Fault-Event Trees Based Probabilistic Safety Analysis of a Boiling Water Nuclear Reactor’s Core Meltdown and Minor Damage Frequencies

Abstract

A systematic probabilistic safety assessment for a boiling water nuclear reactor core is performed using fault trees and event trees analysis models. Based on a survey of the BWR’s safety systems against potential hazards, eight independent failure modes (initiating events) triggered scenarios are modelled and evaluated in the assembled fault-event trees, obtaining the two key outcome probabilities of interest, i.e., complete core meltdown (CCMD) frequency and minor core damage (MCD) frequency. The analysis results indicate that the complete loss of heat sink accounts for the initiating accident most vulnerable to CCMD (with a frequency of 1.8 × ${10}^{-5}$ per year), while the large break in the reactor pressure vessel is the least susceptible one (with a frequency of 2.9 × ${10}^{-12}$ per year). The quantitative risk assessment and independent review conducted in this case study contributed a reference reliability model for defense-in-depth core optimizations with reduced costs, informing risk-based policy decision making, licensing, and public understanding in nuclear safety systems.

1. Introduction

The merits of nuclear energy have been re-discovered over recent years to address the future global energy needs [1] in an environmentally conscious and resource-sustainable way [2]. Since the nuclear renaissance [3] and the subsequent increase in nuclear newbuild projects [4] globally, new needs for safety assessment [5,6] of the complex nuclear power system has arisen. Securing a very high level of design and operating safety with reduced costs will not only be technically required for the burgeoning nuclear sector, but also from the policy [7] point of view to approach the challenge in addressing the public’s negative perception [8] on nuclear power in the post-Fukushima era [9]. Since introducing revolutionary reactor technologies takes a long time, traditional light water reactors (LWR) will inevitably remain the dominant technology for many decades in the foreseeable future. Therefore, improving the safety margin and cost-efficiency of reactors in the existing fleet, such as pressurized water reactors (PWR) and boiling water reactors (BWR), exhibits the highest priority.

To this end, probabilistic safety assessment (PSA) [10,11] based on fault tree [12,13] and event tree [14] analyses present these characteristics and can be designed to tailor for the overall risk assessment of PWRs and BWRs. Historically developed for nuclear [15] and petrochemical [16] industries, fault tree and event tree methodologies have evolved and been well established in theory both deterministically [17], and stochastically [18]. However, relatively fewer applied studies or papers are reported concerning specifically the BWR core meltdown [19] and minor core damage [20] estimations in detail. Therefore, developing a reference model in this work and conducting an independent review is momentous in the fields of reliability assessment, safety forecasting, core optimization and thus helps inform safety-based policy decision making. It is of importance to give to the nuclear regulatory body and the academic community an independent verification of the core meltdown and the minor core damage frequency calculations (a case study for the BWR in this work), as an independent study; if available, multi-benchmarking creates trust in safety reports.

The risk-based approach applied in this work follows three steps. Firstly, defining all potential hazards and threats (initiating events) based on a survey of a standard BWR system architecture. Secondly, identifying risk control options (intermediate events) that can be established to control each risk element. Specifically, the empirical occurrence frequency of the initiating failure event and the corresponding unavailability frequency of each risk control option is specified. The final and key task is undertaking a failure mode and effect analysis (FMEA) incorporating the accident sequences using event trees and fault trees. Based on the premise that the probability of failure is dominated by the probability of the protection system to initiate on demand, the frequency of complete core meltdown (CCMD) and minor core damage (MCD) due to different plant faults are quantitatively evaluated. The modelling and analysis in this study provide a physical insight into the complex nuclear system, based on which risks and mitigation priorities are proposed, targeting cost effectiveness. The case study presented in this work can advantageously be used for training purposes. The potential beneficiaries are nuclear power plant operators, risk assessors, regulators, government energy policymakers, electricity suppliers and the wider academic community.

2. Materials and Methods

A combination of fault tree and event tree methods are applied in this study for calculating the BWR’s core meltdown and minor core damage frequencies. The fault tree approach [10,13] is deductive in nature. This top-down approach assumes that the system has failed in a certain way (e.g., a complete loss of heat sink as reported in Section 3.3), in an attempt to investigate the modes of the components’ behavior (lower-level independent events) leading up to this failure (top event). Boolean logic gates (e.g., OR gates, or AND gates) are used to graphically characterize the logical interrelationships between these events, with the lower-level events serving as the gate’s input, and the higher-level event as the gate’s output. In this way, the probability of a specific system failure (top event) is a function of the reliability of the lower-level basic events.

