Version 1.0, July 2015 BASIC PROFESSIONAL TRAINING COURSE Module VII Probabilistic Safety Assessment Case Studies This material was prepared by the IAEA and co-funded by the European Union.

Basic Professional Training Course; Module VII Probabilistic safety assessment Available elements for the case study Seven independent exercises are available for use depending on the time available. The lecturer should select which ones to use. At least issues a to c should be addressed. a. Benefits of PSA b. Initiating events and hazards c. Steps in Level 1 PSA and event trees d. Construction of a Fault tree e. Data for PSA f. Level 2 PSA – plant damage states g. Level 2 PSA – source term

Basic Professional Training Course; Module VII Probabilistic safety assessment INTRODUCTION Students should be divided into groups by countries which they represent – presuming it is an international course. If it is a national course, students should be divided into groups. If possible, regulators, operators and representatives from the industry should be in their own groups. All the groups will participate in addressing all the topics. 3

Basic Professional Training Course; Module VII Probabilistic safety assessment Benefits of PSA Each group compiles a list of benefits that can be derived form performing: − Level 1 PSA − Level 2 PSA and − Level 3 PSA. For each benefit examples are identified After half an hour, the groups present the benefits and examples that they have developed to all the groups. Differences are then discussed. 4

Basic Professional Training Course; Module VII Probabilistic safety assessment Initiating events and hazards Each group then identifies some of the initiating events and hazards should be considered in a PSA for a type of a reactor that participants are familiar with (for example PWR). This work should include a list of the methods that are used to identify initiating events and hazards, After giving participants sufficient time, each group presents their list of initiating events and hazards The differences are discussed. 5

Basic Professional Training Course; Module VII Probabilistic safety assessment Steps in Level 1 PSA and event trees Each group then identifies the steps that are performed in a PSA Each group then considers a notional PWR design in which there are two main feedwater pumps, two start up pumps, two emergency core cooling systems and an automatic shutdown system as shown in the next slide. An initiating event is considered in which both feedwater pumps fail as shown in the subsequent slide. Following a reactor scram, core damage can be prevented if one start up feed pump or one emergency feedwater pump are available. 6

Basic Professional Training Course; Module VII Probabilistic safety assessment Fictional Plant Design RPV SG 1SG 2 PRZ MS FW EFW RPV: Reactor Pressure Vessel PRZ: Pressurizer SG: Steam Generator MS: Main Steam FW: Feed Water EFW: Emergency Feed Water MFP: Main Feed Pump SFP: Startup Feed Pump MSSV: Main Steam Safety Valve ADV: Atmospheric Dump Valve TB: Turbine TBCV: Turbine Bypass Control Valve CD: Condenser TBCV SG 1 SG 2 MFP 1 MFP 2 SFP 1 SFP 2 FW Header MS Header TB CD MSSVADV 7

Basic Professional Training Course; Module VII Probabilistic safety assessment MFP 1 MFP 2 SFP 1 SFP 2 FW Header MS Header TB CD MSSVADV SG 1 SG 2 PIE: Loss of Feed Water RPV SG 1SG 2 PRZ MS FW EFW RPV: Reactor Pressure Vessel PRZ: Pressurizer SG: Steam Generator MS: Main Steam FW: Feed Water EFW: Emergency Feed Water MFP: Main Feed Pump SFP: Startup Feed Pump MSSV: Main Steam Safety Valve ADV: Atmospheric Dump Valve TB: Turbine TBCV: Turbine Bypass Control Valve CD: Condenser TBCV X 8

Basic Professional Training Course; Module VII Probabilistic safety assessment Event tree for loss of feedwater Each group constructs an event tree for this fault One safety variable is assumed for the acceptance criterion, which is no fuel rods are in a critical heat flux condition (DNB) When the tree is finished, each group estimates based on their experience (or makes a simple guess, if newcomers) the conditional probabilities associated with each branch. From these a core damage frequency is estimated using simple multiplication (as approximation) Each group decides if its core damage frequency is acceptable and why based on their understanding of current criteria. If not, what mitigating measures can be added to reduce its frequency? Again the results are shared and the differences are discussed. An event tree for this sequence is shown in the next slide 9

Basic Professional Training Course; Module VII Probabilistic safety assessment The event tree Consider the following system functions in analysis: − Scram system − Startup pumps (one or both pumps available) − Emergency feed water system (one of two systems available) Heat is released either by the condenser or by atmospheric dump valves or main steam safety valves, but for simplicity of example, the corresponding system functions are ignored in the following discussion. 10 End state OK CD ATWS One startup feed water pump (out of two) is available A Scram S Loss of feed water LOFW One emergency feed water pump (out of two) is available No. B

Basic Professional Training Course; Module VII Probabilistic safety assessment Fault trees Each group now constructs a fault tree (FT) for a start up feed water pump Consider that the electrical supply is from a bus bar that obtains its electricity from the grid There are two emergency diesels Actuation is when there is a low water level in the steam generator. Again the results are shared and the differences are discussed At the end, lecturer: − Shows how to perform FT logic solution/Boolean reduction/quantification − Shows minimal cutsets − Discusses the obtained/calculated unavailability 11

Basic Professional Training Course; Module VII Probabilistic safety assessment Data for PSA Each group identifies where data can be obtained for: − The frequency of initiating events (a) − The reliability of components (b) − Common cause failures (c) − Pre-accident human errors (d) − Human errors that could lead to an initiating event and post-accident human errors (e) It then lists the six quantified outputs that a Level 1 PSA should provide from Section 3.9 of the Module. (f) And the three major categories of sources of uncertainty (g) Group 1 presents its results for (a); Group 2 for (b) and so on.

Basic Professional Training Course; Module VII Probabilistic safety assessment Plant damage states Each group then makes a list of what it sees as the important outputs from a Level 2 PSA. It then produces a list of Level 2 plant damage states and says what distinguishes each plant damage state from the others, including the status of the containment safeguard systems, and why that difference is important. The plant damage states are identified from the information given in the module Again the results are shared and the differences are discussed

Basic Professional Training Course; Module VII Probabilistic safety assessment Source terms to the environment Similarly, each group considers what categories of source terms would be useful outputs from a Level 2 PSA and why. What in-containment phenomena are likely to determine which of these source terms will occur. Again the results are shared and the differences are discussed The views expressed in this document do not necessarily reflect the views of the European Commission.