Integrated Deterministic and Probabilistic Safety Analysis for Safety Assessment of Nuclear Power PlantsView this Special Issue
Delayed Station Blackout Event and Nuclear Safety
The loss of off-site power (LOOP) event occurs when all electrical power to the nuclear power plant from the power grid is lost. Complete failure of both off-site and on-site alternating current (AC) power sources is referred to as a station blackout (SBO). Combined LOOP and SBO events are analyzed in this paper. The analysis is done for different time delays between the LOOP and SBO events. Deterministic safety analysis is utilized for the assessment of the plant parameters for different time delays of the SBO event. Obtained plant parameters are used for the assessment of the probabilities of the functional events in the SBO event tree. The results show that the time delay of the SBO after the LOOP leads to a decrease of the core damage frequency (CDF) from the SBO event tree. The reduction of the CDF depends on the time delay of the SBO after the LOOP event. The results show the importance of the safety systems to operate after the plant shutdown when the decay heat is large. Small changes of the basic events importance measures are identified with the introduction of the delay of the SBO event.
The main purpose of the nuclear safety is to prevent the release of radioactive materials formed in the fuel and to ensure that the operation of nuclear power plants (NPP) does not contribute significantly to individual and societal health risk . The nuclear safety is assured in all situations with the provision of the basic safety functions: control of reactivity, removal of decay heat to the ultimate heat sink, and confinement of radioactive materials . The systems, structures, and components providing the basic safety functions shall be protected from hazards that may threaten their integrity and intended function. A set of design criteria are defined and required for the protection of the safety functions  in all situations.
The currently operating nuclear power plants have reliable active safety systems realizing the basic safety functions. The electrical energy is necessary for powering and controlling the active safety systems. Both off-site and on-site power systems shall be provided, each independent of the other and capable of providing power for all safety functions . The NPP should be designed to sustain a complete loss of off-site power and a single failure within the on-site power system. The complete loss of off-site power is designated as loss of off-site power (LOOP). The NPP has multiple (at least two) redundant sources of alternate electrical power that are normally emergency diesel generators. These sources of alternate electrical power start automatically after LOOP event and deliver power to the corresponding safety systems. The failure of the emergency diesel generators, concurrent with loss of off-site power, is named station blackout event (SBO). During the SBO the batteries with limited capacity provide electrical power to the essential NPP instrumentation and control systems . The station blackout coping time considered in the design is plant specific and depends on multiple factors .
The common-cause failures of all on-site and off-site electric power sources resulting from naturally occurring external events, such as earthquakes and flooding, are not considered in the design of the current plants . Failure to restore electrical power within the station blackout coping time is named extended SBO and results in the loss of all instrumentation and control and ultimately in core damage .
The Tohoku-Taiheiyou-Oki Earthquake, which occurred near the east coast of Honshu, Japan , resulted in the power grid failure and consequential LOOP at the six units of the Fukushima Daiichi NPP. The subsequent tsunami caused, due to the flooding, significant damage to the on-site distribution system to at least four of the six units of the Fukushima Daiichi NPP . Following the loss of electric power to normal and emergency core cooling systems and the subsequent failure of back-up decay heat removal systems, water injection into the cores of all three reactors was compromised resulting in core damage . The batteries of Unit 1 and Unit 2 were available for one hour until arrival of tsunami and their submerge . The batteries of Unit 3 were available and provided power for at least 35 hours after the tsunami, resulting in operation of the safety cooling system.
The standard PSA is analysing LOOP and SBO as two separate and independent events. The LOOP event followed by SBO after certain delay is not analysed in the standard PSA.
This paper analyses combined LOOP and SBO events for four assumed time delay intervals. The NPP parameters are assessed with deterministic safety analyses.
The description of the NPP model in deterministic safety analyses and developed case scenarios are given in Section 2.1. The description of the PSA model is given in Section 2.2. The implications of the delay on the functional events in the SBO event tree are also discussed in Section 2.2. The main results of the deterministic safety analyses utilized as input to PSA are given in Section 3.1. Obtained PSA results are given in Section 3.2. Main conclusions of the study are presented in Section 4.
2. NPP Models
2.1. Reference Deterministic Model
The RELAP5 input model of the pressurized water reactor (PWR) nuclear power plant is used for the assessment of the nuclear power plant parameters. The RELAP5 input model of an operational two-loop PWR plant is described in detail in studies [5, 12].
