IAEA Training Course on Safety Assessment of NPPs to Assist Decision Making

  • Slides: 17

PSA Fundamentals and Overview
Lecturer
Lesson IV 3_1
Workshop Information, Country, IAEA Workshop XX - City, XX Month, Year


PSA Overview
– PSA is intended to provide probabilistic estimates of the occurrence of undesired events in technical systems, such as a NPP, which cannot be obtained from past experience alone, or for which such estimates are not useful.
– Some undesired events in a NPP are:
  • Reactor core damage (level 1 PSA)
  • Large early release of radioactivity to the environment (level 2 PSA)
  • Fatalities and other consequences following a large radioactivity release (level 3 PSA)
  • Fuel element damage during fuel manipulation
– Not only numerical estimates are obtained. The results are also analysed to identify the important contributors to risk, plant vulnerabilities, etc.
– Typical probabilistic estimates are: core damage frequency, failure frequencies, failure probabilities, expected amount of radioactivity released, etc.


Type of Probabilistic Methods
– Boolean methods: each component, system, subsystem, etc., e.g. a valve, has two possible states:
  • The component works as new, i.e. it is capable of performing the required mission, or
  • The component is failed.
– Non-Boolean methods, such as Markov reliability models:
  • Allow the consideration of several component/system states
  • Allow more detailed calculation of certain issues that Boolean models cannot address with ease, but
  • Adequate data is lacking, and
  • They are only solvable for very small systems, with simplifications.


Boolean Reliability Models
– All standard PSAs for NPPs use Boolean reliability models. Other techniques have been used for analyses of very limited scope.
– Boolean models make use of Boolean algebra: the state of each component, subsystem, system or event is associated with a Boolean variable that takes the following values:
  • TRUE: the component or system has failed, or the event has occurred
  • FALSE: the component or system works, or the event has not occurred.
– The state of the whole system is related to the state of its components through the system "structure function", which is built up with Boolean operators.


Classification According to the Type of Analysis
– Deductive methods: an undesired event is postulated and related to the immediate causes leading to it. These in turn are analysed in the same way, until this recursive process establishes a relation between the undesired event and the failures of single components in the plant, such as pumps or valves. Fault tree analysis is a deductive modelling method. The question "how can this happen?" is asked throughout the process.
– Inductive methods: an event is postulated in the plant and its consequences are analysed depending on whether or not other events happen at the same time. Event tree analysis is an inductive modelling method. The question "what happens if?" is asked along the process.
– PSA combines both deductive and inductive methods.

Deductive Methods. Case Example
– Plant drawing: valves A and B deliver flow to point S. The structure function below implies that A and B are redundant, i.e. in parallel in the reliability block diagram: flow to S is lost only if both valves fail.
– Truth table of the structure function (1 = failed / TRUE, 0 = works / FALSE):
  A  B  S
  0  0  0
  0  1  0
  1  0  0
  1  1  1
– Fault tree: top event "Failure to deliver flow to point S" (AND gate), with basic events "Valve A fails to open" and "Valve B fails to open".
– System structure function: S = A · B
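The structure function and fault tree of the case example can be exercised in code. The block below is an added example written for this page, not code from the IAEA course: it evaluates the Boolean structure function for the two-valve case (reproducing the truth table), derives the minimal cut sets of a fault tree deductively by expanding AND/OR gates and applying Boolean absorption, and quantifies the top event both with the rare-event approximation and exactly by inclusion-exclusion. The extension of the tree with a shared power supply, the event names and all failure probabilities are constructed assumptions, not plant data.

```python
"""Boolean fault-tree evaluation: structure function, minimal cut sets, top-event probability.

Added example for this page (not code from the IAEA course). The extended tree,
event names and probabilities below are constructed assumptions.
"""
from functools import reduce
from itertools import combinations, product


class Gate:
    """An AND or OR gate; children are basic events (strings) or other gates."""

    def __init__(self, op, children):
        if op not in ("AND", "OR"):
            raise ValueError("gate must be AND or OR")
        self.op = op
        self.children = children


def structure_function(node, state):
    """Evaluate the Boolean structure function.

    state maps each basic event to True (failed / occurred) or False (works),
    following the TRUE = failed convention used in the course.
    """
    if isinstance(node, str):
        return state[node]
    values = [structure_function(child, state) for child in node.children]
    return all(values) if node.op == "AND" else any(values)


def minimise(cut_sets):
    """Boolean absorption (A + A*B = A): drop any cut set that contains another one."""
    minimal = []
    for cs in sorted(set(cut_sets), key=lambda s: (len(s), sorted(s))):
        if not any(kept <= cs for kept in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(node):
    """Deductive expansion: an OR gate unions its children's cut sets,
    an AND gate combines one cut set from each child."""
    if isinstance(node, str):
        return [frozenset([node])]
    child_sets = [minimal_cut_sets(child) for child in node.children]
    if node.op == "OR":
        expanded = [cs for sets in child_sets for cs in sets]
    else:
        expanded = [frozenset()]
        for sets in child_sets:
            expanded = [acc | cs for acc in expanded for cs in sets]
    return minimise(expanded)


def cut_set_prob(cut_set, prob):
    """Probability of a cut set, assuming independent basic events."""
    return reduce(lambda acc, event: acc * prob[event], cut_set, 1.0)


def top_event_rare(mcs, prob):
    """Rare-event approximation: sum of the minimal cut set probabilities (an upper bound)."""
    return sum(cut_set_prob(cs, prob) for cs in mcs)


def top_event_exact(mcs, prob):
    """Exact top-event probability by inclusion-exclusion over the minimal cut sets.
    Exponential in the number of cut sets, so only suitable for small trees."""
    total = 0.0
    for k in range(1, len(mcs) + 1):
        sign = 1.0 if k % 2 == 1 else -1.0
        for combo in combinations(mcs, k):
            total += sign * cut_set_prob(frozenset().union(*combo), prob)
    return total


def truth_table(node, events):
    """Enumerate the structure function over all states; 1 = failed, 0 = works."""
    rows = []
    for bits in product([0, 1], repeat=len(events)):
        state = {e: bool(b) for e, b in zip(events, bits)}
        rows.append(bits + (int(structure_function(node, state)),))
    return rows


# The course's case: flow to point S fails only if both valves fail to open.
VALVES = Gate("AND", ["valve A fails to open", "valve B fails to open"])

# Constructed extension (assumption): a shared power supply whose loss defeats both valves.
VALVES_WITH_POWER = Gate("OR", [VALVES, "power supply to valves fails"])

# Constructed failure probabilities (assumptions, not plant data).
PROB = {
    "valve A fails to open": 1e-2,
    "valve B fails to open": 1e-2,
    "power supply to valves fails": 1e-3,
}

if __name__ == "__main__":
    for row in truth_table(VALVES, VALVES.children):
        print(*row)
    mcs = minimal_cut_sets(VALVES_WITH_POWER)
    print("minimal cut sets:", [sorted(cs) for cs in mcs])
    print("rare-event:", top_event_rare(mcs, PROB), "exact:", top_event_exact(mcs, PROB))
```

The single-event cut set from the constructed power supply dominates the two-valve cut set by an order of magnitude, which is the kind of dependency the course's "higher level of detail to account for dependencies on other systems" rule is meant to expose; the absorption step is what keeps such a shared event from being double-counted when it also appears under the AND gate.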

Inductive Methods. Case Example
(Figure only; the slide carries no text.)


Model Boundaries
– External boundaries: many systems are not isolated from their surroundings. External model boundaries define where to stop the analysis, e.g. at the power supply. They are driven by limited resources and limited time.
– Internal boundaries: the level of detail of the analysis, related to the availability of reliability data for the basic events and to modelling limitations.


Model Boundaries (continued)
– Boundaries are defined depending on the purpose of the analysis, the limitations of the modelling method used, and the availability of data.
– Usual practices in a NPP PSA are:
  • External supplies are not modelled further.
  • Non-safety systems are either not credited, or not modelled in detail.
  • Safety systems are modelled down to the level of pumps, valves, chillers, breakers, instrumentation channels, etc.
  • A higher level of detail is reached where needed to account for dependencies on other systems, e.g. the circuitry of a valve is analysed to take into account the safety signals or interlocks commanding the valve.


Some Rules for Model Development
– Avoid shortcuts. Go step by step. Refer a failure to its immediate causes in fault tree system analyses. Follow the natural accident progression in accident sequence development. Follow the accident procedures. If necessary, let the computer codes rearrange the models internally to improve computational efficiency. Beware of subtle failures.
– Document the models. For instance, do not leave fault tree boxes without comments.
– Describe and support modelling assumptions.
– State clearly the model boundaries and system interfaces. State clearly the modelling needs of other analysts, such as success criteria, boundary conditions, etc. Define clearly the reliability data needs.
– If the normal behaviour of the plant or components, or their normal alignment, affects some model negatively, assume it will always occur ("no miracles" rule). Example: if a fire door, normally closed, contributes to damaging equipment by accumulating water in a flooding scenario, do not postulate that the fire door could be open.


Reliability Data
– Risk and reliability estimates for a NPP, such as:
  • Core damage frequency
  • Unavailability or failure probability of a system
  • Initiating event frequencies
  are obtained from the failure probabilities of the components or basic events included in the model. The basic events of the models are principally component failures or human failures.
– Component failure probabilities are mainly obtained from appropriate statistical data.
– Human failure probabilities are obtained from human reliability analysis models.


The Component's Behaviour in PSA Models: The Failure Rate
– The failure rate is the rate at which the survivors of a population are, at any given instant, "falling over the cliff".
– It is defined as the (instantaneous) rate of failure, during the next instant of time, of the components that have survived up to time t. With n(t) the number of survivors at time t:
  λ(t) = lim_{Δt→0} [n(t) − n(t+Δt)] / [n(t) · Δt]
– The failure rate is a "conditional failure frequency", since it is the rate of failures at time t among the components surviving until time t, not relative to the total number of components working at the beginning.
– The exponential distribution has a constant failure rate λ. This constant failure rate is the only parameter of the distribution, which is therefore the simplest distribution of lifetimes:
  F(t) = P(T ≤ t) = 1 − exp(−λ t),  f(t) = λ · exp(−λ t),  λ(t) = λ (constant)
– It implicitly assumes that the rate of failures does not depend on the point in time. So, when a component is tested and found OK, or fails and is repaired, it is considered as new from that time on.
– This model is very simple but very often misused. However, the use of other types of distribution introduces the need to estimate additional parameters, and can also make the models unsolvable for large systems.
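The constant-rate model above is small enough to check numerically. The block below is an added example for this page, not code from the IAEA course: it implements the failure-rate definition from survivor counts, the exponential failure probability F(t), the "as new after a successful test" (memoryless) property, the time-averaged unavailability of a periodically tested standby component that follows from that property, and the point estimate of λ from operating data. The rates, test interval, population size and failure counts are constructed assumptions.

```python
"""Constant failure rate (exponential) model as used for PSA basic events.

Added example for this page, not code from the IAEA course. Rates, times,
population sizes and failure counts below are constructed assumptions.
"""
import math


def failure_prob(rate, t):
    """F(t) = 1 - exp(-rate * t): probability that the component fails before time t."""
    return 1.0 - math.exp(-rate * t)


def survivors(n0, rate, t):
    """Expected survivors at time t from an initial population n0 under a constant rate."""
    return n0 * math.exp(-rate * t)


def hazard_from_counts(n_t, n_t_plus_dt, dt):
    """The course definition: failures among the survivors at t during the next dt,
    divided by the survivors at t and by dt. As dt -> 0 this tends to the failure rate."""
    return (n_t - n_t_plus_dt) / (n_t * dt)


def conditional_survival(rate, age, t):
    """P(T > age + t | T > age). For the exponential model this equals P(T > t), so a
    component tested OK (or repaired) at 'age' is treated as new: memorylessness."""
    return math.exp(-rate * (age + t)) / math.exp(-rate * age)


def mean_unavailability_tested(rate, test_interval):
    """Time-average unavailability of a standby component tested every test_interval
    and considered as new after each successful test:
    (1/T) * integral_0^T F(t) dt = 1 - (1 - exp(-rate*T)) / (rate*T), roughly rate*T/2."""
    x = rate * test_interval
    return 1.0 - (1.0 - math.exp(-x)) / x


def estimate_rate(failures, exposure_time):
    """Point estimate of a constant failure rate from operating data: failures per unit
    of cumulative exposure (the maximum-likelihood estimate for the exponential model)."""
    if exposure_time <= 0:
        raise ValueError("exposure time must be positive")
    return failures / exposure_time


if __name__ == "__main__":
    rate = 1e-5  # per hour (constructed assumption)
    print("F(1000 h) =", failure_prob(rate, 1000))
    n0 = 10_000.0  # constructed population
    print("hazard from counts:", hazard_from_counts(n0, survivors(n0, rate, 1.0), 1.0))
    print("memoryless:", conditional_survival(rate, 5000, 1000), "vs", math.exp(-rate * 1000))
    print("mean unavailability, test every 720 h:", mean_unavailability_tested(rate, 720))
    print("rate estimate, 3 failures in 1.5e6 h:", estimate_rate(3, 1.5e6))
```

The tested-component formula is where the "as new" assumption does real work in a PSA: it is what lets a standby pump or valve be represented by a single probability per demand even though its failure probability grows between tests. If the true rate is not constant (wear-out, or a repair that does not restore the component to new), that single number understates the unavailability late in the test interval.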


The Component's Behaviour in PSA Models: The Bathtub Curve
– A plot of the failure rate over time for most products yields a curve that looks like a drawing of a bathtub.
– The initial region, which begins at time zero when a customer first begins to use the product, is characterised by a high but rapidly decreasing failure rate. This region is known as the Early Failure Period (also referred to as the Infant Mortality Period).
– Next, the failure rate levels off and remains roughly constant for (hopefully) the majority of the useful life of the product. This long period of a level failure rate is known as the Stable Failure Period. We assume, believe it or not, that most of the components in a NPP spend most of their lifetimes operating in this flat portion of the bathtub curve.
– Finally, if components remain in use long enough, the failure rate begins to increase as materials wear out and degradation failures occur at an ever increasing rate. This is the Wear Out Failure Period.


PSA TASKS (1)
– Definition of initiating events: those events requiring the prompt actuation of the reactor protection system and the intervention of the safety systems to achieve a safe shutdown state are identified, and grouped according to the similarity of the plant response they require.
– Accident sequence development: the accident progression is analysed depending on the successful or unsuccessful actuation of the safety systems and the human actions needed to mitigate an initiating event. Success criteria are needed to define the conditions required for successful actuation of the safety systems.
– System analysis: the safety systems considered in the accident sequence development are analysed by developing fault tree models. The necessary support systems are analysed as well.


PSA TASKS (2)
– Reliability data analysis: failure rates or failure probabilities need to be obtained for component failures, initiating events and other special events postulated in the PSA models. A particularly important type of component failure is the common cause failure. Common cause failures are analysed separately, taking into account statistical data and plant design features, and using special models.
– Human reliability analysis: the human actions or human errors postulated in the accident sequence and system analyses are analysed to obtain probability estimates for them.
– Model quantification and interpretation of results: based on the basic event probabilities, the PSA models are quantified using suitable computer codes to obtain the core damage frequency of the plant. Results are analysed to identify important risk contributors and plant vulnerabilities, and to provide uncertainty bounds for the plant risk estimates.
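The inductive side of the quantification (accident sequence development, PSA tasks 1 and 2 above) can be shown on a small event tree. The block below is an added example for this page, not code from the IAEA course: it enumerates every branch of an event tree, applies success criteria to assign each sequence an end state, computes the core damage frequency as initiating event frequency times the summed conditional probability of the core-damage sequences, and then derives two standard importance measures (risk achievement worth and Fussell-Vesely) by requantifying with a heading set to always-failed or always-successful. The initiating event, the three headings, their success criteria and all probabilities are constructed assumptions; in a real PSA the heading failure probabilities come from the system fault trees.

```python
"""Event-tree quantification and importance measures.

Added example for this page, not code from the IAEA course. The initiating event,
headings, success criteria and probabilities are constructed assumptions.
"""
from itertools import product

# Constructed event tree: loss of main feedwater, headings questioned left to right.
HEADINGS = ("RPS", "AFW", "FB")  # reactor trip, auxiliary feedwater, feed-and-bleed

# Constructed failure probabilities per demand (assumptions, not plant data).
FAILURE_PROB = {"RPS": 1e-5, "AFW": 1e-3, "FB": 1e-2}

IE_FREQUENCY = 0.1  # initiating events per reactor-year (assumption)


def end_state(failed):
    """Success criteria for the constructed plant. Failure to trip is taken as core
    damage (CD); otherwise the core is cooled if either AFW or feed-and-bleed works."""
    if failed["RPS"]:
        return "CD"
    if failed["AFW"] and failed["FB"]:
        return "CD"
    return "OK"


def sequences(failure_prob, headings=HEADINGS, end_state_fn=end_state):
    """Enumerate every branch as (failed headings, conditional probability, end state).
    Branch probabilities multiply along a sequence and sum to 1 over all branches."""
    rows = []
    for bits in product([False, True], repeat=len(headings)):
        failed = dict(zip(headings, bits))
        p = 1.0
        for h in headings:
            p *= failure_prob[h] if failed[h] else 1.0 - failure_prob[h]
        rows.append((frozenset(h for h in headings if failed[h]), p, end_state_fn(failed)))
    return rows


def core_damage_frequency(failure_prob, ie_frequency=IE_FREQUENCY):
    """CDF = IE frequency x sum of the conditional probabilities of the CD sequences."""
    return ie_frequency * sum(p for _, p, state in sequences(failure_prob) if state == "CD")


def risk_achievement_worth(heading, failure_prob=FAILURE_PROB):
    """RAW: factor by which the CDF rises if the heading is assumed always failed.
    Flags the systems whose degradation would matter most."""
    worst = dict(failure_prob, **{heading: 1.0})
    return core_damage_frequency(worst) / core_damage_frequency(failure_prob)


def fussell_vesely(heading, failure_prob=FAILURE_PROB):
    """FV: fraction of the CDF that involves failure of the heading, i.e. the relative
    reduction in CDF if the heading were perfectly reliable."""
    perfect = dict(failure_prob, **{heading: 0.0})
    base = core_damage_frequency(failure_prob)
    return (base - core_damage_frequency(perfect)) / base


if __name__ == "__main__":
    for failed, p, state in sequences(FAILURE_PROB):
        print(sorted(failed) or ["all success"], f"{p:.3e}", state)
    print("CDF per reactor-year:", core_damage_frequency(FAILURE_PROB))
    for h in HEADINGS:
        print(f"{h}: RAW={risk_achievement_worth(h):.1f} FV={fussell_vesely(h):.3f}")
```

With the constructed numbers, the trip system has by far the largest RAW (its failure alone is core damage) even though its contribution to the base CDF is about half, while feed-and-bleed has a modest RAW because auxiliary feedwater backs it up; that is the distinction between "what would hurt most if it degraded" and "what contributes most today" that the course's interpretation-of-results task is about.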


PSA TASKS (3)
For the following subjects only a short overview will be provided, due to time constraints:
– Low power and shutdown PSA: the techniques are broadly similar to those of full power PSA. It is partially based on the full power models, taking into account the specific circumstances of each operating mode.
– Hazards analysis: specific methodologies are used. Important screening analyses are performed to screen out potential hazards or scenarios of low significance.
– Level 2 and level 3 PSA: accident sequences leading to core melt are grouped into similar plant damage states in order to analyse the accident progression phenomena and estimate the frequency of the different release categories. In the level 3 PSA the potential impact on the environment is assessed based on offsite accident management measures, the population distribution and the predominant meteorological conditions.


Other Relevant PSA Aspects
– PSA ORGANIZATION AND MANAGEMENT: proper measures are needed to set up a qualified team of experts. Procedures, task interfaces and responsibilities need to be established as a basis for good team work. The full support and involvement of the technical plant staff is essential.
– PSA VERIFICATION AND QUALITY ASSURANCE: an adequate programme of technical quality assurance, with the involvement of the utility and independent experts, is needed to ensure the adequacy of the PSA.
– IMPLEMENTATION OF A LIVING PSA PROGRAMME: after finishing the PSA, the utility has to provide the resources and the organisation for keeping the PSA updated and for developing PSA applications based on it.