1. Introduction
Multiple nuclear power plants (NPPs) are often located together for technical and economic reasons. In Korea, 25 NPPs are operating at four sites. As of the end of 2016, Shin-Hanul Units 1 and 2 were waiting for an operating license, and if they are added, a total of eight NPPs will be operational at the Hanul site. In addition, 10 NPPs (including Kori Unit 1 scheduled to be closed in 2017) will be located at the Kori site after the operating license for Shin-Kori Units 3 and 4 and the construction permit for Shin-Kori Units 5 and 6 are approved. Locating several units on a single site provides economic benefits and eases in using resources for normal operation and accident mitigation, but it can lead to unpredictable results when a catastrophic event affects multiple units, as seen with the Fukushima Daiichi NPPs. In particular, the Fukushima accident has focused deserved attention on the dangers of region-wide or multiple external events, such as an earthquake and tsunami.
Setting a target value for a quantitative indicator is a process of social consensus and should be discussed separately, but calculating the quantitative indicator itself is a technical issue. However, because a methodology for evaluating multiunit or site risk has not been sufficiently established worldwide, site safety metrics and regulatory review standards have not been established.
Currently, the quantitative risk for individual NPPs is analyzed using a probabilistic safety assessment (PSA), but it is not appropriate to analyze multiunit risk by simply adding the risks of individual NPPs. For example, to qualitatively guess the frequency and consequence of accidents, which is required to calculate the multiunit risk, two identical plants A and B on the site are simply assumed. As shown in Fig. 1, accident frequency can be expressed as the sum of the frequencies of two single units and their common accidents. In other words, the frequency of accidents on a site decreases as the dependency between units increases. It is expected that the projected consequences of an accident will also vary according to the conditions. Fig. 2 shows the expected patterns of the consequences. When an accident occurs in two units within a short time interval, twice the amount of radioactive material will be released, and the consequences will double. However, if we assume a situation exceeding a threshold threatening human health, the consequences could be more than double, which could open a debate about the appropriate health or economic objectives. Meanwhile, if evacuation and emergency preparedness plans are working perfectly, the consequences will reach only a certain limit that is less than double of the amount in one reactor regardless of the increase in radioactive source terms. In conclusion, the risk represented by the product of the frequency and the consequences remains ambiguous, as shown in Fig. 3.
Fig. 1. Frequency of multiunit accidents (1).
Fig. 2. Consequences of multiunit accidents.
Fig. 3. Expected multiunit risk represented by frequency × consequences.To obtain realistic multiunit risks, it is necessary to evaluate the dependency of every component in the PSA, such as initiators, mitigating systems, accident sequences, and emergency preparedness. The situation becomes even more complicated if the assessment takes into account a complex disaster that acts as a common initiator affecting multiple NPPs at the same time. It is well known that the uncertainty becomes larger as the level of the PSA increases. It is, therefore, obvious that interunit dependency under internal or particularly external initiators amplifies uncertainty and complicates interpretation.
Since the Fukushima accident, interest in multiunit accidents has increased significantly; in Korea, the number of NPPs per site and the population density around each plant area are relatively high. Therefore, the urgency and importance of evaluating multiunit risk are significantly higher in Korea than in other countries, and debates occur about the methods and criteria for dealing with multiunit and site risk assessments.
To provide a comprehensive reference on the enabling techniques necessary for subsequent studies, we reviewed and summarized journal and conference papers on multiunit and/or site risk assessments. The contents of the reviewed references are classified by technical status into the following categories: (1) research status, (2) risk metric or safety goal, (3) qualitative risk assessment, (4) quantitative risk assessment, (5) initiating event or initiator, (6) dependency data analysis, and (7) human reliability. We drew insights and summarized our conclusions.
