PROBABILISTIC SAFETY ASSESSMENT:
AN ANALYTICAL TOOL FOR ASSESSING NUCLEAR SAFETY

The objectives of nuclear safety

In constructing a facility as complex as a nuclear power plant, engineers must comply with a number of stringent regulations aimed at limiting the risks inherent in this type of installation, primarily the possible release of radioactivity. These regulations are applied throughout the lifetime of the facility, i.e. from the design and construction stages to the operating phases and final decommissioning. They embody the principal concern of all those involved with the plant, from construction engineers to operators or regulators: nuclear safety.

Nuclear safety has three objectives, namely to:

• ensure that nuclear facilities operate normally and without an excessive risk of operating staff and the environment being exposed to radiation from the radioactive materials contained in the facility;
• prevent incidents and;
• limit the consequences of any incidents that might occur.

Pursuing these objectives enables those concerned to achieve the overall goal of nuclear safety, namely to protect man and his environment by limiting the release, under any circumstances, of the radioactive materials that the facility contains; in other words, ensuring the containment of radioactive materials.

The basic principles of nuclear safety

Nuclear safety management uses two basic strategies to prevent releases of radioactive materials, notably in the event of an incident:

• the provision of leaktight "barriers" (see Figure 1) between the radioactive source and the public. These barriers, of which there are generally three, consist of: the fuel cladding, the primary reactor coolant system, and the containment building (reactors of the type built at Chernobyl are not equipped with a third containment barrier of this kind);
• the concept of defence-in-depth (see Figure 2), which applies to both the design and the operation of the facility and which may be briefly summed up as follows: despite the fact that measures are taken to avoid accidents, it is assumed that accidents may still occur, and systems are therefore designed and installed to combat them and to ensure that their consequences are limited to a level that is acceptable for both the public and the environment.

Figure 1. Maintaining containment by means of three successive barriers

Figure 2. The concept of defence-in-depth

The deterministic approach

This analytical procedure has been widely used throughout the world in the design of nuclear reactors for the purpose of generating electricity. It attempts to ensure that the various situations, and in particular accidents, that are considered to be plausible, have been taken into account, and that the monitoring systems and engineered safety and safeguard systems will be capable of ensuring the containment of radioactive materials.

The deterministic approach is based on the two principles referred to earlier: leaktight barriers and the concept of defence-in-depth. Defence-in-depth consists of taking into account potential equipment failures and human errors, so that suitable preventive measures may be applied, and of making provisions for the installation of successive devices to counter such failures and limit their consequences. It consists of several successive stages (or levels), hence the term "defence-in-depth":

• Prevention and surveillance: all necessary measures are taken to ensure that the plant is safe; items of equipment are designed with adequate safety margins and constructed in such a way that under normal operating conditions the risk of an accident occurring in the plant is kept to a minimum;
• Protection: it is assumed that operating incidents may occur; provisions are made to detect such incidents and to prevent them from escalating. This is achieved by designing safety systems that will restore the plant to a normal state and maintain it under safe conditions.
• Safeguard: it is assumed that severe accidents might occur that could have serious consequences for the public and the environment. Special safety systems are therefore designed to limit the consequences to an acceptable level.

Some countries make provision for a fourth level of safety consisting of what are known as ultimate measures, designed to provide protection against severe conditions under which defences at the three levels described above prove inadequate.

The concept of risk

Nuclear facilities are designed so that the risks associated with their operation are within acceptable limits for both the public and the environment. There is no precise definition, however, of what constitutes an "acceptable risk"; it is basically a subjective notion. In its simplest form, risk denotes the level of uncertainty associated with an individual's given action. The acceptance of risk is generally governed by the degree to which it is considered to be relatively improbable and of limited consequence.

In a nuclear facility, as in any industrial plant, risk assessment distinguishes between the potential hazards that might be encountered in the absence of any protective measures, and the residual risks that will still remain despite the measures taken. The problem lies in assessing the latter, since there is no way of ensuring that they have been completely eliminated.

The concept of event probability and its associated consequences was rapidly incorporated into safety analysis procedures, by taking account of the fact that the probability of an accident must be inversely proportional to the severity of the potential consequences for the public and the environment. This approach may be represented schematically in a probability/consequence diagram (known as a "Farmer curve"), which sets out acceptable and prohibited domains (Figure 3).

Figure 3. Probability consequence diagram

Risk assessment

The question that the analyst asks himself when performing a risk assessment is which accident conditions should he take into consideration and to what level of probability should he pursue his analysis. As the use of probabilistic risk analysis became more widespread, the safety authorities asked design engineers to introduce appropriate measures whenever such analyses indicated that the probability of an event occurring that might potentially have unacceptable consequences for the public and the environment was sufficiently high.

Thus for example, some safety authorities stipulated that the overall probability that a nuclear reactor would be the source of an accident with unacceptable consequences must remain less than 10-6 a year. But what does this figure actually mean? It means that the theoretical probability of an event occurring amounts to once in a million years, which is equivalent to the chances of winning a lottery in which there are 1 million tickets.

The deterministic approach to the design of nuclear reactors was rapidly supplemented by the development of probabilistic studies, referred to more commonly as PSAs.

Historically, these assessments were originally developed in order to calculate the probability of external events such as an aircraft falling onto a given target. PSA techniques were subsequently used to develop scenarios for hypothetical accidents that might result in severe core damage, and to estimate the frequency of such accidents. The first study of this kind carried out in the United States was published in 1975 (Rasmussen report) and provided the first assessment of the potential risk of core damage for two power reactors.

The accident in 1979 at the Three Mile Island plant generated renewed interest in this type of study. One of the recommendations made after the accident was that probabilistic analysis techniques should be used to supplement conventional safety assessment procedures for nuclear power plants, and that probabilistic objectives should be developed in order to facilitate the determination of acceptable safety levels for nuclear facilities.

A large number of generic and plant-specific PSA studies (over one hundred to date) have been carried out or are currently in progress in those OECD countries currently operating nuclear plants. These studies are of interest not only in determining the absolute value of the risk of damage to the reactor core, but also for the information they can provide about the various components of this risk and their relative weighting.

Lastly, the accident at Chernobyl in 1986 revealed the potential consequences of failure to manage nuclear power plant safety, and lent greater urgency to the need to develop PSA applications in the areas of safety management and accident prevention.

What is the purpose of a PSA?

PSAs can be used to calculate the probability of damage to the core as a result of sequences of accidents identified by the study.

With the development of this type of analyses, PSAs can now also be used to assess the size of radioactive releases from the reactor building in the event of an accident, as well as the impact of such releases on the public and the environment. These studies are referred to as level 2 and level 3 PSAs respectively (level 1 corresponding to the assessment of the risk of a core damage). Level 2 analyses have been performed, or are planned, in most NEA countries in view of their importance in determining accident management strategies and identifying potential design weaknesses in reactor containment buildings. Level 3 analyses are used for emergency planning.

The results of these analyses can therefore identify not only the weaknesses but also the strengths with regard to the plant's safety, and thus assist in setting priorities and focusing efforts on the points identified as the most sensitive in terms of the contribution they can make to improving the safety of facilities. Indeed, it is this type of assessment that is most commonly carried out, given that its use as an "analytical tool" was rapidly recognised as its most important aspect.

What does a PSA contain?

A PSA is an analysis that is used during both the design and the operating stages of a nuclear plant to identify and to analyse every possible situation and sequence of events that might result in severe core damage.

A typical PSA involves:

• acquiring an in-depth understanding of the facility and collecting a large volume of related information;
• identifying initiating events and states of plant damage;
• modelling the main systems within the plant using event and fault trees;
• assessment of the relationships between events and human actions and;
• development of a database on the reliability of a specific plant's systems and components.

A PSA generally comprises:

• An initial section known as a probabilistic assessment of initiating events, which is aimed at identifying and estimating the frequencies of initiating events that might lead to severe core damage, or even meltdown, as a result of either a safety system failure or human error.
• The second part of the analysis assesses the reliability of systems designed to meet safety requirements. This assessment consists in the identification, for each system and function reviewed, of failures that might result in the loss of the system's function. The probability of each type of failure occurring is then calculated and the failures can be ranked by decreasing order of probability. Potential weaknesses in the facility may thus be revealed. This part of the assessment is particularly important because its results will largely depend on the reliability of the data used in calculations. Reliability values must be based on data which are representative of plant operating experience and thus on the incidents and events observed in the systems concerned;
• The third part of the analysis is aimed at identifying and assessing sequences of events that might lead to a severe accident, i.e. damage to the core resulting in core melt. For this, analysts generally use the event-tree method (see Figure 4), which consists in identifying accident sequences from individual initiating events and then postulating the failure of the safety systems triggered by the event in question. The safety system failures postulated are those identified and calculated in the previous stage of the assessment. This underlines the importance of collecting reliable data, as noted above.

Figure 4. Event tree example

THE LIMITATIONS OF PSAs

Just as the deterministic approach has its limitations, so too does probabilistic assessments. These are due to the fact that the results of a PSA invariably contain uncertainties arising from three main sources:

• uncertainties due to a lack of comprehensive data regarding the area under consideration. It is impossible to demonstrate the exhaustiveness of a PSA, even when the scope of the analysis has been extended to as large a number of situations as possible --notably in terms of various reactor operating states and potential initiating events.
• uncertainties regarding data. Such uncertainties concern the reliability data for plant components, the frequency of initiating events, common-mode failures and failures resulting from human actions. The main uncertainties are those relating to the frequency of rare initiating events (for example, the combination of a steam piping break and a steam-generator tube break), as well as data relating to human factors.
• uncertainties associated with modelling assumptions that cannot easily be quantified, such as the resistance of certain components under accident conditions, poorly understood physical phenomena or human actions.

In view of these uncertainties, the assumptions on which PSAs are based are designed to ensure sufficient safety margins. It is worth noting that the uncertainties are not intrinsic to PSAs, but may generally be attributed to lack of detailed knowledge. Indeed, one of the benefits of conducting PSAs is that they can identify areas about which we need to learn more.

Despite these uncertainties, the assessment of both the strengths and the weaknesses of the safety features can clearly suggest ways of improving both the design and operation of nuclear facilities. Probabilistic safety analysis has thus become an important supplement to deterministic analysis in checking the safety level of a facility and improving it by identifying design weaknesses. In addition to assessing the safety of a plant at a given point in its lifetime, such applications have also demonstrated the usefulness of PSAs in other areas and a certain number of programmes are already being developed which hint at future applications.

THE FUTURE OF PSAs

The development of probabilistic analysis has resulted not only in an increase in the number of assessments carried out, but also and more importantly in expansion of their scope of application. A study published in 1989 by the OECD Nuclear Energy Agency entitled Probabilistic Safety Assessment in Nuclear Power Plant Management demonstrated the benefits afforded by PSA in the management of safety in nuclear power plants. The conclusions set out in the study were based in particular on the example of one utility that considered the use of PSA to be an integral part of the daily activities of its organisation. The experts who drafted this report considered that the use of PSA as an instrument of safety management in nuclear power plants offers immediate benefits to those who implement PSA techniques in the design and operation of their plants, and for all those endeavouring to enhance the safety of nuclear power plants. According to the authors, the implementation of PSA will reduce the frequencies of severe incidents and accidents and will thus be of benefit to the nuclear industry as a whole.

A new report published by the Nuclear Energy Agency and entitled Living Probabilistic Safety Assessment for Nuclear Power Plant Management describes recent developments in the use of PSA. Recent applications of PSA techniques have demonstrated their unique ability to assess alternative configurations or engineering modifications that could be made to existing facilities. It has thus become apparent that PSA techniques could be successfully used in the assessment and management of safety-related operations and of the engineering modifications routinely made to nuclear power plant systems. In order to keep track of such modifications, however, they have to be incorporated in a procedure for regularly updating the PSA model in order to ensure that the latter accurately reflects the current configuration of the facility.

This process constitutes the "living" PSA programme, whose basic element is a well-structured, well-documented, reviewed, highly detailed and specific study of the plant. To ensure that this study remains "living", it is periodically updated to reflect all relevant plant changes, thereby monitoring the safety level of the plant over time.

While a PSA provides a safety profile of a plant at a given time, a "living" PSA programme monitors and influences changes in this safety profile as a function of time. This ability to monitor the impact of design and procedural changes on the safety profile of the plant, and to influence changes that improve safety, makes a "living" PSA programme a powerful tool with which to support decisions that affect plant safety and to foster understanding between the utility and the safety authorities.

CONCLUSION

After a period of cautiousness, the performance of PSAs has started to become more widespread and many applications are pending or have already been developed. Further development, however, will require a better understanding of the current limitations of PSA techniques notably the significant uncertainties that still remain. Countries that are actively implementing PSAs are currently endeavouring to reduce these uncertainties by improving their models and the reliability of their input data. These limitations should not necessarily curb the use of PSAs, provided that adequate allowance is made for them in the safety assessment.

If PSAs continue to be used by operators, constructors and safety authorities to assess the design of their installations, then we can safely predict that their use as an instrument of plant management will increase substantially for the daily management of nuclear power plants under both normal and accident conditions. It is in this respect that PSAs meet the overall objective of nuclear safety and thereby constitute an indispensable tool for assessment and dialogue between the various actors responsible for the safety of nuclear installations.

REFERENCES  

1. NEA (1991), Living Probabilistic Safety Assessment for Nuclear Power Plant Management, Report by a Group of Experts, OECD, Paris.
2. NEA (1989), Probabilistic Safety Assessment in Nuclear Power Plant Management, Report by a Group of Experts, OECD, Paris.
3. J. BRISBOIS & J.M. LANORE (CEA/IPSN), A. VILLEMEUR (EDF/DER), J.P. BERGER (EDF/DE), J.M. de GUIO (EDF/DPT), Les etudes probabilistes de surete des centrales nucleaires francaises de 900 et 1300 MWe (Probabilistic Safety Assessments of French 900 and 1300 MWe Nuclear Power Plants).
4. J. MURPHY "Probabilistic Safety Assessments: Can they be relied upon?", NEA Newsletter, Spring 1990.