Deterministic safety analyses as well as probabilistic safety assessments are widely used in risk management of complex engineering systems such as nuclear and process plants. Challenges to these approaches include modeling of dynamic interactions among physical process, safety systems, and operator actions as well as propagation of these model uncertainties. Dynamic Event Tree (DET) analysis allows for integrated deterministic and probabilistic safety assessment (IDPSA) by coupling thermal-hydraulic/process system models with safety system and operator response models. This chapter introduces the concept of IDPSA, highlights the benefits of the approach as well as its limitations. Case study on a medium loss of coolant accident in a nuclear power plant is presented, which focuses on a comparison between IDPSA and traditional approaches considering impact of accident dynamics.

1 Introduction to Integrated Deterministic and Probabilistic Safety Assessment

In the safety analysis of complex engineering systems, we develop accident sequence models to quantify the risk. In this process, it is a challenge to consider dynamic interactions and capture their impact on accident models. Such dynamics (time dependent interactions) can arise due to human interactions, digital control systems, & passive system behavior [1,2,3,4]. The main objective is to increase realisam in modeling dynamics while quantifying risk [5]. In this section, an integrated deterministic and probabilistic safety analysis approach (IDPSA) is introduced including its basic elements and their relationships.

1.1 Probabilistic and Deterministic Safety

In the Risk Analysis of Nuclear Power Plants (NPPs), we primarily address these questions: What is the hazard? How likely is it? What are the consequences? How to improve the level of safety? We use a systematic and comprehensive methodology Probabilistic safety assessment (PSA) to evaluate the risk associated with complex engineering systems like NPPs. Here are the high level tasks of PSA: (1) Identify accident initiators (2) developing accident models including sequence delineation (sequence delineation—which sequences lead to core damage) and success criteria definitions. Success criteria—identifying the requirements for success of the safety systems. For example, what is the success criteria of safety equipment. These requirement concern how many systems or pieces of equipment must operate, the latest time by which the operators must intervene, how long the equipment must function. (Typical questions to identify Success Requirements: *How many systems must operate? *How long they must function? *Latest time for operator intervention). (3) Quantifying the risk then corresponds to estimating the likelihood that the requirements are not met and an accident follows.

How is it done with the classical approach?

Risk/Safety assessments are widely performed to evaluate risks associated with complex engineering systems such as aeronautical systems, nuclear power plants, marine systems, etc. This is called PRA in aerospace and PSA in nuclear industry. Figure 1 shows elements of a typical PSA. Methods are quite common. Classical combination of event tree and fault trees are used to build risk models. Quantification of risk models require inputs such as data, simulations, etc. Typical results include risk, contribution of sequence, basic events to risk.

Fig. 1
figure 1

Elements of a typical PSA/PRA

Full size image

Offline (with predefined boundary conditions) thermal hydraulic/process analysis are performed for determination of sequence outcome and defining success criteria (deterministic safety analysis). Probability safety models (classical combination of event tree and fault tree models) address the probability that these criteria are not met. Figure 2 illustrates high level tasks in the current PSA practice. Accident scenario is simulated with a standalone tool, for instance thermal hydraulic code in case of nuclear power plants. Typically, few sequences with predefined boundary conditions are simulated to investigate if sequences lead to a safe state or an undesirable consequence.

Fig. 2
figure 2

Flow of high level tasks in a classical PSA

Full size image

1.2 Issues in Current Approach

How complex engineered system works in normal conditions is well known. What about in an accident scenario? What are the accident dynamics? Process behavior evolves with the time; i.e. the process parameters change with respect to time influencing the response of safety systems. Operator response may influence the physical process. A typical accident scenario in a Nuclear Power Plant (NPP) involves complex interactions among process, safety equipment, and operator actions. The big question is: In current practice of plant simulations by independent thermal hydraulic codes (which don’t have operator or equipment models), or A matrix of calculations) with pre-decided states of the systems and operator times, do we consider the complex interactions properly? For example, total operator time is dynamic, it is difficult to predict it offline. In addition to that, when stochastic variabilities in those responses are considered, defining success criteria will be cumbersome and complex. Also, the detrimental effects of binning; bounding assumptions are necessary while enveloping sequences and defining the success requirements in PSA; bounding is not only difficult but also produces modeling artifacts in certain cases. One of the major issues in current PSA practice is epistemic uncertainty in physical/process models [6,7,8]. PSA Model parameters (failure rates or failure probabilities) are already accounted, but uncertainties in physical model parameters (e.g. thermal hydraulic models) also needs to be addressed while building risk models. These may impact sequence outcomes, success requirements, subsequently risk estimates and contributors.

