Application of FMEA and FTA techniques for assessing the occurrence of LOCA in a TRIGA MARK I Reactor


INTRODUCTION
The Training, Research, Isotopes, General Atomics (TRIGA) IPR-R1 Mark I reactor, designed and constructed by General Atomics and housed at Centro de Desenvolvimento da Tecnologia Nuclear (CDTN) in the 1960s [1], is subject to stringent safety requirements outlined by the International Atomic Energy Agency (IAEA) [2]. Ensuring the protection of individuals, society, and the environment against radiological hazards in nuclear research reactors such as TRIGA installations mandates establishing and maintaining effective defenses, addressing postulated accidents and operational limit conditions throughout the life cycle of the nuclear facility [3,4].
Rather than relying exclusively on engineered safety, this research reactor category boasts inherent passive safety defenses when using uranium-zirconium-hydride (UZrH) nuclear fuel [5,6]. Notably, the high prompt negative fuel temperature coefficient of reactivity counters reactivity insertions as the fuel temperature increases [7], thereby limiting the reactor power to safe levels. Moreover, the fuel exhibits a high retention capacity for fission products, effectively preventing their release in case of cladding rupture.
Comparable safety defenses must be part of the facility's capabilities to manage other design-basis conditions that represent a deviation from the normal operational state [2].
The Final Safety Analysis Report (FSAR) of the TRIGA IPR-R1 reactor identifies the loss-of-coolant accident (LOCA) as the maximum hypothetical accident [8]. This event represents an extreme and unanticipated scenario that could occur during the reactor's operational lifespan. Bock and Kirchsteinger (2008) [9] delineated two potential LOCA scenarios in TRIGA research reactors:
• Coolant loss from reactor tank rupture
• Loss of coolant through primary circuit rupture without pump shutdown
In order to estimate accident scenarios, risk management strategies often employ failure mode and effect analysis (FMEA) and fault tree analysis (FTA) as reliable techniques.
Previous studies [10,11] underscore the potential synergy between these methods. This approach involves using (1) the FMEA to assess potential failure modes based on the risk priority number (RPN) and (2) FTA to delineate events, including intermediate and basic events, contributing to system failure analysis from top to bottom.
The main contribution of this study resides in the application of a comprehensive approach, merging FMEA and FTA techniques to evaluate LOCA events in the Brazilian nuclear research reactor. The methodology involved conducting FMEA to identify stress factors and failure mechanisms that could lead to component failure, pinpointing respective failure modes and their impact on reactor operations. Furthermore, the RPN prioritized decision-making to mitigate and eliminate these failure modes. Subsequently, each failure mode became intermediate and basic events within a fault tree (FT), where the top event signifies the LOCA, enabling the determination of minimum cut sets (MCS), the shortest pathways leading to the top event.

Description of TRIGA IPR-R1 reactor tank and cooling system
The TRIGA IPR-R1 reactor stands as a typical TRIGA Mark I light-water and open-pool reactor [5,6]. Figure 1 depicts its reactor tank design. The structure housing the reactor core consists of two coaxial steel plate cylinders spaced 20.3 cm apart and filled with concrete.
Situated over the steel tank as the innermost layer, an additional 10 mm aluminum barrier serves to withstand harsh environments, especially those caused by radiation. The entire cylinder structure, boasting an internal diameter and depth of 1.92 m and 6.625 m, respectively, accommodates approximately 18000 L of demineralized water, which functions as a coolant and plays a crucial role in moderating and reflecting neutrons. Moreover, it also operates as a biological shield for operators, providing suitable protection against radiation emitted from the reactor core.
The cooling mechanism for the reactor core relies on natural convection of demineralized water within the pool. Once the power exceeds 1 kW, the primary circuit engages to facilitate the cooling process [8]. As illustrated in Figure 2, the hot water collected near the bottom of the pool undergoes cooling as it circulates through the channels formed between the shell and tubes of the heat exchanger. This process involves the transfer of heat from the hot water to the water from the secondary circuit. Subsequently, the demineralized water returns to the pool, entering at a height of 348.5 cm above the outlet. The mechanical components responsible for managing water flow in the primary circuit include a centrifugal pump, manual valve, and stainless-steel pipelines. A water purification system serves three primary functions in the primary circuit [12]:
An external cooling tower cools the water from the secondary circuit after it circulates through the internal tubes of the heat exchanger. Components in direct contact with water in the primary circuit are crafted from stainless steel, while those in contact with normal water (in the secondary circuit) consist of carbon steel [8]. The monitoring and control system of the TRIGA IPR-R1 reactor integrates audible and visual alarms, receiving inputs from radiation, temperature, conductivity, and water level indicators (Figure 2). These passive components, part of the control panel, oversee operational conditions, facilitating safer operation and ensuring optimal water quality in the reactor pool.

MATERIALS AND METHODS
This study undertook a reliability assessment of systems and components concerning coolant-loss-related accidents. The methodological framework for assessing LOCA occurrence involved employing the FMEA technique to identify and analyze failure modes and their implications on reactor operation.
Subsequently, the FTA technique established a logical relationship between these failure modes and derived minimal cut sets potentially leading to a LOCA event in the IPR-R1 reactor. Figure 3 illustrates the entire framework process. As a computational resource, we executed the FMEA method using XFMEA++ [14] software, while BlockSim software facilitated the creation of the fault tree [15]. A team from the technical personnel at CDTN implemented the FMEA technique adhering to the principles outlined in [16], focusing on their familiarity with the TRIGA IPR-R1 reactor and maintaining group heterogeneity. Table 1 shows the professional positions and areas of expertise of the selected experts. The subsequent step involved an extensive survey of existing literature to identify potential failure modes with significant adverse effects on facility safety regarding LOCA events.
Each identified failure mode underwent classification by expert group judgment based on severity (S), probability of occurrence (O), and probability of detection (D). The rating criteria derive from the "standard FMEA" library of XFMEA++ and are detailed in Tables 2, 3, and 4, respectively. Subsequently, we evaluated the overall risk associated with each failure mode using the RPN from FMEA. The RPN can be evaluated with software tools such as XFMEA++ or a similar application chosen by the user, or computed manually. Equation 1 denotes the RPN expression.

RPN = S × O × D    (1)

probability of occurrence, enhancing controls to detect failures, and minimizing their consequences. Following expert judgment analysis, we categorized each failure mode into three priority groups based on the RPN:
• HIGH RPN: Values higher or equal to 200;
• MEDIUM RPN: Values higher or equal to 100 and lower than 200;
• LOW RPN: Values lower than 100.
Following the FMEA, the FTA technique applied a top-down graphical analysis, examining LOCA by considering the failure modes identified in the FMEA. At first, these failure modes became intermediate and basic events of the fault tree, as detailed in Figure 3.
Similar methods are readily available in prior studies [17,18]. Subsequently, BlockSim software facilitated the implementation of Boolean gates, enabling the logic flow through the fault tree by permitting or denying relationships among the events. This process established pathways illustrating potential failure sequences leading to the LOCA occurrence on TRIGA IPR-R1.
Finally, all minimum cut sets were derived using Boolean algebra, outlining all possible paths culminating in the LOCA and their respective order.
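
The RPN banding and the top-down derivation of minimal cut sets described above, as an added Python example (not code from the paper, XFMEA++ or BlockSim). The labels TOP, B1, B2, C3 and C4 follow the text; every other event name, the gate layout and the 1-10 rating scales are assumptions made for illustration.

```python
from itertools import product

def rpn_priority(s, o, d):
    """RPN = S x O x D with the priority bands stated in the text."""
    # Assumption: each rating is on a 1-10 scale, consistent with an RPN range of 1 to 1000.
    if not all(1 <= r <= 10 for r in (s, o, d)):
        raise ValueError("ratings must be in 1..10")
    rpn = s * o * d
    band = "HIGH" if rpn >= 200 else "MEDIUM" if rpn >= 100 else "LOW"
    return rpn, band

# Constructed fault tree. TOP (LOCA), B1, B2, C3 and C4 are labels from the text;
# all other event names and the gate layout are assumptions, not the paper's tree.
TREE = {
    "TOP": ("OR", ["B1", "B2"]),
    "B1": ("OR", ["TANK_LEAK", "C3", "C4"]),
    "TANK_LEAK": ("AND", ["WALL_DEFECT", "INSPECTION_MISS"]),
    "B2": ("AND", ["RUPTURE", "NO_AUTO_TRIP", "SIPHON_PLUGGED",
                   "OPERATOR_NO_SHUTDOWN"]),
    "NO_AUTO_TRIP": ("AND", ["PRESSURE_IND_FAIL", "LEVEL_IND_FAIL"]),
}

def cut_sets(event, tree):
    """Expand an event top-down into cut sets (frozensets of basic events)."""
    if event not in tree:                       # not a gate: basic event
        return {frozenset([event])}
    gate, inputs = tree[event]
    child_sets = [cut_sets(i, tree) for i in inputs]
    if gate == "OR":                            # any single input suffices
        return set().union(*child_sets)
    if gate == "AND":                           # one cut set from every input, merged
        return {frozenset().union(*combo) for combo in product(*child_sets)}
    raise ValueError(f"unknown gate {gate!r}")

def minimal_cut_sets(event, tree=TREE):
    """Remove cut sets that contain a smaller one (absorption); sort by order."""
    sets = cut_sets(event, tree)
    minimal = [s for s in sets if not any(t < s for t in sets)]
    return sorted((sorted(s) for s in minimal), key=lambda s: (len(s), s))

if __name__ == "__main__":
    print(rpn_priority(9, 5, 5))                # constructed ratings
    for mcs in minimal_cut_sets("TOP"):
        print(f"order {len(mcs)}: {mcs}")
```

In this constructed tree, C3 and C4 come out as first-order cut sets, while the B2 path yields a single fifth-order cut set in which every barrier must fail together.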

RESULTS AND DISCUSSIONS
We implemented the comprehensive approach described above to items and systems within the TRIGA IPR-R1. As per the FMEA identification of the failure effects on components, a LOCA event relates directly to the reactor tank and primary circuit operation.
Therefore, the analysis excluded the secondary circuit and the purification system.
Transitioning from FMEA to FTA, the fault tree depicted in Figure 4 underwent analysis using BlockSim software. Notably, the top event connects to the intermediate events via an "OR" Boolean gate. Therefore, two potential undesired events can independently trigger the top event: loss of coolant from the reactor tank (B1) and loss of coolant due to a primary circuit rupture without a pump shutdown (B2). Sections 3.1 and 3.2 provide further elaboration on each path, respectively.

Loss of coolant from reactor tank (B1)
This section addresses the potential for coolant loss from the IPR-R1 reactor tank. Findings reported in [19,20] revealed corrosion spots on the sample surface, potentially evolving into wall-thinning and cracking failure modes. In response to this scenario, the IPR-R1 reactor implemented a daily checklist, including visual inspection as a qualitative, nondestructive detection strategy for such structural failures to enhance the probability of early failure detection. Therefore, these failure modes are likely detectable earlier than coolant leakage, as evidenced in Table 5.
Despite the severe consequences of these failure modes, their low RPN values from the FMEA suggest they are not priorities in the scope of maintenance and inspection for risk management, according to expert analysis. The expert team perceived the design features, materials, and daily checklist of items and systems of the reactor as suitable barriers to prevent or, at the very least, significantly reduce the probability of LOCA occurrence through the tank.
Figure 5 depicts the "loss of coolant from reactor tank" event as the B1 path leading to a potential TRIGA IPR-R1 LOCA accident, and Table 6 delineates all the minimal cut sets associated with this scenario. Notably, the tank damage resulting from "external events" (C3) and "heavy object falling into the tank" (C4) formed a first-order minimal cut set directly linked to B1 occurrence (see Table 6). However, these basic events are unlikely due to the low seismic activity in the CDTN area and stringent regulations preventing maintenance activities that involve moving heavy objects during reactor operation. These factors have been extensively detailed in geological studies at the CDTN site [21] and the TRIGA IPR-R1 FSAR [8].
Table 6: MCSs of the fault tree for the B1 event.

Loss of coolant through primary circuit rupture without a pump shutdown (B2)
Another potential trigger for LOCA is a primary circuit rupture without a pump shutdown (Figure 4). One consequence of this event could be reducing or losing radiological shielding due to decreased water levels and degraded fuel element cooling. Table 7 shows the stress factors, failure modes, and their effects on TRIGA IPR-R1's operation identified using the FMEA method.
The absence of signals to shut down the reactor based on radiation, pressure, or water level indicators received a high severity rating. The elevated values accurately reflect the fact that any deviation from operational limits and conditions parameters could pose a risk of a postulated accident. FMEA also classified the probability of occurrence and detection of these failure modes as intermediate values, resulting in high RPNs.
A similar evaluation regards the possibility of foreign material intrusion plugging a siphon hole. While this does not directly impact operational consequences, since the primary circuit operates regularly in this situation, it received a high severity rating due to the safety requirement violation by not stopping the coolant outflow in the event of pump failure to shut down. However, this failure mode is highly detectable through daily checklists and visual inspections currently implemented.
Assessing the RPN values, the FMEA technique classified each failure mode related to monitoring components as high RPN. Consequently, they are priorities in the maintenance and inspection program of the reactor. One strategy to reduce risk involves enhancing the
During a primary circuit rupture, an installed pressure indicator triggered an automatic centrifugal pump shutdown upon detecting a pressure decrease beyond 2 atm.
Simultaneously, a water level indicator, positioned 42 cm below the top of the pool (see Figure 2), automatically initiated a cooling system shutdown upon detecting decreased water levels. Deviations from limit conditions on the pipeline pressure and pool water level parameters triggered visual and acoustic alarms on the control panel. An additional barrier, a siphon hole placed 50 cm below the top of the pool, prevented water from pumping out by enabling air into suction pipelines.
Another scenario involved the manual failure to shut down the pump. This event can result from undetected leakage or pool drainage, unnoticed by the alarm system, or potentially human error. Table 8 outlines the minimum cut sets for these events. If all previous safety measures fail, the Geiger-Müller (GM) counters would detect a high radiation level due to the loss of radiological shielding provided by the pool water. These detectors, strategically positioned in the reactor hall, provide timely information on the control panel of any relevant signals.
As a final safety measure, the operator should manually shut down the pump and initiate the TRIGA IPR-R1 Reactor Local Emergency Plan immediately. Marques (2018) [13] predicted the human error probability regarding "operator does not initiate the shutdown" using the Standardized Plant Risk-Human Reliability Analysis (SPAR-H) method and concluded an acceptable error rate for the TRIGA IPR-R1 reactor of 2.5 × 10⁻², which is a value comparable to other similar TRIGA facilities [22,23]. Even in scenarios where prior safety measures fail, the likelihood of the group of operators preventing a LOCA event means this accident does not constitute an unacceptable risk concerning the safety management of the facility.
For further elaboration, higher-order MCS (such as the fifth-order MCS shown in Table 8) necessitate consideration of common-cause failures (CCFs), where multiple system or item failures may stem from a shared cause or coupling mechanism [24]. However, this study did not delve into CCF analyses.

CONCLUSIONS
This study proposes an approach for assessing the reliability of the TRIGA IPR-R1 system related to the occurrence of a LOCA, combining the FMEA and FTA techniques.
This method effectively combines the proactive identification capability of the FMEA with the logical relationship analysis capability of the FTA. XFMEA++ and BlockSim software facilitated the execution of FMEA and FTA, respectively.
The FMEA results highlighted that the "loss of coolant from the tank" path connects to external leaks from tank thinning or cracking, classified as low RPN due to the high detectability before compromising tank integrity. Hence, the reactor tank is not a priority for maintenance and inspection in managing facility risk. Similarly, possibilities stemming from external tank damage, such as "earthquakes" and "heavy objects falling into the tank," though specified in FTA as a direct path to LOCA, are unrealistic in practice.
On the other hand, the "loss of coolant through primary circuit rupture without a pump shutdown" event seemed more complex. The FMEA highlighted "no shutdown signals" from monitoring components (pressure, radiation, and water level) as having the most severe consequences, leading to their classification as high RPN. Siphon hole plugging and visual and acoustic failure modes received medium RPN, as these failure modes are highly detectable through daily inspections.
According to the FTA analysis, the primary circuit ruptures followed by simultaneous failure of safety defenses, including potential human error, are the causes of the Loss of Coolant Accident scenarios. However, any safety barrier available during TRIGA IPR-R1 operation can automatically or manually avoid a LOCA occurrence if it functions as intended.
For higher-than-fifth-order MCS, considering CCFs resulting from shared causes or coupling mechanisms is recommended for investigation.

(i) Maintaining the pool water conductivity at ≤ 2 µS/cm to minimize corrosion of reactor components, especially fuel elements.
(ii) Reducing water radioactivity by eliminating suspended particles and soluble impurities.
(iii) Preserving the optical transparency of the water.
This system encompasses a demineralizer based on ion exchange resins, filters, pumps, and monitoring equipment.

Figure 2: Piping and instrumentation diagram of the TRIGA IPR-R1 reactor cooling system.

Figure 3: Methodological framework for evaluating the occurrence of LOCA.

Figure 4: Fault tree for TRIGA IPR-R1 loss of coolant accident.
loss) or cracking, both heavily influenced by environmental stress factors. FMEA identified failure mechanisms like radiation damage, corrosion, and vibration that could impact the structural properties of the tank. Studies conducted in 2005 involved immersing samples of the same aluminum and stainless-steel alloys, composing the tank, in the TRIGA IPR-R1 reactor pool for three years.

Table 1: Basic information of experts.
RPN values, ranging from 1 to 1000, were employed to classify potential failures, aiding in determining crucial actions to mitigate risk. This process typically involves reducing the
Carvalho et al. Brazilian Journal of Radiation Sciences, Rio de Janeiro, 2024, 12(1): 01-21. e2363.

Table 5 outlines the failure modes derived from FMEA, their effects on reactor operation, and their respective RPN values. Physical tank damage results from either thinning (metal

Table 8: MCSs of the fault tree for the B2 event.