2. Analysis of technical status
2.1. Overview
This study investigated the main technical elements and research status of multiunit and site risk assessment. For this purpose, we analyzed the journal and conference papers published from 2011 to 2016 on multiunit PSA. The articles we reviewed focused on multiunit and/or site risk; we deliberately excluded general PSA issues. In cases of multiple publications with the same content, we selected and analyzed the latest one. Technical elements are divided into the seven aforementioned categories. It should be noted that many publications cover several categories; therefore, the seven categories are not completely mutually exclusive. However, we attempted to reorganize the PSA technical elements systematically using definitions in the standards of the IAEA-TECDOC-1804 or ASME PRA standard [1], [2]. For instance, in terms of International Atomic Energy Agency standards, “model integration and Level 1 PSA quantification” and “dependent failure analysis” are strongly related to categories (3) and (4), and “initiating event” and “hazard event” belong to category (5). Category (6) includes “data analysis” and category (7) is matched with “human reliability analysis (HRA).” A simple summary and statistics for the reviewed publications are shown in Table 1.
Table 1. Summary of the references reviewed.
| Category | References | Number of articles |
|---|---|---|
| (1) Research status | [6], [7], [8], [9] | 4 |
| (2) Risk metric or safety goal | [10], [11], [12], [13] | 4 |
| (3) Qualitative risk assessment | [14], [15], [16], [17], [18] | 5 |
| (4) Quantitative risk assessment | [19], [20], [21], [22], [23], [24], [25], [26] | 8 |
| (5) Initiating event or initiator | [27], [28], [29], [30], [31], [32], [33] | 7 |
| (6) Dependency data analysis | [34], [35] | 2 |
| (7) Human reliability | [36] | 1 |
At present, there is no fully agreed upon methodology for multiunit PSA, and various studies of multiunit risk are ongoing. Several institutes are publishing their current research status and future studies. We also highlighted risk metrics and safety goals as they fit the multiunit situation. Generally speaking, the conventional surrogate risk metrics, such as core damage frequency (CDF) and large early release frequency (LERF), need to be revised, and the quantitative goal also requires greater consensus.
The method for expanding the number of units from the existing single-unit PSA has been discussed both qualitatively and quantitatively. The important issues are mainly to identify and recognize how initiating events affect multiple units in specific situations and how dependent facilities function during accident scenarios. The major issues can be summarized as follows:
-
•
Modeling of multiunit risk accident scenarios
-
•
Propagation of a single-unit accident into a multiunit accident
-
•
Multiunit risk considering plant operation modes, including the spent fuelpool (SFP)
Regarding category (5), the initiating event or initiator, the Loss Of Offsite Power (LOOP) has been studied as a representative internal event in many cases, whereas the significant initiator has been seismic events. The main issues related to the initiating event or initiator are as follows:
-
•
Analysis of frequency of multiunit events
-
•
Site risk analysis considering seismic correlations
-
•
Seismic data collection and analysis
For category (6), dependency data analysis, we focused on explaining the International CCF Data Exchange (ICDE) project for collecting common cause failure (CCF) data on multiunit events and analyzing which dependency factors exist when classifying the initiating event for a multiunit PSA model. Human reliability analysis needs to be followed up as a whole, particularly the multiunit-related operator behaviors required on the Level 2 PSA. Major issues related to dependency are as follows:
-
•
Multiunit CCF data collection and analysis
-
•
Analysis of dependency factors in the initiating event
-
•
Multiunit accident scenarios involving human/organizational factors
2.2. General issues
The research status must be strongly related to the status of operating NPPs in each country. Table 2 shows the number of NPPs by major country.
Table 2. Number of NPPs on a single site by country [3].
| Number of units | Korea | USA | Canada | Japan | China | France |
|---|---|---|---|---|---|---|
| 1 | 23 | 1 | 4 | 2 | ||
| 2 | 28 | 3 | 6 | 9 | ||
| 3 | 4 | 5 | 1 | 1 | ||
| 4 | 2 | 1 | 3 | 2 | 8 | |
| 5 | 1 | 1 | ||||
| 6 | 2 | 1 | 3 | 1 | ||
| 7 | 1 | 1 | ||||
| 8 | 2 | 1 |
Table 2 shows that Korea and Canada have a maximum of eight units per site, which explains why multiunit risk researchers are active in these countries. On the other hand, Table 3 shows the land area per nuclear power unit: the density of NPPs in Korea is the world's highest. Table 4 shows the population density near Korean NPP sites. Given its geographic and geologic uniqueness, Korea has a higher need to evaluate site risk than other countries.
