probabilistic safety assessment - eurosafe … · 2008-04-18 · p. 36 upcoming events ... core...

E U R O S A F E T R I B U N E

#012APRI

L20

08

P R O B A B I L I S T I CS A F E T Y A S S E S S M E N T

Risk assessmentRisk assessmentRisk assessmentRisk assessmentRisk assessment Design & constructionDesign & constructionDesign & constructionDesign & constructionDesign & construction Maintenance & upgradingMaintenance & upgradingMaintenance & upgradingMaintenance & upgradingMaintenance & upgrading Ageing managementAgeing managementAgeing managementAgeing managementAgeing management Research & developmentResearch & developmentResearch & developmentResearch & developmentResearch & development

Published jointly by GRS and IRSNas a contribution to the EUROSAFE initiative

2

EUROSAFE Tribune

C O N T E N T S

R I S K A S S E S S M E N TProbabilistic Safety Assessments:Going beyond design limits .................... p. 4

Probabilistic and deterministic approaches:taking advantage of the right mix .......... p. 7

R E G U L AT I O N A N D P R A C T I C EProbabilistic safety assessment:Uses within nuclear regulation andpractice ................................................. p.10

P E R I O D I C S A F E T Y R E V I E W SThe specific roles of PSA and PSR:a Swedish regulatory perspective ........ p. 13

M A I N T E N A N C EPlant optimisation and optimum maintenanceplanning as a result of PSA .................. p. 16

L O W P O W E R & S H U T D O W NThe significance of PSA forlow-power and shutdown states .......... p. 19

U P G R A D I N GBackfitting and modifications of nuclearpower plants –An important PSA application ............... p. 21

SERVICE LIFE & AGEINGApplying PSA to assess nuclear facilityageing .................................................. p. 24

N E W R E A C T O R D E S I G NProbabilistic safety assessment:a powerful tool to hone new reactordesign .................................................. p. 27

S E I S M I C R I S KSeismic PSA:a state-of-the-art tool for updatingearthquake-specific regulatoryguidelines ............................................. p. 30

F I R E R I S KReducing uncertainty:how fire research supports PSA and riskmanagement ........................................ p. 33

D I A G N O S T I CThe benefits of risk-based, computeriseddiagnostic tools in the verification of theindustry’s safety assessments ............. p. 36

U P C O M I N G E V E N T S............................................................. p. 39

3

EUROSAFE Trib

une

T O O U R R E A D E R S

Lothar Hahn and Jacques Repussard

T he need for going beyond the ‘traditional’ approach used asthe sole safety assessment basis for designing and operatingnuclear facilities was largely evidenced by the TMI reactor

core melt accident in 1979. Based on the analysis of a limitednumber of accident sequences with conservative assumptions,deterministic assessments had proved insufficient to give acomprehensive view on the plant’s safety.Another approach, aimed at assessing the frequency of anundesirable event by identifying all the accident sequencesconducive to this event and combining the probabilities of theelementary events likely to trigger each sequence, was thenimplemented to supplement the deterministic assessment method.Called ‘probabilistic safety assessment’ (PSA), this approachprovides an integrated model developed using best-estimateassumptions and gives a balanced view of the relative importanceof initiating events, the failure of the structures, systems,components and the human errors modelled in the analysis.Whereas deterministic analysis is a powerful tool to specify thedesign based on a limited number of transients, PSA aims atcovering the whole range of situations and allows to evaluate theweight of uncertainties on the range of the results. The former isthus suited to specify legally binding design requirements whenlicensing a nuclear power plant, and the latter more appropriate toprovide insights into the existing safety margins for eventsequences with low probabilities.The present issue of The EUROSAFE Tribune provides an overviewof the implementation of PSA at different stages of the life cycle ofnuclear facilities from various perspectives – e.g. regulatory body,TSO, designer, operator… We wish you pleasant reading.

4

EUROSAFE Tribune

By Marina Röwekamp (GRS), Jeanne-Marie Lanore (IRSN),and Pieter De Gelder (AVN)

R I S K A S S E S S M E N T

PROBABILISTIC SAFETY ASSESSMENTS:GOING BEYOND DESIGN LIMITS

>>>>>A non-dissociable part of any safetyanalysisUntil 1975, when first experience wasgained with a Probabilistic Safety As-sessment (PSA) and published in theUSA, the safety demonstration of nu-clear power plants was purely deter-ministic (1), based on the analysis of alimited number of accident sequenceswith conservative assumptions.Originally aimed at comparing the riskassociated with nuclear power to otherrisks, the first PSAs raised real interestafter the Three Mile Island reactorcore melt accident since they had pre-dicted this type of accident with a non-negligible probability.Beyond providing overall results, themain benefit of PSAs rests with theirability to identify and rank the possi-ble risk causes, thus giving a compre-hensive view on plant safety. This iswhy PSAs were increasingly developed

Developed first in the USA in 1975, Probabilistic Safety Assessments (PSA) are primarily used to determinewhether or not there are any relative weaknesses in the design or operation of a nuclear power plant. Thisis achieved by determining the relative importance of structures, systems, components and human actionswith respect to the risk considered. A PSA thus provides insights that are not available from the determin-istic analyses, limited to design assumptions.

and used, and are now considered as auseful part of many safety analyses.

>>>>>Providing a balanced view of risksand weaknessesAimed at assessing the frequency of anundesirable event (see box and Fig. 1),a PSA first consists of identifying allthe accident sequences conducive tothis event and of combining the prob-abilities of the elementary events likelyto trigger each sequence. PSAs com-plement this way the safety approachbased on deterministic analyses and of-ten also on prescriptive requirements.The deterministic approach relies onconservative assumptions, the analysisof a set of faults that are thought to bebounding and the application of con-ventional safety criteria. By compari-son, the PSA starts with as completeas possible a set of initiating events andhazards, and aims at identifying all the

(1) See Balance between PSA and Deterministic Approaches, by H.P. Berg (BfS) on page 7.

Dr. Marina RöwekampGesellschaft für Anlagen- undReaktorsicherheit (GRS),Germany

5

EUROSAFE Trib

une


accident sequences that could lead tocore damage or a release of radioactiv-ity to the environment. The PSA pro-vides an integrated model developedusing best-estimate assumptions, andgives a balanced view of the relativeimportance of initiating events, thefailure of the structures, systems, com-ponents (SSCs) and the human errorsmodelled in the analysis.

>>>>>Relying as far as possible onoperating experienceTheoretically, there are a number ofways of carrying out a PSA. The usualapproach is to use appropriate logicalmodels called event trees and fault treesto identify the combinations of failuresthat can occur, leading to the undesir-able events. Although various combi-nations of fault trees and event treescould be used, all the approachesshould produce similar results.The data used in a PSA (e.g. frequencyof initiating events, probability of com-ponent and human failures) rely as faras possible on operating experience, ona national and/or international basis.Particular attention should be paid todata – such as common-cause failuresand human reliability – which mayhave a large impact on the results andare difficult to collect or assess.

>>>>>Uncertainties: making knowledgelimitations more visibleUncertainties are obviously inherentin PSA results and should therefore beconsidered as highly significant for thecredibility of the results and as a sup-port to decision-making. Uncertaintyand sensitivity analyses are thereforeuseful to empower the PSA results.

In this respect, it has to be noted that alarge part of PSA uncertainties are infact due more generally to knowledgelimitations. Uncertainties e.g. are grow-ing from Level 1 to Level 3, and uncer-tainties in a Level 2 PSA correspond tothe limits of knowledge relating to se-vere accidents physics and manage-ment. One of the virtues of PSAs is tomake these limitations more visible andto stimulate the on-going activities aim-ing at the reduction of uncertainties ina national or international context.

>>>>>An enlarged scope ofimplementationThe safety improvements resultingfrom the PSA applications lead to itsincreasing development worldwide forall the nuclear plants, at design or con-struction stage, and obviously in op-eration towards a continuous monitor-ing of safety (“Living PSA”). Moreover,the application of PSAs was, for a longtime, restricted mainly to nuclear re-actors, but there is a tendency towardsusing this approach for other nuclearfacilities. Due to the large number ofexisting PSAs, there is also a trend to-wards a harmonisation of methods byexternal peer reviews, intercompari-sons or set-up of standards, thus en-hancing the quality and credibility ofthe studies.

>>>>>An increased role in the licensing offuture NPPsThe framework of a PSA depends onthe country where it is implemented,i.e. whether or not probabilistic safetycriteria are available, and whether ornot a formal demonstration is required.However, the general trend is to

Pieter De GelderAssociation Vinçotte Nuclear(AVN), Belgium

Jeanne-Marie LanoreInstitut de Radioprotection et deSûreté Nucléaire (IRSN), France

6

EUROSAFE Tribune


use more and more the PSAinsights as a necessary complement tothe traditional safety analysis. Thiscombined approach, ca l led “RiskInformed Analysis”, is now widespread.The main applications take advantageof the particular strength of the PSAto determine whether or not there areany relative weaknesses in the designor operation of the plant. This isachieved by determining the relativeimportance of structures, systems,components and human actions withrespect to the risk by applying impor-

tance functions provided by recentPSA computer codes. This providesinsights that are not available from thedeterministic analyses.In recent years, there has been an in-crease in the use of PSAs by plant de-signers, operators and regulatory au-thorities for making decisions on safetyand regulatory issues throughout thelifetime of a nuclear power plant. Theuse of the PSA is likely to increase fur-ther and it will be even more promi-nent in the licensing of future nuclearpower plants.

The objective of a nuclear power plant PSAis the assessment of the frequency of anundesirable event. According to the currentterminology, the undesirable event can bedefined as core damage (referred to as a“Level 1 PSA”), a release of radioactivity tothe environment (“Level 2 PSA”), or theeffects on human health and society (“Level3 PSA”).

These three levels are in fact three steps ofthe same study:- A Level 1 PSA is a systematic analysis of

potential accident sequences startingfrom an initiating event and looking atthe performance of the safety systemsthat need to operate for preventing coredamage.

- A Level 2 PSA also considers theperformance of the containment and thesevere accident management measuresin preventing a release of radioactivity tothe environment.

- A Level 3 PSA considers the dispersion ofany radioactive material released todetermine its effect on human health andsociety.

As shown in the figure, the scope of the PSAis defined by the level of PSA carried out,the range of initiating events, and themodes of operation addressed.

Initiating events

Internal events(e.g.transients,

LOCA...)

Internal hazards(e.g. fire, flooding...)

External hazards(e.g. seismic, storm,

aircraft crash...)

Operating modes

Full power Low power Shutdown andrefuelling

Figure 1: The objectives and scope of probabilistic safety assessment

Level 1: core damage

Level 2: release of radioactivityto the environment

Level 3: effects on human healthand society

PSA level

7

EUROSAFE Trib

une


PROBABILISTIC AND DETERMINISTICAPPROACHES:TAKING ADVANTAGE OF THE RIGHT MIX

By Heinz-Peter Berg (BfS)

What realistic safety margins should be taken to operate a nuclear reactor in an as safe and effective wayas possible? Since they are suited to ensure that the design basis events and event sequences used in thedeterministic approach have been appropriately selected, probabilistic methods are considered as a usefulcomplement to use the operating experience.

