Epri-Pra Module 1

Basics of Nuclear Power Plant
Probabilistic Risk Assessment
Fire PRA Workshop 2011

San Diego CA and Jacksonville FL
A Collaboration of U.S. NRC Office of Nuclear Regulatory Research (RES) & Electric Power Research Institute (EPRI)
Course Objectives
• Introduce PRA modeling and analysis methods

applied to nuclear power plants
– Initiating event identification
– Event tree and fault tree model development
– Human reliability analysis
– Data analysis
y
– Accident sequence quantification
– LERF analysis
Fire PRA Workshop 2011, San Diego CA and Jacksonville FL A Collaboration of U.S. NRC Office of Nuclear Regulatory
Slide 2
PRA Fundamentals and Overview Research (RES) & Electric Power Research Institute (EPRI)
Course Outline
1. Overview of PRA
2. Initiating Event Analysis
3. Event Tree Analysis
4. Fault tree Analysis
5. Human Reliability Analysis
6. Data Analysis
7. Accident Sequence Quantification
8. LERF Analysis
Slide 3
Overview of PRA
What is Risk?
• Arises from a “Danger” or “Hazard”

• Always associated with undesired
eventt
• Involves both:
– likelihood of undesired event
– severity (magnitude) of the
consequences
Slide 5
Risk Definition
• Risk - the frequency

q y with which a g
given consequence
q
occurs
Risk [ Consequence Magnitude

Unit of Time ]=
Events Magnitude
F
Frequency [ Unit of Time ] x C
Consequences [ Event ]
Slide 6
Risk Example:
Death Due to Accidents
• Societal
S i t l Ri
Risk
k = 93
93,000
000 accidental-deaths/year
id t l d th /
(based on Center for Disease Control actuarial data)
• Average Individual Risk
= (93,000 Deaths/Year)/250,000,000 Total U.S. Pop.
= 3.7E-04 Deaths/Person-Year
. 1/2700 Deaths/Person
Deaths/Person-Year
Year
• In any given year, approximately 1 out of every 2,700 people in the entire
U.S. population will suffer an accidental death
• Note: www.cdc.gov latest data (2005) 117,809 unintentional deaths and

296,748,000 U.S. population, thus average individual risk . (117,809
deaths/year)/296 748 000 . 4E
deaths/year)/296,748,000 4E-04
04 Deaths/Person-Year
Deaths/Person Year
Slide 7
Risk Example:
Death Due to Cancer
• Societal Risk = 538,000 cancer-deaths/year

(based on Center for Disease Control actuarial data)
• Average
g Individual Risk
= (538,000 Cancer-Deaths/Year)/250,000,000 Total U.S. Pop.
= 2.2E-03 Cancer-Deaths/Person-Year
. 1/460 Cancer
Cancer-Deaths/Person-Year
Deaths/Person Year
• In any given year, approximately 1 person out of every 460 people in the
entire U.S. population will die from cancer
• Note: www.cdc.gov latest data (2005) 546,016 cancer deaths and 296,748,000 U.S.
population, thus average individual risk . (546,016 deaths/year)/296,748,000 .
1 8E-03
1.8E 03 Deaths/Person-Year
Deaths/Person Year
Slide 8
Overview of PRA Process
• PRAs are pperformed to find severe accident weaknesses

and provide quantitative results to support decision-making.
Three levels of PRA have evolved:
Level An Assessment of: Result
1 Plant accident initiators and Core damage frequency &

systems’/operators’ response contributors
2 Frequency and modes of Categorization &

containment failure frequencies of containment
releases
3 Public health consequences Estimation of public &
economic risks
Slide 9
Overview of Level-1/2/3 PRA
Bridge Event
Level-1 Tree Level-2 Level-3
E
Eventt (
(containment
t i t Containment Event Consequence
IEs Tree systems) Tree (APET) Analysis
RxTrip
Consequence
LOCA Source
S Code
LOSP CD PDS Terms Calculations
SGTR (MACCS)
etc.
Plant Systems Severe Accident Offsite Consequence

and
dHHuman A Action
ti Progression Risk
Models (Fault Analyses • Early Fatalities/year
Trees and Human (Experimental and • Latent Cancers/year
Reliabilityy Computer Code • Population Dose/year
Analyses) Results) • Offsite Cost ($)/year
• etc.
Slide 10
Principal Steps in PRA
LEVEL LEVEL LEVEL

1 2 3
Initiating Accident Accident RCS / Source Release Offsite Health &

Event Sequence Sequence Containment Term Category Conseq’s Economic
Analysis Analysis Quantif. Response Analysis Character. Analysis Risk
Analysis and
Analysis
Quantif.
Meteorology
Success Systems Uncertainty Phenomena Uncertainty Uncertainty
& & Model &
Criteria Analysis* Analysis
Sensitivity Sensitivity Sensitivity
Analysis Analysis Analysis
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model
LERF Assessment Health

Effects
Economic
Eff t
Effects
* Used in Level 2 as required
Slide 11
PRA Classification
• Internal Hazards – risk from accidents initiated internal to

the plant
– Includes internal events, internal flooding and internal fire events
• External Hazards – risk from external events
– Includes seismic, external flooding, high winds and tornadoes,
airplane crashes, lightning, hurricanes, etc.
• At-Power – accidents initiated while p
plant is critical and
producing power (operating at >X%* power)
• Low Power and Shutdown (LP/SD) – accidents initiated
while plant is <X%*
<X% power or shutdown
– Shutdown includes hot and cold shutdown, mid-loop operations,
refueling
X is usually plant
*X plant-specific.
specific The separation between full and low power
is determined by evolutions during increases and decreases in power
Slide 12
Specific Strengths of PRA
• Rigorous, systematic analysis tool

• Information integration (multidisciplinary)
• Allows consideration of complex
p interactions
• Develops qualitative design insights
• Develops quantitative measures for decision
making
• Provides a structure for sensitivity studies
• Explicitly highlights and treats principal sources of
uncertainty
Slide 13
Principal Limitations of PRA
• Inadequacy of available data

• Lack of understanding of physical processes
• High sensitivity of results to assumptions
• Constraints on modeling effort (limited resources)
– simplifying
p y g assumptions
p
– truncation of results during quantification
• PRA is typically a snapshot in time
– this limitation mayy be addressed byy having
g a “living”
g PRA
• plant changes (e.g., hardware, procedures and operating
practices) reflected in PRA model
• temporary system configuration changes (e.g., out of service
for maintenance) reflected in PRA model
• Lack of completeness (e.g., human errors of commission typically not
considered)
Slide 14
Initiating Event Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 16
• Purpose: Students will learn what is an initiating event (IE), how

to identify
id if them,
h and
d group them
h iinto categoriesi ffor ffurther
h
analysis.
Objectives:
– Understand
U d t d the th relationship
l ti hi bbetween
t iinitiating
iti ti eventt
identification and other PRA elements
– Identify the types of initiating events typically considered in a
PRA
– Become familiar with various ways to identify initiating events
– Understand how initiating events are grouped
• References:
R f
– NUREG/CR-2300, NUREG/CR-5750, NUREG/CR-3862,
NUREG/CR-4550, Volume 1
Slide 17
Initiating Events
• Definition – Anyy potential

p occurrence that could disrupt
p p
plant
operations to a degree that a reactor trip or plant shutdown is
required. Initiating events are quantified in terms of their
frequency of occurrence (i.e., number of events per calendar year
of operation)
• Can occur while reactor is at full power, low power, or shutdown
– Focus of this session is on IEs during full power operation
• Can be internal to the plant or caused by external events
– Focus of this session is on internal IEs
• Basic categories of internal IEs:
– transients (initiated by failures in the balance of plant or nuclear
steam supply)
– loss-of-coolant accidents (LOCAs) in reactor coolant system
– interfacing system LOCAs
– LOCA outside of containment
– special transients (generally support system initiators)
Slide 18
Role of Initiating Events in PRA
• Identifying initiating events is the first step in the development of

accident sequences
• Accident sequences can be conceptually thought of as a combination
of:
– an initiating
i iti ti event,
t which
hi h triggers
ti a series
i off plant
l t and/or
d/ operator
t
responses, and
– A combination of success and/or failure of the plant system and/or
operator response that result in a core damage state
• Initiating event identification is an iterative process that requires
feedback from other PRA elements
– system analysis
– review of plant experience and data
Slide 19
• Collect information on actual plant trips

• Identify other abnormal occurrences that could cause a
plant trip or require a shutdown
• Identify the plant response to these initiators including the
functions and associated systems that can be used to
mitigate these events
• Grouping IEs into categories based on their impact on
mitigating systems
• Quantify
Q tif the
th frequency
f off each
h IE category
t (Included
(I l d d later
l t
in Data Analysis session)
Slide 20
Comprehensive Engineering
Evaluation
• Review historical events (reactor trips

trips, shutdowns
shutdowns, system
failures)
• Discrete spectrum of LOCA sizes considered based on location of
breaks (e
(e.g.,
g in vs
vs. out of containment
containment, steam vs
vs. liquid)
liquid),
components (e.g., pipe vs. SORV), and available mitigation
systems
• Review comprehensive list of possible transient initiators based
on existing lists (see for example NUREG/CR-3862) and from
Safety Analysis Report
• Review list of initiating event groups modeled in other PRAs and
adapt based on plant-specific information – typical approach for
existing LWRs
• Feedback provided
pro ided from other PRA taks
Slide 21
Sources of Data for Identifying IEs
• Plant-specific sources:
– Licensee Event Reports
– Scram reports
– Abnormal, System
y Operation,
p and Emergency
g y
Procedures
– Plant Logs
– Safetyy Analysis
y Report (SAR)
( )
– System descriptions
• Generic sources:
– NUREG/CR-3862
NUREG/CR 3862
– NUREG/CR-4550, Volume 1
– NUREG/CR-5750
– Other PRAs
Slide 22
Criteria for Eliminating IEs
• Some IEs may not have to modeled because:

– Frequency
F is
i very low
l ((e.g., <1E-7/ry)
1E 7/ )
• ASME PRA Standard exclude ISLOCAs ,
containment bypass,
yp , vessel rupture
p from this criteria
– Frequency is low (<1E-6/ry) and at least two trains of
mitigating systems are not affected by the IE
– Effect
Eff t is
i slow,
l easily
il identified,
id tifi d and d recoverable
bl bbefore
f
plant operation is adversely affected (e.g., loss of
control room HVAC)
– Effect does not cause an automatic scram or an
administrative demand for shutdown (e.g., waste
treatment failure))
Slide 23
Initiating Event Grouping
• For each identified initiating event:

– Identif
Identify the safet
safety ffunctions
nctions req
required
ired to pre
prevent
ent core damage
and containment failure
– Identify the plant systems that can provide the required safety
f
functions
ti
• Group initiating events into categories that require the
same or similar p plant response
p
• This is an iterative process, closely associated with
event tree construction. It ensures the following:
– All functionally distinct accident sequences will be included
– Overlapping of similar accident sequences will be prevented
– A single
g event tree can be used for all IEs in a category
g y
Slide 24
Example Initiating Events (PWR)
from NUREG/CR-5750
Category
g y Initiating
g Event Mean Frequency
q y
(per critical year)
B Loss of offsite power 4.6E-2
L Loss of condenser 0 12
0.12
P Loss of feedwater 8.5E-2
Q General transient (PCs available) 1.2
F Steam generator tube rupture 7.0E-3
ATWS 8.4E-6
G7 L
Large LOCA 5E 6
5E-6
G6 Medium LOCA 4E-5
G3 Small LOCA 5E-4
Slide 25
Example Initiating Events (PWR)
from NUREG/CR-5750 (cont.)
( )
Category Initiating Event Mean Frequency

(per critical year)
G2 Stuck-open relief valve 5.0E-3
K1 High energy line break outside 1.0E-2

containment
C1+C2 Loss of vital medium or low voltage 2 3E 2
2.3E-2
ac bus
C3 Loss of vital dc bus 2.1E-3
D Loss of instrument or control air 9.6E-3
E1 Loss of service water 9 7E 4

9.7E-4
Slide 26
Accident Sequence
Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis*
y Pathways
Model

Effects
Economic
Effects
Slide 28
Accident Sequence Analysis
• Purpose: Students will learn purposes & techniques of accident
sequence (event) analysis. Students will be exposed to the
concept of accident sequences and learn how event tree analysis
is related to the identification and quantification of dominant
accident sequences.
• Objectives:
Obj ti
– Understand purposes of event tree analysis
– Understand currently accepted techniques and notation for
event tree construction
– Understand purposes and techniques of accident sequence
identification
– Understand how to simplify event trees
– Understand how event tree logic is used to quantify PRAs
• References: NUREG/CR-2300, NUREG/CR-2728
Slide 29
Event Trees
• Typically used to model the response to an initiating event

• Features:
– Generally, one system-level event tree for each initiating event group is
developed
– Identifies
de es sys
systems/functions
e s/ u c o s required
equ ed for
o mitigation
ga o
– Identifies operator actions required for mitigation
– Identifies event sequence progression
– End-to-end traceabilityy of accident sequences
q leading
g to bad outcome
• Primary use
– Identification of accident sequences which result in some outcome of
interest (usually core damage and/or containment failure)
– Basis for accident sequence quantification
Slide 30
Simple Event Tree
Post-
Reactor Emergency Emergency Accident
Initiating Protection Coolant Coolant Heat
Event System Pump A Pump B Removal
Sequence - End State/Plant Damage State
A B C D E
1 A
1.
2. AE - plant damage
3. AC
Success
4. ACE - plant damage
5. ACD - plant damage

Failure
6. AB - transfer
Slide 31
Required
q Information
• Knowledge of accident initiators

• Thermal-hydraulic response during accidents
• Knowledge of mitigating systems (frontline and support)
operation
• Know the dependencies between systems
• Identify any limitations on component operations
• Knowledge of procedures (system, abnormal, and
emergency)
Slide 32
Principal Steps in Event Tree
Development
p
• Determine boundaries of analysis
• Define critical plant safety functions available to mitigate each
initiating event
• Generate functional event tree (optional)
– Event tree heading - order & development
– Sequence delineation
• Determine systems available to perform each critical plant safety
function
• Determine success criteria for each system for performing each
critical plant safety function
• Generate system
system-level
level event tree
– Event tree heading - order & development
– Sequence delineation
Slide 33
Determining Boundaries
• Mission time
– Sufficient to reach stable state (generally 24 hours)
• Dependencies among safety functions and systems
– Includes shared components, support systems, operator
actions, and physical processes
• End States (describe the condition of both the core and containment)
– Core OK
– Core vulnerable
– Core damage
– Containment OK
– Containment failed
– Containment vented
• Extent of operator recovery
Slide 34
Critical Safety Functions
Example safety functions for core & containment

– Reactor subcriticality
– Reactor coolant system overpressure protection
– Early
E l core h heat removall
– Late core heat removal
– Containment pressure suppression
– Containment heat removal
– Containment integrity
Slide 35
Functional Event Tree
• High-level representation of vital safety functions required

t mitigate
to iti t abnormal
b l eventt
– Generic response of the plant to achieve safe and
stable condition
• One functional event tree for transients and one for
LOCAs
• Guides the development of more detailed system-level
event tree model
• Generation
G ti off functional
f ti l eventt trees
t nott necessary;
system-level event trees are the critical models
– Could be useful for advanced reactor PRAs
Slide 36
Functional Event Tree
Initiating Reactor Short term Long term

Event Trip core cooling core cooling
SEQ # STATE
IE RX-TR ST-CC LT-CC
1 OK
2 LATE-CD
3 EARLY-CD
4 ATWS
Slide 37
System
y Success Criteria
• Identify systems which can perform each function

• Often includes if the system is automatically or manually
actuated.
• Identify minimum complement of equipment necessary to
perform function (often based on thermal/hydraulic
calculations, source of uncertainty)
– Calculations often realistic, rather than conservative
• May credit non-safety-related equipment where feasible
Slide 38
BWR Mitigating Systems
Function Systems
Reactivity Reactor Protection System, Standby Liquid Control,

Control Alternate Rod Insertion
RCS Safety/Relief Valves

Overpressure
Protection
Coolant Injection High Pressure Coolant Injection, High Pressure Core
Spray, Reactor Core Isolation Cooling, Low Pressure Core
Spray, Low Pressure Coolant Injection (RHR)
Alternate Systems- Control Rod Drive Hydraulic System,
Condensate, Service Water, Firewater
Decay Heat Power Conversion System, Residual Heat Removal (RHR)
Removal modes (Shutdown Cooling
Cooling, Containment Spray
Spray,
Suppression Pool Cooling)
Slide 39
PWR Mitigating Systems
Function Systems
Reactivity Control Reactor Protection System
RCS Overpressure Safety valves, Pressurizer power-operated relief valves

Protection (PORV)
Coolant Injection Accumulators, High Pressure Safety Injection, Chemical

Volume and Control System, Low Pressure Safety
Injection
j ((LPSI),
), High
g Pressure Recirculation ((may
y
require LPSI)
Decay Heat Power Conversion System (main feedwater), Auxiliary
Removal Feedwater, Residual Heat Removal (RHR), Feed and
Bleed (PORV + HPSI)
Slide 40
Example
p Success Criteria
Short Term Long Term

