Use of PSA to Support the Safety Management of Nuclear Power Plants

Transcription

1 S ON IMPLEMENTATION OF THE LEGAL REQUIREMENTS Use of PSA to Support the Safety Management of Nuclear Power Plants РР - 6/2010 ÀÃÅÍÖÈß ÇÀ ßÄÐÅÍÎ ÐÅÃÓËÈÐÀÍÅ BULGARIAN NUCLEAR REGULATORY AGENCY

2 TABLE OF CONTENTS 1. GENERAL PROVISIONS... 2 OBJECTIVE... 2 SCOPE... 2 LEGAL BACKGROUND... 3 STRUCTURE REQUIREMENTS FOR PSA USE... 5 PSA SCOPE... 5 USE OF PSA... 6 APPLICATIONS OF PSA... 7 METHODS FOR USE OF PSA... 7 PSA VALIDATION AND REVIEW PSA QUALITY DECISION-MAKING PROCESS GENERAL ASPECTS INTEGRATED (RISK-INFORMED) APPROACH TO DECISION-MAKING APPLICATION OF THE INTEGRATED APPROACH IN DECISION-MAKING INTEGRATED PROCESS OF MAKING DECISIONS RELATED TO NPP SAFETY COMPREHENSIVE RISK ASSESSMENT AND DEMONSTRATION OF A BALANCED DESIGN PSA USE IN THE DESIGN ASSESSMENT PSA USE DURING THE NPP LIFE CYCLE IDENTIFICATION OF NPP SAFETY DEFICITS EVENT END POINTS AND PLANT DAMAGE STATES COMPARISONS WITH THE RISK CRITERIA/OBJECTIVES USE OF SETS COMPARISON OF THE DESIGN OPTIONS RESTRICTIONS IN THE DESIGN ASSESSMENT RESULTING FROM PSA SSC SAFETY CLASSIFICATION ASSESSMENT OF THE CHANGES IN THE NPP DESIGN EMERGENCY INSTRUCTIONS AND MANAGEMENT OF SEVERE ACCIDENTS GENERAL ASPECTS DEVELOPMENT AND UPDATING OF THE EMERGENCY PROCEDURES PREVENTION OF SEVERE ACCIDENTS AND MEASURES FOR MITIGATING OF THE CONSEQUENCES OPERATIONAL LIMITS AND CONDITIONS DEVELOPMENT OF OPERATIONAL LIMITS AND CONDITIONS OPERATIONAL LIMITS AND CONDITIONS TECHNICAL SPECIFICATIONS MONITORING REQUIREMENTS ASSESSMENT OF OPERATIONAL EVENTS DEVELOPMENT AND VALIDATION OF TRAINING PROGRAMS MAINTENANCE PLANNING GENERAL ASPECTS RISK-INFORMED TESTING DURING OPERATION RISK-INFORMED IN-SERVICE INSPECTIONS USE OF PSA TO SUPPORT THE REPAIR PROGRAMS ABBREVIATIONS AND ACRONYMS REFERENCES... 31

3 1. GENERAL PROVISIONS OBJECTIVE 1.1 This Guide aim to provide directions to the application of the requirements of the Regulation on ensuring the safety of nuclear power plants (the Regulation) [1] in terms of using the Probabilistic Safety Assessments (PSA) and the results from them in the design and operation of nuclear power plants (NPP). 1.2 This Guide should be applied by the applicants and license and permit holders, including the entities who perform work or provide services for them. The application of the Guide is aimed at achieving certain PSA characteristics necessary for its use in risk-informed decision making. SCOPE 1.3 In terms of PSA use the Regulation [1] requires: a) in accordance with Article 11, Paragraph 2 the choice of postulated initiating events should be based on the use of deterministic and probabilistic methods; b) in accordance with Article 15, Paragraph 2 the classification of the structures, systems and components (SSC) should be based on the use of deterministic methods, complemented, where appropriate, with probabilistic methods and engineering assessment; c) in accordance with Article 18, Paragraph 1 the NPP safety should be assessed using deterministic and probabilistic methods to confirm the design basis and the effectiveness of the in-depth defense; d) in accordance with Article 21, Paragraph 3 PSA should be performed in accordance with modern methodology, should be documented and maintained in accordance with the quality management program of the operating organization; e) in accordance with Article 21, Paragraph 4 Probabilistic safety analyses shall be used to support the deterministic assessments in the decision making for plant design and operation, for assessment of necessary changes of SSCs, operational limits and conditions, operating and emergency operating procedures and training programs of the operating personnel In accordance with Article 21, Paragraph 1 from the Regulation [1] PSA shall be carried out with the objective to: a) Systematically analyze the compliance with the basic safety criteria; b) Demonstrate a balanced design where each postulated initiating event has a proportional impact upon the overall plant risk and the safety is ensured mainly by the first two levels of defense in depth; c) Provide confidence that any impact of small deviations in operational parameters is prevented, when this could lead to aggravation of plant behavior; d) Assess the frequencies of severe core damage and large radioactive releases to the environment; e) Evaluate the frequencies and the consequences of the external events specific to the site; f) Identify SSCs that require design improvements or changes in operational procedures, leading to decrease of severe accident frequency or mitigation of their consequences; g) Assess the emergency operating instructions. PP-6/2010 2

4 1.5. This Guide includes different elements which should be reviewed when using PSA to support the NPP safety management, meaning the necessary NPP PSA characteristics as well as its use based on international good practices The PSA scope, reviewed in this Guide, includes the stages of NPP design and operation, respectively the different NPP operational states (full power, low power and shutdown state) and all potential initiating events and hazards, such as: a) Internal initiating events caused by random failures of components and human error, b) Internal hazards (for example, internal fires and floods, flying objects) and c) External hazards of natural character (for example, earthquakes, strong winds, tornados, external floods) as well as caused by human activities (for example, falling airplanes, accidents at nearby industrial plants) The consideration of hazards arising from deliberate actions is outside the scope of this Guide. LEGAL BACKGROUND 1.8. On the basis of 6 of the transitional and final provisions of the Regulation [1], this publication gives guidance on application of the legal requirements with respect to the use of probabilistic safety assessment. Some of the recommendations in this Guide derive from requirements and good practices as described in reference documents [2] [15] The NPP designs provide protective measures, such as redundancy and variety of systems and components, which reduce the probability of accidents with serious consequences. These measures are covered by quality assurance programs and technical supervision and inspection programs. In the deterministic analyses some analyzed failures may be ignored from a probabilistic point of view or, which is more important, some failures that are not traditionally assessed may be missed, which may lead to serious consequences. The further analyzing of failures using the traditional deterministic method becomes difficult, since the inclusion of more and more protective measures in the design results in fewer failures. The absence, however, of operational events does not exclude the existence of potential failures critical to safety. Therefore methods for identification and assessment of these failures are necessary The decision-making process has traditionally been based on deterministic methods derived from the analysis of beyond design basis accidents and is supplemented by the single failure criterion for ensuring sufficient reliability of the safety systems. However, studies with PSA expand the traditional deterministic analysis so that the NPP conditions affecting nuclear safety are adequately covered. The probabilities of their occurrence and the potential consequences from them as well as the uncertainties associated with the numerical assessment can be quantitatively evaluated The use of PSA provides systematic approach to the assessment of the: a) Adequacy of safety systems; PP-6/2010 3

