NOTES on
Potential Areas for Enhancement of the PSA Methodology based on Lessons Learned from
the Fukushima Accident
by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany
International Atomic Energy Agency
Wagramer Strasse 5, PO Box 100, 1400 Vienna, Austria
I.Kuzmina@iaea.org, M.El-Shanawany@iaea.org, A.Lyubarskiy@iaea.org
Abstract
The methodology for Probabilistic Safety Assessment (PSA) of Nuclear Power Plants (NPPs)
was created in mid-70s of the last century and has been maturing within more than three
decades. Currently, PSA studies are performed for practically all NPPs around the world.
There are many guidelines and standards for PSA methodology (e.g. IAEA Safety Guides and
TECDOCs, ASME/ANS PRA Standard). The PSA technology was judged to be well
matured. However, the accident happened at Fukushima NPP in Japan in March 2011
highlighted some issues in the PSA methodology that need more emphasis or further
development and/or adjustment. In addition, the application of PSA methodology requires a
more rigorous control and independent review. These notes provide a summary of some
major considerations in Level-1 and Level-2 PSAs that may require enhancement based on
the preliminary lessons learned from the Fukushima accident regarding the impact of external
hazards.
1.
INTRODUCTION
With the famous study WASH-14000 [1] (also known as Rasmussen Report) that was
conducted in mid-70s of the last century, the PSA methodology started being developed for
NPP applications, and nowadays it is being widely applied in safety assessment of NPPs and
other nuclear installations. The PSA methodology for NPPs was considered sufficiently
mature; presently it covers all operational modes and all types of hazards (i.e. internal
initiating events initiated by random component failures and human errors, internal hazards
like fires and floods initiated inside the plant, turbine missiles, etc., and external hazards, both
natural and human-induced). Level-1 PSA is often an essential requirement and performed
practically for all NPPs worldwide. Level-2 PSA is also recognized as an important part of
safety assessment and completed for many NPPs. Many guidelines for PSA performance and
review are available worldwide. In addition, more formal standards on PSA methodology
have been issued, including IAEA Safety Guides [2, 3] and PRA Standard developed in the
U.S. [4].
However, the accident happened at the Fukushima NPP in March 2011 highlighted a number
of issues challenging with respect to the current application of PSA technology and the
validity of its results. A thorough analysis of the PSA tasks, assumptions, and modeling
approaches is needed to adjust the methodology in such a way that it could capture/predict
the accident scenarios actually happened during the course of the accident. This paper
provides a summary of some preliminary analysis of the relevant PSA considerations that
need to be explored in detail in the future; these should be viewed as neither complete nor
exhaustive. The PSA community is challenged to further develop the PSA methodology and
suggest solutions based on the analysis of the Fukushima accident progression when this
information is available in sufficient detail.
1
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA
2. ISSUES IN PSA METHODOLOGY
FURTHER DEVELOPMENT
REQUIRING
ENHANCEMENT
OR
The PSA issues presented below can be grouped into two categories: hazard assessment and
plant response modeling and assessment. From this perspective, Issues #1-2 are related to the
hazard assessment, Issue # 3 relates to both categories, and Issues #4-12 are related to plant
response modeling.
1) External hazards screening criteria and frequency assessment
The PSA methodology for external hazards envisages employment of qualitative and
quantitative screening criteria to focus analysis on most risk-significant hazards. More
attention should be given in this respect to consistent application of screening criteria in PSAs
for external hazards; in addition, screening criteria themselves may need to be revised. In
particular, external hazards should not be screened out if a similar hazard of lesser intensity
has been observed in the region of the site. Another point is that external hazards should not
be screened out prior to consideration of potentially correlated hazards and their combined
impact on the plant components and engineered safety features.
External hazards PSAs should be based on justifiable frequencies for the hazards of relatively
high magnitude that may be never observed in the past in the plant vicinity. The frequency
assessment should take into account all events occurred in the immediate vicinity of the plant,
in wider regions around the plant, and around the world. An analysis of all available
information has to be performed in order to determine the level of applicability of the
observed events to the conditions of the specific plant site. Statistical correlation analysis for
event occurrence data can be used as part of this process.
2) Consideration of correlated hazards
The requirement to consider correlated hazards is not new, e.g. the IAEA Safety Guide on
Level-1 PSA [2] provides such a requirement; however the importance of the issue should be
reemphasized. In order to consider a wider range of correlated hazards, a thorough analysis of
potential occurrence of several hazards simultaneously should be performed. This analysis
should avoid simple assumptions on independence of the hazards; rather it should focus on
identification of all possible correlation mechanisms: the same source of origin, duration,
phenomenology, induction mechanisms, etc. The examples of correlated hazards include:
 Source correlated hazards: seismic hazard and tsunami;
 Phenomenologically correlated hazards: strong winds and heavy rain;
 Duration correlated hazards: any external hazards occurred during the prolonged hot
summer temperature period;
 Induced hazards: seismic hazards and seismically induced fire, etc.
