Application of REPAS Methodology to Assess the Reliability of Passive Safety Systems

The paper deals with the presentation of the Reliability Evaluation of Passive Safety System (REPAS) methodology developed by University of Pisa. The general objective of the REPAS is to characterize in an analytical way the performance of a passive system in order to increase the confidence toward its operation and to compare the performances of active and passive systems and the performances of different passive systems. The REPAS can be used in the design of the passive safety systems to assess their goodness and to optimize their costs. It may also provide numerical values that can be used in more complex safety assessment studies and it can be seen as a support to Probabilistic Safety Analysis studies. With regard to this, some examples in the application of the methodology are reported in the paper. A best-estimate thermal-hydraulic code, RELAP5, has been used to support the analyses and to model the selected systems. Probability distributions have been assigned to the uncertain input parameters through engineering judgment. Monte Carlo method has been used to propagate uncertainties and Wilks’ formula has been taken into account to select sample size. Failure criterions are defined in terms of nonfulfillment of the defined design targets.


Introduction
Passive systems deserve a special attention within the nuclear technology owing to their potential to increase the safety level of the power plants and to reduce the cost for the energy production.The intensive use of passive systems in the new nuclear technology needs a robust assessment of their reliability.The passive safety systems for their nature, because their functioning depends only on natural physical laws and not on an external source of supplied energy, are more reliable than the active ones.Nevertheless the passive systems may fail their mission as consequence of components failure, deviation of physical phenomena, boundary and initial conditions.
The extensive use of passive safety systems, mainly in advanced reactors design, makes necessary to deeply study the approach to their reliability assessment.This implies not only the consideration of mechanical components, evaluated through classical risk assessment tools (e.g., Failure Mode and Effects Analysis (FMEA), FTA, Hazard Operational Analysis (HAZOP), etc.), but also the consideration of the associated TH phenomena in terms of the deviation from expected system behavior due to "alterations" in the environmental conditions.
In the present paper an overview of the REPAS methodology is reported with its application and its effectiveness is briefly shown.It is also shown how it can be used to support the design of the passive systems.
The reliability evaluation of passive system needs a suitable methodology aiming to determine the passive system reliability function, which is the failure probability of the physical principle upon which the system operation is relying [1].
A pioneering activity aimed to evaluate the reliability of passive systems was proposed in mid-1990s within the framework of bilateral contacts between CEA and ENEA.In 2000 this issue was studied by the University of Pisa (UNIPI) [2].Later on, cooperation between ENEA, UNIPI, Polytechnic of Milan, and University of Rome leads to the proposal of a methodology called REPAS.The methodology was applied to evaluate the reliability of an existing passive system design where two-phase Natural Circulation (NC) takes place.
The methodology was embedded in the Reliability Methods for Passive Safety (RMPS) methodology, developed within the framework of a project called RMPS functions, under the European 5th Framework program [3,4].
Actually the methodology is in the setting up phase for an absolute evaluation of the reliability of passive safety system function.
It is important to give the following definition to understand the proposed issue The Accuracy.Is the known bias (or difference) between a code prediction and the actual (measured) transient performance of a real facility.
The Uncertainty.Analysis (of a code prediction) implies a procedure to evaluate the precision (or the error) that characterizes the application of a best-estimate code.
The Reliability.Analysis (of a system) aims at characterizing the ability of a system "to operate satisfactorily," following assigned specifications, over a period of time.

REPAS Methodology Overview
The REPAS methodology can be subdivided in the following main steps ( [1,[5][6][7][8][9]): (a) characterization of design/operational status of the system (identification of relevant parameters connected with the TH phenomenon: design and critical parameters), (b) definition of nominal values, range of variation and assigned probability distributions to design and critical parameters, (c) deterministic (based on engineering judgment) and statistic (e.g., through Monte Carlo procedure) selection of system status, (d) definition of failure criteria for the system performance (starting from the knowledge of the system mission and the identification of the accident scenario and allowing the definition of design targets for passive system); the failure criteria are established as single targets (e.g., the system shall deliver a specific quantity of liquid within a fixed time) or as a function of time targets or integral values over a mission time (e.g., the system shall reject at least a mean value of thermal power all along the system actuation); in some cases, it can be better to define a global Failure Criterion (FC) of the complete system instead of a specific criterion concerning the passive system; for instance, the FC can be based on the maximal clad temperature during a specified period; in this case, it is necessary to model the complete system and not only the passive system, (e) detailed code modeling; once the system mission, accident scenario, and FC are established, a system model has to be developed by means of a bestestimate TH code (e.g., RELAP5), (f) direct Monte Carlo simulation applied to TH code; it involves the propagation of the uncertain selected parameters through the considered TH code obtaining a model response (i.e., output variable) which allows, by means of statistic methods, to estimate the probability of failure of the passive function, (g) sensitivity analysis, (h) quantitative reliability evaluation.

