Presentation Transcript

    1. Reliability of Passive Systems that utilize Natural Circulation. M. Marquès, CEA/Cadarache, DER/SESI, Building 212, 13108 Saint-Paul-lez-Durance Cedex, France. michel.marques@cea.fr

    2. Framework: Reliability Methods for Passive Safety Function (RMPS Project)

    3. Objectives of the course: To tackle the problem of the failure risk of NC systems. To propose a methodology to evaluate the reliability of these systems and to carry out sensitivity analyses. To present an overview of the methodology which has been developed, with emphasis on specific points. To illustrate it by an application to an example of a passive system.

    4. Content: Introduction, definitions. Example of a NC system. Part 1: Identification and quantification of the sources of uncertainties in NC systems. Part 2: NC systems reliability evaluations. Part 3: Integration of NC system reliability in Probabilistic Safety Analysis. Conclusion.

    5. Passive System definition. Following the IAEA definition: a passive system is either a system which is composed of passive components* and structures or a system which uses active components in a very limited way to initiate subsequent passive operation. * Passive component: a component which does not need any external input to operate. Ref. [IAEATECDOC626.1991]

    6. Advantages of Passive Systems: simplicity; reduction of human intervention; reduction or avoidance of external electrical power or signal.

    7. Classification of Passive Systems (1/4). Category A: no signal inputs of intelligence, no external power sources or forces; no moving mechanical parts; no moving working fluid. Examples: physical barriers against the release of fission products (nuclear fuel cladding and pressure boundary systems), core cooling systems relying only on heat radiation and/or conduction.

    8. Classification of Passive Systems (2/4). Category B: no signal inputs of intelligence, no external power sources or forces; no moving mechanical parts; but moving working fluids. The fluid movement is only due to thermal-hydraulic conditions occurring when the safety function is activated. Examples: reactor shutdown/emergency cooling systems based on injection of borated water from an external water pool, reactor emergency cooling systems based on air or water natural circulation in heat exchangers immersed in water pools (inside the containment).

    9. Classification of Passive Systems (3/4). Category C: no signal inputs of intelligence, no external power sources or forces; moving mechanical parts, whether or not moving working fluids are also present. The fluid motion is characterized as in category B; mechanical movements are due to imbalances within the system (e.g., static pressure in check and relief valves, hydrostatic pressure in accumulators) and forces directly exerted by the process. Examples: emergency injection systems consisting of accumulators or storage tanks and discharge lines equipped with check valves; mechanical actuators, such as check valves and spring-loaded relief valves.

    10. Classification of Passive Systems (4/4). Category D: intermediary zone between active and passive where the execution of the safety function is made through passive methods except that internal intelligence is not available to initiate the process. In these cases an external signal is permitted to trigger the passive process. Example: emergency core cooling systems, based on gravity-driven flow of water, activated by valves which break open on demand.

    11. Passive Systems with a working moving fluid. Passive systems with a working moving fluid (categories B, C or D) rely on natural forces, such as natural circulation, to perform their accident prevention and mitigation functions once actuated and started. Because the magnitude of the natural forces which drive the operation of passive systems is relatively small, counter-forces (e.g., friction) can be of comparable magnitude and cannot be ignored as is usually done with pumped systems. Due to the environment and to the physical phenomena that may deviate from expectation, the passive system may fail to meet its required passive function. The quantification of the T-H unreliability is often still a difficult process due to the numerous uncertainties.

    12. RMPS objectives. Necessity to evaluate the reliability of these passive systems: to propose a specific methodology to assess the reliability of thermal-hydraulic (T-H) passive systems; to test the methodology on several examples of T-H passive systems.

    13. Identification and quantification of the sources of uncertainties and determination of the important variables. Propagation of the uncertainties through a T-H model and reliability evaluation of the T-H passive system. Integration of the T-H passive system in an accident sequence.

    14. Example of Passive System that utilizes NC. Residual Passive heat Removal system on the Primary circuit (or RP2), an innovative system supposed to be implemented on a 900 MWe Pressurized Water Reactor. This system is composed of three circuits dedicated to heat removal, each one being connected to a loop of the primary circuit. Each circuit includes an exchanger immersed in a cooling pool located inside the containment, and a valve to allow its starting. The exchanger is located at a higher elevation than the main piping of the primary circuit to allow natural convection between the core and the exchanger. On an emergency shutdown criterion, the valve opens and the natural convection starts. The residual power produced by the fuel is transferred to the cooling pool via the RP2 exchanger.

    15. PART 1: Identification and Quantification of the sources of uncertainties in NC systems. Characterisation of the system: mission of the system; failure mode; success/failure criteria; modelling of the system. Identification of the sources of uncertainties: overview of uncertainties related to passive systems that utilize NC; identification of the relevant parameters; AHP. Quantification of the uncertainties. Sensitivity analysis: objectives; qualitative methods for sensitivity analysis; quantitative methods for sensitivity analysis. Application to the RP2 system: characterisation of the RP2 system; modelling of the RP2 system; identification of the sources of uncertainties of the RP2 system; quantification of the uncertainties of the RP2 system; sensitivity analysis of the RP2 system.

    16. Characterisation of the system. Mission of the system: the mission(s) of the system are the goal(s) for which the Passive System has been designed and located within the complete system (decay heat removal, cooling of the vessel, pressure decrease of the primary circuit). Failure mode: the effect by which a failure is observed (qualitative analysis, Failure Mode and Effect Analysis). Success/failure criteria: logical and/or numerical relationships which define the failure condition for the Passive System. Modelling of the system: due to the lack of available experimental databases for passive systems in operation, the evaluation should rely on numerical modelling, e.g. by means of simulation via best-estimate codes.

    17. Identification of the sources of uncertainties. Identification of the potentially important contributors to uncertainty of the code results: approximations in modelling the physical process; approximations in modelling the system geometry; input variables (initial and boundary conditions, dimensions, physical properties and thermal-hydraulic parameters). Identification of the relevant parameters, based on: the expert opinion of the physical process and of the thermal-hydraulic codes; the Analytical Hierarchy Process (AHP).

    18. Analytical Hierarchy Process. Define the top goal. Build the hierarchy in different levels. Place the basic parameters at the bottom. Pair-wise comparison by expert judgment. Priority vectors. Ranking of the parameters.
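The last three AHP steps (pair-wise comparison, priority vector, ranking) worked through in code. This is an added example, not part of the original presentation: the parameter names are taken from the RP2 list on this page, but the judgment values are constructed, and the consistency ratio with Saaty's random index is the standard AHP check rather than something the slides state.

```python
# Saaty's random consistency index by matrix order (standard published values).
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32}


def reciprocal_matrix(upper):
    """Full comparison matrix from upper-triangle judgments {(i, j): a_ij}, with a_ji = 1/a_ij."""
    n = 1 + max(j for _, j in upper)
    m = [[1.0] * n for _ in range(n)]
    for (i, j), value in upper.items():
        m[i][j] = float(value)
        m[j][i] = 1.0 / value
    return m


def priority_vector(matrix, iterations=500, tol=1e-13):
    """Principal eigenvector of a positive matrix by power iteration, normalised to sum to 1."""
    n = len(matrix)
    w = [1.0 / n] * n
    for _ in range(iterations):
        nxt = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
        total = sum(nxt)
        nxt = [v / total for v in nxt]
        converged = max(abs(a - b) for a, b in zip(nxt, w)) < tol
        w = nxt
        if converged:
            break
    return w


def consistency_ratio(matrix, w):
    """CR = CI / RI with CI = (lambda_max - n) / (n - 1); CR below 0.1 is usually accepted."""
    n = len(matrix)
    if n < 3:
        return 0.0  # a 1x1 or 2x2 reciprocal matrix is always consistent
    aw = [sum(matrix[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    return ((lambda_max - n) / (n - 1)) / RANDOM_INDEX[n]


# Parameter names from the page's RP2 list; judgments are constructed for illustration:
# (0, 1): 2 means "ANS is judged twice as important as L1 for the top goal".
PARAMETERS = ["ANS", "L1", "C1", "X1"]
JUDGMENTS = {(0, 1): 2, (0, 2): 5, (0, 3): 7, (1, 2): 3, (1, 3): 5, (2, 3): 2}


def rank_parameters(names, upper):
    """Return ([(name, weight), ...] sorted by decreasing weight, consistency ratio)."""
    m = reciprocal_matrix(upper)
    w = priority_vector(m)
    ranking = sorted(zip(names, w), key=lambda item: item[1], reverse=True)
    return ranking, consistency_ratio(m, w)


if __name__ == "__main__":
    ranking, cr = rank_parameters(PARAMETERS, JUDGMENTS)
    for name, weight in ranking:
        print(f"{name:4s} {weight:.3f}")
    print(f"consistency ratio = {cr:.4f}")
```

A consistency ratio above 0.1 means the expert's pair-wise judgments contradict each other enough that they should be revisited before the ranking is used.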

    19. Quantification of the uncertainties. Selection of: range of uncertainty; probability density function. Based on: particularity of the data base (amount of data); physical considerations, correlation between parameters; end use of the uncertainty analysis.

    20. Choice of the distributions. Expert judgment: minimal and maximal value; mean value; percentiles of the distribution; choice of the distribution. It is necessary to test the influence of the choice of the distribution on the model response. It is possible to measure the influence of input distribution changes without running the T-H code again: weighting method, extended rejection method.

    21. Sensitivity analysis Goal: identify the main contributors to passive system performance: Guide further code development. Prioritize experimental investigation. Screening of the parameters.

    22. Sensitivity analysis: Qualitative method

    23. Sensitivity analysis: Quantitative methods (1/4). Indices adapted: for linear models: Pearson coefficient, Standardized Regression Coefficients (SRC), Partial Correlation Coefficients (PCC); for non-linear but monotonic models: rank transformation (Spearman coefficient, SRRC, PRCC); for models that are neither linear nor monotonic: Sobol indices. Coefficient of determination: the closer R² is to unity, the better the model performance.

    24. Sensitivity analysis: quantitative methods (2/4). Indices adapted for linear models: Standardized Regression Coefficients (SRC); Partial correlation coefficients (PCC): correlation coefficient between: where

    25. Sensitivity analysis: Quantitative methods (3/4). Indices adapted for non-linear but monotonic models. Rank transformation: the rank transform is a simple procedure, which involves replacing the data with their corresponding ranks. Standardized rank regression coefficients (SRRCs) and partial rank correlation coefficients (PRCCs). Coefficient of determination based on the ranks: R²*. The R²* will be higher than the R² in the case of non-linear models.
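The difference between SRC on raw data and SRRC on ranks, and between R² and R²*, shown on a non-linear but monotonic response. This is an added example, not part of the original presentation: the two-input response in `toy_sample`, its coefficients and the seed are constructed and stand in for a set of T-H code runs.

```python
import math
import random


def ranks(values):
    """Rank transform: replace each value by its rank (1 = smallest)."""
    order = sorted(range(len(values)), key=values.__getitem__)
    out = [0.0] * len(values)
    for rank, index in enumerate(order, start=1):
        out[index] = float(rank)
    return out


def standardize(values):
    """Centre on the mean and scale by the sample standard deviation."""
    n = len(values)
    mean = sum(values) / n
    sd = math.sqrt(sum((v - mean) ** 2 for v in values) / (n - 1))
    return [(v - mean) / sd for v in values]


def solve(a, b):
    """Gaussian elimination with partial pivoting for a small dense system a x = b."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][c] * x[c] for c in range(r + 1, n))) / m[r][r]
    return x


def src(inputs, response):
    """Standardized regression coefficients and R2 of the linear fit.

    inputs is a list of columns (one list per input variable). Because every
    column is standardized, the regression needs no intercept.
    """
    zs = [standardize(col) for col in inputs]
    zy = standardize(response)
    k = len(zs)
    gram = [[sum(a * b for a, b in zip(zs[i], zs[j])) for j in range(k)] for i in range(k)]
    rhs = [sum(a * b for a, b in zip(zs[i], zy)) for i in range(k)]
    coef = solve(gram, rhs)
    fitted = [sum(coef[j] * zs[j][i] for j in range(k)) for i in range(len(zy))]
    ss_res = sum((y - f) ** 2 for y, f in zip(zy, fitted))
    ss_tot = sum(y * y for y in zy)
    return coef, 1.0 - ss_res / ss_tot


def srrc(inputs, response):
    """Standardized rank regression coefficients and R2*: the same fit on the ranks."""
    return src([ranks(col) for col in inputs], ranks(response))


def toy_sample(n=300, seed=1):
    """Constructed monotonic, strongly non-linear response of two uniform inputs."""
    rng = random.Random(seed)
    x1 = [rng.random() for _ in range(n)]
    x2 = [rng.random() for _ in range(n)]
    y = [math.exp(5.0 * a) * (1.0 + 0.2 * b) for a, b in zip(x1, x2)]
    return [x1, x2], y


if __name__ == "__main__":
    inputs, y = toy_sample()
    coef_raw, r2_raw = src(inputs, y)
    coef_rank, r2_rank = srrc(inputs, y)
    print("SRC ", [round(c, 3) for c in coef_raw], "R2  =", round(r2_raw, 3))
    print("SRRC", [round(c, 3) for c in coef_rank], "R2* =", round(r2_rank, 3))
```

When R² is low the SRCs explain only part of the output variance and should not be used for ranking; a high R²* on the same sample indicates that the rank-based indices are the ones to read.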

    26. Sensitivity analysis: Quantitative methods (4/4). Non-linear, but monotonic models. The Sobol indices: decomposition of the total variance of the response D into 2^p - 1 terms (p random variables). For instance, with 3 random variables: Generalization to a model with p inputs: Dividing the equation by D, we obtain: where the terms S are called the sensitivity indices.

    27. Example of RP2 system: Characterization. Accidental scenario: transient of Total Loss of the Power Supplies (or Blackout). Mission of the RP2 system: to depressurise the primary circuit and to avoid core melt. Failure criterion: if the maximum clad temperature ≥ 500 °C or fluid temperature at the core output ≥ 450 °C, in less than 12 hours.

    28. Modelling of the RP2 system A modelling with CATHARE of a complete pressurized water reactor PWR 900 MWe with the 3 simulated primary/secondary loops was thus carried out. Each loop is equipped with the RP2 system with its exchanger immersed in a pool. The 3 cooling pools are modelled independently. The CATHARE version used is the version 1.5a MOD 3.1.

    29. Example of RP2 system: uncertain parameters. For each of the three BOPHR/RP2 systems (i = 1,3): Ii: instant of opening of the isolation valve of the RP2; Xi: rate of non-condensables at the inlet of the RP2 exchanger; Li: initial pool level; Ti: initial temperature of the water of the pool; Ci: fouling of the tubes of the RP2 exchanger; Ri: number of broken tubes of the RP2 exchanger. For the primary circuit: PUI: percentage of the nominal power of the core; PP: pressure in the pressurizer; ANS: decay of residual power according to the ANS law. For the secondary circuit (i = 1,3): NGVi: real secondary level in the three steam generators.

    30. Example of RP2 system: Quantification of uncertainties

    31. Instant of opening of the RP2 Valve. The valve is supposed to be a pneumatic valve that opens on loss of power supply: a loss of power supply implies the closure of the compressed air supply valve, which causes the pneumatic valve to open. We suppose that the failure of the pneumatic valve to open is due to the failure of the compressed air supply valve to close. After half an hour, we suppose that the action of an operator is possible in case of non-opening of the valve. We have considered only two states for the valve, completely open or completely closed. The state of the valve (open/closed) is then modeled by: a discrete variable with two values, giving the state of the valve at the initial time just after the black-out: Ot=0: P(Ot=0) = 0.95; Ft=0: P(Ft=0) = 0.05; a continuous variable giving the instant of opening of the valve after the time t = 30 min, in the case the valve fails to open at the initial time: P(Ot>30/F0) = Log(1.0607t + 0.809) (--> P = 1 for t = 5 hours).

    32. Example of RP2 system: sensitivity analysis

    33. Summary of the part 1 Definition of the accidental scenario. Characterization: missions of the system, its failure modes and the failure criteria are defined. Evaluation by qualified thermal-hydraulic system code performing best estimate calculations. Identification of the potentially important contributors to uncertainty of the code results. Identification of the relevant parameters. Sensitivity analysis: guidance as to where to improve the state of knowledge in order to reduce the output uncertainties most effectively.

    34. PART 2: Reliability evaluations of passive systems that utilize NC. Propagating the uncertainties: uncertainty range; density of probability; conclusion on the methods for propagating uncertainties. Evaluating the reliability: reliability evaluations using Monte-Carlo simulation; approximated methods (FORM/SORM); conclusion on the methods for evaluating the reliability. Application to the RP2 system.

    35. Propagating the uncertainties (1/3). Y = g(X1, ..., Xn)

    36. Propagating the uncertainties (2/3) Uncertainty range of the response A two-sided tolerance interval [m,M] of a response Y, for a fractile ? and a confidence level ? is given by: Number of calculation given by Wilks formula:

    37. Propagating the uncertainties (3/3). Empirical distributions are fitted by theoretical pdf. Choice of the pdf based on goodness-of-fit tests: Kolmogorov-Smirnov, χ², Cramér-von Mises. Monte-Carlo simulation. Response surface method. Method of moments.

    38. Reliability evaluations (1/6). Performance function of a passive system for a specified mission: M = performance criterion limit = g(X1, X2, ..., Xn). M = 0: limit state, or failure surface; M < 0: failure state; M > 0: safe state. Failure Probability:

    39. Reliability evaluations (2/6) Direct Monte-Carlo simulation techniques
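Two of the quantities discussed above side by side: the number of code runs Wilks' formula requires for a two-sided tolerance interval, and the direct Monte-Carlo estimate of the failure probability P(M < 0). This is an added example, not part of the original presentation. It assumes the standard first-order Wilks criterion (smallest N with 1 - a^N - N(1 - a)a^(N-1) ≥ b for fractile a and confidence b); the two-input response standing in for the T-H code, its coefficients and the seed are constructed, and only the 450 °C limit is taken from the page.

```python
import math
import random

LIMIT_C = 450.0  # core outlet temperature limit from the page's failure criterion


def wilks_runs(fractile, confidence, two_sided=True):
    """Smallest number of runs whose extreme values bound the given fractile
    of the response with the given confidence (first-order Wilks criterion)."""
    n = 1
    while True:
        if two_sided:
            coverage = 1.0 - fractile ** n - n * (1.0 - fractile) * fractile ** (n - 1)
        else:
            coverage = 1.0 - fractile ** n
        if coverage >= confidence:
            return n
        n += 1


def toy_outlet_temperature(power_factor, pool_deficit):
    """Constructed stand-in for one T-H code run; both inputs lie in [0, 1]."""
    return 380.0 + 50.0 * power_factor + 40.0 * pool_deficit


def sample_margin(rng):
    """One draw of the performance function M = limit - response.

    The sign is chosen so that M < 0 is the failure state, as on the slide.
    Both inputs are sampled uniformly on [0, 1] (constructed distributions).
    """
    return LIMIT_C - toy_outlet_temperature(rng.random(), rng.random())


def tolerance_interval(fractile=0.95, confidence=0.95, seed=7):
    """Run exactly the Wilks number of samples and return (N, min, max) of the response."""
    rng = random.Random(seed)
    n = wilks_runs(fractile, confidence)
    temperatures = [LIMIT_C - sample_margin(rng) for _ in range(n)]
    return n, min(temperatures), max(temperatures)


def failure_probability(runs, seed=7):
    """Direct Monte-Carlo estimate of P(M < 0) with a 95 % normal-approximation half-width."""
    rng = random.Random(seed)
    failures = sum(1 for _ in range(runs) if sample_margin(rng) < 0.0)
    p = failures / runs
    half_width = 1.96 * math.sqrt(p * (1.0 - p) / runs)
    return p, half_width


if __name__ == "__main__":
    print("one-sided 95/95 runs:", wilks_runs(0.95, 0.95, two_sided=False))
    print("two-sided 95/95 runs:", wilks_runs(0.95, 0.95))
    n, low, high = tolerance_interval()
    print(f"tolerance interval from {n} runs: [{low:.1f}, {high:.1f}] degC")
    for runs in (n, 20000):
        p, hw = failure_probability(runs)
        print(f"P(M < 0) from {runs} runs: {p:.3f} +/- {hw:.3f}")
```

For this constructed response the exact failure probability is 0.1, so the output shows how loosely the 93 Wilks runs pin it down compared with a large Monte-Carlo sample.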

    40. Reliability evaluations (3/6). Variance reduction techniques: importance sampling; stratified sampling, Latin Hypercube sampling; other: directional simulation.

    41. Reliability evaluations (4/6). Response surface. Types: polynomial, thin plate splines, neural network. Quality of approximation and prediction.

    42. Reliability evaluations (5/6). Approximated methods (FORM/SORM): the transformation of the space of the basic random variables X1, X2, ..., Xn into a space of standard normal variables; the search, in this transformed space, for the point of minimum distance from the origin on the limit state surface (design point); an approximation of the failure surface near the design point; a computation of the failure probability corresponding to the approximating failure surface. FORM method. SORM method.

    43. Reliability evaluations (6/6) Conclusion on the methods for evaluating the reliability

    44. Global reliability analysis of the RP2 system (1/3). Broad ranges of variation for the characteristic parameters, supposed to represent the whole set of initial configurations. Advantage: single reliability analysis of the system, limited number of uncertainty calculations. Drawbacks: conservative; does not give the influence of the passive system on different accidental situations.

    45. Global reliability analysis of the RP2 system (2/3). M = Core outlet temperature (12 hours) 450 °C = g(X1, X2, ..., X24). Monte-Carlo simulation. Evaluation of M with the CATHARE code. Failure of the system in 7% of the cases, all corresponding to cases with one tube rupture in one of the RP2s. Limit core output temperature is reached between 4100 s and 7100 s. Evolution of the outlet temperature of the core.

    46. Global reliability analysis of the RP2 system (3/3) Example of response surface fitted of performance criterion

    47. Specific reliability analyses of the RP2 system (1/4). In order to test the influence of the passive system on different accidental situations: specific ranges of variation and specific PDFs of the characteristic parameters for each studied sequence; specific failure criteria; specific reliability and sensitivity analyses for each studied sequence. Example of the sequence with two RP2 available and no broken tube in the RP2 exchanger.

    48. Specific reliability analyses of the RP2 system (2/4)

    49. Specific reliability analyses of the RP2 system (3/4). M = Core outlet temperature (12 hours) 450 °C = g(X1, X2, ..., X14). Monte-Carlo simulation. Evaluation of M with the CATHARE code. Conditional failure probability p1 (failure of the T-H process when only two RP2 are available) evaluated at 0.24.

    50. Specific sensitivity analyses of the RP2 system (4/4). Sensitivity analyses in order to determine the parameters whose uncertainty most influences the failure or the performance of the system. The most influential parameters are the percentage of the residual power decay curve (ANS) and the initial pool levels (L1, L2).

    51. Summary of part 2. The uncertainty in the physical response of the T-H code can be evaluated by a confidence interval or by a pdf. Methods giving an uncertainty range of the system performance are not very useful for reliability estimation. The pdf of the system performance can be directly used for reliability estimation once a failure criterion is given. For the evaluation of the pdf, the existing methods are generally based on Monte-Carlo simulations. Monte-Carlo simulations require a large number of calculations and can often be prohibitive when each calculation involves a long and onerous computer time. To avoid this problem, two approaches are possible: the variance reduction techniques in Monte-Carlo methods or the use of response surfaces. It is also possible to use approximate methods such as First and Second Order Reliability Methods (FORM/SORM).

    52. Part 3: Integration of NC system reliability in Probabilistic Safety Analysis. Overview of PSA: levels of PSA; PSA structure; benefits of PSA; limitation and drawbacks of PSA. Interface between PSA and passive system reliability model. Application to the RP2 system: approach used; specific reliability analyses for the PSA integration; integration of the reliability of the RP2 passive system in PSA.

    53. Overview of PSA. The first comprehensive application of the PSA dates back to 1975, to the United States Nuclear Regulatory Commission's (U.S. NRC) Reactor Safety Study [WASH-1400]. Since that pioneering study, PSA techniques have become a standard tool in the safety evaluation of nuclear power plants (NPPs) and industrial installations in general. Levels of PSA: Level 1: the assessment of plant failures leading to core damage and the estimation of core damage frequency. Level 1 PSA provides estimates of the accident frequencies and the main contributors. Level 2: PSA at this level provides estimates of off-site release frequencies, based on the containment response and severe accident management possibilities. The results obtained in Level 1 are the basis for Level 2 quantification. Level 3: the assessment of off-site consequences leading to estimates of risks to the public. Level 3 incorporates results from both previous levels. Level 1 PSA is the most important level and creates the background for further risk assessment, therefore it has been used for the development of the methodology.

    54. Phases of a PSA project. Planning phase: scope of the study, assumptions, limitations, level of detail and other boundary conditions. Physical boundaries of the system: which parts are to be included in the analysis and which are not? The operational state of the system has to be fixed: at which capacity is the system analyzed (full or reduced), what are the equipment states (valves open or closed etc.)? What external factors are to be analyzed (e.g. earthquake, extreme wind etc.)? The level of detail is also an important issue, e.g. is it enough to identify the reason as a "pump failure", or is a detailed classification required, such as pump failure at start, while running, due to cooling failure or oil leak and so forth? The level of detail is often restricted by the amount of information available. Model construction consists of selection of initiating events (IE), modeling of accident sequences by FT/ET and quantification of the model components (initiating events, basic events, success criteria). Calculations are a broad area of PSA work. They include calculations of top event probabilities, importance, sensitivity and uncertainty analysis, quantification of sequences and consequences. The last phase is to draw conclusions, provide recommendations and support for safety improvement decisions.

    55. Initiating event, accidental sequences. The initial step in the construction of the model is to select initiating events (IE). The initiating event is an event (e.g. equipment failure, transient) that can lead to the accident if no protective actions are taken. The protective actions can be either automatic (most safety systems are actuated in this way) or manual (operator intervention is required). For each selected IE, a detailed examination of the accident progression has to be made, and accident sequences are identified as logical combinations of success/failure conditions of functions or systems. Each accident sequence ends with a certain consequence, which also has to be defined. Consequences in the case of Level 1 PSA of NPPs are usually defined as degrees of reactor core damage, including 'safe' state and 'severe' accident state.

    56. Event Trees. Event trees are used for the graphical and logical presentation of the accident sequences: starting from the initiating event; combining the success/failure conditions of functions or systems (usually safety systems, also called front-line systems); terminating by the consequences.

    57. Fault trees The logical combinations of success/failure conditions of functions or systems in the event tree are modeled by the fault trees. A fault tree logically combines the top event (e.g. complete failure of a support system) and the causes for that event (e.g. equipment failure, operator error etc.). The fault tree mainly consists of the basic events (all possible causes of the top event that are consistent with the level of detail of the study) and logical gates (OR, AND, M out of N and other logical operations).

    58. Interface between PSA and passive system reliability model. RMPS is developed to produce a reliability estimate of a specific passive safety system, based on a phenomenological process (e.g. natural circulation). Failure of the physical process itself is the major contributor to the failure of the whole system, together with some activating components (e.g. valves, actuation signal). In principle, the physical phenomenon could be represented as a basic event in a system fault tree, like any other component whose failure contributes to failure of the whole system. The system fault tree in the case of passive systems would be very simple, consisting of several basic events representing failure of physical phenomena (natural circulation) and failure of the activating valve or other means of initial system activation. The difference could be only in the failure model, as the exponential model conventionally used to model component failures is not applicable. A suitable alternative would be to use directly, in the event tree, the failure probability obtained in the reliability analysis of the passive system.

    59. Classification of the RP2 System malfunctions. Malfunctions which could affect the RP2 system are of 3 types. Passive system component failures: non-opening on demand of the RP2 valve; broken tubes in the RP2 exchanger. Occurrence of an initial non-standard configuration for the passive system, detectable by a monitoring system: pool level lower than the low level threshold; pool water temperature higher than the high temperature threshold; steam generator level lower than the low level threshold; primary pressure level higher than the high level threshold. Occurrence of an initial non-standard configuration for the passive system, undetectable by any monitoring system: the rate of non-condensables at the inlet of the RP2 exchanger; the fouling of the tubes of the RP2 exchanger.

    60. Quantification of the failure probabilities. Failure of: components of the system (valves, tubes); monitoring systems (pool water level and temperature); Safety injection system: analogy with similar components or systems existing on PWR reactors. Failures of the monitoring systems for steam generator level and primary pressure → negligible because they are safety systems of the reactor. Failures of the physical process → quantitative reliability analysis with CATHARE.

    61. Initiating and basic events. A simplified event tree is built starting from the Initiating Event of Total Loss of the Power supplies (reactor in full power). The probability of occurrence of this IE is 10⁻⁵/year (value obtained by a fault tree analysis carried out on an analogous real reactor). And considering the 4 basic events: Failure on demand of the RP2 system: the failure probability is obtained by cumulating the failure probabilities of the monitoring systems for pool level and pool temperature, and the probability for the non-opening of the valve → 10⁻²/demand for each RP2 loop. Failure of a tube in at least one of the 3 RP2 exchangers. Failure of the physical process. Failure of the Safety Injection System.

    62. Order of the basic events. The RP2 systems are called upon after the initiating event, because normal means (active safety systems), which require an energy source, are not available. The safety injection system is usable if the primary system is sufficiently depressurised (40 bars), i.e. if at least one tube of exchanger is broken. An exchanger tube can break only if the RP2 is available (valve is opened). The physical process (natural circulation) is possible only if the RP2 is available (valve is opened). --> The order is: Failure/Availability on demand of the RP2 system; Failure/Availability of a tube of exchanger; Failure/Availability of the physical process; Failure/Availability of the Safety Injection System. Possible competition between RP2 system and Safety Injection System.

    63. Simplified event tree of total loss of power supply

    64. Missions of the RP2. 2 different missions for the RP2 depending on the scenario. For scenarios where no exchanger tube is broken (and thus for those where the RP2 system must manage the situation alone): the RP2 mission is to cool the core sufficiently in order to avoid its damage under pressure (the criterion is a limit temperature of the clad). For scenarios where at least one exchanger tube is broken: the RP2 mission is to depressurize the primary circuit sufficiently in order to allow the starting of the Safety Injection System (this system is not modelled by CATHARE: we suppose that if it starts it will fulfil its mission, which is to cool the core sufficiently). Possible competition between RP2 system and Safety Injection System: when the IS starts, the RP2 continues to remove the residual power, but we cannot analyze this competition further in the absence of IS modelling. One can simply suppose that, as the two systems take part in the core cooling, their simultaneous action can be beneficial.

    65. Uncertain parameters

    66. Deterministic evaluation with CATHARE

    67. Sequence 1: 3RP2, no broken tube

    68. Uncertainty analysis with CATHARE

    69. Sequences 4 and 5: 2 RP2 available, no broken tube Reliability analysis with CATHARE p1 = 0.24 Objective : Evaluate the probability p1 of failure of the thermal-hydraulic process when only two RP2 are available (sequence 5).

    70. Sequences 6, 7 and 8: 2 RP2 available, one broken tube

    71. Evaluation of core damage probabilities

    72. PSA results and analysis. Core damage frequency after a blackout evaluated at 7.5·10⁻⁸/year: sum of the probabilities of each accident sequence leading to core melt under pressure for the blackout transient, on the assumption that all the events are independent. The probabilistic objective of 10⁻⁷/year for all the transient families, which corresponds for a transient family to 10⁻⁸/year, is not met. Sequence 5 represents 96% of the core damage frequency. It is necessary to re-examine the dimensioning of the RP2 system. The probabilistic objective to reach for the T-H process failure in case of 2 RP2 loops available is 0.03 (instead of 0.24). These results underline the importance of taking into account the T-H process failure probability to evaluate the reliability of a safety passive system.
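The 96% share of sequence 5 and the objective of about 0.03 can be reproduced from the figures on this page by multiplying along the event-tree path. This is an added example, not part of the original presentation; it assumes the three RP2 loops fail independently, uses the rare-event approximation for losing exactly one loop (with the exact binomial shown for comparison), and takes the no-broken-tube branch probability as 1 because the page gives no tube-rupture probability.

```python
from math import comb

# Figures quoted on the page.
IE_FREQUENCY = 1e-5     # total loss of power supplies, per year
P_LOOP_FAILS = 1e-2     # failure on demand of one RP2 loop
P_TH_TWO_LOOPS = 0.24   # p1: T-H process failure with two loops available
CDF_REPORTED = 7.5e-8   # core damage frequency after blackout, per year
FAMILY_TARGET = 1e-8    # objective for one transient family, per year


def p_loops_lost(k, n=3, p=P_LOOP_FAILS, rare_event=True):
    """Probability that exactly k of n independent loops fail on demand.

    With rare_event=True the (1 - p)^(n - k) factor is dropped, which is the
    usual hand approximation when p is small.
    """
    base = comb(n, k) * p ** k
    return base if rare_event else base * (1.0 - p) ** (n - k)


def sequence_frequency(ie_frequency, branch_probabilities):
    """Frequency of one event-tree sequence: IE frequency times the
    conditional probability of every branch taken along the path."""
    frequency = ie_frequency
    for probability in branch_probabilities:
        frequency *= probability
    return frequency


def sequence5(p_th=P_TH_TWO_LOOPS, rare_event=True, p_tube_intact=1.0):
    """Blackout, one RP2 loop lost on demand, no broken tube, T-H process fails.

    p_tube_intact = 1.0 is an assumption of this example, not a page value.
    """
    branches = [p_loops_lost(1, rare_event=rare_event), p_tube_intact, p_th]
    return sequence_frequency(IE_FREQUENCY, branches)


def required_p_th(target=FAMILY_TARGET, rare_event=True):
    """Largest T-H failure probability for which sequence 5 alone meets the target."""
    return target / sequence_frequency(IE_FREQUENCY, [p_loops_lost(1, rare_event=rare_event)])


if __name__ == "__main__":
    f5 = sequence5()
    print(f"sequence 5 (rare-event): {f5:.2e}/year, {f5 / CDF_REPORTED:.0%} of reported CDF")
    print(f"sequence 5 (exact binomial): {sequence5(rare_event=False):.2e}/year")
    print(f"p1 needed for sequence 5 to meet {FAMILY_TARGET:.0e}/year: {required_p_th():.3f}")
    print(f"sequence 5 with p1 = 0.03: {sequence5(p_th=0.03):.1e}/year")
```

The small difference between the rare-event and exact binomial results shows that the approximation is harmless here; the dominant lever is the T-H process failure probability itself.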

    73. Specific limitation of the PSA. This analysis concerns only one initiating event, the Total Loss of Power supplies; other initiating events have to be analysed. The initiating events created by a failure of the RP2 when it is not in demand are not taken into account. No aggravating event is considered, relative to the initiating event of Total Loss of Power supplies, other than the RP2 passive system failures (component failures or T-H process failure) and the safety injection. Human factors (operator errors) are not explicitly taken into account. No mechanical common cause failure between the 3 RP2 loops has been considered, but the thermal-hydraulic common cause failure has been taken into account through the global CATHARE modelling of the 3 RP2 loops. The common cause failures between the monitoring systems of the RP2 loop are considered as negligible. No common cause failure is considered between the RP2 passive system and the safety injection.

    74. Conclusion on this application Proposal of a methodology to integrate the passive systems unreliability in PSA and application to an example. Positive effect of the RP2 passive system on the reactor safety. Proposal of a new dimensioning of the RP2 in order to fully satisfy the reactor safety objectives. These results confirm that the development and the validation of a methodology of reliability analysis relative to the safety passive systems are a precondition to the implementation of such systems on a nuclear reactor.

    75. Summary of part 3. There are a number of different ways to integrate a passive system reliability model into the whole plant PSA model. It could be done directly in the event tree of the relevant accident sequence as a single basic event, or a separate fault tree could be developed. The new element in the probabilistic modeling of the passive system is the methodology to quantify the reliability of the physical process, represented as a single basic event, from thermal-hydraulic modeling calculations. In a first approach, applied to a simplified PSA carried out on a fictitious reactor equipped with two types of safety passive systems, we have chosen an Event Tree (ET) representation of the accidental scenario. The failure analyses performed on this reactor have allowed the characterisation of the technical failures and the ranges of variation of uncertain parameters which influence the physical process. The majority of the sequences of this event tree have been analysed by deterministic evaluations with envelope values of the uncertain parameters. For some sequences where the definition of envelope cases was impossible, basic events corresponding to the failure of the physical process have been added and uncertainty analyses have been performed to evaluate the corresponding probability of failure. This methodology allows the probabilistic evaluation of the influence of the passive system on an accidental scenario and could be used to test the interest of replacing an active system by a passive system in specific situations.

    76. Methodology overview

    77. Conclusion (1/3) A specific methodology is necessary for the evaluation of the reliability of a passive system and its integration into the probabilistic analyses of accidental sequences. The Analytical Hierarchy Process has been chosen for the identification of the relevant parameters. Interest of sensitivity analysis for the determination, among the uncertain parameters, of the main contributors to the risk of failure of the passive system. Quantification of the uncertainties is a fundamental step, but methods exist to measure the influence of input distribution changes without running the T-H code again.

    78. Conclusion (2/3) Evaluation of the reliability of the systems for specific situations, once the probability density functions of the input parameters are defined, using the Monte-Carlo or FORM method. The use of response surface methods, where the physical model is approximated by a simpler mathematical model, is often necessary in order to reduce the number of calculations with the physical model. Possibilities to integrate passive system reliability in a PSA sequence have been tested on an example. In a first approach, applied to a simplified PSA carried out on a fictitious reactor equipped with two types of passive safety systems, we have chosen an Event Tree (ET) representation of the accidental scenario. This methodology allows the probabilistic evaluation of the influence of the passive system on an accidental scenario and could be used to assess the benefit of replacing an active system by a passive system in specific situations.
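The chain summarised on slides 75 and 78 (a response surface fitted to a few T-H runs, Monte-Carlo sampling of that surface, then the physical-process failure entered as a basic event in an event-tree branch) is sketched below as an added example that is not part of the presentation. The stand-in `th_code`, the two input parameters, their ranges and distributions, the 880 °C criterion and the frequencies passed to `sequence_frequency` are all constructed assumptions.

```python
import random

LIMIT = 880.0            # constructed failure criterion: peak clad temperature, deg C
P_LO, P_HI = 0.9, 1.1    # constructed range of the residual power fraction
F_LO, F_HI = 0.0, 0.2    # constructed range of the non-condensable fraction

def th_code(p, f):
    """Constructed stand-in for one expensive T-H code run (returns deg C)."""
    return 600.0 + 350.0 * (p - 1.0) + 900.0 * f + 400.0 * p * f + 500.0 * f * f

def coded(v, lo, hi):
    """Map a physical value onto the coded range [-1, +1] of the design."""
    return (2.0 * v - (hi + lo)) / (hi - lo)

def fit_surface():
    """Fit T ~ b0 + b1*x1 + b2*x2 + b12*x1*x2 from a 2x2 factorial design (4 runs)."""
    b0 = b1 = b2 = b12 = 0.0
    for x1, p in ((-1, P_LO), (1, P_HI)):
        for x2, f in ((-1, F_LO), (1, F_HI)):
            y = th_code(p, f)
            b0 += y / 4
            b1 += x1 * y / 4
            b2 += x2 * y / 4
            b12 += x1 * x2 * y / 4
    return b0, b1, b2, b12

def surface(coef, p, f):
    """Evaluate the fitted response surface at physical inputs (p, f)."""
    b0, b1, b2, b12 = coef
    x1, x2 = coded(p, P_LO, P_HI), coded(f, F_LO, F_HI)
    return b0 + b1 * x1 + b2 * x2 + b12 * x1 * x2

def process_failure_probability(coef, n=20000, seed=1):
    """Monte Carlo on the surrogate: fraction of samples exceeding LIMIT."""
    rng = random.Random(seed)
    fails = 0
    for _ in range(n):
        p = rng.gauss(1.0, 0.04)       # assumed input distribution
        f = rng.uniform(F_LO, F_HI)    # assumed input distribution
        fails += surface(coef, p, f) > LIMIT
    return fails / n

def sequence_frequency(f_ie, p_comp, p_proc):
    """Event-tree branch: initiator, then passive system fails (component OR process)."""
    return f_ie * (1.0 - (1.0 - p_comp) * (1.0 - p_proc))

if __name__ == "__main__":
    coef = fit_surface()
    p_proc = process_failure_probability(coef)
    print("surface coefficients:", coef)
    print("P(physical process fails):", p_proc)
    print("sequence frequency per year:", sequence_frequency(1e-3, 1e-3, p_proc))
```

Only four calls to `th_code` are made; the 20000 Monte-Carlo samples all go to the fitted surface, which is the saving the response surface method is meant to provide.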

    79. Conclusion (3/3) The developed methodology contributes to the safety assessment of reactors equipped with passive systems. The development and validation of a reliability analysis methodology for passive safety systems are a precondition to the implementation of such systems on a nuclear reactor. This methodology is required to gain the necessary confidence of: the designers who define the architecture of reactors and safety systems (indeed, the designers will accept new safety systems only if these systems remain at reasonable cost and with the same efficiency in comparison with the existing safety systems); and the regulatory authorities who will have to accept the implementation of such systems on a nuclear reactor.

    80. Possible improvements (1/3) Two items of the methodology roadmap deserve closer attention: the identification of the relevant parameters and the quantification of uncertainties. Rules which guarantee a rational approach to the problem, and which demonstrate that the procedure is based on realistic assumptions, would justify the choice of the uncertain parameters and, moreover, should convince the designer. In the selection of the relevant input parameters, a clear distinction between the various kinds of uncertainties should be introduced, distinguishing between modelling uncertainties on one side and uncertainties dealing with the state of knowledge about the passive systems and their characteristic parameters on the other side.

    81. Possible improvements (2/3) Another important item of improvement is the integration of passive system reliability in the PSAs. The first attempts performed within the framework of RMPS have taken into account both the failures of the components of the passive system and the failures of the physical process involved, as basic events in static event trees. This last choice might seem unsuitable because it does not appear to consider the dynamic aspects of the transient progression, including dynamic system interactions, T-H induced failure, and operator actions in response to system dynamics. In fact, in the RMPS project we have treated examples where the overall reactor, including the safety systems and in particular the passive system, is modelled by the T-H code. As a result, the dynamic system interactions are taken into account by the T-H calculation itself. In addition, we have not considered human intervention during the studied sequences, which is consistent with the usual utilization of passive systems in innovative reactors. So, for a first approach, the event tree presentation seems a good and simple representation for the assessment of accident sequences, including the passive systems. In order to generalise the methodology, it is important to take the dynamic aspects into account by means other than modelling them solely within the T-H code. Indeed, in complex situations where several safety systems are competing and where human operation cannot be completely eliminated, this modelling would prove to be impossible or too expensive in computing time. It is thus interesting to explore other solutions already used in dynamic PSA, such as the dynamic event tree method.

    82. Possible improvements (3/3) A very important issue concerns human factors, which play an important role in the reliability assessment of a passive system. Indeed, the periodic maintenance and inspection of such systems introduce particular constraints; unlike an active system, which can be more easily isolated or inspected during shutdown periods, a passive system needs to be tested under its real physical conditions of utilization, and this can require new specific implementations in the global architecture and raise safety problems. In addition, the question of whether it is an advantage or a disadvantage that passive systems do not allow operator intervention during their operation should be investigated. Before comparing a passive and an active system on the same mission, it is necessary to make sure that the passive system design is optimised in terms of performance. Methods have to be developed to ensure this optimisation. Technical-economic evaluations of the systems must be carried out to provide information that is essential for the comparison between passive and active systems.

    83. A LIST OF REFERENCES RELATED TO THIS TOPIC Note: all deliverables of the RMPS project are available on www.rmps.info
    OECD, 2002. Passive system reliability. A challenge to reliability engineering and licensing of advanced nuclear power plants. In Proceedings of an International Workshop, OECD/NEA/CSNI/R(2002)10, Cadarache, France, 4–6 March.
    L. Burgazzi. Evaluation of Uncertainties Related to Passive Systems Performance. Nucl. Eng. Design, 230, 93 (2004).
    B. Papin. Principle of an operational complexity index for the characterization of the human factor relevance of future reactors concepts. Proceedings of EHPGM2004, Sandefjord (2004).
    M. Marquès et al. Methodology for the reliability evaluation of a passive system and its integration into a Probabilistic Safety Assessment. Nuclear Engineering and Design 235 (2005) 2612–2631.
    C. Kirchsteiger. A new approach to quantitative assessment of reliability of passive systems. Safety Science 43 (2005) 771–777.
    L.P. Pagani et al. The impact of uncertainties on the performance of passive systems. Nuclear Technology, Vol. 149 (2005).
    IAEA-TECDOC-1474. Natural circulation in water cooled nuclear power plants: phenomena, models, and methodology for system reliability assessments. November 2005.