Reactor
IE Core Core
Trip
Cooling Cooling
PCS PCS
or or
Auto Rx Trip
1 of 3 AFW 1 of 3 AFW
T
Transient
i t or
or or
Man. Rx Trip
1 of 2 PORVs 1 of 2 PORVs
& 1 of 2 ECI & 1 of 2 ECR
Auto Rx Trip
Medium or or 1 of 2 ECI 1 of 2 ECR
Large LOCA Man Rx Trip
Man.
Slide 41
System-Level Event Tree
Development
• A system-level
y event tree consists of an initiating
g event ((one p
per
tree), followed by a number of headings (top events), and a
sequence of events representing the success or failure of the top
events
• Top events represent the systems
systems, components
components, and/or human
actions required to mitigate the initiating event
• To the extent possible, top events are ordered in the time-related
sequence in which they would occur
– Selection of top events and ordering reflect emergency procedures
• Each node (or branch point) below a top event represents the
success or failure of the respective top event
– Logic is typically binary
• Downward branch – failure of top event
• Upward branch – success of top event
– Logic can have more than two branches, with each branch
representing a specific status of the top event
Slide 42
System-Level Event Tree
Development
p (Continued)
( )
• Dependencies among systems(needed to prevent core damage)
are identified
– S
Support systems can be
b iincluded
l d d as top events to account ffor
significant dependencies (e.g., diesel generator failure in station
blackout event tree)
• Timing of important events (e.g., physical conditions leading to
system failure) determined from thermal-hydraulic calculations
• Branches can be pruned logically (i.e., branch points for specific
nodes removed) to remove unnecessary combinations of system
success criteria requirements
– This minimizes the total number of sequences that will be generated
and eliminates illogical sequences
•BBranches
h can transfer
t f to
t other
th eventt tress
t for
f development
d l t
• Each path of an event tree represents a potential scenario
• Each potential scenario results in either prevention of core
d
damage or onsett off core damage
d (or
( a particular
ti l endd state
t t off
interest)
Slide 43
Small LOCA Event Tree from
y SDP Notebook
Surry
SLOCA EIHP AFW FB RCSDEP HPR LPR RS # STATUS
1 OK
2 CD
3 CD
4 OK
5 CD
6 CD
7 OK
8 CD
9 CD
10 CD
11 CD
Plant Name Abbrev.: SURY
Slide 44
Event Tree Reduction and
Simplification
p
• Single transient event tree can be drawn with specific IE
dependencies included at the fault tree level
• Event tree structure can often be simplified by reordering
top events
– Example – Placing ADS before LPCI and CS on a BWR transient
event tree
• Event tree development can be stopped if a partial
sequence frequency at a branch point can be shown to be
very small
• If at any branch point, the delineated sequences are
identical to those in delineated in another event tree,, the
accident sequence can be transferred to that event tree
(e.g., SORV sequences transferred to LOCA trees)
p
• Separate secondary y event trees can be drawn for certain
branches to simplify the analysis (e.g., ATWS tree)
Slide 45
System Level Event Tree
Determines Sequence Logic
g
ST LT
Initiating Rx Rx
Core Core
Event Trip Trip
Cooling
g Cooling
g
SEQ # STATE LOGIC
LOCA AUTO MAN ECI ECR
1 OK
2 LATE-CD /AUTO*/ECI*ECR
Success 3 EARLY CD
EARLY-CD /AUTO*ECI
4 OK
5 LATE CD
LATE-CD AUTO*/MAN*/ECI*ECR
Failure
6 EARLY-CD AUTO*/MAN*ECI
7 ATWS AUTO*MAN
Slide 46
Sequence Logic Used to Combine System
Fault Trees into Accident Sequence
q Models
• System
S t fault
f lt trees
t (or
( cutt sets)
t ) are combined,
bi d using
i
Boolean algebra, to generate core damage accident
sequence models.
– CD seq. #5 = LOCA * AUTO * /MAN * /ECI * ECR
Sequence
#5
Transfers to
Fault Tree
Logic
LOCA AUTO /MAN /ECI ECR
IE
Slide 47
Sequence Cut Sets Generated
From Sequence
q Logic
g
• Sequence cut sets generated by combining system fault

trees (or cut sets) comprised by sequence logic
– Cut sets can be generated from sequence #5 “Fault
Tree”
• Sequence #5 cut sets = (LOCA) * (AUTO cut sets) *
(/MAN cut sets) * (/ECI cut sets) * ( ECR cut sets)
• Or,
Or to simplify the calculation (via “delete
delete term”)
term )
– Sequence #5 cut sets  (LOCA) * (AUTO cut
sets) * (ECR cut sets) - any cut sets that contain
MAN + ECI cutt setst are deleted
d l t d
Slide 48
Plant Damage State (PDS)
• Core Damage (CD) designation for end state not

sufficient to support Level 2 analysis
– Need details of core damage phenomena to
accurately model challenge to containment
integrity
• PDS relates core damage accident sequence to:
– Status of plant systems (e
(e.g.,
g AC power
operable?)
– Status of RCS (e.g., pressure, integrity)
– Status
St t off water
t inventories
i t i (e.g.,
( injected
i j t d into
i t
RPV?)
Slide 49
Example Category Definitions for
PDS Indicators
1. Status of RCS at onset of Core Damage

T no break (transient)
A large LOCA (6” to 29”)
S1 medium LOCA (2” to 6”)
S2 small LOCA (1/2” to 2”)
S3 very smallll LOCA (l
(less th
than 1/2”)
G steam generator tube rupture with SG integrity
H steam generator tube rupture without SG integrity
V interfacing LOCA
2 Status of ECCS
2.
I operated in injection only
B operated in injection, now operating in recirculation
R not operating, but recoverable
N not operating and not recoverable
L LPI available in injection and recirculation of RCS pressure reduced
3. Status of Containment Heat Removal Capability
Y operating or operable if/when needed
R not operating, but recoverable
N never operated, not recoverable
Slide 50
Systems Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 52
Systems (Fault Tree) Analysis
• Purpose: Students will learn purposes & techniques of fault
tree analysis. Students will learn how appropriate level of detail
for a fault tree analysis is established
established. Students will become
familiar with terminology, notation, and symbology employed in
fault tree analysis. In addition, a discussion of applicable
component failure modes relative to the postulation of fault
events will be presented.
• Objectives:
– Demonstrate a working knowledge of terminology,
notation, and symbology of fault tree analysis
– Demonstrate a knowledge of purposes & methods of
fault tree analysis
– Demonstrate a knowledge of the purposes and
methods of fault tree reduction
• References:
– NUREG-0492, Fault Tree Handbook
– NUREG/CR-2300,
NUREG/CR 2300 PRA Procedures Guide
– NUREG-1489, NRC Uses of PRA
Slide 53
Fault Tree Analysis Definition
“An analytical technique, whereby an undesired state of

th system
the t is
i specified
ifi d ((usually
ll a state
t t th
thatt iis critical
iti l ffrom
a safety standpoint), and the system is then analyzed in
the context of its environment and operation
p to find all
credible ways in which the undesired event can occur.”
NUREG--0492
NUREG
Slide 54
Fault Trees
• Deductive analysis (event trees are inductive)

• Starts with undesired event definition
• Used to estimate system failure probability
• Explicitly
E li i l models
d l multiple
l i l ffailures
il
• Identify ways in which a system can fail
• Models can be used to find:
– System “weaknesses”
– System failure probability
– Interrelationships between fault events
Slide 55
Fault Trees (cont.)
• Fault trees are graphic models depicting the various fault

paths
th that
th t will
ill result
lt iin th
the occurrence off an undesired
d i d
(top) event.
• Fault tree development moves from the top event to the
basic events (or faults) which can cause it.
• Fault tree use gates to develop the fault logic in the tree.
• Different types of gates are used to show the relationship
of the input events to the higher output event.
• Fault
F lt tree
t analysis
l i requiresi th
thorough
h kknowledge
l d off hhow
the system operates and is maintained.
Slide 56
Fault Tree Development Process
Event
Tree Develop & Update Analysis Notebook
2
Heading
Define Define Develop Perform

Top Fault
T F lt Analysis
Primary System Fault Tree
Tree Event Assumptions
1 & Interfaces 3 Construction 5
& Constraints 4
Slide 57
Fault Tree Symbols
Symbol Description
Logic gate providing a representation

“OR” Gate of the Boolean union of input events.
The output
p will occur if at least one of
the inputs occur.
Logic gate providing a representation

of the Boolean intersection of input
“AND” Gate events. The output will occur if all of
the inputs occur.
A basic component fault which

Basic Event requires no further development.
Consistent with level of resolution
in databases of component faults.
Slide 58
Fault Tree Symbols (cont.)
Symbol Description
A fault event whose development

Undeveloped is limited due to insufficient
Event consequence or lack of
additional detailed information
A transfer symbol to connect

Transfer Gate various portions of the fault tree
A fault event for which a detailed

Undeveloped development is provided as a separate
Transfer Event fault tree and a numerical value is
derived
Used as a trigger event for logic
House Event structure changes within the fault tree.
Used to impose boundary conditions
on FT.
FT Used
U d tto model
d l changes
h iin plant
l t
system status.
Slide 59
Event and Gate Naming Scheme
• A consistent use of an event naming scheme is

required to obtain correct results
• Example naming scheme: XXX-YYY-ZZ-AAAA
• Where:
– XXX is the system identifier (e.g., HPI)
– YYY is the event and component type (e.g., MOV)
– ZZ is the failure mode identifier (e.g., FS)
– AAAAA is a plant component descriptor
• A gate naming scheme should also be developed and
utilized - XXXaaa
– XXX is the system identifier (e.g., HPI)
– aaa is the gate number
Slide 60
Specific Failure Modes Modeled
for Each Component
p
• Each component associated with a specific set of failure

modes/mechanisms
d / h i d
determined
t i db by:
– Type of component
• E.g.,
E g Motor
Motor-driven
driven pump
pump, air
air-operated
operated valve
– Normal/Standby state
• Normally not running (standby)
(standby), normally open
– Failed/Safe state
• Failed if not running,
g, or success requires
q valve to
stay open
Slide 61
Typical Component Failure Modes
• Active Components
– Fail to Start
– Fail to Run
– Fail
F il to O
Open/Close/Operate
/Cl /O
– Unavailability
• Test or Maintenance Outage
Slide 62
Typical Component Failure Modes
(
(cont.)
)
• Passive Components (Not always modeled in PRAs)

– Rupture
– Plugging (e.g., strainers/orifice)
– Fail
F il to R
Remain
i OOpen/Closed
/Cl d ((e.g., manuall valve)
l )
– Short (cables)
Slide 63
Component Boundaries
• Typically include all items unique to a specific component,

e.g.,
– Drivers for EDGs, MDPs, MOVs, AOVs, etc.
– Circuit breakers for pump/valve motors
– Need to be consistent with how data was collected
• That is,
is should individual piece parts be modeled
explicitly or implicitly
• For example, actuation circuits (FTS) or room
cooling (FTR)
Slide 64
Active Components
p Require
q “Support”
pp
• Signal needed to “actuate” component

– Safety Injection Signal starts pump or opens valve
– Operator action may be needed to actuate
• Support
S systems might
i h b
be required
i d ffor component to
function
– AC and/or DC power
– Service water or component water cooling
– Room cooling g
Slide 65
Definition of Dependent Failures
• Three general types of dependent failures:
– Certain initiating events ( e
e.g.,
g fires
fires, floods
floods, earthquakes
earthquakes, service water
loss) cause failure of multiple components
– Intersystem dependencies including:
• Functional dependencies (e.g., dependence on AC power)
• Shared-equipment
Shared equipment dependencies (e (e.g.,
g HPCI and RCIC share
common suction valve from CST)
• Human interaction dependencies (e.g., maintenance error that
disables separate systems such as leaving a manual valve
closed
l d iin th
the common suction
ti h header
d ffrom th
the RWST tto
multiple ECCS system trains)
– Inter-component dependencies (e.g., design defect exists in multiple
similar valves)
• The first two types are captured by event tree and fault
tree modeling; the third type is known as common cause
failure (i.e., the residual dependencies not explicitly
modeled) and is treated parametrically
Slide 66
Common Cause Failures (CCFs)
( )
• Conditions which may result in failure of more than one

component, t subsystem,
b t or system
t
• Concerns:
– Defeats redundancy and/or diversity
– Data suggest high probability of occurrence relative to
multiple
p independent
p failures
Slide 67
Common Cause Failure Mechanisms
• Environment
– Radioactivity
– Temperature
– Corrosive
C i environment
i
• Design deficiency
• Manufacturing error
• Test or Maintenance error
• Operational error
Slide 68
Two Common Fault Tree
Construction Approaches
pp
• “Sink to source”
– Start with system output (i (i.e.,
e system sink)
– Modularize system into a set of pipe segments (i.e.,
group
g p of components
p in series))
– Follow reverse flow-path of system developing fault
tree model as the system is traced
• Block diagram-based
– Modularize system into a set of subsystem blocks
– Develop
D l hihigh-level
hl l ffault
l tree llogic
i bbased
d on
subsystem block logic (i.e., blocks configured in
series or p
parallel))
– Expand logic for each block
Slide 69
Example - ECI
MV1
CV1
PA
T1
V1 MV2
PS--A
PS
Water
CV2
Source PB
MV3
PS--B
PS
Success Criteria: Flow from any one pump through any one MV
T_ tank
V manuall valve,
V_ l normally
ll open
PS-_ pipe segment
P_ pump
CV_ check valve
MV motor-operated
MV_ t t d valve,
l normally
ll closed
l d
Slide 70
ECI System Fault Tree –
“Sink to Source Method” (p
(page
g 1))
ECI fails to deliver
> 1 pump flow
ECI-TOP
No flow out of MV1 No flow out of MV2 No flow out of MV3
G-MV1 G-MV2 G-MV3

No flow out of pump No flow out of pump
MV1 fails closed segments MV2 fails closed segments
MV1 G- MV2 G-
PUMPS (page 1) PUMPS
No flow out of PS-A No flow out of PS-B MV3 fails closed No flow out of pump
segments
G-PSA G-PSB MV3 G-

PUMPS
(page 2) (not shown) (page 1)
Slide 71
(page
g 2))
No flow out
page 1
of PS-A
G-PSA
PS A fails
PS-A f il No flow out of V1
G-PSA-F G-V1
CV1 fails closed PA fails V1 fails closed T1 fails
CV1 PA V1 T1
Slide 72
(page
g 3))
PA fails
PA unavail
PA FTS PA FTR ECI Pump CCF
T or M
CCW-A fails EP-A fails A t A ffails

Act-A il
(Not Shown) (Not Shown) (Not Shown)
Slide 73
ECI System Fault Tree -
Block Diagram
g Method
ECI fails to deliver

> 1 pump flow
Injection lines fail Pump segments fail Suction lines fail
MV1 fails closed MV2 fails closed PS-B fails PS-A fails
V1 fails closed
MV3 ffails
il closed
l d
T1 fails
Slide 74
Boolean Fault Tree Reduction
• Express fault tree logic as Boolean equation

• Apply rules of Boolean algebra to reduce terms
• Results in reduced form of Boolean equation
Slide 75
Minimal Cutset
A group of basic event failures

(component failures and/or
human errors) that are
collectively necessary and
sufficient to cause the TOP
event to occur.
Slide 76
Fault Tree Pitfalls
• Inconsistent or unclear basic event names

– X*X = X, so if X is called X1 in one place and X2 in another place,
incorrect results are obtained
• Missing
g dependencies
p or failure mechanisms
– An issue of completeness
• Unrealistic assumptions
– Availabilityy of redundant equipment
q p
– Credit for multiple independent operator actions
– Violation of plant LCO
• Modelingg T&M unavailability
y can result in illegal
g
cutsets
• Putting recovery in FT might give optimistic results
• Logic loops
Slide 77
Results
• Sanity checks on cut sets

– Symmetry
• If Train-A failures appear, do Train-B failures also appear?
– Completeness
• Are all redundant trains/systems really failed?
• Are failure modes accounted for at component level?
– Realism
• Do cut sets make sense (i (i.e.,
e Train-A out for T&M ANDed with
Train-B out for T&M)?
– Predictive Capability
• If system model predicts total system failure once in 100 system
demands, is plant operating experience consistent with this?
Slide 78
Human Reliability
Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 80
Human Reliability Analysis
Purpose: This session will provide a generalized, high-level

introduction to the topic of human reliability and human
reliability
li bilit analysis
l i iin th
the context
t t off PRA
PRA.
Objectives: Provide students with an understanding of:

- The
Th goalsl off HRA andd iimportant
t t concepts
t andd iissues
- The basic steps of the HRA process in the context of PRA
- Basic aspects of selected HRA methods
Slide 81
HRA Purpose
Why Develop a HRA?

