
Page 1: Introduction to Probabilistic Safety Assessments - …nusbaumer.tripod.com/resources/publications/nusbaumer_introduction... · Introduction to Probabilistic Safety Assessments (PSA)

Introduction to Probabilistic Safety Assessments (PSA) O. Nusbaumer, Leibstadt NPP

1/20

Introduction to Probabilistic Safety Assessments (PSA)

Foreword This lecture attempts to give an overview of Probabilistic Safety Assessment with a minimum of equations and modelling. Its objective is to present the theoretical basis needed to understand the numerous and complex aspects that are covered by PSA nowadays. This lecture is based on Swiss regulation and IAEA 50-P-4. Examples are taken from the Leibstadt Nuclear Power Plant.

Background

Probabilistic Safety Assessment (PSA) is an established technique to numerically quantify risk measures in nuclear power plants.

It sets out to determine what undesired scenarios can occur, with which likelihood, and what the consequences could be. In addition, it can produce indirect information such as the importance of individual risk contributors.

In the nuclear industry, PSA is required to fulfil the following principal objectives:

Provide an estimate of the core damage frequency (CDF) and identify the major accident sequences

Identify those components or plant systems whose unavailability significantly contributes to the core damage frequency

Identify any functional, spatial and human induced dependencies within the plant configuration which contribute significantly to the core damage frequency

Provide a computerized model of the nuclear power plant

Rank the accident sequences and components according to their relative importance

Evaluate the plant operating experience

Evaluate the plant technical specifications and limiting conditions of operation

Support decisions on backfitting and design modifications

PSA comprises a huge model of the nuclear power plant, in which all safety relevant systems, involving thousands of components, are modelled in terms of their reliability and are logically linked together to determine the overall likelihood of core melt accidents.

PSA documentation typically comprises several thousand pages that have to be maintained after each model update (Figure 1).


Figure 1: A typical PSA Documentation

The first step in a Probabilistic Risk Assessment is to identify a top event and trace out the different hazards that could lead to this event. System failures are identified and quantified by system models like Fault Trees (FT) which deduce logical combinations of simpler events. At the lowest level, the Basic Events (BE) of the fault trees are assigned probability distributions. These probability distributions are propagated up through the tree logic to reach a probability distribution of the top event. The response of the plant itself to each group of Initiating Events (IE) is usually modelled by the use of Event Trees (ET). They provide sequences that, depending on successes or failures of relevant systems, lead either to a safe or to a core damage state. This methodology is known as the linked fault tree methodology.

To summarize, the PSA methodology is a logical, deductive technique which specifies an undesired top event and uses fault trees and event trees to model the various parallel and sequential combinations of failures that might lead to an undesired event (e.g. core damage).

The number of failure combinations that might lead to core damage increases exponentially with the number of modelled components. Consequently, effective computer codes and quantification techniques are necessary to solve any large scale problem.

History

The first large scale applications of probabilistic assessment to nuclear safety were the risk analyses performed in the 1970s successively in the USA, the United Kingdom, Germany and other countries.

The Reactor Safety Study WASH-1400 (also known as the Rasmussen Report) evaluated the probability of a number of accident sequences that might lead to melting of the fuel in the reactor (core melt accident), by introducing the linked fault tree technique. A review report known as the Lewis Report (NUREG/CR-0400) followed.

The WASH-1400 study and the German investigations were aimed at the calculation of individual and population risks from the operation of nuclear power plants and compared them to other natural and industrial risks. These studies provided a more realistic assessment of the risks associated with the operation of commercial nuclear power plants.

These studies found that human errors could be a major contributor to reactor accidents. They clarified the impact of test and maintenance, and pointed out the possibility of common mode interactions. In addition, the studies demonstrated the significance of small break Loss Of Coolant Accidents (LOCAs) for Pressurized Water Reactors (PWRs); four years later, the core melt accident at Three Mile Island confirmed that conclusion. They also provided important insights into strengths and weaknesses of the design and operation of the plants under investigation, as well as possible ways to improve plant safety.

PSAs have subsequently been carried out for many existing plants and for new designs, and have continued to confirm the benefit of PSA in identifying plant weaknesses to be remedied. Attempts to develop safety goals and technical acceptance criteria have continued in parallel. More recently, the move to risk informed regulation has opened many new areas where traditional engineering analyses are supplemented and supported by PSA studies. The large scale use of quantitative risk analysis is becoming widespread in other lines of business, including the chemical industry, the financial and insurance sectors, computer networks and other critical infrastructures.

Levels of PSA

In nuclear related applications, three levels of PSA have evolved:

Level 1 PSA: The assessment of plant failures leading to the determination of core damage frequency. It provides insights into design weaknesses and into ways of preventing core damage, which in most cases is the precursor of accidents leading to major radioactive releases with potential health and environmental consequences

Level 2 PSA: Addresses the containment system and phenomenological responses, leading, together with Level 1 results, to the determination of containment release frequencies. It provides additional insights into the relative importance of accident sequences leading to core damage in terms of the severity of the radioactive releases they might cause, and insight into weaknesses in (and ways of improving) the mitigation and management of core damage accidents (e.g. severe accident management)

Level 3 PSA: Addresses the off-site consequences, leading, together with the results of Level 2 analysis, to estimates of public injuries. It provides insights into the relative importance of accident prevention and mitigation measures expressed in terms of the adverse consequences for the health of the public, and the contamination of land, air, water and food provisions. In addition, it provides insights into the relative effectiveness of aspects of accident management related to emergency response planning.

The three PSA levels are depicted in Figure 2.


Figure 2: Levels of PSA

PSA in the integral surveillance concept

PSA is only one aspect of the integral surveillance concept (Figure 3) established by the regulator. Other aspects include:

Deterministic analyses

Radiation protection

Periodic Safety Review (PSR) and Inspection Programs (BIP)

Human aspects (MOS)

Emergency preparedness

Figure 3: PSA in the integral surveillance concept

PSA Team Expertise

The expertise needed to conduct a PSA must provide two essential elements:

intimate knowledge of the nuclear power plant under normal and accident conditions, and

knowledge of PSA aspects in particular, and modelling techniques in general.

This expertise can vary in depth, depending on the scope of the PSA, but the extensive participation of the plant designer and the utility is essential. Ideally, the PSA team should include:


Systems analysts: persons familiar with the design of fluid and electrical systems, operational aspects and plant layout. Disciplines usually include mechanical, electrical and instrumentation and control engineers.

PSA specialists: persons familiar with event tree, fault tree methods and computer programmes.

Operators and operational analysts: persons familiar with operating, test and maintenance procedures, administrative controls, control room layout and accident procedures.

Experts in thermal-hydraulic and neutronic analysis (transient response)

Data analysts: specialists in the collection and statistical analysis of data.

Human factor analysts: persons familiar with the identification and quantification of errors by operator and maintenance personnel.

Access to individuals specializing in statistics, reliability engineering and plant components is important. Access to information on plant transient responses is also required. Additional analysis may be required to eliminate conservatisms from available licensing analyses. It is essential that individuals with operational experience participate in the PSA. If external hazards are included in the scope of analysis, appropriate expertise is required in specific disciplines, such as seismic and flood analysis. In addition to those major types of expertise, a sufficient part of the team (including at least the project management) must be able to provide specific task managerial expertise.

Model Development Basis

The PSA models are traditionally built from logical Boolean expressions. In PSA as found in nuclear-related applications, such logical expressions are typically based on coupled fault tree and event tree models.

Event trees (ET) depict the potential event sequences from the initiating event to the associated consequences. They depict the phenomenological, time-dependent mitigation functions of the accident progression. An event tree is generally read from left to right.

The ET begins with the initiating event. An initiating event (IE) could be a loss of coolant, an earthquake or any other event that causes a plant disturbance and requires safety systems to start. Next to the initiating event are the successive function events that define the success or failure of mitigating functions; branches on the event tree show where the progression of the accident could go depending on the success or failure of the corresponding mitigating function. The event tree headings are normally arranged in either chronological or causal order. Chronological ordering means that events are considered in the chronological order in which they are expected to occur in an accident.

Usually, a branch upwards reflects success of the mitigating function described by the associated function event, while a branch downwards reflects failure of the mitigating function. If a mitigating function is not appropriate to an event sequence, there is no branch at its top event node. In a linked fault tree model, the probabilities of the function events (the split fractions) are evaluated using fault trees; this is where the FT/ET coupling takes place.

A simple ET from the Leibstadt PSA model is shown in Figure 4.


Figure 4: Example of event tree (split fractions are calculated using fault trees)
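To make the event tree mechanics concrete, here is an added example (not code from the lecture or from the Leibstadt PSA) that walks an event tree left to right, multiplying the initiating event frequency by the split fractions along each branch, skipping headings that are not questioned on a given path, and summing the frequencies of the sequences that end in core damage. The initiating event, the headings (RPS, HPCI, DEP, LPCI, RHR), their split fractions and the end-state rule are all constructed for illustration and are not plant data; in a linked fault tree model each split fraction would instead be quantified from the fault tree of that function for that sequence.

```python
"""Event-tree sequence quantification (added example; constructed data)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# heading -> True (success) / False (failure) / None (not questioned on this path)
State = Dict[str, Optional[bool]]
# (heading name, failure probability given the path so far, or None if not questioned)
Heading = Tuple[str, Callable[[State], Optional[float]]]


@dataclass(frozen=True)
class Sequence:
    path: Tuple[Tuple[str, Optional[bool]], ...]
    frequency: float  # same unit as the initiating event (here per year)
    end_state: str


def quantify_event_tree(ie_frequency: float, headings: List[Heading],
                        end_state: Callable[[State], str]) -> List[Sequence]:
    """Walk the tree left to right: up branch = success (1-q), down = failure (q).
    A heading whose split fraction is None on this path has no branch."""
    sequences: List[Sequence] = []

    def walk(i: int, state: State, freq: float) -> None:
        if i == len(headings):
            sequences.append(Sequence(tuple(state.items()), freq, end_state(state)))
            return
        name, split = headings[i]
        q = split(state)
        if q is None:
            walk(i + 1, {**state, name: None}, freq)
        else:
            walk(i + 1, {**state, name: True}, freq * (1.0 - q))
            walk(i + 1, {**state, name: False}, freq * q)

    walk(0, {}, ie_frequency)
    return sequences


def core_damage_frequency(sequences: List[Sequence]) -> float:
    return sum(s.frequency for s in sequences if s.end_state == "CD")


# Constructed loss-of-feedwater transient; all numbers are assumptions, not plant data.
def core_cooled(s: State) -> bool:
    return s.get("HPCI") is True or (s.get("DEP") is True and s.get("LPCI") is True)


LOFW_HEADINGS: List[Heading] = [
    ("RPS", lambda s: 1e-5),                                   # reactor scram
    ("HPCI", lambda s: 0.05 if s["RPS"] else None),            # not questioned after scram failure
    ("DEP", lambda s: 0.01 if s["HPCI"] is False else None),   # depressurisation only if HPCI failed
    ("LPCI", lambda s: 1e-3 if s["DEP"] is True else None),    # low-pressure injection needs DEP
    ("RHR", lambda s: 1e-4 if s["RPS"] and core_cooled(s) else None),  # long-term heat removal
]


def lofw_end_state(s: State) -> str:
    if s["RPS"] is False:
        return "ATWS"  # transferred to a separate event tree, not counted in this CDF
    if not core_cooled(s) or s["RHR"] is False:
        return "CD"
    return "OK"


def lofw_example(ie_frequency: float = 0.1) -> Dict[str, float]:
    seqs = quantify_event_tree(ie_frequency, LOFW_HEADINGS, lofw_end_state)
    return {
        "sequences": len(seqs),
        "total": sum(s.frequency for s in seqs),  # must equal the IE frequency
        "CDF": core_damage_frequency(seqs),
        "ATWS": sum(s.frequency for s in seqs if s.end_state == "ATWS"),
    }


if __name__ == "__main__":
    for s in quantify_event_tree(0.1, LOFW_HEADINGS, lofw_end_state):
        marks = " ".join(f"{h}={'S' if v else 'F' if v is False else '-'}" for h, v in s.path)
        print(f"{marks}  {s.frequency:.3e}/yr  {s.end_state}")
    print(lofw_example())
```

The check that the sequence frequencies sum back to the initiating event frequency is worth keeping in any tree quantifier: it catches a heading that was skipped on one branch but not the other, which silently loses or double counts frequency.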

Fault trees are logical models of fault combinations that could cause a mitigating system to fail to perform its function when required. A FT is generally read from top to bottom. The top event defines the failure of the system or function. In a FT, we thus work in a failure space. Logical gates (i.e. Boolean operators such as AND and OR) are used to illustrate how faults of the system (as described in the boxes below the gate) can combine to result in the failure described in the gate's associated event.

The basic events represent component failures or human errors, to which a reliability model and probability distributions are associated. The top event probability is a function of the probabilities of all the individual basic events that, either on their own or in combination with others, can lead to the top event. In a linked FT PSA model, the individual FTs are normally linked to the function events of the ET. When a FT is linked to an ET, the FT is used to quantify the probability of failure of the ET's function event. A simple FT from the Leibstadt PSA model is shown in Figure 5.

Figure 5: Example of fault tree

FTs are usually developed manually by engineering analysts. Considerable system knowledge is necessary to address the different failure modes, the failure (or success) criteria, system behaviour and consequences.

Side remark: In nuclear related PSA, two different approaches have evolved: the fault tree linking and event tree linking approaches. They both utilize fault trees and event trees to represent and quantify PSA models. The key differences between the two approaches are in the degree of emphasis in the use of fault trees and event trees and in the manner in which the system fault tree logic models are combined to represent entire accident sequences.


Example of calculation using fault trees

At this stage, it may be good to briefly describe the mathematics behind fault tree quantification.

As an example, let's assume an emergency water cooling system consisting of 3 pumps x1, x2 and x3. It is required that at least 2 pumps start on demand to get sufficient cooling flow. This defines the so-called success criterion for the system. Such a system is known as a "two out of three system".

We know the independent start failure probability of each pump p(x1) = p(x2) = p(x3) = q = 0.02 (no common cause failure) and wish to calculate the failure probability of the whole system from them.

Figure 6: Two out of three system

The corresponding fault tree representation is shown in Figure 7.

Figure 7: Two out of three system fault tree

This means that a failure of this system requires either a combined failure of pumps x1 and x2, or of x2 and x3, or of x1 and x3. Another way of depicting this fault tree is Boolean algebra: $\text{TOP} = (x_1 \land x_2) \lor (x_1 \land x_3) \lor (x_2 \land x_3)$.

We define as Minimal Cutsets (MCS) the set of minimal failure combinations that lead to the top event. In our example, the minimal cutsets are easy to find:

{x1, x2}, {x2, x3} and {x1, x3}.

{x1, x2, x3} is a cutset but is not minimal, since it includes other smaller cutsets.

The top event probability for system failure can be estimated as:

$$p_{top} \approx p(x_1)\,p(x_2) + p(x_1)\,p(x_3) + p(x_2)\,p(x_3) = 3q^2 = 0.0012$$

Remark: This is actually not the exact solution, since we neglected the success terms. The exact solution can only be deduced from the corresponding truth table of the system (or using more sophisticated techniques like Binary Decision Diagrams):

x1 fails   x2 fails   x3 fails   System     Probability
no         no         no         success
no         no         yes        success
no         yes        no         success
no         yes        yes        failure    (1-q) q^2
yes        no         no         success
yes        no         yes        failure    q (1-q) q
yes        yes        no         failure    q^2 (1-q)
yes        yes        yes        failure    q^3

Sum of the failure rows: $(1-q)q^2 + q(1-q)q + q^2(1-q) + q^3 = 3q^2 - 2q^3$

Table 1: Truth table for the two out of three system

Or in another form:

$$p_{top} = p(x_1)\,p(x_2) + \bigl(1-p(x_1)\bigr)\,p(x_2)\,p(x_3) + p(x_1)\,\bigl(1-p(x_2)\bigr)\,p(x_3) = 3q^2 - 2q^3 = 0.001184$$

This exact value cannot be read directly from the fault tree representation, nor from a plain sum over its minimal cutsets: that sum neglects the "1-p" success terms (the rare-event approximation) and therefore gives only an upper bound. Recovering the exact value from the cutsets requires an inclusion-exclusion expansion over them, or a technique such as Binary Decision Diagrams that encodes the success branches. Note that the approximation is nevertheless very accurate for small failure probabilities, as is typically the case in practice.

In practice, the numerous emergency systems and their support systems are modelled from their components using large fault trees. Figure 8 is an example of a relatively small emergency cooling system, in which all components are modelled in fault trees together with their respective reliability models.

[Figure 8 is a piping and instrumentation schematic of an emergency cooling system (Leibstadt TJ system): suction from the suppression pool and the condensate storage system (CSS), main pump 31TJ10D001 and jockey pump 31TJ20D001, injection to the reactor vessel and spray sparger, test lines to the suppression pool and CST, interfaces to the residual heat removal (TH), standby liquid control (TW), floor drain (TX), emergency service water (VE) and instrument air distribution (UE) systems, flow transmitters 31TJ10F002 / 31TJ10F003, level transmitters 31TJ10L005 and 31TJ10L007, pressure transmitter 31TJ10P004, and motor-operated, locked-open and locked-closed valves located in the drywell, containment annulus, reactor auxiliary building and machine building. The drawing itself is not reproduced in this transcript.]

Figure 8: Example of modelled emergency cooling system

Importance Analysis

Importance analysis requires the determination of the importance of contributors to core damage frequency, accident sequence frequencies and system failure probability. The following importance measures are often used in a PSA:


Risk Increase Factor (RIF or RAW): Risk increase assuming the component x under investigation is completely failed.

$$RIF(x) = \frac{P(top)\big|_{p(x)=1}}{P(top)}$$

Fussell-Vesely (FV): Fractional contribution of the sequences (cutsets) in which component x is involved. It measures the level of involvement of a given component in the risk.

Differential Importance Measure (DIM): Relative risk increase for a small variation in the reliability of the component x under investigation. As printed in the lecture, the expression is the sensitivity of the top event probability to p(x):

$$DIM(x) = \frac{\partial P(top)}{\partial p(x)}$$

(On its own this partial derivative is the Birnbaum measure; the DIM proper normalises the sensitivity term of component x by the sum of the sensitivity terms of all components, so that the DIMs sum to one.)
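The following added example (not code from the lecture or from the Leibstadt PSA tools) carries the two-out-of-three calculation above through in code and generalises it: it minimises a list of cutsets, quantifies the top event three ways (rare-event sum over the MCS, exact inclusion-exclusion over the MCS, and the truth table of Table 1), and then evaluates RAW, Fussell-Vesely and the sensitivity dP(top)/dp(x) for every basic event by re-quantifying with p(x) set to 1 and to 0. Basic events are assumed independent (no common cause failure, as in the lecture's example); the FV formula used is the standard (P(top) - P(top|p(x)=0)) / P(top), which the lecture describes in words only; the asymmetric probabilities in the main block are constructed, not plant data.

```python
"""Fault tree quantification from minimal cutsets and importance measures (added example)."""
from itertools import combinations, product
from math import prod
from typing import Dict, FrozenSet, Iterable, List

Cutset = FrozenSet[str]
Probs = Dict[str, float]


def minimal_cutsets(cutsets: Iterable[Iterable[str]]) -> List[Cutset]:
    """Drop every cutset that is a strict superset of another (e.g. {x1,x2,x3} above)."""
    sets = {frozenset(c) for c in cutsets}
    minimal = [c for c in sets if not any(other < c for other in sets)]
    return sorted(minimal, key=lambda c: (len(c), sorted(c)))


def k_out_of_n_cutsets(components: Iterable[str], k: int) -> List[Cutset]:
    """A k-out-of-n success criterion fails when n-k+1 components fail together."""
    comps = list(components)
    return [frozenset(c) for c in combinations(comps, len(comps) - k + 1)]


def rare_event(mcs: List[Cutset], p: Probs) -> float:
    """Plain sum of cutset probabilities: neglects the (1-p) success terms,
    hence an upper bound that is accurate only when all p are small."""
    return sum(prod(p[x] for x in c) for c in mcs)


def exact_inclusion_exclusion(mcs: List[Cutset], p: Probs) -> float:
    """Exact top-event probability for independent basic events: sum over all
    combinations of cutsets with alternating sign, each term being the
    probability that every event in the union of the combination fails."""
    total = 0.0
    for r in range(1, len(mcs) + 1):
        for combo in combinations(mcs, r):
            union = frozenset().union(*combo)
            term = prod(p[x] for x in union)
            total += term if r % 2 else -term
    return total


def exact_truth_table(mcs: List[Cutset], p: Probs) -> float:
    """Exact top-event probability by enumerating all 2^n component states
    (Table 1 above); only feasible for small systems."""
    comps = sorted(set().union(*mcs))
    total = 0.0
    for states in product((False, True), repeat=len(comps)):
        failed = {c for c, f in zip(comps, states) if f}
        if any(cut <= failed for cut in mcs):  # some cutset fully failed -> top event
            total += prod(p[c] if f else 1.0 - p[c] for c, f in zip(comps, states))
    return total


def importance_measures(mcs: List[Cutset], p: Probs) -> Dict[str, Dict[str, float]]:
    """RAW (= RIF), Fussell-Vesely and dP(top)/dp(x) for each basic event."""
    base = exact_inclusion_exclusion(mcs, p)
    result: Dict[str, Dict[str, float]] = {}
    for x in p:
        top_failed = exact_inclusion_exclusion(mcs, {**p, x: 1.0})   # x completely failed
        top_perfect = exact_inclusion_exclusion(mcs, {**p, x: 0.0})  # x perfectly reliable
        result[x] = {
            "RAW": top_failed / base,
            "FV": (base - top_perfect) / base,
            # With independent events P(top) is linear in each p(x), so this
            # difference equals the partial derivative dP(top)/dp(x).
            "dP/dp": top_failed - top_perfect,
        }
    return result


def two_out_of_three_example(q: float = 0.02) -> Dict[str, float]:
    """The lecture's example: three pumps, two required, each failing to start with q."""
    pumps = ["x1", "x2", "x3"]
    mcs = minimal_cutsets(k_out_of_n_cutsets(pumps, 2) + [frozenset(pumps)])
    p = {x: q for x in pumps}
    return {
        "n_mcs": len(mcs),
        "rare_event": rare_event(mcs, p),             # 3 q^2
        "exact": exact_inclusion_exclusion(mcs, p),   # 3 q^2 - 2 q^3
        "truth_table": exact_truth_table(mcs, p),
    }


if __name__ == "__main__":
    res = two_out_of_three_example()
    print(f"MCS: {res['n_mcs']}  rare-event: {res['rare_event']:.6f}  exact: {res['exact']:.6f}")
    # Constructed asymmetric case: pump x1 has a worse start failure probability.
    p = {"x1": 0.05, "x2": 0.02, "x3": 0.02}
    for x, m in importance_measures(k_out_of_n_cutsets(p, 2), p).items():
        print(x, {k: round(v, 4) for k, v in m.items()})
```

The inclusion-exclusion routine is exponential in the number of cutsets, which is why production codes truncate the expansion or use BDDs; for the small examples here it is exact and serves to show how far the rare-event upper bound is from the truth.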

Identification and selection of radioactivity sources

The PSA should cover all the potential sources of significant radioactivity in the nuclear power plant (NPP). For example, for a LWR, this list should include the reactor core, the refuelling pool, spent fuel handling facilities and waste storage tanks. If any of these sources are excluded from detailed modelling in the PSA, the exclusion should be justified.

Determination and selection of plant operating states

Probabilistic safety assessments have often considered only one plant operating state in which an accident may be initiated, that of normal full power operation. Nowadays, modern PSA typically covers all modes of operation, like low-power operation, shutdown and refuelling, for which:

1. other accident initiators might occur or

2. success criteria for and/or the unavailability of some systems might differ from those of full power operation.

These criteria define the basis for establishing plant operating states to be modelled.

In advanced PSA models, many operating states are considered. For LWR, the number of modelled plant operating states typically varies between 5 and 20.

Selection of Initiating Events

An initiating event (IE) is an event that creates a disturbance in the plant and has the potential to lead to core damage, depending on the successful operation of the various mitigating systems in the plant.

Initiating events are generally classified into internal IEs (LOCA and transient initiators) and hazards (internal and external). Internal IEs are hardware failures in the plant or faulty operations of plant hardware through human error or software deficiencies. Loss of connection to the grid (complete or partial) is sometimes classified as an external hazard, but it is recommended that it should be considered as an internal IE. Electrical supply faults such as excessive variations in grid voltage and frequency should also be included.

Loss of coolant accident (LOCA) initiators are all events that directly cause loss of integrity of the primary coolant pressure boundary. Of particular importance are events in systems that have an interface with the primary coolant system and lead to LOCAs outside the containment (interfacing systems LOCAs). A second category of LOCA of special importance includes those breaks that occur at locations that can entirely or partially disable systems required for mitigating the accident.

Transient initiators are those that require reactor power reduction or shutdown and subsequent removal of decay heat. Of particular interest are events that cause a transient and at the same time total or partial failure of a system required for mitigating consequences. A special subset of this type of transients is those that are caused by complete or partial failure of support systems.

External hazards (or external events) are events that cause extensive damage common to several plant systems. External hazards include earthquakes, floods, high winds and aircraft crashes.

Internal hazards include internal flooding, fire and turbine bursting.

When the list of IEs has been made as comprehensive as possible, it should be reviewed to remove any repetitions or overlaps. Once identified, the IEs are normally listed in a systematic way in the following categories:

LOCAs

transients applicable to the plant

transients initiated by support system faults which affect mitigating systems

hazards (internal and external)

It should be recognized that subsequent steps in the PSA analysis may reveal further IEs. A modern PSA includes several hundred initiating events.

Determination of safety functions

Important safety functions for LWR against core damage include:

1. Control of reactivity

2. Remove core decay heat and stored heat

3. Maintain integrity of primary reactor coolant boundary (pressure control)

4. Maintain primary reactor coolant inventory

5. Protect containment integrity (isolation, overpressure)

6. Scrub radioactive materials from containment atmosphere

For each IE, the safety functions that must be performed in order to prevent core damage should be identified, as a basis for developing event trees. Several definitions of safety functions are possible, depending on the degree of resolution of the initial general safety objective.

Initiating events can only be grouped if the demands they place on safety functions, front line systems, support systems and success criteria are the same.

A cut-off criterion may be applied to separate out those IEs which are of very low frequency. The purpose is to avoid undue effort in systems analysis for low frequency IEs which will not make a significant contribution to the overall core damage frequency.


Event sequence modelling

Once accident initiating events have been identified and grouped, it is necessary to determine the response of the plant to each group of initiating events. This modelling of the responses results in the generation of event sequences. An event sequence model provides sequences of events that, following an initiating event, lead either to a successful state or to a core damage state. Event sequences are expressed in terms of initiating events and successes or failures of mitigating systems, typically using event trees. System failures are subsequently represented by another set of system models which are logical combinations of simpler events (using fault trees). Use of the combined event tree/fault tree method represents the recommended basic modelling approach.

The event sequence models simulate the response of the plant to an accident initiator and consequently are based on supporting deterministic transient and LOCA analyses in which the success criteria required from the various systems are determined. The success criteria for the same system may differ for different accident sequences. It is then possible to characterize the end result of each event sequence as a success state (if the initiating event has been mitigated) or a failed state (core damage).

System Modelling

The most usual element of an event sequence model is the failure or success of a system. As already stated above, system modelling is typically done using fault trees.

Before any specific method is applied, a very good understanding of the system operation as well as the operation of its components and the effects of their failure on system success is necessary. Such knowledge and understanding can be achieved through a qualitative analysis, e.g. a failure modes and effects analysis (FMEA).

The faults (identified in FMEA) can be events associated with component hardware failures, human errors, maintenance or test unavailabilities or any other pertinent events that can lead to the undesired state. A system fault tree thus depicts the logical interrelations of basic events that lead to the system failure, which is the top event of the fault tree.

Human Performance Analysis

Human performance that relates to the initiating events and subsequent system responses should be analyzed in detail. Human acts covered by this analysis are all those identified during the course of model development as having a potential impact on the structure and output of the models. The treatment of human performance in a PSA is still evolving owing to the complexity of human behaviour and to a general lack of relevant data. There is a growing consensus, however, on the usefulness and applicability of certain methodologies and techniques (THERP, SLIM, ASEP etc.).

Human interactions that can affect both the cause and the frequency of an event sequence can take place before, during or after the initiation of the event sequence and can either mitigate or exacerbate an accident. On the basis of these considerations, the following classification scheme is possible:

Category A (Type 1) human errors made before an accident sequence has begun.


Category B (Type 2) actions that cause initiating events and may concurrently fail safety related systems.

Category C (Types 3, 4 and 5) actions that concern response to an accident sequence.

Human error probabilities (HEP) must be evaluated. Ideally, data for estimating these probabilities would come from a large number of people performing the tasks. However, there is a lack of actual data on human performance. Human error probability assessments must therefore be based on extrapolation from other sources of information combined with expert judgement, or on expert judgement alone. Such methodologies to quantify HEP include THERP, SLIM, ASEP.

Reliability Model of Components

We now turn to the modelling and quantification of component failure probabilities and unavailabilities. In general, these models estimate the probability that a component will not perform its intended function and they depend on the mode of operation of the system to which the components belong.

Standby equipment

The major reliability measure of interest for standby systems is their unavailability on demand. It is presently assumed that the unavailability of a standby system can be reasonably approximated by the use of fault trees (or some other logic model) in which the component time averaged unavailabilities are used as the probabilities of the basic events.

The component time averaged unavailabilities are derived on the assumption that the failure of a component is a time dependent phenomenon and that the time to failure during the standby period is a random variable distributed according to a certain distribution (usually exponential). The unavailability of these components is a function of the standby time. If the component is tested periodically, the unavailability becomes a periodic function of time.

To reduce the burden of calculation, the time dependent unavailabilities of the components may be substituted in some logic models by their average values over the period of the analysis. This assumption allows the component unavailabilities to be considered as 'constant' in the models.

If the component is periodically tested, then the average unavailability during the period of analysis is the average unavailability during the period between tests.

Obviously, the value of this averaged constant unavailability depends on, among other things, the period of testing (test interval). An alternative model that has been proposed for components during the standby period is that of constant unavailability or constant failure probability per demand. This model assumes that the failure of the component is only caused by immediate influences related to the demand. The unavailability does not change with time nor is it affected by tests or actual demands. In fact, tests should be avoided if this model holds.

The unavailability (probability that the equipment is unavailable at the time of demand, e.g. fail to start) is a function of the standby time t and is given by an exponential decay.

Suppose we are given a batch of N_0 = 1000 identical components (say, pumps), and each running pump has a probability of λ = 0.1 of failing in any given operating hour.


This suggests that about 100 components are likely to fail in the first hour, leaving us with N(t = 1) = 900 functioning pumps. In the second hour we would again expect to lose about 0.1 of our functioning pumps, i.e. 90 pumps, leaving us with N(t = 2) = 810. In the third hour we would expect about 81 pumps to fail, and so on. Clearly this is an exponential decay, where each hour we lose 0.1 of the remaining functional units. In a situation like this we say that the pumps have a constant failure rate λ (in this case, 0.1 per hour), which results in an exponential failure distribution. The number of remaining functioning components at time t follows the differential equation:

$$\frac{dN(t)}{dt} = -\lambda\, N(t), \qquad N(0) = N_0$$

For a single component, the unavailability Q(t) at time t is defined as:

$$Q(t) = 1 - \frac{N(t)}{N_0} = 1 - e^{-\lambda t}$$

Side remark: another way to view the failure rate is as the conditional probability of failing in the next instant, given survival up to time t:

$$\lambda = \lim_{\Delta t \to 0} \frac{Q(t + \Delta t) - Q(t)}{\Delta t \cdot \underbrace{\bigl(1 - Q(t)\bigr)}_{\text{survived}}}$$

Now the average unavailability over time T is calculated as the average of Q(t) as follows:

$$\bar{Q}(T) = \frac{1}{T}\int_0^T \left(1 - e^{-\lambda t}\right) dt = 1 - \frac{1 - e^{-\lambda T}}{\lambda T} \;\overset{\text{Taylor}}{=}\; 1 - \frac{1}{\lambda T}\left(1 - \sum_{i=0}^{\infty} \frac{(-\lambda T)^i}{i!}\right) \approx \frac{\lambda T}{2}$$

We may now ask what the mean time for a component to fail is. For this reliability model, the mean time to failure (MTTF) is given by the inverse of the failure rate:

$$\mathrm{MTTF} = \int_0^{\infty} t \underbrace{\frac{dQ(t)}{dt}}_{\text{density function}} dt = \frac{1}{\lambda}$$

Those equations define the basis for developing more advanced reliability models.

Depending on how a component is tested, we can distinguish three types of components of standby systems:

Periodically tested standby components

$$\bar{Q}(T_i) = 1 - \frac{1 - e^{-\lambda T_i}}{\lambda T_i} + \frac{T_r}{T_i}\left(1 - e^{-\lambda T_i}\right)$$

where T_i is the test interval and T_r is the repair time. The average repair time T_r is estimated as the sum of the observed repair times divided by the number of repair actions. The repair times should include detection and waiting times.

Untested standby components

$$\bar{Q}(T_m) = 1 - \frac{1 - e^{-\lambda T_m}}{\lambda T_m} \approx \frac{\lambda T_m}{2}$$

typically using T_m = one full plant operating cycle.

Inspected components

$$\bar{Q}(T_i) = 1 - \frac{1 - e^{-\lambda T_i}}{\lambda T_i} + \frac{T_r}{T_i}\left(1 - e^{-\lambda T_i}\right)$$

where T_i is the inspection interval and T_r is the repair time.

Continuously monitored components

$$Q = \frac{\lambda T_r}{1 + \lambda T_r}$$

Operating equipment

For operating systems, the reliability characteristic of interest is generally the probability that the system will fail to operate successfully for a given period of time T_m (the mission time). It is assumed that the failure probability of an operating system can be approximated by the use of fault trees or some other appropriate logic model in which the component failure probabilities up to the time T_m are used. The failures of operating components are again assumed to follow an exponential distribution, with an operating failure rate λ_m instead of a standby rate. Operating systems contain two general types of components: non-repairable components and repairable components.

Non-repairable components. The operating failure rate is estimated in a completely analogous way to that for the other failure rates mentioned earlier.

$$Q(T_m) = 1 - \frac{1 - e^{-\lambda_m T_m}}{\lambda_m T_m} \approx \frac{\lambda_m T_m}{2}$$

with T_m = mission time (typically 24 hours).

Repairable components. Care must be exercised when calculating the unavailability.

$$Q = \frac{\lambda_m T_r}{1 + \lambda_m T_r}$$
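The models above can be put side by side in a few lines of code. The following is an added worked example, not part of the lecture: it implements the lecture's formulas for Q(t), the time-averaged unavailability and its λT/2 approximation, the MTTF, and the tested, untested, inspected, continuously monitored and operating-component cases, and reproduces the 1000-pump count. The numerical inputs (λ = 10^-5 per hour, a 720 h test interval, a 24 h repair time, an 8000 h operating cycle) are constructed for illustration. It also shows two checks the lecture only implies: how far λT/2 is from the exact average as λT grows, and that a per-hour failure probability of 0.1 corresponds to λ = -ln(0.9) ≈ 0.105 per hour in the continuous model, so the discrete pump count and the exponential formula agree only to first order.

```python
"""Component reliability models from the lecture (added worked example; not
part of the original text). Constant failure rate lambda [1/h], exponential
time to failure, time-averaged unavailability over a test, inspection or
mission interval, with the lecture's repair-time corrections. All numbers in
the demo at the bottom are constructed for illustration.
"""
import math


def surviving_population(n0: float, p_fail_per_hour: float, hours: int) -> list:
    """Expected functioning units after each hour when every functioning unit
    fails with probability p_fail_per_hour in each hour.
    Reproduces the lecture's pump batch: 1000 -> 900 -> 810 -> 729 ..."""
    n = [float(n0)]
    for _ in range(hours):
        n.append(n[-1] * (1.0 - p_fail_per_hour))
    return n


def rate_from_hourly_probability(p: float) -> float:
    """Continuous rate equivalent to a per-hour failure probability p:
    1 - exp(-lambda * 1 h) = p  =>  lambda = -ln(1 - p).
    For p = 0.1 this is 0.105/h, not 0.1/h: the discrete 10 %-per-hour story
    and the constant-rate exponential model agree only to first order."""
    return -math.log1p(-p)


def unavailability(lam: float, t: float) -> float:
    """Q(t) = 1 - exp(-lambda t): probability the component has failed by time t."""
    return -math.expm1(-lam * t)          # expm1 keeps precision for small lambda t


def mean_unavailability(lam: float, T: float) -> float:
    """Time average of Q(t) over [0, T]: 1 - (1 - exp(-lambda T)) / (lambda T)."""
    x = lam * T
    if x == 0.0:
        return 0.0
    return 1.0 - (-math.expm1(-x)) / x


def mean_unavailability_taylor(lam: float, T: float) -> float:
    """First-order Taylor approximation lambda T / 2 of the average unavailability."""
    return lam * T / 2.0


def mttf(lam: float) -> float:
    """Mean time to failure of the exponential model: integral of t dQ/dt dt = 1/lambda."""
    return 1.0 / lam


def periodically_tested(lam: float, T_i: float, T_r: float) -> float:
    """Standby component tested every T_i hours and repaired in T_r hours on
    average: averaged standby unavailability plus the fraction of the test
    interval spent in repair after a failure revealed by the test."""
    return mean_unavailability(lam, T_i) + (T_r / T_i) * unavailability(lam, T_i)


# The lecture's inspected-component formula is the same with T_i = inspection interval.
inspected = periodically_tested


def untested(lam: float, T_m: float) -> float:
    """Standby component with no test: failures are revealed only on demand,
    so the averaging period is the whole operating cycle T_m."""
    return mean_unavailability(lam, T_m)


def continuously_monitored(lam: float, T_r: float) -> float:
    """Failure detected at once; unavailability is the repair fraction
    lambda T_r / (1 + lambda T_r). The lecture uses the same form for
    repairable operating components with the operating rate lambda_m."""
    return lam * T_r / (1.0 + lam * T_r)


def operating_nonrepairable(lam_m: float, T_m: float) -> float:
    """Operating component over mission time T_m with operating rate lambda_m,
    in the averaged form the lecture quotes (about lambda_m T_m / 2)."""
    return mean_unavailability(lam_m, T_m)


def taylor_relative_error(lam: float, T: float) -> float:
    """Relative distance of lambda T / 2 from the exact average; grows with lambda T."""
    exact = mean_unavailability(lam, T)
    return abs(mean_unavailability_taylor(lam, T) - exact) / exact


if __name__ == "__main__":
    lam = 1.0e-5   # constructed standby failure rate, per hour
    print(surviving_population(1000, 0.1, 3))
    print(f"lambda for 10 %/h         : {rate_from_hourly_probability(0.1):.4f} /h")
    print(f"monthly test, 24 h repair : {periodically_tested(lam, 720, 24):.3e}")
    print(f"untested, 8000 h cycle    : {untested(lam, 8000):.3e}")
    print(f"monitored, 24 h repair    : {continuously_monitored(lam, 24):.3e}")
    print(f"Taylor error, lam*T=0.0072: {taylor_relative_error(lam, 720):.2%}")
    print(f"Taylor error, lam*T=1     : {taylor_relative_error(1.0, 1.0):.2%}")
```

With λT = 0.0072 the λT/2 shortcut is off by about 0.24 %; with λT = 1 it is off by more than 30 %, which is why the shortcut is only used where λT is small.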

Component failure rate estimation

Although many nuclear power plants have established rather extensive collections of operating and maintenance data, and although some of these systems have been computerized since the plants began to operate, very few stations have data systems designed specifically to provide plant specific data for use in a PSA. The parameter to be estimated is either the standby failure rate λ_s or the operating failure rate λ_m of the exponential distribution. The steps for estimating both these parameters are as follows:

Identify the component population whose failure history is to be used to estimate the assumed common component failure rate (i.e. components assumed to have the same failure rates).

Identify the time period during which the component failures are to be counted. In the component population, count the total number of failures N and the total component standby time T (or total operating time for operating components) for the time period. Care should be taken to avoid counting preventive maintenance actions as catastrophic failures. This distinction is not always made in plant records.

Estimate the plant specific mean failure rate as λ = N/T. From the Bayesian point of view this estimate is the mean of the posterior distribution of λ if a non-informative prior distribution is assumed. This estimate is also the maximum likelihood estimator of the parameter of an exponential distribution.

For an assessment of the uncertainties, a Bayesian approach can be used in which an appropriate prior distribution is updated to provide a posterior distribution.

For estimating the reliability data (e.g. probabilities and failure rates), existing compiled lists of such parameters, gained from national or international experience, can be used. These lists are usually referred to as generic databases; they range from published plant specific lists to lists based on information from more than one plant, which are called "generic". Generic (e.g. international) reliability data should always be combined with plant specific experience using a Bayesian approach; this is referred to as data specialisation or data refinement. The Bayesian approach uses as much of the international experience (the prior) as needed, but not excessively, especially where the plant specific experience is large, in order to obtain more accurate information on the parameter (the posterior). If the plant's own experience is small, the generic data dominate. The underlying method is Bayes' theorem, extended to continuous distributions:

$$p(H \mid E) = \frac{p(E \mid H)\, p(H)}{p(E)}$$

E: plant specific experience (evidence); H: hypothesis about the parameter λ. For a continuous parameter, with f(λ) the prior density and f(E | λ) the likelihood of the evidence:

$$f(\lambda \mid E) = \frac{f(E \mid \lambda)\, f(\lambda)}{\int_0^{\infty} f(E \mid \lambda)\, f(\lambda)\, d\lambda}$$

Figure 9: Bayesian update process (prior and posterior distributions of λ, plotted on a logarithmic scale from 1E-09 to 1E+00)
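As an added worked example, not from the lecture, the data specialisation described above is carried out numerically. It assumes a gamma prior for λ and a Poisson likelihood for N failures in T component-hours, which the lecture does not specify; that pair is conjugate, so the posterior is again a gamma distribution, the denominator integral has a closed form, and the posterior mean is a weighted average of the generic mean and the plant-specific N/T with weight T/(β+T) on the plant data. The last function evaluates the continuous Bayes formula by direct numerical integration, without the conjugate shortcut, so the closed form can be checked against it. All numbers (generic mean 10^-5 per hour with coefficient of variation 1, plant data of 0 failures in 50 000 h and of 40 failures in 2 000 000 h) are constructed.

```python
"""Bayesian specialisation of a generic failure rate with plant-specific
evidence (added worked example; not part of the original lecture).

Assumption, stated because the lecture names no distribution: the generic
prior for lambda is Gamma(alpha, beta) (shape alpha, rate beta in hours) and
the evidence E is a Poisson count of N failures in T component-hours. Gamma
is conjugate to Poisson, so the posterior is Gamma(alpha + N, beta + T).
All numerical inputs are constructed for illustration.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class GammaPrior:
    alpha: float   # shape: "virtual" failures behind the generic estimate
    beta: float    # rate:  "virtual" component-hours behind the generic estimate

    @classmethod
    def from_mean_cv(cls, mean: float, cv: float) -> "GammaPrior":
        """Generic databases give a mean and a spread; with cv = std/mean,
        alpha = 1/cv^2 and beta = alpha/mean reproduce both exactly."""
        alpha = 1.0 / cv ** 2
        return cls(alpha, alpha / mean)

    @property
    def mean(self) -> float:
        return self.alpha / self.beta if self.beta > 0 else float("nan")

    @property
    def std(self) -> float:
        return math.sqrt(self.alpha) / self.beta

    def update(self, failures: int, hours: float) -> "GammaPrior":
        """Posterior after N failures in T hours (conjugate update).
        GammaPrior(0, 0) is the improper non-informative prior: its posterior
        mean is exactly N/T, the lecture's plant-specific estimate."""
        return GammaPrior(self.alpha + failures, self.beta + hours)


def mle(failures: int, hours: float) -> float:
    """Maximum likelihood estimate lambda = N/T."""
    return failures / hours


def plant_data_weight(prior: GammaPrior, hours: float) -> float:
    """Weight of N/T in the posterior mean: T / (beta + T). The generic prior
    gets the rest, so it dominates only while plant experience is small."""
    return hours / (prior.beta + hours)


def gamma_logpdf(lam: float, alpha: float, beta: float) -> float:
    return alpha * math.log(beta) + (alpha - 1.0) * math.log(lam) - beta * lam - math.lgamma(alpha)


def gamma_pdf(lam: float, alpha: float, beta: float) -> float:
    return math.exp(gamma_logpdf(lam, alpha, beta))


def poisson_loglik(lam: float, failures: int, hours: float) -> float:
    """log f(E | lambda) for N failures in T hours at rate lambda."""
    return failures * math.log(lam * hours) - lam * hours - math.lgamma(failures + 1)


def posterior_pdf_numeric(prior: GammaPrior, failures: int, hours: float, lam: float) -> float:
    """f(lambda | E) = f(E | lambda) f(lambda) / integral f(E | l) f(l) dl, with
    the denominator done by a midpoint rule instead of the conjugate shortcut.
    The grid extent is taken from the conjugate posterior only to bound the
    integration range; the integrand itself uses prior and likelihood only."""
    post = prior.update(failures, hours)
    hi = post.mean + 12.0 * post.std
    n = 20000
    step = hi / n
    grid = [step * (i + 0.5) for i in range(n)]
    z = sum(math.exp(gamma_logpdf(x, prior.alpha, prior.beta)
                     + poisson_loglik(x, failures, hours)) for x in grid) * step
    return math.exp(gamma_logpdf(lam, prior.alpha, prior.beta)
                    + poisson_loglik(lam, failures, hours)) / z


if __name__ == "__main__":
    generic = GammaPrior.from_mean_cv(1.0e-5, 1.0)       # constructed generic data
    for n, t in ((0, 5.0e4), (40, 2.0e6)):                # constructed plant data
        post = generic.update(n, t)
        print(f"N={n:>3} T={t:.1e} h: MLE {mle(n, t) if n else 0:.2e}, "
              f"posterior mean {post.mean:.3e}, std {post.std:.2e}, "
              f"plant weight {plant_data_weight(generic, t):.2f}")
    post = generic.update(40, 2.0e6)
    print(f"closed form {gamma_pdf(post.mean, post.alpha, post.beta):.4e} vs "
          f"numeric {posterior_pdf_numeric(generic, 40, 2.0e6, post.mean):.4e}")
```

With 0 failures in 50 000 h the plant data carry a weight of only one third and the posterior mean stays near the generic value; with 40 failures in 2 000 000 h the weight is about 0.95 and the posterior mean is close to N/T, with a much narrower uncertainty band than the prior.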


Regulatory Basis in Switzerland

Based on Article 4 Paragraph 3 of the Swiss Nuclear Energy Act (KEG) of 21 March 2003 (SR 732.1), licensees of nuclear installations are required to introduce all safety measures that are deemed necessary.

In regulatory guides ENSI-A05 and ENSI-A06, PSA is depicted as a tool to evaluate the necessity and adequacy of safety measures.

In addition, these guidelines are based on the following articles in the Nuclear Energy Ordinance (KEV) of 10 December 2004 (SR 732.11):

Article 33 Paragraph 1a KEV (systematic safety evaluation: impact of plant modifications, events and findings on plant safety and in particular on the risk)

Article 8 Paragraph 5 KEV (requirements on measures for protection against accidents)

Article 10 Paragraph 1k KEV (accident prevention to take priority over mitigation of consequences)

Article 24 Paragraph 1b KEV (probabilistic requirements to obtain construction permit for a new nuclear power plant)

Article 28 Paragraph 1 KEV (documents to be submitted with the application for an operating license, in particular the requirement for a current, plant-specific PSA)

Article 34 Paragraph 2d KEV (Periodic Safety Review: PSR)

Article 35 Paragraph 1 KEV (Ageing surveillance)

Article 37 KEV in conjunction with Appendix 5 (periodic reporting: list of PSA-relevant plant modifications)

Article 40 Paragraph 1c No. 4 and Paragraph 4 KEV (modifications requiring approval: Technical Specification)

Article 41 Paragraph 1 KEV (documentation, in particular a current, plant specific PSA)

Article 82 KEV (transitional regulation).

Article 33 Paragraph 1a and Article 41 Paragraph 1 KEV require a current, plant-specific PSA that shall be periodically maintained and upgraded based on the following principles:

For the Level 1 PSA:

A complete revision of the PSA shall at the latest be carried out in the course of the PSR. At this time, it shall be determined whether it is necessary to change the applied methods in order to reflect the state of the art (as far as not already described in ENSI-A05).

At least once every 5 years, plant-specific data shall be updated and plant modifications shall be incorporated into the PSA model and documented. The low-power and shutdown PSA shall be updated and submitted to ENSI at the latest one year after the update of the full-power PSA.

If the combined impact of the PSA-relevant plant modifications not yet incorporated in the PSA model is expected to result in more than about 10% change in Core Damage Frequency (CDF) or Fuel Damage Frequency (FDF) respectively, these modifications shall be incorporated in the PSA model and documented within a year’s time.

For the Level 2 PSA:

A complete revision of the PSA shall at the latest be carried out in the course of the PSR. At this time, it shall be determined whether it is necessary to change the applied methods in order to reflect the state of the art (as far as not already described in ENSI-A05).

The requirement of updating the Level 2 PSA outside the scope of PSR will be decided by ENSI on a case-by-case basis.

Changes to the PSA model shall be carried out according to a procedure that ensures that the PSA model represents the current state of the plant. The impact of the plant modifications not yet incorporated in the PSA model on CDF, FDF and Large Early Release Frequency (LERF) shall be quantitatively estimated (Article 37 KEV, Appendix 5 KEV) and summarized in a list.

PSA Applications in Switzerland

In the following, the PSA applications that shall be carried out as a minimum requirement are listed. The implications of these applications are depicted in Figure 10.

Figure 10: ENSI-A06 Implications

Probabilistic Evaluation of the Safety Level


It shall be demonstrated that the mean CDF of a plant is less than 10^-5 per year. The following risk measures and criteria shall be applied at existing operating plants for the probabilistic evaluation of the safety level and of the necessity of measures:

For the probabilistic evaluation of the safety level in full-power operation:

If the mean CDF (LERF) is greater than 10^-5 per year (10^-6 per year), measures to reduce the risk shall be identified and, to the extent appropriate, implemented.

For the probabilistic evaluation of the safety level in non-full-power operation:

If the mean FDF is greater than 10^-5 per year, measures to reduce the risk shall be identified and, to the extent appropriate, implemented.

The assessment of the safety for operating nuclear power plants shall be carried out during the annual systematic safety evaluation as part of the report on probabilistic evaluation of operational experience and as part of the PSR.

Evaluation of the Balance of the Risk Contributors

The balance among the contributors to risk shall be investigated as follows:

The balance among the risk contributions from accident sequences, components and human actions shall be evaluated. If any of the accident sequences, components or human actions are found by PSA to have a remarkably high contribution, measures to reduce the risk shall be identified and, to the extent appropriate, implemented.

If an initiating event category contributes more than 60% to the mean CDF and its contribution is more than 6·10^-6 per year, measures to reduce the risk shall be identified and, to the extent appropriate, implemented.

If the ratio of the mean CDF to CDF_Baseline (i.e. the nominal CDF without unavailabilities) is greater than 1.2, measures to reduce the risk due to planned or unplanned maintenance shall be identified and, to the extent appropriate, implemented.

The evaluation of the balance of the risk contributions shall at least be carried out in the course of the PSR.

Probabilistic Evaluation of the Technical Specifications

The Technical Specifications shall be evaluated as follows:

Probabilistic Evaluation of the Completeness and the Balance of the Allowed Outage Times

Probabilistic Evaluation of Component Maintenance during Full-Power Operation

No component unavailability configuration i resulting from maintenance shall result in a Conditional Core Damage Frequency (CCDF_i) greater than 1·10^-4 per year, and the total cumulative maintenance time for components shall be limited such that the portion of the Incremental Cumulative Core Damage Probability (ICumCDP) resulting from maintenance is less than 5·10^-7.

Probabilistic Evaluation of Changes to Technical Specifications


The CDF calculated considering the change should remain below 10^-5 per year.

Probabilistic Evaluation of Changes to Structures and Systems

The CDF calculated considering the change should remain below 10^-5 per year.

Risk Significance of Components

The following criteria shall be used for the evaluation of the risk significance of components:

A component is regarded as significant to safety from the PSA point of view if the following, in terms of CDF or FDF or LERF, applies (selection criterion):

FV ≥ 10^-3 or RAW ≥ 2

Components, which are regarded as significant to safety from the PSA point of view, shall be included in a list with the above mentioned importance measures. This list is an integral part of the operating documents.

The list shall be updated at the time of the PSR.
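The component screening criterion above and the maintenance-configuration criteria (CCDF_i, ICumCDP) can be exercised on a small fault tree. The following added example is not the lecture's model and uses no Leibstadt data: it constructs a system of one common isolation valve V in series with three redundant pump trains A, B and C behind a single initiating event, computes the CDF exactly by enumerating basic-event states, and evaluates the standard importance measures (FV_i = (CDF − CDF with Q_i = 0)/CDF; RAW_i = CDF with Q_i = 1, divided by CDF), the conditional CDF with a component out of service, and the ICCDP of an outage of given duration. The unavailabilities, the initiating event frequency and the outage durations are constructed; the thresholds (FV ≥ 10^-3 or RAW ≥ 2, CCDF_i < 1·10^-4 per year, ICumCDP < 5·10^-7) are the ENSI-A06 values quoted in the text.

```python
"""Risk significance of components and maintenance-configuration risk on a
small constructed fault tree (added worked example; not the lecture's model).

Importance measures (standard PSA definitions):
  FV_i   = (CDF - CDF[Q_i = 0]) / CDF    share of CDF removed if i were perfect
  RAW_i  = CDF[Q_i = 1] / CDF            CDF multiplier if i is known failed
  CCDF_i = CDF[Q_i = 1]                  conditional CDF with i out of service
  ICCDP  = (CCDF_i - CDF) * outage_hours / 8760
Thresholds are the ENSI-A06 values quoted in the text.
"""
from itertools import product
from typing import Callable, Dict, List, Tuple

FV_LIMIT, RAW_LIMIT = 1.0e-3, 2.0     # selection criterion for risk significance
CCDF_LIMIT = 1.0e-4                   # per year, per maintenance configuration
ICUMCDP_LIMIT = 5.0e-7                # cumulative, from maintenance

# Constructed example: initiating event mitigated by a common isolation valve V
# in series with three redundant pump trains A, B, C. Core damage if the valve
# fails OR all three pumps fail. Unavailabilities are illustrative.
IE_FREQ = 5.0e-3                                         # per year
UNAVAIL = {"V": 1.0e-3, "A": 5.0e-3, "B": 5.0e-3, "C": 5.0e-3}


def top_event(failed: Dict[str, bool]) -> bool:
    return failed["V"] or (failed["A"] and failed["B"] and failed["C"])


def top_probability(q: Dict[str, float], top: Callable[[Dict[str, bool]], bool]) -> float:
    """Exact top-event probability for independent basic events by enumerating
    all 2^n states. Fine for a handful of events; production PSA codes work
    from minimal cut sets with rare-event or min-cut-upper-bound approximations."""
    names = list(q)
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = dict(zip(names, states))
        if top(failed):
            p = 1.0
            for name in names:
                p *= q[name] if failed[name] else 1.0 - q[name]
            total += p
    return total


def cdf(q: Dict[str, float], top, ie_freq: float) -> float:
    return ie_freq * top_probability(q, top)


def importance(q: Dict[str, float], top, ie_freq: float, comp: str) -> Tuple[float, float, float]:
    """Return (FV, RAW, CCDF) for one component: re-quantify with Q_i = 0 and Q_i = 1."""
    base = cdf(q, top, ie_freq)
    perfect = cdf({**q, comp: 0.0}, top, ie_freq)
    failed = cdf({**q, comp: 1.0}, top, ie_freq)
    return (base - perfect) / base, failed / base, failed


def is_risk_significant(fv: float, raw: float) -> bool:
    return fv >= FV_LIMIT or raw >= RAW_LIMIT


def risk_significant_components(q: Dict[str, float], top, ie_freq: float) -> List[str]:
    """The list ENSI-A06 requires: components meeting the FV/RAW criterion."""
    return sorted(c for c in q if is_risk_significant(*importance(q, top, ie_freq, c)[:2]))


def iccdp(ccdf: float, base_cdf: float, outage_hours: float) -> float:
    """Incremental conditional core damage probability of one outage."""
    return (ccdf - base_cdf) * outage_hours / 8760.0


def maintenance_check(q, top, ie_freq, comp: str, outage_hours: float) -> Dict[str, object]:
    """Evaluate a single planned outage against the CCDF and ICumCDP limits
    (the ICumCDP limit applies to the year's total; one outage must stay under it)."""
    base = cdf(q, top, ie_freq)
    _, _, ccdf = importance(q, top, ie_freq, comp)
    delta = iccdp(ccdf, base, outage_hours)
    return {"ccdf": ccdf, "iccdp": delta,
            "ccdf_ok": ccdf < CCDF_LIMIT, "iccdp_ok": delta < ICUMCDP_LIMIT}


if __name__ == "__main__":
    base = cdf(UNAVAIL, top_event, IE_FREQ)
    print(f"baseline CDF = {base:.3e} /yr")
    for comp in UNAVAIL:
        fv, raw, ccdf = importance(UNAVAIL, top_event, IE_FREQ, comp)
        print(f"{comp}: FV={fv:.2e} RAW={raw:7.2f} CCDF={ccdf:.2e} "
              f"significant={is_risk_significant(fv, raw)}")
    print("risk-significant list:", risk_significant_components(UNAVAIL, top_event, IE_FREQ))
    print("pump A out 72 h :", maintenance_check(UNAVAIL, top_event, IE_FREQ, "A", 72))
    print("valve V out 24 h:", maintenance_check(UNAVAIL, top_event, IE_FREQ, "V", 24))
```

In this constructed system the single valve dominates: FV ≈ 1 and RAW ≈ 1000, so it goes on the list, and taking it out of service even for 24 hours exceeds both the CCDF_i and the ICumCDP limits, which is the kind of configuration a Technical Specification evaluation would forbid at full power. Each pump in the triply redundant trains has FV ≈ 1.2·10^-4 and RAW ≈ 1.02, so it is not risk-significant and a 72 hour outage of one pump contributes about 10^-9 to ICumCDP.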

Annual Evaluation of Operational Experience

The operational experience shall be evaluated with the PSA as follows.

The effects of PSA-relevant plant modifications carried out during the year shall be assessed.

The probabilistic safety indicators CCDF and ICumCDP shall be determined and assessed.

The trend of these safety indicators shall be assessed.

The contributions to ICumCDP shall be reported in terms of the four categories of maintenance, repair, test and reactor trip (see Figure 11).

The dominant contributions to ICumCDP shall be identified and evaluated for both events and susceptibility to component or system failure.


Figure 11: Risk profile of Leibstadt NPP in 2009

Probabilistic Rating of Reportable Events

Reportable events that affect PSA relevant structures, systems, components or operator actions shall be evaluated by means of PSA. The probabilistic rating of events shall be established in accordance to Table 2.

ICCDP_event                        INES level
ICCDP ≥ 1·10^-2                    3
1·10^-2 > ICCDP ≥ 1·10^-4          2
1·10^-4 > ICCDP ≥ 1·10^-6          1
1·10^-6 > ICCDP ≥ 1·10^-8          0

Table 2: INES Classification