PSA TECHNOLOGY AS A COMPLEMENTARY

TOOL TO SUPPORT DECISION MAKING

IN NUCLEAR SAFETY

International Eugene Wigner Training Course

on Research Reactor Safety
2006

Jozef KUBANYI, Christian KIRCHSTEIGER

DG JRC
Institute for Energy

August 2006

EUR 22302EN
Mission of the Institute for Energy
The Institute for Energy provides scientific and technical support for the conception, development, implementation
and monitoring of community policies related to energy. Special emphasis is given to the security of energy
supply and to sustainable and safe energy production.

European Commission
Directorate-General Joint Research Centre (DG JRC)
http://www.jrc.ec.europa.eu

Institute for Energy, Petten (the Netherlands)

http://ie.jrc.ec.europa.eu

Contact details:
Jozef Kubanyi
Tel.: +31-224-56-5376
E-mail: jozef.kubanyi@jrc.nl

Christian Kirchsteiger
Tel.: +31-224-56-5118
E-mail: christian.kirchsteiger@jrc.nl

Legal Notice

Neither the European Commission nor any person acting on behalf of the Commission is responsible for the
use which might be made of this publication.

The use of trademarks in this publication does not constitute an endorsement by the European Commission.

The views expressed in this publication are the sole responsibility of the author and do not necessarily reflect
the views of the European Commission.

© European Communities, 2006

Reproduction is authorised provided the source is acknowledged.
Printed in the Netherlands

Cover: JRC IE, PR & Communication

(No commercial use. Credit “Audiovisual Library European Commission”.)
PSA TECHNOLOGY AS A COMPLEMENTARY
TOOL TO SUPPORT DECISION MAKING
IN NUCLEAR SAFETY

International Eugene Wigner Training Course

on
Research Reactor Safety
2006

Jozef KUBANYI, Christian KIRCHSTEIGER

European Commission, DG JRC

Institute for Energy

August 2006

EUR 22302 EN
PSA Technology as a Complementary Tool to support Decision Making in
Nuclear Safety

Jozef Kubanyi, Christian Kirchsteiger

European Commission, DG Joint Research Centre, Institute for Energy, Petten, NL

Summary
The report provides a brief overview of overall framework of Probabilistic Safety
Assessment (PSA) technology used in various applications to assess nuclear power plant
(NPP) operational risk issues. Based on essential nuclear power engineering/safety
background and philosophy behind NPP safety justification, main terms of quantitative
risk assessment are discussed: basic aspects of Fault Tree (FT)/Event Tree (ET)
construction, modelling for graphical/logical representation of accident sequences,
Initiating Events (IE) selection, issues of consequences, data analysis and quantification
of the model. Basic aspects of Risk Informed Decision Making (RIDM) concept are
explained and discussed.

Introduction

A nuclear power plant is a thermal power station in which the heat source is one or more
nuclear reactors generating nuclear power. NPPs are base load stations, which work best
when the power output is constant. Their units range in power from about 40 MWe to
over 1000 MWe. New units and those under construction currently are typically in the
range 600-1200 MWe. As of 2005, there are 443 licensed nuclear power reactors in the
world, of which 441 are currently operational in 31 different countries. Together they
produce about 17% of the world's electric power.

NPPs are classified according to the type of reactor used. Fission power reactors generate
heat by nuclear fission of fissile isotopes of uranium and plutonium. There are two main
types of them: Thermal reactors use a neutron moderator to slow or moderate neutrons so
that they are more likely to produce another fission, while fast reactors sustain the chain
reaction without needing a neutron moderator. Because they use different fuel than

1
thermal reactors, the neutrons in a fast reactor do not need to be moderated for an
efficient chain reaction to occur. This paper concerns thermal reactors only.

There are three main groups of power reactors used at present: light water reactors
(LWR), cooled and moderated by H2O, graphite moderated reactors, which are cooled by
gas, and CANDU reactors, cooled and moderated by D2O. There are two subgroups of
LWR: boiling water reactors (BWR) and pressurized water reactors (PWR). Reactors of
VVER type belong to PWR subgroup.

Nuclear Safety

Nuclear safety covers the actions taken to prevent nuclear and radiation accidents or to
limit their consequences. Main concerns of nuclear safety are radioactive contamination,
radioactive waste, and reactor core damage. Countries utilizing nuclear power have
special institutions overseeing and regulating nuclear safety. In Czech Republic it is State
Office of Nuclear Safety (SUJB), in Hungary Hungarian Atomic Energy Agency (OAH),
in Slovakia Nuclear Regulatory Authority (UJD), in USA, for example, Nuclear
Regulatory Commission (NRC). Internationally, the International Atomic Energy Agency
(IAEA) works for the safe, secure and peaceful uses of nuclear science and technology.
As key terms of nuclear safety can be mentioned safety culture, redundancy, passive
safety, active safety, defence in depth, containment (confinement), and radiation
(radiological) protection.

Safety culture is a term introduced by the International Nuclear Safety Advisory Group
(INSAG). Safety culture is that assembly of characteristics and attitudes in organisations
and individuals, which establishes that, as an overriding priority, nuclear plant safety
issues receive the attention warranted by their significance. Safety culture is about
improving safety attitudes in people but it is also about good safety management
established by organizations. Good safety culture implies a constant assessment of the
safety significance of nuclear events and issues, so the appropriate level of attention can
be given.

2
Redundancy is duplication of critical components of a system with the intention of
increasing reliability of the system, usually in the case of a backup or fail-safe. In many
safety-critical systems, some parts of the system (including its control system) may be
doubled or tripled. A failure in one component may then be addressed or out-voted by the
other two. In a triple redundant system, the system has three subcomponents (subsystems,
“trains”), all three of which must fail before the system fails. Since each one rarely fails,
and the subcomponents are expected to fail independently, the probability of all three
failings is small.

Passive safety is a feature of modern nuclear reactor and other NPP systems that operator
actions are not required for some time in order to shut down safely in the event of a loss-
of-coolant accident (LOCA) or other emergency/accidental conditions. Besides, the
modern nuclear reactors may use the laws of physics to keep the nuclear reaction under
control rather than engineered safety systems.

Active safety is based on engineered safety features (ESF), especially emergency core
cooling system (ECCS) with its passive subsystem (hydro accumulators) and active
subsystems, consisting of high pressure injection (HPI) pumps, low pressure injection
(LPI) pumps and sprinkler (spray) (SS) pumps.

Defence in depth concept has been developed from the original idea of placing multiple
barriers between radioactive materials and the environment. At present the concept
includes a more general structure of multiple physical barriers and complementary means
to protect the barriers themselves, the so called levels of defence. It ensures that a high
level of safety is reliably achieved with sufficient margins to compensate for equipment
failures and human errors. The first level (L1) of defense is the inert, ceramic quality of
UO2 fuel, L2 is the air tight zirconium alloy of the fuel rod, L3 is the reactor coolant
system and reactor pressure vessel made of steel ~ 20 cm thick, L4 is the pressure
resistant, air tight containment, L5 is the reactor building or in newer NPPs a second
outer containment building. Defence in depth concept covers conservative design, quality
assurance (QA), safety culture, control of abnormal operation and detection of failures,
safety and protection systems, accident management, and off-site emergency response. It

3
employs successive compensatory measures to prevent accidents or mitigate damage if a
malfunction, accident or naturally caused event happens in a nuclear facility. It ensures
that safety is not wholly dependent on a single element of the design, construction,
maintenance or operation of nuclear facility.

Containment building is a steel or concrete structure enclosing a nuclear reactor. It is

designed to, in any emergency, contain the escape of radiation despite high pressures. It
is the final barrier to radioactive release. Typically it is an airtight steel structure
enclosing the reactor normally sealed off from the outside atmosphere. For PWR, the
containment also encloses the steam generators and the pressurizer, and is the entire
reactor building.

Radiation (radiological) protection is for protecting people and the environment from
the harmful effects of both particle radiation and ionizing radiation. It includes
occupational radiation protection (plant people) and public radiation protection, which is
about protection of individual members of the public, and of the population as a whole.
There are three main principles to radiation protection: those of time, distance and
shielding.

Nuclear events are accidents, incidents, anomalies, deviations and near-misses. In terms
of PSA, accidents are most important. They are divided in design basis accidents (DBA,
plant design covers them and plant ESF will cope with them) and beyond design basis
accidents (BDBA, plant design does not cover them and plant ESF would not cope with
them). Any radioactive release bigger than that involved in DBA could only occur as the
result of the sequential failure of several levels of safety protection, or of some major and
very unlikely event (e.g. failure of reactor pressure vessel). They could range in size from
those bigger than DBA to very severe accident.
There are more methods and procedures for assessment of nuclear safety, that includes
identification of safety issues, ranking of safety significance of them, and assessment of
safety itself, resulting in decision-making in corrective measures and their feasibility. The

4
methods and procedures are based on either deterministic or probabilistic approach. PSA
technology can be effective tool in the decision making processes.

