**3. Overview of PSA**

PSA methodology is widely used in the nuclear power industry and is deemed helpful to the safety assessment of a facility and to the corresponding licensing process: probabilistic safety assessment provides insights into safety and identifies measures for informing designers about the safety of the plant.

The first comprehensive application of PSA dates back to 1975, to the United States Nuclear Regulatory Commission's (U.S. NRC) Reactor Safety Study [4]. Since that pioneering study there has been substantial methodological development, and PSA techniques have become a standard tool in the safety evaluation of nuclear power plants (NPPs) and of industrial installations in general. For historical reasons PSA is sometimes called PRA (probabilistic risk assessment).

Reliability of Passive Systems in Nuclear Power Plants 33

As the most important area of PSA projects remains nuclear power plants, mainly due to the specific features of nuclear installations, three levels of PSA have evolved:

**Level 1**: The assessment of plant failures leading to core damage and the estimation of the core damage frequency. A Level 1 PSA provides insights into design weaknesses and ways of preventing core damage. In the case of other industrial assessments, Level 1 PSA provides estimates of the accident frequencies and of the main contributors.

**Level 2**: As possible releases are additionally protected by containment in most NPPs, PSA at this level addresses the containment response and the severe accident management possibilities. The results obtained in Level 1 are the basis for the Level 2 quantification. In the case of other industrial assessments, Level 2 PSA might be fully covered by Level 1, as the containment function is a rather unique feature and is not common in other industries.

**Level 3**: The assessment of off-site consequences leading to estimates of risks to the public. Level 3 incorporates the results of both previous levels.

Level 1 PSA is the most important level and creates the background for further risk assessment; therefore it will be presented in detail. The structure of the other levels is much more application specific and will be discussed only in general.

The methodology is based on systematically: 1) postulating potential accident scenarios triggered by an initiating event (IE), 2) identifying the systems acting as "defences" against these scenarios, 3) decomposing the systems into components and associating the failure modes and their probabilities, 4) assessing the frequency of the accident scenarios. Two elements of the PSA methodology typically stand out:

- The event tree (ET), which is used to model the accident scenarios: it represents the main sequences of functional success and failure of the safety systems appointed to cope with the initiating event, together with the consequences of each sequence. These consequences, also denoted as end states, are identified either as a safe end state or as an accident end state.
- The fault tree (FT), which documents the systematic, deductive analysis of all the possible causes for the failure of the required function within an accident scenario modelled by the ET. An FT analysis is performed for each of the safety systems required in response to the IE.

Assigning the safe end state to a sequence means that the scenario has been successfully terminated and undesired consequences have not occurred. In contrast, the accident end state means that the sequence has resulted in undesired consequences.

Synthetically, the methodology embraced for the analysis consists of the following major tasks:

- identification of initiating events or initiating event groups of accident sequences: each initiator is defined by a frequency of occurrence;
- systems analysis: identification of the functions to be performed in response to each initiating event in order to prevent plant damage or to mitigate the consequences, and identification of the corresponding plant systems that perform these functions (termed front-line systems): for each system the probability of failure is assessed by a fault tree model;
- accident sequence development, by constructing event trees for each initiating event or initiating event group;
- accident sequence analysis, to assess the frequencies of all relevant accident sequences; identification of the dominant sequences on a frequency-consequence basis, i.e. the ones presenting the most severe consequences to the personnel, the plant, the public and the environment, and definition of the reference accident scenarios to be further analysed through deterministic transient analysis (for instance by thermal-hydraulic (t-h) code simulation), in order to verify the fulfilment of the safety criteria. Consequences in the case of Level 1 PSA of NPPs are usually defined as degrees of reactor core damage, including the 'safe' state and the 'severe' accident state.

One of the main issues encountered in probabilistic analysis concerns the availability of pertinent data for the quantification of the risk, which eventually raises a large uncertainty in the results achieved. Usually these data are accessible from consolidated databases (e.g. IAEA) resulting from the operational experience of the plants. They pertain, for instance, to component failure rates, component failure probabilities on demand and initiating event frequencies: for this reason, within a PSA study an uncertainty analysis, in addition to a sensitivity analysis, is usually required in order to add credit to the model and to assess whether the sequences have been correctly evaluated from the probabilistic standpoint.

Event trees are used for the graphical and logical presentation of the accident sequences. An example of an event tree is shown in Figure 7. The logical combinations of success/failure conditions of functions or systems (usually safety systems, also called front-line systems) in the event tree are modelled by fault trees.

**Figure 7.** Example of an event tree

32 Nuclear Power – Practical Aspects
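As an added illustration, not code from the chapter, the following Python script carries the tasks listed above through on a small constructed Level 1 example: it builds the fault trees behind three event-tree headings, extracts their minimal cut sets, computes the heading failure probabilities both exactly and with the rare-event approximation, and walks the event tree to obtain every sequence frequency and the core damage frequency. The initiating event, the headings, the basic events and all numerical values are assumed placeholders chosen for the example; they are not data from the chapter or from any plant.

```python
"""Level 1 quantification on a constructed example: fault trees behind three
event-tree headings, minimal cut sets, top-event probabilities and the core
damage frequency (CDF) of the accident sequences.  All plant data are
illustrative placeholders constructed for this example, not chapter or plant data."""
from itertools import combinations
from math import prod

# Fault trees as nested tuples: ("OR", ...), ("AND", ...), ("KOFN", k, ...);
# leaves are basic-event names.  A name may appear under several gates, which is
# how a shared common-cause failure (CCF) event is attached to redundant trains.
FAULT_TREES = {
    # Reactor trip fails: both RPS trains fail independently, or a CCF takes both out.
    "RT": ("OR", ("AND", "RPS_A", "RPS_B"), "RPS_CCF"),
    # Auxiliary feedwater fails: both motor-driven pumps (coupled by MDP_CCF) and
    # the turbine-driven pump all fail (success criterion: any one pump).
    "AFW": ("AND", ("OR", "MDP_A", "MDP_CCF"), ("OR", "MDP_B", "MDP_CCF"), "TDP"),
    # Feed and bleed fails: operator does not initiate it, or two of three relief
    # valves fail to open (2-out-of-3 failures fail the gate).
    "FB": ("OR", "OP_FB", ("KOFN", 2, "PORV_1", "PORV_2", "PORV_3")),
}
BASIC_EVENTS = {  # constructed failure probabilities per demand
    "RPS_A": 1e-2, "RPS_B": 1e-2, "RPS_CCF": 1e-5,
    "MDP_A": 5e-2, "MDP_B": 5e-2, "MDP_CCF": 2e-3, "TDP": 1e-1,
    "OP_FB": 1e-2, "PORV_1": 2e-2, "PORV_2": 2e-2, "PORV_3": 2e-2,
}
IE_FREQUENCY = 0.1  # loss of main feedwater, per reactor-year (constructed)

# Event tree: each node names a heading and the sub-tree for its success and
# failure branch; leaves are end states ("SAFE" or "CD" = core damage).
EVENT_TREE = {
    "heading": "RT",
    "success": {"heading": "AFW", "success": "SAFE",
                "failure": {"heading": "FB", "success": "SAFE", "failure": "CD"}},
    "failure": "CD",  # no credit taken for mitigating a failure to trip
}

def minimise(sets):
    """Keep only minimal cut sets: drop any set that contains another one."""
    return {s for s in sets if not any(o < s for o in sets)}

def cut_sets(node):
    """Minimal cut sets of a fault-tree node, as a set of frozensets of basic events."""
    if isinstance(node, str):
        return {frozenset([node])}
    gate, args = node[0], node[1:]
    if gate == "OR":
        sets = set().union(*(cut_sets(c) for c in args))
    elif gate == "AND":
        sets = {frozenset()}
        for child in args:
            sets = {a | b for a in sets for b in cut_sets(child)}
    elif gate == "KOFN":  # fails when at least k of the n children fail
        k, children = args[0], args[1:]
        sets = set()
        for combo in combinations(children, k):
            sets |= cut_sets(("AND",) + combo)
    else:
        raise ValueError(f"unknown gate {gate!r}")
    return minimise(sets)

def top_probability(cs, p):
    """Exact top-event probability by inclusion-exclusion over the minimal cut sets,
    for independent basic events (a repeated event is counted once per union)."""
    cs, total = list(cs), 0.0
    for r in range(1, len(cs) + 1):
        for group in combinations(cs, r):
            union = frozenset().union(*group)
            total += (-1) ** (r + 1) * prod(p[e] for e in union)
    return total

def rare_event_approx(cs, p):
    """Sum of cut-set probabilities: the usual upper bound, accurate when all p are small."""
    return sum(prod(p[e] for e in s) for s in cs)

def sequences(tree, p_fail, freq=1.0, path=()):
    """Walk the event tree, yielding (path, end_state, frequency) for every sequence.
    Headings are multiplied as if independent; shared support systems would break this."""
    if isinstance(tree, str):
        yield path, tree, freq
        return
    h = tree["heading"]
    yield from sequences(tree["success"], p_fail, freq * (1 - p_fail[h]), path + ((h, "ok"),))
    yield from sequences(tree["failure"], p_fail, freq * p_fail[h], path + ((h, "fail"),))

def quantify(ie_freq=IE_FREQUENCY):
    """Return heading failure probabilities, every sequence, and the core damage frequency."""
    p_fail = {h: top_probability(cut_sets(ft), BASIC_EVENTS) for h, ft in FAULT_TREES.items()}
    seqs = list(sequences(EVENT_TREE, p_fail, ie_freq))
    return p_fail, seqs, sum(f for _, end, f in seqs if end == "CD")

if __name__ == "__main__":
    for name, ft in FAULT_TREES.items():
        cs = cut_sets(ft)
        print(name, sorted(sorted(s) for s in cs), f"exact={top_probability(cs, BASIC_EVENTS):.4e}",
              f"rare-event={rare_event_approx(cs, BASIC_EVENTS):.4e}")
    p_fail, seqs, cdf = quantify()
    for path, end, f in sorted(seqs, key=lambda s: -s[2]):  # dominant sequences first
        print(f"{f:.3e}/yr  {end:4s}  " + " ".join(f"{h}:{o}" for h, o in path))
    print(f"CDF = {cdf:.3e} per reactor-year")
```

Two things the numbers bring out. The shared MDP_CCF event surfaces as a second-order cut set {MDP_CCF, TDP} whose weight is comparable to the third-order independent cut set {MDP_A, MDP_B, TDP}, which is exactly why a fault tree that omits common cause failures understates the unavailability of a redundant system. And the walk multiplies heading probabilities as if the headings were independent; where front-line systems share support equipment, that assumption does not hold, and the sequence frequencies obtained this way are only as good as the independence claim behind them.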

A fault tree logically combines the top event (e.g. complete failure of a support system) with the causes of that event (e.g. equipment failure, operator error, etc.). An example of a fault tree is shown in Figure 8. The fault tree mainly consists of basic events (all possible causes of the top event that are consistent with the level of detail of the study) and logical gates (OR, AND, M-out-of-N and other logical operations). Other modelling tools, such as common cause failures and house or area events, are also used in fault trees. All front-line and support systems are modelled by fault trees and then combined in the event trees depending on the initiating event.

A fault tree is capable of including rather special cases, usually identified in complex systems. These include system and component dependencies, called common cause failures (simultaneous failures of several components due to the same cause), area events (usually fire, flood, etc., which damage groups of components in certain rooms) and human actions (operator errors or mitigation actions).

**Figure 8.** Example of a fault tree

PSA is a powerful tool that can be used in many different ways to assess, understand and manage risk. Its primary objectives are the following:

The growing area of PSA use is the extensive support of probabilistic results in risk management and decision-making processes. The main areas of PSA application are the assessment of design modifications and back-fitting, risk-informed optimisation of the Technical Specifications, accident management, emergency planning and others. Several modern tools of risk management are also based on the PSA model, such as risk monitoring, precursor analysis and others.

Despite its popularity among risk assessment tools, PSA has a number of limitations and drawbacks. The main limitations of the PSA model are the following:

*Binary representation of the component state*. Only two states are analysed: the failed state or the fully functioning state. However, this is not always realistic, as intermediate states are also possible. The same limitation exists for redundant systems with a certain success criterion: the system is either in the failed state (the success criterion is not satisfied) or fully operating. The intermediate states of redundant systems are even more important.

*Independence*. In most cases the components are assumed to be independent (except where modelled by CCF); however, there are many sources of dependencies not treated by the model.

*Aging effect*. The aging effect is ignored because of the constant failure rate assumption. The only conservative possibility to treat the aging impact is to perform a sensitivity study.

*Time treatment*. The FT/ET model is not capable of treating time explicitly during the accident progression. This is one of the major drawbacks of the methodology. In realistic systems many parameters and functions depend on time; this is not captured in the model, and only an approximate chronological order is assumed.

*Uncertainty of the calculations*. Uncertainties are inevitable in the PSA results and calculations, and therefore taking the quantitative PSA estimates at face value might be misleading. Because of these uncertainties, the qualitative PSA results (identification of the dominant accident sequences, comparison of different safety modifications) are of greater importance than the quantitative ones.

**4. Passive system unavailability model**

The reliability of a passive system refers to the ability of the system to carry out a safety function under the prevailing conditions when required, and addresses mainly the related performance stability.

In general the reliability of passive systems should be seen from two main aspects:

- up the system operation (e.g. drain valve failure to open)
- than on component malfunctions.

These two kinds of system malfunction are to be considered as ET headings, to be assessed by specific FT components, as shown in Figures 9 and 10.
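As an added example, not taken from the chapter, the script below models a passive-system heading in the way section 4 describes, with the component aspect (two drain valves that must open, coupled by a beta-factor common cause failure) and the second aspect, which I read here as failure of the physical process itself rather than of hardware, combined as two branches under one OR gate. It then applies the uncertainty analysis and the sensitivity study that section 3 calls for, the latter standing in for an explicit aging model. The valve failure probability, the beta factor, the phenomenological failure probability and the error factors are all assumed placeholders; the beta-factor CCF model and the lognormal error-factor parametrisation are common PSA practice but are my choices here, not the chapter's.

```python
"""Unavailability of a passive safety system treated as one event-tree heading:
(i) failure of the components that start the system up and (ii) failure of the
physical process itself, combined under one OR gate; then Monte Carlo propagation
of the data uncertainty and a sensitivity study in place of an aging model.
All numbers are constructed placeholders, not chapter or plant data."""
import random
from math import log

Q_VALVE = 3e-3   # drain valve fails to open, per demand (constructed median)
BETA = 0.1       # beta factor: share of valve failures that are common-cause (assumed)
P_PHEN = 1e-2    # physical process fails although all components work (constructed)

def startup_failure(q_valve, beta):
    """P(neither of two parallel drain valves opens) under a beta-factor CCF model:
    each valve carries an independent part q(1-beta); the shared part q*beta fails
    both at once.  Cut sets: {A_ind, B_ind} and {CCF}, treated as independent."""
    q_ind, q_ccf = q_valve * (1 - beta), q_valve * beta
    return 1 - (1 - q_ind ** 2) * (1 - q_ccf)

def passive_unavailability(q_valve, beta, p_phen):
    """Heading failure probability: start-up fails OR the process fails.
    The two aspects are modelled as independent branches under one OR gate."""
    return 1 - (1 - startup_failure(q_valve, beta)) * (1 - p_phen)

def lognormal_draw(rng, median, error_factor):
    """Sample a lognormal given its median and error factor EF = p95/p50.
    Draws are clipped to 1 because a probability cannot exceed it."""
    sigma = log(error_factor) / 1.645
    return min(rng.lognormvariate(log(median), sigma), 1.0)

def propagate(n=20000, seed=1, ef_valve=3.0, ef_phen=10.0):
    """Monte Carlo propagation of the input uncertainty through the heading.
    The error factors are constructed; the wide one on P_PHEN stands for the
    scarcity of phenomenological data compared with component failure data."""
    rng = random.Random(seed)
    samples = sorted(
        passive_unavailability(lognormal_draw(rng, Q_VALVE, ef_valve), BETA,
                               lognormal_draw(rng, P_PHEN, ef_phen))
        for _ in range(n)
    )

    def pct(p):
        return samples[int(p * (n - 1))]

    return {"mean": sum(samples) / n, "p05": pct(0.05), "p50": pct(0.50), "p95": pct(0.95)}

def sensitivity(factor=10.0):
    """Sensitivity study: multiply one input at a time by `factor` (e.g. a degraded,
    aged valve) and return the ratio of the heading unavailability to the base case."""
    base = passive_unavailability(Q_VALVE, BETA, P_PHEN)
    return {
        "valve": passive_unavailability(Q_VALVE * factor, BETA, P_PHEN) / base,
        "phenomenological": passive_unavailability(Q_VALVE, BETA, P_PHEN * factor) / base,
    }

if __name__ == "__main__":
    print(f"point estimate: {passive_unavailability(Q_VALVE, BETA, P_PHEN):.3e}")
    print("uncertainty :", {k: f"{v:.3e}" for k, v in propagate().items()})
    print("sensitivity :", {k: f"{v:.2f}" for k, v in sensitivity().items()})
```

With these placeholders the point estimate (about 1.0e-2) is dominated by the phenomenological branch: multiplying the valve failure probability by ten moves the heading by roughly a third, while multiplying the phenomenological probability by ten moves it almost tenfold, and the propagated distribution is correspondingly wide and right-skewed (mean well above median). That is the practical consequence of the second aspect listed above, and it is why the credibility of a passive-system heading rests on the data and the uncertainty treatment for the physical process far more than on the hardware failure data.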