– PRA reflects the asas-built,
built as-operated
as operated plant
• HRA models the “as-operated” portion
Definition of HRA
– A structured approach used to identify potential
human failure events (HFEs) and to systematically
estimate
ti t the
th probability
b bilit off those
th errors using
i data,
d t
models, or expert judgment
HRA Produces
– Qualitative evaluation of the factors impacting human
errors and successes
– Human error probabilities (HEPs)
Slide 82
Human Reliability Analysis
• Starts with the basic premise that the humans can be

represented t d as either:.
ith
– A component of a system, or
– A failure mode of a system or component
component.
• Identifies and quantifies the ways in which human actions
initiate, propagate, or terminate fault & accident sequences.
• Human actions with both positive and negative impacts are
considered in striving for realism.
• A diffic
difficult
lt task in a PRA since need to understand
nderstand the plant
hardware response, the operator response, and the
accident progression modeled in the PRA.
Slide 83
Human Reliability Analysis Objectives
Ensure that the impacts of plant personnel actions are reflected in

the assessment of risk in such a way that:
a) both pre-initiating event and post-initiating event activities,
including those modeled in support system initiating event fault
trees, are addressed.
b) logic model elements are defined to represent the effect of such
personnel actions on system availability/unavailability and on
accident sequence development.
c) plant-specific and scenario-specific factors are accounted for,
including those factors that influence either what activities are of
interest or human performance.
d) human performance issues are addressed in an integral way so
that issues of dependency are captured
captured.
Ref.
Fire PRAASME RA-Sb-2005
Workshop 2011, San Diego CA and Jacksonville FL A Collaboration of U.S. NRC Office of Nuclear Regulatory
Slide 84
Modeling of Human Actions
• Human Reliability Analysis provides a structured

modeling process
• HRA process steps:
– Identification & Definition
• Human interaction identified, then defined for use in
the PRA as a Human Failure Event (HFE)
• Includes
I l d HFE categorization
t i ti as tto the
th type
t off action
ti
– Qualitative analysis of context & performance shaping
factors
– Quantification of Human Error Probability (HEP)
– Dependency
– Documentation
Slide 85
PRA Standard Requirements for HRA
ASME HRA High Level Requirements Compared

P I iti t
Pre-Initiator P t Initiator
Post I iti t
A – Identify HFEs E – Identify HFEs
B – Screen HFEs <blank>
C – Define HFEs F – Define HFEs

D – Assess HEPs G – Assess HEPs
<blank> H – Recovery HFEs
I – Document HFEs/HEPs
Slide 86
Categories Of Human Failure Events in
PRA
• Operator actions can occur throughout the accident sequence

– Pre-initiator
P i iti t errors (latent
(l t t errors, unrevealed)
l d) occur b
before
f
the initiating event.
• Mayy occur in or out of the main control room
• Failure to restore from test/maintenance
• Miscalibration
• Often captured in equipment failure data
• For HRA the focus is on equipment being left unavailable
or not working exactly right.
– Operator actions contribute or cause initiating events
• Usually implicitly included in the data used to quantify
initiating event frequencies.
f
Slide 87
Categories Of Human Failure Events in
PRA (cont’d)
( )
– Post-initiator errors occur after reactor trip. Examples:

• Operation of components that have failed to operate
automatically, or require manual operation.
• “Event
Event Tree top event”
event operator actions modeled in the
event trees (e.g., failure to depressurize the RCS in
accordance with the EOPs)
• Recovery actions for hardware failures (example - aligning
an alternate cooling system, subject to available time)
• Recovery
R actions
ti ffollowing
ll i crew ffailures
il ((example
l -
providing cooling late after an earlier operator action failed)
• Operation of components from the control room or locally.
Slide 88
Categorization & Definition of
Human Failure Events in PRA (cont’d)
( )
• Additional “category”, error of commission or aggravating errors of
commission typically out of scope of most PRA models
commission, models.
– Makes the plant response worse than not taking an action at all
• Within each operator action, there are generally, two types of error:
– Diagnostic error (cognition) – failure of detection, diagnosis, or
decision-making
– Execution error ((manipulation)) – failure to accomplish the critical
steps, once they have been decided, typically due to the
following error modes.
• Errors of omission ((EOO, or Skip) p) -- Failure to p
perform a
required action or step, e.g., failure to monitor tank level
• Errors of commission (EOC, or Slip) -- Action performed
y or wrong
incorrectly g action p
performed,, e.g.,
g , opened
p the wrong
g
valve, or turned the wrong switch.
Slide 89
Human Reliability Analysis is the
Combination of Three Basic Steps
Identification &
Qualitative Quantification
Definition
taxonomies
context from event trees Context from event trees & data availability
error producing conditions fault trees databases
cognitive error generic error models simulation
errors of commission performance shaping factors empirical approaches
From abo
aboutt 1980 on,
on some 38 different HRA methods ha have e
been developed - almost all centered on quantification.
There is no universally accepted HRA method (to date).
The context of the operator action comes directly from the
event trees and fault trees although some techniques have
recently ventured beyond.
Slide 90
Identification & Definition Process
• Identify Human Failure Events (HFEs) to be considered in

plant models.
p
– Based on PRA event trees, fault trees, & procedures.
• Includes front line systems & support systems.
– Often done in conjunction with the PRA modelers
(Qualitative screening)
– Normal Plant Ops-- Identify potential errors involving
miscalibration or failure to restore equipment by
observing test and maintenance, reviewing relevant
procedures and plant practices
• Guidelines for ppre-initiator q
qualitative screening
g
– Post-Trip Conditions-- Determine potential errors in
diagnosing and manipulating equipment in response to
various accident situations
Slide 91
Identification & Definition Process (cont.)
• PRA model identifies component/system/function failures

• HRA requires definition of supporting information, such as:
– for post-initiating events, the cues being used, timing and
th emergency operating
the ti procedure(s)
d ( )b being
i used. d
• ATHEANA – identify the “base case” for accident scenario
– Expected scenario – including operator expectations for the
scenario
– Sequence
q and timingg of p
plant behavior – behavior of p
plant
parameters
– Key operator actions
Slide 92
Identification Process (cont’d)
• Review emergency operating procedures to identify

potential human errors
• Flow chart the EOPs to identify critical decision points

and relevant cues for actions
• If possible, do early observations of simulator

exercises
• List human actions that could affect course of events

(
(qualitative
lit ti screening)
i )
Slide 93
Qualitative Analysis
• Context, a set of plant conditions based on the PRA model

– Initiating event & event tree sequence
• includes preceding hardware & operator successes/failures
– Cues, Procedure, Time window
• Qualitatively examine factors that could influence performance
(Performance Shaping Factors, PSFs) such as
- Training/experience - Scenario timing
- Clarity of cues - Workload
- Task complexity - Crew dynamics
- Environmental cond. - Accessibility
- Human
Human-machine
machine interface
- Management and organizational factors
- Note ATHEANA models “Error Forcing Context” consisting of plant
context & scenario
scenario-specific
specific factors that would influence operator
response.
Slide 94
Performance Shaping Factors (PSFs)
• Are people-, task-, environmental-centered

influences which could affect performance.
• Most HRA modeling techniques allow the analyst
to account for PSFs during their quantification
procedure.
• PSFs can Positively or Negatively impact human
error probabilities
• PSFs
PSF are identified
id tifi d andd evaluated
l t d in
i th
the
human reliability task analysis
Slide 95
Quantifying the Human Error Probability
• Quantifying is the process of

– selecting an HRA method then
– calculating the Human Error Probability for a HFE
• based on the qualitative assessment and
• based on the context definition.
• The calculation steps depend on the methodology being used.
• Data sources – the input data for the calculations typically comes
operator talk-throughs &/or simulations, while some methods the
data comes from databanks or expert judgment.
• The result is typically called a Human Error Probability or HEP
Slide 96
Levels of Precision
• Conservative (screening) level useful for

determining which human errors are the most
significant
f contributors to overall system error
• Those found to be potentially significant

contributors can be profitably analyzed in
greater detail ((which often lowers the HEP))
g
Slide 97
Screening
• Too many HFEs to do detailed quantification?

– Trying
T i tto reduce
d llevell off effort,
ff t resources
– Used during IPE era for initial model development
• ASME PRA Standard
– Pre-initiators: screening pre-initiators is addressed in
High Level Requirement HLR-HR-B
– Post-initiators: screening is not addressed explicitly as
a High Level Requirement
• Supporting requirement HR-G1 HR G1 limits the PRA to
Capability Category I if conservative/screening
HEPs used.
• Thus,
Thus screening is more appropriate to Fire PRA PRA.
Slide 98
Detailed Quantification
• Point at which you bring all the information you have

about each event
– PSFs, descriptions of plant conditions given the
sequence
– Results from observing simulator exercises
– Talk-throughs with operators/trainers
– Dependencies
D d i
• Quantification Methods
– Major problem is that none of the methods handle all
this information very well
• Assign HEPs to each event in the models
Slide 99
HRA Methods
• Attempt to reflect the following characteristics:

– plant behavior and conditions
– timing of events and the occurrence of human action cues
– parameter indications used by the operators and changes in
those parameters as the scenario proceeds
– time available and locations necessary to implement the
h
human actions
ti
– equipment available for use by the operators based on the
sequence
q
– environmental conditions under which the decision to act
must be made and the actual response must be performed
– degree
d off training,
t i i guidance,
id and
d procedure
d applicability
li bilit
Slide 100
Common HRA Methodologies in the USA
• Technique for Human Error Rate Prediction (THERP)

• Accident Sequence Evaluation Program (ASEP) HRA
Procedure
• Cause-Based Decision Tree (CBDT) Method

• Human Cognitive Reliability (HCR)/Operator Reliability
Experiments (ORE) Method
• Standardized Plant Analysis Risk HRA (SPAR-H) Method

• A Technique for Human Event Analysis (ATHEANA)
Slide 101
Caused Based Decision Tree (CBDT)
Method (EPRI)
Series of decision trees address potential causes of errors, produces HEPs based on
those decisions.
• Half of the decision trees involve the man-machine cue interface:
– Availability of relevant indications (location, accuracy, reliability of indications);
– Attention to indications (workload, monitoring requirements, relevant alarms);
– Data errors (location on panel, quality of display, interpersonal communications);
– Misleading data (cues match procedure, training in cue recognition, etc.);
• Half of the decision trees involve the man-procedure interface:
– Procedure format (visibility and salience of instructions, place-keeping aids);
– Instructional clarity (standardized vocabulary, completeness of information,
training provided);
– Instructional
I t ti l complexity
l it ((use off "not"
" t" statements,
t t t complex l use off "and"
" d" & "or"
" "
terms, etc.); and
– Potential for deliberate violations (belief in instructional adequacy, availability and
q
consequences of alternatives, etc.).
)
• For time-critical actions, the CBDT is supplemented by a time reliability correlation
Slide 102
EPRI HRA Calculator
• Software tool
• Uses SHARP1 as the HRA framework
• Post-initiator HFE methods:
– For diagnosis, uses CBDT (decision trees) and/or
HCR/ORE (time based correlation)
– For execution, THERP for manipulation
• Pre-Initiator HFE methods:
– Uses THERP and ASEP to quantify pre-initiator HFEs
Slide 103
ATHEANA
• Experience-based
Experience based (uses knowledge of domain
experts, e.g., operators, pilots, trainers,etc.)
• Focuses on the error-forcing g context
• Links plant conditions, performance shaping factors
(PSFs) and human error mechanisms
• Consideration of dependencies across scenarios
• Attempts to address PSFs holistically (considers
potential interactions)
• Structured search for problem scenarios and unsafe
actions
Slide 104
Dependencies
Dependency
p y refers to the extent to which failure or
success of one action will influence the failure or
success of a subsequent action.
1) Human interaction depends on the accident

scenario, including the type of initiating event
2)) Dependencies
p between multiple
p human actions
modeled within the accident scenario,
3) Human interactions performed during testing or
maintenance can defeat system
y redundancy,y,
4) Multiple human interactions modeled as a single
human interaction may involve significant
p
dependencies. ((from SHARP1))
Slide 105
HRA Process Summary
• Human Reliability Analysis provides a structured modeling process

• Human Interactions are incorporated as Human Failure Events in a
PRA, identification & definition finds the HFEs
• Post-initiator operator actions consist of:
– Qualitative analysis of Context and Performance Shaping Factors
• Operator action must be feasible (for example, sufficient time,
sufficient staff,, sufficient cues,, access to the area))
– Then Quantitative assessment (using an HRA method)
• Includes dependency evaluation
• Two Parts of the Each Human Failure Event (HFE)
– Operator must recognize the need/demand for the action
(cognition) AND
– Operator must take steps (execution) to complete the actions.
Slide 106
Data Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 108
Data Analysis
• Purpose: Students will be introduced to sources of

initiating event data; and hardware data and equipment
failure modes, including common cause failure, that are
modeled in PRAs.
• Objectives: Students will be able to:

– Understand parameters typically modeled in PRA and how
each is quantified.
– Understand what is meant by the terms
• Generic data
• Plant-specific
p data
• Bayesian updating
– Describe what is meant by common-cause failure, why it is
important, and how it is included in PRA
Slide 109
PRA Parameters
• Initiating Event Frequencies

• Basic Event Probabilities
– Hardware
• component reliability (fail to
start/run/operate/etc.)
• component unavailability (due to test or
maintenance)
– Common Cause Failures
– Human Errors (discussed in previous session)
Slide 110
Categories of Data
• Two basic categories of data: plant-specific and generic

• Some
S guidance
id on th
the use off each
h category:
t
– Not feasible or necessary to collect plant-specific data
for all components
p in a PRA ((extremelyy reliable
components may have no failures)
– Some generic data sources are non-conservative (e.g.,
LERS do not report all failures)
– Inclusion of plant-specific data lends credibility to the
PRA
– Inclusion of plant-specific data allows comparison of
plant equipment performance to industry averages
• Should use plant-specific
plant specific data whenever possible
possible, as
dictated by the availability of relevant information
Slide 111
Boundary Conditions and Modeling
Assumptions Affect Form of Data
• Clear understanding of component boundaries and

missions
i i needed
d d tto accurately
t l use raw d
data
t or generic
i
failure rates. For example:
– Do motor driven components include circuit breakers?
(Are CB faults included in component failure rate?)
• Failure mode being modeled also impacts type and form
of data needed to quantify the PRA.
– FTR – failures while operating and operating time
– FTS/FTO – failures
f il anddd
demandsd ((successes))
Slide 112
Data Sources for Parameter Estimation
• Generic data
• Plant-specific data
• Bayesian updated data
– Prior
P i didistribution
ib i
– Updated estimate
Slide 113
Generic Data Issues
• Key issue is whether data is applicable for the specific

plant being analyzed
– Most generic component data is mid-1980s or earlier
vintage
– Some IE frequencies known to have decreased over
the last decade
• Frequencies updated in NUREG/CRs 5750 and
5496
– Criteria for judging data applicability not well defined
(d nott forget
(do f t important
i t t engineering
i i considerations
id ti
that could affect data applicability)
– ASME PRA Standard requirements
q
Slide 114
Plant-Specific Data Sources
• Licensee Event Reports (LERs)

– Can also be source of generic data
• Post-trip SCRAM analysis reports
• Maintenance
M i reports and
d work
k orders
d
• System engineer files
• Control room logs
• Monthly operating status reports
• Test surveillance procedures
Slide 115
Plant-Specific
p Data Issues
• Combining data from different sources can result in:

– double counting of the same failure events
– inconsistent component boundaries
– inconsistent
i i d
definition
fi i i off “f
“failure”
il ”
• Plant-specific data is typically very limited
– small statistical sample size
• Inaccuracy and non-uniformity of reporting
– LER reporting rule changes
• Difficulty in interpreting “raw” failure data
– administratively declared inoperable, does not
necessarily equate to a “PRA” failure
Slide 116
Bayesian Methods Employed to
Generate Uncertainty
y Distributions
• Two motivations for using Bayesian techniques

– Generate probability distributions (classical
methods generally only produce uncertainty
i t
intervals,
l nott pdf’s)
df’ )
– Compensate for sparse data (e.g., no failures)
• In effect
effect, Bayesian techniques combine an initial
estimate (prior) with plant-specific data (likelihood
function) to produce a final estimate (posterior)
• However,
Ho e er Ba Bayesian
esian techniq
techniques
es rel
rely on (and
incorporate) subjective judgement
– different options for choice of prior distribution (i.e.,
the starting point in a Bayesian calculation)
Slide 117
Common Cause Failures (CCFs)
• Conditions which may result in failure of more than one

component, t subsystem,
b t or system
t
• Common cause failures are important since they:
– Defeats redundancy and/or diversity
– Data suggest high probability of occurrence relative to
multiple
p independent
p failures
Slide 118
Common Cause Failure Mechanisms
• Environment
– Radioactivity
– Temperature
– Corrosive
C i environment
i
• Design deficiency
• Manufacturing error
• Test or Maintenance error
• Operational error
Slide 119
Limitations of CCF Modeling
• Limited data, hence generic data often used

– Applicability issue for specific plant
• Screening values may be used
– Potential
P i l to skew
k the
h results
l
• Not typically modeled across systems since data is
collected/analyzed for individual systems
• Not typically modeled for divers components (e.g., motor-
driven pump/turbine-driven pump)
• Causes not explicitly modeled (i.e., each failure
mechanism not explicitly modeled)
Slide 120
Component Data Not Truly Time
Independent
p
• PRAs typically assume time-independence of component failure
rates
– One of the assumptions for a Poisson process (i.e., failures
in time)
• However,
H experience
i h
has shown
h aging
i off equipment
i td
does occur
– Failure rate () = (t)
– “Bathtub” curve
(t) Failure Rate
t
Burn-in
Burn in Maturity Wearout
Slide 121
Accident Sequence
Quantification
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 123
Purpose and Objectives
• Purpose
–P
Present elements
l off accident
id sequence
quantification and importance analysis and
introduce conceptp of pplant damage
g states
• Objectives
– Become familiar with the:
• process of generating and quantifying cut sets
• different importance measures typically calculated in
a PRA
• impact of correlation of data on quantification results
• definition of plant damage states
Slide 124
Prerequisites for Generating and
Quantifying
y g Accident Sequence
q Cut Sets
• Initiating events and frequencies

• Event trees to define accident sequences
• Fault trees and Boolean expressions
p for all
systems (front line and support)
• Data ((component
p failures and human errors))
Slide 125
Accident Sequence Quantification
((Fault-Tree Linking
g Approach)
pp )
• Link fault tree models on a sequence level using event

t
trees (i.e.,
(i generate
t sequence logic)
l i )
• Generate minimal cut sets (Boolean reduction) for each
sequence
• Quantify sequence minimal cut sets with data
• Eliminate inappropriate
pp p cut sets,, add operator
p recovery
y
actions, and requantify
• Determine dominant accident sequences
• Perform sensitivity, importance, and uncertainty analysis
Slide 126
Example Event Tree
#
T A-FAIL B-FAIL C-FAIL END-STATE-NAMES
1 OK
2 OK
3 CD
4 CD
ET-EXAMPLE - 2005/10/03 Page

g 3
Slide 127
Example Fault Trees
System A System
y B
Fails Fails
A-FAIL B-FAIL
B FAIL
Valve Y Pump 1 Fails Valve X Fails

Fails
5.000E-3 1.000E-3 5.000E-3

VALVE-Y PUMP-1 VALVE-X
Slide 128
Example Fault Trees (Concluded)
System
S t C
Fails
C-FAIL
Pump 1 Fails Valve Y Fails Pump 2 Fails
1.000E-3 5.000E-3 1.000E-3