Probabilistic Safety Assessment

PSA, or Probabilistic Risk Assessment (PRA) is a systematic and comprehensive

methodology to evaluate risk associated with a nuclear installation. Risk is the potential
harm that may arise from some present process or from some future event. In everyday
usage, "risk" is often used synonymously with "probability", but in professional risk
assessments, risk combines the probability of a negative event occurring with how
harmful that event would be, i. e. the consequence. Prevention of NPP specific risk
requires efficient control of the chain reaction ad hence the power produced, fuel cooling
assured under thermal hydraulic conditions designed to maintain fuel clad integrity and
containment of radioactive products in the fuel, but also in the primary coolant, in reactor
coolant system (RCS), in the containment or confinement.

Engineering definition of risk is as follows:

Tolerability to risk from NPPs would be of much interest in these considerations. In the
well known document of Health & Safety Executive, UK, 1992, The Tolerability of Risk
from Nuclear Power Stations, “Tolerability does not mean acceptability. It refers to a
willingness to live with a risk so as to secure certain benefits and in the confidence that it
is being properly controlled. To tolerate a risk means that we do not regard it as
negligible or something we might ignore, but rather as something we need to keep under
review and reduce still further if and as we can. For a risk to be “acceptable” on the other
hands means that for purpose of life or work, we are prepared to take it pretty well as it
is”.
Effectively, there are three components to be considered in estimating any risk: the
probability (whether there is a high risk or not); the event to which probability attaches;
and the severity of the consequences. In qualitative safety (risk) assessment the severity

5
of the consequences and their likelihood of occurrence are both expressed qualitatively
(e. g. through words like high, medium, low). In quantitative safety (risk) assessment risk
is characterized by two quantities: (1) Probability of occurrence of each consequence
(2) Magnitude (severity) of the possible adverse consequence. In PSA the consequences
are expressed numerically (e. g. number of people potentially hurt or killed) and their
likelihood of occurrences are expressed as probabilities or frequencies (i .e. the number
of occurrences or the probability of occurrence per time unit). The total risk then is the
sum of the products of the consequences multiplied by their probabilities.

PSA usually answers three basic questions:

1. What can go wrong with the studied NPP unit, or what are the initiators or
initiating events (IE)? IE are undesirable starting events, which lead to adverse
consequences (core damage or large early release, i. e. the rapid, unmitigated
release of airborne fission products from the containment to the environment
occurring before the effective implementation of off-site emergency response and
protective actions).
The answer requires technical knowledge of the possible causes leading to damaging
outcomes of a given activity or action. In order to focus on the most important initiators
while screening out the unimportant ones, logic tools like Master Logic Diagrams (MLD)
or Failure Modes and Effects Analyses (FMEA) have been successfully used.

2. What and how severe are the potential damages, or the adverse consequences that
the NPP unit may be eventually subjected to as a result of the occurrence of the
initiator?

The answers is obtained by developing and quantifying accident scenarios, which are
chains of events that link the initiator to the end-point damaging consequences as well as
from deterministic analyses (e.g., thermal, fluid, structural or other engineering analyses).
Those describe the phenomena, which could occur along the path of the accident scenario
when the initiator and the other subsequent events (through the damaging consequences)
take place.

6
 3. How likely to occur are these undesirable consequences, or what are their
probabilities or frequencies?
The answer is obtained by using Boolean Logic methods for model development and by
probabilistic and statistical methods for the quantification portion of the model analysis,
fault tree analysis and event tree analysis.

Fault Tree (FT) is a deductive logic diagram that depicts how a particular undesired
event can occur as a logical combination of other undesired events.

Safety System 1 Fails

OR

Support System 11 Fails Support System 12 Fails

Basic
Event
AND 10 AND

Basic Basic Basic Basic OR

Event Event Event Event
11 13 11 13
Basic
Event Basic Basic
12 Event Event
14 15

An undesired event is taken as the top event of a tree of logic. Then, each situation that
could cause that effect added to the tree as a series of logic expressions. When FTs are
labelled with actual numbers about component reliability data (parameters), computer
programs can calculate top event probabilities from FTs. Any combination of component
failures causing the top event is called a cutset. A minimal cutset is the smallest
combination of component failures causing the top event.
Event Tree (ET) is a logic diagram that begins with an initiating event or condition and
progresses through a series of branches that represent expected system or operator

7
performance that either succeeds of fails and arrives at either a successful or failed end
state.

Initiating Safety Safety Safety

Consequences
Event System 1 System 2 System 3

Available
Consequence A
Available

Consequence B
Available Fails

Consequence B

Fails
Consequence C

Consequence D
Fails

Based on IEs selection, accident sequences for each selected IE with their consequences
are developed in FTs/ETs as graphical and logical representation of accident sequences.
The relevant data are analyzed and added to the model (failure rate, i. e. number of
failures per time unit, repair rate, probability of failure per demand, test intervals, mission
time, and others. The final stage then is quantification of the model.

There is important and challenging issue of (statistical) data to be used in the analyses. In
cases when the probability of an event is well known from past experience, plant specific
data (data from the plant being analyzed) as statistical data can be used, if the uncertainty
in these data is acceptably low. In other cases the relevant data, e. g. component failure
frequency is estimated by expert judgment based on engineering knowledge and
experience. This kind of data is so called generic data (US NRC, IAEA, IEEE, EPRI,
INPO, others). For rare events (e.g., system failures), for which there is no past failure
experience at all, or the data are very sparse, probabilistic failure models are developed
with deductive logic tools like fault trees, or inductive logic tools like reliability block
diagrams an Failure Mode and Effect Analysis (FMEA).

8
There are some other very important analysis tools in PSA: Human reliability analysis
(HRA), which deals with methods for modelling human error and Common-cause failure
analysis (CCF), dealing with methods for evaluating the effect of inter-system and inter–
component dependencies (dependent failures), which tend to cause significant increases
in overall system or facility risk.

Complex calculations and quantifications based beside other tools mainly on Boolean
algebra logical operations provide such results as core damage frequencies (CDF),
minimal cut sets, and their probabilities. They are simple for small ET/FT, however, to
obtain probabilities of top events, sequences and consequences including importance
analysis, uncertainty analysis and sensitivity analysis results for large and complex NPP
systems, special approximate algorithms have to be used.Computer codes like Relcon’s
Risk Spectrum, EPRI’s CAFTA or INPO’s SAPHIRE are mostly used.

PSA can be performed for internal and external IEs. Both trigger sequences of events that
challenge plant control and safety systems whose failure could potentially lead to core
damage or large early release. Internal IEs consist in hardware or system failures or
human errors in situations arising from the normal mode of operation of the NPP being
analyzed, e. g. LOCA (large, medium, small, …), Loss of Offsite Power (LOOP), Steam
Line Break (SLB), Steam Generator Tube Rupture (SGTR), support system initiators and
other transients. External IEs are outside the domain of normal operation of NPP, e. g.
earthquakes, lightnings, fires, floods, and tornados.

Based on the above, PSA of a NPP provides a comprehensive, structured approach to

identifying failure scenarios and deriving numerical estimates of the risks to plant staff
and individuals of the public as well. It is a systematic approach to determining whether
safety systems are adequate, the plant design balanced, the defence in depth requirement
have been realized and the risk as low as reasonably achievable (ALARA).

PSAs are normally performed at the following three levels. Level 1 PSA identifies the
sequences of events that can lead to core damage, estimates CDF and provides insights

9
into the strengths and weaknesses of the safety systems and procedures provided to
prevent core damage. Level 2 PSA identifies the ways in which radioactive releases from
NPP can occur and estimates their magnitudes and frequencies. This analysis provides
additional insights into the relative importance of accident prevention and mitigation
measures such as reactor containment. Level 3 PSA estimates public health and other
societal risks such as contamination of land or food. PSA is normally performed for full
power operation (PSA) and low power level and shutdown states (SPSA).

As main benefits of PSA could be mentioned that it estimates risk level of the plant,
identifies dominant event sequences affecting safety of the plant, identifies systems,
components and human actions important for safety (“week points”), and provides
decision support in various application areas. Besides the benefits, there are also some
limitations of PSA technology: binary representation (success or failure, intermediate
states are also possible, but not treated), time treatment (chronology of events instead of
actual timing), aging effect of systems, structures and components is either ignored or
considered insufficiently, uncertainty of numerical values (due to completeness,
modeling accuracy and input data uncertainties).