Description of Analyzed Systems
The REPAS methodology has been applied to three NC systems.The three systems are (i) a prototypical integrated system: the related analysis can be considered as an exercise scope calculation; (ii) the scaled Isolation Condenser (IC) of a Simplified Boiling Water Reactor (SBWR) [2]; (iii) the TTL-1 experimental apparatus [6].
In the first case the analyzed system is a typical "pool heat removal system."The heat source, the steam generator and the primary recirculation loop, are contained inside the Reactor Pressure Vessel [10].
The simplified layout of this prototypical reactor is shown in Figure 1, where there is also evidenced the external passive safety system.The performance of that system is the main objective of the analysis.
The second analyzed system is the IC, which is part of the SBWR design.A sketch of the system is given in Figure 2.
The third analyzed system, the TTL-1 experimental apparatus [6,11], is a separate effect test facility that has been designed at the Atomic Energy Organization of Iran   (AEOI), in the context of research programs in the NC field.The sketch of the loop is given in Figure 3.The maximum pressure and power at which the loop can operate are 1 MPa and 50 kW, respectively.More details about the system configuration are given in [6].

REPAS Application
In the following subsections are reported the application steps of the methodology above briefly described.In particular is deeply described the application and the results obtained of the REPAS methodology to a pool heat removal system of a prototypical integrated system (case a) while for the other two systems (cases b and c) are outlined only the main outcomes of the application (see Section 5).

Characterization of Design/Operational Status for the
System.The first step is the characterization of the system, in particular the identification of relevant parameters connected with the TH phenomenon.The relevant parameters are defined design and critical parameters.
Design Parameters.are mainly related to the nominal system configuration, for example, nominal power, pressure, level, and may include also geometrical parameters.
Critical Parameters.are physical quantities that may affect the mission of the passive system like presence of noncondensable gas in an NC system.In Tables 1 and 2 are reported the design and critical parameters; for each of them are defined nominal values, range of variation, and an assigned probability distributions.The full characterization of a thermal-hydraulic system may need a very large number of such parameters.Therefore, a bounded number of parameters should be selected deterministically (based on engineering judgment) and statistically (e.g., through a Monte Carlo procedure).

Definition of Failure Criteria.
The knowledge of the system missions and failure modes allows evaluating the failure criteria.The accident scenario considered is a loss of the ultimate heat sink with the hypothesis of loss of all safety systems involved, no feed and bleed strategy is taken into account, and so forth Considering that transient, the system mission is to remove the decay heat reducing the pressure in the primary system.The design FC defined for the transient sequence is the opening of the safety valves during any stage of the transient.To characterize the passive system behavior (or passive system performance) three Transient Performance Indicators (TPI) are defined.In particular they have to indicate how far the system is from the opening condition of the passive safety valve of the condenser system.
In terms of the system mission two design targets can be defined: long-term (e.g., hot shutdown condition) and shortterm (e.g., primary overpressure) design target.The failure of the system is reached when passive safety valves are open.
The TPIs defined are (i) (ii) where P HX is the Power exchanged across the condensers tubes, P CORE is the Core power, T PRHRS is the activation time, p is the primary circuit pressure, eot is the end of transient (65000 seconds).

Detailed Code
Modeling.RELAP5 mod 3.3 input deck has been developed to perform the TH analyses.The model involves the Primary System and the pool for the removal of decay heat (see Figure 4).The primary circuit has been set up by modeling the most relevant components: Reactor Pressure Vessel (RPV), Steam Generator (SG), Down-Comer (DC), Core, Lower Plenum (LP) and Upper Plenum (UP).
The passive heat removal nodalization includes steam line and return line, condensers, and the pool.
In order to simulate properly the natural circulation inside the pool, a detailed model has been adopted with specific feature coming from engineering judgments and user experience (e.g., by pass line, slice nodalization).