5 b) Balance of the design; c) Application of the defense in depth concept; d) Optimization The PSA model is a comprehensive, integrated and real model of NPP and the actions of the operating personnel for a wide range of initiating events and hazards, including internal fires, internal floods, extreme meteorological conditions and seismic events. Therefore, PSA is an important tool for tracking NPP processes and is necessary to be used as part of the decision-making process for the safety level assessment PSA allows a better understanding of NPP and better communication between the operating organization and the regulating body. STRUCTURE The Guide is structured as follows: Section 2 Requirements for PSA use presents the general principles of PSA use, including matters related to the PSA scope, as well as the process of PSA use. Here the main requirements to the means used to perform PSA are outlined and directions are given regarding the PSA aspects that should be considered in their use. Section 3 Decision-making process describes the integrated approach to decision-making, which combines features of deterministic and probabilistic approaches with other requirements. Section 4 Comprehensive risk assessment and demonstration of a balanced design describes in detail the design assessment using PSA. Section 5 SSC safety classification presents the main requirements in PSA use in the process of SSC safety classification. Section 6 Assessment of the design changes provides guidance for applying PSA to the safety assessment of proposed changes in the NPP design. Section 7 Emergency procedures and severe accidents management describes the PSA use in the development of the emergency procedures and the measures for severe accidents management, including in the assessment of their modification. Section 8 Operational limits and conditions presents the concept of using PSA to define the operational limits and conditions, describes some details of the types of limits and conditions for normal operation and the supervision requirements. Section 9 Assessment of the operational events describes the PSA use for assessment of the operational events importance. Section 10 Development and validation of training programs covers the PSA application in the development and validation of training programs for the personnel, including full-scope simulators. Section 11 Planning of maintenance covers the PSA use in support of the maintenance, riskinformed testing, risk-informed inspections and maintenance, focused on reliability. PP-6/2010 4

6 2. REQUIREMENTS FOR PSA USE PSA SCOPE 2.1. The risks entailed by NPP operation are analyzed qualitatively and quantitatively using PSA. In these terms, the safety functions for preventing or reducing the consequences of accidents and the systems necessary for performing the safety functions are assessed using PSA. PSA is used in NPP design as well as in the safety management during the entire life cycle NPP PSA is a comprehensive structured method for identifying failure scenarios and obtaining numerical assessments of risks for the personnel and the population PSA allows identifying the consequences of accidents resulting from a wide range of initial events and includes systematical and realistic definition of the frequencies and the consequences of emergency events. PSA are performed at the following levels: a) PSA level 1 identifies the consequences from events that may lead to core damage, assesses the core damage frequency and provides information on the safety systems deficits, the procedures (operational and maintenance procedures) and the personnel actions in the initial events development. PSA level 1 covers the events occurring during full power operation, low power operation and in shutdown state; b) PSA level 2 identifies the ways for release of radioactive materials from the NPP amd assesses the frequencies of large radioactive releases. This analysis complements the information obtained at PSA level 1, referring to the importance of accident prevention and the measures for reducing the consequences from them; c) PSA level 3 assesses and analyzes the consequences for the population health and other social risks, such as soil and food contamination caused by the release of radioactive materials. In addition, PSA level 3 provides information regarding the importance of accident prevention and the measures for reducing the consequences from them, as well as the accident management aspects related to the emergency planning In PSA level 1 the analysis is usually focused on the active reactor zone and the reactor pool PSA level 2 and 3 are performed in order to assess the impact of radioactive substances releases. Therefore, the PSA scope should include risks from other sources of radioactive material at the NPP site NPP PSA is performed to: a) Provide information about the risk in addition to the information obtained from the deterministic safety assessment and to establish confidence that the design will achieve the general safety objectives; b) Identify the deficits in the design and the NPP operation and to demonstrate that a balanced design has been achieved. This means that none of the characteristics or the postulated initial events provides a disproportionally large or significantly indefinite contribution to the overall risk and that the nuclear safety is ensured mainly by the first two levels of the defense in depth; PP-6/2010 5

7 c) Establish confidence that all minor variations in the operational parameters that may lead to significant deterioration of the NPP behavior have been prevented; d) Assess the risk from NPP operation with the risk assessment criteria; e) Review the events that might occur after core damage and to provide information regarding the NPP behavior during severe accidents, to assess the risks of large releases of radioactive products (especially those related to early failures of the protective sheath) that require emergency measures outside the site; f) Assess the occurrence probabilities and the consequences from external hazards, in particular those specific for the NPP site; g) Identify the need for additional systems and measures for accident management, which would provide better protection against severe accidents; h) Provide input data for specific applications, such as optimization of the technical specifications, and in relation to the operational issues, like maintenance and repair planning; i) Provide entry date for the emergency readiness The quantitative PSA results are used to verify compliance with the objectives and the safety criteria which are formulated as quantitative values of the core damage frequency, radioactive releases and the risk for the population The safety objectives or the safety criteria do not specify which events, hazards and operational modes should be reviewed. Therefore, in order to use the PSA results to assess the compliance with the safety objectives, full scale PSA should be performed, including a comprehensive list of initiating events and hazards as well as all operation modes The uncertainty analysis is considered as an integral part of each PSA and the uncertainty limits are presented together with the risk assessments. USE OF PSA PSA is used as a part of the decision-making process at all levels. The PSA role needs to be clearly defined PSA is used to identify the need of changes in the NPP design and procedures, including the measures to prevent severe accidents and mitigate the consequences from them to reduce the risk of NPP operation PSA is used to assess the overall risk of NPP operation and to demonstrate that a balanced design has been achieved PSA is used to assess the adequacy of the modifications, the changes in the limits and the operational conditions and to assess the importance of the operational events PSA is used to provide input data for the development and validation of the training programs for the personnel, including using a full scale simulator PSA is used to verify that the equipment with a large contribution to risk is included in the inspection program. PP-6/2010 6

8 2.16. PSA is used in the periodic NPP safety inspection PSA is used in a wide range of operational activities, such as: a) Complementing of the deterministic requirements and the combined use of deterministic and probabilistic approaches to ensure nuclear safety; b) Maintenance optimization and planning of the testing intervals for the systems and components c) Development of emergency procedures, guides for accident management and emergency scenarios for NPP personnel training; d) Design optimization in terms of preventing severe accidents and mitigating the consequences from them; e) Establishing the priority of the maintenance and the inspection When PSA is used to assess the periodic testing requirements and the defined length of stay for maintenance and repair of a component, a system or a part of it, all times are analyzed (including the states of the systems and components and the safety functions in which they participate) The limitations of PSA use need to be understood, recognized and considered. The adequacy of a certain PSA application should always be checked to consider the existing limitations. APPLICATIONS OF PSA The applications of PSA according to their purpose are the following: 1) Safety assessment: assessment of the overall NPP safety and providing of general understanding of the main risk contributors; 2) Design assessment: to support the design assessment; 3) NPP operation: to support the current NPP operational activities (not excluding the changes in the design or the operational practices); 4) Amendments to existing NPP: assessment of the importance to the safety of the proposed current changes in the design of the equipment, hardware or administrative measures (for example, operational procedures) and to support decision-making; 5) Control activities: to support the monitoring and assessment of NPP operation; 6) Assessment of safety problems A detailed list of PSA applications is included in Annex 2 of [7]. METHODS FOR USE OF PSA PSA is kept up-to-date during the entire NPP life cycle to be used in the decisionmaking process The maintenance of Living PSA is achieved through regular updating with consideration of the changes in the design and the NPP operation, the new technical PP-6/2010 7

