DG JRC
Institute for Energy
August 2006
EUR 22302EN
Mission of the Institute for Energy
The Institute for Energy provides scientific and technical support for the conception, development, implementation
and monitoring of community policies related to energy. Special emphasis is given to the security of energy
supply and to sustainable and safe energy production.
European Commission
Directorate-General Joint Research Centre (DG JRC)
http://www.jrc.ec.europa.eu
Contact details:
Jozef Kubanyi
Tel.: +31-224-56-5376
E-mail: jozef.kubanyi@jrc.nl
Christian Kirchsteiger
Tel.: +31-224-56-5118
E-mail: christian.kirchsteiger@jrc.nl
Legal Notice
Neither the European Commission nor any person acting on behalf of the Commission is responsible for the
use which might be made of this publication.
The use of trademarks in this publication does not constitute an endorsement by the European Commission.
The views expressed in this publication are the sole responsibility of the author and do not necessarily reflect
the views of the European Commission.
PSA Technology as a Complementary Tool to support Decision Making in
Nuclear Safety
Summary
The report provides a brief overview of the overall framework of Probabilistic Safety
Assessment (PSA) technology as used in various applications to assess nuclear power plant
(NPP) operational risk issues. Based on the essential nuclear power engineering/safety
background and the philosophy behind NPP safety justification, the main terms of quantitative
risk assessment are discussed: basic aspects of Fault Tree (FT)/Event Tree (ET)
construction, modelling for graphical/logical representation of accident sequences,
Initiating Event (IE) selection, issues of consequences, data analysis and quantification
of the model. Basic aspects of the Risk Informed Decision Making (RIDM) concept are
explained and discussed.
Introduction
A nuclear power plant is a thermal power station in which the heat source is one or more
nuclear reactors generating nuclear power. NPPs are base load stations, which work best
when the power output is constant. Their units range in power from about 40 MWe to
over 1000 MWe. New units and those under construction currently are typically in the
range 600-1200 MWe. As of 2005, there are 443 licensed nuclear power reactors in the
world, of which 441 are currently operational in 31 different countries. Together they
produce about 17% of the world's electric power.
NPPs are classified according to the type of reactor used. Fission power reactors generate
heat by nuclear fission of fissile isotopes of uranium and plutonium. There are two main
types: thermal reactors use a neutron moderator to slow (moderate) neutrons so
that they are more likely to produce another fission, while fast reactors sustain the chain
reaction without needing a neutron moderator. Because they use different fuel than
thermal reactors, the neutrons in a fast reactor do not need to be moderated for an
efficient chain reaction to occur. This paper concerns thermal reactors only.
There are three main groups of power reactors in use at present: light water reactors
(LWR), cooled and moderated by H2O; graphite moderated reactors, which are cooled by
gas; and CANDU reactors, cooled and moderated by D2O. There are two subgroups of
LWR: boiling water reactors (BWR) and pressurized water reactors (PWR). Reactors of
the VVER type belong to the PWR subgroup.
Nuclear Safety
Nuclear safety covers the actions taken to prevent nuclear and radiation accidents or to
limit their consequences. The main concerns of nuclear safety are radioactive contamination,
radioactive waste, and reactor core damage. Countries utilizing nuclear power have
special institutions overseeing and regulating nuclear safety: in the Czech Republic it is the
State Office for Nuclear Safety (SUJB), in Hungary the Hungarian Atomic Energy Agency (OAH),
in Slovakia the Nuclear Regulatory Authority (UJD), and in the USA, for example, the Nuclear
Regulatory Commission (NRC). Internationally, the International Atomic Energy Agency
(IAEA) works for the safe, secure and peaceful uses of nuclear science and technology.
The key terms of nuclear safety include safety culture, redundancy, passive
safety, active safety, defence in depth, containment (confinement), and radiation
(radiological) protection.
Safety culture is a term introduced by the International Nuclear Safety Advisory Group
(INSAG). Safety culture is that assembly of characteristics and attitudes in organisations
and individuals, which establishes that, as an overriding priority, nuclear plant safety
issues receive the attention warranted by their significance. Safety culture is about
improving safety attitudes in people but it is also about good safety management
established by organizations. Good safety culture implies a constant assessment of the
safety significance of nuclear events and issues, so the appropriate level of attention can
be given.
Redundancy is the duplication of critical components of a system with the intention of
increasing the reliability of the system, usually in the form of a backup or fail-safe. In many
safety-critical systems, some parts of the system (including its control system) may be
doubled or tripled. A failure in one component may then be addressed or out-voted by the
other two. In a triple redundant system, the system has three subcomponents (subsystems,
“trains”), all three of which must fail before the system fails. Since each one rarely fails,
and the subcomponents are expected to fail independently, the probability of all three
failing is small.
Passive safety is a feature of modern nuclear reactors and other NPP systems whereby operator
actions are not required for some time in order to shut down safely in the event of a loss-
of-coolant accident (LOCA) or other emergency/accident conditions. Besides, modern
nuclear reactors may use the laws of physics to keep the nuclear reaction under
control rather than engineered safety systems.
Active safety is based on engineered safety features (ESF), especially the emergency core
cooling system (ECCS) with its passive subsystem (hydro accumulators) and active
subsystems, consisting of high pressure injection (HPI) pumps, low pressure injection
(LPI) pumps and spray system (SS) pumps.
The defence in depth concept has been developed from the original idea of placing multiple
barriers between radioactive materials and the environment. At present the concept
includes a more general structure of multiple physical barriers and complementary means
to protect the barriers themselves, the so called levels of defence. It ensures that a high
level of safety is reliably achieved with sufficient margins to compensate for equipment
failures and human errors. The first level (L1) of defence is the inert, ceramic quality of the
UO2 fuel; L2 is the air tight zirconium alloy of the fuel rod; L3 is the reactor coolant
system and reactor pressure vessel made of steel about 20 cm thick; L4 is the pressure
resistant, air tight containment; L5 is the reactor building or, in newer NPPs, a second
outer containment building. The defence in depth concept covers conservative design, quality
assurance (QA), safety culture, control of abnormal operation and detection of failures,
safety and protection systems, accident management, and off-site emergency response. It
employs successive compensatory measures to prevent accidents or mitigate damage if a
malfunction, accident or naturally caused event happens in a nuclear facility. It ensures
that safety is not wholly dependent on a single element of the design, construction,
maintenance or operation of the nuclear facility.
Radiation (radiological) protection aims at protecting people and the environment from
the harmful effects of both particle radiation and ionizing radiation. It includes
occupational radiation protection (plant personnel) and public radiation protection, which is
about the protection of individual members of the public and of the population as a whole.
There are three main principles of radiation protection: those of time, distance and
shielding.
Nuclear events are accidents, incidents, anomalies, deviations and near-misses. In terms
of PSA, accidents are the most important. They are divided into design basis accidents (DBA,
which the plant design covers and the plant ESF will cope with) and beyond design basis
accidents (BDBA, which the plant design does not cover and the plant ESF would not cope
with). Any radioactive release bigger than that involved in a DBA could only occur as the
result of the sequential failure of several levels of safety protection, or of some major and
very unlikely event (e.g. failure of the reactor pressure vessel). Such accidents could range in
size from those bigger than a DBA to a very severe accident.
There are several methods and procedures for the assessment of nuclear safety; they include
the identification of safety issues, the ranking of their safety significance, and the assessment of
safety itself, resulting in decision-making on corrective measures and their feasibility. The
methods and procedures are based on either a deterministic or a probabilistic approach. PSA
technology can be an effective tool in the decision making process.
The tolerability of risk from NPPs is of much interest in these considerations. In the
well known document of the UK Health & Safety Executive, The Tolerability of Risk
from Nuclear Power Stations (1992): “Tolerability does not mean acceptability. It refers to a
willingness to live with a risk so as to secure certain benefits and in the confidence that it
is being properly controlled. To tolerate a risk means that we do not regard it as
negligible or something we might ignore, but rather as something we need to keep under
review and reduce still further if and as we can. For a risk to be “acceptable” on the other
hand means that for purpose of life or work, we are prepared to take it pretty well as it
is”.
Effectively, there are three components to be considered in estimating any risk: the
probability (whether there is a high risk or not); the event to which the probability attaches;
and the severity of the consequences. In qualitative safety (risk) assessment the severity
of the consequences and their likelihood of occurrence are both expressed qualitatively
(e.g. through words like high, medium, low). In quantitative safety (risk) assessment risk
is characterized by two quantities: (1) the probability of occurrence of each consequence and
(2) the magnitude (severity) of the possible adverse consequence. In PSA the consequences
are expressed numerically (e.g. the number of people potentially hurt or killed) and their
likelihood of occurrence is expressed as probabilities or frequencies (i.e. the number
of occurrences or the probability of occurrence per time unit). The total risk then is the
sum of the products of the consequences multiplied by their probabilities.
2. What and how severe are the potential damages, or the adverse consequences that
the NPP unit may be eventually subjected to as a result of the occurrence of the
initiator?
The answer is obtained by developing and quantifying accident scenarios, which are
chains of events that link the initiator to the end-point damaging consequences, as well as
from deterministic analyses (e.g., thermal, fluid, structural or other engineering analyses).
These describe the phenomena which could occur along the path of the accident scenario
when the initiator and the other subsequent events (through to the damaging consequences)
take place.
3. How likely to occur are these undesirable consequences, or what are their
probabilities or frequencies?
The answer is obtained by using Boolean Logic methods for model development and by
probabilistic and statistical methods for the quantification portion of the model analysis,
fault tree analysis and event tree analysis.
Fault Tree (FT) is a deductive logic diagram that depicts how a particular undesired
event can occur as a logical combination of other undesired events.
An undesired event is taken as the top event of a tree of logic. Then, each situation that
could cause that event is added to the tree as a series of logic expressions. When FTs are
labelled with actual numbers from component reliability data (parameters), computer
programs can calculate top event probabilities from FTs. Any combination of component
failures causing the top event is called a cut set. A minimal cut set is the smallest
combination of component failures causing the top event.
Event Tree (ET) is a logic diagram that begins with an initiating event or condition and
progresses through a series of branches that represent expected system or operator
performance that either succeeds or fails and arrives at either a successful or failed end
state.
[Figure: example event tree. Each branch point represents a system that is either Available or Fails; the end states are labelled Consequence A, Consequence B, Consequence C and Consequence D.]
Based on the IE selection, accident sequences for each selected IE, with their consequences,
are developed in FTs/ETs as the graphical and logical representation of accident sequences.
The relevant data are analyzed and added to the model (failure rate, i.e. the number of
failures per time unit, repair rate, probability of failure per demand, test intervals, mission
time, and others). The final stage then is the quantification of the model.
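The procedure just outlined (minimal cut sets of a fault tree, sequence frequencies of an event tree, and the quantified CDF), as an added example in Python that is not code from the report and is not taken from any of the PSA codes it names. The fault tree, the per-demand failure probabilities, the small LOCA event tree and its success criteria are all constructed for illustration; the script assumes independent basic events and the rare-event approximation, and adds a Fussell-Vesely importance measure for the importance analysis the report mentions.

```python
"""Toy Level 1 PSA quantification: fault tree cut sets -> event tree -> CDF.
Added example, not code from the report. Assumes independent basic events and
the rare-event approximation P(top) = sum of minimal cut set probabilities."""
from itertools import product

# Constructed fault tree for top event "HPI-FAILS" (high pressure injection
# fails): gate -> (gate type, inputs); inputs are gates or basic events.
GATES = {
    "HPI-FAILS": ("OR", ["PUMP-FAILS", "SUPPORT-FAILS", "OP-NO-START"]),
    "SUPPORT-FAILS": ("AND", ["POWER-FAILS", "COOLING-FAILS"]),
    "POWER-FAILS": ("AND", ["DG-A-FAILS", "DG-B-FAILS"]),
}
# Constructed basic event data: probability of failure per demand.
BASIC_EVENTS = {
    "PUMP-FAILS": 1.0e-3,
    "COOLING-FAILS": 5.0e-3,
    "DG-A-FAILS": 2.0e-2,
    "DG-B-FAILS": 2.0e-2,
    "OP-NO-START": 3.0e-3,
}

def minimize(sets):
    """Keep only minimal cut sets: drop any set that strictly contains another."""
    return {c for c in sets if not any(o < c for o in sets)}

def cut_sets(node, gates=GATES, basics=BASIC_EVENTS):
    """Minimal cut sets of a node. OR gate: union of the inputs' cut sets.
    AND gate: one cut set from each input, merged, for every combination."""
    if node in basics:
        return {frozenset([node])}
    kind, inputs = gates[node]
    children = [cut_sets(i, gates, basics) for i in inputs]
    if kind == "OR":
        combined = set().union(*children)
    elif kind == "AND":
        combined = {frozenset().union(*combo) for combo in product(*children)}
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return minimize(combined)

def cut_set_probability(cut_set, probs):
    """Product of the basic event probabilities (independence assumed)."""
    p = 1.0
    for event in cut_set:
        p *= probs[event]
    return p

def top_event_probability(node, probs, gates=GATES):
    """Rare-event approximation: sum over the minimal cut sets."""
    return sum(cut_set_probability(c, probs) for c in cut_sets(node, gates, probs))

def fussell_vesely(node, event, probs, gates=GATES):
    """Importance measure: share of the top event probability contributed
    by the minimal cut sets that contain the basic event."""
    mcs = cut_sets(node, gates, probs)
    total = sum(cut_set_probability(c, probs) for c in mcs)
    return sum(cut_set_probability(c, probs) for c in mcs if event in c) / total

# Constructed event tree for a small LOCA initiating event.
IE_FREQUENCY = 1.0e-3  # per reactor-year (constructed)
HEADINGS = ["REACTOR-TRIP", "HPI", "LPI"]
HEADING_FAIL_PROB = {
    "REACTOR-TRIP": 1.0e-5,
    "HPI": top_event_probability("HPI-FAILS", BASIC_EVENTS),  # from the fault tree
    "LPI": 2.0e-3,
}

def end_state(branch):
    """Constructed success criteria: no reactor trip -> core damage (CD);
    after a trip either injection system suffices; both failing -> CD."""
    if not branch["REACTOR-TRIP"]:
        return "CD"
    return "OK" if branch["HPI"] or branch["LPI"] else "CD"

def event_tree_sequences(freq, headings, fail_prob, end_state_fn):
    """Enumerate every success/fail combination of the headings; a sequence
    frequency is the IE frequency times the product of its branch probabilities.
    Headings a real tree would not query still sum to 1, so totals are unchanged."""
    sequences = []
    for outcomes in product([True, False], repeat=len(headings)):
        branch = dict(zip(headings, outcomes))
        f = freq
        for heading, success in branch.items():
            f *= (1.0 - fail_prob[heading]) if success else fail_prob[heading]
        sequences.append((branch, end_state_fn(branch), f))
    return sequences

def core_damage_frequency(sequences):
    """CDF = sum of the frequencies of all sequences that end in core damage."""
    return sum(f for _, state, f in sequences if state == "CD")

if __name__ == "__main__":
    for cs in sorted(cut_sets("HPI-FAILS"), key=len):
        print(sorted(cs), cut_set_probability(cs, BASIC_EVENTS))
    print("P(HPI fails) =", HEADING_FAIL_PROB["HPI"])
    print("FV(PUMP-FAILS) =", fussell_vesely("HPI-FAILS", "PUMP-FAILS", BASIC_EVENTS))
    seqs = event_tree_sequences(IE_FREQUENCY, HEADINGS, HEADING_FAIL_PROB, end_state)
    print("CDF per reactor-year =", core_damage_frequency(seqs))
```

With the constructed numbers the fault tree has three minimal cut sets, the pump and the operator each carry about a quarter of the HPI failure probability, and the CDF is dominated by the failure-to-trip sequence.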
There is an important and challenging issue of the (statistical) data to be used in the analyses. In
cases when the probability of an event is well known from past experience, plant specific
data (data from the plant being analyzed) can be used as the statistical data, if the uncertainty
in these data is acceptably low. In other cases the relevant data, e.g. a component failure
frequency, are estimated by expert judgment based on engineering knowledge and
experience. This kind of data is the so called generic data (US NRC, IAEA, IEEE, EPRI,
INPO, others). For rare events (e.g., system failures), for which there is no past failure
experience at all, or the data are very sparse, probabilistic failure models are developed
with deductive logic tools like fault trees, or inductive logic tools like reliability block
diagrams and Failure Mode and Effect Analysis (FMEA).
There are some other very important analysis tools in PSA: Human reliability analysis
(HRA), which deals with methods for modelling human error, and Common-cause failure
analysis (CCF), dealing with methods for evaluating the effect of inter-system and
inter-component dependencies (dependent failures), which tend to cause significant increases
in overall system or facility risk.
Complex calculations and quantifications, based mainly on Boolean algebra logical
operations beside other tools, provide results such as core damage frequencies (CDF),
minimal cut sets, and their probabilities. They are simple for small ETs/FTs; however, to
obtain probabilities of top events, sequences and consequences, including importance
analysis, uncertainty analysis and sensitivity analysis results, for large and complex NPP
systems, special approximate algorithms have to be used. Computer codes like Relcon’s
Risk Spectrum, EPRI’s CAFTA or INPO’s SAPHIRE are the ones mostly used.
PSA can be performed for internal and external IEs. Both trigger sequences of events that
challenge plant control and safety systems whose failure could potentially lead to core
damage or large early release. Internal IEs consist of hardware or system failures or
human errors in situations arising from the normal mode of operation of the NPP being
analyzed, e.g. LOCA (large, medium, small, …), Loss of Offsite Power (LOOP), Steam
Line Break (SLB), Steam Generator Tube Rupture (SGTR), support system initiators and
other transients. External IEs are outside the domain of normal operation of the NPP, e.g.
earthquakes, lightning, fires, floods, and tornadoes.
PSAs are normally performed at the following three levels. Level 1 PSA identifies the
sequences of events that can lead to core damage, estimates the CDF and provides insights
into the strengths and weaknesses of the safety systems and procedures provided to
prevent core damage. Level 2 PSA identifies the ways in which radioactive releases from
the NPP can occur and estimates their magnitudes and frequencies. This analysis provides
additional insights into the relative importance of accident prevention and mitigation
measures such as reactor containment. Level 3 PSA estimates public health and other
societal risks such as contamination of land or food. PSA is normally performed for full
power operation (PSA) and for low power and shutdown states (SPSA).
The main benefits of PSA are that it estimates the risk level of the plant,
identifies the dominant event sequences affecting the safety of the plant, identifies systems,
components and human actions important for safety (“weak points”), and provides
decision support in various application areas. Besides the benefits, there are also some
limitations of PSA technology: binary representation (success or failure; intermediate
states are also possible, but not treated), time treatment (chronology of events instead of
actual timing), the aging effect of systems, structures and components is either ignored or
considered insufficiently, and uncertainty of numerical values (due to completeness,
modeling accuracy and input data uncertainties).
The publication of the Reactor Safety Study WASH-1400 and the subsequently conducted NPP
PSAs had a tremendous impact on the thinking of nuclear safety experts. Two major
insights from WASH-1400 were:
1. Prior thinking was that the (unquantified) frequency of severe core damage was
extremely low and the consequences of such damage would be catastrophic.
WASH-1400 calculated a CDF in the order of 10⁻⁴ to 10⁻⁵ per reactor-year, a
much higher number than anticipated, and showed that the consequences would
not always be catastrophic.
2. A significant failure path for radioactivity release that bypasses the containment
building was identified. Traditional safety analysis methods had failed to do so.
Risk Informed Decision Making
The deterministic approach is very effective in achieving a very high safety level. Nevertheless,
its main disadvantage is that it may not be efficient regarding the use of resources
(human, financial, others) in relation to the risk and its impact. The risk profile produced by
deterministic principles has a very wide range. This is natural, because the same criteria are
applied to both high risk systems/components and low risk systems/components.
Conclusion
The present application of PSAs to operating plants has provided a modelling technique and
quantification tools that are sufficiently proven to allow the use of PSA in decision-
making. There is an international consensus on a qualitative safety objective, which is to
reduce the risk, compared to existing reactors, due to accidental releases of radioactivity,
including severe accidents. To achieve this objective, in establishing additional
requirements, even for Design Basis Accidents (DBA), Beyond Design Basis Accidents
(BDBA) and other multiple failure situations, the PSA results should be used as input
data for various applications. Implementation of this approach should lead to the
achievement, as stated in the INSAG-3 document, of a CDF of less than 10⁻⁵ per reactor
operating year, to be considered as a reference value for new and future reactors. This
value, as well as in some cases an objective for the large early release frequency (LERF) of
less than 10⁻⁶ per reactor operating year, is in common use currently. Besides, effective
NPP safety management, consisting of accident management, risk management and
emergency management, should be based on the RIDM concept.
References
[1] http://www.iaea.org/cgi-bin/db.page.pl/pris.oprconst.htm
[2] Kumamoto, H., Henley, E.: Probabilistic Risk Assessment and Management for
Engineers and Scientists. IEEE, New York, 1996. ISBN 0-7803-6017-6.
[3] Fullwood, R. R., Hall, R. E.: Probabilistic Risk Assessment in the Nuclear Power
Industry. Fundamentals and Applications. Pergamon Press, Oxford, UK, 1988. ISBN
0-08-036362-8 or ISBN 0-08-034879-3.
[4] McCormick, N. J.: Reliability and Risk Analysis. Methods and Nuclear Power
Applications. Academic Press, Inc., Harcourt Brace & Company, Publishers, San
Diego, CA, 1981. ISBN 0-12-482360-2.
[5] Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications.
ASME RA-S-2002. An American National Standard, The American Society of
Mechanical Engineers, New York, NY 10016-5990, USA, 2002.
[6] ASME RA-Sa-2003. Addenda to ASME RA-S-2002 Standard for Probabilistic Risk
Assessment for Nuclear Power Plant Applications. The American Society of
Mechanical Engineers, New York, NY 10016, USA, 2002.
[7] INSAG, Basic Safety Principles for Nuclear Power Plants, Safety Series No. 75-
INSAG-3, IAEA, Vienna, 1998.
Eugene Wigner Course
STU Bratislava, Slovakia, September
PSA Technology as a Complementary Tool
to support Decision Making in Nuclear Safety
Jozef.Kubanyi@jrc.nl, Christian.Kirchsteiger@jrc.nl
EC DG Joint Research Centre, Petten, NL
Summary
Presentation Outline
Nuclear Power Plant (NPP)
Nuclear Safety
Nuclear Safety Assessment Concept
Probabilistic Safety Assessment (PSA)
Risk Informed Decision Making (RIDM) Concept
RIDM Example 1
RIDM Example 2
RIDM Example 3
Conclusions
Some General Conclusions to RIDM
Graphite-moderated reactors
• Gas cooled reactor (GCR), Magnox type
• Advanced gas-cooled reactor (AGCR)
• High temperature gas cooled reactor (HTGR)
• RBMK (water cooled)
• Pebble bed reactor (PBMR)
Nuclear Power Plant (4)
BWR
Cooled and moderated by water under slightly lower pressure. The water is allowed to boil
in the reactor. The thermal efficiency can be higher and they can be simpler, potentially
more stable and safe. However, the boiling water puts more stress on many of the
components, and increases the risk that radioactive water may escape in an accident.
Nuclear Power Plant (6)
Pros & Advantages
Nuclear Safety (3)
Assessment
International Nuclear Events Scale
Probabilistic Safety Assessment (PSA) = Probabilistic Risk Assessment (PRA)
Essential documents - cornerstones - from the past:
The BNL Report: Theoretical Possibilities and Consequences of Major Accidents in
Large Nuclear Power Plants, WASH-740, 1957
Rasmussen Report: Reactor Safety Study, WASH-1400, 1975
Calculation of Reactor Accident Consequences, CRAC-II, 1982
Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants,
NUREG-1150, 1991
Safety assessment issues are in close relation to key concepts of nuclear safety
• Safety culture is about improving safety attitudes in people but it is also about
good safety management established by organisations with a holistic, whole
of community, whole of life approach. Good safety culture implies a constant
assessment of the safety significance of events, and issues, so the
appropriate level of attention can be given. Establishing and developing
attitudes towards safety culture in community is both essential, and,
effectively, cost effective
Nuclear Safety (5)
Redundancy
Passive safety
• Some such reactors use the laws of physics to keep the nuclear reaction
under control rather than engineered safety systems
Nuclear Safety
Active safety
• Engineered Safety Features
Active subsystems
High Pressure Injection (HPI) Pumps
Low Pressure Injection (LPI) Pumps
Spray System (SS)
1st level (L1) of defense is the inert, ceramic quality of UO2 fuel
L2 is the air tight zirconium alloy of the fuel rod
Nuclear Safety (9)
Containment building
• For PWR, the containment also encloses the steam generators and the
pressurizer, and is the entire reactor building
Nuclear Safety (11)
Nuclear Events
Accidents
• Design Basis Accidents (DBA): engineered safety feature (ESF) of NPP will cope with them
They do not produce unacceptable consequences
• Beyond Design Basis Accidents (BDBA): ESF of NPP will not cope with them
Any radioactive release bigger than that involved in DBA could only occur as the result of the
sequential failure of several levels of safety protection, or of some major and very unlikely
event (e.g. failure of RPV). They could range in size from those bigger than DBA to very
severe accidents.
Incidents
Anomalies
Deviations
(Near-misses)
Nuclear Safety Assessment Concept
Risk is the potential harm that may arise from some present process or from
some future event. In everyday usage, "risk" is often used synonymously with
"probability", but in professional risk assessments, risk combines the
probability of a negative event occurring with how harmful that event would be,
i.e. the consequence
Probabilistic Safety Assessment (2)
Engineering definition of risk:
Philosophy behind NPP safety justification: some bare essentials: UK example (1)
• (“The Tolerability of Risk from Nuclear Power Stations”, ISBN 0 11 886368 1, HSE, Sheffield, UK,
1992)
• “Tolerability” does not mean acceptability. It refers to a willingness to live with a risk so as to secure
certain benefits and in the confidence that it is being properly controlled. To tolerate a risk means
that we do not regard it as negligible or something we might ignore, but rather as something we
need to keep under review and reduce still further if and as we can. For a risk to be “acceptable” on
the other hand means that for purpose of life or work, we are prepared to take it pretty well as it
is”.
To learn that over 5 000 people are killed each year by traffic does not prevent us
from using the roads, though it warns us to be cautious.
A woman who wants a child will not change her mind if she learns that the average
chance of her dying as a result is of the order of 1 in 10⁴ (probability of dying is 10⁻⁴).
There is a chance of 1 in 10 000 000 000 each year that any one of us will be killed by
lightning (1 in 10⁷; LDF=10⁻⁷ per lightning year). Because lightning generally kills only
one person at a time, and the risk to each of us is very low, we treat it as negligible, i.e.
apart from taking certain simple precautions the possibility of dying in this way
does not influence our behaviour.
Probabilistic Safety Assessment (4)
Philosophy behind NPP safety justification: some bare essentials: UK example (3)
• When risks are regulated by society, the relevant judgements cease to be in the hands of the
individuals who bear the risk. The risks will be shifted around, so that some people bear
more and others less of them; and the benefits may also be unevenly distributed. E. g., the
building of any dam imposes risk on people nearby whereas the benefits are shared by
people living further away.
• Levels of fatal risk (risk of death, average figures, approximated, per year)
1 in 100 (Death Frequency, DF=10⁻²): from five hours of solo rock climbing every weekend
1 in 10³ (DF=10⁻³): due to work in high risk groups within relatively risky industries (mining)
1 in 10⁴ (DF=10⁻⁴): general risk of death in a traffic accident
1 in 10⁵ (DF=10⁻⁵): in an accident at work in the very safest parts of industry
1 in 10⁶ (DF=10⁻⁶): general risk of death in fire or explosion from gas at home
1 in 10⁷ (DF=10⁻⁷): by lightning
2. What and how severe are the potential damages, or the adverse consequences that the NPP unit
may be eventually subjected to as a result of the occurrence of the initiator?
3. How likely to occur are these undesirable consequences, or what are their probabilities or
frequencies?
Probabilistic Safety Assessment (6)
1. What can go wrong with the studied NPP unit, or what are the initiators or initiating events (IE -
undesirable starting events) that lead to adverse consequences (core damage or large early release, i.
e. the rapid, unmitigated release of airborne fission products from the containment to the environment
occurring before the effective implementation of off-site emergency response and protective actions )?
The answer requires technical knowledge of the possible causes leading to damaging outcomes of a given
activity or action. In order to focus on the most important initiators while screening out the unimportant
ones, logic tools like Master Logic Diagrams (MLD) or Failure Modes and Effects Analyses (FMEA) have been
successfully used.
2. What and how severe are the potential damages, or the adverse consequences that the NPP unit may be
eventually subjected to as a result of the occurrence of the initiator?
The answer is obtained by developing and quantifying accident scenarios, which are chains of events that
link the initiator to the end-point damaging consequences as well as from deterministic analyses (e.g.,
thermal, fluid, structural or other engineering analyses). Those describe the phenomena which could occur
along the path of the accident scenario when the initiator and the other subsequent events (through the
damaging consequences) take place.
3. How likely to occur are these undesirable consequences, or what are their probabilities or frequencies?
The answer is obtained by using Boolean Logic methods for model development and by probabilistic and
statistical methods for the quantification portion of the model analysis, fault tree analysis and event tree
analysis.
[Figure: example fault tree. Top event “Safety System 1 Fails” (OR gate) with inputs “Support System 11 Fails” and “Support System 12 Fails”, each an AND gate over basic events.]
An undesired effect is taken as the top event of a tree of logic. Then, each situation that
could cause that effect is added to the tree as a series of logic expressions. When fault trees
are labelled with actual numbers about component reliability data (parameters), computer
programs can calculate top event probabilities from fault trees.
Any combination of component failures causing the top event is called a cutset. A minimal cutset is
the smallest combination of component failures causing the top event.
Probabilistic Safety Assessment (8)
Event Tree Analysis
[Figure: example event tree. Each branch point represents a system that is either Available or Fails; the end states are labelled Consequence A, Consequence B, Consequence C and Consequence D.]
The model
Probabilistic Safety Assessment (10)
• Plant specific data. In cases when the probability of an event is well known from
past experience, statistical data (data from the plant being analyzed) can be used if the
uncertainty in these data is acceptably low.
• Generic data. In other cases the relevant data, e. g. component failure frequency is
estimated by expert judgment based on engineering knowledge and experience (US
NRC, IAEA, IEEE, EPRI, INPO, others).
• Rare events data. For rare events (e.g., system failures), for which there is no past
failure experience at all or the data are very sparse, probabilistic failure models are
developed with deductive logic tools like fault trees, or inductive logic tools like
reliability block diagrams (RBD) and FMEAs.
[Figure: Core Damage Frequency by initiating event. Bar chart on a logarithmic axis from 1,E+01 down to 1,E-10; for each initiating event its IE freq. and its CDF contribution are plotted. Margin labels on the slide: Computer codes (EPRI: CAFTA; INPO: SAPHIRE), Calculations, Sensitivity analysis, Risk Topography, Initiating Events.]
• Boolean algebra logical operations (see Appx 1)
Probabilistic Safety Assessment (14)
where
F is initiating event frequency
P is probability of safety system failure
Probabilistic Safety Assessment (16)
PSAs are normally performed at the following three levels:
• Level 1 PSA, which identifies the sequences of events that can lead to core damage, estimates the core damage frequency (CDF) and provides insights into the strengths and weaknesses of the safety systems and procedures provided to prevent core damage.
• Level 2 PSA, which identifies the ways in which radioactive releases from the NPP can occur and estimates their magnitudes and frequencies. This analysis provides additional insights into the relative importance of accident prevention and mitigation measures such as reactor containment.
• Level 3 PSA, which estimates public health and other societal risks such as contamination of land or food.
Probabilistic Safety Assessment (1)
Prior thinking was that the (unquantified) frequency of severe core damage was extremely low and that the consequences of such damage would be catastrophic. WASH-1400 calculated a CDF in the order of 10^-4 to 10^-5 per reactor year, a much higher number than anticipated, and showed that the consequences would not always be catastrophic.
Risk Informed Decision Making Concept (2)
Defence in depth principle
Defence in depth employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident or naturally caused event happens in a nuclear facility.
It ensures that safety does not depend wholly on a single element of the design, construction, maintenance or operation of the nuclear facility.
Some issues in the deterministic approach
The deterministic approach is very effective in achieving a very high safety level. However, its main disadvantage is that it may not be efficient in the use of resources (human, financial, others) relative to the risk and its impact.
The risk profile produced by deterministic principles has a very wide range. This is natural, because the same criteria are applied to both high-risk and low-risk systems/components.
• Not proportional to the importance of a problem
Risk Informed Decision Making Concept (4)
CDF criterion in PSA application
The main criterion for risk-informed optimization applications is CDF.
In general, modifications must not increase the CDF.
The US NRC allows, however, an insignificant increase in CDF.
[Figure: acceptance diagram in the ∆CDF (vertical, logarithmic scale) versus CDF (horizontal, logarithmic scale) plane; the region of large ∆CDF is marked "Not acceptable", the region of small ∆CDF "Acceptable".]
RIDM Example 1 (2)
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (1)
[Figure: bar chart of CDF per reactor year on a linear axis from 2.00E-04 to 1.80E-03 for the stages of the gradual reconstruction; bar values 1.70E-3, 8.89E-4 and 2.56E-5; annotation "CDF decreased by a factor of" with factor labels 1.9 and 66.]
RIDM Example 1 (4)
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (3)
RIDM Example 2
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (4)
RIDM Example 3 (1)
PSA in Bohunice 3 and 4: AOT of Components & Systems (1)
Technical specifications
The utility was assigned the task of submitting justification for all the outage times of components and systems permitted by the LCO, including the times determined for the transition of the NPP unit, when a limiting condition is not fulfilled, to an operational regime of higher number.
RIDM Example 3 (3)
PSA in Bohunice 3 and 4: AOT of Components & Systems (3)
The proposed AOT changes are expected to meet the
following essential principles:
All Slovak NPPs and their LCO, including AOT, have been designed on a deterministic basis.
To shut down the unit, or to accept a risk increase for a limited period of time?
RIDM Example 3 (5)
PSA in Bohunice 3 and 4: AOT of Components & Systems (5)
Allowable Outage Times
• To make a decision on the optimal strategy, the risk for these two cases should be compared, taking into account both the outage risk and the shutdown risk.
CDP_sd(i) is the core damage probability for manual shutdown, including the cooling down and follow-up startup of the reactor, when component i is unavailable
CDF(0) is the CDF under normal power operation, when none of the components concerned is unavailable, i.e. the baseline risk
CDF(i) is the CDF under continued operation, when component i is unavailable
This gave more conservative results than using an "acceptable risk in continued operation" expressed as a multiple of the CDF(0) reference value of risk (baseline risk).
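One way to turn the comparison of CDP_sd(i), CDF(0) and CDF(i) into a shutdown-or-continue decision, as an added example that is not from the report or the Bohunice study. The break-even rule (incremental risk of continued operation equal to the shutdown risk), the function names and all numerical values are assumptions introduced here.

```python
# Added example, not from the report. For a component i found unavailable, compare
# the core-damage probability of a manual shutdown, CDP_sd(i), with the incremental
# probability accumulated by staying at power at CDF(i) instead of the baseline
# CDF(0). The break-even rule below is an assumption (a common risk-based AOT
# formulation), not a formula the report states.
HOURS_PER_YEAR = 8760.0

def incremental_cdp(cdf_i: float, cdf_0: float, hours: float) -> float:
    """Extra core-damage probability from `hours` of continued operation with
    component i unavailable: (CDF(i) - CDF(0)) * t. Rates are per reactor-year."""
    if cdf_i < cdf_0:
        raise ValueError("CDF(i) cannot be below the baseline CDF(0)")
    if hours < 0:
        raise ValueError("outage time must be non-negative")
    return (cdf_i - cdf_0) * hours / HOURS_PER_YEAR

def break_even_hours(cdf_i: float, cdf_0: float, cdp_sd: float):
    """Outage time at which continued operation has accumulated as much risk as a
    manual shutdown (cooldown, repair at zero power and restart) would cause.
    Returns None when the component adds no risk (no risk-based limit applies)."""
    delta = cdf_i - cdf_0
    if delta <= 0:
        return None
    return cdp_sd * HOURS_PER_YEAR / delta

def preferred_strategy(cdf_i: float, cdf_0: float, cdp_sd: float,
                       requested_hours: float) -> str:
    """'continue' when staying at power for the requested time is the lower-risk
    option, 'shutdown' otherwise."""
    extra = incremental_cdp(cdf_i, cdf_0, requested_hours)
    return "continue" if extra <= cdp_sd else "shutdown"

# Constructed sample values (rates per reactor-year, CDP_SD a one-off probability):
CDF_0 = 1.0e-05   # baseline, all components available
CDF_I = 5.0e-05   # component i unavailable, unit kept at power
CDP_SD = 2.0e-06  # shutdown, cooldown and restart with component i unavailable

if __name__ == "__main__":
    print(f"break-even AOT = {break_even_hours(CDF_I, CDF_0, CDP_SD):.0f} h")
    for t in (72, 720):
        print(f"{t:4d} h requested -> {preferred_strategy(CDF_I, CDF_0, CDP_SD, t)}")
```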
RIDM Example 3 (7)
PSA in Bohunice 3 and 4: AOT of Components & Systems (7)
RIDM Example 3 (11)
PSA based Bohunice Risk Monitor Project (1)
Software developed under EPRI's R&R Workstation Program, applied by SAIC in co-operation with national engineering companies in many countries.
The basis: the model and outcome of the PSA L1 conducted when updating the SAR after 10 years of operation, within the periodic safety evaluation process.
The model and results of the SPSA were incorporated into the EOOS Monitor™ under sponsorship by the EC within a PHARE project.
RIDM Example 3 (13)
PSA based Bohunice Risk Monitor Project (3)
Conclusions
Transition to risk-informed regulation is taking place gradually.
A dependable PSA study with its realistic arguments is a helpful tool for the utility to deal with nuclear safety issues and, on the other hand, may significantly contribute to setting requirements for regulatory applications as well.
• The risk-informed approach and RIDM simulate the real world with all the determined, random and uncertain elements and parameters, based on our state of knowledge.
• They are based on the understanding of system and component behaviour implemented in deterministic codes and calculations.
• They integrate all the safety issues, and therefore allow rankings and optimizations.
• They integrate design, manufacturing and operational aspects of safety, balancing them over the life cycle of a system.
• They are supported explicitly (quantitatively) by our historical experience.
• They are quantitative, and therefore appropriate for sensitivity, importance and optimization studies.
• They can be flexibly supported by codes of good engineering practice (e.g. deterministic codes) to fulfil a high safety standard of design.
APPX 1: Fundamentals of Boolean Algebra in PSA (1)
State table for two valves VX and VY (S = success, F = failure):

VX  VY  System final state
S   S   1 = SUCCESS
S   F   2 = FAILURE
F   S   3 = FAILURE
F   F   4 = FAILURE
APPX 1: Fundamentals of Boolean Algebra in PSA (3)
OPERATIONS AND LAWS (2)
UNION:
E = { system states } = { 1,2,3,4 }
A = { system states that contain failure of VX } = { 3,4 }
B = { system states that contain failure of VY } = { 2,4 }
A U B = { system states that contain all the failures of VX OR the failures of VY } = { 2,3,4 }
[Venn diagram: within E, set A containing state 3, set B containing state 2, and their overlap containing state 4; the shaded area is A U B.]
[Fault tree: TOP event with inputs A and B.]
P(TOP) = P(A) + P(B)
APPX 1: Fundamentals of Boolean Algebra in PSA (5)
OPERATIONS AND LAWS (4)
INTERSECTION:
State table for two valves VX and VZ (S = success, F = failure):

VX  VZ  System final state
S   S   1 = SUCCESS
S   F   2 = SUCCESS
F   S   3 = SUCCESS
F   F   4 = FAILURE
[Diagram of the VX/VZ arrangement.]
INTERSECTION:
E = { system states } = { 1,2,3,4 }
A = { system states that contain failure of VX } = { 3,4 }
C = { system states that contain failure of VZ } = { 2,4 }
A ∩ C = { system states that contain failure of VX AND failure of VZ } = { 4 }
[Venn diagram: within E, set A containing state 3, set C containing state 2, and their overlap containing state 4.]
State table for three valves VX, VY and VZ (S = success, F = failure):

VX  VY  VZ  System final state
S   S   S   1 = SUCCESS
S   S   F   2 = SUCCESS
S   F   S   3 = SUCCESS
F   S   S   4 = SUCCESS
S   F   F   5 = FAILURE
F   S   F   6 = FAILURE
F   F   S   7 = SUCCESS
F   F   F   8 = FAILURE
[Diagram of the VX/VY/VZ arrangement.]
APPX 1: Fundamentals of Boolean Algebra in PSA (9)
OPERATIONS AND LAWS (8)
COMBINATIONS OF UNIONS AND INTERSECTIONS (2)
E = { system states } = { 1,2,3,4,5,6,7,8 }
A = { system states that contain failure of VX } = { 4,6,7,8 }
B = { system states that contain failure of VY } = { 3,5,7,8 }
C = { system states that contain failure of VZ } = { 2,5,6,8 }
(A U B) ∩ C = { system failure states } = { system states that contain failure of VX OR VY, AND failure of VZ } = ({ 4,6,7,8 } U { 3,5,7,8 }) ∩ { 2,5,6,8 } = { 3,4,5,6,7,8 } ∩ { 2,5,6,8 } = { 5,6,8 }
[Venn diagram of A, B and C within E, with states 1 to 8 placed in the corresponding regions and (A U B) ∩ C shaded.]
(A U B) ∩ C = (A ∩ C) U (B ∩ C)
[Fault trees: on the left, SYSTEM FAILURE as the combination of "FAILURE OF VX OR VY" (A, B) AND "FAILURE OF VZ" (C); on the right, the equivalent SYSTEM FAILURE as "FAILURE OF VX AND VZ" (A ∩ C) OR "FAILURE OF VY AND VZ" (B ∩ C).]
APPX 1: Fundamentals of Boolean Algebra in PSA (11)
OPERATIONS AND LAWS (10)
ABSORPTION LAW
A U (A ∩ B) = A
[Venn diagrams: A and B with their overlap labelled C, i.e. A ∩ B = C; then C U A = A.]
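The appendix's three-valve state table, the sets A, B and C derived from it, and the laws stated above checked against those sets, as an added example that is not part of the report; the function names are introduced here and the probabilities passed to the gate functions are constructed sample values.

```python
# Added example, not from the report: the appendix's three-valve state table, the
# sets A, B, C derived from it, and the union/intersection laws checked on them.
# Appendix numbering of states: (VX, VY, VZ) with S = success, F = failure.
STATES = {1: "SSS", 2: "SSF", 3: "SFS", 4: "FSS",
          5: "SFF", 6: "FSF", 7: "FFS", 8: "FFF"}
VALVE_INDEX = {"VX": 0, "VY": 1, "VZ": 2}

def failure_set(valve: str) -> set:
    """States in which `valve` has failed: the appendix's A (VX), B (VY), C (VZ)."""
    pos = VALVE_INDEX[valve]
    return {n for n, s in STATES.items() if s[pos] == "F"}

def system_failure_states() -> set:
    """(A U B) ∩ C: failure of VX or VY, AND failure of VZ (the 3-valve table)."""
    A, B, C = (failure_set(v) for v in ("VX", "VY", "VZ"))
    return (A | B) & C

def distributive_law_holds() -> bool:
    """(A U B) ∩ C == (A ∩ C) U (B ∩ C) on the appendix's sets."""
    A, B, C = (failure_set(v) for v in ("VX", "VY", "VZ"))
    return (A | B) & C == (A & C) | (B & C)

def absorption_law_holds() -> bool:
    """A U (A ∩ B) == A on the appendix's sets."""
    A, B = failure_set("VX"), failure_set("VY")
    return A | (A & B) == A

def p_or_gate(p_a: float, p_b: float, rare_event: bool = False) -> float:
    """Top-event probability of an OR gate over independent inputs. The union
    slide's P(TOP) = P(A) + P(B) is the rare-event approximation; it counts the
    overlap A ∩ B twice, so the exact value subtracts P(A)P(B)."""
    return p_a + p_b if rare_event else p_a + p_b - p_a * p_b

def p_system_failure(p_x: float, p_y: float, p_z: float) -> float:
    """P((A U B) ∩ C) for independent valve failures: an OR gate of VX, VY
    feeding an AND gate with VZ, as in the left-hand fault tree."""
    return p_or_gate(p_x, p_y) * p_z

if __name__ == "__main__":
    print("system failure states:", sorted(system_failure_states()))
    print("distributive:", distributive_law_holds(), "absorption:", absorption_law_holds())
    print("P(TOP) exact vs rare-event:", p_or_gate(0.1, 0.2), p_or_gate(0.1, 0.2, True))
```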
European Commission
EUR 22302 EN – DG JRC – Institute for Energy – PSA TECHNOLOGY AS A COMPLEMENTARY TOOL TO
SUPPORT DECISION MAKING IN NUCLEAR SAFETY
Authors:
J. Kubanyi, C. Kirchsteiger
The mission of the Joint Research Centre is to provide customer-driven scientific and technical support for the
conception, development, implementation and monitoring of EU policies. As a service of the European Commission,
the JRC functions as a reference centre of science and technology for the Union. Close to the policy-making
process, it serves the common interest of the Member States, while being independent of special interests,
whether private or national.