The event tree analysis [10,14] is an inductive approach that postulates an initiating event (e.g., the rupture of core shroud as detailed in Section 3.7), with a forward logic process in an attempt to derive the corresponding impact on the overall system (e.g., the core meltdown and the minor core damage that are of interest in this work). A series of independent intermediate events (e.g., the availability of the risk control options in this work) are split into binary (success or failure) trees, laying a path for evaluating the probabilities of the outcomes.

To identify the initiating events and the intermediate events progression for different failure modes, a survey of the BWR’s system architecture and the corresponding risk control measures are conducted as follows (Section 2.1 and Section 2.2). First, a current generation of BWR [21] plants are sketched in Figure 1, with a steam/water mixture developed within the reactor core. Unlike PWR plants, the plant operating pressure is considerably less, and hence significant amounts of boiling occur. The steam/water blend departs from the top of the core and enters the separator/drier district, where steam is isolated from water and is guided along the steam line to the main turbine which drives the electrical generator to supply the grid. In contrast with PWR, the BWR plant is free of a pressurizer and a steam generator, in this way it incorporates less pipework that could potentially rupture, with a consequence of a loss of coolant accident (LOCA) [22]. After leaving the primary turbine, the low-pressure steam streams into the condenser where it is condensed into water, and after that pumped by means of feed-water pumps back to the reactor pressure vessel (RPV). Note that the coolant flows through the core and hence the reactor power could be controlled via the recirculation and jet pumps as denoted in Figure 1 for varying the flow rate in the down-comer (i.e., the region between the core shroud and the RPV).

2.1. Survey of Safety Systems for Potential Hazards in BWR

Both the control rod drive mechanisms [23] and the reactor scram (RS) system [24] are inserted from the bottom of the core. The RS system is initiated on trip signals from high power, high pressure, or low water levels. Should the RS fail then an independent boron injection (BI) system [25] is available to shut the plant down. The plant features a fission product monitor (FPM) [26] which cautions the operator in case minor core damage (MCD) has happened. Once the FPM initiates, the operator must shut the plant down, after which the core will proceed to generate decay heat, which is removed through turbine bypassing and steam dumping directly to the condenser, as illustrated in Figure 2 below for the normal plant cool-down (NPCD) system [21] depicted based on Figure 1. The plant has two loops and every loop can be utilized to cool the plant down for decay heat elimination. Should the normal method of plant cool-down (i.e., the NPCD system) fail, a standby reactor core isolation cooling (RCIC) system [27] kicks in with makeup water supplied from either the containment suppression chamber or the condensate storage tank for cooling the plant down, as illustrated in Figure 3.

Although the frequency of LOCA will be less for a BWR plant than that in a PWR plant, the BWR plant still has an emergency core cooling system (ECCS), which encompasses two high-pressure systems, i.e., a high-pressure coolant injection (HPCI) system and an automatic depressurization system (ADS) [28], as well as two low-pressure systems, i.e., low-pressure coolant injection (LPCI) and the core spray (CS) system [29], as depicted in Figure 4 and Figure 5 below for illustrations of the redundant logic.

2.2. Failure Mode Identification and BWR’s Risks Control Options

The principle plant faults that can potentially cause an accident are identified and summarized in

Table 1. Fault-initiating events identification for BWR.

Plant Fault Event	Event Frequency per Year	Final Outcome Without Protections
Continuous rod withdrawal (CRWA) accident [33]	5 × ${10}^{-2}$	Complete core meltdown (CCMD)
Both main turbines failure (TF) [34]	2 × ${10}^{-3}$	CCMD
Rupture of core shroud (RCS) [35]	1 × ${10}^{-4}$	Minor core damage (MCD) or MCD and CCMD
Condenser failure (CF) on both sides [36]	5 × ${10}^{-4}$	CCMD
Failure of both water pumps (FWP) [36]	2 × ${10}^{-3}$	CCMD
Failure of both feed pumps (FFP) [36]	5 × ${10}^{-4}$	CCMD
Large break in RPV (LBRPV) [35]	1 × ${10}^{-6}$	CCMD
Rupture of steam line (RSL) [34]	1 × ${10}^{-5}$	CCMD
Leak from instrumentation line (LIL) in RPV [35]	1 × ${10}^{-3}$	CCMD
Breakup of drier structure causing local channel blockage (BDS-LCB) [37]	5 × ${10}^{-4}$	MCD or MCD and CCMD

. For each fault, its frequency per year is based on the empirical datasets [30,31] reported in 216 nuclear accidents and incidents (of various reactor types at the 95% confidence level). The event and fault trees concerning the initial plant response and the protection system that are potentially available will be detailed later in the next section. An assessment of the final state of the core if all protections fail or are unavailable is summarized in the “outcome without protections” column of Table 1, i.e., minor core damage (MCD), complete core meltdown (CCMD), or a combination of MCD and CCMD. If the plant is scrammed, the cooling system is required for one month [32] to cool the plant down, after which it could be assumed that the decay heat declines to a level that is insignificant to damage the core. We assume for this study that the probability of failure is dominated by the probability of the system to initiate on demand (although the exact unavailability rates of some components might be available in plant-specific PSA studies). The probability of failure on demand for each of the protection systems is identified in the following

Table 2. Empirical failure probability on demand of the BWR protection systems.