PUMP-1 VALVE-Y PUMP-2
Slide 129
Generating Sequence Logic
• Fault trees are linked using sequence logic from event

t
trees. From
F the
th example l eventt tree
t two
t sequences are
generated:
– Sequence # 3: T * /A
/A-FAIL
FAIL * B
B-FAIL
FAIL * C
C-FAIL
FAIL
– Sequence #4: T * A-FAIL
Slide 130
Generate Minimal Cut Sets for Each
Sequence
q
• A cut set is a combination of events that cause the sequence to
occur
• A minimal cut set is the smallest combination of events that causes to
sequence to occur
• Cut sets are generated by “ANDing”
ANDing together the failed top event fault
trees, and then, if necessary, eliminating (i.e., deleting) those cut sets
that contain failures that would prevent successful (i.e.,
complemented) top events from occurring. This process of
elimination is called Delete Term
• Each cut set represents a failure scenario that must be “ORed”
together with all other cut sets for the sequence when calculating the
total frequency of the sequence
Slide 131
Sequence Cut Set Generation Example
• Sequence
q #3 logic
g is T * /A-FAIL * B-FAIL * C-FAIL
• ANDing failed top events yields
B-FAIL * C-FAIL = (PUMP-1 + VALVE-X) * (PUMP-1 *
VALVE-Y * PUMP-2)
= (PUMP-1 * PUMP-1 * VALVE-Y *
PUMP-2) + (VALVE-X * PUMP-1 *
VALVE-Y * PUMP-2)
= (PUMP-1
(PUMP 1 * VALVE-Y
VALVE Y * PUMP-2)
PUMP 2) +
(VALVE-X * PUMP-1 * VALVE-Y *
PUMP-2)
= PUMP-1 * VALVE-Y * PUMP-2
• Using Delete Term to remove cut sets with events that would fail top event
A-FAILS (i.e., VALVE-Y) results in the elimination of all cut sets
• Sequence #4 logic is T * A-FAIL, resulting in the cut set
T *VALVE-Y
*VALVE Y
Slide 132
Eliminating “Inappropriate” Cut Sets
• When solving fault trees to generate sequence cut sets it

i lik
is likely
l th
thatt “i
“inappropriate”
i t ” cutt sets
t will
ill b
be generated
t d
• “Inappropriate” cut sets are those containing invalid
combinations of events
events. An example would be:
– … SYS-A-TRAIN-1-TEST * SYS-A-TRAIN-2-TEST ….
• Typically
yp y eliminated byy searching g for combinations of
invalid events and then deleting the cut sets containing
those combinations
Slide 133
Adding “Recovery Actions” to Cut Sets
• Cut sets are examined to determine whether the function

associated with a failed event can be restored; thus “recovering”
from the loss of function
• If the function associated with an event can be restored, then a
“Recovery Action” is ANDed to the cut set to represent this
restoration
• The probability assigned to the “Recovery
Recovery Action”
Action will be the
probability that the operators fail to perform the action or actions
necessary to restore the lost function
•P
Probabilities
b biliti are derived
d i d either
ith from
f data
d t (e.g.,
( recovery off off-site
ff it
power) or from human reliability analysis (e.g., manually opening
an alternate flow path given the primary flow path is failed)
Slide 134
Dominant Accident Sequences
(
(Examples)
p )
Surry (NUREG-1150) Grand Gulf (NUREG-1150)
Seq Description % CDF Cum Seq Description % CDF Cum

1 Station Blackout (SBO) - Batt Depl. 26.0 26.0 1 Station Blackout (SBO) With HPCS And RCIC Failure 89.0 89.0
2 SBO - RCP Seal LOCA 13.1 39.1 2 SBO With One SORV, HPCS And RCIC Failure 4.0 93.0
3 SBO - AFW Failure 11 6
11.6 50.7 3 ATWS - RPS Mechanical Failure With MSIVs Closed, 33.00 96.0
4 SBO - RCP Seal LOCA 8.2 58.9 Operator Fails To Initiate SLC, HPCS Fails And
5 SBO - Stuck Open PORV 5.4 64.3 Operator Fails To Depressurize
6 Medium LOCA - Recirc Failure 4.2 68.5
7 Interfacing LOCA 4.0 72.5
8 SGTR - No Depress - SG Integ’ty Fails 3.5 76.0
9 Los s of MFW/AFW - Feed & Bleed Fail 2.4 78.4
10 Medium LOCA - Injection Failure 2.1 80.5
11 ATWS - Unfavorable Mod. Temp Coeff. 2.0 82.5
12 Large LOCA - Recirculation Failure 1.8 84.3
13 Medium LOCA - Injection Failure 1.7 86.0
14 SBO - AFW Failure 1.6 87 6
87.6
15 Large LOCA - Accumulator Failure 1.6 89.2
16 ATWS - Emergency Boration Failure 1.6 90.8
17 Very Sm all LOCA - Injection Failure 1.5 92.3
18 Small LOCA - Injection Failure 1.1 93.4
19 SBO - Battery Depletion 11
1.1 94.5
20 SBO - Stuck Open PORV 0.8 95.3
Slide 135
Importance Measures for Basic Events
• Provide a quantitative perspective on risk and sensitivity

off risk
i k to
t changes
h i iinputt values
in l
• Three are encountered most commonly:
– Fussell-Vesely
Fussell Vesely (F
(F-V)
V)
– Birnbaum
– Risk Reduction (RR)
– Risk Increase (RI) or Risk Achievement (RA)
Slide 136
Importance Measures
((Layman
y Definitions))
• Risk Achievement Worth (RAW)

– Relative risk increase assuming failure
• Risk Reduction Worth (RRW)
– Relative
R l i riski k reduction
d i assuming i perfect
f performance
f
• Fussell-Vesely (F-V)
– Fractional reduction in risk assuming perfect
performance
• Birnbaum
– Difference in risk between perfect performance and
assumed failure
Slide 137
Importance Measures
((Mathematical Definitions))
R = Baseline Risk
R(1) = Risk with the element always failed or unavailable
R(0) = Risk with the element always successful
RAW = R(1)/R or R(1) - R

RRW = R/R(0) or R - R(0)
F-V = [R-R(0)]/R
Birnbaum = R(1) – R(0)
Slide 138
Uncertainty
y Must be Addressed in PRA
• Uncertainty arises from many sources:

– Inability to specify initial and boundary conditions
precisely
• Cannot specify result with deterministic model
• Instead, use probabilistic models (e.g., tossing a coin)
– Sparse data on initiating events, component failures,
and human errors
– Lack of understanding of phenomena
– Modeling assumptions (e.g., success criteria)
– Modeling
M d li lilimitations
it ti ((e.g., iinability
bilit tto model
d l errors off
commission)
– Incompleteness (e.g., failure to identify system failure
mode)
d )
Slide 139
PRAs Identify Two Types of
Uncertainty
y
• Distinction between aleatory and epistemic uncertainty:

– “Aleatory” from the Latin Alea (dice), of or relating to
random or stochastic phenomena. Also called
“random
random uncertainty or variability.
variability ”
– “Epistemic” of, relating to, or involving knowledge;
cognitive. [From Greek episteme, knowledge]. Also
called “state-of-knowledge uncertainty.”
Slide 140
Aleatory
y Uncertainty
y
• Variability in or lack of precise knowledge about

underlying
d l i conditions
diti makes
k events t unpredictable.
di t bl S Suchh
events are modeled as being probabilistic in nature. In
PRAs, these include initiating g events, component
p failures,
and human errors.
• For example, PRAs model initiating events as a Poisson
process similar to the decay of radioactive atoms
process,
• Poisson process characterized by frequency of initiating
event,, usuallyy denoted byy parameter
p 
Slide 141
Epistemic
p Uncertainty
y
• Value of  is not known precisely
•C
Couldld model
d l uncertainty ti t off  using
t i t iin estimate i statistical
t ti ti l confidence
fid
interval
– Can’t propagate confidence intervals through PRA models
– Can’t interpret confidence intervals as probability
statements about value of 
• PRAs model lack of knowledge about value of  by assigning (usually
subjectively) a probability distribution to 
– Probability distribution for  can be generated using
B
Bayesian
i methods.
th d
Slide 142
Types of Epistemic Uncertainties
• Parameter
P t uncertainty
t i t
• Modeling uncertainty
– System success criteria
– Accident progression phenomenology
– Health effects models (linear versus nonlinear, threshold versus
non-threshold
non threshold dose-response
dose response model)
• Completeness
– Complex errors of commission
– Design and construction errors
– Unexpected failure modes and system interactions
– All modes of operation
p not modeled
Slide 143
Addressing Epistemic Uncertainties
• Parameter uncertainty addressed by propagating

parameter
t uncertainty
t i t di
distributions
t ib ti th
through
h model
d l
• Modeling uncertainty usually addressed through
sensitivity studies
– Research ongoing to examine more formal
approaches
• Completeness addressed through comparison with other
studies and peer review
– Some
S iissues ((e.g., d
design
i errors)) are simply
i l
acknowledged as limitations
– Other issues (e.g., errors of commission) are topics of
ongoing research
Slide 144
Prerequisites for Performing
a Parameter Uncertaintyy Analysis
y
• Cut sets for individual sequence or groups of

sequences (e.g., by initiator or total plant model)
exist
• Failure probabilities for each basic event,
including distribution and correlation information
(for those events that are uncertain or are
modeled as having uncertainty)
• Frequencies for each initiating event
event, including
distribution information
Slide 145
Performing A Parameter Uncertainty Analysis
• Select cut sets

• Select sampling strategy
– Monte Carlo: simple random sampling
process/technique
– Latin Hypercube: stratified sampling
p
process/technique
q
• Select number of observations (i.e., number of times a
variable’s distribution will be sampled)
• Perform calculation
Slide 146
Correlation: Effect on Results
• Correlating data produces wider uncertainty in results

– Without correlating a randomly selected high value will
usually be combined with randomly selected lower
values (and vice versa)
versa), producing an averaging effect
• Reducing calculated uncertainty in the result
– Mean value of p probability
y distributions that are skewed
right (e.g. lognormal, commonly used in PRA) is
increased when uncertainty is increased
Slide 147
LEVEL 2/LERF Analysis
LEVEL LEVEL LEVEL

1 2 3

Analysis and
Analysis
Quantif.
Meteorology
& & Model &
Population
Distribution
Emergency
Data Response
Analysis* Human
Reliability
Analysis* Pathways
Model

Effects
Economic
Eff t
Effects
Slide 149
Purpose and Objectives
• Purpose: Students receive a brief introduction to

accident progression (Level 2 PRA).
• Objectives: At the conclusion of this topic,
students will be able to:
– List
Li t primary
i elements
l t which
hi h comprise
i accident
id t
phenomenology
– Explain
p how accident pprogression
g analysis
y is
related to full PRA
– Explain general factors involved in
containment response
• Reference: NUREG/CR-2300, NUREG-1489
(App. C)
Slide 150
Level 2 PRA Risk Measures
• Current NRC emphasis on LERF

– Ri
Risk-informed
ki f dDDecision-Making
i i M ki ffor C Currently
tl OOperating
ti
Reactors
– Broader view expected
p for new reactors
• Some discussion of alternative risk acceptance criteria
– Goals for frequency of various release magnitudes
– Release often expressed in units of activity (not health
consequences)
• Full-scope
p Level 2 offers Complete
p Characterization of Releases
to Environment
– Frequency of large/small, early/late releases
Slide 151
LERF Definition
• A LERF definition is provided in the PSA Applications

G id
Guide:
Large, Early Release: A radioactive release from the
containment which is both large and early
early. Large is
defined as involving the rapid, unscrubbed release of
airborne aerosol fission products to the environment.
Early is defined as occurring before the effective
implementation of the off-site emergency response and
protective actions.
Slide 152
Level 2 PRA is a Systematic Evaluation of
Plant Response to Core Damage Sequences
LEVEL 2
RCS / Source Release

Containment Term Category
Response Analysis Character.
and
INPUT Analysis
Quantif. OUTPUT
Uncertainty Deterministic:
Accident Phenomena &
Analysis Sensitivity • Reactor transient
Sequences • Containment response
Analysis
• Core damage progression
• Fission product inventory
released to environment
Computer Logic
code models
calculations
l l ti Probabilistic:
Association of • Relative likelihood of
Engineering uncertainty with (confidence in) alternative
analyses probability
responses for each sequence
Application of Grouping of • Frequency of fission product
experimental data results release categories
Slide 153
Some Subtle Features of the
Level 2 PRA Process
• Level 2 Requires More Information than a Level 1 PRA
Generates
– Containment safeguards systems not usually needed to
determine ‘core damage’
– Level 1 event trees built from success criteria can ignore
status of front-line systems that influence extent of core
damage
• Event Trees Create Very Large Number of Scenarios
to Evaluate
– Grouping of similar scenarios is a practical necessity
• Quantification Involves Considerable Subjective
Judgment
– Uncertainty, Sensitivity and Uncertainty in Uncertainty
Slide 154
Additional Work is Often Required to Link
Level 1 Results to Level 2
Plant Damage State

(PDS) Analysis
Level-1 Sequence Level-2 Containment or
Event Tree Add containment Accident Progression
systems Event Tree (CET or APET)
OK
PDS1
Initiating CD PDS2
Event A OK
Source
PDSn
CD PDSx Terms
(Release
OK
Resolve status of Categories)
ignored systems
Initiating CD
Event B PDSi
CD
PDSj
Slide 155
Major Tasks:
• Plant Damage State (PDS) Analysis

– Link to Level 1
• Deterministic Assessments of Plant Response to
Severe Accidents
– Containment performance assessment
– Accident progression & source term analysis
• Probabilistic Treatment of Epistemic Uncertainties
– Account for phenomena not treated by computer codes
– Characterize relative probability of alternative outcomes
for uncertain events
• Couple
p Frequency
q y with Radiological
g Release
– Link to Level 3
Slide 156
Typical Steps in Level 2 Probabilistic Model
Initial plant Consolidated Accident progression / Conditional

Initiating Accident damage plant damage containment event tree Release consequence
Events sequences states states end states categories bins
(< 100) (millions) (50 to 100) (< 20) (104 to 106) (< 20) (< 20)
Frequency * Consequence
Combine Similar PDS

Accident progression /
ntegration
containment event trees
Process
(branch probabilities with

uncertainties)
Accident sequence
q
Binning P
Risk In
event trees
(event probabilities
from fault trees)
Stop
Screen on
Iterative truncation low frequency
10-10 ... 10-12 ...
to convergence
Sensitivity analysis & reconsideration of

low-frequency PDS with high consequences
LEVEL 1 LEVEL 1 -2 LEVEL 2 LEVEL 3

Interface
Slide 157
Schematic of Accident Progression Event Tree
Boundary Recovery of Core In-vessel Processes Ex-vessel Processes Final

Conditions: Prior to Vessel & Containment & Containment Outcome
Plant Damage States Breach Impact Impact
Large/Early
Release
Pressure Debris
in vessel coolability
coo ab ty Yes
Hydrogen
released? Yes No
System
Setpoint
Recovery of
injection Yes
No
High Yes
Inter- No No
mediate
Hydrogen
L
Low b rn before
burn
vessel
Yes
breach
No
Pressure
increase due to
H2 burn during
CCI gas generation
Source: NUREG-1150
Slide 158
Accident Progression Analysis
• There are 4 major steps in Accident Progression Analysis

– 1. Develop the Accident Progression Event Trees
(APETs)
– 2.
2 Perform structural analysis of containment
– 3. Quantify APET issues
– 4.
4 Group APET sequences into accident progression
bins
Slide 159
Containment Response
• How does the containment system deal with physical

conditions
diti resulting
lti ffrom th
the accident?
id t?
– Pressure
– Heat sources
– Fission products
– Steam and water
– Hydrogen
– Other non-condensables
Slide 160
Full Scope Level 2 PRA: Wide Range of Possible
Releases of Accidental Releases to Environment
95th
• Characterization of Releases 50th

10-6
dance
to the Environment of all
Types 5th
Frequenccy of exceed
10-7
– Large/Small
Late
– Early/Late
arly
0-8
10
Ea
– E
Energetic/Protracted
ti /P t t d
– Elevated/Ground level 10-9
• Frequency
q y of Each Type
yp
Describes Full Spectrum of
Releases Associated with 10x 10x+1 10x+2 10x+3
Core Damage Events Release magnitude
Slide 161
EPRI/NRC-RES
EPRI/NRC RES FIRE PRA
METHODOLOGY
Introduction and Overview: the Scope
andd Structure
S off PRA/Systems
PRA/S A
Analysis
l i
Module
Jeff LaChance – Sandia National Laboratories

Rick Anoba – Anoba Consulting Services
Services, LLC

What we’ll cover in the next four days
An overview…
• The purpose of this presentation is to provide an

Overview of the Module 2 – PRA/Systems Analysis
– Scope of this module relative to the overall methodology
• Which tasks fall under the scope of this module
– General structure of the each technical task in the documentation
– Quick introduction to each task covered by this module:
• Objectives
j of each task
• Task input/output
• Task interfaces
Fire PRA Training, 2011 San Diego CA and Jacksonville FL A Collaboration of U.S. NRC Office of Nuclear Regulatory
Module 1 PRA/Systems – Introduction and Overview Slide 2
Research (RES) & Electric Power Research Institute (EPRI)
Training Objectives
• Our intent:
– To deliver practical implementation training
– To illustrate and demonstrate key aspects of the procedures
• We expect and want significant participant interaction

– Class size should allow for questions and discussion
– We will take questions about the methodology
– We cannot answer questions about a specific application
– We will moderate discussions, and we will judge when the course
must move on
Recall the overall fire PRA structure
Module 2 covers the “blue” tasks
TASK 1: Plant Boundary & TASK 2: Fire PRA Component

Partitioning Selection
TASK 3: Fire PRA Cable

Selection
SUPPORT TASK A: Plant

W lk D
Walk Downs TASK 4:
4 Qualitative
Q lit ti Screening
S i TASK 5: Fire
Fire-Induced
Induced Risk
Model
TASK 6: Fire Ignition

Frequencies
SUPPORT TASK B: Fire PRA

Database TASK 7A: Quantitative TASK 12A: Post-Fire HRA:
Screening - I Screening
TASK 8: Scoping Fire Modeling Fire Analysis Module
PRA/System Module
TASK 7B: Quantitative
Screening - II Circuits Module
HRA Module
B Fire Analysis and Fire
Modeling Modules
Recall the overall fire PRA structure (2)
Module 2 covers the “blue” tasks
B
Detailed Fire Scenario Analysis
TASK 9: Detailed Circuit Failure

