Fault-Event Trees Based Probabilistic Safety Analysis of a Boiling Water Nuclear Reactor’S Core Meltdown and Minor Damage Frequencies

safety

Article Fault-Event Trees Based Probabilistic Safety Analysis of a Boiling Water Nuclear Reactor’s Core Meltdown and Minor Damage Frequencies

Jinfeng Li 1,2

1 Department of Electrical and Electronic Engineering, Imperial College London, London SW7 2AZ, UK; [email protected] or [email protected] 2 Centre for Electronics Frontiers, University of Southampton, Southampton SO17 1BJ, UK

Received: 26 April 2020; Accepted: 15 June 2020; Published: 17 June 2020

Abstract: A systematic probabilistic safety assessment for a boiling water nuclear reactor core is performed using fault trees and event trees analysis models. Based on a survey of the BWR’s safety systems against potential hazards, eight independent failure modes (initiating events) triggered scenarios are modelled and evaluated in the assembled fault-event trees, obtaining the two key outcome probabilities of interest, i.e., complete core meltdown (CCMD) frequency and minor core damage (MCD) frequency. The analysis results indicate that the complete loss of heat sink accounts for the initiating accident most vulnerable to CCMD (with a frequency of 1.8 10 5 per year), × − while the large break in the reactor pressure vessel is the least susceptible one (with a frequency of 2.9 10 12 per year). The quantitative risk assessment and independent review conducted in this × − case study contributed a reference reliability model for defense-in-depth core optimizations with reduced costs, informing risk-based policy decision making, licensing, and public understanding in nuclear safety systems.

Keywords: event tree analysis; fault tree analysis; industrial safety; nuclear safety; probabilistic safety assessment

1. Introduction The merits of nuclear energy have been re-discovered over recent years to address the future global energy needs [1] in an environmentally conscious and resource-sustainable way [2]. Since the nuclear renaissance [3] and the subsequent increase in nuclear newbuild projects [4] globally, new needs for safety assessment [5,6] of the complex nuclear power system has arisen. Securing a very high level of design and operating safety with reduced costs will not only be technically required for the burgeoning nuclear sector, but also from the policy [7] point of view to approach the challenge in addressing the public’s negative perception [8] on nuclear power in the post-Fukushima era [9]. Since introducing revolutionary reactor technologies takes a long time, traditional light water reactors (LWR) will inevitably remain the dominant technology for many decades in the foreseeable future. Therefore, improving the safety margin and cost-efficiency of reactors in the existing fleet, such as pressurized water reactors (PWR) and boiling water reactors (BWR), exhibits the highest priority. To this end, probabilistic safety assessment (PSA) [10,11] based on fault tree [12,13] and event tree [14] analyses present these characteristics and can be designed to tailor for the overall risk assessment of PWRs and BWRs. Historically developed for nuclear [15] and petrochemical [16] industries, fault tree and event tree methodologies have evolved and been well established in theory both deterministically [17], and stochastically [18]. However, relatively fewer applied studies or papers are reported concerning specifically the BWR core meltdown [19] and minor core damage [20]

Safety 2020, 6, 28; doi:10.3390/safety6020028 www.mdpi.com/journal/safety Safety 2020, 6, 28 2 of 18 estimations in detail. Therefore, developing a reference model in this work and conducting an independent review is momentous in the fields of reliability assessment, safety forecasting, core optimization and thus helps inform safety-based policy decision making. It is of importance to give to the nuclear regulatory body and the academic community an independent verification of the core meltdown and the minor core damage frequency calculations (a case study for the BWR in this work), as an independent study; if available, multi-benchmarking creates trust in safety reports. The risk-based approach applied in this work follows three steps. Firstly, defining all potential hazards and threats (initiating events) based on a survey of a standard BWR system architecture. Secondly, identifying risk control options (intermediate events) that can be established to control each risk element. Specifically, the empirical occurrence frequency of the initiating failure event and the corresponding unavailability frequency of each risk control option is specified. The final and key task is undertaking a failure mode and effect analysis (FMEA) incorporating the accident sequences using event trees and fault trees. Based on the premise that the probability of failure is dominated by the probability of the protection system to initiate on demand, the frequency of complete core meltdown (CCMD) and minor core damage (MCD) due to different plant faults are quantitatively evaluated. The modelling and analysis in this study provide a physical insight into the complex nuclear system, based on which risks and mitigation priorities are proposed, targeting cost effectiveness. The case study presented in this work can advantageously be used for training purposes. The potential beneficiaries are nuclear power plant operators, risk assessors, regulators, government energy policymakers, electricity suppliers and the wider academic community.

2. Materials and Methods A combination of fault tree and event tree methods are applied in this study for calculating the BWR’s core meltdown and minor core damage frequencies. The fault tree approach [10,13] is deductive in nature. This top-down approach assumes that the system has failed in a certain way (e.g., a complete loss of heat sink as reported in Section 3.3), in an attempt to investigate the modes of the components’ behavior (lower-level independent events) leading up to this failure (top event). Boolean logic gates (e.g., OR gates, or AND gates) are used to graphically characterize the logical interrelationships between these events, with the lower-level events serving as the gate’s input, and the higher-level event as the gate’s output. In this way, the probability of a specific system failure (top event) is a function of the reliability of the lower-level basic events. The event tree analysis [10,14] is an inductive approach that postulates an initiating event (e.g., the rupture of core shroud as detailed in Section 3.7), with a forward logic process in an attempt to derive the corresponding impact on the overall system (e.g., the core meltdown and the minor core damage that are of interest in this work). A series of independent intermediate events (e.g., the availability of the risk control options in this work) are split into binary (success or failure) trees, laying a path for evaluating the probabilities of the outcomes. To identify the initiating events and the intermediate events progression for different failure modes, a survey of the BWR’s system architecture and the corresponding risk control measures are conducted as follows (Sections 2.1 and 2.2). First, a current generation of BWR [21] plants are sketched in Figure1, with a steam/water mixture developed within the reactor core. Unlike PWR plants, the plant operating pressure is considerably less, and hence significant amounts of boiling occur. The steam/water blend departs from the top of the core and enters the separator/drier district, where steam is isolated from water and is guided along the steam line to the main turbine which drives the electrical generator to supply the grid. In contrast with PWR, the BWR plant is free of a pressurizer and a steam generator, in this way it incorporates less pipework that could potentially rupture, with a consequence of a loss of coolant accident (LOCA) [22]. After leaving the primary turbine, the low-pressure steam streams into the condenser where it is condensed into water, and after that pumped by means of feed-water pumps back to the reactor pressure vessel (RPV). Note that the coolant flows through the core and Safety 2020, 6, 28 3 of 18 hence the reactor power could be controlled via the recirculation and jet pumps as denoted in Figure1 forSafety varying 2020, 7, thex; doi: flow FOR ratePEER in REVIEW the down-comer (i.e., the region between the core shroud and the RPV).3 of 18

Figure 1. Schematic of a standard boiling water reactor (BWR) plant in this study. Figure 1. Schematic of a standard boiling water reactor (BWR) plant in this study. 2.1. Survey of Safety Systems for Potential Hazards in BWR 2.1. Survey of Safety Systems for Potential Hazards in BWR Both the control rod drive mechanisms [23] and the reactor scram (RS) system [24] are inserted from theBoth bottom the control of the rod core. drive The mechanisms RS system is initiated[23] and onthe tripreactor signals scram from (RS) high system power, [24 high] are pressure, inserted orfrom low the water bottom levels. of the Should core the. The RS RS fail system then an is independentinitiated on trip boron signals injection from(BI) high system power, [25 high] is availablepressure, toor shut low thewater plant level down.s. Should The plant the featuresRS fail then a ﬁssion an independe product monitornt boron (FPM) injection [26] which(BI) system cautions [25 the] is operatoravailable in to case shut minor the plant core damage down. (MCD)The plant has features happened. a fission Once theproduct FPM initiates,monitor the(FPM) operator [26] which must shutcautions the plantthe operator down, afterin case which minor the core core damage will proceed (MCD) to has generate happened decay. Once heat, the which FPM initiates is removed, the throughoperator turbine must shut bypassing the plant and down steam, after dumping which directlythe core towill the proceed condenser, to generate as illustrated decay inheat Figure, which2 belowis removed for the through normal plantturbine cool-down bypassing (NPCD) and steam system dumping [21] depicted directly based to the on condenser Figure1. The, as plantillustrated has twoin Figure loops and2 below every for loop the can normal be utilized plant tocool cool-down the plant (NPCD) down system for decay [21] heatdepicted elimination. based on Should Figure the 1. normalThe plant method has oftwo plant loops cool-down and every (i.e., loop the NPCD can be system) utilized fail, to a cool standby the reactorplant down core isolation for decay cooling heat (RCIC)elimination. system Should [27] kicks the normal in with method makeup of water plant supplied cool-down from (i.e. either, the theNPCD containment system) fail, suppression a standby chamberreactor core or the isolation condensate cooling storage (RCIC) tank system for cooling [27] kicks the plant in with down, makeup as illustrated water suppl in Figureied from3. either the containmentAlthough the suppression frequency ofchamber LOCA or will the be condensate less for a BWRstorage plant tank than for cooling that in the a PWR plant plant, down, the as BWRillustrated plant stillin Figure has an 3. emergency core cooling system (ECCS), which encompasses two high-pressure systems, i.e., a high-pressure coolant injection (HPCI) system and an automatic depressurization system (ADS) [28], as well as two low-pressure systems, i.e., low-pressure coolant injection (LPCI) and the core spray (CS) system [29], as depicted in Figures4 and5 below for illustrations of the redundant logic. SafetySafety 20202020,, 67,, 28x; doi: FOR PEER REVIEW 44 ofof 1818 Safety 2020, 7, x; doi: FOR PEER REVIEW 4 of 18