The following scenarios with or without reactor coolant pumps (RCP) seal leakage and with or without available turbine driven auxiliary feedwater system (TD AFWS) and pressurizer power operated relief valve (PRZ PORV) stuck open are developed and analysed:(i)SBOS0-SBO with RCPs, seal loss of coolant accident (LOCA) and TD AFWS operational for 0 h;(ii)SBONP-SBO without RCPs, seal LOCA and TD AFWS operational and PRZ PORV stuck open after first opening;(iii)SBOS4-SBO with RCPs, seal LOCA and TD AFWS operational for 4 h.
The modelled NPP has station blackout coping time of 4 hours equal to the TD AFW operational time.
The case scenarios are modified with the consideration of the SBO delay of 15, 30, 60, and 75 minutes following the LOOP. Motor driven AFW pump and instrumentation and control are assumed to be operational for the delay interval in the analysed case scenarios resulting from the availability of alternate current from the emergency diesel generators. Operation of the motor driven AFW pumps results in the injection of water in steam generators after the reactor scram when the decay heat is the largest. This results in the delay of core damage and extension of the available time for restoration of electrical power during station blackout.
The only operator action assumed in the deterministic model is that the steam generator narrow range level is maintained at around 69%.
Obtained results from the analysed scenarios are used as input to the PSA model.
2.2. Reference Probabilistic Model
The reference PSA model has 18 event trees, 171 fault trees, and 581 basic events. The CDF is assessed for internal initiating events during the power operation.
The SBO event is modelled in separate event tree given in Figure 1. The SBO event tree, as shown in Figure 1, contains all functional events of a representative SBO event tree for the Westinghouse PWR [5, 14].
The plant coping features successfully mitigate most of such events. Therefore a fraction of the SBO events will lead to the core damage. Feed and bleed is not included in the SBO event tree because pumps available for the feed function require alternate current (AC) power. During the SBO conditions, only the AFW turbine driven pump (TDP) is available for core cooling on the secondary side over the steam generators. Reactor coolant pumps are equipped with staged shaft seals which are provided with cooling system designed to maintain seal integrity. Cooling system is not available during the SBO event resulting in exposure of seals materials to elevated reactor coolant system (RCS) temperatures. Increased temperature result in degradation of the seals materials and increased leakage rate. The sequences in the SBO event tree ending with “CD” contribute to the SBO CDF. The functional events that are affected by the delay of the SBO following the LOOP are marked with red squares in Figure 1.
The SBO event is the first event in the SBO event tree. The frequency of this event is termed the SBO frequency. The SBO frequency is assessed as top event in the SBO fault tree given in Figure 2. The station blackout fault tree, as shown in Figure 2, considers failure of both emergency diesel generators (EDGs) to start and operate, the maintenance unavailability, and failure of the associated circuit breakers. The common-cause failure of both EDGs is considered in addition to the individual EDG failures.
The second functional event NRAC-SGDR in the station blackout event tree corresponds to the restoration of AC power to the plant safety busses before the drying of the coolant on the secondary side of the steam generators (SG). The results of the deterministic analysis for scenarios SBOS0 in Figure 4 show the available time before the SG number 1 is emptied because of drying (i.e., drying time). For SG number 2 the drying times are similar. Figure 4 shows that introduction of the delay between the LOOP and SBO results in a large increase of the SG drying time.
The third functional event RCI-SBO in the SBO event tree corresponds to the preserving of the RCS inventory until AC power is restored. The failure to reclose the pressurizer power operated relief valves (PORV) results in LOCA.
The fourth functional event SGI-SBO represents the secondary side integrity functional event. In the reference PSA model it is assumed that the steam generator atmospheric relief valves will be inoperable during the station blackout due to the unavailability of control power. The steam relief will be through the safety valves. The safety valves failure to reclose results in uncontrolled depressurization jeopardizing the steam generators integrity.
The fifth functional event AFW-SBO is the top event of a fault tree corresponding to the AFW failure. The input to this functional event is the fault tree representing the AFW failure considering multiple failures of the AFW system.
The sixth functional event NRAC-PRZBV corresponds to the restoration of AC power to the plant safety busses and isolation by the pressurizer block valve before start of the core heatup. The available time before the core heatup for this functional event is obtained from scenario SBONP with results given in Figure 6.
