program/abstract book - meetings and conferences online home

1

Dear Colleagues:

Welcome to Wilmington, North Carolina, the site of the 2011 International Topical Meeting on Probabilistic Safety Assess-ment, (PSA 2011). This is the most recent of a series of topical meetings on PSA sponsored by the American Nuclear So-ciety Nuclear Installation Safety Division. The Wilmington Local Section of American Nuclear Society is proud to act as the host for this important meeting.

In addition to the society sponsorship we would like to recognize our other sponsors. Our major sponsors include ERIN Engineering and Research, GE Hitachi Nuclear Energy, and Scandpower. Additional exhibitors and sponsors include Engi-neering, Planning & Management, Inc. (EPM), Curtiss Wright Flow Control (Scientech), Maracor, Nuclear Safety Associates (NSA), Sandia National Labratories, and Westinghouse.

The purpose of PSA 2011 is to provide a world stage for presenting and discussing the development and evolution of proba¬bilistic methods and their use in the risk management of nuclear facilities. Although we consider PSA to be a mature technology, we continue to see changes and improvements in the methods and standards as a result of new applications, particularly as it applies to the development of risk management methods and approaches, as well as, in advanced reactor design. The changes in PSA methods are evident in technical areas such as Fire PSA, Seismic PSA, Passive Design PSA, and Dynamic PSA, all of which are focus areas for PSA 2011. These changes highlight the importance of the PSA 2011 conference, where many of the PSA advancements will be shared and discussed. Important issues such as aging workforce and translating PSA insights to organizational risk management approaches are important aspects for improving and matur-ing our technology for the next generation of risk practitioners. The PSA conference will continue to grow in importance for knowledge management and learning, which is why we have sponsored additional student participation and a best student paper award for the conference.

We encourage you to take some time and attend a session or two outside of your area of specialty and learn about the diversity of applications of Probabilistic Safety Assessment. We also encourage you to ask questions and get into extensive dialogue with other attendees, which helps build new bridges and broadens our field of thinking while making some new friends in the process.

Approximately 250 full papers have been contributed from the international community, and we are proud of the additional international participating from outside the US including papers from over 25 countries and registrants from over 30 coun-tries. We appreciate our Technical Program Co-Chairs’ efforts to organize this expanded participation.

On behalf of the members of the organizing committee we invite you to actively participate in the conference and wish you a great stay in Wilmington. We hope you can experience true southern hospitality during your stay, so feel free to call upon any of the local participants to assist you during your visit.

Rick Grantom Dennis HennekeGeneral Chair Technical Program Chair

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMarch 13-17, 2011

Foreword

2

The Probabilistic Safety Analysis (PSA) 2011 Conference Organizing Committee wishes to express our gratitude to the many people and organizations that have contributed to this conference. The ANS’ Nuclear Installation Safety Division (NISD) and the Wilmington Local Section of the ANS provided volunteers that organized and managed the Wilmington, NC, topical meeting. The financial and logistical support provided by contributing sponsors significantly enhanced the confer-ence experience.

In particular, the NISD acknowledges each author and participant for your interest, technical contributions and willingness to actively participate. Each participant’s paper and presentation represents a significant investment, sometimes summarizing years’ worth of effort by the authors. These authors’ efforts are invaluable in the PSA community.

The PSA 2011 Conference organizing committee acknowledges the significant contributions of our sponsors, ERIN Engi-neering and Research, GE Hitachi Nuclear Energy and Scandpower, along with Curtiss Wright Flow Control (Scientech), Engineering Planning & Management, Inc. (EPM), Maracor, Nuclear Safety Associates (NSA), Sandia National Laboratories (SNL) and Westinghouse.

There were numerous individuals that disseminated the notice of this meeting and encouraged submission of technical pa-pers. This support facilitated a very strong performance by the Technical Program Committee with nearly 260 papers from over 30 countries.

In particular, the ANS NISD acknowledges the following individuals for their volunteer efforts and dedication to facilitate the technical program of this conference; Dennis Henneke, Dr. Enrico Zio, Kohei (Kevin) Hisamochi, Joon-Eon Yang, David Johnson, Dr. Nathan Siu and Dr. Bulent Alpay.

The management and organization of PSA 2011 was made possible by the volunteer effort and dedication of the following individuals, Drs. Phillip & Karen Ellison, Dr. Theron Marshall, Dr. Kurshad Muftuoglu, Rick Grantom, Matthew Warner, Dr. John Bennion, Lisa Marshall, Dr. Jonathan Li, Tyler & Lauren Schweitzer, Glen Seeman, Randy Morrill, Jim Fawks, Eliza-beth Dunn, Jesus G Diaz-Quiroz, Benjamin Schmidt, James Young and Jose Caro.

In addition, the conference organization committee acknowledges insights provided from the PSA 2008 organization com-mittee and the NISD PSA steering committee members: Dr. Robert Budnitz, Dr. Charles Martin, Dr. Ian Wall and Dr. Kevin O’kula. These insights and the contributions from Drs. George Apostolakis, Michael Corradini and John Kelly are seen throughout the program’s organizations.

Of particular note are the invaluable contributions made by Mrs. Hanna Shapira of Techno-Info Comprehensive Solutions (TICSs) on the Web Site design and Online Software. The conference organization committee expresses our sincere ap-preciation for the professionalism, technical skill, and patience she provided.

Best Regards

Dr. Phillip G. EllisonCo-Chair: PSA 2011 Conference


Acknowledgement

3


Welcome

March 2011

SCIENTECH WELCOMES YOU TO PSA 2011

Welcome to Wilmington! Scientech, a business unit of Curtiss-Wright Flow Control Company,is pleased you are here. As the sponsor of the golf outing, we look forward to seeing you on the links and throughout the conference.

Scientech is a worldwide provider of expert services and products to the nuclear power industry and is dedicated to providing solutions to the current and future fleet. We are currently participating in full scope internal event upgrade and fire PRA projects for several sites. The fire PRA projects are full-scope risk-informed performance-based projects for transitioning from Appendix R to NFPA-805 (10CFR 50.48 (c)). We have successfully completed internal event and fire PRA peer reviews. For the fire PRAs we have developed reasonable (albeit conservative)and defensible results without implementing major plant modifications. We have been able to implement a standardized approach, improving our efficiency and addressing the uncertainties inherent in the modeling approaches contained in NUREG/CR-6850. In addition to US clients, international clients are pursuing this area; and we expect additional international projects to start very soon.

Future opportunities abound for using risk informed, performance based approached to support further improvements in safety focus and performance.

Scientech and our sister nuclear-focused companies in Curtiss-Wright Flow Control (EES, EMD, Enertech, EST Group, NETCO, Nova Machine, QualTech NP, Solent & Pratt and Target Rock)have the resources to support the critical needs of the nuclear power industry… today and in the future.

We look forward to a great week with many engaging conversations and technical sessions.

Sincerely,

Jim ChapmanDirector Safety and RiskScientech, Curtiss Wright Flow Control1540 International ParkwaySuite 2000Lake Mary, Florida 32746Phone: 407-536-5338Fax: 407-536-5156Cell: [email protected]

4


Welcome

March 2011

Dear PSA 2011 Attendee,

Maracor welcomes you to PSA 2011. We are pleased to be a sponsor of this important conference, and a number of our staff will be presenting papers throughout the next few days. With such a diverse spectrum of presentation topics, we are sure that you will leave the conference with information that will help you to do your work more efficiently and effectively.

Maracor provides analytical consulting services and technical software development, primarily for the electric utility industry. For more than eight years, we have provided high-quality products and services to over one-half of the nuclear power stations in the US, as well as other clients around the world. Our experienced staff has a proven track record of technical capability, customer service, and on-time product delivery. We provide PSA development and update support, Configuration Risk Management, PSA applications, reliability analysis, maintenance optimization, software applications, and cost-benefit analysis services.

We hope that you will stop by our exhibit booth on Sunday or Monday. We would be happy to discuss our capabilities and experience with you.

Sincerely,

Thomas Morgan President

3615 Westchester Ct., Middletown, MD 21769 1-301-371-3260 www.maracor.com

5


Welcome

6


Welcome

March 2011

Welcome to PSA 2011!

To our fellow Risk Management Professionals:

EPM welcomes you to Wilmington and to the 12th International Topical Meeting on Probabilistic Risk Assessment and Analysis.

Engineering Planning and Management was founded more than 30 years ago to provide consulting services to the nuclear industry, primarily in the areas of fire protection, Appendix R, equipment qualification and licensing support. With the industry move toward a risk informed regulatory environment and the transition of many plants to NFPA 805 in particular, EPM has evolved and now provides risk management services as well. A little more than two years ago, the EPM Risk Solutions Division was formed to enable EPM to provide the full spectrum of services for plants making the move from Appendix R to NFPA 805 as the basis for their fire protection program. The core team of the Risk Solutions Division is made up of industry professionals that have been providing PRA and safety analysis expertise to the nuclear industry close to three decades. The Risk Solutions Division is currently developing Fire PRAs for several clients and has also provided support for SDPs, HRA, thermal hydraulics and other general PRA support. EPM developed the GENESIS software suite for managing cable and raceway, safety systems, and fire protection information, and for performing safe shutdown / nuclear safety system analyses. The EPM Risk Solutions Division is also developing the PRISM software to visually display equipment damage due to fire scenarios and prepare the files necessary for quantification of the Fire PRA.

As a new addition to the nuclear risk analysis community, EPM is excited to be a part of PSA 2011. We feel that we bring a fresh perspective to the industry with additional insights from the utility perspective. We will be presenting several papers on topics dealing with Fire PRA and Fire HRA, and we intend to establish a long tradition of participation in these events.

We hope you enjoy the conference and the beautiful Wilmington area this week!

James Masterlark

Division Manager Risk Solutions Division

7

Organizing CommitteeHonorary Chair Dr. George Apostolakis, Commissioner, US Nuclear Regulatory CommissionGeneral Chair Rick Grantom, South Texas ProjectGeneral Co-Chair Dr. Phillip G Ellison, GE Hitachi Nuclear Energy (GEH)Technical Program Chair Dennis Henneke, PE, GEH Co-chair Europe Dr. Enrico Zio, Ecole Centrale Paris-Supelec, France & Politecnico di Milano, Italy Co-chair Korea Dr. Joon-Eon Yang, KAERI (Korea) Co-chair Japan Kohei (Kevin) Hisamochi, Hitachi GE Nuclear Energy (Japan)Finance Dr. Theron Marshall, GEHPublications Dr. Kurshad Muftuoglu, GEHHotel & Exhibits Dr. Karen Ellison, GEHRegistration Matthew Warner, GEH Student Coordinators Ms. Lisa Marshall, NC State and Dr. John Bennion, GEHTours and Special Events: Tyler Schweitzer, Glen Seeman, and Randy Morrill, WLSANS Local Section Coordinator Jose Caro and Jim Fawks, Wilmington Area Local Section of ANS (WLS) Web site Bulent Alpay, GEHWeb Site, Online Software Hanna Shapira, Techno-Info Comprehensive Solutions (TICSs), Oak Ridge, TN

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWilmington, NC March 13-17, 2011

Hisamochi T. Marshall Muftuoglu K. Ellison Warner

Grantom P. Ellison Henneke Zio Yang

L. Marshall Schweitzer Seeman Morrill Shapira

Apostolakis

8

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWilmington, NC March 13-17, 2011

Technical Program CommitteeTechnical Program ChairsGeneral Dennis Henneke, GE Hitachi Nuclear EnergyCo Chair Europe Dr. Enrico Zio, Ecole Centrale Paris-Supelec, France & Politecnico di Milano, ItalyCo Chair Korea Dr. Joon-Eon Yang, KAERICo Chair Japan Kohei (Kevin) Hisamochi, Hitachi GE Nuclear Energy Craig Smith, NPS

Steering Committee Dr. Robert Budnitz Lawrence Berkley National LaboratoryDr. Charles Martin Defense Nuclear Facilities Safeguards BoardDr. Kevin O’Kula URS Safety Management Solutions, LLCDr. Ian Wall Consultant

Technical Program Committee Members

Ana Gomez-Cobo, NII (UK)Andrea Maioli, WestinghouseArtur Lyubarskiy, IAEABarbara Baron, WestinghouseBill Burchill, Consultant (Past President ANS)Bulent Alpay, GE Hitachi Nuclear EnergyChang-Ju Lee, KINS (Korea)Dana Kelly, Idaho National LaboratoryDave Miskiewicz, Progress EnergyDavid Finnicum, WestinghouseDavid Johnson, ABS ConsultingDerek Muliin, NB Power (Canada)Dominique Vasseur, EDF (France)Dragan Komljenovic, Hydro-Quebec, Nuclear Generating Station Gentilly-2 (Canada)Elmira Popova, University of Texas at AustinEnrique Lopez Droguett, Universidade Federal de Pernam-buco (Brazil)Eric Jorgenson, MaracorFrancesco Cadini, Politecnico di Milano (Italy)Francisco Mackay, (Chile)Gareth Parry, Consultant/RetiredGerry Kindred, ScientechGopika Vidod, BARC, Trombay (India)Greg Krueger, ExelonGunnar Johanson, ES-Konsult (Sweden)Hitoshi Muta, Japan Nuclear Energy Safety OrganizationIgor Bodnar, Argonne National LaboratoryJames Reeves, Global Nuclear FuelsJan Vanerp, Argonne National LaboratoryJeff LaChance, Sandia National LaboratoryJerry Phillips, Idaho National LaboratoryJim Chapman, ScientechJim Young, GE Hitachi Nuclear EnergyJohn Andrews, University of NottinghamJonathan Li, GE Hitachi Nuclear EnergyJonathan Rohner, Global Nuclear FuelsKen Canavan, Electric Power Research InstituteKevin O’Kula, URS Corporation, LLCLemmer Lusse, PBMR (South Africa)

Luca Podofillini, Paul Scherrer Institute (Switzerland)Mariano J. Fiol, Iberdrola (Spain)Marina Röwekamp, GRS (Germany)Marty Sattison, Idaho National LaboratoryMatt Warner, GE Hitachi Nuclear EnergyMichael Golay, MITMike Snodderly, US NRCMohammad Pourgol-Mohammad, FM GlobalMoosung Jae, Hanyang University (Korea)Nathan Siu, US NRCOleg Kocharyants, Zaporozhye Nuclear Power Plant (Ukraine)Pamela Nelson, UNAM (Mexico)Parviz Moieni, Southern California EdisonPiero Baraldi, Politecnico di Milano (Italy)Pierre-Etienne Labeau, Universite’ Libre de Bruxelles (Belgium)Ranbir Parmar, NSS Limited (Canada)Raymond Gallucci, US NRCSee Meng Wong, US NRCShahen Poghosyan, NRSC (Armenia)Stanley Levinson, AREVA NPSteve Nowlen, Sandia National LaboratoryStuart Lewis, Electric Power Research InstituteTerje Aven, University of Stavanger (Norway)Tim Wheeler, Sandia National LaboratoryTodd Paulos, Alejo EngineeringTom Morgan, MaracorTsu-Mu Kao, INER (Taiwan)Vesna Dimitrijevic, AREVA NPVesselina Ranguelova, Joint Research Centre, European Commission (Netherlands)Vincent Ho, MTR (Hong Kong)Wolfgang Kroger, ETH Zurich (Switzerland)Woo Sik Jung, KAERI (Korea)Yolanda Akl, Canadian Nuclear Safety Commission (Canada)Young In, MaracorYukihiro Kirimoto, CRIEPI


General Information

9

Registration

Registration is required for all attendees and presenters. Badges are required for admission to all events.

Full Conference Registration Fee includes: Technical ses-sions, continental breakfast, morning & afternoon breaks (Mon. through Thu.), and proceedings’ CD. Special events included are Sun. night reception (heavy hors d’oeuvres), Mon. afternoon reception, Tuesday night banquet, Wednesday Student Awards Lunch and Wednesday night Social.

1D Registration Fee includes: Continental breakfast, morning & afternoon breaks, proceedings’ CD, and the evening event for that day (based on availability).

Student Registration Fee includes: All technical sessions, continental breakfast, morning & afternoon breaks (Mon. through Thu.), Proceedings’ CD, the Wednesday Student Awards Lunch, and the Wednesday night Social.

Retiree Registration Fee includes: Same as student plus Sunday night reception.

Guest Registration Fee includes: Hospitality suite for all days, the Sunday night reception and Wed. night Social. Registra-tion for additional guest events and the Tuesday night banquet is optional.

Conference Proceedings

Conference Proceedings, in CD-ROM format, are included with the program book. Please check the vinyl pocket inside the back cover of the program book.

Meeting Registration Desk

Next to the Grand Ballroom

Sunday 2:00 PM – 6:00 PMMonday 7:00 AM – 4:00 PMTuesday 7:00 AM – 4:00 PMWednesday 7:00 AM – 4:00 PMThursday 7:00 AM – Noon

Guidelines for Speakers

There will be six parallel sessions. Each presentation will last 15 minutes, followed by a five minutes for questions. The remaining time in the session will be used for further discussion on the topic. In order to allow conference partici-pants to attend the presentation of papers in different ses-sions in a timely manner, we, as organizers, will request the chairpersons to comply with the time schedule rigorously. In view of the given time constraints, please make sure that your presentation fits within the prescribed 20-minute limit leaving adequate time for questions from the audience.

The conference rooms will be equipped with a laptop computer, an LCD projector, and a microphone. Microsoft Windows XP, MS Office (PowerPoint) 2010, and the latest Adobe Acrobat Reader (PDF reader) will be installed on the computers. Presenters using the provided computer are expected to preload their presentation slides in the compu-ter at the beginning of the respective session. All presenters are to report to the Session Chair at the as-signed room 10 minutes before the start of the session. On the day of your presentation, you may load and test your presentation slides on the computer at the assigned room during the tea/coffee/lunch break before the session.It is highly encouraged to test the presentation (especially if you have animation) at the lobby area where two comput-ers with the same settings as that in the session room will be provided.

We highly recommend that you create a PDF version of the presentation so that you can switch to the PDF in case of a problem with the PowerPoint.

A microphone will be used for the presentation, please make sure that you keep close to the microphone during your talk.

When developing your presentation slides and material, please keep in mind the diversity of the audience at PSA 2011. Many of the attendees are new to PSA, and almost half of the attendees are non-US. We recommend two simple guidelines you keep in mind: 1) Try to include 2-3 in-troduction slides, which provide background on the subject area. This might be as simple as “What is Proliferation Risk Assessment?” or “How is Fire Modeling use in a Fire PRA,” or however you can easily introduce your subject area; and 2) Spell out all acronyms and abbreviations. You may know what an SRP from the NRC is, but half the audience will likely not. Keeping the diversity of the audience in mind when developing your presentation will help communicate your presentation material to the largest audience.

10


Things to do in WilmingtonFrom the Hilton, take a walk on the River Walk along the Cape Fear River, take a ride on a Cape Fear Riverboat or catch the free downtown trolley. Other attractions include:

Cape Fear Museum of History and Science 814 Market StreetFeatured Exhibits include Photography in Focus and Going to the Movieswww.capefearmuseum.com

Battleship North Carolina#1 Battleship RdMoored in quiet dignity and majesty the Battleship NORTH CAROLINA, across the river from downtown Wilmington, beckons visitors to walk her decks. Envision the daily life and fierce combat her crew faced in the Pacific Theatre during World War II.http://www.battleshipnc.com/

Airlie GardensEstablished in 1901, Airlie Gardens is a valuable cultural and ecological component of New Hanover County and North Carolina history. After celebrating more than a century of gardens by the sea, Airlie continues to amaze visitors with its breathtaking combination of formal gardens, wildlife, historic structures, walking trails, sculptures, views of Bradley Creek, 10-acres of freshwater lakes, and the grandeur of the 462-year-old Airlie Oak. The Gardens are known for a collection of over 100,000 azaleas and count-less camellia cultivars, which bloom throughout the winter and early spring.http://www.airliegardens.org/

Bellamy MansionThe Bellamy Mansion is one of North Carolina’s most spec-tacular examples of antebellum architecture built on the eve of the Civil War by free and enslaved black artisans, for John Dillard Bellamy (1817-1896) physician, planter and business leader; and his wife, Eliza McIlhenny Harriss (1821-1907) and their nine children. After the fall of Fort Fisher in 1865, Federal troops commandeered the house as their headquarters during the occupation of Wilmington. Now the house is a museum that focuses on history and the design arts and offers tours, changing exhibitions and an informative look at historic preservation in action.http://www.bellamymansion.org/

Greenfield Park and GardensThe park is located on Burnett Boulevard off South 3rd Street. A 5-mile scenic drive surrounds the 250-acre city park with lake, 20-acres of gardens, nature trail and a walk-ing/biking trail looped through dense cypress swamp. Skate park, canoe and paddleboat rentals. http://www.wilmingtonnc.gov/community_services/parks_landscaping/parks/city_parks.aspx

North Carolina Aquarium at Fort Fisher900 Loggerhead Road, Kure Beachwww.ncaquariums.com/fort-fisherGhost Walk of Old WilmingtonRiverfront at Market & Water StreetsJoin locally renowned actors and ghost hunters on a jour-ney into the depths of Old Wilmington. www.hauntedwilmington.com

Cameron Art Museum3201 S. 17th StreetMuseum committed to arts education, and presents exhibi-tions and public programs of both historical and contempo-rary significance.www.cameronartmuseum.com

Nearby beaches include:

Wrightsville (12 miles away)A clean, uncluttered stretch of white sand and sparkling water just begs for swimming, sunbathing, beachcombing, and fishing. The athletic at heart can take on the Loop, a fitness trail that circles the inner island. Bargain hunters gravitate to the beachside stores and distinctive, welcoming shopping village. Boaters launch from full-service marinas, and history buffs soak up the local museum and narrated scenic cruises along the Intracoastal Waterway that of-fer a glimpse into the island’s past. And clustered around the bridge are some of the finest seafood restaurants on the coast, along with vibrant nightspots. It’s all enough to make visitors feel as if Wrightsville is still their own private getaway island. http://www.visitwrightsville.com/

Carolina Beach (16 miles away)It’s all here: the fishing piers filled with kids and old-timers alike angling for their first big one. The boardwalk, perfect for evening strolls and ice cream cones. The arcades, as challenging and addictive as when you were a teenager. The gazebo, paddleboats and miniature golf. And of course the clean, uncrowded ribbon of beach by the warm ocean waters. In addition to its nostalgic charm, Carolina Beach also boasts an active charter boat basin – home to offshore fishing excursions and nightly party cruises – a state park full of coastal vegetation (think Venus Flytrap!), fine locally owned restaurants, and shopping for everything from sun-glasses to surfboards to area souvenirs. http://www.carolinabeachgetaway.com/

Cotton Exchange321 N Front Street

11


Things to do in Wilmington - continued

Nearby Restaurants *Open for Lunch

Circa 19228 North Front StreetSouthern, International Cuisinewww.circa1922.com

Caffe Phoenix*35 North Front StreetFresh, innovative cuisine in a comfortable bistro style atmo-spherewww.caffephoenix.com

Deluxe-Casual Upscale Dining114 Market StreetNew American style dinners, with the largest selection of fine wines in the region, and one of Wilmington’s superior brunches.www.deluxenc.com

George On the Riverwalk128 South Water StreetAmerican, Pasta, Seafood, Southern, Steak Cuisine

Elijah’s Restaurant*2 Ann StreetCasual American Grill and Oyster Bar on the Cape Fear Riverwww.Elijahs.com

Pilot House Restaurant2 Ann StreetInnovation in Southern Cuisinewww.pilothouserest.com

Front Street Brewery*9 North Front StreetThe only microbrew pub in Southeastern North Carolina serving 9 handcrafted beers on tap and delicious food for the entire family.www.frontstreetbrewery.com

Eat Spot*34 North Front StreetGreat selection of good food and great service.

Slice of Life122 Market StreetPizza and casual Italian Food

Fat Tony’s131 N. Front StreetCasual American Food

25 Unique Shops and 4 Distinct Restaurants (German Café*, Paddy’s Hollow*, The Basics* and The Scoop Ice Cream and Café*) directly across from the Hiltonwww.shopcottonexchange.com

Nearby Golf Courses

(average March high temp 66°F/19°C)

Echo Farms Golf & Country Club4114 Echo Farms Boulevardwww.echofarmsnc.com

Wilmington City Golf Course311 South Wallace AvenueDonald Ross designedwww.wilmington.nc.us

Cape Fear National1281 Cape Fear National DriveLeland, NC www.capefearnational.com

Magnolia Greens1800 Linkwood DrLeland, NCwww.manoliagreensgolf.com

Carolina National1643 Goley Hewett Road SoutheastBolivia, NCwww.carolinanationalgolf.com

Farmstead Golf Links541 McLamb Rd NWCalabash, NCwww.farmsteadgolflinks.com


Meeting Rooms

12

13

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 8:00 AM - Grand Ballroom

Plenary Session I

Edward D. Halpin is President and Chief Executive Officer for the South Texas Project (STP) Nuclear Operating Company. In this role, he is responsible for the overall strategic direction of the company. Halpin also serves as the companyʼs Chief Nuclear Officer, responsible for the safe and reliable operation of Units 1 & 2 as well as the oversight of licensing and con-struction for Units 3 & 4. Upon completion of new construction, he will be responsible for the overall operation of one the nationʼs largest commercial nuclear facilities – STP Units 1-4. In his 22 years with the company, Halpin has advanced through positions of increasing respon-sibility and leadership, including site vice president, vice president of oversight, vice president and assistant to the CEO, plant general manager, operations manager, maintenance manag-er, systems engineering manager and design manager. He joined STP in 1988 as a start up engineer in the initial commercial operations of Unit 1 and the completion of Unit 2. His role as system certification recovery manager in the 1993 NRC diagnostic evaluation was instru-mental in moving STP in the direction of operational excellence. He also played a key role in developing and sustaining the companyʼs strong collaborative culture, which has been critical to STPʼs transition to excellence.

Halpin served as an officer in the U.S. Navyʼs Nuclear Power Submarine Service.

In 1983, Halpin graduated with honors from the U.S. Naval Academy earning a Bachelor of Science in Ocean Engineer-ing. In 2002, he graduated as valedictorian with a masterʼs degree in Strategic Communication and Leadership from Seton Hall University. He also recently earned a masterʼs degree in Human Development from Fielding Graduate Univer-sity (2010).

Additionally, Halpin has a Senior Reactor Operator Certification and is a graduate of the Institute of Nuclear Power Operationsʼ Senior Nuclear Plant Management course, and the Senior Nuclear Executives Seminar.

Current & Past Memberships

• NEI Board of Directors• Executive Advisory Group Institute of Nuclear Power Operations• Community Incident Response Executive Advisory Committee (Nuclear Energy Institute)• Communications Advisory Committee (Institute of Nuclear Power Operations)• Nuclear Safety Review board for Callaway• Council of the National Academy for Nuclear Training• Westinghouse Customer First Advisory Board• Brazosport Community College Foundation Board

Honors & Awards

• Valedictorian, Seton Hall University• Engineering Honor Society United States Naval Academy (USNA)• Phi Kappa Phi Honor Society (USNA)• National Collegiate Boxing Association All-American (1983)• Numerous awards and recognition as a submarine officer

Certifications

• Certified and active instructor for Crucial Conversations & Facilitative Leadership

Ed Halpin - CEO STPNOC

14

10:00 AMModeling the Impact of Digital System Failure Into Probabilis-tic Safety AssessmentGopika Vinod, Santosh, V. V. S. Sanyasi Rao, K. K. Vaze and A. K. GhoshBhabha Atomic Research Centre, Trombay, Mumbai

Nuclear power plants (NPPs) traditionally relied upon analog instrumentation and control (I&C) systems for monitoring, control, and protection functions. With a shift in technology from analog systems to digital systems with their functional advantages, plants have begun such replacement, while new plant designs fully incorporate digital I&C systems. However, digital systems have some unique characteristics, such as using software, and may have different failure causes and/or modes than the analog systems; hence, their incorporation into NPP probabilistic safety assessments (PSA) entails special challenges. This paper highlights our recent work in incorporating con-tribution of software in digital I&C reliability analysis.

10:25 AMCritical Digital Review Procedure Proposal and Its Prelimi-nary ExperienceHui-Wen Huang, Tsu-Mu Kao and Ming-Huei ChenInstitute of Nuclear Energy Research (INER), Taiwan (R.O.C.)

This paper describes the critical digital review (CDR) procedure, which was developed by Institute of Nuclear Energy Research (INER), and sponsored by Taiwan Power Company (TPC). A preliminary CDR application experience which was performed by INER, is also described in this paper. Currently, CDR becomes one of the poli-cies for digital Instrumentation and Control (I&C) system replacement in TPC. The contents of this CDR procedure include: Scope, Responsibility, Operation Procedure, Operation Flow Chart, CDR review items. The “CDR Review Items” chapter proposes optional review items, including the comparison of the design change, Software Verifi-cation and Validation (SV&V), Failure Mode and Effects Analysis (FMEA), Evaluation of Watchdog Timer, Evaluation of Electromagnetic Compatibility (EMC), Evaluation of Grounding for System/Component, Seismic Evaluation, HFE Evaluation, Witness and Inspection, Lessons Learnt from the Digital I&C Failure Events. Since CDR has become a TPC policy, Chin Shan Nuclear Power Plant (NPP) performed the CDR practice of Automatic Voltage Regulator (AVR) digital I&C replacement, even though the project had been on the half way. The major review items of this CDR were: the comparison of the design change, SV&V, FMEA, Evaluation of Watchdog Timer, Evaluation of Electromagnetic Compatibility (EMC), Evaluation of Grounding for Sys-tem/ Component, Witness and Inspection, Lessons Learnt from the Digital I&C Fail-ure Events. The experience of the CDR showed the importance of preparation of the documents by the vendor. This means the communication with the vendors for the bid preparation is crucial.

10:50 AMEstimating Failure Probabilities in High Reliability Digital Sys-temsDave Blanchard (a), Thuy Nguyen (b), and Ray Torok (c)a) Applied Reliability Engineering, Inc. San Francisco, California, b) EdF R&D, Chatou, France, and c) EPRI, Palo Alto, California

Among the debates regarding the modeling of digital safety systems and their com-ponents in PRA is what sources of data are appropriate for use in quantification of the models. Chief among the differences with the hardware commonly included in PRA is that digital equipment is systematic in nature rather than probabilistic (that is they fail deterministically and are not subject to wear out or random failures). In addition, the available operating experience on which to base failure probabilities is scarce, particularly in the US where the installation of digital safety systems in nuclear power plants has been limited.In this paper, an overview of the various failure mechanisms that may affect elements making up a typical digital safety system is presented. The failure mechanisms which are concluded to dominate the reliability of the system are identified and design fea-tures and defensive measures which result in these being dominant are discussed. Given the dominant failure mechanisms, quantitative techniques currently available to develop failure probabilities for digital I&C failure modes modeled in PRA are dis-cussed. Also discussed are possible common-cause factors that may affect multiple divisions of digital I&C. Both the failure probabilities and common-cause factors are developed considering the defensive measures that are used in the design of the digital system.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Azalea

Digital I&C in PSA 1Session Chair: Carol Smidts

15

10:00 AMA look at the ABWR Design from a PRA ProspectiveCalin Eftimie, Jyh-Tsair Hwu, and Dennis HennekeGE Hitachi

The Advanced Boiling Water Reactor (ABWR) is a Generation III reactor designed by GE Hitachi Nuclear Energy (GEH) and certified by the NRC in 1997. The ABWR design includes improved features compared to previous GE designs, e.g., a more balanced ECCS consisting of three high-pressure systems and three low-pressure systems, a diverse instrumentation and control system, reactor internal pumps for recirculation, and a new containment design. The ABWR certification submittal includ-ed a Probabilistic Risk Assessment (PRA) that demonstrated the exceptionally high safety of the design. The certified ABWR design was implemented by GEH for the first time at Lungmen, units 1 and 2, in Taiwan. An updated, more detailed, PRA was prepared for the Lungmen Final Safety Analysis Report (FSAR). This PRA includes additional detail that emerged during the detailed design phase of the project, and was updated to satisfy the latest PRA standards. At the same time, the PRA was used as a tool for making detailed design decisions. This paper will present the advantages, from a PRA point of view, of the ABWR design, as implemented at Lungmen, as well as explain some of the challenges encountered when developing the PRA in parallel with the design. Additional supporting analyses based on the PRA will also be sum-marized. (Presentation only)

10:25 AMModifying the Risk-Informed Regulatory Guidance for New ReactorsCJ Fong and Donald A. DubeUS Nuclear Regulatory Commission, Rockville, MD

Since the U.S. Nuclear Regulatory Commission (NRC) published its probabilistic risk assessment (PRA) policy statement in 1995, the NRC staff has developed or endorsed many guidance documents to support risk-informed changes to the licensing basis and the Reactor Oversight Process (ROP). In September, 2010, the staff requested Commission approval of the staff’s recommendation to modify the risk-informed regu-latory guidance to (1) recognize the lower risk profiles of new, large light-water reac-tors (LWRs) and (2) prevent a significant decrease in the enhanced levels of safety provided by these new reactors. With the implementation of an enhanced level of severe-accident prevention and mitigation design capability being confirmed through the review of applications for design certification for new LWRs, the staff is identifying potential issues that may arise with the transition to operations and the use of the ex-isting risk-informed framework. Although Regulatory Guide (RG) 1.174 and the current ROP have no specific provisions precluding their application to new reactor designs, the NRC experience with implementing both RG 1.174 and the ROP has only involved currently operating plants. As discussed in a 2009 white paper, the staff identified a number of potential issues posed by the lower risk estimates of new reactors using the current risk informed guidance that could potentially allow for a significant erosion of the enhanced safety of new reactors as originally licensed. As a result, the staff is con-sidering whether changes to RG 1.174 and the ROP are needed in light of the differing risk profiles and the 10 CFR Part 52 process (e.g., design certification rulemaking on enhanced severe-accident features per Section VIII.B.5 of appendices for each certi-fied design). A number of industry representatives have expressed interest in pursuing risk-managed technical specifications and risk-informed inservice inspection of piping for new reactors, and the staff expects additional risk-informed applications for new reactors in the future.

10:50 AMIRSN Review of EPR Level 1 PSAG. Georgescu and F. CorenwinderInstitute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France

The PSA was used for early design verification of EPR Reactor, several design im-provement being defined based on these PSA insights and following the discussions with the French and German safety authorities. Now, in the frame of the construction and licensing of Flamanville 3 NPP the PSA is playing an important role for the EPR Project assessment. There are many uses of PSA in this context. PSA is used firstly for the verification of the plant safety level, since the “Technical Guidelines” for EPR re-quire that the probabilistic approach should be used in order to show the achievement of a significant reduction of the global core melt frequency comparing with the existing NPPs. The PSA is used to support the demonstration of “practical elimination” of the large early releases, equally requested by the “Technical Guidelines”. The PSA is also involved in the verification of the completeness of the deterministic multiple failures situation (Risk Reduction Categories) features. IRSN, as the French Safety Authority (ASN) technical support organization, performs the review of the PSA developed by the plant operator (EDF). The paper presents the main issues regarding the using of “design PSA”, identified by IRSN following the review of the internal events Level 1 PSA transmitted by EDF in the frame of the anticipated instruction of the application for operating license of the Flamanville 3 reactor.

11:15 AMPSA Insights of the New Nuclear Power PlantsAndrija VolkanovskiReactor Engineering Division, Jožef Stefan Institute, Ljubljana, Slovenia

Four designs of generation III+ pressurized water reactors were analyzed in the frame-work of the project entitled “Safety characteristics of potential reactors for JEK 2”. The project was done at the Reactor Engineering Division of the Jožef Stefan Institute for the Slovenian utility. The analyzed designs selected as potential designs for construc-tion of the second unit at the Krško Nuclear Power Plant are: Westinghouse AP1000, AREVA EPR, Mitsubishi APWR and ATMEA1 from AREVA and Mitsubishi.The goal of the project was identification and description of the safety characteristics of analyzed reactor designs. The identification of safety characteristics was based on de-scription of the structures, systems, components and their integral performance given in the design documentation of the vendors. The identification was supported by the review of the safety analyses including the Probabilistic Safety Assessment (PSA) or-ganized according to the classifications of the U.S. Nuclear Regulatory Commission.The paper presents results of the review of the PSA section of the Final Safety Analy-sis Report of the corresponding designs. The obtained results include identification and description of the usage of PSA in design phase for the decrease of the risk measures and elimination of the significant risk contributors. The obtained results for the risk indices, namely the core damage frequency and large release frequency are identified and compared against each other and against requirements of the regula-tor. The comparison with the currently operating nuclear power plants is done and the major contributors to the decrease of the risk indices are identified.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Camelia/Dogwood

Next Generation Reactor PSA - 1Session Chair: Donald Helton

16

10:00 AMReducing the Risk of Turbine Missiles in a Nuclear Power PlantAlexander KnollConsultant, Wyomissing, PA, USA

The presentation will identify the risk contributors to turbine missiles and other turbine blade failures. It will provide tangible recommendations to reduce the risk of turbine missiles and other turbine blade failures. Turbine missiles are very expensive to repair and might have impact on safety risks, because: They are almost always accompanied by fire (Both Combustibles & Igni-tion sources are in the impact area), Vital electrical supplies are close in the turbine building area (offsite lines, 4KV vital buses), The Control Rooms might be close to the impacted area (plant specific location and orientation of the turbine-generator).Turbine missiles have impact on financial risks: Hundreds of Millions in Repairs (and no on-the-shelf components), Hundreds of Millions in Generation Losses (up to two years of forced outage).A generic Turbine Generator layout in a power plant will be presented, including the Control Room between twin units. The layout will show the High pressure turbine, three stages of Low Pressure turbines and the generator, which are all on the same shaft. The Failure Modes and Effects that could lead to turbine damage or missiles will be clarified, including: What turbine components may fail, Blade failures that required removal of damaged blades and rebalancing turbine for short term runs, What Human errors may induce failures, during operation (operator errors), or - during (engineering design), or - during oversight (QA and administration), What is the contribution of the Protective System (automatic or manual).The turbine missile events at Salem-2 (November 1991) and DC Cook-1 -(Sept. 2008) will be described. Temporary modifications of degraded blades in aging turbines will be provided. Based on the Risk Assessment, recommendations will be provided how to reduce the risk of turbine missiles. (Presentation only)

10:25 AMTreatment of the Loss of Heat Sink initiating events in the IRSN PSAF. CorenwinderInstitute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France

Loss of ultimate heat sink is an initiating event which, even it is mainly of external origin, is considered in the frame of internal events Level 1 PSA by IRSN. Moreover, according to the French PSA fundamental safety rule this kind of initiators should be considered by the plant operator in the frame of the “Reference PSA”. Nevertheless, the modelling of this initiating event is not always easy and the associated uncer-tainties are still quite important. The occurrence frequency, the restoration time, the impact on more than one plant, the impact on the emergency organisation, etc. are some of the aspects, for which, today there is not a full consensus between different PSA teams (IRSN, EDF). Recently, two events of loss of heat sink occurred in France (Cruas and Fessenheim). This recent operating experience should be fully used in order to ameliorate the modelling of the loss of heat sink initiating event in the PSA. The paper presents the methods used today by IRSN to model the loss of heat sink initiating event and the historical perspective. The two events will be shortly presents as well as the foreseen evolution of the PSA methods and models to best incorporate the operating experience.

10:50 AMAn Assessment of Large Dam Failure Frequencies Based on US Historical DataF. Ferrante, S. Sancaktar, J. Mitman, and J. WoodUS Nuclear Regulatory Commission, Rockville, MD

Flooding events are part of the hazard categories commonly considered in assessing the design of industrial facilities. The failure of large upstream dams is one category of flooding event that can challenge the safety of these facilities. Additionally, the failure of dams downstream of facilities that depend on external water sources for their op-erations could also represent a concern from a safety standpoint. Generic dam failure estimates based on historical data are commonly relied on as screening values for use in design and risk assessment. This paper presents an in-depth analysis of currently available databases with information on US historical dam failure events and the dam population in order to estimate generic large dam failure rates while also addressing the challenges in deriving values supportable by historical data. Items such as com-pleteness of data, applicability of generic values versus site-specific considerations, and screening criteria including dam types, construction vintage, and failure modes, are addressed via independent failure frequency point estimates. The work highlights the limitations of the derivation of a defensible screening value for dam failure fre-quency estimates.

11:15 AMApplication of FRANX Software to External EventsJeff RileyElectric Power Research Institute, Palo Alto, CA

The EPRI FRANX software has been used for several years as a tool to assist the PRA analyst in incorporating fire related impacts and modeling attributes into existing PRA models. This simplifies the process of performing a Fire PRA and the ultimate incorporation of the fire model into a configuration risk model.Recent developments in FRANX have increased the capabilities to model numerous other spatially-dependent and scenario-dependent situations. More recent applica-tions of the tool have included the modeling of flooding scenarios, thereby including these scenarios into the PRA in model in a structured and automated manner, avoiding laborious hand development of models.Of particular note are improvements in the tool to support seismic analysis in a highly structured manner. These seismic add-ons allow for the simple development of seis-mic scenarios from the hazard curve, automatic implementation of the appropriate fragility information, and integration with the full Level 1 PRA model.This paper discusses the expanded capabilities of the FRANX software tool, with par-ticular emphasis on external event coverage such as flooding and seismic capabili-ties.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Magnolia

Other External EventsSession Chair: Michael Golay

17

10:00 AMEstimating Fire-Induced DC Circuit Hot Short DurationDennis Henneke, James Young, Jonathan LiGE Hitachi, Wilmington, NC

The purpose of this paper is to interpret the results of draft test results reported in “Di-rect Current Electrical Shorting in Response to Exposure Fire (DESIREE-FIRE): Test Results” [1], in order to determine the factors and probabilities on Fire-Induced DC Circuit Hot Short duration with respect to time. The impact of Cable Type, Circuit Type and Fire-Damage Conditions is reviewed for potential impact on the hot short duration. The analysis presented does not include an analysis of the hot short probabilities for tested cable types, circuit types or fire-damage conditions. The analysis of the results shows that for the most part, DC Hot Shorts have a short duration, of less than 2 minutes. The one exception appears to be a hot short involving thermal-plastic cable where the source temperature is near the cable damage temperature, and direct flame impact does not occur. The hot short for these damage scenarios can be much longer, averaging over 15 minutes. The analysis in this paper is considered preliminary, await-ing both the final issuance of the DESIREE-FIRE report, as well as completion of the industry review of the results through an NRC and Industry Phenomena Identification and Ranking (PIRT) expert panel, scheduled for completion in mid-2011.

10:25 AMLessons Learned From Electrical Circuit Analysis in Support of a Fire Probabilistic Risk AssessmentCyrus N. VadoliSouthern California Edison – San Onofre Nuclear Generating Station, San Clemente, CA

Following the methodology presented in NUREG/CR-6850 “Fire PRA Methodology for Nuclear Power Facilities”, this paper focuses on the electrical-specific tasks com-pleted to support the upgraded Fire Probabilistic Risk Assessment for the San Onofre Nuclear Generating Station (SONGS) Units 2 and 3. The SONGS Electrical Design Engineering team supporting the Fire PRA utilized a three-phase approach to com-plete these tasks. Each phase of the electrical circuit analysis is presented in this pa-per with a general over-view of the task and how the task was completed. In addition, a discussion of key lessons learned and strategies utilized to maximize efficiency and minimize time delays is presented.

10:50 AMConcurrence Probability and Duration for Fire-Induced Cable “Hot Shorts:” Alternating (AC) Vs. Direct Current (DC)Raymond H.V. GallucciU.S. Nuclear Regulatory Commission (NRC), Washington, D.C.

In 2008, the author presented the results of a probabilistic/statistical examination of cable “hot shorts” due to nuclear plant fires for alternating current (AC) circuits based on two sets of cable fire tests: (1) the Nuclear Energy Institute (NEI) and Electric Power Research Institute (EPRI) series of 18 cable fire tests in 2001; and (2) the U.S. Nuclear Regulatory Commission (NRC) complementary series of electrical per-formance and fire-induced failure cable tests, consisting of 78 small-scale tests and 18 intermediate-scale open burn tests in 2006 (the CAble Response tO Live FIRE [CAR-OLFIRE] Program). In 2010, the NRC, in collaboration with the EPRI, as representa-tive of the nuclear industry, completed a follow-up to CAROLFIRE by performing a “series of fire tests ... to assess cable failure modes and effects behavior for DC [direct current]-powered control circuits ... known as the Direct Current Electrical Shorting in Response to Exposure Fire (DESIREE-FIRE) test program.” As with the previous NEI/EPRI and CAROLFIRE tests, the DESIREE-FIRE tests similarly produced data on the occurrence and duration of electrical “hot shorts,” this time for DC circuits, in terms of the type of cable (thermoplastic [TP] and thermoset [TS]) and equipment supported by the circuits (both motor- and solenoid-operated valves [MOVs and SOVs]). As a follow-up to the 2008 analysis, the author presents a parallel analysis of the probability and duration for concurrence of two and three “hot shorts” for DC circuits, based on the DESIREE-FIRE results, and compares this to the previous analysis for AC “hot shorts.”

11:15 AMFire Induced Multiple Spurious Operation Review Methodol-ogy Developed for Application to Fire PRAsGregory P. Rozga (a), and Paul D. Knoespel and John R. Olvera (b)a) MARACOR Software and Engineering, Inc., Middletown, MD, b) EPM, Inc., Risk Solutions Division, Hudson, WI

Multiple spurious operations (MSOs) of equipment due to fire induced electrical shorts must be evaluated as part of the development of Fire PRA models. This paper will describe a methodology to identify and document valid MSO combinations for future inclusion into a Fire PRA by performing a systematic system-by-system review. This process has been used during development of Fire PRAs at three plants to date. The methodology employs a set of rules at the system level to determine which systems can potentially impact the plant CDF given spurious operations within the system. Once the systems are identified, piping & instrumentation drawing reviews identify single components which are susceptible to spurious operation. Identified compo-nents are evaluated to determine the impact their spurious operation has on the mod-eled functions of the screened-in systems. If it can be determined that the component cannot impact the modeled function under any circumstance, that component can be screened. Unscreened components are then evaluated with respect to multiple spu-rious operations using a component matrix to identify couplets, triplets, and further combinations if necessary. The result is the identification of non-minimal potential MSO groups. For component groups where cable location information is already avail-able, screening can be performed to eliminate groups where cables for all components are never within the same fire area. Remaining MSO groups now undergo detailed circuit analysis, and the final MSO groups are modeled in the PRA. This systematic MSO identification process can also provide useful input to plant expert panel reviews of MSOs.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Salon A

Fire PSA Methods - 1Session Chair: Eric J Jorgenson

18

10:00 AMEstablishing a Community of Practice to Address PSA Knowl-edge Management IssuesDonald P. Remlinger, Stacy A. Zarewczynski, and Camille T. ZozulaWestinghouse Electric Company LLC, Cranberry Twp., USA

The resurgence of the nuclear industry and the increased use of Probabilistic Safety Assessment (PSA) in existing plant regulatory affairs, utility operations, and new plant licensing have created opportunities to improve the reliability, cost, and safety of nu-clear power plants. However, many organizations in the nuclear industry are faced with an aging workforce, resource shortages, and gaps in technical skills, specifically in PSA methodologies. Improving communication and information management com-bined with utilizing a global workforce are challenges to successfully addressing these issues. A knowledge-based initiative that provides these solutions is the organization of a community of PSA professionals; a PSA centered community of practice. A Com-munity of Practice (CoP) is an effective aid for storing critical task-related knowledge, for allowing open discussions and knowledge exchanges, and for finding explanations of commonly used methods and practices. The PSA CoP within Westinghouse Electric Company, LLC consists of a network of members from different geographical locations with diverse experiences, skills, and backgrounds who work in PSA-related areas. The PSA CoP’s objectives are to share information, solve common problems, mentor, and develop an awareness of methods and tools. Within Westinghouse, the PSA CoP ex-ists outside of the boundaries of specific organizational structure and project teams.

10:25 AMExperience in PRA TrainingRoss C. Anderson (a), and Robert W. Fosdick (b)a) Virginia Commonwealth University, Richmond, VA, b) R&B Nuclear LLC, Maidens, Virginia

As with all disciplines within the nuclear industry, the PRA workforce is aging and will continue to suffer significant losses to retirement over the next 5-10 years. Unfortu-nately, these losses will occur at a time when the demands upon the PRA staff are not holding steady but are actually increasing. The NRC evaluates the quantitative risk of licensing actions such as Technical Specifications changes and licensee activi-ties (via the Significance Determination Process, for example). Program and system inspections are often risk-informed or risk-based. In addition, new plants are likely to be added to the existing U.S. fleet over the next 5-10 years. The combination of experienced workforce losses and increasing demand poses substantial challenges to existing PRA groups and their management.Virginia Commonwealth University has addressed some of these concerns on a local level by developing both a graduate course and a professional workshop in PRA ap-plications. The graduate course proved to be surprisingly popular, as students devel-oped a subset of a North Anna PRA model with WinNUPRA software donated by Sci-entech. Students, mostly without prior PRA experience, built their own models from the ground up; solved them, learned to use the descriptive statistics, and performed representative calculations such as (a)(4) compliance and potential Significance De-termination Process applications. Those course notes are currently being compiled for a textbook.The workshop followed a similar strategy but has not yet been widely marketed.In summary, the need for PRA training for users at all levels remains substantial. Training for both existing and future PRA engineers should emphasize practical ap-plications and the incorporation of plant knowledge.