The publication of the Reactor Safety Study WASH-1400 and subsequent conducted NPP
PSAs had a tremendous impact on the thinking of nuclear safety experts. Two major
insights from WASH-1400 were:

1. Prior thinking was that (no quantified) frequency of severe core damage was
extremely low and the consequences of such damage would be catastrophic. The
WASH-1400 calculated a CDF in the order of 10-4 to 10-5 per reactor-year, a
much higher number than anticipated, and showed that the consequences would
not always be catastrophic.

2. A significant failure path for radioactivity release that bypasses the containment
building was identified. Traditional safety analysis methods had failed to do so.

10
Risk Informed Decision Making

Defence in depth philosophy employs successive compensatory measures to prevent

accidents or mitigate damage if a malfunction, accident or naturally caused event happens
in a nuclear facility. It will ensure that safety will not be wholly dependent on a single
element of the design, construction, maintenance or operation of nuclear facility.
However, there are some issues in deterministic approach in RIDM processes.

Deterministic approach is very effective to achieve very high safety level. Nevertheless,
its main disadvantage is that it might be not efficient regarding the use of resources
(human, financial, others) based on the risk and its impact. The risk profile produced by
deterministic principles has very high range. This is natural, because the same criteria are
applied to both high risk systems/components and low risk systems/components.

An improvement of decision making based on deterministic approach is Risk Informed

Decision Making (RIDM) concept. Risk informed (RI) approach uses risk values
(qualitative or quantitative) to determine safety requirements and risk values are provided
by PSA. RI approach is not an alternative to deterministic approach, but it is a
complementary to deterministic approach. The use of PSA results as the sole figure of
merit cannot be recommended, as it would be risk based decision making approach. In
RIDM, fundamental deterministic safety principles, mainly defense in depth and
sufficient safety margins, have to be maintained, even if probabilistic evaluation would
indicate already high enough safety level. The main elements of RIDM framework are
1) defence in depth philosophy is fully maintained, 2) insights from PSA and 3)
knowledge from NPP operation experience/feedback are considered.

Conclusion

Present application of PSAs to operating plants has provided a modelling technique and
quantification tools that are sufficiently proven, that allows the use of PSA in decision-
making. There is an international consensus on a qualitative safety objective, which is to
reduce risk, compared to existing reactors, due to accidental releases of radioactivity,
including severe accidents. To achieve this objective, in establishing additional

11
requirements, even for Design Basis Accidents (DBA), Beyond Design Basis Accidents
(BDBA) and other multiple failure situations, the PSA results should be used as input
data for various applications. Implementation of this approach should lead to the
achievement, as stated in INSAG-3 document, of a CDF less than 10-5 per reactor
operating year to be considered for new and future reactors as a reference value. This
value, as well as in some cases an objective for large early release frequency (LERF) of
less than 10-6 per reactor operating year is in common use currently. Besides, effective
NPP safety management, consisted of accident management, risk management and
emergency management should be based on RIDM concept.

References

[1] http://www.iaea.org/cgi-bin/db.page.pl/pris.oprconst.htm

[2] Kumamoto, H., Henley, E.: Probabilistic Risk Assessment and Management for
Engineers and Scientists. IEEE, New York, 1996. ISBN 0-7803-6017-6

[3] Fullwood, R. R., Hall, R. E.: Probabilistic Risk Assessment in the Nuclear Power
Industry. Fundamentals and Applications. Pergamon Press, Oxford, UK, 1988. IBSN
0-08-036362-8 or IBSN 0-08-034879-3.

[4] McCormick, N. J.: Reliability and Risk Analysis. Methods and Nuclear Power
Applications. Academic Press, Inc., Harcourt Brace & Company, Publishers, San
Diego, CA, 1981. IBSN 0-12-482360-2.

[5] Standard for Probabilistic Risk Assessment for Nuclear Power Plant Applications.
ASME RA-S-2002. An American National Standard, The American Society of
Mechanical Engineers, New York, NY 10016-5990, USA, 2002.

[6] ASME RA-Sa-2003. Addenda to ASME RA-S-2002 Standard for Probabilistic Risk
Assessment for Nuclear Power Plant Applications. The American Society of
Mechanical Engineers, New York, NY 10016, USA, 2002.

[7] INSAG, Basic Safety Principles for Nuclear Power Plants, Safety Series No.75-
INSAG 3, IAEA, Vienna, 1998.

12
 (XJHQH:LJQHU&RXUVH
678%UDWLVODYD಴ 6ORYDNLD಴ 6HSWHPEHU

36$7HFKQRORJ\DVD&RPSOHPHQWDU\7RRO
WRVXSSRUW'HFLVLRQ0DNLQJLQ1XFOHDU6DIHW\

-R]HI.XEDQ\L#MUFQO &KULVWLDQ.LUFKVWHLJHU#MUFQO
(&'*-RLQW5HVHDUFK&HQWUH3HWWHQ1/

Summary

Presentation provides a brief overview of overall framework of

Probabilistic Safety Assessment (PSA) technology used in various
applications to assess nuclear power plant (NPP) operational risk
issues. Based on essential nuclear power engineering/safety
background and philosophy behind NPP safety justification, main
terms of quantitative risk assessment are discussed: basic aspects of
Fault Tree (FT)/Event Tree (ET) construction, modelling for
grafical/logical representation of accident sequences, Initiating Events
(IE) selection, issues of consequences, data analysis and
quantification of the model. Basic aspects of Risk Informed Decision
Making concept are explained, discussed and demonstrated on three
examples from engineering practice.

2
 Presentation Outline

Nuclear Power Plant (NPP)

Nuclear Safety

Nuclear Safety Assessment Concept

Probabilistic Safety Assessment (PSA)

Risk Informed Decision Making (RIDM) Concept

RIDM Example 1

RIDM Example 2

RIDM Example 3

Conclusions

Some General Conclusions to RIDM

Nuclear Power Plant (1)

Thermal power station in which the heat source is one ore more nuclear
reactors generating nuclear power
electric power

Their Units range in power from 40 Mwe to 1 000MWe

New units (also under construction): typically 600 – 1 200 MWe
 2005: 443 licensed nuclear power reactors in the world
 441 currently operational, operating in 31 countries; ~ 17% world el. power

NPP types classified according to the type of fission reactor used:
 Thermal reactors use neutron moderator to slow or moderate neutrons  they
are more likely to produce another fission. Neutrons created by fission are of high
energy, “fast”, and must have their energy decreased (be made thermal, “slow”)
by the moderator in order to efficiently maintain the chain reaction
 Fast reactors sustain the chain reaction without needing a neutron moderator.
Because they use different fuel than thermal reactors, the neutrons in a fast
reactor do not need to be moderated for an efficient chain reactor to occur
4
 Nuclear Power Plant (2)

Thermal reactors
 Light water reactors (LWR)
• Pressurized water reactor (PWR) H2O cooled & moderated
(Westinghouse, VVER)
• Boiling water reactor

 Graphite-moderated reactors
• Gas cooled reactor (GCR), Magnox type
• Advanced gas-cooled reactor (AGCR)
• High temperature gas cooled reactor (HTGR)
• RBMK (water cooled)
• Pebble bed reactor (PBMR)

 CANDU (PHWR): D2O cooled & moderated

5

Nuclear Power Plant (3)

PWR
 Cooled and moderated by high pressure/temperature H2O. Majority of current
reactors, generally considered the safest and most reliable technology

6
 Nuclear Power Plant (4)

BWR
 Cooled and moderated by water under slightly lower pressure. The water is allowed to boil
in the reactor. The thermal efficiency can be higher and they can be simpler, potentially
more stable and safe. However, the boiling water puts more stress on many of the
components, and increases the risk that radioactive water may escape in an accident

Nuclear Power Plant (5)

CANDU
 Cooled and moderated by D2O. Instead of using a single large containment vessel as in
PWR, the fuel of natural uranium is contained in hundreds of pressure tubes

8
 Nuclear Power Plant (6)

Pros & Advantages

 No greenhouse gas emissions during normal operation (greenhouse gases are

emitted only when the Emergency Diesel Generators are tested); (the
processes of uranium mining and of building and decommissioning power
stations produce significant greenhouse gas emissions)
 Does not produce air pollutants such as carbon monoxide, sulfur dioxide,
mercury, nitrogen oxides or particulates
 The quantity of waste produced is small during normal operation
 Low fuel costs
 Large fuel reserves
 Future designs may be small and modular

Nuclear Power Plant (7)

