Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants

Similar documents
TEPCO s Activities on the Investigation into Unsolved Issues in the Fukushima Daiichi NPS Accident

CANDU Safety #3 - Nuclear Safety Characteristics Dr. V.G. Snell Director Safety & Licensing

2 Energy from the Nucleus

Overview of Control System Design

AP1000 European 7. Instrumentation and Controls Design Control Document

12 Moderator And Moderator System

Department of Engineering and System Science, National Tsing Hua University,

Applied Nuclear Science Educational, Training & Simulation Systems

Correlation between neutrons detected outside the reactor building and fuel melting

Lesson 14: Reactivity Variations and Control

Available online at ScienceDirect. Nuclear power plant explosions at Fukushima-Daiichi. Takashi Tsuruda*

MECHANICAL ENGINEERING. Five-year M.Sc. studies School of Mechanical Engineering National Technical University of Athens

Announcements. Projected Energy Consumption. Fossil fuel issues. By the end of class today

Thinking Like a Chemist About Nuclear Change!

Safety Analysis of Loss of Flow Transients in a Typical Research Reactor by RELAP5/MOD3.3

NUCLEAR SAFETY AND RELIABILITY WEEK 8

Ordinary Level Physics Long Questions: NUCLEAR PHYSICS

Uncertainty Analysis on Containment Failure Frequency for a Japanese PWR Plant

The Physics of Nuclear Reactors. Heather King Physics 420

Development of Multi-Unit Dependency Evaluation Model Using Markov Process and Monte Carlo Method

APPLICATION OF THE COUPLED THREE DIMENSIONAL THERMAL- HYDRAULICS AND NEUTRON KINETICS MODELS TO PWR STEAM LINE BREAK ANALYSIS

ANALYSIS OF THE OECD MSLB BENCHMARK WITH THE COUPLED NEUTRONIC AND THERMAL-HYDRAULICS CODE RELAP5/PARCS

Title: Development of a multi-physics, multi-scale coupled simulation system for LWR safety analysis

Overview of Control System Design

Thinking Like a Chemist About Nuclear Change!

The Dynamical Loading of the WWER440/V213 Reactor Pressure Vessel Internals during LOCA Accident in Hot and Cold Leg of the Primary Circuit

In-Vessel Retention Analysis for Pressurised Heavy Water Reactors (PHWR) under Severe Core Damage Accident (SCDA)

AP1000 European 19. Probabilistic Risk Assessment Design Control Document

Evaluating the Core Damage Frequency of a TRIGA Research Reactor Using Risk Assessment Tool Software

Nuclear Energy ECEG-4405

Employees Contractors

SCWR Research in Korea. Yoon Y. Bae KAERI

SAFETY GUIDED DESIGN OF CREW RETURN VEHICLE IN CONCEPT DESIGN PHASE USING STAMP/STPA

Name Date Class. alpha particle radioactivity gamma ray radioisotope beta particles radiation X-ray radioactive decay

Loads on RPV Internals in a PWR due to Loss-of-Coolant Accident considering Fluid-Structure Interaction

THE STORAGE, HANDLING AND PROCESSING OF DANGEROUS SUBSTANCES

NOTES: 25.3 Nuclear Fission & Fusion

Nuclear Chemistry. Chapter 24

Employees Contractors

October 2017 November Employees Contractors

ATLAS Facility Description Report

AP1000 European 15. Accident Analyses Design Control Document EVALUATION MODELS AND PARAMETERS FOR ANALYSIS OF RADIOLOGICAL CONSEQUENCES OF ACCIDENTS

SOME ASPECTS OF COOLANT CHEMISTRY SAFETY REGULATIONS AT RUSSIA S NPP WITH FAST REACTORS

Radiation Awareness Training. Stephen Price Office of Research Safety

DEVELOPMENT OF A COUPLED CODE SYSTEM BASED ON SPACE SAFETY ANALYSIS CODE AND RAST-K THREE-DIMENSIONAL NEUTRONICS CODE

Chapter 18: Consequences of Nuclear Energy Use

Overview of Control System Design

Residual activity (contamination) Radiation exposure levels

c) O-16 d) Pu An unstable nucleus emits. a) Atoms b) Electricity c) Plasma d) Radiation 3. Many of uranium are radioactive. a) Ions b) Isomers