10:50 AMPSA Knowledge Transfer - Approaches in OECD/NEA WGRisk Member StatesMarina Röwekamp (a) and Kevin Coyne (b)a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, b) U.S. Nuclear Regula-tory Commission (NRC), Washington, DC, USA

The OECD/NEA Working Group Risk (WGRisk) has initiated in 2010 a task on PSA (probabilistic safety assessment) knowledge transfer in member states. The objective of this task is to develop a common understanding of the current needs and ongoing activities in organizations in the member states on PSA knowledge transfer, including other ongoing international activities in this technical area.In this context a survey has been developed focusing on knowledge transfer activi-ties such as training courses, on-the-job training, seminars, mentoring. This survey places less emphasis on other aspects of knowledge management (e.g., knowledge representation, capture, storage, retrieval). Furthermore, it is limited to knowledge re-garding the performance, review, and use of nuclear power plant (NPP) PSA studies in risk-informed decision making.The survey results are being documented in a NEA report discussing lessons learned and best practices. Furthermore the survey shall be used to identifying potential follow-on activities (e.g., knowledge transfer seminars on specified topics) that could be per-formed to efficiently and effectively preserve the current PSA know-how.

11:15 AMCurrent PRA Knowledge Management Activities at the NRCM. Tobin, K. Coyne, and N. SiuU.S. Nuclear Regulatory Commission, Washington, DC

Probabilistic Risk Assessment knowledge management programs at the Nuclear Reg-ulatory Commission are becoming increasingly important as experienced members of the field prepare for retirement. The US Nuclear Regulatory Commission, which views knowledge management as the broad set of activities capturing critical information and making the right information available to the right people at the right time, has developed or is in the process of developing a number of knowledge management mechanisms and tools including: databases and electronic reading rooms, formal and informal training, interviews, procedures, desk references, communities of practice, websites, and portals. This paper, which is based largely on NRC’s response to an OECD Working Group on Risk Assessment (WGRISK) survey described in a separate paper at this conference, describes the NRC’s PRA-related applications of both formal and informal knowledge management activities, as well as lessons learned to date from these activities.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Salon B

PSA Knowledge Management - 1Session Chair: Nathan Siu

19

10:00 AMPractical Refinements to Human Action Dependency Analy-sis for Probabilistic Safety Assessment

James K. Liming, Thomas J. Mikschl (a), and Shawn S. Rodgers (b)a) ABSG Consulting Inc. (ABS Consulting), Irvine, CA, b) STP Nuclear Operating Company, Wadsworth, TX

This paper summarizes the results of an evaluation of human action dependency for the STP Nuclear Operating Company (STPNOC) South Texas Project Electric Gener-ating Station (STPEGS) Units 1 and 2 low power and shutdown (LPSD) probabilistic risk assessment (PRA). Specifically, this paper focuses on the potential impact of refinements to current industry PRA human reliability analysis (HRA) methods (e.g., the EPRI HRA Calculator® methods) for human action dependency evaluation. These potential refinements were conceptualized during the performance of the STPNOC LPSD PRA HRA. The scope of this evaluation included a thorough post-processing evaluation of over 37,000 PRA event sequences (or cut sets) for combinations of human failure events (HFEs) that could result in potential HEP interdependence, and thus, could significantly impact the results of the PRA and any associated risk-informed applications. The paper presents a discussion of the importance of human action dependency analysis (HADA) in PRA or probabilistic safety assessment (PSA), and presents an overview of current methods typically applied. The paper also pres-ents general results from the STPNOC LPSD PRA HRA HADA, and it provides select-ed examples of how potential HADA refinements could impact the rigor and accuracy of HADA results, and thus, overall PRA or PSA results.

10:25 AMGuidance on Use of Limiting Values for Human Error Prob-abilities in PRAs

Gareth Parry (a), and Stuart Lewis (b)a) ERIN Engineering and Research, Inc., Walnut Creek, CA, b) Electric Power Research Institute, Knox-ville TN

Human reliability analysis, as it is conducted in probabilistic risk assessments, relies on the use of various models of human performance, informed by relatively sparse data from actual experience. Such an approach can give rise to a degree of skepti-cism, especially when the methods produce very low probabilities of failure. At some level, there is a perception that there is a limit to the reliability of operating crews, and that available methods do not necessarily capture all the important causes of failure. As a result, a variety of approaches has been taken to defining limiting or minimum values that should be used in lieu of low calculated human error probabilities (HEPs). Up to this point, there has been no consensus practice in setting or using such mini-mum values. This paper summarizes the issues associated with the development and use of limiting values for HEPs. The proposed limiting values are presented in EPRI 1021081, Establishing Minimum Acceptable Values for Probabilities of Human Fail-ure Events Practical Guidance for Probabilistic Risk Assessment. It is expected that the guidance provided in that report may be applied in probabilistic risk assessments performed by the nuclear industry, and that it may be revised or refined as a result of insight gained from that experience.

10:50 AMA Context Based Approach to Human Reliability Analysis for Seismic PSAPaul Amico (a), Andreas Strohm and Jörg Rattke (b)a) Energy Research, Inc., Rockville, MD, USA, b) EnBW Kernkraft GmbH, Neckarwestheim, Germany

This paper suggests an approach to seismic HRA that addresses some of the deficien-cies of the “shock model” approach commonly used for seismic HRA. The problem with the shock model approach is that it places too much emphasis on the acceleration associated with the seismic event and not enough on the extent of damage caused by the event. Logic suggests that the effects of the acceleration are short-lived as regards human performance (i.e., due to disorientation) and that after a short initial period performance would return essentially to normal other than for the need to deal with the impact of the actual seismic failures. Because of this, the shock model does not adequately allow credit for increased seismic design capacity or long coping times before operator action is required. In this paper, the authors suggest the use of a more context based approach that does account for these influences. The emphasis of this approach is on the overall context under which an action is performed, of which the acceleration is only one part. This allows for better consideration of the broader range of performance influencing factors that result from the actual seismic damage to the plant. The paper presents the methodology and the process for application, and also presents a specific application from the SPSA of the German NPP Kernkraftwerk Neckarwestheim Unit 2 (GKN II). It is concluded that the approach was successful in that application to provide a more realistic treatment of human reliability and so a more accurate risk profile. As such, the approach clearly has promise, but further develop-ment is required beyond this first application.

11:15 AMQualitative Human Reliability Analysis of Dry Cask Storage Operations

Jeffrey D. Brewer, Stacey M. L. Hendrickson (a), and Susan E. Cooper (b)a) Sandia National Laboratories, Albuquerque, NM, USA, b) United States Nuclear Regulatory Commis-sion, Rockville, MD, USA

Human reliability analysis (HRA) methods have been developed primarily to provide information for use in probabilistic risk assessments of nuclear power plant control room operations. The HRA method of A Technique for Human Event Analysis (ATHEA-NA) has been proposed for use in diverse applications outside the control room due to its particular approach for systematically examining the dynamic, contextual conditions influencing human performance. This paper describes aspects of a recently completed project in which the qualitative analysis within ATHEANA was successfully used to prospectively examine how unsafe actions may contribute to a cask drop and gener-ate ideas for avoiding cask drops. Through the investigation of previous analyses as well as discussion with subject matter experts, cask drop scenarios were generated that might occur within dry cask storage operations. The development of these sce-narios led to the development of human performance vulnerabilities meant to describe performance shaping factors as well as plant conditions that generate a context that may ultimately contribute to human failure events (HFEs). After analyzing the human performance vulnerabilities, illustrative guidance was developed for avoiding or miti-gating them so that HFEs involving cask drops may be avoided or mitigated. This paper provides a description of the qualitative HRA process followed, a listing of HFE scenario groupings, discussion of selected human performance vulnerabilities, and illustrative approaches for avoiding or mitigating human performance vulnerabilities that may contribute to dropping a spent fuel cask.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 10:00 AM - Carolina

Human Reliability Analysis - 1Session Chair: Dave Gertman

20

1:30 PMOverview and Impact of RG 1.97 Rev 4, Accident Monitoring Instrumentation, on New Reactor ReviewsDeirdre W. Spaulding-YeomanUSNRC, Washington, DC

Some new reactor applicants have committed to Regulatory Guide 1.97 Revision 4 which endorses IEEE standard 497-2002, IEEE Standard Criteria for Accident Moni-toring Instrumentation for Nuclear Power Generating Stations. 10 CFR 52.79(a)(30) indicates that the submitted final safety analysis report include proposed technical specifications. In keeping with RG 1.97 Revision 4, and IEEE 497, accident monitor-ing variable selection must be consistent with the plant specific emergency operat-ing procedures and the abnormal operating procedures. Meeting RG 1.97 Revision 4 has presented challenges to new reactor applicants such that the USNRC allows applicants to pursue one of three options in regard to their tech specs pertaining to accident monitoring instrumentation; provide a plant specific instrumentation value, provide a value that bounds the plant specific value, or, establish an administrative controls program or report. This presentation provides an overview of Reg Guide 1.97 Revision 4 and discusses the approaches that have been submitted to the Office of New Reactors for staff review. Specific discussion will be provided in regard to the implications of Reg Guide 1.97 Revision 4, using the staff guidance, Standard Review Plan Section 7.1, Instrumentation and Controls, Overview of Review Process, and Section 7.5, Information Systems Important to Safety, for new reactor staff reviews. (Presentation Only)

1:55 PMError Modeling and Analysis of DIgital I&C System Failure ModesCarl Elks, Nishant George,and Barry JohnsonUniversity of Virginia

Over the last ten years rigorous approaches to safety analysis and assessment have been of particular interest to safety community, motivated mainly by the increasing complexity of safety critical systems across a wide range of applications. Although there are commercial software and tools available that assists engineers in performing clerical tasks, such as forming tables and filling in data, the essential and critical part of an FMEA process remains a difficult and elusive challenge – that is, a systematic and comprehensive means to characterize failure modes of the system and identify significant failure paths associated with these potential failure modes. Current ap-proaches using operating plant, commercial, and vendor databases certainly aid in the identification and classification of what component failures have happened, but they are limited in their utility in determining what could happen. As newer I&C systems and micro-technology is introduced, failure data is sparsely available on these new technologies. These problems naturally become more acute as I&C systems grow in scale and complexity and criticality, which is the trend that is now emerging. This paper presents a unique modeling and analysis method based on the concepts of error modeling and error propagation analysis. The concept we present is based on an information theory approach, where the functional representation of the digital system is viewed as a composition of information channels. More precisely, information flow in a computer is characterized by symbols, and the interpretation and manipulation of those symbols. Errors can corrupt symbols, rendering them into different symbols, non-symbols or reconstitute the interpretation of symbols. Errors in the information universe are usually manifested as bit flips in the data and/or instruction symbols. Our approach defines an error behavior function which allows information flow in digital I&C system to be corrupted according to a context fault model. A context fault model is based on what vulnerabilities are perceived to be relevant in the environment of the digital I&C systems. These include, common mode faults and errors, bit flips, software flaws, intentional security faults, and byzantine faults. (Presentation Only)

2:20 PMAdvanced Risk Modeling and Risk-informed Testing of Digital Instrumentation and Control SystemsSergio B. Guarro, Michael Yau and Scott DixonASCA, Inc., Redondo Beach, CA

Assuring the reliability and safety of Digital Instrumentation & Control (DI&C) systems presents special challenges. Their potential complexity, associated with the multi-fac-eted functionality of the software, makes testing the various combinations of logic ex-ecution paths “exhaustively” very difficult. A rigorous process of analytical partitioning of the test space is generally necessary to guide a meaningful process of risk-informed test and assessment for these systems.The Context-based Software Risk Model, applied in combination with the Dynamic Flowgraph Methodology (CSRM/DFM) is an extension of the traditional Probabilistic Risk Assessment (PRA) approach. It provides a modeling and analysis platform that can be applied to risk-inform the testing and verification of DI&C, and more in general software driven and/or controlled systems. The basic principle of the approach is that DI&C systems and software driven systems can be analyzed and tested in effective and convincing fashion, only if the software is analyzed and tested with the actual “bal-ance of system” in the loop, and the test and analysis process includes a risk-informed set of off-nominal scenarios.This paper summarizes and discusses a few recent applications of the CSRM/DFM ap-proach to both space and nuclear power plant DI&C systems. The projects discussed demonstrate several modes of use of the risk-informed analytical and test procedures enabled by the CSRM/DFM process, and more specifically how the methodology can serve both as a stand-alone DI&C test driving resource and as an advanced risk-modeling and quantification extension of traditional PRA models and procedures.

2:45 PMApplication of Fault Tree Methodology to Modeling of The Ap1000® Plant Digital Reactor Protection SystemDavid S. Teolis, Stacy A. Zarewczynski, Heather L. DetarWestinghouse Electric Company LLC, Cranberry Twp., USA

The reactor trip system (RTS) and engineered safety features actuation system (ES-FAS) in nuclear power plants utilizes instrumentation and control (I&C) to provide au-tomatic protection against unsafe and improper reactor operation during steady-state and transient power operations. During normal operating conditions, various plant parameters are continuously monitored to assure that the plant is operating in a safe state. In response to deviations of these parameters from pre-determined set points, the protection system will initiate actions required to maintain the reactor in a safe state. These actions may include shutting down the reactor by opening the reactor trip breakers and actuation of safety equipment based on the situation. The RTS and ESFAS are represented in probabilistic risk assessments (PRAs) to reflect the impact of their contribution to core damage frequency (CDF). The reactor protection systems (RPS) in existing nuclear power plants are generally analog based and there is gen-eral consensus within the PRA community on fault tree modeling of these systems. In new plants, such as AP1000® plant, the RPS is based on digital technology. Digital systems are more complex combinations of hardware components and software. This combination of complex hardware and software can result in the presence of faults and failure modes unique to a digital RPS. The United States Nuclear Regulatory Com-mission (NRC) is currently performing research on the development of probabilistic models for digital systems for inclusion in PRAs; however, no consensus methodology exists at this time. Westinghouse is currently updating the AP1000® plant PRA to sup-port initial operation of plants currently under construction in the United States. The digital RPS is modeled using fault tree methodology similar to that used for analog based systems. This paper presents high level descriptions of a typical analog based RPS and of the AP1000® plant digital RPS. Application of current fault tree modeling techniques to the digital system is reviewed, and unique issues related to accounting for common cause failures and software failures are discussed.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Azaleca

Digital I&C in PSA - 2Session Chair: Sergio Guarro

21

1:30 PMInvestigation of Risk-Informed Methodologies to Improve So-dium-Cooled Fast Reactor Economics With Safety, and Non-Proliferation ConstraintsGeorge Apostolakis, Michael Driscoll, Michael Golay, Andrew Kadak, Neil Todreas (a), Tunc Aldemir, Richard Denning (b), and Michael Lineberrya) Massachusetts Institute of Technology, Cambridge, MA, b) The Ohio State University, Columbus, OH, c) Idaho State University, Idaho Falls, ID

A substantial barrier to the implementation of Sodium-cooled Fast Reactor (SFR) technology is that they would not be economically competitive relative to advanced light water reactors. With increased acceptance of risk-informed regulation, the op-portunity exists to reduce the costs of a nuclear power plant at the design stage with-out applying excessive conservatism that is not needed in treating low risk events. In NUREG-1860, the U.S. Nuclear Regulatory Commission describes developmental activities associated with a risk-informed, technology neutral framework (TNF) for regulation that provides quantitative yardsticks against which the adequacy of safety and proliferation resistance can be judged. The objective of this project is to develop a design process for minimizing the cost of electricity generation within constraints of adequate safety and proliferation resistance. This paper describes the proposed de-sign optimization process within the context of reducing the capital cost and levelized cost of electricity production for a small (possibly modular) SFR. The project provides not only an evaluation of the feasibility of a risk-informed design process but also a practical test of the applicability of the TNF to an actual advanced, non-LWR design. The report provides results of two safety related case studies of design alternatives, as well as an assessment of measures to improve proliferation resistance.

1:55 PMThe Evolution from a Design Certification Pra to an As-Built As-Operated PRAYunlong Li, Dennis Henneke, Glen Seeman and Gary MillerGE Hitachi Nuclear Energy, Wilmington, NC

A number of uncertainties exist in the development and updating of PRAs for new reactors, such as the amount of information available, applicability of the failure data to the components, and the availability of details of the design and operation. As it gets closer to operation, some of these uncertainties are removed. This paper addresses the evolution of the PRA during the reactor design process and in the various stages of design certification, licensing, and plant operation. While only one peer review is required for the new reactors to be licensed for operation, the evolution path that each vendor and licensee adopts could significantly affect the time and efforts involved in the PRA model development and updates, the quality of the PRA, and the safety, reli-ability and availability of the new reactor’s design and operation. This paper discusses the logical division of the stages for the development of PRA models, the purposes of the PRA at each stage, and major deliverables. The pros and cons of the different evolutions are also included. Based on GEH’s extensive experience in developing and updating PRA models for advanced BWRs that span across all stages, reasonable evolution paths are recommended.

2:20 PMPRA Analysis for a New Reactor Design: The B&W MPOWER™ Small Modular ReactorThomas A. Morgan (a) and Kenneth W. Baity (b)a) Maracor Software & Engineering, Inc., Middletown, MD, b) Babcock & Wilcox Nuclear Energy, Inc., Lynchburg, VA

The B&W mPower™ reactor is a small modular PWR with numerous evolutionary design concepts, including passive safety systems, an integrated reactor pressure vessel, and a below-grade containment building. To support Design Certification, a complete probabilistic risk assessment (PRA) must be performed that meets industry standards and regulatory requirements.Sufficient design and operational details must be available to develop PRA models and data. However, it is also desirable to obtain risk estimates for the plant early in the design process and to feed back risk insights into design decisions. If such insights are not developed until after the PRA is completed (and the design is largely finalized), it can be costly to backfit beneficial changes. Therefore, PRA tasks are being performed concurrently with design activities, using an iterative approach that incorporates de-sign changes as they occur.For example, alternative concepts have been proposed for the emergency core cool-ing systems as the plant’s design has evolved. PRA personnel participated in design discussions to evaluate the alternatives and offered reliability insights that improved these designs. A “risk insights” training course was also developed for the designers so that the ongoing development tasks could incorporate beneficial features that would improve safety and reliability.The internal events PRA is underway, and work on the external events and low power/shutdown modes PRAs will begin in early 2012. Because of the plant’s innovative features, it is expected that the B&W mPower reactor will have a low core damage frequency and should pose minimal risk to the public.

2:45 PMRisk-Informed Design and Safety Review of HTR-PMJiejuan TONG, Tao LIU, and Jun ZHAOInstitute of Nuclear and New Energy Technology, Tsinghua University, P.R China

HTR-PM is the abbreviation of the demonstration plant project which will be built in China with a pebble bed high temperature gas cooled reactor design. Due to the unique features of the reactor, the Chinese safety authority recognizes the big chal-lenge it will bring to the current regulation and decides to launch the pilot use of PSA in the design and in the safety review in an extensive way, based on the consensus that PSA should be the necessary and efficient key to solve the puzzles. This paper will present and discuss the aspects which PSA has been successfully used during the design and safety review of HTR-PM project, including safety goal, plant operating modes definition, beyond design accidents, emergency planning and so on. Every aspect may require some philosophically innovative efforts, however moving to the risk-informed decision making and regulation will be adhered as the common opinion arrived by the authority and the designer. Working processes and results for some of the aspects will also be explained. The paper will also address the methodological is-sues for performing design PSA. Although most of the traditional PSA techniques are still valid for HTR-PM, a few new techniques are introduced.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Camelia/Dogwood

Next Generation Reactor PSA - 2Session Chair: Karl Fleming

22

1:30 PMDevelopment of Risk Communication Sheet for Daily Opera-tional Focus Meetings at STPGeorge C. R. Grantom P.E., Fatma Yilmaz, and Ernie KeeSouth Texas Project Electric Generating Station, Wadsworth, TX

South Texas Project (STP) uses a work week planning concept that is based on a cycle of train weeks. The work week risk is planned well in advance of the actual work week by the Work Control organization and is updated as needed during the week by the on-shift Control Room operators. The actual maintenance configurations are entered in the station’s risk monitoring tool, the Risk Assessment Calculator (RAsCal) application, [1] by the Control Room Operators. The planned work week ICDP (Incre-mental Core Damage Probability) and ITP (Incremental Trip Probability) values along with the actual ICDP and ITP values from RAsCal are communicated every morning at Daily Operational Focus (DOF) Meetings at STP in the form of numeric values. STP has developed a tool to better communicate online maintenance risk by assigning colors to maintenance configurations based on numeric thresholds to the ICDP and ITP. Associating colors to each maintenance state in terms of the quantitative values of ICDP and ITP on a bar graph provides a clear indication of when, how long, and what maintenance activities increased station risk occur [2]. This paper describes the development, usage and further applications of this new risk communication report providing examples.

1:55 PMNuclear Power Plant Configuration Risk Management: Recent EPRI CRMF ResearchThomas A. Morgan, Diane M. Jones (a), and Doug Hance (b)Maracor Software & Engineering, Inc., Middletown, MD, b) Electric Power Research Institute, Risk and Safety Management, Charlotte, NC

The Configuration Risk Management Forum was established in 2003 by EPRI to serve as a venue to discuss Configuration Risk Management issues applicable to commer-cial nuclear power plants. The Forum’s activities include identification and sponsor-ship of research on current and emerging CRM issues. The CRMF has recently fo-cused on the development of two guideline documents to assist plants in addressing evolving expectations concerning activities that should be considered under Section (a)(4) of the maintenance rule, 10CFR50.65. In 2008, a CRMF working group devel-oped guidance for the evaluation of heavy load lifts. A screening approach categorizes each planned lift into one of four classes of scenarios. A series of flow charts indicate how the screening would proceed, and suggestions are provided for possible Risk Management Actions that could be considered for implementation during lifts/move-ments that might incur some additional risk to the plant. Most recently, the CRMF has provided support to the Nuclear Energy Institute (NEI) in the development of updated Maintenance Rule guidance concerning the evaluation of fire risk impacts during plant configuration changes. NEI has drafted proposed guidance and this guidance is now being tested by several pilot plants. CRMF, in collaboration with the PWR Owners Group, is assisting in the development of supporting implementation guidance, in-corporating insights gained from the pilot plants. The supporting guidance highlights possible approaches that could be used to implement each of the specific objectives noted in the draft NEI guidance.

2:20 PMA Study for the Reliability Evaluation Method for The Mainte-nance Plan Using the Risk InformationNaoki CHIGUSA (a), Yoshiyuki NARUMIYA (b), Takahiro KURAMOTO (c)a) The Kansai Electric Power Company, Fukui, Japan, b) The Kansai Electric Power Company, Osaka, Japan, c) Nuclear Engineering, Ltd., Osaka, Japan

This paper discusses the development of the quantitative method to evaluate the reli-ability for the maintenance plan with respect to the risk impact both for Core Damage Frequency and Plant Trip Frequency. The quantitative approach includes the consid-erations for the effect of the Condition Based Maintenance (CBM) changing in addition to the Time Based Maintenance (TBM), and the reliability for the maintenance plan is evaluated using the actual plant-specific maintenance information collected in the plant. In this study, overhaul and surveillance test for the components are considered as TBM. The objective components should include “Prevention System (PS)” in addi-tion to “Mitigation System (MS)”. Therefore, in this quantitative reliability evaluation, it is necessary to cover both PS and MS, and the Plant Trip Frequency in addition to Core Damage Frequency should be introduced as the risk index. The conventional PSA method is enough to confirm the plant overall risk level and the risk profile, however, this quantitative approach should have the extended method such as extension of the objective component sphere and detailed analysis for the component failure data. In this paper, the developed method to evaluate the reliability for the maintenance plan using the risk information is described. And, the tested evaluation to confirm the ef-fectiveness of this quantitative method is also described. And furthermore, the require-ments for the plant-specific maintenance information to be used in this quantitative method are described.

2:45 PMLicensee Experience With the ATWS VulnerabilityRobert W. Fosdick (a), Ross C. Anderson (b)a) R&B Nuclear LLC, Maidens, Virginia, b) Virginia Commonwealth University, Richmond, VA

The process and circumstances leading to the calculation of the ATWS UET contribu-tion to core for the Surry plant were reviewed to determine key lessons learned. Key points included the effects of the ongoing work environment, focus on regulatory com-pliance, and effort required to perform the calculation vs. the worth of the results. The conclusions are presented in a generalized form as lessons learned for the benefit of the entire U.S. industry. The numeric results of the ATWS UET theoretical calculation were previously presented at the ANS 2009 Winter meeting; this paper focuses upon the field experience with its results.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Magnolia

Configuration Risk Management - 1Session Chair: Gerry Kindred

23

1:30 PMTEPCO’s Effort for Pursuing Further Safety Against Niigatak-en-Chuetsu-Oki Earthquake at Kashiwazaki-Kariwa NPSMasayuki YamamotoTokyo Electric Power Co., Japan

On July 16,2007, Tokyo Electric Power’s Kashiwazaki-Kariwa nuclear power station (KKNPS), the world’s largest generation capacity of 8,212MWe, was near the cen-ter of a 6.8 Richter scale earthquake. The earthquake is known as the Niigataken-Chuetsu Oki Earthquake (NCOE). All the essential nuclear safety functions, automatic shutdown, cooling and containment, worked as designed, and all the nuclear reactors shut down safely. While all seven units at the site have remained safely shut down, TEPCO continues inspections and safety evaluations of these plant facilities, includ-ing a thorough geological survey to establish a new design basis ground motion. As of September 2010, TEPCO has completed and resumed commercial operation for unit 6, 7 and 1. Unit 5 is expected to follow soon as of September 2010.Although the observed acceleration of the NCOE exceeded the design value for dy-namic seismic force, the quake generated forces applied to safety significant SSCs were of about the same strength as the design basis, taking into account the static seismic force which is required to be set at three times the strength of general fa-cilities. Other conservatisms were already embedded in the design process, and the safety significant SSCs possessed sufficient design margin that kept the facilities and their safety functions intact.TEPCO is determined to strengthen its nuclear power stations with added seismic safety and emergency preparedness and committed to sharing the lessons learned with the nuclear community worldwide. (Presentation Only)

1:55 PMDevelopment of Seismic Risk Evaluation Model for New Nu-clear Power PlantKohei HISAMOCHI, Daisuke TANIGUCHI, and Shingo ODAHitachi-GE Nuclear Energy, Ltd., Ibaraki-ken, Japan

Seismic isolators have been studied and applied to the basic design of a nuclear pow-er plant to improve the seismic capacity and design standardization. As an alternative approach, diversified mitigation systems have been also considered to withstand the common load from earthquakes. While these two options are considered, a seismic risk evaluation model has been developed and the seismic margin has been evaluated to assess the effectiveness of seismic isolators and/or diversified mitigation system.In this study, plant level HCLPF (High Confidence - Low Probability of Failure) accel-erations have been calculated by using seismic margin analysis methodology. Firstly, the simplified seismic risk evaluation model has been developed for ABWR (Advanced Boling Water Reactor) as the base configuration. The ABWR has three divisional safe-ty systems for core cooling and decay heat removal. Each division has a high pres-sure injection system, a residual heat removal system, and support systems includ-ing diesel generator system. Then, the risk evaluation model has been expanded to model the configuration of IC (Isolation Condenser) and passive containment cooling systems, which have relatively large pools on the upper part of the building, as the diversified mitigation systems.Using this model and generic fragility parameter values, the plant level HCLPF accel-erations have been quantified to compare the seismic isolator case, diversified mitiga-tion systems case, and the combination case. As a result of margin analysis, these cases have larger margin than base case. According to the sensitivity analyses, it is indicated that the scope of the capacity increase in case of the seismic isolator and the capacity of the additional systems are important to increase the seismic margin.Throughout this model development and demonstration of margin calculation, we have discussed the applicability of this seismic risk evaluation model to choose a seismic isolator option in the view point of the seismic risk.

2:20 PMAddressing Accident Sequence Over-Counting in the Kernk-raftwerk Mühleberg Seismic PSAR.F. Kirchner (a), E.T. Burns, V.M. Andersen (b), O. Zuchuat and Y. Bayrak-tarli (c)a) RFK Dynamics, Inc., Niskayuna NY, b) ERIN Engineering and Research, Inc., Campbell, CA, c) BKW FMB Energie AG, Kernkraftwerk Mühleberg, Mühleberg, Switzerland

Due to the high conditional failure probabilities that can occur given seismic initiating events, the quantification approximations typically employed in Seismic Probabilis-tic Safety Assessment (SPSA) models result in significant over-counting of accident sequence frequencies. Over-counting of sequence frequency by a factor of ten or more has been observed during the quantification of seismic models using algorithms which employ the rare event or minimum cutset upper bound (MCUB) approximations. This can occur when the constituent basic events of a system or functional gate in the model sum to greater than one due to high basic event failure probabilities. This paper describes the methods developed to reduce seismic sequence overcounting via use of “AND-NOT” modeling as well as the Advanced Cutset Upper Bound Estimator (ACUBE) computer code.

2:45 PMUse of Seismic PRA for Risk-Informed Decision Making by Utilities and Regulatory AgenciesRobert J. Budnitz (a), Nilesh C. Chokshi (b), and M.K. Ravindra (c)a) Lawrence Berkeley National Laboratory, University of California, Berkeley CA, b) US Nuclear Regula-tory Commission, Rockville MD, c) MK Ravindra Consulting, Irvine CA

The methodology for seismic PRA (SPRA) has existed for over three decades, over which time it has evolved and matured, like the rest of PRA. It has been applied at several dozen nuclear power plants worldwide. SPRA has been used to support risk-informed decision-making to upgrade the safety of existing plants, to help prioritize which proposed backfits are most urgent , to help regulatory agencies like he USNRC and international agencies like the IAEA to develop regulations and regulatory guid-ance related to seismic risk, to support the prioritization of safety research projects, and to develop insights into the overall seismic risk from an individual plant and from an entire fleet of plants. In this latter role, it has been the principal vehicle for informing decision-makers and the general public about the risk from earthquakes at a typical nuclear plant. What emerges from the ensemble of SPRAs is that typically the seismic part of the overall reactor risk is a major contributor, sometimes dominant, almost always important, although sometimes negligible. However, seismic PRA is subject to a major misconception on the part of some PRA analysts who can be heard continuing to profess the view that SPRA is not mature enough for routine use for risk-informed applications. This view is inconsistent with the current status of the SPRA methodol-ogy and its uses in regulatory and plant-specific applications. This paper describes the evolution of the SPRA methodology and its components, and provides examples of some specific applications.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Salon A

Seismic PSA - 1Session Chair: Andrea Maioli

24

1:30 PMOn Considering Safety Culture and Probabilistic Risk Assess-mentCharles T Ramsey (a), David H Johnson (b), and C. Richard Grantom (c)a) Oak Ridge National Laboratory, Oak Ridge, TN, b) ABS Consulting, Irvine, CA, c) STP Nuclear Operat-ing Company, Wadsworth, TX

The current generation of nuclear power plants operating in the United States has an impressive safety record. This record is a result of successful design, effective regulation and, perhaps most importantly, skilled operating staff. When compared to their original design and operation, today’s plants have undergone hardware modifica-tions, procedure improvement and changes in operation to help achieve this success. Application of modern probabilistic risk assessment methods and the integration of risk analysis in the form of risk-informed regulation and into operations have been central to improving safety. Probabilistic assessment provides the bases for estimat-ing the risk at commercial nuclear power plants; direct actuarial data is not sufficient. A number of assumptions – both explicit and implicit – underpin PRA. These include assuming, for example, the plant design meets the general design criteria, various industry standards, the safety limits and the limiting system safety settings. It is also assumed that plant is managed and operated in a safety-focused environment. This last aspect can be thought of as ‘safety culture.’ These assumptions together describe an envelope outside of which the results of the PRA, and therefore risk management programs based on the PRA, may no longer be valid. In recent years, much progress has been made in investigating the nature of an effective safety culture, including at-tempts to measure changes in this environment. This paper explores the relationship of safety culture to PRA focusing on how plant-specific safety culture analyses relate to effective risk-management programs. (Presentation Only)

1:55 PMDevelopment of Safety Culture Assessment Model Using Safety Culture Maturity Model and 4P-4C MATRIXCheol SHEEN and Dae-Wook CHUNGKorea Institute of Nuclear Safety, Daejeon, Republic of Korea

It has been assumed that safety culture is one of the fundamental elements to maintain safety of nuclear facilities and to achieve safety goals in the nuclear industries. Safety culture assessment is indispensible factor to diagnose safety culture deficiencies of organization and to advance level of safety culture. However, the intrinsic attributes of culture have been an obstacle to measure level of safety culture quantitatively and objectively. Therefore, we tried to make a nuclear safety culture assessment model applying the safety culture maturity model and 4P-4C matrix to evaluate the inherent characteristic of safety culture quantitatively with maintaining objectivity. The safety culture maturity model is proposed by Professor Patrick Hudson who improved Ron Westrum’s model. Hudson applied the model for the organizations of oil and gas in-dustries. The 4P-4C model is originally developed by aerospace psychology research group in Trinity College, University of Dublin to evaluate human and organizational factors. As the assessment models are originated from other industries, we performed comparison study to IAEA SCART’s model to examine the nuclear applicability. The differences between assessment models were derived and analyzed. The analysis study demonstrates the limitation of IAEA’s models to assess safety culture. And we developed a 4P-4C matrix as a safety culture evaluation tool using NRC safety culture attributes.

2:20 PMNuclear Power: Too Risky for Risk Management? Facing the Limits of Doublet Risk ModelingWilliam P. MullinsBetter Choices Consulting, Mission Hills, KS

The paper explores, from a systems perspective, inherent limitations in the current US nuclear energy regulatory framework (i.e. NRC) owing to predication of “risk” as a two element trade space (i.e. likelihood, consequence). For purposes of analysis the following hypothesis is given: With the emergence of a US national energy security risk integration space, effective portfolio risk management cannot be achieved absent consideration of variation in scenarios upstream of all but the most general principles of eventual technology regulation. NRC’s one-sizefits- all, and tradition-bound reliance upon doublet risk leads predictably to unwieldy metaphysical compensating mecha-nisms such as “positive nuclear safety culture” which become constraints on portfolio risk performance improvement with no offsetting value for the exclusive investments they require. Assumptions in the NRC’s current predication of “risk” far predate current best practice for risk-balanced portfolio decision-making and have not been adapted to the evolution of such practice. The author demonstrates that the management of goal conflicts at national energy security enterprise level is necessarily more complex (i.e. multivariate) than, and seriously at odds with, the inherently “reliability-assessment” character of NRC’s institutional sense of “risk.” In the paper, analysis includes a com-parison with evolving concepts principles, and practices for “riskinformed decision-making as practiced by NASA.

2:45 PMImpact of Viable System Model (VSM) Type of Organizational Concept on Safety Regulation of the Nuclear IndustryAnthony J Spurgin (a), and David Stupples (b)a) City University of London, San Diego, CA, b) School of Engineering & Mathematical Sciences, City University of London, London, UK

VSM is based upon a holistic concept of a cybernetic biological model for organisms. Beer [1.] used this concept to construct a model for businesses. The VSM approach has been used to model the interactions between the NPP utilities, INPO and the NRC in this paper. In reality, one has to consider the competitive aspects between economics and safety, as far as NPP managements are concerned, but the paper focuses on safety issues in considering the equivalence between VSM and the cur-rent state of the nuclear industry. In the context of VSM, the role of management and outside organizations on improvements in safety culture of NPPs are considered. Various operations within a power plant organization can be modeled in a manner like similar autonomic functions in living animals. Such an autonomic function might be plant maintenance, however because of safety considerations, the role of safety culture must be considered in how they are modeled in VSM. This paper examines the enhancement of nuclear power plant (NPP) safety based upon three aspects, namely Regulation by US NRC, NPP self regulation and by INPO and their effectiveness. It appears that the organization of the US nuclear power has responded to accidents by making changes in its organizational structures. The current safety related structure, of the inter-relationships between the NPP utilities, NRC and INPO, is compared to a modified VSM [1.] approach. The industry’s organization seems to developed towards a VSM approach. The paper is based upon a more detailed study made by the authors on the impact of regulation and control on safety using a VSM approach. Under Safety Regulations, limited safety variations are permitted under NRC rules. It is virtually impossible to produce power without equipment or human failures. The objective is to limit the accident consequences to values acceptable to the public. The design and operation of the NPPs should be such as to limit radioactive releases to as low as possible commensurate with public acceptability and this should achievable within the rules of the NRC and the guidance and help given by INPO. How the management structure of the industry is examined here. In order to give some context to understand the current state of the US nuclear Industry, the paper provides a brief commentary on the developments in safety awareness and implementation over the period from circa 1960 to present, including reference to Three Mile #2 accident and other incidents and how these accidents and incidents have influenced the industry.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Salon B

Safety CultureSession Chair: David Johnson

25

1:30 PMUpgrade to Seabrook Station Flood Risk Assessment Sum-mary and InsightsRichard Turcotte and Kenneth KiperSeabrook Station, NextEra Energy Seabrook, LLC,, Seabrook, NH

Although the total plant risk is extremely low, the relative contribution of internal flood-ing risk at Seabrook has increased based on a recent PRA update. This paper exam-ines the reasons for the relative change in flood risk compared to previous assess-ments. The change in risk was identified through a recent revision to the internal flood PRA, using comprehensive and systematic methods. It concludes that low frequency / high consequence scenarios may be missed in a risk assessment that does not have a developed methodology. The SBK 2010 internal flood PRA study was performed to meet the latest ASME PRA Standard (specifically Part 3 regarding internal flood) and also to take advantage of the latest available EPRI data and guidance for performing internal flood risk assessments. The latest generic internal flood analysis guidance is significantly more comprehensive than guidance used in the previous flood analyses. As a result, the upgraded internal flood risk assessment evaluated over 200 flood initiating events. Of these, all but 32 events were screened from detailed quantitative assessment. The 32 unscreened events are included in the SBK PRA model and quantitatively evaluated for impact on plant risk. This compares to just 3 internal flood events evaluated in the previous model. This paper presents a summary of the up-graded SBK 2010 internal flood risk assessment key scope and method areas. The noteworthy differences between the previous flood study for IPE and the updated study are summarized. The quantitative results and risk insights of the update study are presented.

1:55 PMElectrical Switchgear Flood Area Impact AssessmentAlexander Rubbicco and Rupert WestonWestinghouse Electric Company, LLC, Windsor, CT

This paper examines specific topics that relate to propagation modeling and credit for drains in assessing flood-induced failure of electrical switchgear equipment. The design philosophy of most nuclear power plants (NPPs) is to eliminate or minimize flood sources inside electrical switchgear areas, but total elimination of flood sources in the Class 1E electrical switchgear areas is not always practical. Certain electrical equipment associated with switchgears, load centers and motor control centers are generally located within close proximity of the floor. Flood events in electrical switch-gear areas can cause complete or partial flood-induced failures of mitigating systems causing certain flood scenarios to dominant overall plant risk. The modeling of water propagating from an originating flood area to an adjacent flood area containing electri-cal switchgear equipment is examined in this paper. A quasi-static method is used to estimate the flow rate from the originating flood area to the adjacent area. The method assumes that flooding loads do not cause structural failure of doors or other flood barriers and propagation from the originating flood area to the adjacent flood areas is achieved through door gap(s). Credit for the drain system in the adjacent flood areas is taken into consideration in assessing the flood heights and the potential for flood-induced failures of electrical equipment. This method is considered to be a more real-istic approach in determining the components impacted in adjacent flood areas in the propagation path for a given scenario. Depending on the flow rate, recovery strategies can be developed for isolating the flood source.

2:20 PMInternal Flood PRA Case Study at Exelon Nuclear’s Limerick Generating Station for 4 Kv Safeguard Room CorridorPhilip Tarpinian (a), Robert Wolfgang (b)a) Exelon Nuclear, Pottstown, PA, b) ERIN Engineering and Research, Inc., West Chester, PA

A newly-identified internal flooding Probabilistic Risk Assessment (PRA) scenario, located in a 4kV safeguard corridor, having an impact on core damage frequency (CDF) was discovered during an update of the flooding PRA model in 2008-2009. The update of the internal flooding analysis was performed to meet the requirements of the American Society of Mechanical Engineers (ASME) PRA standard, ASME RA-S-2002 (and addenda and subsequent revisions). Application of recent internal flooding criteria contained in the ASME PRA standard and an Electric Power Research Institute (EPRI) internal flooding analysis guideline imposes different pipe rupture probabilities and a more rigorous methodology than previously considered. This issue does not rep-resent a design-basis issue but rather is associated with potential plant risk insights. The previously unidentified flooding scenario had the ability to result in the potential loss of much of the 4 kV switchgear for Unit 1 and Unit 2. No event occurred, but the identified potential flooding configuration had existed for approximately 10 years after a plant modification was installed to meet licensing requirements. The plant conse-quences of the identified scenario, although unlikely, could be significant, i.e., poten-tially resulting in a loss of safety-related power for Unit 1 and Unit 2. Incorporation of the new scenario into the PRA yielded a preliminary calculated increase in LGS’ CDF of 160%. However, since the overall CDF was extremely small, the calculated increase represented a large change and therefore helped focus plant attention on the potential consequences of a pipe break and the operator actions and plant changes needed to mitigate this risk contributor. The risk was mitigated by implementation of a plant modification that reduced the impacts of a potential pipe rupture and yielded a net reduction in CDF.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 1:30 PM - Carolina

Flooding PSA - 1Session Chair: Ray Dremel

26

3:45 PMReliability Prediction of Passive Systems Based on Multiple Failure Measures ModelingLuciano BurgazziReactor Safety and Fuel Cycle Methods Technical Unit, ENEA, Italian National Agency for New Technolo-gies, Energy and Sustainable Economic Development, Bologna, Italy

This paper illustrates a modeling and analysis approach for reliability prediction based on degradation modeling, considering multiple degradation measures and with re-spect to the t-h (thermal-hydraulic) passive systems.Previous research on the topic has pointed out the susceptibility of the passive sys-tem to several modes of failure. In fact it has been recognized that a system may have, in addition to component mechanism failures, multiple degradation paths, so it is necessary to simultaneously consider multiple degradation measures. Also, many research efforts on degradation analysis were initiated by making assumptions about the degradation mechanism. In reality often there is very limited understanding about the concerned degradation mechanisms together with their interdependencies.In this paper, an analysis procedure is developed to address this aspect. Simulated data have been used to illustrate the applicability of this approach. Results on the ap-plication of the methods to a simplified model of the passive residual heat transport system in water cooled reactors are presented.It was verified that, when the multiple degradation measures in a system are corre-lated, an incorrect independence assumption may overestimate the system reliability.

4:10 PMCritical Issues Pertaining to the Evaluation of Passive System ReliabilityA.K. Nayak, Vikas Jain, and D. SahaReactor Engineering Division, Bhabha Atomic Research Centre, Mumbai, India

Passive systems are playing prominent role in the design and development of innova-tive reactor systems because of generally perceived enhanced safety and reliability on account of reduced human intervention and ample grace period for the operator in case of accidental conditions. These systems are considered to be more reliable than the active systems, due to their dependence solely on the natural phenomena based on simple physical laws. However, assessing their reliability in a transparent manner is an unresolved issue as the natural phenomena based on simple physical laws too undergo the degradation and may not be able to fulfil the desired function for the mission time in a satisfactory manner. Currently existing methodologies for the as-sessment of passive system reliability suffer the lack of universal acceptability due to unrealistic assumptions to account for uncertainty and over-dependence on the expert elicitation. This paper provides a general perspective on the evolution of state-of-art methodologies and examines the critical issues pertaining to the evaluation of passive system reliability which need to be considered to resolve the ambiguities surrounding the issue of passive system reliability assessment.

4:35 PMUsing Importance Sampled RELAP5-3D Simulations to Evalu-ate Radioactive Material Release Frequencies for the Tech-nology Neutral FrameworkM. Denman, N. Todreas, M. DriscollDepartment of Nuclear Science and Engineering, MIT, Cambridge, MA

NUREG-1860, more commonly known as the Technology Neutral Framework (TNF), is a risk-informed licensing process drafted by the Nuclear Regulatory Commission’s (NRC) Office of Nuclear Regulatory Research. The TNF determines the acceptability of accident sequences by examining the 95th percentile estimate of both the frequency and quantity of radioactive material release and compares this value to predetermined limits on the Frequency-Consequence Curve. Estimating the 95th percentile of fre-quency and consequence of accident sequences can be difficult, as many advanced reactors are designed to have high reliability when confronted with licensing basis transients. While statistical techniques such as importance sampling exist to estimate the mean and variance of an estimate, frequentist statistics does not provide insight into the shape, and thus 95th percentile, of the distribution around that estimate. This paper proposes that the evidence derived from importance sampling of epidemic un-certainties in RELAP5-3D simulations may be used in Bayesian updating to provide a posterior distribution with which a 95th percentile value can be estimated. While both metal and oxide fuel types will be shown to meet the TNF requirements, the frequency of radiation release for metallic fuel will be shown to be orders of magnitude lower than that for oxide fuel.

5:00 PMInsights from PSA Applications of the OECD Nuclear Energy Agency (OECD/NEA) OPDE DatabaseBengt Lydell (a), Alejandro Huerta (b), Karen Gott (c)a) Scandpower Inc., Houston, TX, USA, b) OECD Nuclear Energy Agency, Issy-les-Moulineaux, France, c) Swedish Radiation Safety Authority, Dept. of Nuclear Power Plant Safety, Stockholm, Sweden

The OECD Pipe Failure Data Exchange (OPDE) Project has established an interna-tional database on pipe degradation and failure in commercial nuclear power plants. During its third term of operation (2008-2011) methods & techniques for systematic evaluation of piping service experience data have been developed and explored. In-cluded in the third term work scope is a conversion to an entirely web-based system both for entering new records and also for the development of an enhanced web-based database for the collection and evaluation of service induced pipe degrada-tion and failure. The lessons learned from database applications performed during the period 1994- 2010 have been summarized in an Applications Handbook (OPDE-AH). Included in this paper is an overview of how the application-specific database queries are utilized to reflect unique combinations of piping reliability attributes and influence factors that are considered for anticipated applications. Three types of applications are considered: 1) ‘advanced application’ in support of structural integrity assessments including fracture mechanics considerations, 2) risk-informed applications that involve probabilistic safety assessment (PSA) considerations (e.g., internal flooding PSA), and 3) ‘high-level’ database reviews for the purpose of simple trend analyses.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Azalea

Passive Reliability - 1Session Chair: Enrico Zio

27

3:45 PMInsights from Quantitative Risk Analysis Applications for Non-reactor Nuclear FacilitiesKevin R. O’KulaURS Safety Management Solutions LLC, Aiken, SC

U.S. Department of Energy (DOE) directives provide a deterministic approach for per-forming hazards analysis at DOE’s nuclear facilities and selecting hazards controls to provide reasonable assurance of adequate public protection. In particular, DOE Stan-dard (STD)-3009-94, is a “safe harbor” in terms of methodology for compliance with Code of Federal Regulations (CFR) Title 10, Part 830, Nuclear Safety Management, Subpart B. DOE-STD-3009-94 provides direction on the analyses that are required to support safety basis decisions and states that the Department’s approach does not require or expect the level of detail analysis necessary for a quantitative risk assess-ment (QRA). Nonetheless, risk assessment-related polices, standards, guides, and other controls used by other government organizations, as well as by industry, are being evaluated by DOE and its contractors for applicability to its nuclear facilities. Ul-timately, a standards-based approach is the goal for use of risk tools, as supplements to deterministic methods, and taking full advantage of the available risk assessment tools, best practices, and lessons learned from across the spectrum of experienced practitioners. In this paper, three specific QRA applications are described as potential prototypes for supplementing deterministic approaches in DOE safety basis applica-tions, and include: (1) the probabilistic safety assessment (PSA) performed for the Defense Waste Processing Facility (DWPF) at the Savannah River Site (SRS); (2) a SEN-35-91 compliance evaluation of replacement tritium facilities at SRS; and (3) an ongoing QRA of hydrogen events in Hanford Site’s Waste Treatment and Immobiliza-tion Plant (WTP), as a design guidance application. (Presentation Only)

4:10 PMChallenges Developing a FECA For a Supporting System Dur-ing Conceptual DesignStanley H. Levinson (a), Michael W. Kelly, Salvatore J. DiGiovanni (b), and Timothy W. Dodson (c)a) AREVA, Lynchburg, VA, b) AREVA, Charlotte, NC, c) AREVA, Marlborough, MA

The United States (US) is participating in an international effort to design and build the International Thermonuclear Experimental Reactor (ITER). The responsibility as-signed to the US is the design and construction of the Tokamak Cooling Water System (TCWS). Part of this effort includes conducting a series of design optimization stud-ies that will ultimately include Reliability, Availability, Maintainability, and Inspectability (RAMI) analyses, Hazard Analysis, Failure Modes, Effects, and Criticality Analysis (FMECA), and Human Engineering. This paper discusses the FMECA approach, and three challenges to its implementation. These are: status of the design, analysis of a supporting system, and scope and schedule limitations. A conceptual design is not a complete design and requires many assumptions. A FMECA performed for a support-ing system creates uncertainty when developing global and safety effects. The scope and schedule required five analysts to divide the TCWS systems, potentially creating inconsistencies among the FMECA tables. Work-arounds, templates, and assump-tions were used to try to ameliorate the impact of these challenges. The final FMECA can provide high-level insights on design; it can also provide a preliminary basis for developing operating and maintenance procedures. The conceptual design FMECA will require significant review and modification during the transition to the preliminary design FMECA. Nonetheless, developing the conceptual design FMECA establishes the process, provides some insights, and creates the foundation for future work as the design matures.