>>>>>Probabilistic safety assessment:a major shift in safety decision-makingIn the past, the safety concept of nu-clear power plants as well as licensingdecisions by the competent authoritiesand their experts were mainly based ondeterministic principles such as safetyfeatures to prevent or control abnor-mal operating conditions and inci-dents, passive barriers against radioac-tivity releases in case of an incident,and redundancy and diversity of safetysystems to ensure high reliability.Safety decision-making at design andlicensing stages was essentially basedon the verification of compliance withtechnical requirements as laid down inrespective industrial and nuclear safetystandards. Boundary conditions for thesafety analysis, safety margins with re-gard to the prevention and control ofincidents as well as specific, partiallydetailed, requirements concerningsafety functions are thus deter-ministically postulated.

Due to improved databases and ana-lysing methods implemented in suit-able computer codes, methods basedon probabilistic safety assessment(PSA) are now considered to be mature,to be able to check deterministic de-sign assumptions within acceptablelimits of confidence and to provideinformation on plant vulnerabilitiesand potential weaknesses of operationand design.

>>>>>Deterministic analysis:a conservative approach to safetybased on limited situationsThe traditional approach to nuclearsafety is deterministic, in a sensewhere a preselected number of eventsor postulated event sequences have tobe considered. The results of the analy-sis are then checked against a numeri-cal target, e.g. a dose limit or a set ofcriteria including optimisation such asthe ALARA principle. This approachneeds two ingredients, the set of

Heinz-Peter BergGerman Federal Office forRadiological Protection,Bundesamt für Strahlenschutz(BfS), Germany

8

EUROSAFE Tribune


events to be considered on the onehand and, on the other hand, thephysical modelling and the technicaldata to assess these events. The selec-tion criteria for the events to be con-sidered, however, contain primarily re-quirements on the maximum loads forsystems and components. The use ofdeterministic reliability principles asspecific precautionary design meas-ures, e.g. physical separation and bar-riers or leak detection and protectionfeatures, allows decreasing the likeli-hood of the design basis accidents.

>>>>>Probabilistic analysis:taking uncertainty and sensitivityinto considerationA probabilistic analysis starts by defin-ing the detrimental end effects, forwhich probability estimates aresought. Such effects may include po-tential plant damage states (e.g. coremelting) or potential source terms forradioactive releases to the environ-ment. The next step is to identify rel-evant initiating events. For each initi-ating event, potential event sequencesare mapped modelling potential pathsto the detrimental end effect. Prob-abilities, e.g. for component failure, areassigned to each step in each se-quence. The end result will typicallybe an estimate of the overall probabil-ity of occurrence of the chosen detri-mental end effect, and the identifica-tion of those initiating events and se-quences that are predominant in thisoutcome.The main objectives are to check theoverall safety level of the plant andwhether or not the engineered safe-guards designed to cope with safety-

relevant incidents are well-balanced.The evaluation has to be performedtaking into consideration quantitativeas well as qualitative results of theanalysis reflecting dependencies andhuman interaction. Interpretation ofthe results includes uncertainty, sen-sitivity and importance analysis in anadequate way.

>>>>>In search of the right balanceAs shown in Table 1, deterministic andprobabilistic approaches complementeach other in many ways. Both meth-ods having their inherent strengthsand weaknesses, they should be usedas complementary tools when specify-ing and assessing the safety of nuclearpower plants, e.g. in case of fire safetyevaluation (see Table 2).It has been pointed out that a PSAhelps identify possible weaknesses ofthe plant design but also provideinsights into the existing safety marginsfor event sequences exceeding the designlimits. A further benefit of a PSA inthis context is to show the existingsafety margins correlating the originaldesign criteria and boundary condi-tions and the real operating experience(e.g. by comparing the expected loadson structures, systems and compo-nents with the actual situation overseveral years of operation). In thatsense, a PSA is a very useful tool tocomplement deterministic insights insafety evaluation.The deterministic approach is typi-cally better suited to specify legallybinding design requirements when li-censing a nuclear power plant. It alsoprovides valuable tools when speci-fying the robustness of the design,

9

EUROSAFE Trib

une


i.e. ensuring that the plant can copewith certain specified events andevent sequences with adequatesafety margins against unacceptableconsequences.Since probabilistic assessment pro-vides valuable insights into plant vul-nerabilities and major contributors to

risk, it is used to improve the determin-istic approach, e.g. to ensure that thedesign basis events and event se-quences in the deterministic approachhave been appropriately selected. Be-cause of these complementary aspects,a combination of both approachesshould be applied.

Comparison of deterministic and probabilistic tools

Table 1: Simplified comparison of the deterministic and probabilistic approaches

Table 2: Exemplary comparison of the deterministic and probabilistic approaches with respect to firesafety evaluation

Deterministic approach Probabilistic approach

Objectives

Initiatingevents

Systemreliability

Operatorbehaviour

Analysis

Analysis of the effectiveness of safety systems tocontrol postulated accidents and covering not explicitlyquantified events by additional margins anddeterministic principles

Limited to design basis accidents

A single-failure criterion is often considered as adesign criterion

- For t < T: no action is postulated (T = to 30 min)- For t > T: absence of operator errors is postulated

Conservative assumptions

Analysis and quantification of the likelihood ofinitiating events and associated event sequences byusing realistic success criteria for safety systems;quantification of uncer-tainties associated withreliability data

All potentially important events are included

Multiple failures and common-cause failures are alsoconsidered

Errors in diagnosis and errors of execution areconsidered in the accident sequence

As realistic as possible

Deterministic approach Probabilistic approach

The train with fire protection features does not fail randomly

The fire does not propagate between different fire compart-ments

Loss of offsite power is postulated simultaneously with fire

The train with fire protection features can fail randomly, with afailure probability based on operating experience

The fire can propagate between different fire compartments,assigning a failure probability to the different barriers

Loss of offsite power simultaneously with fire has notprobability one, but can occur randomly

10

EUROSAFE Tribune

R E G U L A T I O N A N D P R A C T I C E

>>>>>The use of PSA in the regulation ofseveral countries worldwideMost of the nuclear safety authoritiesregard the deterministic andprobabilistic approaches as comple-mentary, and seek to combine themin as an effective way as possible.However, depending on each particu-lar country, the role played by the PSAin regulation ranges from a very pre-cise legal framework to a very abstractsituation. Thus, in some countriessuch as Finland, the Netherlands orGreat Britain, the compliance withseveral probabilistic objectives mustbe evidenced, requiring PSAs to becarried out and formally approved,whereas in other countries such as theUnited States, probabilistic objectivesare given as an indication with no le-gally binding compliance require-ment. In the same way, the implemen-tation of a PSA is seldom required, butvery often encouraged. A non-exhaus-tive overview of the respective posi-tions of different nuclear safety au-thorities is provided below with par-ticular attention paid to the situationin the United States, where the con-

cept of “risk-informed regulation”,now used as an element of reflectionin most of the other countries, wasintroduced.

The United StatesThe “risk-informed” approach there isaimed at combining the advantagesbrought by the probabilistic approachwith those of the traditional determin-istic approach. It is thus a kind of in-termediate position between the de-terministic approach and a “risk-based” approach which would exclu-sively build upon probabilistic evalu-ations. In other words, the “risk-in-formed” approach incorporates simul-taneously the insights fromprobabilistic assessment and otherinputs to establish requirementsaimed at focusing the owner’s and thenuclear safety authority’s attentionon those design or operational issueswhich have the greatest importancefor public health and safety.

The NetherlandsThey are the only country where therespect of probabilistic objectives is le-

PROBABILISTIC SAFETY ASSESSMENT:USES WITHIN NUCLEAR REGUL ATION AND PRACTICEBy François Corenwinder (IRSN)

To which extent are probabilistic safety assessments used from a regulatory perspective in differentnuclear countries worldwide and, among others, in France? This article provides an overview of thecurrent situation.

François CorenwinderInstitut de Radioprotection et deSûreté Nucléaire (IRSN), France

11

EUROSAFE Trib

une


gally binding. Defined in the Eight-ies in terms of risk of death among thepopulation, these objectives distin-guish between two levels of risk:- the threshold below which the risk

is acceptable;- the threshold above which the risk

is unacceptable.Although these thresholds originallyapplied to all hazardous activities (e.g.nuclear, chemical, transport of dan-gerous goods, airports), it was decidedto formulate these objectives in a dif-ferent way with respect to the indus-try considered in particular. Concern-ing nuclear power production for in-stance, the lower threshold is nolonger regarded as the acceptablelimit, but as the limit to be reachedfor future facilities.PSAs are required both for approvingconstruction and for periodic safetyreviews. PSA results are primarilyused to check compliance with theprobabilistic objectives, but also tojustify safety improvements.The Dutch nuclear safety authorityevaluated the PSA simultaneouslywith their development. Moreover,one external review was requestedfrom the IAEA. Guides were draftedto carry out and assess the studies.

FinlandA legal request, PSA studies are con-ducted according to a scope of workand acceptable methods specified ina guide issued by STUK, the Finnishnuclear safety authority. Probabilisticcriteria, whose demonstration is re-quired, were defined to assess the re-liability of systems. Those pertainingto core melt and releases were defined

for future nuclear power plants. Sincethey are required by law, PSAs are sys-tematically reviewed by STUK andbecome part of an official documentdescribing the requirements related tothe performance of PSA studies.

CanadaProbabilistic objectives have been de-fined concerning the reliability of sys-tems. These are not comprehensive,but the incorporation of probabilisticcriteria into the regulation, in a moreformal way, is presently considered.The Canadian nuclear safety author-ity requires that compliance with theprobabilistic objectives related to thesystems be evidenced and carries outPSA reviews. The first reviews wereincorporated into guides issued eitherby international organisations such asthe IAEA or national safety bodiessuch as HSK, the Swiss nuclear safetyauthority. Guides drafted in Canadaare currently debated. Generallyspeaking, Canada aims at establishinga more formal process for the use ofthe probabilistic approach in the regu-lation.

JapanThe performance of PSAs is not for-mally required, nor is compliance withprobabilistic objectives. Nevertheless,the Japanese nuclear safety authorityclearly supports the performance oflevel 2 PSA studies at all nuclearpower plants and scrutinises the re-sults with utmost attention. Internaldocuments have been drafted for per-forming or reviewing PSAs, althoughno formal guide was issued on thismatter.

12

EUROSAFE Tribune


BelgiumThere are no probabilistic objectiveswhose respect must be evidenced bythe operators, nor is the Belgian nu-clear safety authority requested by lawto perform PSAs. There is rather anincentive to use them, in particular forperiodical safety reviews. There are noformal proceedings for PSA approval,but, as studies progress, a comprehen-sive evaluation process results in a re-port whose conclusions are then dis-cussed with the owner.

>>>>>The particular situation in FranceSince 1990, probabilistic safety assess-ments have commonly been used tocorroborate or supplement the tradi-tional deterministic safety analyses.ASN, the French Nuclear Safety Au-thority, consider the PSA as a valuabletool to support safety analysis and rec-ognise their contribution to improvingthe safety of nuclear power plants. Amajor advantage of PSA is to providea more exhaustive consideration ofsafety problems and to prioritise theissues to be tackled. However, no ex-cessive confidence should be placed inthe numerical results (particularly inabsolute values), and the uncertaintiesrelated to these results have to be con-sidered. Major uncertainties pertain tothe data, the assumptions and the lackof exhaustiveness.In addition, it should be underlinedthat, besides PSAs, different ap-

proaches can be adopted to accountfor risk in assessing safety: risk can alsobe allowed for in an implicit or rela-tive way, notably in deterministicsafety studies (e.g. defence in depth,safety margins). PSAs allow a specifi-cation of the concept of risk and pro-vide quantification for some types ofrisks. Beyond the difficulty linked toallowing for uncertainties, the use ofquantified probabilistic objectives isnot advisable, since compliance withsuch objectives may encourage licen-sees to consider that the safety levelin their facilities is sufficient, whereasthe goal of the Nuclear Safety Author-ity is not only to maintain safety butalways to seek to improve it.

