ARTICLE IN PRESS

Reliability Engineering and System Safety 92 (2007) 961–970

www.elsevier.com/locate/ress

A quantitative analysis of a risk impact due to a starting time extension

of the emergency diesel generator in optimized power reactor-1000
Ho-Gon Lim, Joon-Eon Yang, Mee-Jeong Hwang
Korea Atomic Energy Research Institute, P. O. Box 105, Yusung, 305-606, Taejeon, Republic of Korea
Received 15 June 2006; received in revised form 6 July 2006; accepted 6 July 2006
Available online 7 September 2006

Abstract

An emergency diesel generator (EDG) is the ultimate electric power supply source for the operation of emergency engineered safety
features when a nuclear power plant experiences a loss of off-site power (LOOP). If a loss of coolant accident (LOCA) with a
simultaneous LOOP occurs, the EDG should be in the state of a full power within 10 s, which is a prescribed regulatory requirement in
the technical specifications (TS) of the Optimized Power Reactor-1000 (OPR-1000).
Recently, the US nuclear regulatory commission (NRC) has been preparing a new risk-informed emergency core cooling system
(ECCS) rule called 10 CFR 50.46. The new rule redefines the size for the design basis LOCA and it relaxes some of the requirements such
as the single failure criteria, simultaneous LOOP, and the methods of analysis. The revision of the ECCS rule will provide flexibility for
plant changes if the plant risks are checked and balanced with the specified criteria.
The present study performed a quantitative analysis of the plant risk impact due to the EDG starting time extension given that the new
rule will be applied to OPR-1000. The thermal-hydraulic analysis and OPR-1000 probabilistic safety assessment (PSA) model were
combined to estimate the whole plant risk impact. Also, sensitivity analyses were implemented for the important uncertainty parameters.
r 2006 Elsevier Ltd. All rights reserved.

Keywords: EDG starting time; ECCS rule; LOOP; LOCA; PSA; Risk impact

1. Introduction core cooling system (ECCS) rule, 10 CFR 50.46, is also at

In recent years, the risk-informing 10 CFR part 50 has
been progressed promptly as an Option 3 framework [1] in
the United States Nuclear Regulatory Commission (NRC).
The first risk-informed revision to the technical require-
ments of part 50, the final rule for 10 CFR 50.44,
Combustible Gas Control in a Containment, has already
been published in the Federal Register [2]. The emergency
Abbreviations: EDG, emergency diesel generator; CDF, core damage
frequency; CFR, central federal regulation; ECCS, emergency core
cooling system; EPRI, electric power research institute; KAERI, Korea
atomic energy research institute; LOCA, loss of coolant accident; LOOP,
loss of off-site power; LOVS, loss of voltage signal; OPR-1000, optimized
power reator-1000; MCS, minimal cut set; NPP, nuclear power plant;
PSA, probabilistic safety assessment; RCS, reactor coolant system; T/H,
thermal/hydraulic; TS, technical specification; USNRC, United States
nuclear regulation commission
Corresponding author. Tel.: +82 42 868 2763; fax: +82 42 868 8256.
E-mail addresses: hglim@kaeri.re.kr (H.-G. Lim), jeyang@kaeri.re.kr
(J.-E. Yang), mjhwang@kaeri.re.kr (M.-J. Hwang).
the stage of proposing a final rule. The new rule redefines
the size for a design basis loss of coolant accident (LOCA)
and it relaxes some of the requirements such as the single
failure criteria, simultaneous LOOP, and the methods of
analysis. The revision of the ECCS rule will provide
flexibility for plant changes if the plant risks are checked
and balanced with the specified criteria. The main concerns
of the revision/design changes according to the new ECCS
rule are considered to be (1) power up-rate and (2)
relaxation of the emergency diesel generator (EDG)
starting time in the nuclear industries [3].
For the EDG starting time in Korea, when a LOOP
occurs following a large break LOCA, the EDGs of
Optimized Power Reactor-1000 (OPR-1000) should be
started promptly to supply electric power to the ECCS
within 10 s [4,5]. The prompt start-up of the EDG is mainly
for a mitigation of a large break LOCA including a double-
ended guillotine break of a pipe in the reactor cooling
system (RCS).