4:35 PMRisk -Informing Safety Reviews for Non-Reactor Nuclear Fa-cilitiesV. Mubayi, A. Azarm, M. Yue, W. Mukaddam, G. Good, F. Gonzalez and R.A. BariBrookhaven National Laboratory, Upton, NY

This paper describes a methodology used to model potential accidents in fuel cycle facilities that employ chemical processes to separate and purify nuclear materials. The methodology is illustrated with an example that uses event and fault trees to estimate the frequency of a specific energetic reaction that can occur in nuclear material pro-cessing facilities. The methodology used probabilistic risk assessment (PRA)-related tools as well as information about the chemical reaction characteristics, information on plant design and operational features, and generic data about component failure rates and human error rates. The accident frequency estimates for the specific reaction help to risk-inform the safety review process and assess compliance with regulatory requirements.

5:00 PMNuclear PRA and Defense-in-Depth Insights into the Deepwa-ter Horizon AccidentDennis Henneke, Matt Warner, Paul NicholsGE Hitachi, Wilmington, NC

Nuclear Defense-in-Depth (DID) is a principle of long standing for the design, con-struction and operation of nuclear reactors, and may be thought of as requiring a concentric arrangement of protective barriers or means, all of which must be breached before a hazardous material or dangerous energy can adversely affect human be-ings or the environment. The classic three physical barriers to radiation release in a reactor— fuel cladding, reactor pressure vessel, and primary containment —are an example of defense-in-depth.Probabilistic Risk Assessment (PRA) has been performed for all US Nuclear Plants, and most nuclear plants around the world. Insights from the PRAs have been incorpo-rated into the plant designs. For new nuclear reactors, PRA has been used to dramati-cally improve the designs and lower the analyzed plant risk prior to construction.Oil drilling rigs used for drilling for oil in very deep water, such as the Gulf of Mexico, have been designed using standard engineering design approaches, with improve-ments made to the design over time. However, lessons learned from the Deepwater Horizon accident have shown that the design and operation of deepwater drilling may not be sufficient to prevent an accident. The purpose of this paper is to review the Deepwater Horizon Accident, and provide insights to possible contributing factors and improvements using Nuclear Probabilistic Risk Assessment (PRA) and Nuclear De-fense-in-Depth (DID) principals. While there are certainly applicable lessons learned from this accident for the nuclear industry, this report is focused on insights from Nu-clear PRA and DID.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Camelia/Dogwood

Non-Reactor PSA - 1Session Chair: Jim Young

28

3:45 PMConsideration of Fire Risk in Configuration Risk Management ProgramsVictoria K. Anderson (a), Bradley W. Dolan (b), Leo B. Shanley (c), Denis P. Shumaker (d)a) Nuclear Energy Institute, b) Tennessee Valley Authority, c) Erin Engineering and Research, Inc., d) PSEG Nuclear LLC.

US nuclear utilities base their configuration risk management processes on guidance found in NUMARC 93-01. The current revision of NUMARC 93-01 does not require consideration of risk associated with potential fire initiators. The Nuclear Energy Insti-tute (NEI) has proposed a set of changes to NUMARC 93-01 which, if implemented, would describe approaches that utilities could use to incorporate consideration of risk associated with potential fire initiators into their configuration risk management and work scheduling processes. The proposed changes would encourage development and implementation of a focused approach involving identification of key components, components whose removal from service could have a material impact on core dam-age risk. The proposed changes to NUMARC 93-01 would also encourage develop-ment of risk management actions to limit or mitigate the associated risk when key components are taken out of service. In addition, enhanced communications would be encouraged between work scheduling groups, risk management personnel, and station personnel involved with maintaining and operating fire protection programs and systems. This paper discusses potential approaches for identifying key compo-nents with respect to fire risk, including an approach based on using risk information from a fire PRA and an approach using risk information from an internal events model combined with information from a safe shutdown equipment list. The paper also dis-cusses approaches for identification of possible risk management actions which could be considered when key components with respect to fire risk are made unavailable. In addition this paper discusses ways to ensure adequate communications between the various affected plant organizations so that fire risk can be adequately managed. Insights and experience gained in performing a “tabletop pilot” of a proposed approach are also discussed. (Presentation Only)

4:10 PMLessons Learned in (A)(4) ComplianceRoss C. Anderson (a), Robert W. Fosdick (b)a) Virginia Commonwealth University, Richmond, VA, b)R&B Nuclear LLC, Maidens, Virginia

Ten years after 10 CFR 50.65(a)(4) first required utilities to perform configuration risk analysis in support of risk management, the Dominion compliance program was reviewed to identify key lessons learned. Key points included the effort required to sustain an effective program; the number of approaches to the regulatory action threshold, and actual risk performance; expected and unexpected contributors to risk significance; and regulatory experience. The conclusions are presented in a general-ized form for the benefit of the entire U.S. industry.

4:35 PMUse of U.S. On-Line Maintenance Experience with Non-U.S. UtilitiesKen Huffman and Stephen HessElectric Power Research Institute (EPRI), Charlotte, NC

U.S. nuclear power plants routinely apply on-line maintenance (OLM) to improve plant reliability, safety and economic performance. In EPRI report 1018422 [1], which is available to the public, we provide a detailed discussion of the U.S. experience since the use of OLM became widespread in the mid-1990’s. Recognizing the performance improvements achieved by U.S. plants facilitated by the use of OLM, a number of non-U.S. nuclear utilities are exploring the expanded use of OLM in their plants. The use of U.S. experience in initiating or expanding use of OLM by non-U.S. utilities will be discussed in this paper.There are several elements of the U.S. experience base that can serve as effective models, yield valuable lessons-learned and / or can be directly adapted outside of the U.S. These include application of risk assessment methods to plant configuration man-agement and the expanded use of condition based maintenance strategies to manage the health and performance of plant structures, systems and components. However, there are aspects of the U.S. experience base that may not be optimum for plants that are just initiating OLM. In the U.S., plant work practices and organizations are struc-tured to support a large amount of maintenance that can be performed on-line. Adop-tion of these practices and organizational structures may not be optimum in all cases; particularly if limited OLM activities are to be conducted. To support non-U.S. plants in initiating or expanding their use of OLM, EPRI has developed a phased approach that is effective for different quantities and complexity of OLM activity.

5:00 PMOptimizing Planned Maintenance and On-Line RiskGerry W. KindredCurtiss-Wright/Scientech, Madison, OH

Title 10 of the Code of Federal Regulations (CFR), Part 50.65(a)(4) provides an al-lowance for performing plant maintenance during power operations. A key aspect to this provision is to assess and manage risk prior to taking risk-significant equipment out-of-service. Four principles govern optimization of planned maintenance with re-spect to nuclear risk; 1) ensuring nuclear safety (CDF/LERF) by understanding the impact of equipment unavailability, including combinations of equipment, 2) manag-ing risk (CDP/LERP) by limiting the duration equipment is unavailable, 3) maximizing the efficiency and effectiveness of the plant staff and other resources by integrating risk-insights into the work management schedule, and 4) by identifying the impact of work by effectively communicating to the plant staff. Several components to optimizing planned maintenance include integration of PRA risk-insights into the work manage-ment process, a process to evaluate scenarios (what-ifs), and a real-time assessment tool (e.g., Safety Monitor, EOOS, etc.). To optimize maintenance it is important that PRA insights begin early in the process, i.e., approximately twelve weeks or more in advance of the workweek. What-if capability is important to allow the Planner/Sched-uler/PRA Engineer to move work activities around in the schedule early in the process to best determine how to minimize the overall instantaneous risk (CDF) as well as the overall cumulative risk (CDP). Another aspect of optimizing maintenance is to provide the plant operator with real-time capability of assessing risk. Real-time capability al-lows for unplanned conditions, such as severe weather to be taken into account with planned activities, in addition to providing allowance for the dynamics of a complex schedule involving several risk-significant activities to be performed simultaneously. Both qualitative and quantitative approaches must be considered to manage the risk associated with on-line maintenance activities. A review of the as-performed workweek can provide additional risk-insights that may prove beneficial in the future. Integrating lessons-learned will strengthen the on-line risk program significantly if risk-insights are included. The performance of the on-line risk assessment need not be performed by a PRA Engineer; however, prudence dictates inclusion of the PRA Staff commensurate with the magnitude of risk (CDF/LERF) associated with a given workweek schedule. Optimization of on-line maintenance cannot be performed effectively without integra-tion of PRA.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Magnolia

Configuration Risk Management - 2Session Chair: Tom Morgan

29

3:45 PMSeismic PRA Modeling and Quantification ApproachesAndrea Maioli (a), Martin W. McCann, Jr. (b), David J. Finnicum (c)a) Westinghouse Electric Company LLC, Cranberry Township, PA, b) Jack R. Benjamin & Associates, Inc., Menlo Park, CA, c) Westinghouse Electric Company LLC, Windsor, CT

The inter-relationship between component and system fragilities and hazard curves is a defining characteristic of a Seismic Probabilistic Risk Assessment (S-PRA) and dictates the unique needs for both modeling and quantification techniques and tools associated with this specific hazard group. In this paper, S-PRA modeling and quan-tification techniques are discussed in the framework of the current S-PRA trend of developing one comprehensive and integrated plant system model and performing hazard-fragility integration over all ground motions for the full plant model. Given the current inability (or at best difficulty) of the majority of the PRA software packages to fully integrate seismic hazard and fragility curves, the preferred S-PRA modeling and quantification approach would require a breakdown of the hazard curves into a limited number of intervals, and the offline integration of hazard and fragility curves for each interval. This is the only approach that would allow a “one-top” fault tree linked model including seismic hazard. The need for an improved seismic modeling and quantifica-tion approach as applied to S-PRA is discussed considering the importance of the seismic hazard to support risk-informed applications. In addition, the seismic risk pro-file as a function of the characterization of earthquake ground motions (e.g., PGA or SA), is binned into the same limited number of intervals into which the seismic hazard curve is broken down. This approach potentially adds uncertainties and unnecessarily complicates the risk analysis quantification. A more integrated quantification approach for the integration of the hazard and fragilities and quantification of seismic risk is here-in discussed that would; not require an apriori breakdown of the hazard and fragility, properly (seamlessly) addresses event successes in the quantification process, and provide a set of results of higher intrinsic value not only for the PRA end-user, but for the system analyst, seismic design and qualification engineers, with the possibility of identifying not only the CDF and/or release frequencies as a function of the parameter used for seismic event characterization but also potentially seismic sequence, system and plant level fragility curves.

4:10 PMA Comprehensive Database Application to Support Seismic PSA ModelingSilvio T. Sperbeck, Michael Türschmann (a), Matias Krauß (b)a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Berlin, Germany, b) Bundesamt für Strahlenschutz Postfach, Salzgitter, Germany

The German PSA Guideline and its technical document on PSA methods published in 2005 require probabilistic safety analyses (PSA) to be carried out in the frame of periodic safety reviews for nuclear power plants. This also includes a seismic PSA (SPSA) forsites with design earthquake intensities exceeding the value VII (MSK or EMS scale). Based on the specifications in the PSA Guideline, a comprehensive database <DBSPSA>is conceived, which can be used for performing and applying SPSA. <DBSPSA>can be also applied as a tool in the frame of SPSA reviews for all queries regarding the plant specific SPSA to be evaluated. Some enlargements and concretions of the requirements in the PSA Guideline were implemented to en-sure an adequate quality as well as the traceability and reproducibility of a SPSA. Therefore, a two-stage screening process of structures, systems and components (SSC) is developed that may be used to compile and complete the seismic equipment list (SEL). Moreover, the seismic robustness of allSSC of the SEL can be evaluated with respect to their safety significance. In addition, a general model is developed for modeling dependencies of seismic failures for different SSC. It is planned to config-ure <DBSPSA>for an automatic parameter transfer (e.g. fragilities of all SSC of the SEL and correlation parameters for the description of seismic dependent SSC failure behavior) in order to quantify the plant model for arbitrary seismic intensities. The paper outlines the detailed structure of the <DBSPSA>database. The application of <DBSPSA>during accomplishment of the SSC screening process, for description and modeling of dependencies and, finally, for quantification of the plant model is eluci-dated by means of selected examples.

4:35 PMMethods for Seismic Analysis Using RiskspectrumOla Bäckström and Johan SörmanScandpower - Lloyds Register, Sundbyberg, Sweden

Seismic analysis requires that the PSA model must be able to represent some specific reliability parameters. These are representation of the hazard and fragility curve. This paper will describe one method for performing seismic analysis using RiskSpectrum, within the existing framework. The focus will be:• To enable basic understanding of how seismic PSA model is developed inRiskSpectrum• How is it related to the existing PSA model for internal initiating events• How are seismic hazard and fragility data input into RS model• How seismic risk is (in terms of CDF) quantified with RSThe paper will describe how the extended uncertainty definition in RiskSpectrum can be used to perform uncertainty analysis. To facilitate the seismic analysis a new mod-ule is also being developed. The module will include representation of all necessary elements within a seismic analysis. This paper will also describe the ideas and meth-ods for this new seismic module.

5:00 PMAdvanced Quantification Methods Applied to Seismic Risk AssessmentKen Canavan, Jeff RileyElectric Power Research Institute, Palo Alto, CA

Until recently, one of the key limitations in a Seismic Probabilistic Risk Assessment (PRA) has been quantification of the seismic logic model itself. While the quantification or calculation of the model is similar to the calculations required for an internal-events PRA, the seismic assessments add unique challenges to the calculations of very large models.Over that last several years, enhancements to quantification tools and techniques to address each of these issues have been made. A significant enhancement has been the development of an advanced quantification method and associated tool (Ad-vanced Min Cut Upper Bound Estimator (ACUBE)). Previous to the development of this method, the calculation of the plant risk was subject to conservatisms that could lead a plant to over-state the risk and thus inappropriately determining the significance of various plant systems, structures and components as well as plant configurations and operations.The advancement in the quantification methods allows for the effective removal of over- approximation for the dominant cutsets. The dominant cutsets typically contain the largest magnitude overstatement in the results. In addition, successive model runs can also establish event importance for the seismic model.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Salon A

Seismic PSA - 2Session Chair: Robert Budnitz

30

3:45 PMRisk Communication: A PRA in Your Pocket?Greg Krueger (a), Duane Wilson (b)a) Exelon, b) ERIN Engineering & Research, Inc., Walnut Creek, CA

Today, PRA results are used in a wide variety of utility decision-making settings. One of the key challenges for the PRA community today is the communication and adop-tion of risk management principles within a utility organization. Unfortunately, in many cases, the understanding of PRA and PRA results is limited to the PRA organization. As the PRA has become a key input to utility and regulatory decision-making, there is an increasing need to expand the level of understanding outside of the cubicles of the PRA engineers and into the broader utility organization. In order to help communicate risk results within the organization many utilities have adopted a four quadrant poster. Typically, these posters include information on initiating events, systems, and operator actions. While beneficial, these posters are static and leave much to the interpreta-tion of the reader. Furthermore, while they do serve to raise the visibility of risk within the organization, they are often out-of-sight-out-of-mind and not available to support all levels of decision-making. Two utilities have embarked on an effort to deploy this information electronically, in order to facilitate more timely and complete communica-tion of risk information across the utility organization. The vehicle for this is a mobile ‘app’, Risk VisualizerTM. Risk VisualizerTM provides access to the PRA results poster, and more, on a real-time basis, in the palm of your hand via a Smart Phone or other mobile device. To date, it has been successfully deployed on Blackberry, iPhone, and iPad devices to support use across the entire utility organization. This will allow all organizations to have access to the information on demand, as well as more detailed data and explanations of the data. (Presentation Only)

4:10 PMPSA Insights of the New Nuclear Power PlantsAndrija VolkanovskiLjubljana, Slovenia

Four designs of generation III+ pressurized water reactors were analyzed in the frame-work of the project entitled “Safety characteristics of potential reactors for JEK 2”. The project was done at the Reactor Engineering Division of the Jožef Stefan Institute for the Slovenian utility. The analyzed designs selected as potential designs for construc-tion of the second unit at the Krško Nuclear Power Plant are: Westinghouse AP1000, AREVA EPR, Mitsubishi APWR and ATMEA1 from AREVA and Mitsubishi.The goal of the project was identification and description of the safety characteristics of analyzed reactor designs. The identification of safety characteristics was based on description of the structures, systems, components and their integral performance given in the design documentation of the vendors. The identification was supported by the review of the safety analyses including the Probabilistic Safety Assessment (PSA) organized according to the classifications of the U.S. Nuclear Regulatory Com-mission.The paper presents results of the review of the PSA section of the Final Safety Analy-sis Report of the corresponding designs. The obtained results include identification and description of the usage of PSA in design phase for the decrease of the risk measures and elimination of the significant risk contributors. The obtained results for the risk indices, namely the core damage frequency and large release frequency are identified and compared against each other and against requirements of the regulator. The comparison with the currently operating nuclear power plants is done and the major contributors to the decrease of the risk indices are identified.

4:35 PMDevelopment of Entergy Fleet PSA Guidance Documents for Model DevelopmentLoys Bedell and John BrettiEntergy Services Inc., Jackson, MS

Entergy Nuclear is a large diverse nuclear fleet that consists of nine nuclear sites and two regional headquarters offices. The PSA models for these plants were generally de-veloped and maintained separately until the early 2000’s. Therefore, much of the orga-nizational learning and best practices from one site were not implemented at another site due to time constraints, plant demands, lack of communication, or lack of exper-tise. In 2007, Entergy Nuclear management requested that guidelines be developed to standardize PSA processes and to better address the requirements of the ASME PSA Standard. Twelve guidelines were scheduled to be developed. These guides were based on the nine major Full Power Internal Events (FPIE) ASME Standard elements with additional guidelines for Loss of Offsite Power analyses, Risk Monitor develop-ment, and Uncertainty Analysis. The majority of these guidelines were scheduled to be completed by the end of 2008. These guidelines had to be developed while still meeting the model update schedules, IPEC License Renewal, and various plant PSA applications. In addition to the compressed schedule for developing these guidelines, the completion of these reports were complicated by other factors. The amount of detail necessary for the guidelines was a significant challenge. More detail would likely force some plants to make major changes to the models or the documentation with unacceptable impacts on model update schedules. However, some amount of detail is necessary to help new PSA engineers in performing these tasks. The PSA software tools were generally consistent across the sites (all sites use CAFTA for fault tree modeling). However, other methodologies and tools varied throughout the fleet. These variations are acceptable within the ASME Standard and had to be accounted for in the guidelines. Despite the compressed schedule and the significant challenges and com-promises necessary, the PSA guidelines were able to be completed and have been useful to both the experienced and new PSA engineers across the Entergy Nuclear fleet. The guideline development has also fostered more cooperation between the two regional offices and has led to more discussions and sharing of information across the fleet.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Salon B

PSA Knowledge Management - 2Session Chair: Mike Lloyd

31

3:45 PMMethodology for Parsing Cumulative Rupture Frequencies for Internal Flood InitiatorsRobert J. WolfgangERIN Engineering and Research, Inc., West Chester, PA

EPRI data for pipe rupture frequencies published in 2006 subdivided the flooding flow rates into three major categories, namely sprays (< 100 gpm), general floods (be-tween 100 and 2000 gpm), and major floods (> 2000 gpm). For large capacity water systems, it was customary to assign the maximum flooding flow rate to the major flooding frequencies. However, this was overly conservative in that it did not recognize that a range of equivalent break sizes (EBS) were possible that could give rise to much lower flow rates. The revised EPRI pipe rupture frequencies developed in 2010 propose a methodology to parse the rupture frequency for pipe ruptures of varying sizes that give rise to corresponding flow rates, which in essence subdivide the cat-egories into any desired range of flow rates. For example, the rupture frequencies for a given break size or larger are presented in the 2010 EPRI report, and can be parsed to represent a particular frequency or likelihood for a given range of break sizes, and hence range of flow rates. The methodology presented in this paper was applied to the Fire Protection system at a particular nuclear plant in order to provide three ranges for major flooding flow rates in order to provide a greater opportunity for isolation and mitigation response instead of assuming the maximum flow rate for a single rupture frequency, which tends to minimize the time available for mitigation.

4:10 PMA Method to Identify and Calculate the Frequency of High En-ergy Line Break-Induced Flooding EventsRaymond Dremel, Russell Sharpe, Todd Reichardt (a), Jayne Ritter, Dave Malek (b)a) Maracor Software & Engineering, Inc., Batavia, IL, b) Xcel Energy, Prairie Island Nuclear Plant, Welch, MN

In a qualification to supporting requirement (SR) IFSN-A6 of ASME/ANS RA-Sa-2009, Regulatory Guide 1.200, Revision 2 states that the effects of high energy line breaks be considered in flooding analyses in order to meet Capability Category II. An evalu-ation of the turbine building at the Prairie Island Nuclear Generating Plant (PINGP) identified the potential for break in a high energy line to impact another system and initiate flooding from a source in addition to the system that experienced the initial break. Because high-energy line break-induced flooding was being Authors’ names, use et al. if more than 3 Page 2 of 6 considered in the significance determination process (SDP), there was a need to determine an initiating event frequency for these HELB-induced floods so that their impact on core damage frequency (CDF) could be assessed. Little documentation of factors affecting HELB-induced flooding events was available and data to support any numerical evaluations of initiating event frequency was even more sparse than the other documentation. Because hundreds of potential interactions between high energy lines and lines with the potential to cause significant flooding existed, detailed evaluations such as finite element analyses for each poten-tial interaction were impractical. Therefore, it was necessary to develop a method to identify potential HELB-induced flooding events, determine potential flooding effects from each event, and quantify frequency for each event. This paper details the method used to develop and quantify the HELB-induced floods for events in the PINGP turbine building. The method used a set of assumptions that, when taken as a group, result in a consistent and easily reproducible method. The method can be used to limit the high energy piping that must be considered as contributing to HELB-induced floods and gives a basis for eliminating the need for detailed stress or finite element analyses of high energy pipe. This method provides a reasonable estimate for HELB-induced flooding initiating events consistent with the qualification of Regulatory Guide 1.200 to use conservative assumptions. The method makes use of the latest published pipe break data from the Electric Power Research Institute (EPRI)

4:35 PMEffects of Alternative Leak Detection Methods on Internal Flooding Initiating Event Frequencies in Flooding PSARussell SharpeMaracor Software & Engineering, Inc., Louisville, TN

It is not unusual for the initial quantification of an internal flooding PSA to result in sequences that offer an unreasonably high contribution to the overall core damage frequency. Typically, such sequences are analyzed further and conservatisms are re-moved. Such analysis might include replacing HEP screening values with detailed HRA values, applying directional factors to spray events, or performing detailed flow calculations to obtain a less conservative picture of flood propagation. If such analysis still does not provide reasonable results, leak detection methods may be credited. The most well-known methods of leak detection include non-destructive examination (NDE) and system leak surveillance. Non-destructive examination typically involves ultrasonic testing of pipe walls to detect hidden flaws in the piping material. The fre-quency of such NDE can vary but is commonly performed every 10 years. System leak surveillance programs usually involve visual examination of the piping for leaks. It is important to note that visual examination in the context of this paper includes actual inspection of the piping itself and not simply a search for pools of water on the floor due to a leaking pipe. The frequency of such leak surveillance can vary, but typically more credit is awarded as the frequency increases. For service water and fire protec-tion system piping, crediting such alternative leak detection methods typically results in an order-of-magnitude reduction in the initiating event frequency and, therefore, the CDF contribution. For some very large pipe breaks the reduction can be two orders of magnitude. The application of such leak detection factors eliminates conservatism and results in a more realistic result.

5:00 PMEnhanced Piping Reliability Models for Use in Internal Flood-ing PSABengt Lydell (a), Ali Mosleh, and Danielle Chrun (b)a) Scandpower Inc., Houston, TX, b) University of Maryland, ENGR-Mechanical Engineering, College Park, MD

The likelihood of a pipe flaw propagating to a significant structural failure (SF) is ex-pressed by the conditional failure probability pSF|DC where “DC” represents degraded condition. With no service data available to support a direct statistical estimation of the conditional probability the assessment can be based on probabilistic fracture mechan-ics (PFM), expert judgment, or a combination of service data insights, expert judgment and PFM. Different PFM algorithms have been developed, but with a focus on fatigue growth and stress corrosion cracking. There remain issues of dispute with respect to reconciliation of results obtained through statistical estimation versus the physical models of PFM, however. Results from studies to benchmark PFM calculations against field experience have shown PFM computer codes to over-predict pipe failure rates by more than an order magnitude relative to statistical estimates of field experience data. In general, the results obtained with PFM computer codes are quite sensitive to assumptions about weld residual stresses, crack growth rates, and correlations of crack initiation times and growth rates. In earlier applications a simple Beta distribution formulation has been used to estimate the conditional probability of flood modes. The main issue with assuming a prior Beta distribution is the estimation of its parameters. Several “constrained” approaches have been proposed. Methods to determine the parameters of the prior Beta distribution include: the method of moments, the PERT approach or the Pearson-Tukey approach. In the absence of data, non-informative priors appear to be a straightforward solution. However, there is often a good knowl-edge on one constraint, such as the mean probability. The approach described in this paper is the use of a constrained non-informative prior. This approach seems to be especially relevant to situations where limited failure data are available to assess the probability that a structural failure occurs, given a degraded condition. In the Pearson-Tukey approach a subject matter expert (SME) is asked to provide the 5th, 50th, 95th percentiles (noted C05, C50 and C95, respectively) and these statistical estimates are used to determine the parameters of a Beta prior distribution. Included in this paper are the results from practical applications of the Pearson-Tukey approach to estimating conditional flood modes for Service Water piping.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisMonday March 14, 2011 - 3:45 PM - Carolina

Flooding PSA - 2Session Chair: Richard Turcotte

32

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 8:00 AM - Grand Ballroom

Plenary Session II

The Honorable George Apostolakis was sworn in as a Commissioner of the U.S. Nuclear Regulatory Commission (NRC) on April 23, 2010, to a term ending on June 30, 2014.

Dr. Apostolakis has had a distinguished career as an engineer, professor and risk analyst. Before joining the NRC, he was the Korea Electric Power Corporation professor of Nuclear Science and Engineering and a professor of Engineering Systems at the Massachusetts Institute of Technology. He was also a member and former chairman of the statutory Advisory Committee on Reactor Safeguards of the NRC.

In 2007, Dr. Apostolakis was elected to the National Academy of Engineering for “innovations in the theory and practice of probabilistic risk assessment and risk management.” He has served as the Editor-in-Chief of the International Journal Reliability Engineering and System Safety and is the founder of the International Conferences on Probabilistic Safety Assess-ment and Management. He received the Tommy Thompson Award for his contributions to im-provement of reactor safety in 1999 and the Arthur Holly Compton Award in Education in 2005 from the American Nuclear Society.

Dr. Apostolakis has published more than 120 papers in technical journals and has made numerous presentations at national and international conferences. His research interests include the use of Probabilistic Risk Assessment (PRA) in reactor design; uncertainty analysis; decision analysis; infrastructure security; risk-informed and performance-based regu-lation; human reliability; and risk management involving multiple stakeholders. He has edited or co-edited eight books and conference proceedings and has participated in many PRA courses and reviews.

Dr. Apostolakis received his diploma in electrical engineering from the National Technical University in Athens, Greece in 1969. He earned a master’s degree in engineering science from the California Institute of Technology in 1970 and a Ph.D. in engineering science and applied mathematics in 1973, both from the California Institute of Technology.

George Apostolakis - US NRC Commissioner

33

9:00 AMA Probabilistic Physics of Failure Approach to Prediction of Steam Generator Tube Rupture FrequencyKaushik Chatterjee and Mohammad ModarresCenter for Risk and Reliability, Department of Mechanical Engineering, University of Maryland College Park, PA

In probabilistic safety assessments of pressurized water reactors, it is imperative to assess the potential and frequency of steam generator tube rupture failures. Estima-tion of frequency of steam generator tube ruptures has traditionally been based on historical occurrences, which are not applicable to new designs of steam generators with different geometries, material properties, degradation mechanisms and thermal-hydraulic behaviors. This paper presents a new probabilistic mechanistic-based ap-proach for estimating steam generator tube rupture frequencies that is based on the principle that failure of passive systems is governed by degradation or unfavorable conditions created through the underlying operating conditions and underlying me-chanical, electrical, thermal, and chemical processes. As opposed to using the histori-cal data for reliability prediction, the developed probabilistic physics-offailure based approach identifies, probabilistically models, and simulates potential degradations in new and existing steam generator designs to assess degradation versus time, until such degradation exceeds a known endurance limit. An example application of pro-posed probabilistic physics-of-failure based reliability prediction approach has been presented for a new design of steam generators consisting of helical tubes and more advanced tube material. The developed probabilistic physics-of-failure based ap-proach when combined with probabilistic safety assessment techniques can provide an effective tool for the evaluation of safety and reliability of steam generators, particu-larly new steam generator designs used in advanced reactors.

9:25 AMPassive System Accident Scenario Analysis by SimulationFrancesco Di Maio (a), Enrico Zio (a,b), Tao Liu and Jiejuan Tong (c)a) Energy Department, Politecnico di Milano, Milano, Italy, b) Ecole Centrale Paris and Supelec, Chat-enay-Malabry Cedex, France, c) Institute of Nuclear and New Energy Technology, INETTsinghua University, Beijing, China

In this paper, a simulation framework of analysis is presented aiming at evaluating the safety performance of the Residual Heat Removal system (RHRs) of the Chinese High Temperature Gas- Cooled Reactor – Pebble Bed Modular (HTR-PM) under uncertain operation conditions, and components and equipments failures. A transparent and fast model of the passive system has been implemented in MATLAB to reproduce the three-interconnected natural circulation trains of the RHRs, for removing the residual heat of the reactor core after a reactor shut-down. The model is characterized by a one-dimensional mono-phase moving fluid, whose operation is based on thermal-hydraulic (T-H) principles. The model is coded into a Monte Carlo (MC) failure engine for sampling single and multiple components faults at random times and of random magnitudes. Accidental transients of the system are simulated, highlighting equipment contribution to system failure.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Azalea

Passive Reliability - 2Session Chair: Bill Burchill

34

9:00 AMDevelopment of a Generation Risk Assessment Model for a Fossil-Fueled Power StationThomas A. Morgan (a), Wayne Crawford and Frank Rahn (b)a) Maracor Software & Engineering, Inc., Middletown, MD, b) Electric Power Research Institute, Palo Also, CA

Generation Risk Assessment (GRA) has been used at several US nuclear power plants to estimate the frequency of a plant shutdown or power reduction due to equip-ment failures or plant configuration changes. A GRA model would also be of value to fossil-fueled stations by identifying key contributors to plant unreliability and can assist maintenance planning by highlighting inter-system relationships.A GRA model was developed for a coal-fired power station. EPRI’s Equipment Out of Service (EOOS) software was used to provide the user interface to the model. The likelihood of a plant shutdown or power reduction of greater than 10% within two hours of a failure or adverse plant configuration change was considered. About 25 systems were modeled, including steam cycle systems, coal handling systems, boiler systems, combustion air and ash handling systems, and various plant support systems.Simplified system models were developed, using generic failure estimates for ma-jor components. System interdependencies were modeled and plant conditions were considered that could affect operation (such as winter conditions, the quality of the coal, etc.). Status panel displays were developed to graphically display system/com-ponent status, and to provide an easy-to-use interface for staff to input component and alignment status changes.The plant staff plans to use the GRA model to assist in the review of proposed main-tenance work during daily planning meetings. The software’s graphical system status display will be helpful to the shift supervisor. Lastly, the tool can be used to assist in the training of new plant personnel.

9:25 AMStudy of Risk Assessment Programs at Federal Agencies and Commercial Industry Related to the Conduct or Regulation of High Hazard OperationsRobert A. Bari (a), Samuel Rosenbloom and James O’Brien (b)a) Brookhaven National Laboratory, Upton, NY, b)U. S. Department of Energy, Washington, DC

In the Department of Energy (DOE) Implementation Plan (IP) for Defense Nuclear Facilities Safety Board’s Recommendation 2009-1, the DOE committed to studying the use of quantitative risk assessment methodologies at government agencies and industry. This study consisted of document reviews and interviews of senior manage-ment and risk assessment staff at six organizations. Data were collected and analyzed on risk assessment applications, risk assessment tools, and controls and infrastruc-ture supporting the correct usage of risk assessment and risk management tools. The study found that the agencies were in different degrees of maturity in the use of risk assessment to support the analysis of high hazard operations and to support deci-sions related to these operations. Agencies did not share a simple, “one size fits all” approach to tools, controls, and infrastructure needs. The agencies recognized that flexibility was warranted to allow use of risk assessment tools in a manner that is com-mensurate with the complexity of the application. The study also found that, even with the lack of some data, agencies’ application of the risk analysis structured approach could provide useful insights such as potential system vulnerabilities. This study, in combination with a companion study of risk assessment programs in the DOE Offices involved in high hazard operations, is being used to determine the nature and type of controls and infrastructure needed to support risk assessments at the DOE.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Camellia/Dogwood

Non-Reactor PSA - 2Session Chair: Paul Amico

35

9:00 AMA Method of Implementing NEI (A)(4) Fire Risk GuidanceEdward Parsley and Leo ShanleyERIN Engineering and Research, Inc., West Chester, PA

Since November, 2000, Licensees have been using their Configuration Risk Man-agement programs to meet federal regulation 10CFR 50.65(a)(4). These programs generally evaluate risk of internal events quantitatively with supporting qualitative as-sessments. Regarding External Event Risk, the NRC has stated that it would be ac-ceptable for the industry to add only internal fire hazards to the (a)(4) program, and can be accomplished by [generally] following the guidance provided by NEI in June 2006. Although the guidance has not yet been endorsed by the NRC, NEI-sponsored pilot efforts have been undertaken to demonstrate possible methods. In general, the approach will be qualitative, which is consistent with the NEI guidance. One such pilot’s method for addressing fire risks in (a)(4) will utilize the plant’s fire PRA to focus attention and risk management actions to fire scenarios for which there is no mitiga-tion available.This presentation discusses one such pilot’s method for addressing fire risks in (a)(4). The method utilizes the plant’s fire PRA to focus attention and risk management actions to fire scenarios for which there is no mitigation available. An overview of the equipment scoping methodology will be described, and will include discussion of is-sues encountered. Additionally, the presentation discusses items to consider when identifying Risk Management Actions for candidate fire scenarios. Finally, the pre-sentation highlights items to consider when implementing this approach with a risk monitor, with examples using the PARAGON software.

9:25 AMOn Crediting a 10CFR50.54(X) Proceduralized Operator Ac-tion in SONGS PRA Used for Maintenance Rule (A)(4) Risk As-sessmentsParviz Moieni, Michelle P. Carr, and Dean R. GoodwinSouthern California Edison

The purpose of this paper is to discuss an issue that was raised recently by the NRC residents at San Onofre Nuclear Generating Station (SONGS) with regard to crediting a 10CFR50.54(x) operator action in PRA used for Maintenance Rule (MR) (a)(4) risk assessments. The operator action is to manually cross-tie an emergency diesel gen-erator (EDG) from one unit to the same train EDG of the other unit. The EDG manual cross-tie credit for the baseline PRA was not challenged because this is a feasible, proceduralized, and trained-on operator action. There were three key questions asso-ciated with this issue: 1) is the risk impact on the opposite unit assessed correctly, 2) is it clear in the EOIs that this is a last resort action, and 3) are there adequate risk man-agement actions in place when an EDG is taken OOS? Following many discussions with the residents, the region SRAs, NRC headquarters’ PRA staff, other utilities, and NEI, the use of EDG cross-tie for MR (a)(4) risk assessments remained acceptable given some procedural changes are made. These included addition of formalized risk management actions to the MR (a)(4) procedure and a note to the SBO EOI informing the operators that the preferred strategy for restoring AC power is from the switchyard or unit specific EDGs. The 10CFR50.54(x) EDG cross-tie action should be utilized af-ter normal actions have been proven unsuccessful, or Safety Functions are challenged by being in danger of becoming not satisfied.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Magnolia

Configuration Risk Management - 3Session Chair: Ross Anderson

36

9:00 AMA Comparison of the MQH Method and CFAST for Scoping Fire ModelingTom ElicsonWorleyParsons Polestar, Inc., Hudson, OH

The EPRI/NRC fire PRA methodology presented in NUREG/CR-6850 recommends using the method of McCaffrey, Quintiere, and Harkleroad (MQH) for hot gas layer Zone of Influence (ZOI) calculations as part of Task 8: Scoping Fire Modeling.Compared to measured temperatures for prototypical cable spreading room fires with a peak heat release rate of 1 MW (International Fire Model Benchmarking Exercise # 3, Tests 2 and 3), the MQH method shows errors relative to the measured gas temperatures from 47% to 1190%. In contrast, CFAST shows errors of less than 1%, which is within the expanded uncertainty of the temperature measurements.The MQH method deviation from experimental data increases as the room ventilation size decreases. Yet for totally enclosed rooms, NUREG/CR-6850 recommends using the MQH method with a 0.5” high leakage path. With this approach, the error relative to measured temperatures is 1190%.Benchmark results suggest that the MQH method is inadequate for predicting smoky layer temperatures for closed compartments as part of the fire PRA scoping fire mod-eling task. In contrast, CFAST provides reasonable predictions of gas temperature and appears to be a better choice for smoky layer ZOI scoping calculations.

9:25 AMDevelopment and Application of a Large Scale Fire Dynamics Simulator Model for BWR Reactor Building Fire ScenariosJeffrey MillerReliability & Safety Consulting Engineers, Inc. , Knoxville, TN

To gain a more realistic evaluation of fire scenarios in a BWR reactor building, a so-phisticated Fire Dynamics Simulator (FDS) model was created that would simulate as close as possible the actual building openings, passages, and structural features of the entire building. The result was a FDS model of approximately 40 meters (131 ft) in diameter and approximately 55 meters (180 ft) in height. From the completed model, various large fire scenarios were evaluated with significant result improvements from other more bounding estimations or other model simulations that only focused on por-tions of the building structure size. In addition to use on this project, the same FDS model can be utilized for other future scenario evaluations throughout the building structure in a very easy manner by adding a new fire source to the base building model and performing the evaluations. Data is captured through the use of FDS outputs as well as added outputs for temperatures at various building locations, and presented using graphical plots for easier, clearer understanding of estimated room temperatures and potential component impacts. While it is vital to capture details as close as pos-sible to the actual structure and fire scenario being modeled, as well as to not make gross over assumptions, ever present resource limitations must be managed. Key model development efficiencies were gained by using a model construction approach similar to solid three dimensional CAD modeling rather than typical piece by piece FDS modeling. Model simulations were able to be made overnight with approximately twelve (12) hour run times while staying within the suggested FDS model grid size us-ing an off the shelf multi-processor server style computer. Lessons learned and future work suggestions will also be discussed.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Salon A

Fire PSA Methods - 2Session Chair: Raymond H Gallucci

37

9:00 AM

The two presentations in this session cover the history of development of probabilistic risk (safety) assessment (PRA or PSA) and its application to domestic US nuclear power plants. It actually begins before publication of WASH 1400, con-sidered to be the birth of PRA, and continues through the early development and acceptance stages to the long saga of specific application to real power plant situations and regulatory application. Key milestones in policy and development are cited together with specific examples to help realistically portray this four decade story.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Salon B

History of Nuclear PSASession Chair: Earl Page, Ian Wall

38

9:00 AMSimulator Use in Support of Human Reliability Analysis – Where do we stand?Vinh N. DangOHSA/D16, Paul Scherrer Institut, Villigen, Switzerland

Full-scope simulators are the primary means to observe operating crews respond-ing to most of the major accident scenarios treated in the Probabilistic Safety As-sessments of nuclear power plants. Worldwide, many plants operate plant-specific simulators, where they are an essential element of training. With regard to HRA, such simulators offer the means to conduct the walk-throughs of key operator actions as recommended in the THERP guidance (NUREG/CR-1278), and much more. They are frequently used to characterize the demands of the operators’ tasks, to estimate typi-cal values of the time taken to perform tasks, and to determine the plant information available during the scenario evolution. Although some of this information is used as input to (some) HRA quantification methods, simulator observation remains primar-ily a support for qualitative analysis. This paper will examine the outlook and issues for more extended use of simulator studies and data for HRA. To what extent are the limitations inherent? Which sources of potential biases are of most concern and what can be done about them? What are some features of a state-of-the-art simulator study methodology? The paper will draw on the broader results and implications re-cent efforts, in particular on the International HRA Empirical Study and the NEA CSNI WGRISK work related to HRA data (Nuclear Energy Agency, Committee on the Safety of Nuclear Installations, Working Group on Risk Assessment).

9:25 AMHuman Error Probabilities Derived From German Operational Experience -Methodology and Results-Wolfgang PreischlGesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching, Germany

The results of German PSA studies for nuclear power plants and their uncertainties are considerably affected by the assessment of human reliability. According to the German PSA Guideline and its supplementary documents on PSA methods and data, databas-es containing data gained with the ASEP and THERP methodologies shall preferably be used to provide error probabilities for human actions. The amount of these data is too limited to evaluate all human actions considered in a modern state-of-the-art PSA adequately. The recommended data are not sufficiently validated and rely as well as the proposed uncertainty bounds on expert judgment. The paper summarizes the investigations of GRS on human performance data col-lection and data evaluation during the past three years. In order to derive human er-ror probabilities from the available operational experience from reportable events oc-curred in German nuclear power plants almost 6000 events have been reviewed. More than 100 events with human errors have been screened out as potential candidates for the application of the Bayesian methodology. The method of Bayes is widely accepted to calculate error rates and error probabilities of mechanical and electrical components based on the error frequencies observed within samples taken from operational ex-perience. To get suitable samples describing human reliability it is necessary to know with sufficient accuracy the number of opportunities for an error, the number of errors really occurred and the relevant performance shaping factors. Approximately 50 % of the identified candidates have been sufficiently reinvestigated and evaluated with the Bayesian methodology.The calculated probabilistic data are establishing the first human reliability database derived from the German operational experience. They have been used to validate recommended human error probabilities as well as to review predicted impact of per-formance shaping factors (e.g. ergonomic features or stress), to extend the amount of available data (e.g. activities out of main control room) and to get some preliminary data to cognitive tasks (e.g. to remember knowledge). Finally, the paper outlines the next steps of the ongoing project. All remaining candidates will be evaluated and a new approach for using human performance experience from events below the reporting threshold will be developed and tested.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 9:00 AM - Carolina

Human Reliability Analysis - 2Session Chair: Parviz Moieni

39

10:05 AMReliability of the EPR Fuel Pool Cooling System Using a Dy-namic ApproachMarie Sordelet (a), Mohamed Hibti (b)a) EDF SEPTEN, Lyon, France, b) EDF R&D, Clamart, France

One of the important issues for PSA analysis is to fully consider safety systems with their dynamic behaviour and the possibility to include operational properties and pro-cedures. In the static traditional approach, it is not easy to introduce such dynamic phenomena in a the event tree model and one may need to use some dynamic frame-work to solve such problems. In this paper, we consider the Boolean Markov Driven Processes (BDMP) to model a safety system of a nuclear power plant. The main objective is to model functional dependencies, component recoveries, time dependant or conditional failures/recoveries and the possibility to use special congurations with \extra”-alignments. Thanks to a declarative knowledge based tool, these features can be embedded in such models in a compact form that may be instantiated in dier-ent ways with respect to the conguration or state of the system. Indeed, the BDMP framework allows to dene such dynamic models using a fault-tree like construction with interesting mathematical properties. In particular, the possibility to reduce the combinatorial explosion problems inherent to Markov models. This allows to quantify the models and get the dierent reliability measures in reasonable times. The dynamic approach oered by the BDMP is particularly useful to model very redundant systems such as FA3 EPR FCPS (Fuel Pool Cooling System). The FCPS consists in three trains: two identical main trains, each equipped with two pumps in parallel, and a third train, fully independent. The complexity of the dependencies between each line can only be apprehended by a dynamic model and the BDMP allows a more realistic approach to model accident scenarios. The BDMP model of the FCPS as well as the reliability results obtained are presented in this article.

10:30 AMData Processing Methodologies Applied to Dynamic PRA: an OverviewDiego Mandelli, Alper Yilmaz and Tunc AldemirThe Ohio State University

The use of dynamic event trees (DETs) can serve as a powerful tool for the dynamic probabilistic risk assessment (DPRA) of nuclear power plants. The DETs have the capability to more accurately model the complex interactions and events which may occur during a transient. One of the challenges of DPRA through DETs is the manage-ment of the resulting very large data sets. Hence, the need for a methodology able to handle high volumes of data in terms of both cardinality (due to the high number of uncertainties included in the analysis) and dimensionality (due to the complexity of systems) arises. Hierarchical and partitional clustering methodologies are compared and evaluated with regard to their potential to analyze large scenario datasets gener-ated by DETs using several different data sets.

10:55 AMA Monte Carlo Algorithm for Dynamic PSA Based on the Con-cept of StimulusA. Jourdain and P.E. LabeauUniversité Libre de Bruxelles (CP 165/84), Brussels, Belgium

The theory of probabilistic dynamics (TPD) was first introduced in order to overcome some of the limitations of the classical PSA methodology, by incorporating the coupling between the deterministic evolution of the process variables and discrete stochas-tic transitions in the delineation process of accident sequences. The Stimulus-Driven Theory of Probabilistic Dynamics (SDTPD) enriches the TPD framework by modeling in a finer fashion the competing process defining the next branching in an event tree. Each possible next event is modeled as a two-stage process: first, a so-called stimulus must be activated, i.e. conditions necessary for the event to take place must be satis-fied; then a delay must elapse before the actual event occurrence.An analog Monte Carlo game can easily be implemented to solve these problems. Yet it usually turns out to be inefficient, as rare scenarios with potentially high damage are not or insufficiently sampled. To tackle this issue, an innovative algorithm properly uses the outputs of a pre-simulation of the mother branch of the event tree and the SDTPD to sample more systematically various types of branching events out of this mother branch. Compared with a classical analog simulation, this new algorithm leads to a better identification of rare sequences and a more accu-rate estimation of their frequency. This method is illustrated on a pressurization transient in con-tainment. Dif-ferent sampling methods of branching points along the mother branch are considered and their efficiency compared with that of the analog Monte Carlo game.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Azelea

Dynamic PSA - 1Session Chair: Bulent Alpay

40

10:05 AMContainment Source Terms in SFR AccidentsM. Umbel, A. Brunett and R. DenningThe Ohio State University, Columbus, OH

In order to support the demonstration of a risk-informed approach to the design optimi-zation of an SFR, it was necessary to make realistic estimates of the consequences of severe accident scenarios. This paper describes the database and assumptions used to estimate the magnitude and characteristics of representative containment source terms for characteristic accident scenarios. The reference plant design is a 1,000 MWt pool-type design with metallic fuel. An integrated analysis tool comparable to MEL-COR does not exist for SFR accident scenario analysis that is capable of predicting radionuclide release and transport and the assessment of offsite doses. In order to perform the analysis of an entire sequence, it was necessary to write a computer code, RCS, that could examine the in-pool aspects of the release and transport of radionuclides. The offsite consequences for the different scenarios are presented in a companion paper that examines containment transport processes and environmental release.

10:30 AMContainment Processes in Sodium-Cooled Fast Reactor Ac-cidentsA. Brunett, W. Wutzler and R. DenningDepartment of Nuclear Engineering, The Ohio State University, Columbus, OH

In order to support the demonstration of a risk-informed approach to the design opti-mization of an SFR, it was necessary to make realistic estimates of the consequences of severe accident scenarios. This paper describes the containment transport, deposi-tion and release to the environment of radionuclides escaping the sodium pool region in characteristic scenarios as calculated by the MELCOR code. The models used in the development of these containment source terms are described in a companion pa-per. The reference plant design is a 1,000 MWt pool-type design with metallic fuel and a conventional dry containment. The offsite dose at one mile from the plant boundary is calculated using conservative meteorology for scenarios involving different modes of failure of the primary system and the containment system. For perspective, the con-ditional probability of early fatalities within one mile and latent cancer fatalities within ten miles was calculated with the MACCS code for each scenario. Comparisons are made with the NRC’s Quantitative Health Objectives.

10:55 AMRisk-Informed Approach for Design of Korean Demonstration Fusion ReactorsGyunyoung Heo, Myoung-suk Kang (a), Young-seok Lee and Hyuck Jong Kim (b)a) Kyung Hee University, Yongin-si, Gyeonggi-do, South Korea, b) National Fusion Research Institute, Yusung-gu, Daejeon-si, South Korea

The Korean fusion technology roadmap is aggressively pushing ahead the realization of a demonstrative-scale fusion power plant (FPP) around 2030. While many of the critical design parameters are not technically verified and the regulatory requirements are, therefore, not specified, it is generally agreed that engineering phases should be initiated to create a design framework and prioritize related R&D needs. For fusion technology to settle down as an industry, radiological safety should be guaranteed even though the risk from fusion reactors may not be as serious as that of the fission-based power plants. On the other hand, excessively controlled regulation may delay commercialization and make generation cost higher. Conventionally the deterministic approach has been primarily utilized to evaluate nuclear safety. On the other hand, the application of the probabilistic approach is being emphasized for, particularly, ad-vanced fission-based reactors. This technical trend should be applicable to FPPs. This study articulates the conceptual design of the Korean demonstration FPP under the framework of a risk-informed design. We aimed at (1) embracing uncertainties in se-lecting design parameters, (2) investigating the list of initiating events, and (3) evaluat-ing design weaknesses. Due to technical status and the lack of available failure data, the qualitative aspect was focused. In this study the principles of axiomatic design were followed to setup a bare-bone FPP, and a risk-informed approach based on fault trees, event trees, and failure modes & effects analysis were conducted to determine the list of initiating events and scenarios.

