**6.3. Incorporation of passive system within probabilistic safety assessment**

PSA has been introduced for the evaluation of design and safety in the development of those reactors. A technology-neutral framework, which adopts PSA information as a major evaluation tool, has been proposed as the framework for the evaluation of safety or regulation of those reactors [21,22]. To utilize this framework, the evaluation of the reliability of passive systems has been recognized as an essential part of PSA.

In PSA, the status of an individual system such as a passive system is assessed by an accident sequence analysis that identifies the integrated behaviour of the nuclear system and assigns its integrated system status, i.e. the end states of the accident sequences. Because of the features specific to a passive system, it is difficult to define its status in the accident sequence analysis. In other words, the status of a passive system does not take a robust binary form such as success or failure, since "intermediate" modes of operation of the system, or equivalently degraded performance of the system (up to the failure point), are possible. This gives credit to a passive system that "partially works": one that has failed in its intended function but still provides some operation, which could be sufficient to prolong the window of opportunity to recover a failed system, for instance through a redundancy configuration, and ultimately prevent or arrest core degradation [19]. This means that the status of a passive system can be divided into several states, and each state is affected by the integrated behaviour of the reactor, because the individual performance of the system is closely related to the accident evolution and the whole plant behaviour.

Ref. [23] lays the foundations to outline a general approach for the integration of a passive system, in the form of a front line system and in combination with active ones and/or human actions, within a PSA framework.

In [7] a consistent approach, based on an event tree representation, has been developed to incorporate in a PSA study the results of reliability analyses of passive systems obtained on specific accident sequences. In this approach, the accident sequences are analyzed by taking into account the success or the failure of the components and of the physical process involved in the passive systems. This methodology allows the probabilistic evaluation of the influence of a passive system on a definite accident scenario and could be used to test the advantage of replacing an active system by a passive system in specific situations.

Reliability of Passive Systems in Nuclear Power Plants 53


However, in order to generalize the methodology, it is important to take the dynamic aspects into account other than solely by modelling them in the T-H code. Indeed, in complex situations where several safety systems are competing and where human operation cannot be completely eliminated, such modelling may prove to be impossible or too expensive in computing time. It is thus interesting to explore other solutions already used in dynamic PSA, like the method of dynamic event trees, in order to capture the interaction between the process parameters and the system state within the dynamic evolution of the accident.

In the PSA of nuclear power plants (NPPs), accident scenarios, which are dynamic in nature, are usually analyzed with event trees and fault trees.

The current PSA framework has some limitations in handling the actual timing of events, whose variability may influence the successive evolution of the scenarios, and in modelling the interactions between the physical evolution of the process variables (temperatures, pressures, mass flows, etc.) and the behaviour of the hardware components. Thus, differences in the sequential order of the same success and failure events and in the timing of event occurrence along an accident scenario may affect its evolution and outcome; also, the evolution of the process variables (temperatures, pressures, mass flows, etc.) may affect the event occurrence probabilities and thus the developing scenario. Another limitation lies in the binary representation of system states (i.e., success or failure), disregarding the intermediate states, which conversely concern the passive system operation, as illustrated above.

To overcome the above-mentioned limitations, dynamic methodologies have been investigated which attempt to capture the integrated response of the systems/components during an accident scenario [24].

The most evident difference between dynamic event trees (DETs) and event trees (ETs) is as follows. ETs, which are typically used in industrial PSA, are constructed by an analyst, and their branches are based on success/failure criteria set by the analyst; these criteria are based on simulations of the plant dynamics. On the contrary, DETs are produced by software that embeds the models simulating the plant dynamics into stochastic models of component failure. A challenge arising from the dynamic approach to PSA is that the number of scenarios to be analyzed is much larger than in the classical fault/event tree approaches, so that the a posteriori information retrieval can become quite onerous and complex.

This is even more relevant as far as thermal hydraulic natural circulation passive systems are concerned since their operation is strongly dependent, more than other safety systems, upon time and the state/parameter evolution of the system during the accident progression.

Merging probabilistic models with T-H models, i.e. dynamic reliability, is required to accomplish the evaluation process of T-H passive systems in a consistent manner. This is particularly relevant with regard to the introduction of a passive system in an accident sequence, since the required mission could be longer than the usual 24 h level 1 PSA mission time. In fact, for design basis accidents the passive systems are required to establish and maintain core cooling and containment integrity, with no operator intervention or requirement for a.c. power for 72 h, as a grace time [25].