0951-8320/$ - see front matter r 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.ress.2006.07.004
 ARTICLE IN PRESS
962 H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970
It was well known that a sudden start-up of an EDG
may increase the EDG failure probability in real accident
situations in addition to the test-induced degradations
during a surveillance test. If the EDG starting time is
extended to a certain value, the plant risk will be changed
mainly due to (1) the increase of risk by immitigable LOCA
and (2) the decrease of risk by the availability improvement
of the EDG.
Under the condition that the ECCS rule in Korea will be
revised based on the new US 10 CFR 50.46, a risk impact
due to the EDG starting time extension is analyzed in the
present study.
This paper is composed of seven sections. In Section 2,
the LOCA break size that cannot be mitigable under the
condition of an extended EDG starting time is obtained
from the thermal hydraulic analysis. Section 3 discusses the
frequency of the immitigable LOCA and the probability of
a LOOP given a LOCA. In Section 4, the effect of the EDG
starting time extension on its failure probability is
discussed in a qualitative manner. Finally, all the risk
changes due to the EDG starting time extension are
calculated in Section 5 with the sensitivity analysis for the
important uncertainty parameters given in Section 6.
2. Determination of an immitigable LOCA break size
The extension of the EDG starting time causes the safety
injection (SI) to the RCS to be delayed because the electric
power supply to the SI is interrupted to start up the EDG.
In this section, thermal-hydraulic analysis for the RCS is
performed to determine the immitigable LOCA break size
for an extension of the EDG starting time. The extension
of the EDG starting time is estimated based on the OPR-
1000 periodic surveillance test procedure [6] and interviews
with the operators.
2.1. Estimations of a feasible EDG starting time extension
OPR-1000 has three EDGs for the prevention of a
station black out (SBO) accident. Two of the EDGs are for
a back-up for the two trains of the electric power supply
system and the other is for an alternate alternating current
(AAC) back-up. In Korea, one AAC back-up EDG is
shared with all the nuclear power plant (NPP) units in a
single site.
The present OPR-1000 technical specification (TS)
requires the EDG to start within 10 s to prevent a guillotine
break LOCA (GBLOCA) with a simultaneous loss of off-
site power (LOOP). GBLOCA with a simultaneous LOOP
is one of the design basis accidents (DBA) of OPR-1000.
When an accident condition such as a LOCA/LOOP
occurs, the EDG will be automatically started to reach the
rated speed by a loss of voltage signal (LOVS). After that,
the plant control system (PCS) distributes the electric
power to the safety-related systems, so called a load
sequencing. During the load sequencing, the power of the
EDG is automatically increased by opening a governor
valve.
In the surveillance test procedures of the EDG [6], there
exist two main time consuming steps to prevent a
mechanical failure of the EDG. One is an idling operation
of the EDG at the startup and the other is a load
sequencing. The test procedure guideline requires that the
EDG should be started by the ‘‘idle mode’’ by which the
EDG should reach the rated speed in about 2 min. In a
similar manner, when the EDG is synchronized to the
electric power line, the guideline also requires that the
power of the EDG should be slowly increased to prevent a
thermal shock to the components in addition to a
malfunctioning of the load sequencing.
We have interviewed two plant operators relevant to the
EDG surveillance test to estimate the appropriate EDG
starting time. One of them said that 3–5 min is needed to
safely startup the EDG while the other estimated 5–10 min
as the safe EDG starting time.
Based on the surveillance test procedures and the
interviews with the plant personnel, we estimated that the
proper EDG starting time would be within 10 min. We
expect that the optimal and reliable EDG starting time can
be estimated if a subsequent rigorous analysis for the EDG
starting procedures is performed.
2.2. T/H analysis for an estimation of the critical pipe break
size
Thermal/Hydraulic analysis was performed to investi-
gate the reactor transient behaviors given that the EDG
starting time is to be extended. From this analysis, the
largest pipe break size of a LOCA that the OPR-1000
ECCS can mitigate is determined.
MARS, which was developed by KAERI (Korea Atomic
Energy Research Institute) was used as the best-estimate
T/H system analysis code [7]. The applicability of the
MARS code has been verified by a comparison with the
RELAP5/MOD3.3 [8] verification and validation report
[9]. As core damage criteria, the 1204 1C (2200 1F) of the
peak cladding temperature described in 10 CFR 50.46 was
used. This value has also been widely used as the core
damage criterion in a NPP probabilistic safety assessment
(PSA). Since a cold leg break has severer impacts for a core
damage [10], the present study used the cold leg break as
the representative break locations.
Fig. 1 shows the calculation results for the reactor core
hottest channel cladding temperature for 10 min of the
EDG starting time. As shown in Fig. 1, if the break size is
larger than 0.4826 m (19 in), the ECCS of OPR-1000
cannot mitigate the core damage. On the other hand, if
the break size is smaller than 18 in, the ECCS has the
capability of mitigating the core damage with the
temperature margin of about 200 1C.
Also, we performed a sensitivity study for the critical
pipe break size according the EDG starting time. Fig. 2
shows the reactor peak cladding temperature of a
 ARTICLE IN PRESS
H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970 963

2000

1800 Core Damage Criterion

Break Size
1600 0.18m(7″)
0.23m(9″)
1400 0.28m(11″)
Cladding Temperature(K)
0.33m(13″)
1200
0.38m(15″)
1000 0.43m(17″)
0.46m(18″)
800 0.48m(19″)
0.51m(20″)
600
0.53m(21″)
400

200

0
0 250 500 750 1000 1250
Time (sec)

Fig. 1. Reactor core hottest cladding temperatures according to pipe break sizes.

2000
Ratio of Break Diameter to Cold leg Diameter

1800 Core Damage Criterion 1.4

SI start time
1600 3 min
Equivalent diameter to
Cladding Temperature(K)

4 min
1400 5 min 1.2 cold leg guilotine break

1200 6 min

1000 1.0
800

600 0.8 Cold leg diameter

400

200 0.6
0
0 250 500 750 1000 1250
0 2 4 6 8 10 12
Time (sec)
EDG Starting Time(minute)
Fig. 2. Peak cladding temperature for the EDG starting time assuming
GBLOCA. Fig. 3. Critical pipe break size according to the change of the EDG
starting time.