11:20 AMPartitioning of LOCA Initiating Event Frequencies to Support PRA Modeling of Debris-Induced Failure of Long Term Core Cooling Via Recirculation SumpsDavid S. Teolis, Heather L. Detar, Robert J. Lutz, Jr., and Rachel A. So-lanoWestinghouse Electric Company LLC, Cranberry Twp., PA

Generic Safety Issue GSI-191 identified that the methodology used for assessing con-tainment sump screen debris loading at Pressurized Water Reactor (PWR) nuclear power plants may not be conservative. All PWR licensees have been required to re-assess their design basis for long term core cooling (LTCC) and make necessary modifications. NEI 04-07 provided a conservative methodology for assessing PWR sump screen performance and the impact on LTCC. These studies were acceptable for conservative design basis assessments; however, a probabilistic risk assessment (PRA) model was necessary to enable utilities to model the potential for debris-induced failure of LTCC and to allow for the determination of the risk significance of any non-conformances to their licensing basis. A probabilistic risk assessment model for debris-induced LTCC was developed, as reported in WCAP-16882-NP Revision 1, based on the conservatisms, margins and uncertainties in the licensing basis methodology and provides implementation guidance. Changes to the PRA are recommended prior to implementation of the debris-induced LTCC model to permit development of a model that more realistically represents the potential for failure of LTCC due to debris genera-tion. A key part of the recommendations in the WCAP was to use decreasing failure probabilities for failure of LTCC as loss of coolant accident (LOCA) size decreases. A general exception to this guidance was made for those plants that have determined that some smaller breaks are within the limiting breaks assessed for the licensing ba-sis. For example, some plants have a small line directly above the containment sump screens where transport of all of the debris generated by the break is highly likely. In such cases, a higher probability for failure of LTCC should be used for that portion of the small break initiating event frequency represented by the limiting pipe break location. A separate small break initiating event should be defined and assessed for that break location. No guidance was provided in the WCAP on how to partition the initiating event frequency (IEF). This paper discusses two methods that could poten-tially be used to partition the total IEF in such instances based on pipe dimensions. The first method is based on the assumption that the conditional probability of a break within a specific portion of pipe is proportional to the total length of pipe that a break could occur in. The second approach is based on a methodology, referred to as the “Thomas-approach”, which was developed several years ago in the United Kingdom to estimate the frequency of pipe leaks and catastrophic failures. An example is provided that demonstrates application of both methods and compares the results between the two methods. Extension of this partitioning approach to more general applications is also discussed for cases where it may be beneficial to partition LOCA IEFs based on the impact on mitigating equipment such as accumulators in legacy plants or passive safety systems in advanced plants.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Camellia/Dogwood

Next Generation Reactor PSA - 3Session Chair: Matthew Warner

41

10:05 AMMethodology to Rank BOP Components at STPFatma Yilmaz and Ernie KeeSouth Texas Project Electric Generating Station, Wadsworth, TX

STP developed a categorization process to aid in communicating the overall impor-tance of components. The components are ranked under Graded Quality Assurance (GQA) program with input from STP PRA model. The GQA program is approved by Nuclear Regulatory Commission (NRC) under 10CFR50.69. Components are also ranked under Plant Generation Risk (PGR) categorization process communicating components’ importance in supporting maximum electrical generation output. Catego-rization for both processes is performed by an Integrated Working Group. Currently, the Integrated Working Group uses heuristics for PGR ranking. This process can be improved by using the STP Balance of Plant Performance Predictor (BOPPP) model to provide ranking of the components it models (those that have a potential to lead to a power reduction event including turbine trip, manual shutdowns and reduced power operations) [1]. In this article, it is proposed to rank equipment modeled in STP BOPPP for PGR using the triggering event probabilities [2] and the consequence of a failure in terms of dollar amounts. The results of this ranking process has been used for creating a poster for the maintenance shop at STP. Results of this application are summarized for some components in production-critical systems.

10:30 AMAn Improved Generation Risk Assessment (GRA) Model Con-sidering Degradation of Components in a Nuclear PlantM.I. Jyrkama and M.D. Pandey (a), S.M. Hess (b)a) Department of Civil and Environmental Engineering, University of Waterloo, Waterloo, Ontario, Cana-da, b) Electric Power Research Institute, West Chester, PA

The objective of generation risk assessment (GRA) is to predict the potential eco-nomic losses from forced outages and derates due to equipment degradation and failure. The primary challenge with the current GRA approach is the inability to model explicitly any temporal changes in the underlying parameters or processes, i.e., failure rates are assumed to be constant over time.This paper illustrates how time-dependent equipment reliability and availability in-formation can be integrated with a system reliability model to quantitatively predict the generation risk associated with various operating and maintenance scenarios, including life extension and refurbishment. The analysis is performed in a standard spreadsheet based on the cut set output and basic event information from a fault tree program. The impact of aging degradation can be modeled separately for each com-ponent, assuming the events are independent. In order to capture the joint contribution of equipment failure and unavailability to generation risk, new risk-based importance measures are also developed based on the concept of net present value.The developed methodology is applied to the risk assessment of the main turbine/generator system at a nuclear station. The results of the study readily demonstrate the benefits and cost-savings realized from the integrated GRA methodology, and also the resulting improvement in flexibility and long range stability of the budget for plant improvement.

10:55 AMGRA Model Development at Bruce PowerR. Parmar and K. Ngo (a), I. Cruchley (b)a) AMEC NSS Limited, Toronto, Ontario, Canada, b) Bruce Power, Tiverton, Ontario, Cananda

In 2007, Bruce Power undertook a project, in partnership with AMEC NSS Limited, to develop a Generation Risk Assessment (GRA) model for its Bruce B Nuclear Generat-ing Station. The model is intended to be used as a decision-making tool in support of plant operations. Bruce Power has recognized the strategic importance of GRA in the plant decision-making process and is currently implementing a pilot GRA application. The objective of this paper is to present the scope of the GRA model development project, methodology employed, and the results and path forward for the model imple-mentation at Bruce Power. The required work was split into three phases. Phase 1 involved development of GRA models for the twelve systems most important to elec-tricity production. Ten systems were added to the model during each of the next two phases. The GRA model development process consists of developing system Failure Modes and Effects (FMEA) analyses to identify the components critical to the plant reliability and determine their impact on electricity production. The FMEAs were then used to develop the logic for system fault tree (FT) GRA models. The models were solved and post-processed to provide model outputs to the plant staff in a user-friendly format. The outputs consisted of the ranking of components based on their production impact expressed in terms of lost megawatt hours (LMWH). Another key model output was the estimation of the predicted Forced Loss Rate (FLR).

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Magnolia

Generation Risk AssessmentSession Chair: James Liming

42

10:05 AMPost-Processing Franc Results to Determine Fire Risk Impor-tance Measures and UncertaintyDavid MiskiewiczProgress Energy, Raleigh, NC

FRANC is a software tool developed as part of the EPRI Risk and Reliability worksta-tion for quantifying fire PRAs. It is a scenario based tool that computes conditional core damage probabilities (CCDP) for individual scenarios. The CCDPs can be combined with predetermined ignition frequencies and non-suppression probabilities to produce scenario core damage frequencies (CDF). The individual scenario results contain cut-sets that use the same basic event names but with different values as determined by the sequence. For example, depending on the scenario, the same basic event can be set to 1.0 (failed), 0.6 (hot short induced spurious), or retain the base random failure probability. The cutsets may also use the same initiating event name although each scenario can have a unique frequency. These factors prevent the analyst from simply combining the scenario cutsets for evaluation. An additional software tool is needed to facilitate the combining of scenario results into a single cutset file such that the tradi-tional CAFTA analysis tools can be used to determine various importance measures and uncertainty. A prototypical software tool has been developed for this purpose. This paper presents details of the issues and challenges for the PRA analyst, development and use of the software, and relevant findings.

10:30 AMProgress Energy Fire PRA: Putting Our Tools to Work Use of Linked Databases in Development of the Progress Energy HNP Fire PRARicardo Davis-ZapataProgress Energy, Raleigh, NC

For the pilot NFPA805 submittal for Harris Nuclear Plant, Progress Energy developed a set of linked database tools to bring together the data necessary to process the Fire PRA. This linked database method is being implemented with development of our subsequent Fire PRAs, providing consistency among the fleet for creation of the Fire PRAs as well as simplifying the process for future PRA updates. The linked database format is based on creating a series of tables, queries, and visual basic coding to link each of the Fire PRA data gathering tasks, Safe Shutdown Analysis, cable routing information, and the Fire PRA model.The linked database method is expected to facilitate many applications, including future updates to the Fire PRA. Updates to data can be as simple as adding new lines to the linked tables and re-running the associated queries. This also simplifies sensitivities, by allowing the data to be treated in aggregate as well as with individual modeling. Progress Energy’s utilization of the linked databases allows us to put our tools to work for us.

10:55 AMCooper Nuclear Station Fire Risk Evaluations – Insights and ChallengesOle Olson (a), Stephen P Meyer (b), Jim Chapman (c)a) Nebraska Public Power District, Cooper Nuclear Station, Brownsville, NE, b) Scientech, Curtiss Wright Flow Control, Madison, OH, c) Scientech, Curtiss Wright Flow Control, Lake Mary, FL

Cooper Nuclear Station (CNS) is a single unit BWR 4. A Fire PRA was developed, us-ing guidance from NUREG/CR-6850, Frequently Asked Questions (FAQs) and recent EPRI technical evaluations, such as fire ignition frequency updates. The fire PRA was developed to support the NFPA 805 project and other risk informed initiatives. Detailed fire modeling, cable and circuit analysis and Human Reliability Analyses (HRA) were needed to achieve results which were not clearly extraordinarily conservative. The results achieved are believed to be conservative but a factor of 5 to 10; and there are plans to further refine the results as Industry and NRC research and development programs provide improved methods and data in areas including fire frequency, fire development and propagation, heat release rate and detection and suppression. Even though the results are conservative, the insights obtained are being successfully used to evaluate variances from deterministic requirements (VFDRs) and support identifica-tion and evaluation of potential safety enhancements.Each VFDR is evaluated using a risk informed approach which considers the calcu-lated change in risk if the VFDR was eliminated, as measured by delta CDF and delta LERF and defense in depth and safety margin. The paper discusses the approach to evaluating VFDRs in the fire risk evaluations (FREs) using the fire PRA. For a sample of VFDRs critical aspects of the evaluation, such as reviewing the base case fire PRA for sufficiency for evaluating the VFDR case and the compliant case, changes needed and the insights and sensitivity of results to alternative assumptions or model refine-ments, where performed, will be provided. Finally the challenges in conducting the analyses, including lessons learned are provided.

11:20 AMSummary of Fire PRA Development Activities at Kewaunee Power StationJohn Spaargaren (a), Francisco Joglar (b)a) Dominion Resources Services, Millstone Power Station, Waterford CT, b) SAIC, Mclean VA

Kewaunee Power Station is currently transitioning to NFPA 805. This process includes the development of a Fire PRA. The fire PRA is currently in the final quantification stages of its development process. The Fire PRA has been developed following the guidance in NUREG/CR-6850 and subsequent supplemental material. The purpose of this paper is to describe the Fire PRA development activities including: 1. The use of the EPRI’s Fire Modeling Database. This topic includes description of the data collec-tion process, the fire modeling analysis to complete key input fields in the database, and the development and automation of input tables to the FRANX software. 2. The description of the quantification process including treatment of single compartment, multi-compartment, main control room scenarios and individual fixed ignition source fire scenarios.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Salon A

Fire PSA Methods - 3Session Chair: Marina L Röwekamp

43

10:05 AMProcedures and Tools Comparing PSA in the Frame of Peri-odic Safety ReviewsJoachim Herb and Joachim von LindenGesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching b. München, Germany

Different procedures and tools have been developed by GRS for improving efficiency and comprehensibility of PSA review tasks. They are based on the database interface of a widely applied PSA software tool using SQL queries and the scripting language Ruby. Changes in fault and event trees are identified and presented as “difference graphs” by drawing an overlay of the fault/event trees of the different versions and flagging the differences. It is also possible to trace the influence of changes of a speci-fied fault tree to all corresponding TOP-gates, to the affected function events and event trees. For a given fault tree an “expanded” view can be created consisting of all fault trees connected to it by transfer gates either “upwards” to all affected TOP-gates or “downwards” to the basic events. Another feature of the GRS tools is the merging of data from different sources such as specifications of basic events (e.g. failure rates, test intervals, repair times). For quantifying the changes in the core damage frequency (CDF) between different versions of a PSA the quantitative differences are split up in contributions by the changes of the initiating event frequencies, changes in the model-ing of fault trees and event trees respectively, as well as changes in the reliability data for the basic events.

10:30 AMUsing a Modern PRA Documentation System to Facilitate Re-viewOla Bäckström, Wei Wang and Johan Sörman (a), Andrea Maioli (b)a) Scandpower - Lloyds Register, Sundbyberg, Sweden, b) Westinghouse Electric Company LLC, Cran-berry Township, PA

The PRA documentation is written to make the PRA traceable and understandable. The documentation is normally very comprehensive, since it shall cover several dif-ferent purposes. The main purpose is that the study shall be possible to understand and reproduce.A review, and especially a peer review process, shall make sure that the study meets some defined criteria. It can be a tedious task to verify that the requirements are met due to that the verification of a specific task may be spread over several documents. A review is also normally done with restrictions in time. Therefore, due to the compre-hensiveness, the limitations in time and the need to focus on the correct things – the existing PRA documentation should be improved to facilitate PRA review.This paper proposes a dynamic PRA documentation and presents features and advan-tages of the new system, and discusses how it can help in PRA review.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Salon B

PSA Knowledge Management - 3Session Chair: Doug True

44

10:05 AMPre-Initiator HRA using the PRA StandardJoshua Beckton, Barbara Baron, Stephen Nass (a), William Etzel and Jason Hall (b)a) Westinghouse Electric Company LLC, Cranberry Township, PA, b) First Energy Nuclear Operating Company, Shippingport, PA

Pre-initiator Human Failure Events (HFEs) occur when an operator fails to return equipment to its Normal System Alignment (NSA) during calibration, maintenance, or test activities. Pre-initiator HFEs result in the unavailability of equipment/functions in-cluded in the Probabilistic Risk Assessment (PRA). There are two types of pre-initiator HFEs: (1) instrument miscalibrations and (2) system/train misalignments following maintenance or test activities. Human Reliability Analysis (HRA) is used to determine the pre-initiator Human Error Probabilities (HEPs). This paper presents a method and assumptions applied to identify HFEs and quantify pre-initiator HEPs for the Beaver Valley Power Station, a Westinghouse Electric Company LLC designed plant with two units, which occur during maintenance or test activities. The method of identifying potential misalignments to be included in the PRA as pre-initiator HFEs involved a process of assigning each PRA component manipulation from the maintenance or test activity to a category representing a specific criterion. Pre-initiator HFEs that occur due to instrument miscalibrations are addressed in common cause failure rates [1]. The method considers the supporting requirements included in the ASME/ANS PRA Standard [2]. The Technique for Human Error Rate Prediction (THERP), as included in the EPRI HRA Calculator, Version 4.1.1 [3] is used to quantify the pre-initiator HEPs. The results show that when the method is applied to identify pre-initiator HFEs for each unit, a similar number of HFEs are identified for each unit. 12 pre-initiator HFEs were identified for Unit 1, and 13 pre-initiator HFEs were identified for Unit 2. The HEPs ranged between 3.80E-06 and 1.30E-03 for Unit 1 and between 2.00E-07 to 1.30E-03 for Unit 2. Per NUREG-1792 [4], pre-initiator HEPs should typically fall be-tween 1.00E-02 and 1.00E-05, and HEPs outside that range should be justified. Fur-ther review of the application indicated that when using the THERP as included in the EPRI HRA Calculator, HEPs that were outside of the typical range involved infrequent tests (i.e., 18 months) with frequent position verification checks (i.e., monthly). The difference between these two intervals results in relatively few chances for misaligning equipment with a far greater number of opportunities to identify the misalignment and minimize the duration. Thus, the low HEPs were justified.

10:30 AMPost-initiator Human Reliability Analysis and Documentation Approach for Atypical Accident ScenariosCharlene Greene, Raymond J. Dremel (a), Jayne Ritter & Dave Malek (b)a) Maracor Software and Engineering, Maple Valley, WA, b) Prairie Island Nuclear Generating Plant, Welch, MN

A significance determination process (SDP) evaluation of turbine building flooding for Unit 1 and Unit 2 at the Prairie Island Nuclear Generating Plant (PINGP) identified the need to perform a detailed post-initiator human reliability analysis (HRA) for actions that are anticipated to be taken as a result of pipe breaks in the turbine building that would cause a reactor trip and also cause a failure of the plant equipment required to mitigate the event. Three broad categories of human failure events were created: flooding events resulting from random pipe breaks, flooding events resulting from high energy line break (HELB) interactions with other plant systems, and seismically-induced dual unit flooding events. Documentation is essential in the creation of any human failure event (HFE), however when modeling highly unusual situations, the documentation is often as important as the numerical value obtained. Further, com-munication between the main control room (MCR) operators and the turbine building operators is essential to the successful outcome for many of the flooding scenarios analyzed. Because this communication affects a specific response, it is an important consideration when ensuring the HFE reflects the as-operated plant. Finally, assess-ing each HFE for reasonableness within categories of events as well as a comparison of events across categories is a useful check to ensure the human error probabilities (HEP) generated are reasonable, given the context. This paper will discuss a docu-mentation approach used to analyze atypical accident scenarios, identify consider-ations for ensuring that the HFE reflects the as-operated plant, and present insights from interviews with control room personnel, turbine building operators, training, and security.

10:55 AMCalculation of Human Error Probabilities for Initiating Event Fault TreesLoys BedellEntergy Services Inc., Jackson, MS

As the Probabilistic Risk Assessment technology grows and the uses for the technol-ogy increase, the ability to calculate the likelihood of support system initiating events has become a more important and more detailed. One of the issues in developing de-tailed initiating event fault trees is the calculation of human error probabilities. Detailed initiating event fault trees generally include operator actions for aligning redundant equipment to prevent an automatic or manual reactor scram. Initiating event-related interactions, the so-called Type B human errors, have not been explicitly addressed in most human error techniques. This paper discusses the use of post-initiator hu-man error techniques for calculating the Type B human errors developed for the River Bend support system initiating event fault trees. Similar to the post-initiator event, the operator actions to prevent an initiating event will be evaluated based on the cues that indicate a problem, the available procedural guidance, and other performance shaping factors. However, some of the performance shaping factors may not be ap-plicable to Type B actions. The stress from the accident mitigation will generally not be present for these support system initiating events. In many instances, the plant will be trending various performance measures, such as increases in pump vibration or gradual degradation in heat exchanger performance that will result in a swap from one train to another. This paper will review some of the similarities and differences in the performance shaping factors for post-accident events and provides some insight into how the post-accident HRA techniques can be applied with caution to develop the hu-man error probabilities for initiating event fault trees. Entergy Nuclear is a large diverse nuclear fleet that consists of nine nuclear sites and two regional headquarters offices. The PSA models for these plants were generally developed and maintained separately until the early 2000’s. Therefore, much of the organizational learning and best prac-tices from one site were not implemented at another site due to time constraints, plant demands, lack of communication, or lack of expertise.

11:20 AMRe-Writing Fire Response Procedures to Reduce Fire Re-sponse Human Failure Event ProbabilitiesThomas J. AsmusEPM Inc., Risk Solutions Division, Hudson, WI

Fire response procedures describe what actions an operator may need to perform in order to ensure a credited path exists for safe shutdown. These procedures are not typically written to mimic existing Emergency Operating Procedures (EOP) and may be written as a guidance document. In many cases, the equipment that is credited for the safe shutdown path in fire areas is not listed along with instrumentation that may be needed in order to confirm proper equipment operation. Actions contained within the procedure are also not ordered such that time sensitive actions may not be performed before other actions that have a much longer time frame. With these shortcomings in mind, calculation of an acceptable fire response Human Failure Event (HFE) is very challengingA method to remove these shortcomings is to re-write the fire response procedures into a format with which operators are more familiar. Fire response procedures can be re-written to mimic the current Pressurized Water Reactor two column format such that these documents can then be used to supply cues and definitive instructions as to what actions to perform to reduce the impact of fire induced failures, or to recover failed equipment. Instrumentation can also be specified so operators will know what instruments may be available for diagnosis and recovery. The equipment that is cred-ited to satisfy the various safe shutdown functions such as Reactor Coolant System (RCS) Inventory Control, or AC power can be listed. The needed operator actions can also be ordered such that time critical actions are performed first. Recovery steps can also be provided to ensure equipment is operating correctly after performance of a fire response action.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 10:05 AM - Carolina

Human Reliability Analysis - 3Session Chair: Luca Podolfillini

45

1:30 PMAn Approach to Validation of Dynamic PRA Methods against Past EventsKaspar Kööp (a), Yury Vorobyev (b), Pavel Kudinov (b)a) Division of Nuclear Power Safety, Royal Institute of Technology, Stockholm, Sweden, b) Department of Nuclear Power Plants, Moscow Power Engineering Institute, Russia

The paper is concerned with the validation of the deterministic/probabilistic risk as-sessment tools. Specifically we address validation of Genetic Algorithm (GA) based Dynamic Probabilistic Risk Analysis (DPRA). GA-DPRA is developed for exploration of the plant scenario space with the goal to identify failure domains in which at least one of the safety limits is violated. GA-DPRA approach is based on the combination of (i) a deterministic system code for modeling of the plant transients, (ii) GA for solution of the global optimization problem on identification of the failure domains and (iii) im-portance sampling (IS) method for probabilistic characterization of the identified failure domains. Straightforward validation of the GA-DPRA approach in terms of comparison of probabilistic characteristics of the failure domains against a reality is impossible because of the rareness of the adequate plant data in abnormal behaviors.In order to increase confidence in the GA-DPRA analysis results we propose a hierar-chical, separate effect approach to verification and validation of the GA-DPRA. At the first level each component of the GA-DPRA (deterministic code, GA, IS) are verified and validated separately. At the second level we propose to validate coupled GA-DPRA on the base of analysis of the past plant events. Main idea of such validation is to check if past events which have happen in the existing plants can be identified by GA-DPRA in the process of exploration of the plant scenarios space. As a benchmark case for validation of the GA-DPRA we propose to use data from high power oscilla-tions event occurred in the Oskarshamn-2 nuclear power plant in 1999 (O2-99). This event was a result of complex interaction between plant physics (BWR instability), control logic, and operator actions. The first step in the validation process is optimi-zation of the uncertain parameters in the RELAP5 system code input model. At this step a combination of uncertain plant parameters is selected by solving optimization problem to minimize discrepancy between available plant transient data and system code predictions. At the second step GA-DPRA is used to find O2-99 type scenarios in the plant events space. Each free parameter forming the event space (e.g. closing/opening of the valves, start/stop/reduction of the pump flow, partial/full scram, etc.) is characterized by a certain time window within which changes of the parameter can occur. Results of the validation and an approach to selection of the fitness function for guiding global optimum search process towards scenarios of safety importance are discussed in the paper. (Presentation Only)

1:55 PMBayesian Network Representing System Dynamics in Risk Analysis of Nuclear SystemsAthi Varuttamaseni, John C. Lee (a), Robert W. Youngblood (b)a) Department of Nuclear Engineering and Radiological Sciences, University of Michigan, Ann Arbor, MI, b) Idaho National Laboratory, Idaho Falls, ID

Conventional probabilistic risk assessment using fault trees (FTs) and event trees (ETs) is inefficient when dealing with systems having more than two states and with scenarios where the timing of the event is critical. A Markov approach can be ap-plied to cases in which the FT/ET structure proves inadequate, but as the number of components grows, the number of system states grows exponentially. This paper pro-poses the use of a dynamic Bayesian network (DBN) as an alternative to Markov chain analysis. The DBN uses conditional independence to simplify the factorization of the system joint probability function, leading to a problem that can be analyzed piecewise instead of globally. We demonstrate the use of the DBN by analyzing a feed and bleed procedure in a nuclear power plant.

2:20 PMDevelopment and Application of a Genetic Algorithm Based Dynamic PRA Methodology to Plant Vulnerability SearchYury Vorobyev (a), Pavel Kudinov (b)a) Department of Nuclear Power Plants, Moscow Power Engineering Institute Krasokazarmennaya, 14, 111250, Moscow, Russia, b) Division of Nuclear Power Safety, Royal Institute of Technology, Sweden

The paper describes recent achievements in development and application of the Dy-namic Probabilistic Risk Analysis (DPRA) methodology based on the Genetic Algo-rithm (GA). The aim of the GA-DPRA approach is to enable identification of safety vulnerabilities and quantification of accident risks related to operation of nuclear power plants (NPP). The approach combines a system code as a deterministic model of the plant and a GA search engine for the exploration of the plant scenarios space. A point in this space represents a scenario (transient) which is defined by unique combina-tion of initial plant state and time dependent sequence of changes in the plant state parameters implemented in the system code input. The GA-DPRA is used to address two main types of safety analysis problems: (i) identification of a “worst case” scenario with most severe violation of safety limits (failure of safety barriers); (ii) identification of “failure domains” (sub-domains in the space of plant scenarios where at least one of the safety limits (barriers) is violated). Safety critical parameters (safety limits) are used by GA as fitness functions to guide selection of the system code input parameters in process of the global optimum search. The GA controls selection of system code input parameters within predefined diapasons and time windows. Unlike “brute force” approaches or Monte Carlo type methods the GA-DPRA is much less demanding to computational resources due to intelligent and adaptive resolution in the exploration of the plant scenarios space. Stochastic properties of GA and Importance Sampling technique are applied to estimate probabilistic characteristics of the identified vulner-abilities. Solutions of benchmark problems and comparison with other methods are discussed in the paper.

2:45 PMHybrid Fault Tree Markov Chain (HFT-MC) Probabilistic Risk Assessment Methodology with ApplicationMohammad Pourgol-Mohammad (a), Kamran Sepanloo (b), and Kaveh Ka-rimi (c)a) FM Global, Norwood, MA, USA, b) AEOI, Vienna Office, Vienna, Austria, c) Science and Research Branch, Islamic Azad University, Tehran, Iran

The Hybrid Fault Tree-Markov Chain (HFT-MC) methodologies is developed in frame-work of dynamic and hybrid PRA methods as new generation of the probabilistic risk assessment methodologies. An overall description of proposed hybrid fault tree (FT)/ continuous time Markov chain methodology is given with an application example for demonstration of methodology on the steps, assumptions and the results. HFT-MC is a localized dynamics methodology for assessment of the temporal behavior of the safety-critical systems in case of an accident e.g., anticipated Loss of Coolant Acci-dent (LOCA). The fault tree is used for localized component/subcomponent failure rate estimation assessment. Markov chain, coupled by the results from fault tree for each node, provides overall unavailability/dependability estimation of the system over the time for either repairable or non-repairable system. The methodology has capability to consider common cause failure, and effect of operators. The methodology is applied to simulation of emergency power system of the Bushehr nuclear power plant with com-bined construction of two different design technologies (Western KWU PWR design and Russian WWER PWR design).

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Azalea

Dynamic PSA - 2Session Chair: Pierre-Etienne Labeau

46

1:30 PMReliability Analysis of 2400 Mwth Gas-Cooled Fast Reactor Natural Circulation Decay Heat Removal SystemM. Marquès, C. Bassi (a), F. Bentivoglio (b)a) CEA, DEN, SESI, Cadarache, Saint-Paul-lez-Durance, France, b) CEA, DEN, SSTH, Grenoble, France

In support to a PSA performed at the design level on the 2400 MWth Gas-cooled Fast Reactor, the functional reliability of the decay heat removal system working in natural circulation has been estimated in two transient situations corresponding to an “aggravated” Loss of Flow Accident (LOFA) and a Loss of Coolant Accident (LOCA). The reliability analysis was based on the RMPS methodology. Reliability and global sensitivity analyses use uncertainty propagation by Monte Carlo techniques. The re-sults obtained on the reliability of the DHR system and on the most important input parameters are very different from one scenario to the other showing the necessity for the PSA to perform specific reliability analysis of the passive system for each consid-ered scenario. The analysis shows that the DHR system working in natural circulation is a very reliable system in case of LOFA situations even when only one DHR loop is available. On the other hand, its reliability has to be improved in LOCA situations. This analysis shows the way to make this improvement in specifying the main uncertain-ties, which could to be reduced.

1:55 PMOptions for Defining Large Release Frequency for Applica-tions to the Level-2 PRA and Licensing of SMRSMohammad Modarres (a), Mark Leonard (b), Kent Welter, Jason Pottorf (c)a) University of Maryland, Center for Risk and Reliability, College Park, MD, b) Dycoda, LLC, Los Lunas, NM, c) NuScale Power, Inc., Corvallis, OR

Large release frequency (LRF) is used in Probabilistic Risk Assessments (PRAs) as a risk metric for advanced LWR Design Certification (DC) and Combined Construc-tion and Operating License (COL) applications. While the Commission requested the Nuclear Regulatory Commission (NRC) staff to provide a definition of LRF, in SECY- 93-138 the Staff recommended to the Commission that work on a definition be termi-nated. As a result, the definitions of LRF in the Design Control Document (DCD) and COL applications of advanced Light Water Reactors (LWRs) differ to varying degrees. In the absence of a unique regulatory definition for LRF, the Small Modular Reactors (SMRs), including NuScale’s PRA and DCD, must define and adopt one. The purpose of this paper is to highlight possible options for LRF measures along with the pros and cons of each. The paper will propose one of such options for consideration. The most challenging part of LRF definition is to describe what is meant by “large” to measure the scale of release. There are three possible bases for describing the scale of re-lease: number of fatalities, amount of radionuclide release, or state and integrity of the reactor pressure boundary and containment at the time of release. These options will be discussed in this paper.

2:20 PMAchievement of the Level 1 PSA in Support to the CEA 2400 MWTH Gas-Cooled Fast ReactorM. BALMAIN (a), C. BASSI, P. AZRIA (b)a) EDF R&D Division, Industrial Risks Management Department, Clamart, FRANCE, b) CEA, Nuclear Energy Directorate, Reactor Studies Department, Innovative Systems Service CEA, Saint-Paul-Lez-Durance, FRANCE

Within Generation IV International Forum, the CEA has developed since 2006 a Level 1 PSA to support the design of the 2400 MWth GFR. A first period, with insights pub-lished in 2008, consisted in a model with few initiators representative of medium and high pressure situations, those used for the deterministic design of the Decay Heat Removal dedicated loops. In a second period, an iterative work reached the proba-bilistic targets used for generation III reactors, with prior use of normal loops, and increase of DHR reliability in high pressure conditions. The PSA team covered all the internal initiators, and supported the design of components with instrumentation and control and electrical supplies, and the shutdown operating modes of secondary, tertiary circuits, with possible re-alignment to dedicated DHR loops. Besides, the com-pleted PSA integrated more realistic success criteria than the preliminary model and than the deterministic approach, thanks to CATHARE2 code. In case of loss of Forced Convection, the probability of success of the Natural Convection DHR was assessed by a reliability method for passive systems. The paper underlines the PSA methodol-ogy knowledge from the EdF expertise, the improvements co-developed with CEA, and the iteration design-PSA-design.

2:45 PMU.S. Regulatory Lessons Learned from New Nuclear Power Plant Applications on Evaluating Degraded Voltage Protec-tionRobert G. Fitzpatrick, Ronaldo V. Jenkins, Malcolm D. Patterson, and Nich-olas T. SaltosUnited States Nuclear Regulatory Commission, Rockville, Maryland

This paper addresses one of the lessons learned from regulatory review of applica-tions for new nuclear power plants. It discusses U.S. regulations and implementing guidance related to applications for a design certification (DC) or a combined operat-ing license (COL). Regulations require applicants for a design certification to perform a design-specific probabilistic risk analysis (PRA). Applicants for a COL must have a plant-specific PRA. Each application must include a description of the associated PRA and its results. This paper describes a method used to assess the safety significance of degraded grid voltage and to confirm that a particular passive design meets General Design Criterion 17, “Electric power systems.” The staff of the Nuclear Regulatory Commission (NRC) used insights from the PRA to evaluate the effects of degraded grid voltage. The PRA insights provided by the applicant, deterministic considerations, and the evaluation of safety issues under degraded voltage conditions are discussed in the context of new reactors. The paper also discusses some of the technical issues that the NRC staff has encountered in reviewing recent applications and the staff’s need for additional information to make appropriate safety determinations.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Camellia/Dogwood

Next Generation Reactor PSA - 4Session Chair: Jonathan Li

47

1:30 PMDynamical and Hierarchical Criticality Matrixes-Based analy-sis of Power Grid SafetyEugene Brezhnev (a), Vyacheslav Kharchenko (b), Alexandr Siora (c), Vladi-mir Sklyar (b)a) National Aerospace University KhAI, Kharkiv, Ukraine, b) Centre for Safety Infrastructure Oriented Research and Analysis, National Aerospace University KhAI, Kharkiv, Ukraine, c) Research and Produc-tion Company Radiy, Kirovograd, Ukraine

This paper presents the technique for the power grid safety assessment based on accident risk-analysis by use of the dynamical and hierarchical criticality matrixes (D&HCM). The technique is founded on principles suggested for the power grid safety assessment. The basic tool is Failure Modes, Effects and Criticality Analysis (FMECA) supplemented with changes in procedure according to the features of safety assess-ment process. The power grid safety assessment model is presented as a graph of criticality with edges connecting the nodes corresponding with subsystems of next higher and lower levels. The nodes are described by criticality matrixes. The changes of subsystems’ failures criticality during the power grid operation are the results of sequential changes of subsystems’ states (transition to state of nonoperability) or the changes of failures probabilities caused by influence of the operational environment or factor of time (physical or automaton time). This approach suggests considering the interaction and mutual influence among subsystems which results to multiple failures, change of the criticality and risk values. In this way the capacities of FMECA-based safety assessment may be expanded. The accident in Sayano–Shushenskaya hy-droelectric power station was investigated on dynamical and hierarchical criticality matrixes-based analysis.

1:55 PMTowards an Integrated Probabilistic Analysis of the Blackout Risk in Transmission Power SystemsPierre Henneaux, Pierre-Etienne Labeau, Jean-Claude MaunService de Métrologie Nucléaire, Service Beams-Energy, Université Libre de Bruxelles, Brussels, Bel-gium

In our modern society, the electrical grid has become one of the most critical infrastruc-tures. Even if feedback from the electrical sector is very positive, electricity generation and transmission cannot be considered as totally reliable activities. A residual black-out risk remains, especially as new ways of generating electricity and operating the grid develop. To study the grid reliability, deterministic criteria are usually considered. Probabilistic risk assessment methods have also been developed, but they usually neglect the dependencies between failures and the dynamic evolution of the grid in the course of a transient: yet a blackout is due to cascading failures in the grid. There is a strong coupling between events, since the loss of an element increases the stress on others and, hence, their probability to fail. Our purpose is therefore to develop an in-tegrated probabilistic approach to blackout analysis, capable of handling the dynamic response of the grid to stochastic initiating perturbations and the event sequences they possibly entail. This approach is adapted from dynamic reliability methodologies, by accounting for the different characteristic times and processes of different cascad-ing phases leading to a blackout. This paper focuses on the modeling adopted for the first phase, ruled by thermal transients. The goal is to identify dangerous cascading scenarios (possibly leading to a blackout) and calculate their frequency. A Monte Carlo code derived from this methodology is validated on a test grid. Some dangerous sce-narios are presented and their frequency calculated by this method is compared with the classical estimation.

2:20 PMProbabilistic Risk Assessment of a Transmission and Distri-bution SystemFrank Rahn, Jeff Riley (a), Alan Ross (b)a) Jean-Francois Roy, and Alexander Bonilla, Electric Power Research Institute, Palo Also, CA, b) Con-sultant, Pleasanton, CA

Probabilistic Risk Assessment (PRA) tools and modeling techniques can be used to evaluate a wide variety of complex systems and facilities. This paper presents an ap-plication of PRA techniques to an electric transmission and distribution system. The work focuses on the reliability of a small utility system and examines the probability of loss of system-wide service, as well loss of power to critical facilities. The evaluation is both qualitative and quantitative in nature.The work was originally motivated by an unfortunate event that caused a complete city-wide blackout that lasted approximately 12 hours and was close to exceeding the coping time of vital services, such as fire water. The outage also resulted in a high economic loss.For this project, the EPRI CAFTA software tool was used to examine the fault trees representing the transmission system. Also modeled were the underground transmis-sion cables feeding a central substation that was configured in a breaker and a half ar-rangement, and a transmission system that encircled the service area. The evaluation also considered other risks including earthquakes, flooding, gas pipeline ruptures, and aircraft crashes that could disrupt the system.

2:45 PMReliability Forecasting Modeling for Distribution System Infra-structure DecisionsShan (Sam) H. Chien, Zoilo S. Roldan, Roger J. LeeSouthern California Edison Company, Santa Ana, CA

Transmission and distribution (T&D) infrastructure is aging in electric utilities through-out the U.S. as indicated by upward trends in average equipment ages. There are sig-nificant implications ahead in system reliability and customer service. The magnitude of these future challenges can only be revealed by probabilistic reliability modeling. Such models have been developed to forecast future distribution system reliability and to evaluate the value of various asset management strategies. Three key insights which would be of value to reliability practitioners in the area of distribution system asset and reliability management are 1) the understanding that the systems are ag-ing and declining in reliability, 2) the appreciation that there are major benefits from developing reliability models, and 3) the understanding that there are many levels of reliability modeling complexity, all of which are useful.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Magnolia

Grid ReliabilitySession Chair: Shan Chien

48

1:30 PMAchieving Realism in Fire PRA: Insights and Challenges based on Fire Damage States and Associated FrequenciesJames R ChapmanScientech, Lake Mary, Florida

About half the US fleet has developed or is developing fire PRAs to support NFPA 805 licensing basis transition. These fire PRAs, or adapted versions of these fire PRAs, can also support other risk informed applications, such as risk informed completion times. Many other units are also developing fire PRAs for risk informed applications other than NFPA -805. The Fire PRAs have been or are being developed using guid-ance from NUREG/CR-6850, Industry Frequently Asked Questions (FAQs) and recent EPRI technical evaluations, such as fire ignition frequency updates. Many of these fire PRAs have used detailed fire modeling, cable and circuit analysis and Human Reliability analyses (HRA) to improve the calculated results. However, even with such detailed analyses, the calculated results are believed to be conservative by a factor in the range of 5 to 10 (or perhaps higher) overall. This belief is based on comparison of calculated results, such as the frequency of fire damage states to operating experi-ence, as provided by the NRC’s Accident Sequence Precursor (ASP) program. This paper will discuss the results of a comparison of calculated fire damage state frequen-cies, at the cumulative level, and associated consequences in terms of damage level (at the conditional core damage probability level and availability of mitigating systems and actions level) to actual industry experience. The comparison is based on calculat-ed results for several US units. This comparison provides additional evidence that the calculated results overall are conservative because the calculated frequencies of fire scenarios leading to the failure of safety significant equipment are too high. Industry and NRC have plans to provide improved methods and data in technical areas includ-ing fire frequency, fire development and propagation, heat release rate and detection and suppression. Comparison to operating experience needs to be considered when benchmarking the integrated effect of changes in methods and data intended to refine the conservative results presently being developed and when making decisions on plant changes. (Presentation Only)

1:55 PMCollective Insights from NFPA-805 Fire PRAs and Related Fire Risk EvaluationsEdward Simbles and Usama FarradjERIN Engineering, Inc., Walnut Creek, CA

Completion of a series of Fire Probabilistic Risk Assessments (FPRAs) for NFPA 805 transitioning plants has provided insights with respect to the fire PRA methodology as defined by NUREG/CR-6850 as well as insights with respect to contributors to plant fire risk and modifications identified for addressing these risks. The Fire Risk Evalu-ation (FRE) methodology for calculation of the risk of variances from deterministic requirements (VFDRs) and risk of recovery actions is also addressed. Insights associ-ated with the FRE process, methodology and the impact of FREs as opposed to over-all fire risk on decisions regarding plant modifications are addressed. The methods of defining the compliant plant condition for the plant including alternative shutdown fire areas (e.g., control room, cable spreading room) are discussed. Based on the insights identified, recommendations for refinements in NUREG/CR-6850 methodologies and FRE process requirements and methodologies are proposed. (Presentation Only)

2:20 PMHow Immature and Overly Conservative is Fire PRA? - A Com-parison of Early Vs. Contemporary Fire PRAS and MethodsRaymond H.V. GallucciU.S. Nuclear Regulatory Commission (NRC), Washington, D.C.

There is a prevailing cognition, at least among an apparently significant portion of the commercial nuclear power industry, that the current methods available for fire PRAs are still relatively immature, at least when compared to internal events PRA methods, and produce overly conservative predictions of risk (core damage frequency [CDF] and large early release frequency [LERF]). This paper compares “conservatism” is-sues from the “early” era of fire PRA to contemporary issues to answer three ques-tions: Is fire PRA conservative? Is it immature? Is it too conservative?

2:45 PMFire Modeling in PSA with EdF/EPRI Magic CodeIsabel Viniegra, Mariano J. Fiol, Miguel Á. CelayaIBERDROLA, Ingeniería y Construcción, Madrid, Spain

The MAGIC software is a fire simulation code developed and maintained by EdF and sponsored by EPRI. It uses a typical two homogeneous zones model where the solu-tion of the mass and energy balances accumulated on each zone, together with the ideal gas law and equation of heat conduction into the walls, results in the environ-mental conditions generated by the fire. Several rooms and their interactions can be modeled, including doors opening, hatches, forced or natural ventilation, sprinkler ac-tuation and trigger of some fire detectors. A useful set of outcomes (temperatures, heat fluxes, hot gas layer thickness, etc.) can be obtained to determine the time to targets’ damage in a variety of scenarios. It has been broadly validated and verified.IBERDROLA, Ingeniería y Construcción has used the MAGIC code in one Spanish Fire PSA for calculate available times to credit manual extinguishment on Fire Brigade actuation. The use of the code is conveniently simple, compared with CFD codes, al-lowing a high number of scenarios to be modeled in a restricted project schedule and results sound credible and realistic with a coherent nearness to intuitive expectations.Finally, it is important to note that MAGIC features related with its input data definition (Heat Release Rate of fire load sources specially) permit a good fulfillment of NUREG/CR-6850 methodological and data provisions.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Salon A

Fire PSA Methods - 4Session Chair: David N Miskiewicz

49

1:30 PMEnhanced Defence-in-Depth features during the design phase of Olkiluoto 3Matti Lehto, Jouko Marttila, Ari Julin, Reino VirolainenSTUK, Helsinki, Finland

The first EPR, Olkiluoto 3, is under construction in Finland and the unit is expected to be commissioned in 2013. Detailed, full-scope PSA of Olkiluoto 3 will be a part of the required documentation to be attached to the operation license application. Finnish regulatory requirements include e.g. separation principle applied to parallel parts of the safety systems and diversity principle applied to the systems related to the most important safety functions. The probabilistic design objectives in Finland are the following:- The mean value of the PSA Level 1 result must be < 1E-05/a (core damage fre-quency).- The mean value of the PSA Level 2 result must be < 5E-07/a (major radioactive release frequency).Previous review of the Olkiluoto 3 Preliminary Safety Analysis Report and the prelimi-nary PSA revealed some deficiencies in the plant design. Thereafter, several improve-ments have been done to fulfil Finnish regulatory requirements, as well as to assure on adequacy of safety margins. For example, following improvements have been done in the design considering Defence-in-Depth features:- Additional heat exchangers were applied to certain room cooling systems in safe-guard buildings to provide two diverse heat sinks for the cooling function.- Structural modification was applied to protect diesel engine combustion and cooling air intakes against weather phenomena and external fires.- Additional measures were applied to prevent or limit leakage of primary coolant pump motor’s lubrication oil system to mitigate impact of assumed oil fires inside the con-tainment.- Additional measures were applied to prevent or limit leakage of fire water system to mitigate impact of assumed flooding in the reactor building annulus.Considering fire safety of the typical fire retardant cables to be installed in Olkiluoto 3, fire research and some specific fire tests were performed. Thereafter, several fire simulations of a cable spreading room have been done based on a new model taking into account the fire properties of the typical cables. The study was performed to be able to quantify cable fire spreading and to assure on the adequacy of the designed fire protection concept, especially considering the cable rooms containing big fire loads. (Presentation Only)

1:55 PMRecent Trends In Risk-Informed Safety Margin Characteriza-tionStephen M. Hess (a), Robert Youngblood (b), Dominique Vasseur (c)a) Electric Power Research Institute, West Chester, PA, b) Idaho National Laboratory, Idaho Falls, ID, c) Electricité de France, Clamart, France

The design and maintenance of adequate safety margins has served as a foundational principle for the safe operation of commercial nuclear power plants since the inception of the commercial nuclear power industry. During the original licensing of the current fleet of plants, adequate safety margins were established by performing conservative analyses and using conservative engineering judgment to specify appropriate safety limits for critical plant parameters. However, over time, plant operation and ageing of plant structures systems and components (SSCs) has the potential to impact these original design margins. Due to the recent emphasis on extended plant operation, it will become imperative that effective methods be developed to manage age-related degradation of plant SSCs, prevent the occurrence of safety-significant operational events, and demonstrate maintenance of acceptable (and even improved) nuclear safety risk. In this paper, we summarize the current state of research to develop a risk-informed approach to characterize and manage nuclear plant safety margins. We describe the basic safety margin concept and summarize research performed under the Nuclear Energy Agency Committee on the Safety of Nuclear Installations Safety Margins Working Group to investigate such an approach for use by regulatory au-thorities. We also describe collaborative safety margin research sponsored by the Electric Power Research Institute Long Term Operation initiative and the United States Department of Energy’s Light Water Reactor Sustainability program being conducted to support decision making by plant owner/operators. Finally, we provide some pre-liminary conclusions and suggestions for further investigation.

2:20 PMExperiences in Describing PRA Technical Adequacy in Risk Informed SubmittalsVictoria A. Warren, Donald E. Vanover (a), Lawrence K. Lee (b)a) ERIN Engineering and Research, Inc., West Chester, PA, b) ERIN Engineering and Research, Inc., Campbell, CA

With the advent of Revision 2 of Regulatory Guide 1.200, the technical adequacy of Probabilistic Risk Assessments (PRAs) used for risk informed submittals has come to the forefront. The type of submittal from the very specific, such as a change to the completion time of a single system to very broad process changes such as the surveil-lance frequency control program (i.e., Risk Informed Technical Specification (RITS) Initiative 5B) affects how technical adequacy is determined and described. The level of internal assessment and external review of the PRA is also a factor. The informa-tion content involving the impact of a gap to fully meeting the PRA standard (ASME/ANS RA-Sa-2009) must allow independent determination of acceptability. It is rela-tively straightforward to address PRA technical adequacy for a narrow application but more complex for a broad application where the specific instances are not defined. The broad application may need to rely on the methodology used to address certain technical adequacy issue. An example of this is the RITS 5B methodology which re-quires data sensitivities as part of the surveillance test interval analysis. Forethought about the intended use of the PRA technical adequacy assessment will lead to a better assessment leading to a better analysis and a better submittal.

2:45 PMInsights from the SM2A Pilot Study Towards Quantification of a Change of Plant Safety Margin After a Hypothetical Power Up-RateMartin A. Zimmermann, Vinh N. Dang (a), Jeanne-Marie Lanore, Pierre Probst (b), Javier Hortal (c), Abdallah Amri (d)a) Paul Scherrer Institute, Villigen, Switzerland, b) Institut de Radioprotection et de Sûreté Nucléaire, Fontenay aux Roses, France, c) Consejo de Seguridad Nuclear, Madrid, Spain, d) OECD/NEA / Nuclear Safety Division, Issy-les-Moulineaux, France

During recent years, many nuclear power plants underwent significant modifications, e.g. power up-rating. While compliance with all the deterministic acceptance criteria must be shown during the licensing process, the larger core inventory and the facts that the plant response might get closer to the limits after a power up-rate, suggest an increase of the core damage frequency (CDF) and other possible risk indicators. Hence, a framework to quantitatively assess a change in plant safety margin becomes very desirable. The Committee on the Safety of Nuclear Installations (CSNI) mandated the Safety Margin Action Plan expert group (SMAP) to develop a framework for the assessment of such changes to safety margin. This framework combines PSA and the analytical techniques developed in BEPU. CSNI then mandated the SM2A expert group to especially explore the practicability of the SMAP framework. This pilot study was completed end of 2010. An increase of the (conditional) probability of exceedance for a surrogate acceptance limit (PCT) indicating core damage was successfully evalu-ated for the selected sequences from several initiating event trees, and it was found that only a restricted number of sequences need to be analyzed. The impact of power up-rate could also be assessed for scenarios where no violation of the surrogate cri-terion was observed. The modeling of human actions was found to be of particular importance as the sequences related to scenarios including a time delay for a recovery action or for a repair correspond to the more visible risk increase.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Salon B

Risk-Informed Safety MarginsSession Chair: Dominique Vasseur

50

1:30 PMTowards an Improved HRA Quantification ModelGareth W Parry (a), John A Forester, Katrina Groth, and Stacey M L Hen-drickson (b), Stuart Lewis (c), Erasmia Lois (d)a) ERIN Engineering and Research Inc., Walnut Creek, CA, b) Sandia National Laboratories, Albuquer-que, NM, c) Electric Power Research Institute, Knoxville, TN, d) U.S. Nuclear Regulatory Commission, Washington DC

The U.S. Nuclear Regulatory Commission and the Electric Power Research Institute are working together under a memorandum of understanding to improve the state of the art in human reliability analysis (HRA) by incorporating an understanding of the causes of human failures and the contextual factors that influence the likelihood of failures based on a review of relevant behavioral science and cognitive psychology literature. This paper outlines a decision-tree approach that is being developed for the estimation of human error probabilities (HEPs) that is consistent with that under-standing.