1.3 IDPSA Using Dynamic Event Trees

Dynamic Event Tree (DET) analysis provides a framework for integrated accident simulation of physical process, equipment, and operator actions. In other words, DET provide the means to simulate physical system evolutions, the evolution of system states due to stochastic events, and the dynamic interactions between these evolutions (DET simulates the dynamic interactions among physical process, safety system responses, and operator responses). DET models include deterministic (physical) as well as Stochastic Models.

Accident scenario is simulated considering dynamic interactions and stochastic variabilities to generate sequences. The outcome of sequences are labelled based on the values of physical parameters. Risk is estimated considering all the undesired sequences.

In the dynamic event tree: The transient is simulated in deterministic dynamic model and the process parameter values are obtained from plant dynamic model with respect to time. Scheduler has the integrated model of the plant describing the behavior of the various elements as a set of rules. When the process parameter reaches a level, it would fire one of these rules. As a result, event sequences are generated based on the rules (scheduler). When the process parameter demands intervention of safety system or human action, one of the rule in scheduler gets fired, and branching takes place in the DET.

Several DET implementations tools and their applications can be seen in the literature. Interested readers may refer the following works in the literature [9,10,11,12,13,14,15,16,17,18].

2 A Simple Example: Water Leaks into a Ship/Vessel

Flooding is one of the important hazards for ship safety and stability. This example (see Fig. 3) is extremely simplified version of that problem. A Ship/vessel begins to accumulate water due to leak, which could be due to valve/pipe. The objective is to estimate the likelihood of vessel reaching the critical level, considering the stochastic variabilities and time dependent interactions. The tank will accumulate to a critical level if the operator does not isolate the leak in time. The operator receives a cue from an alarm caused by the rise in level, in response the operator should close the valve. System failure depends on the failures on demand of alarm and valve, as well as human response. The time dependent element in the problem is the human response time completing with the time taken by the tank to reach the critical level, which depends on leak size and location.

Fig. 3
figure 3

An accumulating vessel with an initial level Hi and a critical level Hf

Full size image

How do we solve this problem with the classical method? In the current practice, offline TH/physical process simulation-based analysis are performed to determine the sequence outcomes and define success criteria in developing accident sequence models. Success criteria analysis involved identifying the requirements on safety systems associated with the success branch for a function. These requirements concern how many components must operate, how long they must function, the latest time by which operator must intervene. The developed accident sequence model is typically an event tree with coupled fault trees, which are quantified to obtain risk. In the process of developing event tree models, bounding assumptions are necessary to envelop the sequences and define the success requirements. The accident dynamics complicate such grouping.

Figure 4 shows a classical event tree modeling of the vessel problem. Event trees are graphical models that order and reflect events according to the requirements for the mitigation of initiating events. Event trees are used to determine the sequences of system failures that can lead to undesired consequences.

Fig. 4
figure 4

Classical event tree modeling of vessel problem

Full size image

How do we solve this dynamic risk problem? There are several methods available in the literature such as analytical solution, analog Monte Carlo simulation, Dynamic Flowgraph Methodology, and DET, etc. As this is a simple problem, an analytical solution can be derived, which can be solved with a numerical integration method. Figure 5 shows the elements of the analytical solution of this problem, adapted from [6].