View into the open reactor pressure vessel on thereactor core during maintenance

13

EUROSAFE Trib

une

P E R I O D I C S A F E T Y R E V I E W S

The Periodic Safety Review (PSR) proc-ess described in the Swedish SafetyRegulations (1) is based on the “looking-ahead principle” which is a way to pro-vide conditions for the future safe op-eration of the NPPs. Other aims are toshow and verify how the present regula-tions are fulfilled and how resistant thedesign and construction are against ac-cidents. The overall aims of PSRs are toprovide safety evaluations for 15 speci-fied areas (called SKIQ-15) in the regu-lation (see Table 1).The Integrated Safety Assessment proc-ess at SKI is structured to follow theSKIQ-15 areas in the annual safety as-sessment of all regulatory supervisionactivities, follow-up of operating experi-ence, and reporting to the Government.The PSRs are planned to follow thesame structure, to get better uniformityboth at licensees and at SKI.

THE SPECIFIC ROLES OF PSA AND PSR :A SWEDISH REGUL ATORY PERSPECTIVE

By Ralph Nyman (SKI)

After the TMI accident, the Swedish Parliament required in 1981 that all NPP operators should submitthorough periodic safety reviews (PSRs) every 8-10 years for each reactor unit. Probabilistic safetyassessments (PSAs) have no longer been part of the PSR process since 1998, when the SKIFS 1998:1regulation went into force. The Swedish Nuclear Power Inspectorate (SKI) considers today that PSRs haveto focus on how different regulations are fulfilled and what issues can challenge future operation, whereas,in the past, the flashback into the previous decade’s operating experience was considered as important forthe understanding of the present situation of the plants.

(1) SKIFS 2004:1 chap 4 §4.

Ralph NymanSwedish Nuclear PowerInspectorate,Statens Kärnkraftinspektion (SKI),Sweden

>>>>>How does SKI “look ahead” with PSRsSKI reviews the report submitted every8-10 years by a licensee in the followingmanner:- For each of the 15 PSR areas, a

judgement is made of the licensee’sanalyses of the present situation re-garding, among others, how regula-tions are fulfilled, the visions of thefuture considering planned or actualplant modifications, or fulfilment ofnew demands;

- Documents from the licensee are re-viewed and compared with SKI’sown documents (e.g. inspections, re-views, plant visits, investigation re-ports, operating experience, R&D);

- The plant’s safety barriers and levelsin the defence-in-depth at present areassessed, and a judgement about theconditions for safe operation over thecoming 10 years is derived from this.

14

EUROSAFE Tribune


The main focus in a review is placedon assessing the fulfilment of presentregulatory decisions and requirementsby the licensees.

>>>>>PSAs’ primary role in Sweden today:optimise the NPP modernisationprocessesAs stated in the introduction, the PSAactivities have been kept separate fromthe PSR process since 1998 and their rolehas changed accordingly. In compliancewith the Regulations concerning Safetyin Nuclear Facilities (SKIFS 2004:1),Level-1 and Level-2 PSAs have to be per-formed by licensees for all operationalmodes and have to be complementedwith area events analyses (fire, flooding)and external events analyses.The Regulations concerning the Designand Construction of Nuclear Power Re-actors (SKIFS 2004:2) published by SKIin 2004 encompass new areas such asdesign principles of defence-in-depth,strongly constructed safety functionsagainst failures and events, resistance toenvironmental impact, threats to controlrooms… To fulfil these regulatory de-mands, huge plant modernisation proc-esses were launched at all facilities along-side power uprate projects.Today, PSAs are obviously expected tohelp verify and optimise, with the mostvalid or updated models, the plannedconstruction solutions. This implies alsoto indirectly verify the actual fulfilmentof construction and design rules, guidesand standards of e.g. structures, systemsand components. It is mandatory thatthe final safety analysis report be keptupdated after plant modifications, or ifcurrent deterministic safety analyses areupdated or new ones are introduced.

In Sweden, PSAs are also used, amongothers, to:- verify and evidence the safety im-

pact of changes required in plant-specific technical specifications, ofallowed outage time and of test in-tervals;

- evaluate the risk increase factor re-sulting from previous incidents;

- identify weak points in a plant andplan for countermeasures.

Supervision by SKI of the PSAs per-formed by licensees corresponds to thefollowing regulatory activities:- review of applications to SKI,- review of the chapter devoted to up-

dated PSA results in the final safetyanalysis report,

- review of PSA documentation andfault-tree models,

- inspections and plant visits,- research and development.Reviews of PSAs or PSA applicationsaim at getting knowledge about:- the representativeness of the PSA-

models regarding the correct behav-iour of analysed initiators affectingthe structures, systems and compo-nents,

- the dominating assumptions andsimplifications,

- the clarity and readability of docu-mentation (e.g. are the results pre-sented and interpreted in a didacticmanner?),

- the eventual plant modificationsderived from the PSA results.

>>>>>Taking advantage of a“risk-informed” approachFor SKI, it is also very important that theprimary and the independent reviews beperformed according to process-oriented

The current SKIapproaches in anutshell(according to thelatest regulations).

- A PSR report shall still beproduced every 8-10years for all plants.

- Recommendations in thereviewed PSR report ofSKI are presented to theGovernment.

- A PSR report is coupledto the operating licence.

- PSA is separated fromthe PSR process.

- PSAs have to beregularly updated andactively used inapplications.

- Final Safety AnalysisReports (FSAR) have tobe updated continuouslyin rhythm with themodifications performedat the plants.

- FSAR and PSA typicallyare living documents.

15

EUROSAFE Trib

une


instructions at the licensees and with ap-propriately chosen reviewing level anddepth. A current trend is that SKI putsmore pressure on this process to makeclear statements about the applicabilityof the PSA models to different uses. SKIis “risk-informed” to a sense where theyare provided with information on themodels’ content, on how realistic thosestudies are and how they are used. Thisbackground helps SKI review licenseeapplications. It is therefore of a certaininterest to have good knowledge of howwell the self-control function operates atthe licensees. Moreover, the knowledgeabout how well a PSA study does fulfil therequirements plays an important part inthe overall integrated safety assessment ofsome of the 15 PSR areas.As shown in Figure 1, the new respec-tive roles of PSRs and PSAs – providingconditions for the future safe operationof the NPPs thanks to the “looking-aheadprinciple” on the one hand, andoptimising the NPP modernisation proc-esses on the other – provides the Swed-ish regulatory authorities with comple-mentary perspectives on the safety of thereactor fleet in operation in the country.

< 1998 > 1998

PSR process before the SKIFS 1998:1regulation. < 1998PSA is integraded in the PSRsPSA is a recommendation in the SKIFS1998:1 regulation.

PSR process after the SKIFS 1998:1regulation. > 1998PSA is separated the the PSRsPSA is required in the SKIFS 2004:1regulation.

PSR have got a more formal position in thenew SKIFS 2004:1 regulation.The generalrecommendations to the chap 4 §4considers the recurring wholenessjudgements of the safety of the plants.

PSAupd.

PSR#1

PSAupd.

PSR#2

PSAupd.

PSR#3

PSAupd.

PSAupd.

PSAupd.

PSR#n

Continues update of FSAR/SAR.

1 Design and construction of the facility (incl. modifications)

2 Management, control and organisation of the activity

3 Competence and staffing of the nuclear activity

4 Operations, incl. the handling of deficiencies in barriers and defence-in-depth

5 Core and fuel issues as well as criticality issues

6 Emergency preparedness

7 Maintenance, material and in-service inspection issues

8 Primary and independent safety review

9 Investigation of events, experience feedback andexternal reporting

10 Physical protection

11 Safety analyses and safety reporting

12 Safety programme

13 Safekeeping of facility documentation

14 Handling of nuclear material and nuclear waste

15 Non-proliferation control, export control and transport safety

11 FinalSafety AnalysesReports andPSAs

Figure 1: The relationship between PSR and PSA in Sweden before and after 1998.(SKIQ-11, PSR area 11 – Safety analyses and safety reporting)

Table 1: Demands and extent of the PSRs in the regulation.

16

EUROSAFE Tribune

M A I N T E N A N C E

Risto HimanenTeollisuuden Voima Oy (TVO),Finland

>>>>>Optimisation of maintenance duringpower operation: the lessons learntfrom diesel generatorsSince the 1980s, preventive mainte-nance of diesel generators has beenpermitted during power operation atthe Olkiluoto units 1 and 2 (OL1 andOL2). The maintenance time has beenlimited to three days per year for eachof the eight diesel generators (four perunit). Since it is assumed in the deter-ministic design basis accident analysesthat the connection to the externalgrid is lost, the diesel-backed safetysystems are considered as “unavailable”when the corresponding diesel genera-tor is unavailable due to preventivemaintenance. Thus, the conclusionfrom the deterministic analysis is thatall diesel-backed, front-line safety sys-tems in one train can be maintainedat the same time as the correspondingdiesel generator itself in maintenance

PLANT OPTIMISATION AND OPTIMUMMAINTENANCE PLANNING AS A RESULT OF PSABy Risto Himanen (TVO)

Probabilistic Safety Assessment (PSA) can be used in many ways to support the planning of differentmaintenance-related activities in nuclear power plants. The first PSA application in the operating units atOlkiluoto NPP during the late 1980s was the optimisation of on-line maintenance of diesel generators anddiesel-backed pumps of front-line safety systems. Today’s model shows that the impact of the on-linemaintenance on the core damage frequency has been decreased from 50% to less than 1%. PSA, inconnection with Probabilistic Availability Analysis (1) gives useful insights when planning Reliability CentredMaintenance (2) Programmes, in maintenance priority classification of components according to their safetyand availability importance.

packages which are done consecutivelyfor each of the four trains.The PSA of OL1 and OL2 (which dur-ing the 1980s included only internalinitiating events) showed that the im-pact of the diesel packages on the coredamage frequency was 17%. Today’smodel, which also includes commoncause initiators such as fires, floods,seismic events and different weatherphenomena, shows that the impact ofthe old-type diesel package would bemore than 50%.

>>>>>Bringing the impact of on-line main-tenance on the core damage frequencydown from 50% to less than 1%Because PSA showed that the preven-tive maintenance of the safety systemswas a dominant risk contributor, thediesel packages had to be re-designedin order to minimise the risk impact.In addition, the consecutive mainte-

17

EUROSAFE Trib

une


nance of all trains included potentialfor repeated maintenance errors,which were not explicitly modelled.Risk-based modifications were thusperformed in the diesel packages, andthe optimised on-line maintenancemade it possible to reduce its impacton the core damage frequency to lessthan 1%:- Firstly, the diesel packages were stag-

gered so that only two diesel pack-ages in each unit were scheduledconsecutively and the remainingones only after a longer period.