9 information, more complex methods and means, which have become available, as well as new specific data obtained from the NPP operation. Living PSA The Living PSA is the main method for use of PSA, starting from simple applications (decisions made based on a list of the elements contributing to the risk of NPP operation) to applications requiring complex models and/or data processing and analysis The Living PSA is PSA which is updated (when necessary) to reflect the current design and operational characteristics. The Living PSA should be documented in such a way that every aspect of the model can be directly associated with existing information about the equipment or with the assumptions made in cases of lack of such information The Living PSA should be updated with new data as frequently as necessary to guarantee that the model reflects the current state of NPP safety The Living PSA can be used for various specific purposes, mainly for design verification, assessment of the impact of potential design changes, development of training programs The Living PSA is accompanied by technical documentation which includes description of: a) The system of detailed individual procedures, which are documents providing detailed instructions how to perform the tasks, what methods to be used and what assumptions to be made; b) All PSA tasks, including reports, input, performed calculations and models or databases containing the results from the task performance and c) The database which contains links among the input, the results and the use of different documents during PSA development The impact of each change (in design, procedure, operational practice and so on) on PSA should be assessed to verify the validity of the analyses. Changes that affect the PSA results require its immediate updating The update process should be checked periodically (in accordance with the internal quality documents) and the Living PSA should be formally updated at the same time The Living PSA should be maintained by a team of properly qualified specialists. The requirements of the quality management system should be strictly applied in the updating process The quality of the Living PSA depends on a well-developed, maintained and applied program for quality management for all stages of PSA development. PP-6/2010 8

10 Risk monitoring A special tool for risk monitoring is used for some PSA applications, which require constant use of the PSA models and direct knowledge of the risks caused by the actual NPP state The risk monitoring is a tool for specific analysis of the current state to determine the on- spot risk resulting from the actual state of the systems and components The risk monitoring provides timely information on the potential significance of operational events and conditions, as long as these events and conditions are included in the models and assumptions (based on which the tool for risk monitoring has been developed) The tool for risk monitoring has been developed to show the current risk based on the actual equipment configuration and the performed testing programs at any point in time. By using this tool the repair and testing activities can be performed on risk-informed basis In order for a certain tool for risk monitoring to be effective, the time for risk assessment resulting from changes in the equipment configuration should be between 2 and 5 minutes The tool for risk monitoring should be used to assess the effects of: a) Changes in the system configuration and providing advice on the priority of component restoration; b) Changes in the state of components caused by repair activities or failure, testing progress, preparation of short-term maintenance schedules or planning of refueling; c) Changes in the external for the NPP conditions, which may lead to an initiating event The tool for risk monitoring is used by the NPP personnel in operational decisionmaking The tool for risk monitoring can also be used for obtaining values in regard to the riskinformed assessments. The following examples can be used in the decision-making process: Annual probability for core damage; Highest probability for the year for core damage; Duration of the periods with certain values for core damage probability; Duration of the periods with core damage probability higher than a predefined value; Unavailability of a safety system or part of it (component); Total time for repair of components critical to safety; Activities leading to maximal values of the core damage probability; Activities contributing to the core damage probability The model of the risk monitoring tool is based on and is in compliance with the living PSA. The PSA model is updated with the same frequency as the PSA. PP-6/2010 9

11 PSA VALIDATION AND REVIEW PSA requires the use of certain calculation methods which include: a) Logical models of the event trees and the refusal trees (in the sequence analysis); b) Models of events that can occur, for example in the nuclear unit hermetic structure as a result of core damage; c) Models of the transportation of radioactive substances into the environment which determine their impact on the health and economics and others The calculation methods used in PSA are validated to demonstrate their adequacy to represent the modeled processes The methods used in the computer calculation codes should be adequate to the purpose of the analysis and the control physical and chemical formulae should be correctly integrated in it The influence of the assumptions in modeling should be researched using sensitivity analysis to establish the reliability of the results To ensure that the scope, modeling and data are adequate, as well as to ensure their compliance with the best practices for PSA performance, it is recommended that the licensee should provide an independent verification by other expert organizations (preferably from another country). PSA QUALITY The development of PSA quality assurance program (QAP) is an important aspect of the good management and is crucial for achieving good PSA quality The PSA quality assurance refers to the technical adequacy of the methods, the detail level and the data used in the PSA model To ensure that the used methods and data are adequately and identifiably documented, a specific QAP should be developed. This program also covers the PSA applications The QAP includes requirements regarding the management, performance and assessment of the activities related to PSA development and use The QAP reviews the management measures, including planning and schedule preparation, establishment of the methods, resources, control and procedures, as well as the definition of responsibilities and subordination in the performance of activities, related to PSA quality The measures for communication assurance include review of the interfaces within the PSA development team as well as those between the team and external information sources. PP-6/

12 2.53. The measures for control and documenting of the information coming from external to the team sources are also included in the QAP If the PSA development project is executed by separate groups in different companies, suitable coordination and organization interfaces should be developed and applied in accordance with the practices adopted in these companies The QAP covers the planned phases of the PSA development project and the management control related to them. This includes, for example, information management, organization and training, and the provision of measures for assessment of all functions The QAP defines the organizational requirements for execution and validation referring to the quality The QAP defines the procedure for performing systematic control of identification, documenting and handling of discrepancies, which can have direct and immediate effect on the NPP safety assessment The procedures and the work instructions specify the checks and reviews to identify the faults in PSA development and to establish of confidence that representative results will be obtained If any faults or discrepancies in the QAP specific requirements or any procedures related to QAP are identified, the person responsible for the inadequate function should take the appropriate corrective actions The persons participating in the PSA development project should perform the requirements of the general NPP QAP. The process of QA of the PSA development project should follow that program The regular PSA updating is subject to QAP The PSA is performed in accordance with the best international practices. 3. DECISION-MAKING PROCESS GENERAL ASPECTS 3.1. The continuous progress in the development and use of PSA give boost to the application of systematic approach to the integration of the risk concepts in the operational safety assessment and the decision-making PSA is used during the entire NPP life cycle in addition to the results and conclusions from the deterministic analyses and the defense in depth concept. PP-6/

