Accident Sequence Precursor Analysis of an Incident in a Japanese Nuclear Power Plant Based on Dynamic Probabilistic Risk Assessment

Probabilistic risk assessment (PRA) is an effective methodology that can be used to improve the safety of nuclear power plants in a reasonable manner. Dynamic PRA, an advanced form of PRA, allows more realistic and detailed analyses by handling time-dependent information. However, its application to practical problems remains limited because it is still at the research and development stage. This study investigated the possibility of using dynamic PRA in risk-informed decision-making. Specifically, the author performed an accident sequence precursor (ASP) analysis of the emergency diesel generator failures that occurred at Unit 1 of the Tomari Nuclear Power Plant in Japan using dynamic PRA. The results were evaluated by comparison with those of a simplified classical PRA. The findings indicate that dynamic PRA may estimate lower risk than classical PRA through reasonable modeling of alternating current (AC) power recovery. The author also shows that dynamic PRA can provide detailed information that cannot be obtained with classical PRA, such as the uncertainty distribution of core damage timing and an importance measure that accounts for system failure timing.


Introduction
Probabilistic risk assessment (PRA) is a well-developed and very useful method for understanding risk in complex systems such as nuclear power plants. Many countries use it for risk-informed decision-making (RIDM). For example, in the U.S., the Nuclear Regulatory Commission (NRC) uses PRA in its significance determination process (SDP) [1], Mitigating Systems Performance Index (MSPI) [2], and Management Directive 8.3 (MD 8.3) [3] as components of the reactor oversight process (ROP) [4]. PRA is also used to extend individual allowed outage times (AOTs)/completion times (CTs) (Initiative 4A) [5], for risk-informed CTs (Initiative 4B) [6], and in the Surveillance Frequency Control Program (Initiative 5B) [7]. The NRC finds that "PRA methods, models, tools, and data are sufficiently mature to support risk-informed decision making at the NRC" [8]. In Japan, the Nuclear Regulation Authority (NRA) uses PRA in regulatory inspection, with reference to the NRC's ROP [9].
One limitation of classical PRA, however, is the difficulty of modeling temporal information. Specifically, the distributions of system failure timing, core damage timing, and recovery timing are difficult to treat explicitly. Several dynamic PRA methods and tools have been developed and applied to safety issues to overcome this difficulty. Verma et al. classified dynamic PRA methods into six types: Monte Carlo simulation, continuous event trees, discrete dynamic event trees (DDET), dynamic flow graph methodology, Markov modeling/Petri nets, and dynamic fault trees [10]. For example, RAVEN (reactor analysis and virtual control environment) has a Monte Carlo-based sampler and many algorithms for dynamic PRA, optimization, data mining, and the like [11,12]. ADS-IDAC (accident dynamic simulator coupled with the information, decision, and action in a crew context) is a DDET-based tool featuring an advanced human reliability model [13,14]. MCDET (Monte Carlo dynamic event tree) combines the Monte Carlo method with DDET [15,16]. Tools such as ADAPT (analysis of dynamic accident progression trees) [17,18], SCAIS (simulation code system for integrated safety assessment) [19,20], PyCATSOO (Pythonic object-oriented hybrid stochastic automata) [21,22], DICE (dynamic integrated consequence evaluation) [23,24], and MOSAIQUE (module for sampling input and quantifying estimator) [25,26] have also been developed.
The Japan Atomic Energy Agency (JAEA) has been developing a dynamic PRA methodology. By coupling probabilistic sampling with thermal-hydraulic (T-H) simulation, as shown in Figure 1, this method processes time-related information and yields more realistic and detailed results than classical PRA. Not only system failure probabilities but also failure timings are handled explicitly. To realize this method, the author used the RAPID (risk assessment with plant interactive dynamics) framework [27-29] and the THALES-2 (thermal hydraulic analysis of loss of coolant, emergency core cooling, and severe core damage, version 2) T-H analysis code [30-34]. Risk assessments of randomly and seismically induced internal flooding have been conducted with these codes [35,36].
However, unlike classical PRA, only a few uses of dynamic PRA in RIDM have been reported. More case studies are needed to investigate the applicability of dynamic PRA to RIDM, including accident sequence precursor (ASP) analysis. ASP analysis is performed by regulatory agencies to evaluate the potential for core damage based on operating experience; therefore, the author selected it as a representative RIDM application. The ASP procedure is described in Section 4.6.
In this paper, a dynamic PRA-based ASP analysis of a Japanese nuclear power plant incident was performed with reference to a literature review of representative dynamic PRA-based ASP analyses. The advantages of dynamic PRA in ASP analysis were identified by comparing its results with those of classical PRA. Furthermore, risk information that dynamic PRA provides but classical PRA cannot is presented.

Literature Review of ASP Analysis Using Dynamic PRA
This section summarizes the findings of a literature review of two dynamic PRA-based ASP analyses.

ASP Analysis of Loss of a Reactor Coolant Pump Seal Cooling Event.
Coyne et al. performed a case study of ASP analysis using dynamic PRA [37]; the selected event was the loss of reactor coolant pump (RCP) seal cooling induced by an electrical fire at the Robinson nuclear power plant on March 28, 2010 [38]. The analysis was performed using RELAP (reactor excursion and leak analysis program) [39] and ADS-IDAC [13]. The authors focused on the leakage rate from the RCP seal, which is the critical parameter determining the scale of the loss of coolant accident (LOCA) modeled in classical PRA. In the standardized plant analysis risk (SPAR) models [40], the classical PRA models developed by the U.S. NRC, two leakage rates (4.8 m³/h (21 gallons per minute (gpm)) per pump and 109 m³/h (480 gpm) per pump) are used to represent small and medium LOCAs. No specific risk value was quantified in their analysis; however, their results showed that even the most conservative leakage rate of 480 gpm is likely to behave like a small LOCA. Thus, the authors argued that dynamic PRA can improve communication with decision-makers by clearly demonstrating the impact of high-risk scenarios compared with classical PRA.

ASP Analysis of a Steam Generator Tube Rupture Event.
Lee et al. performed a dynamic PRA-based ASP analysis of the steam generator tube rupture (SGTR) that occurred at the Ulchin nuclear power plant in Korea on April 5, 2002 [41]. Information on this incident is available in OPIS (operational performance information system for nuclear power plants), which is managed by the Korea Institute of Nuclear Safety (KINS) [42]. MARS (multidimensional analysis of reactor safety) [43] and MOSAIQUE [25] were used to quantify the total conditional core damage probability (CCDP).
The results of classical and dynamic PRA were compared: the total CCDP obtained by classical PRA was of the order of 10⁻³, whereas that obtained by dynamic PRA was of the order of 10⁻⁴. The group thus concluded that dynamic PRA can quantify risk with a best-estimate approach and eliminate the conservatism of classical PRA; specifically, realistic handling of the shutdown mode and of operator actions yields a lower calculated CCDP.

Selected Japanese Incident
An incident that occurred at Unit 1 of the Tomari Nuclear Power Plant in Japan in September 2007 was selected. In this incident, two emergency diesel generators (EDGs) became unavailable within a short period. At the time, the plant was in full-power operation, and it was eventually shut down by the operator. The simplified scenario of the incident is summarized in Figure 2. This information is available in the Japanese nuclear power plant incident database NUCIA (nuclear information archives) [44] and in a report published by the Japan Nuclear Energy Safety Organization (JNES) [45]. Note that "reactor trip" means inserting the control rods and "shutdown" means stopping electric power generation.
As shown in Figure 2, the status of each EDG, estimated from the timeline, is classified as available, degraded, or unavailable, and the incident is divided into six states.
Before 13:37 on August 21, both EDGs are assumed to have been available (base state). Because EDG-B failed to start during the surveillance test on September 18, it can be inferred to have been degraded from August 21 to September 18 (State i). EDG-A was started successfully 4 h after the failure of EDG-B, so EDG-A is taken to have been available up to 17:37 (State ii). When the status of EDG-A was checked at 15:49 on September 19, it failed to start. Thus, the period up to this time is defined as State iii, and the 2 h from this time to the reactor trip is State iv. Electric power generation ceased 6 h later; the period from the reactor trip to the cessation of electric generation is defined as State v.

Analytical Methodology
This section describes the accident scenario, analysis codes, and probabilistic models used to evaluate the risk of the selected event.

Accident Scenarios.
To model the incident, the author assumed that the dominant initiating event leading to core damage is loss of offsite power (LOOP). Therefore, LOOP-initiated accident scenarios, including station blackout (SBO), were evaluated. Figure 3 shows the simplified LOOP event tree. The LOOP frequency was assumed to be 1 × 10⁻² per reactor-year, and the reactor trip was assumed always to succeed upon LOOP. When both EDG-A and EDG-B fail, the plant enters SBO. In the early phase of SBO, the turbine-driven auxiliary feedwater systems (AFWs) are available, but they become unavailable in the late phase, when the direct current (DC) power supplied by the batteries is depleted: without DC power, the air-operated valve that adjusts the steam flow rate driving the AFW turbines can no longer be operated.
For recovery actions, the author modeled alternating current (AC) power recovery with a recovery time following a normal distribution with mean (μ) 8.0 h and standard deviation (σ) 2.0 h. This recovery makes the AFWs and high-pressure injection systems (HPIs) available, injecting water from the condensate storage tank (CST) into the secondary side of the steam generators (SGs) and from the refueling water storage tank (RWST) into the reactor vessel (RV). Note that, after the Fukushima Daiichi Nuclear Power Plant accident, Japanese nuclear power plants have their own alternate AC power sources as a measure against SBO [46,47]. The AC power recovery time is therefore a plant-specific value; a hypothetical distribution is used in this study, but in practice it would be obtained by detailed engineering judgment.

Probabilistic Modeling of EDG Failure.
In this study, the failure probabilities and timings were assumed as shown in Table 1. Classical PRA generally uses two types of failure model [48]: the time-related failure model and the demand failure model. Time-related failures are generally modeled with the exponential failure density function in equation (1), under the assumption that the failure rate is constant over time.
where λ is the failure rate (per unit time) and t is time. The time-related failure probability is obtained by integrating equation (1) over time and is given in equation (2).
The binomial distribution is generally used for the demand failure model. In this study, time-related failures were assumed to be dominant. In this failure mode, as shown in equation (2), a mission time is required to calculate the failure probability; 24 h is generally used as the mission time in classical PRA. However, the validity of applying this mission time to dynamic PRA has not been sufficiently verified. Thus, the author did not integrate the failure rate over time but set the failure probability in the base state to 1 × 10⁻². The failure timing was assumed to follow a uniform distribution over 0-4 h.
For State i, the failure probability of EDG-B was set to 10 times the base-state value because of its degradation; its failure timing keeps the uniform distribution over 0-4 h of the base state. For State ii, the failure probability of EDG-B was set to 1 because EDG-B had failed, and its failure timing was assumed to follow a normal distribution with μ = 1.0 h and σ = 0.1 h. For State iii, in addition to the failure of EDG-B, the degradation of EDG-A was considered, and the failure probability of EDG-A was set to 10 times the base-state value. For State iv, the failure probability of EDG-A was set to 1 because EDG-A had failed, with a failure timing again following a normal distribution with μ = 1.0 h and σ = 0.1 h. State v was excluded from the evaluation because it falls under low-power and shutdown PRA rather than at-power PRA.

Probabilistic Modeling of AFW Failure.
The AFWs are turbine-driven and available only in the early phase of SBO. Therefore, AFW failure was modeled as a follow-on failure after the failure of both EDG-A and EDG-B. The interval between the EDG failures and the AFW failure is determined by the depletion time of the battery DC supply, assumed to follow a normal distribution with μ = 4.0 h and σ = 1.0 h. If either EDG was available, i.e., SBO did not occur, only random failure of the AFWs was considered, with a failure probability of 1 × 10⁻² and a failure timing following a normal distribution with μ = 12.0 h and σ = 3.0 h.

Dynamic PRA Approach.
THALES-2 and RAPID were coupled to perform the dynamic PRA; RAPID supplied the failure probabilities and timings described in Sections 4.1 to 4.3 to THALES-2. The core damage criterion was a peak cladding temperature (PCT) exceeding 1200 °C, following the Japanese PRA standard [49]. Figure 4 shows a schematic of the system; the abbreviations used are defined in the Acronyms section.

Classical PRA Approach.
The author used the SAPHIRE (system analysis programs for hands-on integrated reliability evaluations) code [50] for the classical PRA. The fault tree of the mitigation systems is shown in Figure 5; failure probabilities were assigned to the basic events in this fault tree. Note that failure timings are ignored in this approach.
The minimal cut sets (MCSs) of this fault tree are represented by equation (3). Dynamic handling of the failure probabilities in this equation is limited; however, the occurrence probability of the top event at a given point in time, i.e., the probability of failure of the mitigation systems or of core damage, can be quantified.
The failure probability of AC-power recovery depends on the failure timings of the EDGs and AFWs, on the decay heat generated in the reactor core, and on their uncertainties; determining a unique value in classical PRA is therefore challenging. Recovery is modeled by providing a heading in the event tree and/or by reducing the failure probability of a basic event, supplemented by engineering judgment. This study modeled the failure probability of AC-power recovery (P_AC-rec) as an event tree heading, as shown in Figure 3. Its value was determined from the relationship between the time margin (t_m) required to avoid core damage and the cumulative distribution function of the AC-power recovery time (equation (4)). Here, t_m is the latest time by which AC power must be recovered to prevent core damage. Figure 6 illustrates the sensitivity of the failure probability of AC-power recovery to the time margin. For instance, a time margin of 2.0 h (the mean of the EDG failure time following uniform (0.0, 4.0)) gives a failure probability of approximately 1, whereas 6.0 h (the sum of the mean EDG failure time and the mean depletion time of the DC power source after SBO onset) gives 0.84. Although a longer time margin leads to lower calculated risk metrics such as core damage frequency, it typically requires technical justification; in some cases, high-fidelity simulations equivalent to dynamic PRA are needed to demonstrate the relationship between decay heat and the heat removal performance of the cooling systems, including their uncertainties. In this study, a time margin of 0.0 h represents the condition without AC-power recovery, and a time margin of 6.0 h, the time between the LOOP and the depletion of the DC power source in the base state, represents the condition with AC-power recovery.

ASP Procedure.
In ASP analysis, incidents are divided into two groups [51]: degraded conditions, such as a mitigation system found to be unavailable during operation, and initiating events. The former are evaluated by the change in core damage probability (ΔCDP) over the exposure time of the condition; the latter are evaluated by the CCDP. The incident selected in this study belongs to the former group. ΔCDP is defined by the following equation.
where CDF_i is the core damage frequency under State i shown in Figure 2, CDF_base is the core damage frequency under the base state, Δt_i is the exposure time of State i, and CDF_i of dynamic PRA is defined by the following equation.
where CCDP_i is the CCDP under State i, F_IE is the frequency of the initiating event, N_CD,i is the number of simulations leading to core damage, and N_total,i is the total number of simulations under State i. The calculated ΔCDP is classified into four colors according to its safety significance, following the U.S. NRC's color-coding scheme shown in Table 2.

Table 2: U.S. NRC's color-coding scheme [51].
Color   Result                     Decision
Red     10⁻⁴ ≤ ΔCDP                High safety significance
Yellow  10⁻⁵ ≤ ΔCDP < 10⁻⁴         Substantial safety significance
White   10⁻⁶ ≤ ΔCDP < 10⁻⁵         Low to moderate safety significance
Green   ΔCDP < 10⁻⁶                Very low safety significance

Result of CDF Calculation and ASP Analysis.
Figure 7 shows the time variation of PCT for the accident scenarios listed in Table 3 as examples of the reactor response. The solid red line indicates core damage; the dashed lines are cases in which core damage is avoided by AC-power recovery. After the failure of EDG-A and EDG-B, PCT is maintained at approximately 300 °C because of heat removal by the AFWs. After the failure of the AFWs, the steam generators dry out and PCT begins to rise at approximately 10.5 h. If AC power is recovered before 10.8 h, the reactor core remains intact. Dynamic PRA can handle several uncertainties, including system failure timing and AC-power recovery time, and provides the analyst with realistic results.
Table 4 shows the CDF of each PRA model. As the state progressed, CDF increased because of the deteriorating reliability of the EDGs. Crediting AC-power recovery with the dynamic PRA method lowered the CDF by approximately one order of magnitude. As in classical PRA (second column), the CDF of dynamic PRA increased as the state progressed.
Figure 8 shows the ΔCDP of each case investigated in this work. The ΔCDP values of classical PRA (red) and dynamic PRA without AC-power recovery (orange) were of the same order of magnitude, which indicates that similar results can be expected when classical and dynamic PRA are modeled equivalently. However, the ΔCDP of classical PRA with AC-power recovery (green) and that of dynamic PRA with AC-power recovery (blue) differed by approximately one order of magnitude. This discrepancy arises from the different modeling of AC-power recovery: dynamic PRA handles the uncertainty of AC-power recovery more reasonably and realistically than classical PRA, so its result is lower.
A ΔCDP of 10⁻⁶ is assigned white and a ΔCDP of 10⁻⁷ is assigned green in the U.S. NRC color scheme. If the evaluation method used to obtain the color code is more realistic, decision-makers can make more rational decisions, that is, more effective regulation and safety improvement can be implemented. Dynamic PRA can therefore be a tool for rational decision-making.
Figure 9 shows the sensitivity of the total ΔCDP calculated by classical PRA to the time margin for AC-power recovery. A time margin of approximately 10 h is needed to reduce the total ΔCDP to 10⁻⁶. This value is consistent with the typical T-H behavior shown in Figure 7. However, detailed simulations of decay heat and of coolability via the mitigation systems must be conducted to credit such a margin in classical PRA. In dynamic PRA, a single value of the time margin need not be defined because T-H simulations are performed for every accident scenario; furthermore, time-related uncertainty is treated more realistically.

Risk Information Obtained by Dynamic PRA.
Figure 10 shows histograms of the core damage timing in States iii and iv. In State iv, core damage occurred in the range of 7-13 h with a mode of approximately 10.5 h. The height of the histogram decreased and its peak shifted to the left when AC-power recovery was credited. Such results on core damage timing, including its uncertainty, cannot be obtained from classical PRA, which evaluates only the presence or absence of core damage. This information is useful for Level 2 and Level 3 PRA and for evacuation planning because it can serve as an input when examining the time available for measures to prevent damage to the containment vessel and to initiate evacuation.
Importance measures are valuable information obtained from PRA. Fussell-Vesely [52], risk reduction worth (RRW) [53], risk achievement worth (RAW) [53], Birnbaum [54], and the differential importance measure (DIM) [55] have been proposed for classical PRA, and several importance measures for dynamic PRA have been suggested and applied [56-58]. The author introduced a new time-dependent RAW (RAW_t), defined in equation (6), to discuss the risk information obtained from dynamic PRA.
where F(CD) is the CDF at the nominal failure probabilities and timings, and F(CD | A = 1, t = x) is the CDF with the probability of event A set to 1 and its occurrence timing set to x. Figure 11 shows the RAW_t of EDG-A in States ii and iii with AC-power recovery. The RAW_t of State ii is approximately six times larger than that of State iii. This difference is attributed to the denominator of equation (6) being smaller for State ii than for State iii; that is, assuming EDG-A failure increases the risk more in State ii than in State iii.
The RAW_t for State ii under the assumption that EDG-A fails without running was approximately 150; assuming that EDG-A fails after operating for 4 h, RAW_t was approximately 30. Thus, if EDG-A fails after 4 h of operation, the increase in risk is about one fifth of that when it fails without operating. This importance measure shows that the increase in risk can be quantified in more detail than in classical PRA by considering not only whether a system fails but also when it fails. A time-dependent importance measure obtained by dynamic PRA could help to improve the reliability of mitigation systems and to prevent an increase in core damage risk efficiently. In addition, it can serve as a reference for what to check in an actual incident or accident.
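The following script is an added illustration of the whole chain described in Sections 4.1 to 4.6 and in the results above; it is not code from the paper and does not use the RAPID/THALES-2 framework. It samples the EDG failure timings, battery depletion time, and AC-power recovery time with the distributions of Table 1 and Sections 4.1 and 4.3, estimates CCDP_i per state as the N_CD/N_total fraction, computes ΔCDP over the Section 3 timeline, classifies it with the Table 2 colors, and evaluates RAW_t for EDG-A in the ratio form F(CD | A = 1, t = x) / F(CD). Several things are assumptions of this example rather than facts from the paper: the thermal-hydraulic response is replaced by a fixed heat-up delay `HEATUP_H` from SG dryout to a 1200 °C PCT; only the SBO path (both EDGs fail, batteries deplete, AFWs lost) is modeled, so the random non-SBO AFW failure branch is omitted; the classical minimal cut set is taken as EDG-A ∧ EDG-B ∧ (no AC recovery) with P_AC-rec from the normal CDF of the recovery time; the exposure hours are read off the incident timeline; and, to avoid sampling 10⁻² Bernoulli failures directly, the failure probabilities are multiplied onto a timing simulation conditioned on both EDGs failing. It goes slightly beyond the text by sweeping the classical time margin (the Figure 9 sensitivity) in the same run.

```python
"""Toy dynamic-PRA model of the LOOP/SBO sequence of Sections 4.1-4.6.

Added illustration, not the RAPID/THALES-2 analysis of the paper. Assumptions:
only the SBO path is modeled; the T-H response is a fixed heat-up delay
HEATUP_H; the classical cut set is EDG-A AND EDG-B AND no AC recovery;
exposure hours are read from the Section 3 timeline.
"""
import math
import random

F_IE = 1.0e-2                        # LOOP frequency, /reactor-year (Section 4.1)
AC_REC_MU, AC_REC_SIGMA = 8.0, 2.0   # AC-power recovery time after LOOP, h (Section 4.1)
DC_MU, DC_SIGMA = 4.0, 1.0           # battery depletion time after SBO onset, h (Section 4.3)
HEATUP_H = 5.0                       # ASSUMPTION: SG dryout to PCT 1200 C, h (THALES-2 in the paper)
HOURS_PER_YEAR = 8760.0

BASE_TIMING = ("uniform", 0.0, 4.0)    # failure timing of an intact or degraded EDG, h
FAILED_TIMING = ("normal", 1.0, 0.1)   # failure timing of an EDG known to have failed, h

# state -> (P_fail EDG-A, timing A, P_fail EDG-B, timing B, exposure hours)
# Exposure hours follow the Section 3 timeline (assumption); State v is excluded as in the paper.
STATES = {
    "base": (1e-2, BASE_TIMING, 1e-2, BASE_TIMING, None),
    "i":    (1e-2, BASE_TIMING, 1e-1, BASE_TIMING, 28 * 24.0),  # Aug 21 13:37 - Sep 18 13:37
    "ii":   (1e-2, BASE_TIMING, 1.0, FAILED_TIMING, 4.0),       # Sep 18 13:37 - 17:37
    "iii":  (1e-1, BASE_TIMING, 1.0, FAILED_TIMING, 22.2),      # Sep 18 17:37 - Sep 19 15:49
    "iv":   (1.0, FAILED_TIMING, 1.0, FAILED_TIMING, 2.0),      # Sep 19 15:49 - reactor trip
}

def normal_cdf(z):
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def ac_recovery_failure_classical(t_margin_h):
    """Classical treatment (Section 4.5): probability that AC power is NOT back within t_m."""
    return 1.0 - normal_cdf((t_margin_h - AC_REC_MU) / AC_REC_SIGMA)

def cdf_classical(state, t_margin_h):
    """CDF from the assumed cut set EDG-A * EDG-B * P_AC-rec; failure timings are ignored."""
    p_a, _, p_b, _, _ = STATES[state]
    return F_IE * p_a * p_b * ac_recovery_failure_classical(t_margin_h)

def sample_time(dist, rng):
    kind, a, b = dist
    t = rng.uniform(a, b) if kind == "uniform" else rng.gauss(a, b)
    return max(0.0, t)  # a negative normal tail is read as failure on demand

def ccdp_dynamic(state, n=20000, seed=1, ac_recovery=True, force_a_at=None):
    """Timing simulation conditioned on both EDGs failing; the N_CD/N_total fraction
    is weighted by the failure probabilities (variance reduction, see lead-in).
    force_a_at=x sets EDG-A's failure probability to 1 and its failure time to x (for RAW_t)."""
    p_a, dist_a, p_b, dist_b, _ = STATES[state]
    if force_a_at is not None:
        p_a = 1.0
    rng = random.Random(seed)
    n_cd = 0
    for _ in range(n):
        t_a = force_a_at if force_a_at is not None else sample_time(dist_a, rng)
        t_b = sample_time(dist_b, rng)
        t_sbo = max(t_a, t_b)                                       # SBO starts at the second EDG failure
        t_afw_lost = t_sbo + max(0.0, rng.gauss(DC_MU, DC_SIGMA))   # battery depletion stops the AFWs
        t_core_damage = t_afw_lost + HEATUP_H                       # PCT reaches 1200 C after SG dryout
        t_recovery = rng.gauss(AC_REC_MU, AC_REC_SIGMA)
        if not ac_recovery or t_recovery > t_core_damage:
            n_cd += 1
    return p_a * p_b * n_cd / n

def cdf_dynamic(state, **kw):
    return F_IE * ccdp_dynamic(state, **kw)

def delta_cdp(cdf_fn):
    """ASP condition assessment: sum over states of (CDF_i - CDF_base) * exposure time."""
    base = cdf_fn("base")
    return sum((cdf_fn(s) - base) * hours / HOURS_PER_YEAR
               for s, (_, _, _, _, hours) in STATES.items() if hours is not None)

def classify(delta):
    """U.S. NRC color scheme of Table 2."""
    if delta >= 1e-4:
        return "Red"
    if delta >= 1e-5:
        return "Yellow"
    if delta >= 1e-6:
        return "White"
    return "Green"

def raw_t(state, x, **kw):
    """Time-dependent RAW: F(CD | A = 1, t = x) / F(CD), with A = EDG-A."""
    return cdf_dynamic(state, force_a_at=x, **kw) / cdf_dynamic(state, **kw)

if __name__ == "__main__":
    cases = [("classical, no recovery (t_m = 0 h)", lambda s: cdf_classical(s, 0.0)),
             ("classical, t_m = 6 h", lambda s: cdf_classical(s, 6.0)),
             ("classical, t_m = 10 h", lambda s: cdf_classical(s, 10.0)),
             ("dynamic, no recovery", lambda s: cdf_dynamic(s, ac_recovery=False)),
             ("dynamic, with recovery", cdf_dynamic)]
    for label, fn in cases:
        d = delta_cdp(fn)
        print(f"{label:36s} dCDP = {d:.2e} -> {classify(d)}")
    for x in (0.0, 4.0):
        print(f"RAW_t(EDG-A fails at {x:.0f} h): State ii {raw_t('ii', x):6.1f}, "
              f"State iii {raw_t('iii', x):6.1f}")
```

With these toy inputs the classical cases reproduce the two anchor points of Section 4.5 (failure probability of about 1 at t_m = 2 h and 0.84 at t_m = 6 h), the "no recovery" cases give the same ΔCDP whether computed classically or dynamically, and crediting recovery drops the dynamic ΔCDP below the classical t_m = 6 h value; the absolute numbers depend on the assumed `HEATUP_H` and should not be read as the paper's Table 4 or Figure 8 values. RAW_t falls as the assumed EDG-A failure time moves later, and is larger in State ii than in State iii because the State ii denominator F(CD) is smaller.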

Conclusions
This paper presented an ASP analysis of a Japanese nuclear power plant incident using dynamic and classical PRA with several assumptions and simplifications. The ΔCDP values of the two PRAs were of the same order of magnitude under equalized conditions, i.e., when AC-power recovery was ignored. When AC-power recovery was credited, however, the ΔCDP of dynamic PRA was approximately one order of magnitude lower than that of classical PRA because the time-dependent uncertainty of AC-power recovery could be modeled reasonably. These results support the finding of Lee et al. [41] that the risk calculated by dynamic PRA with a best-estimate approach is lower than that obtained by classical PRA.
A sensitivity analysis of the time margin for AC-power recovery in classical PRA was performed and the resulting total ΔCDP was examined. A time margin of approximately 10 h was necessary for classical PRA to achieve the same magnitude of ΔCDP as dynamic PRA. Justifying such a value technically requires T-H simulations that account for time-dependent uncertainties, similar to those performed in dynamic PRA. These findings suggest that dynamic PRA results could be used to refine the modeling of classical PRA.
The author focused on core damage timing and time-dependent RAW as useful information obtained from dynamic PRA beyond ΔCDP. It was demonstrated that the proposed method can quantify how countermeasures affect core damage timing and its uncertainty, and that time-dependent RAW can quantify the increase in risk according to when a system fails, not just whether it fails. These results show that dynamic PRA can provide detailed information that classical PRA cannot, consistent with the conclusion of Coyne et al. [37] that dynamic PRA improves communication with decision-makers.
The results of this study are not sufficient for practical decision-making because various simplifying assumptions were employed. Specifically, initiating events other than LOOP were ignored, and realistic data for the mitigation systems, such as failure probabilities and timings, were not used. In real situations, more complex accident sequences, such as RCP seal LOCA and a stuck-open power-operated relief valve, may occur. Furthermore, the justification of the assumptions and simplifications was limited by the lack of data sources, such as the failure times of mitigation systems. Removing these assumptions will allow dynamic PRA analysts to model accident scenarios more realistically and obtain risk information with higher confidence. It is therefore necessary to collect statistical data not used in classical PRA, such as the failure timings of systems and components, and further studies to obtain data for dynamic PRA will add value to the practical use of advanced PRA.
Despite these limitations, this study provides much-needed information on the use of dynamic PRA in RIDM. The author strongly believes that it will promote advanced PRA methodology and the future use of dynamic PRA in RIDM, regulation, and safety improvement.

Acronyms
ACC: Accumulator injection system
AFW: Auxiliary feed water system
CL: Cold leg
CST: Condensate storage tank
CV: Containment vessel
DC: Down comer
HL: Hot leg
HPI: High-pressure injection system
LPI: Low-pressure injection system
PZR: Pressurizer
RWST: Refueling water storage tank
R/B: Reactor building
SG: Steam generator

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The author declares that there are no conflicts of interest.