The frequency assessment of correlated hazards should take into account all correlation
mechanisms. Methodologies to assess frequencies of correlated hazards should be developed
taking into account all uncertainties and correlations as well as all available information (i.e.
site-specific, regional, worldwide).
2
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA
3) External hazard impact assessment
Impact of external hazards should be analyzed in the PSA in a complete manner. All potential
impacts of the external hazards should be taken into account, e.g. submergence, spray,
humidity, and mechanical load from the accumulated water caused by external flooding; or
acceleration, vibration, relay chattering for earthquakes.
Combined impact of correlated hazards should be assessed taking into account the following:
 One of the correlated hazards may have a specific damage mechanism that could lead
to a failure of redundant safety systems that survived the impact of another hazard.
 Low-magnitude hazards with relatively low individual damage potential may have
very severe consequences if occurred simultaneously.
Examples of impact of correlated hazards:
 Seismic hazard and prolonged period of hot summer temperature. At many plants
during the hot temperature season, the air cooling is provided with utilization of
artesian water, the underground pipes of which can be damaged by seismic event of a
relatively low magnitude. Individually, the considered events may have negligible
impact, but their combined impact resulting in loss of air cooling may be significant.
The frequency of simultaneous occurrence of low-magnitude correlated hazards that
can severely compromise plant safety may be higher than the frequency of individual
hazards of a higher magnitude with the same damage potential.
 High wind and prolonged external flooding due to high water precipitation: similarly
to the previous case, each event may have negligible impact, but occurring
simultaneously may lead to flood pressure waves that could disable important
equipment.
It is not sufficient to consider a single worst impacting parameter of the hazard as it might be
possible that for correlated hazards other parameters could be more important (e.g. structural
damage induced by mechanical loads from flood wave may be more severe than the effect of
submergence when combined with the impact of high winds).
The available methodologies to assess impact of external hazards should be adjusted to take
full account of possible correlated hazards and their effects including all correlations and all
parameters associated with each hazard.
4) Multiple units’ consideration
The Fukushima accident progression highlighted the importance of multi-unit effects
consideration in PSAs. There are two main issues to be addressed in this context:
 Interactions between the plant units due to the existing, but not considered in the PSA,
connections between units (e.g. shared turbine building, cable tranches, ventilation
ducts, spatial interactions between plant units compartments. etc.); and
 Simultaneous source term due to simultaneous cores and containments damage in
plant units. Radiological consequences in case of a multi-unit plant may be much
more severe and may also impact mitigation strategies on other units after the
confinement function failed in the first affected unit.
3
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA
Additional consideration should be given to the specific human reliability analysis (HRA) of
the actions and activities to be attended by the shared staff during the course of the
simultaneous severe accident at several plant units.
5) Mission time considered in Level-1 PSA
The IAEA Safety Standards [2, 3] have already noticed the need to consider mission time for
modeling accident sequences longer than 24 hours, but only for the evident cases when a socalled “cliff-edge effect” is clearly observed (e.g. depletion of feedwater supply tanks after 24
hours). The Fukushima accident highlighted the importance of realistic consideration of
mission time in Level-1 PSA models for all accident sequences.
Generally, a simple extension of the mission time from 24 hours to 48 hours, or 72 hours or
even one month has no solid justification behind. Moreover, it would contain greater degree
of deficiencies than that associated with the current 24 hours approach. The overall approach
can be in the extended consideration of success paths for specific accident scenarios beyond
24 hours based on restoration models (Markov or semi-Markov models). This is particularly
important for the accident sequences, in which core damage is prevented by successful
operation of safety systems during prolonged time after the accident. An example of the
application of the approach can be found in Ref. [5], however, more work is needed.
6) HRA analysis for external hazards
In addition to the multi-unit effect in terms of HRA discussed in Item (4), the following
insights can be drawn:
 The methodology for human reliability analysis should be enhanced in the part of
consideration of the impact of the accident scenarios when information/indications are
either not available or not reliable (flying blind syndrome) and when decisions have to
be made and actions performed in unfavorable environmental conditions. In such
cases it might be reasonable not to give credit to the success of human actions or
higher failure probabilities should be assigned to the associated human errors.
 A more comprehensive and less optimistic analysis should be performed for all
operator actions in order to account for the impact of the external hazards on
operator’s performance and associated human errors.
7) Failure possibility for qualified equipment
In present PSA studies it is usually assumed that if equipment operates within the design
limits for environmental conditions, there is no additional impact on the equipment (it is
assumed that only random failures are possible).
The approach for consideration of qualified equipment failures due to the accident and/or
hazard impact (acceleration, vibration, temperature, humidity, submergence, etc.) should be
revised. In particular, less credit should be given in PSA to survival of the qualified
equipment when the actual environmental conditions are close to the design limits. Further
study may be required with respect to “equipment qualification”.