13 3.3. PSA provides useful information and input data for decision-making regarding the following: a) The design and modernization; b) The NPP operation; c) The safety analyses and research; d) Regulatory issues When the PSA results are used to support the decision-making process, a formal system for performing this activity should be established The specific steps in the decision-making process depend on the purpose of the reviewed PSA application, the nature of the decision and the used PSA results. For example, when the PSA numeric results are used, criteria and/or certain reference levels should be established against which to compare these values The PSA reviews the actual or the presumable NPP design, which needs to be clearly defined as initial point for the analysis. The NPP state can be fixed (as it was on a certain date) or as it is presumed to be (when the approved modifications have been executed). This is necessary to be done to set an end point for PSA completion As part of the design process, the PSA results are used to assess the NPP safety level. The conclusions obtained in the process of PSA development are considered together with the results from the deterministic safety analysis The PSA results are compared to the probabilistic targets or the safety criteria set out in regulations, regulatory guides and applicable safety standards. This must be done for all defined probabilistic criteria, including those referring to: The reliability of systems; Core damage; Disposal of radioactive material; Effects on the personnel health; Effects on the population health; Consequences outside the NPP site, such as soil contamination and bans on use of food The PSA is used for: a) Identification of the consequences from failures which contribute to the risk; b) Identification of potential deficits in the NPP design or the operation; c) Assessment of the need for modernizations to reduce the impact of these deficits on the NPP safety. If the analysis does not account for all risk contributors (for example, if external events or shutdown reactor states have not been reviewed), the conclusions made regarding the level of risk of NPP operation, the ensured balance of the safety systems and the need for modifications in the design or the operation to reduce the risk are not considered to be representative. PP-6/

14 3.10. In the decision-making process the results from PSA Level 1 are used to identify the deficits in the NPP design or operation. These deficits are identified by reviewing the risk contributors from the groups of initiating events and from the assessments of the contribution of the safety systems and the human errors to the general risk When PSA results show that modifications in the NPP design or operation should be made to reduce the risk, changes are made where it is reasonably achievable The results from PSA Level 2 are used to determine whether there are sufficient conditions to prevent (or minimize) the consequences from core damage if it should occur. Here the strength of the hermetic structure is reviewed, assessing whether the protection systems (such as the system for hydrogen recombination, the systems for injection and ventilation of the hermetic structure) are able to prevent a large release of radioactive material into the environment. Events related to a bypass of the hermetic structure, such as rupture with loss of a coolant in the interface systems, are also reviewed In addition, the PSA Level 2 is used to identify and optimize the measures for accident management In the most general form, the PSA use to support the decision-making process is performed as follows: a) For new NPPs, ideally the PSA would start together with the NPP conceptual design to check the adequacy of the redundancy level and the variety of the safety systems. PSA continues at the technical design phase to provide a more detailed assessment of the NPP design and to support the forthcoming operation. At the design stage an iterative process is organized to ensure the use of the PSA information in the design process. b) For NPPs in operation, PSA is performed either as a part of the periodic safety assessment or to support any proposed modifications. Although the requirements to PSA remain the same, the used databases can be different. Moreover, depending of the NPP lifetime, the remaining resources, the costs for the proposed modifications (and other reasons), there will be differences regarding which modifications can reasonably be implemented to reduce the risk. INTEGRATED (RISK-INFORMED) APPROACH TO DECISION-MAKING The integrated process of decision-making is a structured process which involves review of the results and the requirements related to safety or to regulatory issues (solved by the regulating body) when making a decision The integrated process of decision-making considers the following factors: a) Mandatory requirements, which normally include all requirements of laws, regulations and technical specifications. One of the most important requirements is that the risk must be reduced as much as reasonably achievable (ALARA principle); b) Results from the deterministic analysis. The deterministic analysis provides information whether the requirements of the defense in depth have been fulfilled and whether sufficient PP-6/

15 safety supplies are maintained. On a more detailed level, the deterministic analysis determines: Whether the redundancy level and the variety of the safety systems are adequate to allow the systems to perform effectively their functions; Whether the NPP equipment is adequately qualified so that it can withstand the impacts of initiating events; The conditions under which the equipment functions after occurrence of the initiating events. If the deterministic requirements have not been fulfilled, the deterministic analysis provides information on the objects with deficits. c) The results from the probabilistic analysis, which assess the level of risk of NPP and the other results (such as sets, importance functions and so on) can be used to determine deficits in the NPP design and operation. d) Other applicable factors, such as the costs and benefits of the proposed modification, the remaining resource of the equipment, results from inspections, operational experience as well as the occupational dose for the personnel resulting from the implementation of the changes in the NPP equipment and so on The structured decision-making process should ensure that a balanced decision has been made, considering all of the above factors related to the decision Examples of safety issues requiring solution that can be directly resolved using the integrated decision-making process include the following: a) The NPP design and operation; b) NPP technical specifications/operational limits and conditions; c) The frequency of inspections during operation, testing during operation, maintenance, mandatory stays; d) Quality assurance organization in particular, whether to introduce a differentiated approach to the quality assurance, which recognizes the risk contribution of each type of equipment; e) The admissible combinations of safety systems components that can be decommissioned during power operation and when the reactor is shut down; f) Emergency procedures and accident management measures When the taken decision includes changes in the NPP design or operation, the decrease or increase in risk and benefit should be considered. APPLICATION OF THE INTEGRATED APPROACH IN DECISION-MAKING When applying the integrated approach to decision-making, not more than one issue should be reviewed at one time, as the cumulative effect from the taken decisions can be substantial The manner of application of the integrated process of decision-making to these issues is described in the following sequence: Step 1: Defining the issue which should be reviewed using the integrated approach to decision-making. PP-6/

16 Step 2: Identification of the applicable requirements and criteria related to the specific issues. This usually includes main, deterministic, probabilistic and other requirements. Step 3: Defining the manner in which the proposed modification affects the main requirements, especially if there are discrepancies in the fulfillment of the main requirements, identified in Step 2. Step 4: Performing an assessment to obtain deterministic results, identified in Step 2. The aim should be to identify those areas in which the requirements have not been fulfilled. Step 5: Performing an assessment to obtain probabilistic results using the probabilistic criteria identified in Step 2 to determine the importance of the risk resulting from these issues. Step 6: Performing an assessment of the importance of other applicable factors, such as the costs and the time necessary to perform the task, cost/benefit analysis, unfavorable factors that may arise during implementation of the NPP modifications, results from analysis of the operational data or the inspection results, the occupational dose for the personnel that might occur as a result of the performed activities necessary for the NPP design modifications and so on. Step 7: Assessment of the results to determine the relative weight of each entry factor in the decision-making process obtained in Steps 3, 4, 5 and 6. When the results are related to the main normative requirements or need to comply with certain established practices, these results receive the highest relative weight and must necessarily be considered. Step 8: Making a decision about how to perform the modification (in the NPP design or operation, in the reviewed regulatory document and so on). This step requires consolidation of the separate results and their weights and making a decision. As the decision-making process requires the consideration and the combination of many different input data and factors with many different relative weights, it is a good practice the decisions (at least the important ones) to be taken by a group of experts with different specialties. Thus, their collective experience would cover the entire field of the decision, including operation, repair, engineering, safety analysis, licensing and PSA. There may be additional factors which the regulating body wants to consider in decisionmaking. Such additional factors may include the cumulative impact of previous modifications and the NPP general operational parameters as shown in the inspection results, operational data and the indicators for safe NPP operation. Step 9: Decision implementation which requires the regulating body to approve a work program for the licensee to implement the necessary modifications in the NPP design or operation and the corresponding changes in documentation, operational procedures and training. Step 10: Monitoring the effect of the decision to determine whether the modification has been effectively implemented and whether there are any unfavorable consequences. Such monitoring is usually based on operational parameters. Although the steps that must be followed in the decision-making process are basically the same in all cases, the manner in which the probabilistic, deterministic and other results are obtained as well as their relative weight will be different. PP-6/