- Secondly, each diesel package wasdivided into three consecutive parts:a. The diesel generator is main-tained simultaneously with the corespray pump and those parts of theintermediate cooling system and cir-culating water system which are nec-essary for the diesel generator andthe core spray system.b. The auxiliary feed water pump(high pressure), which is a separatesystem for the low pressure corespray system, is maintained in itsown package.c. The containment spray pump ismaintained at the same time assome components in other systemsthat have no impact on the availabil-ity of core cooling systems, i.e. theauxiliary feed water system or thecore spray system.

- Thirdly, the maintenance tasks areallocated for each year so that theaverage of the sum of the three pack-ages during a ten-year period will notexceed three days per year and train.Thus, a ten-day major overhaul ispossible every ten years for each die-sel generator.

>>>>>The Role of PSA in Reliability CentredMaintenanceThe purpose of the maintenance activi-ties is to provide the required function-ality of Structures, Systems and Com-ponents (SSC) to allow safe and reliablepower production. The Reliability Cen-tred Maintenance (RCM) method isused for improving and optimising themaintenance program, based mainly onown operating experience of SSC.In the late 1990s TVO developed anapplication of the Probabilistic Availabil-ity Analysis (PAA) method (1) for the op-erating BWR units OL1 and OL2. Useof the same modelling method and samecomputer code in PAA as in PSA allowedthe calculation of importance measuresfor the components and systems. AllSSC of OL1 and OL2 were classified ac-cording to their maintenance priorityinto four different classes:- Components in the highest priority

maintenance class should always beoperational, and are thus subjectedto the most thorough preventivemaintenance programmes.

- In the second highest class, limitedunavailability of the component ispermitted.

- In the third class, preventive main-tenance is performed only if eco-nomically justified.

- In the lowest priority class no pre-ventive maintenance is carried out.

This maintenance priority classifica-tion was based on several economicaland safety-related factors. Besides theoperating and maintenance experi-ence of the components as well as thepreventive and corrective maintenancecosts and requirements in TechnicalSpecifications (TS), insights

Maintenance of diesel generatorsin Olkiluoto

18

EUROSAFE Tribune


were drawn from the probabilisticanalyses (PSA and PAA). PSA is used toassess the importance of the componentfailures on the plant safety. The imple-mentation of the insights from PSA inOL1 and OL2 was based on two impor-tance measures: Risk Achievement Worth(RAW 3) and Fussel-Vesely (F-V 4) Impor-tance. The limits for the importancemeasures were chosen after several trialsin such a way that the main componentsof the front line safety systems wereclearly distinguished in the highest pri-ority safety class. The following rules wereapplicable for OL1 and OL2:- If the Risk Achievement Worth

(RAW) is greater than 2, then thehighest maintenance priority is al-ways applied because decreased reli-ability of the component would havea strong effect on the Core DamageFrequency (CDF).

- If the RAW is between 1.1 and 2 andthe F-V is greater than 0.005, the main-tenance priority is 2 because the effectof decreased reliability of the compo-nent on the CDF is moderate (RAW)and the increased reliability would atleast slightly decrease the CDF (F-V).

- PSA is not used in the definition ofthe maintenance priority if the F-Vis less than 0.005 and the RAW is lessthan 1.1, i.e. neither increase nor de-crease of the component’s reliabilityhas a great impact on CDF.

>>>>>Defining the initial PreventiveMaintenance PlanRCM is used in the design phase of theEPR-type OL3 unit for the definitionof the initial Preventive MaintenancePlan. This plan defines – taking intoaccount risk insights – the maintenance

activities of each component, e.g.maintenance priority of the compo-nent, effective maintenance activities,and the frequency of the activities.Usual RCM methods are not welladapted to a new nuclear power plantdesign because own operating experi-ence is missing. Therefore, a new ap-plication of RCM was developed forOL3 to define the initial PreventiveMaintenance Plan without own oper-ating experience. The maintenancepriority class, which defines the depthof the RCM analysis, is based on theTechnical Specifications (TS), PSA,PAA and expert opinion. The expertsmay also select other SSC that are nei-ther addressed in TS, PSA nor in PAA,but which have to be covered by Pre-ventive Maintenance activities.The use of risk importance measuresin the classification shall be “relative”and “advisory”. “Relative” means thatplant-specific limits shall be definedbecause they seem to depend on therisk profile of the plant. “Advisory”means that the expert group shall havethe possibility to change the mainte-nance priority class independently ofthe results of PSA, if justified.The PSA model includes a great vari-ety of components, and some of themmay have very low importance due toseveral reasons. Inclusion of a compo-nent in the PSA model shall not auto-matically mean that it should be classi-fied into high maintenance priority. Ifthe PSA importance measures are usedto distinguish e.g. between two highestpriority classes, a limit shall be set toindicate when the importance is so lowthat even the second-highest class is notjustifiable based on PSA.

(1) Probabilistic Availability Analysis(PAA) is a method similar to PSA,but it estimates the risk for loss ofproduction (MWh/year) instead ofcore damage frequency. It is nowused also by utilities such as EDFor reactor designers such asFramatome.

(2) Reliability-Centred Maintenance(RCM) is an engineering frameworkthat allows the definition of acomplete maintenance regime. Thisapproach is focused on identifyingand establishing the operational,maintenance, and capitalimprovement policies that willmanage the risks of equipmentfailure most effectively. It is definedby the technical standard SAEJA1011, Evaluation Criteria forRCM Processes.

(3) Risk Achievement Worth (RAW) ofa modelled plant feature (usually acomponent, train, or system) is theincrease in risk if the feature isassumed to be failed at all times. Itis expressed in terms of the ratio ofthe risk with the event failed to thebaseline risk level.

(4) Fussell-Vesely (V-F) Importanceof a modelled plant feature (usuallya component, train, or system) isdefined as the fractional decreasein total risk level (usually CoreDamage Frequency, CDF) when theplant feature is assumed perfectlyreliable (failure rate = 0.0). If allthe sequences comprising the totalrisk level (e.g. CDF) are minimal,the F-V also equals the fractionalcontribution to the total risk level ofall sequences containing the(failed) feature of interest.

19

EUROSAFE Trib

une

L O W P O W E R & S H U T D O W N

The EUROSAFE Tribune. Mr. Wenk,what are EnBW’s priorities regardingthe operation of its reactor fleet?Michael Wenk: We are striving to get ourNPPs epitomise safety, reliability andcompetitiveness in the world of powergeneration. Safety comes first, beforeprofitability. Just like other German nu-clear facilities, our power reactors are per-manently placed under the independentcontrol of the regulatory authorities, andthe stringent inspections performed inthis framework are complemented withmandatory safety reviews performed pe-riodically (PSR). Those are aimed at es-tablishing whether or not a given facilityoffers a sufficient level of safety in viewof future operation. For each of our reac-tors, we therefore draft every ten years acomprehensive safety report taking intoaccount the state of the art in science andtechnology.

TET. In this process, what use doesyour company make of probabilisticsafety assessments?Michael Wenk: In compliance with the

THE SIGNIFICANCE OF PSA FORLOW-POWER AND SHUTDOWN STATES

Federal regulatory requirements on nu-clear energy, any PSR includes both a de-terministic analysis as well as aprobabilistic safety assessment (PSA) ofthe occurrence of defined events in or-der to verify whether or not the corre-sponding safety concept is commensu-rate to the risk. In this respect, the scopeof PSA was extended in 2005 to such op-erating configurations as low-power andshutdown states. We had carried out suchassessment at our Philippsburg andNeckarwestheim NPPs already earlier, aswe consider that the contribution to therisk during low-power and shutdownstates is not negligible and should there-fore be assessed as thoroughly as otherstates. This is our opinion, although thereactors operated by EnBW enjoy an avail-ability of more than 90% on average,making low-power and shutdown statesby far the less frequent operational state.

TET. How are PSAs performed at EnBW?Michael Wenk: Based on the officialPSA guidelines, comprehensive PSAswere conducted and optimised for

An interview with Michael Wenk (EnKK)

The three NPPs located in the Land of Baden-Württemberg – i.e. Neckarwestheim and Philippsburg –are jointly operated by EnBW Kernkraft GmbH (EnKK). EnKK’s CEO, Michael Wenk, gives The EUROSAFETribune (TET) his views on the contribution of probabilistic safety assessments of low-power and shutdownstates to an improved understanding of reactors’ behaviour beyond normal operation and, subsequently,to the enhancement of safety procedures in nuclear facilities.

Michael WenkEnBW Kernkraft (EnKK),Germany

20

EUROSAFE Tribune

L O W P O W E R & S H U T D O W N

each plant in an iterative process.First of all, the incidents recordedthrough the Incident Reporting Systemin Germany were analysed, taking intoaccount as well the Incident ReportingSystems of the OECD and IAEA allow-ing the scope of potential events to beassessed. Then, scenarios of each plantwere built, drawing upon the modellingof such events. Finally, fault trees basedon operating states were adapted to lowpower and shutdown states.

TET. To which extent do probabilisticsafety assessments improve yourunderstanding of low-power andshutdown states?Michael Wenk: The data gained fromlow-power and shutdown states PSAscontribute not only to the high safetylevel of our facilities, as shown by inter-national comparisons, but bearing wit-ness to our efforts towards continuoussafety improvements, they gave us pre-cious insights into the behaviour of ourfacilities during such states and into sce-narios of possible events as well. Split-ting low-power and shutdown states intodifferent phases including transitionstates for instance, enabled us to per-form numerous optimisations in our fa-cilities (e.g. in the planning of work dur-ing periodical inspections) conducive toimprovements of results using PSAs.

TET. How are identified optimisationsimplemented?Michael Wenk: The conclusions ob-tained are implemented in the operat-ing manuals of our facilities, in chaptersdedicated to low-power and shutdownstates. We designed event- and protec-tion orientated operating procedures

that can be practised by our operatorson simulators.

TET. What do you expect from low-power and shutdown states PSAs forthe future?Michael Wenk: As an iterative processdrawing upon previously gained results,the low-power and shutdown states PSAsallow on-going development and im-provement thanks to the renewal of pro-cedures based on existing knowledge. Wetherefore intend to continue with suchanalyses using the method for future im-provements and – this is very important– adjusting our highly conservativesafety margins accordingly. We also ex-pect PSAs to help us improve further ourworking processes and to assess evenmore accurately the status of our facili-ties, when operated at low power or shutdown. The measures derived from PSAresults are incorporated into our operat-ing manuals, thus becoming an impor-tant part of our know-how. We use themas a tool to raise the safety standards ofour facilities, beyond normal operation,to a level comparable to high qualitystandards recognised worldwide. Again,we regard the PSAs for low-power andshutdown states as a valuable tool forsubsequent safety reviews and for proc-ess optimisation. They enabled EnBWto gain meaningful information on themanagement of transition states and,through adequate changes in proce-dures, to further enhance the safety ofits nuclear facilities. The overall goalshould be to have a well-balanced PSAincluding normal operation and low-power and shutdown states, where themain contribution to the resulting riskcomes from normal operation.