Cons & Disadvantages
 Risk of major accidents - e.g. Three Mile Island and Chernobyl
 Consequences of an accident have in the past been projected to possibly be disastrous
(see NUREG-1150)
 Nuclear waste produced is dangerous for thousands of years (unless reprocessed)
 Risk of nuclear proliferation associated with some designs
 High capital costs (cost to build the plant)
 Roughly five-year completion periods, imposing large finance costs and delaying return
on investment
 High maintenance costs
 Significant security concerns
 High cost of decommissioning plants
 Designs of current plants are all large-scale
 Nuclear power is highly controversial, enough so that the building of NPPs has ceased in
Europe (except in Finland and Ukraine, perhaps in Slovakia)
10
 Nuclear Safety (1)

Nuclear safety covers the actions taken to prevent nuclear and
radiation accidents or to limit their consequences
 Key concepts
 Concerns
 Enforcement organisations
 Assessment

Key concepts
 Safety culture
 Redundancy
 Passive safety
 Active safety
 Defence in depth
 Containment building
 Radiation (radiological) protection

11

Nuclear Safety (2)

Concerns
 Radioactive contamination
 Radioactive waste
 Nuclear core damage

Enforcement organisations
 Countries utilizing nuclear power have special institutions overseeing
and regulating nuclear safety
 US NRC
 Slovakia: NRA SR (UJD)
 Czech Republic: SONS (SUJB)
 Hungary: HAEA
Internationally, the International Atomic Energy Agency (IAEA) works for the
safe, secure and peaceful uses of nuclear science and technology

12
 Nuclear Safety (3)

Assessment
 International Nuclear Events Scale
 Probabilistic Safety Assessment (PSA) = Probabilistic Risk Assessment (PRA)
Essential documents - cornestones - from the past:
 The BNL Report: Theoretical Possibilities and Consequences of Major Accidents in
Large Nuclear Power Plants, WASH-740, 1957
 Rasmussen Report: Reactor Safety Study, WASH-1400, 1975
 Calculation of Reactor Accident Consequences, CRAC-II, 1982
 Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants,
NUREG-1150, 1991
Safety assessment issues are in close relation to key concepts of nuclear safety

 Safety culture (1)

• Safety culture is a term introduced by the IAEA International Nuclear Safety Advisory
Group (INSAG). INSAG published a report on Post Accident Review Meeting on Chernobyl
Accident in 1986
13

Nuclear Safety (4)

 6DIHW\FXOWXUH

• IAEA concept of safety culture: Safety culture is that assembly of

characteristics and attitudes in organisations and individuals which establishes
that, as an overriding priority, nuclear plant safety issues receive the attention
warranted by their significance.
nuclear safety first

• Safety culture is about improving safety attitudes in people but it is also about
good safety management established by organisations with a holistic, whole
of community, whole of life approach. Good safety culture implies a constant
assessment of the safety significance of events, and issues, so the
appropriate level of attention can be given. Establishing and developing
attitudes towards safety culture in community is both essential, and,
effectively, cost effective

14
 Nuclear Safety (5)

 Redundancy

• The duplication of critical components of a system with the intention of

increasing reliability of the system, usually in the case of a backup or fail-
safe.

• In many safety-critical systems, some parts of the system (including its

control system) may be doubled or tripled. A failure in one component
may then be addressed or out-voted by the other two.

• In a triple redundant system, the system has three subcomponents

(subsystems, “trains”), all three of which must fail before the system fails.
Since each one rarely fails, and the subcomponents are expected to fail
independently, the probability of all three failings is small.

15

Nuclear Safety (6)

 Passive safety

• Is a feature of modern nuclear reactor and other NPP systems that

operator actions are not required in order to shut down safely in the event
of a loss-of-coolant accident (LOCA) or other emergency/accidental
conditions

• Some such reactors use the laws of physics to keep the nuclear reaction
under control rather than engineered safety systems

16
 1XFOHDU6DIHW\ 
 Active safety
• Engineered Safety Features

• EMERGENCY CORE COOLING SYSTEM (ECCS)

Passive subsystems: hydro accumulators

Active subsystems
 High Pressure Injection (HPI) Pumps
 Low Pressure Injection (LPI) Pumps
 Spray System (SS)

17

Nuclear Safety (8)

 Defence in depth
The concept of defence in depth has been developed from the original idea of placing multiple barriers
between radioactive materials and the environment. At present the concept includes a more general
structure of multiple physical barriers and complementary means to protect the barriers themselves, the so-
called levels of defence. It ensures that a high level of safety is reliably achieved with sufficient margins to
compensate for equipment failures and human errors.

This diagram demonstrates the defense in depth quality of NPP:

1st level (L1) of defense is the inert, ceramic quality of UO2 fuel
L2 is the air tight zirconium alloy of the fuel rod

L3 is the reactor pressure vessel made of steel ~ 20 cm thick

L4 is the pressure resistant, air tight containment
L5 is the reactor building or in newer NPPs a second outer
containment building

18
 Nuclear Safety (9)
 Containment building

• A steel or concrete structure enclosing a nuclear reactor. It is designed to,

in any emergency, contain the escape of radiation despite high pressures.
The containment is the final barrier to radioactive release, the first being
the fuel ceramic itself, the second being the metal fuel cladding tubes, the
third being the reactor pressure vessel and reactor coolant system.

• The containment building itself is typically an airtight structure enclosing

the reactor normally sealed off from the outside atmosphere

• For PWR, the containment also encloses the steam generators and the
pressurizer, and is the entire reactor building

19

Nuclear Safety (10)

 Radiation (radiological) protection

• Radiation or radiological protection is the science of protecting people and

the environment from the harmful effects of both particle radiation and
ionizing radiation.

• It includes occupational radiation protection, which is the protection of

NPP staff; and public radiation protection, which concerns protection of
individual members of the public, and of the population as a whole

• There are main three principles to radiation protection:

 Time
 Distance and
 Shielding

20
 Nuclear Safety (11)

Nuclear Events
 Accidents
• Design Basis Accidents (DBA): engineered safety feature (ESF) of NPP will cope with them

They do not produce unacceptable consequences

• Beyond Design Basis Accidents (BDBA): ESF of NPP will not cope with them

Any radioactive release bigger than that involved in DBA could only occur as the result of the
sequential failure of several levels of safety protection, or of some major and very unlikely
event (e.g. failure of RPV). They could range in size from those bigger than DBA to very
severe accidents.

 Incidents
 Anomalies
 Deviations
 (Near-misses)
21

Nuclear Safety (12)

International Nuclear Event Scale (INES)
 Introduced by IAEA in order to enable prompt communication of safety
significance information in case of nuclear accidents. A number of criteria and
indicators are defined to assure coherent reporting of nuclear events by
different official authorities. There are 7 levels on the INES scale:

• Major accident - Maximum credible accident (7)

• Serious accident (6)
• Accident with off-site risk (5)
• Accident without off-site risk (4)
• Serious incident (3)
• Incident (2)
• Anomaly (1)
• Deviation, no safety relevance (0)

22
 Nuclear Safety Assessment Concept

Identification of safety issues

Ranking of safety significance of the issues

Decision-making in corrective measures and their
feasibility

 PSA Technology can be effective tool in decision making

processes

23

Probabilistic Safety Assessment (1)

PSA, or Probabilistic Risk Assessment (PRA) is a systematic and comprehensive
methodology to evaluate risk associated with a nuclear installation

Risk is the potential harm that may arise from some present process or from
some future event. In everyday usage, "risk" is often used synonymously with
"probability", but in professional risk assessments, risk combines the
probability of a negative event occurring with how harmful that event would be,
i.e. the consequence

Prevention of NPP specific risk requires:

• Efficient control of the chain reaction ad hence the power produced
• Fuel cooling assured under thermal hydraulic conditions designed to maintain fuel clad
integrity and
• Containment of radioactive products in the fuel, but also in the primary coolant, in
reactor coolant system (RCS), in the reactor building constituting the containment or in
other parts of the NPP unit

24
 Probabilistic Safety Assessment (2)

Engineering definition of risk:

Philosophy behind NPP safety justification: some bare essentials: UK example (1)
• (“The Tolerability of Risk from Nuclear Power Stations”, ISBN 0 11 886368 1, HSE, Sheffield, UK,
1992)

• “Tolerability” does not mean acceptability. It refers to a willingness to live with a risk so as to secure
certain benefits and in the confidence that it is being properly controlled. To tolerate a risk means
that we do not regard it as negligible or something we might ignore, but rather as something we
need to keep under review and reduce still further if and as we can. For a risk to be “acceptable” on
the other hands means that for purpose of life or work, we are prepared to take it pretty well as it
is”.