Analysis TASK 11: Detailed Fire Modeling
A. Single Compartment
B. Multi-Compartment
C. Main Control Room
TASK 10: Circuit Failure Mode &
Lik lih d A
Likelihood Analysis
l i
TASK 12B: Post fire HRA:

TASK 13: Seismic-Fire TASK 14: Fire Risk Quantification Detailed & recovery
Interactions
Fire Analysis Module
TASK 15: Uncertainty & PRA/System Module

Sensitivity Analyses
Circuits Module
TASK 16: Fire PRA HRA Module

Documentation
Fire Analysis and Fire
Modeling Modules
Each technical task has a common structure as
presented in the g
guidance document
1. Purpose
2 Scope
2.
3. Background information: General approach and
assumptions
4. Interfaces: Input/output to other tasks, plant and other
information needed, walk-downs
5. Procedure: Step-by-step instructions for conduct of the
technical task
6 References
6. R f
Appendices: Technical bases, data, examples, special models
or instructions, tools or databases
Scope of Module 1: PRA/Systems Analysis
• This module will cover all aspects of the plant systems

accident response modeling
modeling, integration of human actions
into the plant model, and quantification tasks
• Specific
p tasks covered are:
– Task 2: Equipment Selection
– Task 4: Qualitative Screening
– Task
T k 5:
5 Fire-Induced
Fi I d d Ri
Risk
kMModel
d l
– Task 7: Quantitative Screening
– Task 15: Risk Quantification
– Task 16: Uncertainty Analysis
Task 2: Equipment Selection (1 of 2) Module 1
• Objective: To decide what subset of the plant equipment will

be modeled in the FPRA
• FPRA equipment will be drawn from:

– Equipment from the internal events PRA
• We do assume that an internal events PRA is available!
– Equipment
q p from the Post-Fire Safe Shutdown analysis
y
• e.g., the Appendix R analysis or the Nuclear Safety Analysis under
NFPA-805
– Other “new” equipment
q p not in either of these analyses
y
Task 2: Equipment Selection (2 of 2) Module 1
• Many choices to be made in this task, many factors will

influence these decisions
– Fire-induced failures that might cause an initiating event
– Mitigating equipment and operator actions
– Fire-induced failures that adversely impact credited equipment
– Fire-induced failures that could lead to inappropriate
pp p or unsafe
operator actions
• Choices are important in part because “selecting” equipment

i li a b
implies burden
d tto Identify
Id tif and dTTrace cables
bl
– Cable selection is Task 3 (Module 2)…
Task 4: Qualitative Screening (1 of 2) Module 1
• Objective: To identify fire compartments that can be

screened out as insignificant risk contributors without
quantitative analysis
• This
Thi iis an Optional
O ti l task
t k
– You may choose to bypass this task which means that all fire
compartments will be treated quantitatively to some level of analysis
(level may vary)
Task 4: Qualitative Screening (2 of 2) Module 1
• Qualitative screening criteria consider:

– Trip initiators
– Presence of selected equipment
– Presence of selected cables
• Note that any compartment that is “screened out” in this step

is reconsidered in the multi-compartment
multi compartment fire analysis as a
potential source of multi-compartment fires
– See Module 3, Task 11c
Task 5: Fire-Induced Risk Model Module 1
• Objective: Construct the FPRA plant response model

reflecting:
– Functional relationships among selected equipment and operator
actions
• Covers both CDF and LERF
• Begins with internal events model but more than just a
“tweak”
tweak
– Adds fire unique equipment – various reasons/sources
– May delete equipment not to be credited for fire
– Adds fire-specific equipment failure modes
• e.g., spurious actuations (Task 9)
– Adds fire-specific
p human failure events ((Task 12))
Task 7: Quantitative Screening (1 of 2) Module 1
• Objective: To identify compartments that can be shown to be

insignificant contributors to fire risk based on limited
quantitative considerations
• This
Thi ttaskk is
i Optional
O ti l
– Analyst may choose to retain all compartments for more detailed
analysis
Task 7: Quantitative Screening (2 of 2) Module 1
• Screening may be performed in stages of increasing

complexity
• Consideration is given to:
– Fire ignition frequency
– Screening of specific fire sources as non-threatening (no spread, no
damage)
– Impact of fire-induced
fire induced equipment and cable failures
• conditional core damage probability (CCDP)
• A word of caution: quantitative screening criteria should
consider
id ththe PRA standard
t d d and dRReg. G
Guide
id 1 1.200
200
– 6850/1011989 criteria are obsolete, but approach is unchanged
Task 14: Fire Risk Quantification Module 1
• Objective: To quantify fire-induced CDF and LERF
• Covered in limited detail
• Relatively
R l ti l straight-forward
t i ht f d roll-up
ll f fire
for fi scenarios
i
considering
– Ignition
g frequency
q y
– Scenario-specific equipment and cable damage
– Equipment failure modes and likelihoods
– Credit
C dit for
f fire
fi mitigation
iti ti (d (detection
t ti andd suppression)
i )
– Fire-specific HEPs
– Quantification of the FPRA plant response model
Task 15: Uncertainty and Sensitivity Module 1
• Objective: Provide a process for identifying and quantifying

uncertainties in the FPRA and for identifying sensitivity
analysis cases
• Covered
C d iin lilimited
it d d
detail
t il
• Guidance is based on p potential strategies

g that might
g be
taken, but choices are largely left to the analyst
– e.g., what uncertainties will be characterized as distributions and
propagated through the model?
Any questions before we move on?
EPRI/NRC-RES
METHODOLOGY
Sample Plant Description
Joint RES/EPRI Fire PRA Workshop

A
August 2011,
2011 SSan Di
Diego, CA
November 2011, Jacksonville FL
Sample Problems / Sample Plant
• Fire PRA module will involve hands-on exercises

– Intent: To illustrate key aspects of the methodology through a
cohesive set of sample problems
• All exercises are built around a common sample plant – the

Simple Nuclear Power Plant (SNPP)
• The exercises are designed such that taking all modules

together presents a fairly complete picture of the FPRA
methodology
– Not every task is covered by the SNPP sample problems
– Not every aspect of covered tasks are illustrated
Fire PRA Training 2011, San Diego CA and Jacksonville FL A Collaboration of U.S. NRC Office of Nuclear Regulatory
Introduction and Overview Slide 2
The SNPP: Intent and Approach
• The SNPP is not intended to reflect either regulatory

compliance or good engineering practice
– It is purely an imaginary construct intended to highlight key aspects
of the methodology – nothing more!
• The SNPP has been kept as simple as possible while still

serving the needs of the training modules
• Aspects of the plant are assumed for purposes of the

training exercises, e.g.:
– BOP equipment not covered in detail
– Some systems are assumed to remain available
The SNPP: Plant Characteristics
• PWR with one primary coolant loop

– One steam ggenerator, one RCP, one p
pressurizer
– Chemical volume control/high-pressure injection system
– Residual heat removal system
• Secondary side includes:

– Main steam and feedwater loop for the single steam generator (not modeled)
– Multiple train auxiliary feedwater system to provide decay heat removal
• Support systems includes:

– CCW (not modeled)
– Instrument air
– AC and DC power
– Instrumentation
• See Chapter
p 2 for complete
p p
plant description
p
The SNPP: Primary Systems P&ID
The SNPP: Secondary Systems P&ID
The SNPP: Electrical One-Line Diagram
The SNPP: General Plant Layout - Plan
The SNPP: Plant Layout – Elevation
y Building
Containment and Auxiliary g
The SNPP: Aux. Bld. – RHR Pump Room
The SNPP: Aux. Bld. – Charging Pump Rm.
The SNPP: Aux. Bld. – Switchgear Rooms
The SNPP: Aux. Bld. – Cable Spreading Rm.
The SNPP: Aux. Bld. – Main Control Room
The SNPP: Turbine Building
The SNPP: Main Control Board Layout
EPRI/NRC-RES FIRE PRA
METHODOLOGY
Task 2 - Fire PRA Component Selection
Jeff LaChance – Sandia National Laboratories

Rick Anoba – Anoba Consulting Services, LLC

Component Selection
Purpose
p (per
(p 6850/1011989))
• Purpose: describe the procedure for selecting plant

components to be modeled in a Fire PRA
• Fire PRA Component List
– Key source of information for developing Fire PRA
Model (Task 5)
• Used to identify cables that must be located (Task 3)
• Process is iterative to ensure appropriate agreement
among fire PRA Component List, Fire PRA Model, and
cable identification
Slide 2
Task 2: Component Selection Research (RES) & Electric Power Research Institute (EPRI)
Corresponding PRA Standard Element
• Primary match is to element ES - Equipment Selection

– ES Objective (as stated in the PRA standard):
Select plant equipment that will be included/credited in
“Select
the fire PRA plant response model.”
Slide 3
HLRs (per the PRA Standard)
• HLR-ES-A: The Fire PRA shall identify equipment whose failure

caused by y an initiating
g fire including
g spurious
p operation
p will
contribute to or otherwise cause an initiating event (6 SRs)
• HLR-ES-B: The Fire PRA shall identify equipment whose failure
including spurious operation would adversely affect the
operability/functionality of that portion of the plant design to be
credited in the Fire PRA (5 SRs)
• HLR-ES-C: The Fire PRA shall identify instrumentation whose
failure includingg spurious
p operation
p would impact
p the reliability
y of
operator actions associated with that portion of the plant design to
be credited in the Fire PRA (2 SRs)
• HLR-ES-D: The Fire PRA shall document the fire PRA equipment
selection including that information about the equipment
selection,
necessary to support the other fire PRA tasks (e.g. equipment
identification, equipment type, normal, desired, failed states of
equipment) in a manner that facilitates fire PRA applications,
upgrades, and peer review (1 ( SR)
S )
Slide 4
Task 2: Fire PRA Component Selection
Scope (per 6850/1011989)
Fire PRA Component List should include the following major

categories of equipment:
• Equipment whose fire-induced failure (including spurious
actuation) causes an initiating event
• Equipment needed to perform mitigating safety functions
and to support operator actions
• Equipment whose fire-induced failure or spurious actuation
may adversely impact credited mitigating safety functions
• Equipment whose fire-induced failure or spurious actuation
may cause inappropriate or unsafe operator actions
Slide 5
Component Selection
Approach
pp (per
(p 6850/1011989))
• Step 1: Identify Internal Events PRA sequences to include in fire PRA Model
(necessary for identifying important equipment)
• Step 2: Review Internal Events PRA model against the Fire Safe Shutdown
(SSD) Analysis and reconcile differences in the two analyses (including circuit
analysis approaches)
• Step 3: Identify fire-induced initiating events based on equipment affected
• Step 4: Identify equipment subject to fire-induced spurious operation that

may challenge the safe shutdown capability
• Step 5: Identify additional mitigating

mitigating, instrumentation
instrumentation, and diagnostic
equipment important to human response
• Step 6: Include “potentially high consequence” related equipment
• Step 7: Assemble the Fire PRA Component List

Slide 6
Component Selection
General Observations
• Two major sources of existing information are used to generate the Fire PRA
Component List:
• Internal
I lEEvents PRA model
d l
• Fire Safe Shutdown Analysis (Appendix R assessment)
• Just “tweaking” your Internal Events PRA is probably NOT sufficient –
requires additional effort
– Consideration of fire-induced spurious operation of equipment
– Potential for undesirable operator actions due to spurious alarms/indications
– Additional operator actions for responding to fire (e.g., opening breakers to prevent
spurious operation)
• Just crediting Appendix R components may NOT be conservative
– True that all other components in Internal Events PRA will be assumed to fail, but:
• Mayy be missing g components
p with adverse risk implications
p ((e.g.,
g event
initiators or complicatd SSD response)
• May miss effects of non-modeled components on credited (modeled)
systems/components and on operator performance
• Still need to consider non-credited
non credited components as sources of fires
Slide 7
Overview of Scope
p
In Appendix R
In Internal Events PRA
CDF/LERF vs.
New* analysis resources
tradeoff
d ff
* - multiple spurious
- new sequences
In Fire PRA
perhaps not all
of Appendix R
New*
not all
internal event
sequences
Slide 8
Assumptions
The following assumptions underlie this procedure:

• A good quality Internal Events PRA and Appendix R Safe Shutdown
(SSD) analysis are available
• Analysts have considerable collective knowledge and understanding of

plant systems, operator performance, the Internal Events PRA, and
Appendix R SSD analysis
• Steps 4 thru 6 are applied to determine an appropriate number of

spurious actuations to consider
– Configurations
Configurations, timing
timing, length of sustained spurious actuation
actuation, cable
material, etc., among reasons to limit what will be modeled
– Note that HS duration is a current FAQ topic…
Slide 9
From: Lessons Learned and Insights
p
In-process FAQs
Q …
• FAQ 08-0051
- Issue:
• The guidance does not provide a method for estimating the
duration of a hot short once formed
• This could be a significant factor for certain types of plant
equipment
i t that
th t will
ill return
t tto a “f
“failil safe”
f ” position
iti if th
the h
hott short
h t iis
removed or if MSO concurrence could trigger adverse impacts
– General approach to resolution:
• Analyze the cable fire test data to determine if an adequate basis
exists to establish hot short duration distributions
– Status:
• Approved,
Approved but limited to AC hot shorts only
• Will be revisited with lessons learned from DESIREE-FIRE test
results for DC hot shorts
Slide 10
Inputs/Outputs
p p
Task inputs and outputs:

• Inputs from other tasks: equipment considerations for operator actions
from Task 12 (Post-Fire HRA)
• Inputs from the MSO Expert Panel Reviews
• Could use inputs from other tasks to show equipment does not have to
be modeled (e.g., Task 9 – Detailed Circuit Analysis or Task 11 - Fire
Modelingg to show an equipment
q p item cannot spuriously
p y fail or be
affected by possible fires)
• Outputs to Task 3 (Cable Selection) and Task 5 (Risk Model)
• Choices made in this task set the overall analysis scope
Slide 11
Steps
p In Procedure/Details
Step 1: Identify sequences to include and exclude from Fire PRA

• Some sequences can generally be excluded
– Sequences requiring passive/mechanical failures that can not be initiated by
fires (e.g., pipe-break LOCAs, SGTR, vessel rupture)
– Sequences
q that can be caused by
y a fire but are low frequency
q y ((e.g.,
g ATWS))
– It may be decided to not model certain systems (i.e., assume failed for Fire
PRA) thereby excluding some sequences (e.g., main feedwater as a mitigating
system not important)
• Possible additional sequences (recommend use of expert panel to
address plant specific considerations)
– Sequences associated with spurious operation (e.g., vessel/SG overfills,
p g, letdown or other p
PORV opening, pressure/level control anomalies))
– MCR abandonment scenarios and other sequences arising from Fire
Emergency Procedures (FEPs) and/or use of local manual actions
• Corresponding PRA Standard SRs: PRM

PRM-B5,B6
B5 B6
Slide 12
Steps
Step 2: Review the internal events PRA model against the fire safe
shutdown analysis
• Identify and reconcile:
– differences in functions, success criteria, and sequences (e.g., Appendix R - no
f d/bl d PRA - feed/bleed)
feed/bleed; f d/bl d)
– front-line and support system differences (e.g., App. R - need HVAC; PRA - do
not need HVAC)
– system and equipment differences due to end state and mission considerations
(e.g., App. R - cold shutdown; PRA - hot shutdown)
– other miscellaneous equipment
q p differences.
• Include review of manual actions (e.g., actions needed for safe shutdown) in
conjunction with Task 12 (HRA)
• Corresponding PRA Standard SRs: ES
ES-A3(a),
A3(a) ES-B1,B3
ES B1 B3
Slide 13
Steps
Step 3: Identify fire-induced initiating events based on

equipment affected
• Consider equipment whose failure (including spurious actuation) will
cause automatic plant trip
• Consider equipment whose failure (including spurious actuation) will likely
result in manual plant trip, per procedures
• Consider equipment whose failure (including spurious actuation) will
invoke Technical Specification Limiting Condition of Operation (LCO)
necessitating a forced shutdown while fire may still be present (prior EPRI
guidance recommended consideration of <8 hr LCO))
g
• Compartments with none of the above need not have initiator though can
conservatively assume simple plant trip
• Corresponding PRA Standard SRs: ES-A1,A3 & PRM-B3,B4,B5,B6
Slide 14
Steps
• Since not all equipment/cable locations in the plant (e.g., all Balance of
Plant systems) may be identified, judgment involved in identifying ‘likely’
likely
cable paths
– Need a basis for any case where routing is not verified
– Routing by exclusion (e.g., from a fire area, compartment,

raceway…) is a common and acceptable approach
• Should consider spurious event(s) contributing to initiators
• Related PRA standard SR: CS

CS-A11
A11
Slide 15
Steps
Instrument
Air
Compartment Compartment Compartment
Compressor
XX YY ZZ
Cables jjudged
g
Compartment Compartment to be here
AA BB
Compartment
C t t Compartment
C t t MCC
MCCs
CC DD
Fires cause loss of

i
instrument air
i Fires assumed to cause loss of Fires assumed to cause loss
instrument air of MCC(s) & subsequent
effects (including loss of
instrument air)
Slide 16
Steps
Step 4: Identify equipment whose spurious actuation may

challenge the safe shutdown capability
• Examine multiple spurious events within each system considering
success criteria
– PRA standard has specific requirements for multiple spurious
• Review system P&IDs, electrical single lines, and other drawings
• Review/Incorporate PRA related scenarios identified by the MSO Expert
Panel to identify new components/failure modes
• Review Internal Events System Notebooks to identify components/failure
modes screened based on low probability combinations
Slide 17
Steps
Step 4: Identify equipment whose spurious actuation may

challenge
h ll th
the safe
f shutdown
h td capability
bilit (C
(Continued)
ti d)
• Be aware of any failure combinations that could cause or contribute to
an initiating
g event.
• Any new failure combinations that could cause or contribute to an
initiating event should be addressed in Step 3.
• Any new equipment/failure modes should be added to component list
for subsequent cable-tracing and circuit analysis
• Corresponding PRA Standard SRs: ES-B2,B3
ES B2,B3
Slide 18
Flow Diversion Path Examples
p
from main to diversion takes 2 spurious

flowpath path hot shorts to
open diversion
Div A MOV Div B MOV path
Included in model
takes 1 spurious
to diversion hot short &
from main path
th
flowpath failure of check
Div A MOV valve to open
CheckValve diversion path
Screened from model

if not potential high
consequence event
Slide 19
p of a New Failure Mode of a Component
Example p
App. R ensures MSIVs
will close / remain closed
Containment so as to isolate vessel1
Main Steam Line

