Review of methods and assumptions

The reviewers usually determine the standard of the PSA that the regulatory body would expect the utility to carry out. This would be expected to be a state of the art analysis which conforms with the best modern practices in PSA using meth-ods that have been proven to bring about reasonable improvements over previously existing methods.

It is recognized that PSA methods are evolving. However, it is important that both the regulatory body and the utility determine what the state of the art is in PSA and this needs to be agreed between both parties. A review of the state of the art was carried out by CSNI. This is presented in Ref. [18] for Level 1 PSA.

2.4.2. Level of detail

The reviewers need to determine whether the level of detail of the PSA is suf-ficient to include all significant interdependences. These can arise due to support sys-tems such as electric power syssys-tems and cooling water syssys-tems, which all need to be modelled explicitly in the analysis.

The reviewers need to determine whether the level of detail of the PSA is suf-ficient for the intended applications. For example, if the PSA is to be used to control equipment outages during maintenance, the PSA is expected not to have any asym-metries (e.g. the model incorporates initiating events in each of the loops of the plant rather than lumping them together as a representative initiating event in one of the loops) and to model basic events which represent the individual components which might be removed from service during maintenance. If such applications are not def-initely planned but are a possibility for the future, the PSA needs to be structured so that it can be readily adapted to their inclusion.

It is recognized that the level of detail of the systems analysis has a significant influence on the cost of the PSA as well as on the credibility of the results. Significant dependences may be missed if the level of detail is not enough to uncover them. It is good practice to reach a level that provides assurance that all significant dependences are included in the model.

For example, plant specific calculations of severe accident behaviour are essen-tial to an analysis performed for the purposes of measuring reductions in risk associ-ated with proposed accident management measures; extensive use of ‘reference plant’

results is inappropriate for such an application.

Interdependences can arise in a number of ways, including:

(a) Support systems such as electric power systems and cooling water systems.

Although they will have been included in the Level 1 PSA/plant damage states, their status is important in determining how the accident sequences progress after core melt has occurred.

(b) Phenomena which are addressed in different time framesin the model of how the accident progresses. For example, the likelihood of a hydrogen burn occur-ring in one time frame will depend on the safety systems that have operated and whether a burn has occurred in an earlier time frame.

(c) Human actionswhich have been addressed in one time frame and may arise again in a later time frame.

The reviewers need to determine the level of detail that the regulatory body would expect to see in the PSA and confirm with the utility that this is what is intended before the PSA is started.

2.4.3. Methods of analysis

The reviewers need to determine whether the methods used for the analysis are adequate to meet the aims and objectives of the PSA. More detailed guidance is given in the later sections of this report on the various aspects of PSA.

The reviewers will ideally identify the state of the art methods and tools for each task, and then make a comparison with the ones used in the PSA. At this stage, the reviewers do not need to check that the methods and tools have been correctly applied. Whenever a method or tool different from the state of the art is identified, this matter is to be raised immediately with the utility as a significant area of concern.

Where screening methods have been used in the analysis or cut-offs applied to the event sequences/cut sets, the reviewers need to check that this does not lead to sig-nificant underestimation of the risk or to invalidation of the PSA for one of its uses.

For a Level 2 PSA, this would include:

• The codes used to model the progression of the severe accident,

• The framework (usually an event tree analysis) for the modelling of severe accident sequences,

• The probabilistic quantification of the event sequences.

The reviewers need to identify what methods and tools are used (or proposed for use) for each of the PSA tasks, ensure that the ones to be used are consistent with the state of the art and check that these methods and tools have been correctly applied.

2.4.4. Sources of data

Data are required in the PSA for initiating event frequencies, component fail-ure probabilities, component unavailability during periods of test or maintenance, common cause failure probabilities and human error probabilities.

The reviewers need to confirm that all the sources of data have been identified and are relevant. The aim is to ensure that plant specific data are used whenever pos-sible. Where this is not possible, use of data from the operation of the same type of reactor system or of generic data is acceptable. Where no relevant operating data are available and judgement has been used to assign the initiating fault frequency, the basis for this judgement is to be stated and shown to be valid, as far as possible.

It is necessary for the reviewers to determine whether the data used in the PSA are acceptable. The preference is for best estimate data which are appropriate for the

purposes of the PSA and cover all the causes of failure which could occur, with the uncertainties identified.

For Level 2 PSA, the accident progression analysis is usually carried out in an event tree framework referred to as CETs or APETs. These event trees delineate the various ways in which an accident sequence can proceed after the onset of core damage.

Quantification of the event trees is accomplished by assigning conditional probabilities to each of the branches that emerge from event nodes in the trees.