2.3. Enabling techniques
2.3.1. Research status
The Korea Atomic Energy Research Institute [6] is developing the On-line Consolidator and Evaluator of All-Mode Risk for Nuclear Systems, a risk assessment tool that integrates internal/external events, full power/low power and shutdown operation modes, and Levels 1, 2, and 3 PSA. The proposed integrated risk assessment framework is expected to address PSA-related issues and help reduce the inconsistencies that exist between the internal and external PSA models and the full power and low power shutdown PSA models and development of site risk assessment methodologies. The Korean nuclear utility company, Korea Hydro and Nuclear Power [7], is also working to evaluate multiunit risk based on its single-unit PSA models. Currently, it has performed all-mode PSAs for individual units and is developing Level 2 and 3 PSA models. In addition, the regulatory authority, the Nuclear Safety and Security Commission [8], has initiated a review of multiunit risks and commenced the necessary studies. Canada [9] has launched three major projects reflecting the lessons of the Fukushima accident: the revision of the PSA, a reassessment of the design or safety margin for external events, and the development of a whole-site PSA methodology.
2.3.2. Risk metric or safety goal
Multiunit safety goals or risk metrics that represent the safety goals should be the significant point of the PSA framework. To assess the multiunit risk through the Seabrook PSA [10], researchers recommend finding new risk metrics based on the site year, such as site core damage frequency (SCDF) or site large early release frequency, rather than CDF or LERF. Modarres [11] presented the risk metrics in Table 5. Currently, the possibility of multiunit core damage is taken into account, particularly in connection with systems designed using General Design Criteria 5, which limits the sharing of safety-related structures, systems, and components (SSCs) to practically eliminate multiunit risks. After the Fukushima accident, the US Nuclear Regulatory Commission [12] conducted the State-of-the-Art Reactor Consequences Analysis project to reduce the possibility and consequences of multiunit accidents. Those researchers claimed that evaluating the effects of the quantitative health objective required a Level 3 PSA analysis, which takes into account a multiunit PSA scenario.
Table 5. Risk metrics for integrated site safety assessment.
| Risk metric | Applicability |
|---|---|
| Core damage frequency (CDF) | Level 1 single-unit PSA |
| Large early release frequency (LERF) | Limited scope single-unit Level 2 PSA |
| Site core damage frequency (SCDF) | Level 1 multiunit PSA |
| Site large early release frequency (SLERF) | Limited scope multiunit Level 2 PSA |
| Conditional probability of multiunit accident (CPMA) | Level 1 multiunit PSA |
| Site release category frequency (SRCF) | Full scope Level 2 multiunit PSA |
| Complementary cumulative distribution function (CCDF) | Level 3 single-unit PSA |
| Site CCDF (SCCDF) | Level 3 multiunit or multifacility PSA |
| Quantitative health objective (QHO) |
PSA, probabilistic safety assessment.
On the other hand, Zhang et al. [13] proposed a new risk metric in which the cumulative incidence of all accident events that cause an offsite (including site boundaries) individual effective dose exceeding 50 mSv should be less than 1E-6 per reactor year. That metric also requires the results from a Level 2 analysisand dose evaluation.
2.3.3. Qualitative risk assessment
To obtain insights about the risk of multiunit accidents, qualitative and quantitative approaches can be used.
The qualitative approaches have mainly investigated the source of technical difficulties for a multiunit PSA. Samaddar et al. [14] pointed out the technical issue that NPPs cannot be properly protected from external disasters, as the Fukushima accident showed, because of deterministic design criteria that do not carefully consider the combination of potential hazards or realistically screen for those hazards. It was noted that the fact that the accessibility of operators or maintenance crews is limited due to the release of radioactive materials should be considered in terms of HRA, and facilities added as follow-up measures after the Fukushima accident should be included in the risk assessment process. Schroer and Modarres [15] suggested a comprehensive classification of dependent events. Five applicable methodologies for six dependencies in the PSA were recommended, as shown in Table 6.