Reactor
Vessel
Inboard MSIV Outboard MSIV
Fire PRA concerned with

MSIVs closing / remaining
closed AND will not
spuriously close when want
valves to remain open so as to
use condenser as heat sink1
1
different cables and corresponding
circuits and analyses may need to
be accounted for
Slide 20
p
MSO Expert Panel
• This approach complements but is not part of the published

consensus methodology (6850/1011989)
Reference Documents
• NEI 00-01, Revision 2, “Guidance for Post-Fire Safe Shutdown Circuit
Analysis”, May 2009
Analysis
Focused on use of the generic list of MSOs provided in Appendix G,
and the guidance provided in Section 4.4, “Expert Panel Review of
MSOs”
• NEI 04-02 Frequently Asked Question (FAQ) 07-0038, Lessons Learned on
Multiple Spurious Operations
• WCAP-16933-NP, Revision 0, “PWR Generic List of Fire-Induced Multiple
Spurious Operation Scenarios
Scenarios”, April 2009
• NRC Regulatory Guide 1.205, Risk-Informed, Performance-Based Fire
Protection for Existing Light-Water Nuclear Power Plants, Revision 1,
December 2009
Slide 21
p
MSO Expert Panel
Purpose
• Perform a systematic and complete review of credible
spurious and MSO scenarios, and determine whether or
not each individual scenario is to be included or excluded
from the plant specific list of MSOs to be considered in
the plant specific post-fire Fire PRA and Safe Shutdown
Analysis (SSA).
• Involves group “what-if” discussions of both general and
specific scenarios that may occur.
Slide 22
p
MSO Expert Panel
Expert Panel Membership:

• Fire Protection
• Fire Safe Shutdown Analysis: This expert should be
familiar with the SSA input to the expert panel and with
the SSA documentation for existing spurious operations.
• PRA: This expert should be familiar with the PRA input to
th expertt panel.
the l
• Operations
• System Engineering
• Electrical Circuits
Slide 23
p
MSO Expert Panel
Process Overview
• Process is based on a diverse review of the Safe
Shutdown Functions. Panel focuses on system and
component
p interactions that could impact
p nuclear safety
y
• Review and discuss the potential failure modes for each
safe shutdown function
• Identify
Id tif MSO combinations
bi ti th
thatt could
ld d
defeat
f t safe
f
shutdown through those failure mechanisms
• Outputs are used in later tasks to identify cables and
potential locations where vulnerabilities could exist
• MSOs determined to be potentially significant may be
added
dd d tot the
th PRA model d l and
d SSA
Slide 24
p
MSO Expert Panel
Supporting Plant Information for Reviews

• Flow Diagrams
• Control Wiring Diagrams
• Single and/or Three Line Diagrams
• Safe Shutdown Logic Diagrams
• PRA Event Sequence Diagrams
• Post-Fire Safe Shutdown Analysis
• Fire PRA models, analyses
y and cut-sets
• Plant operating experience
Slide 25
p
MSO Expert Panel
MSO Selection
• Review existing Safe Shutdown Analysis (SSA) list
• Expand existing MSO’s to include all possible component
failures
• Verify SSA assumptions are maintained
• Review g generic list of MSO’s ((NEI 00-01 Revision 2,
Appendix G)
• Screen MSO’s that do not apply to your plant (i.e.,
components or system do not exist)
Slide 26
p
MSO Expert Panel
MSO Selection (Continued)

• Place all non-screened MSO’s on plant specific list of
MSO’s
• Evaluate each MSO to determine if it can be screened
due to design or operational features that would prevent it
from occurring (i.e., breaker racked out during normal
operation)
• Review the generic MSO list for similar or additional
MSO’s
• Develop and evaluate list of new MSO’s
Slide 27
p
MSO Expert Panel
MSO Development
• Identify MSO combinations that could defeat safe
shutdown through the previously identified failure
mechanisms
The panel will build these MSO combinations into fire
scenarios to be investigated
Th scenario
The i ddescriptions
i ti th
thatt result
lt should
h ld iinclude
l d
the identification of specific components whose failure
or spurious operation would result in a loss of a safe
shutdown function or lead to core damage
Slide 28
p
MSO Expert Panel
MSO Development (Continued)

• The expert panel systematically reviews each system
(P&IDs, etc) affecting safe shutdown and the core, for the
following
g Safe Shutdown Functions:
Reactivity Control
Decay Heat Removal
Reactor Coolant
Inventory Control
P
Pressure C t l
Control
Process Monitoring
Support Functions
Slide 29
p
MSO Expert Panel
Typical Generic PWR MSOs
Scenario Description
oss o
Loss of a
all RCP
C Spu ous isolation
Spurious so a o o of sea
seal injection
jec o header
eade flow,
o , AND
Seal Cooling Spurious isolation of CCW flow to Thermal Barrier Heat
Exchanger (TBHX)
RWST Drain Spurious opening of multiple series containment sump

Down via valves
Containment
Sump
Slide 30
p
MSO Expert Panel
Typical Generic BWR MSOs
RPV coolant drain through the Scram MSO opening of the solenoid valves
Di h
Discharge V
Volume
l (SDV) ventt and
d which
hi h supply
l control
t l air
i tto th
the air
i
drain operated isolation valves
Spurious Operations that creates RHR flow can be diverted to the

RHR Pump Flow Diversion from containment through the RHR Torus
RHR/LPCI, including diversion to the or Suppression Pool return line
Torus or Suppression Pool. isolation valves (E11-F024A, B and
E11-F028A, B).
Slide 31
p
MSO Expert Panel
Outputs and Documentation

• Plant specific list of MSO’s
• MSO Expert Panel Review Report
• The MSO Expert Panel is a living entity and the Plant
Specific list of MSO’s is a living document
• MSO components
p that could have PRA impact
p are
addressed in Task 2
• MSO scenarios that have PRA impact are addressed in
Task 5.
5
Slide 32
Steps
p In Procedure/Details (per
(p 6850/1011989))
Step 5: Identify additional instrumentation/diagnostic equipment important

to operator
p response
p ((level of redundancy
y matters!))
• Identify human actions of interest in conjunction with Task 12 (HRA)
• Identify instrumentation and diagnostic equipment associated with credited and
potentially
p y harmful human actions consideringg spurious
p indications related to
each action
– Is there insufficient redundancy to credit desired actions in EOPs/FEPs/ARPs in spite
of failed/spurious indications?
– Can a spurious indication(s) cause an undesired action because action is dependent
on an indication that could be ‘false’?
– If yes – put indication on component list for cable/circuit review
• W
Watch
t h for
f new/expanded
/ d d guidance
id tto be
b ddeveloped
l dbby th
the RES/EPRI fire
fi HRA
collaboration…
• Corresponding
C di PRA St
Standard
d d SR
SRs: ES
ES-C1,C2
C1 C2
Slide 33
Steps
Guidance on identification of harmful spurious operating

instrumentation and diagnostic equipment:
• Assume instrumentation is in its normal configuration
• Focus on instrumentation with little redundancy
– Note that fire PRA standard has language
g g on this subject
j ((i.e., verification
of instrument redundancy in fire context)
• When verification of a spurious indication is required (and reliably performed),
it may be eliminated from consideration
• When multiple and diverse indications must spuriously occur, those failures
can be eliminated if the HRA shows that such failures would not likely cause
a harmful operator action
• Include spurious operation of electrical equipment that would cause a faulty
indication and harmful action
• Include inter-system effects
Slide 34
Steps
Step 6: Include “potentially high consequence” related equipment

• High consequence events are one or more related failures at least partially
caused by fire that:
– by themselves cause core damage and large early release, or
– single
g component
p failures that cause loss of entire safety
y function and lead directly
y to
core damage
• Example of first case: spurious opening of two valves in high-pressure/low
pressure RCS interface, leading to ISLOCA
• Example of second case: spurious opening of single valve that drains safety
injection water source
• Corresponding PRA Standard SR: ES-A6
Slide 35
Steps
Step 7: Assemble Fire PRA component list. Should include following

information:
• Equipment ID and description (may be indicator or alarm)
• System designation
• Equipment type and location (at least compartment ID)
• PRA event ID and description
• Normal and desired position/status
• Failed electrical/air position
• References, comments, and notes
• Note: development of an actual/physical fire PRA component list is not a

requirement of the PRA Standard
Slide 36
Sample Problem Exercise for Task 2, Step 1
• Distribute blank handout for Task 2, Step 1
• Distribute completed handout for Task 2, Step 1
• Question and Answer Session
Slide 37
Sample Problem Exercise for Task 2, Steps 2
and 3
• Distribute completed handout for Task 2, Step 2 Question

and
dA Answer SSession
i
• Discuss Step 3
Slide 38
Sample Problem Exercise for Task 2, Steps 4
g 6
through
• Distribute blank handout for Task 2, Steps 4 through 6
• Distribute completed
p handout for Task 2, Steps
p 4 through
g 6
Slide 39
Sample Problem Exercise for Task 2, Step 7
• Distribute completed handout for Task 2, Step 7
Slide 40
Mapping HLRs & SRs for the ES technical
element to NUREG/CR-6850,, EPRI TR 1011989
Technical HLR SR 6850/1011989 Comments
element sections that
cover SR
ES A The Fire PRA shall identifyy equipment
q p whose failure caused byy an initiating
g fire including
g spurious
p
operation will contribute to or otherwise cause an initiating event.
1 2.5.3
2 3.5.3 Covered in “Cable Selection” chapter
3 2.5.3
4 2.5.1, 2.5.4
5 254
2.5.4
6 2.5.6
B The Fire PRA shall identify equipment whose failure including spurious operation would
adversely affect the operability/functionality of that portion of the plant design to be credited in the
Fire PRA.
1 2.5.2
2 2.5.4
3 5.5.1 Covered in “Fire-Induced Risk Model” chapter
4 3.5.3 Covered in “Cable Selection” chapter
5 n/a Exclusion based on probability is not covered in 6850/1011989
C The Fire PRA shall identify instrumentation whose failure including spurious operation would
impact
p the reliabilityy of operator
p actions associated with that p
portion of the p
plant design
g to be
credited in the Fire PRA.
1 2.5.5
2 2.5.5
D The Fire PRA shall document the Fire PRA equipment selection, including that information about
the equipment necessary to support the other Fire PRA tasks (e.g., equipment identification;
equipment type; normal
normal, desired
desired, failed states of equipment; etc
etc.)) in a manner that facilitates Fire
PRA applications, upgrades, and peer review.
1 n/a Documentation not covered in 6850/1011989
Slide 41
EPRI/NRC-RES
METHODOLOGY
Task 5 - Fire-Induced Risk Model

Development

Fire PRA Risk Model
Purpose
p (per
(p 6850/1011989))
• Purpose: describe the procedure for developing the Fire

PRA model to calculate CDF,
CDF CCDP
CCDP, LERF
LERF, and CLERP
for fire ignition events.
• Fire Risk Model
– Key input for Quantitative Screening (Task 7)
• Used to quantify CDF/CCDP and LERF/CLERP
• Process is iterative to ensure appropriate agreement
among fire PRA Component List, Fire PRA Model, cable
identification, and quantitative screening
Fire PRA Workshop2011, San Diego CA and Jacksonville FL A Collaboration of U.S. NRC Office of Nuclear Regulatory
Slide 2
Task 5 - Fire
Fire--Induced Risk Model Development Research (RES) & Electric Power Research Institute (EPRI)
Fire PRA Risk Model
Corresponding
p g PRA Standard Element
• Primary match is to element PRM - Equipment Selection

– PRM Objectives (as stated in the PRA standard):
“(a) to identify the initiating events that can be caused
by a fire event and develop a related accident
sequence model. (b) to depict the logical relationships
among equipment failures (both random and fire
induced) and human failure events (HFEs) for CDF
and LERF assessment when combined with the
initiating event frequencies.”
Slide 3
Task 5 - Fire
Fire PRA Risk Model
HLRs (p
(per the PRA Standard))
• HLR-PRM-A: The Fire PRA shall include the Fire PRA plant
response
p model capable
p of supporting
pp g the HLR requirements
q of
FQ.
• HLR-PRM-B: The Fire PRA plant response model shall include
fire-induced initiating events, both fire induced and random
failures of equipment
equipment, fire-specific
fire specific as well as non
non–fire-related
fire related
human failures associated with safe shutdown, accident
progression events (e.g., containment failure modes), and the
supporting probability data (including uncertainty) based on the
SR provided
SRs id d under
d thithis HLR ththatt parallel,
ll l as appropriate,
i t PPartt 2
of this Standard, for Internal Events PRA.
• HLR-PRM-C: The Fire PRA shall document the Fire PRA plant
response model in a manner that facilitates Fire PRA applications
applications,
upgrades, and peer review.
Slide 4
Task 5 - Fire
Fire PRA Risk Model
Scope
p (per
(p 6850/1011989))
• Task 5: Fire-Induced Risk Model Development
– Constructing the PRA model
– Step 1–Develop the Fire PRA CDF/CCDP Model

Model.
– Step 2–Develop the Fire PRA LERF/CLERP Model
Slide 5
Task 5 - Fire
Fire PRA Risk Model
General Comment/Observation
• Task 5 does not represent any changes from past

practice but what is modeled is largely based on Task 2
practice,
with HRA input from Task 12
• Bottom line – just “tweaking” your Internal Events PRA is

probably NOT sufficient
Slide 6
Task 5 - Fire
Task 5: Fire Risk Model Development
General Objectives
j
Purpose: Configure the Internal Events PRA to provide fire

risk metrics of interest (primarily CDF and LERF).
• Based on standard state-of-the-art PRA practices
• Intended to be applicable for any PRA methodology or
software
• Allows user to quantify CDF and LERF
LERF, or conditional
metrics CCDP and CLERP
• Conceptually, nothing “new”
new here – need to “build
build the PRA
model” reflecting fire induced initiators, equipment and
failure modes, and human actions of interest
Slide 7
Task 5 - Fire
Inputs/Outputs
Task inputs and outputs:

• Inputs from other tasks: [Note: inclusion of spatial
information requires cable locations from Task 3]
– S
Sequence considerations,
id ti iinitiating
iti ti eventt considerations,
id ti and
d
components from Task 2 (Fire PRA Component Selection),
– Unscreened fire compartments from Task 4 (Qualitative Screening),
– HRA events from Task 12 (Post-Fire HRA)
• Output
p to Task 7 ((Quantitative Screening)
g) which will further
modify the model development
• Can always iterate back to refine aspects of the model
Slide 8
Task 5 - Fire
Steps
p in Procedure
Two major steps:
• Step 1: Develop CDF/CCDP model
• Step
p 2: Develop
p LERF/CLERP model
Slide 9
Task 5 - Fire
Steps in Procedure/Details
Step 1 (2): Develop CDF/CCDP (LERF/CLERP) models
Step 1.1 (2.1): Select fire-induced initiators and sequences

and incorporate into the model.
– Corresponding SRs: PRM-A1, A2, A3, B1-B15
• Fire initiators are generally defined in terms of

compartment fires or fire scenarios
• Each fire initiator is mapped to one or more internal event

initiators to mimic the fire-induced impact to the plant.
Slide 10
Task 5 - Fire
Steps
p in Procedure/Details
Step 1.1 (2.1) – continued
• Initiating events previously screened in the internal events

analysis may have to be reconsidered for the Fire PRA
• Final mapping of fire initiator to internal events initiators is

based on cable routing information (task 3)
• The structure of Internal Events PRA should be reviewed

to determine proper mapping of fire initiators
Slide 11
Task 5 - Fire
Steps
Step 1.1 (2.1) – continued
• The Internal Events PRA should have the capability to

quantify CDF and LERF sequences
• Internal events sequences form bulk of sequences for Fire

PRA, but a search for new sequences should be made
(see Task 2). Some new sequences may require new
logic to be added to the PRA model
Slide 12
Task 5 - Fire
Step 1.1 (2.1) - continued
• Plants that use fire emergency procedures (FEPs) may

need special models to address unique fire-related actions
(e.g., pre-defined fire response actions and MCR
abandonment).
• Some human actions may induce new sequences not

covered in Internal Events PRA and can “fail” components
– Example: SISBO, or partial SISBO
Slide 13
Task 5 - Fire
Steps
Loss of raw water

as initiator
Loss of raw Fire in

water compartment
(internal) A-1
Initiator Initiator
Example of new logic with a fire-

induced loss of raw water initiating
event
Slide 14
Task 5 - Fire
Step 1.2 (2.2): Incorporate fire-induced equipment failures
– Corresponding SRs: PRM-A4, B3, B6, B9
• Fire PRA database documents list of p

potentially
y failed
equipment for each fire compartment
• Basic events for fire-induced spurious

p operations
p are
defined and added to the PRA model (FAQ 08-0047)
• Inclusion of spatial information requires equipment and

cable locations
– May be an integral part of model logic, or handled with manipulation
of a cable location database, etc.
Slide 15
Task 5 - Fire
Loss of high
Original logic pressure injection
Loss of Loss of
train A train B
etc.
…Suppose
Suppose fire in
Pump A Pump A Valve fails compartment L1 or L2
fails to start fails to run to open could fail pump A
because pump A is in L1
and cable for pump A is
in L2 …
Loss of high
Possible temporary pressure injection
change to model to run
CCDPs for L1 and L2
Loss of Loss of
train A train B
etc.
Pump A Pump A Valve fails

fails to start fails to run to open
p
Set to
TRUE
Slide 16
Task 5 - Fire
Steps
Slide 17
Task 5 - Fire
Loss of high
pressure injection Permanent
change to model
Loss of Loss of
train A train B
etc
etc.
Pump A Pump A Valve fails

fails to start fails to run to open
Pump A Pump A
fails to start fails to start
- hardware - fire
Fire in Fire in
compartment L1 compartment L2
fails ppumpp A fails ppumpp A
Initiator Initiator
Slide 18
Task 5 - Fire
Steps
Slide 19
Task 5 - Fire
Steps
Step 1.3 (2.3): Incorporate fire-induced human failures