The seventh functional event DEP-SBO corresponds to the operator initiated cooling and depressurization of the reactor coolant system during a long-term station blackout.
The eighth functional event SLOCA-NR-ST corresponds to the RCP seal LOCA.
The last two functional events NRAC-OFFSITE and NRAC-ONSITE correspond to the restoration of AC power to the plant safety busses from off-site and on-site power sources before start of the core heatup. The available time for restoration of AC power is assessed from the results of the SBOS4 case scenarios given in Figure 8.
Table 1 shows the probabilities of nonrecovery of AC power within the restoration time in reference PSA model. The available restoration time for analyzed case scenarios is assessed from the results of the deterministic analyses presented in Section 3.1.
Probabilities of nonrecovery of AC power within given time are obtained as probability of exceedance versus duration curve fits of the off-site power to bus recovery times assessed from the statistical data given in . The loss of off-site power initiating event frequency of events/yr equal to the value in reference model is used .
Figure 3 shows that the LOCA is dominant contributor to the plant CDF. The LOOP with share of 21% and the SBO with share of 3% contribute to one-quarter of the overall CDF.
3.1. Results of the Deterministic Model
The main parameters characterizing the RELAP5 computer code calculations are given in Figures 4–8. These parameters are the pressurizer pressure, average fuel cladding temperature at the top of the core, and SG number 1 wide range level. The pressurizer pressure is important in order to know when pressurizer relief valves open. The fuel cladding temperature gives information if the core integrity is challenged. Finally, cooling through secondary side could be performed when there is sufficient water inventory (level) in the steam generators.
The pressurizer pressure for SBONP case scenarios is given in Figure 5. The PRZ PORV opens when setpoint of 16.4 MPa is reached and it is assumed that it remains in the stuck open position. This results in the sudden drop of the pressure as shown in Figure 5.
The available time before the core heatup, if PRZ PORV is stuck open after first opening, related to NRAC-PRZBV functional event, is assessed from Figure 6 for SBONP case scenario and is given in Table 4.
The pressurizer pressure for analysed SBOS4 case scenarios is given in Figure 7. The pressurizer safety valve opens when setpoint of 17.2 MPa is reached. This results in the loss of reactor coolant system inventory and start of the core heatup.
3.2. Results of the Probabilistic Model
Table 6 shows the basic events representing nonrecovery of AC power within the restoration time used in the PSA model, given in the second column. The probabilities obtained from the statistical data are given in the third column. Composite probability of exceedance for all LOOP categories  is selected as representative data for NRAC-SGDR and NRAC-PRZBV functional event. The grid related LOOP categories that include switchyard, grid, and weather are selected as relevant for the NRAC-OFFSITE functional event. The plant LOOP category is selected as representative data for the NRAC-ONSITE functional event.
The obtained CDF for the reference PSA model and change of ΔCDF for different time delays are given in Table 7.
Table 7 shows that introduction of the delay of the SBO following the LOOP results in a small decrease of the CDF equal for all assumed time delays. This is result of the small share of the SBO event in the overall CDF of the plant. In the NPP that has larger share of the SBO event in the CDF the obtained ΔCDF will be larger and will depend on the delay of the SBO following the LOOP.
Table 8 and Figure 9 show that 15-minute delay of the SBO, after the LOOP, results in 45% decrease of the SBO CDF. The obtained result is expected considering the importance of the provision of effective core cooling after the reactor trip.
The first 10 basic events identified with largest Fussell-Vesely (FV) importance measure in reference PSA model are given in Table 9. The second column in Table 9 contains basic events with description given in the third column, unavailability in the fourth column, and FV importance measure in the fifth column. The last two columns contain values of risk decrease factor (RDF) and risk increase factor (RIF) importance measures.
Table 9 shows that basic events with largest FV importance measure in reference model, together with the LOOP and S1 initiating events (IE), are basic events representing the AFW failure to start and operate.
Table 10 shows basic events with largest FV in the model with the 15-minute delay between the LOOP and the SBO. The same events with identical ordering as in reference model given in Table 9 are identified.
The basic events with the largest FV importance measure in SBO event are given in Table 11.
Table 11 shows that the power restoration events from off-site (power grid) and on-site (emergency diesel generators) electric power sources are most important in the SBO event tree.
Table 12 shows basic events with the largest FV importance measure in SBO event tree with 15-minute delay between LOOP and SBO. The same basic events as in Table 11 are identified, with small changes in the obtained FV importance measure.