17 INTEGRATED PROCESS OF MAKING DECISIONS RELATED TO NPP SAFETY Examples of integrated decision-making process applied to NPP safety issues are presented in detail in [8]. 4. COMPREHENSIVE RISK ASSESSMENT AND DEMONSTRATION OF A BALANCED DESIGN PSA USE IN THE DESIGN ASSESSMENT 4.1. The PSA methods are used to perform a comprehensive risk assessment and to demonstrate that the design is well balanced in terms of: Different safety functions; Different systems performing the same function; Main and supporting systems; Sub-systems within the same system The purpose of the assessment is to show that the risk (in terms of core damage and/or release of radioactive substances into the environment and weight) is distributed among the various initiating events in such a way that no single sequence, system, sub-system, structure or component leads to a substantial increase of the overall risk In a balanced design PSA needs to demonstrate that: a) no single design characteristic or initiating event leads to disproportionately large contribution to risk, meaning that the NPP is designed so that no single component, system, phenomenon or other factor dominate the risk and that the share of the difficult to manage risks is as small as possible; b) The achievement of low overall risk is not based on contributions with substantial uncertainty; c) The first two levels of defense carry most of the weight in safety assurance. The lack of balance may indicate that opportunities for reasonably achievable reducing of the risk are missed The assessment of overall NPP safety is the main purpose of PSA implementation and includes identification and ranking of important design and operational characteristics or dominating emergency sequences, components, human interaction and dependencies which are important to safety A comprehensive safety assessment requires full scope PSA (Levels 1 and 2, Level 3 is recommended), covering all operational states and modes with a shutdown reactor for internal as well as for external to the NPP hazards. Particular efforts are made to identify the specific for the design initiating events, failure modes, event sequences and dependencies which can be implemented with new design characteristics. PP-6/

18 4.6. All systems for normal operation are examined to identify possible initiating events, which may be caused by loss of an entire system, a system channel or a combination of channels. PSA USE DURING THE NPP LIFE CYCLE 4.7. PSA, which provide some of the input data for design assessment during the NPP life cycle, should: a) be used on a conceptual level to provide information whether the proposed design of the safety systems, the supporting systems and the equipment location are adequate; b) be updated during the development of the technical design and during the construction and the commissioning period to take account of the new information from the design and the safety analysis, when such information becomes available; c) be maintained as a Living PSA of the operating NPP and be used as one of the sources for input data to resolve operational issues, for periodical safety inspections, to extend the period of operation and to provide information on the adequacy of the design modifications and the operation changes The same PSA should be used during the NPP life cycle with increasing scope, level of detail and accuracy, according to the design development. When new data from the operational experience become available, the PSA should be complemented by further analyses to support the PSA modeling assumptions The PSA results are used to identify weaknesses in the design, as well as to assess and rank the potential options for design improvement. IDENTIFICATION OF NPP SAFETY DEFICITS The full scope of PSA used to assess the design should ensure that a wide range of issues concerning the NPP design and operation have been considered. This refers mainly to the scope of the initiating events, the internal and external hazards, included in PSA, and to the scope of operational states reviewed in PSA. EVENT END POINTS AND PLANT DAMAGE STATES The analysis of the PSA Level 1 emergency sequences identifies the event sequences where all safety functions are performed and there is no danger of core damage. This analysis also identifies the sequences where one or more safety functions are not performed and core damage is allowed For PSA Level 2 a multitude of plant damage states is defined, which takes account of the characteristics of each sequence leading to core damage. The latter affects the behavior of the hermetic structure or the release of radioactive substances into the environment The sequences leading to core damage are characterized in accordance with the overall physical state of the NPP equipment resulting from each sequence and in accordance with the PP-6/

19 possible availability of the safety systems, which could prevent or mitigate radioactive releases. COMPARISONS WITH THE RISK CRITERIA/OBJECTIVES The final results from PSA Level 1 are compared with the risk criteria to determine whether the proposed NPP design and method of operation lead to sufficiently low risk level. The purpose of PSA is to determine the fulfillment of the risk criteria/objectives and to provide general information on whether there are enough safety systems and emergency procedures for prevention of core damage included in the design and operation This comparison should take into account the number of nuclear units located on the same site. In particular, the comparison should take into account the way of defining the risk criterion whether the criterion refers to all units on the site altogether (so that the risk criterion should be distributed among the units on the site) or whether it is defined for each separate unit on the site The comparison should account for the results from the sensitivity studies and the uncertainty analyses. This should demonstrate the degree of reliability in meeting the criteria and achieving the goals. USE OF SETS The list of sets from the PSA Level 1 model is used to identify the weaknesses in the NPP design and operation. An examination for sets which contribute significantly to the frequency of core damage should be made to identify the groups of initiating events and safety functions that give the highest contribution to the core damage frequency The contributions to the core damage frequency and the sets of the individual groups of initiating events are used to determine whether the NPP design is balanced in regard to the contribution to the core damage frequency of any group of initiating events with disproportionally big contribution to the core damage frequency The lists of sets are also used to identify the presence of single sets for which the single failure requirement is not fulfilled for any of the safety systems. COMPARISON OF THE DESIGN OPTIONS When NPP improvements are considered, there are usually multiple options. PSA Level 1 should be used to provide input data to compare these options The manner of comparison depends on the complexity of the reviewed modification, but can be changed from preparing of a PSA Level 1 model revision (to include a new proposed safety system) to calculations of sets to account for the simple changes. This can provide some of the input data for an integrated/risk-informed decision-making process to determine which option should be used. PP-6/

20 RESTRICTIONS IN THE DESIGN ASSESSMENT RESULTING FROM PSA If the PSA Level 1 is not performed in full scope (for example, PSA does not include all initiating events and hazards that can contribute to the core damage frequency), this should be considered in the use of its results In addition, it should be noted that there are certain areas where the models and data have not been well studied (for example, in the modeling of the effects of aging and the safety culture). This should be considered when using the PSA Level SSC SAFETY CLASSIFICATION 5.1. In accordance with Article 15, Paragraph 2 from the Regulation [1] the SSC classification shall be based on deterministic methods, complemented where appropriate by probabilistic methods and engineering judgment. The probabilistic analyses are used to assess the classification plan, including a demonstration that the requirements and measures for QA of each SSC correspond to the risk importance (contribution) of that SSC The safety classification (performed based on a deterministic analysis and engineering judgment) and the risk importance (contribution) (obtained by PSA) are used jointly in the assessment of the need for changes in the current requirements and measures for QA (respectively, in the proposed QA requirements for newly-built NPPs) It should be estimated whether the QA requirements can be increased for SSC which have been classified in a low safety class or in a non-nuclear class, but have relatively high importance for risk. 6. ASSESSMENT OF THE CHANGES IN THE NPP DESIGN 6.1. PSA is used to assess the modifications in NPP design The PSA results are used to improve safety and to demonstrate the need for changes, as well as to assess their priority. PSA methods are used in the assessment of optional decisions in the design of system modifications PSA is used to identify the weaknesses and the strengths of the improvement in the design and the operational characteristics (in terms of the risk from NPP operation). The assessment may include studies of options. The PSA arguments should be used to support the choice, design, implementation, justification and licensing of NPP modifications If the PSA results show that the NPP does not fulfill the safety criteria set by the regulations, corrective measures should be proposed The level of detail of the PSA model representing the design modification should be greater than that of the other SSC, for which a more simple conservative consideration is PP-6/