Chem 481 Lecture Material 4/22/09

QUALIFICATION OF A CFD CODE FOR REACTOR APPLICATIONS

WELCOME TO PERIOD 18: CONSEQUENCES OF NUCLEAR ENERGY

SIMULATION OF LEAKING FUEL RODS

Developments and Applications of TRACE/CFD Model of. Maanshan PWR Pressure Vessel

Chapter 8. Design of Pressurizer and Plant Control

Metropolitan Community College COURSE OUTLINE FORM LAB: 3.0

Wallace Hall Academy Physics Department. Radiation. Pupil Notes Name:

Compact Orifice FlowMeter

Safety Issues Related to Liquid Metals

Section 3: Nuclear Radiation Today

Correlating Radioactive Material to Sea Surface Temperature off the Coast of Japan: The Fukushima Daiichi Nuclear Disaster. Maya R.

Uncertainty Quantification of EBR-II Loss of Heat Sink Simulations with SAS4A/SASSYS-1 and DAKOTA

Ionizing Radiation Awareness (Non-User)

Nuclear power plants can generate large amounts of electricity.

Outage dates (duration): September 2, 1996 to February 6, 1998 (1.4 years) Reactor age when outage began: 19.5 years

The Research of Heat Transfer Area for 55/19 Steam Generator

Safety analysis on beam dump Luca de Ruvo LNL - INFN Safety group SSTAC meeting, July 23, 2015

Hybrid Low-Power Research Reactor with Separable Core Concept

nuclear fission nucleus slightly mass

Reliability of Technical Systems

Reliability Analysis of Hydraulic Steering System with DICLFL Considering Shutdown Correlation Based on GO Methodology

Course Reactor & Auxiliaries - Module 1 - Moderator Heavy Watec. Module 1 MODERATOR ..." Y "... I

Chemistry 500: Chemistry in Modern Living. Topic 5: The Fires of Nuclear Fission. Atomic Structure, Nuclear Fission and Fusion, and Nuclear.

UPGRADI G THE TWO-PHASE THERMOHYDRAULIC MODEL FOR THE FULL-SCOPE SIMULATOR OF PAKS UCLEAR POWER PLA T

A Probabilistic Physics-of-Failure Approach to Assessment of Frequency of In-Vessel Steam Generator Tube Rupture Accident in SMRs

Water Chemistry. Program Overview

ULOF Accident Analysis for 300 MWt Pb-Bi Coolled MOX Fuelled SPINNOR Reactor

REACTOR CANNOT EXPLODE LIKE A NUCLEAR BOMB

PSA on Extreme Weather Phenomena for NPP Paks

Nuclear Reactions and Reactor Safety DO NOT LICK

Analysis for Progression of Accident at Fukushima Dai-ichi Nuclear Power Station with THALES2 code

Institute for Science and International Security

UNIT 10 RADIOACTIVITY AND NUCLEAR CHEMISTRY

The Electromagnetic Spectrum. 7.1 Atomic Theory and Radioactive Decay. Isotopes. 19K, 19K, 19K Representing Isotopes

Risk. Management. Bulletin. Created by. Insurance Fully Managed Claims Service Financial Advice paveygroup.co.uk

Name: 10/21/2014. NE 161 Midterm. Multiple choice 1 to 10 are 2 pts each; then long problems 1 through 4 are 20 points each.

Homework 06. Nuclear

THE FORTRAN NALAP CODE ADAPTED TO A MICROCOMPUTER COMPILER

ANALYSIS OF THE OECD PEACH BOTTOM TURBINE TRIP 2 TRANSIENT BENCHMARK WITH THE COUPLED NEUTRONIC AND THERMAL-HYDRAULICS CODE TRAC-M/PARCS

