This report presents an analysis of the Emergency Core Cooling System (ECCS) for a generic Boiling Water Reactor (BWR)-4 nuclear power plant (NPP). The Electric Power Research Institute (EPRI)-developed Hazards and Consequences Analysis for Digital Systems (HAZCADS) process is applied to the ECCS and its subsystems to identify unsafe control actions (UCAs) which act as possible cyber events of concern. The analysis is performed for two design basis events: Small-break Loss of Coolant Accident (SLOCA) and general transients (TRANS), such as unintended reactor trip. In previous work, HAZCADS UCAs were combined with other cyber-attack analysis to develop a risk-informed approach; however, this was for a single system. This report explores advanced systems engineering modeling approaches to model the interactions between digital assets across multiple systems which may be targeted by cyber adversaries. The complex and interdependent design of digital systems has the potential to introduce emergent cyber properties that are generally not covered by hazard analyses or formal nuclear Probabilistic Risk Assessment (PRA). The R&D and supporting analysis presented here explores approaches to predict and manage how interdependent system properties affect risk. To show the potential impact of a successful cyber-attack on formal PRA event tree probabilities, HAZCADS analysis was also used. HAZCADS was also used to model the automatic depressurization system (ADS) automatic actuation. This analysis extended to an integrated system analysis for common-cause failure (CCF). In this aspect, the HAZCADS analysis continued by analyzing plant design details for system connectivity in support of critical plant functions. A dependency matrix was developed to depict the integrated functionality of the interconnected systems. Areas of potential CCF are indicated. Future work could include adversary attack development to show how CCF could be caused, resulting in PRA events.
Across the multiple systems that comprise the ECCS, the analysis shows that the change in such probabilities was very different between systems. This indicates that some systems have a larger potential risk impact from successful cyber-attack or digital failure, which indicates a need for these systems to have a higher priority for design and defensive measures. Furthermore, we were able to establish that a risk analysis using any arbitrary threat model establishes an ordering of components with regard to cyber-risk. This ordering can be used to influence the overall system design with an eye to lowering risk, or as a way to understand real-time risk to operational systems based on a current threat landscape. Expert knowledge of both the analysis process and the system being analyzed is required to perform a HAZCADS analysis. The need for a tiered risk analysis is demonstrated by the results of this report.
The feasibility and component cost of hydrogen rail refueling infrastructure are examined. Example reference stations can inform future studies on components and systems specifically for hydrogen rail refueling facilities. All five designs considered assumed the bulk storage of liquid hydrogen on-site, from which either gaseous or liquid hydrogen would be dispensed. The first design was estimated to refuel 10 multiple unit trains per day, each train containing 260 kg of gaseous hydrogen at 350 bar on-board. The second base design targeted the refueling of 50 passenger locomotives, each with 400 kg of gaseous hydrogen on-board at 350 bar. Variations from this basic design were made to consider the effect of two different filling times, two different hydrogen compression methods, and two different station design approaches. For each design variation, components were sized, approximate costs were estimated for major components, and physical layouts were created. For both gaseous hydrogen-dispensing base designs, the design of direct-fill using a cryopump design was the lowest cost due to the high cost of the cascade storage system and gas compressor. The last three base designs all assumed that liquid hydrogen was dispensed into tender cars for freight locomotives that required 7,500 kg of liquid hydrogen, and the three different designs assumed that 5, 50, or 200 tender cars were refueled every day. The total component costs are very different for each design, because each design has a very different dispensing capacity. The total component cost for these three designs is driven by the cost of the liquid hydrogen tank; additionally, delivering that much liquid hydrogen to the refueling facility may not be practical. Many of the designs needed the use of multiple evaporators, compressors, and cryopumps operating in parallel to meet required flow rates.
In the future, the components identified here can be improved and scaled-up to better fit the needs of heavy-duty refueling facilities. This study provides basic feasibility and first-order design guidance for hydrogen refueling facilities serving emerging rail applications.
The Hydrogen Risk Assessment Models (HyRAM) software version 3 uses a real gas equation of state rather than the Abel-Noble equation of state that is used in 2.0 and previous versions. This change enables the use of HyRAM 3 for cryogenic hydrogen flows, whereas the Abel-Noble equation of state is not accurate at low temperatures. HyRAM 3.1 results were compared to experimental data from the literature in order to demonstrate the accuracy of the physics models. HyRAM 3.1 results were also compared to HyRAM 2.0 for high-pressure, non-cryogenic flows to highlight the differences in predictions between the two major versions of HyRAM. Validation data sets are from multiple groups and span the range of HyRAM physics models, including tank blowdown, unignited dispersion jet plume, ignited jet flame, and accumulation and overpressure inside an enclosure. Both versions 2.0 and 3.1 of HyRAM are accurate for predictions of blowdowns, diffusion jets, and diffusion flames of hydrogen at pressures up to 900 bar, and HyRAM 3.1 also shows good agreement with cryogenic hydrogen data. Overall, HyRAM 3.1 improves on the accuracy of the physical models relative to HyRAM 2.0. In most cases, this reduces the conservatism in risk calculations using HyRAM.
Alternatives to conventional diesel electric propulsion are currently of interest to rail operators. In the U.S., smaller railroads have implemented natural gas, and other railroads are exploring hydrogen technology as a cleaner alternative to diesel. Diesel, battery, hydrogen fuel cell, or track electrification all have trade-offs for operations, economics, safety, and public acceptability. A framework to compare different technologies for specific applications is useful to optimize the desired results. Standards from the Association of American Railroads (AAR) and other industry best practices were reviewed for applicability with hydrogen fuel cell technology. Some technical gaps relate to the physical properties of hydrogen, such as embrittlement of metals, invisible flames, and low liquid temperatures. A reassessment of material selection, leak/flame detection, and thermal insulation methods is required. Hydrogen is less dense and diffuses more easily than natural gas, and liquid hydrogen is colder than liquefied natural gas. Different densities between natural gas and hydrogen require modifications to tank designs and flow rates. Leaked hydrogen will rise rather than pool on the ground like diesel, requiring a modification to the location of hydrogen tanks on rolling stock. Finally, the vibration and shock experienced in the rail environment are higher than in the light-duty vehicles and stationary applications for which current fuel cell technology has been developed, requiring a modification in tank design requirements and testing.