GBLOCA as a function of the EDG starting time. From LOCA. Since the OPR-1000 PSA model does not deal with
the results, the current OPR-1000 DBA may be prevented double initiating events and there have not been any OPR-
if the EDG is started within 5 min. Fig. 3 also shows 1000 specific estimations of a LOCA frequency and a
the critical pipe break size as a function of the EDG LOOP probability, we utilized generic estimation results.
starting time. As shown in Fig. 3, the critical pipe break The following two sections describe the details of each
size is shown to exponentially decrease for the EDG information selection.
starting time.
3.1. LOCA frequency distribution
3. LOCA frequency and the probability of a loop given a
LOCA There have been several studies on the estimations of a
pipe break failure frequency [11–13]. The first systematic
To estimate a CDF increase by an immitigable LOCA, study on a piping failure in the nuclear industry was
we need information on the LOCA frequency as a function performed in WASH-1400. At that time, the combined
of the pipe break size and the LOOP probability given a years of reactor service experiences were less than 200 yr.
 ARTICLE IN PRESS
964 H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970
0.1
0.01
Cumulative Frequency(/yr)
1E-3
1E-4
1E-5
1E-6
1E-7
1E-8
1E-9
1 10
Fig. 4. Cumulative LOCA frequency for PWR [3].
Therefore, the pipe LOCA frequencies were based on
experiences from other industries, that is, data from a naval
nuclear reactors’ experience, experimental reactors, United
Kingdom military information, commercial power plants,
and the oil and gas transmission pipeline industry. The next
NRC-sponsored evaluation of the pipe break LOCA
frequencies was carried out within Appendix J of
NUREG/CR-5750. The authors evaluated the nuclear
piping failures in this study and separate frequencies were
determined for the BWR and PWR reactors, respectively.
In the same time period as the NUREG/CR-5750
evaluation, the Swedish Nuclear Inspectorate (SKI) in-
itiated an effort to develop an international piping failure
database. Unfortunately, these estimates are not sufficient
to estimate the immitigable break size LOCA frequency
because they do not discriminate among breaks with
effective diameters greater than 6 in.
Recently, the NRC has finished a study on new
estimations of the LOCA frequencies by using an expert
elicitation process [14]. It was aimed at providing a
technical basis for the new ECCS rule (10 CFR 50.46).
Service history data and the insights from the probabilistic
fracture mechanics (PFM) with the knowledge of a plant
design, operation and material performance were consoli-
dated to provide the LOCA frequency as a function of the
break size.
The present study used these results for the frequency
estimation of an immitigable LOCA break size. Fig. 4
shows the estimation result for an immitigable LOCA size
according to the years of a NPP operation for a PWR.
Since the NUREG-1829 estimated the LOCA frequencies
cumulatively for the break size, the results of NUREG-
1829 were rescaled with a reciprocal of the break diameter
shown in Fig. 4. As shown in Fig. 4, for two reactor
25 yr
40 yr
1.35X10-7
5.0X10-8
Critical Diameter 2.1872 m-1 (1/18 in.)
100
-1
Reciprocality of Diameter(m )
operation years of 25 and 40 yr, the frequencies of an
immitigable break size for a 10 min EDG starting time
records 5.0E-8/yr and 1.35E-7/yr, respectively.
3.2. Simultaneous LOOP given a LOCA
There have been several studies to estimate the condi-
tional probability of consequential LOOP following a
reactor trip [15–17]. The first study for estimating a LOOP
is contained within NUREG/CR-6538. Recently, EPRI
and USNRC independently performed a study for an
estimation of the probability of a LOOP given a LOCA.
EPRI used an expert elicitation process based on service
history data while USNRC used a systematic approach
based on the fault tree method. USNRC categorized the
causes of a LOOP into two factors. One is by a plant-
centered factor and the other is by that of an electric grid
instability.
Table 1 shows a comparison of the EPRI and USNRC
results. As shown in Table 1, the LOOP probability
estimations of USNRC are much larger than those of
EPRI. It is partially due to the fact that the probability of
an electric grid instability was conservatively determined by
using the LOOP probability by a plant-centered factor.
USNRC used bounding values of the LOOP probability by
a plant-centered factor as the LOOP probability by an
electric grid instability. They accounted for this approach
by stating that the relevant phenomenon for a grid
instability was not clearly understood, so called an
epistemic uncertainty.
In Korea, such a quantitative analysis for the LOOP
probability given a LOCA has not been performed as yet.
However, it is expected that the effect of a grid instability
on the LOOP probability in Korea would be comparatively
 ARTICLE IN PRESS
H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970 965

Table 1
Generic conditional probability of LOOP given a LOCA

Institute Power supply mode during normal operation Probability

5% Mean 95%

USNRC 1. Main generator through an auxiliary transformer 1.1E2 2.4E2 4.6E2

2. Offsite power through a start-up transformer 8.6E3 2.1E2 4.3E2
EPRI N/A 1.07E3 9.8E3 3.14E2

Table 2
The causes of EDG failure to start [18]