Failure Mode of BWR Protection System	Failure Probability on Demand
Failure of reactor scram (RS) system using safety rods [23]	1 × ${10}^{-4}$
Failure of reactor shut down using boron injection (BI) [25]	1 × ${10}^{-3}$
Failure of normal plant cool-down (NPCD) system [21]	3 × ${10}^{-2}$
Failure of reactor core isolation cooling (RCIC) system [27]	6 × ${10}^{-3}$
Failure of core spray (CS) system [29]	1.6 × ${10}^{-3}$
Failure of high-pressure coolant injection (HPCI) system [28]	6 × ${10}^{-3}$
Failure of automatic depressurization system (ADS) [28]	1.1 × ${10}^{-3}$
Failure of low-pressure coolant injection (LPCI) system [29]	1.8 × ${10}^{-3}$
Failure of fission product monitor (FPM) [26]	1 × ${10}^{-3}$

.

3. Fault-Event Trees Modelling and Results

Based on the initiating accidents and the mechanism of safety protection systems, as well as their corresponding failure rates as specified in Table 1 and Table 2, the total core meltdown and minor core damage frequencies are calculated systematically using fault tree and event tree methods. According to the survey (Section 2) of the safety systems for potential hazards in BWR as well as the fault-initiating events identified in Table 1, the reliability problem of the complex overall systems can mainly be decomposed into eight independent initial accident-triggered scenarios (that could lead to the outcome of either complete core meltdown or minor core damage to our knowledge), which are modelled, assembled, and evaluated as follows. Note that several uncertain external environments (detailed in the results discussion part in Section 4) are not evaluated in this study.

3.1. Continuous Rod Withdrawal Accident (CRWA)

The continuous rod withdrawal accident (CRWA) model assumes that if the accident occurs, the rise in the reactor power, temperature and pressure will cause the reactor scram (RS) to initiate using safety rods. Providing the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling system (RCIC) should initiate to cool the plant down. Accordingly, the CRWA-triggered event tree is derived in Figure 6 below, presenting three failure-propagating scenarios that can result in the outcome of complete core meltdown (CCMD), denoted as CCMD 1, CCMD 2 and CCMD 3.

To quantitatively derive the probability (frequency per year) of the CRWA-induced complete core meltdown, i.e., P (CCMD by CRWA), we denote the occurrence probability of the initial event CRWA as P (CRWA), and the failure probability on demand of each intermediate event as F (RS), F (BI), F (NBCD) and F (RCIC). Therefore, P (CCMD 1), P (CCMD 2), P (CCMD 3) and the total P (CCMD by CRWA) of interest are calculated via Equations (1)–(4), respectively:

$$\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{CRWA}}=\mathrm{P} \left(\mathrm{CRWA}\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right))\times \mathrm{F} (\mathrm{RCIC}),$$

(1)

$$\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{CRWA}}=\mathrm{P} \left(\mathrm{CRWA}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(2)

$$\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{CRWA}}=\mathrm{P} \left(\mathrm{CRWA}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times \mathrm{F} \left(\mathrm{BI}\right),$$

(3)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{CRWA})=\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{CRWA}}+\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{CRWA}}+\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{CRWA}}.$$

(4)

Incorporating the probability of failure for the initiating event (CRWA) as specified in Table 1, and the failure probabilities on demand of the risk control options listed in Table 2 with Equations (1)–(4), we obtain the predicted result of P (CCMD by CRWA) = 9.0049991 × ${10}^{-6}$.

3.2. Main Turbine Failure (TF)

The main turbine failure (TF) model assumes that if an accident occurs, the temperature and pressure rise will cause the reactor scram (RS) to initiate using safety rods. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling system (RCIC) should initiate to cool the plant down. The graphical representation is reported in Figure 7.