21 allowed. The new equipment data may not be available; therefore, the consideration of such equipment by the PSA model should be justified The design modifications are assessed to determine whether previous events or precursors could lead to an initiating event for the modified configuration If the modifications in the design of the equipment or the operational practices lead to a condition for which the past data are not representative for the new operational limits, the use of old data is admissible: a) If the modification includes new equipment or practice for which a substantial part of the summarized parameters assessments is available (the parameter assessments should be updated with specific data for the equipment, when such data become available), or b) If the modification is unique to such a degree that summarized parameters for it are not available and only limited experimental data after the modification are available. In order to determine to what extent the data can be used, the modification impact should be analyzed and the hypothetical effect from the historical data should be assessed PSA for existing NPPs is performed within the frames of a general (periodic) safety inspection, which results in a program for safety improvement. Then PSA can be referred to the modified state of NPP. In such cases it is recommended that PSA is performed in both cases (before and after the modifications) so that the risk reduction can be assessed The licensee should submit to BNRA a probabilistic assessment of the impact of the design modification on the NPP safety together with the application for the modification implementation. PP-6/

22 7. EMERGENCY INSTRUCTIONS AND MANAGEMENT OF SEVERE ACCIDENTS GENERAL ASPECTS 7.1. The PSA results are used in the development of programs for testing of systems important for safety and technical maintenance during operation, as well as for development and/or systematic review of the emergency procedures and the guides for management of severe accidents In order to ensure the completeness of the instructions for actions in deviations from the normal operation and of the emergency instructions, PSA is used to determine the situations for which such instructions should be developed PSA can also provide the information for specifying the times for decision-making, when to proceed to implementation of the guides for management of severe accidents. DEVELOPMENT AND UPDATING OF THE EMERGENCY PROCEDURES 7.4. The systematic assessment of the NPP weaknesses and the results form PSA are used to develop or improve the emergency instructions by reviewing a wide range of weaknesses in a realistic compatible way with a suitable level of detail The integral review of the accidents development provides information on the benefits and disadvantages of various actions when operating conditions are violated. Typically, the emergency sequences analysis in PSA is performed using the existing emergency instructions and assessment of the human actions related to them. Using of existing documents, in turn, provides detailed information for review of the emergency instructions and possible improvements arising from the PSA results The measures resulting from the importance analysis can help to give priority to changes in the instructions, changes in the core damage frequency and the frequency of early releases of radioactive substances, used to justify the risk acceptability and to determine the risk importance The level of detail in the PSA model in the areas affected by the modifications, including the emergency sequences for which the relevant emergency instructions and guides for accident management are provided, should be greater than that of the rest of the equipment. For the other parts of the model and the emergency sequences a more simple conservative review can be used PSA should clearly present the actions of the operators referring to specific emergency instructions. To support such applications the method of analysis of human reliability used in PSA should be able to predict the impact of the instruction changes. PP-6/

23 PREVENTION OF SEVERE ACCIDENTS AND MEASURES FOR MITIGATING OF THE CONSEQUENCES 7.9. The effectiveness of the existing alternative or additional systems, equipment and measures should be assessed in the procedures for management of severe accidents with the help of PSA In the case of operator actions to manage accidents, PSA should clearly present the operator actions referring to specific emergency instructions and accident management procedures. To support such applications the method of analysis of human reliability used in PSA should be able to predict the impact of procedure changes The reflection of the operator actions in PSA LEVEL 1 supports the improvement of the procedures for accident management for these actions to prevent a severe damage of the core. PSA Level 2 with limited scope reviews the strategies for mitigation of the consequences from severe accidents The mitigation of the consequences from severe accidents should include identification and categorization of emergency sequences based on PSA, together with descriptions of the NPP behavior and weaknesses PSA supports the understanding of accident development, the identification of successful ways to manage and the strategies related to it, as well as the prioritization of safety characteristics to reduce risk. The integral demonstration of NPP behavior with the PSA methodology supports the reduction of potential negative effects from certain measures. 8. OPERATIONAL LIMITS AND CONDITIONS DEVELOPMENT OF OPERATIONAL LIMITS AND CONDITIONS 8.1. PSA applications are used for the optimization of the operational limits and conditions. The methods for probabilistic assessment together with the operational experience can be used to justify and modify the operational limits and conditions PSA is used to assess the adequacy of the changes in the operational limits and conditions. OPERATIONAL LIMITS AND CONDITIONS 8.3. The SSC unavailability (non-operational state) periods which are important to safety and their cumulative effect should be assessed to determine whether the risk increase has been reduced to admissible levels. The PSA or the reliability analysis methods are the most appropriate means for this purpose. PP-6/

24 8.4. The operational limits and conditions can provide for shorter unavailability (nonoperational state) periods than those obtained by PSA, based on other information, such as already existing safety studies or operational experience. TECHNICAL SPECIFICATIONS 8.5. The PSA results are used for the development of operational procedures and provide input data for the NPP technical specifications The technical specifications should be reviewed with the help of PSA to ensure that they are balanced The review should cover all the NPP operational states, especially those for which the change of the operational state may lead to greater risk than if the equipment is repaired in operational conditions. The results from the review should be submitted to BNRA together with the application for change of the technical specifications The PSA results are applied in the assessment of the need for changes in the technical specifications in relation to major modifications in the design in the same manner as in the construction phase. Similarly, the need for changes in the technical specifications should be assessed if previously unidentified factors are discovered The assessment of the importance to safety of a planned exception (deviation) from the technical specifications should be submitted together with the exception proposal The PSA results are used to study the risk contribution of SSC decommissioning for testing or maintenance, as well as the frequency of the monitoring or testing A risk-informed approach should be used to define the operational limits and conditions set in the technical specifications. The goal is to provide a consistent base for them related to the SSC importance to risk. MONITORING REQUIREMENTS The monitoring procedures frequency should be specified and should be based on a reliability analysis, including, where applicable, PSA and study of the experience from previous monitoring activities, or, in case of lack of both, on recommendations of the manufacturer. 9. ASSESSMENT OF OPERATIONAL EVENTS 9.1. PSA is used to assess the importance to safety of the operational events By studying of the operational events development to emergency scenarios with serious consequences based on PSA, important results are obtained regarding the emergency procedures based on minor accidents without real consequences. PP-6/