• Effectively, there are three components to be considered in estimating any risk:

 the probability (whether there is a high risk or not);
 the event to which probability attaches; and
 the severity of the consequences
25

Probabilistic Safety Assessment (3)

Philosophy behind NPP safety justification: some bare essentials: UK (2)

(Proportion: 106 is about the number of sugar grains in a half of kg  1 in 106

is the chance of picking out a specific grain)

 To learn that over 5 000 people are killed each year by traffic does not prevent us
from using the roads, though it warns us to be cautious

 A woman who wants a child will not change her mind if she learns that the average
chance of her dying as a result is of the order of 1 in 104 (probability of dying is 10-4).

 There is a chance of 1 in 10 000 000 000 each year that anyone of us will be killed by
lightning (1 in 107; LDF=10-7 per lightning year). Because lightning generally kills only
one person at a time, and the risk to each of us is very low, we treat it as negligible: i.
e. apart from taking certain simple precautions the possibility of dying in this way
does not influence our behaviour.

26
 Probabilistic Safety Assessment (4)

Philosophy behind NPP safety justification: some bare essentials: UK example (3)

 Societally regulated risk

• When risks are regulated by society, the relevant judgements cease to be in the hands of the
individuals who bear the risk. The risks will be shifted around, so that some people bear
more and others less of them; and the benefits may also be unevenly distributed. E. g., the
building of any dam imposes risk on people nearby whereas the benefits are shared by
people living further away.

• Levels of fatal risk (risk of deth, average figures, approximated, per year)

1 in 100 (Death Frequency, DF=10-2): from five hours of solo rock climbing every vweekend
1 in 103 (DF=10-3): due to work in high risk groups within relatively risky industries (mining)
1 in 104 (DF=10-4): general risk of death in a traffic accident
1 in 105 (DF=10-5): in an accident at work in very safest parts of industry
1 in 106 (DF= 10-6): general risk of death in fire or explosion from gas at home
1 in 107 (DF= 10-7): by lightning

27

Probabilistic Safety Assessment (5)

Qualitative safety (risk) assessment
 The severity of the consequences and their likelihood of occurrence are both expressed
qualitatively (e. g. through words like high, medium, low)

Quantitative safety (risk) assessment
 Risk is characterized by two quantities:
1. Probability of occurrence of each consequence
2. Magnitude (severity) of the possible adverse consequence
 PSA; consequences are expressed numerically (e. g. number of people potentially
hurt or killed) and their likelihoods of occurrences are expressed as probabilities or
frequencies (i .e. the number of occurrences or the probability of occurrence per
time unit)
 The total risk is the sum of the products of the consequences x by their probabilities
PSA usually answers three basic questions:
1. What can go wrong with the studied NPP unit, or what are the initiators or initiating events
(undesirable starting events) that lead to adverse consequence(s)?

2. What and how severe are the potential damages, or the adverse consequences that the NPP unit
may be eventually subjected to as a result of the occurrence of the initiator?

3. How likely to occur are these undesirable consequences, or what are their probabilities or
frequencies?
28
 Probabilistic Safety Assessment (6)
1. What can go wrong with the studied NPP unit, or what are the initiators or initiating events (IE -
undesirable starting events) that lead to adverse consequences (core damage or large early release, i.
e. the rapid, unmitigated release of airborne fission products from the containment to the environment
occurring before the effective implementation of off-site emergency response and protective actions )?

The answer requires technical knowledge of the possible causes leading to damaging outcomes of a given
activity or action. In order to focus on the most important initiators while screening out the unimportant
ones, logic tools like Master Logic Diagrams (MLD) or Failure Modes and Effects Analyses (FMEA) have been
successfully used.

2. What and how severe are the potential damages, or the adverse consequences that the NPP unit may be
eventually subjected to as a result of the occurrence of the initiator?

The answers is obtained by developing and quantifying accident scenarios, which are chains of events that
link the initiator to the end-point damaging consequences as well as from deterministic analyses (e.g.,
thermal, fluid, structural or other engineering analyses). Those describe the phenomena which could occur
along the path of the accident scenario when the initiator and the other subsequent events (through the
damaging consequences) take place.

3. How likely to occur are these undesirable consequences, or what are their probabilities or frequencies?

The answer is obtained by using Boolean Logic methods for model development and by probabilistic and
statistical methods for the quantification portion of the model analysis, fault tree analysis and event tree
analysis.

29

Probabilistic Safety Assessment (7)

Fault tree analysis
• Fault Tree is a deductive logic diagram that depicts how a particular undesired event
can occur as a logical combination of other undesired events

Safety System 1 Fails An undesired effect is taken as the top event of a tree of
logic. Then, each situation that could cause that effect is
OR
added to the tree as a series of logic expressions. When
fault trees are labelled with actual numbers about
Support System 11 Fails Support System 12 Fails component reliability data (parameters), computer programs
Basic
Event can calculate top event probabilities from fault trees.
AND 10 AND

Basic Basic Basic Basic OR Relcon: Risk Spectrum

Event Event Event Event
11 13 11 13 EPRI: CAFTA
Basic
Event
12
Basic
Event
Basic
Event
INPO: SAPHIRE
14 15

Any combination of component failures causing the topevent is called a cutset. A minimal cutset is
the smallest combination of component failures causing the top event.

30
 Probabilistic Safety Assessment (8)

Event Tree Analysis

Initiating Safety Safety Safety

Consequences
Event System 1 System 2 System 3

Available
Consequence A
Available

Consequence B
Available Fails

Consequence B

Fails
Consequence C

Consequence D
Fails

31

Probabilistic Safety Assessment (9)

The model

 Initiating event (IE) selection

 Accident sequences for each selected IE
 Consequences
 Event /fault trees for graphical and logical representation of accident
sequences
 Data analysis
 Quantification of the model

32
 Probabilistic Safety Assessment (10)

Quantification of the model

 IE frequency (number of events per year):

Number of Events / Total Observed Time (years)

 Basic events failure parameters:

• failure rate (number of failures per time unit)
• repair rate
• probability per demand
• test intervals
• mission time
• others

33

Probabilistic Safety Assessment (11)

Challenging issue of (statistical) data to be used in the analyses:

• Plant specific data. In cases when the probability of an event is well known from
past experience, statistical data can be used if the uncertainty in these data are
acceptably low (data from the plant being analyzed).
• Generic data. In other cases the relevant data, e. g. component failure frequency is
estimated by expert judgment based on engineering knowledge and experience (US
NRC, IAEA, IEEE, EPRI, INPO, others).
• Rare events data. For rare events (e.g., system failures), for which there is no past
failure experience at all or the data are very sparse, probabilistic failure models are
developed with deductive logic tools like fault trees, or inductive logic tools like
reliability block diagrams (RBD) and FMEAs.

Other very important analysis tools in PSA

• Human reliability analysis (HRA): deals with methods for modelling human error
• Common-cause failure analysis (CCF): methods for evaluating the effect of inter-
system and inter–component dependencies (dependent failures), which tend to cause
significant increases in overall system or facility risk

34
 



Core Damage Frequency

1,E+01
1,E+00
1,E-01
1,E-02
1,E-03
1,E-04
1,E-05
1,E-06
1,E-07
1,E-08
1,E-09
1,E-10
DS-RUPT 1,0E-06
TE 1,0E-02 7,6E-07
TM 1,7E+00 4,9E-07
A-1B 2,0E-05 4,1E-07
PCB1 1,1E-02 3,7E-07
TTA 8,0E-01 3,1E-07

 EPRI: CAFTA
CCI-HZ15+16 1,8E-03 3,0E-07

Calculations

TSA 5,0E-01 2,5E-07

 INPO: SAPHIRE
AE B2/014&B2/02 2,0E-04 2,4E-07
CCI-HZ18 1,8E-02 2,2E-07

Computer codes
TT 2,0E-01 1,6E-07
S1-1T 1,0E-04 1,5E-07

Sensitivity analysis
CCI-ICC 2,5E-04 1,3E-07

 Relcon: Risk Spectrum

Uncertainty analysis
Importance analysis
TS 1,0E-03 1,2E-07
AE B2/02 2,0E-04 1,0E-07
S1-AF 3,0E-05 8,2E-08
A-4W 5,0E-05 8,1E-08
 Simple for small ET/FT

S1-4W 5,0E-05 7,2E-08

A-4S 5,0E-05 7,2E-08
S1-4S 5,0E-05 7,2E-08
S1-2 2,0E-05 6,7E-08
 Core Damage Frequency (CDF)

AE-TH 2,0E-03 6,1E-08

Example of risk topography

S1-1G 2,0E-05 5,7E-08
 Minimal cut sets and probabilities

S1-1B 2,0E-05 5,3E-08

TCHCS 1,0E-01 4,9E-08
S3 2,0E-03 4,7E-08
A-4S.TRANS 2,6E-05 3,9E-08
AE SWS 1,0E-04 3,3E-08

Risk Topography

Initiating Events
A-1T 2,0E-05 3,2E-08
CCI-SWS 2,0E-05 2,2E-08
S2-2 5,0E-04 1,6E-08
GDH-BLOCK 1,0E-04 1,6E-08
MSRVM 1,0E-04 1,4E-08
TD 5,0E-04 1,0E-08
• Boolean algebra logical operations (see Appx 1)