Following a similar calculation mechanism as the last subsection, the probability of the TF-induced complete core meltdown (CCMD) is given step by step through Equations (5)–(8), i.e.,

$$\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{TF}}=\mathrm{P} \left(\mathrm{TF}\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right))\times \mathrm{F} (\mathrm{RCIC}),$$

(5)

$$\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{TF}}=\mathrm{P} \left(\mathrm{TF}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(6)

$$\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{TF}}=\mathrm{P} \left(\mathrm{TF}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times \mathrm{F} \left(\mathrm{BI}\right),$$

(7)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{TF})=\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{TF}}+\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{TF}}+\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{TF}}.$$

(8)

Incorporating the probability of failure for the initiating event (TF) as specified in Table 1, and the failure probabilities on demand of the risk control options listed in Table 2 with Equations (5)–(8), we obtain the predicted result of P (CCMD by TF) = 3.60199964 × ${10}^{-7}$.

3.3. Complete Loss of Heat Sink (CLOHS)

Note that any one of the following independent lower-level basic events will lead to the top event of a complete loss of heat sink (CLOHS) accident [36].

• Condenser failure (CF) on both sides
• Failure of both water pumps (FWP) from the river to condensers
• Failure of both feed pumps (FFP)
• The fault tree is developed accordingly using a logic OR Boolean gate shown in Figure 8 below.

According to the Boolean algebras [12] regarding the union of independent events, the fault tree shown in Figure 8 above can be translated to an equivalent Boolean equation. From the occurrence probability of the top event, CLOHS is thereby given by Equation (9) below based on the three independent basic events (CF, FWP, FFP), i.e.,

P (CLOHS) = P (CF) + P (FWP) + P (FFP).

(9)

Incorporating the probability of failure for the initiating events (CF, FWP, FFP) as specified in Table 1, we obtain P (CLOHS) = 3 × ${10}^{-3}$. Subsequently, the CLOHS event-tree model is developed assuming that if the accident occurs, the temperature and pressure rise will cause the reactor scram (RS) to initiate using safety rods. If the scram system fails, boron injection (BI) will subsequently kick in. Following the shutdown, the reactor core isolation cooling system (RCIC) should initiate to cool the plant down. The event tree is presented in Figure 9 below.

The probability of the CLOHS-induced complete core meltdown (CCMD) is thereby derived by Equations (10)–(13), i.e.,

$$\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{CLOHS}}=\mathrm{P} \left(\mathrm{CLOHS}\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(10)

$$\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{CLOHS}}=\mathrm{P} \left(\mathrm{CLOHS}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(11)

$$\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{CLOHS}}=\mathrm{P} \left(\mathrm{CLOHS}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times \mathrm{F} \left(\mathrm{BI}\right),$$

(12)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{CLOHS})=\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{CLOHS}}+\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{CLOHS}}+\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{CLOHS}}.$$

(13)

Incorporating the probability of failure for the initiating event (CLOHS) as derived in Equation (9), and the failure probabilities on demand of the risk control options listed in Table 2 with Equations (10)–(13), we obtain the predicted result of P (CCMD by CLOHS) = 1.80002982 × ${10}^{-5}$.

3.4. Large Break in RPV (LBRPV)

In a large break in RPV (LBRPV), pressure in the primary plant falls quickly, and the reactor shut down occurs. The high-pressure coolant injection (HPCI) system is not designed to provide protection. Instead, the low-pressure coolant injection (LPCI) system, or the core spray (CS) system, is available to provide protection. Thereby, the event-tree model assumes that if the accident occurs, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the low-pressure emergency cooling system (LPECS) will initiate, including the low-pressure coolant injection (LPCI) or the core spray (CS) system. The failure frequency on demand of LPECS is calculated based on if LPCI and CS both fail at the same time, i.e., a fault tree with a logic AND Boolean gate is applied and shown in Figure 10 as governed by Equation (14) for the two independent events (LPCI, CS). The propagation of failure rates is presented in Figure 11 below.

F (LPECS) = F (LPCI) × F (CS).

(14)

The frequency of the LBRPV-triggered complete core meltdown (CCMD) is given by Equations (15)–(18), i.e.,

$$\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{LBRPV}}=\mathrm{P} \left(\mathrm{LBRPV}\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{LPECS}\right),$$

(15)

$$\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{LBRPV}}=\mathrm{P} \left(\mathrm{LBRPV}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{LPECS}\right),$$

(16)

$$\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{LBRPV}}=\mathrm{P} \left(\mathrm{LBRPV}\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times \mathrm{F} \left(\mathrm{BI}\right),$$

(17)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{LBRPV})=\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{LBRPV}}+\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{LBRPV}}+\mathrm{P} (\mathrm{CCMD} 3{)}_{\mathrm{LBRPV}}.$$

(18)

Incorporating the probability of failure for the initiating event (LBRPV) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2, as well as the derived F (LPECS) at Equation (14) into Equations (15)–(18), we obtain P (CCMD by LBRPV) = 2.97999971 × ${10}^{-12}$.