Failure to start due to EDG failure to start in

A test An accident

Undetected failure before the demand a1lT a2lT

A failure caused by demand p p
Repair or maintenance between tests N/A wd
Repair or maintenance by demand-caused failure or degradation in a test N/A cd/T
Repair or maintenance by running failure in a test N/A l0t0d/T

lower than that in US. The electric grid in Korea is
composed of lots of electric power stations including
nuclear-electric, thermo-electric, hydro-electric, etc. When
a NPP is tripped, the effect of the trip of a NPP on the
electric grid is considered to be insignificant.
In the present study, since there was no study for a
Korean-specific LOOP probability, the results of USNRC
were used as the representative LOOP probability given a
LOCA for the OPR-1000.
4. The effect of the starting time on the EDG failure
probability
From Eq. (1), the failure probability caused by demand,
p, is expected to be relevant to an extension of the EDG
starting time because a failure by a demand shock will be
reduced when the EDG starting time is prolonged to
certain values. Vessely used 9.89E-3 for the probability
assessment as a default value. However, it is not easy to
estimate what portions of the value will be reduced.
Therefore, a risk change by a reduction of the probability
by a demand shock is estimated as a function of the EDG
unavailability in the next section.
5. Estimation of the OPR-1000 CDF changes

Although the EDG failure probability is expected to be
reduced when we extend its starting time, quantitative
estimations for the EDG failure probability as a function
of the starting time are not clearly known. Therefore,
qualitative considerations are discussed in this section.
To examine the effect of the test intervals of an EDG,
Vessely et al. classified an EDG unavailability for a failure
to start into five causes [18]. Table 2 shows the details of the
causes. The total accident unavailability of an EDG is then
expressed by the following equation by using the first order
approximation [19,20]:
QEDG ¼ a2 lT þ p þ wd þ cd=T þ l0 t0 d=T,
where l is the standby failure rate, w the maintenance
frequency, c the probability of a maintenance, p the failure
probability per demand, l0 the operating failure rate, d the
average down time, t0 the average test time, T the EDG
mission time, a2 ¼ 1=2 if the average probability from
undetected failures is to be included in the accident un-
availability and a2 ¼ 1 if the maximum probability from
undetected failures is to be included in the accident
unavailability.
As explained in the previous sections, the CDF changes
due to an EDG starting time extension occur from two
aspects. One is that the CDF increase by the appearance of
an immitigable LOCA and the other is the CDF decrease
by an improvement of the EDG availability. The following
sections describe each risk impact.
5.1. CDF increase by immitigable LOCA
The CDF increase by an immitigable LOCA can be
estimated quantitatively by using the results in Sections 2
and 3. Since an immitigable LOCA may contribute to a
(1)
CDF under the simultaneous LOOP, a CDF by immitig-
able LOCA can be given as follows:
CDFBLOCA=LOOP ¼ f BLOCA PðLOOPjLOCAÞ, (2)
where CDFBLOCAL/LOOP is the core damage frequency of
an immitigable LOCA, fBLOCA the frequency of an
immitigable LOCA and P(LOOPjLOCA) the probability
of a LOOP given a LOCA.
Fig. 7 shows the CDF increase by an immitigable LOCA
as a function of the EDG starting time. The frequencies of
 ARTICLE IN PRESS
966 H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970

ccf
an immitigable LOCA were evaluated by using the results where ðcm j Þi1 i2 im is the frequency by the part of MCSs with
of the critical pipe break sizes for each EDG starting time which simultaneous mj independent EDG failure events
as shown in Fig. 3. The power supply mode of OPR-1000 and j CCF of EDGs result in a core damage, Fj=i1 imj the
during a normal operation corresponds to the first case of probability of the fraction of the MCSs which j, EDG,
the NRC evaluation, that is, ‘‘Main generator through an CCF events are included.Fj=i1 imj can be written as the
auxiliary transformer’’ in Table 1. If this LOOP probability following Eq. (7) with the constraint in Eq. (8)
is used, the mean value of CDFBLOCAL/LOOP at 10 min of X n Xn
an EDG starting time records 5.256E-10 and 1.3272E-9 for Fj=i1 ...imj ¼  ðQk1 Þimjþ1 ...imjþk   
1
imjþ1 ¼1 im ¼1
the 25 and 40 yr plant operations, respectively. imjþ1 ai1 imj im ai1 im1

