**1. Introduction**

In the development of advanced nuclear technologies, the reliability of passive systems has become an important subject of discussion because of their extensive use in new and advanced nuclear power plants (NEA, 2002), in combination with active safety or operational systems.

Following the IAEA definitions [1], a passive component does not need any external input or energy to operate; it relies only upon natural physical laws (e.g. gravity, natural convection, conduction, etc.) and/or on inherent characteristics (properties of materials, internally stored energy, etc.) and/or 'intelligent' use of the energy that is inherently available in the system (e.g. decay heat, chemical reactions, etc.).

The term "passive" identifies a system which is composed entirely of passive components and structures, or a system which uses active components in a very limited way to initiate subsequent passive operation. That is why passive systems are expected to combine, among others, the advantages of simplicity, a decrease in the need for human interaction and a reduction or avoidance of external electrical power or signals. These attractions may lead to increased safety and acceptability of nuclear power generation if the detractions can be reduced.

Besides the open feedback on economic competitiveness, special aspects like lack of data on some phenomena, missing operating experience over the wide range of conditions, and driving forces which are smaller - in most cases - than in active safety systems, must be taken into account: the less effective performance as compared to active safety systems has a strong impact on the reliability assessment of passive safety systems.

A categorisation has been developed by the IAEA in [1] distinguishing:

© 2012 Burgazzi, licensee InTech. This is an open access chapter distributed under the terms of the Creative Commons Attribution License (http://creativecommons.org/licenses/by/3.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

a. physical barriers and static structures (e.g. pipe wall, concrete building).

This category is characterized by:


Examples of safety features included in this category are physical barriers against the release of fission products, such as nuclear fuel cladding and pressure boundary systems; hardened building structures for the protection of a plant against seismic and/or other external events; core cooling systems relying only on heat radiation and/or conduction from nuclear fuel to outer structural parts, with the reactor in hot shutdown; and static components of safety-related passive systems (e.g., tubes, pressurizers, accumulators, surge tanks), as well as structural parts (e.g., supports, shields).

Reliability of Passive Systems in Nuclear Power Plants 25


b. moving working fluids (e.g. cooling by free convection).

This category is characterized by:


Examples of safety features included in this category are reactor shutdown/emergency cooling systems based on injection of borated water produced by the disturbance of a hydrostatic equilibrium between the pressure boundary and an external water pool; reactor emergency cooling systems based on air or water natural circulation in heat exchangers immersed in water pools (inside containment) to which the decay heat is directly transferred; containment cooling systems based on natural circulation of air flowing around the containment walls, with intake and exhaust through a stack or in tubes covering the inner walls of silos of underground reactors; and fluidic gates between process systems, such as "surge lines" of Pressurized Water Reactors (PWRs).

c. moving mechanical parts (e.g. check valves).

This category is characterized by:


Examples of safety features included in this category are emergency injection systems consisting of accumulators or storage tanks and discharge lines equipped with check valves; overpressure protection and/or emergency cooling devices of pressure boundary systems based on fluid release through relief valves; filtered venting systems of containments activated by rupture disks; and mechanical actuators, such as check valves and spring-loaded relief valves, as well as some trip mechanisms (e.g., temperature, pressure and level actuators).

d. external signals and stored energy (passive execution/active actuation, e.g. scram systems).

This category addresses the intermediary zone between active and passive where the execution of the safety function is made through passive methods as described in the previous categories except that internal intelligence is not available to initiate the process. In these cases an external signal is permitted to trigger the passive process. To recognize this departure, this category is referred to as "passive execution/active initiation".

24 Nuclear Power – Practical Aspects

This category is characterized by:




Examples of safety features included in this category are emergency core cooling and injection systems based on gravity that are initiated by battery-powered electric or electropneumatic valves; and emergency reactor shutdown systems based on gravity-driven or static-pressure-driven control rods.

According to this classification, safety systems are classified into the higher categories of passivity when all their components needed for safety are passive. Systems relying on no external power supply but using a dedicated, internal power source (e.g., a battery) to supply an active component are not subject to normal, externally caused failures and are included in the lowest category of passivity. This kind of system has active and passive characteristics at different times, for example, the active opening of a valve initiates subsequent passive operation by natural convection.

Inclusion of failure modes and reliability estimates of passive components for all systems is recommended in probabilistic safety assessment (PSA)<sup>1</sup> studies. Consequently, the reliability assessment of passive safety systems, defined as the probability to perform the requested mission to achieve the generic safety function, becomes an essential step.

