46 Nuclear Power – Practical Aspects

The following Table attempts to identify the main characteristics of the methodologies proposed so far, with respect to some aspects, such as the development of deterministic and probabilistic approaches, the use of deterministic models to evaluate the system performance, the identification of the sources of uncertainties and the application of expert judgment.

| Methodology | Probabilistic vs. deterministic | Deterministic analysis | Uncertainties | Expert Judgment/Experimental data |
|---|---|---|---|---|
| **REPAS/RMPS** | Merge of probabilistic and thermal hydraulic aspects | T-H code adopted for uncertainty propagation | Uncertainties in parameters modelled by probability density functions | EJ adopted to a large extent; Statistical analysis when experimental data exist |
| **APSRA** | Merge of probabilistic and thermal hydraulic aspects | T-H code adopted to build the failure surface | Parameters' deviations from nominal conditions caused by failure of active or passive components (root diagnosis) | Experimental data usage; EJ for root diagnosis |
| **ENEA approaches** | Only probabilistic aspects | | Uncertainties in parameters | EJ adopted to a large extent (except the approach based on hardware failure) |

**Table 3.** Main features of the various approaches

**6. Open issues**

From the exam of the various methodologies, which have been developed over these most recent years within the community of the safety research, and are currently available in the open literature, the following open questions are highlighted and consequently needs for research in all related areas are pointed out:

- The aspects relative to the assessment of the uncertainties related to passive system performance: they regard both the best estimate T-H codes used for their evaluation and system reliability assessment itself;
- The dependencies among the parameters, mostly T-H parameters, playing a key role in the whole process assessment.
- The integration of the passive systems within an accident sequence in combination with active systems and human actions.
- The consideration for the physical process and involved physical quantities dependence upon time, implying, for instance, the development of dynamic event tree to incorporate the interactions between the physical parameter evolution and the state of the system and/or the transition of the system from one state to another.

**6.1. Uncertainties**

The quantity of uncertainties affecting the operation of the T-H passive systems affects considerably the relative process devoted to reliability evaluation, within a probabilistic safety analysis framework, as recognized in [7].

These uncertainties stem mainly from the deviations of the natural forces or physical principles, upon which they rely (e.g., gravity and density difference), from the expected conditions due to the inception of T-H factors impairing the system performance or to changes of the initial and boundary conditions, so that the passive system may fail to meet the required function. Indeed a lot of uncertainties arise, when addressing these phenomena, most of them being almost unknown due mainly to the scarcity of operational and experimental data and, consequently, difficulties arise in performing meaningful reliability analysis and deriving credible reliability figures. This is usually designated as phenomenological uncertainty, which becomes particularly relevant when innovative or untested technologies are applied, eventually contributing significantly to the overall uncertainty related to the reliability assessment.

Actually there are two facets to this uncertainty, i.e., "aleatory" and "epistemic" that, because of their natures, must be treated differently. The aleatory uncertainty is that addressed when the phenomena or events being modelled are characterized as occurring in a "random" or "stochastic" manner and probabilistic models are adopted to describe their occurrences. The epistemic uncertainty is that associated with the analyst's confidence in the prediction of the PSA model itself, and it reflects the analyst's assessment of how well the PSA model represents the actual system to be modelled. This has also been referred to as state-of-knowledge uncertainty, which is suitable to reduction as opposed to the aleatory which is, by its nature, irreducible. The uncertainties concerned with the reliability of passive system are both stochastic, because of the randomness of phenomena occurrence, and of epistemic nature, i.e. related to the state of knowledge about the phenomena, because of the lack of significant operational and experimental data.

For instance, as an initial step, the approach described in [16] allows identifying the uncertainties pertaining to passive system operation in terms of critical parameters driving the modes of failure, as, for instance, the presence of non-condensable gas, thermal stratification and so on. In this context the critical parameters are recognized as epistemic uncertainties.

The same reference points out, as well, the difference between the uncertainties related to passive system reliability and the uncertainties related to the T-H codes (e.g. RELAP), utilized to evaluate the performance itself, as the ones related to the coefficients, correlations, nodalization, etc.: these specific uncertainties, of epistemic nature, in turn affect the overall uncertainty in T-H passive system performance and impinge on the final sought reliability figure.

Reliability of Passive Systems in Nuclear Power Plants 49


A further step of the matter can be found in [11], which attempts to assign sound distributions to the critical parameters, to further develop a probabilistic model. As is of common use when the availability of data is limited, subjective probability distributions are elicited from expert/engineering judgment procedure, to characterize the critical parameters.

Three following classes of uncertainties to be addressed are identified:

- Geometrical properties: this category of uncertainty is generally concerned with the variations between the as-built system layout and the design utilized in the analysis: this is very relevant for the piping layout (e.g. suction pipe inclination at the inlet of the heat exchanger, in the isolation condenser reference configuration) and heat loss modes of failure.
- Material properties: material properties are very important in estimating the failure modes concerning for instance the undetected leakages and the heat loss.
- Design parameters, corresponding to the initial/boundary conditions (for instance, the actual values taken by design parameters, like the pressure in the reactor pressure vessel).
- Phenomenological analysis: the natural circulation failure assessment is very sensitive to uncertainties in parameters and models used in the thermal hydraulic analysis of the system. Some of the sources of uncertainties include but are not limited to: the definition of failure of the system used in the analysis, the simplified model used in the analysis, the analysis method and the analysis focus on failure locations and modes and finally the selection of the parameters affecting the system performance.

The first, second and third groups are part of the category of aleatory uncertainties because they represent the stochastic variability of the analysis inputs and they are not reducible.

The fourth category is referred to the epistemic uncertainties, due to the lack of knowledge about the observed phenomenon and thus suitable for reduction by gathering a relevant amount of information and data. This class of uncertainties must be subjectively evaluated, since no complete investigation of these uncertainties is available.

A clear prospect of the uncertainties is shown in Table 4 [5].

As emphasized above, clearly the epistemic uncertainties address mostly the phenomena underlying the passive operation and the parameters and models used in the T-H analysis of the system (including the ones related to the best estimate code) and the system failure analysis itself. Some of the sources of uncertainties include but are not limited to the definition of failure of the system used in the analysis, the simplified model used in the analysis, the analysis method and the analysis focus of failure locations and modes and finally the selection of the parameters affecting the system performance. With this respect, it is important to underline, again, that the lack of relevant reliability and operational data imposes the reliance on the underlying expert judgment for an adequate treatment of the uncertainties, thus making the results conditional upon the expert judgment elicitation process. This can range from the simple engineering/subjective assessment to a well structured procedure based on expert judgment elicitation, as reported in [17], which outlines the main aspects of the REPAS procedure.

- *Aleatory*
  - Geometrical properties
  - Material properties
  - Initial/boundary conditions (design parameters)
- *Epistemic*
  - T-H analysis
    - Model (correlations)
    - Parameters
  - System failure analysis
    - Failure criteria
    - Failure modes (critical parameters)

**Table 4.** Categories of uncertainties associated with T-H passive systems reliability assessment

In ref. [17], in order to simplify both the identification of the ranges and their corresponding probabilities, initially discrete values have been selected. As a general rule, a central pivot has been identified, and then the range has been extended to higher and lower values, if applicable. The pivot value represents the nominal condition for the parameter. The limits have been chosen in order to exclude unrealistic values or those values representing a limit zone for the operation demand of the passive system. Once the discrete ranges have been set up, discrete probability distributions have been associated, to represent the probabilities of occurrence of the values. As in the previous step, the general rule adopted is that the higher probability of occurrence corresponds to the nominal value for the parameter. Then lower probabilities have been assigned to the other values: the wider the distance from the nominal value, the lower the probability, as in a sort of Gaussian distribution.

Ultimately, as underlined in the previous section, the methodologies proposed in RMPS and within the studies conducted by MIT address the question by propagating the parameter and model uncertainties, by performing Monte Carlo simulations on the detailed T-H model based on a mechanistic code, and calculating the distribution of the safety variable and thus the probability of observing a value above the defined limit, according to the safety criterion.

#### **6.2. Dependencies**

As with some other types of analyses for nuclear power plants, the documented experience with PSS reliability seems to focus on the analysis of one passive attribute at a time. In many cases, this may be sufficient, but for some advanced designs with multiple passive features, modelling of the synergistic effects among them is important. For example, modelling of a passive core cooling system may require simultaneous modelling of the amount of non-condensable gases which build up along the circuit during extended periods of operation, the potential for stratification in the cooling pool, and interactions between the passive core cooling system and the core. Analysis of each of these aspects independently may not fully capture the important boundary conditions of each system. For instance, with regard to the aforementioned methodologies, the basic simplifying assumption of independence among system performance relevant parameters, as the degradation measures, means that the correlation among the critical parameter distributions is zero or is too low to be judged significant, so that the assessment of the failure probability is quite straightforward. If parameters have contributors to their uncertainty in common, the respective states of knowledge are dependent. As a consequence of this dependence, parameter values cannot be combined freely and independently. Instances of such limitations need to be identified and the dependencies need to be quantified. If the analyst knows of dependencies between parameters explicitly, multivariate distributions or conditional subjective pdfs (probability density functions) may be used. The dependence between the parameters can also be introduced by covariance matrices or by functional relations between the parameters.
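The effect of the independence assumption can be seen in a small Monte Carlo experiment, added here as an illustration and not taken from the chapter or the studies it cites. It assumes two hypothetical degradation measures (for instance a normalized non-condensable gas fraction and a normalized heat loss), each standard normal with a constructed limit of 1.5, and compares the failure probability under a series criterion (either measure exceeds its limit) and a joint criterion (both exceed) for independent and correlated sampling.

```python
import math
import random
from statistics import NormalDist


def sample_pair(rng, rho):
    """Draw two standard-normal degradation measures with correlation rho."""
    z1 = rng.gauss(0.0, 1.0)
    z2 = rng.gauss(0.0, 1.0)
    # 2x2 Cholesky factor of the correlation matrix [[1, rho], [rho, 1]]
    return z1, rho * z1 + math.sqrt(1.0 - rho * rho) * z2


def failure_probabilities(rho, limit=1.5, n=200_000, seed=1):
    """Monte Carlo estimate of the failure probability under two criteria.

    series: the system fails if either measure exceeds its limit
    joint:  the system fails only if both measures exceed their limits
    The limit, sample size and seed are constructed values for illustration.
    """
    rng = random.Random(seed)
    any_exceeds = 0
    both_exceed = 0
    for _ in range(n):
        x, y = sample_pair(rng, rho)
        fx, fy = x > limit, y > limit
        any_exceeds += fx or fy
        both_exceed += fx and fy
    return {"series": any_exceeds / n, "joint": both_exceed / n}


def independent_reference(limit=1.5):
    """Closed-form failure probabilities when the two measures are independent."""
    p = 1.0 - NormalDist().cdf(limit)
    return {"series": 1.0 - (1.0 - p) ** 2, "joint": p * p}


if __name__ == "__main__":
    ref = independent_reference()
    print(f"independent (analytic): series={ref['series']:.4f} joint={ref['joint']:.4f}")
    for rho in (0.0, 0.4, 0.8):
        est = failure_probabilities(rho)
        print(f"rho={rho:.1f} (Monte Carlo):  series={est['series']:.4f} joint={est['joint']:.4f}")
```

With positive correlation the series failure probability falls below the independent value, while the joint failure probability rises above it, so the direction of the error made by assuming independence depends on the failure criterion.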

As observed in [15], both REPAS and RMPS approaches adopt a probability density function (pdf) to treat variations of the critical parameters considered in the predictions of codes. To apply the methodology, one needs to have the pdf values of these parameters. However, it is difficult to assign accurate pdf treatment of these parameters, which ultimately define the functional failure, due to the scarcity of available data, both on an experimental and operational ground. Moreover, these parameters are not really independent ones to have deviation of their own. Rather, their deviations from their nominal conditions occur due to failure/malfunctioning of other components or as a result of the combination with different concomitant mechanisms. Thus the hypothesis of independence among the failure driving parameters appears inappropriate.

With reference to the functional reliability approach set forth in [13], the selected representative parameters defining the system performance, for instance coolant flow or exchanged thermal power, are properly modelled through the construction of joint probability functions in order to assess the correspondent functional reliability. A recent study shows how the assumption of independence between the marginal distributions to construct the joint probability distributions to evaluate system reliability adds conservatism to the analysis [18]: for this reason the model is implemented to incorporate the correlations between the parameters, in the form of bivariate normal probability distributions. That study has the merit to highlight the dependence among the parameters underlying the system performance: further studies are underway, with regard, for instance, to the approach based on independent failure modes. As described in the previous section 2, this approach begins by identifying critical parameters, properly modelled through probability functions, as input to basic events, corresponding to the failure modes, arranged in a series system configuration, assuming non-mutually exclusive independent events. It introduces a high level of conservatism as it appears that the probability of failure of the system is too high to be considered acceptable, because of the combination of various modes of failure, where a single fault is sufficient to challenge the system performance. Initial evaluations [19] reveal that the critical parameters are not suitable to be chosen independently of each other, mainly because of the expected synergism between the different phenomena under investigation, with the potential to jeopardize the system performance. This conclusion allows the implementation of the proposed methodology, by properly capturing the interaction between various failure modes, through modelling system performance under multiple degradation measures. It was verified that when the multiple degradation measures in a system are correlated, an incorrect independence assumption may overestimate the system reliability, according to a recent study [20].

**6.3. Incorporation of passive system within probabilistic safety assessment**

PSA has been introduced for the evaluation of design and safety in the development of those reactors. A technology-neutral framework, that adopts PSA information as a major evaluation tool, has been proposed as the framework for the evaluation of safety or regulation for those reactors [21,22]. To utilize this framework, the evaluation of the reliability of Passive Systems has been recognized as an essential part of PSA.

In PSA, the status of individual systems such as a passive system is assessed by an accident sequence analysis to identify the integrated behaviour of a nuclear system and to assign its integrated system status, i.e. the end states of accident sequences. Because of the features specific to a passive system, it is difficult to define the status of a passive system in the accident sequence analysis. In other words, the status of a passive system does not become a robust form such as success or failure, since "intermediate" modes of operation of the system or equivalently the degraded performance of the system (up to the failure point) is possible. This gives credit for a passive system that "partially works" and has failed for its intended function but provides some operation: this operation could be sufficient to prolong the window for opportunity to recover a failed system, for instance through redundancy configuration, and ultimately prevent or arrest core degradation [19]. This means that the status of a passive system can be divided into several states, and each status is affected by the integrated behaviour of the reactor, because its individual performance is closely related with the accident evolution and whole plant behaviour.

Ref. [23] lays the foundations to outline a general approach for the integration of a passive system, in the form of a front line system and in combination with active ones and/or human actions, within a PSA framework.

In [7] a consistent approach, based on an event tree representation, has been developed to incorporate in a PSA study the results of reliability analyses of passive systems obtained on specific accident sequences. In this approach, the accident sequences are analyzed by taking into account the success or the failure of the components and of the physical process involved in the passive systems. This methodology allows the probabilistic evaluation of the