 ðQkh ÞimjþS . . .  ðQkl Þimk im ð7Þ

h1 mjþS h
5.2. CDF decrease by EDG availability improvement l

X
l
To investigate a risk impact due to an improvement of kh ¼ j; 2pkh pj, (8)
the EDG availability, we should know the relation between h¼1
a NPPs’ whole CDF and the EDG failure probability. P
where S h ¼ hi¼1 kh , ðQkh ÞimjþS mjþS is the CCF prob-
When the CDF of a NPP is quantified from its fault tree in ability of kh number of EDGs.
h1 h

a PSA model, the Minimal Cut Sets (MCS) can be To evaluate Eqs. (6) and (7), a method of treating CCF
classified according to the number of EDG failure events. events should be determined. The PSA for OPR-1000 uses
For a plant, which has ‘‘N’’ EDGs, the CDF of that plant the alpha factor model [21,22] for treating a CCF event.
can be expressed by the following equation in view of the With the staggered testing scheme for the EDG, the kth
EDG failure events if the rare event approximation is CCF probability is given as follows [26]:
applied: ak h
X
n ðQkh Þik þ1ik ¼ Qt , (9)
h1 h
m1 C kh 1
CDFT ¼ CSðmÞ, (3)
m¼0 where Qt is the total EDG failure probability, akh the ratio
of the probability of failure events involving kh component
where CS(m) means the core damage frequency of a set of failures in a common cause group over the total probability
MCSs which have m numbers of EDG failure events. The of all the failure events.
CS(m) can be further subdivided according to the causes of By inserting Eq. (9) into Eqs. (6) and (7), it is easily seen
the EDG failure events. The EDG may fail by two causes, that the total CDF in Eq. (3) is expressed as Nth order
that is, an independent failure or a common cause failure polynomials of Qt.
(CCF). Accordingly, CS(m) can be expressed as follows: Since OPR-1000 has three EDGs and the PSA model for
X
m OPR-1000 treats these three EDGs as a single CCF group,
CSðmÞ ¼ ðF m ÞCCF ðjÞ, (4) Eq. (4) can be written by using Eqs. (7)–(9) as follows:
j¼0
ja1
X 3  
ccf 0 a1
CSð1Þ ¼ ðc1 Þi1 Qt , (10)
where (Fm)CCF(j) is the core damage frequency of a set of i ¼1 2C0
1
MCSs which have m numbers of EDG failure events in "
which j CCF events are included. When j equal 0, that is, 3 X
X 3  2  #
a1 a2
no CCF event is involved in a set of MCSs, the following CSð2Þ ¼ ðcccf 0
2 Þi1 i2 Qt þ ðcccf
2 Þ
2
Qt ,
i1 ¼1 i2 ¼1 2C0 2C1
equation is obtained: i2 4i1

X
n X
n X
n (11)
F CCFm ð0Þ ¼  ðcccf
m Þi1 i2 im ðQ1 Þi1 ðQ1 Þi2    ðQ1 Þim ,
0

i1 ¼1 i2 ¼1 im ¼1
X
3 X
3 X
3  3
i2 4i1 im 4im1 a1
CSð3Þ ¼ ðcccf 0
3 Þi1 i2 i3 Qt
(5) i1 ¼1 i2 ¼1 i3 ¼1 2C0
i2 4i1 im 4im1

where ðcccf is the frequency of the part of MCSs with   

m Þi1 i2 im
0
3 X
X 3 X
3
a1 a2
which simultaneous m independent EDG failure events þ ðcccf 2
3 Þi 1 i 2 Qt Qt
2C0 2C1
result in a core damage, ðQ1 Þij the independent failure i1 ¼1 i2 ¼1 im ¼1
i2 4i1 im 4im1
probability of ijth EDG.  
X
3 X
3 X
3
a3
When j number of EDGs failures is due to a CCF, the þ ðcccf 3
Qt .
3 Þi 1 i 2 i 3 ð12Þ
(Fm)CCF(j) is expressed as follows: i1 ¼1 i2 ¼1 im ¼1 2C2
i2 4i1 im 4im1
X
n X
n
ðF m ÞCCF ðjÞ ¼  ðcccf
m Þi1 i2 im ðQ1 Þi1    ðQ1 Þimj Fj=i1 imj ,
j
The total CDF in Eq. (3) can be simplified as a third
i1 ¼1 imj ¼1
imj 4imj1
order polynomial of Qt as follows:
(6) CDFT ðQt Þ ¼ CSð0Þ þ d 1 Qt þ d 2 Q2t þ d 3 Q3t , (13)
 ARTICLE IN PRESS
H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970 967

Table 3
Highest 10 MCSs relevant to EDG failure to start

Value I.E. B.E. 1 B.E. 2 B.E. 3 B.E. 4

8.33E7 LOOP EGDGW01ABET NR-AC11HR

9.99E8 LOOP EGDGS01A EGDGS01B EGDGS01E NR-AC11HR
9.12E8 LOOP EGDGM01E EGDGS01A EGDGS01B NR-AC11HR
2.27E8 LOOP EGDGS01E EGDGW01ABD NR-AC11HR
2.27E8 LOOP EGDGS01B EGDGW01AED NR-AC11HR
2.27EE8 LOOP EGDGS01A EGDGW01BED NR-AC11HR
2.27E8 LOOP EGDGS01A EGDGS01B EGOPHDG01E NR-AC11HR
2.07E8 LOOP EGDGM01E EGDGW01ABD NR-AC11HR
1.88E8 LOOP AFTPW01B2A EGDGW01ABET NR-AC1HR
5.85E9 LOOP EGDGM01B EGDGS01A EGDGS01E NR-AC11HR
*
EGDGW01XYZT: EDG Triple CCF.
**
EGDGW01XYD: EDG Double CCF.
***
EGDGS01X: EDG Independent Failure.