Figure 2. Sketch of the normal plant cool‐down (NPCD) system to remove the decay heat. Figure 2. SketchSketch of of the the n normalormal plant plant cool cool-down-down (NPCD) system to remove the decay heat heat..

Figure 3. Sketch of the BWR standby reactor core isolation coolingcooling (RCIC)(RCIC) system.system. Figure 3. Sketch of the BWR standby reactor core isolation cooling (RCIC) system. Although the frequency of LOCA will be less for a BWR plant than that in a PWR plant, the BWR plantAlthough still has thean frequencyemergency of core LOCA cooling will be system less for (ECCS), a BWR plantwhich than encompasses that in a PWR two plant, high ‐thepressure BWR plantsystems, still i.e., has a an high emergency‐pressure ccoolantore cooling injection system (HPCI) (ECCS) system, which and encompasses an automatic two depressurization high-pressure systemsystems ,(ADS) i.e., a [28],high as-pressure well as coolanttwo low injection‐pressure (HPCI) systems, system i.e., low and‐pressure an automatic coolant depressurization injection (LPCI) systemand the (ADS) core spray[28], as(CS) well system as two [29], low as-pressure depicted systems in Figures, i.e., low4 and-pressure 5 below coolant for illustrations injection (LPCI) of the andredundant the core logic. spray (CS) system [29], as depicted in Figures 4 and 5 below for illustrations of the redundant logic. SafetySafety 20202020,, 67,, 28x; doi: FOR PEER REVIEW 55 of 1818 Safety 2020, 7, x; doi: FOR PEER REVIEW 5 of 18

Figure 4. Sketch of the BWR high‐pressure coolant injection (HPCI) system. Figure 4. Sketch of the BWR high high-pressure‐pressure coolant injection (HPCI) system.

Figure 5. Sketch of the BWR core spray (CS) system and low-pressure coolant injection (LPCI) system. Figure 5. Sketch of the BWR core spray (CS) system and low‐pressure coolant injection (LPCI) system. 2.2. FailureFigure Mode5. Sketch Identification of the BWR and core BWR’s spray (CS) Risks system Control and Options low‐pressure coolant injection (LPCI) system. 2.2. Failure Mode Identification and BWR’s Risks Control Options 2.2. FailureThe principle Mode Identification plant faults and that BWR’s can potentially Risks Control cause Options an accident are identified and summarized in TableThe1. For principle each fault, plant its faults frequency that percan yearpotentially is based cause on the an empirical accident datasetsare identified [ 30,31 and] reported summarized in 216 The principle plant faults that can potentially cause an accident are identified and summarized nuclearin Table accidents 1. For each and fault, incidents its frequency (of various per year reactor is based types on at thethe 95%empirical confidence datasets level). [30,31] The reported event and in in Table 1. For each fault, its frequency per year is based on the empirical datasets [30,31] reported in fault216 nuclear trees concerning accidents theand initial incidents plant (of response various and reactor the protection types at the system 95% thatconfidence are potentially level). The available event 216 nuclear accidents and incidents (of various reactor types at the 95% confidence level). The event willand befault detailed trees concerning later in the nextthe initial section. plant An response assessment and of the the protection final state ofsystem the core that if are all protectionspotentially andavailable fault willtrees be concerning detailed later the initialin the plantnext section.response An and assessment the protection of the systemfinal state that of are the potentially core if all available will be detailed later in the next section. An assessment of the final state of the core if all Safety 2020, 6, 28 6 of 18 fail or are unavailable is summarized in the “outcome without protections” column of Table1, i.e., minor core damage (MCD), complete core meltdown (CCMD), or a combination of MCD and CCMD. If the plant is scrammed, the cooling system is required for one month [32] to cool the plant down, after which it could be assumed that the decay heat declines to a level that is insignificant to damage the core. We assume for this study that the probability of failure is dominated by the probability of the system to initiate on demand (although the exact unavailability rates of some components might be available in plant-specific PSA studies). The probability of failure on demand for each of the protection systems is identified in the following Table2.

Table 1. Fault-initiating events identiﬁcation for BWR.

Plant Fault Event Event Frequency per Year Final Outcome Without Protections Continuous rod withdrawal (CRWA) 5 10 2 Complete core meltdown (CCMD) accident [33] × − Both main turbines failure (TF) [34] 2 10 3 CCMD × − Minor core damage (MCD) or MCD and Rupture of core shroud (RCS) [35] 1 10 4 × − CCMD Condenser failure (CF) on both sides [36] 5 10 4 CCMD × − Failure of both water pumps (FWP) [36] 2 10 3 CCMD × − Failure of both feed pumps (FFP) [36] 5 10 4 CCMD × − Large break in RPV (LBRPV) [35] 1 10 6 CCMD × − Rupture of steam line (RSL) [34] 1 10 5 CCMD × − Leak from instrumentation line (LIL) in 1 10 3 CCMD RPV [35] × − Breakup of drier structure causing local 5 10 4 MCD or MCD and CCMD channel blockage (BDS-LCB) [37] × −

Table 2. Empirical failure probability on demand of the BWR protection systems.

Failure Mode of BWR Protection System Failure Probability on Demand Failure of reactor scram (RS) system using safety rods [23] 1 10 4 × − Failure of reactor shut down using boron injection (BI) [25] 1 10 3 × − Failure of normal plant cool-down (NPCD) system [21] 3 10 2 × − Failure of reactor core isolation cooling (RCIC) system [27] 6 10 3 × − Failure of core spray (CS) system [29] 1.6 10 3 × − Failure of high-pressure coolant injection (HPCI) system [28] 6 10 3 × − Failure of automatic depressurization system (ADS) [28] 1.1 10 3 × − Failure of low-pressure coolant injection (LPCI) system [29] 1.8 10 3 × − Failure of ﬁssion product monitor (FPM) [26] 1 10 3 × −

3. Fault-Event Trees Modelling and Results Based on the initiating accidents and the mechanism of safety protection systems, as well as their corresponding failure rates as speciﬁed in Tables1 and2, the total core meltdown and minor core damage frequencies are calculated systematically using fault tree and event tree methods. According to the survey (Section2) of the safety systems for potential hazards in BWR as well as the fault-initiating events identiﬁed in Table1, the reliability problem of the complex overall systems can mainly be decomposed into eight independent initial accident-triggered scenarios (that could lead to the outcome of either complete core meltdown or minor core damage to our knowledge), which are modelled, assembled, and evaluated as follows. Note that several uncertain external environments (detailed in the results discussion part in Section4) are not evaluated in this study.

3.1. Continuous Rod Withdrawal Accident (CRWA) The continuous rod withdrawal accident (CRWA) model assumes that if the accident occurs, the rise in the reactor power, temperature and pressure will cause the reactor scram (RS) to initiate using safety rods. Providing the scram system fails, the boron injection (BI) will subsequently kick in. SafetySafety 20202020,, 67,, 28x; doi: FOR PEER REVIEW 77 ofof 1818

safety rods. Providing the scram system fails, the boron injection (BI) will subsequently kick in. FollowingFollowing thethe shutdown,shutdown, thethe normalnormal plantplant cool-downcool‐down systemsystem (NPCD)(NPCD) fromfrom eithereither sideside should initiate toto removeremove thethe decaydecay heat.heat. In thethe casecase of bothboth sides’sides’ failure,failure, thethe reactorreactor corecore isolationisolation coolingcooling systemsystem (RCIC)(RCIC) shouldshould initiateinitiate toto cool the plant down. Accordingly, Accordingly, the CRWA CRWA-triggered‐triggered eventevent treetree isis derived inin FigureFigure6 6 below, below, presenting presenting three three failure-propagating failure‐propagating scenarios scenarios that that can can result result in in the the outcome outcome of of completecomplete corecore meltdownmeltdown (CCMD),(CCMD), denoteddenoted asas CCMDCCMD 1,1, CCMDCCMD 22 andand CCMDCCMD 3. 3.