21

EUROSAFE Trib

une

U P G R A D I N G

Four VVER 440-213 type reactor unitshave been operating at the Paks NPPsince the early eighties. The first com-prehensive level-1, full-power, internal-initiator PSA study was completed in1994 for Unit 3 of the plant. More re-cently, the scope of the original PSAhas been considerably extended toencompass internal (fires and floods)and external (seismic) hazards, to de-termine annual refuelling outage risk(including all phases of cooling down,refuelling and restart) as well as deter-mine the frequency of large radioac-tivity releases and their main contribu-tors (level 2 PSA).In general, the methodologies followedto perform the different PSAs werebased on international (mainly IAEAand NEA) guidelines and practices,namely:

BACKFITTING AND MODIFICATIONS OFNUCLEAR POWER PL ANTS –AN IMPORTANT PSA APPLICATIONBy Attila Bareith, Elod Hollo (VEIKI), andJozsef Elter (PAKS NPP)

Probabilistic safety assessments have been used to support safety-related decisions at nuclear powerplants for many years. One of the main objectives of PSA applications is to identify the potential backfitsand modifications conducive to safety enhancement, and to demonstrate their impact on different riskmeasures. The frequency/probability of core damage (level 1 PSA) and large radioactivity release (level 2PSA) is widely used to support this demonstration. An overview of the essential backfits and modifica-tions performed at the Hungarian Paks NPP is provided below, and their impact on plant safety issummarised.

- The small-event-tree/large-fault-treeapproach was used to model acci-dent sequences. Functional andphysical dependencies are explicitlymodelled;

- Common-cause failures, human er-rors and recovery actions were in-cluded. Plant-specific statistics andgeneric data were both used to setup the input database;

- An efficient computer code(RiskSpectrum PSA Professional)was implemented for quantification.

>>>>>A major safety enhancementprogramme based on PSA resultsA PSA can be used to determine theimportant contributors to risk measuresand, subsequently, to outline the mosteffective safety upgrading backfits andmodifications. As a next step, the

Attila BareithVEIKI Institute for Electric PowerResearch, HungaryR

22

EUROSAFE Tribune

practically applicable changes in de-sign and in operational conditions haveto be incorporated into the event se-quence model and data base. The re-sults of a quantification using the modi-fied input information will reveal therisk decrease rate induced by the givenchanges.At the Paks NPP, the PSA has been usedfor this purpose since the completionof the first comprehensive study. In1996, an extensive programme of safetyenhancement measures (SEM) was ini-tiated. This programme covered numer-ous practically feasible modificationsand improvements to provide the plantwith enhanced capability to preventand cope with severe accidents. Theessential elements of the completedSEM programme are as follows:- Relocation of the emergency feed

water system (EFWS)A design shortcoming was elimi-nated by the relocation of the EFWSfrom the direct vicinity of the mainsteam and feed water lines to a plantlocation protected from the effect ofhigh energy pipe breaks. With thisrelocation, the EFWS is protectedfrom the hazard of high-energy linebreaks as well as of fires and floods.

- Protection of containment sumpagainst cloggingNew sump strainers prevent the una-vailability of the emergency corecooling system under loss-of-cool-ant-accident (LOCA) conditions.

- Refurbishment of the reactor protec-tion system (RPS)The replacement of the analogueRPS with digital equipment andsoftware control has been carriedout. The new, reliable system has im-

proved the control functionality andprovided a better man-machine in-terface.

- Replacement of the primaryoverpressure protection systemThe new system with its advancedsafety and relief valves and controlprovides appropriate tools to helpprevent severe accidents throughprimary pressure decrease by bothautomatic and manual operations.

- Earthquake resistance improvementThe measures include the reinforce-ment of building structures, techno-logical and I&C systems, introduc-tion of new protection signals, andmodification of the cool-down tech-nology following a seismic event.

- Introduction of symptom-orientatedemergency operating procedures(EOP)The new procedures offer bettersupport for operators in their emer-gency operations to identify and ex-ecute the most appropriate actionsin a timely manner under highstress. In parallel with the EOPs, astate-of-the-art monitoring systemfor critical safety functions was alsoinstalled.

- Handling primary to secondary leak-age in steam generatorsSeveral technological and I&Cmodifications will facilitate the earlydetection of steam generator failure,terminate the primary leak by de-creasing primary circuit pressure,and limit the amount of radioactivereleases.

- Hydrogen management in the con-tainment during a design basis acci-dentCatalytic recombiners were installed

Elod HolloVEIKI Institute for Electric PowerResearch, Hungary

U P G R A D I N G

Jozsef Elter,PAKS Nuclear Power Plant,Hungary

23

EUROSAFE Trib

une

U P G R A D I N G

in the containment to prevent theaccumulation of hydrogen resultingfrom a design basis LOCA event.

Further modifications are currently ex-ecuted in order to mitigate any conse-quences of potential severe accidents,e.g. to perform hydrogen managementin the containment.

>>>>>Probabilistic indicators: a clearillustration of risk reduction by SEMsLevel 1 PSA was used for evaluating thesafety enhancement measures havingeffect on core damage probability (e.g.introduction of new emergency oper-ating procedures), while the results oflevel 2 PSA studies supported the iden-tification of the accident mitigationmeans (e.g. installation of hydrogenrecombiners).Figure 1 shows the changes in the coredamage probability of the Paks NPP,Unit 2, during the last decade (the back-ground photo illustrates the construc-tion phase of EFWS pumps relocation).The overall risk figure for internal

events has been reduced by an order ofmagnitude during this period of time.The individual SEMs can influence therisk level within different plant operat-ing states. It can be seen in the figurethat – with a constantly decreasing riskprofile – relative contributions from full-power and from low-power and shut-down states vary over time for the PaksNPP: although relatively important, lowpower has nowadays a small absolutecontribution and, similarly, the risk levelduring planned outages for refuellinghas also been reduced. It is nowadaysdominated by those plant operatingstates when the reactor vessel is openfor fuel manipulation and the waterlevel in the vessel is low.From these results, it can be inferredthat the safety level of the Paks NPPunits has been systematically raised bymeans of backfits and modifications,and that it now complies with that ofplants of the same vintage in otherEuropean countries. This is a clear il-lustration of risk reduction by SEMs.

1997 1999 2001 2003 2005 2007

25%

75%

50%

50%

31%

69%50%

50% 61%39%

61%39%

Full Power

Low Power and Shutdown

2.0E-041.8E-04

1.6E-04

1.4E-04

1.2E-04

1.0E-04

8.0E-05

6.0E-05

4.0E-05

2.0E-05

0.0E+00

Figure 1: Evolution of core damage probability at the Paks NPP, Unit 2

24

EUROSAFE Tribune

S E R V I C E L I F E & A G E I N G

The EUROSAFE Tribune. What is theEuropean Commission’s Joint Re-search Centre (JRC) in charge of?Andrei Rodionov: This Centre wasoriginally established under theEuratom treaty signed in 1957.Euratom’s role is to promote nuclearsafety and security in Europe and theJRC has been contributing to this aimwith its research activities ever since.The JRC has, however, at the requestof its customers, expanded to also em-brace other fields important to policy-making, such as life sciences, energy,security and consumer protection. Ithas transformed itself from a purely re-search-driven organisation focussing onnuclear energy to a customer-driven,research-based policy support organisa-tion. Today, the JRC is deeply embed-ded in the European research area.

TET. How is the JRC funded?Andrei Rodionov: The JRC, with a staffof around 2700, is allocated an annualbudget of around 320 million euros fordirect support to EU institutions from

APPLYING PSA TO ASSESS NUCLEARFACILITY AGEINGAn interview with Andrei Rodionov (JRC)

As part of the European Commission’s Joint Research Centre, the Institute for Energy is focussing onenergy issues. Andrei Rodionov, senior researcher in the Institute, co-ordinates the scientific networkset up in 2004 to perform research in the field of PSA applied to nuclear facility ageing. He givesThe EUROSAFE Tribune (TET) an insight into the network’s activities and achievements.

the Seventh Framework Programme(FP7). It earns up to a further 15%from such competitive activities asparticipation in collaborative projects,technology transfer and work for thirdparties including industry and regionalauthorities.

TET. What is the Institute for Energytasked with?Andrei Rodionov: As part of the JRC,the Institute for Energy (IE) providesscientific and technical support for theconception, development, implemen-tation and monitoring of communitypolicies related to energy. It covers thefollowing key areas: energy techno-eco-nomic assessment; energy recoveryand production of intermediate fuelsfrom waste and biomass; cleaner fossilfuels, including carbon capture; newenergy technologies, including fuelcells and hydrogen; safety of opera-tional and future nuclear reactors; stor-age and transport of nuclear waste, andnew treatment methods in nuclearmedicine.

Andrei RodionovInstitute for Energy,European Commission JointResearch Centre (JRC),Netherlands

25

EUROSAFE Trib

une


TET. In the field of nuclear safety, theJRC set up a network specialising inthe use of PSA for the evaluation ofageing effects on the safety of energyfacilities…Andrei Rodionov: Yes, and as a seniorresearcher in the IE, I am personallytasked with co-ordinating the activitiesof this network devoted to what we useto call “ageing PSA”. Created in 2004by common initiative of the Institutefor Energy and interested Europeanorganisations such as research insti-tutes, technical support organisations,regulators and utilities, the networkwas formally joined by 14 organisationsfrom EU Member States as well asArmenia, Russia, South Korea andSwitzerland. CNSC (Canada),Statwood Consulting (USA) andNMRI (Japan) provide active participa-tion.

TET. What does the network’s workingprogramme consist in?Andrei Rodionov: Its scope of workencompasses eight tasks: 1. Organisa-tion and co-ordination of network ac-tivities; 2. Analysis of main PSA taskswith regard to Ageing PSA; 3. Selec-tion of the Structures, Systems andComponents (SSC) to be consideredin Ageing PSA; 4. Reliability and dataanalysis for active components;5. Consideration of Common CauseFailures; 6. Reliability and data analy-sis for passive components; 7. Incor-poration of age-dependent reliabilityparameters and data into PSA model.Interpretation of quantification re-sults; 8. Ageing PSA development andapplications. Focus is placed on thePSA application for Long Term Opera-

tion of NPPs, but developed ap-proaches and obtained results could beapplied as well to research reactors andfuel cycle facilities.

TET. What are the major issuesassociated with the ageing of nuclearfacilities?Andrei Rodionov: Well, if you refer toThe EUROSAFE Tribune #10, it is clearthat the most critical issues are associ-ated with the non-replaceable heavystructures as a reactor or containmentfor instance. Ageing of major passivecomponents as steam generators, pri-mary and secondary pipes are also con-sidered as very important issues… Andsince the risk profile is quite sensitiveto the failures of passive componentsconsidered in PSA models on the levelof initiating events (e.g. primary pipebreaks) we are focussing on them. Wealso address other safety systems thatare not considered critical in ageingmanagement, because maintenance issupposed to keep failure rates constant.But this assumption has to be checkedand justified when one would like to usePSA for aged NPPs.

TET. How can PSA be used to helpidentify and prioritise ageing issues?Andrei Rodionov: From a technicalperspective, PSA makes it possible toprioritise risk depending on impor-tance factors: if you identify some age-ing issue or see some trend towardsageing in a reliability curve, you maydecide to perform a sensitivity studyto assess the risk more accurately. Letus assume you have some core damagefrequency estimated with your PSAcode; assessing the sensitivity to the

26

EUROSAFE Tribune


ageing parameters included in themodel will help you forecast the impor-tance under some boundary conditionsin 5 or 10 years.

