Science and Technology of Nuclear Installations

Volume 2015, Article ID 238723, 10 pages

http://dx.doi.org/10.1155/2015/238723

## Improved Modelling and Assessment of the Performance of Firefighting Means in the Frame of a Fire PSA

GRS gGmbH, Boltzmannstraße 14, 85748 Garching, Germany

Received 31 October 2014; Accepted 15 January 2015

Academic Editor: Francesco Di Maio

Copyright © 2015 Martina Kloos and Joerg Peschke. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

An integrated deterministic and probabilistic safety analysis (IDPSA) was carried out to assess the performances of the firefighting means to be applied in a nuclear power plant. The tools used in the analysis are the code FDS (Fire Dynamics Simulator) for fire simulation and the tool MCDET (Monte Carlo Dynamic Event Tree) for handling epistemic and aleatory uncertainties. The combination of both tools allowed for an improved modelling of a fire interacting with firefighting means while epistemic uncertainties due to lack of knowledge and aleatory uncertainties due to the stochastic aspects of the performances of the firefighting means are simultaneously taken into account. The MCDET-FDS simulations provided a huge spectrum of fire sequences each associated with a conditional occurrence probability at each point in time. These results were used to derive probabilities of damage states based on failure criteria considering high temperatures of safety related targets and critical exposure times. The influence of epistemic uncertainties on the resulting probabilities was quantified. The paper describes the steps of the IDPSA and presents a selection of results. Focus is laid on the consideration of epistemic and aleatory uncertainties. Insights and lessons learned from the analysis are discussed.

#### 1. Introduction

IDPSA—frequently also called Dynamic PSA—can be regarded as a complementary analysis to the classical deterministic (DSA) and probabilistic (PSA) safety analyses [1, 2]. It makes extensive use of a deterministic dynamics code and applies advanced methods for an improved modeling and probabilistic assessment of complex systems with significant interactions between a process, hardware, software, firmware, and human actions [3]. An IDPSA is particularly suitable in the frame of a fire PSA, since sequences of a fire interacting with the means to be applied for firefighting can be realistically modelled while aleatory uncertainties due to the stochastic aspects of the performances of the firefighting means can be simultaneously taken into account. Besides aleatory uncertainties, epistemic uncertainties can be considered as well. They may refer to parameters of the applied deterministic dynamics code and to the reliability parameters used to quantify the stochastic performances of the firefighting means.

An appropriate tool to conduct an IDPSA is MCDET (Monte Carlo Dynamic Event Tree) which allows for performing Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach, or a combination of both [4, 5]. Since MCDET can in principle be coupled to any deterministic dynamics code, the open source and freely available code FDS (Fire Dynamics Simulator) from NIST [6] was selected to be applied for fire simulation. What makes MCDET particularly useful for a fire safety analysis is its Crew Module which allows for considering human actions such as those applied for firefighting as a time-dependent process [7, 8] which can interact with the process modelled by any dynamics code chosen to be combined with MCDET such as FDS.

In the past, MCDET was already applied to analyse and assess the plant behaviour during a station black-out scenario with power supply recovery [4]. In that application, MCDET was combined with the code MELCOR (version 1.8.5, [9]) for integrated severe accident simulation. In another application, MCDET was coupled to the thermal-hydraulics code ATHLET (mod 2.0, [10]) to assess the emergency operating procedure “Secondary Side Bleed and Feed” [7]. This procedure is to be employed in a pressurized water reactor (PWR) to achieve the protection goal of steam generator injection after the loss of feed-water supply.

The fire event selected to be analysed was assumed to occur in a compartment of a German reference nuclear power plant (NPP). The main question to be answered by the IDPSA was whether the plant specific firefighting means to be applied in case of a fire are able to protect those structures, systems, and components (SSC) in the compartment which are important to nuclear safety. Therefore, the most important analysis result was the probability of safety related SSC to be damaged by the fire. The influence of epistemic uncertainties on the probability was quantified.

Section 2 of this paper gives an overview of the methods implemented in MCDET. It is explained how these methods can be used to treat the aleatory and epistemic uncertainties of an IDPSA and how the influences of both types of uncertainties can be quantified. Details on the considered fire event, the plant specific firefighting means and on the modelling assumptions can be found in Section 3. The steps of the analysis and a selection of results are described in Section 4. Conclusions and lessons learned are presented in Section 5.

#### 2. Methods Implemented in MCDET

The tool MCDET allows for performing Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach, or a combination of both. How these methods can be used to consider aleatory uncertainties and to quantify their influence on the results of a deterministic dynamics code is described in Section 2.1. The method to handle epistemic uncertainties in addition to aleatory uncertainties and to get a quantification of their influence is the topic of Section 2.2.

##### 2.1. Consideration of Aleatory Uncertainties

Coupled with a deterministic dynamics code such as the FDS code, the tool MCDET can perform Monte Carlo (MC) simulation, the Dynamic Event Tree (DET) approach, or a combination of both [4, 5].

The DET approach is quite useful, if rare events like, for instance, the failures of safety systems which generally occur with small probabilities have to be considered. The first tool presented in literature which applied the DET approach is DYLAM [11, 12]. Other tools using the DET approach are, for instance, ADS-IDAC [13, 14], SCAIS [15, 16], ADAPT [17], and RAVEN [18].

The simulation of a DET starts with the calculation of a sequence running from the initial event until the occurrence of the first event for which aleatory uncertainties are to be taken into account (e.g., success/failure of a safety system). When this happens, a branching point is generated meaning that the calculations of all branches (alternative situations) which may arise at the corresponding point in time are launched, even those of low probabilities. For instance, at the point in time, when a safety system is demanded, both successful and failed operations of the system are considered and the corresponding simulation processes are launched. Each time when another event subjected to aleatory uncertainty occurs during the calculation of a branch, another branching point is generated and the simulations of the new branches are launched.

With MCDET, a conditional occurrence probability is assigned to each branch constructed in the course of a DET simulation. Multiplication of the conditional probabilities of all branches which made up a whole sequence finally gives the sequence probability. The probabilities of all sequences of a DET in general sum up to 1. If a probabilistic cut-off criterion was applied, the sum is smaller than 1, because all sequences with a conditional probability less than a given threshold value are ignored.

The DET approach avoids repeated calculations of dynamic situations shared by different sequences. Except for the first (root) sequence, any other sequence is calculated only from the time on where a corresponding branching occurs. The past history of a sequence is given by the parent sequence from which the sequence branches off, then, by the parent sequence of the parent sequence and so on.

One drawback of the DET approach is that a continuous variable like the timing of an event (e.g., the failure of a passive component) has to be discretized, if it is subjected to aleatory uncertainty. A coarse discretization would provide less accurate results. A detailed time discretization would lead to an exponential explosion of the number of branches. The accuracy of results derived from a more or less detailed discretization is difficult to quantify. To overcome this difficulty, MCDET allows for applying a combination of MC simulation and the DET approach which can adequately handle the aleatory uncertainty of any discrete or continuous variables and provide output data appropriate for quantifying the accuracy of the results, for instance, in terms of confidence intervals.

With MCDET coupled to a dynamics code, each DET is constructed on condition of values each randomly sampled for a continuous aleatory variable. Each new set of values for the continuous aleatory variables contributes to the generation of another DET. Result of this method is a sample of individual DETs, each constructed from a distinct set of values sampled for the continuous aleatory variables. The sampling of values for the continuous aleatory variables is not performed a priori, that is, before the calculation of a DET is launched. It is performed when needed in the course of the calculation. In this way, it is possible to treat not only the influence of aleatory uncertainties on the dynamics as calculated by the code but also the influence of the dynamics on aleatory uncertainties and to consider, for instance, a higher failure rate of a component, if a high temperature seriously aggravates the condition of the component.

From the conditional probabilities assigned to each sequence and the corresponding curves of safety related output quantities calculated by the dynamics code, the post-processing modules of MCDET can calculate the conditional DET-specific and the unconditional scenario-specific distributions of safety related quantities. These scenario-specific distributions are the means over the corresponding DET-specific distributions. The accuracy of the resulting mean distributions and probabilities can be quantified in terms of 90% or 95% confidence intervals.
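The scheme of this section can be traced on a toy model. The following Python sketch is an added illustration, not the authors' code and not MCDET or FDS: it builds DETs with branch probabilities and a cut-off, samples one continuous aleatory variable per DET when its branching point is reached, and averages the DET-specific damage probabilities. The linear temperature model, all numbers, the uniform distribution for the timing of HA1 and the normal-approximation confidence interval are assumptions chosen for the example.

```python
import random
import statistics

# Constructed toy model (not FDS or MCDET): target temperature rises linearly
# until a firefighting means succeeds; damage if it is above T_CRIT by then.
T0, RATE, T_CRIT = 20.0, 2.0, 200.0   # deg C, deg C/s, deg C (assumed values)
# (name, demand time in s or None if sampled, failure-on-demand probability)
MEANS = [("S1", 30.0, 0.05), ("S2", 60.0, 0.10), ("HA1", None, 0.02)]


def build_det(sample_time, cutoff=0.0):
    """One DET as [(events, probability, damaged)], conditioned on the value
    sample_time() returns when the HA1 branching point is reached."""
    sequences = []

    def expand(i, events, prob):
        if prob < cutoff:                 # probabilistic cut-off: drop branch
            return
        if i == len(MEANS):               # every means failed, fire burns on
            sequences.append((events, prob, True))
            return
        name, t, p_fail = MEANS[i]
        if t is None:
            t = sample_time()             # sampled when needed, not a priori
        if prob * (1 - p_fail) >= cutoff: # success branch ends the sequence
            damaged = T0 + RATE * t > T_CRIT
            sequences.append((events + [name + " ok"], prob * (1 - p_fail), damaged))
        # failure branch continues from this branching point, not from t = 0
        expand(i + 1, events + [name + " fails"], prob * p_fail)

    expand(0, [], 1.0)
    return sequences


def damage_probability(det):
    """DET-specific probability: sum over the sequences that end in damage."""
    return sum(prob for _, prob, damaged in det if damaged)


def mcdet(n_dets, seed=1, cutoff=0.0):
    """Mean damage probability over a sample of DETs with a 95% interval
    (normal approximation, an assumption of this sketch)."""
    rng = random.Random(seed)
    probs = [damage_probability(build_det(lambda: rng.uniform(70.0, 130.0), cutoff))
             for _ in range(n_dets)]
    mean = statistics.fmean(probs)
    half = 1.96 * statistics.stdev(probs) / n_dets ** 0.5
    return mean, (mean - half, mean + half)
```

Without a cut-off the sequence probabilities of each DET sum to 1; with `cutoff=0.001` the all-fail sequence (probability 0.0001) is dropped and the sum falls to 0.9999.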

Figure 1 comprises two schematic illustrations of the sample of DETs generated by MCDET. In Figure 1(a), each DET of the sample is represented in the time-event space with focus on the events subjected to aleatory uncertainty (e.g., failure-on-demand of the systems S1, S2, and S3, error of human actions HA1, or failure of a passive component PC). Timing and order of events might differ from DET to DET due to the influence of the different values sampled for MC simulation. Associated with each sequence of events is the process state at each point in time as calculated by the applied dynamics code and the corresponding conditional probability. In Figure 1(a), the state of a process variable and the corresponding probability are exemplarily considered at the end of problem time. The probabilities over the range of (e.g., from 0 to 10) obtained from all sequences of a DET constitute a distribution at each point in time (e.g., at the end of problem time as shown in Figure 1(a)). Figure 1(b) shows each DET in the time-state space where the focus is laid on the temporal evolution of the process variable for each sequence of events.