– Corresponding
C S
SRs: PRM-B9, B11
• New fire-specific HFEs may have to be added to the model
to address actions specified in FEPs [Note: all HFEs will be
set at screening values at first, using Task 12 guidance]
• Successful operator actions may temporarily disable (“fail”)
( fail )
components
Slide 20
Task 5 - Fire
Steps
Slide 21
Task 5 - Fire
Suppose a proceduralized manual action
carried out for fires in compartments AA & BB
defeats Pump A operation by de-energizing the
pump (opening its breaker drawer)…
Pump A fails
etc.
t
Pump A fails Pump A fails Operator action

to start to run defeats pump
operation
Relevant fires Operator opens

pump A
breaker as
directed
Fire in Fire in
compartment compartment
AA BB
Initiator Initiator
Slide 22
Task 5 - Fire
Sample Problem Exercise for Task 5
• Distribute blank handout for Task 5, Steps 1 and 2
• Distribute completed
p handout for Task 5, Steps
p 1 and 2
Slide 23
Task 5 - Fire
Mapping HLRs & SRs for the PRM technical

cover SR
PRM A The Fire PRA shall include the Fire PRA plant response model capable of supporting the
HLR requirements of FQ.
1 5.5.1.1, 5.5.2.1
2 5.5.1.1, 5.5.2.1
3 5.5.1.1, 5.5.2.1
4 5.5.1.1, 5.5.1.2,
5.5.2.1, 5.5.2.2
Slide 24
Task 5 - Fire
Technical HLR SR 6850/1011989 sections that cover SR Comments
element
PRM B The Fire PRA plant response model shall include fire-induced initiating events, both fire induced
and random failures of equipment, fire-specific as well as non–fire-related human failures
associated with safe shutdown, accident progression events (e.g., containment failure modes),
and the supporting probability data (including uncertainty) based on the SRs provided under this
HLR that parallel, as appropriate, Part 2 of this Standard, for Internal Events PRA.
1 5.5.1.1, 5.5.2.1
2 5.5.1.1, 5.5.2.1
3 5.5.1.1, 5.5.1.2, 5.5.2.1, 5.5.2.2
4 5.5.1.1, 5.5.2.1
5 5.5.1.1, 5.5.2.1
6 5.5.1.1, 5.5.1.2, 5.5.2.1, 5.5.2.2
7 5.5.1.1, 5.5.2.1
8 5511 5
5.5.1.1, 5.5.2.1
521
9 5.5.1.1, 5.5.1.2, 5.5.1.3, 5.5.2.1, 5.5.2.2, 5.5.2.3
10 5.5.1.1, 5.5.2.1
11 5.5.1.1, 5.5.1.3, 5.5.2.1, 5.5.2.3
12 5.5.1.1, 5.5.2.1
13 5.5.1.1,, 5.5.2.1
14 5.5.1.1, 5.5.2.1
15 5.5.1.1, 5.5.2.1
12 5.5.1.1, 5.5.2.1
13 5.5.1.1, 5.5.2.1
14 5.5.1.1, 5.5.2.1
15 5.5.1.1,
5511 5 5.5.2.1
521
Slide 25
Task 5 - Fire

cover SR
C The Fire PRA shall document the Fire PRA plant response model in a manner that facilitates Fire
pp
PRA applications, upgrades,
pg and p
peer review.
1 n/a Documentation not covered in 6850/1011989
Slide 26
Task 5 - Fire
METHODOLOGY
Task 4 - Qualitative Screening

Task 7 - Q
Quantitative Screeningg

Qualitative / Quantitative Screening
Scope
p (per
(p 6850/1011989))
• Task 4: Qualitative Screening

– First chance to identify very low risk compartments
• Task 7: Quantitative Screening

– Running the Fire PRA model to iteratively screen / maintain
modeled sequences at different levels of detail
Slide 2
Task 4 & 7 – Qualitative/Quantitative Screening Research (RES) & Electric Power Research Institute (EPRI)
Qualitative Screening -
Corresponding g PRA Standard Element
• Primary match is to element QLS – Qualitative Screening

– QLS Objectives (as stated in the PRA standard):
“(a) The objective of the qualitative screening (QLS)
element is to identify physical analysis units whose
potential fire risk contribution can be judged negligible
without quantitative analysis.
(b) In this element, physical analysis units are examined
only in the context of their individual contribution to fire
risk The potential risk contribution of all physical analysis
risk.
units is reexamined in the multicompartment fire scenario
analysis regardless of the physical analysis unit’s
di
disposition
iti during
d i qualitative
lit ti screening.”
i ”
Slide 3
Qualitative Screening –
HLRs ((per the PRA Standard))
• HLR-QLS-A: The Fire PRA shall identify those

physical
h i l analysis
l i units
it that
th t screen outt as individual
i di id l
risk contributors without quantitative analysis (4
SRs).)
• HLR-QLS-B: The Fire PRA shall document the results
of the qualitative screening analysis in a manner that
facilitates Fire PRA applications
applications, upgrades
upgrades, and peer
review (3 SRs).
Slide 4
Task 4: Qualitative Screening
Objectives and Scope
• The objective of Task 4 is to identify those fire

compartments that can be shown to have a negligible risk
contribution without quantitative analysis
– This is where you exclude the office building inside the protected
area
• Task 4 only considers fire compartments as individual
contributors
– Multi-compartment scenarios are covered in Task 11(b)
– Compartments that screen out qualitatively need to be re-
considered as potential Exposing Compartments in the multi-
compartment analysis (but not as the Exposed Compartment)
Slide 5
Required Input and Task Output
• To complete Task 4 you need the following input:

– List of fire compartments from Task 1
– List of Fire PRA equipment from Task 2 including location mapping
results
– List of Fire PRA cables from Task 3 including location mapping
results
• Task Output: A list of fire compartments that will be

screened out (no further analysis) based on qualitative
criteria
– Unscreened fire compartments are used in Task 6 and further

screened in Task 7
Slide 6
A Note….
• Qualitative Screening is OPTIONAL!
– You may choose to retain any number of potentially low-risk fire

compartments (from one to all) without formally conducting the
Qualitative Screening
g Assessment for the compartment
p
• However, to eliminate a compartment, you must exercise the

screening process for the compartment
– Example 1: Many areas will never pass qualitative screening, so

simply keep them
– Example 2: If you are dealing with an application with limited scope

(e.g. NFPA 805 Change Evaluation) a formalized Qualitative
Screening may be pointless
Slide 7
Screening Criteria (per 6850/1011989)
• A Fire Compartment may be screened out** if:

– No Fire PRA equipment or cables are located in the compartment,
and
d
– No fire that remains confined to the compartment could lead to:
• An automatic plant trip, or
• A manual trip as specified by plant procedures
procedures, or
• A near-term manual shutdown due to violation of plant Technical
Specifications*
*In the case of tech spec shutdown, consideration of the time
window
i d i appropriate
is i
– No firm time window is specified in the procedure – rule of thumb:
consistent with the time window of the fire itself
– Analyst must choose and justify the maximum time window
considered
(**Note: screened compartments are re-considered as fire source
compartments in the multi-compartment analysis - Task 11c)
Corresponding PRA Standard SRs: QLS-A1, A2

Slide 8
Mapping HLRs & SRs for the QLS technical
element to NUREG/CR-6850, EPRI TR 1011989

Element 9 section that
covers SR
QLS A The Fire PRA shall identify those physical analysis units that screen out as
individual risk contributors without quantitative analysis
individual risk contributors without quantitative analysis
1 4.5
2 4.5
3 4.5
4 n/a Additional screening not covered in 6850/1011989
B The Fire PRA shall document the results of the qualitative screening analysis in a
The Fire PRA shall document the results of the qualitative screening analysis in a
manner that facilitates Fire PRA applications, upgrades, and peer review
1 n/a Documentation is discussed in Section 16.5 of 6850/101198
Slide 9
Task 7: Quantitative Screening
General Objectives (per 6850/1011989)
Purpose: allow (i.e., optional) screening of fire compartments

and scenarios based on contribution to fire risk. Screening is
primarily compartment-based (Tasks 7A/B). Scenario-based
screening (Tasks 7C/D) is a further refinement (optional).
• Screening
S i criteria
it i nott th
the same as acceptance
t criteria
it i ffor
regulatory applications (e.g., R.G. 1.174)
• Screening does not mean “throw
throw away”
away – screened
compartments/scenarios will be quantified (recognized to be
conservative) and carried through to Task 14 as a measure
of the residual fire risk
Slide 10
Quantitative Screening -
Corresponding g PRA Standard Element
• Primary match is to element QNS – Quantitative

S
Screening
i
– QNS Objective (as stated in the PRA standard):
“The
The objective of the quantitative screening (QNS)
element is to screen physical analysis units from further
(e.g., more detailed quantitative) consideration based on
preliminary estimates of fire risk contribution and using
established quantitative screening criteria.”
Slide 11
Quantitative Screening –
• HLR-QNS-A: If quantitative screening is performed, the Fire PRA

shall establish quantitative screening criteria to ensure that the
estimated cumulative impact of screened physical analysis units
on CDF and LERF is small (1 SR).
• HLR
HLR-QNS-B:
QNS B: If quantitative screening is performed
performed, the Fire PRA
shall identify those physical analysis units that screen out as
individual risk contributors (2 SRs).
• HLR
HLR-QNS-C:
QNS C: VERIFY that the cumulative impact of screened
physical analysis units on CDF and LERF is small (1 SR).
• HLR-QNS-D: The Fire PRA shall document the results of
quantitative screening in a manner that facilitates Fire PRA
applications, upgrades, and peer review (2 SRs).
Slide 12
Inputs/Outputs
p p
• Inputs from other tasks for compartment-based screening

(7A/B):
– Fire ignition frequencies from Task 6,
– Task 5 (Fire-Induced Risk Model),
– Task 12 (Post-Fire HRA Screening), and
– Task 8 (Scoping Fire Modeling) (7B only)
Slide 13
Inputs/Outputs (cont’d)
• Inputs from other tasks for scenario-based screening (7C/D)

include inputs listed above plus:
– Task 9 (Detailed Circuit Failure Analysis) and/or
– Task 11 (Detailed Fire Modeling) and/or
– Task 12 ((Detailed Post-Fire HRA),

), and
– Task 10 (Circuit Failure Mode Likelihood Analysis) (7D only)
Slide 14
Inputs/Outputs
p p (cont’d)
• Outputs to other tasks:
– Unscreened fire compartments from Task 7A go to Task 8 (Scoping

Fire Modeling),
– Unscreened fire compartments from Task 7B go to Task 9 (Detailed

Circuit Failure Analysis) and/or Task 11 (Detailed Fire Modeling)
and/or Task 12 (Detailed Post-Fire HRA),
– Unscreened fire scenarios from Task 7C/D go to Task 14 (Fire Risk

Quantification) for best-estimate risk calculation
Slide 15
Overview of the Process
Make
M k more realistic
li ti via
i
circuit analysis
Perform any one,
Unscreened compartment two, or all three
Make more realistic via b d on where
based h
or scenario based on
calculated fire modeling you will get more
realistic results
CDF/CCDP/LERF/CLERP for the least
resources
Make more realistic via
more detailed HRA
Screens?
If NO, iterate as
necessary
Slide 16
Steps
p in Procedure
Three major steps in the procedure:
• Step 1: Quantify CDF/CCDP model
• Step 2: Quantify LERF/CLERP model
• Step 3: Quantitative screening
Slide 17
Steps
Step 1: Quantify CDF/CCDP models.
• Step 1.1: Quantify CCDP model

– Fire-induced initiators are set to TRUE (1.0) for each fire
compartment, CCDP calculated for each compartment
– This step can be bypassed, if desired, by using fire frequencies in
the model directly and calculating CDF
Slide 18
Step 1: Quantify CDF/CCDP models.
• Step 1.2: Quantify CDF

– Compartment fire-induced initiator frequencies combined with
compartment CCDPs from Step 1.1 to obtain compartment CDFs
• Step 1.3: Quantify ICDP (optional)

– ICDP includes unavailability of equipment removed from service
routinely
– Recommend this be done if will use PRA for configuration
management
Slide 19
Step 2: Develop LERF/CLERP models.
• Exactly analogous to Step 1 but now for LERF, CLERP
• Like ICDP, ILERP is optional
Slide 20
Establishing Quantitative Screening Criteria
• This is an area that has evolved beyond 6850/1011989

• 6850/1011989 cumulative
l ti screeningi criteria
it i are b
based d iin partt on
screening against a fraction of the internal events risk results
– Published PRA standard echoes 6850/1011989 (SR QNS-C1)
• Regulatory Guide 1.200 took exception to SR QNS-C1
– NRC staff position: “screening criteria … should relate to the total
CDF and LERF for the fire risk, not the internal events risk.”
– That is, screening should be within the hazard group (e.g., fire)
• An update to the PRA standard is pending and will likely revise QNS-
C1 to reflect NRC staff position
• Bottom line: If you plan to use your fire PRA in regulatory
applications, pay attention to RG 1.200 and watch for the PRA
standard update
Slide 21
Screening Criteria for Single Fire Compartment
Step 3: Quantitative screening, Table 7.2 from NUREG/CR-6850

Quantification Type CDF and LERF ICDP and ILERP
Compartment Screening Compartment Screening
Criteria Criteria (Optional)
Fire Compartment CDF CDF < 1.0E-7/yr
1 0E 7/yr
Fire Compartment CDF ICDP < 1.0E-7

With Intact Trains/Systems
Unavailable
Fire Compartment LERF LERF < 1.0E-8/yr
Fire Compartment LERF ILERP < 1.0E-8
With Intact Trains/Systems
Unavailable
Note: The standard and RG 1.200 do not establish screening criteria for
individual fire compartments – only cumulative criteria (see next slide…)
Slide 22
Screening Criteria For All Screened Compartments
Quantification 6850/1011989 NRC Staff Position per RG NRC Staff Position per RG
Type Screening Criteria 1.200 for Cat II 1.200 for Cat III
Sum of CDF for all < 10% of internal the sum of the CDF the sum of the CDF
screened-out fire event average CDF contribution for all screened contribution for all screened
compartments fire compartments is <10% of fire compartments is <1% of
the estimated total CDF for the estimated total CDF for
fi events
fire t fi events
fire t
Sum of LERF for < 10% of internal the sum of the LERF the sum of the LERF
all screened-out event average LERF contributions for all screened contributions for all screened
fire compartments fire compartments is <10% of fire compartments is <1% of
the estimated total LERF for the estimated total LERF for
fire events fire events
Sum of ICDP for < 1.0E-6 n/a n/a
all screened-out
fire compartments
Sum of ILERP for < 1.0E-7 n/a n/a

all screened-out
fire compartments
p
Slide 23
Sample Problem Demonstration for Task 7
• On-line demonstration of Task 7
Slide 24
Mapping HLRs & SRs for the QNS technical

El
Elementt 9 section that
9 ti th t
covers SR
QNS A If quantitative screening is performed, the Fire PRA shall establish quantitative
screening criteria to ensure that the estimated cumulative impact of screened
physical analysis units on CDF and LERF is small
1 753
7.5.3 Specific screening criteria are identified in 6850/1011989
Specific screening criteria are identified in 6850/1011989
B If quantitative screening is performed, the Fire PRA shall identify those physical
analysis units that screen out as individual risk contributors
1 7.5.1, 7.5.2
2 7.5.1, 7.5.2
C Verify that the cumulative impact of screened physical analysis units on CDF and
Verify that the cumulative impact of screened physical analysis units on CDF and
LERF is small
1 7.5.3 Specific screening criteria are identified in 6850/1011989
D The Fire PRA shall document the results of quantitative screening in a manner that
facilitates Fire PRA applications, upgrades, and peer review
1 n/a Documentation is discussed in Section 16 5 of 6850/101198
Documentation is discussed in Section 16.5 of 6850/101198
Slide 25
TASK 7 – DEMONSTRATION
METHOD 1 – BASIC EVENTS SET TO “TRUE” OR “ONE”
Figure 1: FIRE SCENARIO RESULTS SUMMARY AND SYSTEM STATUS (METHOD 1)

Figure 2: SCENARIO TO BASIC EVENT MAPPING TABLE (METHOD 1)
Figure 3: SCENARIO DEFINITION (METHOD 1)

Figure 4: RESULTS PRESENTATION (METHOD 1)
METHOD 2 – FIRE INITIATING EVENTS INSERTED IN FAULT TREE LOGIC
– SINGLE-TOP CDF/LERF
Figure 5: RISK MONITOR PANEL (METHOD 2)

Figure 6: FAULT TREE EXAMPLE (METHOD 2)
Figure 7: EXAMPLE RESULTS (METHOD 2)
METHOD 3 – EVENT TREE WITH FIRE COMPARTMENT HOUSE EVENTS
INSERTED IN FAULT TREE
Figure 8: EXAMPLE FIRE EVENT TREE (METHOD 3)
Figure 9: EXAMPLE BRIDGE TREE (METHOD 3)

Figure 10: INTERNAL EVENT TREE (METHOD 3)
Figure 11: FIRE EVENT TREE LINKAGE RULES

Figure 12: BRIDGE TREE LINKAGE RULES
Figure 13: FAULT TREE MODEL WITH INSERTED FIRE COMPARTMENT HOUSE EVENTS
(METHOD 3)
Figure 14: EXAMPLE RESULTS (METHOD 3)
METHODOLOGY
Task 14 – Fire Risk Quantification

