
4. INPRO BASIC PRINCIPLE, USER REQUIREMENTS AND CRITERIA FOR

4.10. UR7: Necessary RD&D for advanced designs

4.10.5. Criterion CR7.5: Safety assessment

Indicator IN7.5: Adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and identification of uncertainties and sensitivities.

Acceptance limit AL7.5: Uncertainties and sensitivities are identified and appropriately dealt with, and the safety assessment is approved by a responsible regulatory authority.

The safety assessment is expected to be performed using a suitable combination of deterministic and probabilistic evaluations and documented in an appropriate format [72]. The analysis needs to cover all modes of operation of the installation to obtain a complete assessment of conformance with the DID concept. Deterministic safety assessment [52] uses a pre-defined set of accidents to define the design of the safety systems. Normally pessimistic assumptions on accident initiation and evolution, plant state, and plant response are applied. Probabilistic safety assessment (PSA) [73, 74] calculates the frequency and consequences of all accidents down to very low probability of occurrence. Best estimate analyses are commonly used in PSA because a realistic response to an initiating event is needed to estimate the risk and to determine the margins in predicted plant behaviour between a conservative deterministic safety assessment and a best estimate result.

A deterministic safety assessment needs a sound data base and incorporates some conservatism (margins) by using pessimistic assumptions to cover uncertainties in input data such as model parameters and plant state. The value of a PSA depends also very much on the availability of well-based data on, primarily, the reliability of components. Because all data (including experimental data) are somewhat uncertain, PSA normally includes uncertainty analyses.

It is commonly accepted that PSA provides a broader and deeper understanding of safety and risk relevant issues than deterministic methods alone (see above); therefore, PSA is increasingly used for optimization of the various levels of DID, and the optimal allocation of available resources.

The extent to which each method is used needs to be consistent with the confidence in the method for the particular application in terms of reliability data, failure modes and physical phenomena. In some innovative systems, the application of probabilistic methods could be more restricted in comparison with those accepted for operating reactor types, as a consequence of changes in technology and the resulting limited availability of data.

The degree of conservatism in a deterministic safety assessment is commensurate with the uncertainties in the technology evaluated; thus, when the important phenomena are well known and the codes are validated, a realistic hypothesis (best estimate) could be considered in the assessment. A best estimate assessment needs to be accompanied by a consideration of the uncertainties of experimental data used for the code models, and uncertainties of the plant status. Where the technology itself is uncertain, a more traditional approach is normally taken: for example, when liquid metals other than those used today are foreseen in a reactor, the currently available codes are not sufficiently developed to simulate all phenomena. Until these tools are available and proven accurate enough, additional or extended safety margins and conservatism are expected to be implemented in the simulations of plant behaviour.

In addition to the assessment of the vulnerability of a nuclear reactor to severe accidents and accidental releases, a probabilistic safety assessment is used starting at the design stage to:

• Determine more realistic loads and conditions for mitigation systems, including containment;

• Assess the balance of the design and possible weakness;

• Integrate human factors into the safety assessment;

• Identify safety margins;

• Help to define operational safety requirements;

• Identify sensitivities and uncertainties.

In principle, a PSA is expected to investigate all possible accident scenarios. Practically, all scenarios involve phenomena associated with some uncertainty; therefore, there exists a fundamental uncertainty in the results of these analyses. A thorough uncertainty analysis can identify areas that need further investigation. Furthermore, if the PSA generates ‘point’ estimates, an uncertainty analysis may contribute to the credibility of these results.

Sensitivity studies – determining the difference in results using a defined value of a variable and a given deviation from that reference value – are a tool to define the required accuracy (or allowable uncertainty) of a variable.

Typically, three classes of uncertainties are identified:

• Parameter (data) uncertainty, like initiating event frequencies, component failure rates, human error probabilities, etc. The uncertainties are propagated through the assessment steps to generate a probability distribution of the end result.

• Model uncertainty associated with phenomenological models of the physical-chemical processes and related assumptions. They are treated similarly to the parameter uncertainties.

• Completeness uncertainties reflect limitations of the scope or truncation effects. In principle, such uncertainties cannot be quantified within a given PSA scope, but by performing additional analyses of excluded events their significance can be evaluated.

In case a required accuracy has not been achieved, either additional experiments have to be performed or design provisions have to be implemented to cope with these uncertainties.
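The propagation of parameter uncertainty and the sensitivity study described above can be illustrated with the following added Python example, which is not part of the source document. The accident sequence (an initiating event, two redundant mitigation trains with a common cause failure term, and an operator action), all numerical values, and the use of lognormal distributions defined by a median and an error factor are assumptions constructed for the illustration.

```python
import math
import random

# Constructed, illustrative inputs (not from the source document):
# name -> (median, error factor EF = 95th percentile / median).
PARAMS = {
    "f_ie":  (1e-2, 3.0),   # initiating event frequency, per year
    "p_a":   (1e-2, 3.0),   # train A fails on demand
    "p_b":   (1e-2, 3.0),   # train B fails on demand
    "p_ccf": (1e-4, 10.0),  # common cause failure of both trains
    "p_h":   (1e-1, 5.0),   # operator fails to start manual backup
}

def sequence_frequency(v):
    """Frequency (per year) of: initiator AND both trains lost AND operator fails."""
    p_sys = 1.0 - (1.0 - v["p_a"] * v["p_b"]) * (1.0 - v["p_ccf"])
    return v["f_ie"] * p_sys * v["p_h"]

def sample(rng):
    """Draw one parameter set from the assumed lognormal distributions."""
    out = {}
    for name, (median, ef) in PARAMS.items():
        sigma = math.log(ef) / 1.645  # 1.645 = z-score of the 95th percentile
        x = rng.lognormvariate(math.log(median), sigma)
        out[name] = x if name == "f_ie" else min(x, 1.0)  # probabilities <= 1
    return out

def propagate(n=20000, seed=1):
    """Parameter uncertainty -> distribution of the end result (Monte Carlo)."""
    rng = random.Random(seed)
    res = sorted(sequence_frequency(sample(rng)) for _ in range(n))
    pct = lambda q: res[int(q * (n - 1))]
    return {"p05": pct(0.05), "p50": pct(0.50), "p95": pct(0.95), "mean": sum(res) / n}

def sensitivity():
    """One-at-a-time study: move each parameter from its median to median * EF."""
    ref = {k: m for k, (m, _) in PARAMS.items()}
    base = sequence_frequency(ref)
    return {k: sequence_frequency({**ref, k: m * ef}) / base
            for k, (m, ef) in PARAMS.items()}

if __name__ == "__main__":
    print("point estimate:", sequence_frequency({k: m for k, (m, _) in PARAMS.items()}))
    print("distribution:  ", propagate())
    print("sensitivity:   ", sensitivity())
```

In this constructed model the mean of the distribution lies above the median, and the common cause term has the largest one-at-a-time effect on the result, so it is the variable whose allowable uncertainty would be examined first.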

Detailed consideration of uncertainties in reliability data of components and human performance involves human factor related data appropriate for a given organisation and/or country.

Safety assessment has to cover all relevant operating stages of the nuclear reactor and its operating phases. In addition to AOOs and accidents which may influence the nuclear fuel in the reactor core, the safety assessment also has to cover potential AOOs and accidents in the near-reactor handling and storage of fresh fuel and spent fuel.

For assessing the adequate performance of NPP safety analyses, there exist a number of IAEA publications, e.g. Refs [75, 76]. The safety assessment should be periodically re-examined and updated [77].

‘Risk informed decision making’ [78–83] includes design criteria that implicitly involve probabilistic considerations and that are complemented by explicit probabilistic arguments for clarifying design objectives. Weaknesses and vulnerabilities of a design can be identified and judged against design objectives. Various options available for improving safety can be quantitatively assessed and compared also with respect to cost effectiveness. Decisions concerning reliable assurance of safe operation and control of risk can be based on such additional justification.

In Ref. [78] various publications, national positions and examples of such options for several reactor designs are provided, e.g. the implementation of strategies for fission product retention in a faulted non-isolated steam generator, modifications and backfits to PWR and BWR containments, provisions against LOCA outside BWR containments, protection of suction strainers against clogging, etc. The listed examples demonstrate substantial use of PSA in safety relevant decisions by regulators and licensees.

It is, however, evident that, due to the non-availability of experience-based data on the behaviour of innovative designs, a risk-informed approach is more appropriate for operating (or evolutionary) reactor designs with well recorded operational behaviour than for innovative designs.

The acceptance limit AL7.5 (adequate safety assessment covering uncertainties and sensitivities) is met if evidence available to the INPRO assessor shows that an adequate safety assessment involving a suitable combination of deterministic and probabilistic methods, and a thorough analysis of uncertainties including complementary sensitivity studies has been performed for the facility assessed and was accepted by the responsible regulatory authority in the country of origin.