In conventional probabilistic safety assessment (PSA), a conservative approach was used to estimate the success criteria time windows of operator actions. The current PSA standard recommends the use of best-estimate codes. The purpose of the study was to estimate the operator action success criteria time windows, needed for updated human reliability analysis (HRA), in scenarios in which the human actions supplement safety system actuations. For the calculations the RELAP5/MOD3.3 best-estimate thermal-hydraulic computer code and the qualified RELAP5 input model representing a two-loop pressurized water reactor, Westinghouse type, were used. The results of the deterministic safety analysis were examined to determine the latest time at which the operator action can be performed while still satisfying the safety criteria. The results showed that uncertainty analysis of realistic calculations is in general not needed for human reliability analysis when additional time is available and/or the event is not a significant contributor to the risk.

1. Introduction

The experience accumulated in the last few decades has shown that human factors play a significant role in the risk of system failures and accidents, throughout the life cycle of a system. This explains the significant focus on human reliability analysis (HRA) and on its full integration within systematic risk analysis and reliability assessment procedures [1]. A major problem in meeting this growing importance of HRA is the lack of empirical plant-specific data needed for assessment of human reliability. In general, there are several information requirements for HRA, including the available time for diagnosis and correct execution of tasks, steps, and actions (i.e., the time window for action) [2]. This information comes from the deterministic analysis.

The time window for human action actually represents the success criteria for the action. It represents the time interval in which operators have to perform the action in order that the plant is put in a safer state, that is, the plant is put into a scenario that leads to a safe state and not to an accident state.

To estimate the time windows for operator actions, the results of fast-running severe accident codes such as the MAAP code have been used in the conventional probabilistic safety assessment (PSA). However, information from these is often too conservative to perform a realistic PSA for a risk-informed application [3]. In recent years a few comparative studies were performed to justify the use of MAAP4 for the PSA Level 1 analysis of advanced reactors [4, 5]. In the comparison between MAAP4.07 and S-RELAP5 for the U.S. EPR reactor [4], MAAP4 has demonstrated that it is a rather good simulator of nuclear plant transient trends. However, MAAP4’s prediction of clad temperature magnitude is not sufficiently accurate to accept without compensation. For example, shortly after steam generator dryout MAAP4 predicted a much larger core heatup than S-RELAP5. Also, there are certain nuclear plant scenarios for which MAAP4 is clearly not applicable, such as the early transient of a large-break LOCA (at break sizes beyond the area of the largest attached pipe). In the study for APR1400 (Advanced Power Reactor) [5], a comparison between MAAP4.03 and RELAP5/MOD3.2.2 was done for a large break loss-of-coolant accident (LOCA). It was concluded that for a more mechanistic simulation of the initial stage of the LOCA using MAAP4.03, more detailed calculations of the primary system are required. Namely, for the break flow and the emergency core cooling flow rates, MAAP4.03 predicted considerably higher values in the initial stage than RELAP5/MOD3.2.2. As a consequence, the two codes predicted different sequences for essentially the same initiating condition.

To reduce the undue conservatism, the use of best-estimate thermal hydraulic code has become an essential issue in the latest PSA. An example is the use of MARS code for small break LOCA calculations of Korea standard nuclear power plant [3] and the use of RELAP5/MOD3.2 code for LOCA calculations of RBMK-1500 [6]. Also the PSA standard [7] recommends the use of best-estimate code to improve the quality of a PSA. Severe accident codes are needed for simulation of phases with core damage [8].

Therefore, for the updated human reliability analysis the RELAP5/MOD3.3 best-estimate computer code [9] was used. The specified time windows are important for HRA to determine the likelihood of operator actions. The human error probability of a certain action is lower if operators have more time available. In the control room of a nuclear power plant there is a team of operators, which is supervised by a shift supervisor. If operators, for example, have 10 or more minutes of additional time for action, it can be expected that colleagues or the shift supervisor can observe and correct a possible error of their colleague [10]. Consideration of recovery results in a lower human error probability and may change the impact of human error on the overall probabilistic safety assessment results. The actual times needed for performing the action were assessed based on real simulator scenarios [11], while the determination of the time windows is the aim of this study. Calculations were performed for the scenarios in which human actions supplement safety system actuations by establishing auxiliary feedwater in case of small or medium loss of coolant accident (LOCA), establishing auxiliary feedwater in case of transients, and manual actuation of the safety injection (SI) signal at LOCA. For the calculations the qualified RELAP5 input model representing a two-loop pressurized water reactor, Westinghouse type, was used [12].

2. Deterministic Analysis Methodology Description

The realistic code calculations were performed by RELAP5/MOD3.3 Patch 03 thermal hydraulic computer code [9]. The parameters selected were best-estimate values. No conservative assumptions were taken into account such as single failure criterion. The systems performance was in accordance with the assumptions specified for scenarios. The core damage criteria used for determination of time windows are described first. Then the input model for the RELAP5 is described. Finally, each scenario is briefly described.

2.1. Description of General Core Damage Criterion

The typical core cooling success criteria for a Westinghouse-type PWR as defined in [13] were used. These criteria are defined in terms of the average fuel/clad temperature instead of the hot rod fuel/clad temperature, considering also the period of high temperature. It is assumed that if the hottest core fuel/clad node temperature in the reactor core exceeds 923 K for more than 30 minutes, or if the temperature exceeds 1348 K, core damage may occur, which may lead to an accident state. Based on the core damage criteria the time windows were determined. Sensitivity studies were performed in which the timing of the human action was varied to determine the latest time at which operators have to perform the needed action so that the main plant parameters do not exceed their limits.
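The criterion and the sensitivity study can be expressed as a check over calculated cladding temperature traces. The following Python sketch is an added illustration, not code from the study. It assumes the 30 minutes above 923 K are counted as one continuous excursion, that traces are piecewise linear between samples, and that uncertainty is represented by a uniform temperature bias. The function names and the sample traces are constructed for the example and are not RELAP5 results.

```python
"""Added illustration of the Section 2.1 criterion (not the study's code)."""

T_SUSTAINED_K = 923.0       # sustained-temperature threshold from Section 2.1
SUSTAINED_LIMIT_S = 30 * 60  # "more than 30 minutes"
T_PEAK_K = 1348.0            # immediate threshold from Section 2.1


def _cross(t0, y0, t1, y1, level):
    """Linearly interpolated time at which the segment reaches `level`."""
    return t0 + (level - y0) * (t1 - t0) / (y1 - y0)


def core_damage_time(trace, bias_k=0.0):
    """Return the time (s) at which the criterion is first met, or None.

    trace  : list of (time_s, temperature_K) samples sorted by time.
    bias_k : uniform temperature shift, an assumed stand-in for uncertainty.
    Assumption: the 923 K excursion must be continuous to count.
    """
    pts = [(t, y + bias_k) for t, y in trace]
    t0, y0 = pts[0]
    if y0 > T_PEAK_K:
        return t0
    above_since = t0 if y0 > T_SUSTAINED_K else None
    for t1, y1 in pts[1:]:
        candidates = []
        if y0 <= T_PEAK_K < y1:                      # upward crossing of 1348 K
            candidates.append(_cross(t0, y0, t1, y1, T_PEAK_K))
        if above_since is None and y0 <= T_SUSTAINED_K < y1:
            above_since = _cross(t0, y0, t1, y1, T_SUSTAINED_K)
        if above_since is not None:
            # End of the part of this segment that lies above 923 K.
            end = t1 if y1 > T_SUSTAINED_K else _cross(t0, y0, t1, y1, T_SUSTAINED_K)
            if end - above_since > SUSTAINED_LIMIT_S:
                candidates.append(above_since + SUSTAINED_LIMIT_S)
            if y1 <= T_SUSTAINED_K:
                above_since = None                    # excursion ended
        if candidates:
            return min(candidates)
        t0, y0 = t1, y1
    return None


def latest_successful_delay(runs, bias_k=0.0):
    """Largest action delay for which it and all shorter delays stay within
    the criterion. `runs` maps delay (minutes) to a temperature trace."""
    latest = None
    for delay in sorted(runs):
        if core_damage_time(runs[delay], bias_k) is not None:
            break
        latest = delay
    return latest


# Constructed traces (time s, temperature K), keyed by action delay in minutes.
RUNS = {
    20: [(0, 560.0), (1200, 600.0), (1500, 700.0), (1800, 580.0), (6000, 450.0)],
    30: [(0, 560.0), (1500, 600.0), (2100, 1200.0), (2400, 800.0), (6000, 450.0)],
    40: [(0, 560.0), (1500, 600.0), (2400, 1400.0), (2700, 900.0), (6000, 450.0)],
}
# Constructed trace that never reaches 1348 K but stays above 923 K too long.
SUSTAINED = [(0, 560.0), (1000, 900.0), (1200, 1000.0), (4000, 1000.0), (4200, 700.0)]

if __name__ == "__main__":
    print("nominal time window (min):", latest_successful_delay(RUNS))
    print("with +200 K bias (min):   ", latest_successful_delay(RUNS, bias_k=200.0))
    print("sustained case met at (s):", core_damage_time(SUSTAINED))
```

With the constructed traces, the 30 minute case passes on nominal values but fails once the bias is applied, which is the situation in which a conservatively shortened time window is selected.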

2.2. RELAP5 Input Model Description

To perform this analysis, Krško nuclear power plant (NPP) has provided the base RELAP5 input model, so-called “Master input deck,” which has been used for several analyses, including reference calculations for Krško full scope simulator verification [12, 14]. A full two-loop plant input model has been used for the analysis. It includes the new Siemens-Framatome (now Areva) replacement steam generators type SG 72 W/D4-2. The model consists of 469 control volumes, 497 junctions, and 378 heat structures with 2107 radial mesh points. Besides, 574 control variables and 405 logical conditions (trips) represent the instrumentation, regulation isolation, safety injection (SI) and auxiliary feedwater (AFW) triggering logic, steamline isolation, and so on. Secondary side is modelled up to the turbine.

Figure 1 shows the animation mask of the RELAP5 input model. The animation mask was created with the Symbolic Nuclear Analysis Package (SNAP) [15]. Important components are modelled, such as the reactor vessel (RV), pressurizer surge line (SL), pressurizer (PRZ) vessel, pressurizer spray lines and spray valves, pressurizer power operated relief valves (PORVs), and safety valves. Primary piping includes the hot leg (HL), the primary side of the steam generator with inlet and outlet plenum, between which a single pipe represents the U-tube bundle, the intermediate leg (IL), and the cold leg (CL) with reactor coolant pump (RCP). Loops are symmetrical except for the pressurizer surge line and the chemical and volume control system connections layout (charging and letdown). The emergency core cooling system (ECCS) is modelled with the high pressure injection system (HPIS), accumulators, and low pressure injection system (LPIS).

The parts of the steam generator secondary side are represented by the riser, separator and separator pool, downcomer, and steam dome. Each loop of the main steamline has a main steam isolation valve (MSIV), five SG safety valves, and one SG PORV. Turbine valve and steam dump (SD) flow are regulated by corresponding logic. Main feedwater (MFW) piping is modelled up to the MFW pump, which is modelled as a time dependent junction. Auxiliary feedwater (AFW) piping is modelled from the pumps, which are modelled as time dependent junctions. The AFW system injects above the SG riser.

Besides the model layout, Figure 1 shows the initial conditions of the main plant parameters at full power, the status of the pumps and valves, and how the systems are filled. Green colour means an operating pump or open valve, while red colour means a stopped pump or closed valve. In addition, the void fraction is shown across the primary and secondary systems. Blue colour represents fluid, white colour represents steam, while the colours in between represent a two-phase mixture.

2.3. Scenarios Description

Three scenarios are described, which were needed for the updated human reliability analysis. In these scenarios the human actions supplement safety system actuations. In the first scenario the human action was establishing AFW in case of small or medium LOCA, assuming that the high pressure safety injection (HPSI) system fails. In the second scenario the human action was establishing AFW in case of a loss of feedwater (LOFW) transient. In the third scenario the human action was actuation of the SI signal for the most limiting accident (excluding large break LOCA), that is, small and medium LOCA. For each scenario the success criteria as defined in the original HRA analysis are described, while the acceptance criteria are the core damage criteria described in Section 2.1. Success criteria establish the minimum number or combinations of systems required to operate, during a specified period of time, to ensure that the critical safety functions are met within the limits of the acceptance criteria.

In the case of small or medium LOCA in a nuclear power plant with the assumption that the HPSI system fails, one of the means to cool the reactor is through secondary side depressurization, provided that the AFW system is operating. Normally, the AFW system is automatically put into operation when main feedwater is lost. If the AFW pumps do not start automatically, operators should intervene. The success criterion requires operation of one of three AFW pumps to maintain the flow in order to depressurize the primary system below the accumulator injection setpoint at 4.9 MPa, and secondary steam relief via one SG PORV. Besides passive accumulators it was assumed that low pressure safety injection (LPSI) is available too. The parameter to indicate depressurization was primary pressure and the parameter to indicate core cooling was the average rod cladding temperature of the hottest node. As larger breaks depressurize through the break below the accumulator injection setpoint pressure after some time in any case, AFW is not needed for their depressurization. Therefore the analysis was performed for a spectrum of break sizes from 1.27 cm (0.5 inch) to 15.24 cm (6 inch) to determine for which break sizes the operation of one AFW pump is needed. For these break sizes the time available to start AFW was determined based on a parametric study varying the delay of AFW start. The break was located in the cold leg between the reactor coolant pump and the reactor vessel (see Figure 1).

The most limiting transient requiring operation of AFW is LOFW. The success criterion is that capacity of one train of AFW is adequate to remove the decay heat, to prevent overpressurization of primary system, and to prevent uncovering of the core resulting in core heatup. Success for AFW start also assumes adequate steam relieving capability. The time when the operator succeeds to start AFW pump was varied. When the AFW pump started to inject into the secondary side, cooling of the secondary side caused the pressurizer pressure to drop below the pressurizer PORV closure setpoint and then below the maximum pressure capacity of HPSI pump. The HPSI injection efficiently prevents further core uncovery.

The third considered scenario was LOCA without automatic SI signal actuation. This means that none of the safety systems, including the HPSI system, LPSI system, and AFW system, was assumed available. The whole spectrum of LOCAs from 1.91 cm (0.75”) to 15.24 cm (case 6”) equivalent diameter break size was evaluated. For the most critical break regarding the time available to the operator, the manual SI signal was simulated at the time the core started to heat up and at the time the core average temperature approaches the core average temperature criterion.

3. Results

In the next three subsections the results for the selected scenarios are shown, based on which the time windows for operator actions were determined. Figures 1 through 7 show the most important variables for understanding the scenario progression. The time available to perform the operator action was determined from the average core cladding temperature. Finally, the obtained time windows were compared to the actual times needed for performing the actions, which were assessed based on real simulator scenarios [11].

3.1. LOCA Calculations with Manual Actuation of AFW

The spectrum of break sizes was analyzed. For the most limiting break regarding time available it was shown that operation of AFW is not enough if not supported by manual opening of steam generator (SG) power operated relief valve (PORV). These two actions were assumed to be performed with the same time delay. The results for a spectrum of break sizes are shown in Table 1 and Figure 2.

Table 1 shows the sequence of main events. After break occurrence the reactor trips on low pressurizer pressure, followed by turbine trip. The SI signal is actuated on low-low pressurizer signal, which causes main feedwater isolation and the start of LPSI pumps with 10 seconds delay. Next, the reactor coolant pumps are tripped by the operator on the subcooling criterion. After turbine trip and steam dump closure the SG pressure started to increase, resulting in discharge of the SG mass.

From Table 1 and Figure 2(a) it can be seen that 5.08 cm (2 inch) and larger breaks depressurize (through the break) below the accumulator injection setpoint pressure at 4.9 MPa after some time in any case, and therefore AFW is not needed for depressurization. When the accumulators are emptied, after some time the primary pressure drops below the LPSI pumps shutoff head. On the other hand, breaks of 2.54 cm (1 inch) equivalent diameter and smaller need depressurization. As reactor coolant system (RCS) mass depletion (see Figure 2(c)) and core heatup (see Figure 2(b)) occur earlier for the 2.54 cm (1 inch) break than for the 1.91 cm (0.75 inch) and 1.27 cm (0.5 inch) breaks, the 2.54 cm break was identified as the most critical regarding the time available to start AFW. Figure 2(d) shows that for the 2.54 cm break (and smaller), the steam generators start to dry out as their inventory is lost through the SG PORVs, which caused core heatup. This can be seen from Figures 2(e) and 2(f) for SG pressure and SG PORV flow for steamline no. 1, respectively. The situation is similar in steamline no. 2. In the case of the 15.24 cm break, LPSI pump injection removes decay heat through the break. This cooling is sufficient to cool the secondary side, as can be seen from the SG no. 1 pressure shown in Figure 2(e).

To establish the depressurization by cooling through the secondary side, one AFW is needed. However, as shown in Figure 3(a), just by operating AFW and automatic SG PORV operation the RCS pressure could not be depressurized and the core heated up (see Figure 3(b)). The reason is that the SG PORV is cycling. Once SG is filled to normal level, the AFW injected intermittently following cycling of the PORVs. Depressurization could be efficiently achieved by manual full opening of SG PORV providing that SG level is maintained above the minimum level by AFW.

As can be seen from Table 2 six cases were analyzed for the selected 2.54 cm break size. Case A was analyzed in order to determine how long cooling can be done with available SG inventory. In the cases B to F different delays of manual AFW start and full PORV opening were analysed.

Table 3 shows the time sequence of main events. Scenario A is different from scenarios B to F, as it was performed with the intention to see how long it takes the SG to dry out with the SG PORV assumed open. Due to the opened SG no. 1 PORV both steam generators were emptying until steamline isolation. Later each steam generator was discharging its inventory through its PORV. In the case of SG no. 2 the PORV was cycling. Due to secondary cooling the primary pressure dropped below the accumulator injection setpoint. The accumulator emptied in approximately 1100 seconds. Later no cooling is available, leading to core heatup. The results for scenario A showed that SG no. 1 dries out in approximately 40 minutes. In scenarios B to F the time available to the operators was determined. Until AFW no. 1 is started both SG PORVs cycled. After full opening of the SG no. 1 PORV, the SG no. 2 PORV remains closed. It is important to note that it takes approximately 5 to 10 minutes for the secondary cooling to reduce the pressure below the accumulator injection setpoint.

Figure 4(a) shows that RCS depressurization with SG no. 1 PORV fully open is efficient in preventing the core heatup (see Figure 4(b)), when delay of AFW pump start is not too large. Following the AFW pump no. 1 injection the RCS pressure depressurized below the accumulator injection setpoint and the RCS system started to fill as shown in Figure 4(c). Case A was analyzed in order to see how long inventory in SG is available for cooling through fully open SG PORV. The SG is emptied in 40 minutes and core started to heat up 25 minutes after SG is emptied. In another 20 minutes the core temperature exceeds the criterion. From Figure 4(d) it can be seen that for cases B to D the SG no. 1 level is dropping approximately linearly and that cooling is sufficient, because the SG is not completely emptied. In cases A, E, and F both SGs emptied below the minimum needed level for cooling and the core heatup was therefore unavoidable. The SG pressure is shown in Figure 4(e) and SG PORV discharge in Figure 4(f). From Figure 4(f) it can be seen that after full SG no. 1 PORV opening the mass discharge rate initially increased and later stabilized when the pressure drops to stable value. It should be also noted that both steam generators emptied through SG no. 1 PORV until main steamline isolation. Main steamline isolation resulted from low steamline pressure after full SG no. 1 PORV opening.

From case E it can be seen that if operator actions are performed immediately after SGs emptying the further heat up could still be prevented. Based on the set criteria 100 minutes are available to the operators.

3.2. LOFW Calculations with Manual Actuation of AFW

Delays of AFW pump start from 30 minutes to 70 minutes were simulated to determine the time window for manual AFW start. Table 4 shows the sequence of main events. The reactor trips on low SG level, followed by turbine trip. The SI signal is generated on low steamline pressure, which also actuates main steamline isolation. The RCPs were tripped manually by the operator on the subcooling criterion. At the time when one AFW pump started to inject into the secondary side, cooling of the secondary side caused the pressurizer pressure to drop below the pressurizer PORV closure setpoint and then below the maximum pressure capacity of the HPSI pump (see Figure 5(a)). The closure of the pressurizer PORV and coolant injection into the primary system resulted in recovery of the RCS inventory as shown in Figure 5(c) and quenching of the core as shown in Figure 5(b). From Figure 5(c) it can be seen that the RCS mass depletion depends mainly on the delay of AFW pump start. The parametric analysis showed that the core significantly heats up when the start of the AFW pump is delayed for 60 minutes or more. The case with the start of the AFW pump delayed for 50 minutes causes a small core heatup, and with a delay of 60 minutes the core temperature is still below the criterion of 1348 K for core damage, while in the case with a delay of 70 minutes this value is exceeded. Figure 5(d) shows the steam generator no. 1 wide range level. As already mentioned, the start of AFW caused filling of steam generator no. 1 and RCS system depressurization. Initial filling of the steam generator is slower due to SG PORV discharge. As the HPSI pump is also injecting, the SG PORV cooling is not needed until SI is terminated. SI termination can be done as the primary system is refilled and there is no break on the primary side. After SI termination the secondary pressure started to increase again (see Figure 5(e)) until the SG PORV setpoint is reached, causing further steam release as shown in Figure 5(f).

3.3. LOCA Calculations with Manual Actuation of SI

The sequence of events for the LOCA spectrum calculations is shown in Table 5. The only safety system operating was the passive accumulators. For 5.08 cm and larger breaks they emptied in the calculated time interval of 10 000 seconds. The results for RCS pressure and core cladding temperature are shown in Figure 6. At breaks smaller than 5.08 cm the RCS was not sufficiently depressurized, as shown in Figure 6(a), to enable accumulator injection, while larger breaks depressurize the RCS. Figure 6(b) shows that the temperature criterion of 1348 K is first exceeded for the 15.24 cm break (case 6”), then for the 10.16 cm break (case 4”), 7.62 cm (case 3”), 1.91 cm (case 0.75”), and last for 5.08 cm (case 2”). The reason is that for the 5.08 cm break the accumulators were sufficient to cool the core until they emptied. At breaks larger than 5.08 cm the core starts to significantly heat up after the accumulators emptied. In general it can be concluded that the larger the break, the faster the core uncovery. From the point of view of operator action the 15.24 cm break size calculation is therefore limiting.

Table 6 shows for 5.08 cm and 15.24 cm break size the times of emergency core coolant injections. Passive accumulators injected in all cases, while HPSI and LPSI pumps injected after manual SI signal was actuated and the primary pressure was below the shutoff pressure of the injection pumps. For 15.24 cm break size the pressure is sufficiently low to allow injection of both HPSI and LPSI pumps once SI signal is manually actuated. In the case of 5.08 cm break size only HPSI pumps started to inject at the time of SI signal actuation. For both break sizes the injection is sufficient to terminate the core heatup as shown in Figure 7. It can also be seen that when delay of SI signal actuation is 20 minutes, there is negligible core heatup, while in the case of 30 minutes delay of SI signal actuation the criterion is not exceeded, but consideration of uncertainties could cause the criterion to be exceeded. Therefore 20 minutes time window was conservatively selected as time available to the operators.

3.4. Results Discussion

The times needed for performing operator actions were determined based on the simulator experience [11]. For starting the AFW the operator needs from 1 to 10 minutes, while for SI signal actuation 2 minutes are needed. When the time window is large, much additional time is available and there is no need to determine the time window very accurately, even if the human factor event is an important contributor to the risk. For example, the time needed to start the SI signal is 2 minutes and there are an additional 18 minutes to perform this action. Considering typical uncertainties in the peak cladding temperatures of 200 K based on the previous uncertainty evaluations [16] and the adiabatic heatup rate for the 15.24 cm break, the criterion would be reached 3 minutes earlier. Equally important is the time uncertainty of reaching the maximum temperature, which is approximately 2 minutes according to [17]. The additional time considering uncertainties is still sufficient.

In the case of small and medium break LOCAs with the assumption that HPSI is not available, depressurization is needed for breaks smaller than 5.08 cm. The 5.08 cm break is limiting, as for this and larger breaks the RCS depressurizes by itself. However, when the pressure drops below the accumulator injection setpoint, the core is already heated up for the 5.08 cm break. Considering the typical cladding temperature uncertainty of the best-estimate calculation to be 200 K [16], the criterion of 1348 K could be exceeded. The recovery action would be questionable because of the short time window. The uncertainty analysis was not needed, as the contribution of this event to the plant risk is insignificant.

On the other hand, establishing AFW at the LOFW event is a significant contributor to the risk, but the calculated time window gives sufficient additional time, even if a conservative time window is considered in the human reliability analysis.

For the case of LOCA with delayed SI signal actuation it was shown that the additional time available is sufficient; therefore uncertainty analysis is not needed in spite of the fact that the event is a significant contributor to the risk.

All these examples showed that uncertainty analysis was not needed, as additional time was available and/or the event was not a significant contributor to the risk. Whether the event is a significant contributor to the risk is answered by the PSA. Based on this it can be concluded that uncertainty analysis may be valuable only for significant risk contributors, when the additional available time is small. For the cases needed for the updated human reliability analysis it was demonstrated that the PSA reduces the number of uncertainty analyses, so there was no case requiring uncertainty analysis. If an uncertainty analysis were needed, the same approach could be followed as for licensing LOCA calculations, for example, [18]. On the other hand, the authors in [19] are of the opinion that the uncertainty is a less important issue for the treatment of an operator’s action in a thermal hydraulic simulation and that a better approach is to estimate the time window conservatively. Nevertheless, such a statement could be used only when the additional available time is sufficient to take conservatism into account.

4. Conclusions

The operator action success criteria time windows were estimated using the RELAP5/MOD3.3 Patch 03 thermal-hydraulic computer code for the updated human reliability analysis. For the three selected cases the results of the deterministic safety analysis were examined to determine how late after the required human intervention the operator can perform the action so that the safety criteria are not exceeded. This gives the time available for the operator to act. The results of the deterministic analyses showed that in some cases the treatment of uncertainty for variables compared with the safety criterion could significantly change the time window. However, based on the information from the PSA regarding the contribution to the risk, uncertainty analysis was not needed, which greatly supports the use of best-estimate codes for probabilistic safety assessment. It can be concluded that uncertainty evaluation of realistic safety analysis may be needed only when there is little time for the recovery action and the affected human factor event is an important contributor to risk.


The authors acknowledge the financial support from the state budget by the Slovenian Research Agency Program no. P2-0026 and the financial support from Slovenian Nuclear Safety Administration and Krško NPP by Project no. POG-3473. The RELAP5/MOD3.3 Krško NPP base input model is courtesy of Krško NPP.