Table 6. Applicability of methodologies for each classification.
| Dependency | Classification | Applicable methodology |
|---|---|---|
| Initiating event | Definite | Combination |
| Conditional | Parametric or causal | |
| Shared connection | Single | Combination |
| Time sequential | Parametric, causal, or extension | |
| Standby | Causal or extension | |
| Identical component | Parametric or causal | |
| Proximity | Extension or external event type | |
| Human | Pre-initiating event | Parametric or causal |
| Post-initiating event | Parametric or causal | |
| Organizational | Extension or causal | |
Kiper and Maioli [16] also presented multiunit issues: the need for a scenario search considering the interaction between the reactor and the SFP, initiating events that can lead to multiunit problems, shared SSCs, and site arrangement. The possibility of cascading effects or propagation to other units was presented. According to Kim et al. [17], the issues that need to be addressed to implement a multiunit PSA are 1) initiating event, 2) hardware failure, 3) human error, and 4) recovery failure. They noted that residual risks cannot be easily quantified due to technological issues that still need to be considered for realistic estimation. Heo et al. [18] asserted that most multiunit PSA issues could be solved by strengthening the infrastructure or capability of the conventional PSA because multiunit PSA issues are similar to those included in the single-unit PSA.
To manage multiunit risks, a common opinion is that multiunit or site risk should be implemented in an integrated manner (human, organizational, technical factors, etc.) such that the insights from the PSA can be applied in the decision-making process. To use the insight from the PSA models, uncertainty has to be considered and addressed. The uncertainty of multiunit PSA results will be amplified; therefore, a proper sensitivity analysis should accompany them to capture the effects of the uncertainty.
2.3.4. Quantitative risk assessment
The development of quantitative methodologies should be one of the most active areas in multiunit PSA research. Existing studies are largely classified as (1) single-unit-based assessments that reflect the effects of a simultaneous accident and (2) integrated multiunit assessments. A single-unit-based assessment methodology was introduced to roughly estimate the limits of multiunit risk. Stutzke [19] proposed the scoping estimation, which classifies initiators into common-cause initiators (CCIs), initiating events that affect multiple units, and single-unit initiators (SUIs), initiating events that affect a single unit. It categorizes accident sequences into cascading sequences, propagating sequences, and restricted sequences. The scoping estimation methodology expresses CCIs as n times individual unit risk and SUIs as n2 times individual unit risk. Duy et al. [20] suggested a method to extend a single-unit PSA model into a multiunit PSA model. They used case studies to compare the CDFs of the existing PSA model with those of the extended multiunit PSA model and found that the CDF calculated with the extended PSA model was twice that of the existing PSA model. This model evaluated twin units sharing a control room; therefore, the increase in CDF was caused by the dependency of human resources. Hassija et al. [21] estimated the SCDF using Boolean expression. The core damage cases combined from 1 unit to 4 units were simplified to (1) definite external hazard, (2) conditional external hazard, (3) definite internal initiating events, and (4) conditional internal initiating events, and the SCDF was eventually estimated and assessed using the number of units and hazard types at the site. Kumar et al. [22] showed that as the number of units increased, the SCDF increased. The major contributors to the increase in SCDF were the shared SSCs and CCF. In the case of external events, the impact of an earthquake was the most significant. In the case of internal events, about 99% of the risk contribution came from definite initial events.
As an integrated method, Bareith et al. [23] proposed the decomposition of single-unit event trees into one large event tree and the conversion of the core damage sequence of the event tree into a fault tree connected with the headings of the event tree. Fig. 4 shows the method used to combine the event trees. Fig. 5 shows the method used to convert the fault tree. Jang and Lim [24]suggested that multiunit conditional core damage probabilities are more dominantly influenced by dependency between units than other multiunit accident scenario combinations. In addition, the dynamic PSA by Dennis et al. [25] effectively explains the risk of dependency between units.
Fig. 4. Construction of a single and combined event tree. CD, core damage; IE, initiating event; S, success. {EED
Fig. 5. Combined event tree using fault tree conversion of accident sequences. CD, core damage; CDF, core damage frequency; LOCA, loss of coolant accident; S, success; TRAN: TRANSIENT .Zhang et al. [13] suggested a technique to solve the difficulty of scenario explosion as the number of units increases. They grouped the events headings in an event tree based on the basic safety functions and then drew event trees for the remaining cases (except for the success of the final state) by groups. To quantify a large PSA model, Lim et al. [26] proposed a methodology for calculating the CDF through Monte Carlo sampling.
2.3.5. Initiating event or initiator
The data issues are, of course, of great importance in a single-unit PSA and become more important in a multiunit PSA due to rarity (difficulty to be observed), complexity (difficulty to be understood), and uncertainty (difficulty to be quantified).