1:55 PMThe Value of Upgrading the HRA MethodP.F. NelsonDepartamento de Sistemas Energéticos, Facultad de Ingeniería, Universidad Nacional Autónoma de México, Mexico DF, CP

Human Reliability Analysis (HRA) is a very important part of Probabilistic Risk Analysis (PRA), and constant work is dedicated to improving methods, guidance and data in order to approach realism in the results as well as reducing uncertainties. In order to advance in these areas, several HRA studies are being performed globally. Mexico has participated in the recent HRA Empirical studies with the objective of “benchmark-ing” HRA methods by comparing HRA predictions to actual crew performance in a simulator. The experience of participating in these efforts is being incorporated in the updating of the Laguna Verde PRA to comply with the ASME/ANS PRA standard. In order to be considered an HRA with technical adequacy for PRA risk-informed ap-plications, the methodology used for the HRA in the original PRA is not considered sufficiently detailed, and the methodology had to upgraded. The HCR/CBDT/THERP method was chosen, since this is used in many nuclear plants with similar design. The HRA update includes the evaluation of human errors that can occur during an accident, known as post initiating events. Due to the results, it does not appear to be necessary to use a more detailed existing HRA method for the quantification of the human error probabilities; however, there is room for qualitative assessment enhance-ment. It is also expected that if new methods are employed with new data, there could be advances in the quantitative HRA predictions as well.

2:20 PMDevelopment and Use of a Bayesian Network to Estimate Hu-man Error ProbabilityKatrina Groth and Ali MoslehCenter for Risk and Reliability, University of Maryland, College Park, MD

In Human Reliability Analysis (HRA), Performance Influencing Factors (PIFs) are used to represent the various factors that influence individual behavior and to predict the outcome of human cognitive processes. PIFs have been used in many HRA methods as a means to estimate Human Error Probability (HEP). Recently there has been an interest in replacing “linear models” of accounting for the impact of PIF on estimates for HEPs with model-based approach that include the interdependencies among PIFs. Addressing the PIFs in a model is expected to provide more refined HEP estimates and reduce the amount of information required to assess HEPs.A previous paper [1] has proposed a Bayesian Network (BN) model of the relationships among PIFs. The model structure and probabilities were developed based on analysis of available data. The BN provides a natural framework to assess the impact of differ-ent combinations of the same PIFs. This paper describes an extension of the original model to estimate HEPs. This paper discusses how to the model was modified and how it can be used to make inferences in the BN. It also demonstrates how to integrate the PIF model into traditional PRA.

2:45 PMFirst Results From A Study For Errors Of Commission For A Boiling Water ReactorLuca Podofillini, Vinh N. Dang (a), Olivier Nusbaumer, Dennis Dres (b)a) Paul Scherrer Institut, Villigen, Switzerland, b) Leibstadt Nuclear Power Plant, Leibstadt, Switzerland

Errors Of Commission (EOCs) refer to carrying out inappropriate, undesired actions that aggravate an accident scenario. The challenges to their systematic treatment in PSA relate to both the identification (which error events should be included in the PSA) as well as to the quantification of their probability. This paper presents the first re-sults from a plant-specific study performed to identify potential EOC vulnerabilities and quantify their risk significance. The study addresses a Boiling Water Reactor (BWR) in Switzerland and is one of the first EOC analyses ever done for BWRs. The Commis-sion Error Search and Assessment (CESA) method was used to identify EOC events. The application shows that CESA is effective in narrowing the EOC search down to a limited number of events to be included in the PSA – six events in the present case. This demonstrates the feasibility of a systematic treatment of EOCs for large-scale applications. A preliminary analysis shows that the contribution to risk of the most important EOCs is comparable to that of the most important errors of omission. This highlights the significance of EOCs in the overall risk profile of the plant.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 1:30 PM - Carolina

Human Reliability Analysis - 4Session Chair: Gareth Parry

51

3:45 PMResearch Activities of Germany’s GRS in the Field of Dynam-ic PSAMartina KloosGesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching, Germany

GRS started its research activities in the field of dynamic PSA with the development of the MCDET method which considers discrete aleatory uncertainties (referring, for instance, to the occurrence of system function failures or of human errors) by the Discrete Dynamic Event Tree (DDET) approach and continuous aleatory uncertainties (e.g. failure-to run times of system functions or execution times for human actions) by MC simulation. The method is implemented as a module system which can in principal be coupled with any deterministic dynamics code. Since the MCDET modules can ac-count for epistemic uncertainties as well, two approaches for an epistemic uncertainty analysis were developed. They are useful for complex long running applications. Last step of the research activities until now was the development of a so-called crew module. It enables calculating the dynamics of crew actions depending and acting on the uncertainties as considered in the MCDET modules and on the dynamics as mod-eled in the deterministic code. The combination of the MCDET and crew modules with an appropriate deterministic code allows for evaluating complex accident scenarios where human actions, technical installations, the physical process and aleatory uncer-tainties are the main interacting parts in the course of time. Accident sequences are generated automatically and supplied together with probabilistic assessments which account for the spectrum of sequences that may actually evolve. This paper describes the current state of development, some large scale applications and future research projects in the context of the MCDET method.

4:10 PMOnline State Estimation in Dynamic Event Trees for a Level Controller DatasetDaniya Zamalieva and Alper Yilmaz (a), Tunc Aldemir (b)a) Photogrammetric Computer Vision Lab., The Ohio State University, Columbus, OH, b) Department of Mechanical and Aerospace Engineering, The Ohio State University, Columbus, OH

The large amount of data produced by dynamic event tree generation algorithms intro-duces the need for new methods and software tools that are capable of analyzing the data and extracting useful information. The classification of each transient produced by dynamic event tree generation algorithms as normal or failure (i.e. situation that has to be avoided) is addressed. The classification is carried out in an online manner, i.e. using the part of the scenario that is available, while the rest is still being generated. The classification can be used for more efficient utilization of computing resources by discontinuing scenarios with normal transient behavior. Learning the behavior of nor-mal scenarios is accomplished using a Hidden Markov Model. Experiments show that using the proposed model, it is possible to continue the execution of 100% of failed scenarios while identify more than 50% of normal scenarios for termination.

4:35 PMDiscrete Dynamic Event Tree Analysis of MLOCA Using Ads-TraceDurga R. Karanki, Vinh N. Dang, Tae-Wan KimPaul Scherrer Institute, Villigen, Switzerland

In current practice, success criteria analyses for Probabilistic Safety Assessments (PSAs) primarily use thermal-hydraulic simulation (transient analysis) codes. In dy-namic event tree (DET) simulations, a stochastic model is coupled to such codes. The stochastic model allows the variability of system failures (number of trains, timing) and of operator responses (response strategies, timing of actions) to be considered. Consequently, DET simulations provide the means to examine the combined influence of such variabilities on success criteria. This paper presents initial results from DET analyses performed for Medium Loss of Coolant Accident (MLOCA) scenarios in a Pressurized Water Reactor (PWR). The analyses focus in particular on the interac-tion of break size, number of high pressure safety injection trains, and the timing and rate of primary cooldown and depressurization over the secondary, in terms of their impacts on sequence success.

5:00 PMDynamic Event Tree Analysis of Competing Creep Failure Mechanisms in a Station Blackout AccidentKyle Metzroth, Richard S. Denning, and Tunc AldemirThe Ohio State University, Columbus, OH

The ADAPT (Analysis of Dynamic Accident Progression Trees) methodology is a dy-namic event tree (DET) methodology capable of accounting for the uncertainty in the modeling of complex stochastic phenomena which may take place during the course of a severe accident. In this work, the ADAPT methodology is applied to a station-blackout (SBO) scenario and the competition of creep failure mechanisms of several components of reactor coolant system (RCS) is analyzed. Special attention is paid to the modeling of steam generator tube rupture and approximations are used to ac-count for the possible temperature stratification in the steam generator tubes that may not be captured by lumped parameter models. Timings of the creep failure of various components are estimated.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 3:45 PM - Azelea

Dynamic PSA - 3Session Chair: Tunc Aldemir

52

3:45 PMRisk Informed Optimization of Fatigue RulesAlexander KnollConsultant, Wyomissing, PA

Various PRAs in the nuclear and other industries identified human errors as a sig-nificant contributor to undesired events and accidents. Fatigue is one of the factors included in human reliability analyses of PRAs. This paper will compare the existing and proposed fatigue rules in various industries and will provide tangible recommen-dations to optimize the procedural and regulatory requirements for reducing the risk of fatigue errors to an acceptable level.High risk industries have work hour limitations based on current or planned regula-tions. These limitations need to comply also with new regulations to help mitigating the risks of fatigued personnel. The current fatigue rules and limitations are constantly and frequently revised because there is no consistent methodology that satisfies all the impacted stakeholders: public (safety), employee unions, employers, regulators, government, etc. This is a Risk Informed Optimization Problem: If the Fatigue Rules are extremely le-nient, allowing key employees work continuously an unacceptable number of hours, public safety might be reduced, employees might be exposed to accidents and the resultant company losses might be unacceptably high. If the Fatigue Rules are ex-tremely demanding, exaggerated in their levels of reduced work-hour requirements, the risk reduction might not be tangible but the implementation costs might be unac-ceptably high as well. This is a classical Risk Informed Optimization problem (see Reference 1): Identifying fatigue rules and procedural guidance that are optimal (not exaggerated in demand and not lenient. Published industry experience of fatigue errors in various industries will be reviewed and translated into statistical data. Then they will be correlated with previous work (see Reference 2) and the Risk Informed methodology of Reference 1. Recommenda-tions will be provided how to optimize fatigue rules and procedural requirements in various industries. References: 1.A. Knoll, “Risk Informed Optimization, Theory and Applications”, Proc. ANS PSA ’05, International Topical Meeting on Probabilistic Safety Assessment, San Francisco, 2005. 2. A. Knoll & Al., “Event Tree Methodology for Analyzing the Risk of Fatigue Errors During Flight”, Proc. PSAM 5 Topical Meeting on PSA and Manage-ment, Osaka, Japan, 2000. (Presentation Only)

4:10 PMApplication of Analytic-Deliberative Decision-Making Pro-cess (ADP) to the Design of Advanced Reactor Passive Re-sidual Heat Removal SystemLIU TAO, Tong jiejuan, Zheng YanhuaINET, Tsinghua University

Analytic-Deliberative Decision-Making Process (ADP) is a process that helps stake-holders make risk-informed decisions. It has been used in variety of decision-making problems since has been worked out. The paper describes the application of the ADP to the selection of Residual Heat Removal System (RHRS) design which will work for an advanced reactor. Two RHRS options are identified and evaluated, which are 3 trains, 50% load per train and 2trains, 70% load per train. (Presentation Only)

4:35 PMWGRISK Activities: What’s New?Jeanne-Marie Lanore (a), Marina Röwekamp (b), Nathan O. Siu (c), Abdallah Amri (d)a) Institut de Radioprotection et de Sûreté Nucléaire (IRSN), Fontenay-aux-Roses Cedex, France, b) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, c) U.S. Nuclear Regula-tory Commission (NRC), Washington, DC, USA, d) OECD Nuclear Energy Agency, Issy-les-Moulineaux, France

The main objective of the Working Group on Risk Assessment (WGRISK) of the OECD Nuclear Energy Agency (NEA) Committee for the Safety of Nuclear Installations (CSNI) is to advance the PSA understanding and to enhance its utilization for improv-ing the safety of nuclear installations. The main products of WGRISK are state-of-the-art reports, workshops, technical notes and technical opinion papers (available to all NEA member countries and in some cases to the public). The integrated plan of the WGRISK is prepared in order to help ensure the Working Group addresses important safety issues identified by the CSNI. It also helps ensure that WGRISK is appropriately coordinated with other international activities. A number of past products of WGRISK have been presented to international experts at various meetings. The objective of this paper is to focus on recently completed and ongoing activities: - Recent topic areas include: Probabilistic risk criteria and safety goals, non-seismic external events, low power and shutdown PSA, digital I&C risk, severe accident management, human reli-ability analysis data. - Currently active topic areas include: PSA for advanced reactors, PSA knowledge transfer, PSA for new plants, digital system failure modes, and PSA use and development.

5:00 PMExperiences from the project on Validity of Safety goalsGöran HultqvistForsmark Nuclear Power plant, Sweden

A guidance document has been developed as part of a four-year Nordic project dealing with the use of probabilistic safety criteria for nuclear power plants. The project have been supported by NPSAG, NKS (the Nordic utilities and regulators). The Guidance sums up, on the basis of the work performed throughout the project, issues to consider when defining and applying probabilistic safety criteria. The Guidance describes the terminology and concepts involved, levels of probabilistic safety criteria and relations between these, how to define a criterion, how to apply a criterion, on what to apply the criterion, and how to interpret the result of the application. It specifically deals with what makes up a probabilistic safety criterion, i.e., the risk metric, the frequency criterion, the PSA used for assessing compliance, and the application procedure for the criterion. It will also discuss the concept of subsidiary criteria, i.e., different levels of safety goals, their relation to defense in depth and to a primary safety goal in terms of health effects or other off-site consequences.

The project has included 4 different parts in which different assessment have been performed. These includes the following- Historical use of safety goals and the experiences of this- The historical basis for setting safety goals- International use of safety goals historical and today and trends- Quality demands on PSA methodologies and data to be used for safety goals- Uncertainties/Variance in PSA outputs in assessing the safety level of a specific plant (important parameters for low variance) - Use of safety goals in other industries- Development of recommendations of using safety goals in the Nuclear industry.

The project has been developed in parallel with a similar project in OECD. The project leaders have been involved in both these projects. The Nordic project has included a broader scope. The presentation will include information from the different phases of the project and important outputs from the work.


Risk-Informed Decision Making - 1Session Chair: Stanley Levinson

53

3:45 PMMapping of Fire Events to Multiple Internal Events PRA Initiat-ing EventsRichard C. AnobaAnoba Consulting Services, LLC, Raleigh, NC

Probabilistic Risk Assessments (PRAs) are increasingly being used as a tool for devel-oping a Fire PRA model to support NFPA 805. Most PRAs have the capability to ad-dress internal events including internal floods. As more demands are being placed for using the PRA to support risk-informed applications, there has been a growing need to quantitatively address external events such as fire. The NFPA pilot applications have implemented the guidance provided in NUREG/CR-6850 and the ANS/ASME PRA Standard to develop a Fire PRA that adequately addressees the unique impact of a fire event initiating event. A fire event that results in damage to electrical cables could cause potentially unique plant demands and responses beyond the scope of the Internal Events PRA model. The current PRA practice provides alternate methods and approaches to address unique initiating events. One method is to develop an event tree model for each unique initiating event. For a Fire PRA, this method could be im-practical since the number of unique compartment/scenario fire initiating events could number in the hundreds and possibly in the thousands. Recent Fire PRA model devel-opment experience has demonstrated that cable damage translates to nuclear power plant demands and responses that can be characterized by multiple Internal Events PRA initiating events. From this perspective, a fire event can be mapped to multiple In-ternal Event PRA initiating events that already exist in the logic models. Consequently, an alternate approach would be to map the fire event to multiple Internal Event PRA initiating events, while utilizing the existing structure of the Internal Events PRA event tree models. This methodology presents new challenges for addressing simultaneous and sequential occurrences of plant demands and responses chased by a single fire initiating event. The intent of this paper is to provide an overview of a modeling ap-proach for mapping fire events to multiple Internal Events PRA initiating events.

4:10 PMApplying Hierarchical Bayes Methods to Fire Ignition Fre-quency EstimationPatrick Baranowsky and Krisnandito Hardjoko (a), Corwin Atwood (b)a) ERIN Engineering and Research, Inc., Bethesda, MD, b) Statwood Consulting, Silver Spring, MD

This paper provides a brief description of the methodology that is currently being considered for derivation of fire ignition frequency distributions for use in fire PRA (Probabilistic Risk Assessment) applications when updated fire events data becomes available. The approach uses a hierarchical Bayesian methodology to account for be-tween plant variability of the fire ignition frequencies that is more data driven and uses analytic techniques that are well established nuclear power risk assessment methods and used broadly in many other technological and medical research applications. This paper summarizes the application methodology, evaluation and validation analyses that were performed, and recommends implementation details for the proposed meth-odology. A more extensively detailed report has been prepared for peer review.

4:35 PMUse of Computational Fluid Dynamic Fire Models to Evaluate Operator Habitability for Manual Actions in Fire Compart-mentsRobert L. LaddEngineering Planning and Management, Inc., Hudson, WI

Conduct of a Fire PRA may identify situations that require the performance of op-erator manual actions (OMA) to mitigate the consequences of a fire. In cases where OMAs are required within the affected fire compartment or the action requires transit through the compartment to access components, human reliability analysis has tradi-tionally assigned little to no credit for their performance. These situations typically re-quire the performance of additional analysis to credit additional system options or the performance of modifications to relocate/protect affected circuits and/or equipment. However with the advent of advanced computational fluid dynamic (CFD) fire model-ing tools such as Fire Dynamics Simulator (FDS), such cases can be evaluated to estimate feasibility and demonstrate the ability to perform necessary actions or transit through the fire environment. FDS fire models used to show feasibility of manual ac-tions in a fire environment are designed much like those used to evaluate Fire PRA target damage. Feasibility of OMAs is demonstrated by establishing reasonable ac-ceptance criteria and a means to measure the fire environment against those criteria. The acceptance criteria must ensure that the fire environment to which the operator is exposed, is acceptable for the performance of the required action and that it poses no immediate danger to the operator. In addition the model is designed to measure the time when equipment damage would precipitate performance of the action as well as the time when the required action must take place for successful mitigation of undesir-able affects. This allows measurement of the expected environmental conditions when the operator would be required to be in the affected fire compartment to perform the required actions.

5:00 PMExpanding the Use of Generic Fire Model TreatmentsGregory T. Zucal (a), Jeffrey L. Voskuil (b), Donald E. Vanover (c), Sean Hunt (d)a) ERIN Engineering and Research, Inc., West Chester, PA, b) Entergy, Covert, MI, c) ERIN Engineering and Research, Inc., West Chester, PA, d) Hughes Associates, Bingham, ME

Generic fire models provide an efficient method to determine fire scenario zones of influence in support of development of fire probabilistic risk assessments. These fire models generally assume static conditions and therefore limit the ability to consider time in the fire risk analysis. This paper explores an approach to adapt the results of a generic fire model in order to perform a timed based analysis. This facilitates the ability to analyze the growth phase of selected fires and provides a method for manual sup-pression to be credited during fire PRA scenario development. This approach includes input parameters that have known uncertainties. These parameters include fire growth rates, heat release rate distributions, and cable damage delay times. The approach utilizes various features of Mathcad® to calculate an overall non-suppression probabil-ity for a given fixed distance to an initial target. The method accounts for each of the heat release rate distribution bins, the vertical zone-of-influence from each bin, the fire growth time to reach the peak release rate, and the time it takes for cable damage to occur once the heat flux at a given distance exceeds the threshold heat flux criteria.


Fire PSA Methods - 5Session Chair: Robert L Ladd

54

3:45 PMAdvancing Performance-Based and Risk-Informed Design Methods for the Seismic Design and Regulation of SSCs in NPPsRobert J. BudnitzLawrence Berkeley National Laboratory, University of California, Berkeley CA

The current NRC regulations for design and analysis of nuclear power plants to resist large earthquakes use a framework that is partially risk-informed, in the sense that a target performance goal of 10-5 per year is the design target for the design of ev-ery individual SSC (structure, system, or component) that contributes significantly to the safety performance of the plant. However, the current framework does not admit design-specific or plant-specific PSA information directly as a part of the technical ba-sis used to determine whether an SSC should be approved. Instead, the design rules and analysis provisions have used information from the body of seismic PSAs already in the literature to inform how the design process and analysis provisions themselves are framed. This is “risk informed” but not fully so, and it is also not fully performance-based because although the target is framed in probabilistic terms, most of the design rules are prescriptive, rather than allowing the designer to choose his/her own design approach. This paper will discuss a group of several proposals, any one of which could advance the situation significantly toward a more fully performance-based and risk-informed framework. This paper will discuss the technical basis for each of the several proposals, what valid reasons stand in the way of their early implementation, and what research could be undertaken to help move the seismic design and approval process along toward a more nearly risk-informed and performance-based framework.

4:10 PMCalculation of Seismic Fragility Parameters for Flatbottom Vertical Liquid Storage Tanks by Numerical SimulationJohn J. O’Sullivan and Tsiming TsengStevenson and Associates, Woburn, MA

Seismic probabilistic risk assessments for nuclear power plants will normally include a fragility analysis of one or more flat-bottom vertical liquid storage tanks and these tanks will often rank high for risk-significance. Typically a tank’s function is to provide a reliable source of cooling water and the consequence of failure is of high impor-tance. In this paper, seismic fragility parameters are calculated for storage tanks using a Monte Carlo analysis procedure. A range of tank geometries is investigated, with tank design parameters chosen to be representative of water storage tanks at older nuclear power plants. Following common practice, probabilistic variables are taken to follow a lognormal distribution. The Latin hypercube procedure is used to sample probabilistic variables. By performing the capacity analysis many times, each time with newly sample variables, the underlying probability distribution of the seismic capac-ity is estimated. Three lightly anchored example tanks were analyzed with height to radius (H/R) ratios of 1.41, 2.13 and 2.84. The logarithmic standard deviation (β) val-ues produced by the simulation vary from 0.334 to 0.360. This is within the expected range. The trend is for β to increase with tank height. It was judged that the trend is a consequence of increasing ductility (μ) values. Calculations were also performed using a conservative deterministic failure margin procedure (CDFM) with a single set of input parameters. The CDFM and simulation are in very good agreement for the lower H/R ratios (within about 5%). The CDFM produced moderately conservative results compared to the simulation results for the tallest tank (11% lower HCLPF). The higher capacity values produced by the simulation for the tallest tank are attributed to the computed inelastic energy absorption factor, which was conservatively fixed at unity in the CDFM.

4:35 PMEPRI Pilot Application of the ASME/ANS Seismic PRA Stan-dardGreg Hardy (a), Robert Kassawara (b), Divakar Bhargava (c), David Moore (d)a) Simpson Gumpertz and Heger, Newport Beach, CA, b) Electric Power Research Institute, Palo Alto, CA, c) Dominion Resources Inc., Glen Allen, VA, d) Consultant, Mercer Island, WA

The American Society of Mechanical Engineers (ASME) and the American Nuclear Society (ANS) have developed a “Standard for Level 1/Large Early Release Frequen-cy Probabilistic Risk Assessment for Nuclear Power Plant Applications.” The objective of the Standard is to provide basic requirements for performing probabilistic risk as-sessments that would support future risk informed decisions. The Standard limits its requirements to performing a Level 1 analysis of the core damage frequency (CDF) and a limited Level 2 analysis of Large Early Release Frequency (LERF). The Stan-dard also provides requirements for a graded approach to risk assessment. These requirements are set for three “Capability Categories” representing three levels of detail. Guidance is not provided as to which capability category is appropriate for risk-informed decisions. This is left to the judgment of the risk analyst.The probabilistic risk assessment (PRA) standards for internal events and for fire have been piloted and updated in past studies and are further along in terms of common usage, regulatory review, and familiarity by nuclear industry engineers than is the case for seismic risk. While seismic PRAs (SPRAs) have been conducted for research pur-poses and in response to the Individual Plant Evaluation for External Events (IPEEE), no systematic SPRA has been conducted using the new SPRA standard requirements. Dominion Generation teamed with Electric Power Research Institute (EPRI) to con-duct this Pilot study of the Surry nuclear plant.The purpose of the EPRI pilot project was twofold: To evaluate the process, require-ments, and results involved in updating the Surry SPRA developed for the IPEEE program using modern SPRA methods such that it can meet regulatory approval and be used in future risk-based decision making. To review the requirements in the ASME/ANS SPRA Standard to determine if they are reasonable or require clarification rela-tive to the current state of the art in performing SPRAs.This paper focuses on the key results from this SPRA Pilot project.

5:00 PMSeismic PSA of Kernkraftwerk Neckarwestheim Unit 2P. Amico, A. Lubarsky, I. Kouzmina and M. Khatib-Rahbar (a), M. Ravindra (b), W. Tong (c), A. Strohm, J. Rattke, W. Schwarz (d), D. Rittig (e)a) Energy Research, Inc., Rockville, MD, b) Consultant, Irvine, CA, c) Simpson, Gumpertz & Heger, Newport Beach, CA, d) EnBW Kernkraft GmbH, Neckarwestheim, Germany, e) GKN Consultant, Köln, Germany

In accordance with German nuclear regulations, a seismic PSA (SPSA) was performed on Kernkraftwerk Neckarwestheim Unit 2 (GKN II), a PWR located in Germany near Stuttgart. The study was conducted using techniques that comply with both German PSA guidelines and the ANS (now ASME/ANS) standard requirements for SPSA. The study found that the seismic design of the plant is quite high given the seismic hazard at the site. As a result, seismic core damage frequency contributes approximately 1% to total core damage risk of the plant. The risk is dominated by seismically-induced plant shutdown (no loss of offsite power) followed by random failures and human er-rors, and the dominant seismic events are at the low end of the hazard curve. The results are essentially insensitive to most seismic-related inputs, but are sensitive to the human error probabilities used. The walkdown did indentify few housekeeping items that could compromise the seismic performance of a few components, which the plant is addressing.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 3:45 PM - Salon A

Seismic PSA - 3Session Chair: Kohei Hisamochi

55

3:45 PMDevelopment of a Standard for Risk-Informed Decision Mak-ingYoshiyuki Narumiya and Munehiro Yasuda (a), Akira Yamaguchi (b), Masashi Hirano (c)a) The Kansai Electric Power Co., Inc., Osaka, Japan, b) Department of Energy and Environment Engi-neering, Osaka University, Osaka, Japan, c) Japan Atomic Energy Agency, Tokai, Japan

Atomic Energy Society of Japan (AESJ) has developed a standard which provides the underlying requirements and procedures commonly applicable to Risk-Informed Decision Making (RIDM) applications for facilitating changes in safety-related activi-ties of all kinds. The Nuclear and Industrial Safety Agency (NISA) that is the Japa-nese regulatory body issued Basic Guideline bearing Risk Informed Regulation (RIR) applications in mind. It is noted that NISA gives encouragement in the Guideline to the utilization of risk information in safety related activities of Nuclear Power Plants (NPPs). Accordingly, it is a matter of course that the risk information is useful and trust-able not only for the licensees to submit applications but also for the regulatory agency to review and examine the application from the licensees. The AESJ standard, “the Standard of Implementation on the Use of Risk Information in Changing the Safety Related Activities” has been developed. In the standard, the basic idea and common concept on the rules and requirements that should be implemented by the utilities are described in consistent with the requirements stated in the NISA Basic Guideline. Individual standards with specific applications will be expected to be developed in the future according to RIDM applications.

4:10 PMTechnical Overview of Japan’s Standards for Riskinformed Decision MakingAkira Yamaguchi (a), Yoshiyuki Narumiya (b), Mitsumasa Hirano (c)a) Osaka University, Osaka, Japan, b) Kansai Electric Power Co. Ltd., Osaka, Japan, c) Tokyo City University, Tokyo, Japan

The paper presents the Japanese practice of the probabilistic safety assessment (PSA) technology development and its application to the safety design/operation and the safety regulation. The Nuclear Safety Commission has issued the safety goal, performance objectives and the basic policies toward the risk informed decision mak-ing. The Nuclear and Industry Safety Agency has published the guidelines for the risk informed regulation and the for the PSA quality. Conforming to the movement of the regulatory agencies, standards have been developed by the Atomic Energy Society of Japan. The AESJ has developed the Standards Committee in 1999 and has made a number of PSA standards. At present, the AESJ has issued standards for Level 1, 2, and 3 PSA, seismic PSA at power, Level 1 PSA during shutdown state, and estimation of PSA parameters and data. Additionally standard concerning the usage of the risk information in changing the safety related activities has been issued. Hence the stan-dards for internal PSAs have been completed and are ready for extensive use in the risk-informed decision making (RIDM) process. Development of standards for other dominant risk contributors, e.g. fire risk and internal flood risk are under consideration. Moreover, we recognize the necessity of developing the standard for individual RIDM applications in opportune occasions.

4:35 PMNPSAG- Nordic PSA-Group – Performed and Ongoing Re-search ProgramGöran HultqvistForsmark Kraftgrupp AB, Östhammar Sweden

The Nordic PSA Group NPSAG was founded in December 2000 by the nuclear utilities in Finland and Sweden. In addition, the Swedish Nuclear Power Inspectorate (SKI) participates as an observer, and also takes part in the funding of many of the projects. NPSAG is intended to be a common forum for discussion of issues related to proba-bilistic safety assessment (PSA) of nuclear power plants, with focus on research and development needs. The group follows and discusses current issues related to PSA nationally and internationally, as well as PSA activities at the participating utilities. The group initiates and co-ordinates research and development activities and discusses how new knowledge shall be used. Important on-going activities concern CCF and dependent failures in general, as well as applications of PSA. In addition, a general and quite extensive discussion has been initiated about data for PSA models. The discussion concerns a number of issues, ranging from types of data needed to future procedures for data collection, processing and analysis. Over the years, international contacts have increased, especially with partners in Europe (initiated by BWROG As-sociate program and EU-research contacts). This is in line with the group’s aim to create a common and lasting basis for the performance of PSA and for risk informed applications of PSA in Europe. One important result is a common pilot project with VGB (Germany) on multi-national CCF data analysis. The paper gives an overview of NPSAG projects – past and present, and of the types of international contacts and information collection activities of the group.

5:00 PMRecent Advances in Developing Guides and Standards for In-ternal Flooding PRAKarl N. Fleming and Jean Francois RoyKNF Consulting Services LLC, Spokane, WA

The Electric Power Research Institute has sponsored many projects to improve and upgrade the technology for Probabilistic Risk Assessments (PRAs) and associated ap-plications at nuclear power plants as part of their PRA Scope and Quality Program. The focus of this paper is to highlight some recent advances in the development of guides and standards in the evaluation of accident sequences initiated by internal flooding. The topics addressed include the development of guidelines for the performance of a PRA in a manner that meets the technical requirements in the ASME/ANS PRA standard, and the development of a data base of piping system failure rates for use in estimating flood-induced initiating event frequencies. Examples are shown of how these methods and tools have been used to support the evaluation of design, inspec-tion, and surveillance strategies to reduce the risk of internal-flood induced accident sequences. Progress made recently in the enhancement of PRA standards for internal flooding PRA (IFPRA) that take advantage of these developments is also discussed.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 3:45 PM - Salon B

PSA Standards - 1Session Chair: Barry Sloane

56

3:45 PMProposed Approach for Simple Support System Initiating Event (SSIE) Fault TreesMichael Lloyd (a), Heather L. Detar (b), Ashley Peterman (c)a) Risk Informed Solutions Consulting Services, Inc., b) Westinghouse Electric Corporation, c) Xcel En-ergy Company

This paper introduces several new support system initiating event (SSIE) modeling methods. Incentive for developing these methods was provided by inadequacies in those currently used and difficulty in implementing the Explicit Event method recom-mended in EPRI Technical Update Report 1016741. One of these new SSIE modeling methods, the Composite method, was found to have valuable characteristics: it can accurately estimate the SSIE frequency, is relatively easy to implement, use, maintain, and document, can be used as a stand-alone SSIE model or integrated into a PRA model, is consistent with existing PRA software capabilities, and meets all applicable requirements of the PRA Standard and Reg. Guide 1.200. As such, the Composite SSIE method is recommended for general use in the industry. This method should be considered a tool available to PRA analysts who have immediate need for a practical and easily implemented SSIE modeling method which can be integrated with a full PRA model and applied in risk applications. This paper describes the Composite SSIE model in detail and briefly describes two other SSIE methods developed in support of this paper. It describes applicable PRA requirements related to SSIEs and describes limitations of the Composite and other models. The paper also provides a detailed example application of the Composite modeling method to create a SSIE fault tree from a post-initiator support system fault tree of a simplified hypothetical but realistic Service Water (SW) plant support system. The Composite SSIE model was quanti-fied and its cutset and frequency results were verified to be reasonable by comparing them with the results obtained from the other two new methods. Example sensitivity analyses were performed using the Composite model results to demonstrate the effect of varying SSIE model assumptions.

4:10 PMUpdated and Improved Methodology for treating Interfacing System LOCAsC.H. Matos and R.J. Wolfgang (a), D.E. Gaynor (b)a) ERIN Engineering, West Chester, PA, b) Entergy Nuclear

Interfacing system loss of coolant accidents (ISLOCAs) are caused by the failure of piping and other components designed for low pressures as a result of their exposure to high pressure reactor coolant. Because piping susceptible to ISLOCAs is routed both inside and outside containment, the potential exists for unmitigated LOCAs and for containment bypass and subsequent radionuclide release to the primary auxiliary building (PAB). Due to the need for quantification of risk caused by an interfacing sys-tem LOCA, it was necessary for a methodology to be developed that met the ASME PRA Standard. This was done for a specific plant and followed NUREG/CR-5744 in providing screening criteria. Using the criteria from NUREG/CR-5744, all lines that penetrate containment were checked. Lines were checked against the screening cri-teria if they directly connected an interfacing system and the reactor coolant system. Lines that did not meet the screening criteria were retained as susceptible to ISLOCA. Additional lines were susceptible if valves in the line were periodically stroke-tested. Using this list, ISLOCA pathways were determined. Some were screened out after qualitative and quantitative reasoning. The remaining lines were modeled in a fault tree using CAFTA software. Values for component failure were obtained from either generic or plant specific sources. Finally, pipe fragilities were determined. NUREG/CR-5603 was used to determine the line rupture frequency given the identifying char-acteristics of the pipe from piping schedules. Quantification of this model gave an ac-curate representation of the risk due to an ISLOCA event for this specific plant.

4:35 PMSupport System Initiating Events – Selection of a Modeling Method for the Columbia Generating Station PSAEric J. Jorgenson (a), Albert T. Chiang (b)a) Maracor Software & Engineering, Inc., Seattle, WA, b) Energy Northwest, Columbia Generating Sta-tion, Richland, WA

This paper examines the considerations made to select the most suitable method to model and quantify the support system initiating events for the Columbia Generating Station Probabilistic Safety Assessment (Columbia PSA). EPRI 1016741 [1], which was utilized as the primary resource for these considerations, documents selection considerations and technical approaches for the three generally known methodolo-gies: 1) explicit event method, 2) point-estimate fault tree method, and 3) multiplier method. The Columbia PSA development team sought specific features for the SSIE modeling, with a primary goal of meeting Capability Category II of the ASME / ANS Combined Standard. This work was performed in 2008 and 2009 as part of an internal events PSA upgrade to meet Capability Category II of the ASME/ANS Probabilistic Risk Assessment (PRA) Standard [2], in accordance with Regulatory Guide 1.200 [3]. Although the EPRI 1016741 SSIE guidance encourages using the explicit event method, the multiplier method was found to offer overwhelming advantages for the Columbia PSA and provided the specific features that the PSA development team sought. To develop the SSIE multiplier modeling, the methodologies recommended by EPRI 1016741 were utilized. This paper does not detail the methodologies, as this would be duplicative, but instead provides the highlights of implementing the multiplier method. This paper also examines the concerns that PSA developers have cited for the multiplier method, and provides an assessment / resolution of each concern.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 3:45 PM - Carolina

Fault Tree Initiating EventsSession Chair: Mike Lloyd

57

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisTuesday March 15, 2011 - 6:30 PM - Grand Ballroom

Banquet

Kevin C. Walsh was named Senior Vice President, GE Hitachi Nuclear Energy (GEH) and Chief Executive Officer of Global Nuclear Fuel, LLC, the legal entity that manages the Global Nuclear Fuel joint venture of GE, Hitachi and Toshiba, headquartered in Wilmington, North Carolina in October 2009. In his role Kevin leads all nuclear fuel cycle activities for GEH, including the global BWR fuel business and the recently formed laser enrichment business.

Kevin joined GEH from his most recent role as General Manager-Nuclear Services on Sep-tember 4, 2006. Kevin is located at GE Nuclear Headquarters in Wilmington, NC where he is responsible for managing the Parts, Services and Repair work associated with GE’s Nuclear business globally.

Kevin joined GE as a Field Engineer in 1984. He subsequently served as Project Manager, Plant Manager of a 50 MW Cogeneration Power Plant in Bethpage, NY and later as Plant Manager of 250 MW Cogeneration Plant in Springfield, MA.

Kevin went on to positions in GE Energy Services as Manager-Long Term Service Agreements, General Manager-Opera-tions for Contractual Services, General Manager- Performance Services, and General Manager-Field Services where he had responsibility for over 1,500 Field Engineers leading the installation, uprate, and maintenance activities for both GE and non-GE large gas turbines, steam turbines and generators as well as supporting Industrial power delivery and drives and controls activities.

Kevin has 29 years experience in the Power Industry with an extensive background in Operations and Maintenance. He began his career sailing on ships in the Merchant Marine as a Licensed Engineer before joining GE. He attended the United States Merchant Marine Academy where he received a B.S. Degree in Marine Engineering.

Kevin C. Walsh - Senior Vice President, Nuclear Fuel Cycle, GE Hitachi Nuclear Energy

58

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 8:00 AM - Grand Ballroom

Plenary Session III

Dr. John E. Kelly was appointed Deputy Assistant Secretary for Nuclear Reactor Technolo-gies in the Office of Nuclear Energy in October 2010. He is responsible for the Department of Energy’s nuclear reactor research and development programs for Light Water Reactors, Gas Cooled Reactors, Small Modular Reactors, and advanced reactor concepts. His office is also responsible for the advanced modeling and simulation program within DOE-NE.

Prior to joining the Department of Energy, Dr. Kelly spent 30 years at Sandia National Labo-ratories where he was engaged in a broad spectrum of research programs in nuclear reactor safety, advanced nuclear energy technology, and national security. In the reactor safety field, he led efforts to establish the scientific basis for assessing the risks of nuclear power plant operation and specifically those risks associated with potential accident scenarios. His re-search focused on core melt progression phenomena and led to an improved understanding of the Three Mile Island accident. In the advanced nuclear energy technology field, he led Sandia’s efforts to develop advanced concepts for space nuclear power, Generation IV reac-tors, and proliferation-resistant and safe fuel cycles. These research activities explored new technologies aimed at improving the safety and affordability of nuclear power. In the national security field, he led national efforts to evaluate the safety and technical viability of tritium production technologies.

Dr. Kelly is an active member of the American Nuclear Society and has served on the Nuclear Installations Safety Division for the last 2 decades in a number of leadership positions. His committee work has focused on increasing the publication of scientific work in the nuclear safety field and in developing national positions on the safety of nuclear power.

Dr. Kelly received his B.S. in nuclear engineering from the University of Michigan in 1976 and his Ph.D. in nuclear engi-neering from the Massachusetts Institute of Technology in 1980.

John Kelly - DOE Deputy Assistant Secretary for Nuclear Energy

59

9:00 AMExtension of CAFTA with Dymonda Module To Analyze Dy-namic Accident ScenariosScott Dixon, Michael Yau, Sergio GuarroASCA, Inc., Redondo Beach, CA

This paper discusses the development and applications of an advanced Probabilistic Risk Assessment (PRA) tool. This tool is an integration of the ASCA, Inc. developed Dymonda software and the EPRI managed CAFTA software. This integrated tool extends the “conventional PRA” capabilities of the CAFTA software to solve time-dependent accident scenarios completely within the CAFTA environment. The class of time-dependent scenarios targeted contains recovery actions and time dependencies. Solutions to this class of scenarios traditionally require calculations external to CAFTA which are generally difficult to manage. The integrated tool permits the modeling and analysis of the aforementioned time-dependent scenarios entirely within the CAFTA environment without doing any external calculations. Under EPRI sponsorship, this integrated tool was applied to the Loss of Offsite Power (LOSP) time-dependent risk scenario for the Turkey Point Nuclear Facility. In the first phase, a loosely coupled method was applied which used DFM models to identify “recovery rules” and correc-tion factors to account for the possibility of time-dependent offsite power and/or diesel power recovery. In the second phase, a closely coupled solution was implemented. The dynamically consistent LOSP cut-sets were identified and quantified by means of DFM models. The cut-set information was then transmitted into CAFTA in standard-PRA-compatible format. Ongoing work is being done to apply this integrated tool to a case study involving fire risk scenarios with HRA (Human Reliability Analysis) as-pects.

9:25 AMHeartbeat Model for Component Failure Time in Simulation of Plant BehaviorR. W. Youngblood, R. R. Nourgaliev, D. L. Kelly, C. L. Smith, and T-N. DinhIdaho National Laboratory, Idaho Falls, ID

As part of the Department of Energy’s “Light Water Reactor Sustainability Program” (LWRSP), we are developing a methodology and associated tools for risk-informed characterization of safety margin that can be used to support decision-making about plant life extension beyond the first license renewal. Beginning with the traditional dis-cussion of “margin” in terms of a “load” (a physical challenge to system or component function) and a “capacity” (the capability of that system or component to accommodate the challenge), we are developing the capability to characterize realistic probabilistic load and capacity spectra, reflecting both aleatory and epistemic uncertainty in system behavior. This way of thinking about margin comports with work done in the last 10 years. However, current capabilities to model in this way are limited: it is currently pos-sible, but difficult, to validly simulate enough time histories to support quantification in realistic problems, and the treatment of environmental influences on reliability is rela-tively artificial in many existing applications. The INL is working on a next-generation safety analysis capability (widely referred to as “R7”) that will enable a much better integration of reliability- and phenomenology-related aspects of margin. In this paper, we show how to implement cumulative damage (“heartbeat”) models for component reliability that lend themselves naturally to being included as part of the phenomenol-ogy simulation. Implementation of this modeling approach relies on the way in which the phenomenology simulation implements dynamic time step management. Within this approach, component failures influence the phenomenology, and the phenom-enology influences the component failures.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Azalea

Dynamic PSA - 4Session Chair: Martina Kloos

60

9:00 AMUsing PRA to Improve Safety Through Design and Operation-al ChangesRobert LutzWestinghouse Electric Company, Cranberry Township, PA

The design and operation of the existing fleet of nuclear power plants was based on conservative design basis analyses to show reasonable assurance of compliance with regulatory requirements. These conservative analyses were often focused on meeting singular requirements using very detailed, focused analyses without consideration of the overall safety impact. With the maturing of Probabilistic Risk Assessment (PRA) as a tool for risk-informed decision making, the opportunity exists to re-visit some of design and operational features of the plants in light of their overall impact on safety as measured by risk metrics of core damage frequency (CDF) and large early release frequency (LERF).Using risk assessment techniques, several changes to existing design features and emergency procedures can be identified that would result in a decrease in either CDF or LERF, but just as importantly reduce uncertainties and provide additional defense in depth. Thus an overall improvement in safety can be obtained. One of the most risk significant changes identified is elimination of automatic initiation of containment spray on high containment pressure. Another key change that has been identified is the elim-ination of rapid starting and loading of the diesel generators. Insights from the PRA have also been used to change Emergency Operating Procedures to decrease the potential for operator errors in performing key actions that impact CDF or LERF. The barrier to implementation of these changes is, in some cases, the approved analysis methods to show compliance with various deterministic regulatory requirements. This paper describes the basis for recommending these design and operational changes as well as regulatory barriers to change.

9:25 AMAn Approach for Holistic Consideration of Defence in Depth for Nuclear Installation Using Probabilistic TechniquesI. Kuzmina, M. El-Shanawany, M. Modro, and A. LyubarskiyInternational Atomic Energy Agency, Vienna, Austria

The concept of defence in depth (DiD) is fundamental to the safety of nuclear instal-lations. DiD is referred in the safety standards produced by the International Atomic Energy Agency (IAEA) as the primary means of preventing and mitigating the con-sequences of accidents in nuclear installations. DiD provides a hierarchical deploy-ment of quality independent different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radioactive materials, the workers, public, and the environment during normal operation states and potential accident conditions. DiD ensures that a high level of safety is achieved with sufficient margins to compensate for potential equipment failures and human errors. Several publications were produced by the IAEA on DiD over the last twenty years that summa-rized the basic principles for DiD and provided high-level guidance on the assessment of defence in depth for nuclear power plants (NPP). The IAEA is further developing the approach for the representation and assessment of DiD in nuclear installations em-phasizing the need for a holistic consideration of the levels of DiD in conjunction with deterministic and probabilistic goals and success criteria. Particularly, an investigation is being conducted by the IAEA to explore on the use of probabilistic techniques for the assessment of compliance with DiD for new NPP designs. Different categories of initiating events are considered in conjunction with equipment reliability requirements. The paper summarizes the available outcome of the work and outlines a possible holistic approach for effective application of DiD principles.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Camellia/Dogwood

Risk-Informed Decision Making - 2Session Chair: Dana Kelly

61

9:00 AMThe Past and Current Proliferation Resistance R&D Activities in KAERIHo-Dong Kim, Hong-Lae Chang, Won Il Ko, Hee-Sung Shin, Seong-Kyu AhnKorea Atomic Energy Research Institute, Daejeon, Republic of Korea

The Republic of Korea has carried out vigorous research and development activities on nuclear fuel cycle technology options such as direct disposal, Direct Use of PWR Spent fuel in CANDU Reactors (DUPIC), and pyroprocessing for the management of spent fuel. Since the proliferation resistance is one of the key issues in the fuel cycle option studies, the Koran Atomic Energy Research Institute (KAERI) has engaged in R&D to develop methodologies to evaluate the proliferation resistance of nuclear fuel cycles, as well as to enhance the level of proliferation resistance. This paper intro-duces the past and current R&D activities undertaken at the KAERI on the evaluation of proliferation resistance of direct disposal, DUPIC and pyroprocessing fuel cycles, as well as on international collaboration within the framework of INRPO and Generation IV International Forum in the area of proliferation resistance of nuclear energy sys-tems. KAERI is currently performing an IAEA Member State Support Program (MSSP) on the safeguards approach development for the pyroprocessing facility. Even though the pyroprocessing technology is still in the development stage, efforts to make a vulnerability assessment of pyroprocessing with available design information are cur-rently undertaking. (Not included in proceedings)

9:25 AMThe Need for Proliferation Risk AssessmentWilliam E. BurchillConsultant, Past President, American Nuclear Society

This paper presents the need for quantitative assessment of proliferation risk. Current non-proliferation methodologies provide a basic taxonomy of proliferation pathways. However, the relative likelihood of these pathways is currently known only qualitatively, subjectively, incompletely, and in many cases arguably, i.e., there is disagreement among experts. Therefore, efforts to quantify all elements of proliferation pathways including the effectiveness of various proliferation barriers would provide significant insights with which to guide policies and actions to deter potential proliferators. PRA (probabilistic risk assessment) techniques could be applied to close this knowledge gap. This paper refers to this application as “proliferation PRA.”

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Magnolia

Proliferation Risk - 1Session Chair: William E. Burchill

62

9:00 AMFire Analyses Performed by Empresarios Agrupados for some Spanish NPPsPedro Fernández RamosEmpresarios Agrupados, Madrid, Spain

Spanish nuclear power plants are undergoing a process of updating their fire risk analyses as part of the requirements for updating the probabilistic safety analyses in the framework of periodic safety revisions. In some cases, this is also part of the transition process to NFPA 805 as an alternative to the current licensing bases for fire protection.Because part of the transition process requires carrying out analyses such as: A deterministic fire analysis A probabilistic fire analysisEmpresarios Agrupados has undertaken to carry out both the deterministic and proba-bilistic analyses for the nuclear power plants at Almaraz, Ascó and Vandellós 2, all of which are Westinghouse PWR plants.

9:25 AMApplication of the NUREG/CR-6850 EPRI/NRC Fire PRA Meth-odology to a DOE FacilityHeather Lucek, Jim Bouchard, Tom Elicson, Ray Jukkola, Duan Phan (a), Bentley Harwood and Richard Yorg (b)a) WorleyParsons Polestar, Inc, Idaho Falls, ID, b) Battelle Energy Alliance, LLC, Idaho Falls, ID

The application NUREG/CR-6850 EPRI/NRC fire PRA methodology to DOE facility presented several challenges. This paper documents the process and discusses sev-eral insights gained during development of the fire PRA. A brief review of the tasks performed is provided with particular focus on the following:• Tasks 5 and 14: Fire-induced risk model and fire risk quantification. A key lesson learned was to begin model development and quantification as early as possible in the project using screening values and simplified modeling if necessary.• Tasks 3 and 9: Fire PRA cable selection and detailed circuit failure analysis. In retro-spect, it would have been beneficial to perform the model development and quantifica-tion in 2 phases with detailed circuit analysis applied during phase 2. This would have allowed for development of a robust model and quantification earlier in the project and would have provided insights into where to focus the detailed circuit analysis efforts.• Tasks 8 and 11: Scoping fire modeling and detailed fire modeling. More focus should be placed on detailed fire modeling and less focus on scoping fire modeling. This was the approach taken for the fire PRA.• Task 14: Fire risk quantification. Typically, multiple safe shutdown (SSD) components fail during a given fire scenario. Therefore dependent failure analysis is critical to ob-taining a meaningful fire risk quantification. Dependent failure analysis for the fire PRA presented several challenges which will be discussed in the full paper.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Salon A

Fire PSA Methods - 6Session Chair: Pedro Fernández Ramos

63

9:00 AMRecent Updates of Risk Assessment Standardization Proj-ect (RASP) Handbook for Risk Assessment of Operational EventsS.M. Wong, C.S. Hunter, and F.P. BonnettU.S. Nuclear Regulatory Commission, USNRC, Washington, D.C.