Fig. 5
figure 5

Analytical Solution of the vessel problem

Full size image
$$ HEP = \int\limits_{0}^{\infty } {f_{R} (r)} \int\limits_{0}^{{(\frac{{r + k_{2} }}{{k_{1} }})^{2} }} {f_{H} } (h)dh \cdot dr $$
(1)

where \( k_{1} = \frac{A}{aC}\sqrt {\frac{2}{g}} \,{\text{and}}\,k_{2} = \sqrt {H_{f} } \times k_{1} \)

As depicted in Fig. 6, DET simulation framework integrates both deterministic and probabilistic models. In response to an accident in the vessel, several safety systems and crew actions are demanded by the process. The transient is simulated in deterministic dynamic model and the process parameter values are obtained from vessel dynamic model with respect to time. The branches represent the possible states of the safety systems or/and crew. The sequences and vessel parameters with respect to time are obtained from the DET simulations.

Fig. 6
figure 6

DET solution of the vessel problem

Full size image

3 IDPSA Methodologies

This section describes two IDPSA methodologies available in the literature, namely, DET Informed PSA [19] and quantified DET [20].

3.1 DET Informed PSA

Figure 7 shows the high level tasks of DET Informed PSA approach, which include DET Modeling, accident simulations with DET simulator, and success criteria analysis to develop event tree models and their evaluation. Primarily DET models consists of physical models of system behavior, stochastic models of the equipment, and operator response models.

Fig. 7
figure 7

Macro tasks of DET informed PSA

Full size image

Focusing on the detailed tasks involved in this approach, firstly the scope of the overall analysis is defined including the boundary conditions of initiating event, safety functions to be considered and the variabilities to be addressed, end sequence criteria (undesirable consequence), etc. The simulation models for physical process, response of safety functions, and operator responses are developed. The accident scenarios are simulated with Simulators considering the random variabilities. The results from the simulations are analyzed to understand the accident dynamics and identify the evolutions that lead to undesirable consequence. The success criteria are identified by examining the sequences generated by DETs, initially for the individual safety functions and initiating events. Initiators and sequences with similar success criteria for each safety function are then grouped, as a basis for defining one or more event trees to represent the overall variability of initiating event. Finally, the success criteria for these trees are defined. For operator actions, additional DET simulations are used to estimate time windows (TWs) in order to calculate the Human Error Probabilities (HEPs) in consideration of the sequence boundary conditions. The overall risk is quantified and important contributors are also identified.

The quantification of event trees requires various tasks such as fault tree modeling, common cause failure modeling, human reliability analysis, and failure data (See Fig. 8). Fault trees for safety functions are developed and linked to event trees. The common cause failure modeling accounts for any implicit dependencies among similar safety equipment. DET simulations provide useful information to estimate time windows for operator actions, which are used to estimate human error probabilities. PSA parameters including probabilities and frequencies of the initiating events, hardware, and operator actions are also necessary. Finally, PSA tools are used for quantification of accident sequence models to obtain risk results including point risk estimate and important contributors to risk basic events and sequences.

Fig. 8
figure 8

Flow of tasks in DET informed PSA

Full size image

3.2 Quantified DET Based IDPSA

Figure 9 shows the high level tasks of DET quantification approach, which are DET modeling, simulation, and evaluation. DET Modeling and simulation task are quite similar to DET Informed approach. DET Evaluation replaces success criteria and bounded compact event trees modeling in this approach. In DET evaluation, all of the individual sequences that are generated are explicitly quantified. The DET sequences whose outcomes lead to undesirable consequences are identified and the frequencies for each of these failure sequences as well as total risk from the scenario are estimated.

Fig. 9
figure 9

Macro tasks of DET quantification

Full size image

Figure 10 shows a comparison between both IDPSA methodologies. Both DET Informed approach and DET quantification use the same integrated DET simulation tool. Although the DET tool and models are same, the simulations in DET-informed are with bounding while the latter approach perform simulations without bounding.

Fig. 10
figure 10

Comparison of the tasks in the IDPSA methodologies

Full size image

DET Informed PSA provides an integrated framework to account for complex dynamic interactions and stochastic variabilities among physical process, safety equipment, and operator actions. DET Informed PSA helps to get Success criteria definitions and to build a compact event tree which is quite practical in large scale PSAs of complex engineering systems. On the flipside, in DET informed PSA, bounding assumptions are inevitable to envelop the sequences and define the success requirements. Some detrimental effects of bounding may arise due to accident dynamics, which could be overlooked. Quantified DET approach does not need any bounding assumptions, thus bypassing issues associated with bounding effects. However additional computations are necessary.