TET. How would you characterise theJRC Network’s achievements at thisstage?Andrei Rodionov: Well, this is a researchproject, thus we do not pretend to per-form any evaluation or judgment of ex-isting facilities. We aim at providing someapproaches, models, application exam-ples, etc. For the task titled “Reliabilityand data analysis for active components”(task #4), for instance, we developed sev-eral case studies which demonstrate thestatistical methods to identify the age-ing trends using some operating experi-ence data. Proposed approaches, mod-els and corresponding software are in-cluded into the guidelines for reliabilityparameters estimation.As I mentioned earlier, PSA studiesconsider that failure rates for compo-nents are constant because of mainte-nance. But in reality, if componentsare not maintained properly, failurerates will increase. So we proposed anapproach and method to assess reliabil-ity using experience feedback and, as

reliability data collection at plants inservice do not include such verifica-tion, we prepared methodologicalguidelines to perform it. Moreover, werecognised that reliability data collec-tion has to be improved for long-timeoperation.

TET. What are the Network’s futureprospects?Andrei Rodionov: For future develop-ment, concerned by tasks #5 to 8, weshall try to understand:- how ageing could impact common

cause failures;- whether or not representative reli-

ability models are available to calcu-late a failure probability of passivecomponents which could be used inPSA; and

- how to apply “ageing PSA” in a risk-informed decision-making process.

From 2008 onwards, we will start withthese tasks and should be ready to fi-nalise this stage of the programmewithin 2 years.At the end, I would like to invite thoseEUROSAFE Tribune readers who areinterested in the subject to visit ourweb page: http://safelife.jrc.nl/APSA

Partial view of a turbine rotor

27

EUROSAFE Trib

une

N E W R E A C T O R D E S I G N

PROBABIL IST IC S AFETY A SSESSMENT:A POWERFUL TOOL TO HONE NEW REACTOR DESIGN

By Reino Virolainen and Ari Julin (STUK)

The Olkiluoto 3 (OL3) NPP is the first unit to be built according to the European Pressurised Water Reactor(EPR) concept. Its planned thermal power is 4,300 MW and net electric power output approximately1,600 MWe. OL3 has been designed to comply with the current international safety principles, the Finnishregulatory requirements and the European utility requirements, including a management strategy for coremelt accidents. Several modifications to the original EPR design were made during the licensing procedurebased on the Finnish regulatory requirements and local conditions. Many of those safety-significant designmodifications were based on PSA insights.

In Finland, probabilistic safety assess-ments (PSAs) are formally integrated inthe regulatory process of NPPs alreadyin the early design phase and are runthroughout the construction, commis-sioning and operation phases. A plant-specific, design phase level 1 and 2 PSAis required as a prerequisite for issuingthe construction license and a completeLevel 1 and 2 PSA for issuing the oper-ating license. The plant-specific Level1 and 2 PSA includes internal initiators,fires, flooding, harsh weather condi-tions and seismic events for full-poweroperation mode and for low-power andshutdown mode. In each licensingphase, a PSA has to be used to demon-strate that the following probabilisticdesign objectives will be met:- Mean value of the core damage fre-

quency is less than 1.10-5/year;- Mean value of a large radioactive

release frequency (>100 TBq Cs137)is less than 5.10-7/year.

The design has to be improved in casethese objectives are not met.

The plant supplier conducted a designphase PSA for Olkiluoto 3 (OL3). TheLevel 1 analyses for full-power opera-tion covered internal events, fires,floods and external events. However,there were some shortages in the scopeof the analysis (e.g. seismic risks), butPSAs and a qualitative justification to-gether demonstrated that safety objec-tives will be met.

>>>>>Weather, seismic risk, severeaccidents: the major PSA reviewfindings at Olkiluoto 3While the design phase PSA was inprogress, the detailed design of struc-tures, systems and components (SSCs)was still incomplete. Hence the com-prehensive analyses concerning systemdependencies and common-cause fail-ures for all systems, particularly

Ari Julin, Radiation and NuclearSafety Authority (STUK), Finland

Reino Virolainen, Radiation andNuclear Safety Authority (STUK),Finland

28

EUROSAFE Tribune


electrical and instrumentation andcontrol (I&C) systems were lacking.There were also deficiencies in the cov-erage of plant-specific initiating events,which is understandable at the designstage, where detailed information ofSSCs is missing.The analysis on risk from fire and flood-ing performed in the design phase dem-onstrated that their contribution to thetotal core damage frequency is smalland that there are no remarkable flawsleft in the plant design that would in-crease the risk. Not all design detailswere known at this stage, requiring ex-pert judgment and conservative as-sumptions to be used. A detailed fireand flooding risk analysis is to be per-formed at the construction stage ofOL3 when the design is finalised.

Weather risksThe design phase PSA has been usedto ensure the adequacy of the plantdesign basis and of the design require-ments related to external events(weather phenomena, etc.). The OL3PSA includes a screening analysis ofexternal phenomena covering weatherconditions (wind, temperature, light-ning, rain) and seawater-related condi-tions such as variations in level, tem-perature, and blockage-causing phe-nomena (algae, mussels, frazil ice, oilspills). The analysis of external eventsalso covers risks connected with indus-trial activities, transport and other nor-mal human activities in the vicinity ofthe plant site, but not activities delib-erately aimed at damaging the plant.Precautions have been taken to with-stand a blockage of the essential serv-ice water system (loss of ultimate heat

sink) and a loss of residual-heat removaland component cooling functions.The plant has been designed to with-stand a total loss of the ultimate heatsink for 72 hours. Two safety trains ofthe emergency feed water and emer-gency core cooling systems areequipped with air-cooled chillers toensure cooling also during a loss ofseawater cooling. The prevention of ablockage of air intakes with snow hasbeen taken into account while re-designing the diesel generator systems.

Seismic riskSeismic activity in Finland is quite low.During the construction of the Finn-ish NPP units currently in operation,there were no specific regulatory re-quirements on seismic design. Con-cerning OL3, the plant supplierclaimed it would be possible to demon-strate that the plant unit meetsprobabilistic design objectives with asufficient safety margin for seismicrisks, provided that it is implementedaccording to the principles of earth-quake design stated in the PreliminarySafety Analysis Report. A detailed seis-mic risk analysis with fragility curves isrequired to establish that the quantita-tive risk targets (less than 1.10-5/year forcore damage frequency and 5.10-7/yearfor a large release) will be reached.

Severe reactor accidentA Level 2 PSA analysed the physicalprogression of sequences leading to asevere reactor accident and the timingof releases in accidents which threatenthe structural integrity of the contain-ment or its functional tightness, or inwhich a release from the primary cir-

Construction work at Olkiluoto 3NPP

29

EUROSAFE Trib

une


cuit occurs through systems locatedoutside the containment building (con-tainment by-pass). The results of theLevel 2 PSA indicated that the fre-quency of exceeding the release limitfor a severe accident is less than5.10-7/year, i.e. the limit set forth as asafety objective in the RegulatoryGuide.

>>>>>Plant design changes resultingfrom PSAAs a result of the regulatory review ofconstruction license documentation(PSA and PSAR), some changes to theoriginal plant design were required.The design modifications required bySTUK were mostly related to the im-provement of the reliability of safety-significant systems by adding diversity,redundancy or separation. The mostsignificant changes pertained to:- the separation requirements of the

electrical systems (e.g. safety-classi-fied electrical cables),

- the protection of air intakes of theemergency diesel generator and thecooling systems against snow block-ing,

- the separation by fire barriers of re-dundancies in all safety-critical loca-tions,

- the prevention of flooded conditionsspreading through safety buildingsand from the service water pumpingstation between redundant rooms.

>>>>>Risk informed applications of PSAsSeveral PSA applications have been re-quired in Finnish Regulatory Guides

for construction and operating li-censes, such as:- Support for safety classification of

SSCs: this classification has to be as-sessed with a PSA also in the con-struction phase if substantial designmodifications are performed;

- Drawing-up of a programme forTechnical Specifications, e.g.: test-ing of safety-significant SSCs, rel-evance of allowed outage times(AOT) of safety systems, identifica-tion of situations in which the plantshutdown may cause a higher riskthan that of continuing power op-eration and fixing the failures;

- Drawing-up of a programme for on-line preventive maintenance;

- Drawing-up and development ofpiping (RI-ISI) inspection pro-grammes;

- Ensuring the coverage of distur-bance and emergency operating pro-cedures: a PSA must be used to de-termine those situations for whichthe procedures shall be drawn up;

- Planning of personnel training: themost important accident sequencesand significant operator actions interms of risk have to be practised atleast once in the period of threeyears.

The applicant has submitted to STUKhis risk-informed planning methods onthe programmes of the technical speci-fications, RI-IST (1), on-line preventivemaintenance, RI-ISI (2) and is drawingup a respective risk-informed pro-gramme.

Bird’s view of Olkiluoto NPP

(1) Risk Informed In-Service Testing (2) Risk Informed In-Service Inspection

30

EUROSAFE Tribune

S E I S M I C R I S K

S E I S M I C P S A :A STATE- OF -THE-ART TOOL FOR UPDAT INGEARTHQUAKE-SPECIF IC REGUL ATOR Y GU IDEL INESAn interview with Katsumi Ebisawa andMamoru Fukuda (JNES)

Frequently hit by powerful tremors, Japan developed earthquake-specific regulatory guidelines aimed atreinforcing the design of its nuclear facilities. These texts are revised based on the lessons learnt frommajor seismic events such as the 1995 Hyôgo-ken Nambu earthquake. Existing plants are now being back-checked according to the new guideline where seismic probabilistic safety assessments play an increasedpart. The new guideline is put to the test with the 2007 Niigata-ken Chûetsu-oki earthquake.

Katsumi EbisawaJapan Nuclear Energy Safety(JNES), Japan

The EUROSAFE Tribune (TET). What arethe specific implications of earth-quakes on nuclear plant design?Mamoru Fukuda. Whereas internalevents are often attributed to such inci-dents as random equipment failure, earth-quakes are natural phenomena and aretherefore difficult to control through hu-man intervention. Damage to structures,systems and components (SSC) resultingfrom severe seismic ground motions is si-multaneous and of different kinds, oftenrendering multiple protection mecha-nisms ineffective. The Japanese NPPshave been seismically designed, taking theso-called “design basis ground motion Ss”(DBGM Ss) as a deterministically estab-lished reference derived from the recordsof seismic activity.

TET. How can a probabilistic safetyassessment (PSA) be applied toseismic events?Mamoru Fukuda. First of all, a seismic

PSA (SPSA) analyses accident sequencesconducive to core damage and estimatestheir occurrence probabilities and frequen-cies. Uncertainties associated with earth-quake ground motion or responses andfragilities of buildings and components areaccounted for, just as earthquakes withextremely small occurrence probabilities,i.e. beyond-design-basis ground motions.Secondly, SPSA can provide informationbeyond the deterministic approach, as itallows seismic safety to be assessed in arealistic manner. Therefore, SPSA is usedto reasonably estimate the “residual risk”,to secure the estimation’s transparency byproviding information of the estimationprocess, and to define the sequences con-tributing to core damage as well as thesubsequent mitigation systems.

TET. How is the SPSA incorporated inthe Japanese nuclear plant designregulatory requirements?Mamoru Fukuda. Based on such experi-

31

EUROSAFE Trib

une


Mamoru FukudaJapan Nuclear Energy Safety(JNES), Japan

ences as the Hyôgo-ken Nambu earth-quake in 1995, the Nuclear Safety Com-mission of Japan (NSC) started revisingin July 2001 the guideline established inJuly 1981 and issued the new guidelinefor the seismic design of nuclear powerreactor facilities in September 2006. Thenew guideline requires to determine the“Design Basis Earthquake Ground Mo-tion Ss” with uncertainties duly consid-ered and to reduce the “Residual Risk”,expectedly with probabilistic approaches.