3.5. Rupture of Steam Line (RSL)

In the rupture of the steam line (RSL) accident between the RPV and the isolation valve, the RSL event-tree model assumes that if this intermediate-size leak occurs and pressure in the primary plant drops, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the high-pressure coolant injection (HPCI) system provides protection. In the case of the HPCI failure, the automatic depressurization system (ADS) will permit the low-pressure emergency cooling system (LPECS) to initiate. Thereby, five different scenarios leading to CCMD are depicted in Figure 12 below.

Accordingly, the frequency of the RSL-triggered complete core meltdown (CCMD) is given by Equations (19)–(24), i.e.,

$$\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{RSL}}=\mathrm{P} (\mathrm{RSL})\times (1-\mathrm{F} \left(\mathrm{RS}\right))\times \mathrm{F} (\mathrm{HPCI})\times (1-\mathrm{F} \left(\mathrm{ADS}\right))\times \mathrm{F} (\mathrm{LPECS}),$$

(19)

$$\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{RSL}}=\mathrm{P} (\mathrm{RSL})\times (1-\mathrm{F} \left(\mathrm{RS}\right))\times \mathrm{F} (\mathrm{HPCI})\times \mathrm{F} (\mathrm{ADS}),$$

(20)

$$\mathrm{P} (\mathrm{CCMD} 3{)}_{\mathrm{RSL}}=\mathrm{P} (\mathrm{RSL})\times \mathrm{F} (\mathrm{RS})\times (1-\mathrm{F} \left(\mathrm{BI}\right))\times \mathrm{F} (\mathrm{HPCI})\times (1-\mathrm{F} \left(\mathrm{ADS}\right))\times \mathrm{F} (\mathrm{LPECS}),$$

(21)

$$\mathrm{P} (\mathrm{CCMD} 4{)}_{\mathrm{RSL}}=\mathrm{P} (\mathrm{RSL})\times \mathrm{F} (\mathrm{RS})\times (1-\mathrm{F} \left(\mathrm{BI}\right))\times \mathrm{F} (\mathrm{HPCI})\times \mathrm{F} (\mathrm{ADS}\left)\right),$$

(22)

$$\mathrm{P} (\mathrm{CCMD} 5{)}_{\mathrm{RSL}}=\mathrm{P} (\mathrm{RSL})\times \mathrm{F} (\mathrm{RS})\times \mathrm{F} (\mathrm{BI}),$$

(23)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{RSL})=\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{RSL}}+\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{RSL}}+\dots +\mathrm{P} (\mathrm{CCMD} 5{)}_{\mathrm{RSL}}.$$

(24)

Incorporating the probability of failure for the initiating event (RSL) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2, as well as the derived F (LPECS) at Equation (14) into Equations (19)–(24), we obtain the result of P (CCMD by RSL) = 6.71726033 × ${10}^{-11}$.

3.6. Leak from Instrumentation Line (LIL)

Likewise, fault modelling of the leak from the instrumentation line (LIL) in RPV assumes that if the small leak occurs, pressure in the primary plant drops, the reactor scram (RS) initiates using safety rods to shut down the plant. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the high-pressure coolant injection (HPCI) system provides protection. In the event of the HPCI failure, the automatic depressurization system (ADS) will permit the low-pressure emergency cooling system (LPECS) to initiate, including the low-pressure coolant injection (LPCI) or the core spray (CS) system. The event tree is drawn in Figure 13.

Accordingly, the probability of the LIL-triggered complete core meltdown (CCMD) is given by Equations (25)–(30), i.e.,

$$\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{LIL}}=\mathrm{P} (\mathrm{LIL})\times (1-\mathrm{F} \left(\mathrm{RS}\right))\times \mathrm{F} (\mathrm{HPCI})\times (1-\mathrm{F} \left(\mathrm{ADS}\right))\times \mathrm{F} (\mathrm{LPECS}),$$

(25)

$$\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{LIL}}=\mathrm{P} (\mathrm{LIL})\times (1-\mathrm{F} \left(\mathrm{RS}\right))\times \mathrm{F} (\mathrm{HPCI})\times \mathrm{F} (\mathrm{ADS}),$$

(26)

$$\mathrm{P} (\mathrm{CCMD} 3{)}_{\mathrm{LIL}}=\mathrm{P} (\mathrm{LIL})\times \mathrm{F} (\mathrm{RS})\times (1-\mathrm{F} \left(\mathrm{BI}\right))\times \mathrm{F} (\mathrm{HPCI})\times (1-\mathrm{F} \left(\mathrm{ADS}\right))\times \mathrm{F} (\mathrm{LPECS}),$$