25 9.3. PSA based analysis of the occurred events (direct events), as well as of events occurred at other NPPs (transposed events), should be performed, including analysis of: a) Initiating events when the initiating events has occurred in reality, but it has been prevented by timely operator action; b) Conditional events when the probability of an initiating event has increased or the availability of the necessary safety systems has been reduced PSA based analysis of events with potentially big impact on safety should be performed. This requires the development of preliminary (screening) criteria which can be applied to choose among events with little importance to safety PSA based analysis of the operational events should be performed to complement the deterministic analyses by introducing multiple failures using an integrated model and providing quantitative indication of the operational events PSA based analysis should also be used to provide input data for the consideration of changes that can be made to reduce the probability of recurrence of operational events PSA is used to analyze the events at NPPs which can cause stopping of the NPP or inability to work of the safety systems, or both. The application provides assessment in terms of the conditional probability of the available stock in cases of accidents with unacceptable consequences If the considered event is an initiating event, the PSA model is used to assess the conditional probability of core damage and the conditional probability of early large release of radioactive substances, which are reported in the event categorization. The precursors` analysis is also part of this application The main purpose of the PSA based operational events analysis is to determine how a certain operational event can develop as an accident with more serious consequences and to provide the conditional probability of core damage resulting from such event The operational experience data should be gathered and store as input data for performance of PSA and of periodic safety assessment. 10. DEVELOPMENT AND VALIDATION OF TRAINING PROGRAMS The results from each NPP PSA are used to demonstrate the importance of the systems for preventing of damages or severe accidents The training of the managers and the technical specialists participating in the management of the emergency situations should include: a) Diagnosis and/or assessment of the accident; b) Formulation of the actions in case of an accident by identifying and assessment of the strategies for accident management using all available results, including the PSA assessments; PP-6/

26 c) Taken decision for activities during the accidents; d) Review and updating of the strategies The training programs for actions in emergency situations should be periodically reviewed and updated when necessary to take account of the new knowledge, own and foreign experience The PSA results are used as input data for the development and validation of the important to safety training programs of the operating organization, including the use of training simulators The PSA results should be accounted for in the planning of the personnel training. The most important to risk emergency sequences and operator actions are subject to training for a period of at least three years. This training should be provided in relation to the planning of the block panel management team training The identification of the important to risk measures in the context of PSA should be considered in the planning of the block panel management team training The PSA results and a detailed summary of the results and conclusions regarding risk and the importance to risk of all modeled SSC and events are necessary to add risk-related considerations to the safety culture The training of senior operators and management personnel should focus on the special problems in NPP management, with the particular importance of safety and the need for knowing the emergency procedures. Special attention should be given to the benefits of studying the operational experience and the analysis of the root causes of the events which are of general nature or which occur frequently at the NPPs The improvement of the NPP management personnel training should include an adequate connection between the PSA methods, applications and conclusions and the managing personnel to develop an integral understanding of their responsibilities. The NPP management is responsible for the decisions taken to manage severe accidents. This requires a good understanding of the important scenarios for severe accidents development, their frequencies and consequences, as well as the connection between the NPP design and the operational characteristics which affect the PSA results PSA is used to improve the operators training programs by providing information on the emergency processes, the relative probability of the dominating emergency sequences and the related operator actions to prevent or mitigate the consequences from core damage The relative sequences of various operator mistakes and the predicted by PSA failure probabilities should be used to predict such actions that would be benefited from a more intensive training. The introduction of guides for management of severe accidents requires the operators to understand the severe accidents development scenarios. PP-6/

27 The maintenance personnel training should be based on PSA results. The training should be focused on the potential influence on risk of the maintenance activities, such as general failures and failures of multiple safety systems channels caused by maintenance activities. This results in a more intensive focus on the important to risk SSC and on the important to risk functions and failure modes, which should be reviewed in the maintenance program, as well as on the possibilities for optimization of the activities that are essential for risk management The operating organizations should analyze the events to determine the root causes related to the human factor. The results from such analyses are used as feedback in the applicable training programs Based on the assessments results, a plan for improvement and correction of the training programs should be developed and applied. This leads to improvement of the training or to changes in the training programs An independent review of the training programs should be performed by outside expert organizations The main PSA results showing the importance of NPP systems to the prevention of reactor core damage or severe accidents should be identified in the training programs. 11. MAINTENANCE PLANNING GENERAL ASPECTS PSA is used to determine the priorities of the system maintenance activities that can have the greatest impact on risk and NPP safety. The maintenance activities should be appropriately planned and situated in time The risk monitoring is a tool for real-time analysis, which generates information on risk based on the actual equipment configuration, defined by a certain number of factors, which typically include: a) Operating mode (power operation or shut down reactor state); b) Decommissioned components; c) The selection of the channels in operation and on standby of the systems for normal operation. This information is used in the everyday maintenance planning activities to ensure that the activities are situated in time in such a way that peak risk values are avoided, when possible, and that the cumulative risk is low The results from the maintenance activities and the operational indicators of the equipment should be compared to the assumptions used in the modeling of the reliability and the availability of the equipment. This leads to management decisions about the adequacy of the operational indicators of the system, the need for review of the maintenance activities or the need for a new design or system modifications. PP-6/

28 11.4. The process of identification of the important to risk systems and equipment is used to plan and situate in time all the maintenance activities on risk-informed basis PSA is used to identify the systems for which a detailed study of the maintenance activities is recommended PSA is used to monitor the influence on risk of the changes in the strategies for maintenance and testing, as long as adequate data for the reliability of the system or component are available The use of PSA should support the personnel in optimizing the maintenance program, including: a) To identify the equipment that requires improved to some extent maintenance (as the improvement of its reliability leads to improvement of safety); b) To identify the equipment that requires continuous or limited preventive maintenance (as far as reducing the reliability of this equipment will not affect the level of safety); c) To identify the equipment that requires corrective maintenance only (as far as the unavailability of this equipment will not increase risk) PSA provides quantitative information about the potential benefit from risk mitigation by improving the equipment availability, as well as about the consequences for risk of equipment decommissioning for maintenance. This information can be compared to other costs and benefits to ensure that the resources will be used in the most effective way to support the safety and the availability of the equipment The use of PSA to support the maintenance planning is associated to a large extent with other PSA applications, for example, to support testing during operation, inspections during operation and in the Reliability Centered Maintenance. RISK-INFORMED TESTING DURING OPERATION The use of information about risk in the optimization of the programs for testing during operation will help for the better utilization of limited resources. Also, one of the results from the process can be reduction of the overall operation and maintenance costs, along with maintaining high level of safety PSA is used to support the programs for testing during operation, taking into account the relative importance to risk of the components. The relative importance to risk should be assessed by the combined use of probabilistic and deterministic methods before changing the testing interval, and the overall impact of changes should be assessed The purpose of applying risk-informed in-service testing during operation is to use the information obtained from PSA. Thus the optimization of the programs for testing during operation is supported, with the purpose to focus on components that have the greatest importance to risk. PP-6/