TET. How is the “Design Basis Earth-quake Ground Motion Ss” assessed?Katsumi Ebisawa. Exploration of groundand geographical survey can be per-formed based on state-of-the-art knowl-edge. DBGM Ss will be determined fora. “Site-specific earthquakes ground mo-tion whose source is identified with theproposed site” and b. “Earthquake groundmotion whose source is not identified”.For the former, a large number of earth-quakes which are suspected to have a se-vere impact on the proposed site will beselected, for which evaluations of groundmotion will be conducted. The latter willbe determined based on the observationrecords near the source obtained frompast earthquakes. As observation recordsare limited, probabilistic approaches areused. If uncertainties are properly con-sidered, DBGM Ss can be deter-ministically assessed. The “Residual Risk”is a function of excess probability of earth-quake ground motions over DBMG Ss,in which “Residual Risk” decreases as theexcess probability is set small. The Nu-clear and Industrial Safety Agency (NISA)of Japan issued instructions in Septem-ber 2006, calling on those concerned tomake back checks on reactors under con-

struction and existing reactors to ensureseismic safety against landslides and tsu-namis is included.

TET. What are the limits set for the“Residual Risk”?Mamoru Fukuda. For the quantitativeassessment of the “Residual Risk”, theNSC promotes the use of SPSAs to iden-tify seismic-risk-significant scenarios andequipment, and to improve seismic de-sign. The quantitative target of the safetygoals is set to less than 1.10-6/year.site, interms of average fatal risk for individualsliving around the facilities. Regarding theperformance targets, the core damagefrequency is set to 1.10-4/reactor.yearwhile the containment failure frequencyis set to 1.10-5/reactor.year.

TET. What happened during theChûetsu-oki earthquake on July 16th,2007?Katsumi Ebisawa. The tremor that oc-curred near the Kashiwazaki-Kariwa NPP(Niigata-ken) had a magnitude of 6.8 onthe Richter scale with a hypo-central dis-tance of 17 km from the NPP. A level ofresponse approximately 2.5 times as highas the value set for the Design Basis Earth-quake Ground Motion Ss in the formerguideline was observed. However, the plantcould maintain the functions of safety-im-portant SSCs, although there were suchSSC failures as a fire in a station servicetransformer.

TET. What are the lessons learnt fromthis particular earthquake?Katsumi Ebisawa. On September 28th,vigorous exchanges of views occurred ata special session in the autumn meet-ing of the Atomic Energy Society

32

EUROSAFE Tribune


of Japan (AESJ) devoted to theChûetsu-oki Earthquake. Those wereaimed at finding out whether or notthe seismic ground motion could bepredictable under the new guideline,whether or not further reinforcementsagainst earthquake motion wereneeded, and whether or not a revisionof the new guideline were needed.Other issues were also debated, suchas the reasons why main SSCs did notfail and the way to cope with fire andflooding which are out of scope in theSPSA standard.

TET. What do you regard as the mainopinions that reached consensus?Katsumi Ebisawa. The new guidelinerequires the establishment of DBGMSs based on state-of-the-art knowledgefor investigation of active faults, ana-lytical techniques, and so on. Atpresent, many seismic specialists arestudying the generating mechanismsof the Niigata-ken, Chûetsu-oki earth-quake characteristics. In the near fu-ture, they will confirm if state-of-the-art technology, including new geologi-cal surveys on sea and continental ar-eas, helps accurately establish DBGMSs based on e.g. earthquake sizes andcharacteristics. Under the present situ-ation, it is very important to apply andput into practice the new guidelinestrictly and with sincerity.

TET. What do you consider as essentialtasks in this respect?Katsumi Ebisawa. It is fundamentalto establish DBGM Ss in such a waythat “Residual Risk” shall be mini-mised, taking into account uncertain-ties. Having said that, I think there is

no need to revise the basic policy inthe new guideline, although there isroom for re-categorising SSCs indi-vidually with a view to improving pre-vention, detection and extinction offire as well as prevention of radioactivematerial releases out of controlledzones during an earthquake. Even if aNPP does not satisfy the performancetargets, a seismic PSA can identify risk-significant accident sequences andseismic safety-critical SSCs, then con-firm the efficacy of the improvement.For instance, a seismic PSA can indi-cate whether or not the reinforcementof support structures by means of e.g.anchor bolts is effective for the struc-tures in case of a DBGM Ss. On itsside, AESJ issued a standard for SPSAin March 2007, which utilities are nowfollowing to quantify the “ResidualRisk” for their NPPs.

TET. How does JNES use SPSA toprevent seismic disasters in nuclearfacilities?Katsumi Ebisawa. First reinforce-ments for seismically important SSCsidentified by the SPSA will be pursuedusing state-of-the-art technology suchas seismic component isolation tech-nology. JNES is developing an infor-mation system called PEES for “Post-earthquake plant evaluation andevacuation support”. This system’s aimis to estimate possible damage to thebridges and roads in the neighbour-hood and ultimately indicate theevacuation routes, considering thelikely behaviour of released radioactivesubstances, as well as shelters andvehicles.

33

EUROSAFE Trib

une

>>>>>Specific aspects of fire PSAFire PSA involves the identification andcharacterisation of potentially signifi-cant fire-initiated accident scenarios, aswell as a determination of the cumula-tive risk impact of these scenarios. Simi-lar to the analyses of other initiatingevents addressed in a PSA study, firePSA involves the assessment of the like-lihood and consequences of failures ofplant safety equipment and requiredoperator actions. In general, the firePSA must:- identify potentially important fire

scenarios;- estimate the frequency of occur-

rence of these scenarios;- estimate the probability that specific

fire scenarios will damage key plantequipment (especially electrical ca-

bles for instrument, control, andpower circuits);

- estimate the probability of impor-tant equipment failure modes (in-cluding spurious operations); and

- estimate the probability that, underscenario-specific conditions (includ-ing the possibility of heat, smoke,loss of lighting, and confusing indi-cations, as well as fire-inducedequipment failures), operators fail toperform required actions to achievea safe and stable plant state.

>>>>>The benefits of past R&D:an improved understanding of keyissues and the development of firePSA methodsWith the U.S. Nuclear RegulatoryCommission’s (NRC) enacting of a

F I R E R I S K

R E D U C I N G U N C E R T A I N T Y :H O W F I R E R E S E A R C H S U P P O R T S P S A A N DR I S K M A N A G E M E N TBy Nathan Siu, J.S.Hyslop (US NRC), andSteven P.Nowlen (SNL)

As shown by past experience, including the recent transformer fires at the Krümmel (Germany) andKashiwazaki (Japan) plants, fires can and do occur at NPPs. In a small number of cases (1), they havetriggered chains of events that have seriously challenged plant safety systems. Fire PSA provides amechanism to systematically identify and prioritise potential fire-related vulnerabilities, and to assesspotential risk management strategies. Fire PSA is, in turn, improved by fire safety R&D that addresses keyareas of uncertainty. Fire safety R&D has supported the development of the fire PSA methods, models, andtools used worldwide. In the future, it can be expected that such R&D will continue to play an importantrole in the development of improved methods for assessing and managing risk.

Nathan SiuUnited States Nuclear RegulatoryCommission, (US NRC), USA

34

EUROSAFE Tribune

risk-informed, performance-basedfire protection rule in 2004, and with on-going activities to develop a fire PSAstandard, our current ability to performfire PSA might be taken for granted.However, fire safety R&D, initiated af-ter the 1975 Browns Ferry fire, wasneeded to develop the basic frameworkused in current detailed fire PSAs, as wellas initial versions of the elements of thatframework. This R&D supported therealistic treatment of room-specific fea-tures (including cable locations) throughthe use of fire models. More recent R&Dhas led to an improved understandingof key issues (notably the likelihood andpotential consequences of fire-inducedshort circuits in electrical cables) and thedevelopment of associated fire PSAmethods and data. These efforts havedemonstrated that, despite the inherentcomplexity of fire as a phenomenon, arisk-informed approach to fire safety istechnically feasible.

>>>>>The aims of current efforts:facilitate the performance of highquality fire PSAs and reduce keyuncertaintiesAt present, fire PSA is being used inmany countries to better understandand manage fire risk. Within the U.S.,for example, several utilities have noti-fied the NRC of their intention tomodify their fire protection programsusing the new risk-informed, perform-ance-based fire protection rule. Themodification, which will likely involveupgrades to the plants’ fire PSAs, is ex-pected to help resolve complex, long-standing questions associated with pos-sible operator actions performed duringchallenging fire events, and with poten-

tial fire-induced spurious actuations.Fire PSA is also playing a significant rolein the NRC’s Reactor Oversight Pro-gram where fire PSA results are used toprioritise areas for inspection, and firePSA tools are used to assess the signifi-cance of inspection findings. To supportthese and other applications, currentNRC fire safety R&D and related activi-ties are aimed at: a. facilitating the per-formance of high quality fire PSAs, andb. reducing key uncertainties.Some notable activities are as follows:- Fire risk requantification study. The

purpose of this cooperative activityby the Electric Power Research Insti-tute (EPRI) and the NRC’s Office ofNuclear Regulatory Research (RES)is to develop improved fire PSA meth-ods, tools, and data to support morerealistic assessments for risk-in-formed regulation. To date, the pro-gram has resulted in a fire PSA guid-ance document. Ongoing efforts in-volve the application of the guidancedocument in two pilot plant studies.

- Fire model verification and validation.The purpose of this EPRI/RES co-operative activity is to verify and vali-date five fire-modelling tools com-monly used by the nuclear industry.The approach involved the compari-son of model predictions with datafrom a set of fire experiments, someof which were performed specificallyfor the study. The results to date,summarised in the form of a simplecolour-coded chart, indicate areas ofstrengths and weakness for each ofthe tools. In future work, the uncer-tainties in model predictionswill be quantitatively assessed in aprobabilistic framework.

F I R E R I S K

J. S. HyslopUnited States Nuclear RegulatoryCommission (US NRC), USA

Steven P. NowlenSandia National Laboratories(SNL), USA

35

EUROSAFE Trib

une

- Electrical cable response fire tests. Theprimary objective of the NRC’s Ca-ble Response to Live Fire Project(CAROLFIRE) is to assess the impor-tance of a number of potential firescenarios involving fire-induced shortcircuits. A secondary objective is tofoster the development of cable ther-mal response and electrical failurefire modelling tools, which can beused in fire PSAs. The preliminaryresults of the project are documentedin a draft report issued for publiccomment.

- International fire event data base. TheOECD’s Nuclear Energy Agency(NEA) is currently administering aFire Incident Records Exchange(FIRE) project. The purpose of thisinternational project is to collect andanalyse fire events to support the de-termination of fire frequencies andfire scenario attributes, generateinsights into the causes of fires toenable their prevention or mitigation,and establish a mechanism for feed-back of fire experience.

>>>>>New technologies raising newchallengesThe R&D activities discussed previ-ously are focused on addressing theneeds of current reactors. New tech-nologies introduced through reactorupgrades or new reactor designs canraise new fire PSA questions, including:- The effects of fires on digital instru-

mentation and control systems (in-cluding the effects of smoke, and thebehaviour of fibre optic cables ex-posed to fire);

- The risks of fires involving new ma-terials (e.g. liquid metals);

- The fire risk associated with co-locatedhydrogen facilities; and

- The effects of fire on operator per-formance under operational schemesbeing considered for advanced de-signs (e.g. involving reduced controlroom crew staffing).