Figure 6. Event tree model developed for CCMD initiated by the CRWA accident.accident.

ToTo quantitativelyquantitatively derive derive the the probability probability (frequency (frequency per per year) year) of the of CRWA-inducedthe CRWA‐induced complete complete core meltdown,core meltdown, i.e., P i.e., (CCMD P (CCMD by CRWA), by CRWA), we denote we denote the occurrence the occurrence probability probability of the initial of the event initial CRWA event asCRWA P (CRWA), as P (CRWA), and the and failure the probability failure probability on demand on demand of each of intermediate each intermediate event as event F (RS), as F (RS), (BI), FF (NBCD)(BI), F (NBCD) and F (RCIC). and F Therefore,(RCIC). Therefore, P (CCMD P 1),(CCMD P (CCMD 1), P 2), (CCMD P (CCMD 2), P 3) (CCMD and the total3) and P (CCMDthe total by P CRWA)(CCMD ofby interest CRWA) are of calculatedinterest are via calculated Equations via (1)–(4), Equations respectively: (1)–(4), respectively:

P (PCCMD (CCMD 1) 1= =P P( CRWA(CRWA)) ×( 1(1 − FF( (RS))RS)) × F (NPCD))(NPCD)) × FF (RCIC),(RCIC) ,(1) (1) CRWA × − × × P (CCMD 2= P (CRWA) × F (RS) × (1 − F (BI)) × F (NPCD) × F (RCIC), (2) P (CCMD 2) = P (CRWA) F (RS) (1 F (BI)) F (NPCD) F (RCIC), (2) CRWA × × − × × P (CCMD 3 = P (CRWA) × F (RS) × F (BI), (3) P (CCMD 3) = P (CRWA) F (RS) F (BI), (3) CRWA × × P (CCMD by CRWA) = P (CCMD 1 + P (CCMD 2 + P (CCMD 3. (4) P (CCMD by CRWA) = P (CCMD 1)CRWA+P (CCMD 2)CRWA+P (CCMD 3)CRWA. (4) Incorporating the probability of failure for the initiating event (CRWA) as specified in Table 1, and theIncorporating failure probabilities the probability on demand of failure of for the the risk initiating control eventoptions (CRWA) listed asin speciﬁedTable 2 with in Table Equations1, and the(1)–(4), failure we probabilities obtain the predicted on demand result of theof P risk (CCMD control by options CRWA) listed = 9.0049991 in Table ×2 10 with–. Equations (1)–(4), we obtain the predicted result of P (CCMD by CRWA) = 9.0049991 10 6. × − 3.2. Main Turbine Failure (TF) 3.2. Main Turbine Failure (TF) The main turbine failure (TF) model assumes that if an accident occurs, the temperature and The main turbine failure (TF) model assumes that if an accident occurs, the temperature and pressure rise will cause the reactor scram (RS) to initiate using safety rods. If the scram system fails, pressure rise will cause the reactor scram (RS) to initiate using safety rods. If the scram system the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool‐ fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant down system (NPCD) from either side should initiate to remove the decay heat. In the case of both cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of sides’ failure, the reactor core isolation cooling system (RCIC) should initiate to cool the plant down. both sides’ failure, the reactor core isolation cooling system (RCIC) should initiate to cool the plant The graphical representation is reported in Figure 7. down. The graphical representation is reported in Figure7. Safety 2020, 6, 28 8 of 18 Safety 2020, 7, x; doi: FOR PEER REVIEW 8 of 18

FigureFigure 7.7. EventEvent treetree modelmodel developeddeveloped forfor CCMDCCMD initiatedinitiated byby thethe TFTF accident.accident.

FollowingFollowing a a similar similar calculation calculation mechanism mechanism as the as lastthe subsection,last subsection, the probability the probability of the TF-induced of the TF‐ completeinduced complete core meltdown core meltdown (CCMD) is(CCMD) given step is given by step step through by step Equations through Equations (5)–(8), i.e., (5)–(8), i.e.,

P (PCCMD (CCMD 1) 1= P= P(TF (TF)) ×( 1(1 − FF( RS(RS)))) × F ((NPCD))NPCD)) × FF (RCIC),(RCIC) ,(5) (5) TF × − × × P (CCMD 2 = P (TF) × F (RS) × (1 − F (BI)) × F (NPCD) × F (RCIC), (6) P (CCMD 2) = P (TF) F (RS) (1 F (BI)) F (NPCD) F (RCIC), (6) TF × × − × × P (CCMD 3 = P (TF) × F (RS) × F (BI), (7) P (CCMD 3) = P (TF) F (RS) F (BI), (7) TF × × P (CCMD by TF) = P (CCMD 1 + P (CCMD 2 + P (CCMD 3. (8) P (CCMD by TF) = P (CCMD 1)TF+P (CCMD 2)TF+P (CCMD 3)TF. (8) Incorporating the probability of failure for the initiating event (TF) as specified in Table 1, and the failureIncorporating probabilities the probability on demand of failureof the forrisk the control initiating options event listed (TF) in as Table speciﬁed 2 with in Table Equations1, and the(5)– failure(8), we probabilities obtain the predicted on demand result of theof P risk (CCMD control by options TF) = 3.60199964 listed in Table × 102– with. Equations (5)–(8), we obtain the predicted result of P (CCMD by TF) = 3.60199964 10 7. × − 3.3. Complete Loss of Heat Sink (CLOHS) 3.3. Complete Loss of Heat Sink (CLOHS) Note that any one of the following independent lower‐level basic events will lead to the top Note that any one of the following independent lower-level basic events will lead to the top event event of a complete loss of heat sink (CLOHS) accident [36]. of a complete loss of heat sink (CLOHS) accident [36].  Condenser failure (CF) on both sides Condenser failure (CF) on both sides • Failure of both water pumps (FWP) from the river to condensers  Failure of both water pumps (FWP) from the river to condensers • Failure of both feed pumps (FFP)  FailureThe fault of bothtree is feed developed pumps (FFP)accordingly using a logic OR Boolean gate shown in Figure 8 below. • The fault tree is developed accordingly using a logic OR Boolean gate shown in Figure8 below. • According to the Boolean algebras [12] regarding the union of independent events, the fault tree shown in Figure8 above can be translated to an equivalent Boolean equation. From the occurrence probability of the top event, CLOHS is thereby given by Equation (9) below based on the three independent basic events (CF, FWP, FFP), i.e.,

P (CLOHS) = P (CF) + P (FWP) + P (FFP). (9)

Figure 8. Fault tree model developed for the complete loss of heat sink (CLOHS) accident.

According to the Boolean algebras [12] regarding the union of independent events, the fault tree shown in Figure 8 above can be translated to an equivalent Boolean equation. From the occurrence Safety 2020, 7, x; doi: FOR PEER REVIEW 8 of 18

Figure 7. Event tree model developed for CCMD initiated by the TF accident.

Following a similar calculation mechanism as the last subsection, the probability of the TF‐ induced complete core meltdown (CCMD) is given step by step through Equations (5)–(8), i.e.,

P (CCMD 1 = P (TF) × (1 − F (RS)) × F (NPCD)) × F (RCIC), (5)

P (CCMD 2 = P (TF) × F (RS) × (1 − F (BI)) × F (NPCD) × F (RCIC), (6)

P (CCMD 3 = P (TF) × F (RS) × F (BI), (7)

P (CCMD by TF) = P (CCMD 1 + P (CCMD 2 + P (CCMD 3. (8) Incorporating the probability of failure for the initiating event (TF) as specified in Table 1, and the failure probabilities on demand of the risk control options listed in Table 2 with Equations (5)– (8), we obtain the predicted result of P (CCMD by TF) = 3.60199964 × 10–.

3.3. Complete Loss of Heat Sink (CLOHS) Note that any one of the following independent lower‐level basic events will lead to the top event of a complete loss of heat sink (CLOHS) accident [36].  Condenser failure (CF) on both sides  Failure of both water pumps (FWP) from the river to condensers Safety 2020Failure, 6, 28 of both feed pumps (FFP) 9 of 18  The fault tree is developed accordingly using a logic OR Boolean gate shown in Figure 8 below.