TDL 5,0E-02 9,8E-09

S2-4W 3,0E-04 9,7E-09
AE-D212 1,0E-04 8,0E-09
TF 5,0E-02 7,7E-09
S2-3 2,0E-04 6,8E-09
CCI-HZ13+15 1,8E-03 6,4E-09
Probabilities of top events, sequences and consequences

CCI-HZ19 1,8E-02 5,2E-09

CCI-HZ11+12 1,8E-03 4,6E-09
CCI-HZ13+16 1,8E-03 4,1E-09
AE-D213 1,0E-04 3,8E-09
 For large and complex systems: special approximate algorithms used

AE A2/074 3,0E-04 2,5E-09

CCI-HZ11+15 1,8E-03 2,3E-09
S2-ECCS 3,0E-05 9,7E-10
S2-1B 1,0E-05 3,2E-10
S2-1T 1,0E-05 3,2E-10

Probabilistic Safety Assessment

Probabilistic Safety Assessment

S2-4S 3,0E-04 2,8E-10

AE B2/014 2,0E-04 2,6E-10

(13)
(12)

CDF
IE freq.

36
35
 Probabilistic Safety Assessment (14)

Mathematical interpretation of risk topography

 Total Core Damage Frequency
n
CDF = ∑F
i =1
i
IE
× Pi SS

where
F is initiating event frequency
P is probability of safety system failure

37

Probabilistic Safety Assessment (15)

PSA can be performed for
• Internal IE
hardware or system failures or operator errors in situations arising
from the normal mode of operation of NPP, e. g.:
 LOCA (large, medium, small, …)
 Loss of Offsite Power (LOOP)
 Steam Line Break (SLB)
 Steam Generator Tube Rupture (SGTR)
 Support system initiators
 Other transients
 …
• External IE
outside the domain of normal operation of NPP: earthquakes,
lightnings, fires, floods, and tornados

• Based on the above, PSA of a NPP provides

 a comprehensive, structured approach to identifying failure scenarios and deriving
numerical estimates of the risks to plant staff and members of the public as well
 a systematic approach to determining whether safety systems are adequate, the plant
design balanced, the defence in depth requirement have been realized and the risk as
low as reasonably achievable

38
 Probabilistic Safety Assessment (16)

PSAs are normally performed at the following three levels:

 Level 1 PSA, which identifies the sequences of events that can lead to core damage,
estimates core damage frequency (CDF ) and provides insights into the strengths
and weaknesses of the safety systems and procedures provided to prevent core
damage
 Level 2 PSA, which identifies the ways in which radioactive releases from NPP can
occur and estimates their magnitudes and frequencies. This analysis provides
additional insights into the relative importance of accident prevention and mitigation
measures such as reactor containment.
 Level 3 PSA, which estimates public health and other societal risks such as
contamination of land or food

PSA is normally performed also for

 Full power operation (PSA)
 Low power level and shutdown states (SPSA)

39

Probabilistic Safety Assessment (17)

Main Benefits of PSA
 Estimates risk level of the plant
 Identifies dominant event sequences affecting safety of the plant
 Identifies systems, components and human actions important for safety
 Provides decision support in various application areas

Main Limitations of PSA

 Binary representation (success or failure, intermediate states are also
possible, but not treated)
 Time treatment (chronology of events instead of actual timing)
 Aging effect is ignored or considered insufficiently
 Uncertainty of numerical values (due to completeness, modeling accuracy
and input data uncertainties)

40
 Probabilistic Safety Assessment (1)

Reactor Safety Study WASH-1400 and subsequent conducted NPP

PSAs had a tremendous impact on thinking of nuclear safety experts.
Two major insights from WASH-1400 were

 Prior thinking was that (no quantified) frequency of severe core damage
was extremely low and the consequences of such damage would be
catastrophic. WASH-1400 calculated a CDF in the order of 10-4 to 10-5
per reactor year, a much higher number than anticipated, and showed
that the consequences would not always be catastrophic

 A significant failure path for radioactivity release that bypasses the

containment was identified Traditional safety analysis methods had
failed to do so

41

Risk Informed Decision Making Concept (1)

Traditional deterministic approach (1)

 Principles of deterministic decision making
• The doctrine of determinism assumes that any failure has a cause and can be
explained. There are no random failures! It is a matter of knowledge to identify
and explain the cause of any event or effect
• Another fundamental concept of deterministic doctrine is that everything could be
understood by analysis
• Potential danger of nuclear reactors lead to the need of safety analysis

 Defense in depth quality of NPPs, 5 levels (slide 18)

 Broader concept of defence in depth principle: IAEA, SS No.75 – INSAG-3
• Conservative design, QA, safety culture
• Control of abnormal operation and detection of failures
• Safety and protection systems
• Accident management and confinement protection
• Off-site emergency response

42
 Risk Informed Decision Making Concept (2)

Defence in depth principle
 Defence in depth employs successive compensatory measures to prevent
accidents or mitigate damage if a malfunction, accident or naturally caused
event happens in a nuclear facility
 It will ensure that safety will not be wholly dependent on a single element of
the design, construction, maintenance or operation of nuclear facility

Some issues in deterministic approach
 Deterministic approach is very effective to achieve very high safety level.
However, its main disadvantage is that it might be not efficient regarding the
use of resources (human, financial, others) based on the risk and its impact
 The risk profile produced by deterministic principles has very high range. This
is natural, because the same criteria are applied to both high risk
systems/components and low risk systems/components
• Not proportional to importance of a problem

43

Risk Informed Decision Making Concept (3)

An Improvement of decision making based on deterministic approach is Risk
Informed Decision Making (RIDM)

Some essentials of RIDM
 Risk-informed approach uses risk values (qualitative or quantitative) to determine
safety requirements
 Risk values are provided by probabilistic safety assessment (PSA) study
 RI approach is not an alternative to deterministic approach, but it is a
complementary to deterministic approach
 The use of PSA results as the sole figure of merit cannot be recommended, as it would
be risk-based decision making process
 In RIDM, fundamental deterministic safety principles, mainly defense-in-depth and
sufficient safety margins, have to be maintained, even if probabilistic evaluation would
indicate already high enough safety level
 The main elements of RIDM framework
• Defence in depth philosophy is fully maintained
• Insights from PSA
• Knowledge from NPP operation experience/feedback

44
 Risk Informed Decision Making Concept (4)

CDF criterion in PSA application
 Main criterion for risk-informed optimization applications is CDF
 In general, any modifications cannot cause increasing of the CDF
 US NRC allows, however, insignificant increase in CDF

Modification assessment based on CDF

Not acceptable
10

∆CDF

10

Acceptable
10 10

CDF
45

RIDM Example 1 (1)

Probabilistic safety criteria: safety goals, targets

 CDF<10 exp -4 per reactor year for existing NPPs

 CDF <10 exp -5 per reactor year for new or future NPPs
 Reactor protection failure probability <10 exp -5
 Safety system failure probability <10 exp -3
 Large early release frequency (LERF)<10 exp -6 per reactor year
 Screening criterion for external events <10 exp -7 per reactor year

46
 RIDM Example 1 (2)
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (1)
1 .7 0 E -3
1 .8 0 E -0 3 C D F d e cre a se d b y a fa cto r o f

1 .6 0 E -0 3 1 .9 66
1 .4 0 E -0 3

1 .2 0 E -0 3 8 .8 9 E -4
1 .0 0 E -0 3

8 .0 0 E -0 4

6 .0 0 E -0 4

4 .0 0 E -0 4

2 .0 0 E -0 4 2 .5 6 E -5

P re s m a ll re co n s tru ctio n P o stsm a ll re c o n stru ctio n P o s t g ra d u a l re c o n stru ctio n

(1 9 9 1 ) (1 9 9 3 ) (2 0 0 0 )

47

RIDM Example 1 (3)

PSA in Bohunice 1 and 2 Gradual Reconstruction Process (2)

PSA contributed to solving some challenging problems:

 Incorporation of generator switches into the main power supply
diagram (1)
• 15. 75 kV generator switches (GS) should have been incorporated into the
main power supply diagram within basic engineering reconstruction stage
• Some other ways of increasing reliability of preferable supplying power to
emergency distribution sections were proposed (1):
 doubled interconnecting circuit breakers between preferable and emergency
power distribution sections
 reconstruction a nearby hydro power plant supposed as another electric
power source