(27)

$$\mathrm{P} (\mathrm{CCMD} 4{)}_{\mathrm{LIL}}=\mathrm{P} (\mathrm{LIL})\times \mathrm{F} (\mathrm{RS})\times (1-\mathrm{F} \left(\mathrm{BI}\right))\times \mathrm{F} (\mathrm{HPCI})\times \mathrm{F} (\mathrm{ADS}\left)\right),$$

(28)

$$\mathrm{P} (\mathrm{CCMD} 5{)}_{\mathrm{LIL}}=\mathrm{P} (\mathrm{LIL})\times \mathrm{F} (\mathrm{RS})\times \mathrm{F} (\mathrm{BI}),$$

(29)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{LIL})=\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{LIL}}+\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{LIL}}+\dots +\mathrm{P} (\mathrm{CCMD} 5{)}_{\mathrm{LIL}}.$$

(30)

Incorporating the probability of failure for the initiating event (LIL) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2, as well as the derived F (LPECS) at Equation (14) into Equations (25)–(30), we obtain P (CCMD by LIL) = 6.71726033 × ${10}^{-9}$.

3.7. Rupture of Core Shroud (RCS)

Rupture of the core shroud (RCS) is not part of the pressurizing boundary but an uneven flow that could develop in the core due to debris coming off the core shroud and blocking off coolant flow channels. Minor core damage (MCD) could occur which will initiate the fission product monitor. Thereby, the RCS event-tree model assumes that MCD occurs from the start, initiating the fission product monitor (FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling (RCIC) system should initiate to cool the plant down. The event tree is depicted in Figure 14 below.

Accordingly, the failure rate of the RCS-triggered complete core meltdown (CCMD) is given by Equations (31)–(35), i.e.,

$$\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{RCS}}=\mathrm{P} (\mathrm{RCS})\times (1-\mathrm{F} \left(\mathrm{FPM}\right))\times (1-\mathrm{F} \left(\mathrm{RS}\right))\times \mathrm{F} (\mathrm{NPCD})\times \mathrm{F} (\mathrm{RCIC}),$$

(31)

$$\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{RCS}}=\mathrm{P} (\mathrm{RCS})\times (1-\mathrm{F} \left(\mathrm{FPM}\right))\times \mathrm{F} (\mathrm{RS})\times (1-\mathrm{F} \left(\mathrm{BI}\right))\times \mathrm{F} (\mathrm{NPCD})\times \mathrm{F} (\mathrm{RCIC}),$$

(32)

$$\mathrm{P} (\mathrm{CCMD} 3{)}_{\mathrm{RCS}}=\mathrm{P} (\mathrm{RCS})\times (1-\mathrm{F} \left(\mathrm{FPM}\right))\times \mathrm{F} (\mathrm{RS})\times \mathrm{F} (\mathrm{BI}),$$

(33)

$$\mathrm{P} (\mathrm{CCMD} 4{)}_{\mathrm{RCS}}=\mathrm{P} (\mathrm{RCS})\times \mathrm{P} (\mathrm{FPM}),$$

(34)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{RCS})=\mathrm{P} (\mathrm{CCMD} 1{)}_{\mathrm{RCS} }+\mathrm{P} (\mathrm{CCMD} 2{)}_{\mathrm{RCS}}+\dots +\mathrm{P} (\mathrm{CCMD} 4{)}_{\mathrm{RCS}}.$$

(35)

Incorporating the probability of failure for the initiating event (RCS) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2 into Equations (31)–(35), we obtain the result of P (CCMD by RCS) = 1.179919882 × ${10}^{-7}$. Meanwhile, the frequency of RCS-triggered minor core damage (MCD) is given by Equations (36)–(40), i.e.,

$$\mathrm{P} {(\mathrm{MCD} 1)}_{\mathrm{RCS}}=\mathrm{P} \left(\mathrm{RCS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times (1-\mathrm{F} (\mathrm{NPCD}),$$

(36)

$$\mathrm{P} {(\mathrm{MCD} 2)}_{\mathrm{RCS}}=\mathrm{P} \left(\mathrm{RCS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times (1-\mathrm{F} (\mathrm{RCIC}\left)\right),$$

(37)

$$\mathrm{P} {(\mathrm{MCD} 3)}_{\mathrm{RCS}}=\mathrm{P} \left(\mathrm{RCS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times (1-\mathrm{F} (\mathrm{NPCD}),$$

(38)

$$\mathrm{P} {(\mathrm{MCD} 4)}_{\mathrm{RCS}}=\mathrm{P} \left(\mathrm{RCS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times (1-\mathrm{F} (\mathrm{RCIC}\left)\right),$$

