relocation to basement of PCPV
• <Failure of the PCPV> where the possible outcomes are PCPV intact, pre-
existing depressurisation fault, penetration failure, gross failure
Physical events not included
• Combustible gas explosion inside or outside the PCPV
• Graphite fire
15
Accident Progression Event Trees – AGR (3)
APETs presented in two parts
APET1 Timeframe 1 – from start of accident sequence to irrecoverable loss of core
cooling
Operator actions: restoration of core cooling
Physical events: failure of boiler supports/ boiler penetration failure
APET2 Timeframe 2 – from irrecoverable loss of core cooling to substantial core
relocation
Timeframe 3 – long term after core relocation
Operator actions: none
Physical events: prompt criticality (T2), steam explosion (T2), molten core-
concrete interaction (T3), failure of pressure vessel (T2/T3)
16
Release Categories/ Source Term Analysis - PWR
Endpoints of the CETs grouped into Release Categories (RCs)
Aim is to define the quantity of radioactive material and the
characteristics of the release for each of the RCs
Attributes used to define the RCs
• Time at which the release starts; retention of radioactive material
• Mode and time of failure of the RPV/ containment
• Operation of the active mitigating systems/ passive mitigating systems
• Duration of the release; release rate; location of the release; energy content (for
Level 3 PSA)
Full set of RCs condensed into the set used for the analysis
Source term analysis carried out for one or more bounding/
representative sequence in each RC
Source Term Analysis done using one of the integral codes – MAAP,
MELCOR, ASTEC
17
Source Term/ Release Categories - AGR
Endpoints of the APETs grouped into Release Categories (RCs)
Attributes used to define the RCs
• Accident sequence type: failure to shutdown, total loss of all core cooling
• PCPV failure mode: intact, pre-existing breach, penetration failure, gross failure
• Energetic event: prompt criticality, steam explosion inside PCPV
• Molten core-concrete interaction
Attributes define 32 RCs; grouped into 5 RC Groups • PCPV intact
• PCPV failed/ no energetic events/ no MCCI
• PCPV failed/ energetic event occurs/ no MCCI
• PCPV failed/ no energetic events/ MCCI occurs
• PCPV failed/ energetic event occurs/ MCCI occurs
RC attributes/ RCs/ RC Groups defined using judgement
No Source Term Analysis has been carried out for the severe accident
sequences identified by the APETs
18
Analysis to support the Level 2 PSA - PWRs
Integral codes available - MAAP, MELCOR, ASTEC
Able to model all aspects of the severe accident behaviour in an
integrated analysis
• Thermal-hydraulic response of the reactor, heat-up of the core
• Fuel damage/ melting/ relocation
• Containment loadings/ response
• Release of radioactive material from the fuel, transport through reactor coolant
system/ containment, release to the environment
19
Analysis to support the Level 2 PSA - AGRs
No integral codes
Limited analysis for the accident sequences identified in the APETs
Depends on existing analysis for severe/ Beyond Design Basis accidents
Expert Judgements made in many areas:
• Steam explosion is possible after a boiler tube leakage fault and is “likely” to cause
gross failure of the PCPV
• Probability of core slump before moderator temperature heats and causes prompt
criticality is 0.5
• Prompt criticality would lead to a rapid release of energy and gross failure of the
PCPV
20
Expert judgement - PWR
Formal structured process used for NUREG-1150
Used for issues where uncertainties large, no widely accepted models,
risk significant including:
• Probability of temperature-induced reactor coolant hot leg failure and SGTR
• Magnitude of in-vessel hydrogen generation
• Mode of temperature-induced reactor vessel bottom head failure
• Containment pressure increase at reactor vessel breach;
Steps in the process:
• Selection of issues; selection of experts; training
• Presentation of material; review/ analysis by experts
• Elicitation of expert’s conclusions; derivation of probability distributions;
documentation
Current practice is to use an expert judgement process
21
Expert judgement - AGR
Used extensively due to large uncertainties in severe accident
phenomena/ possibilities for mitigating consequences
Expert judgement fora include:
• AGR PSA Level 2 Extension Expert Judgement Panel
• EDF/CRA Level 2 PSA Workshops
• CRA internal model development meetings
Issues addressed by EDF Expert Panel include:
• Beyond design basis initiating events and internal/ external hazards
• Recovery of pressure vessel cooling system
• Feasibility of accident mitigating actions included in Severe Accident Guidelines
• Water injection into the reactor following irrecoverable loss of core cooling
Judgements documented with reasoning in minutes of meetings/
analysis reports
Development of a pilot Level 2 PSA for
Hunterston B Power Station
Andrew Butcher, BSc, MSc, CPhys
Consultant, CRA
Level 1 PSA Overview
Design Basis Faults >1E-7 per reactor year.
Beyond Design Basis Faults <1E-7 per
reactor year.
Current HNB Level 1 PSA only models
Design Basis Faults.
A number of new Beyond Design Basis
Level 1 ETs have been created so that
these faults can be included in the Level 2
PSA.
23
Level 1 PSA Event Tree Fundamentals
Fault Schedule => Bounding Fault Schedule.
Level 1 PSA model has an Event Tree per
Bounding Fault.
24
Example of fault schedule??
Forced Gas Circulation
(FGC) Based PTC
Natural Circulation
(NC) Based PTC
BF01.0 1.1 1.87E+00 2 2.09E+00
1.2 3.39E-02
1.3 1.50E-01
3.3(a)(i) 1.40E-03
5.1(a)(i) 1.00E-04
5.1(b)(i) 2.00E-02
6.4 2.00E-02
10.8.1 1.74E-03
2011 PSA
Update
Bounding
Fault
Frequency
Bounding
Fault
Bounding
Fault Title
Criteria for Successful
Reactor Trip and
Shutdown used for
the PSA
2011 PSA
Update
Estimated
Error
Factor
Fault Freq.
(pry)
(see App
C&E, Table 1)
Faults
Bounded
Criteria for Successful Post Trip Cooling (PTC) used for
the PSA Availability and Configuration of
Post-trip Cooling Systems
Modelled in the Event Tree
All quadrants available for PTC.
FGC provided by RSSE/ operator
initiated ‘No.2’ GCs.
FGC provided by operator
initiated ‘No.1’ GCs.
Boiler feed provided by the HP
feed system or LP feed system,
or BUCS.
Operator action to reduce HP
and LP feed flow to 2 quadrants
at 1 hour has also been credited
in order to conserve feed stocks.
The Station Fire Tender Pump
manually connected to the BUCS
pumphouse is available to be
commissioned within recovery
timescales.
Spurious
trip.
Not applicable - for
faults bounded by this
bounding fault the
main guardlines have
already been tripped
following the
initiating event.
With PVCW available:
RSSE/operator
establishes FGC by at
least one gas circulator
(GC) with the IGVs
correctly set, in a
quadrant supplied with
HP or emergency LP feed
within 60 minutes of
reactor trip (RT) to
prevent the lifting of the
lowest set CPV SRV.
With PVCW available:
NC of CO2 gas in at least 1
quadrant fed by HP, LP feed
or BUCS within 90 minutes
of RT to prevent the lifting
of the lowest set CPV SRV.
NC of CO2 gas in at least 1
quadrant fed by the Station
Fire Tender Pump within 8
hours of RT with the lowest
set CPV SRV reseating
following successful l ift.
CPV SRV reseat failure
requires manual isolation
within 90 minutes to
maintain successful NC
PTC.
Integrating the Level 1 and 2 PSAs
The Level 1 PSA simply assigns a Doseband
5 (DB5) consequence to the end of the
accident sequences (assumed releases > 1
Sievert), without making any distinction of the
size of this DB5 release.
The Level 2 PSA examines how these
releases could come about to understand the
nature and magnitude of these releases.
26
First step is to assign a Plant Damage State
(PDS) to each DB5 sequence.
The PDSs are the input to the Level 2 PSA
APETs and form the boundary between the
Level 1 and 2 PSAs.