In this article, one part of the data analysis focused on initiating events or initiators from the viewpoint of a multiunit PSA. The most probable initiating event in a multiunit analysis was generally LOOP. To use the SCDF, the frequency of multiunit initiating events must be converted to site-years. A method for obtaining the frequencies of multiunit initiating events that accounts for site operating years was suggested [27]. Kim et al. [28] conducted a case study to evaluate the usability of an alternate AC diesel generator (AAC DG), which is a shared system within a site, in the event of a multiunit accident. The results showed that the CDF increased by 2% when the AAC DG was not used in any units, whereas the CDF increased by 1% when the AAC DG was used in one unit. In addition, in the case of multiunit LOOP under the same conditions, the result of an evaluation taking into account the recovery probability of off-site power showed that the CDF increased by 11–13% [29]. The recovery probability of the offsite power source in the case of multiunit LOOP shows a larger CDF increase than when the availability of AAC DG is considered and shows the importance of assessing the effects of accidents caused by human error. Among the multiunit accident mechanisms, such as independent random combination, cascade, and simultaneous occurrence by the same hazard, the SCDF caused by the simultaneous occurrence of an independent initiating event, the so-called random combination, turned out to be negligible [30].
Seismic external events were analyzed with the correlation of dependency between units by dividing dependency into complete independence, partial dependency, and complete dependency. Ebisawa et al. [31] showed that the CDF decreased with an increasing seismic correlation. However, it should be noted that the method for calculating seismic correlation has not been fully studied. As a case study, a seismic-induced loss of coolant accident was evaluated. Fig. 6shows the event tree considering the seismic correlation.
Fig. 6. Seismic correlation event tree.
LOCA, loss of coolant accident.
The loss of coolant accident frequency per site year of two units was calculated for the seismic CCF coupling factor by 0.0, 0.1, 0.2, 0.5, and 1.0. In addition, Fleming [32] suggested that sensitivity analysis should be performed to evaluate the risk more accurately and that the seismic correlation should be carefully considered when applying a combination of different components or designs between units. According to Epstein [33], more seismic data (i.e., seismic hazard data and fragility data) collection is required to improve the quality of the seismic PSA. The seismic data are used to understand the success and failure of SSCs using ground motion records and damage-indicating parameters. Bayesian theory was used to enhance the quality of the seismic data.
2.3.6. Dependency data analysis
Intuitively, interunit CCF is one of the key factors affecting multiunit risk. The biggest issue among the six dependencies proposed by Schroer and Modarres [15] is CCF, and the ICDE project is currently under way to address that issue. The ICDE project [34] is collecting multinational CCF data to improve the quality of risk analysis; it has reviewed 80 multiunit events that occurred because of CCF and grouped them into 35 categories. Most CCFs were generated by human errors during design and operation, and a method to prevent CCF caused by human error was suggested. It was also found that more data were needed to analyze CCF caused by deficiencies in manufacturing and production. In addition, researchers used data obtained through the ICDE [35] to present a CCF for an emergency diesel generator (EDG), which plays an important role in supplying power to the safety systems in the event of LOOP. Examples of EDG CCF include the following: (1) crack caused by vibration in start relay socket, (2) simultaneous replacement of sockets in two units, (3) speed reduction of EDG caused by a faulty resistor, and (4) fuel supply failure due to gauge calibration mistakes. The most typical cause of failures was design errors, and many causes were found in auxiliary systems. The failure rate of the EDG due to a cooling water or fuel supply failure in the auxiliary system is high, and the fuel supply system problem, in particular, can be directly linked to multiunit problems.
2.3.7. Human reliability
Finally, HRA is an important issue, but few studies have been performed in this area. Particularly, HRA needs to be supported in Level 2 and 3 PSAs that consider multiunit accidents. Dinnie [36] addressed a dependency analysis related to human error. At present, the Severe Accident Management Guidance does not consider multiunit events. The prioritization process and decision-making of the Severe Accident Management Guidance should be expanded to consider multiunit accidents. He also suggested the need for an HRA method for multiunit accidents, consistent training and qualification requirements, and guidelines for SSCs that can contribute to the reduction of risk.