(39)

$$\mathrm{P} (\mathrm{MCD} \mathrm{by} \mathrm{RCS})=\mathrm{P} {(\mathrm{MCD} 1)}_{\mathrm{RCS}}+\mathrm{P} {(\mathrm{MCD} 2)}_{\mathrm{RCS}}+\mathrm{P} {(\mathrm{MCD} 3)}_{\mathrm{RCS}}+\mathrm{P} {(\mathrm{MCD} 4)}_{\mathrm{RCS}}.$$

(40)

Incorporating the failure probabilities on demand into Equations (36)–(40), the result of P (MCD by RCS) is obtained as 9.988200801 × ${10}^{-5}$.

3.8. Breakup of Drier Structure Causing Local Channel Blockage (BDS-LCB)

Likewise, the breakup of the drier structure causing local channel blockage (BDS-LCB) model assumes that minor core damage (MCD) happens from the start, initiating the fission product monitor (FPM), causing the reactor scram (RS) to initiate using safety rods. If the scram system fails, the boron injection (BI) will subsequently kick in. Following the shutdown, the normal plant cool-down system (NPCD) from either side should initiate to remove the decay heat. In the case of both sides’ failure, the reactor core isolation cooling (RCIC) system should initiate to cool the plant down. The event tree is presented in Figure 15 below.

The failure frequency of BDS-LCB-induced complete core meltdown (CCMD) is given by Equations (41)–(45), i.e.,

$$\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(41)

$$\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times \mathrm{F} \left(\mathrm{RCIC}\right),$$

(42)

$$\mathrm{P} {(\mathrm{CCMD} 3)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times \mathrm{F} \left(\mathrm{BI}\right),$$

(43)

$$\mathrm{P} {(\mathrm{CCMD} 4)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times \mathrm{P} \left(\mathrm{FPM}\right),$$

(44)

$$\mathrm{P} (\mathrm{CCMD} \mathrm{by} \mathrm{BDS})=\mathrm{P} {(\mathrm{CCMD} 1)}_{\mathrm{BDS} }+\mathrm{P} {(\mathrm{CCMD} 2)}_{\mathrm{BDS}}+\dots +\mathrm{P} {(\mathrm{CCMD} 4)}_{\mathrm{BDS}}.$$

(45)

Incorporating the probability of failure for the initiating event (BDS-LCB) as specified in Table 1, the failure probabilities on demand of the risk control options listed in Table 2 into Equations (41)–(45), we obtain the result of P (CCMD by BDS-LCB) = 5.89959941 × ${10}^{-7}$.

The probability of BDS-LCB-triggered minor core damage (MCD) is derived by Equations (46)–(50), i.e.,

$$\mathrm{P} {(\mathrm{MCD} 1)}_{\mathrm{RCS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times (1-\mathrm{F} (\mathrm{NPCD}),$$

(46)

$$\mathrm{P} {(\mathrm{MCD} 2)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times (1-\mathrm{F} (\mathrm{RS}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times (1-\mathrm{F} (\mathrm{RCIC}\left)\right),$$

(47)

$$\mathrm{P} {(\mathrm{MCD} 3)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times (1-\mathrm{F} (\mathrm{NPCD}),$$

(48)

$$\mathrm{P} {(\mathrm{MCD} 4)}_{\mathrm{BDS}}=\mathrm{P} \left(\mathrm{BDS}\right)\times (1-\mathrm{F} (\mathrm{FPM}\left)\right)\times \mathrm{F} \left(\mathrm{RS}\right)\times (1-\mathrm{F} (\mathrm{BI}\left)\right)\times \mathrm{F} \left(\mathrm{NPCD}\right)\times (1-\mathrm{F} (\mathrm{RCIC}\left)\right),$$

(49)

$$\mathrm{P} (\mathrm{MCD} \mathrm{by} \mathrm{BDS})=\mathrm{P} {(\mathrm{MCD} 1)}_{\mathrm{BDS}}+\mathrm{P} {(\mathrm{MCD} 2)}_{\mathrm{BDS}}+\mathrm{P} {(\mathrm{MCD} 3)}_{\mathrm{BDS}}+\mathrm{P} {(\mathrm{MCD} 4)}_{\mathrm{BDS}}.$$

(50)

Incorporating the failure probabilities on demand into Equations (46)–(50), the result of P (MCD by BDS) is obtained as 4.9941004 × ${10}^{-4}$.

4. Summary of Results and Discussion

Heretofore, the BWR risk study evaluates eight types of independent accidents in the complex system that could lead to the outcome of either complete core meltdown (CCMD) or minor core damage (MCD). The results of the predicted frequencies are summarized in

Table 3. Modelling results of CCMD and MCD frequencies per year (based on the frequencies of initiating events at the 95% confidence level).