Safety 2020, 7, x; doi: FOR PEER REVIEW 9 of 18

probability of the top event, CLOHS is thereby given by Equation (9) below based on the three independent basic events (CF, FWP, FFP), i.e., Figure 8. Fault tree model P (CLOHS) developed = forP (CF) the complete + P (FWP) loss + ofP heat(FFP). sink (CLOHS) accident. (9)

IncorporatingAccordingIncorporating to the thethe Boolean probabilityprobability algebras of failurefailure [12] regarding forfor thethe initiatinginitiating the union events of independent (CF, FWP, events, FFP)FFP) asas the speciﬁedspecified fault tree inin –3 TableshownTable1 ,1, in we we Figure obtain obtain 8 P aboveP (CLOHS) (CLOHS) can be= = 3 translated3 × 1010− .. Subsequently, to an equivalent thethe Boolean CLOHSCLOHS event-treeequation.event‐tree From modelmodel the isis occurrence developeddeveloped × assumingassuming thatthat ifif thethe accidentaccident occurs,occurs, thethe temperaturetemperature andand pressurepressure riserise willwill causecause thethe reactorreactor scramscram (RS)(RS) toto initiateinitiate usingusing safetysafety rods.rods. IfIf thethe scramscram systemsystem fails,fails, boronboron injectioninjection (BI)(BI) willwill subsequentlysubsequently kickkick in.in. FollowingFollowing the the shutdown, shutdown, the the reactor reactor core core isolation isolation cooling cooling system system (RCIC) (RCIC) should should initiate initiate to cool to cool the plantthe plant down. down. The The event event tree tree is presented is presented in Figure in Figure9 below. 9 below.

Figure 9. Event tree model developed for CCMD initiated by the CLOHS accident. Figure 9. Event tree model developed for CCMD initiated by the CLOHS accident. The probability of the CLOHS-induced complete core meltdown (CCMD) is thereby derived by The probability of the CLOHS‐induced complete core meltdown (CCMD) is thereby derived by Equations (10)–(13), i.e., Equations (10)–(13), i.e., P (CCMD 1) = P (CLOHS) (1 F (RS)) F (RCIC), (10) P (CCMD CLOHS1 = P (CLOHS)× × (1 − − F (RS)) ×× F (RCIC), (10) P (CCMDP (CCMD 2) 2= =P P( CLOHS(CLOHS)) × FF ((RS)RS) × (1(1 − FF (BI))(BI)) × FF (RCIC),(RCIC) ,(11) (11) CLOHS × × − × P (PCCMD (CCMD 3) 3= =P P( (CLOHS)CLOHS) × FF ((RS)RS) × FF (BI),(BI) ,(12) (12) CLOHS × × P (CCMD by CLOHS) = P (CCMD 1 + P (CCMD 2+ P (CCMD 3. (13) P (CCMD by CLOHS) = P (CCMD 1)CLOHS+P (CCMD 2)CLOHS+P (CCMD 3)CLOHS. (13) Incorporating the probability of failure for the initiating event (CLOHS) as derived in Equation Incorporating the probability of failure for the initiating event (CLOHS) as derived in (9), and the failure probabilities on demand of the risk control options listed in Table 2 with Equations Equation (9), and the failure probabilities on demand of the risk control options listed in Table2 with (10)–(13), we obtain the predicted result of P (CCMD by CLOHS) = 1.80002982 × 10–. Equations (10)–(13), we obtain the predicted result of P (CCMD by CLOHS) = 1.80002982 10 5. × − 3.4. Large Break in RPV (LBRPV) In a large break in RPV (LBRPV), pressure in the primary plant falls quickly, and the reactor shut down occurs. The high‐pressure coolant injection (HPCI) system is not designed to provide protection. Instead, the low‐pressure coolant injection (LPCI) system, or the core spray (CS) system, is available to provide protection. Thereby, the event‐tree model assumes that if the accident occurs, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the low‐pressure emergency cooling system (LPECS) will initiate, including the low‐pressure coolant injection (LPCI) or the core spray (CS) system. The failure frequency on demand of LPECS is calculated based on if LPCI and CS both fail at the same time, i.e., a fault tree with a logic AND Boolean gate is applied and shown in Figure 10 as governed by Equation (14) for the two independent events (LPCI, CS). The propagation of failure rates is presented in Figure 11 below. Safety 2020, 6, 28 10 of 18

3.4. Large Break in RPV (LBRPV) In a large break in RPV (LBRPV), pressure in the primary plant falls quickly, and the reactor shut down occurs. The high-pressure coolant injection (HPCI) system is not designed to provide protection. Instead, the low-pressure coolant injection (LPCI) system, or the core spray (CS) system, is available to provide protection. Thereby, the event-tree model assumes that if the accident occurs, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the low-pressure emergency cooling system (LPECS) will initiate, including the low-pressure coolant injection (LPCI) or the core spray (CS) system. The failure frequency on demand of LPECS is calculated based on if LPCI and CS both fail at the same time, i.e., a fault tree with a logic AND Boolean gate is applied and shown in Figure 10 as governed by Safety 2020, 7, x; doi: FOR PEER REVIEW 10 of 18 Equation (14) for the two independent events (LPCI, CS). The propagation of failure rates is presented in Figure 11 below. F (LPECS) = F (LPCI) F (CS). (14) Safety 2020, 7, x; doi: FOR PEER REVIEW × 10 of 18

Figure 10. Fault tree model developed for the failure of LPECS.

F (LPECS) = F (LPCI) × F (CS). (14) Figure 10. Fault tree model developed for the failure of LPECS.

F (LPECS) = F (LPCI) × F (CS). (14)

Figure 11. Event tree model developed for CCMD initiated by LBRPV accident.

The frequency of the LBRPV-triggered complete core meltdown (CCMD) is given by The frequency of the LBRPV‐triggered complete core meltdown (CCMD) is given by Equations Equations (15)–(18), i.e., (15)–(18), i.e., Figure 11. Event tree model developed for CCMD initiated by LBRPV accident. P P(CCMD (CCMD 1 )1LBRPV= =P P( (LBRPV)LBRPV) × ((11 − F (RS))(RS)) × FF (LPECS),(LPECS) ,(15) (15) The frequency of the LBRPV‐triggered complete× core− meltdown× (CCMD) is given by Equations (15)–(18), i.e., P (CCMD 2 = P (LBRPV) × F (RS) × (1 − F (BI)) × F (LPECS), (16)

P (CCMD 3 = P (LBRPV) × F (RS) × F (BI), (17) P (CCMD 1 = P (LBRPV) × (1 − F (RS)) × F (LPECS), (15)

P (CCMD by LBRPV) = P (CCMD 1 + P (CCMD 2 + P (CCMD P (CCMD 2 = P (LBRPV) × F (RS) × (1 − F (BI)) × F (LPECS), (18)(16) 3. P (CCMD 3 = P (LBRPV) × F (RS) × F (BI), (17) Incorporating the probability of failure for the initiating event (LBRPV) as specified in Table 1, P (CCMD by LBRPV) = P (CCMD 1 + P (CCMD 2 + P (CCMD the failure probabilities on demand of the risk control options listed in Table 2, as well as the derived(18) F (LPECS) at Equation (14) into Equations (15)–(18),3 we. obtain P (CCMD by LBRPV) = 2.97999971 – × 10 Incorporating. the probability of failure for the initiating event (LBRPV) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2, as well as the derived 3.5.F (LPECS) Rupture at of EquationSteam Line (14) (RSL) into Equations (15)–(18), we obtain P (CCMD by LBRPV) = 2.97999971 – × 10 In .the rupture of the steam line (RSL) accident between the RPV and the isolation valve, the RSL event‐tree model assumes that if this intermediate‐size leak occurs and pressure in the primary plant 3.5. Rupture of Steam Line (RSL) In the rupture of the steam line (RSL) accident between the RPV and the isolation valve, the RSL event‐tree model assumes that if this intermediate‐size leak occurs and pressure in the primary plant Safety 2020, 6, 28 11 of 18

P (CCMD 2) = P (LBRPV) F (RS) (1 F (BI)) F (LPECS), (16) LBRPV × × − × P (CCMD 3) = P (LBRPV) F (RS) F (BI), (17) LBRPV × ×

P (CCMD by LBRPV) = P (CCMD 1)LBRPV+P (CCMD 2)LBRPV +P (CCMD 3)LBRPV. (18) Incorporating the probability of failure for the initiating event (LBRPV) as speciﬁed in Table1, the failure probabilities on demand of the risk control options listed in Table2, as well as the derived F (LPECS) at Equation (14) into Equations (15)–(18), we obtain P (CCMD by LBRPV) = 2.97999971 10 12. × − 3.5. Rupture of Steam Line (RSL)

Safety In2020 the, 7, rupturex; doi: FOR of PEER the REVIEW steam line (RSL) accident between the RPV and the isolation valve, the11 RSLof 18 event-tree model assumes that if this intermediate-size leak occurs and pressure in the primary plant drops, the reactor scram (RS) initiates using safety rods toto shutshut downdown thethe plant.plant. If the scram system fails, thethe boronboron injectioninjection (BI)(BI) willwill subsequentlysubsequently kickkick in.in. Following thethe shutdown,shutdown, thethe high-pressurehigh‐pressure coolant injection (HPCI) system provides protection. In the case of the HPCI failure, thethe automaticautomatic depressurization system (ADS) will permit the low-pressurelow‐pressure emergency cooling system (LPECS) to initiate. Thereby, ﬁvefive didifferentﬀerent scenariosscenarios leadingleading to to CCMD CCMD are are depicted depicted in in Figure Figure 12 12 below. below.