29 PSA, together with the deterministic methods and the expert assessments, is used to assess the importance to risk of the components, to categorize these components and to formulate a new testing strategy The information from PSA is used to identify the components with a relatively large contribution to risk, for which intensive testing during operation is required, as well as the components that have a relatively small contribution to risk and can be subject to less intensive testing. The program for testing during operation should be updated, taking into account the importance to safety of each component The influence of the changes in the testing strategy should be assessed by increasing of the unavailability of the affected components and PSA Level 1 should be used to calculate the change in the core damage frequency for the new testing intervals and it should be determined whether this is acceptable. RISK-INFORMED IN-SERVICE INSPECTIONS The methodology of risk-informed in-service inspections consists in ranking the elements subject to inspection, for example welded joints of pipe systems, depending on their importance to risk, and in developing a strategy for conducting inspections (frequency, method, samples size and so on), comparable to the importance of the elements to risk The programs for risk-oriented in-service inspections are designed to address all parts of the piping systems that can be subject to degradation processes. The integration of riskrelated considerations in the programs can help focusing on more important places by using more appropriate methods for inspection of the expected mechanisms of damage occurrence The conclusions from PSA and the information about risk should be used to support the decisions regarding proposed changes in the inspection programs (in terms of inspection frequency, used methods, samples size and so on) so that the focus falls on parts of the piping systems that have the greatest importance to risk The results from PSA Level 1 should be used as input data to determine the parts of the piping systems that should be covered by a design for risk-informed in-service inspections, while assessing the importance to risk of the parts of the piping systems, the target probabilities of the inspected parts and the change in risk as a result from the changes in the program for risk-informed in-service inspections The comprehensive way to determine the significance to risk of all parts of the piping systems, included in a design for risk-informed in-service inspections, is by revision of the PSA model to clearly include the parts of the piping systems, so that the core damage frequency and the conditional probability of core damage can be directly determined When the revised program for risk-informed in-service inspections has been defined, PSA can be used for determination of the expected overall change in risk. PP-6/

30 This can be done by assessment of the change in the initiating events frequency or the probability of component failure as a result of the changes in the risk-informed in-service testing program and re-calculation using the PSA model, or by conducting sensitivity studies All methodological steps of the process can benefit from PSA use in addition to the other sources of information. For example, PSA can be used to identify the appropriate number of components subject to inspection (such as parts of the piping systems) that should be included in the program. If the object of analysis is modeled in PSA, the probabilistic model is the best way to assess the importance to risk. USE OF PSA TO SUPPORT THE REPAIR PROGRAMS The analysis of the Reliability Centered Maintenance is a systematic approach to the development and optimization of the repair program The methodology of the Reliability Centered Maintenance includes systematical and logical review of the functions of systems, sub-systems or components, the failure mode of each function and the importance related to the function and its failure For systems important to safety the PSA model is the only means for identification of the relative importance of the system components. Therefore, PSA can be used together with the Reliability Centered Maintenance process to focus the analysis on the key elements The impact of the revised maintenance strategy on risk, gained by the implementation of the Reliability Centered Maintenance, can be assessed by modifying suitable PSA data, that is by change in the unavailability of the equipment and the systems in accordance with the new strategy and by intermediate modification of suitable failure frequencies based on engineering judgment The measures from the PSA importance analysis are also used to support the definition of the failure modes of the equipment, critical to safety. PSA information is intended to be used together with other information on the reliability of the equipment and the costs, as well as on the maintenance effectiveness, to determine the guidelines in terms of increase or decrease 1 of the maintenance, the checks and the volume of inspections To effectively support the Reliability Centered Maintenance process, the PSA model should be a minimum PSA Level 1 model, which includes internal and external initiating events Following the steps of the risk-informed maintenance, PSA gives the following contributions: a) Equipment separation/selection of systems/collection of data and information The PSA model includes information that has already been structured in such a way that satisfies some of the needs of the Reliability Centered Maintenance; 1 Provided that lack of negative impact on safety is demonstrated. PP-6/

31 b) Ranking of the critical functional failures/identification of the critical components PSA is used to rank the components and the failure modes in accordance with their impact on the overall risk from NPP operation. To obtain a list of components and failure modes that can be considered full for the purposes of the Reliability Centered Maintenance process, the PSA results should be complemented by adding other components/failure modes based on engineering judgment, related to the costs consideration and other qualitative factors; c) Initial selection of maintenance activities before implementation of the program, PSA is used to assess the effects of the revised program on the overall risk from NPP operation; d) Performance of the maintenance activities using PSA as an actual tool, the current effect of the implementation of the Reliability Centered Maintenance should be assessed, thus supporting the determination whether further changes in the maintenance program are necessary In the Reliability Centered Maintenance process PSA is used as a source of information as well as an assessment tool. When using data related to the maintenance activities and the operational indicators of the PSA components, attention should be paid to the completeness and scope of the PSA data models If PSA is used to assess the impact on risk of the newly proposed maintenance practices, attention should be paid when assumptions are made, related to the expected behavior of the components as a result of such changes in maintenance. 12. ABBREVIATIONS AND ACRONYMS ASUNE BNRA IAEA NPP QAP PSA QA SSC Act on the Safe Use of Nuclear Energy Bulgarian nuclear regulatory agency International Atomic Energy Agency Nuclear power plant Quality assurance program Probability safety analysis Quality assurance Structures, systems and components PP-6/

32 13. REFERENCES [1] Regulation on ensuring the safety of nuclear power plants, promulgated in the State Gazette No. 66 of 30 July [2] INTERNATIONAL ATOMIC ENERGY AGENCY, Development and Application of Level 1 PSA for NPPs, IAEA Safety Standard Series No. DS394, Draft 2, IAEA, Vienna (2007). [3] INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions and Operating Procedures for NPPs, IAEA Safety Standard Series No. NS-G-2.2, IAEA, Vienna (2000). [4] INTERNATIONAL ATOMIC ENERGY AGENCY, Recruitment, Qualification and Training of Personnel for NPPs, IAEA Safety Standard Series No. NS-G-2.8, IAEA, Vienna (2002). [5] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of NPPs: Operation, IAEA Safety Standard Series No. NS-R-2, IAEA, Vienna (2002). [6] INTERNATIONAL ATOMIC ENERGY AGENCY, Application of PSA for NPPs, IAEA-TECDOC-1200, IAEA, Vienna (2001). [7] INTERNATIONAL ATOMIC ENERGY AGENCY, Determining the Quality of PSA for Applications in NPPs, IAEA-TECDOC-1511, IAEA, Vienna (2006). [8] INTERNATIONAL ATOMIC ENERGY AGENCY, Risk informed regulation of nuclear facilities: Overview of the current status, IAEA-TECDOC-1436, IAEA, Vienna, (2005). [9] INTERNATIONAL ATOMIC ENERGY AGENCY, Review of PSA by regulatory bodies, IAEA Safety Reports Series No.25, IAEA, Vienna (2002). [10] Western European Nuclear Regulators Association, Reactor Harmonization Working Group, WENRA Reactor Safety Reference Levels, Issue O, Probabilistic Safety Analysis, January 2008, ( [11] PSA in Safety Management of NPPs, Finish Nuclear Radiation and Safety Authority (STUK), Guide YVL 2.8, [12] System Design for NPPs, Finish Nuclear Radiation and Safety Authority (STUK), Guide YVL 2.0, [13] Nuclear power plant systems, structures and components and their safety classification, Finish Nuclear Radiation and Safety Authority (STUK), Guide YVL 2.1, [14] Requirements for Elaboration of Probabilistic Safety Analyses, Nuclear Regulatory Authority of the Slovak Republic (UJD SR), Safety Guide BNS I.4.2/2006, Bratislava [15] Risk-informed Decision Making, Nuclear Regulatory Authority of the Slovak Republic (UJD SR), Safety Guide BNS I.1.1/2007, Bratislava. PP-6/