ATTACHMENT Mitigating Systems

Science 30 Unit D Energy and the Environment

FAULT DIAGNOSIS AND SEVERITY ESTIMATION IN NUCLEAR POWER PLANTS

A METHOD TO PREVENT SEVERE POWER AND FLOW OSCILLATIONS IN BOILING WATER REACTORS

Estimation of accidental environmental release based on containment measurements

Sensitivity Analyses of the Peach Bottom Turbine Trip 2 Experiment

I.CHEM.E. SYMPOSIUM SERIES NO. 110

THERMAL STRATIFICATION MONITORING OF ANGRA 2 STEAM GENERATOR MAIN FEEDWATER NOZZLES

Chapter 10 Section 4 Notes

MULTIVARIABLE ROBUST CONTROL OF AN INTEGRATED NUCLEAR POWER REACTOR

Assessment of the responses to RI-ABWR Definition and Justification for the Radioactive Source Terms in UK ABWR during Normal Operations

Transcription:

Evaluating the Safety of Digital Instrumentation and Control Systems in Nuclear Power Plants John Thomas With many thanks to Francisco Lemos for the nuclear expertise provided!

System Studied: Generic Evolutionary Power Reactor Fully digital All control systems including RPS are digital Case study focused on MSIV closure * Image from Wikipedia

STPA Process Identify system-level accidents Identify system-level hazards Draw the control structure Identify Unsafe Control Actions (UCAs) Create corresponding safety constraints Identify causal factors Process model flaws Analyze controller, control path, feedback path, process

System-level Accidents A-1: People injured or killed Includes employees and general population May involve radiation exposure, explosion, etc. A-2: Environment contaminated Includes radioactive material or other harmful release Includes contamination to air, ground, groundwater, etc. A-3: Equipment damage (economic loss) May occur with or without radiation release A-4: Loss of electrical power generation Includes any unplanned plant shutdown

System-level Hazards H-1: Release of radioactive materials Includes any release outside primary system (e.g. releases into secondary cooling system, groundwater, air inside or outside containment structures, etc.) H-2: Reactor temperature too high Includes conditions that cause every accident (e.g. if fuel rods melt), or cause accidents without any radiation release (e.g. hydrogen production) Makes no assumption about behavior of other protective systems (e.g. containment) H-3: Equipment operated beyond limits Includes operation beyond safe limits that can cause reactor damage or operation beyond design limits that damages other equipment H-4: Reactor shut down Includes any unplanned shutdown that may result in a loss of electrical power generation

Safety Control Structure

More Detailed Control Structure

Brute-force approach Produced gigantic tables Embraced by some, but others found it hard to define, understand, and review Went back to basics STPA is a top-down method Really need to start at high level, add detail through refinement How can we start with simpler analysis, then add more detail in a way that is easy to define, understand, and review?

Identify Unsafe Control Actions What are the high-level process model variables? MSIV remains open during normal plant operation MSIV only used to control a few specific abnormal conditions: Steam generator tube rupture Can cause uncontrolled SG level increase, release contaminated fluid into secondary system Steam system piping failure Can depressurize SG, cause overcooling transient and energy release into containment Feedwater system piping failure Can depressurize SG, cause overcooling transient and energy release into containment MSIV also controls heat exchange within SG Other support systems must be engaged to provide additional cooling if closed

Context table for Close MSIV control action not provided Template automatically generated from control structure and process model To identify the UCAs, engineers fill in the last column 1 2 1 2 3 4 5 6 Control Action Condition of Steam Generator Tube 3 4 5 Condition of Main Feedwater Pipe Condition of Main Steamline Operation of other support systems Adequate Adequate Adequate Adequate Adequate 6 Adequate 7 Adequate 8 Close Adequate 9 MSIV Adequate 10 Inadequate 11 Inadequate 12 Inadequate 13 Inadequate 14 15 16 Inadequate Inadequate Inadequate Providing Control Action is Hazardous?

Context table for Close MSIV control action not provided Keeping MSIV open is not hazardous if no rupture (row 1, 9) If MSIV kept open during SGTR, will cause all hazards If kept open, causes H- 2, H-3 during steamline or feedwater rupture Tools can automatically populate table using these 3 rules 1 2 1 2 3 4 5 6 Control Action Condition of Steam Generator Tube 3 4 5 Condition of Main Feedwater Pipe Condition of Main Steamline Operation of other support systems Adequate Adequate Providing Control Action is Hazardous? No H-1, H-2, H-3, H-4 Adequate H-2, H-3 Adequate H-2, H-3 H-1, H-2, Adequate H-3, H-4 6 Adequate H-2, H-3 7 H-1, H-2, Adequate H-3, H-4 8 H-1, H-2, Adequate Close H-3, H-4 9 MSIV Adequate No 10 H-1, H-2, Inadequate H-3, H-4 11 Inadequate H-2, H-3 12 Inadequate H-2, H-3 13 Inadequate 14 15 16 H-1, H-2, H-3, H-4 Inadequate H-2, H-3 Inadequate Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4