27
Linking the Level 1 – Level 2 PSAs (1)
Scale of the PSAs
APET1 a
APET1 b
APET1 c
…
APET1 g
APET1 h
29
~200 BF ETs ~15 APET1s ~10 APET2s
BF01.0
BF02.0
BF02.1
BF03.0
….
….
BF45.0
BF46.0
APET2 a
APET2 b
…
APET2 d
APET1s – Recovery APETs
APET1s consider the recovery actions that
may be claimed to limit the accident
progression.
Operator recovery actions are fundamental
for this stage of the accident progression.
Existing plant systems are claimed along
with off-site back up emergency equipment.
30
Level 2 APET1 – Example 1
APET1 (IN).(C)
– All Intact Circuit Faults, e.g. Spurious trip,
electrical faults, feed faults, etc.
– Trip & Shutdown Successful
– Total loss of Post Trip Cooling
– Pressure Vessel Cooling Water Available
31
Level 2 APET1 – Example 1
The focus of APET1 (IN).(C) is to:
Blowdown the reactor and prevent failure of
the Pressure Vessel.
And
Re-establish core cooling to control core
temperatures and prevent fuel/clad melt or
failure of the core support structures.
32
Level 2 APET1 - Example 2
APET1 (DVSB).(C)
– Depressurisation Fault
– Trip & Shutdown Successful
– Post Trip Cooling Failure
– Very Small Breach
34
Level 2 APET1 - Example 2
The focus of APET1 (DVSB).(C) is to:
Seal the breach and contain any radioactive
release from the primary circuit.
And
Re-establish core cooling to control core
temperatures and prevent fuel/clad melt or
failure of the core support structures.
35
APET1 Sequence Consequences
The end-points of the APET1 sequences have been
assigned new consequences.
Where the severe accident has been:
– mitigated by successful recovery actions, the
sequence is assigned DB1 to DB4;
– limited by some successful recovery actions, the
sequence is assigned ‘FML’ or Fuel Melt Limited.
These sequences are terminated at this point;
Where the severe accident has resulted in an
irrecoverable loss of core cooling, the accident
progression is continued in the APET2s.
37
APET2s – Physical APETs
APET2s consider the physical phenomena that
may occur in the core.
No operator recovery actions are considered
effective at this stage of the accident progression.
Split fractions are assigned to the sequence
branch points to provide a judgement, in the
absence of any other information, on how likely the
phenomena will be to occur.
E.g. Highly Likely (0.99), Likely (0.75), Medium
(0.5), Unlikely (0.25) etc.
39
APET2 Example 1
APET2 (I-A-D)
– Pressure Vessel Intact
– Reactor at Atmospheric Pressure (Depressurised)
– Total Loss of Core Cooling
– No In-Vessel Water (Dry)
40
APET2 Example 1
APET2 (I-P-W)
– Pressure Vessel Intact
– Reactor Pressurised
– Total Loss of Core Cooling
– In-Vessel Water (applicable for Boiler Tube
Leakage faults)
42
Release Categories
Each sequence end-point in the APET2s has been
assigned a Release Category consequence.
A total of 32 Release Categories have been
identified.
The 5 Release Category Groups will be used to
assess the likelihood, for these severe accidents, of:
– PCPV intact
– PCPV failed/ no energetic events/ no MCCI
– PCPV failed/ energetic event occurs/ no MCCI
– PCPV failed/ no energetic events/ MCCI occurs
– PCPV failed/ energetic event occurs/ MCCI occurs
44
Insights from the HNB Level 2 PSA
Provides an understanding of how severe accidents
progress.
Identifies the important recovery actions, the physical
events and potential vulnerabilities.
Provides an input to the future development of:
– The Symptom Based Emergency Response
Guidelines (SBERGs), and;
– The Severe Accident Guidelines (SAGs).
Identifies areas where there is a high level of uncertainty
and a lack of knowledge about how severe accidents
would progress.
45
Conclusions
CRA has produced the UK’s first Level 2 PSA
for an AGR.
Supporting EDF Energy in responding to the
UK Regulator’s FR4 recommendation.
46
47
OUR MISSION:
To be the premier risk management consultancy
of the 21st century and beyond.