52 Nuclear Power – Practical Aspects


The goal of dynamic PRA is to account for the interaction of the process dynamics and the stochastic nature/behavior of the system at various stages: it associates the state/parameter evaluation capability of the thermal hydraulic analysis with the dynamic event tree generation capability. The methodology should estimate the physical variation of all technical parameters and the frequency of the accident sequences when the dynamic effects are considered. If the component failure probabilities (e.g. the valve per-demand failure probability) are known, then these probabilities can be combined with the probability distributions of the estimated parameters in order to predict the probabilistic evolution of each scenario outcome.

A preliminary attempt at addressing the dynamic aspect of the system performance in the frame of passive system reliability is shown in [26], which introduces the T-H passive system as a non-stationary stochastic process, where the natural circulation is modeled in terms of time-variant performance parameters (for instance mass flow rate and thermal power) assumed to be stochastic variables. In that work, the statistics associated with the stochastic variables change in time (for instance, the associated mean values and standard deviations increase or decrease), so that the random variables have different values in every realization, and hence every realization is different.

**6.4. Comparative assessment between active and passive systems**

The design and development of future water-cooled reactors address the use of passive safety systems, i.e. those characterized by no or very limited reliance on external input (forces, power or signal, or human action) and whose operation takes advantage of natural forces, such as free convection and gravity, to fulfil the required safety function and to provide confidence in the plant's ability to handle transients and accidents. Therefore, they are required to accomplish their mission with a sufficient reliability margin, which makes them attractive as an important means of achieving both simplification and cost reduction for future plants while assuring safety requirements with less dependence of the safety function on active components like pumps and diesel generators.

On the other hand, since the magnitude of the natural forces which drive the operation of passive systems is relatively small, counter-forces (e.g. friction) can be of comparable magnitude and cannot be ignored, as is generally the case with pumped systems. This concern leads to the consideration that, despite the fact that passive systems "should be", or at least are considered, more reliable than active ones (because of the smaller unavailability due to hardware failure and human error), there is always a nonzero likelihood of the occurrence of physical phenomena leading to pertinent failure modes once the system enters into operation.

These characteristics, a high level of uncertainty and low driving forces for heat removal purposes, justify a comparative evaluation between passive and active options with respect to the accomplishment of a defined safety function (e.g. decay heat removal); the generally accepted viewpoint that passive system design is more reliable and more economical than active system design therefore has to be discussed [27].


Here are some of the benefits and disadvantages of the passive systems that should be evaluated vs. the correspondent active system.

Due to the specificities of passive systems that utilize natural circulation (small driving force, large uncertainties in their performance, lack of data…), there is a strong need for the development and demonstration of consistent methodologies and approaches for evaluating

Table 5 below aims at identifying, for each of the above items, the criticality with respect to the passive system reliability assessment process, in terms of both the relative importance and the existing advancement, according to Table 6, which ranks the relative level of both the importance and the progress.

| Item | Importance | Advance |
|---|---|---|
| Uncertainties | H | L |
| Dependencies | M | L |
| Integration within PSA | M | L |
| Passive vs. Active | H | L |

**Table 5.** Importance analysis

| | Grade | Definition |
|---|---|---|
| Importance | H | The item is expected to have a significant impact on the system failure |
| | M | The item is expected to have a moderate impact on the system failure |
| | L | The item is expected to have only a small impact on the system failure |
| Advance | H | The issue is modelled in a detailed way with adequate validation |
| | M | The issue is represented by simple modelling based on experimental observations or results |
| | L | The issue is not represented in the analysis, or the models are too complex or inappropriate, which indicates that the calculation results will have a high degree of ambiguity |

**Table 6.** Grade rank for importance and advancement analysis

It is clear that the worst case is characterized by "high" and "low" rankings, relative respectively to the importance and the advancement aspects, thus making the development of the correspondent item a critical challenge.

Based on this, the results of this qualitative analysis show the relevance of the uncertainties and of the comparison between active and passive systems as the most critical points to be addressed in the application of PRA to the evaluation of passive system performance. This allows the analyst to track a viable R&D program to deal with these issues and limitations and to steer the relative efforts towards their implementation.

**8. Conclusions**


The question of whether it is favourable to adopt passive systems in the design of a new reactor to accomplish safety functions is still debated, and a common consensus has not yet been reached about the quantification of the safety and cost benefits that would make nuclear power more competitive, from potential annual maintenance cost reductions to safety system response.