4
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA
8) Hydrogen explosion in case of station blackout (SBO)
Usually in PSA studies, in case of an SBO event, the probability of hydrogen explosion is
considered to be very small (assuming there is no ignition sources). Based on the experience
from the Fukushima accident, the probability of hydrogen explosion appeared to be much
higher than it was expected before.
The approach for consideration of hydrogen explosion for SBO accident sequences needs to
be reconsidered.
9) Transient explosive materials in external event conditions
Containers carrying flammable or explosive substances may be temporarily located in plant
compartments. It is a common practice to consider the impact of transient flammable and
explosive material in an internal fire PSA; usually this aspect is not systematically addressed
in PSA for other external hazards. The damage to the components carrying flammable or
explosive substances that is caused by external hazards could lead to an explosion/fire and
subsequent significant damage to safety-related components. Such accident scenarios should
be analyzed; it is seen especially important to do so prior to any major maintenance/
construction activities at the plant.
10) Non-envisaged connections between plant buildings and compartments
Different connections may exist between plant compartments and buildings envisaged by the
plant design. On multi-units sites, the connections may exist due to common system,
structures, and components (SSCs). During normal operation, these connections may require
being isolated; however there is a possibility that the isolation was erroneously missed, or, in
case of an external hazard, in particular, in seismic event, the isolation could fail.
The possibility for non-envisaged connections to be erroneously established prior to or during
an accident (including the connections caused by the external hazard) should be considered in
Level-1 and Level-2 PSAs. The methodology to account for such connections needs to be
developed.
11) Spent fuel pool and waste treatment facilities
Spent fuel pools are always considered in shutdown PSAs; however, in at-power PSAs, spent
fuel pools are often ignored. This concern is even more applicable to waste treatment
facilities located at NPP sites. The methodology to consider spend fuel pools in accident
conditions are readily available, therefore, the need to consider spent fuel pools and waste
treatment facilities in at-power PSAs should be emphasized.
12) Modeling of Severe Accident Management Guidelines
Severe Accident Management Guidelines (SAMGs) provide guidance for mitigation of
severe accidents when the core may be damaged and are usually considered in Level-2 PSA.
However, the specific impact of external hazards on the feasibility of SAMGs actions, such
as damage to the infrastructure and communication means, loss of equipment, stress and
injuries to the people involved, etc. should be given more attention to consider them
5
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA
appropriately in line with their contribution to safety. Further work needs to be considered to
address the impact of external hazards in SAMGs and consistent modeling them in PSA.
3.
THE ROLE OF INDEPENDENT PSA REVIEW
PSAs can provide useful insights on safety-related issues dealing with plant design and
operation. It is important that PSA quality is provided in terms of its technical consistency of
the data and assumptions, comprehensiveness of the analysis, correctness of the results and
insights, etc. The main instrument for PSA quality provision is a comprehensive, truly
independent peer review, and its role should be re-emphasized. The IAEA provides such a
review, which is widely recognized, at request of Member States; a well-established
International Probabilistic Safety Assessment Review Team (IPSART) service is available
[6].
4.
CONCLUSIONS
The accident at Fukushima NPP revealed many aspects of accident progression not
considered properly in the contemporary PSA studies. It became apparent that some of the
issues related to PSA, despite being recognized important in general, needs to be more
emphasized as they may not be given the proper attention. The event, in general, has also
triggered further thinking on the adequacy and comprehensiveness of the existing safety
assessments of the impact of external hazards. More work is needed to enhance the current
PSA technology. The paper provides a summary of some issues that may require further
considerations in Level-1 and Level-2 PSAs based on the preliminary lessons noted from the
Fukushima accident and emphasizes the importance of independent PSA review.
5.
REFERENCES
1. WASH-1400, “Reactor Safety Study: An Assessment of Accident Risks in U.S.
Commercial Nuclear Power Plants”, NUREG-75/014, US NRC (1975).
2. International Atomic Energy Agency, Development and Application of Level 1
Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards,
Specific Safety Guide SSG-3, IAEA, Vienna (2010).
3. International Atomic Energy Agency, Development and Application of Level 2
Probabilistic Safety Assessment for Nuclear Power Plants, IAEA Safety Standards,
Specific Safety Guide SSG-4, IAEA, Vienna (2010).
4. ASME/ANS, Standard for Level 1/Large Early Release Frequency Probabilistic Risk
Assessment for Nuclear Power Plant Applications, ASME/ANS RA-Sa-2009, New York,
NY (2009).
5. Morozov V., Tokmachev G, et al, “PSA for NPPs Considering a Prolonged Afteraccident Period,” High School News Magazine – Nuclear Energy N2, Atomenergoproekt,
Moscow (2010).
6. “International
Atomic
Energy
Agency:
IPSART
Service,”
http://wwwns.iaea.org/reviews/saf-assessment-reviews.asp?s=7&l=52#ipsart (2010).
6
‘Notes on PSA Methodology’ by A. Lyubarskiy, I. Kuzmina, M. El-Shanawany, IAEA