https://doi.org/10.14311/APP.2022.36.0231
Acta Polytechnica CTU Proceedings 36:231–236, 2022
© 2022 The Author(s). Licensed under a CC-BY 4.0 licence
Published by the Czech Technical University in Prague

PROBABILISTIC SAFETY ASSESSMENT OF KOEBERG SPENT FUEL POOL

Sibongiseni Thabethe
University of Pretoria, National Nuclear Regulator, Centre for Nuclear Safety and Security, Engineering Building 2, Lynwood Road, PO Box 395, Pretoria 0002, South Africa
correspondence: SThabethe@nnr.co.za

Abstract. The effective management of spent fuel pool (SFP) safety has been raised as one of the emerging issues to further enhance nuclear installation safety after the Fukushima accident on March 11, 2011. SFP safety-related issues have been mainly focused on (a) controlling the configuration of the fuel assemblies in the pool with no loss of pool coolants, and (b) ensuring adequate pool storage space to prevent fuel criticality owing to chain reactions of the fission products and the ability for neutron absorption to keep the fuel cool. In support of regulatory functions, the Centre for Nuclear Safety and Security (CNSS) seeks to perform confirmatory analysis for all potential accident scenarios that may occur in the Koeberg nuclear power plant SFP. Probabilistic safety assessment (PSA) was done using the Systems Analysis Program for Hands-On Integrated Reliability Evaluations (SAPHIRE) computer code. We present preliminary PSA results of initiating events that lead to boiling and cause fuel uncovering, resulting in possible fuel damage in the Koeberg nuclear power plant SFP.

Keywords: Computer code, fuel assemblies, probabilistic safety assessment, spent fuel pool.

1. Introduction

Highly radioactive spent fuel assemblies that are unloaded from the nuclear reactor core are typically stored for a certain period in cooling water pools called spent fuel pools (SFP).
The safe storage of these spent fuel assemblies in the SFP is vital since many radioactive fission products could potentially be released into the environment if a severe accident occurred in the SFP [1]. The Fukushima Daiichi nuclear accident has proven that it is crucial to investigate potential severe accidents and corresponding mitigation measures for the SFP of a nuclear power plant (NPP) [2, 3]. The necessary mitigation measures, and the effects of recovering the SFP cooling system and makeup water in the SFP as the accident progresses, have also been investigated based on the events of pool water boiling and spent fuel uncovery respectively [3–5].

To use risk insights in the decision-making processes in an adequate manner, it is very important to establish a systematic approach that integrates in a sound, transparent and justifiable manner all the elements required, as stated in IAEA TECDOC 1436 [6]. Requirement 21, Paragraph 4.71 of the IAEA General Safety Requirements Part 4 states that the regulatory body should carry out a separate independent verification to satisfy itself that the safety assessment is acceptable and to determine whether it provides an adequate demonstration of whether the legal and regulatory requirements are being met [7].

This work looks at all possible internal initiating events that may cause severe accidents in the Koeberg nuclear power plant SFP. External events such as seismic activity and aircraft crash were not considered for this study. A list of abbreviations is provided in Appendix A.

2. Probabilistic analysis

The Systems Analysis Programs for Integrated Reliability Evaluations (SAPHIRE) code was used as the modelling tool. This work was carried out by (1) identifying initiating events and scenarios, (2) accident sequence modelling, (3) quantification of top events and (4) analysis of results.
The main modelling assumptions for the SFP PSA model are listed below:
• The SFP water is at an initial level of 19.65 m.
• The initial pool water temperature is 50 °C. The SFP cooling loop is designed to provide a 50 °C bulk SFP temperature with the maximum component cooling system (RRI) temperature and a maximum heat load of 2.88 MW during normal and outage operation.
• The model is done for the normal operating mode, which is 94.2 % of an 18-month fuel cycle.
• No gate seal failure during SFP boiling.
• Make up from the reactor cavity and SFP cooling system is not considered because of limited capacity.
• The Demineralised Water Distribution System (SED), Fire Fighting Water Supply (JPP) and the Mobile Fire Fighting System (JPS) are the considered make up systems. Make up from the reactor cavity and SFP cooling system (PTR) is not considered because of limited capacity.

Figure 1. Loss of SFP Cooling Event Tree.
Figure 2. Event tree model of the Loss of Inventory due to Pipe Rupture.

3. Results and discussions

Event tree models were developed for the identified initiating events; this was done to better understand accident progression in the SFP resulting from the initiating events. The Loss of SFP Cooling, Loss of SFP Inventory due to Pipe Rupture, Loss of SFP Inventory due to Flow Diversion, Loss of Offsite Power and Station Blackout are the initiating events that were modelled in this study. These initiating events lead to a loss of SFP cooling, a loss of SFP inventory, or both. The success criterion for a loss of cooling or inventory is generally to recover PTR cooling before boiling or before a loss of PTR suction. It also entails making up inventory before PTR suction uncovery and making up inventory prior to fuel uncovery.

3.1. Event sequence modelling

The loss of SFP cooling initiating event results from a failure of the reactor cavity and spent fuel pool cooling system (PTR) whereby all trains are unavailable for SFP cooling. The Loss of SFP Cooling event tree is shown in Figure 1.

Following a loss of SFP cooling it will be ideal to recover cooling before boiling occurs (PTRCRECBB-NMOM). Although boiling occurs when the pool heats up to a temperature of 100 °C, it is crucial to maintain the pool level at a safe level, in this case 15.5 m. The pumps take suction from the fuel pool at an inlet located below the pool water level (∼ 15.5 m), transfer the pool water through a heat exchanger and return it to the pool through an outlet typically located below the cooling system inlet and some large distance from it. Recovering PTR cooling before the loss of suction at the 17 m level would be ideal in this case (PTRRECBS).

If make-up cannot be established and PTR cooling is not restored, the SFP level will drop from the 17 m level to the point where it is assumed that fuel damage occurs, i.e. the 9.85 m level. The success criterion will be to establish SED make up before fuel damage (SED-MU-BD). In the event where SED is unavailable for make up to the SFP, an operator will be instructed to use the JPP system (JPP-MU-BD). As a last resort, if make up cannot be established through the SED and JPP systems, an operator will have to start the mobile fire pump (JPS-MU-BD).

The BOIL end state in the event trees indicates that fuel damage has not occurred but the pool is boiling. The OK end state indicates that the accident has been successfully mitigated. This state comprises all states where spent fuel damage has not occurred and either cooling has been re-established or make up to the SFP has been established.

The Loss of SFP Inventory due to a Pipe Rupture initiating event considers the loss of SFP inventory due to pipe breaks in the PTR system.
After a pipe rupture event the operator action required is to isolate the break before the loss of the PTR pump suction (PTR-ISO-RP). A similar action is required in the case of loss of inventory due to flow diversion, with the operator being required to isolate the PTR flow diversion before the loss of suction (PTRFDISO).

The Loss of SFP Inventory due to a Flow Diversion event is defined as a loss of SFP inventory due to diversion through an interfacing system valve failing open or having been left open during PTR operation. The event tree models for the loss of inventory due to pipe rupture and flow diversion are shown in Figures 2 and 3 respectively.

Figure 3. Event tree model of the Loss of Inventory due to Flow Diversion.
Figure 4. Event tree model of LOSP.
Figure 5. Event tree model of SBO.

At the 15.5 m level, PTR pump suction is lost. This means PTR cannot be recovered and make-up via SED, JPP or JPS are the only remaining options. This event considers maintaining the SFP water level so that PTR repairs can still be undertaken even after boiling has started. Success for this function event is defined as the establishment of SED make-up to the SFP before SFP boiling (SED-MU-BB). Should the SED be unavailable for make up to the SFP, an operator will be instructed to use the JPP system (JPP-MU-BB). As a last resort, if make up cannot be established through the SED and JPP systems, an operator will have to start the mobile fire pump (JPS-MU-BB).

The Loss of Offsite Power is defined as the failure of off-site power supplies. Both units are tripped and the emergency diesel generators (EDGs) and Acacia power station supply are started. Off-site power restoration is attempted as soon as possible. EDGs will automatically actuate and supply power to the emergency AC buses (LHA-B_E). If the EDGs start and run, and the operator starts a PTR pump, SFP cooling can be re-established (PTR_CLBB19NMOM).
The PTR pumps must not be restarted with a level of less than 17.0 m in the SFP. The suction of the PTR pumps is located at the 15.5 m level in the SFP. Below this level PTR cooling cannot be restarted (PTR_C_BS17NMOM), therefore make-up is the only remaining option (SED-MU-BD, JPP-MU-BD and JPS-MU-BD).

Initiating Event Frequencies
Initiator                                           Time Factor   Conditional Initiating Frequency (IEC)   Initiating Event Frequency (IEF)
Loss of SFP Cooling (NM)                            9,42E-01      9,52E-04                                 8,97E-04
Loss of SFP Inventory due to Flow Diversion (NM)    9,42E-01      3,57E-02                                 3,36E-02
Loss of SFP Inventory due to PTR Pipe Rupture       9,42E-01      1,37E-08                                 1,22E-08
Loss of Offsite Power (NM)                          9,42E-01      4,50E-01                                 4,24E-01
Table 1. Summary of Initiating Event Frequencies.

Figure 6. Failure Model of the SED System.
Figure 7. Failure Model of the JPP System.
Figure 8. Failure Model of the JPS System.

The SBO initiating event is the failure of the off-site power supplies, including emergency off-site power from Acacia. Both units are tripped, the EDGs fail to start or run for 24 hours and offsite sources are not recovered. Following an SBO, it is desirable to recover power before SFP boiling. This can be done in one of two ways: either by recovering the grid or by aligning the fifth diesel to either LHA or LHB (9LHS_SBO). It is also desirable to recover the grid before SFP boiling (GRID_BB_NM_OM) and to start PTR cooling before boiling (PTR_SBO_NM_OM). The loss of inventory due to boiling causes the SFP level to drop from the 19.3 m level to the 17 m level in 37.5 hours in Normal Mode. Success for this function event is defined as the recovery of the grid before the 17 m level is reached (GRID_BS_NM_OM). As already mentioned, the PTR pumps must not be restarted at a level less than 17 m, so PTR cooling must be started before loss of suction (PTR_C_SBO_BS_NM_OM).
It is also desirable to recover the grid before fuel damage (GRID_BD_NM_OM). The available make up systems before fuel damage occurs are the SED, JPP and JPS systems (SED-MU-BD, JPP-MU-BD and JPS-MU-BD). The worst-case scenario is a drop in the pool water level to an extent where the fuel assemblies will be uncovered, which is assumed to be at the 9.85 m level. This will lead to the fuel being damaged, as indicated by the end state FD in the event trees. Fuel damage will occur when all possible mitigating actions fail to be implemented.

Several thermal hydraulic studies on the initiating events have also been performed. These studies are often used to support PSA because they reveal crucial information on SFP behaviour [8, 9].

3.2. Accident sequence quantification

To quantify accident sequences, fault tree models were used to quantify the function events in the event trees. Accident sequence quantification involves firstly the quantification of the initiating event frequencies. The conditional (IEC) and initiating event frequencies (IEF) were calculated for normal mode of operation (17 months), i.e., a time factor of 94.2 % of an 18-month fuel cycle was applied to the IEC to calculate the IEF. The IEC and the calculated IEF were obtained from Koeberg nuclear power plant documentation and are shown in Table 1.

The failure models of the make-up systems take into account human failure events. Those function events which require human action were quantified following the step-by-step standardized plant analysis risk-human reliability analysis (SPAR-H) methodology [10] for quantifying human failure events (HFE). A number of performance shaping factors (PSF) are taken into consideration. These factors include available time, stress/stressor, complexity, experience/training, etc. The failure model of the SED is modelled on the basis that the operator fails to start or align SED make up, or the SED isolation valves fail, or there is an overall loss of the SED.
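
The quantification steps of Section 3.2, as an added Python example that is not part of the paper or of its SAPHIRE model: it recomputes each IEF in Table 1 as time factor × IEC, builds the SED top gate as an OR of the three failure causes named above, and walks the Loss of SFP Cooling function events in the order the text gives them. All branch and basic-event probabilities are constructed placeholders, the function events are assumed independent, and the linear ordering is read from the text because Figure 1 is not reproduced here.

```python
from math import prod

TIME_FACTOR = 0.942  # normal mode: 94.2 % of the 18-month fuel cycle (from the page)

# Table 1 as printed: initiator -> (IEC, IEF)
TABLE_1 = {
    "Loss of SFP Cooling (NM)": (9.52e-4, 8.97e-4),
    "Loss of SFP Inventory due to Flow Diversion (NM)": (3.57e-2, 3.36e-2),
    "Loss of SFP Inventory due to PTR Pipe Rupture": (1.37e-8, 1.22e-8),
    "Loss of Offsite Power (NM)": (4.50e-1, 4.24e-1),
}


def check_ief(table, time_factor=TIME_FACTOR, rel_tol=5e-3):
    """Recompute IEF = time factor x IEC; return the rows whose printed IEF
    differs by more than three-significant-figure rounding allows."""
    mismatches = {}
    for name, (iec, printed_ief) in table.items():
        recomputed = time_factor * iec
        if abs(recomputed - printed_ief) / printed_ief > rel_tol:
            mismatches[name] = recomputed
    return mismatches


def or_gate(basic_events):
    """Fault-tree OR gate over independent basic events: 1 - prod(1 - p)."""
    return 1.0 - prod(1.0 - p for p in basic_events)


# SED top gate as described in the text: operator fails to start/align OR
# isolation valves fail OR overall loss of the SED.
# All probabilities below are CONSTRUCTED placeholders, not Koeberg data.
SED_FAIL = or_gate([2e-2, 1e-2, 5e-3])

# Function events of the Loss of SFP Cooling tree, in the order given in the text.
LOSS_OF_COOLING = [
    ("PTRCRECBB-NMOM", 1e-1),  # recover cooling before boiling
    ("PTRRECBS", 2e-1),        # recover cooling before loss of suction
    ("SED-MU-BD", SED_FAIL),   # SED make-up before fuel damage
    ("JPP-MU-BD", 1e-1),       # JPP make-up before fuel damage
    ("JPS-MU-BD", 2e-1),       # mobile fire pump, last resort
]


def quantify(ief, function_events):
    """Walk a linear event tree: each function event is only demanded when all
    earlier ones have failed. Returns {sequence: frequency}; 'FD' is the
    sequence in which every function event fails."""
    sequences, carried = {}, ief
    for name, p_fail in function_events:
        sequences[f"{name} succeeds"] = carried * (1.0 - p_fail)
        carried *= p_fail
    sequences["FD"] = carried
    return sequences


if __name__ == "__main__":
    for name, value in check_ief(TABLE_1).items():
        print(f"IEF does not reproduce: {name}: 0.942 x IEC = {value:.2e}")
    ief = TABLE_1["Loss of SFP Cooling (NM)"][1]
    for seq, freq in quantify(ief, LOSS_OF_COOLING).items():
        print(f"{seq:28s} {freq:.3e}")
```

The sequence frequencies always sum to the initiating event frequency, which is a quick sanity check on any event tree quantified this way. Of the four Table 1 rows, only the PTR pipe rupture row is reported, since its printed IEF is not 0.942 times its printed IEC.
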
The loss of the SED results from two events: the tank leaks externally or the pumps fail to start and run. The failure of the pumps was not modelled in detail and was treated as an undeveloped transfer; in this case they are treated as basic events. SPAR models are generally not as detailed as those contained in licensee PRAs. The failure probabilities for valves, pumps and tanks were obtained from Koeberg internal documentation. The failure model of the JPP system is modelled on the basis that the JPP system fails to start and run from standby or the operator fails to start or align JPP make-up. The failure model of the JPS is modelled on the basis that the mobile fire pump fails from standby, or the mobile fire pump's suction or discharge valves fail to open, or the operator fails to establish JPS make up. The failure models of the JPP and JPS are shown in Figures 7 and 8 respectively.

The other function events in the LOSP and the SBO event trees, such as "Operator Starts PTR Cooling After LOSP Before SFP boiling at 19.3m" (PTR_CLBB19NMOM), are operator actions and are currently being re-quantified using the SAPHIRE HRA calculator.

4. Current and future work

The purpose of this work is to do an independent verification of the current Koeberg nuclear power plant spent fuel pool PSA model. Fuel Damage is the event consequence state of interest and is considered for quantification. System and failure probabilities were input into the model for quantification. Since the failure models of the make-up systems involve human or operator action, the function events which require human or operator action will be re-quantified following the step-by-step standardized plant analysis risk-human reliability analysis (SPAR-H) methodology for quantifying human failure events (HFE).

5. Conclusions

This study entails the independent verification of the current Koeberg nuclear power plant SFP PSA model. Initiating events that lead to boiling and potential fuel uncovery were reviewed and investigated.
The event tree models for the Loss of SFP Cooling, Loss of SFP Inventory, Loss of Offsite Power and Station Blackout were developed. The accident sequence modelling highlighted the importance of recovering SFP cooling and making up SFP inventory to prevent fuel uncovery. Operator or human action is a key component in always maintaining critical pool levels using the available make up systems. Through appropriate mitigation measures the increase in the fuel temperature could be stopped, limiting the release of fission products to the environment and preventing a severe accident that could result in significant damage to the spent fuel assemblies in the SFP.

References

[1] F. Niehaus. Use of Probabilistic Safety Assessment (PSA) for nuclear installations. Safety Science 40(1-4):153-76, 2002. https://doi.org/10.1016/s0925-7535(01)00047-9.
[2] G. Mignot, S. Paranjape, D. Paladino, et al. Large Scale Experiments Simulating Hydrogen Distribution in a Spent Fuel Pool Building During a Hypothetical Fuel Uncovery Accident Scenario. Nuclear Engineering and Technology 48(4):881-92, 2016. https://doi.org/10.1016/j.net.2016.06.005.
[3] X. Wu, W. Li, Y. Zhang, et al. Analysis of the loss of pool cooling accident in a PWR spent fuel pool with MAAP5. Annals of Nuclear Energy 72:198-213, 2014. https://doi.org/10.1016/j.anucene.2014.05.030.
[4] S. Carlos, F. Sanchez-Saez, S. Martorell. Use of TRACE best estimate code to analyze spent fuel storage pools safety. Progress in Nuclear Energy 77:224-38, 2014. https://doi.org/10.1016/j.pnucene.2014.07.008.
[5] X. Wu, W. Li, Y. Zhang, et al. Analysis of accidental loss of pool coolant due to leakage in a PWR SFP. Annals of Nuclear Energy 77:65-73, 2015. https://doi.org/10.1016/j.anucene.2014.11.010.
[6] International Atomic Energy Agency, Risk Informed Regulation of Nuclear Facilities: Overview of the Current Status, TECDOC Series (IAEA-TECDOC-1436), 2005. https://www-pub.iaea.org/MTCD/Publications/PDF/TE_1436_web.pdf.
[7] International Atomic Energy Agency, Safety Assessment for Facilities and Activities, General Safety Requirements, No. GSR Part 4 (Rev. 1), 2016. https://www-pub.iaea.org/MTCD/publications/PDF/Pub1714web-7976998.pdf.
[8] K.-I. Ahn, J.-U. Shin, W.-T. Kim. Severe accident analysis of plant-specific spent fuel pool to support a SFP risk and accident management. Annals of Nuclear Energy 89:70-83, 2016. https://doi.org/10.1016/j.anucene.2015.11.024.
[9] J. C. de la Rosa Blul, P. McMinn, A. Grah. Analysis of the inherent response of nuclear spent fuel pools. Annals of Nuclear Energy 124:295-326, 2019. https://doi.org/10.1016/j.anucene.2018.10.014.
[10] W. J. Galyean, A. M. Whaley, D. L. Kelly, et al. SPAR-H Step by Step Guidance, Technical Report INL/EXT-10-18533, Rev. 2, Idaho National Lab. (INL), Idaho Falls US, 2011. Bautechnik 98(7):475-81, 2020. https://doi.org/10.2172/1027888.