This paper provides an overview of recent updates and ongoing activities to enhance the NRC Risk Assessment Standardization Project (RASP) Handbook for risk assess-ment of operational events. This RASP Handbook was developed to provide consis-tent methods for use by NRC staff in performing risk assessments in various risk-in-formed regulatory applications. The Handbook describes methods that are used in risk analysis of plant conditions for Significance Determination Process (SDP) Phase 3 analyses, and for the Accident Sequence Precursor (ASP) program and Management Directive (MD) 8.3 event assessments. Revision 1 of the RASP Handbook containing Volumes 1, 2 and 3 has been updated on a periodic and as-needed basis, based on user comments and insights gained from field application of the documents. In concert with ongoing activities to enhance the RASP Handbook, new topics are being added to future revisions of the Handbook to streamline risk assessments performed by NRC staff.

9:25 AMExamples of Risk Assessments in Support of Significance Determination Process (SDP) Evaluations at San Onofre Nu-clear Generating Station (SONGS)Parviz Moieni, Michelle P. Carr, Craig F. NierodeSouthern California Edison

The purpose of this paper is to describe a few examples of risk assessments in support of significance determination process (SDP) evaluations at SONGS. The SDP uses probabilistic risk assessment (PRA) methods to assess the safety significance of vari-ous findings or events at nuclear power plants (NPPs). The focus of this paper is on Phase 3 SDPs, where detailed PRA evaluations performed by the NRC’s senior reac-tor analysts (SRAs) and plant PRA staff, are used to determine the safety significance of the findings or events. SDPs are typically used to assess the safety significance of events documented in Licensee Event Reports (LERs), inspection findings, and equipment failures or deficiencies impacting the plant risk. The examples discussed in this paper include the safety significance evaluations of: 1) a loss of emergency core cooling system (ECCS), 2) a loss of main feedwater (LMFW) event, 3) a seismically unrestrained 4.16 kV breaker, and 4) potential inadequate Maintenance Rule (a)(4) risk assessment due to erroneous room heat up calculation results used in the PRA model.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Salon B

Significance Determination ProcessSession Chair: Greg Krueger

64

9:00 AMApplication of Low Power and Shutdown PSA Insights to Development and Implementation of Full Scope Severe Ac-cident Management Guidelines Covering All Plant Operating States for VVER And PWR in EuropeOleg Solovjanov (a), Robert Lutz (b), Antoine Rubbers (a)a) Westinghouse Electric Belgium S.A., Nivelles, Belgium, b) Westinghouse Electric Company LLC, Cranberry, PA

Over the past fifteen years many of the nuclear power plants worldwide have been equipped with a capability for severe accident management. This has been driven partly by the Severe Accident Management Guidance (SAMG) developed by owners groups in the USA for plant specific applications. At the same time Probabilistic Safety Analyses (PSA) have been extended to shutdown and low power operation modes in many countries [1]. Many studies such as the shutdown PSA for Beznau, Koeberg, EdF 900/1300, and VVER plants in Central Europe (Hungary, Slovak and Czech Re-public) as well as latest industry events, such as Paks NPP shutdown fuel damage ac-cident [2], demonstrated that the core damage frequency from an accident occurring when at shutdown or low power operation modes was of the same order of magnitude and even higher (up to 80% of CDF for some plants) than the one at power.In response to the needs of the European community, Westinghouse has developed Shutdown SAMG (SSAMG) that is integrated into at-power Westinghouse Owners Group (WOG) SAMG to form a complete symptom-based SAMG package applicable to all Plant Operational States (POS). The development of the SSAMG is based on the shutdown and low power PSA studies performed for the European plants. The principal changes required in the entry conditions, diagnostic parameters, diagnostic prioritization, as well as specific severe accident guidelines and development of new guideline. The SSAMG methodology based on this approach is matured and has been implemented at several operating plants with different reactor types: Westinghouse PWR, AREVA PWR, and VVER.The impact of SSAMG has also been included in a number of recent PSAs for plants that have implemented the SSAMG and this has tended to lead to a reduction in the core damage frequency, large early release frequency, and source term frequencies.The Westinghouse methodology to extend the applicability of the WOG SAMG to shutdown and low power conditions and the basis derived from the low power and shutdown PSA studies is described.

9:25 AMQuantification of A 3 Loops Westinghouse PWR Outage Key Safety Functions Using Probabilistic Safety AssessmentM.M. Cid, J.Dies, C.Tapia, O.ViñalsNuclear Engineering Research Group (NERG), Department of Physics and Nuclear Engineering (DFEN), Technical University of Catalonia (UPC), Barcelona, Spain

The developed methodology provides a guidance of the systematic of using Proba-bilistic Safety Assessment (PSA) for the evaluation of guides or procedures which ensure the compliment of the Outage Key Safety Functions (OKSF) in nuclear power plants. As a pilot experience, the methodology has been applied to the 3th and 13th Operational Plant State (OPS), always within the operational mode 4 of a 3 loops Westinghouse Pressurized Water Reactor. The analyzed procedure requires the oper-ability of just one charge pump as boric acid supply source. PSA gives a Core Damage Frequency increase (DCDF) of 1.19·10-6 year-1 for the pump in standby, consequent-ly, an exposure time T= 53.6 hours. Given an average time for the OPS of 40 hours, it is concluded the correct treatment of the procedure. However, it could be improved with the inclusion of an additional inventory replacement function. This would limit the charge pump unavailability. On the other hand, the availability of the external electri-cal sources is ratified. The procedure requires the operability of both supplies during the OPS. The unavailability of one of them (transformer fail) involves a DCDF equal to 1.64·10-5 year-1 and a T= 3.89 hours. Then, it is considered appropriate the treatment of the procedure from the PSA point of view.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 9:00 AM - Carolina

Shutdown PSA - 1Session Chair: Robert Budnitz

65

10:05 AMThe Performance And Importance Analysis Of Power Sys-tems Based On Bayesian NetworksShubin SI, Caitao LI, Zhiqiang CAI, Wei HUMinistry of Education Key Laboratory of Contemporary Design and Integrated Manufacturing Technology, School of Mechantronics, Northwestern Polytechnical University, Shaanxi, P.R. China

Because the power systems are becoming more gigantic, it is important for the power corporations to monitor the performance of power systems and determine which ob-ject needs maintenance most in the operation. With the advantages of describing uncertain variables and conditional independence relationships, we introduce the Bayesian network (BN) to build the performance and importance analysis model of power systems in this paper. The standard multilayer BN (MLBN) unit is put forward at first to represent different kinds of inner or outer factors in the power system. Then, the special meanings of nodes and edges in the equipment layer, station layer and network layer of MLBN are discussed in detail. Third, the integration method of MLBN in these three layers is also described to facilitate the modeling and inference process. Based on the built MLBN model of power system, the system performance and impor-tance analysis approaches are demonstrated with corresponding posterior probability distributions. At last, the case study based on the Yunnan electric power corporation (China) is implemented. The practical transformer model shows that the proposed MLBN method can describe the inner & outer factors and relationships well to provide useful performance and importance analysis helps.

10:30 AMFast Calculation Methods of Importance Measures in the Fault Tree AnalysisWoo Sik Jung and Joon-Eon YangKorea Atomic Energy Research Institute, Daejeon, South Korea

This paper explains improved methods to calculate importance measures that are based on Rare Event Approximation (REA) and Min Cut Upper Bound (MCUB) prob-abilities. The new methods were developed to accelerate the importance measure cal-culation of enormous Minimal Cut Sets (MCSs). The new methods embody one-time accessing of the MCSs and individual quantification of MCSs. By the new methods for the importance measure calculations of huge MCSs, the MCSs are individually accessed and quantified just one time regardless of their location in a hard disk or computer memory. By virtue of the individual quantification of MCSs, these methods do not require a large computer memory and they can be used even when the huge MCSs cannot be loaded into a memory.Additionally, a fast computing method of the importance measures by the Zero-sup-pressed Binary Decision Diagram (ZBDD) structure is introduced in this paper. The ZBDD-based importance measure calculation also realizes the one-time accessing of the MCSs. However, the acceleration with the ZBDD is limited to the case of impor-tance measure calculation using REA probabilities and the case when the ZBBD can be loaded into a memory. That is, there is no available acceleration method for the importance measures using MCUB probabilities.

10:55 AMUtilizig Degradation Monitorig for Operatioal Risk AssessmetBulent Alpay and James Paul HollowayDepartment of Nuclear Engineering and Radiological Sciences, University of Michigan, Ann Arbor, MI

System/component degradations in nuclear power plants lead to reduction in system performance and plant economy, and further challenge safe operation of a plant by reducing the safety margins if they remain undetected. In many instances, it is hard to observe the signatures of degradation on the system behavior directly due to inef-ficient sensor placement, small disturbances as compared to measurement uncertain-ties, etc. Simultaneous multicomponent degradations may also mask the signatures of the degradations. For the cases when degradations in components/systems are detected and estimated, quantifying the operational risk associated with these degra-dations in that NPP in a timely manner is essential.We propose a degradation monitoring technique that is capable of detecting and es-timating simultaneous multicomponent degradations for high dimensional and highly nonlinear systems. We present a degradation monitoring technique based on sequen-tial Monte Carlo filtering with an adaptive Markov chain Monte Carlo (MCMC) step. This step works as a multiple hypotheses testing algorithm in which the hypotheses are constructed by utilizing a degradation database, which is compiled via past opera-tional experience and manufacturer specifications. The adaptation scheme is based on a comparison of reproducibility of the limited number of measurements of the par-ticles coming from the filter itself and from the degradation database to estimate the degradations in the components. A loworder model of a balance of plant of a boiling water reactor (BWR) is chosen as a demonstrative application. We show tests of our degradation monitoring algorithm for the estimation of nominal states, and multicom-ponent degradations.In addition, we utilize the resistancestress model taken from structural reliability analy-sis to evaluate the functional/performance failure probability of a degraded system and further assess its risk on plant operation.

11:20 AMQuantitative Risk Assessment Using Hybrid Causal Logic ModelYan Fu Wang, Min Xie, Shahrzad Faghih RoohiDepartment of Industrial & Systems Engineering, National University of Singapore, Singapore

This paper presents a hybrid causal logic model, which integrates the traditional Quantitative Risk Assessment (QRA) models with Bayesian Network (BN) incorpo-rating human and organizational factors. The multi-phase model allows different risk assessment methods to be applied to different parts. In the first phase, Event Tree (ET) defines the base scenarios for the source of risk issues. In the second phase, Fault Tree (FT) is used to model the factors how to contributing to the final failures. BN comprise the third phase, which extends the causal chain of basic events to potential human and organizational roots and provide a more precise quantitative links between the event nodes. The new model integrates the power of typical QRA for modeling de-terministic causal paths with the flexibility of BN for modeling non-deterministic cause-effect relationships. The integration algorithm is demonstrated on an offshore fire case study. It clearly shows the new model is more flexible and useful than traditional QRA models.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Azalea

Advanced PSA MethodsSession Chair: Jeff Riley

66

10:05 AMRisk-Managed Technical Specifications Application At STP: More Than Three Years Of ExperienceFatma Yilmaz, Ernie Kee, and Rick GrantomSouth Texas Project Electric Generating Station, Wadsworth, TX

South Texas Project (STP) implemented Risk-Managed Technical Specifications (RMTS) in 2007. The overall objective of the RMTS initiative is to provide a risk-based approach to assign the amount of time allowed (allowed outage time, AOT) for certain equipment important to safety to be out of service. Classically, Technical Specifica-tions have been written with AOTs based on heuristics or deterministic criteria. As a consequence, maintenance events unimportant to safety have caused unneces-sary plant shutdowns or significant Regulator and plant staff resources to determine a more reasonable time (for example, Notice of Enforcement Discretion). Three and a half years after implementation, the STP RMTS program has proved its worth, giving unprecedented operational flexibility to STP by delivering possibly the largest operat-ing envelope with respect to Technical Specifications in any US commercial nuclear electric generating station. From the perspective of the STP Risk Management group, there have been some lessons learned about the program’s implementation. In this article, we focus primarily on experience with the plant application, Risk Informed Completion Time Calculator (RICTCal), which provides Operators the tool needed to accurately determine the limiting times associated with RMTS.

10:30 AMA Proposed Framework for Integrated Risk-Informed Perfor-mance-Based Regulation for Nuclear Power PlantsJames K. Liming and David H. Johnson (a), C. Richard Grantom (b)a) ABSG Consulting Inc. (ABS Consulting), Irvine, CA, b) STP Nuclear Operating Company, Wadsworth, TX

This paper summarizes a refreshed perspective on a proposed integrated risk-informed performance-based regulatory framework via the application of probabilistic safety as-sessment (PSA). This perspective is refreshed, in that it is based on the considerable industry experience gained during the last decade in the implementation of important risk-informed applications (e.g., risk-managed technical specifications (RMTS), risk-informed surveillance frequency control programs (RI-SFCPs), risk-informed in-ser-vice testing programs (RI-IST), risk-informed in-service inspection (RI-ISI) programs, risk-informed graded quality assurance (RI-GQA) programs, etc.) and in the area of PSA standards development and implementation. The focus of this paper is to provide an integrated framework of proposed practical safety management metrics that can be effectively and efficiently applied in the regulation of commercial nuclear power plant design, construction, operation, maintenance, and decommissioning. The scope of the discussion in this paper includes treatment of conventional deterministic safety criteria as well as probabilistic risk criteria. The paper addresses both qualitative and quantitative aspects relating to this proposed regulatory framework.

10:55 AMInterpretation and Evaluation of the TS Criteria – Develop-ment of a Guidance DocumentOla Bäckström, Anna Häggström and Anders OlssonScandpower - Lloyd’s Register, Stockholm, Sweden

A nuclear power plant’s Technical Specifications (TS) define the limits and conditions for plant operation. The original TS were based on deterministic analyses and engi-neering judgments, but as the Probabilistic Safety Assessment (PSA) has developed it has shown to constitute a useful tool for evaluating many aspects of the TS from a risk point of view. The US NRC has fully adopted a risk informed decision process, in which PSA plays an important role. In the Nordic countries the use of risk informed methods has been discussed since the early nineties, but on the whole the methods have only been applied on a case by case basis.It is however expected that the use of risk informed decision making will increase sig-nificantly in the coming years with on-going modernization and power uprate projects, which require TS to be updated. Within a co-operation project between Nordic Nuclear Safety Research (NKS) and the Nordic PSA Group (NPSAG) the different aspects that must be taken into account in a risk based evaluation process of TS changes have been studied. The aim has been to produce a guidance document covering the most important issues to consider, but not to point out a single method as the only accept-able one.

11:20 AMFleet Wide Pursuit of Risk-Informed Initiative 5B - Surveil-lance Frequency Control Program (SFCP) at Exelon Nuclear StationsPhilip Tarpinian (a), Glenn Stewart (b), Victoria Warren (c)a) Exelon Nuclear, Limerick Generating Station, Pottstown, PA, b) Exelon Nuclear, Licensing & Regula-tory Affairs, Kennett Square, PA, c) ERIN Engineering and Research, Inc., West Chester, PA

Exelon Nuclear’s Limerick Generating Station (LGS) became the first plant to receive Nuclear Regulatory Commission (NRC) approval in September of 2006 to control its own surveillance test intervals via a Surveillance Frequency Control Program (SFCP). Exelon is now pursuing a fleet wide strategic initiative to implement the SFCP at its other nine (9) nuclear stations utilizing the regulatory framework established by the NRC. Exelon submitted license amendment requests (LARs) to the NRC for these nine stations in the 2009 and early 2010 timeframe. These LARs utilize Technical Specification Task Force (TSTF) traveler TSTF-425, “Relocate Surveillance Frequen-cies to Licensee Control - RITSTF Initiative 5b” that was subsequently developed based on the LGS pilot and NEI methodology and was approved by the NRC. The NRC granted approval to Exelon’s Peach Bottom Atomic Power Station in August of 2010, Oyster Creek Generating Station in September of 2010 and Three Mile Island Nuclear Station in January 2011. Exelon expects to receive approval from the NRC for the balance of its nuclear stations by early 2011. Implementation of the SFCP oc-curs within the timeframe approved by the NRC as specified in each site’s respective license amendment request (LAR) and is typically sixty (60) or one hundred twenty (120) days. Implementation of the SFCP at all Exelon sites is expected to be complet-ed by the mid 2011. Exelon will be adapting the SFCP process and procedures initially developed for Limerick to apply toward its entire nuclear fleet by the end of 2011. In the interim, sites are implementing the SFCP on a site-specific basis. This paper is sequel to a topical paper presented by Philip Tarpinian et al, titled “Implementation of a Risk-Informed Surveillance Frequency Control Program - A PRA Perspective” (Reference 1) at ANS PSA 2008 conference.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Camellia/Dogwood

Risk-Informed Technical SpecificationsSession Chair: Mike Snoderly

67

10:05 AMMethodology for Developing a Probabilistic Risk Assessment Model of Spacecraft Rendezvous and DockingsSteven J. Farnham II and Warren C. Grant (a), Michael G. Lutomski (b)a) ARES Corporation, League City, TX, b) NASA-JSC

In 2007 NASA was preparing to send two new visiting vehicles carrying logistics and propellant to the International Space Station (ISS). These new vehicles were the Eu-ropean Space Agency’s (ESA) Automated Transfer Vehicle (ATV), the Jules Verne, and the Japanese Aerospace and Explorations Agency’s (JAXA) H-II Transfer Vehicle (HTV). The ISS Program wanted to quantify the increased risk to the ISS from these visiting vehicles. At the time only the Shuttle, the Soyuz, and the Progress vehicles rendezvoused and docked to the ISS. The increased risk to the ISS was from a po-tential catastrophic collision during the rendezvous and the docking or berthing of the spacecrafts to the ISS. A universal method of evaluating the risk of rendezvous and docking or berthing was created by the ISS’s Risk Team to accommodate the increasing number of different spacecrafts, as well as the future arrival of commercial spacecraft, and the increasing number of rendezvous and docking or berthing opera-tions. Before the first docking attempt of ESA’s ATV and JAXA’s HTV to the ISS, a probabilistic risk model was developed to quantitatively calculate the risk of collision between each spacecraft and the ISS. Building on ATV’s rendezvous and docking risk model, probabilistic risk models for Soyuz and Progress were developed. These 5 rendezvous and docking models have been used to build and refine the methodol-ogy for rendezvous and docking of spacecrafts. This risk modeling methodology will be NASA’s basis for evaluating future spacecrafts’ hazards including the SpaceX’s Dragon, Orbital Science’s Cygnus, and NASA’s own Orion spacecraft. This paper will describe the methodology for developing a visiting vehicle risk model.

10:30 AMCommand Process Modeling for Safety during OperationsLeila MeshkatCalifornia Institute of Technology - Jet Propulsion Laboratory, Pasadena, CA

The design of the command generation process for the spacecraft during operations often occurs long before launch. The different phases of the spacecraft lifecycle during design, development and operations and the applicable command products for each phase are considered and the process needed for the development of these com-mands are then designed and documented. A command error is when the commands sent do not match the operator intent. Exam-ples include sending the wrong command, sending the right command twice, incorrect parameter settings, and sequence errors. Root causes include transcription errors, inadvertently selecting the wrong command because the names are non-intuitive, fail-ing to notice an error caught by an automated checker, lax execution of processes, incomplete awareness of the spacecraft state, and operations complexity.Although current processes catch 99.5% of all command errors, they account for an alarming fraction of spacecraft anomalies and near misses. This paper explains an ap-proach for more explicitly considering the trades involved during the design of the com-mand processes, in terms of risk and cost, in order to reduce commanding errors. The thesis is that this approach helps to reduce the commanding errors without increasing the costs associated with the command generation process. (Presentation Only)

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Magnolia

Space/Aircraft PSASession Chair: Steve Farminham

68

10:05 AMStudy on Seismic PSA for A BWR in Shutdown StateMasahide Nishio and Haruo FujimotoJapan Nuclear Energy Safety Organization, Tokyo, Japan

A seismic PSA was performed for a BWR4 plant in shutdown state, assuming that it is located in relatively high earthquake ground motion site. During periodic inspection, core decay heat decreases with time and reactor system configuration changes in accordance with maintenance work. Taking into consideration plant thermal-hydraulic situation and system configuration, periodic inspection period was divided into 6 plant operating states (POS). Earthquake-induced initiating events in shutdown state were selected for analysis. They were listed in the order of the extent of severity on core damage and their occurrence probability was calculated using hierarchy tree model. Seismic shutdown PSA models were constructed and accident sequence analysis was performed for each POS. As a result, the characteristics of core damage fre-quency such as dominant accident sequences, core damage probability per seismic acceleration, contributing factors to core damage frequency and important compo-nents with high FV importance were obtained. Comparison of core damage frequency between in shutdown state and in full power operation was performed, considering duration time of periodic inspection and full power operation in a year. Core damage frequency in periodic inspection was shown to be smaller enough than that in full power operation.

10:30 AMHuman Reliability Modeling in the Kernkraftwerk Mühleberg Seismic PSAR.F. Kirchner (a), E.T. Burns and V.M. Andersen (b), O. Zuchuat and Y. Bayraktarli (c)a) RFK Dynamics, Inc., Niskayuna NY, b) ERIN Engineering and Research, Inc., Campbell, CA, c) BKW FMB Energie AG, Mühleberg, Switzerland

The modeling of human interactions (HI) in a Seismic Probabilistic Safety Assessment (SPSA) is more difficult than in other types of PSA models because seismic events involve additional performance shaping factor considerations. Factors such as the magnitude of the seismic event, timeframe for actions, and location of actions all must be considered in operator reliability modeling. A seismic impact matrix method was developed for the Kernkraftwerk Mühleberg (KKM) SPSA in order to realistically model operating crew performance in seismic event response. In addition, the seismic fragil-ity of support structures that could impact operators was also considered. This paper describes the method developed for the KKM SPSA Human Reliability Assessment (HRA) including seismic performance shaping factors and quantification of related impacts.

10:55 AMA Procedure for The Computation of Seismic Fragility Of NPP Buildings with Base IsolationG. Bianchi, M. Domaneschi, D.C. Mantegazza and F. Perotti (a), L. Corradi dell’Acqua (b)a) Department of Structural Engineering, Politecnico di Milano, Milan, Italy, b) Energy Department, Po-litecnico di Milano, Milan, Italy

The research work here described is devoted to the development and testing of a nu-merical procedure for the computation of seismic fragilities for equipment and structural components in Nuclear Power Plants (NPP). Given the very low damage probabilities which are required in modern nuclear industry, attention is focused on the comparison between the performance of traditional and seismically isolated buildings. The proce-dure is based on the hypothesis, typical of nuclear structures, of linear behaviour of the building in the traditional case; the behaviour of isolation devices, on the other hand, is modelled taking mechanical non-linearities into account. The proposed procedure for fragility computation makes use of the Response Surface (RS) Methodology to model the influence of the random variables on the dynamic response. To account for sto-chastic loading the latter is computed by means of a simulation procedure. Given the RS, the Monte Carlo method is used to compute the failure probability; a risk-based procedure for refining the RS is also proposed and tested in an illustrative example. For the isolated case, an overall experimental/numerical methodology for fragility as-sessment is summarized and an example of fragility estimation is finally shown.

11:20 AMSeismic PSA in GermanyRalf Obenland, Holger Ulrich, Theodor Bloem, Wolfgang TietschWestinghouse Electric Germany GmbH, Mannheim, Germany

The German regulatory guide for nuclear power plants demands plant specific Proba-bilistic Safety Analyses (PSA) including External Events. In 2005, a new Methodology Guideline (Methodenband) based on the current state of science and technology was released to provide the analyst with a set of suitable tools and methodologies for the analysis of all PSA events. In the case of earthquakes a staggered procedure is sug-gested which requires a probabilistic analysis only for those nuclear power plants with an intensity for the design basis earthquake above IDBE > 6. For earthquake intensi-ties IDBE between 6 and 7, a reduced analysis is possible. For earthquake intensities IDBE above 7, a full scope analysis is mandatory.In Germany the seismic hazard curve is determined as a function of the intensity of the earthquakes. Compared to a procedure suggested in the Methodenband, a more realistic procedure to implement the hazard curve in a seismic PSA by using realistic site specific response spectra is presented, as well as the procedure to consider these spectra in the fragility analysis. Also an approach for the reduced analysis will be pre-sented. Additionally, experiences from performed seismic PSA are discussed.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Salon A

Seismic PSA - 4Session Chair: Andrea Maioli

69

10:05 AMU.S. NRC Confirmatory Level 1 PRA Success Criteria Activi-tiesDonald Helton and Hossein Esmaili (a), Robert Buell (b)a) U.S. Nuclear Regulatory Commission, Washington, DC, b) Idaho National Laboratory, Idaho Falls, ID

The U.S. Nuclear Regulatory Commission’s standardized plant analysis risk (SPAR) models are used to support a number of risk-informed initiatives. The fidelity and re-alism of these models are ensured through a number of processes including cross-comparison with industry models, review and use by a wide range of technical experts, and confirmatory analysis. This paper will describe a key activity in the latter arena. Specifically, this paper will describe MELCOR analyses performed to augment the technical basis for confirming or modifying specific success criteria of interest. The analyses that will be summarized provide the basis for confirming or changing suc-cess criteria in a specific 3-loop pressurized-water reactor and a Mark-I boiling-water reactor. Initiators that have been analyzed include loss-of-coolant accidents, loss of main feedwater, spontaneous steam generator tube rupture, inadvertent opening of a relief valve at power, and station blackout. For each initiator, specific aspects of the accident evolution are investigated via a targeted set of calculations (3 to 22 distinct accident analyses per initiator). Further evaluation is ongoing to extend the analyses’ conclusions to similar plants (where appropriate), with consideration of design and modeling differences on a scenario-by-scenario basis. This paper will also describe future plans.

10:30 AMPeer Review of NRC Standardized Plant Analysis Risk Mod-elsJames Knudsen, Robert Buell, John Schroeder, Anthony Koonce (a), Pete Appignani (b)a) Idaho National Laboratory, Idaho Falls, Idaho, b) U.S. Nuclear Regulatory Commission, Washington, DC

The Nuclear Regulatory Commission (NRC) Standardized Plant Analysis Risk (SPAR) Models underwent a Peer Review using ASME PRA standard (Addendum C) as en-dorsed by NRC in Regulatory Guide (RG) 1.200. The review was performed by a mix of industry probabilistic risk analysis (PRA) experts and NRC PRA experts. Represen-tative SPAR models, one PWR and one BWR, were reviewed against Capability Cat-egory I of the ASME PRA standard. Capability Category I was selected as the basis for review due to the specific uses/applications of the SPAR models. The BWR SPAR model was reviewed against 331 ASME PRA Standard Supporting Requirements; however, based on the Capability Category I level of review and the absence of inter-nal flooding and containment performance (LERF) logic only 216 requirements were determined to be applicable. Based on the review, the BWR SPAR model met 139 of the 216 supporting requirements. The review also generated 200 findings or sugges-tions. Of these 200 findings and suggestions 142 were findings and 58 were sugges-tions. The PWR SPAR model was also evaluated against the same 331 ASME PRA Standard Supporting Requirements. Of these requirements only 215 were deemed appropriate for the review (for the same reason as noted for the BWR). The PWR re-view determined that 125 of the 215 supporting requirements met Capability Category I or greater. The review identified 101 findings or suggestions (76 findings and 25 suggestions). These findings or suggestions were developed to identify areas where SPAR models could be enhanced. A process to prioritize and incorporate the findings/suggestions supporting requirements into the SPAR models is being developed. The prioritization process focuses on those findings that will enhance the accuracy, com-pleteness and usability of the SPAR models.

10:55 AMPotential Enhancements to the PRA Peer Review ProcessEdward T. Burns (a), Gregory A. Krueger (b), Barry D. Sloane, Donald E. Vanover (c)a) ERIN Engineering and Research, Inc., Campbell, CA, b) Exelon Nuclear, KSA 2-N Kennett Square, PA, c) ERIN Engineering and Research, Inc., West Chester, PA

A common industry PRA peer review process has been in use in the US for the past decade for internal events at-power PRAs. This method of PRA model review began with the process originally developed by the BWR Owners Group (BWROG) and sub-sequently documented in Nuclear Energy Institute (NEI) report NEI 00-02, and has evolved slightly to the current process, documented in NEI 05-04 [Ref. 1]. At the same time, the criteria against which a PRA is assessed during a peer review have become more codified (i.e., via the ASME/ANS PRA Standard, which provides limited guidance in application of the criteria), and the pool of PRA practitioners being called upon to participate in peer reviews has become broader, bringing in reviewers less familiar with the mechanics of a successful peer review.This paper identifies an alternative focus to that defined in NEI 05-04. This alternative focus places a greater emphasis during the peer review week (and preparation) on the PRA results and quantification process as the appropriate means to focus the team’s attention on the plant specific details that are of importance in the determination of PRA technical capability. The objective is to maintain the team’s focus on technical adequacy of the PRA in areas critical to the development of insights and calculation of risk metrics, while still addressing the scope of PRA technical requirements defined in the PRA Standard. The review team’s deeper understanding of the whole PRA then provides a more insightful perspective for delving into each PRA technical element in a manner that highlights the critical aspects of the PRA element.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Salon B

PSA Standards - 2Session Chair: Jim Chapman

70

10:05 AMUpdates to EPRI/NRC-RES Fire HRA GuidelinesSusan E. Cooper and Kendra Hill (a), Stuart Lewis (b), Jeffrey A. Julius, Jan Grobbelaar, and Kaydee Kohlhepp (c), John Forester and Stacey Hendrick-son (d), Bill Hannaman and Erin Collins (e), and Mary R. Presley (f)a) U.S. Nuclear Regulatory Commission, Washington, DC, b) Electric Power Research Institute, Knox-ville TN, c) Scientech, Tukwila, WA, d) Sandia National Laboratory, Albuquerque, NM, e) Science Applica-tions International Corporation, Campbell, CA, f) ARES Corporation, Albuquerque, NM

Over the past several years, the nuclear power plant (NPP) fire protection commu-nity in the United States and overseas has been transitioning towards risk-informed and performance-based (RI/PB) practice in design, operation and regulation. In or-der to make more realistic decisions for risk-informed regulation, fire probabilistic risk analysis (PRA) methods needed to be improved. To address this need, in 2001, the NRC Office of Nuclear Regulatory Research (RES) and Electric Power Research In-stitute (EPRI) collaborated under a joint Memorandum of Understanding (MOU), to develop NUREG/CR-6850 (EPRI101989), “EPRI/NRC-RES Fire PRA Methodology for Nuclear Power Facilities,” a state-of-art Fire PRA methodology. The fire human reli-ability analysis (HRA) guidance provided in NUREG/CR-6850 included: 1) a process for identification and inclusion of the human failure events (HFEs), 2) a methodology for assigning quantitative screening values to these HFEs, and 3) initial considerations of performance shaping factors (PSFs) and related fire effects that might need to be addressed in developing best-estimate human error probabilities (HEPs). However, NUREG/CR-6850 did not identify or produce a methodology to develop these best-estimate HEPs given the PSFs and the fire-related effects.In 2007, EPRI and RES embarked upon another cooperative project to develop ex-plicit guidance for estimating HEPs for human error events under fire generated condi-tions, building on existing HRA methods. It is anticipated that such guidance will be used by the industry as part of transition to the risk-informed, performance-based fire protection rule, 10CFR50.48c, which endorsed National Fire Protection Association (NFPA) 805, “Performance-Based Standard for Fire Protection for Light Water Reac-tor Electric Generating Plants” and possibly in response to other regulatory issues such as multiple spurious operation (MSO) and operator manual actions (OMAs). As the methodology is applied at a wide variety of NPPs, the guidance may benefit from future improvements to better support industry-wide issues being addressed by fire PRAs.The collaborative project produced a draft report for public comment, “EPRI/NRC-RES Fire Human Reliability Analysis Guidelines,” (NUREG-1921, EPRI TR 1019196). The draft guidelines address the range of fire procedures used in existing plants, the range of strategies for main control room (MCR) abandonment, and the potential impact of fire-induced electrical spurious actuation effects on crew performance. The draft guidelines also present a three tiered, progressive approach for fire HRA quantifica-tion. The quantification approaches included are: a screening approach per NUREG/CR-6850 guidance (modified somewhat to clarify certain aspects and to account for long-term events), a scoping approach, and detailed quantification using either EPRI’s Cause Based Decision Tree (CBDT) and HCR/ORE or the NRC’s ATHEANA approach with modifications to account for fire effects.In the spring of 2010, the joint EPRI/NRC-RES team received public comments on the draft guidelines. These comments were reviewed by the team and are currently being addressed. (Presentation Only)

10:30 AMLessons Learned During Recent Application of Draft EPRI/NRC Fire HRA GuidelinesJeffrey A. Julius, Jan F. Grobbelaar, and Kaydee KohlheppScientech

The fire human reliability analysis (HRA) guidelines [1] developed jointly by the Elec-tric Power Research Institute (EPRI) and the U.S. Nuclear Regulatory Commission (NRC) are intended to provide methodology as well as guidance for identifying, model-ing and quantifying human failure events under post-fire conditions. The methodology includes qualitative analysis and three tiers of quantification. The three tiers of quan-tification consist of a screening level similar to that presented in NUREG/CR-6850 [2], a new scoping fire HRA quantification approach, and two detailed HRA quantification approaches. This presentation discusses examples of the practical application of the EPRI/NRC Fire HRA Guidelines to recent Fire PRA/HRA projects and the associated insights. (Presentation Only)

10:55 AMLessons Learned from Fire HRA ApplicationsErin P. Collins, Pierre Macheret, Paul Amico, and G. William HannamanSAIC

The fire human reliability analysis (HRA) guidelines developed jointly by the Electric Power Research Institute (EPRI) and the U.S. Nuclear Regulatory Commission (NRC) are intended as explicit guidance for identifying, modeling and quantifying human fail-ure events under fire-generated conditions. A three tiered approach to quantification is offered including a screening level similar to that presented in NUREG/CR-6850, a new scoping fire HRA quantification approach, and two detailed HRA quantification approaches. This presentation discusses examples based on the application of the EPRI/NRC Fire HRA Guidelines to recent Fire PRA/HRA and NFPA 805 transition projects and the insights gained from this experience.. (Presentation Only)

11:20 AMPanel Discussion: Draft EPRI/NRC Fire HRA Guidelines

Following the presentations, there will be an discussion of current technical issues and potential treatment, to include methodology, guidance, and other aspects related to implementation in a fire PRA supporting a plant transitioning to NFPA-805.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 10:05 AM - Carolina

Panel - Joint EPRI/NRC-RES Fire HRA GuidelinesSession Chair: Susan Cooper

71

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 11:45 AM - Cape Fear Ballroom

Student Awards Luncheon

Chief Operating Officer (COO), Hitachi-GE Nuclear Energy, Ltd.

Mr. John Yoshinari, Chief Operating Officer, Hitachi-GE Nuclear Energy Ltd, is responsible for its US nuclear business. John has been in the current position since the GE Hitachi Nuclear Alliance formed in 2007.

Prior to joining the GE Hitachi Alliance as COO, John experience includes the Japanese fast reactor programs including the Prototype Fast Reactor MONJU and the Demonstration Fast Breeder Reactor (FBR). In addition, he has extensive knowledge of the Advanced Boil-ing Water Reactors (ABWR) including the design of Shika 2 and Shimane 3 and extensive background in the digitization of design information. Outside of the FBR and ABWR reactor programs, John’s background includes the nuclear fuel cycle including fuel reprocessing in Japan.

John holds the BS degree in Mechanical Engineering from The University of Tokyo and MS degree in Management Science from A. P. Sloan School of Massachusetts Institute of Technology.

With his US assignment, he currently resides in New Jersey.

John Yoshinari

72

1:30 PMCommon Cause Failure Modeling Using Probabilistic Physics-Of-Failure (POF) Analysis: A Mechanistic ApproachZahra Mohaghegh and Mohammad ModarresCenter for Risk and Reliability, University of Maryland, College Park, MD

One of the most important topics in Probabilistic Risk Assessment (PRA) is model-ing dependent failures. In general, dependent failures are defined as events in which the probability of each failure depends on the occurrence of other failures. The ma-jor causes of dependence among a set of systems or components can be explicitly modeled using system reliability methods (e.g. fault trees). Other dependent failures, where root causes are not known or are difficult to model explicitly in the system or component reliability analysis, are called Common Cause Failures (CCFs). Current-ly, CCFs are treated using parametric modeling based on historical common cause events. This research leads to a shift of paradigm in the assessment of CCFs and seeks to model such events utilizing the underlying phenomena of failure, called the Probabilis-tic Physics-Of-Failure (POF) analysis. For this, we propose a methodology for the in-tegration of POF models into PRA frameworks in a way that is capable of depicting the interactions of physical failure mechanisms and, ultimately, the dependencies between the component failures. The proposed steps of this methodology can be summarized as follows: 1. Modeling the deterministic phenomena of failures (at the material-level) due to the interactions of two failure mechanisms. A mechanistic approach (i.e. based on semi-empirical models of failure mechanisms) is suggested in this paper. 2. Devel-oping advanced uncertainty characterization and propagation methods (probabilistic assessment of model errors, aleatory and epistemic uncertainty modeling considering the dynamic interactions of diverse equations and a large number of parameters) and Bayesian updating to make the deterministic POF models (developed in step 1) proba-bilistic and ready to be linked to the PRA frameworks. 3. Expanding material-level probabilistic POF models to the component-level in order to create physics-based CCF models 4.Developing appropriate modeling techniques to link the physics-based CCF models (at the component-level) to the system-level PRA.The potential applications of this research include the abilities to (a) incorporate op-erational and environmental conditions in hardware failure models, (b) model aging and degradation processes, (c) model CFFs in PRAs of operating plants , (d) model CCFs in PRAs of plants at design level, (e) use retrospective assessments intended to estimate the risk significance of single or multiple equipment failures (degrada-tion) accompanied by a deficiency in design, operating conditions, and/or a process such as maintenance scheduling (the so-called Significant Determination Process by Nuclear Regulator Commission (NRC) inspectors), (f) schedule accurate maintenance intervals based on more precise estimates of time to failure (and, ultimately, reduce maintenance costs) , (g) facilitate the connection between POF models and CCF mod-els and the harsh post-accident environment in a nuclear power plant (using common physical variables) , (h) extend the notion of dependence beyond identical redundant components and into diverse components and applications. This research also forms a good basis for passive system reliability for advanced reactor concepts. (Presenta-tion Only)

1:55 PMA Stochastic Transition Model for Evaluating fhe Effects of Common Cause Failure Events on System ReliabilityDae-Wook ChungKorea Institute of Nuclear Safety (KINS), Taejon, Republic of Korea

A stochastic transition model is developed to evaluate the effects of common cause events on system reliability. It is assumed in this study that there are several common cause events which occur in sequence and affect system reliability individually and independently and each common cause event has its own probability of occurrence and probability of component failure. The changes in system states (i.e., number of failed components) due to common cause events are modeled using finite Markov chain theory. The inter-arrival times between common cause events are determined using Poisson process. For every common cause event, the transition probabilities between system states are derived using Bernoulli process considering both the com-mon cause and independent cause of component failure. By applying the transition probabilities, Markov transition matrix for each common cause event is constructed and then multiplied one by one to produce final probability distribution of system states after all common cause events hit the system. Since there is no backward transition and self-transition is dominant, our Markov transition matrix is upper triangular and di-agonal dominant and, therefore, approximately commutative. Thanks to this property, the occurrence sequence of common cause events can be arranged randomly with negligible effects on the final probability distribution. For the case that common cause events are indistinguishable, the stationary Markov transition model is developed, which assumes all common cause events have the same probability of occurrence and probability of component failure. The reliability of a redundant system consisting of three identical components is evaluated using the developed stochastic transition models which are the stationary and the non-stationary Markov transition models. The BFR model which is a special case of stationary Markov transition model with only

one aggregate transition is also used for comparison. The final probability distribution of system states and corresponding system unreliability are computed. Conclusively, both the stationary and non-stationary Markov transition models produce more conser-vative results than the BFR model in general. It is noticeable that, for system consisting of small number (3 or 4) of components, both the stationary and non-stationary Markov transition models produce almost the same results, which implies that the stationary Markov transition model can be used in place of the non-stationary Markov transition model when data problems exist. This is not true for system having large number of components.

2:20 PMFinding A Minimally Informative Dirichlet Prior Using Least SquaresDana Kelly (a), Corwin Atwood (b)a) Idaho National Laboratory, Idaho Falls, ID , b) Statwood Consulting, Silver Spring, MD

Abstract In a Bayesian framework, the Dirichlet distribution is the conjugate distribution to the multinomial likelihood function, and so the analyst is required to develop a Di-richlet prior that incorporates available information. However, as it is a multiparameter distribution, choosing the Dirichlet parameters is less straightforward than choosing a prior distribution for a single parameter, such as p in the binomial distribution. In particular, one may wish to incorporate limited information into the prior, resulting in a minimally informative prior distribution that is responsive to updates with sparse data. In the case of binomial p or Poisson \lambda, the principle of maximum entropy can be employed to obtain a so-called constrained noninformative prior. However, even in the case of p, such a distribution cannot be written down in the form of a standard distribution (e.g., beta, gamma), and so a beta distribution is used as an approxima-tion in the case of p. In the case of the multinomial model with parametric constraints, the approach of maximum entropy does not appear tractable. This paper presents an alternative approach, based on constrained minimization of a least-squares objective function, which leads to a minimally informative Dirichlet prior distribution. The alpha-factor model for common-cause failure, which is widely used in the United States, is the motivation for this approach, and is used to illustrate the method. In this approach to modeling common-cause failure, the alpha-factors, which are the parameters in the underlying multinomial model for common-cause failure, must be estimated from data that are often quite sparse, because common-cause failures tend to be rare, especially failures of more than two or three components, and so a prior distribution that is re-sponsive to updates with sparse data is needed.

2:45 PMAdjustment of a Dirichlet Prior Distribution for Multiple Greek Letter Parameters Estimation in Bayesian Approach at EDFThi Thuy Linh Nguyen, Christophe Bérenguer, Mitra Fouladirad (a), Anne-Marie Bonnevialle (b)a) Troyes University of Technology Institut Charles Delaunay & UMR STMR CNRS, Troyes Cedex, France, b) Department of Management of Industrial Risks, Electricité de France – R&D, Clamart Cedex, France

Common cause failure (CCF) is the simultaneous failure of several components due to a shared cause. The assessment of CCF parameters deserves an important at-tention at EDF due to their high influence on the results of the Probabilistic Safety Analysis. Use of the classical (frequentist) approach does not permit to update the CCF parameters in case of no observed data. Bayesian approach is a suitable alter-native partly because of this and it is also used as a natural way to incorporate the variety of forms of information in the estimation process. In the Bayesian inference, the analyst’s uncertainties in the parameters due to lack of knowledge are expressed via a probability distribution. In our case, the Dirichlet distribution is used as a prior distri-bution. The problem is how to quantify the parameters of this prior distribution based on minimal available information which is specified in term of expected value and the error factor determining by expert judgment. Using the moment matching will lead to the over-specified problem. In case of the Alpha model, to overcome this issue, Kelly and Atwood propose an approach based on the constrained noninformative (CNI) prior to build a minimally informative Dirichlet prior distribution and they use a constrained minimization of a least squares objective function. This paper investigates how this proposal can match EDF needs. A case study is presented in order to compare the performance of various estimators for the Multiple Greek Letter model.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Azelea

Common Cause - 1Session Chair: Gareth Parry

73

1:30 PMPhased Approach PSA in Support of CANDU License Renew-alPaul Lawrence (a), Sugata Ganguli (b), Doug True (c), Greg Hardy (d), Kiang Zee, Barry Sloane (c), Alexander Trifanov (b), Wen Tong (d), Thomas Dan-iels, Steven Mays (c)a) Ontario Power Generation, b) Kinectrics, Inc., c) ERIN Engineering and Research, Inc., d) SGH, Inc.

In support of the license renewal requirements for its Darlington Nuclear Generating Station (DNGS), Ontario Power Generation (OPG) has embarked on development of broad scope Level 1 and 2 probabilistic safety assessment (PSA) to meet the require-ments of Canadian Nuclear Safety Commission (CNSC) regulatory standard S-294. The DNGS PSA will ultimately address: Internal events at power, Internal events at shutdown, Internal fires, Internal floods, Seismic events, Other pertinent events.Darlington is a four-unit CANDU plant, and this is the first application of PSA to ad-dress a broad set of hazards at a multi-unit CANDU station. In developing the PSAs for the set of “complicated” spatial hazards, i.e., internal fire, internal flood, and seis-mic events, OPG and their PSA services consultants (Kinectrics-ERIN-SGH) have adopted a “phased approach”, which entails performing a screening PSA phase and a more refined PSA phase to establish the extent to which a final comprehensive PSA phase may be needed. The phased approach is equivalent to the traditional PSA de-velopment approach, but is implemented in steps of increasing detail using the design specifics of the Darlington station to optimize the screening process and focus efforts on the most risk-significant areas. Existing guidance (e.g., NUREG/CR-6850, IAEA SSG-3) recognizes that development of any “hazard”-PSA always involves some de-gree of initial screening and gradual addition of detail. At the outset, there is significant uncertainty in the analysis and potentially large associated development cost. Com-mitting to an “all-inclusive” PSA requires resources not always justified by the benefits. This is particularly the case for the latest multi-unit Candu designs, which include unique design feature such as physically separated and diverse grouping (Group 1 - Group 2) of safety systems, which are further separated into odd and even divisions. These features provide the opportunity to apply the graded process for increasing the level of analysis detail based on insights and risk significance of contributors. Three phases have been defined for each hazard: Phase 1 – Screening PSA (or PSA-based Seismic Margin Assessment for seismic risk); initial focus is on “pinch points” where both Group 1 and Group 2 safety features are affected by the hazard. Phase 2 – Refined PSA; where needed, build on the Phase 1 results and insights to fur-ther develop PSA models for important contributors and to reflect additional detail for potential interactions between Groups or divisions. Phase 3 – Comprehensive PSA; continue PSA development to the degree desired to support risk-informed decision-making for the plant. The concept is to systematically identify and address the key risk contributors in a manner that is cost-effective, timely, and acceptable to CNSC. In all cases, appropriate technical bases and methods are applied; the difference among the phases is in the degree to which simplifying assumptions are employed to reduce time and resources to develop the PSA. A hazard or contributor is evaluated to the degree necessary to support acceptance by CNSC and the degree of operational decision-making needed by OPG. This proactive methodology, as applied by an expe-rienced PSA team, has provided the following advantages to OPG in meeting its regu-latory requirements for the DNGS PSA: gradual scope control based on intermediate assessment results and input from OPG and CNSC; the possibility of early CNSC acceptance and, thus, early removal of PSA-related activities from the license renewal critical path; efficient cost control by focusing on risk significant areas during transition from one phase to the next; and ability to extend the models cost-effectively to support development of operational decision-making tools if desired. This paper describes the phased approach to PSA development being applied for Darlington, and provides a summary of the experience to date in development of the seismic, internal fire, and internal flood PSAs. (Presentation Only)

1:55 PMA Study on Methodology for Identifying Correlations Between LERF and EFKyungmin Kangb (b), Moosung Jae (a)a) Department of Nuclear Engineering, Hanyang University, Korea, b) Korea Institute of Nuclear Safety, Daejeon, Korea

The correlations between Large Early Release Frequency (LERF) and Early Fatal-ity need to be investigated for risk-informed application and regulation. In RG-1.174, there are decision-making criteria using the measures of CDF and LERF, while there are no specific criteria on LERF. Since there are both huge uncertainty and large cost need in off-site consequence calculation, a LERF assessment methodology need to be developed and its correlation factor needs to be identified for risk-informed deci-sion-making. This regards, the robust method for estimating offsite consequence has been performed for assessing health effects caused by radioisotopes released from severe accidents of nuclear power plants. And also, MACCS2 code are used for vali-dating source term quantitatively regarding health effects depending on release char-acteristics of radioisotopes during severe accidents has been performed. This study developed a method for identifying correlations between LERF and Early Fatality and

validates the results of the model using MACCS2 code. The results of this study may contribute to defining LERF and finding a measure for risk-informed regulations and risk-informed decision-making.

2:20 PMRisk Informed Safety Margin Characterization: Trial Applica-tion to a Loss of Feedwater EventRichard Sherry and Jeff GaborERIN Engineering and Research, Inc., West Chester, PA

This paper presents the results of a trial application to assess safety margins using a risk informed approach. The trial application focused on a PWR loss of feedwater event with failure of AFW where feed and bleed cooling is required to prevent core damage. For this trial application the main parameters which impact core damage for the scenario were identified and distributions were constructed to represent the uncertainties associated with the parameter values. These distributions were sampled from using a Latin Hypercube Sampling technique to generate sets of sample cases to simulate using the MAAP4 code. Simulation results were evaluated to determine the safety margins relative to PRA modeling (success criteria) assumptions.