DET-informed approach yields classical event trees that is compatible with the current PSA practice. Usually the classical event trees contain binary branches. On the other hand, Quantified DET approach may generate several branches for safety systems representing various combinations of conditions among the safety functions. Regarding quantification of risk, both approaches differ how safety systems are handled whose response involves a continuous aleatory variable. For example, recovery time of power supply or response time of operator actions. In classical event trees, the human error probability or recovery probability are estimated offline, then used as inputs to quantification of binary branches. In contrast, Quantified DET does not require the time windows to estimate these probabilities.

Quantified DET approach has to deal with the following practical issues: it must evaluate all generated sequences, treat support system dependencies among safety functions, as well as account for safety systems whose response is continuous. Some possible solutions for these issues were proposed in [20].

4 Case Study—MLOCA Scenario

This section presents a case study on Medium Loss of Coolant Accident (MLOCA) scenario. The application of both IDPSA approaches presented in preceding Section are described. The analysis of results primarily focuses on impact of accident dynamics as well as impact of bounding. This accident scenario is particularly chosen because its break range has strong effect on the sequence dynamics and consequently on the requirements on the safety function (success criteria). The DET models and some of the simulations of MLOCA accident scenario are adapted from the references [19, 20].

4.1 Description

The accident scenario is derived from the Zion Pressurized Water Reactor (PWR), a decommissioned 4-loop PWR with a thermal power of 3250 MW and one of the plants addressed in the NUREG-1150 study of severe accident risks [21].

In a PWR, the primary coolant (water) is pumped under high pressure to the reactor core where it is heated by the energy generated by the fission of atoms. The heated water then flows to a steam generator where it transfers its thermal energy to a secondary system where steam is generated and flows to turbines which, in turn, spin an electric generator. This is about the physical process during the normal operation of NPP. In accident conditions, we need safety systems like Emergency Core Cooling System (ECCS) to prevent core damage. When automatic systems don’t function, operator has to intervene. Figure 11 shows a simplified schematic diagram of the ECCS of the PWR. ECCS consists of a high-pressure injection (HPI) system, a low-pressure injection (LPI) system, and an accumulator in each loop (not shown); HPI consists of two charging (CH) pumps as well as two high head (HH) injection pumps and theirs associated Valves. LPI includes two Low Pressure (LP) pumps in their injection trains. All these injection trains take suction from Refueling Water Storage Tank (RWST). When the water level in RWST tank reaches low level, an alarm prompts operator in control room to manually switch the injection to recirculation from containment sump.

Fig. 11
figure 11

A schematic diagram of the ECCS of a PWR

Full size image

If HPI fails, operator must perform rapid cooldown to depressurize reactor coolant system to low pressures conditions, which allows LP injection system to prevent core damage. This rapid cooldown is manual action using steam generator dump valves. Figure 12 shows operator actions during this accident sequence, which include reactor trip alerts operator in control room, emergency procedures will be examined, required action to depressurize must follow.

Fig. 12
figure 12

Operator actions to initiate rapid cooldown

Full size image

Figure 13 shows an Event Sequence Diagram (ESD) of MLOCA scenario. The sequence of events occurring, and their interactions are shown at a high level. Following reactor trip and turbine trip, the response to a MLOCA scenario begins with a HPI phase. Subsequently, the RCS pressure drops below the set point of the accumulators (40 bars) and finally to the low pressure injection (LPI) set point (15 bars). The summary of events and their potential stochastic variabilities are also depicted in Fig. 13.

Fig. 13
figure 13

Events and their interactions in the accident scenario (simplified ESD)

Full size image

Figure 14 presents ESDs during Secondary Rapid Cooldown (SRC) and Recirculation Injection (RI) phases.

Fig. 14
figure 14

Detailed events in secondary rapid cooldown and recirculation modes

Full size image

The pivotal events involved in MLOCA scenario can be represented with a simplified event tree as shown in Fig. 15. There are four safety functions and seven sequences. Each header will have a fault tree (Fault trees are used to identify all combinations of component failures/events that can lead to system failure). Event tree represents sequences of system failures and associated consequences. The success criteria definitions of safety functions (which decide their respective probabilities) are input to the fault tree (in order to calculate their branch probabilities) modeling. The important elements of success requirements are: number of injection trains, rate and timing of cooldown, timing of recirculation. Irrespective of what method (PSA or IDPSA) we choose, plant simulations are designed (scope is defined) to provide information to know the answers to these questions which give SC definitions.