In some areas, past R&D efforts (e.g.on the effects of smoke on electrical cir-cuits, and on the characteristics of liq-uid metal fires) may be useful. In othercases, new R&D may be needed.

(1) e.g., 1975: Browns Ferry, 1989:Vandellos, and 1993: Narora.

Cable tray fire experiment with time-temperature curves(figure courtesy of GRS).

Fire-induced circuit failure testing apparatus andinsulation resistance measurements.

F I R E R I S K

36

EUROSAFE Tribune

>>>>>Ever more sophisticated safety casesfrom the industry…The safety cases provided by operatorswithin the framework of licensing proc-esses include safety analyses that relymore and more frequently on computa-tional tools capable of simulating tran-sients as well as accidents and process-ing the complex models used forprobabilistic safety assessments. Such anassessment capability, even if reduced toits analytical aspects, is a huge effort re-quiring considerable resources.The ever larger demand for computer-ised safety case analyses is fuelled by theincreasing trend towards Risk InformedRegulation (RIR 1) and the recent inter-est in methods that are independent ofthe diversity of existing nuclear tech-nologies. It is further fostered by:- new nuclear power plant designs;- the need to confirm the present ap-

plicability of old, “generic” safetyanalyses;

- the wish to extend the life of existingplants, with associated challenges in

T H E B E N E F I T S O F R I S K - B A S E D , C O M P U T E R I S E DD I A G N O S T I C T O O L S I N T H E V E R I F I C AT I O NO F T H E I N D U S T R Y ’ S S A F E T Y A S S E S S M E N T SBy José M. Izquierdo and Miguel Sánchez (CSN)

The growing computational capabilities of information systems allow regulators, supported by TSOs’, to developincreasingly refined risk-based diagnostic tools appropriate for an integrated approach of safety assessment.Yet, such developments, necessary to assess the highly complex safety cases provided by the industry, requireconsiderable resources, calling for a co-operative effort among national TSOs. A regulator’s view.

terms of potential reductions in safetymargins.

>>>>>…challenging the regulators’ andTSOs’ computational resourcesThis trend makes it mandatory for regu-latory bodies to increase their technicalexpertise and capabilities in computer-ised diagnostic tools. Technical SafetyOrganisations (TSOs) have become anessential player in the regulatory proc-ess, providing a substantial part of thetechnical and scientific basis of compu-terised safety analyses based on availableknowledge and analytical methods/tools.TSO tasks cannot have the same scopeas those of their industry counterparts,nor is it reasonable to expect the samelevel of resources. Therefore, in provid-ing their technical expertise, they shallfocus on:- Reviewing and approving methods

and results of licensees; and- Performing their own analyses/calcu-

lations to verify the quality, consist-

D I A G N O S T I C

José M. IzquierdoConsejo de Seguridad Nuclear(CSN), Spain

Miguel SánchezConsejo de Seguridad Nuclear(CSN), Spain

37

EUROSAFE Trib

une

D I A G N O S T I C

ency and conclusions of day-to-day in-dustry assessments.

>>>>>Plea for a jointly developed, inte-grated approachThe latter is a highly complex and par-ticular regulatory task requiring specificTSO diagnostic tools to independentlycheck the validity and consistency of themany assumptions used and conclusionsobtained by the licensees in their safetyassessments. Efficiency is enhanced byincreasing the international co-operationamong national TSOs with a view todeveloping jointly methods and tools.Those shall be independent of domes-tic technology and adaptable to the fa-cilities reviewed by each TSO.The assessment approach shall includea sound combination of deterministicand probabilistic single checks which, atthe same time, are part of an integralsafety assessment method suitable foraddressing all relevant risk factors asso-ciated with decision-making and ensur-ing that the decision ingredients areproperly and consistently weighed.In recent years, different organisationshave undertaken initiatives with claimssuch as the need for an integration ofprobabilistic safety analyses in the safetyassessment, up to the approach of a risk-informed decision-making process, aswell as for proposals of verification meth-ods for application that are in compli-ance with the state of the art in scienceand technology. It is our opinion thatthese initiatives should progressivelyevolve into a sound and efficient inter-pretation of the regulations that may beconfirmed by means of computerisedanalyses. It is not so much a question ofnew regulations from the risk assessment

viewpoint, the aim being rather to en-sure compliance with the existing rulesin a new context by verifying the con-sistency of individual plant assessmentresults through a comprehensive set ofchecks. This can be considered as a keyand novel research topic within nuclearregulatory agencies and TSOs (2).More precisely, issues that require anintegrated approach arise when consid-ering:- The process by which the insights

from these complementary safetyanalyses are combined, and

- Their relationships when addressinghigh level requirements such as de-fence in depth and safety margins.

>>>>>Extending the probabilistic safetymetrics used for consistency checksEstablishing the mutual consistency ofPSA success criteria on one hand andoperating technical specifications on theother is an important issue, as both ofthem are often derived from potentiallyoutdated base calculations performed inolder times, in a different context, andwith a different spectrum of applicationsin mind. This is an important chapterof the optimisation of the protectionsystem design, which encompasses, forinstance, such problems as:- Ensuring that the protection system is

able to cope with all accident scenariosand not only with a predeterminedset. This umbrella character is hard toestablish, particularly in a context ofreduced safety margins. It requires theregulator’s careful attention to the his-toric evolution of the deterministic as-sessments and is a source of potentialconflicts when different techniquesare combined to assess risk.

38

EUROSAFE Tribune

(1) Risk-informed regulation (RIR) isdefined by the US NRC as:“incorporating an assessment ofsafety significance or relative riskin regulatory actions. Making surethat the regulatory burden imposedby individual regulations orprocesses is commensurate withthe importance of that regulation orprocess to protecting public healthand safety and the environment.”

(2) The idea of a European platformof safety codes is the basis of suchEuropean programs as SARNET.The new aspects we are focusingon pertain to methods for checkingconsistency by means ofprobabilistic and deterministictechniques, which, in practice,amount to procedures on how touse these tools for regulatorypurposes.

(3) “An integrated PSA approach toindependent regulatory evaluationsof nuclear safety assessments ofSpanish nuclear power stations”,J. M. Izquierdo et al. (CSN).EUROSAFE Forum 2003, Paris.

- Verifying the adequacy of critical andsensitive success criteria. Many stud-ies aimed at demonstrating the um-brella conditions are outdated andpotentially unsuitable under thesemore restrictive circumstances. Veri-fication of emergency proceduresfor instance is worth mentioning, asit implies to consider longer timescales than those of automatic de-sign accident analyses as well as im-portant uncertainties in the timingof interventions, both potentiallyaltering the umbrella conditions ofthe deterministic design.

- The need to consider degraded coresituations to ensure acceptable re-sidual risks. Again consistency issuesappear requiring regulatory checks.

These consistency checks call for an ap-propriate extension of the probabilisticsafety metrics used, in terms ofexceedance frequencies of safety limitindicators, additional to the widely usedsevere core damage frequency (CDF) andlarge early radioactivity release frequency(LERF). This impacts on the basis of theoperating technical specifications that somuch affect the daily regulatory plant lifeand goes beyond the design phase of li-censing activities.Together with design-based checks, thereis also room for improvements in theanalysis of operating events, the associ-ated lessons learned, and the correct fo-cus on the various aspects mentionedabove. They may or may not be con-firmed in real-life incidents, accountingfor more aspects than the present ap-proaches almost exclusively focused onevent–tree/fault-tree quantification ofCDF and LERF safety metrics.

>>>>>CSN developments towards anintegrated approachJust as an example of existing projectsin the domain of risk-based, computer-ised diagnostics, CSN has developed itsown Integrated Safety Assessmentmethodology (ISA) in the area of Mod-elling and Simulation (MOSI 3). Thisdiagnostic method was designed as aregulatory tool, able to compute the fre-quency of exceeding selected safety lim-its by quantifying the contribution ofPSA sequences and to check in an inde-pendent way the results and assump-tions of the industry’s PSAs, includingtheir extensions/applications to RiskInformed Regulation. The approachharmonises the probabilistic and deter-ministic safety assessment aspects via aconsistent, unified and suitable compu-tational simulation framework calledSystem of Codes for Integrated SafetyAssessment (SCAIS).

>>>>>Conclusion: EUROSAFE, an importantcontribution to the development ofrisk-based, computerised diagnosticmethods and toolsWe have argued in favour of an interna-tional co-operative effort among nationalTSOs, much in line with EUROSAFEgoals: the joint development of TSO di-agnosis tools and methods to performtheir own computerised analysis to verifyquality, consistency, and conclusions ofday-to-day safety assessments performedby industrial operators, in such a waythat asserts consistency of probabilisticand deterministic aspects.

D I A G N O S T I C

39

EUROSAFE Trib

une

U P C O M I N G E V E N T S

EUROSAFE Tribune is a periodical from the EUROSAFE Forum. Editorial Committee: Benoît De Boeck, AVN – Ulrich Erven, GRS –Gustaf Löwenhielm, SKI – Antonio Munuera Bassols, CSN – Edouard Scott de Martinville, IRSN – Peter Storey, HSE – Seppo Vuori, VTT.

Coordination: Horst May, GRS – Emmanuelle Mur, IRSN. Credits: GRS Archiv, DR, Thomas Gogny, Seignette/Lafontan. Writer: Jean-Christophe Hédouin.DTP: Regina Knoll, GRS. Printing: Moeker Merkur Druck.

ISSN: 1634-7676. Legal deposit: April 2008.The EUROSAFE Tribune will be available on the Website: www.eurosafe-forum.org

17-18 April 2008 – Mannheim, GermanyProbabilistische Sicherheitsanalysen in derKerntechnik –Erfahrungen, Erkenntnisse, EntwicklungenTÜV SÜD Akademie GmbH

25-29 May 2008 – Dubrovnik, Croatia7th International Conference on Nuclear Option inCountries with Small and Medium Electricity GridsOrganised by the Croatian Nuclear Society in co-operation with IAEA and Sponsorship from theEuropean Nuclear Society

The EUROSAFE Forum 2008 organisedin Paris (at Cité Internationale) on 3 & 4 November

will be devoted to “The role of TSOs in the context ofan increasing demand for safety expertise”.

8-12 June 2008 – Anaheim (California), USA2008 Annual Meeting on Nuclear Science andTechnology: Now Arriving on Main Street + 2008International Congress on Advances in NuclearPower Plants (ICAPP ’08), embedded InternationalTopical MeetingOrganised by the American Nuclear Society

1-3 October 2008 – Dubrovnik, Croatia,TOPSAFE 2008Organised by the European Nuclear Society

17-21 November 2008 – Mumbai, IndiaInternational Conference on Topical Issues inNuclear Installation Safety: Ensuring Safety forSustainable Nuclear DevelopmentOrganised by the International Atomic Energy Agencyand hosted by the Government of India through theAtomic Energy Regulatory Board of India

INSTITUT DE R ADIOPROTECTIONET DE SÛRETÉ NUCLÉAIRE ( IRSN)

B .P.17F -9226 0 FONTENAY-A UX - ROSES

CEDEX

GESELLSCHAF T FÜR ANL A GEN-UND REAK TORSICHERHEIT (GRS) mbH,

SCHWERTNERG A SSE 1D -50667 KÖLN

FOR FURTHER INFORMATION:www.eurosa fe - fo rum.o rg

Towards Convergence ofTechnical Nuclear Safety Practices in Europe