where Table 4
Numeric values of the coefficients
a1 X 3
a2 X 3 X 3
a3 ccf 3
d1 ¼ ðcccf
1
0
Þi þ ðcccf
2 Þþ
2
ðc3 Þ, Coefficient Value
C
2 0 i ¼1
1
C
2 1 i ¼1 i2 ¼1 2C2
1 1
i2 4i1
CS(0) 3.69E06
 2 X
3 X
a1 3
a1 a2 X 3 X 3 X 3 Qt,BASE 4.49E02
d2 ¼ ðcccf 0
2 Þi 1 i 2 þ ðcccf
3 Þi 1 i 2 ,
2
a1 0.9627733
2C0 i1 ¼1 i2 ¼1 2 C 0 2 C 1 i ¼1 i2 ¼1 im ¼1 a2 0.0202
1
i2 4i1 i2 4i1 im 4im1

  3 X a3 0.0168
a1 3 X 3 X 3
d1 2.25E05
d3 ¼ ðcccf
3 Þi 1 i 2 i 3 .
0
d2 1.17E04
2C0 i ¼1 i2 ¼1 i3 ¼1
1
i2 4i1 im 4im1 d3 1.20E03
CDFBASE 5.05E6
The coefficient di in Eq. (13) can be obtained from the
fault tree quantification results, that is, the MCSs of the
NPP. All the MCSs are classified according to their number 1E-5
of EDG failure events and their types of failures. As an
9E-6 Constant alpha factor(ΔQt)
OPR-1000 Core Damage Frequency(/yr)

example, the coefficient d3 can be obtained from the MCSs,

which have a triple CCF event of the EDG as follows: 8E-6

7E-6
d 3 ¼ ðF 3 ÞCCF ð0Þ=ðQt Þ3 . (14) Current CDF
QBASE = 4.49E-2
6E-6
For a quantification of Eq. (13), the present study used CDFBASE = 5.05E-6
the KIRAP code [23], which was developed by KAERI and
5E-6
uses FTREX [24] as the quantification engine in the
KIRAP code. Under the truncation limit of 1.0E-11 for the
MCSs, KIRAP shows over 4000 MCSs, which include the 4E-6
EDG failure events. Table 3 shows several of the MCSs,
which have the largest failure frequencies in OPR-1000.
The LOOP is the initiating event for these MCSs. Table 4 3E-6
0.00 0.02 0.04 0.06 0.08
also shows the coefficients for Eq. (6). The alpha factors in
EDG Unavailability due to failure to start
Table 4 which are used in the OPR-1000 PSA model are
referenced from NUREG-5497 [25]. Fig. 5. OPR-1000 CDFtot as a function of EDG probability of failure to
Fig. 5 shows the overall OPR-1000 CDF as a function of start.
the EDG failure probability. For the default values of an
EDG failure to start probability, the OPR-1000 has 5.05E- where DCDFEEDG is the amount of CDF decrease by an
6 as a base NPP CDF. EDG availability improvement for the EDG failure to start
To obtain the risk impact due to an improvement of the events, QBASE the base EDG probability of a failure to
EDG availability, the CDF change can be given as start.
DCDFEEDG ¼ ðCDFð0Þ þ d 1 Qt;BASE þ d 2 Q2t;BASE þ d 3 Q3t;BASE Þ Fig. 6 shows a comparison of the CDF changes by an
EDG availability improvement and an immitigable LOCA.
 ðCDFð0Þ þ d 1 Qt þ d 2 Q2t þ d 3 Q3t Þ, ð15Þ As shown in Fig. 6, the effect of a CDF decrease can be
 ARTICLE IN PRESS
968 H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970

1E-6 1E-8
25Yr(NRC LOOP Pr)
ΔCDFEEDG(Constant α factor) 40Yr(NRC LOOP Pr)
CDFBLOCA/LOOP at 40 years 25Yr(EPRI LOOP Pr)
1E-7 CDFBLOCA/LOOP at 25 years 40Yr(EPRI LOOP Pr)

1E-9

CDFBLOCA/LOOP

CDFBLOCA/LOOP
ΔCDFEEDG

1E-8 95 percentile

Mean P(LOOP/LOCA)
1E-10
1E-9
5 percentile

1E-10 1E-11
0.0 1.0x10-3 2.0x10-3 3.0x10-3 4.0x10-3 5.0x10-3
6 8 10 12
EDG Availability Increase(QBASE-Qnew)
EDG Starting Time(Min)
Fig. 6. OPR-1000 CDF changes due to EDG starting time extension. Fig. 7. The CDF increase effect according to the EDG starting time and
Pr(LOOP|LOCA).