Fig. 15
figure 15

Qualitative event tree of MLOCA scenario

Full size image

Figure 16 shows the computational framework for MLOCA scenario. Simulation of accident scenario with different break sizes results in about 1000 sequences. A typical event tree for this scenario may have about 7 sequences as shown in Fig. 15, which is compact and of practical use with cut sets, importance measures, etc. Classical PSA approach usually based on a single limiting break, which may ignore the dynamic interactions, or in principle we could also take hybrid of most challenging criteria (it gives unnecessary conservatism and it does not represent any physical break). To account for dynamics, variabilities, and diversity in success requirements, split break range model can be used, which has about 30 sequences; additional sequences and appropriate success criteria definitions are used. To bypass issues associated with bounding, we can use DET quantification, meaning quantifying all the 1000 sequences.

Fig. 16
figure 16

Computational framework with three approaches

Full size image

4.2 Results—Comparison of IDPSA Approaches with PSA

The results obtained from the three methods, namely, classical PSA, DET informed PSA, and Quantified DET are considered for comparison. The obtained results include conditional core damage probabilities, core damage frequencies, critical sequences, and important basic events.

Figures 17 and 18 show event tree models from classical PSA and DET-informed approaches respectively. 7″ limiting break is assumed to represent MLOCA scenario in PSA approach, based on the results reported in [22]. DET-informed includes three split break range models, 2–4.5″, 4.5–6.5″, and 6.5–8″. Regarding event tree headers, they are different because of different time windows and high or low pressure conditions leading to different events or probabilities in fault tree. Sequence 4 (1HP) in 4.5–6.5″ event tree leads to core damage (CD) as there is no cue for OA for cooldown. To quantify risk estimates, fault trees of safety systems, CCF models, HRA models, and failure data were plugged into the event trees. In Quantified DET approach, large event trees consisting of 1000 sequences were quantified (a section of DET can be seen in Fig. 9).

Fig. 17
figure 17

Event tree of classical PSA approach

Full size image
Fig. 18
figure 18

Event trees of DET informed PSA approach

Full size image

Figure 19 shows a comparison of the obtained core damage frequency (CDF) estimates among three methods. The core damage frequency (CDF) indicates the likelihood of an accident that would cause damage to reactor core, which also incorporates the probability of the breaks occurring. The results indicate the classical PSA approach is the most conservative, followed by DET-informed approach. The classical approach is significantly higher than quantified DET by a factor of 14 while DET-informed is higher by almost a factor of 5. PSA and DET-informed estimates are higher than quantified DET, due to conservative bounding success criteria (limiting time windows).

Fig. 19
figure 19

Comparison of core damage frequencies among three methods

Full size image

Figure 20 shows a comparison of Fussel-Veseley importance measure of basic events. In PSA and DET-informed quantification, operator action during recirculation has the highest importance measure and none of the other basic events has comparable measure. Interestingly in quantified DET results, CCF event of LP injection is as important as operator action. Due to the conservative human error probability in PSA and DET-informed quantification, the importance of hardware events was underestimated. Quantified DET gave more realistic results as the impact of bounding is not present.

Fig. 20
figure 20

Comparison of important events

Full size image

5 Summary

In the current case study, bounding in PSA and DET informed quantification lead to conservative estimate of overall risk (core damage frequency), but it can be sensitive to bounding assumptions and their ability to capture accident dynamics. Also both quantifications underestimated the percentage risk contribution and importance of events due to bounding success criteria. Bounding gets complicated when we consider physical parameter uncertainties and epistemic uncertainties of failure and repair parameters. The IDPSA approach, quantified DET, improves the modeling of accident dynamics, eliminates the effects of bounding, and provides a framework propagate the epistemic uncertainties of the physical model, safety system model, and operator response models. However, quantified DET requires additional computations as well as the discretization of continuous stochastic responses.