BWR Accident Type	CCMD Frequency	MCD Frequency
Continuous rod withdrawal accident (CRWA)	9.00499910 × ${10}^{-6}$	Not applicable
Main turbine failure (TF)	3.60199964 × ${10}^{-7}$	Not applicable
Complete loss of heat sink (CLOHS)	1.80002982 × ${10}^{-5}$	Not applicable
Large break in RPV (LBRPV)	2.97999971 × ${10}^{-12}$	Not applicable
Rupture of steam line (RSL)	6.71726033 × ${10}^{-11}$	Not applicable
Leak from instrumentation line in RPV (LIL)	6.71726033 × ${10}^{-9}$	Not applicable
Rupture of core shroud (RCS)	1.179919882 × ${10}^{-7}$	9.98820080 × ${10}^{-5}$
Breakup of drier structure causing local channel blockage	5.899599410 × ${10}^{-7}$	4.99410040 × ${10}^{-4}$
Total	2.808022798 × ${10}^{-5}$	5.99292048 × ${10}^{-4}$

.

As observed from Table 3, the complete loss of heat sink (CLOHS) is the initiating accident that is most vulnerable to the outcome of the complete core meltdown (CCMD), while the large break in RPV (LBRPV) and the rupture of steam line (RSL) are least likely to result in the CCMD. Based on the quantified susceptibilities, an optimum balance between safety performance and costs could be attempted by placing the safety enhancement priority on mitigating the CLOHS-related lower-level events (i.e., condenser failure on both sides, failure of both water pumps from the river to condensers, and failure of both feed pumps), as well as improving the reliability of the risk control options for CLOHS, i.e., reactor scram (RS), boron injection (BI), and reactor core isolation cooling system (RCIC).

Factoring all the eight types of initiating accidents, the overall CCMD frequency per year is 2.81 × ${10}^{-5}$, and the total MCD frequency is 5.99 × ${10}^{-4}$, indicating a six-in-ten-thousand chance per year for an MCD to happen in the BWR. Arguably, the empirical data-based modelling results in this work provide a conservative yet insightful implication for the nuclear regulatory authority when reviewing the existing nuclear fleet and considering those claimed by the Generation III+ PWR systems using advanced technologies with highly reliable designs, e.g., EPR (AREVA) predicted with a MCD of 5.78 × ${10}^{-7}$ per year [38], and AP1000 (Westinghouse) claimed with MCD of 1.23 × ${10}^{-7}$ per year [39] subject to diverse modelling boundary conditions.

However, the fault-event trees established in this work are more deterministically oriented and entail a limited level of uncertainties regarding the events’ failure probabilities data collected from the empirical operating experiences of the system being investigated. Fuzzy-set logic [40,41,42] may be incorporated into the fault and event trees for model refinement of imprecision and uncertainty. Computer-aided synthesis, fuzzy neural networks [43], and Bayesian approaches [44,45,46,47] are worth exploring and integrating into the fault-event trees for further insights on the reliability analysis. Moreover, the assumption of using the failure probability on demand in this work associated to the event-tree model only represents the failures per demand of the component, but is not necessarily equivalent to the exact failure rate (i.e., the number of times the component failed in a given period of time).

It is also worth noting that the system boundary condition of the event trees model in this work is not coupled with uncertain external environments, such as earthquakes [48], malicious reactor attacks by terrorists [49], insider worker sabotage [50] and ever-increasing cyberattacks [51], the perspectives on which future research directions could focus. Last but not least, the fault-event tree approach in this work can expand the scenarios of applications in terms of nuclear in-core instrumentations, such as the reliability analysis of robots employed for inspection and maintenance [52] of civil nuclear reactors targeting an extended lifespan.

5. Conclusions

This work leverages fault tree and event tree approaches to deliver systematic reliability and risk assessment models for monitoring the safety performance of the complex BWR nuclear power plant system, concerning particularly the core complete meltdown and minor damage frequencies, the results of which enhance the existing body of knowledge and can inform the existing nuclear system regulations as well as the licensing of new nuclear power plants targeting in-depth safety, enhanced reliability and cost-efficiency. The potential beneficiaries are nuclear power plant operators, risk assessors, regulators, government energy policy makers, electricity suppliers, and the wider academic community. Furthermore, the assembled fault-event trees model the train of safety-related events for the complex BWR system into an understandable manner by visualizing the cause and effect relationship, which is highly desirable for the use in training purposes, thus assisting in public understanding and engagement in nuclear energy and nuclear safety.