Abstract

Fault trees (FT) and event trees (ET) are widely used in industry to model and evaluate the reliability of safety systems. This work analyzes and estimates the core damage frequency (CDF) due to flow blockage (FB) and due to a loss of coolant accident (LOCA) caused by a large rupture of a primary circuit pipe for a specific 10 MW Water-Water Research Reactor in Ghana, using the FT and ET technique. Using FT, the following reactor safety systems were evaluated for their dependability: reactor protection system, primary heat removal system, isolation of the reactor pool, emergency core cooling system (ECCS), natural circulation heat removal, and isolation of the containment. The probabilistic safety assessment (PSA) Level 1 was conducted using a commercial computational tool, system analysis program for practical coherent reliability assessment (SAPHIRE) 7.0. The frequency of an accident resulting in severe core damage for the internal initiating events was estimated to be 2.51 × 10⁻⁴/yr for the large LOCA and 1.45 × 10⁻⁴/yr for FB, culminating in a total core damage frequency of 3.96 × 10⁻⁴/yr. The estimated core damage frequencies were within the expected margins of 1.0 × 10⁻⁵/yr to 1.0 × 10⁻⁴/yr and of the same order of magnitude as found for similar reactors.

1. Introduction

Following the Fukushima accident, the International Scientific Community’s attention to unmitigated nuclear power plant (NPP) accidents and their mitigation has become a major highlight [1, 2]. Interest in accident progression, which generally starts with a thermal-hydraulic analysis of transients to evaluate their consequences in terms of core damage frequency (CDF), has induced the study of different unmitigated accidents in NPPs and research reactors using probabilistic safety analysis (PSA) techniques.

In 2019, Yazdi, Hafezi, and Abbassi demonstrated the relevance and viability of the probabilistic safety analysis methodology in a high-tech industry and compared its results with common conventional approaches [3]. The prime target of their study was to lay out a suitable and dependable technique that expands the reliability of a structured approach to probabilistic risk assessment.

This paper uses the probabilistic safety analysis (PSA) technique to examine the probability of occurrence of an accident and evaluate its consequences, providing a numerical estimate of how safe the 10 MWth water-water reactor (VVR) is. PSA is also employed in approximating the risk reduction that could be achieved by making alterations to the nuclear reactor design or to the operation and maintenance practices.

The series of occurrences that could result in fuel integrity loss or core damage and their frequency of occurrence were identified and quantified in PSA Level 1. This paper presents the results obtained as part of the probabilistic safety assessment (PSA) Level 1 conducted for the 10 MWth VVR research reactor. Accident-causing initiating events (flow blockage and loss of primary coolant) were identified, described, and evaluated.

The event involving the blockage of only one channel has the greatest probability of occurrence, with the possibility of resulting in the meltdown of fuel elements. Among the initiating events in the loss of primary coolant category, the large loss of coolant accident (LOCA) causes the largest consequences, because it can uncover the core in less time than any other event in the category. For these reasons, analysis of the accident sequences for these two initiating events was selected. The selection criteria took cognizance of the event with the highest frequency/probability of occurrence and of the one that results in the more severe consequences for the reactor core; the events analyzed were loss of flow due to a blocked channel and loss of coolant accident (LOCA) due to a large rupture.

The paper also focused on the estimation of core damage frequency in the 10 MWth VVR in the eventuality of the selected initiating events. The progression of the accident and performance of the systems to mitigate each event were analyzed employing the event tree (ET). Furthermore, the reliability of these systems was quantified using the fault tree (FT).

Moreover, there are only two reactors in the West African subregion. The size and nature of these reactors do not warrant PSA, since they are inherently safe and have only a few IEs that could be prescribed. The PSA was performed to find severe accident weaknesses and to provide quantitative results supporting decision-making for the 10 MW VVR, based on the intergovernmental proposal between Russia and Ghana for an NPP and a research reactor. The skills and expertise acquired from this work are also useful to the Nuclear Power Program Ghana is pursuing. This work will aid in the identification of safety issues and cost-effective solutions to safety problems that arise during the design of the 10 MW VVR. It will also provide valuable guidance on the areas in which additional funds available for improving the overall safety of the reactor can most effectively be spent. Regardless of all the innovations of the new generation of reactors, the likelihood of accidents and faults in the safety systems remains. Consequently, PSA is performed to examine the reliability of reactors with respect to design basis accidents, considering the likelihood of damage to the reactor core in the most diverse accident scenarios [4].

2. The Russian 10 MWth Water-Water Research Reactor (VVR) Description

The water-water reactor (VVR) is a pool-type reactor with a thermal power of 10 MWth. It uses light water as coolant and moderator, with a beryllium reflector surrounding the active core. The fuel is 19.7% enriched and the peak neutron flux is 10¹⁴ cm⁻²·s⁻¹. It has eleven horizontal channels (each a double open-ended channel with a diameter of 150 mm) and fifty sample irradiation positions. A critical facility with a peak neutron flux of 10⁷ cm⁻²·s⁻¹ is also constructed to function as a mock-up of the reactor. The cylindrical reactor vessel which contains the core has an inner diameter of 0.652 m and a height of approximately 2.8 m. It is located off-centre in a shielded central tank of the same height with an outer diameter of 2.3 m. The nominal flow rate is 1250 m³/h. The water flows downward through the core under forced convection induced by the primary cooling pumps: it enters from beneath the central tank through a single 0.35 m diameter pipe, flows upwards, is directed towards the centre, trickles down through the core, and finally exits from the centre of the reactor vessel through a single 0.35 m diameter pipe. There is no other piping penetration in the reactor vessel and central tank. A cross section of the 10 MWth research reactor is shown in Figure 1, and a block diagram of the reactor cooling system and the connected systems is shown in Figure 2.

3. Theory

This section summarizes the concepts of probability associated with the uncertainty analysis used in the PSA. The discussion presents the basic concepts and principles as used in the SAPHIRE 7.0 code [6–9]. The fundamentals of Boolean logic involved in fault tree and event tree analysis were reviewed. Fault trees and event trees are interpreted as Boolean formulas built over a defined set of variables, referred to as basic events, with the logical connectives “+” (OR), “·” (AND), and “−” (NOT). An assignment of literals (a basic event or its negation) satisfies (SAT) a Boolean formula if the formula evaluates to true. A positive product that satisfies a Boolean formula F defines a cut set of F. A cut set is minimal if no subproduct of it is a cut set of F. For instance, formula F yields the cut sets and minimal cut sets (MCS) shown in

The MCS can be written as a sum of products; F and its MCS may differ as formulas. The probability of each cut set is determined by multiplying the probabilities of its basic events, as shown in , where is the probability of the ith cut set and is the probability of the kth basic event in the ith cut set.

A common approach to calculating the probability of a top event is to add together the probabilities of the cut sets, where each cut set probability is given by (3); the rare event approximation is thus given by , where is the minimal cut set upper bound for the system unavailability, is the probability of the ith cut set, and m is the number of minimal cut sets in the fault tree. This approximation is acceptable when the cut set probabilities are small. In screening analysis, when relatively large screening values are used to bound the component failure probabilities, the rare event approximation can exceed 1.
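As an added worked example (not code from the paper or from SAPHIRE), the following Python script carries the cut set definitions above through to the top event estimate for a small constructed fault tree: it distributes AND over OR to enumerate cut sets, removes the non-minimal ones, and compares the rare event approximation with the minimal cut set upper bound and the exact probability, including a screening case in which the rare event sum exceeds 1. The tree, event names and probabilities are hypothetical, and the algorithm is the general one, not limited to the example tree.

```python
"""Fault tree quantification via minimal cut sets.

Added example (not the paper's model or SAPHIRE output): a small Boolean
fault tree is reduced to its minimal cut sets, each cut set probability is
the product of its basic event probabilities, and the top event probability
is estimated by the rare event approximation and by the minimal cut set
upper bound, then compared against the exact value.
"""
from itertools import product
from math import prod

# A fault tree node is either a basic event (str) or a gate: ("AND" | "OR", [children]).
# Constructed, hypothetical tree for a "no reactor pool isolation" top event:
# a butterfly valve stays open if the valve itself fails or the close signal is lost,
# and pool isolation fails only if both valves stay open.
VALVE_A_NOT_CLOSED = ("OR", ["VALVE_A_FAILS", "SIGNAL_LOST"])
VALVE_B_NOT_CLOSED = ("OR", ["VALVE_B_FAILS", "SIGNAL_LOST"])
NO_POOL_ISOLATION = ("AND", [VALVE_A_NOT_CLOSED, VALVE_B_NOT_CLOSED])

# Constructed basic event probabilities: realistic-looking values, and
# deliberately large screening values used to bound the failure probabilities.
P_NOMINAL = {"VALVE_A_FAILS": 1e-2, "VALVE_B_FAILS": 1e-2, "SIGNAL_LOST": 1e-3}
P_SCREENING = {"VALVE_A_FAILS": 0.9, "VALVE_B_FAILS": 0.9, "SIGNAL_LOST": 0.9}


def cut_sets(node):
    """All cut sets of a node as frozensets of basic events.

    OR: union of the children's cut sets.  AND: one cut set from every child,
    merged, for every combination (distributing AND over OR)."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, children = node
    child_sets = [cut_sets(child) for child in children]
    if gate == "OR":
        return set().union(*child_sets)
    if gate == "AND":
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")


def minimal_cut_sets(node):
    """Keep only the cut sets that contain no other cut set as a proper subset."""
    all_sets = cut_sets(node)
    return {c for c in all_sets if not any(other < c for other in all_sets)}


def cut_set_probability(cut_set, p):
    """P(C_i) = product of the probabilities of the basic events in C_i (independence assumed)."""
    return prod(p[event] for event in cut_set)


def rare_event_approximation(mcs, p):
    """Sum of the minimal cut set probabilities; not bounded by 1."""
    return sum(cut_set_probability(c, p) for c in mcs)


def min_cut_set_upper_bound(mcs, p):
    """1 - prod(1 - P(C_i)); exact when the cut sets share no basic event, else an upper bound."""
    return 1.0 - prod(1.0 - cut_set_probability(c, p) for c in mcs)


def evaluate(node, state):
    """Boolean value of the tree for one assignment of basic events (True = failed)."""
    if isinstance(node, str):
        return state[node]
    gate, children = node
    values = [evaluate(child, state) for child in children]
    return any(values) if gate == "OR" else all(values)


def exact_probability(node, p):
    """Exact top event probability by enumerating all 2^n basic event states (small trees only)."""
    events = sorted(p)
    total = 0.0
    for bits in product([False, True], repeat=len(events)):
        state = dict(zip(events, bits))
        if evaluate(node, state):
            total += prod(p[e] if state[e] else 1.0 - p[e] for e in events)
    return total


def quantify(node, p):
    """Top event estimates for one set of basic event data."""
    mcs = minimal_cut_sets(node)
    return {
        "mcs": mcs,
        "rare_event": rare_event_approximation(mcs, p),
        "mcs_upper_bound": min_cut_set_upper_bound(mcs, p),
        "exact": exact_probability(node, p),
    }


if __name__ == "__main__":
    for label, p in (("nominal", P_NOMINAL), ("screening", P_SCREENING)):
        r = quantify(NO_POOL_ISOLATION, p)
        print(label, sorted(sorted(c) for c in r["mcs"]))
        print(f"  rare event {r['rare_event']:.6g}  MCS upper bound {r['mcs_upper_bound']:.6g}"
              f"  exact {r['exact']:.6g}")
```

With the nominal data the two minimal cut sets share no basic event, so the upper bound coincides with the exact value; with the screening data the rare event sum is 1.71 while the upper bound stays at 0.981.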

4. Methodology

This paper focuses on Level 1 PSA studies and seeks to use the knowledge acquired to establish and consolidate methodologies for future reliability studies. The following plant operating states were considered: nominal full-power operation (10 MWth); reduced power operation; start-up operation; reactor subcritical; and reactor pool availability. From the safety point of view, nominal full-power operation is the plant operating state that brackets all the others. This is because the reactor pool constitutes a large heat sink that is always available, regardless of the operating state of the reactor. Figure 3 gives a brief overview of the methodical process, which is described in Section 4.2.

4.1. Initiating Event Selection

The accident-causing initiating events, loss of coolant accidents (LOCA) and flow blockage (FB), were chosen for this study. LOCA consists of every single event that directly generates loss of integrity of the primary coolant pressure boundary, while FB is the blockage of the entrance of the primary coolant to a fuel element channel or channels.

4.2. Safety Function

The design of the 10 MWth VVR incorporates five basic safety functions, aimed at preventing core damage following an initiating event. The event tree for the IE loss of coolant accident (LOCA) (ET1) was used to model the response of the reactor to coolant loss. In this work, the sequence of events resulting from a loss of coolant accident was identified and modelled in SAPHIRE. The safety systems and safety functions that could act in sequence to mitigate the LOCA are briefly described as follows.

It was assumed that, with the reactor at full power, there was a double-ended break of the largest (12 inches) pipe connected to the lowest part of the reactor, which initiates the sequence of events.

Following the LOCA, the reactor protection system (RPS), comprising both automatic and manual systems, should shut down the reactor. The success of this event leads to scram and therefore to interruption of the fission chain reaction.

The pool was isolated from the cooling system in the event of a malfunction of the RPS. This happened when the butterfly valves were closed, either manually or automatically, within a few minutes after the accident. Effective isolation of the pool from the break location leaves the core immersed in the pool water. Therefore, if reactor pool isolation (RPI) is achieved, the coolant supply remains available (coolant loss is curtailed). The next question was whether natural circulation of the pool water was available.

During natural circulation heat removal (NCHR), the flapper valve opened when the pool water was available, enabling natural cooling of the core. Natural cooling was enough to avoid core damage because there was an effective scram; therefore, sequence number 1 was successful. If the flapper had failed to open to allow natural circulation, sufficient heat removal would have been unlikely and core damage was expected. Likewise, if the reactor was not shut down by the RPS, sufficient heat removal was unlikely with or without natural circulation capability. Again, it was expected that if shutdown was not achieved after a complete loss of flow, core damage would occur. A different amount of core inventory release was expected depending on whether the fission chain reaction was halted and on whether natural circulation was possible.

The availability of natural pool water circulation was immaterial if the pool was not isolated; in that case the emergency core cooling system starts to spray water on the core. It was assumed that, with the reactor shut down, core spraying was enough to remove decay heat and consequently avoid core damage; therefore, sequence number 5 was deemed a successful sequence. If the emergency core cooling system (ECCS) had failed, natural cooling in air alone would not have been enough to remove decay heat, so core damage would occur and radioactivity would be released inside the reactor building. The consequences, however, depend on the quantity of radioactivity released outside the containment, and therefore the ensuing events must be included in the tree. Given that the ECCS was not working, isolation of the reactor building was possible, with every gate and door staying shut. This action has the objective of stopping any release of radioactivity into the surroundings. Effective containment isolation (CI) requires an emergency ventilation system to operate to relieve the pressure and remove as much of the released radioactivity as possible through the filters. The severest accident sequence, from the release viewpoint, develops when the containment fails to isolate, as it signifies the release of the largest amounts of radioactivity of all the accident sequences (accident sequences number 8 and number 17).

In case the ECCS is unsuccessful, NEV (LOCA) was employed to model the operation of the emergency ventilation system in the event of LOCA. Effective operation of this system signified retaining most of the radioactivity in the containment and the filters. System failure (accident sequences number 7 and number 16) signified a larger release of radioactivity than when the system functions, but a smaller one than when the containment isolation (CI) failed (sequences number 8 and number 17). This event tree produced seventeen (17) sequences. Two sequences culminated in a safe state (sequence numbers 1 and 5). All other sequences (sequence numbers 2, 3, 4, and 6 to 17, as shown in Figure 4) led to an accident with core damage of 10%, 30%, 50%, or 100% and various extents of release to the surroundings. Significantly, the operation of the shutdown system did not realistically affect the outcome of a sequence. It did, however, influence the likelihood of the sequences, because several of the instrumentation and alarms were shared between the RPS, pool isolation via closure of the butterfly valve, and the initiation of the ventilation system.

The event tree for the IE flow blockage (FB) (ET2) was used to model the response of the reactor system to an event culminating in blockage of the coolant flow in one of the channels. What distinguishes this event tree from the former one is the response of the RPS and the irrelevance of the primary heat removal system, as well as of the emergency ventilation system. The events comprising the event tree (ET2) are flow blockage (the IE), reactor protection system (RPS), primary heat removal, natural circulation heat removal, containment isolation, and emergency ventilation system.

With the flow blockage event tree (ET4), the assumption made was that a fuel coolant channel was blocked, in which case there was a partial loss of flow leading to an accident condition. When the flow blockage accident scenario was initiated, only manual scram through the RPS was available to shut down the reactor, because there were no automatic signals for either shutdown or reverse.

Because of the failure of the RPS to mitigate the accident scenario, there was a need to isolate the reactor building. In the event that the reactor building failed to isolate, the operation of the emergency ventilation system (NEV) was modelled for the ‘flow blockage’ event. Again, only manual initiation was possible. ET4 consisted of four event sequences, as shown in Figure 5. One of them (sequence number 1) led to a safe state and three (sequence numbers 2, 3, and 4) were expected to lead to 3 percent core loss.

Quantitative risk (a systematic approach for evaluating likelihoods, consequences, and risk of adverse events) analysis based on event and fault tree used in this work employed two basic assumptions; the first assumption was related to likelihood values of input events, whilst the other assumption was concerning interrelation among basic events. Traditionally, event trees and fault trees both use probabilities; however, to tackle the issue of uncertainties, the assumption of probability distributions of input event likelihoods is employed [10].

The event tree was used to define the initiating event within the reference research reactor. It was then employed in analyzing the course of events that follow, as determined by the operation or failure of the safety systems provided to prevent the core from melting and to stop the release of radioactivity to the surroundings [11]. The fault trees started with the definition of an undesired event (in this work, LOCA) and then determined how the system can fail, using engineering and mathematical logic. Using data covering the failure of components such as pumps, pipes, and valves, the likelihood of operator errors, and the likelihood of maintenance errors, it was possible to estimate the likelihood of system failure [11].

4.3. Description of Large Break LOCA Application Methodologies

PSA involves several analytical methods, including the development of event tree and fault tree logic models used for the analysis of accident sequences. Large break LOCA (loss of coolant accident) was chosen as an initiating event for application in this paper. The assumption made for the chosen initiating event was that, during full-power operation, there is a double-ended rupture of the largest (12 in) pipe connected to the base of the reactor [12]. PSA typically covers every mode of operation in which other accident initiators might occur or in which the success criteria for, and/or the unavailability of, some systems might differ from those of full-power operation. These criteria define the basis for establishing the plant operating states to be modelled. However, only one plant operating state (normal full-power operation) in which an accident could be initiated was considered for the probabilistic safety assessment (PSA) in this work. After the reactor operating state had been considered, the next step in the methodology was the selection of an important initiating event (an event that generates a disturbance in the plant and could result in core damage, depending on the successful operation of the diverse mitigating systems in the plant) for the chosen reference research reactor design. Initiating events are generally classified into internal IEs (LOCA and transient initiators) and hazards (internal and external). For the purposes of this work, internal IEs, i.e., hardware failures in the reference research reactor or faulty operation of the reference reactor’s hardware through human error or software deficiencies, were considered. Having selected the important initiating event for this work, the next step was to show the logical models of fault combinations that could cause a mitigating system to fail to perform its function when required, and this was done using fault trees.
Logical gates (e.g., Boolean operators) were used to illustrate how faults of the system can combine to result in the failure described in the gate’s associated events. A linked fault tree (FT) PSA model, in which the individual fault trees were linked to the function events of the event tree (ET), was considered. The event trees (ET) developed were meant to depict the potential event sequences from the initiating event to the associated consequences. The ET also depicted the phenomenological, time-dependent mitigation function of the accident progression. The event tree was built from left to right. The ET began with the initiating event and, for this paper, the IE was loss of coolant accident (LOCA). Next to the initiating event were the successive function events that define the success or failure of mitigating functions; branches on the event tree showed where the progression of the accident goes depending on the success or failure of the corresponding mitigating function. The headings of the event tree are usually set out in either chronological or causal order. In this paper, they were arranged in chronological order, meaning that events were considered in the consecutive order in which they were expected to occur in an accident. If a mitigating function is not applicable to an event sequence, there is no branch at its top event node. In a linked fault tree model, the probabilities of the function events (e.g., split fractions) are evaluated using fault trees; this is where the fault tree (FT)/event tree (ET) coupling takes place. The event tree as shown in Figure 4 comprises the following events:

(1) LOCA (initiating event (IE)): it is assumed that during full-power operation, there is a double-ended rupture of the largest (12 inches) pipe connected to the base of the reactor.

(2) Availability of reactor protection system: following LOCA, the reactor protection system, both automatic and manual systems, should shut down the reactor. The success of this event results in scram and hence in interruption of the fission chain reaction.

(3) Pool isolation: following LOCA, the pool should be isolated from the cooling system. This occurs if the butterfly valves close, either manually or automatically, within 16 min following the accident. Successful isolation of the pool from the location of the break results in the core being immersed in the pool.

The probability of failure is generally less than 0.1 and therefore the probability of success is always close to 1. Thus, the probability associated with the upper (success) branches in the tree is assumed to be 1 [13].

The frequency of occurrence of a sequence of events is the product of the conditional probabilities of the individual events in that chain. In this study, if the successive events in a sequence are independent, the frequency of a sequence was the product of the unconditional probabilities of the individual events (so the failure probability of each front-line system is the same in every sequence) [14]. The results are expressed in terms of probabilities for all the sequences, no. 1–17, in the event tree, and are determined by multiplying the probabilities along each branch. All probabilities of failure of each system are calculated using the fault tree methodology, as shown in Figures 6–12. The final upper value of the fault tree (FT) is named the top event and is expressed by the probability calculated using the minimal cut sets (MCS). In analyzing the fault tree, the many events that interact to produce other events were related using simple logical relationships (AND, OR, etc.). These relationships allow a methodical building structure that represents the system. Symbols called GATES (AND, OR) are used to graphically arrange the events into a tree structure during the synthesis of the fault tree, as represented in Figures 6–12. Applying this concept in the expressions defined from the event tree (ET), the result of each sequence is obtained. Frequencies of the initiating events (IE) appearing in the event trees (ET) are estimated according to values from the International Atomic Energy Agency (IAEA) [15]. Event trees have been employed in studying the response of the installation to diverse initiating events, whereas fault trees have been employed in modeling safety system failures.
In this section, seven fault trees were developed to model the failure of safety systems, as shown in Figures 6–12 below, comprising system fault trees with the following top events: reactor protection system failure; no containment isolation; emergency core cooling system; no emergency ventilation system; natural circulation heat removal; and no reactor pool isolation. Component failures appearing in the fault trees are failures of front-line and support systems. The first category of failures comprises failures of components that are usually online and whose failure is therefore immediately detectable. The second category corresponds to systems that must operate on demand, for which the unavailability on demand is of interest.
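The following Python script is an added example (not the paper's Figure 4, its sequence numbering, or its SAPHIRE model) of quantifying a linked event tree as Sections 4.2 and 4.3 describe: a simplified reconstruction of the LOCA event tree, with no branch where a function is not applicable, is traversed left to right, and each sequence frequency is the IE frequency times the branch probabilities, computed both with exact success probabilities and with the success-branch-equals-1 simplification. The IE frequency and the function event failure probabilities are constructed placeholders standing in for fault tree top events.

```python
"""Event tree quantification for a linked fault tree / event tree model.

Added example (not the paper's Figure 4 or its SAPHIRE model): a simplified
reconstruction of the LOCA event tree described in the text, quantified by
multiplying the initiating event frequency by the branch probabilities along
each sequence.  The function event failure probabilities stand in for the
fault tree top event probabilities that the linked model would supply.
"""
from math import prod

# Event tree node: (function_event, success_branch, failure_branch); a leaf is an end state.
# A function event that is not applicable to a sequence simply has no node on that path.
# Shape follows the text: RPS, then pool isolation; if the pool is isolated the flapper
# valve (NCHR) decides, otherwise ECCS, and after ECCS failure containment isolation and
# emergency ventilation decide the release category.  With RPS failed, every branch ends
# in core damage, but CI and NEV still decide the release category.
def _containment_branch(prefix):
    return ("CI", ("NEV", prefix + "_FILTERED_RELEASE", prefix + "_UNFILTERED_RELEASE"),
            prefix + "_CONTAINMENT_BYPASS")

LOCA_TREE = (
    "RPS",
    ("RPI",
     ("NCHR", "SAFE", "CORE_DAMAGE"),
     ("ECCS", "SAFE", _containment_branch("CORE_DAMAGE"))),
    ("RPI",
     ("NCHR", "CORE_DAMAGE", "CORE_DAMAGE"),
     ("ECCS", "CORE_DAMAGE", _containment_branch("CORE_DAMAGE"))),
)

# Constructed, hypothetical data: IE frequency (per year) and function event failure
# probabilities (the top events that the system fault trees would provide).
LOCA_FREQUENCY = 1.0e-3
P_FAIL = {"RPS": 1e-4, "RPI": 1e-2, "NCHR": 1e-3, "ECCS": 5e-2, "CI": 1e-2, "NEV": 5e-2}


def sequences(node, path=()):
    """Yield (path, end_state) for every sequence; path = ((event, 'S'|'F'), ...), left to right."""
    if isinstance(node, str):
        yield path, node
        return
    event, success, failure = node
    yield from sequences(success, path + ((event, "S"),))
    yield from sequences(failure, path + ((event, "F"),))


def sequence_frequency(ie_frequency, path, p_fail, success_is_one=False):
    """IE frequency times the branch probabilities (independence makes them unconditional).

    success_is_one reproduces the simplification of taking every success branch as 1."""
    factors = [p_fail[e] if outcome == "F" else (1.0 if success_is_one else 1.0 - p_fail[e])
               for e, outcome in path]
    return ie_frequency * prod(factors)


def quantify_event_tree(tree, ie_frequency, p_fail, success_is_one=False):
    """Rows of (sequence number, path, end state, frequency per year)."""
    return [(n, path, end, sequence_frequency(ie_frequency, path, p_fail, success_is_one))
            for n, (path, end) in enumerate(sequences(tree), start=1)]


def core_damage_frequency(rows):
    """Sum of the frequencies of the sequences that do not end in the safe state."""
    return sum(f for _, _, end, f in rows if end != "SAFE")


def frequency_by_end_state(rows):
    """Aggregate sequence frequencies per end state (release category)."""
    totals = {}
    for _, _, end, f in rows:
        totals[end] = totals.get(end, 0.0) + f
    return totals


if __name__ == "__main__":
    rows = quantify_event_tree(LOCA_TREE, LOCA_FREQUENCY, P_FAIL)
    for n, path, end, f in rows:
        print(n, " ".join(f"{e}:{o}" for e, o in path), end, f"{f:.3e}/yr")
    print("CDF with exact complements:", f"{core_damage_frequency(rows):.4e}/yr")
    bound = quantify_event_tree(LOCA_TREE, LOCA_FREQUENCY, P_FAIL, success_is_one=True)
    print("CDF with success = 1:      ", f"{core_damage_frequency(bound):.4e}/yr")
```

With exact complements the sequence frequencies sum back to the IE frequency; with every success branch set to 1 the total is slightly conservative, which is the direction one wants when screening.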

4.4. Description of Flow Blockage

The blockage of the entrance of the primary coolant to a fuel element channel or channels can occur when objects unintentionally fall on the reactor core, which reduces the coolant flow. The coolant flow reduction can cause local overheating of the fuel element plate followed by failure of the cladding. The flow blockage (FB) can be detected by the operator through visual inspection during operation, by a significant increase in the pressure loss in the core measured by the pressure transducer located at the top of the pool (corresponding to a value above 10% of nominal flow), by a significant increase in coolant temperature at the outlet of the core, or, in the worst-case scenario, by the radiation detectors positioned below the movable platform supporting the core.

There are no resources available in the reactor for automatic detection of the flow blockage when only a few channels are blocked, because in this situation the differential pressure and temperature-rise detectors at the outlet of the coolant system cannot detect small variations. If there is no visual detection by the operators, the reactor will not be shut down, and local damage to the fuel element plates may result.

Where the cooling of the fuel element plates deteriorates because channels are blocked, the plates can melt. In this case, fission products will be released to the pool water and the containment atmosphere, where they are detected by radiation monitors, and the reactor is shut down automatically through the protection system. The regular ventilation system will be turned off and the emergency ventilation system activated, thereby isolating the containment area. The emergency ventilation system therefore pushes the air through the filters, decreasing the release of radioactive material to the environment. To mitigate a blocked channel so that the core is not destroyed and the release of radioactivity to the surroundings does not exceed the permissible limits, the necessary safety functions are shutdown of the reactor by the operator through the reactor protection system and maintenance of the containment by turning off the regular ventilation system and activating the emergency ventilation and isolation system.

The expected sequence of events in this case is: blockage of a few cooling channels of a fuel element by some object, without the possibility of automatic detection; visual detection of the event by the operators and manual shutdown of the reactor; turning off the regular exhaust and supply ventilation of the containment area and starting the emergency exhaust of this area; and isolation of the containment area.

Figure 5 is the ET that shows the accidental sequence processes. Only one sequence leads to a state without damage to the core (sequence number 1), where the reactor shutdown starts by the action of the operator if the blockage is detected by visual inspection. The other sequences (sequence numbers 2, 3, and 4) lead to a state with local damage to the core. In these sequences, the actions of the emergency exhaustion and isolation of containment area do not avoid core damage, but only act to minimize the consequences of the accident.

The frequency of occurrence of the channel blockage IE was obtained per year. The Greek reactor frequency is equal to 10⁻²/year [16] and the Australian reactor frequency was 1.3 × 10⁻⁵/year. In this study, the larger value was adopted. Both the VVR-10 and the Australian reactor are open-pool type research reactors and use plate-type fuel assemblies.

Using the SAPHIRE program [17] and failure data obtained from [13, 15, 18], the probability of failure to shut down the reactor in case of channel blockage was calculated, and a value of 1.45 × 10⁻⁴/year was obtained. This value is strongly influenced by the probability of operator error. The main human errors, which contribute more than 99% of the estimated value, are that the operator does not detect the channel blockage during visual inspection, that the operator does not carry out the visual inspection, and that the operator does not initiate the reactor shutdown process after detecting the channel blockage.

The estimated CDF value can be considered acceptable because this type of accident would cause only minor damage to the core, which would not cause large releases of radionuclides to the environment. It is only local damage to a few fuel plates, and the VVR-10 reactor has containment and systems that mitigate potential releases of radiation above the limits permissible for the population. Furthermore, when this result is compared with other research reactors, it is of the same order of magnitude as the Greek reactor [13].

Both the flow blockage and the large break LOCA could lead to damage to the core. This conclusion is based on the consideration that the establishment of natural circulation of coolant through the core would be enough to mitigate the other initiating events by removing the residual heat. However, this depends on the decoupling of the convection valve, which can fail. If natural circulation is not established, there might be damage to the reactor core for some of the initiating events described. Considering a failure to establish natural circulation, the most critical situation would be the initiating event of locking of the pump shaft, because the flywheel would not act, the forced circulation would be interrupted, and consequently there would be a greater amount of residual heat to be removed.

5. Results and Discussion

The studies presented in this paper considered a large break LOCA and channel flow blockage of the 10 MW VVR research reactor. We used the system fault tree approach to determine the top event probabilities of each system, i.e., reactor protection system (RPS), pool isolation (PI), natural circulation heat removal (NCHR), emergency core cooling system (ECCS), containment isolation (CI), and emergency ventilation (EV). Applying the values of the probabilities assigned to each basic event in each front-line system, as shown in Tables 1–6, the SAPHIRE 7.0 code suite was employed to compute the top event probability for each system considered in the fault trees presented in Figures 6–12. Table 7 shows the results obtained for the end state calculated for each sequence of the event tree, for both the large LOCA and the flow blockage initiating events. The top event probabilities obtained for each front-line system were used to calculate the end state frequencies using the expressions given previously for the ET calculation. The frequency obtained for large break LOCA was 2.51 × 10⁻⁴/year and 1.45 × 10⁻⁴/year for flow blockage, culminating in a total frequency of release of 3.96 × 10⁻⁴/year [13]. An attempt was made to analyze further the results obtained from the event trees ET1 and ET2 by associating the frequency of each sequence with the percentage of core damage (100%, 50%, 30%, 10%, and less than 5%), to ascertain whether any individual sequence frequency would go beyond acceptable limits, as shown in Tables 8–12. It was found that the core damage frequencies of the sequences presented in Tables 8–12 were also within the accepted limits of core damage frequency. The source of the failure rates is the IAEA database [15]. Concerning the overall probabilistic safety evaluation of the research reactor (VVR), it must be mentioned that no prescribed probabilistic safety criteria exist in Ghana.
A guiding principle was derived from existing international PSA guidance and from PSAs already performed [19]:
(i) Total frequencies of beyond design basis accident sequences (plant damage states) are typically in the range of 1.0 × 10−5 to 1.0 × 10−4 per plant and year. Evaluated frequencies above this range are seen as indicators for safety improvements.
(ii) Total frequencies of accident sequences with a potential for early and high activity releases caused by bypassing of the containment shall be one order of magnitude lower than the above frequency values.

Furthermore, Table 13 lists some well-known PSA results for large break LOCA. The results obtained in this work compare well with those PSAs.

5.1. Uncertainty Analysis

SAPHIRE computed the minimal cutset upper bound (top event probability) for each fault tree and drew a set of random samples from the uncertainty distributions of the basic events. From these samples it computed the first few moments of the resulting distribution, together with the mean and the 95th percentile among other statistics. The moments were calculated so that the computed distribution could be compared with other distributions on the basis of their first few moments, the sample mean and the sample variance. The set of all possible executions of the model over all basic events (BE) was regarded as the population, and any subset of those executions as a sample. A sample of values of a model response variable was obtained by executing the model and recording the values; the sample mean and standard deviation were then calculated from these values. From the sample statistics and an assumed distribution for the response variable in the population, a confidence interval for the population mean of the response variable, i.e., over all possible executions of the model, could be calculated. It is worth noting that such a confidence interval refers to the model (the population of all possible model executions), not to the research reactor. Nevertheless, the conventional validation interpretation of the confidence interval is that if the observed value of the response variable for the research reactor falls within the model confidence interval, then the model is considered valid (or, more precisely, not invalid) for that response variable. There is no statistical justification or refutation for this interpretation; statistically, the calculated confidence interval relates only to the population of possible model executions. Table 14 shows the results of the uncertainty analysis.
Uncertainty analysis quantifies the variability of the sequence frequency that results from uncertainties in the basic event probabilities and in the initiating event frequency. Such an analysis provides deeper insight into the results of the risk analysis and adds to their credibility.

For each column of Table 14, the table lists the sample mean and sample standard deviation of the model executions, and the lower and upper bounds of the calculated confidence interval. The upper 95% confidence limit was 1 × 10−2. This means that point estimates (means) greater than 1 × 10−2 would place the observed data in the extreme 5% of possible outcomes and are therefore not consistent with the data, whereas values below 1 × 10−2 are consistent with it. Upper and lower confidence limits were obtained at the specified confidence level; the interval between them, termed the statistical confidence interval, has the property that, in repeated sampling, the probability that it contains the parameter of interest is at least the specified confidence level. As indicated, approximate confidence limits on a parameter were obtained from its point estimate, for binomial distributions, using the SAPHIRE code suite.

The confidence intervals were calculated using the t distribution, with the sample standard deviation as the estimate of the population standard deviation. Inspection of Table 14 shows that the observed mean lies within the confidence interval for the model mean; the discrepancies were small and the model was therefore considered valid. The confidence limits indicate how precise the numerical values obtained from a sample are, and thus help in judging the importance of the result. Here the confidence limits were narrow, giving a high degree of assurance that the result is true, or nearly so. Had the confidence limits been wide, the usefulness of the results would have been more tentative; a wide confidence interval for an important variable could even warrant a replication of the study with a larger sample.

With the 5000 samples taken, the 95% confidence interval has the usual frequentist meaning: of the intervals computed over repeated sampling, 95% contain the population mean and 5% do not.

Consequently, a higher confidence level widens the interval and makes it more likely that the research reactor's value of the response variable falls inside the model confidence interval for that variable, which amounts to a less rigorous validation test [22].
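
As an added illustration of the calculation chain used above (fault tree top events by the minimal cutset upper bound, event tree sequence frequencies from the initiating event frequency and the branch probabilities) and of the Monte Carlo uncertainty propagation of Section 5.1, the following Python script is example code written for this discussion; it is not the authors' SAPHIRE model, and every basic event value, cut set, error factor and the initiating event frequency in it is constructed and hypothetical rather than taken from Tables 1–6. It samples the basic events from lognormal distributions parameterised by error factor, re-solves the fault trees and one event tree sequence 5000 times, and reports the sample mean, standard deviation, 5th/50th/95th percentiles and a 95% confidence interval for the mean:

```python
import math
import random
import statistics

# Constructed, hypothetical input data (not the values of the paper's Tables 1-6):
# basic event -> (median failure probability, lognormal error factor EF = p95 / p50).
BASIC_EVENTS = {
    "RPS_SENSOR_FAIL": (1.0e-3, 3.0),
    "RPS_LOGIC_FAIL": (1.0e-4, 10.0),
    "ROD_STUCK": (5.0e-4, 3.0),
    "PI_FLAPPER_STUCK": (2.0e-3, 3.0),
    "PI_SIGNAL_FAIL": (1.0e-3, 3.0),
    "ECCS_PUMP_FAIL": (3.0e-3, 3.0),
    "ECCS_VALVE_FAIL": (1.0e-3, 3.0),
    "CI_DOOR_OPEN": (5.0e-3, 3.0),
}

# Minimal cut sets of each front-line system fault tree (hypothetical structure).
FAULT_TREES = {
    "RPS": [["RPS_SENSOR_FAIL"], ["RPS_LOGIC_FAIL"], ["ROD_STUCK"]],
    "PI": [["PI_FLAPPER_STUCK"], ["PI_SIGNAL_FAIL"]],
    "ECCS": [["ECCS_PUMP_FAIL"], ["ECCS_VALVE_FAIL"]],
    "CI": [["CI_DOOR_OPEN"]],
}

# Hypothetical large break LOCA initiating event: median frequency per year and EF.
IE_MEDIAN, IE_EF = 2.0e-3, 10.0

# One event tree sequence: scram succeeds (S); pool isolation, ECCS and containment
# isolation fail (F), i.e. the largest-release path discussed in the conclusions.
SEQUENCE = [("RPS", "S"), ("PI", "F"), ("ECCS", "F"), ("CI", "F")]


def mcub(cutsets, probs):
    """Minimal cutset upper bound: P(top) ~ 1 - prod_i (1 - P(MCS_i)),
    where P(MCS_i) is the product of the basic event probabilities in cut set i."""
    complement = 1.0
    for cut_set in cutsets:
        p_cs = 1.0
        for basic_event in cut_set:
            p_cs *= probs[basic_event]
        complement *= 1.0 - p_cs
    return 1.0 - complement


def sequence_frequency(ie_freq, branches, top_probs):
    """Event tree arithmetic: f_seq = f_IE * prod(q, failed systems) * prod(1 - q, successes)."""
    freq = ie_freq
    for system, outcome in branches:
        q = top_probs[system]
        freq *= q if outcome == "F" else 1.0 - q
    return freq


def evaluate_sequence(ie_freq, probs):
    """Solve every fault tree with MCUB, then walk the sequence."""
    tops = {system: mcub(cut_sets, probs) for system, cut_sets in FAULT_TREES.items()}
    return sequence_frequency(ie_freq, SEQUENCE, tops)


def point_estimate():
    """Sequence frequency with every input at its median (no uncertainty)."""
    return evaluate_sequence(IE_MEDIAN, {be: med for be, (med, _) in BASIC_EVENTS.items()})


def sample_lognormal(rng, median, error_factor, is_probability=True):
    """Lognormal draw with sigma = ln(EF) / z_0.95; probabilities are clamped to 1.0."""
    sigma = math.log(error_factor) / 1.6449
    value = median * math.exp(rng.gauss(0.0, sigma))
    return min(1.0, value) if is_probability else value


def propagate(n_samples=5000, seed=1):
    """Monte Carlo propagation: resample all basic events and the IE frequency, re-solve."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_samples):
        probs = {be: sample_lognormal(rng, med, ef) for be, (med, ef) in BASIC_EVENTS.items()}
        ie_freq = sample_lognormal(rng, IE_MEDIAN, IE_EF, is_probability=False)
        samples.append(evaluate_sequence(ie_freq, probs))
    return samples


def summarize(samples, confidence=0.95):
    """Sample mean, standard deviation, percentiles and a confidence interval for the mean.
    The interval describes the mean of the model's output population, not the reactor."""
    n = len(samples)
    ordered = sorted(samples)

    def percentile(q):
        return ordered[min(n - 1, int(q * n))]

    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples)
    # For n = 5000 the Student t quantile t(0.975, 4999) = 1.9604 equals the normal
    # quantile 1.9600 to three decimals, so the normal quantile is used here.
    z = statistics.NormalDist().inv_cdf(0.5 + confidence / 2.0)
    half_width = z * sd / math.sqrt(n)
    return {"n": n, "mean": mean, "sd": sd,
            "p5": percentile(0.05), "p50": percentile(0.50), "p95": percentile(0.95),
            "ci_low": mean - half_width, "ci_high": mean + half_width}


if __name__ == "__main__":
    stats = summarize(propagate())
    print(f"point estimate (all medians): {point_estimate():.3e} /yr")
    for key in ("mean", "sd", "p5", "p50", "p95", "ci_low", "ci_high"):
        print(f"{key:>7}: {stats[key]:.3e}")
```

Two points the output makes concrete. First, the 5th and 95th percentiles describe the spread of the sequence frequency itself, whereas the confidence interval around the mean only describes how well 5000 model executions pin down the model's own mean; it narrows with more samples and says nothing about the reactor, which is the distinction drawn in the discussion above. Second, with lognormal inputs the sample mean sits well above the median, and both sit above the all-medians point estimate, so a point estimate built from median data should not be compared directly with a mean reported by a Monte Carlo run.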

6. Conclusions

The core damage frequency (CDF) obtained for channel blockage was 1.45 × 10−4/year. Channel blockage is expected to cause only minor, local damage to the core and consequently no large release of radionuclides to the environment. Compared with other research reactors the result can be considered satisfactory, as it is of the same order of magnitude as that of the Greek research reactor [13]. Some of the LOCA sequences were successful, as shown in Figure 4. Sequences 1 and 5 were successful: with pool water available, the flapper opened and enabled natural circulation cooling of the core, which, given a successful scram, was sufficient to prevent core damage. If the pool could not be isolated, however, the availability of natural pool water circulation was irrelevant and the emergency core cooling system (ECCS) would start spraying the core. At shutdown, spraying of the core is sufficient to remove the decay heat and avoid core damage. If the ECCS is not operational, the reactor building must be isolated, with all gates and doors closed, to prevent a radioactive release to the environment. Successful containment isolation (CI) requires the emergency ventilation (EV) to operate in order to relieve the pressure and retain most of the released radioactivity in the filters. Failure of the containment to isolate results in the most severe accident sequences from the release point of view, since it implies the release of the largest quantities of radioactivity of all accident sequences (sequences 8 and 17, 100% release). With emergency ventilation available most of the released radioactivity is retained; failure of the EV leads to sequences 7 and 16, whose release is nevertheless smaller than when the containment fails to isolate.
The data in Table 7 support the conclusion that the front-line systems represented in the event trees (ET) significantly raise the safety level of the research reactor. The case study presented here confirms the advantage of applying this methodology to the large break LOCA and channel flow blockage initiating events, both in current research reactors and in future reactor projects for electricity generation and radioisotope production. The experience and expertise gained have potential for further use in Ghana, in industrial facilities and in future power reactor safety assessments. Concerning the guiding principle for the evaluation of the results, the approach was to assess the frequencies of the plant damage states first and to check whether the range 1.0 × 10−5/year to 1.0 × 10−4/year is met. The CDFs estimated here, 1.45 × 10−4/year for flow blockage, 2.51 × 10−4/year for the large break LOCA and 3.96 × 10−4/year in total, are of the same order of magnitude as the upper bound of that range but lie somewhat above it; under the guiding principle stated in Section 5, frequencies above the range are read as indicators for safety improvements, so the sequences contributing most to the total in Tables 8–12 are the natural candidates for such improvements.

This paper considered only Level 1 PSA. A Level 2 PSA should be applied to the reference reactor studied here to model the accident progression phenomena and to estimate the frequencies of the different release categories (including large early radioactive releases to the environment). Furthermore, a Level 3 PSA for the reference 10 MW Russian research reactor, modelling the potential off-site impact on the basis of off-site accident management measures, population distribution and prevailing meteorological conditions, would further support the safety assessment of the reactor. Another issue worth analysing is whether binary decision diagrams (BDDs) can be used to evaluate the fault trees and event trees of the PSA without the minimal cutset approximation, giving better estimates of the component contributions at comparable computational cost.

Abbreviations

AC: Alternating current
BDD: Binary decision diagram
CDF: Core damage frequency
ET: Event tree
FA: Fuel assembly
FB: Flow blockage
FT: Fault tree
GRR: Greek research reactor
IE: Initiating event
IAEA: International Atomic Energy Agency
LOCA: Loss of coolant accident
MCS: Minimal cut set
NPP: Nuclear power plant
NUREG 4550: US Nuclear Regulatory Commission report NUREG/CR-4550 (analysis of core damage frequency from internal events)
PSA: Probabilistic safety analysis
PWR: Pressurized water reactor
RPS: Reactor protection system
RSS: Reactor Safety Study (reported in WASH-1400)
SAPHIRE: Systems Analysis Programs for Hands-on Integrated Reliability Evaluations
VVR: Water-water reactor
WASH-1400: Report of the Rasmussen study that effectively started the use of probabilistic safety assessment

Data Availability

The raw data supporting the conclusions of this research will be made available by the authors without undue reservation.

Conflicts of Interest

The authors declare that they have no conflicts of interest.