2:45 PMAnalysis of BWR CRDH System to Provide Supportable PRA Basis in Support of EPU EvaluationBenjamin Jessup (a), Julie Weber (b)a) ABZ, Inc., Chantilly, VA, b) Xcel Energy, Monticello, MN

The Nuclear Regulatory Commission (NRC) requires Probabilistic Risk Assessment (PRA) models to have a documented methodology to support engineering judgments or assumptions made on a system’s performance. One important system in a PRA model for a Boiling Water Reactor (BWR) is the Control Rod Drive Hydraulic (CRDH) system. The CRDH system includes a complex set of pumps, pipes, and valves that provides motive force for the control rods, but can also be used to provide cooling water during emergencies. Accurately determining the flow rates and pressures under alternate system conditions to provide supportable bases for PRA calculations is dif-ficult given the system’s complexity. To address these issues for the Extended Power Uprate (EPU) at the Monticello Nuclear Generating Plant (MNGP), a computerized fluid system model of the CRDH system was developed. First, the model was de-signed and validated to replicate normal operating conditions using operating log data. The validated model then allowed for evaluation of various alternate conditions by ma-nipulating system lineups and the status of operating equipment. Fluid flow models al-low efficient, reliable, and reproducible characterization of alternate system conditions, thus eliminating the time necessary for complex hand calculations while meeting PRA requirements for documented methodology. The CRDH model was used to simulate various plant conditions consistent with plant procedures. The Monticello PRA model includes logic for both the normal configuration as well as an enhanced flow configura-tion. Results were compared to previous MAAP calculations and previous assump-tions. The calculated flow rates for both the normal and enhanced flow configuration showed that makeup capacity to the reactor from the CRDH system is greater than that assumed in the PRA model based on the previous evaluations.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Camellia/Dogwood

Risk-Informed Decision Making - 3Session Chair: Marty Sattison

74

1:30 PMPanel: Next Generation Rx Risk MetricslMohammad Modarres, Matt Warner (GEH), Biff Bradley, Victoria Anderson (NEI), Donald Dube (NRC), Ed Wallace, Jim Kinsey

The issue of alternative risk metrics for new LWRs has been under consideration by the NRC and industry for the last two years. The central issue is, given the lower risk numer-ics (CDF, LRF) for new reactors compared to operating plants, how to assure that the level of enhanced safety believed to be achieved with new reactors will be maintained over the life of these reactors. The alternative risk metric focus to date has been on large, single-shaft LWRs. The purpose of this session is to address the alternative risk metric issue for advanced LWRs, considering such issues as the even lower risk numerics and multiple modules in SMRs.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Magnolia

Panel: Next Generation Rx Risk MetricsSession Chair: Mohammad Modarres

75

1:30 PMFire PRA Maintenance and UpdateBrandi T. WeaverDuke Energy, Charlotte, NC

The fire PRA is a living document that must be in synch with the internal events PRA and the as-built configuration of the plant. As the Fire PRA changes the analyst, along with interested parties at the sites, need to take action to ensure that Fire Risk related NFPA 805 conclusions are not adversely impacted. This paper will detail Duke’s ap-proach to meeting these requirements. (Presentation Only)

1:55 PMApplication of Fire PSA in Nuclear ReactorsFatemeh Karimi Dehcheshmeh (a), K. Sepanloo (b), M. Zohrehbandian (c)a) School of industrial and mechanical engineering Qazvin Islamic Azad University, Iran, b) Atomic En-ergy Organization, Iran, c) karaj Islamic Azad University, Iran

The occurrence of fire accident is among the most serious accidents which might happen in a nuclear (or nonnuclear) facility. Thus analysis of fire accident and deter-mination of level of safety and reliability of systems and components provide valuable information for the designers and the operating organizations. Probabilistic safety as-sessment (PSA) of the fire accident or “fire PSA” is a method which quantitatively analyzes the systems and equipment and based on the input data and the fire propa-gation models assess the consequences of the fire and the amount of exposure of the operating personnel. To achieve the above goals, it is needed firstly to analyze the structures, systems and components and their inter links and secondly the event is modeled by the PSA technique (Event trees and Fault trees) to estimate the fire accident consequences. In this paper, probability that the fire ignited in the given fire compartment will burn long enough to cause the extent of damage defined by each fire scenario is calculated by means of detection-suppression event tree. As a part of detection-suppression event trees quantification, and also for generating the neces-sary input data for evaluating the frequency of core damage states by SAPHIRE 7.0 or Risk Spectrum, CFAST fire modeling software is applied. The results provide a proba-bilistic measure of the quality of existing fire protection systems in order to maintain a typical research reactor at a reasonable safety level.

2:20 PMUnderstanding Plant Fire Risk and Visualizing a Safe Shut-down Strategy Using PRISM - a Case StudyMitchell A. TheisenEPM, Inc., Risk Solutions Division, Hudson, WI

To successfully quantify risk impacts of a fire within a nuclear power plant, PRA ana-lysts need to compile various drawings, flow diagrams, cable routing information, and procedures along with a complete Fire PRA model. The evaluation process can be time consuming since the process needs to be performed for many possible fire sce-narios. The Plant Risk Informed Systems Model (PRISM) can streamline this process. The development of PRISM has been used to lower plant risk and improve the safe shutdown strategy process that EPM has incorporated into various NFPA 805 Transi-tions projects. PRISM is being used to visually depict fire damage using electrical distribution and system diagrams. An analyst can quickly see where cable damage disrupts power supply alignments as well as alternate cross-ties.Once a plant-specific Fire PRA is complete, PRISM is still an effective tool that can be used by PRA Engineers, Safe Shutdown Engineers, and Plant Operations. The tool can be used to create ‘What-If’ scenarios, understand impacts of plant modifications (such as new cable routings or electrical cabinets) to analyze risk insights for a fire in a new location, and understand impacts of equipment that is out-of-service. PRISM has provided the guidance

2:45 PMCooper Nuclear Station Fire PRA Results, Insights and Chal-lengesOle Olson (a), Stephen P Meyer (b), Jim Chapman (c)a) Nebraska Public Power District, Cooper Nuclear Station, Brownsville, NE, b) Scientech, Curtiss Wright Flow Control, Madison, OH, c) Scientech, Curtiss Wright Flow Control, Lake Mary, FL

Cooper Nuclear Station is a single unit BWR 4 with a Mark I containment. A Fire PRA was developed, using guidance from NUREG/CR-6850, Industry Frequently Asked Questions (FAQs) and recent EPRI technical evaluations, such as fire ignition fre-quency updates. The fire PRA was developed to support the NFPA 805 project and other risk informed initiatives. Detailed fire modeling, cable and circuit analysis and Human Reliability Analyses (HRA) were needed to achieve results which were not clearly extraordinarily conservative. The results achieved are estimated to be conser-vative by a factor of 5 to 10; and there are plans to further refine the results as Industry and NRC research and development programs provide improved methods and data in areas including fire frequency, fire development and propagation, heat release rate and detection and suppression.Even though the results are conservative, the insights obtained are being success-fully used to evaluate variances from deterministic requirements (VFDRs) and support identification and evaluation of potential safety enhancements.The paper discusses the methods used, and the results obtained including significant fire damage states and area specific results. In addition the insights and sensitivity of results to alternative approaches are provided. Finally the challenges in conducting the analyses, including lessons learned are provided.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Salon A

Fire PSA Methods - 7Session Chair: Richard M Wachowiak

76

1:30 PMPanel: PRA Standards Development, International ConsiderationsRick Grantom, Karl Fleming, Biff Bradley, Göran Hultqvist, Donnie Harrison (NRC)

This panel discussion will examine the role and expectations of PSA standards used to support risk management programs and risk informed applications for nuclear facilities. PSA standards identify what the requirements are for an acceptable PSA; however, many risk informed applications require PSAs to go beyond what the typical standard’s requirements. PSA Standards have evolved over the last decade and their scope has expanded. This panel will discuss this as well as items such as: How should standards be used for risk informed applications? What does it mean to “meet the standard”? How does regulatory endorsement impact the processing of risk informed applications? What are the international uses and expectations for PSA standards? Should standards go beyond PSA and address risk management methods? What metrics can be used to assess the effectiveness of a PSA Standard, a risk informed application, a risk management method?

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Salon B

Panel: PRA Standards Development, International ConsiderationsSession Chair: Rick Grantom

77

1:30 PMModel Uncertainty of Empirical Metallic Fuel/Clad Eutectic Predictive RelationshipsM.R. Denman (a), M. Zucchetti (b)a) Department of Nuclear Science and Engineering, MIT, Cambridge, MA, b) Department of Radiation Protection, DENER - Politecnico di Torino, Turino, Italy

Sodium-cooled Fast Reactors (SFRs) remain a strong contender amongst the Gen-eration IV reactor concepts. Many U.S. SFR designs utilize binary or ternary metallic fuel with stainless steel cladding. At high temperatures, iron from the cladding will diffuse into the fuel, and uranium, plutonium and rare earth fission products from the fuel will diffuse into the cladding to form a low melting point fuel/clad eutectic. The ero-sion of the cladding due to this eutectic formation may accelerate creep rupture, thus allowing the radioactive fission products to escape into the sodium coolant. Accurate modeling of this phenomenon may be important to making the SFR more economi-cally competitive, but currently the eutectic formation rate is predicted using only the temperature of the fuel/clad interface. This paper improves the modeling accuracy of eutectic formation through the application of a multivariable linear regression with a database of fuel/clad eutectic experimental results.

1:55 PMUncertainty Analysis and Sensitivity Calculations for Reliabil-ity Assessment of a Digital Feedwater Control SystemMeng Yue, Tsong-Lun Chu, Gerardo Martinez-Guridi, and John Lehner (a), Alan Kuritzky (b)a) Brookhaven National Laboratory, Upton, New York, b) Division of Risk Analysis, Office of Nuclear Regulatory Research, U. S. Nuclear Regulatory Commission, Washington, D. C.

This paper provides an analysis of three types of uncertainties for a digital feedwater control system (DFWCS) reliability model; namely, parameter uncertainty, modeling uncertainty, and completeness uncertainty. Parameter uncertainty is directly addressed by propagating the parameter associated uncertainties throughout the reliability model and explicitly considering the state-of-knowledge-correlation (SOKC) in the parameter values. Important assumptions that contribute to the modeling and completeness un-certainties are identified and discussed. Software modeling was considered out of the scope of developing the DFWCS reliability model. Still, a placeholder was provided to account for the failure of the software in the model. The software contributes to all three types of uncertainty. Finally, sensitivity calculations are performed to evaluate the importance of different design features to the reliability of the DFWCS, which pro-vides a practical means to evaluate the digital design features.

2:20 PMIdentification of Single Point Vulnerability Using a Blended MethodKwang Nam Lee and Jin Kyu Han (a), Moon Goo Chi and Eun Chan Lee (b)a) KEPCO Engineering & Construction Company, Inc., Gyeonggi-do, Korea, b) Korea Hydro & Nuclear Power Company, Limited, Daejeon, Korea

A Single Point Vulnerability (SPV) may cause plant transients like reactor trip, turbine/ generator trip, or derated power under 50% of full power. In order to improve plant reliability and performance by preventing unexpected plant transients, we, KHNP and KEPCO E&C, are developing an SPV evaluation program. To have a better result of the SPV identification and evaluation, we used a blended method comprised of quali-tative and quantitative approaches. This blended method and SPV evaluation program are described herein.

2:45 PMAn Integrated Methodology for Assessing Model Uncertainty in Fire Simulation CodesVictor Ontiveros and Mohammad ModarresUniversity of Maryland, Center for Risk and Reliability, Department of Mechanical Engineering

The use of fire simulation models has increased with the growth of risk-informed and performance-based approaches to regulatory decision-making for the fire protection of current and advanced light water reactors. These simulation codes (considered simulation fire models) rely on various sub-models such as correlations and empirical relations to describe the underlying phenomena and processes. Most fire Probabilistic Risk Assessments (PRAs) rely on the results of the simulation codes to estimate fire-induced core damage frequency. It is, therefore, imperative to properly account for uncertainties in the simulation code results and properly account for them in the fire PRAs. This paper will review an expansion of earlier research reported by the authors for characterizing the total code output uncertainty for applications to fire simulation codes (i.e., the research considered the simulation code as a closed “black-box”). In this paper the simulation code will be opened up and considered a “white-box”, in which the uncertainties associated with the code’s inner sub-models can be accounted for in the code outputs. With this information, a more complete determination of the fire risk can be obtained when using a fire simulation model. Results of this methodology will be demonstrated by an example using the plume mass flow rate sub-model in the fire simulation code CFAST. These results will be compared with the results obtained from an earlier uncertainty estimation approach.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 1:30 PM - Carolina

Uncertainty Analysis & Methods - 1Session Chair: M.Pourgol-Mohammad

78

3:45 PMDevelopment of an Integrated Program and Database System for the Estimation of CCF ProbabilitiesJ. C. Stiller, L. Gallner, H. Holtschmidt, A. Kreuser, M. Leberecht, C. Ver-stegenGesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany

In order to handle the large amounts of information necessary to quantify common cause failure (CCF) probabilities for probabilistic risk assessments (PRA) efficiently, consistently and in a traceable way, GRS has developed the integrated program sys-tem POOL for carrying out the necessary steps in the CCF quantification process. Information is managed in a project structure, where a project corresponds to a spe-cific PRA. The user is guided through different menus to create datasets and enter the necessary information on the component groups to be modeled. The possibility to copy and change datasets at different levels of hierarchy facilitates the reuse of infor-mation. Since each CCF event in the data bank is assessed by multiple experts, the group of experts whose assessments are to be used can be defined as well. The time interval for which operating experience shall be considered also can be selected. The CCF events that occurred in the chosen time interval are automatically selected and the observation times are also calculated automatically. These features also facilitate carrying out trend analyses regarding CCF with very little effort. To actually calculate the CCF probabilities an interface to the program “PEAK” has been created. PEAK estimates the CCF probabilities using the coupling model [1][2]. Both the complete input data and the results are written to a project-specific database, which thus serves as documentation for the process of CCF quantification. Using the program POOL is much more efficient than the previous procedures which included significant manual data handling efforts, provides comprehensive documentation and – by extensive au-tomation and user guidance – facilitates the quality assurance of the results [3].

4:10 PMInvestigations of Inter-System Common Cause Failures: An UpdateMarie Gallois, Dominique Vasseur, Philippe Nonclercq, Jean Primet (a), Stuart Lewis (b)Ia) Electricité de France Recherche & Développement, CLAMART, France, b) Electrical Power Research Institute, Knoxville, TN

Intra-system common-cause failures (CCFs) are widely studied and addressed in ex-isting PSA models, but the information and studies that incorporate the potential for inter-system CCFs are limited. However, the French Safety Authority has requested that EDF investigate the possibility of common-cause failure across system boundar-ies for Flamanville 3 (an EPR design). Also, the modeling of inter-system CCF, or the determination that their impact is negligible, would satisfy Capability Category III for one of the requirements in the ASME/ANS PRA standard in the U.S.EDF and EPRI have presented at PSA ‘08 the proposition of a method to assess when it is necessary to take into account inter-system CCF in a PSA model. This method is based both on the likelihood of inter-system CCF and on its demonstrated potential impact on core-damage frequency (CDF). This method had been applied for pumps in different systems using a PSA model for an operating plant.Since that application was completed, the method has been applied to address the potential for failure of motor-operated valves across different systems, using the same PSA model. More recently, this application has been extended to consider the high-voltage circuit breakers in a PSA model of Flamanville 3.This paper describes the results of these last two studies and shows how they helped in refining the methodology. All three studies have shown either that components in different equipment are not susceptible to common causes of failure, or that the poten-tial for inter-system common-cause failure had a negligible impact on the overall risk.

4:35 PMOmmon Cause Failure Data Exchange (ICDE) ProjectAlbert Kreuser (a), Gunnar Johanson (b)a) GRS - Gesellschaft für Anlagen- und Reaktorsicherheit(GRS) mbH, Schwertnergasse, Köln, GER-MANY, b) ES-Konsult - ES konsult, Solna, SWEDEN

The objective of this paper is to give generic information about the ICDE activities and lessons learnt.Common-cause-failure (CCF) events can significantly impact the availability of safety systems of nuclear power plants. In recognition of this, CCF data are systematically being collected and analysed in most countries. A serious obstacle to the use of na-tional qualitative and quantitative data collections by other countries is that the criteria and interpretations applied in the collection and analysis of events and data differ among the various countries. To overcome these obstacles, the preparation for the international common cause data exchange (ICDE) project was initiated in August of 1994. Since April 1998, the OECD/NEA has formally operated the project. The objec-tives of the ICDE project are: to provide a framework for a multinational co-operation; to collect and analyze CCF events over the long term so as to better understand such events, their causes, and their prevention; to generate qualitative insights into the root causes of CCF events which can then be used to derive approaches or mechanisms for their prevention or for mitigating their consequences; to establish a mechanism for the efficient feedback of experience gained in connection with CCF phenomena, including the development of defenses against their occurrence, such as indicators for risk based inspections; and to record event attributes to facilitate quantification of CCF frequencies when so decided by the member countries of the Project.

5:00 PMProbabilistic Failure Analysis of a Residual Heat Removal Heat Exchanger During a Postulated Loss of Coolant AccidentZeaid Hasan and Matthew King (a), Jordan Green, Alan Lee, and Christo-pher Pannier (b)a) Mechanical Engineering Department, Texas A&M University, College Station, Texas, b) Nuclear Engi-neering Department, Texas A&M University, College Station, Texas

The primary function of the residual heat removal system (RHRS) is to remove heat from the core and the reactor coolant system (RCS) during plant cooldown, safety grade cold shutdown, and refueling operations when reactor coolant temperature and pressure are significantly lower than normal RCS operating conditions. During normal reactor operation, the RHRS is isolated from the RCS by two isolation valves in series. The RHRS consists of multiple independent trains, each with a pump, heat exchanger and associated piping, valves, and instrumentation. The RHR heat exchanger contains thousands of U-bend pressure tubes which are periodically sampled and examined for cracks and flaws. Otherwise, such a cracking mechanism could lead to an unstable rupture of a pressure tube. This paper describes a means to quantify the conditions and probability of an RHRS heat exchanger failure given an interfacing system loss of coolant accident (ISLOCA) in which the RHR heat exchanger is exposed to normal op-erating RCS temperature and pressure by a failure of the two isolation valves between the systems. If the RHR heat exchanger fails such that flow enters the component cooling water (CCW) loop and exits containment, it could empty the refueling water storage tank (RWST) and cause core damage. It is advantageous to know the condi-tions that will cause RHR heat exchanger failure as well as the probability of such a failure. In the analysis, heat exchanger pressure tube failure probabilities are calcu-lated using the Monte Carlo simulation. As a result of the analysis, failure probabilities are calculated and the flow rate resulting from the failure is quantified.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 15, 2011 - 3:45 PM - Azelea

Common Cause - 2Session Chair: Jeanne-Marie Lanore

79

3:45 PMEvolution of Canadian Reliability Requirements in a Risk-In-formed EnvironmentC. MorinCanadian Nuclear Safety Commission, Ottawa, Ontario, Canada

This paper will discuss the evolution of design, safety and reliability requirements in Canada over the last fifty years. Specifically, we will discuss the recent advancement of reliability requirements in light of the progress in probabilistic safety analysis. The role of Safety Goals within the past and current regulatory framework will be dis-cussed. The development of the Canadian nuclear power safety philosophy is traced from its early roots in the 1960s to the current development of more modern require-ments in the risk and reliability area. The paper will link the traditional single and dual failure criteria for safety analysis which led to the reliability requirements for special safety systems, with the modern advances in probabilistic safety assessments that are contributing to the current reliability requirements. Within the last few years, the Canadian Nuclear Safety Commission (the nuclear regulator) has developed a new reliability program regulatory guide whereby the program would not only encompass the four traditional special safety systems, but a more comprehensive list of systems that are deemed important due to their contribution to safety as determined by the probabilistic safety analysis. Some details of the implementation of this new regulatory guide will be discussed.

4:10 PM“How Safe Is Safe Enough?”: A PRA Perspective on GSI-191Robert Lutz, Heather Detar, Rachel Solano and David TeolisWestinghouse Electric Company, Cranberry Township, PA

Probabilistic Risk Assessment (PRA) can be used to provide insights to the ques-tion of “How Safe is Safe Enough?” The three key traditional keystones of safety are compliance with regulatory requirements; ensuring that defense in depth for accident prevention and mitigation; and maintaining safety margins. The methods used to show compliance with regulatory requirements can significantly impact the design and op-eration of the plant, especially the conservatisms included in the analysis methods to address uncertainties in knowledge. The PRA can be used to show that, at some point the degree of conservatisms in the analysis methods does not increase safety as measured by the core damage frequency (CDF) and large early release frequency (LERF) risk metrics.A series of PRA analyses have been performed to show the sensitivity of the risk metrics to various key assumptions used to drive the design and operational features of long term core cooling using containment sump recirculation. This directly ties to the NRC acceptance of plant modifications to respond to Generic Issue 191 to en-sure long term core cooling via sump recirculation. These sensitivity analyses show that wholesale insulation change-out and further containment sump re-design may not improve safety as measured by risk. Additional focus on other aspects of accident prevention and mitigation such as leak detection and containment water manage-ment strategies provide additional defense in depth and decrease overall risk metrics. Thus, the fundamental keystones of safety may not be optimized by only considering conservatisms in methods used for regulatory compliance. This paper describes the analyses and results along with recommendations for improving the probability of suc-cessful long term core cooling via sump recirculation and the NRC acceptance of the current plant modifications to address GSI-191.

4:35 PMMSPI False Indication Probability SimulationsDana Kelly, Kurt Vedros, Robert YoungbloodIdaho National Laboratory, Idaho Falls, ID

This paper examines false indication probabilities in the context of the Mitigating Sys-tem Performance Index (MSPI), in order to investigate the pros and cons of different approaches to resolving two coupled issues: (1) sensitivity to the prior distribution used in calculating the Bayesian-corrected unreliability contribution to the MSPI, and (2) whether (in a particular plant configuration) to model the fuel oil transfer pump (FOTP) as a separate component, or integrally to its emergency diesel generator (EDG). False indication probabilities were calculated for the following situations: (1) all component reliability parameters at their baseline values, so that the true indication is green, meaning that an indication of white or above would be false positive; (2) one or more components degraded to the extent that the true indication would be (mid) white, and “false” would be green (negative) or yellow (negative) or red (negative). In key respects, this was the approach taken in NUREG-1753. The prior distributions ex-amined in this paper are 1) the constrained noninformative (CNI) prior used currently by the MSPI, 2) a mixture of conjugate priors, 3) the Jeffreys noninformative prior, 4) a nonconjugate log(istic)-normal prior, and 5) the minimally informative prior investi-gated in [1]. Results are presented for a set of base case parameter values, and three sensitivity cases in which the number of FOTP demands was reduced, along with the Birnbaum importance of the FOTP.

5:00 PMCCI or CCF incident at Forsmark NPP 25 of July 2006Göran HultqvistForsmark Nuclear power plant, Sweden

On Tuesday the 25 of July a two phase short circuit occurred when a breaker was operated in the 400 kV switch gear that connects Forsmark units 1 and 2 with the outer grid. Unit 2 was at the occurrence shut down for annual maintenance. Unit 1 was op-erating on full power. Each unit has two turbines. As a consequence of the short circuit the unit 1 generator bus bar voltages dropped substantially whereupon the induced magnetization in the generator tried to compensate for this. At the same time the 400 kV unit breakers was opened due to under- voltage. This resulted in a voltage peek of about 120% during approximately 1 second on the generator bus bars. The voltage transient resulted in the failure of two out of four UPS, sub divisions A and B. Both the rectifier and the inverter in the UPS tripped because of over-voltage. Normally the rectifiers shall trip before the inverters but in this case the voltage changed in such an unfortunate way that transient was let through the rectifiers and caused also the invert-ers to trip. UPS for sub division C and D functioned as expected. Unit 1 then went into house turbine operation but both turbines tripped within approximately 30 seconds. As the turbine speed decreased the voltage and frequency of the generator fell.When the frequency reached 47 Hz the circuit breakers for the 500 V bus bars opened resulting in a loss of power for sub divisions A and B because of the failure of UPS. As a result of the power loss in two sub divisions the reactor protection system initiated a reactor scram and isolation of the containment. Two out of four electrically operated pressure relief valves opened and two out of four high pressure emergency core cooling pumps started. The diesel generators for all four sub divisions started but in sub divisions A and B the diesel generators were not connected to the 500 V bus bars because of loss of information about the motor speed. The information was missing because of the failure of the two UPS. In the control room many alarms and other information from trains A and B was missing because of the loss of power in these two trains. Approximately 22 minutes after the initial incident the power for the 500 V bus bars in all four sub divisions was restored manually by connecting the station to the 70 kV grid. Two protections that should have prevented/restricted the effects of the incident did not work as expected due to inappropriate parameter settings (UPS) and incorrect installations (under frequency relays) performed when the plant electrical systems was modernized in 2005. The incident has led to a number of changes and adjustments in order to prevent that a similar event has the same consequences in the future. A com-prehensive corrective action plan was developed and approved by the management and the authority. The plan includes actions and improvements in the following areas: - Improvements in the management decision making process - Improvements in the plant modification/modernization process and in the maintenance process. - Improved safety culture - A sixty item hardware improvement action plan, including e.g. improve-ments in the Human-Machine interface in the main control room.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 3:45 PM - Camellia/Dogwood

Risk-Informed Decision Making - 4Session Chair: Robert Lutz

80

3:45 PMInvestigation of Probabilistic Risk Assessment for Safeguards Inspection VerificationBrent Randall Beatty, Man-Sung Yim (a), Michael D Zentner (b), George F Flanagan, Michael David Muhlheim (c)a) NCSU, North Carolina State University, Raleigh, NC, b) PNNL - Pacific Northwest National Laboratory, Richland, WA, c) ORNL - Oak Ridge National Laboratory, Oak Ridge, TN

Since the IAEA experiences in Iraq and DPRK highlighted the limitations of the Com-prehensive Safeguards Agreement (CSA) implementation, a major shift of focus in safeguards inspections has been made. The implementation of safeguards for states with CSA’s are focused on verifying the nuclear material and activities which are de-clared. However, this ‘nuclear material accountancy’, which is similar to financial ac-counting, lacks the structure necessary to quickly and consistently provide assurance of facility capability and purpose with regard to undeclared material processing and production. With more facilities coming under safeguards every day without a cor-relating increase in the number of inspectors or the inspection capacity by domestic entities or the IAEA, it has become necessary for the inspections themselves to be-come more efficient. Despite the addition of targeted training for the complexities of Complimentary Access, the inspection is very dependent on the knowledge base and proclivities of the individual inspectors. The current inspection process relies heav-ily on the individual inspector’s experience and wisdom to identify areas of risk. It is necessary to require consistency in the application of different mix of skills of various inspection teams to consistently identify the same major risk area.The objective of this research work is to investigate the use of probabilistic risk as-sessment to help safeguards inspectors understand and analyze the complexity of a nuclear facility for investigatory inspection. Development of such tool will be through the application of probabilistic risk assessment (PRA) technique. The proposed ap-plication will provide the ability to identify the potential high risk areas and evaluate the sensitivity to characteristic perturbations in the analysis in order to identify which areas of the facility would have the greatest impact on the proliferation risk if they deviated from the declared design. The Graphite Reactor at the ORNL site is chosen for the application of PRA for safe-guards inspections in this study. The choice was due to its accessibility, potential proliferation vulnerabilities, and potential for an immediate applicability of the results. Graphite reactors are particularly at risk for proliferation because they don’t require enriched uranium. Implementation of the PRA methodology, results of the analysis, and implications of the results will be discussed.. (Presentation Only)

4:10 PMAn Assessment of the Terrorists Attack Risk for a BWR Nu-clear Power Plant Using Monte Carlo SimulationMin Lee and Yi-Chang TianInstitute of Nuclear Engineering and Science, Nation Tsing Hua University, Hsin Chu, Taiwan

The risk of operating a nuclear power plant associated with the terrorist attack risk can be quantified as the summation of the risk of each individual region within the vital area of the plant. The risk of each individual region can be viewed as the product of five factors. These factors are the frequency of terrorist attack, the probability that the terrorist can break into vital area of the plant, the probability of a specific area within the vital area becomes the target of the attack, the probability that terrorist can reach the area successfully, and the conditional core damage probability (CCDP) of the spe-cific area once the terrorists reach the area. In the present study, a mathematical model is developed to quantify the probability of a specific region within the vital area of the plant becomes the target of the attack. It is assumed that the terrorists’ acts in the plant are purely random, i.e. their behavior can be simulated using Monte Carlo method with assumed probability distribution functions. The Monte Carlo simulations are performed separately for each important floor of almost all the buildings within the vital area. The probability of invaders leave the floor through a particular entrance or exit can also be determined in the simulations. Another set of Monte Carlo simulation based on these probabilities is performed to determine the probability that a particular floor and building will become the target of the attack. The surrogate plant used in the present study is Kuoshen Nuclear Power Station of Taiwan Power Company. The sta-tion employs a General Electric designed BWR VI (Boiling Water Reactor) reactor with Mark III containment. The model has identified the specific regions within the vital area of the plant that have higher risk and also the regions with higher probability that terror-ist will appear. The latter regions are also the areas that the security force can arrest the invaders. The results demonstrate that the risk of terrorist attack is dominated by the CCDP of the specific area. The results of the present study can used to enhance the security of the plant.

4:35 PMSimiting Future Proliferation and Security RiskRobert A. BariBrookhaven National Laboratory, Upton, NY

A major new technical tool for evaluation of proliferation and security risks has emerged over the past decade as part the activities of the Generation IV Interna-tional Forum. The tool has been developed by a consensus group from participating countries and organizations and is termed the Proliferation Resistance and Physical Protection (PR&PP) Evaluation Methodology. The methodology defines a set of chal-lenges, analyzes system response to these challenges, and assesses outcomes. The challenges are the threats posed by potential actors (proliferant states or sub-national adversaries). It is of paramount importance in an evaluation to establish the objectives, capabilities, resources, and strategies of the adversary as well as the design and pro-tection contexts. Technical and institutional characteristics are both used to evaluate the response of the system and to determine its resistance against proliferation threats and robustness against sabotage and terrorism threats. The outcomes of the sys-tem response are expressed in terms of a set of measures, which thereby define the PR&PP characteristics of the system. This paper summarizes results of applications of the methodology to nuclear energy systems including reprocessing facilities and large and small modular reactors. The use of the methodology in the design phase a facility will be discussed as it applies to future safeguards concepts.

5:00 PMSecurity System Designs Via Games of Imperfect Information and Multi-Objective Genetic AlgorithmsIsis Didier Lins (a), Leandro Chaves Rêgo (b), Márcio das Chagas Moura and Enrique López Droguett (a)a) Departamento de Engenharia de Produção, Centro de Estudos e Ensaios em Risco e Modelagem Am-biental, Universidade Federal de Pernambuco, Recife, PE, Brasil, b) Departamento de Estatística, Centro de Ciências Exatas e da Natureza, Universidade Federal de Pernambuco, Recife, PE, Brasil

The investments in security systems are of great importance to protect industrial plants from intentional attacks. An exhaustive analysis of the security resources’ allocation is sometimes prohibitive given its combinatorial complexity when there are several subsystems to protect and various potential security alternatives with different charac-teristics of reliability and cost. Alternatively, a multi-objective genetic algorithm is used to determine the optimal security system’s configurations representing the tradeoff between the probability of a successful defense and the acquisition and operational costs. Games with imperfect information are considered, in which the attacker has limited knowledge about the actual security system. The types of security alternatives are readily observable, but the number of redundancies actually implemented in each security subsystem is not known. In this way, this work analyzes the strategic interac-tion between a defender and an intelligent attacker by means of a game and reliability framework involving a multi-objective approach and imperfect information so as to support decision-makers in choosing efficiently designed security systems. The game equilibria are obtained via a backward induction procedure and a criterion for a single equilibrium selection is adopted. The proposed methodology is applied to an illustra-tive example considering power transmission lines in the Northeast of Brazil, which are often targets for attackers who aims at selling the aluminum conductors. The empirical results show that the framework succeeds in handling this kind of strategic interaction between defender and attacker.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 3:45 PM - Magnolia

Proliferation Risk - 2Session Chair: William Burchill

81

3:45 PMRoadmap for Attaining Realism in Fire PRAsBrent Doug True (a), Ken Canavan (b), Rick Wachowiak (c), Jim Chapman (d)a) ERIN Engineering and Research, Inc., Walnut Creek, CA, b) EPRI, Charlotte, NC, c) EPRI, Thor, IA, d) Curtiss-Wright Flow Control, Boxborough, MA

Over the past several years, U.S. nuclear power industry has undertaken a large number of plant-specific Fire Probabilistic Risk Assessment (FPRAs). Many of these FPRAs are based on NUREG/CR-6850 and have been performed in support of a transition to the risk-informed, performance-based fire protection requirements under 10 CFR 50.48(c). As these fire PRAs have moved toward completion, it has become evident to the industry practitioners that:• The manner in which fire are characterized does not appear to conform with operating experience,• The level of quantified risk appears to be overstated, as compared to operating experience, and• There appears to be an unevenness in the level of conservatism in the results that may mask key risk insights and result in inappropriate decision-making.

The need for realistic FPRAs is one that should be felt by both the NRC and licencees. Conservatively-biased PRAs do not support good decision-making:• Conservatisms in the results can mask important risk contributors• Conservatisms in the characterization of fire damage can mask the significance of plant changes• Conservatisms can lead to improper decision-making by misleading decision-makers

This paper summarizes work performed by EPRI to identify the specific areas where the current methods are departing from realism and provide a roadmap for a 3 year research and development effort in this area.

The panel and audience will discuss the issues associated with Fire PSA methods, and proposed improvements, if planned.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 3:45 PM - Salon A

Panel: Fire PSA ImprovementsSession Chair: Doug True

82

3:45 PMA Dynamic Flowgraph Methodology Approach Based on Bi-nary Decision DiagramsKim Björkman and Ilkka KarantaVTT Technical Research Centre of Finland , VTT, Finland

The dynamic flowgraph methodology (DFM) is an approach to model and analyze the behavior of dynamic systems for reliability assessment. The methodology can be utilized to identify how certain postulated top events may occur in a system. The result is a set of prime implicants which represent system faults resulting from diverse combinations of software logic errors, hardware failures, human errors, and adverse environmental conditions. A binary decision diagram (BDD) is a data structure used to represent Boolean functions applied, e.g., in fault tree analysis and model checking. This paper presents an alternative DFM approach based on BDD called YADRAT. The objective of a YADRAT model analysis is to find the root causes of the query (top event) of interest, similarly to traditional fault tree analysis. The main difference of YADRAT compared to the existing DFM approach is that YADRAT employs a BDD to represent a DFM model. Two different approaches to solving a BDD model have been implemented for exact computation of prime implicants. These approaches have previously been applied in static failure tree analysis. In this work the ideas for prime implicant calculation are adapted to a dynamic reliability approach combined with the multi-valued logic of DFM. In this paper the basic concepts and algorithms of YADRAT and the identified strengths and limitations of the employed approach are discussed. Also a case study illustrating the usage of YADRAT and a comparison of computa-tional effort between two BDD implementations is presented.

4:10 PMUse of Advanced Cutset Upper Bound Estimator (ACUBE) Software to Avoid Limitations Due to Use of Non-Rare EventsV.M. Andersen, E.T. Burns and J.R. StenderERIN Engineering and Research, Inc., Campbell, CA

Probabilistic Safety Assessment (PSA) software, such as the CAFTA suite of codes, uses approximation algorithms (such as the Minimum Cut Upper Bound (MCUB), as well as other alternative approximations) to calculate the frequency results. These approximations are acceptably accurate when the constituent probabilities in the model are small. However, when the PSA model contains a significant number of comparatively high probability (i.e., 0.1 to 1.0) basic events, such as in Level 2 PSAs, seismic PSAs, or fire PSAs, the approximation algorithms can produce unacceptable over-counting of Core Damage Frequency (CDF) or Large Early Release Frequency (LERF) results. For example, it is not uncommon for Level 2 PSAs to over-predict LERF results by 10-25%; fire PSAs to over predict CDF results by 50%, and for seis-mic PSAs to over predict CDF by factors of 2-10 depending upon the modeling ap-proach used. The Advanced Cutset Upper Bound Estimator (ACUBE) software can be used to reduce this overcounting. ACUBE processes cutsets using a binary decision diagram (BDD) algorithm to return a refined cutset result. This paper provides lessons learned and insights into the use of ACUBE to address over-counting in Level 1 PSAs, Level 2 PSAs, fire PSAs, and seismic PSAs. Practical examples from actual PSA ap-plications are presented.

4:35 PMData for Equipment and System Reliability (DESREL)Derek S. Mullin (a), Dan Morehouse (b)a) New Brunswick Power Corporation Point Lepreau Generating Station, Lepreau, NB, Canada, b) Syn-tact Consulting Inc., Saint John, NB, Canada

Since Point Lepreau Generating Station (PLGS), a CANDU™ 600 MWe nuclear facil-ity owned and operated by New Brunswick Power (NBP) in eastern Canada, began first power operation, information pertaining to experienced component failures, sys-tem unavailability and the equipment that comprised the site reliability program was stored on a VAX mainframe and in MSAccess databases. The program requirement was to quantify fault tree analyses on an annual basis to incorporate up-to-date com-ponent failure rates, update system probability of failure estimates for comparison to prescribed targets, and to adjust surveillance programs as necessary or raise other corrective actions to resolve emerging issues. This became a labor-intensive effort. In 2001 NBP began development of a full-scope Level 2 Probabilistic Safety Assessment (PSA) to meet the requirements of Canadian Regulatory Standard S-294, “Probabilis-tic Safety Assessment for Nuclear Power Plants.” To manage both the PSA and site re-liability program, efficiency in the generation of plant-specific failure rates was needed to reduce that effort and to enhance capabilities. Consequently, NBP has developed a new intranet-based software system called Data for Equipment and System Reliability (DESRel), to support both the PSA and reliability programs using the C# programming language with a .NET framework. The software is scalable, developed in a modular fashion, has been validated and allows failure rates to be generated for user-defined type code patterns required by the EPRI Risk & Reliability Workstation (i.e. CAFTA). This paper describes how the DESRel system integrates with the PSA and reliability program at NBP, its features and capabilities, and identifies possible enhancements for the future.

5:00 PMQuantifying Truncation Errors and Approximation Errors in PSA QuantificationJongsoo ChoiKorea Institute of Nuclear Safety, Daejeon, Korea

The quantification of Probabilistic Safety Assessment (PSA) of Nuclear Power Plants (NPPs) is a complicated process and always has the following two limitations: (1) Truncation Errors (TEs) in deleting low-probability cut sets and (2) Approximation Er-rors (AEs) in quantifying Minimal Cut Sets (MCSs). In practice, it has been impossible to quantify NPP PSA models without TEs and AEs. The purpose of this study is to develop a practical method which can exactly quantify the risk measures of NPP PSAs through evaluating TEs and AEs. Firstly, in order to deal with the TEs, the iterative process of reducing cutoff values and proving the convergence of risk measures is chosen. Using the plot of risk increment vs. cutoff value and the exponential fitting of risk increments caused by successive reductions in cutoff value, we can evaluate the truncation error. Secondly, the approach chosen here to deal with the AEs is “Semi-SDP method” which provides a practical solution to time-consuming SDP algorithms. Similarly to the cutoff value in MCS generation, Semi-SDP method also uses a param-eter CBA related to accuracy and computing time. Under a sufficient low CBA values, Semi-SDP method provides a good estimate of MCS quantification within a reason-able time. This paper shows that this proposed approach is successfully applied to Level 1 PSAs for internal events of NPPs.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 3:45 PM - Salon B

Computer Methods - 1Session Chair: Louis Chu

83

3:45 PMProbability of Events with Failing Control RodsGöran HultqvistForsmark Nuclear Power Plant, Sweden

Within the NPSAG group several projects have been performed to position the risk for failing control rod insertion in BWR-reactors.In a separate project 3D- thermo hydraulic code have been developed and validated for assessing the effects of failing control rods in scram scenarios. Scrams ending in hot standby or in cold shut down and even in scenarios with slowly decreasing pressure have been assessed. The changes of reactivity, water level, power, heat transfer to the condensation pool have been assessed by 2 different methods. The codes have been adjusted after assessing and comparing results from the 2 different methods. Based on verified 3D-codes the calculations have been performed to assess the consequences of- 7 , 15, 30, 64, 128 failing adjacent control rods- Failing control rods in 2 of 4 trains and in 3 of 4 trainsBased on this knowledge specific cases for needs of Boron system in PSA can be specified as- No boron needed- Boron needed after 30 minutes- Boron needed within 30 minutesThe output from this indicates that many rods can be failing without large consequenc-es. Therefore it was needed to develop methods to specify the risk for having many rods failing- as adjacent rods- as spread out rodsICDE data collected for failures in scram system and in control rod screw insertion functions have been assessed for the Nordic plant. Detailed assessments of the root cause of the failures have been developed. Based on this knowledge the indepen-dence between the two different systems has been assessed. Failure data for each function and for combined functions of these systems for insertion of control rods have been specified.. The data have also been assessed concerning risk for CCF and the degree of (incipient) CCF in each event. Based on this the CCF-factors have been developed for these functions. A specific project has been performed to develop such data including the effects of CCF. This study has been based on the ICDE-data study performed earlier.

4:10 PMA Simplified Methodology to Generate MGL-Parameter Un-certainty Distributions Using Alpha-Parameter Data from NUREG/CR-5497Joshua M. ReinertAREVA NP Inc., Marlborough, MA

This paper describes a simplified methodology to convert uncertainty in common-cause failure (CCF) data in alpha-parameter format from NUREG/CR-5497 into MGL-parameter data uncertainty. A simplified methodology is proposed that assumes a large amount of uncertainty in the beta parameter and none in the remaining MGL-parameters. This leads to overestimation of the uncertainty for CCF of two-out-of-four redundant components and a more realistic estimate of uncertainty in CCF of more redundant components, with the most realistic level of uncertainty estimated for CCF of all redundant components. Since PRA results are generally dominated by CCF of all redundant components, this proposed methodology has the advantage of producing the most realistic estimate of uncertainty for the failure mode of concern. This work describes the use of different types of uncertainty distributions. The adequacy of this approach is evaluated using simulation of a four-train system and various system success criteria.

4:35 PMParameter and Model Uncertainty Analysis using Dempster-Shafer Theory in Nuclear Probabilistic Risk Assessment.Tu Duong Le Duy, Dominique Vasseur, Mathieu Couplet (a), Laurence Dieulle, Christophe Bérenguer (b)a) Risk Management Department, Electricity of France R&D, Clamart cedex, France, b) University of Technology of Troyes, UMR STMR, Institut Charles Delaunay/LM2S, Troyes Cedex, France

In Nuclear Power Plants, Probabilistic Risk Assessment (PRA) insights contribute to achieve a safe design and operation. In this context, decision making process must be robust and uncertainties must be taken into account and controlled. In the current PRA practice, the model uncertainty due to different alternative assumptions made in logical structures of event or fault trees may be neglected or addressed only through sensi-bility studies. In this paper, two approaches for dealing with the model uncertainty: the weighted mixing approach and the enveloping approach will be presented in the Dempster-Shafer Theory framework which is used to take account of parameter un-certainty at the same time. The weighted mixing approach is recognized to be suitable only to cases where the experts have sufficient information to express their degrees of belief in terms of probabilities with regard to alternative models. On the contrary, the enveloping approach will be more appropriate to apply when no information is avail-able. This approach will be illustrated through a practical example in the context of level 1 PRA application at EDF.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisWednesday March 16, 2011 - 3:45 PM - Salon Carolina

Uncertainty Analysis & Methods - 2Session Chair: Göran Hultqvist

84

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 8:00 AM - Grand Ballroom

Plenary Session IV

Dr. Robert J. Budnitz has been involved with nuclear-reactor safety and radioactive-waste safety for many years. Bob earned a Ph.D. in experimental physics from Harvard in 1968.

Dr. Budnitz is on the scientific staff at the University of California’s Lawrence Berkeley Na-tional Laboratory (LLNL), where he works on nuclear power safety, security and radioactive-waste management. From 2002 to 2007 he was at UC’s Lawrence Livermore National Laboratory, during which period he worked on a two-year special assignment (late 2002 to late 2004) in Washington to assist the Director of DOE’s Office of Civilian Radioactive Waste Management to develop a new Science & Technology Program.

Prior to joining LLNL in 2002, Dr. Budnitz ran a one-person consulting practice in Berkeley CA for over two decades. In 1978-1980, he was a senior officer on the staff of the U.S. Nuclear Regulatory Commission, serving as Deputy Director and then Director of the NRC Office of Nuclear Regulatory Research.

Cheri CollinsCheri Collins is general manager of external alliances in Southern Nuclear’s Nuclear Develop-ment organization.

She is responsible for establishing and maintaining relationships with companies building AP-1000’s including the plants in China. Additionally, she is a primary spokesperson for new nuclear development and is responsible for developing and sustaining key alliances that ben-efit Southern Company’s nuclear operations.

Prior to her current position, Collins served as Plant Manager at the Joseph M. Farley Nuclear Plant in southeast Alabama where she oversaw all aspects of plant operations. Collins began her career with Southern Company in 1978 as a summer intern in Alabama Power’s Clanton District office. In 1982, she accepted a full-time position as a junior engineer in the safety, audit and engineering review department at Plant Farley. In 1987, Collins earned a senior re-actor operator license from the Nuclear Regulatory Commission and was promoted to opera-tions shift foreman. Collins progressed through positions of increasing responsibility at Plant Farley including licensing supervisor and shift supervisor. From 1993 to 1994 she served as a loaned employee to the Institute of Nuclear Power Operations (INPO) where she had the opportunity to observe nuclear plant operations across the country. After serving as a loaned employee to INPO, Collins’ responsibility continued to increase at Plant Farley. In 1995, she became operations support superintendent and in 1999 she was promoted to operations manager. In 2002 she became plant support assistant general manager responsible for engineering, security and training. In 2004 Collins left Plant Farley to assume the position of general manager of nuclear support at the Southern Nuclear corporate offices in Birmingham. As a general manager, she traveled to Germany to visit two nuclear plants. In 2005, while still in Birmingham, she served as Human Resources director for Southern Company Generation. In 2006, Collins was named general man-ager of Southern Nuclear’s supply chain organization.

Collins holds a bachelors of science degree in structural engineering from the University of Alabama at Birmingham. She is regularly asked to speak at industry conferences addressing various aspects of leadership. In 2001, she was a keynote speaker at the annual CEO conference of INPO. She is a member of the Women in Nuclear Organization (WIN) and has spoken at a number of the organization’s conferences.

Collins calls Eufaula, Alabama home. Her hobbies include reading and golf.

Robert J. Budnitz

85

9:00 AMApplications Guidance Document for the MAAP4 Accident Analysis CodeBarbara J. Schlenger-FaberERIN Engineering and Research, Inc., West Chester, PA

The Modular Accident Analysis Program Version 4 (MAAP4) is a computer code used by nuclear utilities and research organizations to predict the progression of LWR ac-cidents. The code simultaneously models the dominant thermal-hydraulic and fission product phenomena in both the primary system and the containment. The MAAP4 Ap-plications Guide provides detailed information to enable code users to optimize their efforts and generate high-quality Level 1 analyses for probabilistic risk assessments (PRAs). The guide also contains a compilation of summary information on the bench-marking of MAAP4 models and an assessment of the code’s ability to adequately predict significant Level 1 PRA phenomena. In addition, it specifies the code’s range of applicability and provides a comprehensive list of limitations, precautions and recom-mendations. The portions of the guide related to best practices for performing analy-ses and addressing uncertainties and sensitivities were presented at the PSA 2008 conference. The current paper contains representative highlights and insights from the portions that focus on specific guidance for BWR and PWR analyses. It describes the process and summarizes the conclusions of the review of more than 30 benchmarks by a team of MAAP4 experts. It also discusses the portion of the guide that delineates the applicability of the code, its limitations, and recommended precautions as a func-tion of sequence type and plant feature.

9:25 AMConversion of Fault Tree and Event Tree Models for PSAJohan Sörman and Ola BäckströmScandpower - Lloyds Register, Sundbyberg, Sweden

There are today 5 computer codes that are used by a majority of the world´s Nuclear Power Plant´s for Fault Tree and Event Tree modeling and PSA. The computer codes display differences in the way fault trees and event trees are realized, but in particular they include many advanced features that have been implemented based on different philosophies.In a transition from one code to another it is therefore important to have knowledge about each codes special and advanced features to best translate them, making opti-mal use of the advanced features in the code you are moving to.Most nuclear power plants continue to use the PSA software code they started using when first developing their PSA, but in some occasions transitions from one code to another is done including a conversion of the fault tree and event tree models. National regulatory authorities may have to be able to convert from one fault tree and event tree model in one software to another, because they have chosen to use one of them for their regulatory process and the fault tree and event tree models they receive are made in different PSA software.This paper discusses technical issues moving a fault tree and event tree model from one software to another. What are the similarities and what are the differences in the fault tree and event tree model software of today?

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Azalea

Computer Methods - 2Session Chair: Kyle Metzroth

86

9:00 AMDevelopment of Core Damage Frequency Evaluation Code for NPP Due to Components Aging DegradationMasajiro Sugawara, Hitoshi Muta and Haruo FujimotoJapan Nuclear Energy Safety Organization (JNES), Tokyo, JAPAN

A part of accidents has the potential to be induced by the age-degradation of compo-nents. The feature of failure rate of components has bathtub curve, i.e., initial failure rate (decreasing rate in time), random failure rate (constant rate in time) and wear-out failure rate (increasing rate in time). However, in many probabilistic safety assess-ments (PSAs), core damage frequency (CDF), containment failure frequency (CFF) and large early release frequency (LERF) are estimated using only component’s ran-dom failure rate. This is because of difficulty of treating aging-effect directly into the ordinary fault trees. In this situation, CDF, CFF and LERF have cyclic feature and never grows its value even in the end of nuclear power plant (NPP) life time.This paper shows the development of analysis model, computer code and sample calculation of aging-effects for PSA use.