larger than a CDF increase if the EDG availability is 6.2. Effect of the CCF on CDF
improved slightly.
If as expected, the EDG availability will be improved by
6. Sensitivity analysis an extension of the EDG starting time, the CDF decrease
effect will vary with the types of an EDG failure events. If
As a pilot study of option 3, the present quantification the CCF of the EDG is decreased by an extension of the
results can have large uncertainties in the estimations of EDG starting time, the entire plant risk will be reduced
their parameters. The candidates of the dominant uncer- more effectively than that of an independent EDG failure
tainty parameters in the present study are assumed to be probability.
those for a feasible extension of the EDG starting time, This section investigates the effect of the EDG starting
availability reduction effect by the EDG starting time time extension on a CCF. The following EDG availability
extension, LOOP probability, and so forth. improvement cases were assumed for the CDF decrease
In this section, two sensitivity analyses are performed to quantification:
investigate the effect of the parameters on the plant risks.
(1) independent EDG failure probability;
6.1. Effect of the EDG extended starting time and (2) double EDG CCF;
P(LOOP|LOCA) on CDFBLOCA|LOOP (3) triple EDG CCF;
(4) total EDG failure probability with constant alpha
As described in Section 2, the feasible EDG starting time factor
extension can has large uncertainties because a rigorous
analysis has not yet been implemented. When the EDG To perform such a sensitivity analysis, the change of a
starting time is changed, the LOCA break size, which basic parameter should be converted into an alpha factor
cannot be mitigated with the present ECCS is changed (see because the present OPR-1000 PSA model uses the alpha
Fig. 3). factor model.
Using the pipe break frequency estimations of NRC [14], By assuming the basic parameter of the k EDGs CCF
the frequencies of the critical pipe diameter can be probability, Qk, is reduced to Q0 k, and the new total failure
evaluated and thereby the immitigable LOCA frequency probability and the alpha factor can be represented as
can be expressed as a function of the EDG starting time. follows:
Finally, by multiplying the simultaneous LOOP probabil-
ity, P(LOOP|LOCA), with the immitigable LOCA size X
3
Q0t ¼ 2 C i1 Qi þ 2 C k1 Q0k ; k ¼ 1; 2; 3, (16)
frequency, the CDF increase in Eq. (2) can be expressed as i¼1
a function of the EDG starting time. Fig. 7 shows the iak

overall results. For a simultaneous LOOP probability, the

8
NRC and EPRI’ estimations were compared. As shown > 2 C j1 Qj
>
> a 0
¼ ; jak
in Fig. 7, the CDF increase by using the EPRI data was < j
Q0t
lower than that of the NRC. However, most of the CDF 0 . (17)
increase in both P(LOOPjLOCA) is shown to be no larger > a0 ¼ 2 C j1 Qj ; j ¼ k
>
>
: j Q0t
than 108.
 ARTICLE IN PRESS
H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970 969

was found that the entire plant CDF would be reduced if

1E-6
the EDG failure probability is slightly decreased due to the
Core Damage Reduction(ΔCDF)

EDG starting time extension in OPR-1000. Also, if a

precise EDG unavailability reduction can be given as a
1E-7
result of an EDG starting time extension, a more accurate
plant CDF change is expected to be analyzed. As a pilot
1E-8 study, this work is expected to contribute to similar work
Triple CCF(ΔQ3) as an Option 3 framework.
Double CCF(ΔQ2)
1E-9 Constant αk(ΔQt)
Acknowledgments
Independent failure(ΔQ1)

1E-10
This work was performed under the Long-term Nuclear
0.0 -4
4.0x10 8.0x10 -4
1.2x10 -3
1.6x10 -3
2.0x10 -3 R&D Program sponsored by the Ministry of Science and
Unavailability Reduction(ΔQk) Technology.