Although the conditional probabilities for some of these branches can be quan-tified through the use of statistical data, for example, those involving containment system operation or operator actions, many branches represent alternative outcomes of events that are governed by severe accident phenomena about which there is a sig-nificant degree of uncertainty. This uncertainty means that the physically correct out-come of an event is not known. Conditional probabilities are associated with such events to weight the outcomes according to the strength of the evidence suggesting one outcome versus another. These conditional probabilities are usually generated through a more or less formal expert judgement process.

The reviewers need to be satisfied that the framework for making these expert judgements is sound and is applied consistently throughout the analysis, and that the technical information used to make such judgements is stated and shown to be valid, as far as possible. They need to take account of plant specific accident progression analysis that has been carried out, adaptation of analysis for similar plants and appli-cable research data.

2.4.5. Use of best estimate methods, assumptions and data

The reviewers need to check that best estimate methods, assumptions and data have been used in the PSA wherever possible. This is a particular requirement for Level 2 PSA where conservative assumptions will lead to a model of the accident sequence progression which is not realistic, and hence may provide limited or mis-leading insights into where the weaknesses might be in the design and operation of the plant and which accident management measures would be useful in reducing the risk.

However, it is recognized that best estimates are generally more difficult and time consuming to derive and lead to a PSA of greater complexity than a conserva-tive approach. Also, many analysts contributing to the PSA will tend to err on the con-servative side as a matter of prudence, this being a principle of design basis analysis.

Thus any PSA will be expected to contain many aspects which are conservative to a greater or lesser degree. If the only objective of the PSA is to show that the core dam-age frequency is less than a specified criterion, conservatism would be acceptable.

For nearly all other objectives, however, substantial use of the conservative approach

will distort the estimates of the relative contributions to risk from, for example, components, systems and events, and thus frustrate the objective.

With the aim of best estimates throughout the PSA, it is important to check that the conservatism present is not so great that it leads to an unacceptable bias and distortion in the results of the PSA. This will largely be a matter of judgement on the part the reviewers. It is usually straightforward to obtain best estimates of all the numerical data used in the PSA.

Where an uncertainty analysis is not part of the PSA, i.e. where the PSA is based on point values alone, all the values and assumptions input need to represent best estimates of the mean values and not, for example, of the median values, which can be very non-conservative with respect to the mean. Where an uncertainty analy-sis is performed, the values characterizing the input distributions, for example median values and percentiles, should be best estimates of those values.

There are several areas of a PSA, for example, human reliability analysis, exter-nal events and common cause failures, where performing a detailed best estimate analysis of each case could be impossibly time consuming. The technique of screen-ing is then used to select the dominant cases for detailed analysis, leavscreen-ing the remain-der with their conservative screening values in place. This deliberate introduction of conservatism into the PSA may be regarded as acceptable provided that the review-ers can be satisfied that the degree of conservatism is not so great as to throw serious doubt on the results. The importance factors calculated in the PSA can be helpful in reaching a view on this. In cases of doubt, the conservative screening values can be replaced in the PSA by best estimate values, even though these may have to be assigned by judgement rather than by further analysis.

The reviewers should note that the effect of including conservatism in the Level 2 PSA may be significantly different from that in the Level 1 PSA. In the Level 1 PSA, the use of conservative safety systems success criteria, initiating event frequen-cies or component failure data would lead to an overestimate of the core damage fre-quency. However, in the Level 2 PSA, a conservative assumption in the modelling of one of the phenomena, which would occur during the severe accident, may not be conservative with respect to other phenomena.

Hence, it is important that the reviewers should check that any conservatism inclu-ded in the analysis would not lead to an unacceptable bias and distortion in the results of the PSA. This will be largely a matter of judgement on the part of the reviewers.

Where an uncertainty analysis is performed, the values characterizing the input distributions always need to be realistically estimated.

2.4.6. Validation and verification of computer codes

The computer codes used in the PSA need to be validated and verified. In this context, validation is defined as demonstrating theoretically that the calculational

methods used in the computer code are fit for their purpose and verificationis defined as ensuring that the controlling physical and mathematical equations have been cor-rectly translated into computer code.

The computer codes required for a Level 2 PSA include the codes which model the severe accident phenomenology, including the codes which model individual phe-nomena as well as the integrated codes and the probabilistic codes for quantifying the event trees used to model the development of a severe accident — see Section 4.

The reviewers need to check that the analysts have used the codes within their limits of applicability. In addition, they need to confirm that the predictions of the codes are consistent with the analyses carried out for similar plants and experimental information. Where integrated codes are used, their predictions should be compared with those obtained using separate effects codes.

It is necessary for the reviewers to determine whether the codes which have been selected by the PSA team are fit for their purpose and whether the users of the codes are experienced in their use and fully understand their limitations. It is advis-able that the regulatory body and the utility reach an agreement on the set of codes to be used.

2.5. REVIEW/AUDIT OF THE UTILITY’S PSA PRODUCTION PROCESS