9:25 AMInclusion of Passive Failures in a PRA System for Long Term Operation ConsiderationsL. L. Genutis, B. R. Baron, S. A. Nass (a), D. M. Tirsun (b)a) Westinghouse Electric Company LLC, Cranberry, PA, b) Westinghouse Electric Company LLC, Co-manche Peak Nuclear Power Plant, Glen Rose, TX

Passive failures, such as pipe failures in mitigating and support systems, are not typi-cally explicitly included in a Probabilistic Risk Assessment (PRA) model; however, passive failures are considered for aging management decisions and evaluations. As utilities begin to consider plant life extension beyond 60 years, it is useful to include PRA as potential input to plant decision making related to aging management and long term operation. One way to jointly consider PRA and aging management is to evaluate the sensitivity of PRA results to the addition of passive failures that are not typically in-cluded in the PRA but could impact aging management decisions. This paper presents a study of the risk impact of passive failures in the Station Service Water (SW) support system for the Comanche Peak Nuclear Power Plant (CPNPP) PRA model. Piping segments within the current CPNPP PRA model’s SW flowpath were added to the CP-NPP PRA model of record to create a base Aging Management model. Core Damage Frequency (CDF), SW Initiating Event Frequency, and impact on failure probability of the Auxiliary Feedwater System (AFW) (SW is AFW’s backup supply) were quantified using the Aging Management model. Sensitivity studies were then performed.The results demonstrated that the addition of new failures shows a measurable in-crease in results. This is expected because the SW System provides cooling to a number of mitigating systems including the Emergency Core Cooling System, Diesel Generator, and Auxiliary Feedwater.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Camellia/Dogwood

Aging in PSA - 1Session Chair: Karl Fleming

87

9:00 AMEffect of Testing Coverage on Software Reliability - An Ex-perimental InvestigationSergiy VilkomirEast Carolina University, Greenville, NC

Logical expressions are often used to formalize software specifications of safety-criti-cal systems. These logical expressions can be tested using software testing methods (criteria) that include Decision Coverage (DC), Condition Coverage (CC), Decision/Condition (D/CC), and Modified Condition/Decision Coverage (MC/DC). Selection of the appropriate testing method is an important practical task. A significant characteris-tic for this selection process is understanding the effect of testing methods on software reliability, specifically their ability to reveal faults. This paper provides experimental results for determining the probabilistic characteristics of effectiveness of testing cri-teria. A logical expression, which is typical for nuclear reactor protection system logic, is used as a case study for this research. Probabilities for a test set to reveal a fault in the logical expression are evaluated for DC, CC, D/CC, and MC/DC. Our experimental results show that, when compared with random testing, using DC, CC, or D/CC criteria do not provide significant benefits. At the same time, the results confirm that MC/DC is a reasonable and effective technique to test logical expressions in software.

9:25 AMReview of Quantitative Software Reliability MethodsTsong-Lun Chu, Meng Yue, Gerardo Martinez-Guridi, and John LehnerBrookhaven National Laboratory, Upton, New York

For several years, Brookhaven National Laboratory (BNL) has worked on Nuclear Regulatory Commission (NRC) projects to investigate methods and tools for the prob-abilistic modeling of digital systems. However, the scope of this research principally focused on hardware failures, with limited reviews of software failure experience and software reliability methods. An important identified research need is to establish a commonly accepted basis for incorporating the behavior of software into digital instru-mentation and control (I&C) system reliability models for use in PRAs. To address this need, BNL is exploring the inclusion of software failures into the reliability models of digital I&C systems, such that their contribution to the risk of the associated nuclear power plant (NPP) can be assessed. Two tasks were undertaken towards this objec-tive: (1) establishment of a philosophical basis for incorporating software failures into digital system reliability models for use in PRAs and (2) review of quantitative software reliability methods (QSRMs).The objective of this paper is to summarize the work accomplished under the second task and documented in a BNL report. The objective of reviewing the QSRMs was to gain comprehensive knowledge of available methods, especially those emphasizing the quantification of software failure rates and probabilities that might be employed in reliability models of digital systems used in NPP PRAs. The review was built upon BNL‟s previous reviews of software reliability methods, and on leveraging earlier work sponsored by the NRC and by the National Aeronautics and Space Administration (NASA).

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Magnolia

Software ReliabilitySession Chair: Mike Yau

88

9:00 AMA Holistic Approach for Performing Level 1 Fire PRAMarina Röwekamp and Michael Türschmann (a), Heinz-Peter Berg (b)a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, b) Department of Nucle-ar Engineering, Bundesamt für Strahlenschutz (BfS), Salzgitter, Germany

For performing a state-of-the-art Fire PRA it is essential to establish and apply a comprehensive database in a well-structured and easily traceable manner. Such a database structure has been developed and the compilation of data and information needed has been demonstrated for performing a Level 1 Fire PRA for full power states to a German nuclear power plant with boiling water reactor (BWR). To achieve a holis-tic approach this database has been enhanced such that it can also be used to derive a Level 1 Fire PRA for low power and shutdown states. For an easier application by external users, the user interface of the database has also been improved.A thoroughly investigated database provides a suitable tool to assist the Fire PRA ana-lyst by means of its implemented functions such as data examination and preparation, analysis and application as well as in the review of a Fire PRA.It is demonstrated that the general methodology for performing Fire PRA as described in the German Probabilistic Safety Analysis Guide can be applied both for full power as well as for low power and shutdown plant operational states. However, some dif-ferences in the data (e.g., unavailability of systems, transient fire loads, and hot work) must carefully be regarded. In the contribution, the structure and use of the fire data-base established is explained in detail. Two aspects are particularly emphasized. First, it is outlined how the database is used to provide the input data for PRA modeling software in case of screening analyses in a systematic and mainly automatic manner. This is compared to the preparation of input data for calculating the conditional core damage frequency for selected fire sources in the detailed analyses. Secondly, the stepwise process of determining fire occurrence frequencies during screening and detailed analyses is depicted and the support which can be provided by a comprehen-sive, traceable and integral database is described.

9:25 AMCalculation of Fire Severity Factors and Fire Non-Suppres-sion Probabilities for a DOE Facility Fire PRATom Elicson (a), Jim Bouchard and Heather Lucek (b), Bentley Harwood (c)a) WorleyParsons Polestar, Inc., Hudson, OH, b) WorleyParsons Polestar, Inc., Idaho Falls, ID, d) Idaho National Laboratory, Battelle Energy Alliance, LLC, Idaho Falls, ID

Over a 12 month period, a fire PRA was developed for a DOE facility using the NUREG/CR-6850 EPRI/NRC fire PRA methodology. The fire PRA modeling included calcula-tion of fire severity factors (SFs) and fire non-suppression probabilities (PNS) for each safe shutdown (SSD) component considered in the fire PRA model. The SFs were developed by performing detailed fire modeling through a combination of CFAST fire zone model calculations and Latin Hypercube Sampling (LHS). Component damage times and automatic fire suppression system actuation times calculated in the CFAST LHS analyses were then input to a time-dependent model of fire non-suppression probability. The fire non-suppression probability model is based on the modeling ap-proach outlined in NUREG/CR-6850 and is supplemented with plant specific data.This paper presents the methodology used in the DOE facility fire PRA for modeling fire-induced SSD component failures and includes discussions of modeling techniques for:• Development of time-dependent fire heat release rate profiles (required as input to CFAST),• Calculation of fire severity factors based on CFAST detailed fire modeling, and• Calculation of fire non-suppression probabilities.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Salon A

Fire PSA Methods - 8Session Chair: Brandi T Weaver

89

9:00 AMDealing with System Recoveries in Event TreesMohamed Hibti and Anne DutfoyEDF R&D, cedex Clamart, France

PSA models are generally supported by a classical event tree approach. For level 2 applications, there is a need to integrate system recoeveries to reduce conservatism and allow consideration of some dynamic phenomena. In this paper, we propose an apprach to model system recoveries in event tree sequences such that automated treatment can be done for quantication issues without post-treatments which may be very convenient for models that are dedicated to uncertainty and sensitivity analysis. Three methods are proposed : the rst is based on integration of recovery events for some signicant components, the second consider what we call functional groups, and the third is based on the combination of the event tree approach with a dynamic frame-work. In the last approach, to model recovery, sequences, obtained from a Boolean driven Markov processes quantication, are integrated in the form of trees representing their minimal content.

9:25 AMThe Plant Damage States Analysis for CPR1000 at Power Op-erationPENG Changhong and ZHANG NingChina Nuclear Power Technology Research Institute, Shenzhen, China

In PSA model, the quantification of Level 2 consists of two distinctive stages: 1) propa-gation of Level 1 core damage sequences to plant damage states (PDS) and 2) map-ping of PDS to Level 2 release categories. The Level 1 PSA identifies a large number of accident sequences which lead to core damage. Accident sequences should be grouped together into plant damage states (PDS) so that all accidents within a given PDS can be treated in the same way for the purposes of the Level 2 PSA. The first stage is performed by means of interfacing event trees or, so called, bridge trees. The PDS analysis and bridge tree for CPR1000 at power operation should consider the following attribution: Status of RCS at onset of core damage; Status of Emergency Core Cooling system (ECCS); Status of Containment Spray Injection and Recircula-tion; heat removal and status of the Steam Generators; Status of AC Power and Ac-cumulator. For each of these sequences with frequency of at least 1E-10 /yr in which not all the attribution can be indentified in Level 1 model, a specific bridge tree should be developed. The end states of bridge tree or Level 1 model sequences represent plant damage states (PDS). The PDS with similar accident progression can be binned into a same group, PSDG. At last, the frequency and attribution of top five PDSG can be provided.

9:50 AMA Monte Carlo Approach for Categorizing LERF Scenarios in Loss of Decay Heat Removal Accident SequencesDonald E. Vanover and Robert J. WolfgangERIN Engineering and Research, Inc., West Chester, PA

Recent Emergency Planning (EP) inputs have indicated that guidance is now provided to not to call for a General Emergency (GE) until multiple barriers are determined to be lost (unless there is a scenario specific alternative, e.g., Station Blackout). If these recent EP interpretations of the Emergency Action Levels (EALs) are used and applied to the Class II long term severe accident sequences, then the LERF risk metric would increase significantly for most BWRs. Alternatively, credit for the ERO, the state, the NRC, and vendor inputs into the decision making process can be anticipated and legitimately integrated into the LERF assessment process. Additional considerations regarding the potential variability of evacuation times with respect to variations in the magnitude of the releases and when they become a candidate for a large release can also be integrated into the LERF assessment process.The intent of this paper is to describe an approach that was developed to assess the various inputs that go into the determination of a “Large” and “Early” release for long term loss of decay heat removal scenarios. Once these inputs are assessed, each of the inputs are integrated using a Monte Carlo approach factoring in the uncertainty as-sociated with each key input to determine the overall probability that a large and early release occurs in these scenarios.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Salon B

Level II/III PSA - 1Session Chair: Paul Boneham

90

9:00 AMApproaches for Addressing Parametric and Modeling Uncer-tainties in a Refernce PWR PRAYoung G. Jo and Beomhee JeongSouthern Nuclear Operating Company, Birmingham AL

In this paper, approaches used in a reference PWR PRA for addressing paramet-ric and modeling uncertainties were discussed. A challenge in performing parametric uncertainty analysis is to properly treat the state-of-knowledge correlations among basic event probabilities. An approach was developed and applied successfully for treating the state-of- knowledge correlations effectively in CAFTA and UNCERT codes environment. The basic strategy for reducing modeling uncertainties in the reference PWR PRA was to perform accident analysis as many as possible using MAAP code from the early stage of the PRA modeling and use the results and insights from such MAAP analyses in PRA modeling , especially in determining success criteria, event progresses, timings for operator actions, and timings for recoveries. In some cases, sensitivity studies were performed to address uncertainties. Insights from uncertainty analyses included a potentially significant under estimation of interfacing system loss of coolant accident risk if the-state-of-knowledge correlations are ignored, significant difference in plant responses to a different break sizes in a same loss of coolant ac-cident category or steam generator tube rupture initiating event, and the significant impacts of steam generator tube condition on large early release frequency. Since steam generator tube condition affects large early release frequency significantly, it is needed to re-evaluate the steam generator tube condition during the future updates of the reference PWR PRA to reflect such impacts properly. Also, even though much ef-forts had been made beforehand to reduce modeling uncertainties, when it is required to evaluate the risk associated with a very specific case, like a loss of coolant accident with a known break size, it may be desirable to perform additional case specific ac-cident analysis and PRA modeling in order to evaluate the associated risk more ac-curately and to support a proper risk informed decision making.

9:25 AMUncertainty Assessment Methodology for Probabilistic Risk Assessment (PRA); Data, Methods, Models, and InputsMohammad Pourgol-Mohammad (a), Seyed Mohsen Hosseini (b)a) FM Global, Norwood, MA, b) Science and Research Branch, Islamic Azad University, Tehran, Iran

Uncertainty analysis is a crucial step in process of probabilistic risk assessment (PRA) for better management and decision making purposes. This paper reviews the process of uncertainty analysis and methodologies for characterization of the uncertainties and their treatment in probabilistic risk assessment (PRA). This research is limited to Fault Tree (FT) and Event Tree (ET) methodologies only and deals with all uncertainties in process of PRA level I. A literature review was conducted on the subject to evaluate the state of the art on the topic. Uncertainty taxonomy is reviewed in this research to better address different sources of uncertainty. A hybrid method of maximum Entropy approach supported by Bayesian Updating is proposed to quantify the parameters’ uncertainties effectively by using all relative and partially relative data and informa-tion. Bayesian approach is utilized for the inference of the parameter uncertainties. Examples from applications are provided for greater clarification of the proposed un-certainty analysis techniques.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 9:00 AM - Carolina

Uncertainty Analysis & Methods - 3Session Chair: Gabriel Georgescu

91

10:15 AMExperiences from Implementation of Updated Reliability Data for Piping Components Using the R-BookAnders Olsson and Vidar Hedtjärn Swaling (a), Bengt Lydell (b)a) Scandpower-Lloyd’s Register, Sundbyberg, Sweden, b) Scandpower-Lloyd’s Register, Houston, Texas

The Nordic PSA Group (NPSAG) has undertaken to develop a piping reliability pa-rameter handbook – the so-called R-Book – for use in risk-informed applications. The scope of R-Book is to establish high quality reliability parameters that account for the Nordic and Worldwide service experience with safety-related and non-safety-related piping systems in a consistent and realistic manner. The first version of R-Book was released at the beginning of 2010 and covers ASME Code Class 1 or 2 piping com-ponents.This paper presents the whole process from start to finish: (1) The derivation of ap-plication-specific event populations and corresponding exposure terms, as input to R-Book. (2) The methodology for deriving rupture/leakage frequencies from raw data and some examples of results. (3) The first experiences gained from using R-Book data for assessment of LOCA frequencies in Swedish PSA’s.

10:40 AMComponent Failure Rate Refinement Using RADS/EPIX/IEDB for Prairie Island PRAS. Eide (a), A. Peterman, D. Malek, and J. Ritter (b)a) Scientech, A Curtiss-Wright Flow Control Company, Idaho Falls, ID, b) Xcel Energy, Welch, MN

The RG 1.200 probabilistic risk assessment (PRA) upgrade project for the Prairie Island Nuclear Generating Plant (PINGP) included the use of NUREG/CR-6928 as the main source for industry-average component failure rates. Plant-specific data were collected for significant events to use in Bayesian updates of the industry-average priors. Preliminary quantification results indicated that several component type codes were dominating the results. For those cases, both the applicability of the prior and the plant-specific data (if available) were reviewed. This paper deals with refinements of the prior distributions using more specific searches of the Equipment Performance and Information Exchange (EPIX) data and the Initiating Event Database (IEDB) using the Reliability and Availability Data System (RADS) software. For each of seven com-ponent failure modes, a RADS/EPIX or RADS/IEDB search was conducted to obtain a more specific or applicable prior distribution. The search in some cases also included a review of the failure events identified in the search to eliminate events that were not applicable. Also, in one case the trend over 1988 – 2007 was significant so only data over 2003 – 2007 were used. The result of this effort was a greater than 50% reduction in the internal event core damage frequency.

11:05 AMPSA Generic Component Failure Rate Database Update Meth-odologyAaron M. LeeReliability and Safety Consulting Engineers, Inc., Knoxville, TN

There are many methods of combining different types of data while updating the data with new sources of data recently made available. This paper presents the methodol-ogy used for combining multiple sources of generic data with multiple sources of his-torical data while simultaneously updating the data with the most current data available from NUREG/CR-6928. Also, the methodology provides a way of reconciling some of the NUREG/CR-6928 data with how the data is presented in previous generic sources. An example of this is the addition of “running” and “standby” component failure rates in the NUREG/CR-6928 report. The NUREG/CR-6928 also came with the added benefit of adding many new components and failure modes to the database while the other generic databases and plant experience included components and failure modes that were not included in NUREG/CR-6928. The overall results of the work show that after changing methodology and inclusion of NUREG/CR-6928 data that the estimate for the rate of failure of each failure mode is relatively unchanged when compared to the original values. or example, a motor-operated valve fails to open or close failure in the previous version of the database had a failure rate of 3.00E-3/demand. After the update, it had a value of 3.89E-3/demand. However, the added benefit of having ad-ditional components and component failure modes to include in the database makes updating a database with NUREG/CR-6928 data in it worthwhile.

11:30 AMUse of RADS/IEDB To Refine Initiating Event Prior Distribu-tions for the Calvert Cliffs PRAR. Marlow and S. Eide (a), J. Stone and J. Landale (b)a) Scientech, A Curtiss-Wright Flow Control Company, Idaho Falls, ID, b) Constellation Energy Nuclear Group (CENG), Lusby, MD

The RG 1.200 probabilistic risk assessment (PRA) upgrade project for the Calvert Cliffs Nuclear Power Plant (CCNPP) included a large number of initiating events (IEs) and the use of NUREG/CR-6928 as the main source of industry-average frequency distributions. Those IE frequency distributions can be used as prior distributions in Bayesian updates incorporating plantspecific data as the evidence. Many of the IE distributions in NUREG/CR-6928 were generated using the Reliability and Availability Data System (RADS) and the Initiating Event Database (IEDB). However, the IE cat-egories in NUREG/CR-6928 are general in scope and do not include the more spe-cific IEs often modeled in current industry PRAs. This paper describes the additional RADS/IEDB analyses performed to develop priors for the detailed IE categories used in the CCNPP PRA. Methods in NUREG/CR-6928 were used to determine the ap-propriate periods to use for CCNPP-specific IE data when trends existed. Finally, the method used to determine whether the prior distributions developed were consistent with the CCNPP data is explained.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Azalea

PSA Data AnalysisSession Chair: Dana Kelly

92

10:15 AMInvestigation of Ageing Impact on Safety Systems’ ReliabilitySh. Poghosyan and A. AmirjanyanNuclear and Radiation Safety Center, Yerevan, Armenia

Safety performance of nuclear installations mostly depends on risk-significant safety systems’ reliability. PSA studies show that final results are very sensitive to the reli-ability parameters of safety-related components. So factors influencing reliability of particular components could also have significant impact on plant risk and play im-portant role in riskinformed decision making process. One of the main factors which could affect component reliability is ageing process. Ageing issue is becoming more important as average age of operating nuclear plants is about 25 years. This paper is devoted to the numerical evaluation of ageing impact on safety-related components reliability. Time-dependent reliability models have been used to investigate behavior of safety systems’ reliability.

10:40 AMMulti-State Physics Models of Aging Passive Components in Probabilistic Risk AssessmentStephen D. Unwin, Peter P. Lowry, Robert F. Layton, Jr., Patrick G. Heasler, and Mychailo B. ToloczkoPacific Northwest National Laboratory, Richland, WA

Understanding the long-term reliability performance of passive components and the extent to which safety margins are preserved will be critical to decisions on reactor life extension. Multi-state Markov modeling has proved to be a promising approach to estimating the reliability of passives - particularly metallic pipe components - in the context of probabilistic risk assessment (PRA). These models consider the progres-sive degradation of a component through a series of observable discrete states, such as detectable flaw, leak and rupture. Service data then generally provides the basis for estimating the state transition rates. Research in materials science is producing a growing understanding of the physical phenomena that govern the aging degradation of passive pipe components. As a result, there is an emerging opportunity to incorpo-rate these insights into PRA. In this paper a state transition model is described that addresses aging behavior associated with stress corrosion cracking in ASME Class 1 dissimilar metal welds – a component type relevant to LOCA analysis. The state transition rate estimates are based on physics models of weld degradation rather than service data. The resultant model is found to be non-Markov in that the transition rates are time-inhomogeneous and stochastic. Numerical solutions to the model provide insight into the effect of aging on component reliability.

11:05 AMEvaluation Of Pipe Rupture Frequency For NPP Goesgen Us-ing Markov ModelsKozlik, T., Klügel, J.-U. (a), Dinu, I.P. (b)a) NPP Goesgen-Daeniken, Switzerland, b) CNE Cernavoda, Romania

Based on information from the International OPDE pipe failure database and from plant specific information, a Markov model was developed for estimating pipe rupture frequency to support PSA LOCA and internal flood analysis. The main purpose of the model is to obtain more realistic pipe rupture frequencies based on plant-specific information including ageing effects. The model was applied to evaluate LOCA fre-quencies and pipe rupture frequencies for ASME class 1 piping. The results obtained were compared with results derived from traditional Bayesian approaches. Significant conservatism of current LOCA frequency estimation methods was demonstrated. The model was also used to study alternate In-Service-Inspection practices for ASME class I piping. The method is intended to be used for estimating pipe rupture frequency of high pressure piping located in the secondary containment of the plant that have a potential to cause internal floods and harmful environmental conditions. The paper presents the essential step of model development and the results of its application. The paper presented is a contribution of NNP Goesgen-Daeniken to the Ageing PSA research network of the European Union.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Camellia/Dogwood

Aging in PSA - 2Session Chair: Hitoshi MUTA

93

10:15 AMPsa and Risk Monitor for the Electrical GridZoltan Kovacs and Pavol HlavacRELKO Ltd, Bratislava, Slovakia

The deregulated power market has already contributed to conditions that challenge the stability of the grid. Restructuring of power systems to promote market-based dis-patch was designed, in part, to increase utilization of existing assets. It has resulted in greater power transfers over longer distances. This has increased the loading of the transmission grid and also made local reliability more dependent on distant events. On the other side, the customer expectations of reliability are increasing and the con-sequences of power outages have never been greater. Even small weak points in the power transmission system, if undetected and uncorrected, might eventually lead to costly outages or trigger cascading failures that affect large regions. The traditional approach to electrical grid reliability is based on deterministic analyses for conges-tion and transient response under normal conditions or a condition that satisfies a single failure criterion. However, under the changed conditions this approach is not enough. The probabilistic approach should be used which can help to identify and cor-rect potential weak points in the power system long before they trigger costly failures. Powerful reliability methods (PSA) have been developed over the past three decades, which can be tailored for use in evaluating the reliability of the existing and the future electrical grid system. Given a PSA model of the grid constructed, the risk monitor can be developed. This is a specific real-time analysis tool of the grid which can be used to determine the instantaneous risk based on the actual status of its systems and components. At any given time, the risk monitor reflects the current grid configuration in terms of the known status of the various systems and components. For example, whether there are any components out of service for maintenance or tests. The risk monitor is based on the PSA model. It can be used by the staff in support of opera-tional decisions. PSA and risk monitor is being developed for the Slovak transmission grid within a project supported by the Slovak Research and Developing Agency. This paper describes the preliminary results of this project.

10:40 AMDevelopment of the Risk Monitoring System “COSMOS” and Application for the Risk Evaluation During Online Mainte-nanceHirohisa TANAKA (a), Junji NYUUI (b), Akira HASHIMOTO and Takahiro KURAMOTO (c)a) The Kansai Electric Power Company, (Currently belong to International Atomic Energy Agency), b) The Kansai Electric Power Company, Fukui, JAPAN, c) Nuclear Engineering, Ltd., Osaka, JAPAN

The Japanese utilities have been applying risk monitoring system. It was first intended to introduce risk monitoring system for outage work planning. In addition, the utilities are considering the possibility of applying risk monitoring system to on-line mainte-nance (OLM) in the near future, and making necessary preparations in a steady man-ner. The Kansai Electric Power Company (KANSAI) and Nuclear Engineering Ltd. (NEL) are jointly working to develop the risk monitoring system “COSMOS” aiming at the utilization of the system to optimize nuclear power plant (NPP) operation and maintenance activities. COSMOS, which is intended for level 1 PSA at power and during shutdown, has the complete linkage with the comprehensive PSA tool, RISK-MAN, which is widely adopted by NPPs at home and abroad. This paper explains how KANSAI and NEL are working on the application of risk monitoring system in planning the outage work and on-line maintenance activities. Regarding the outage work plan-ning, KANSAI’ s plants are conducting Level 1 shutdown PSA by using a simplified risk monitoring system now, and planning to introduce COSMOS for the future outage work planning. In planning OLM activities, it is necessary to evaluate the risk levels of individual configurations in advance in which specific systems and components are placed out-of-service according to the predetermined scope of isolation. It is planned to apply COSMOS to the evaluation of risk levels. We will make a continuous effort to extend COSMOS functions considering experience with the actual application of risk monitoring system in OLM and outage work planning.

11:05 AMDevelopment of OLM Configuration Risk Management Ac-tions for Potential Use by Japanese UtilitiesHidetaka Imai, Ken-ichi Bando, Koichi MiyataTokyo Electric Power Company, Tokyo, Japan

In Japan, an overarching objective of nuclear power plant (NPP) operators is to achieve enhanced operational performance. One significant component of meeting this objective is to initiate the performance of on-line maintenance (OLM) throughout the fleet of commercial NPPs in Japan. Because Japanese NPPs currently do not per-form voluntary maintenance activities that remove plant safety systems from service, the development, approval and implementation of this strategy is a complex evolu-tion requiring the participation of the nuclear operating companies and the Japanese regulatory authority. Implementing a strategy that will safely and effectively permit the conduct of OLM requires a comprehensive and coordinated effort among all Japanese NPP operators. To achieve this objective, the Japanese Federation of Electric Power Companies formed a task force that consists of members from each nuclear operat-ing company in Japan to develop the requirements for performing OLM. In this paper, we describe the development of a process to evaluate and manage configuration risk during the conduct of OLM at Japanese NPPs. The proposed approach was initially modeled based on the approach utilized by many NPP operators in the United States. However, there are numerous significant cultural and regulatory differences between Japan and the US (for example, there is no regulation in Japan comparable to the Maintenance Rule). As a result, the initial requirements have evolved to address the unique circumstances associated with application of OLM within the Japanese con-text. In this paper we describe the approach and requirements for OLM configuration risk management that have been developed for application in Japan.

11:30 AMImplementation of Risk Monitoring Technology at Russian Federation VVER-1000 Reactors With Risk WatcherFrancisco Osorio, Carlos López and Alfonso SánchezIberdrola Ingeniería y Construcción, Madrid, SPAIN

Risk monitoring technology has been widely used both to determine the instantaneous risk depending on the availability of the plant components, and to help on plant safety manage over the time. This is the first Risk Monitor developed in Russia according to international Standards. In order to implement this technology, three main phases has been developed. Phase 1: Improving the PSA quality to achieve IAEA Standards for this kind of application. Phase 2: Developing the risk monitor model using Risk Watch-er software. Phase 3: Transfer the know-how on risk monitoring technology. Balakovo NPP has been selected by the Russian utility Rosenergoatom as the pilot plant, and Risk Watcher (ScandPower risk monitor software) as the software toolbox.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Magnolia

Risk MonitorsSession Chair: Tom Morgan

94

10:15 AMExamination of the Efficacy of the NFPA-805 “Fire Modeling” Approach (Comparison Between “Maximum Expected” and “Limiting” Fire Scenarios)Raymond HV GallucciU.S. Nuclear Regulatory Commission (NRC), Washington, D.C.

National Fire Protection Association Standard 805 permits the use of fire modeling to quantify the fire risk and margin of safety when using the performance-based ap-proach to demonstrate compliance, provided that there is a “sufficiently large” margin between the “maximum expected” and “limiting” fire scenarios. This paper attempts to develop quantitative insight to determine what might constitute this “sufficiently large” margin based on heat release rates (HRRs) typical of ignition sources (combustibles) at nuclear power plants. The results indicate that this comparative approach may be practical only for “low” HRRs (say on the order of 100 kW), for which there is relatively small uncertainty (narrow variability) in the HRR distribution. In general the efficacy of this comparative approach increases as the uncertainty in the HRR decreases and the magnitude of the “limiting” HRR relative to the “maximum expected” HRR increases.

10:40 AMFailure Mode and Effect Analysis of Cable Failures in The Context of a Fire PSAJoachim Herb and Ewgenij PiljuginGesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, München, Germany

A computer aided methodology based on the principles of FMEA (failure mode and effect analysis) has been developed to systematically assess the effects of cable fail-ures caused by fire in a nuclear power plant. It is intended to use this method as an integral part of Level 1 Fire PSA in Germany. The main purpose of the methodology and its supporting tools is to improve the comprehensibility and completeness of cable failure analysis within the context of Fire PSA. The main objective of the presented methodology is the standardization of the FMEA for similar components of affected electrical circuits. Cable FMEA (CaFEA) consists of two phases of analysis: In the first phase an analysis of generic cable failures of standardized electrical circuits of the nuclear power plant is performed. In the second phase for each cable those generic failure modes are identified which could affect safety relevant components. The spe-cific effects identified in the second phase of the FMEA are mapped to basic events used as initiating events and/or component failures in the Fire PSA. The suitability of the presented methodology has been already successfully demonstrated by an exemplary application for the cables within a selected fire compartment of a nuclear power plant.

11:05 AMThermal Hydraulic Parametric Studies of Multiple Spurious Operations Using MAAPJohn R. OlveraEPM, Inc., Risk Solutions Division, Hudson, WI

The potential for fire-induced multiple spurious operations (MSOs) of equipment is included as part of the Fire PRA analysis. MSOs could result in a number of adverse conditions including various loss of reactor coolant events, loss of reactor coolant sys-tem pressure control, and loss of decay heat sink. Although not all of these scenarios result in a risk significant outcome, it is instructive to determine the bounding limits of the reactor coolant system and associated emergency cooling systems in order to provide guidance for the fire PRA and human reliability analysts.The MAAP code is used to analyze various combinations of MSOs in order to provide bounding information on system capability and operator action timing. The MSOs that are studied that affect the primary system at a pressurized water reactor include the spurious opening of a pressurizer power operated relief valves, letdown valves, and reactor vessel and pressurizer head vents. In combination with these types of MSOs, studies also include the impact of excessive reactor coolant pump seal leakage. Fi-nally, the spurious operation of the primary system pressure control systems is also examined.These studies provide useful information regarding the feasibility of recovering from various MSO combinations, and the related timing to prevent escalation to more chal-lenging transients up to and including core damage. The results demonstrate the de-gree of importance of potential MSO scenarios to the Fire PRA.

11:30 AMEvaluation of Heat Release Rates of Vertical Electrical Cabi-net FiresPierre Macheret and Paul J. AmicoScience Applications International Corporation, Las Vegas, NV

Two models calculating the peak heat release rate (HRR) in vertical cabinet fires were developed, based on existing fire test data published in the literature. The first model establishes proportionality between the peak HRR and the energy released through combustion when there is no limitation on oxygen availability, and further relates this energy to the initial fuel loading of the cabinet. The effect of IEEE-383-type cable quali-fication on the HRR is taken into account. Dependencies between random parameters are captured via a hierarchical Bayes model, which is run using Markov Chain Monte Carlo sampling. The model is used to produce scoping HRR values, which are found to be compatible with predictions of an alternative model published in the literature. Taking the cabinet volume as a proxy for fuel loading, the model is used to produce HRR values based on overall cabinet dimensions. The second model modifies exist-ing analytical formulations of the peak HRR under ventilation-restricted conditions, by probabilistically accounting for random variables such as variations in the vent area due to the formation of gaps from cabinet door warping by thermal stress. With this model, scoping HRR values are calculable based on simple cabinet geometry pa-rameters including information on inlet and outlet vent areas. Limitations to the model validity are explored. The scoping HRR values of both models are viewed as refining those given in Table G-1 of NUREG/CR-6850-EPRI 1011989.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Salon A

Fire PSA Methods - 9Session Chair: Dennis Henneke

95

10:15 AMExamination Deterministic Analysis of Severe Accidents to Support Design Certification of the Nuscale PWRJason Pottorf, Kent Welter, Wendell Wagner (a), Mark Leonard (b)a) NuScale Power, Inc., Corvallis, OR, b) dycoda, LLC, Los Lunas, NM

The analysis of accidents that result in physical damage to the reactor core is an es-sential element of the design certification process for the NuScale PWR. The type and frequency of such accidents is determined by Probabilistic Risk Assessment (PRA). The physical and temporal progression of damage to the reactor core, as well as the quantitative assessment of fission product release and transport away from fuel, is cal-culated in an integrated computational model developed with the MELCOR computer code. MELCOR provides a convenient framework for modeling the innovative design features of NuScale due to the modular “building block” architecture of the code. An overview of the NuScale MELCOR model is provided, which highlights the technical challenges and progress made to validate the important features of calculated results. Foremost among these features is retention and cooling of debris within the lower head of the reactor pressure vessel (RPV). The physical configuration of the steel containment pressure vessel, which is fully-submerged in a large reactor cooling pool, ensures an adequate source of water for RPV lower head heat transfer and passively cooled surfaces for condensation of resulting steam. Another unique and important feature of the NuScale design is enhanced in-vessel retention of fission products via efficient deposition on twin helical coil steam generators that are mounted within the RPV. The manner in which these design features are modeled is discussed, and their impact on radiological source terms is quantified.

10:40 AMA Methodology for the Characterization of Severe Accident Consequences and the Results Presentation in Level 2 Proba-bilistic Safety AssessmentN. Rahni, Y. Guigueno, E. Raimond, J. Denis, M. Baichi, T. Durin, B. Lau-rentInstitut de Radioprotection et de Sûreté Nucléaire, Fontenay-aux-Roses - France

To provide a better understanding of the results of its L2 PSA and to facilitate their adoption for decision making, IRSN has developed a methodology for the charac-terization of the severe accident risks identified in the L2 PSA. A dedicated very fast running code has been developed for the calculation of radioactive releases, while ra-diological consequences assuming standard meteorological conditions are estimated using software originally developed for crisis management. These tools are integrated within the L2 PSA APET (Accident Progression Event Tree) through the KANT proba-bilistic software. The global L2 PSAs results now offer many keys for the risk analysis and help IRSN to formalize positions in the field of severe accident NPP robustness.

11:05 AMApplication of Regional Environmental Code HARP in the Field of Off-Site Consequence AssessmentR. Hofman and P. PechaInstitute of Information Theory and Automation of the ASCR, Prague 8, Czech Republic

The environmental code HARP (HAzardous Radioactivity Propagation) estimates con-sequences of accidental radioactivity releases from a nuclear facility and on basis of simulation of dispersion in atmosphere, deposition of radionuclides on the ground and further propagation through the food chains towards human body. Classical Gauss-ian approach in the form of hybrid puff-plume segmented model SGPM is introduced for simulation of pollution dissemination in the atmosphere. The ingestion pathway is modeled dynamically. The system architecture consists of the inner kernel designated for deterministic calculations and outer probabilistic shell, which ensures application of probabilistic approach in the consequence assessment. Propagation of uncertain-ties through the model towards the output values of interest is realized through the multiple recalling procedure of the inner kernel, which is optimized for such intensive Monte Carlo (MC) computations. The HARP code is primarily designed for application of advanced statistical data assimilation techniques based on sequential MC methods (SMCM) allowing an improvement of model predictions using real measurements in-coming from terrain. In this paper we shall demonstrate two additional specific applica-tions of the HARP code based on the repeated sampling. Firstly, a partial PSA-Level3 study of ecological risk assessment is accomplished taking into account variability of meteorological inputs represented by historical long sequences of archived values (for each hour in the years 2008 and 2009). Output radiological quantities are then processed statistically. Secondly, a long term release of radioactive material is simu-lated through the superposition of a large number of one-hour fractional release rates. The procedure is applied on annual radioactivity releases from a nuclear power plant (NPP) during its routine normal operation when each partial hourly release is driven by the real meteorology archived at that time.

11:30 AMAn Updated Economic Model for Level-3 PRA Consequence Analysis Using MACCS21Pierre Vanessa N. Vargas, Nathan E. Bixler, Alexander V. Outkin, Verne W. Loose, Prabuddha Sanyal, and Shirley StarksSandia National Laboratories, Albuquerque, NM

This paper presents the preliminary findings for updating the estimation of economic consequences in MACCS2. The objective of this effort is to include a more represen-tative set of costs in the MACCS2 economic model. The original model included the losses associated with evacuating and relocating the public, interdiction and decon-tamination, loss of use of property, loss of crops, and, potentially, permanent loss of property. The new economic model is intended to include those costs, but to extend them by capturing the effect of an accident on the gross domestic product (GDP) pro-duced in the affected area to create a more comprehensive picture of the economic impacts. The team determined the GDP reductions by using the REAcct analysis tool developed at Sandia National Laboratories. This paper outlines the motivation for the proposed improvements; the economic methodology used, including a description of the REAcct tool; and an implementation outline.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Salon B

Level II/III PSA - 2Session Chair: Glen Seeman

96

10:15 AMOutage PRA METHODOLOGY for Multi-Unit Candu Generat-ing StationsKrist Papadopoulos, Ben Hryciw and Steve Kaasalainen (a), Ian Beith (b), Rob McLean (c)a) AMEC NSS Ltd., Toronto, Ontario, Canada, b) Ontario Power Generation, Pickering, Ontario, Canada, c) Bruce Power, Tiverton, Ontario, Canada

A Level 1 Internal Events Outage Probabilistic Risk Assessment (PRA) methodol-ogy was developed by AMEC NSS Ltd. for multi-unit Canadian Deuterium Uranium (CANDU) nuclear generation stations. The methodology was developed in coopera-tion with utilities, Ontario Power Generation and Bruce Power, owners and operators of multi-unit CANDU stations in Ontario, Canada. The methodology provides a generic framework that examines the plant operating states (POSs) where one unit is shut-down and placed in a guaranteed shutdown state (GSS) for outage maintenance while at least one adjacent unit is operating. The POS, initiating event, event tree, fault tree, reliability data and human reliability analyses methodologies are defined with the aim of determining the risk of core damage resulting from internal events occurring at the outage unit while in GSS.The scope of the analysis is limited to internal events, e.g. process and human interac-tion related events, for the outage unit in GSS and the adjacent units. Events originat-ing in the adjacent units can be analyzed for their impact on the risk of core damage for the outage unit in GSS. The methodology is applicable to different CANDU designs and outage configurations, allowing each station to develop a comprehensive and detailed PRA for plant outage maintenance operation in GSS. This PRA can then be used to provide support for maintaining station Safety Goals, risk informed decision making and outage maintenance planning.This paper gives an overview of the methodology.

10:40 AMDominion Experience in Shutdown Risk AnalysisRoss C. Anderson (a), Robert W. Fosdick (b)a) Virginia Commonwealth University, Richmond, VA, b) R&B Nuclear LLC, Maidens, VA

Between 2004-2007, Dominion used a shutdown PRA model to support compliance with the requirements of 10 CFR 50.65(a)(4) at the Surry Power Station. Dominion did so in order to cultivate experience with shutdown PRA, and because the available, deterministic methods tended to be excessively conservative and limited in providing risk insights. At that time several risk profiles at the “sister” North Anna plant were also analyzed, with similar results.During this time, the Dominion staff observed that all refueling outages exhibited the same basic risk profile. There were only minor variations from one cycle to the next. A significant risk plateau occurred after the unit cooled below 200oF (Mode 5 in the Westinghouse Standard Technical Specification convention), until the refueling cavity was flooded for fuel offload. Afterward, risk dropped to an almost negligibly low level until restart.Shutdown risk was dominated by diversion LOCA events and, to a lesser extent, loss of RHR. Potential human error was significant because of the unavailability of auto-matic safety injection (SI).Another major insight from the analysis is that the majority of excess risk is incurred during the time between SI deactivation and cavity flood-up. (After the cavity is flood-ed, the long time to boil-off reduces the Core Damage Frequency by about an order of magnitude.) Risk could be reduced by decreasing the time until cavity flood occurs. However, Technical Specifications require a minimum of four days for decay heat re-duction before fuel may be moved. While TS compliance normally provides a measure of risk reduction, in this case, it added additional risk by delaying cavity flood.Previously, the site had used a deterministic method for shutdown risk assessment. In comparison, the deterministic method was extremely conservative, resulting in most of the outages being classified as “non-green” approximately three quarters of the time. As a result, the plant staff tended to be desensitized to “non-green” conditions during shutdown. Further, the assessment tended to mask the actual period of legitimately elevated risk. This “masking” can divert focus from the genuinely risk significant evolu-tions.It should also be noted that the NRC staff has reasonably commented, in informal dis-cussions, that they would be less likely to challenge a probabilistic shutdown analysis than a deterministic one.

11:05 AMTransition Risk Model for PWRZoulis, AU.S. Nuclear Regulatory Commission, Washington, DC

Low-Power and shutdown risk analyses, in addition to the at-power risk models, of commercial pressurized light-water reactors (PWRs) in the United States have been performed in the past. However, the risk associated with the transition between low-power and full power has been more challenging in terms of modeling and quantifica-tion. This paper documents the transitional risk model developed to quantify the risk associated with transitioning from lowpower to full-power operations of a 4-loop PWR commonly operated in the US as part of the US Nuclear Regulatory Commission’s (NRC) Significance Determination Process. Potential initiators for all modes were eval-uated while the plant transitions between different operational states. Through this ap-proach, each mode is divided into specific plant operating states to account for specific plant conditions, equipment availability, and plant response, which change as the tran-sition between full-power, low-power, and shutdown configurations occur. The analysis was performed using the Standardized Plant Analysis Risk (SPAR) Model used by the Nuclear Regulatory Commission (NRC), and developed and maintained by the Idaho National Laboratory (INL). The existing at-power SPAR model was modified to develop the transitional model used for this analysis. This paper presents the results observed as the core damage frequency changes as a function of the plant progression between the different operational modes from shutdown to fullpower conditions.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and AnalysisThursday March 17, 2011 - 10:15 AM - Carolina

Shutdown PSA - 2Session Chair: Jonathan Li

PSA 2011 Program/Proceedings CD-ROMAbout this CD-ROMThe material in this CD-ROM was published using Adobe© technology.Included on the CD-ROM are versions of Acrobat Reader for Microsoft© WindowsTM, Apple© MacintoshTM (Mac OS X), and Unix©

InstallationTo view files on this CD-ROM you must have Adobe Reader installed on your hard drive. Installation instructions can be found in the README.TXT file.

Getting StartedWindows users: Software included in this CD-ROM should automatically launch the proceedings. You can always start viewing the content by opening the Start.pdf file provided Adobe Reader has been installed on your hard drive.MacOS X and Unix users: To start open the Start.pdf file.

Copyright © 2011American Nuclear Society - ANS

Program Book, CD-ROM, WebSite, Online Paper Submission and Review, and Online Registration are services/products of Techno-Info Comprehensive Solutions.

http://techno-info.com

PSA 2011 Program

Azalea Camellia/Dogwood Magnolia Salon A Salon B Carolina

SUNDAY

1:00 pm-‐ 5:00 pm WORKSHOP Dynamic PSA Tunc Aldemir DeRosset

6:00-8:00 PM

MONDAY

7:00 – 8:00 AM8:00-9:45 AM

9:45-10:00 AM10:00-11:45 Digital I&C in PSA - 1 Next Generation Rx PSA - 1 Other External Events Fire PSA Methods - 1 PSA Knowledge Management - 1 Human Reliability Analysis - 1

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Carol Smidts Donald Helton Michael Golay Eric Jorgensen Nathan Siu Dave Gertman

11:45 - 1:30 PM1:30 - 3:15 PM Digital I&C in PSA - 2 Next Generation Rx PSA - 2 Configuration Risk Management -

1: Seismic PSA - 1 Safety Culture Flooding PSA - 1

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Sergio Guarro Karl Fleming Gerry Kindred Andrea Maioli David Johnson Ray Dremel

3:15 - 3:45 PM3:45 - 5:30 PM Passive Reliability - 1 Non-Reactor PSA - 1 Configuration Risk Management -

2Seismic PSA - 2 PSA Knowledge Management - 2 Flooding PSA - 2

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Enrico Zio Jim Young Tom Morgan Robert Budnitz Mike Lloyd Richard Turcotte

6:00 - 8:00 PM

TUESDAY

7:00 – 8:00 AM8:00-9:00 AM

9:00 - 9:50 AM Passive Reliability - 2 Non-Reactor PSA - 2 Configuration Risk Management - 3

Fire PSA Methods - 2 History of Nuclear PSA Human Reliability Analysis - 2

Session Chair: Session Chair: Session Chair: Session Chair: Session Chairs: Session Chair:William Burchill Paul Amico Ross Anderson Raymond H Gallucci Earl Page, Ian Wall Parviz Moieni

9:50-10:05 AM10:05-11:45 Dynamic PSA - 1 Next Generation Reactor PSA - 3 Generation Risk Assessment Fire PSA Methods - 3 PSA Knowledge Management - 3 Human Reliability Analysis - 3

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Bulent Alpay Matthew Warner James Liming Marina L Roewekamp Doug True Luca Podolfillini

11:45 - 1:30 PM1:30 - 3:15 PM Dynamic PSA - 2 Next Generation Rx PSA - 4 Grid Reliability Fire PSA Methods - 4 Risk-Informed Safety Margins Human Reliability Analysis - 4

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:Pierre-Etienne LABEAU Johnathan Li Shan Chien David N Miskiewicz Dominique Vasseur Gareth Parry

3:15 - 3:45 PM3:45 - 5:30 PM Dynamic PSA - 3 Risk-Informed Decision Making - 1 Fire PSA Methods - 5 Seismic PSA - 3 PSA Standards - 1 Fault Tree Initiating Events

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:Tunc Aldemir Stanley Levinson Robert Ladd Kohei Hisamochi Barry Sloane Mike Lloyd

6:30 - 9:00 PM

WEDNESDAY

Azalea Camellia/Dogwood Magnolia Salon A Salon B Carolina

7:00 – 8:00 AM8:00-9:00 AM

9:00 - 9:50 AM Dynamic PSA - 4 Risk-Informed Decision Making - 2 Proliferation Risk - 1 Fire PSA Methods - 6 Significance Determination Process Shutdown PSA - 1

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Martina Kloos Dana Kelly Bill Burchill Pedro Fernandez Greg Krueger Robert Budnitz

9:50-10:05 AM10:05-11:45 Advanced PSA Methods Risk-Informed Technical

SpecificationsSpace/Aircraft PSA Seismic PSA - 4 PSA Standards - 2 Panel - Joint EPRI/NRC-RES Fire

HRA GuidelinesSession Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:Jeff Riley Mike Snoderly Steve Farminham Andrea Maioli Jim Chapman Susan Cooper

11:45 - 1:30 PM1:30 - 3:15 PM Common Cause - 1 Risk-Informed Decision Making - 3 Panel: Next Generation Rx Risk

MetricsFire PSA Methods - 7 Panel: PRA Standards

Development, International Considerations

Uncertainty Analysis & Methods - 1

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Gareth Parry Marty Sattison Mohammad Modarres Richard M Wachowiak Rick Grantom M.Pourgol-Mohammad

3:15 - 3:45 PM3:45 - 5:30 PM Common Cause - 2 Risk-Informed Decision Making - 4 Proliferation Risk - 2 Panel: Fire PSA Improvements Computer Methods - 1 Uncertainty Analysis & Methods - 2

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:Jeanne-Marie Lanore Bob Lutz William Burchill Doug True Louis Chu Goran Hultqvist

THURSDAY

7:00 – 8:00 AM8:00-9:00 AM

Speakers: Robert Budnitz and Cheri Collins9:00 - 10:00 AM Computer Methods - 2 Aging in PSA - 1 Software Reliability Fire PSA Methods - 8 Level II/III PSA - 1 Uncertainty Analysis & Methods - 3

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Kyle Metzroth Karl Fleming Mike Yau Brandi T Weaver Paul Boneham Gabriel Georgescu

10:00 - 10:15 AM10:15-12:00 PSA Data Analysis Aging in PSA - 2 Risk Monitors Fire PSA Methods - 9 Level II/III PSA - 2 Shutdown PSA - 2

Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:Dana Kelly Hitoshi MUTA Tom Morgan Dennis Henneke Glen Seeman Jonathan Li

1:00 PM1:00 pm - 5:00 pm WORKSHOP Risk Phenomenology, TMI & Accident Management Insights Robert Henry Dudley

1:00 pm - 5:00 pm WORKSHOP Level 3 Consequence Evaluations - MACCS2 Nathan Bixler DeRosset

FRIDAY

8:00 am - 12:00 pmWORKSHOP Level 3 Consequence Evaluations - MACCS2 Nathan Bixler DeRosset

Continental Breakfast - Grand Concourse

John Kelly, DOE Deputy Assistant Secretary for Nuclear Energy

Global Nuclear Fuels Tour


Grand Ballroom Cape Fear Ballroom

Plenary Session IV

Coffee Break

Registration Starting at 7:00 next to the Grand Ballroom

Coffee Break

Student Awards Luncheon - Cape Fear Ballroom

Coffee Break

Plenary Session III

Plenary Session II

Coffee Break

George Apostolakis - US NRC Commissioner


Coffee Break

Banquet - Speaker Kevin Walsh

Plenary Session I


Coffee Break


Welcome Reception 6:00-8:00 - Grand Ballroom



Ed Halpin, CEO STPNOC

Lunch Break

Grand Ballroom Cape Fear Ballroom

Coffee Break

NETWORKING RECEPTION - Grand Concourse

Lunch Break