Direct Monte Carlo Simulation Applied to TH Code.
The purpose of direct Monte Carlo simulation is to assess the propagation of the uncertain parameters through the TH code in order to obtain a model response (set of code run).In particular it consists in sampling the identified parameters, running, for each obtained sample, the system model computer code and estimating the characteristics of the output variables.This method was used to evaluate the failure probability p f (an estimation can be obtained dividing the number of simulation cycles in which the failure criteria take places by the total number of simulation cycles) associated with the failure criteria of the system defined above ( [1,3]).
In the following subsections the main steps of direct Monte Carlo simulation (i.e., sampling and best-estimate code run) are outlined, describing the used procedures and the results obtained.Also best estimate code run results are reported based on deterministic selection of input cases coming from engineering judgment and sensitivity analysis outcomes.
4.4.1.Sampling.Simple Random Sampling (SRS) method was adopted to obtain the parameters samples.The method generates randomly all values of parameter sample from their defined distribution.
Simple Random Sampling Procedure.The parameter samples, through SRS, are obtained considering the following three main steps.
(1) to draw the value of the truncated cumulative distribution function by sampling a uniform distribution u = U(0, 1), (2) to obtain the correspondent value (y = F(x)) of the non truncated cumulative distribution by means of the following correction: (3) to feed this probability into the inverse of the cumulative distribution function in order to obtain the parameter sample (x): Consider the following definitions.
For normal distribution, we have the following.
(i) Cumulative function is For lognormal distribution, we have the following.
(i) Cumulative function is (ii) Inverse of F is  sample value for each parameter.In the plot shown in Figure 5 the overall input vectors are reported.
From the plot it can be seen that some parameters were not sampled in their full range (blank regions); this outcome led to the necessity of generating additional deterministic cases in order to add completeness to the study.

Stochastic and Deterministic Selection of Input
Cases.The stochastic selection has been made sampling the defined design and critical parameters (Tables 1 and 2).
A hundred samples were obtained for each parameter implying the same number of code runs.The input set was built as follows where S j is the set of parameters used to perform the jth code run (with: j = 1, 2, . . ., 100), and P i− j is the jth sample value of parameter i.
The number of code runs (and then the number of samples for each parameter) was calculated by means of Wilks' formula [12].
Wilks' formula gives the proper number of independent observations of the random output (Y ) (minimizing the number of calculations that characterize the system performance) in order to fulfill the following relationship: Based on the hypothesis that nothing is known about the output distribution function-f Y(y)-except that it is continuous, we have the following.
(i) α is the probability content limit.It gives a lower limit to the proportion of the distribution included in the tolerance interval [L, U].This proportion is called probability content (pc) and is given by the following expression: (ii) β is the confidence level.It gives the probability that the tolerance interval [L, U] has a probability content major than α.
The number of independent observations of the output variable (i.e., number of code runs) for the two-sided tolerance interval is calculated by the following equation: The tolerance interval [L, U] is given by L = y 1 , U = y N ; where y 1 = min[y k ] and According to this, the number of codes runs obtained (N) results independent by the number of inputs parameters, their assigned distributions, and sampling method adopted.
The deterministic selected cases have been made in order to add completeness to the analysis, additionally ten cases where added, based on engineering judgment, five "a priori" to evaluate parameters combinations not achieved by the stochastic selection (blank region of cobweb plot) and five "a posteriori" considering as feedback the results obtained from sensitivity analysis.

Direct Monte Carlo Simulation: RELAP5 Calculations Results.
The main outcomes, obtained by Direct Monte Carlo simulation, are linked to the design FC selected for the passive system.B-E code runs of the associated input vector are shown; in particular are reported the follows.
(i) the pressure trend: (a) short term (Figures 6 and 12); (b) a long term (Figure 9); (ii) the power exchange ratio (power exchanged across the condensers tubes and core power) long term (Figure 7).
Below are reported the main outcomes of the three TPIs defined above (Figures 9, 10, and 11), in particular, the following.(ii) TPI-II.The second proposed TPI is verified by the all 100 probabilistically selected cases.
(iii) TPI-III.The third proposed TPI is verified by 78 over 100 probabilistically selected cases.