48
 RIDM Example 1 (4)
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (3)

 Incorporation of generator switches into the main power supply

diagram (2)
• Some other ways of increasing reliability of preferable supplying power to
emergency distribution sections were proposed (2):
• consistent dividing emergency and vital power supply distribution sections
into two independent separate redundant trains
• modifications in alternative (reserved) power supply of 220/110/6 kV and
several other measures

 Two comparative PSA studies were developed: A & B

• A: all the above measures, but without GS  CDF= 2, 85 exp -4 /reactor year
• B: all the above measures with GS  CDF= 2, 57 exp -4/ reactor year
• Introducing symptom orientated EOP: even lower value of CDF

49

RIDM Example 2
PSA in Bohunice 1 and 2 Gradual Reconstruction Process (4)

Extension of AOT of motorgenerator (MG)

 On the basis of PSA model after the Gradual Reconstruction, a national

engineering company and the utility proposed an extension of AOT of MG
from the original value of 8 hours ( basic risk r0 increase by a 0. 001 %) to
a value of 120 hours ( r0 increase by 0, 14 %)

 Regulatory body (RB) was considering permitting AOT extension to a value of

24 hours ( r0 increase by 0, 028 %, i. e. 5x lower value)

 Final standpoint of the RB and decision made: when decision-making,

current practice at performing maintenance work within the plant taken into
account: permission to extend AOT to 36 hours issued;  r0 increase by a
value between 0, 028% and 0, 084%, which is the value approximately 2 up
to 5 x lower than value of risk increase when AOT=120 hours

50
 RIDM Example 3 (1)
PSA in Bohunice 3 and 4: AOT of Components & Systems (1)

Technical specifications

 LCO, particularly AOT of safety related

systems/components
Bohunice 3 and 4: AOT are based on deterministic methods or
engineering judgements, i.e. the basis does not incorporate PSA and
risk-based insights

 Efforts undertaken by the utility and the RB to explore possibilities

and means of improving the content and format of the existing AOT

51

RIDM Example 3 (2)

PSA in Bohunice 3 and 4: AOT of Components & Systems (2)

RB reviews and approves any modifications to plant’s LCO

 The utility was assigned the task of submitting justification for all the
outage times of components and systems permitted by the LCO
including times determined for transition of NPP unit, when the
limiting condition is not fulfilled, to an operational regime of higher
number

 The required warrant had to be based and performed by using PSA

technology

52
 RIDM Example 3 (3)
PSA in Bohunice 3 and 4: AOT of Components & Systems (3)

The proposed AOT changes are expected to meet the
following essential principles:

 Meet the current regulations

 Consistent with defense-in-depth philosophy
 Maintain sufficient safety margins
 When they result in increase in CDF, the increase should
be small and consistent with the intent of the safety goal
policy

53

RIDM Example 3 (4)

PSA in Bohunice 3 and 4: AOT of Components & Systems (4)

Full power/Shutdown PSA are developed for all NPPs in

Slovakia

 Comparison of results from full power PSA and SPSA:

potential TecSpecs conflict between requirements for operating ability
of a safety system and AOT extension of it or its component

 All Slovak NPPs and their LCO including AOT have been
designed on deterministic basis
? to shutdown the unit OR to accept a risk
increase for a limited period of time ?

54
 RIDM Example 3 (5)
PSA in Bohunice 3 and 4: AOT of Components & Systems (5)
Allowable Outage Times

• When a component failure covered by LCO occurs, it can be under

repair either during power operation or after shutdown

• To make a decision on the optimal strategy, the risk for these two
cases should be compared taking into account both the outage risk
and the shutdown risk

• Several methods to calculate and limit the risk available

55

RIDM Example 3 (6)

PSA in Bohunice 3 and 4: AOT of Components & Systems (6)

AOT can be calculated e. g. by the following formula:

AOT ≤ CDP (i)sd / CDF (i) – CDF (0) , where

CDP (i)
sd is CD probability for manual shutdown including the cooling down and
follow-up startup of the reactor when component i is unavailable
CDF (0) is CDF under normal power operation, when none of the components
concerned is unavailable, i. e. baseline risk
CDF (i) is CDF under continued operation, when component i is unavailable

Obtained more conservative results than when using “acceptable risk in continued
operation” as multiple CDF (0) reference value of risk (baseline risk)

56
 RIDM Example 3 (7)
PSA in Bohunice 3 and 4: AOT of Components & Systems (7)

Some examples of proposed AOT changes

 Hydroaccumulators, HP & LP of ECCS, spray system, EFWS,

essential service water system, electric power output system,
station service load power supply system, emergency / vital electric
power systems, ESFAS, and some other systems

 Two principles applied:

• The calculated value of AOT modified in a value usually used in LCO (8

hours, 24 hours, 3 days, 14 days, 21 days ...): the closest but shorter than
calculated value proposed
• If a calculated value of AOT is longer than 7 000 hours, proposed to allow
the component unavailability unlimited

57

RIDM Examle 3 (8)

PSA in Bohunice 3 and 4: AOT of Components & Systems (8)

Hydroaccumulators (ACCUM), 4 within reactor unit:
 Current AOT for Regime 1, 2, 3:
• All 4 ACCUM shall be operable
• One ACCUM allowed inoperable for 72 hours max.
• One another ACCUM allowed inoperable for 1 hour max.
If the LCO is not fulfilled, the unit shall be in 24 hours transferred to
regime 4

 Calculated and modified AOT changes:

• All 4 ACCUM shall be operable
• One ACCUM allowed inoperable for unlimited period of time
• One another ACCUM allowed inoperable for 24 hours max.

 Final proposal into LCO:

AOT =24 hours for any two of the four ACCUM
58
 RIDM Example 3 (9)
PSA in Bohunice 3 and 4: AOT of Components & Systems (9)

HP & LP of ECCS:

 Current AOT for Regime 1, 2, 3:

• All 3 HP (3x2 pumps) and 3 LP(3x1 pump) trains (3) shall be operable
• One HP and one LP system of the same train allowed inoperable for 72 h max.
• Before scheduled outage of a HP or a LP system, other 2 trains shall be tested
• After tripping a HP or a LP system, other 2 trains shall be tested in 4 hours
If the LCO is not fulfilled, the unit shall be in 24 hours transferred to regime 4

 Calculated and modified AOT changes:

• All 3 HP & LP trains incl. tanks, pumps, routs, valves and DG shall be operable
• One HP and one LP of the same train allowed inoperable due to repair/test
for 21 days max.
• Before scheduled outage of a HP or a LP system, other 2 trains shall be tested
• After tripping a HP or a LP system, other 2 trains shall be tested in 4 hours

59

RIDM Example 3 (10)

PSA in Bohunice 3 and 4: AOT of Components & Systems (10)

Emergency & Vital Electric Power Supply Systems:

 Current AOT for Regime 1, 2, 3, 4:

• All 3 trains of EPSS / VPSS shall be operable
• One EPSS / VPSS of the same train allowed inoperable for 72 hours max.
• Before scheduled outage of a DG, other 2 DG shall be tested on 3 minute run
• After tripping a DG, other 2 DG shall be tested in 4 hours on 3 minute run
If the LCO is not fulfilled, the unit shall be in 48 hours transferred to regime 5

 Calculated and modified AOT changes:

• All 3 trains of EPSS / VPSS shall be operable

• One EPSS / VPSS of the same train allowed inoperable for 72 hours max.
except one (of 3) 6kV EPSS section, which allowed inoperable for 8 h max.
• Before scheduled outage of a DG, other 2 DG shall be tested on 3 minute run
• After tripping a DG, other 2 DG shall be tested in 4 hours on 3 minute run

60
 RIDM Example 3 (11)
PSA based Bohunice Risk Monitor Project (1)

Equipment Out Of Service (EOOS) Monitor™

 Software developed under EPRI’s R&R Workstation Program, applied by SAIC in co-
operation with national engineering companies in many countries

 Dynamic tool performing real-time calculations of plant risk

• to evaluate on-line maintenance schedules to minimize high risk configurations
• to monitor component outages, changes in AOT, repair and maintenance
strategies including surveillance test intervals

 The basis: model and outcome of PSA L1 conducted when updating the SAR after 10
years of operation within periodic safety evaluation process

 The model and results of SPSA incorporated into the EOOS MonitorTM under
sponsoring by EC within a PHARE project

61

RIDM Example 3 (12)

PSA based Bohunice Risk Monitor Project (2)

EOOSTM monitor screen of plant risk shows:

 plant current information

 safety impact of changes in work activities or plant configuration

It helps operators to make decisions by means of:

 Plant Safety Index (changes in equipment status)

