Station Blackout Risk of a Nuclear Power Plant with Consideration of Time Dependencies and Common Cause Failures

One of the most significant risk contributors to a nuclear power plant is the station blackout (SBO) risk. The calculation of an SBO risk is complicated because different scenarios involving the failures of various components, and their time dependencies must be considered. Because time dependency modeling is difficult, the conventional approach based on event trees (ETs) and fault trees (FTs) makes conservative assumptions when calculating the SBO risk. This study describes how these time dependencies can be effectively modeled and provides the mathematical formulas to model the time dependencies when calculating the SBO risk of a nuclear power plant when there exist redundant components and their common cause failures are considered. The mathematical formulas used to model the time dependencies are validated by Monte Carlo simulations. The conventional ET/FT approach is compared with the time dependency modeling approach to evaluate the conservativeness of the results it generates. Two significant factors affecting the degree of conservativeness of the conventional ET/FT approach are also examined. The time dependency modeling with consideration of the common cause failures described in this study is expected to provide a sound mathematical framework for analyzing the SBO risk of a nuclear power plant.


Introduction
According to the International Atomic Energy Agency [1], nuclear energy provides approximately 10% of the world's electricity. The safe and reliable operation of nuclear power plants (NPPs) is crucial for the sustainable, carbon-free supply of electricity. Nuclear energy is also considered an important candidate for hydrogen production [2]. Therefore, accurately estimating the risks associated with NPPs is crucial for ensuring their safe and reliable operation.
The probabilistic risk assessment (PRA) is a quantitative method to calculate the risk from NPPs. Since the publication of WASH-1400 [3], the PRA has become an important tool not only for the safe and reliable operation of NPPs but also for supporting various regulatory decision-making. One of the most significant contributors to the NPP risk identified by the PRA is the station blackout (SBO) risk.
In an SBO, an NPP experiences a loss of offsite power (LOOP) followed by the failure of the emergency diesel generators (EDGs). An SBO is a dangerous condition because there is no alternating current (AC) power to operate the safety systems and their pumps and valves to cope with the condition. Managing SBOs is an important safety consideration not only for light water reactors but also in other reactor types such as lead-bismuth reactors [4], sodium-cooled fast reactors [5], and lead or lead-alloy-cooled fast reactors [6].
Nuclear regulations require NPPs to be able to manage an SBO, and the SBO rule (10 CFR 50.63) [7] and Regulatory Guide 1.155 [8] by the United States Nuclear Regulatory Commission are examples of where these regulations can be found. One way to meet these requirements is to install an independent emergency generator such as an alternative AC diesel generator (AAC DG). With AC power from the AAC DG, an NPP can operate motor-driven pumps (MDPs) to provide feedwater to remove the decay heat generated by the nuclear fuel. If the AAC DG is not available, an NPP operates turbine-driven pumps (TDPs), which are powered by safety-grade direct current (DC) batteries to provide feedwater.
One of the issues identified in the SBO risk calculation in the practice of a PRA of an NPP is the insufficient consideration of time dependencies. The conventional ET/FT approach uses conservative assumptions instead of directly addressing the time dependency issue. However, there are several studies that have addressed the time dependency issue. For example, the EPRI TR 1009187 [19] provides a rigorous mathematical development of the time-averaging technique. Smith et al. [20] discussed the use of a simulation approach to model the time interactions directly. Sutton et al. [21] provided a practical method for calculating the convolution factors for up to three time-dependent events. Knudsen et al. [22] described the convolution correction factor adjustments with two EDGs. George-Williams et al. [23] suggested utilizing multistate node models comprising matrices to explain the interdependencies between different elements. Degonish [24] presented various insights and lessons learned from the application of the convolution methodology, and Krcal et al. [25] discussed the dynamic treatment of cut sets. The author in [26] presented a systematic approach for time dependency modeling and the mathematical development for conditional core damage probabilities under an SBO of an NPP when the SBO situation is managed with one AAC DG and one TDP.
Nevertheless, the previous studies that address the time dependency modeling issue do not consider redundant components for mitigating SBO and their common cause failures (CCFs). Therefore, their approaches apply to reactor types equipped with one TDP to supply feedwater. However, many reactor types are equipped with multiple redundant TDPs to supply feedwater. Because CCFs play a significant role in estimating the risk from NPPs, CCFs must be properly considered in the time dependency modeling of redundant components.
This study is an extension of the previous studies by including redundant components and their CCFs. Because redundant components are considered, the combination of their CCFs as well as independent failures must be considered so that the proposed approach is consistent with the current practice of the PRA. Therefore, the combination of fail-to-start and fail-to-run failures of the redundant components including their CCFs is considered in the proposed approach.
Section 2 explains how the consideration of SBO sequences should be extended for time dependency modeling compared with the conventional approach. Section 3 presents the mathematical formulas for the sequence probabilities for time dependency modeling and compares them with those of the conventional approach. Section 4 presents the numerical results with the failure probabilities, failure rates, and time-related data typically applied to the PRA of an NPP. Section 5 presents the conclusions of this paper.

SBO Sequences
When there are two TDPs, the failure of both TDPs can be divided into three cases: both TDPs fail to start, one TDP fails to start and the other TDP fails to run, and both TDPs fail to run. The first and third cases are further divided into whether the TDP failure is caused by CCFs or independent individual failures. Therefore, the cases are divided into the following five cases:
(i) Both TDPs fail to start (CCF)
(ii) Both TDPs fail to start (independently)
(iii) One TDP fails to start and the other TDP fails to run
(iv) Both TDPs fail to run (CCF)
(v) Both TDPs fail to run (independently)
The above five cases include the fail-to-start and fail-to-run failure modes as well as the CCFs of the two failure modes of the TDPs. Figure 1 shows the conventional approach for considering AAC DG and TDP failures after an SBO in an event tree form. An SBO can be properly managed if the AAC DG or at least one TDP successfully starts and runs during mission time. The conventional approach does not distinguish between the fail-to-start and fail-to-run failure modes of the AAC DG and TDPs or their CCFs. In addition, conservative assumptions are used where time dependency cannot be properly considered. Figure 2 shows the identification of the SBO sequences with consideration of the fail-to-start and fail-to-run failures of the AAC DG and TDPs in an event tree form. Figure 2 depicts the classification of the analysis process rather than the nature of the existing event tree. For the AAC DG, the fail-to-start and fail-to-run failures are considered. For the TDPs, the five combinations of both the TDP failures mentioned above are considered. The SBO sequence identification (Figure 2) distinguishes between the fail-to-start and fail-to-run failure modes of the AAC DG and TDPs including the CCFs, so that the time dependency associations can be properly considered.
In total, twelve core damage sequences are identified for which the mathematical formulas for the sequence probabilities are developed in Section 3.
The most important difference between this study and the author's previous publication [26] is the extension from one TDP to multiple TDPs so that the approach can be applied to NPPs with multiple TDPs. Because multiple TDPs are considered, their CCFs (in the fail-to-start and fail-to-run failure modes) are also considered. By developing a method for two TDPs, it is expected that the method can be extended to NPPs with more than two TDPs in a similar way. The twelve sequences are divided into two groups depending on whether the AAC DG fails to start or fails to run. For each group, there are six sequences: five sequences depending on how the two TDPs fail and one sequence for the depletion of the DC batteries that provide the control power to operate the TDPs. In this paper, the mathematical formulas for the twelve sequences are developed.

Mathematical Formulas for SBO Sequence Probabilities
In this paper, it is assumed that an SBO is caused by the start failures of the EDGs followed by a LOOP. To define the modeling parameters for the different components and their failure modes including the CCFs in a consistent and concise way, the modeling parameters and subscripts are first defined. The probability of failure is denoted as $p$, the failure rate is denoted as $\lambda$, and the probability density function and the cumulative distribution function are denoted as $f(t)$ and $F(t)$, respectively. The reliability function is denoted as $R(t)$.
The subscripts "A," "T," and "B" represent the AAC DG, TDPs, and safety-grade DC batteries. The subscripts "S" and "R" represent the fail-to-start and fail-to-run independent failure modes. The subscripts "W" and "K" represent the fail-to-start and fail-to-run CCF modes, while the subscript "D" represents the depletion of the safety-grade DC batteries. For example, the subscript "AS" implies the AAC DG's fail-to-start failure mode. Also, $p_{AS}$ and $f_{TR}(t)$ indicate the probability that the AAC DG fails to start and a TDP fails to run independently, respectively. Because there are two TDPs, the subscripts for the independent failures of the two TDPs should also be defined. The subscripts "SS" and "RR" represent independent fail-to-start and fail-to-run failures, respectively. The subscript "SR" implies that one TDP fails to start and one TDP fails to run. For example, $p_{TSS}$ and $f_{TRR}(t)$ indicate the probability of the two TDPs failing to start independently and the probability density function of the two TDPs failing to run independently, respectively. Table 1 provides the notations and their descriptions used in the mathematical modeling along with the numerical data used in the example of Section 4. The base failure probabilities and failure rates are from NUREG/CR-6928 (2020 update) [27,28], and the CCF data are from NUREG/CR-5497 (2020 update) [29,30]. The two data sources are typically applied to PRAs of NPPs. In Table 1, the value of $p_{TW}$ is calculated by multiplying the base failure probability with the corresponding CCF data. Similarly, the value of $\lambda_{TK}$ is calculated by multiplying the failure rate with the relevant CCF data. The time-related parameters are application-specific and should be determined based on a thermal-hydraulic analysis, the scope of the PRA, and the capacity of the DC batteries. For the example in Section 4, typical values are assumed.

International Journal of Energy Research
The available time for AC power recovery is the sum of the time the AAC DG has run, the time a TDP or TDPs has run, and $T_c$. When the AAC DG or TDP fails to start, the time the component has run becomes zero.
For fail-to-run failures, a failure rate is assumed constant, and therefore, the time to failure follows an exponential distribution. The probability density function, cumulative distribution function, and reliability function are, respectively,
The probability distribution for the nonrecovery of AC power before $t$ is assumed to follow a lognormal distribution as
where $\mu$ and $\sigma$ are the mean and standard deviation of the natural logarithms of the data, respectively. Figure 3 shows $p_{NRAC}(t)$ for four event types provided in NUREG/CR-6890 (2020 update) [12,31]. It is noted that the 2021 update of NUREG/CR-6890 is also available.
The $p_{NRAC}(t)$ for the switchyard-centered event type is used in the example of Section 4.
The probability that both TDPs fail to start due to independent start failures is
When both TDPs fail to run due to independent run failures of both TDPs, the time to failure of the TDPs is given as the time that the second TDP fails, under the condition that the success criterion for the two TDPs is the operation of at least one TDP. In simpler terms, if the first TDP fails at time $t_1$ and the second TDP fails at time $t_2$, the time to failure for both TDPs is defined as $t_2$. The cumulative distribution function for the time the second TDP fails is
The reliability of the system of two TDPs is
Therefore, its probability density function is

3.1. The Conventional Approach
In this section, the mathematical formulas for the twelve sequences shown in Figure 2 are derived based on the conventional approach.

3.1.1. When the AAC DG Fails to Start
In Figure 2, the fail-to-start failure of the AAC DG may lead to one of six core damage sequences: 15, 17, 19, 21, 23, and 25. Because the AAC DG fails to start, the mission time of the TDPs is assigned as $T_{bd}$, instead of $T_m$, because the TDPs are not able to operate beyond $T_{bd}$. This approach may be different from the current practice of PRAs, but it is more reasonable and consistent with the exact calculation results.
The mathematical formulas for the six sequence probabilities are as follows:
(i) When both TDPs fail to start owing to CCFs (sequence 25),
(ii) When both TDPs fail to start independently (sequence 23), where $p_{TSS}$ is given in Equation (3)
(iii) When one TDP fails to start and one TDP fails to run (sequence 21),
(iv) When both TDPs fail to run owing to CCF (sequence 19),

(v) When both TDPs fail to run independently (sequence 17), where $F_{TRR}(t)$ is given in Equation (4)
(vi) When the TDPs cannot run because the DC batteries are depleted (sequence 15),

3.1.2. When the AAC DG Fails to Run
In Figure 2, the fail-to-run failure of the AAC DG may lead to one of six core damage sequences: 3, 5, 7, 9, 11, and 13. Because the AAC DG fails to run, the mission time of TDPs is assigned as $T_m$ because the TDPs may need to operate up to $T_m$. The mathematical formulas for the six sequence probabilities are as follows:
(i) When both TDPs fail to start owing to CCF (sequence 13),
(ii) When both TDPs fail to start independently (sequence 11),
(iii) When one TDP fails to start and one TDP fails to run (sequence 9),
(iv) When both TDPs fail to run owing to CCF (sequence 7),
(v) When both TDPs fail to run independently (sequence 5), where $F_{TRR}(t)$ is given in Equation (4)
(vi) When TDPs cannot run because DC batteries are depleted (sequence 3),

(i) When both TDPs fail to start owing to CCF (sequence 25),
(ii) When both TDPs fail to start independently (sequence 23),
(iii) When one TDP fails to start and one TDP fails to run (sequence 21),
(iv) When both TDPs fail to run owing to CCF (sequence 19),
(v) When both TDPs fail to run independently (sequence 17), where $f_{TRR}(t)$ is given in Equation (6)
(vi) When TDPs cannot run because DC batteries are depleted (sequence 15),
In Equation (24), the first and second terms in the bracket are for the situations in which one TDP fails to start and the other TDP operates successfully until the DC batteries are depleted and when both TDPs operate successfully until the DC batteries are depleted, respectively.

3.2.2. When the AAC DG Fails to Run
The mathematical formulas for the probabilities of the six sequences after the fail-to-run failure of the AAC DG with consideration of time dependencies are as follows:
(i) When both TDPs fail to start owing to CCF (sequence 13),
(ii) When both TDPs fail to start independently (sequence 11),
(iii) When one TDP fails to start and one TDP fails to run (sequence 9),
(iv) When both TDPs fail to run owing to CCF (sequence 7),
(v) When both TDPs fail to run independently (sequence 5), where $f_{TRR}(t)$ is given in Equation (6)
Similar to Equation (24), the first and second terms in the bracket in Equation (30) are for the situations in which one TDP fails to start and the other TDP operates successfully until the DC batteries are depleted and when both TDPs operate successfully until the DC batteries are depleted, respectively.

Conditional Core Damage Probability for an SBO
The conditional core damage probability (CCDP) of an SBO caused by the EDGs' failure to start is calculated as the sum of the twelve sequence probabilities in Equations (7)-(18) for the conventional approach and Equations (19)-(30) for the time dependency modeling approach.
$$CCDP_{SBO-S} = \left(P_{AS,TW} + P_{AS,TSS} + P_{AS,TSR} + P_{AS,TK} + P_{AS,TRR} + P_{AS,BD}\right) + \left(P_{AR,TW} + P_{AR,TSS} + P_{AR,TSR} + P_{AR,TK} + P_{AR,TRR} + P_{AR,BD}\right).$$

3.4. Discussion
The mathematical formula of $P_{AS,BD}$ for the conventional approach in Equation (12) is slightly different from that of the time dependency modeling approach in Equation (24). The conventional approach slightly underestimates the probability when one TDP fails to start and one TDP operates successfully until the DC batteries are depleted. However, as long as $F_{TK}(T_{bd})$ and $F_{TRR}(T_{bd})$ are sufficiently small, the difference is insignificant. A similar difference can also be found in the mathematical formulas of Equations (18) and (30) for the conventional approach and the time dependency modeling approach, respectively.

Numerical Results
The numerical data in Table 1 are applied to the conventional approach, the time dependency modeling approach, and the Monte Carlo simulation. First, the mathematical formulas for the time dependency modeling approach in Equations (19)-(30) are validated by the Monte Carlo simulations. Then, the numerical results from the conventional approach and the time dependency modeling approach are compared to determine the conservativeness of the results the conventional approach provides. Next, the degree of conservativeness of the conventional approach is examined by varying two time-related factors, $p_{NRAC}(t)$ and the mission time.

Validation and Comparison
Monte Carlo simulations were performed to validate the mathematical formulas with consideration of the time dependencies in Equations (19)-(30). Each simulation was performed with $10^8$ sample sets, and ten simulations were performed. Table 2 shows the Monte Carlo simulation results. For each simulation, the sequence probability for the OK state was also calculated to confirm that the sum of all sequence probabilities is one. Table 3 compares the probabilities calculated by the conventional approach with Equations (7)-(18), those calculated by the time dependency modeling approach with Equations (19)-(30), and the average of ten Monte Carlo simulation results. The ratios are between the conventional and time dependency modeling approaches, given as the probabilities calculated with the conventional approach to those calculated with the time dependency modeling approach. The errors are between the time dependency modeling approach and the Monte Carlo simulations. Figure 4 visually compares the numerical results from the three approaches. For the SBO caused by the start failures
The numerical results from the time dependency modeling approach are in good agreement with those from the Monte Carlo simulations. The difference in the conditional core damage probabilities calculated by the time dependency modeling and Monte Carlo simulations is as insignificant as 0.01%. The two greatest errors (5.39% and 4.31%) are found in $P_{AR,TW}$ and $P_{AR,TSS}$, which are the two lowest sequence probabilities. This is mainly caused by the relatively small number of samples compared with the sequence probabilities, in which, for example, $10^8$ samples were used to estimate probabilities around 1E-07. Therefore, the sequence probabilities calculated by the time dependency modeling approach can be considered exact.
The values for $P_{AS,TW}$, $P_{AS,TSS}$, and $P_{AS,BD}$ are similar for the conventional and time dependency modeling approaches, i.e., the ratios in Table 3 are 1 because the time dependency is not involved in the three probabilities. When time dependencies are involved, the conventional approach adopts conservative assumptions, and therefore the probabilities calculated with the conventional approach are greater than those calculated with the time dependency modeling approach, i.e., the ratios in Table 3 are greater than 1. In the case of $P_{AS,TRR}$, the conventional approach
For the sequence probabilities when the AAC DG fails to start, the conventional approach results in sequence probabilities that are approximately two times greater compared with the time dependency modeling approach. These ratios are attributed to the fail-to-run failures of the TDPs. For the sequence probabilities when the AAC DG fails to run, the conservative approach results in sequence probabilities that are up to fifteen times greater. These ratios are attributed to the fail-to-run failures of both the AAC DG and TDPs. By comparing the ratios for $P_{AS,TSR}$, $P_{AS,TK}$, and $P_{AS,TRR}$ and those for $P_{AR,TW}$ and $P_{AR,TSS}$, it is found that the contribution of the fail-to-run failure of the AAC DG is greater than that of the fail-to-run failures of the TDPs. This observation is supported by Table 3, which depicts the impact of both AAC DG and TDPs' fail-to-run failures on the conservativeness of the conventional approach. Specifically, the ratios for $P_{AR,TW}$ and $P_{AR,TSS}$ are both 4.10, while the ratios for $P_{AS,TSR}$, $P_{AS,TK}$, and $P_{AS,TRR}$ are 1.63, 1.64, and 1.93, respectively.

Dependency on $p_{NRAC}(t)$ and Mission Time
The conventional approach uses $p_{NRAC}(t)$ for a specific time point when calculating the sequence probabilities, whereas the time dependency modeling approach uses $p_{NRAC}(t)$ for the entire range of the mission time. As the $p_{NRAC}(t)$ decreases more quickly, the sequence probabilities calculated with the time dependency modeling approach become smaller compared with those calculated with the conventional approach. In other words, the ratios of the probabilities calculated with the conventional approach to the probabilities calculated with the time dependency modeling approach increase as the $p_{NRAC}(t)$ decreases more quickly. The ratios also increase as the mission time increases. Figure 5 shows the dependency of the ratios on $p_{NRAC}(t)$. The four $p_{NRAC}(t)$ datasets are associated with the four LOOP event types in NUREG/CR-6890 (2020 update) and are shown in Figure 3. The ratios are in the order of grid-related, switchyard-centered, plant-centered, and weather-related. This order is closely related to how quickly the $p_{NRAC}(t)$ decreases in Figure 3. When the $p_{NRAC}(t)$ data from EPRI 1009187 [19] are applied, the ratio of $P_{AR,TRR}$ can be up to 644.27 for the grid-related LOOP event. Figure 6 shows the dependency of the ratios on the mission time. For three mission times (24, 48, and 72 hours), the ratios increase linearly as the mission time increases. Therefore, $p_{NRAC}(t)$ and the mission time have significant effects on the conservativeness of the sequence probabilities calculated by the conventional approach.
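The contrast described above, together with the Section 3 definition of the two-TDP failure time as the time the second TDP fails, can be reproduced for one simplified sequence (AAC DG already failed to start, both TDPs fail to run independently). This is an added example, not code or data from the paper: all numerical values are constructed, start failures, CCFs and the battery depletion sequence are left out, and the conventional form is assumed to evaluate the nonrecovery probability at $T_c$ only.

```python
import math
import random

# Constructed illustrative values, NOT the paper's Table 1 data. The run
# failure rate is inflated so that a small Monte Carlo run converges quickly.
LAMBDA_TR = 0.05      # TDP independent fail-to-run rate (per hour)
MU, SIGMA = 0.3, 1.0  # lognormal parameters of the AC recovery time (hours)
T_C = 1.0             # the T_c term of the available recovery time (hours)
T_BD = 8.0            # time beyond which the TDPs cannot operate (hours)


def p_nrac(t):
    """Probability that AC power is not recovered before t (lognormal)."""
    if t <= 0.0:
        return 1.0
    z = (math.log(t) - MU) / SIGMA
    return 0.5 * math.erfc(z / math.sqrt(2.0))


def cdf_trr(t):
    """CDF of the time at which the second of two independent TDPs fails."""
    return (1.0 - math.exp(-LAMBDA_TR * t)) ** 2


def pdf_trr(t):
    """Density of the second failure time (derivative of cdf_trr)."""
    e = math.exp(-LAMBDA_TR * t)
    return 2.0 * LAMBDA_TR * e * (1.0 - e)


def conventional():
    """Assumed conservative form: no TDP run time is credited for recovery."""
    return cdf_trr(T_BD) * p_nrac(T_C)


def time_dependent(steps=2000):
    """Simpson integration of pdf_trr(t) * p_nrac(t + T_C) over [0, T_BD]."""
    h = T_BD / steps
    g = lambda t: pdf_trr(t) * p_nrac(t + T_C)
    total = g(0.0) + g(T_BD)
    for i in range(1, steps):
        total += (4.0 if i % 2 else 2.0) * g(i * h)
    return total * h / 3.0


def monte_carlo(samples=400_000, seed=1):
    """Sample failure and recovery times directly to check the integral."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(samples):
        # Both TDPs are lost when the later of the two run failures occurs.
        t2 = max(rng.expovariate(LAMBDA_TR), rng.expovariate(LAMBDA_TR))
        if t2 >= T_BD:
            continue  # a TDP survives to T_BD: not this sequence
        # Core damage if AC power is still not recovered at t2 + T_C.
        if rng.lognormvariate(MU, SIGMA) > t2 + T_C:
            hits += 1
    return hits / samples


if __name__ == "__main__":
    conv, td, mc = conventional(), time_dependent(), monte_carlo()
    print(f"conventional   = {conv:.4e}")
    print(f"time-dependent = {td:.4e}  (ratio {conv / td:.2f})")
    print(f"Monte Carlo    = {mc:.4e}")
```

Lowering `SIGMA` or `MU`, which makes the nonrecovery curve fall faster, widens the ratio between the two results, which is the trend the section attributes to $p_{NRAC}(t)$.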

Conclusions
To calculate the risk from an NPP, the SBO risk should be accurately calculated with consideration of time dependencies. This paper extends the time dependency modeling in the calculation of the SBO risk of an NPP by considering redundant components and their CCFs.
The mathematical formulas to calculate the sequence probabilities with the consideration of time dependencies and CCFs are derived and validated with Monte Carlo simulations. After conducting ten Monte Carlo simulations, each utilizing $10^8$ sample sets, the difference in the CCDPs calculated by the time dependency modeling approach and the Monte Carlo simulations is as insignificant as 0.01%. The differences in the individual sequence probabilities are also small, with the two greatest differences being 5.39% and 4.31% for the two lowest sequence probabilities.
Mathematical formulas are also derived for the conventional approach to evaluate the conservativeness of the sequence probabilities calculated by the conventional approach. This is because the sequence probabilities calculated by the time dependency modeling approach can be considered exact. The more fail-to-run failures are involved, the more conservative the calculation results provided by the conventional approach. For example, the sequence probability when the AAC DG fails to run and the TDPs fail to run independently becomes approximately fifteen times more conservative when the conventional approach is used. The degree of conservativeness by the conventional approach is dependent on the probability distribution of the nonrecovery of AC power and the mission time. As the probability distribution of the nonrecovery of AC power decreases more quickly over time or the mission time increases, the conventional approach provides more conservative sequence probabilities.
The time dependency modeling provided in this paper effectively decomposes complicated SBO scenarios and provides exact sequence probabilities. This approach is expected to provide a sound mathematical framework for analyzing the SBO risk of an NPP.

Data Availability
The calculation and simulation data used to support the findings of this study are included within the article.

Conflicts of Interest
The author declares that there is no conflict of interest regarding the publication of this paper.