Additional Analysis.
Sensitivity analysis can provide additional criteria in order to perform a further screening of the uncertain parameters.In this case, since the number of relevant parameters selected is reasonably low, the sensitivity analysis will be used just to determine those parameters that affect mostly the condenser system behavior.As it can be observed (Figure 12) the worst system condition is linked to transients with slow pressurization phases since they allow a higher system energy accumulation.
The Standardized Regression Coefficients (SRCs) technique [13] allows the ranking of the parameters according to their relative contribution upon the system Performance Indicator (PI) and quantifying this contribution for each parameter.
The technique is based on the hypothesis of a linear relationship between response and input parameters.
For the use of the SRC technique it is supposed that the response Y (in this case the system PIs defined above) is a linear function of the random input variables Xi, that is, and indicate the importance of the individual input variables X i with respect to the output Y .The SRCs quantify the effect of varying each input variable from its mean value by a fixed fraction of its variance (maintaining all other variables at their expected values).
The SRC values are reported in Figure 13 in relation to each of the identified parameters listed in Tables 1 and 2.

Quantitative Reliability Evaluation.
A preliminary qualitative reliability assessment is made by means of a socalled response surface calculation [12,14].a simplified equivalent model that fits the initial data, which has good prediction capacities.After determining the response surface, a Monte Carlo Simulation was performed to assess the reliability of the passive safety system.Several code runs were done without obtaining failure cases, showing that the use of Monte Carlo is limited to estimate rare events probabilities.This allows estimating a conservative boundary of the failure probability by means of equation used to evaluate the number of code runs necessary to set γ as a boundary of the failure probability (p): where β represent the "confidence" that p will be lower than γ, and k can alternatively take the values N or N + 1.
The same can be achieved by the application of Wilks' formula [12,15].
The result obtained shows the highly reliability of the investigated passive safety system.

Lay-Out Modification.
A lay-out modification (see Figure 14) test study was also performed (i) to analyze the methodology and the model developed, (ii) to evaluate the long term transient, (iii) to give support to the system design adding another judgment criterion (iv) to add completeness to the sensitivity analysis.
In particular the length of the connection lines between the condenser pool and the reactor was reduced of about 3 meters.One of the results of reducing the piping line of the safety system is the condensers tubes flooding after the system is demanded.This is due to the fact that the liquid column height is mainly affected by the overall friction across the safety system circuit.
The change proposed affects only the nonrelevant distributed frictions; thus, the return line equivalent liquid level is approximately sustained at original system values, which derives in the mentioned piping line flooding.
The liquid present into the piping affects the heat transfer reducing the power exchanged across the condensers.The relevance of this effect can be seen through the comparison between the power ratio values obtained for the original and modified systems (Figure 15).
From the simulations results (Figure 16) it has been shown that there are no differences in the long-term system behavior.The application of long-term defined TPI gives us a result similar to system performances, reflecting the condition stated before.

Main Outcomes of Cases (b) and (c)
In the following are reported the main results of the REPAS application to the following systems: (i) a scaled IC of an SBWR (case b) [2], (ii) TTL-1 experimental apparatus (case c) [6].
In particular in the following, according to Section 2 (methodology overview) and Section 4 (detailed description of case a), are presented only the main steps.Main purpose of this section is just to show how the REPAS grew up.

Case (b) Isolation Condenser (IC) of an SBWR.
The system was modeled (Figure 17) and the design and critical parameter were selected (Tables 3 and 4).
For the analysis were chosen 6 system status selected deterministically and 69 system status selected probabilistically (for each of two probability distribution) discrete and continuous (Figures 18 through 20).
The FC considered was where Z is (i) the thermal power exchanged across the IC (W2); (ii) mass flow rate at the IC inlet (Γ2).
"ref " related to the code calculation for the reference or nominal system configuration.Indicators of system performance are (1) time during the calculation when the FC is verified, failure time Ft(s), ( (3) ratio between the failure time and the time of calculation.where P HX is the Power exchanged across the condensers tubes, P CORE is the Core power, T is the system activation time, and eot is the end of transient calculation.
In this case the curves of merit (Figure 21) were used to judge the system acceptability and to compare the selected system with different system.They show the PI values (W2/W2 ref ) as a function of the probability interval range.