Figure 12. Event tree model developed for CCMD initiated by the RSL accident.

Accordingly, thethe frequencyfrequency ofof thethe RSL-triggeredRSL‐triggered complete core meltdown (CCMD) is given by Equations (19)–(24), i.e.,

P (CCMDP (CCMD 1) 1= P= (PRSL (RSL)) ×(1 (1 − FF( RS(RS)))) × FF ((HPCI)HPCI) × ((11 − FF (ADS))(ADS)) × FF (LPECS),(LPECS) ,(19) (19) RSL × − × × − × P (CCMD 2 = P (RSL) × (1 − F (RS)) × F (HPCI) × F (ADS), (20) P (CCMD 2) = P (RSL) (1 F (RS)) F (HPCI) F (ADS), (20) RSL × − × × P (CCMD 3 = P (RSL) × F (RS) × (1 − F (BI)) × F (HPCI) × (1 − F (ADS)) × F P (CCMD 3) = P (RSL) F (RS) (1 F (BI)) F (HPCI) (1 F (ADS)) F (LPECS),(21) (21) RSL × × − (LPECS),× × − × P (CCMD 4)RSL = P (RSL) F (RS) (1 F (BI)) F (HPCI) F (ADS)), (22) P (CCMD 4 = P (RSL)× × F (RS)× × (1 − − F (BI)) × F (HPCI) ×× F (ADS)), (22) P (CCMD 5)RSL = P (RSL) F (RS) F (BI), (23) P (CCMD 5 = P (RSL)× × F (RS) ×× F (BI), (23) P (CCMD by RSL) = P (CCMD 1) +P (CCMD 2) + ... + P (CCMD 5) . (24) P (CCMD by RSL) = P (CCMD 1RSL+ P (CCMD 2RSL + … + P (CCMD 5RSL. (24) Incorporating the the probability probability of of failure failure for for the the initiating initiating event event (RSL) (RSL) as specified as speciﬁed in Table in Table 1, the1, thefailure failure probabilities probabilities on demand on demand of the of risk the control risk control options options listed in listed Table in 2, Tableas well2, as as the well derived as the F derived(LPECS) Fat (LPECS) Equation at (14) Equation into Equations (14) into Equations (19)–(24), (19)–(24),we obtain we the obtain result the of resultP (CCMD of P (CCMDby RSL) by = 11 RSL) = 6.71726033 10– 10− . 6.71726033 × .×

3.6. Leak from Instrumentation Line (LIL) Likewise, fault modelling of the leak from the instrumentation line (LIL) in RPV assumes that if the small leak occurs, pressure in the primary plant drops, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the high‐pressure coolant injection (HPCI) system provides protection. In the event of the HPCI failure, the automatic depressurization system (ADS) will permit the low‐ pressure emergency cooling system (LPECS) to initiate, including the low‐pressure coolant injection (LPCI) or the core spray (CS) system. The event tree is drawn in Figure 13. Safety 2020, 6, 28 12 of 18

3.6. Leak from Instrumentation Line (LIL) Likewise, fault modelling of the leak from the instrumentation line (LIL) in RPV assumes that if the small leak occurs, pressure in the primary plant drops, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the high-pressure coolant injection (HPCI) system provides protection. In the event of the HPCI failure, the automatic depressurization system (ADS) will permit the low-pressure emergency cooling system (LPECS) to initiate, including the low-pressure coolant injection (LPCI) or theSafety core 2020 spray, 7, x; doi: (CS) FOR system. PEER REVIEW The event tree is drawn in Figure 13. 12 of 18

FigureFigure 13.13. Event tree model developed for CCMDCCMD initiatedinitiated byby thethe LILLIL accident.accident.

Accordingly,Accordingly, thethe probabilityprobability ofof thethe LIL-triggeredLIL‐triggered completecomplete corecore meltdownmeltdown (CCMD)(CCMD) isis givengiven byby EquationsEquations (25)–(30),(25)–(30), i.e.,i.e.,

P (CCMDP (CCMD 1) 1= P= (PLIL (LIL)) (×1 (1 − FF( RS(RS)))) ×F F( (HPCI)HPCI) × ((11 − F (ADS))(ADS)) × FF (LPECS),(LPECS) ,(25) (25) LIL × − × × − × P (CCMD 2 = P (LIL) × (1 − F (RS)) × F (HPCI) × F (ADS), (26) P (CCMD 2) = P (LIL) (1 F (RS)) F (HPCI) F (ADS), (26) LIL × − × × P (CCMD 3 = P (LIL) × F (RS) × (1 − F (BI)) × F (HPCI) × (1 − F (ADS)) × F P (CCMD 3) = P (LIL) F (RS) (1 F (BI)) F (HPCI) (1 F (ADS)) F (LPECS),(27) (27) LIL × × − (LPECS),× × − × P (CCMD 4)LIL = P (LIL) F (RS) (1 F (BI)) F (HPCI) F (ADS)), (28) P (CCMD 4 = P (LIL)× × F (RS)× × (1− − F (BI)) × F (HPCI) ×× F (ADS)), (28) P (CCMD 5)LIL = P (LIL) F (RS) F (BI), (29) P (CCMD 5 = P (LIL)× × F (RS) ×× F (BI), (29) P (CCMD by LIL) = P (CCMD 1) +P (CCMD 2) + ... + P (CCMD 5) . (30) P (CCMD by LIL) = P (CCMD 1LIL+ P (CCMD 2LIL + … + P (CCMD 5LIL. (30) IncorporatingIncorporating the probability of failure for thethe initiatinginitiating event (LIL) as specifiedspecified in Table1 1,, the the failurefailure probabilitiesprobabilities on demand of thethe riskrisk control options listed in Table2 2,, as as well well as as the the derived derived F F (LPECS) at Equation (14) into Equations (25)–(30), we obtain P (CCMD by LIL) = 6.71726033 10–9. (LPECS) at Equation (14) into Equations (25)–(30), we obtain P (CCMD by LIL) = 6.71726033 ×× 10− . 3.7. Rupture of Core Shroud (RCS) 3.7. Rupture of Core Shroud (RCS) Rupture of the core shroud (RCS) is not part of the pressurizing boundary but an uneven flow Rupture of the core shroud (RCS) is not part of the pressurizing boundary but an uneven flow that could develop in the core due to debris coming off the core shroud and blocking off coolant flow that could develop in the core due to debris coming off the core shroud and blocking off coolant flow channels. Minor core damage (MCD) could occur which will initiate the fission product monitor. channels. Minor core damage (MCD) could occur which will initiate the fission product monitor. Thereby, the RCS event-tree model assumes that MCD occurs from the start, initiating the fission Thereby, the RCS event‐tree model assumes that MCD occurs from the start, initiating the fission product monitor (FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram system product monitor (FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool‐down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling (RCIC) system should initiate to cool the plant down. The event tree is depicted in Figure 14 below. Safety 2020, 6, 28 13 of 18 cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling (RCIC) system should initiate to cool the plant down.Safety 2020 The, 7, eventx; doi: FOR tree PEER is depicted REVIEW in Figure 14 below. 13 of 18

Figure 14. Event tree model developed for CCMD and MCD initiated byby thethe RCSRCS accident.accident.