Fire Risk Quantification
Purpose ((per 6850/1011989))
• Purpose: describe the procedure for performing fire risk

quantification.
tifi ti
• Provides a general method for quantifying the final Fire
PRA Model to generate the final fire risk results
Slide 2
Task 14 – Fire Risk Quantification Research (RES) & Electric Power Research Institute (EPRI)
Correspondingg PRA Standard Element
• Primary match is to element FQ – Fire Risk Quantification

– FQ Objectives (as stated in the PRA standard):
(a) quantify the fire-induced CDF and LERF contributions to plant
risk.(b) understand what are the significant contributors to the fire-
induced CDF and LERF.”
Slide 3
• HLR-FQ-A: Quantification of the Fire PRA shall quantify the fire-

induced CDF
• HLR-FQ-B: The fire-induced CDF quantification shall use
appropriate models and codes and shall account for method-
specific limitations and features.
• HLR-FQ-C: Model quantification shall determine that all identified
dependencies are addressed appropriately.
• HLR-FQ-D: The frequency of different containment failure modes
leading to a fire-induced large early release shall be quantified
and aggregated, thus determining the fire-induced LERF.
Slide 4
• HLR-FQ-E: The fire-induced CDF and LERF quantification results

shall be reviewed,, and significant
g contributors to CDF and LERF,,
such as fires and their corresponding plant initiating events, fire
locations, accident sequences, basic events (equipment
unavailabilities and human failure events), plant damage states,
containment challenges
challenges, and failure modes
modes, shall be identified
identified.
The results shall be traceable to the inputs and assumptions
made in the Fire PRA.
• HLR-FQ-F: The documentation of CDF and LERF analyses shall
b consistent
be i t t with
ith th
the applicable
li bl SR
SRs.
Slide 5
Scope
p (per
(p 6850/1011989))
• Task 14: Fire Risk Quantification
– Obtaining best-estimate quantification of fire risk
– Step
p 1–Quantify
Q y Final Fire CDF Model
– Step 2–Quantify Final Fire LERF Model
– Step 3–Conduct Uncertainty Analysis
Slide 6
Task 14: Fire Risk Quantification
General Objectives
Purpose: perform final (best-estimate) quantification of fire

risk
• Calculate CDF/LERF as the primary risk metrics
• Include uncertainty analysis / sensitivity results (see Task
15)
• Identify significant contributors to fire risk
• Carry along insights from Task 13 to documentation but this
is not an explicit part of “quantifying” the Fire PRA model
• Carry along residual risk from screened compartments and
scenarios (Task 7); both (final fire risk and residual risk) are
documented in Task 16 to provide total risk perspective
Slide 7
Inputs/Outputs
Task inputs:
• Inputs from other tasks:

– Task 5 (Fire-Induced Risk Model) as modified/run thru Task 7
(Quantitative Screening),
– Task 10 (Circuit Failure Mode Likelihood Analysis),
– Task 11 (Detailed Fire Modeling), and
– Task 12 (Post-Fire HRA Detailed Analysis)
Slide 8
Inputs/Outputs
• Output is the quantified fire risk results including the

uncertainty and sensitivity analyses directed by Task 15
(Uncertainty and Sensitivity Analysis), all of which is
documented per Task 16 (Fire PRA Documentation)
Slide 9
Steps in Procedure
Four major steps in the procedure*:

• Step 1: Quantify CDF
• Step 2: Quantify LERF
• Step 3: Perform uncertainty analyses including propagation
of uncertainty bounds as directed under step 4 of Task 15
• Step 4: Perform sensitivity analyses as directed under step
4 of Task 15
* In each case, significant contributors are also identified
Slide 10
Quantification Process
Characteristics of the quantification process:
• Procedure is “general”; i.e., not tied to a specific method

(event tree with boundary conditions, fault tree linking…)
• Can calculate CDF/LERF directly by explicitly including fire

scenario frequencies or first calculate CCDP/CLERP and
then combine with fire scenario frequencies
• Quantify consistent with relevant ASME-ANS PRA Standard

(RA Sa 2009) supporting requirements
(RA-Sa-2009)
– Many cross-references from FQ to internal events section (Part 2)
for most aspects of risk quantification
Slide 11
Step 1 (2): Quantify Final Fire CDF/LERF Model
Step 1.1 (2.1): Quantify Final Fire CCDP/CLERP Model
– Corresponding SRs: FQ-A1, A2, A3, A4, B1, C1, D1, E1
• Final HRA probabilities including

g dependencies
• Final cable failure probabilities
• Final cable impacts
Slide 12
Step 1.2 (2.2): Quantify Final Fire CDF/LERF Frequencies

– Corresponding SRs: FQ-A1-A4, B1, C1, D1, E1
• Final compartment frequencies
• Final scenario frequencies
• Final fire modeling parameters (i.e., severity factors, non-

suppression probabilities, etc)
Slide 13
Step 1.3 (2.3): Identify Main Contributors to Fire

CDF/LERF
• Corresponding SRs: FQ-A1-A3, E1
• Contributions by fire scenarios, compartments where fire

ignition occurs, plant damage states, post-fire operator
actions, etc.
Slide 14
Step 3: Propagate Uncertainty Distributions
• Probability distributions of epistemic uncertainties

propagated through the CDF and LERF calculations
• Monte Carlo or Latin hypercube protocols
Slide 15
Step 4.1: Identification of Final Set of Sensitivity Analysis

Cases
• Review sensitivity cases identified in Task 15
• Finalize sensitivity cases for Step 4.2
Slide 16
Step 4.2: CDF and/or LERF Computations and

C
Comparison
i
• Mean CDF/LERF values computed for each sensitivity

analysis
l i case considered
id d iin S
Step 4
4.1
1
• The results should be compared with the base-case

considered in Steps1 and 2
Slide 17
Mapping HLRs & SRs for the FQ technical
Technical HLR SR 6850/1011989 sections that cover SR Comments
element
FQ A Quantification of the Fire PRA shall quantify the fire-induced CDF.
1 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2, 14.5.2.3
2 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2, 14.5.2.3
3 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2, 14.5.2.3
4 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2
B The fire-induced CDF quantification shall use appropriate models and codes and shall account
p
for method-specific limitations and features.
1 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2
C Model quantification shall determine that all identified dependencies are addressed appropriately.
1 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2
D The frequency of different containment failure modes leading to a fire-induced large early
release shall be quantified and aggregated, thus determining the fire-induced LERF
1 14 5 1 1 14.5.1.2,
14.5.1.1, 14 5 1 2 14.5.2.1,
14 5 2 1 14.5.2.2
14 5 2 2
E The fire-induced CDF and LERF quantification results shall be reviewed, and significant
contributors to CDF and LERF, such as fires and their corresponding plant initiating
events, fire locations, accident sequences, basic events (equipment unavailabilities and
human failure events), plant damage states, containment challenges, and failure modes,
shall be identified. The results shall be traceable to the inputs and assumptions made in
the Fire PRA
1 14.5.1.1, 14.5.1.2, 14.5.2.1, 14.5.2.2, 14.5.2.3
F The documentation of CDF and LERF analyses shall be consistent with the applicable
SRs.
1 n/a Documentation not covered in
6850/1011989
2 n/a Documentation not covered in
6850/1011989
Slide 18
EPRI/NRC-RES
METHODOLOGY
Task 15 – Uncertainty and Sensitivity

Analysis

Task 15:Uncertainty and Sensitivity Analysis
Purpose (per 6850/1011989)
Purpose: Provide a process for identifying and treating

uncertainties
t i ti ini the
th Fire
Fi PRA,
PRA and d id
identifying
tif i sensitivity
iti it
analysis cases
– Many of the inputs to the Fire PRA are uncertain
– Important to identify sources of uncertainty and assumptions that have
the strongest influence on the final results
– Fire risk can be quantified without explicit quantification of
uncertainties, but the risk results cannot be considered as complete
without it
– S
Sensitivity
iti it analysis
l i iis an iimportant
t t complement
l t tto uncertainty
t i t
assessment
Slide 2
Task 15 - Uncertainty and Sensitivity Analysis Research (RES) & Electric Power Research Institute (EPRI)
Scope
Scope of Task 15 includes:
•Background information on uncertainty

•Classification of the types of uncertainty
•A general approach on treating
uncertainties in Fire PRA
Slide 3
Uncertainty and Sensitivity Analysis -
Correspondingg PRA Standard Element
• Primary match is to element UNC – Uncertainty and

Sensitivity Analysis
• UNC Objectives (as stated in the PRA standard):
“(a)
(a) identify sources of analysis uncertainty
(b) characterize these uncertainties
(c) assess their potential impact on the CDF and LERF
estimates”
Slide 4
Uncertainty and Sensitivity Analysis –
• HLR-UNC-A: The Fire PRA shall identify sources of

CDF and LERF uncertainties and related assumptions
and modeling approximations. These uncertainties
shall be characterized such that their potential
i
impactst on the
th results
lt are understood.
d t d
Slide 5
Types of Uncertainty
• Distinction between aleatory and epistemic uncertainty:

– “Aleatory”
y - from the Latin alea ((dice),
), of or relating
g to random or
stochastic phenomena. Also called “random uncertainty or
variability.”
• Reflected in the Fire PRA models as a set of interacting
random processes involving a fire-induced
f transient, response
of mitigating systems, and corresponding human actions
– “Epistemic” - of, relating to, or involving knowledge; cognitive.
[From Greek episteme,
episteme knowledge].
knowledge] Also called “state state-of-
of
knowledge uncertainty.”
• Reflects uncertainty in the parameter values and models
(including completeness) used in the Fire PRA – addressed in
this Task
Slide 6
Inputs and Outputs
• Inputs from other Tasks:

– Id
Identification
tifi ti off sources off epistemic
i t i uncertainties
t i ti ffrom TTasks
k 1 ththrough
h
13 worthy of uncertainty/sensitivity analysis (i.e., key uncertainties)
– Quantification results from Task 14 including risk drivers used to help

determine key uncertainties
– Proposed approach for addressing each of the identified uncertainties

including
g sensitivity
y analyses
y
• Outputs to other Tasks:

– Sensitivity analyses performed in Task 14
– Results of uncertainty and sensitivity analysis are reflected in

documentation of Fire PRA (Task 16)
Slide 7
General Procedure (per 6850/1011989)
Addresses a process to be followed rather than a pre-defined

list of epistemic uncertainties and sensitivity analyses, since
these could be plant specific
•Step 1: Identify uncertainties associated with each task
•Step 2: Develop strategies for addressing uncertainties
•Step 3: Review uncertainties to decide which uncertainties
to address and how
•Step 4: Perform uncertainty and sensitivity analyses
•Step 5: Include results of uncertainty and sensitivity
analyses in Fire PRA documentation
Slide 8
See Appendix U to NUREG/CR-6850 for background on

uncertainty analysis. See Appendix V for details for each
task.
task
Step 1: Identify epistemic uncertainties for each task
• Initial assessment of uncertainties to be treated is provided in Appendix
V to NUREG/CR-6850
NUREG/CR 6850 (but consider plant specific analysis for other
uncertainties such as specific assumptions)
• From a practical standpoint, characterize uncertainties as modeling and
data uncertainties
• Outcome is a list of issues, by task, leading to potentially important
uncertainties (both modeling and data uncertainty)
Related SRs:
• PRM-A4, FQ-F1, IGN-A10, IGN-B5, FSS-E3, FSS-E4, FSS-H5, FSS-H9, and CF-A2 for
sources of uncertainty
Slide 9
Step 2: Develop strategies for addressing uncertainties

• Strategy
St t can range from
f no action
ti to t explicit
li it quantitative
tit ti
modeling
• Each task analyst is expected to provide suggested
strategies
• Possible strategies include propagation of data
uncertainties, developing multiple models, addressing
uncertainties qualitatively, quality review process, and basis
for excludingg some uncertainties
• Basis for strategy should be noted and may include
importance of uncertainty on overall results, effects on
f t
future applications,
li ti resource and d schedule
h d l constraints
t i t
Slide 10
Step 3: Review uncertainties to decide which uncertainties to

address and how
• Review carried out by team of analysts familiar with issues,

perhaps meeting more than once
• Review has multiple objectives:

– Identify uncertainties that will not be addressed, and reasons why
– Identify uncertainties to be addressed, and strategies to be used
– Identify uncertainties to be grouped into single assessment
– Identify issues to be treated via sensitivity analysis
– Instruct task analysts who perform the analyses
Slide 11
y Analysis
Sensitivity y
• Sensitivity analysis can provide a perspective that

cannot be obtained from a review of significant risk
contributors.
– Each task analyst can provide a list of parameters that had the
strongest influence in their part of the analysis
– Experiment
p with modified p
parameters to demonstrate impact
p on
the final risk results
– Modeling uncertainties can be demonstrated through sensitivity

analysis
– Sensitivities should be performed for individual uncertainties as

wellll as ffor appropriate
i t llogical
i l groups off uncertainties
t i ti
Slide 12
Step 4: Perform uncertainty and sensitivity analyses
• Uncertainty analyses may involve:

– Quantitative sampling of parameter distributions
– Manipulation
p of models to p
perform sensitivity
y analyses
y
– Qualitative evaluation of uncertainty
• Following items should be made explicit:

– Uncertainties being addressed
– Strategy being followed
– Specific methods, references, computer programs, etc. being used
(to allow traceability)
– Results of analyses, including conclusions relative to overall results
of Fire PRA
– Potential impacts on anticipated applications of results
Slide 13
Step 5: Include results in PRA documentation
• Adequate documentation of uncertainties and sensitivities is

as important
p as documentation of baseline results
• Adequate documentation leads to improved decision-making
• Documentation covered more fully under Task 16
Slide 14
Expectations
• Minimum set of uncertainties expected to have a formal

treatment:
– Fire PRA model structure itself, representing the uncertainty with regard
to how fires could result in core damage and/or large early release
outcomes (Tasks 5/7)
– Uncertainty in each significant fire ignition frequency (Task 6)
– Uncertainty in each significant circuit failure mode probability (Task 10)
– Uncertainty
Uncertaint in each significant target fail
failure
re probabilit
probability (Task 11)
– Heat release rate
– Suppression failure model and failure rate
– Position of the target set vs
vs. ignition sources
– Uncertainty in each significant human error probability (Task 12)
– Uncertainty in each core damage and large early release sequence
frequency based on the above inputs as well as uncertainties for other
significant equipment failures/modes (Task 14)
Slide 15
Expectations
• Other uncertainties may be relevant to address

– Other activities related to uncertainty are underway
– You might need to consult other resources for information (e.g.,
NUREG-1855,, EPRI TR 1016737))
• Sensitivity analyses should be performed where
important to show robustness in results (i.e., demonstrate
where results are / are not sensitive to reasonable
changes in the inputs)
• While not really a source of uncertainty
uncertainty, per se
se, technical
quality issues and recommended reviews are also
addressed
Slide 16
Mapping HLRs & SRs for the UNC technical

Element 9 section that
covers SR
A The Fire PRA shall identify sources of CDF and LERF uncertainties and related
assumptions and modeling approximations. These uncertainties shall be
characterized such that their potential impacts on the results are understood
1 15.5.1
2 15.5.5 Documentation is discussed in Section 16.5 of 6850/101198
Slide 17

Epri-Pra Module 1

Uploaded by

Copyright:

Available Formats

Epri-Pra Module 1

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Epri-Pra Module 1

Uploaded by

Copyright:

Available Formats

Basics of Nuclear Power Plant

Probabilistic Risk Assessment

Fire PRA Workshop 2011

• Introduce PRA modeling and analysis methods

• Arises from a “Danger” or “Hazard”

• Risk - the frequency

Risk [ Consequence Magnitude

• Note: www.cdc.gov latest data (2005) 117,809 unintentional deaths and

• Societal Risk = 538,000 cancer-deaths/year

• PRAs are pperformed to find severe accident weaknesses

1 Plant accident initiators and Core damage frequency &

2 Frequency and modes of Categorization &

Plant Systems Severe Accident Offsite Consequence

LEVEL LEVEL LEVEL

Initiating Accident Accident RCS / Source Release Offsite Health &

LERF Assessment Health

• Internal Hazards – risk from accidents initiated internal to

• Rigorous, systematic analysis tool

• Inadequacy of available data

LEVEL LEVEL LEVEL

Initiating Accident Accident RCS / Source Release Offsite Health &

LERF Assessment Health

• Purpose: Students will learn what is an initiating event (IE), how

• Definition – Anyy potential

• Identifying initiating events is the first step in the development of

• Collect information on actual plant trips

• Review historical events (reactor trips

• Some IEs may not have to modeled because:

• For each identified initiating event:

Category Initiating Event Mean Frequency

G2 Stuck-open relief valve 5.0E-3

K1 High energy line break outside 1.0E-2

D Loss of instrument or control air 9.6E-3

E1 Loss of service water 9 7E 4

LEVEL LEVEL LEVEL

Initiating Accident Accident RCS / Source Release Offsite Health &

LERF Assessment Health

• Typically used to model the response to an initiating event

5. ACD - plant damage

• Knowledge of accident initiators

Example safety functions for core & containment

• High-level representation of vital safety functions required

Initiating Reactor Short term Long term

• Identify systems which can perform each function

Reactivity Reactor Protection System, Standby Liquid Control,

RCS Safety/Relief Valves

Reactivity Control Reactor Protection System

RCS Overpressure Safety valves, Pressurizer power-operated relief valves

Coolant Injection Accumulators, High Pressure Safety Injection, Chemical

Short Term Long Term

Plant Name Abbrev.: SURY

• Sequence cut sets generated by combining system fault

• Core Damage (CD) designation for end state not

1. Status of RCS at onset of Core Damage

LEVEL LEVEL LEVEL

Initiating Accident Accident RCS / Source Release Offsite Health &

LERF Assessment Health

“An analytical technique, whereby an undesired state of

• Deductive analysis (event trees are inductive)