 Maximum time allowed in the relevant configuration
 List of current activities affecting plant equipment
 Ranked lists of in-/out-of service equipment
 Quick recalculating these safety measures for a variety of “what - if” kind of tests

62
 RIDM Example 3 (13)
PSA based Bohunice Risk Monitor Project (3)

Risk Meter colour regions versus operator actions:

Region Condition Operator Action

Green Low risk • Proceed normally
Yellow Small risk increase • Include safety assessment
insights in pre-shift meetings
Orange Intermediate risk • Invoke contingency actions
increase • Hasten the restoration of risk
important equipment
• Notify plant management
Red High risk increase • Notify plant management
• Suspend all new work orders
• Invoke contingency actions
• Hasten the restoration of risk
important equipment
63

RIDM Example 3 (14)

PSA based Bohunice Risk Monitor Project (4)

64
 Conclusions

Transition to risk-informed regulation is taking place gradually

Dependable PSA study with its realistic arguments is a helpful tool for the utility
to deal with nuclear safety issues, and, on the other hand, may significantly
contribute to setting requirements for regulatory applications as well

The use of risk and reliability-based techniques enables quantitatively evaluate

the risk impact and justify changes based on objective risk arguments

Application of PSA technology to operating NPPs has provided modelling

techniques and quantification tools that are sufficiently proven and allow use of
PSA for plant-specific decision making for existing NPPs as well as in design and
licensing for future plants

65

Some General Conclusions to RIDM

(formulated by Peter Kafka)

Risk-informed approach and RIDM simulate the real world with all the
determined, random and uncertain elements and parameters based on our state
of knowledge

They are based on the understanding of the system and component behaviour
implemented in deterministic codes and calculations

They integrate all the safety issues, and therefore allow rankings and
optimizations

They integrate design, manufacturing and operational aspects of safety
balancing over the life cycle of a system

They are supported explicitly (quantitatively) by our historical experience

They are quantitative, and therefore appropriate for sensitivity, importance and
optimization studies

They can be flexibly supported by codes of good engineering practices (e.g.
deterministic codes) to fulfill high safety standard design

66
APPX 1: Fundamentals of Boolean Algebra in PSA (1)

Boolean Algebra is a simple tool, methodology to find the minimal

combinations of failures that cause system failure: minimal cutsets

This is the first step in the assessment of the system failure

67

APPX 1: Fundamentals of Boolean Algebra in PSA (2)

OPERATIONS AND LAWS (1)
UNION:

VX VY

VX VY SYSTEM
FINAL STATE
S S 1= SUCCESS
S F 2= FAILURE
F S 3= FAILURE
F F 4= FAILURE

68
APPX 1: Fundamentals of Boolean Algebra in PSA (3)
OPERATIONS AND LAWS (2)

UNION:
E = { system states } = { 1,2,3,4 }
E
A B A = { system states that contain
3 4 2 failure of VX } = { 3,4 }

B = { system states that contain

1 failure of VY } = { 2,4 }

AUB
A U B = { system states that contain all
the failures of VX OR the failures of
VY } =

= { 2,3,4 } 69

APPX 1: Fundamentals of Boolean Algebra in PSA (4)

OPERATIONS AND LAWS (3)

UNION: A U B is normally written as A

SYSTEM + B and in fault tree notation it
FAILURE is represented by an OR gate

P (TOP) = P(A) + P(B) - P(AB)

Using the rare event approximation:
FAILURE OF FAILURE OF
P(AB) <<< 1
VX VY

A B
P(TOP) = P(A) + P(B)

70
APPX 1: Fundamentals of Boolean Algebra in PSA (5)
OPERATIONS AND LAWS (4)

INTERSECTION:

VX VZ S YST EM
F IN A L S TA TE
VX S S 1 = SU C C ESS
S F 2 = SU C C ESS
F S 3 = SU C C ESS
F F 4 = FA ILU R E

VZ

71

APPX 1: Fundamentals of Boolean Algebra in PSA (6)

OPERATIONS AND LAWS (5)

INTERSECTION:
E = { system states } =
{ 1,2,3,4 }
E
A C A = { system states that contain
failure of VX } =
3 4 2 { 3,4 }

C = { system states that contain

1 failure of VZ } =
{ 2,4 }

A C A C = { system states that

contain failure of VX AND failure of
VZ } = {4}
72
 APPX 1: Fundamentals of Boolean Algebra in PSA (7)
OPERATIONS AND LAWS (6)

INTERSECTION:

SYSTEM A C is normally written

FAILURE as A × C and in fault tree
notation it is represented
by an AND gate

P (TOP) = P(A) x P(C)

FAILURE OF FAILURE OF
VX VZ (Assuming that A and C are
independent)
A C

73

APPX 1: Fundamentals of Boolean Algebra in PSA (8)

OPERATIONS AND LAWS (7)
COMBINATIONS OF UNIONS AND INTERSECTIONS (1)

VX VY VZ SYSTEM
FINAL STATE
S S S 1 = SUCCESS
S S F 2 = SUCCESS
VX VY S F S 3 = SUCCESS
F S S 4 = SUCCESS
S F F 5 = FAILURE
F S F 6 = FAILURE
F F S 7 = SUCCESS
VZ F F F 8 = FAILURE

74
 APPX 1: Fundamentals of Boolean Algebra in PSA (9)
OPERATIONS AND LAWS (8)
COMBINATIONS OF UNIONS AND INTERSECTIONS (2)
E = { system states } =
{ 1,2,3,4,5,6,7,8 }
E
A B A = { system states that contain
4 7 3 failure of VX } = { 4,6,7,8 }
B = { system states that contain
8
6 5 failure of VY } = { 3,5,7,8 }
C = { system states that contain
1 failure of VZ } = { 2,5,6,8 }
2
C (A U B) C = { system failure
states } = { system states that
contain failure of VX OR VY, AND
failure of VZ } = ({ 4,6,7,8 }
(A U B) C U { 3,5,7,8 }) { 2,5,6,8 } =
{ 3,4,5,6,7,8 } { 2,5,6,8 } =

{ 5,6,8 } 75

APPX 1: Fundamentals of Boolean Algebra in PSA (10)

OPERATIONS AND LAWS (9)
DISTRIBUTIVE LAW

(A U B) C = (A C) U (B C)
SYSTEM SYSTEM
FAILURE FAILURE

FAILURE OF FAILURE OF
FAILURE OF FAILURE OF VX AND VZ VY AND VZ
VX OR VY VZ
C

FAILURE OF FAILURE OF FAILURE OF FAILURE OF FAILURE OF

FAILURE OF VX VY
VX VY VZ VZ

A A C B C
B

76
APPX 1: Fundamentals of Boolean Algebra in PSA (11)
OPERATIONS AND LAW S (10)
ABSORPTION LAW

A U (A B) = A

A B A B=C
C

A B
C CUA=A

77

APPX 1: Fundamentals of Boolean Algebra in PSA (12)

OPERATIONS AND LAWS (11)
LAWS OF THE BOOLEAN ALGEBRA

Commutative A+B = B+A AxB=BxA

Associative A + B + C = (A + B) + C = A + (B + C)
A x B x C = (A x B) x C = A x (B x C)
Distributive A x (B + C) = (A x B) + (A x C)
Idempotent A+A=A AxA=A
Null Set A+0=A Ax0=0
Universal Set A+1=1 Ax1=A
Absorption A + (A x B) = A

78
European Commission

EUR 22302 EN – DG JRC – Institute for Energy – PSA TECHNOLOGY AS A COMPLEMENTARY TOOL TO
SUPPORT DECISION MAKING IN NUCLEAR SAFETY

Luxembourg: Office for Official Publications of the European Communities

2006 – 54 pp. – 21 x 29.7 cm
Scientific and Technical Research Series

Authors:
J. Kubanyi , C. Kirchsteiger

Abstract
The report provides a brief overview of overall framework of Probabilistic Safety Assessment (PSA) technology
used in various applications to assess nuclear power plant (NPP) operational risk issues. Based on essential
nuclear power engineering/safety background and philosophy behind NPP safety justification, main terms of
quantitative risk assessment are discussed: basic aspects of Fault Tree (FT)/Event Tree (ET) construction,
modelling for graphical/logical representation of accident sequences, Initiating Events (IE) selection, issues of
consequences, data analysis and quantification of the model. Basic aspects of Risk Informed Decision Making
(RIDM) concept are explained and discussed.
The mission of the Joint Research Centre is to provide customer-driven scientific and technical support for the
conception, development, implementation and monitoring of EU policies. As a service of the European Commission,
the JRC functions as a reference centre of science and technology for the Union. Close to the policy-making
process, it serves the common interest of the Member States, while being independent of special interests,
whether private or national.