Accordingly, the failure rate of the RCS-triggered complete core meltdown (CCMD) is given by Accordingly, the failure rate of the RCS‐triggered complete core meltdown (CCMD) is given by Equations (31)–(35), i.e., Equations (31)–(35), i.e., P (CCMDP (CCMD 1) 1 = P= (PRCS (RCS)) ×(1 (1 − FF( FPM(FPM)))) ×( (11 − FF ((RS))RS)) × FF (NPCD)(NPCD) × FF (RCIC),(RCIC) ,(31) (31) RCS × − × − × × P (CCMD 2 = P (RCS) × (1 − F (FPM)) × F (RS) × (1 − F (BI)) × F (NPCD) × F P (CCMD 2)RCS = P (RCS) (1 F (FPM)) F (RS) (1 F (BI)) F (NPCD) F (RCIC),(32) (32) × − ×(RCIC), × − × × P (CCMD 3)RCS = P (RCS) (1 F (FPM)) F (RS) F (BI), (33) P (CCMD 3 = P (RCS)× × (1− − F (FPM)) ×× F (RS) × F (BI), (33) P (CCMD 4)RCS = P (RCS) P (FPM), (34) P (CCMD 4 = P (RCS)× × P (FPM), (34) P (CCMD by RCS) = P (CCMD 1)RCS +P (CCMD 2)RCS + ... + P (CCMD 4)RCS. (35) P (CCMD by RCS) = P (CCMD 1 + P (CCMD 2 + … + P (CCMD 4. (35) Incorporating the probability of failure for the initiating event (RCS) as speciﬁed in Table1, the Incorporating the probability of failure for the initiating event (RCS) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table2 into Equations (31)–(35), we failure probabilities on demand of the risk control options listed in Table 2 into Equations (31)–(35), 7 obtain the result of P (CCMD by RCS) = 1.179919882 10 . Meanwhile,– the frequency of RCS-triggered we obtain the result of P (CCMD by RCS) = 1.179919882× − × 10 . Meanwhile, the frequency of RCS‐ minor core damage (MCD) is given by Equations (36)–(40), i.e., triggered minor core damage (MCD) is given by Equations (36)–(40), i.e., P (MCDP (MCD 1) 1 = P= (PRCS (RCS)) ×(1 (1 − FF( FPM(FPM)))) × ((11 − F ((RS))RS)) × (1(1 − FF (NPCD),(NPCD) ,(36) (36) RCS × − × − × − P (MCD 2 = P (RCS) × (1 − F (FPM)) × (1 − F (RS)) × F (NPCD) × (1 − F (RCIC)), (37) P (MCD 2) =P (RCS) (1 F (FPM)) (1 F (RS)) F (NPCD) (1 F (RCIC)), (37) RCS × − × − × × − P (MCD 3 = P (RCS) × (1 − F (FPM)) × F (RS) × (1 − F (BI)) × (1 − F (NPCD), (38) P (MCD 3) = P (RCS) (1 F (FPM)) F (RS) (1 F (BI)) (1 F (NPCD), (38) RCS × − × × − × − P (MCD 4) P =(MCDP (RCS 4) (=1 P (RCS)F (FPM × (1)) − F (FPM))(RS) ( ×1 F (RS)F (BI ×)) (1 − FF( NPCD(BI)) × )F (NPCD)(1 F ( RCIC)), (39) RCS × − × × − × × − (39) × (1 − F (RCIC)), P (MCD by RCS) = P (MCD 1) RCS + P (MCD 2)RCS+P (MCD 3)RCS+P (MCD 4)RCS. (40) P (MCD by RCS) = P (MCD 1 + P (MCD 2 + P (MCD 3 + P (MCD Incorporating the failure probabilities on demand into Equations (36)–(40), the result of P (MCD(40) by RCS) is obtained as 9.988200801 10 5. 4. × − Incorporating the failure probabilities on demand into Equations (36)–(40), the result of P (MCD 3.8. Breakup of Drier Structure Causing Local Channel Blockage (BDS-LCB) by RCS) is obtained as 9.988200801 × 10–. Likewise, the breakup of the drier structure causing local channel blockage (BDS-LCB) model assumes3.8. Breakup that of minor Drier coreStructure damage Causing (MCD) Local happens Channel from Blockage the start, (BDS initiating‐LCB) the ﬁssion product monitor Likewise, the breakup of the drier structure causing local channel blockage (BDS‐LCB) model assumes that minor core damage (MCD) happens from the start, initiating the fission product monitor (FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool‐ down system (NPCD) from either side should initiate to remove the decay heat. In the case of both Safety 2020, 6, 28 14 of 18

(FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram system fails, the boron injectionSafety 2020, (BI) 7, x; willdoi: FOR subsequently PEER REVIEW kick in. Following the shutdown, the normal plant cool-down system14 of 18 (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactorsides’ failure, core isolation the reactor cooling core (RCIC) isolation system cooling should (RCIC) initiate system to coolshould the initiate plant down. to cool The the eventplant down. tree is presentedThe event intree Figure is presented 15 below. in Figure 15 below.

Figure 15. Event tree model developed for CCMD and MCD initiated byby thethe BDS-LCBBDS‐LCB accident.accident.

The failure frequency of BDS-LCB-induced complete core meltdown (CCMD) is given by The failure frequency of BDS‐LCB‐induced complete core meltdown (CCMD) is given by Equations (41)–(45), i.e., Equations (41)–(45), i.e.,

P (PCCMD (CCMD 1) 1= P= (PBDS (BDS)) ×( 1(1 − FF( FPM(FPM)))) × ((11 − F ((RS))RS)) × FF (NPCD)(NPCD )× FF (RCIC),(RCIC ),(41) (41) BDS × − × − × × P (CCMD 2 = P (BDS) × (1 − F (FPM)) × F (RS) × (1 − F (BI)) × F (NPCD) × F P (CCMD 2) = P (BDS) (1 F (FPM)) F (RS) (1 F (BI)) F (NPCD) F (RCIC),(42) (42) BDS × − ×(RCIC), × − × × P (CCMD 3)BDS = P (BDS) (1 F (FPM)) F (RS) F (BI), (43) P (CCMD 3 = P (BDS)× × (1− − F (FPM)) × F (RS) ×× F (BI), (43) P (CCMD 4)BDS = P (BDS) P (FPM), (44) P (CCMD 4 = P (BDS) ×× P (FPM), (44)

P (CCMD by BDS) = P (CCMD 1)BDS +P (CCMD 2)BDS+ ... + P (CCMD 4)BDS. (45) P (CCMD by BDS) = P (CCMD 1 + P (CCMD 2 + … + P (CCMD 4. (45) IncorporatingIncorporating thethe probabilityprobability of of failure failure for for the the initiating initiating event event (BDS-LCB) (BDS‐LCB) as as speciﬁed specified in in Table Table1, the1, the failure failure probabilities probabilities on on demand demand of the of the risk risk control control options options listed listed in Table in Table2 into 2 into Equations Equations (41)–(45), (41)– 7 we obtain the result of P (CCMD by BDS-LCB) = 5.89959941 10 . – (45), we obtain the result of P (CCMD by BDS‐LCB) = 5.89959941× −× 10 . TheThe probability probability of BDS of‐ BDS-LCB-triggeredLCB‐triggered minor minorcore damage core (MCD) damage is derived (MCD) by is Equations derived (46)– by Equations(50), i.e., (46)–(50), i.e.,

P (MCDP (MCD 1) 1= P= (PBDS (BDS)) ×(1 (1 − FF( FPM(FPM)))) × ((11 − F ((RS))RS)) × (1(1 − FF (NPCD),(NPCD) ,(46) (46) RCS × − × − × − P (MCD 2 = P (BDS) × (1 − F (FPM)) × (1 − F (RS)) × F (NPCD) × (1 − F (RCIC)), (47) P (MCD 2) =P (BDS) (1 F (FPM)) (1 F (RS)) F (NPCD) (1 F (RCIC)), (47) BDS × − × − × × − P (MCD 3 = P (BDS) × (1 − F (FPM)) × F (RS) × (1 − F (BI)) × (1 − F (NPCD), (48) P (MCD 3) = P (BDS) (1 F (FPM)) F (RS) (1 F (BI)) (1 F (NPCD), (48) BDS × − × × − × − P (MCD 4P) (MCD= P4(BDS =) P ((BDS)1 F (×FPM (1 − ))F (FPM))F (RS )× F ((RS)1 F × ((1BI − ))F (BI))F (NPCD × F (NPCD)) (1 ×F (1(RCIC – F )), (49) BDS × − × × − × × − (49) (RCIC)), P (MCD by BDS) = P (MCD 1)BDS+P (MCD 2)BDS+P (MCD 3)BDS+P (MCD 4)BDS. (50) P (MCD by BDS) = P (MCD 1 + P (MCD 2 + P (MCD 3 + P (MCD (50) Incorporating the failure probabilities on demand4 . into Equations (46)–(50), the result of P (MCD 4 by BDS) is obtained as 4.9941004 10− . Incorporating the failure probabilities× on demand into Equations (46)–(50), the result of P (MCD by BDS) is obtained as 4.9941004 × 10–.