Case (c)
TTL-1 Apparatus.The system was modeled (Figure 22) and the design and critical parameter were selected (Table 4).
The FC is expressed as where where W is the integral of thermal power exchanged in the cooler, "ref " is the related to the code calculation for the reference or nominal system configuration, and τ obs is the "observation time".
The system PIs to evaluate the Thermal Hydraulic Reliability (TH-R) are (i) integral value over a mission time, (ii) ratio W/W ref .
The deterministic and statistic selection of system scenarios was done by means of Monte Carlo procedure.Four ways are pursued to arrive at four definitions for the TH-R of the TTL-1 loop, respectively, adopting the following.(1) The "figure of merit" approach proposed by [2]: the result is given in Figure 24.(2) The "cumulative probability" approach suggested by [16]: the result is given in Figure 25, where a comparison is made with the result from a previous REPAS application case b. (3) The R1 single-valued reliability definition is where NF is number of failed runs and N is total number of runs.The R2 single-valued reliability definition is The TH-R definition in Figure 24 (first TH-R definition) uses data elaboration given in Table 6.
The TH-R definition in Figure 25 (second TH-R definition) makes use of the classic Cumulative Distribution Function (CDF) concept.The TH-R is achieved by ordering the cooler power integral ratio (W/W ref ) with respect to the probability of occurrence of each configuration from the probabilistic and deterministic sets.
Sensitivity analyses identify the main contributors to the passive system performance.The SRC technique, see the above section, was used.The SRC values are reported in Figure 26 in relation to each of the defined critical and design parameters.

Conclusions
The assessment of the reliability of passive systems is a crucial issue to be solved for their extensive use in future NPPs.
Several physical parameters affect significantly the behavior of a passive system and their values at the time of operation are "a priori" uncertain: thus, there is the need to consider a multitude of scenarios of system response.This gives back the reliability assessment nonmanageable, the bottleneck being the need to simulate several system behaviors with time-consuming mechanistic computer codes.
To overcome these difficulties, it is necessary to identify those parameters which are most relevant to the system response and limit the probabilistic analysis to them.The REPAS procedure can be applied: (i) to evaluate the acceptability of a passive system, (ii) to compare two different passive systems having the same mission; moreover the methodology is still in assessment phase (by means of a suitable "experimental tests") for absolute reliability evaluation, (iii) to evaluate the performances of an active and a passive system on a common basis, (iv) to supplement deterministic criteria and analyses (e.g., TH) in the design process considering the reliability of accident prevention and mitigation functions, (v) to optimize the design of a passive safety system, (vi) to assess the economical impact in the design change.
REPAS method is described in Section 2 and its application in Sections 4 and 5.The first "embryonic" applications of the methodology are reported in [2,5,7] and so forth.It was the result of a joint cooperation between ENEA, UNIPI, and Polytechnic of Milan.Then this methodology was embedded in the RMPS EU project on the framework of the 5th EURATOM program [19], see also [3,4,16,17] and so forth, In this report is shown an improvement

Figure 1 :
Figure 1: Passive pool heat removal system for a prototypical integrated system.

Figure 7 :
Figure 7: Power ratio evolution-long-term behavior (stochastic selected and nominal case).

Figure 16 :
Figure 16: Transient performance indicators results comparison between original and modified system.
TPI-I.Only three probabilistically selected cases over 100 do not meet the first proposed TPI.

Figure 18 :
Figure 18: (a) Reference system performance: power exchanged through the IC.(b) Time trends related to the ensemble of 75 code runs (6 deterministic status and 69 probabilistic statusdiscrete probability distribution): power exchanged trough the IC.(c) Time thrends related to the ensemble of 75 code runs (6 deterministic status and 69 probabilistic status-continuous probability distribution): power exchanged through the IC.

Figure 19 :
Figure 19: Characterization of system status on the basis of the probability.Six system status (1 to 6 in the figure) is deterministically derived and sixty-nine (7 to 75 in the figure) are statistically derived assuming a discrete probability distribution.

Figure 20 :
Figure 20: Characterization of system status on the basis of the probability.Six system status (1 to 6 in the figure) is deterministically derived and sixty-nine (7 to 75 in the figure) are statistically derived assuming a continuous probability distribution.

Figure 23 :Figure 24 :
Figure 23: Time trends related to the ensemble of 137 code runs ([1-18] deterministic status): power exchanged in the cooler.

Figure 25 :
Figure 25: Comparison between thermal hydraulic reliability for two different systems: IC-SBWR (two-phase NC system) and TTL 1.

Figure 26 :
Figure 26: Standardized regression coefficients for the defined performance indicator: W/W ref

Table 1 :
Design parameters case a.

Table 2 :
Critical parameters case a.

Table 3 :
Design parameters case b.

Table 4 :
Critical parameters case b.

Table 5 :
Design and critical parameters case c.

Table 6 :
Selected system performance indicator related to individual probability intervals.