The results in the tables show that, in the analyzed PSA model, the introduction of the delay of the SBO following LOOP is not affecting the basic events importance measures.
The results show that the introduction of the time delay results in large decrease of the SBO CDF and corresponding risk. The decay heat is large at the initial period after the reactor shutdown and effective cooling in the initial time period will increase available time before core heatup and core damage.
With different modifications in the NPP the essential safety systems and power supplies can be protected from extreme events that can result in the extended SBO. Those modifications include placement of the safety systems in protected structures or their allocation to the higher elevation.
The coping strategies proposed by the nuclear industry in response to the Fukushima Daiichi accident are based on installed NPP equipment for initial managing of the beyond-design-basis external events . The protection of the installed equipment, as shown by the results of this study, will result in improvement of the plant safety.
In this paper the consequences of the delay of the SBO event following the LOOP event are analysed and the results presented. The analysis is done with standard deterministic and probabilistic safety analysis methods and tools for different assumed time delays between the LOOP and the SBO event. The available restoration times are assessed from the deterministic safety analyses results. The probability of nonrecovery of alternate electric power in the restoration times is assessed from the statistical data and inserted in the station blackout event tree.
The results show that small decrease of the overall CDF is obtained with the introduction of the SBO delay following the LOOP. This is because of small share of the SBO event in the overall CDF of the plant. Large decrease of the SBO CDF is obtained with the introduction of the delay. Increase of the delay results in the decrease of the SBO CDF. Introduction of the delay in the analysed model results in small changes of the importance measures.
Conflict of Interests
The authors declare that there is no conflict of interests regarding the publication of this paper.
This research was partly supported by the Slovenian Research Agency (Research Program P2-0026) and partly by the European Atomic Energy Community’s (Euratom) Seventh Framework Programme FP7/2007–2011 under Grant Agreement no. 605001.
IAEA, Fundamental Safety Principles, Safety Standards Series SF-1, International Atomic Energy Agency, Vienna, Austria, 2006.
IAEA, Safety of Nuclear Power Plants: Design, Specific Safety Requirements No. SSR-2/1, International Atomic Energy Agency, Vienna, Austria, 2012.
NRC. Code of Federal Regulations, “Title 10, ‘energy,’ part 50, ‘licensing of production and utilization facilities,’,” in Appendix A, ‘General Design Criteria for Nuclear Power Plants’, U.S. Nuclear Regulatory Commission, Washington, DC, USA, 2013.View at: Google Scholar
NRC, “Criterion 17: electric power systems, NRC regulations, title 10, code of federal regulations, part 50: domestic Licensing of production and utilization facilities,” in General Design Criteria for Nuclear Power Plants, NRC, Washington, DC, USA, 2010.View at: Google Scholar
NRC, “Station Blackout,” Final Rule, NRC Regulations, Title 10, Code of Federal Regulations, § 50.63 Loss of all alternating current power, US, Nuclear Regulatory Commission, Washington, DC, USA, 1988.View at: Google Scholar
USGS, The 03/11/2011 Mw9.0 Tohoku Japan Earthquake-Educational Slides, U.S. Geological Survey, National Earthquake Information Center, Denver, Colo, USA, 2011.
TEPCO, Overview of the Earthquake & Tsunami and Nuclear Accident: The Great East Japan Earthquake and Current Status of Nuclear Power Stations, Tokyo Electric Power Company, 2011.
NRC, “NRC Information Notice on Tohoku-Taiheiyou-Oki Earthquake Effects on Japanese Nuclear Power Plants,” Information Notice 2011-05, Washington, DC, USA, 2011.View at: Google Scholar
The National Diet of Japan, The Official Report of the Fukushima Nuclear Accident Independent Investigation Commission, The National Diet of Japan, 2012.
R. C. Bertucio, J. A. Julius, and W. R. Cramond, “Analysis of core damage frequency, Surry, Unit 1 internal events appendices,” Tech. Rep. NUREG/CR-4550, 1990.View at: Google Scholar
NRC, “Reevaluation of station blackout Risk at nuclear power plants,” Tech. Rep. NUREG/CR 6890, NRC, Washington, DC, USA, 2005.View at: Google Scholar
NEI, Diverse and Flexible Coping Strategies (FLEX) Implementation Guide, Nuclear Energy Institute, Washington, DC, USA, 2012.