4. Summary of Results and Discussion Safety 2020, 6, 28 15 of 18

4. Summary of Results and Discussion Heretofore, the BWR risk study evaluates eight types of independent accidents in the complex system that could lead to the outcome of either complete core meltdown (CCMD) or minor core damage (MCD). The results of the predicted frequencies are summarized in Table3.

Table 3. Modelling results of CCMD and MCD frequencies per year (based on the frequencies of initiating events at the 95% conﬁdence level).

BWR Accident Type CCMD Frequency MCD Frequency Continuous rod withdrawal accident (CRWA) 9.00499910 10 6 Not applicable × − Main turbine failure (TF) 3.60199964 10 7 Not applicable × − Complete loss of heat sink (CLOHS) 1.80002982 10 5 Not applicable × − Large break in RPV (LBRPV) 2.97999971 10 12 Not applicable × − Rupture of steam line (RSL) 6.71726033 10 11 Not applicable × − Leak from instrumentation line in RPV (LIL) 6.71726033 10 9 Not applicable × − Rupture of core shroud (RCS) 1.179919882 10 7 9.98820080 10 5 × − × − Breakup of drier structure causing local channel blockage 5.899599410 10 7 4.99410040 10 4 × − × − Total 2.808022798 10 5 5.99292048 10 4 × − × −

As observed from Table3, the complete loss of heat sink (CLOHS) is the initiating accident that is most vulnerable to the outcome of the complete core meltdown (CCMD), while the large break in RPV (LBRPV) and the rupture of steam line (RSL) are least likely to result in the CCMD. Based on the quantified susceptibilities, an optimum balance between safety performance and costs could be attempted by placing the safety enhancement priority on mitigating the CLOHS-related lower-level events (i.e., condenser failure on both sides, failure of both water pumps from the river to condensers, and failure of both feed pumps), as well as improving the reliability of the risk control options for CLOHS, i.e., reactor scram (RS), boron injection (BI), and reactor core isolation cooling system (RCIC). Factoring all the eight types of initiating accidents, the overall CCMD frequency per year is 2.81 10 5, and the total MCD frequency is 5.99 10 4, indicating a six-in-ten-thousand chance per × − × − year for an MCD to happen in the BWR. Arguably, the empirical data-based modelling results in this work provide a conservative yet insightful implication for the nuclear regulatory authority when reviewing the existing nuclear fleet and considering those claimed by the Generation III+ PWR systems using advanced technologies with highly reliable designs, e.g., EPR (AREVA) predicted with a MCD of 5.78 10 7 per year [38], and AP1000 (Westinghouse) claimed with MCD of 1.23 10 7 per year [39] × − × − subject to diverse modelling boundary conditions. However, the fault-event trees established in this work are more deterministically oriented and entail a limited level of uncertainties regarding the events’ failure probabilities data collected from the empirical operating experiences of the system being investigated. Fuzzy-set logic [40–42] may be incorporated into the fault and event trees for model refinement of imprecision and uncertainty. Computer-aided synthesis, fuzzy neural networks [43], and Bayesian approaches [44–47] are worth exploring and integrating into the fault-event trees for further insights on the reliability analysis. Moreover, the assumption of using the failure probability on demand in this work associated to the event-tree model only represents the failures per demand of the component, but is not necessarily equivalent to the exact failure rate (i.e., the number of times the component failed in a given period of time). It is also worth noting that the system boundary condition of the event trees model in this work is not coupled with uncertain external environments, such as earthquakes [48], malicious reactor attacks by terrorists [49], insider worker sabotage [50] and ever-increasing cyberattacks [51], the perspectives on which future research directions could focus. Last but not least, the fault-event tree approach in this work can expand the scenarios of applications in terms of nuclear in-core instrumentations, such as the Safety 2020, 6, 28 16 of 18 reliability analysis of robots employed for inspection and maintenance [52] of civil nuclear reactors targeting an extended lifespan.

5. Conclusions This work leverages fault tree and event tree approaches to deliver systematic reliability and risk assessment models for monitoring the safety performance of the complex BWR nuclear power plant system, concerning particularly the core complete meltdown and minor damage frequencies, the results of which enhance the existing body of knowledge and can inform the existing nuclear system regulations as well as the licensing of new nuclear power plants targeting in-depth safety, enhanced reliability and cost-efficiency. The potential beneficiaries are nuclear power plant operators, risk assessors, regulators, government energy policy makers, electricity suppliers, and the wider academic community. Furthermore, the assembled fault-event trees model the train of safety-related events for the complex BWR system into an understandable manner by visualizing the cause and effect relationship, which is highly desirable for the use in training purposes, thus assisting in public understanding and engagement in nuclear energy and nuclear safety.

Funding: This research received no external funding. Acknowledgments: The author wishes to acknowledge the Cambridge Nuclear Energy Centre for the guidance in this case study, Imperial College London and University of Southampton for the support in this work. Conﬂicts of Interest: The author declares no conﬂict of interest.

References

1. Breyer, C. A Global Overview of Future Energy. In Future Energy; Elsevier: Amsterdam, The Netherlands, 2020; pp. 727–756. 2. Eriksson, O. Nuclear Power and Resource Eﬃciency—A Proposal for a Revised Primary Energy Factor. Sustainability 2017, 9, 1063. [CrossRef] 3. Merk, B.; Bankhead, M.; Litskevich, D.; Gregg, R.; Peakman, A.; Shearer, C. On a Roadmap for Future Industrial Nuclear Reactor Core Simulation in the U.K. to Support the Nuclear Renaissance. Energies 2018, 11, 3509. [CrossRef] 4. Sekimoto, H. A Roadmap of Innovative Nuclear Energy System. J. Phys. Conf. Ser. 2017, 799, 012001. [CrossRef] 5. Steijn, W.M.P.; Kampen, J.N.V.; Beek, D.V.; Groeneweg, J.; Gelder, P.V. An integration of human factors into quantitative risk analysis using Bayesian Belief Networks towards developing a ‘QRA+’. Saf. Sci. 2020, 122, 104514. [CrossRef] 6. Cid, M.M.; Dies, J.; Tapia, C.; Diaz, P. Outage Key Safety Functions Conﬁguration risk assessment for a three loops Westinghouse PWR. Nucl. Eng. Des. 2015, 291, 271–276. [CrossRef] 7. Gattie, D.K. U.S. energy, climate and nuclear power policy in the 21st century: The primacy of national security. Electr. J. 2020, 33, 106690. [CrossRef] 8. Goodfellow, M.J.; Dewick, P.; Wortley, J.; Azapagic, A. Public perceptions of design options for new nuclear plants in the UK. Process Saf. Environ. Prot. 2015, 94, 72–88. [CrossRef] 9. Nishikawa, M.; Kato, T.; Homma, T.; Takahara, S. Changes in risk perceptions before and after nuclear accidents: Evidence from Japan. Environ. Sci. Policy 2016, 55, 11–19. [CrossRef] 10. Zohuri, B.; Fathi, N. Probabilistic Risk Assessment. In Thermal-Hydraulic Analysis of Nuclear Reactors; Springer: Amsterdam, The Netherlands, 2015; pp. 479–488. 11. Iman, R.L. Methods Used in Probabilistic Risk Assessment for Uncertainty and Sensitivity Analysis. In New Risks: Issues and Management. Advances in Risk Analysis; Cox, L.A., Ricci, P.F., Eds.; Springer: Boston, MA, USA, 1990; Volume 6. 12. Purbaa, J.; Tjahyanib, D.; Deswandric. The implementation of fault tree analysis approaches in nuclear power plant probabilistic safety assessment. AIP Conf. Proc. 2019, 2180, 020010. 13. Lee, W.; Grosh, D.; Tillman, F.; Lie, C. Fault Tree Analysis, Methods, and Applications—A Review. IEEE Trans. Reliab. 1985, 34, 194–203. [CrossRef] Safety 2020, 6, 28 17 of 18