Context table for Close MSIV control action 1 1 2 3 4 5 6 7 8 Condition of Control Action Steam Condition of Main Condition of Operation of other Control Action Hazardous if Too Generator Feedwater Pipe Main Steamline support systems Hazardous? Late? Tube Control Action Control Action Hazardous if Too Early? Adequate H-4 H-4 H-4 2 Adequate No H-1, H-2, H-3, H-4 H-3, H-4 3 Adequate No H-2, H-3, H-4 No 4 Adequate No H-2, H-3, H-4 No 5 Adequate No H-1, H-2, H-3, H-4 H-3, H-4 6 Adequate No H-2, H-3, H-4 No 7 Adequate No H-1, H-2, H-3, H-4 H-3, H-4 8 Adequate No H-1, H-2, H-3, H-4 H-3, H-4 9 Close MSIV Inadequate H-2, H-4 H-2, H-4 H-2, H-4 10 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 11 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 12 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 13 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 14 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 15 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 16 Inadequate H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4 H-1, H-2, H-3, H-4

Simplified context table for Close MSIV control action provided 1 2 3 4 5 6 1 2 3 4 5 6 7 8 Condition of Control Action Steam Condition of Main Condition of Operation of other Control Action Hazardous if Too Generator Feedwater Pipe Main Steamline support systems Hazardous? Late? Tube Control Action Close MSIV Control Action Hazardous if Too Early? Adequate Yes Yes Yes * * Adequate No Yes Yes Adequate No Yes No Adequate No Yes No Adequate No Yes No * * * Inadequate Yes Yes Yes * means doesn t matter Helps to simplify the table

Summary of UCAs identified Unsafe Control Actions Control Action Providing Causes Hazard Providing Causes Hazard Wrong Timing or Order Causes Hazard Stopped Too Soon or Applied Too Long Close MSIV Close MSIV not provided when there is a rupture in the S/G tube, main feedwater, or main steam line and the support systems are adequate [H-2, H-1, H-3] Close MSIV provided when there is a rupture and other support systems are inadequate [H-1, H-2, H-3] Close MSIV provided when there is no rupture [H-4] Close MSIV provided too early (while SG pressure is high): SG pressure may rise, trigger relief valve, abrupt steam expansion [H-2, H-3] Close MSIV provided too late after SGTR: contaminated coolant released into secondary loop, loss of primary coolant through secondary system [H-1, H-2, H-3] N/A

Conflicts automatically detected Rows 10-16 Context: rupture is present but other support systems are not operating or inadequate Hazardous to keep MSIV open May contaminate secondary system, cause overcooling transient, etc. Hazardous to close MSIV Isolates the only operational cooling system Conflict should be addressed. For example, best to keep MSIV open depending on type of rupture to provide limited cooling until operators find a solution?

Automatically generated model-based requirements Traceability can also be provided from info in context tables

Including more detail with refinement What about these gigantic tables? At the end of the day, this information needs to be defined May not have to manually fill out large tables to define it STPA is a top-down method Really need to start at high level, add detail through refinement How can we start with simpler analysis, then add more detail in a way that is easy to define, understand, and review?

Including more detail with refinement Solution: Define how process model variables are inferred Then automatically generate low-level requirements or tables 1 2 3 4 5 Condition Condition of Condition of Steam Main of Main Generator Feedwater Steamline Tube Pipe Control Action Operation of other support systems Close MSIV * Inference rules based on existing public documentation

Conclusions Provides structured way to generate low-level context tables from high-level information Top-down approach to identifying UCAs, helps manage complexity Provides rigorous process to analyze complex systems using STPA e: Project focus was on developing methods, not evaluating one particular design In practice, the results at each step should be carefully reviewed by nuclear experts

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback