Challenges of Defining In-Depth and Safety Margin Concepts


Scientific Essay, 2017
64 Pages, Grade: 2


Abstract

The paper presents results of evaluations performed by the author over two decades in various Nuclear Power Plant (NPP) safety projects. The focus is on the lessons learnt from the perspective of the evaluation of Safety Margins (SM) and Defense in Depth (DiD). SM and DiD are two closely related concepts in the evaluation of NPP safety issues that evolved over the last decades. They are again under scrutiny for potential adaptation to the lessons learnt from operating experience and major accidents. One important direction in the review of the SM and DiD concepts concerns their better description and quantification, as well as the methodologies used to demonstrate compliance with the requirements in force for them. This review is also connected with the existing efforts to better define the SM in light of the extension of design conditions. The use of the complementary features of the deterministic and probabilistic methods, as well as of the feedback from operation, for the evaluation of safety margins and the review / extension of the design conditions is illustrated with examples from different projects in which the author took part. The paper presents results significant for the topic of SM and DiD from various projects, together with aspects of the process of evaluating SM and DiD, the adopted strategies and the methodological approaches. The combined use of the deterministic and probabilistic methods and of the feedback from operation was one of the focal points in all the projects. The results presented are for various projects, considered as cases significant for learning the lessons.

1. INTRODUCTION

The paper presents some results of a set of safety evaluation projects performed over a period of more than two decades, from the perspective of the issues that had to be solved to comply with SM and DiD requirements.

Three periods were defined for this review, as illustrated in Figure 1. Figure 1 was presented in previous papers and summarizes the evaluation of the main lessons learnt and safety paradigm changes in the 60 years of the NPP technology lifecycle.

In paper [1], the NPP lifecycle was presented as the evolution of a technology, considering also the major accidents. It was shown that the “technology S-curve” describing the SM parameters was reviewed after each major accident. On the other hand, major accidents were considered to delimit periods of safety paradigms. The evaluations presented in this paper consider cases of safety reviews performed from 1990 up to the present, and a forecast for the next ten years.

The cases, the safety strategies adopted, and the methods used to evaluate compliance with the requirements for SM and DiD are presented in the next section.


FIG. 1. Evolution of the safety paradigms [1] and the periods considered for the evaluation of the cases of SM & DiD review

2. CASES AND OBJECTIVES OF THE EVALUATIONS

The review covers a set of periods spanning two decades of NPP history. The following strategies are defined for the period from the safety reviews of 1990 up to the present:

- S1 - Concepts of SM & DiD are consolidated and recognized internationally in a standard-like format (period I, 1990-2000 in Figure 1). Vendors are adapting the initial safety philosophy to the changes in SM and DiD.
- S2 - Concepts of SM & DiD were consolidated. Special issues under research for advanced new generations of NPP and / or SM & DiD problems in the context of lifetime extension issues. Consolidation was accompanied by a certain optimism (“nuclear renaissance”) and did not anticipate intense actions to review the approaches on SM & DiD after the Fukushima accident (period II, 2000-2011 in Figure 1).
- S3 - Concepts of SM & DiD under review, due to the need to consider extension of the Design Basis Accidents (DBA) in the format of Design Extended Conditions (DEC). DiD under scrutiny. Post-Fukushima actions under implementation (period III, 2011-2017 in Figure 1).

For the period 1990-2000 (CPER1), strategy S1 was characteristic of the evaluations and / or safety actions taken for the following cases (described in Table 1, with details of the methods in the next section):

- C1 (BAS-U1) - The case of the basic safety design for CNE Cernavoda unit 1. More details on the method used (coded “M2”) are given in Section 3.
- C2 (EQUIV RO) - The case of establishing the equivalence of the licensing approach from the CANDU environment to the Romanian environment for CNE Cernavoda unit 1. More details on the method used (coded “M2”) are given in Section 3.
- C3 (PRA 1) - The case of the evaluation of the results of the Probabilistic Safety Assessment (PSA): the basic CANDU probabilistic approach of RA and SDM reviewed against PRA level 1 results obtained in independent projects under IAEA for CNE Cernavoda unit 1. More details on the method used (coded “M1”) are given in Section 3.

For the period 2000-2011 (CPER2), strategy S2 was characteristic of the evaluations and / or safety actions taken for the following cases (described in Table 1):

- C4 (U2) - Consolidated approach adopted for Cernavoda NPP unit 1, with the lessons learnt and supplementary changes proposed after experience in other CANDU 6 projects completed between 2000 and 2007. No change in SM and DiD requirements. PSA level 1 requirements included as mandatory, together with a requirement to develop PSA level 2. More details on the method (coded “M2MOD”) are given in Section 3.
- C5 (PBMR) - Generation III+ NPP project considering the latest requirements for generation IV. Use of the results in RIDM. More details on the method (coded “M3P”) are given in Section 3.
- C6 (AGE) - Review of the existing status of the probabilistic methods for evaluating the impact of ageing on plant safety, in the framework of an EU Ageing PSA network (including development of methods). More details on the method (coded “M4A”) are given in Section 3.

For the period 2011-2017 (CPER3), strategy S3 was characteristic of the evaluations and / or safety actions taken for the following cases (described in Table 1):

- C7 (L2 U1&2) - All the requirements on SM and DiD from case U2 remain valid and, in addition, PSA level 2 was performed for Cernavoda U1 & 2 NPP. Evaluation of PSA level 2+ (impact on risk for some sequences) performed. Some SM and DiD reviewed based on the latest results for CANDU. Severe Accident Management Guidelines (SAMG) developed, and the systematic review of the technical basis for Emergency Planning (EP) started. More severe accidents considered for implementation within the post-Fukushima action plan. Evaluations of cliff edge effects and a systematic review of all hazards ongoing. More details on the method (coded “M4A”) are given in Section 3.
- C8 (REST) - The restart project for Cernavoda U3&4, after construction was stopped in the early 1990s. The SM and DiD to be complied with are considered to be those of a restart project and not of a new project. The impact of the new SM & DiD updates is under review. More details on the method (coded “M5WE”) are given in Section 3.
- C9 (REFURB) - Refurbishment of Cernavoda NPP Unit 1 (pressure tube replacement and other long-term operation actions implemented). More details on the method (coded “M5WE”) are given in Section 3.

The next 10 years (2017-2030) were also considered, coded in Table 1 as CPERN. This period is specific to the end of life of two units and the possible restart of old projects.

Details on the characteristics of the strategies, cases and applicable methods are summarized in Table 1.

TABLE 1. STRATEGIES AND METHODS USED IN THE EVALUATED CASES


3. METHODS OF THE EVALUATIONS

3.1 Method used for the cases of basic vendor design and its adaptation to importing country (M2)

This paragraph presents some insights on the method used to evaluate compliance with the requirements for SM and DiD when the task is performed for the situation of importing an NPP and adapting the national nuclear infrastructure to the conditions of the developer of the concept. In Table 1, these two cases are coded “BAS-U1” and “EQUIV RO”.

This was a period of consolidating the post-TMI paradigm on the importance of SM and DiD, and of starting the intensive development of PSA level 2 as the basis for severe accident analysis and international emergency planning (post-Chernobyl actions). During this period, the international community underlined in documents and at international meetings (for instance at the International Conference on Topical Issues in the area of nuclear installation safety, held in Vienna in 1998) the need to focus on:

- The development of guidance on safety performance indicators.
- The development of new IAEA safety standards presenting in more detail aspects such as those related to SM and DiD, with intensive reference to methodologies like PSA.
- Increased support to assure compliance of the national nuclear infrastructure with internationally agreed practices (such as those promoted by IAEA).
- Increased cooperation and exchange of information between the actors involved in the safety evaluation and licensing process.

The evaluations performed for the cases described in this paper for Period I focused on the following safety criteria:

- “Safety Margin” (noted SM in this paper and SAFMAG in previous work), assured in compliance with the regulations in force for that plant at the time of the evaluation.
- The level of “Uncertainty” in the evaluation of the “Safety Margin”, as calculated and/or perceived by the regulatory reviewer of the safety documents / results of commissioning tests and / or safety indicators of the operation (noted UNCTY in previous work and CRU / CRED UNC in this paper).
- The “Core Damage Frequency” (CDF in all papers), a risk metric defined by the PSA standards for level 1.
- A total enveloping safety margin indicator, considered by the regulatory evaluator as a qualitative indicator of safety as a whole (noted GLOBAL in previous work and CR TOT in this paper).

The evaluations were performed for a series of results available for the same plant, as follows:

- The set of safety documents developed by the owner of the CANDU concept at the level of the 1980s (coded BAS80 in previous work and BAS-U1 in this paper).
- CDF and other insights from the PSA level 1 developed in Romania for Cernavoda NPP in the early 1990s (noted PSA 90 in previous work and PRA 1 in this paper).
- The probabilistic safety envelope of the CANDU concept, defined originally by the Canadian designer in a set of Reliability Analyses (RA in all papers) and Safety Design Matrices (SDM in all papers).

The method coded “M2” in Table 1 was used in the cases BAS-U1 and EQUIV RO. The main features of the method consisted in using a combined set of safety analysis results and comparing their similarities and differences, as follows:

- Deterministic analyses for a set of Postulated Initiating Events in the Final Safety Analysis Report, with supplementary support documentation from probabilistic analyses (Reliability Analyses, RA, for some systems, and Safety Design Matrices, SDM).
- Licensing meetings considered the differences in licensing on an issue-by-issue basis, within a regulatory licensing project process.
- Use of expert advice based on the transfer of regulatory approaches to deterministic and probabilistic tools, started with the Canadian regulator.
- Use of international expert support (from IAEA projects and, in the late 1990s, from the EU via PHARE projects) for Regulatory Body support in licensing, its reorganization, and the review / implementation of an updated regulatory environment in accordance with international best practice.

Figure 2 illustrates a sample of the evaluations obtained, on which licensing decisions were based [1-5].


FIG. 2. Results of a benchmarking-type comparison of the safety evaluations for Cernavoda NPP unit 1 [6]

These results are the basis for the summary conclusions presented in paragraph 3.5 of this paper.

3.2 Method used for the cases of NPP initial operation in a technology importing country (M1)

This paragraph presents some insights on the method used to evaluate compliance with the requirements for SM and DiD when the task is performed for the situation of importing an NPP and adapting the nuclear infrastructure to the conditions of the developer of the concept. In Table 1, this case is coded “PRA 1”.

This was the end of a period of consolidating the post-TMI paradigm on the importance of SM and DiD, and of starting the intensive development of PSA level 2 as the basis for severe accident analysis and international emergency planning (post-Chernobyl actions). The situation at the international level was similar to the one mentioned in paragraph 3.1. At the national level, the situation was changing in the sense that the regulatory framework implemented international practice, gained experience from the completion of commissioning of Cernavoda NPP Unit 1, and passed through the phase of initial operation.

At the national level, this was a period of increasing importance and use of the results from the PSA level 1 for Cernavoda NPP unit 1. However, those results were used in combination with the basic CANDU probabilistic approach consisting of RA and SDM. The PRA level 1 results themselves were not fully validated, as they were not checked against the real case of unit 1, the model having been built without intensive participation of the operating organization.

The safety criteria used were the ones mentioned for Period I for the M2 method, i.e. Safety Margin, the level of Uncertainty in the evaluation of the “Safety Margin”, Core Damage Frequency, and a total enveloping safety margin indicator considered by the regulatory evaluator as a qualitative indicator of safety as a whole. The criteria were used to review compliance with the requirements for DiD, to review and study the possibility of extending the DBA category while the unit was in commissioning, and to evaluate the impact of the support systems.

New results from PSA level 1 for unit 1 were evaluated. The type of new information brought by this evaluation is illustrated in Figure 2. The results identified the importance and ranking of various systems, underlining the need to reconsider some support systems, because their contribution to the plant SM was higher than initially thought. In the same sense, it was identified that the DiD acceptance criteria and the independence of the layers needed more investigation.


FIG. 2. Example of results from PSA level 1 versions of 1995-2000 used to review SM and DiD issues [6]

3.3 Methods used for the cases of mature NPP and preparation for long term operation and for new NPP generations (M2MOD; M3P; M4A)

This paragraph presents some insights on the methods used to evaluate compliance with the requirements for SM and DiD for the cases of:

- A mature NPP and preparation for long term operation (M2MOD)
- For new NPP generations (M3P)
- An NPP for which ageing issues become important and have to be considered (M4A)

The method for the safety evaluation of a mature NPP, considering the perspective of its long-term operation (M2MOD), was used as an approach for Cernavoda Unit 1 after its commissioning and start-up, once it reached “mature operation”, and after the successful completion of Unit 2 commissioning and its start of operation. This case had the following specifics [6-8]:

- The units were successfully commissioned and were operating very well.
- The regulatory environment was set up in its basic features and adopted national rules that were in compliance with international best practice.
- The best results from the previous case (PRA 1), as described in paragraph 3.2, were incorporated in the safety evaluation system, creating a consolidated approach for the SM and DiD compliance review.

The international environment was similar to the one mentioned in paragraphs 3.1 and 3.2.

The main features of the method used for SM and DiD compliance evaluation were as follows:

- The review of compliance with DiD and SM and of the postulated events (including a possible extension of the DBA list) was based on the experience from unit 1.
- Design changes were implemented to consolidate the SM and the DiD layers.
- A plant-specific PSA level 1 for internal and external events was completed, and its use in operation as a risk monitor started.
- PSA level 1 became part of the required licensing safety documentation and was used for the current operation of the units.
- Preparation for PSA level 2 and severe accident evaluations started.
- A program for long-term management (ageing impact) started.
- The Periodic Safety Review (PSR) was completed.
- Implementation of risk management throughout all the plant processes (hardware and software) started, with the use of RIDM elements for decisions on SM and DiD.

The method (M3P) for a generation III+ NPP (PBMR) considered the latest reviews and developments from IAEA and the Generation IV initiative on the next NPP generation. Reviewing the SM and the characteristics and independence of the DiD layers for a future NPP was a serious challenge. It was an opportunity to identify the need for integrated safety evaluations and for an increased role of risk metrics at level 3. Projects of this type gave serious input into the review of SM and DiD features for generations II, II+ and III [10-11].

The method (M4A) used probabilistic tools (PSA level 1) to evaluate the remaining margins and how to assess them in the case of an ageing NPP (case AGE, as part of the Ageing PSA network under the European Commission). This case gave the possibility of a systematic review of the probabilistic methods for the evaluation of the impact of ageing on plant safety, and indicated how to evaluate the remaining SM. It also gave insights on the fact that the layers of DiD are not as independent as considered before, and that the acceptability criteria for the layers are expected to change with the process of NPP ageing. The case included a case study of PSA level 1 tools capable of being used for Cernavoda NPP, with interesting methodological insights [9].

3.4 Methods used for the cases of mature long-term operation and new NPP construction (M5ST, M5WE)

This paragraph presents some insights on the methods used to evaluate compliance with the requirements for SM and DiD for the cases of:

- An NPP in mature operation close to the moment of refurbishment, as in Cernavoda NPP Unit 1 (M5ST)
- Refurbishment of an operating unit in order to extend its operating lifetime (M5WE)
- Restarting an NPP project after it was stopped and kept in conservation for a long period of time (M5WE)

The method for the safety evaluation of a mature NPP in a status of mature operation close to the moment of refurbishment, as in Cernavoda NPP Unit 1 (M5ST), has some specifics:

- The unit is similar to other units at international level for which such extensions were done successfully.
- The preliminary operating data and inputs to safety reviews indicate no reason to consider that the unit has special problems by comparison with other CANDU units.
- The regulatory environment is coordinated with similar international situations.

The international environment was similar to the one mentioned in paragraphs 3.1-3.3, with some specifics due to the paradigm changes after the Fukushima accident. For SM and DiD, the paradigm change included the need for a systematic review of the existing SM in light of DEC and Cliff Edge Effects (CEE), and important safety backfitting actions, called “post-Fukushima safety action plans”. This trend has been underlined in internationally accepted documents since 2011 and included in international exchanges of information (for instance at the 2013 IAEA conference on safety topics in Vienna).

The case (L2 U1&2) involved, at the national level, the update of the safety regulatory environment and safety changes at the operating NPP units. The following issues reflect the specifics of the safety evaluation method in this case [5-6; 12]:

- The SM and DiD assumptions, as defined for the operating plants and included in the regulatory environment at national level, are preserved, and a systematic review of the potential challenges to them if post-Fukushima actions are implemented is performed. So far the review shows that the existing SM are sufficient even if an extended design basis is considered.
- A very important tool for the review of SM, of the adequacy of the success criteria and of the independence of DiD was the use of PSA level 2 and of partial (for some important sequences) PSA level 2+ evaluations.
- The process was integrated in the overall review of safety features in the CANDU community.
- Identification of CEE, of the degree of independence of the DiD layers, and of the status of the existing SM (operational, regulatory).
- SAMG were prepared and implemented, and a systematic review of the technical basis for EP was started in the regulatory environment, under an IAEA project.
- A systematic review, as part of international projects (these being also main topics of many international meetings and information exchange programs), of issues like:
  - Concepts of SM & DiD under review, due to the need to consider extension of the Design Basis Accidents (DBA) in the format of Design Extended Conditions (DEC).
  - DiD issues (acceptance criteria of each level and independence of the levels).
  - Change control of the post-Fukushima action programs.

The method for the refurbishment and lifetime extension of an NPP (Cernavoda NPP Unit 1) deals with generic NPP lifetime extension issues, but mainly with the specific CANDU life extension for pressure tubes and the subsequent retubing (M5WE). In this evaluation, the feedback from the whole CANDU community on refurbishment is essential and is used. This case does not include technical and/or safety elements that make its situation different from other units of this type that have performed the refurbishment.

The method for restarting an NPP project (Cernavoda units 3 & 4) after it was stopped and kept in conservation for a long period of time (M5WE) has specifics that are under scrutiny, so as to comply with both IAEA best practice and the European Union safety regulations.

3.5 Method to obtain concluding enveloping results from the detailed evaluations of the cases

This paragraph presents how concluding, enveloping results are obtained from the detailed evaluations of the real cases, in each of which the author participated directly. For those cases, this paper presents an enveloping set of conclusions from the perspective of the lessons learnt on SM and DiD review.

The enveloping of such results is performed in an international context of various actions for the systematic review of the SM and DiD paradigms, as defined in the previous NPP technology periods (after Three Mile Island and Chernobyl). Nowadays, in the context of the post-Fukushima series of action plans, the review of paradigms has proved necessary for the next phases of NPP technology.

This is, in our view, as expressed before [1; 12], a sign of the maturity of NPP as a worldwide technology, and it will have a very high impact on the backfitting of old NPP and the building of new ones.

The method of integrating the evaluation results for all cases considers the list from Table 2 for all the cases defined in Table 1, taking into account the results of applying the methodologies described in paragraphs 3.1-3.4.

TABLE 2. DETAILED CRITERIA FOR THE EVALUATION OF RESULTS


4. RESULTS

The results of the safety evaluations performed for the cases defined above, with the application of the methods briefly described in 3.1-3.3 and included in the referenced papers published so far, are summarized in Table 3. In Table 3, the notations are as follows:

- H - high impact
- M - medium impact
- L - low impact

TABLE 3. SUMMARY RESULTS OF THE SAFETY EVALUATION OF THE CASES DEFINED IN TABLE 1


A summary of the impact for each case of the issues related to the SM and DiD is represented in Table 4.

TABLE 4. SUMMARY OF THE IMPACT ON SM AND DiD FOR THE CONSIDERED CASES


The results from Tables 3 and 4 are represented in Figures 3 and 4.


FIG. 3. Impact on SM and DiD for the evaluated cases in periods 1 to 3 and forecast for period 4

As represented in Figure 3, there is an asymptotic behavior of the impact on SM and DiD, indicating that a certain level of maturity has been reached for the NPP technology. However, it has to be considered that NPP is a technology with a lifetime, and this involves considering its phasing out in time, before an abrupt fall of the existing margins.


FIG. 4. Impact on the complementary criteria for the evaluation of SM and DiD in the considered cases in periods 1 to 3 and forecast for period 4

The trend indicated by the complementary criteria for evaluating the impact on SM and DiD issues in the analyzed cases illustrates the fact that a stable but low level of uncertainty is expected in the safety evaluations and their credibility, as well as in the decision process. This asymptotic low level indicates a possible resurgence of the more “traditional” deterministic evaluations in the future. This means that the trend of an increased role of intrinsic safety features, of the use of passive components, and of improving the contribution of human and organizational factors to the safety evaluation is going to be maintained.

Figure 5 illustrates the summary of the safety evaluations mentioned above. It is also important to mention that the major risk envisaged for period 4 (the next 10 years) is, in our view, not that the post-Fukushima actions will not be implemented, but that:

- either the change control, i.e. the planning of the introduction of all those modifications, is not functioning, or
- there is a (possibly) hidden impact (not evaluated in sufficient detail) of those modifications on already existing safety features from the “traditional” DBA, which may lead to totally unexpected major accidents.

Those possible accidents might be generated by a long series of modifications to designs that do not support them, making things worse, or by the loss of change control itself. It might be that by avoiding CEE we endanger basic safety features already in place, and that is why the implementation of post-Fukushima type changes should consider this aspect with priority while implementing new safety features. One has to be very confident that, when introducing new safety features, the old ones remain valid.


FIG. 5. Summary of the evolution of the impact on SM and DiD of the various safety actions taken for the cases in Table 1

Therefore, the role of independent safety reviews, performed by experts knowledgeable about that particular type of NPP, including upgraded peer reviews oriented towards those goals, might be very useful.

5. CONCLUSIONS

The paper presents the evaluations performed in various Nuclear Power Plant (NPP) safety projects for a set of projects (cases) within a period of about two decades. There are many insights from the practical experience of performing safety evaluations with the objective of checking the level of compliance with safety requirements, protection in layers (DiD) and the level of available SM, and hence of judging the conservatism of the decisions taken. The cases are related to real situations, and therefore the experience could be of use for further similar cases.

The paper also presents some insights on the potential issues of concern in safety evaluations, among which the evolution of SM and DiD is considered dominant. However, it should not be forgotten that NPP is a technology, and that the SM and DiD paradigms change systematically after major accidents. Nevertheless, if the post-Fukushima action plan is implemented, a series of refinements is to be introduced in the definition of SM and the evaluation of DiD, while keeping the design and operation change process under strict control.

References

[1] SERBANESCU, D., Understanding major accidents - Shifting paradigms in safety and risk, Safety Summit, Vienna, 27-28 Sept 2011, http://www.academia.edu/3763738/Understanding_major_nuclear_accidents_shifting_in_paradigms_for_safety_and_risk

[2] SERBANESCU, D., Use OF PSA in the regulatory process, Vienna, Austria, 26-29 April 1993.

[3] SERBANESCU, D., A New Approach in Decision Making in Different Phases of the PSA Studies, IAEA PSA 1991 Symposium, IAEA-SM-321/35.

[4] SERBANESCU, D., A Comparison between Different Methods Used for the PHWR Primary System Leakage Event Tree Sensitivity Analysis, International Workshop on 'Reactor Coolant System Leakage and Failure Probabilities', OECD-NEA, 9-11 December 1992, Koln, Germany.

[5] SERBANESCU, D., CNCAN basic principles for the Cernavoda unit NPP PSA level 1, IAEA, Vienna, 1993.

[6] SERBANESCU, D., The use of the decision theory and probabilistic analyses in the NPP licensing decision process, International Conference on Topical Issues in Nuclear Safety, IAEA-CN-82/28, IAEA, Vienna, Austria, 3-6 Sept 2001.

[7] SERBANESCU, D., Final Report on the On-the-Job Training at AECB Canada for the Use of Probabilistic Analyses in the Licensing Process of CANDU NPP, Vienna, 1992.

[8] SERBANESCU, D., Nuclear Safety for Nuclear Power Plants, Master course held for the specialization in nuclear safety of the students of the Bucharest Polytechnic Institute, Faculty of Energy, Bucharest, 1996-2000.

[9] SERBANESCU, D., VETERE ARELLANO, A.L., in: Safety, Reliability and Risk Analysis: Theory, Methods and Applications, Martorell et al. (eds), Taylor & Francis Group, London, 2009, ISBN 978-0-415-48513-5.

[10] SERBANESCU, D., Int. J. Critical Infrastructures, Vol. 1, Nos. 2/3, 2005, p. 281, Inderscience Enterprises Ltd.

[11] SERBANESCU, D., VANGRAAN, H., ELLOF, L., COMBRINK, Y., Int. J. Critical Infrastructures, Vol. 1, Nos. 2/3, 2005, p. 287, Copyright © 2005 Inderscience Enterprises Ltd.

[12] SERBANESCU, D., Some specifics of the use of probabilistic risk analyses as a support to the evaluation of safety

ANNEXES

To the paper

On some challenges in defining and using Defense in Depth and Safety Margin concepts, as highlighted by the safety improvement process

Annex 1 - Serbanescu D., A New Approach In Nuclear Risk Theory, in the IAEA document Use OF PSA in the regulatory process, Vienna, Austria, 26-29 April 1993

Annex 2 - Serbanescu D., CNCAN basic requirements for the PSA level 1, Specialist meeting on Use of the PSA in the regulatory process, IAEA Vienna, 26-29 April 1993

Annex 3 - Serbanescu D., The use of the decision theory and probabilistic analyses in the NPP licensing decision process, International Conference on topical issues in nuclear safety, IAEA, Vienna, Austria, 3-6 Sept 2001, IAEA-CN-82/28, DOI: 10.13140/RG.2.1.4859.2487

Annex 4 - Serbanescu D., Systematic biases in event review and their impact on learning process

ANNEX 1

to the paper On some challenges in defining and using Defense in Depth and Safety Margin concepts, as highlighted by the safety improvement process

A New Approach In Nuclear Risk Theory, Dan Serbanescu, Ph.D., Use of PSA in the regulatory process, Vienna, Austria, 26-29 April 1993

Dan Serbanescu, Ph.D.

National Commission for Nuclear Activities Control - Division of Nuclear Safety Regulations

Safety Analyst

Probabilistic Safety Assessment and Severe Accidents

Bucharest 5 Bd.Libertatii 12, P.0,5, Fax :(401) 6813 476

Romania

ABSTRACT

The basic problem of probabilistic safety assessment (PSA) is the evaluation of errors. The main contributor to the final PSA results is the systematic error induced by the method itself. There may be some alternatives to the classical PSA approaches. All the new, more successful approaches to the validation of PSA results are related to the modelling problem.

A comparison between two possible approaches for a pressurized heavy water reactor (PHWR) leakage event tree is included:

* the new approach proposed in (Serbanescu, 1991);

* the approach used in (Serbanescu, 1992), based on some as yet unexplored features of the existing PSA analyses.

The results are presented in relative units, and an algorithm already implemented on an IBM PC computer (Serbanescu, 1991) is used as a decision-making tool.

The decision-making process should be based on a better modelling of the nuclear power plant (NPP) from the risk analysis point of view. This is the main feature of the proposed approach.

1. PROBLEM DESCRIPTION

The PSA validation process has so far encountered many difficulties, related basically to the general problem of risk modelling. The new approach proposed in (Serbanescu, 1991), (Serbanescu, 1992) has some basic features:

1.1 The PSA validation is considered to be a risk model problem, i.e. the NPP risk evaluation is modelled as a global complex hierarchical system.

1.2 The specific results on complex hierarchical systems are used in the risk evaluation process.

1.3 The synergy theory results are used for the risk model Lagrange function.

2. DESCRIPTION OF THE METHODS

The methods used are:

2.1 The method used in (Serbanescu, 1992), based on some as yet unexplored features of the existing PSA analyses, which is the PSA reference method - METHOD A

2.2 The method of (Serbanescu, 1991), based on information theory, which is the proposed method - METHOD B

2.1. METHOD A

2.1.1. The small leakage event tree logic was built using the CAFTA and ETA codes.

2.1.2. The sensitivity and uncertainty analyses were performed using CAFTA features for the uncertainty analyses and ETA features for the sensitivity analyses.

2.1.3. The basic output of this method, which is used in a decision-making process on the major contributors to the NPP safety degradation due to a small leakage event tree, is given by the importance factors.

This method has a postdictive character.

2.1.4. The basic decisions could be taken on the basis of the sensitivity and/or uncertainty analyses.

2.2. METHOD B

2.2.1. The small leakage event tree logic was built using the CAFTA and ETA codes.

2.2.2. The sensitivity and uncertainty analyses were performed using the author's methodology, as outlined in (Serbanescu, 1991) and (Serbanescu, 1992).

2.2.3. The basic output of this method, which is used in a decision-making process on the major contributors to the NPP safety degradation due to a small leakage event tree, is given by the Lagrange function of this problem. The main feature of this function is its ability to describe quantitatively the departure from the target state of the global system state indicator, i.e. the information entropy of the analyzed system.

This model has a predictive character.

2.2.4. The basic decisions could be taken on the basis of the existing methodology developed in a computer code, and assume that a global NPP risk model exists.

3. DESCRIPTION OF THE RESULTS

The results obtained using methods A and B are presented in Fig. 1 and Fig. 2, respectively.

3.1. METHOD A

3.1.1. The results are presented in Fig. 1. The Fussell-Vesely importances have been computed using the above defined method A.

3.1.2. The main conclusions are given in 3.3.

3.2. METHOD B

3.2.1. The results are presented in Fig. 2. The Lagrange function is computed in accordance with Method B.

3.2.2. The main conclusions are given in 3.3.

illustration not visible in this excerpt

Notes to Table 1

(1) The analyzed events, due to systems failure, are as follows:

CC - Crash Cooldown = P1 - Process System 1

G1SS - Safety System Group 1 = S1 - Safety System 1

G1SW - Service Water System 1 = S2 - Safety System 2

G2SW - Service Water System 2 = S3 - Safety System 3

LW - Light Water System to SG = P2 - Process System 2

OP - Operator Action of SDC = H1 - Human Interaction 1

SDC - Shutdown Cooling System = P3 - Process System 3

SG - Steam Generator Cooling = P4 - Process System 4

(2) The criterion A is well known; the criterion B is defined in [1].

(3) The ranking of the systems failure using the quantitative criterion of the Fussell-Vesely Importance.

(4) The ranking of the systems failure using the quantitative criterion of the Lagrange function.

(5) The ranking for GRI; GRII; GRIII; Stot using Fussell-Vesely Importance is:

GR I = IIa (between II and III)

GR II = IX

GR III = VIII

Stot = IIb (between IIa and III)

(6) The ranking for GRI; GRII; GRIII; Stot using the Lagrange Function is:

GR I = IIa (between II and III)

GR II = IVa (between IV and V)

GR III = Ib (between I and II)

Stot = Ia (before I)

3.3. Decision-Making using NPP Risk Models

3.3.1. The main pragmatic conclusions to be used in a PSA type decision-making process are as follows:

(1) In accordance with the Method B results, the Fussell-Vesely importance leads us to an overestimation of the S1, S2 and S3 systems. The error of method B in stating this conclusion is 10%.

(2) In accordance with the results of both methods A and B, the system P2 and the operator action H1 are significant contributors to the plant safety.

(3) In accordance with the Method B results, the Fussell-Vesely importance leads us to an underestimation of the P3 system. The error of method B in stating this conclusion is 10%.

3.3.2. The results mentioned at para 3.3.1 have been obtained by processing the ranking from Table 1 with the method (Serbanescu, 1992). The method (Frujinoiu, 1992) confirmed these results.

Table 2 presents some partial inputs and outputs given by this methodology.

3.3.3. The main results from 3.3.1 lead us to some PSA type decisions to be taken for the small leakage event tree presented in this paper, based on the following:

(1) The process systems P2, P3 and the human interaction H1 are a very important factor in decreasing the effects of a small leakage event tree. Usually their contribution is underestimated.
(2) The contribution of the safety systems to decreasing the effects of the small leakage event tree should not be overestimated.
(3) The best NPP safety oriented state following a small leakage event tree would be the one in which the contributions of the safety systems for the short term and of the process systems for the long term are balanced.
(4) The only way to evaluate our error in making the above defined decisions is to use method B. In our particular case, the error of all these statements is about 10%.

No other PSA method evaluates the error of the decision taken for the whole methodology. The existing PSA results take into account only the errors induced by the probability distributions of the events and do not take into account the overall methodology errors, which are the highest.

illustration not visible in this excerpt
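As an added illustration (not part of the original paper), the block below reproduces the Method A step of ranking systems by Fussell-Vesely importance for a small leakage event tree, and then checks how robust that ranking is when each system's unavailability is perturbed by a given error factor, in the spirit of the paper's point that a ranking should be read together with the error of the evaluation. The minimal cut sets, the unavailabilities and the error factors are constructed for illustration; the labels S1-S3, P1-P4 and H1 follow the notation of Table 1, and the rare-event approximation is used for the top event probability.

```python
"""Fussell-Vesely importance ranking for a constructed small-leakage
event-tree model, with a simple robustness check on the ranking.

Added example, not from the original paper. Cut sets, unavailabilities
and error factors are constructed; only the system labels follow Table 1.
"""

# Constructed per-demand unavailabilities (not plant data).
UNAVAIL = {
    "S1": 1e-3, "S2": 2e-3, "S3": 1e-3,          # safety systems
    "P1": 5e-2, "P2": 3e-2, "P3": 2e-2, "P4": 4e-2,  # process systems
    "H1": 1e-2,                                   # operator action
}

# Constructed minimal cut sets leading to core damage after a small leakage.
CUT_SETS = [
    frozenset({"S1", "P2"}),
    frozenset({"S2", "P3"}),
    frozenset({"S3", "H1"}),
    frozenset({"P2", "P3"}),
    frozenset({"H1", "P4"}),
    frozenset({"P1", "P3", "S1"}),
]


def cut_set_prob(cut_set, unavail):
    """Probability of a minimal cut set (independent basic events)."""
    p = 1.0
    for event in cut_set:
        p *= unavail[event]
    return p


def top_event_prob(cut_sets, unavail):
    """Rare-event approximation: sum of the minimal cut set probabilities."""
    return sum(cut_set_prob(cs, unavail) for cs in cut_sets)


def fussell_vesely(cut_sets, unavail):
    """FV_i = P(union of cut sets containing i) / P(top event), rare-event form."""
    total = top_event_prob(cut_sets, unavail)
    return {
        event: sum(cut_set_prob(cs, unavail) for cs in cut_sets if event in cs) / total
        for event in unavail
    }


def rank(importances):
    """Systems ordered from the largest to the smallest importance."""
    return sorted(importances, key=lambda e: importances[e], reverse=True)


def ranking_stability(cut_sets, unavail, factor):
    """Sensitivity check: scale one unavailability at a time by `factor`
    and by 1/factor and collect the systems whose rank position changes.
    An empty set means the ranking survives that error band."""
    base = rank(fussell_vesely(cut_sets, unavail))
    unstable = set()
    for event in unavail:
        for f in (factor, 1.0 / factor):
            perturbed = dict(unavail)
            perturbed[event] = min(1.0, unavail[event] * f)
            new = rank(fussell_vesely(cut_sets, perturbed))
            unstable.update(e for e in unavail if base.index(e) != new.index(e))
    return unstable


if __name__ == "__main__":
    fv = fussell_vesely(CUT_SETS, UNAVAIL)
    print("top event probability: %.3e" % top_event_prob(CUT_SETS, UNAVAIL))
    for system in rank(fv):
        print("%-3s FV = %.4f" % (system, fv[system]))
    for factor in (1.1, 2.0):
        print("rank changes under error factor %.1f: %s"
              % (factor, sorted(ranking_stability(CUT_SETS, UNAVAIL, factor)) or "none"))
```

With the constructed data the process systems P3 and P2 and the operator action H1 head the list while the safety systems trail, and the P2/P3 order survives a 10% error band but not a factor-of-two one, which is exactly the kind of caveat the paper attaches to a ranking.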

4. REFERENCES

Serbanescu, Dan (1991). A New Approach in Decision Making in Different Phases of the PSA Studies, IAEA-PSA 1991 Symposium, IAEA-SM-321/35.

Serbanescu, Dan (1992). A Comparison between Different Methods Used for the PHWR Primary System Leakage Event Tree Sensitivity Analysis, International Workshop on 'Reactor Coolant System Leakage and Failure Probabilities', OECD-NEA, 9-11 December 1992, Koln, Germany.

Serbanescu, Dan (1992). Reports on the fellowship at AECB, Canada, IAEA-AECB, January-July 1992.

Serbanescu, Dan (1991). The Use of a New Method for INES Evaluation, IAEA Advisory Technical Committee on INES, Vienna, 14-18 October 1991.

ANNEX 2

CNCAN basic requirements for the PSA level 1 paper to the Specialist meeting on Use of the PSA in the regulatory process, IAEA Vienna 26-29 April 1993

illustration not visible in this excerpt

Annex 3

Serbanescu D., The use of the decision theory and probabilistic analyses in the NPP licensing decision process, International Conference on topical issues in nuclear safety, IAEA, Vienna, Austria, 3-6 Sept 2001, IAEA-CN-82/28, DOI: 10.13140/RG.2.1.4859.2487

THE USE OF THE DECISION THEORY AND PROBABILISTIC ANALYSES IN THE

NPP LICENSING DECISION PROCESS

SERBANESCU, D.

National Commission for Nuclear Activities Control

Bd. Libertatii 14

PO42-4, Bucharest 5, Romania

Fax: +4014111436; Email: sdan@cncan.ro

Abstract

The licensing process is the place where the use of decision theory and of some specialized analyses, such as probabilistic analyses, is increasing. However, this use might be highly misleading if the impact of the actual errors and limitations of the analysis is not considered. Decision theory was actually used in this sense during the licensing process of Cernavoda NPP Unit 1 in order to support the decisions taken.

1. METHOD

The licensing decision process is part of a hierarchical multilevel system, which is called nuclear safety [1,2]. For this system, goals and criteria to be reached are defined. One of the basic problems to be solved during the licensing process is to define, with a desirable quantifiable error, a conservative decision on whether the safety goals and criteria are met by the nuclear power plant (NPP). Because the errors and uncertainties of such a complex system are difficult to define, the evaluated degree of conservatism of the licensing decisions taken is usually variable in time. The main aspect inducing an apparent decrease of conservatism is, in our opinion, mostly related to the conservatism of the evaluation of the error in the differences between the goals to be met and the actual safety results for various NPP applications and performances.

This degree of conservatism is mostly dependent on the knowledge available during the plant lifetime, which is also reflected in the safety evaluation method. Historically, many methods were used during the NPP licensing process. Many times the initial design basis method and the initial licensing basis adopted for a plant are subject to evolution and to feedback from basic science methodology and from plant operation. Probabilistic Safety Analysis (PSA) is one example of such a method. It was initially promoted very fast because it is a special method: systemic, systematic and structured. It is a method adapted to the dynamic object called the nuclear safety system. However, the basic problem for the use of this method in the licensing process was the evaluation of the error implied by a decision based on its results. For this purpose a whole system was considered, and it is not the intent of this paper to insist on it [3]. It is to be noted, however, that there are two big possible choices in using PSA results, and hence the risk tools: one is risk-informed regulation and the other is risk-based regulation.

Some basic early results and evaluations of the author [1, 2, 4] indicated that the method to be used would emphasize the decision theory tools as they are reflected in the PSA methodology, and from this perspective the error and uncertainty evaluation play a basic role in defining the degree of conservatism of the decision.

The use of this approach in the actual licensing process of Cernavoda NPP Unit 1 and in the definition of the licensing process for the next units was based on this understanding and made the connection between basic methodology aspects and real life. One very important advantage in this particular case was the possibility to have feedback from the whole process of safety definition (design, commissioning, early operation) and also to use various methods in evaluating it. It was considered that the results of risk analysis form part of the decision-making process to evaluate safety margins, and the areas of review of these results were related to:

- define proposed change;
- conduct engineering evaluation;
- develop implementation and monitoring strategies;
- document evaluation and submit request.

A set of acceptance criteria was developed so that the proposed changes:

- meet the regulation requirements;
- are consistent with the Defense in Depth concept, i.e. check that the following balance exists:
  - core damage prevention;
  - containment failure;
  - consequence mitigation;
- maintain sufficient safety margin;
- are consistent with the safety goal policy;
- monitor impact and assure feedback.

The main features of the use of probabilistic and risk analyses are:

- use them in an integrated manner (together with the deterministic analyses);
- use appropriate methods;
- perform independent review;
- evaluate uncertainties, using feedback tiers;
- use Core Damage Frequency (CDF) and Large Early Release Frequency (LERF) to demonstrate consistency with safety goals;
- consider as safety goals quantitative doses to plant personnel and population, as previously determined by other methods;
- evaluate carefully the variations of CDF and LERF and the sensitivity/uncertainty calculation results;
- evaluate the results in an integrated manner;
- formalize the whole system of the adopted practice.

2. MAIN RESULTS

The licensing decision process for Cernavoda NPP Unit 1 was based on some specific features:

- CANDU reactors operate with the concept of Plant Damage States (PDS) in order to define the CDF and LERF;
- the basic CANDU design includes probabilistic analyses in the form of Reliability Analyses (RA) and Safety Design Matrices (SDM);
- the PSA tools were themselves subject to internal national development and review during a period of about 10 years;
- the plant safety concept itself had a certain evolution during the period from acquisition to connection to the grid;
- feedback from commissioning and early operation events was considered in order to review and check both the safety design and the licensing decision tools;
- there were some important mismatches between some elements of the initially adopted regulatory environment and the basic plant safety philosophy, which had to be taken into account and adjusted during the process itself.

As illustrated in Fig. 1, the pilot PSA results for Cernavoda NPP were mainly used as a supplementary information tool, which in its turn had its own evolution. The various versions were independently reviewed by the regulatory body during the decision process. The review also had to consider that the concepts of important contributors grouped by PDS, such as Late Core Damage (LCD), Moderator Heat Sink (MHS), Early Core Damage (ECD) and Other PDS (OPDS), had to be correlated with the basic safety philosophy of the plant. The PSA results review identified the main contributors, but also a band of variation of the CDF values themselves.

FIG. 1 Results of PSA versions for various PDS

illustration not visible in this excerpt

The decision process practically performed a benchmark type exercise as part of the independent review of the PSA results. Fig. 2 presents as an example the main contributors to the CDF based on the PSA version of 1998 (after the implementation of most of the IPERS mission recommendations for the 1995 version). The initial 1990 version was an initial pilot study, also reviewed by an IPERS mission in 1991. In all these versions there were some common conclusions, as for instance:

- moderator as a heat sink is an important aspect to be reviewed by other methods;
- the importance of the interface systems between the nuclear island and the balance of plant is to be reviewed, too;
- some initially considered Beyond Design Basis accidents as for instance Loss of Coolant accidents and coincident Loss of offsite power have to be considered as Design Basis Accidents;
- operator model and actions have to be reviewed carefully.

FIG. 2 Main PDS Contributors to the PSA 1998

illustration not visible in this excerpt

The decision process was carried out in three main steps in relation to the use of the probabilistic analysis results. The first step of the decision process was the use of PSA level 1 results in the regulatory decisions and consisted of:

(1) identification of the most important contributors to the CDF in all the versions of PSA level 1. For instance, all the above mentioned common conclusions indicated that the moderator as a heat sink, the interface systems, the extension of the Beyond Design Basis Accidents (BDBA) list and the contribution of the operator model are important aspects of the plant risk;

(2) based on the identified main contributors, the regulator decided to require:

- extensive calculations in the Safety Reports for these contributors;
- some supplementary actions (mainly new tests) during commissioning;

(3) the regulator decided to evaluate in more detail the supplementary actions needed.

There were several safety evaluation methods to be considered during the licensing process (Fig. 3):

- basic design and licensing approaches, as defined in the 1980 version (BAS80);
- PSA results for the versions 1990, 1995 and 1998;
- review of the initial RA and SDM, as the basic design probabilistic analyses;
- definition and use of combined methods for specific topics, as resulted during the review.

FIG. 3 Safety Margins for Different Evaluations

illustration not visible in this excerpt

Legend to Fig. 3

BAS80 = Basic design as per 1980

PSA_90 = PSA 1990 version

RA-SDM = RA and SDM reviewed

PSA_95 = PSA 1995 version

Using decision tables [4], the results were normalized and compared for the various methods from the point of view (Fig. 3) of the Safety Margins (SAFMG), Uncertainty/error (UNCTY), Core Damage Frequency (CDF) and the Global indicator, which was defined in [1] as a Lagrange function of the hierarchical system evaluated.

The results presented in Fig. 3 indicate that a more carefully chosen indicator, such as the global one, could include not only the departure from an acceptance criterion (safety margin, CDF etc.) but also the error of this evaluation.

At this point of the paper it should be mentioned that in the second step of the decision process the regulator started to evaluate in more detail whether the CDF results are confirmed by more refined analyses. These analyses were done for some specific contributors, such as the Nuclear Steam Plant (NSP) — Balance of Plant (BOP) interface systems. The versions considered for the decision process were related (as illustrated in Fig. 3) to:

- the basic design as per 1980 (BAS80);
- the results from reliability analyses and safety design matrices in 1995;
- the results from PSA in 1995;
- the results from PSA updated in 1998 as per the last IPERS recommendations; and
- all the combined conclusions as they resulted from the Final Safety Report in 1998-1999.

The criteria used to evaluate all the above mentioned results were based on the safety margins as they resulted from the norms, on the calculations of the CDF and uncertainties, and on the combination of CDF and importance using a Lagrange function as defined in [1].

The evaluations confirmed that all the tools used indicated that such contributors defined in step 1 of the decision process, as for instance the BOP-NSP interface systems, are important for the plant risk. It was also confirmed that these contributors must be analyzed and tested supplementarily, even if without those supplementary actions the plant safety could still be considered well within the national and international limits.

The results illustrated in Fig. 3 were based on extensive check lists and decision tables, which might be summarized as risk calculations and importance of the contribution of various systems. The evaluation of importance for the various systems (process systems P1, P2, P3, P4), safety systems (S1, S2, S3) or human factors (H1) for the various sequences (grouped in 3 groups, SEQ_GR1, SEQ_GR2, SEQ_GR3) may be done using classic categories like Fussell-Vesely (IMP_FV) or modified ones using the Lagrange function as defined in [1] and [4]. The differences between them indicate again mainly that the decision should consider the error of the evaluation method itself. A practical illustration of these results is that the ranking done (Fig. 5) using these different tools indicated that the better decisions are those which consider the error, too. All these changes in the understanding of priority and importance for the licensing decisions on the various systems are done so that the global balance between sequences is not changed, as illustrated in Fig. 6. The third step of the regulatory decision process consisted of performing the evaluations illustrated in Figs. 4 to 6. For each of the important contributors passing step 2 of the process, based on the detailed evaluations, it was considered to require, during the licensing process performed in the commissioning phases:

- supplementary deterministic calculations;

- supplementary commissioning tests.

FIG. 4 Importances for Systems

illustration not visible in this excerpt

FIG. 5 Systems Ranking

illustration not visible in this excerpt

FIG. 6 Sequences Ranking

illustration not visible in this excerpt

Legend to the figure 6

SEQ1..3_GR = Groups of sequences

RANK_FV = Ranking of sequences/systems using Fussel Vessely Importance

RANK_LAGR= Ranking of Sequences/systems using Lagrange Function

All these requirements are actions actually implemented for a real plant. They were all based on the above described regulatory decision process.

To summarize, some important licensing decisions were based on these results:

- the importance of the moderator, considered a process system in the basic design, is higher and should be reflected in plant hardware and software;
- the importance of the interface systems is higher than initially expected, and it was reviewed supplementarily during commissioning both by analyses and by supplementary commissioning tests;
- some BDBA accidents, like LOCA coincident with loss of off-site power, have to be considered DBA, and they were demonstrated by analysis and design;
- review the decisions based on the event review, even from the commissioning phases;
- perform and document a review of the regulatory environment.

3. CONCLUSIONS

The licensing decision process for Cernavoda NPP Unit 1 included a review from the perspective of decision theory and probabilistic analyses, including the method errors, uncertainties and modelling limitations. The process also had some specific features, but in the author's opinion they highlighted the fact that any licensing decision has to carefully evaluate its conservatism. The paper also includes some results in using specific tools in order to measure these limitations in the decision process.

The path for evaluations of this type for NPP, of including the risk analysis in a global decision theory method, may be found in other fields, such as space techniques and aviation [5]. It might therefore be a deeper problem with a larger application. On the other hand, it is important to mention that the further development of the method is being performed [6].

References

[1] SERBANESCU, D., A New Approach in the Decision Phases of the PSA Studies, PSA91, Vienna, (1991).

[2] SERBANESCU, D., Metode de Corelare a Defectiunilor provocate de Cresterea de Temperatura in Zona Activa a unui Reactor Nuclear si a Sigurantei in Functionare a unei Centrale Nuclearoelectrice (Methods of Correlating the Failures Caused by Temperature Rise in the Core of a Nuclear Reactor with the Operational Safety of a Nuclear Power Plant), Doctoral thesis, ICEFIZ, Magurele-Bucuresti, (1987).

[3] USNRC, Standard Review Plan, Chpt. 19.0 Use of Probabilistic Risk Assessment in Plant-Specific, Risk-Informed Decision Making, NUREG-0800.

[4] SERBANESCU, D., Final Report on the On-the-Job Training at AECB Canada for the Use of Probabilistic Analyses in the Licensing Process of CANDU NPP, Vienna, (1992).

[5] ROSENBERG, L. H., HAMMER, T., GALLO, A., 'Continuous Risk Management at NASA', Applied Software Measurement / Software Management Conference, San Jose, California (1999).

[6] SERBANESCU, D., et al., 'Nuclear Safety for Nuclear Power Plants', Master Course being held for the specialization on nuclear safety of the students in Bucharest Polytechnic Institute, Bucharest, Faculty of Energy, in publication.

Annex 4

Serbanescu D., Systematic biases in event review and their impact on learning process

Dan Serbanescu, Safety and Risk expert

Abstract

The paper presents some results from research on the best approaches to be adopted in order to avoid systematic biases in the review of major accidents in complex systems. The work considers that systematic biases in the event review and in the lessons learnt are very important obstacles to preventing recurrence and improving the learning process. The work approaches the issue of systematic biases in the event review process from a new point of view, i.e. considering the impact of accidents on the product lifetime, the impact of the sociopolitical environment and the systematic scientific biases in drawing conclusions. A triadic approach to the causes of the learning gaps from major accidents is proposed.

Keywords: lessons learnt, biased knowledge, paradigm, triadic learning gap

1. Introduction

The review of major technological accidents yields many lessons learnt in all cases. However, one common feature for most of them is that the lessons prove to be never fully learnt and the events repeat themselves. There are many possible approaches to explaining such a situation. One of them is proposed in this paper, considering that there are some general common features of the biases one can expect in learning lessons.

The paper presents some results on some important factors proposed to be considered in order to avoid systematic biases in the review of major accidents in complex systems. The research is based mainly on details from nuclear power plant experience, but also makes reference to other complex technical systems. The topic is related to the issue of improving the feedback from event review into the performance practice of complex systems. It is considered that there are systematic biases in implementing into practice the lessons from the operational feedback process of accident/incident review. Apparently it happens many times that very important lessons are not learned and/or are forgotten by people, organizations or society as a whole, a situation leading to major obstacles to an improved learning-from-experience process.

The evaluation is based on nuclear power plant experience, with some reference to other complex technical systems. The main message of the evaluation is that prevention of systematic biases in the event review and lessons learnt is tightly connected with the consideration of some aspects, of which three are to be considered with priority:

1. There is a continuous gap between the lessons derived from incidents/accidents and the implementation process within the lifetime of a given technology, due to the high degree of technology change and to the specifics of implementing such lessons at a later time after the accidents. By the time the lessons learnt are implemented, the lifetime status of the technology requires an approach adapted to its new status.
2. The evaluation of major accidents rarely considers the fact that the given complex system subjected to a major accident is part of a more complex environment (a complex system made of a multitude of complex systems interacting with each other). Even when it does, the evaluation of interdependencies is not performed in a systematic manner.
3. The evaluations rarely consider the systematic bias that can be induced by the knowledge process itself.

2. Biases in evaluation of accidents

Biases are approached as a triadic learning gap, reflecting the need to consider the technology lifecycle, the interdependencies between technologies and the systematic knowledge biases, which are specific to complex systems.

2.1 Biases in the learning process connected to the product lifetime cycle

Any complex technological system has a certain lifecycle. Therefore, if the implementation of the lessons learnt from major accidents takes a significant amount of time, it has to be considered that the product is already at another lifecycle step.

illustration not visible in this excerpt

Figure 1 Nuclear Power Plants technology curves (Source IAEA)

The evaluation of the biases induced by this aspect starts from a description of the technological product performance curve (called the s-curve); an example for Nuclear Power Plants is presented in [1] and in Figure 1. As a result of this aspect, which is considered an important one inducing biases in the implementation of the lessons learnt in the operational feedback process, it can be shown, as in Figure 2, that there are significant differences between the ideal s-curve of a technology and the real one. Every time a major accident and/or a technology challenge of any type takes place, the curve is changed, as shown in Figures 2, 4 and 5.

illustration not visible in this excerpt

Figure 2 Technology S-curve for a complex system-example of a Nuclear Power Plant [1]

The objective functions defined for the evaluation of the degree of safety of the technical system (as for instance safety margins or risk levels) also change, as shown in Figures 2 to 5.

In addition to this phenomenon there will be initiations of new/updated/improved versions of the same technology (as for instance Nuclear Power Plant (NPP) generations III or IV, or of complementary energy sources such as renewable energy sources [4,5]) under design or testing, on which the accidents and any other challenges to the operating technical systems will also have a very high impact.

Therefore, the lessons derived to be learnt after a major accident have to consider the phase of the technology in which they will be implemented, as well as the fact that each phase is being developed and reviewed under a governing set of paradigms for the objective functions (for instance for the safety margins of NPP), as illustrated in Figures 3-5.

illustration not visible in this excerpt

Figure 3 Technology risk criterion for a complex system- example for a Nuclear Power Plant [1]

illustration not visible in this excerpt

Figure 4 Technology and risk criterion for a complex system during its lifetime, considering accidents impact - example for a Nuclear Power Plant (NPP) [1]

illustration not visible in this excerpt

Figure 5 Technology and risk criterion for a complex system considering the switch in paradigms - example for a Nuclear Power Plant [1]

To illustrate the bias formulated before in the implementation of the lessons learnt, and based on the main features of each lifetime phase illustrated in Figure 5, there is a series of significant safety approaches for this particular system (NPP). As shown in Figure 5, in our view there was a set of very important changes in the safety objectives paradigms after the major accidents. This finding is illustrated by national and international documents, standards and changes in policies during the lifetime of the NPP as a complex system. Based on that, it can be noted that the existing reports listed in the literature already mention significant switches in paradigms on nuclear safety after each major accident, including after Fukushima [1]. Based on those documents and evaluations we can mention some important changes in the post-Fukushima safety paradigms for NPP, as follows:

1. An increased integration of safety as defined for design postulated accidents and for severe accidents, with the target of defining a new, extended design basis.
2. A better integration of the issues related to the various objective functions (safety and security, safety and safeguards, safety and radiation protection etc.).
3. A significant review of the methods used for the evaluation of the features mentioned under points 1 and 2 above (an increased debate over the methods: deterministic versus probabilistic, operational feedback etc.).
4. An increased search for a systematic evaluation of possible answers to questions related to how to perform:

i. Integration of safety with other evaluations (production/economical, safeguards, security, general emergency plans for a given region: local, regional, global etc.) (to be addressed in this paper in the next paragraph)
ii. Analysis of end-of-lifetime safety issues for complex technologies
iii. Review of the site conditions and siting and of the safety objectives for specific sites
iv. Review of the issues related to the technical solutions for normal and abnormal decommissioning
v. Adoption of strategies for catastrophic challenges, especially for technologies with less intrinsic protection, with an enhanced target of having complex systems with increased catastrophe resistance features.

2.2 Biases in learning process due to interdependencies between technologies

Another source of bias in the implementation of lessons learnt from major accidents and/or challenges for a given technology is the need to consider that complex technologies are tightly connected with other complex systems (technological, socio-political, economic).

For example, in Figure 5, under the time axis of NPP technology and accidents, there is a list of major socio-political and economic events that took place in periods surprisingly coincident with some of the most challenging accidents in the nuclear field.

DBE refers to Design Basis Accident and PRA to Probabilistic Risk Assessment. This simple connection is also supported by a proposed approach for evaluating the safety level (as defined by a safety matrix prior to the event), the vectors of safety margins and goals for that complex system, and the impact of the major challenge on the new safety matrix of the system. This approach is illustrated in general terms in Figures 6 and 7. It is similar to the development of models for considering challenges to technical, economic and socio-political systems in previous evaluations of complex energy systems [5].

Figure 6 Evaluation of the safety objectives considering lifetime phases and external interdependencies [1] (illustration not included in this excerpt)

Figure 7 Matrix to support the evaluation of the safety objectives considering lifetime phases and external interdependencies [1] (illustration not included in this excerpt)

Figure 8 Matrix used to define the reviewed safety goal of NPP considering the target requirements before an accident and the perturbation due to a serious challenge/accident [1] (illustration not included in this excerpt)

Figure 9 Model of the system of energy systems and its parts [5] (illustration not included in this excerpt)

The model for evaluating the security of energy supply is presented in Figure 9, where IE denotes Initiating Event (a challenge to the system) and ES energy sources of various types.

The results of post-Fukushima evaluations of the new priorities and goals in safety after the paradigm changes are presented in Figure 10.

Figure 10 Matrix of main issues to be implemented in a post-Fukushima strategy [1] (illustration not included in this excerpt)

2.3 Biases in learning process due to knowledge management process

Another source of bias in the implementation of lessons learnt from major accidents / challenges arises during the phases of evaluation of the risk objective functions of complex systems [1,5,6,7]. As already shown, evaluating risk as an objective function of a complex system leads to the construction of algebraic structures (Figures 11 and 12), whose features and advantages are presented in [1,2,4,5,6,7]. These algebraic structures can be built for cybernetic systems (for instance an NPP model), for which the evaluation can be translated from the risk-probability space (highly non-linear) to a state space that is linear and additive. This makes it possible to support the decision process with evaluations in a linear-like space.

Figure 11 Risk goals and objectives for a complex system of NPP type [1,2,4,5,6,7] (illustration not included in this excerpt)

Figure 12 Risk model for a complex system of NPP type [1,2,4,5,6,7] (illustration not included in this excerpt)

Figure 12 represents the parts of a risk model. ET denotes the event trees (describing scenarios), IE the initiating events (the challenges) and FT the fault trees describing the failure modes of the barriers of the system designed to cope with the challenges. The sets defined by the algebra are Pm, the set of interactions defined by the PRA model, and R ND, the set of results obtained in the risk analyses. The representations are typical of a PRA for an NPP or an energy system.
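As an added illustration of the ET / IE / FT structure of Figure 12 and of the additive bookkeeping in the state space mentioned above (example code written for this page, not taken from the paper or from the cited PRA studies), the block below evaluates a minimal PRA model: fault trees give the barrier failure probabilities, the event tree combines them per sequence, and end-state frequencies simply add across sequences and are compared with a risk goal. All event names, probabilities, frequencies and the goal are constructed placeholders.

```python
from math import prod

# Constructed PRA model (not from the paper) in the ET / IE / FT structure
# of Figure 12: one initiating event, two barrier headers, three sequences.
# All probabilities, frequencies and the goal are illustrative placeholders.
BASIC_EVENTS = {"pump_a": 1e-2, "pump_b": 1e-2, "ccf_pumps": 1e-4,
                "inj_valve": 5e-3, "diesel": 3e-2}
# FT: fault trees as minimal cut sets (tuple = AND of basic events,
# list = OR of cut sets), one per barrier queried by the event tree.
FAULT_TREES = {
    "Power": [("diesel",)],
    "ECCS": [("pump_a", "pump_b"), ("ccf_pumps",), ("inj_valve",)],
}

# ET: one initiating event (IE) and the sequences through the barrier headers.
EVENT_TREE = {
    "ie": "LOCA", "ie_frequency": 1e-3,   # per reactor-year (constructed)
    "headers": ["Power", "ECCS"],
    # (outcome per header, end state); None = header not queried on that branch
    "sequences": [
        (("ok", "ok"), "safe"),
        (("ok", "fail"), "core_damage"),
        (("fail", None), "core_damage"),  # loss of power also disables ECCS
    ],
}
RISK_GOAL = 1e-5  # core damage frequency goal, per reactor-year (constructed)

def fault_tree_probability(cut_sets, basic_events=BASIC_EVENTS):
    """Top-event probability, rare-event approximation: sum of cut-set products."""
    return sum(prod(basic_events[e] for e in cs) for cs in cut_sets)

def end_state_frequencies(tree=EVENT_TREE, fault_trees=FAULT_TREES):
    """Frequency per end state: IE frequency times the branch probabilities.
    End-state frequencies add across sequences (the linear, additive space)."""
    p_fail = {h: fault_tree_probability(fault_trees[h]) for h in tree["headers"]}
    result = {}
    for outcomes, state in tree["sequences"]:
        freq = tree["ie_frequency"]
        for header, outcome in zip(tree["headers"], outcomes):
            if outcome == "fail":
                freq *= p_fail[header]
            elif outcome == "ok":
                freq *= 1.0 - p_fail[header]
        result[state] = result.get(state, 0.0) + freq
    return result

def margin_to_goal(frequency, goal=RISK_GOAL):
    """goal / frequency: above 1 the goal is met with that factor of margin."""
    return goal / frequency
```

With the constructed numbers the loss-of-power sequence dominates the core damage frequency (3.0e-5 of about 3.5e-5 per reactor-year), so the goal is missed by a factor of roughly 3.5 and the model points at the barrier whose margin needs review first.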

There are various possible representations of an energy source system, for instance an NPP; one possible representation is the cybernetic format of Figure 13 (which is based on real NPP cases).

Figure 13 A risk model in a cybernetic format possible to be translated into space risk algebra [7] (illustration not included in this excerpt)

Figure 14 Systematic biases in knowledge process [1, 2] (illustration not included in this excerpt)

Figure 15 Systematic biases in knowledge process [1, 2] (illustration not included in this excerpt)

In risk analyses, as in any evaluation of complex systems, the expected results lie within a bounding surface (as shown in Figures 14 and 15) and are highly dependent on the capability to evaluate the systematic errors in judgement [1,2].

3. Conclusions

The triadic approach to evaluating biases in the process of learning lessons after major accidents/challenges of complex systems proved helpful in guiding the search for improved strategies for the post-severe-accident actions to be implemented in a complex system.

It was found that systematic biases in translating lessons from the operational feedback process (the review of accidents/incidents) into practice lead, to a high extent, to a decrease in the efficiency of the operational feedback process.

The work approached the issue from a new point of view, i.e. considering the impact of accidents on the product lifetime from the perspective of the product's technological curve (s-curve) and of other objective functions such as the risk/safety impact. The evaluations performed so far on this issue showed that considering the triadic set of biases leads to an improvement in the learning process.

References

[1] Serbanescu, D., Understanding major accidents - Shifting paradigms in safety and risk, Safety Summit, Vienna, 27-28 Sept 2011, http://www.academia.edu/3763738/Understanding_major_nuclear_accidents_shifting_in_paradigms_for_safety_and_risk

[2] Serbanescu, D., On some knowledge issues in sciences and society, ECKM 2013, Kaunas, 5-6 September 2013

[3] Serbanescu, D., Vetere Arellano, A.L., WP1 - Risk-Informed Decision Making (RIDM), in: Safety, Reliability and Risk Analysis: Theory, Methods and Applications, Martorell et al. (eds), Taylor & Francis Group, London, 2009, ISBN 978-0-415-48513-5; Sixth Framework Programme, Citizens and governance in a knowledge-based society, Coordination Action, Proposal/Contract no. FP6-036720, Comparison of Approaches to Risk Governance

[4] Serbanescu, D., PRA-type study adapted to the multi-crystalline silicon photovoltaic cells manufacture process (A. Colli, D. Serbanescu, EC DG Joint Research Centre, Institute for Energy, Petten, The Netherlands; B.J.M. Ale, TU Delft, Policy and Management, Delft, The Netherlands)

[5] Serbanescu, D., Vetere Arellano, A.L., Colli, A., On some aspects related to the use of integrated risk analyses for the decision making process, including its use in the non-nuclear applications, EC DG Joint Research Centre, Institute for Energy, Petten, The Netherlands

[6] Serbanescu, D., Some insights on issues related to specifics of the use of probability, risk, uncertainty and logic in PRA studies, Int. J. Critical Infrastructures, Vol. 1, Nos. 2/3, 2005, p. 281, Inderscience Enterprises Ltd.

[7] Serbanescu, D., van Graan, H., Ellof, L., Combrink, Y., Some lessons learnt from the use of PRA during the design phase, Int. J. Critical Infrastructures, Vol. 1, Nos. 2/3, 2005, p. 287, Inderscience Enterprises Ltd.


Details

Title: Challenges of Defining In-Depth and Safety Margin Concepts
Grade: 2
Year: 2017
Pages: 64
Catalog Number: V417894
ISBN (Book): 9783668676930
File size: 4818 KB
Language: English

Quote paper: Dan Serbanescu (Author), 2017, Challenges of Defining In-Depth and Safety Margin Concepts, Munich, GRIN Verlag, https://www.grin.com/document/417894