14. Ferdous, R.; Khan, F.; Sadiq, R.; Amyotte, P.; Veitch, B. Fault and event tree analyses for process systems risk analysis: Uncertainty handling formulations. Risk Anal. 2011, 31, 86–107. [CrossRef][PubMed] 15. Raju, S. Estimating the frequency of nuclear accidents. Sci. Glob. Secur. 2016, 24, 37–62. [CrossRef] 16. Lavasani, S.M.; Zendegani, A.; Celik, M. An extension to Fuzzy Fault Tree Analysis (FFTA) application in petrochemical process industry. Process Saf. Environ. 2015, 93, 75–88. [CrossRef] 17. Munera, H.A. A deterministic event tree approach to uncertainty, randomness and probability in individual chance processes. Theory Decis. 1992, 32, 21–55. [CrossRef] 18. Jenab, K.; Dhillon, B.S. Stochastic fault tree analysis with self-loop basic events. IEEE Trans. Reliab. 2005, 54, 173–180. [CrossRef] 19. Podowski, M.Z.; Luo, W.; Kirchner, R.F. Simulation of BWR core meltdown accidents using the APRIL and MAAP computer codes. In Proceedings of the Transactions of the Twenty-Second Water Reactor Safety Information Meeting, Bethesda, MD, USA, 24–26 October 1994. 20. Villafuerte, J.O.; Durán, R.C.; López, H.H.; Martínez, E.A. Fundamentals of Boiling Water Reactor Safety Design and Operation. In Towards a Cleaner Planet; Springer: Berlin/Heidelberg, Germany, 2007. 21. USNRC Technical Training Center. Boiling Water Reactor (BWR) Systems. In Reactor Concepts Manual; US Nuclear Regulatory Commission: Rockville, MD, USA, 2012. 22. Nikitin, K.; Mueller, P.; Martin, J.; Doesburg, W.V.; Hiltbrand, D. BWR loss of coolant accident simulation by means of Relap5. Nucl. Eng. Des. 2016, 309, 113–121. [CrossRef] 23. Greene, R.H. Maintenance of BWR control rod drive mechanisms. In Proceedings of the Nuclear Power Plant and Facility Maintenance Topical Meeting, Salt Lake City, UT, USA, 7–11 April 1991. 24. Hurlebaus, D. An advanced scram system for BWR reactors. In Proceedings of the Reactor Congress 1977, Mannheim, Germany, 29 March–1 April 1977. (In German). 25. Tinoco, H.; Buchwald, P.; Frid, W. Numerical simulation of boron injection in a BWR. Nucl. Eng. Des. 2010, 240, 221–234. [CrossRef] 26. Lin, C.C.; Skarpelos, J.M. Monitoring of fission product release in a boiling water reactor. J. Radioanal. Nucl. Chem. 1997, 220, 173–181. [CrossRef] 27. Lopez, H.; Erkan, N.; Okamoto, K. Reactor core isolation cooling system analysis of the Fukushima Daiichi Unit 2 accident with RELAP/ScdapSIM. J. Nucl. Sci. Technol. 2016, 53, 1899–1905. [CrossRef] 28. Ramirez, G.C.; Chavez, M.C. Simulation of the automatic depressurization system (Ads) for a boiling water reactor (BWR) based on RELAP. In Proceedings of the 23rd SNM Annual Congress: Perspective and Development of Nuclear Energy after Fukushima, Oaxaca, Mexico, 29 July–1 August 2012; Sociedad Nuclear Mexicana: Mexico, Mexico, 2012. 29. Hideo, N.; Yutaka, K.; Kanji, T. BWR Loss-ofCoolant Accident Tests at ROSA-III with High Temperature Emergency Core Coolant Injection. J. Nucl. Sci. Technol. 1988, 25, 169–179. 30. Wheatley, S.; Sovacool, B.K.; Sornette, D. Reassessing the safety of nuclear power. Energy Res. Soc. Sci. 2016, 15, 96–100. [CrossRef] 31. Minh, H.D.; Journé, V. Calculating nuclear accident probabilities from empirical frequencies. Environ. Syst. Decis. 2014, 34, 249–258. 32. Ilas, G.; Liljenfeldt, H. Decay heat uncertainty for BWR used fuel due to modeling and nuclear data uncertainties. Nucl. Eng. Des. 2017, 319, 176–184. [CrossRef] 33. Sembiring, T.M.; Pinem, S.; Liem, P.H. Analysis of NEA-NSC PWR Uncontrolled Control Rod Withdrawal at Zero Power Benchmark Cases with NODAL3 Code. Sci. Technol. Nucl. Install. 2017, 2017, 5151890. [CrossRef] 34. Solis, J.; Ivanov, K.N.; Sarikaya, B.; Olson, A.M.; Hunt, K.W. Boiling Water Reactor Turbine Trip (TT) Benchmark. Volume I: Final Specifications; OECD Nuclear Energy Agency: Paris, France, 2001. 35. IAEA. Assessment and Management of Ageing of Major Nuclear Power Plant Components Important to Safety: BWR Pressure Vessel Internals; Engineering Safety Section, IAEA: Vienna, Austria, 2005. 36. Takahiro, S.; Makoto, N. Failure cause and failure rate evaluation on pumps of BWR plants in PSA Hypothesis testing for typical or plant specific failure rate of pumps. Denryoku Chuo Kenkyusho Hokoku 2009, 41, 1–45. 37. Ivanov, K.; Olson, A.; Sartori, E. OECD/NRC BWR Turbine Trip Transient Benchmark as a Basis for Comprehensive Qualification and Studying Best-Estimate Coupled Codes. Nucl. Sci. Eng. 2004, 148, 195–207. [CrossRef] Safety 2020, 6, 28 18 of 18

38. Godefroy, F. PSA Discussion and Conclusions. In Pre-Construction Safety Report of the UK EPR; AREVA: Paris, France, 2012; Volume 157, p. 6. 39. Westinghouse. AP1000 Pre-Construction Safety Report; Westinghouse: Cranberry Township, PA, USA, 2009; p. 321. 40. Kenarangui, R. Event-tree analysis by fuzzy probability. IEEE Trans. Rel. 1991, 40, 120–124. [CrossRef] 41. Batzias, F.A.; Siontorou, C.C. Investigating the causes of biosensor SNR decrease by means of fault tree analysis. IEEE Trans. Instrum. Meas. 2005, 54, 1395–1406. [CrossRef] 42. Mahmood, Y.A.; Ahmadi, A.; Verma, A.K.; Srividya, A.; Kumar, U. Fuzzy fault tree analysis: A review of concept and application. Int. J. Syst. Assur. Eng. Manag. 2013, 4, 19–32. [CrossRef] 43. Chen, Y.; Zhen, Z.; Yu, H.; Xu, J. Application of Fault Tree Analysis and Fuzzy Neural Networks to Fault Diagnosis in the Internet of Things (IoT) for Aquaculture. Sensors 2017, 17, 153. [CrossRef][PubMed] 44. Mohan, V.D.; Vardon, P.; Hicks, M.; Gelder, P.V. Uncertainty Tracking and Geotechnical Reliability Updating Using Bayesian Networks. In Proceedings of the 7th International Symposium on Geotechnical Safety and Risk (ISGSR), Taipei, Taiwan, 11–13 December 2019. 45. Febres, J.D.; Mohamadi, F.; Mariscal, M.A.; Herrera, S.; García-Herrero, S. The Role of Journey Purpose in Road Traﬃc Injuries: A Bayesian Network Approach. J. Adv. Transp. 2019, 2019, 6031482. [CrossRef] 46. Tolo, S.; Patelli, E.; Beer, M. Robust vulnerability analysis of nuclear facilities subject to external hazards. Stoch. Environ. Res. Risk Assess. 2017, 31, 2733–2756. [CrossRef] 47. Lye, A.T.; Hector, E.L.; Patelli, E. Conversion of Fault Tree into Credal Network for Probabilistic Safety Assessment of a Nuclear Power Plant. In Proceedings of the 3rd International Conference on Nuclear Power Plants, London, UK, 10–11 June 2019. 48. Ebisawa, K.; Teragaki, T.; Nomura, S.; Abe, H.; Shigemori, M.; Shimomoto, M. Concept and methodology for evaluating core damage frequency considering failure correlation at multi units and sites and its application. Nucl. Eng. Des. 2015, 288, 82–97. [CrossRef] 49. Helfand, I.; Forrow, L.; Tiwari, J. Nuclear terrorism. BMJ 2002, 324, 356–359. [CrossRef][PubMed] 50. International Atomic Energy Agency. Engineering Safety Aspects of the Protection of Nuclear Power Plants against Sabotage; IAEA Nuclear Security Series No. 4; IAEA: Vienna, Italy, 2007. 51. The Economist. A Cyber-Attack on an Indian Nuclear Plant Raises Worrying Questions. Available online: https://www.economist.com/asia/2019/11/01/a-cyber-attack-on-an-indian-nuclear-plant-raises- worrying-questions (accessed on 20 April 2020). 52. Ferguson, T.; Lu, L. Fault tree analysis for an inspection robot in a nuclear power plant. IOP Conf. Ser. Mater. Sci. Eng. 2017, 235, 012003. [CrossRef]

© 2020 by the author. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).