Fig. 8. The CDF decrease effect according to the CCF probability

changes.
References

[1] USNRC. Options for risk-informed revisions to 10 CFR Part 50—

domestic licensing of production and utilization facilities, SECY-98-
By inserting Eqs. (16) and (17) into Eq. (13), the total 300, 1998.
CDF in Eq. (13) can be expressed as a function of Qk only. [2] USNRC. Final rulemaking—risk-informed 10 CFR 50.44. Combus-
The quantification of a CDF decrease of cases 1–3 can be tible gas control in containment, SECY-03-0127, 2003.
achieved with this method. Case 4 is identical to the result [3] USNRC. Attachment 2, regulatory analysis: risk-informed changes
of Section 5.2. to loss-of-coolant accident technical requirements, SECY-05-0052,
2005.
Fig. 8 shows the results of the four cases. As shown in [4] KHNP. Yong-Gwang unit 5&6 final safety analysis report: technical
Fig. 8, the CDF decrease is highly sensitive in the CCF specification. Korea Hydraulic Nuclear Power Co; 2000.
case. Especially, the CDF decrease is more than E-7 in the [5] USNRC. Selection, design, qualification, and testing of emergency
case of a triple CCF in spite of the small failure probability diesel generator units used as class 1E onsite electric power systems at
changes. nuclear power plants, R.G. 1.9, Rev. 3, 1992.
[6] KHNP. Ulchin unit 3&4 emergency diesel generator periodic
surveillance test procedure. Korea Hydraulic Nuclear Power Co;
7. Concluding remarks 2005.
[7] Jeong J-J, Ha KS, Chung BD, Lee WJ. Development of a multi-
The present study performed a pilot study for a risk dimensional thermal-hydraulic system code, MARS 1.3.1. Ann Nucl
Energy 1999;26(18):1161–642.
change due to an EDG starting time extension in OPR-
[8] ISL (Information Systems Laboratories). RELAP5/MOD3.3 Code
1000. The motive for this work was the ECCS rule (10 CFR manual. Code structure, system models, and solution method, vol. I.
50.46) change based on risk-informing 10 CFR part 50 in Rockville, Maryland/Idaho Falls: Idaho, 2003.
the USNRC. [9] Lee YJ, Bae SW, Chung BD. Validation of one-dimensional module
For a quantification of a plant risk change by an EDG of MARS 2.1 computer code by comparing with The RELAP5/
starting time extension, the following information is MOD3.3 developmental assessment results. KAERI/TR-2411/2003,
Daejeon, KAERI, 2003.
needed: [10] USNRC. Compendium of ECCS (emergency core cooling systems)
research for realistic LOCA (loss-of-coolant accidents) analysis.
(1) The largest break size which is preventable when the NUREG-1230, US Nuclear Regulatory Commission, 1988.
EDG starting time is extended to a certain value in a [11] Nyman R, Erixon S, Tomic B, Lydell B. Reliability of piping system
components. Piping reliability—a resource document for PSA
NPP.
applications. SKI Report 95:58, vol. 1. Swedish Nuclear Power
(2) The distribution of the LOCA pipe break size Inspectorate; December 1995.
frequency. [12] Poloski JP, Marksberry DG, Atwood CL, Galyean WJ. Rates of
(3) The distribution of a simultaneous LOOP frequency initiating events at US nuclear power plants: 1987–1995. NUREG/
with a LOCA. CR-5750, US Nuclear Regulatory Commission, 1999.
(4) The PSA model for the effect of a CDF. [13] USNRC. Reactor safety study: an assessment of accident risks in US
commercial nuclear power plants. WASH-1400, US Nuclear Reg-
(5) The information for an EDG failure probability ulatory Commission, 1975.
variation due to the extension of an EDG starting time. [14] Tregoning R, Abramson L, Scott P. Draft report for comment:
estimating loss-of-coolant accident (LOCA) frequencies through the
The present study utilized the recent NRC work for elicitation process. NUREG-1829, US Nuclear Regulatory Commis-
items 2 and 3 and the OPR-1000 specific analysis data for sion, 2005.
[15] Electric Power Research Institute (EPRI). Probability of LOOP given
items 1 and 4. A qualitative discussion was given is Section large LOCA—results of expert elicitation meeting, dated March 20,
5 because the relevant analysis for the EDG failure 2002. Report forwarded to the NRC by the Nuclear Energy Institute
probability was not nearly studied. As an overall result, it (NEI) in a letter dated April 27, 2002.
 ARTICLE IN PRESS
970 H.-G. Lim et al. / Reliability Engineering and System Safety 92 (2007) 961–970
[16] Martinez-Guridi G, et al. Evaluation of LOCA with delayed LOOP
and LOOP with delayed LOCA accident scenarios. NUREG/CR-
6538, BNL-NUREG-52528. Brookhaven National Laboratory, 1997.
[17] USNRC. Technical work to support possible Rulemaking for a risk-
informed alternative to 10 CFR 50.46/GDC 35, Appendix G, Revision
1, Memorandum, US Nuclear Regulatory Commission, 2002.
[18] Vesely WE, DeMoss GM, Lofgren EV, Ginzburg T, Samanta P,
Boccio J. Evaluation of diesel unavailability and risk effective surveillance
test intervals, NUREG/CR-4810(BNL-NUREG-52022), 1987.
[19] Barlow RE, Prochan F. Mathematical theory of reliability. New
York: Wiley; 1965.
[20] Gnedenko BV, et al. Mathematical methods of reliability Theory.
New York: Academic Press; 1969.
[21] Mosleh A, Siu NO. A multi-parameter, event-based common-cause
failure model, Paper M7/3. In: Proceedings of the ninth international
conference on structural mechanics in reactor technology. Lausanne,
Switzerland, 1987.
[22] Mosleh A, Fleming KN, Parry GW, Paula HM, Worledge DH,
Rasmuson DM. Procedures for treating common cause failures in
safety and reliability studies. NUREG/CR-4780, USNRC, 1988.
[23] Han SH. PC-workstation based level 1 PRA code package-KIRAP.
Reliab Eng Syst Safe 1990;30:313–22.
[24] Jung WS, Han SH, Ha JJ. A fast BDD algorithm for large coherent
fault trees analysis. Reliab Eng Syst Safe 2004;83(3):369–74.
[25] Marshall FM, Rasmuson DM, Mosleh A. Common-cause parameter
estimations, NUREG/CR-5497. Idaho Falls, ID: Idaho National
Engineering and Environmental Laboratory; 1998.
[26] Mosleh A, Rasmuson DM, Marshall FM. Guidelines on modeling
common-cause failures in probabilistic risk assessment. NUREG/
CR-5485, USNRC, 1998.