Notwithstanding that passive systems are credited with a higher reliability than active ones, because of the smaller unavailability due to hardware failure and human error, there is always a nonzero likelihood of the occurrence of physical phenomena leading to pertinent failure modes once the system comes into operation. In fact, deviations of the natural forces or physical principles upon which they rely from the expected conditions can impair the performance of the system itself. This remark is especially applicable to type B passive systems (i.e. implementing moving working fluids), named thermal-hydraulic passive systems, due to the small engaged driving forces and the thermal-hydraulic phenomena affecting the system performance.

Indeed, while in the case of passive A systems the development of the structural reliability analysis methodology can be carried out with the application of the principles of the probabilistic structural mechanics theory, and operating experience data can be inferred for the reliability assessment of passive C and D components, there is yet no agreed approach as far as passive B systems are concerned.

In fact, such passive safety systems in their designs rely on natural forces, such as gravity or natural convection, to perform their accident prevention and mitigation functions once actuated and started: these driving forces are not generated by external power sources (e.g., pumped systems), as is the case in operating reactor designs. Because the magnitude of the natural forces which drive the operation of passive systems is relatively small, counterforces (e.g. friction) can be of comparable magnitude and cannot be ignored, as is generally the case for systems including pumps. Moreover, there are considerable uncertainties associated with factors on which the magnitude of these forces and counterforces depends (e.g. values of heat transfer coefficients and pressure losses). In addition, the magnitude of such natural driving forces depends on specific plant conditions and configurations which could exist at the time a system is called upon to perform its safety function. All these aspects affect the thermal-hydraulic (T-H) performance of the passive system.

<sup>1</sup> In the following, PSA (Probabilistic Safety Assessment) and PRA (Probabilistic Risk Assessment) are used interchangeably.

Consequently, much effort has been devoted to the development of consistent approaches and methodologies aimed at the reliability assessment of T-H passive systems, with reference to the evaluation of the implemented physical principles (gravity, conduction, etc.). For example, the system fault tree in the case of passive systems would consist of basic events representing failure of the physical phenomena and failure of activating devices; the use of thermal-hydraulic analysis related information for modeling the passive systems should be considered in the assessment process.

The efforts conducted so far to deal with passive safety system reliability have raised a number of open issues to be addressed in a consistent way, in order to endorse the proposed approaches and to add credit to the underlying models and the eventual reliability figures resulting from their application. In fact, the applications of the proposed methodologies are to a large extent dependent upon the assumptions underlying the methods themselves. At the international level, for instance, the IAEA recently coordinated a research project, denoted as "*Natural Circulation Phenomena, Modelling and Reliability of Passive Systems*" (2004-2008) [2,3], while another coordinated research project on "*Development of Methodologies for the Assessment of Passive Safety System Performance in Advanced Reactors*" (2008-2011) is currently underway. While the focus of the former project has been natural circulation and related phenomena, the objective of the latter program is to determine a common analysis-and-test method for reliability assessment of passive safety system performance.

This chapter provides the insights resulting from the analysis of the technical issues associated with assessing the reliability of passive systems in the context of nuclear safety and probabilistic safety analysis, and delineates a viable path towards the implementation of the research efforts in the related areas. Focus on these issues is very important, since it is the major goal of the international research activities (e.g. IAEA) to reach a common consensus about the different proposed approaches.

The chapter is organized as follows: after an overview of the passive safety systems being implemented in the design of innovative reactors and an introduction to the main components of the Probabilistic Safety Assessment approach, the currently available methodologies are illustrated and compared, the open issues emerging from their analysis are identified, and for each of them the state of the art and the outlook are presented; the relative importance of each of them within the evaluation process is presented as well.

natural circulation systems are described hereafter and namely as regards AP600/AP1000, ESBWR and ABWR designs.

It is important to note that the incorporation of systems based on natural circulation to achieve plant safety and economic goals is being extended also to Generation-IV reactor concepts; however, due to the early stage of the design (many systems are not yet established), they are not explicitly addressed.

**2.1. AP600/AP1000 Passive Residual Heat Removal systems (PRHR)**

The AP600/AP1000 passive safety systems consist of:

- A Passive Residual Heat Removal (PRHR) System
- Two Core Make-up Tanks (CMTs)
- A Four Stage Automatic Depressurization System (ADS)
- Two Accumulator Tanks (ACC)
- An In-containment Refueling Water Storage Tank (IRWST)
- A Lower Containment Sump (CS)
- Passive Containment Cooling System (PCS)

Figure 1 presents a schematic that describes the connections of the primary system passive safety systems.

**Figure 1.** Passive Safety Systems used in the AP600/AP1000 Designs

The PRHR implemented in the Westinghouse AP1000 design consists of a C-Tube type heat exchanger in the water-filled In-containment Refuelling Water Storage Tank (IRWST) as
