Various methods are employed for the safety review and assessment of nuclear power plants (NPPs). Primarily, these examinations are based on a so-called “deterministic” approach. Its special characteristic is that the behaviour of the facility, or of specific components, in reaction to an event is analysed under specific assumptions. For example, it is analysed whether the safety systems of an NPP would ensure control of a loss-of-coolant accident (LOCA) of the extent assumed in the design. Risk analyses, in contrast, use other methods that differ from the deterministic review in two essential respects: they not only take certain accident sequences into account, but they also provide a conclusion on the frequency with which a certain state of damage will occur in a given time period.
Risk analyses were first used in the 1960s in the civilian aerospace sector. The first risk analysis in the field of nuclear technology was published in the USA (WASH-1400, known as the “Rasmussen Report” after the head of the study). At the end of the 1970s, on behalf of the Federal Ministry for Research, GRS produced the first risk analysis for a German reference NPP (Biblis B), the “Deutsche Risikostudie (Phase A)” - German Risk Study (Phase A), thus introducing the method in Germany. Since then, GRS has worked on risk analyses and on the further development of their methods.
Risk analyses for German NPPs have been carried out to a greater extent since the 1990s. Since 2002, it has been mandatory to provide such analyses as part of the periodic safety reviews of all NPPs.
For many years, risk analyses have been referred to as “probabilistic safety analyses”, abbreviated PSA. A PSA is divided into three levels according to the scope of the review.
Level 1: From the initiating event to core damage
The PSA Level 1 determines the annual so-called (reactor) core damage frequency (CDF). Core damage means that, due to insufficient core cooling, the fuel assemblies reach the temperature at which damage to the fuel rod cladding must be assumed. To calculate the CDF, the inductive procedure of an event tree analysis is employed. This method requires that the analysis be made using a model that corresponds to the reviewed NPP as precisely as needed; therefore, each PSA is specific to a certain plant. In simplified terms, the PSA Level 1 is conducted according to the following procedure:
First, all scenarios that may result in core damage must be found and analysed. Since the number of possible scenarios is very large, they are grouped by similar event sequences, such as loss-of-coolant accidents (LOCA) or loss of power supply. For the further procedure, the scenario that poses the most serious challenge to the safety systems is chosen in each group and taken as the reference case for all other scenarios of the same group.
Thus, the further analysis of a scenario always begins with a certain initiating event.
The reviewed NPP produces no power after shutdown due to, e.g., work on the generators. In this plant state, the system for residual heat removal from the reactor core is operated using external grid power. A failure of this power supply is assumed. Following the approach described above, the loss of power is assumed to last at least two hours, thereby covering all other events with a shorter loss of power (events with a longer loss of power are calculated separately).
The initiating event forms the root of the event tree. As a rule, this event alone cannot lead to core damage, because according to the defence-in-depth safety concept of NPPs, a failure of one safety-related function is compensated by another, multiply redundant safety system.
In order to ensure power supply in the event of loss of grid power, the reviewed NPP possesses several emergency power diesels, each of which alone can provide the necessary power.
This means that the initiating event can only lead to core damage if the safety systems or emergency procedures intended to control it fail simultaneously or one after another.
During the shutdown state, one diesel is under repair, two of the others do not start automatically, and the remaining ones fail after a short operating time. This means that only the batteries supply power and the residual heat removal systems cannot be operated.
Such a failure of a system function (in the example, the loss of the emergency power supply) is taken as a further event which constitutes a branch in the event tree. For that, the PSA takes into account both the technical processes of the facility and the actions of personnel.
The leaves of the event tree are reached when the initiating event is under control or core damage has become unavoidable.
Using emergency procedures, core damage can be averted until external grid power is restored or until one of the two emergency diesels that failed to start automatically can be started manually (“event under control”).
The loss of emergency power cannot be remedied or compensated for in time. As a result of the failure of residual heat removal, the reactor heats up within a few hours so that the fuel rod claddings are damaged (“core damage”).
Each leaf of the event tree that ends in core damage contributes to the CDF of the particular scenario with its frequency. For the calculation it is necessary to know the occurrence frequency of each initiating event and the probabilities at all branching points of the event tree. These are based on failure statistics for technical components, compiled from real events at NPPs. The same statistics are also used to compute the failure probability of the safety systems that form the branches of the event tree; for this, additional models are created from which the failure combinations of the safety systems can be determined.
The sum of the CDFs for all scenarios under review gives the total annual CDF for the NPP under review, according to the assumptions and within the constraints of the PSA method. In 2001, GRS published a study on the newer German pressurised water reactors. For the scenarios analysed (which did not include those for the spent fuel storage pool), a mean CDF of about 1 in 200,000 per year was determined for a reference nuclear power plant.
As a part of the periodic safety review, the PSA Level 1 in Germany must be provided for all modes of operation including shutdown operation during outages.
Level 2 and 3: From core damage to the radiation dose
A core damage state can result in very different radioactive releases, since core damage with only a minor release is also possible. Therefore, core damages may pose different risks for man and the environment. To determine these, the PSA Level 2 reviews the frequency of the scenarios which lead from initial core damage via core melting and a containment failure to the release of radioactivity. In order to establish the frequency of the associated events and processes, it is necessary to rely mainly on computer simulation of complex physical and chemical processes, because, fortunately, such scenarios have occurred only rarely and there are few directly transferable experiments. As there are emergency procedures that can still be effective during progressing core damage, ending core melting or mitigating its consequences, these procedures are also taken into consideration and analysed, analogously to Level 1. In Germany, the PSA Level 2 must be provided within the periodic safety review for the power operation mode.
In the PSA Level 3, as a further step, various scenarios for the dispersion of the released radioactivity into the environment are calculated. Only then can the frequency, the scope and the extent of a significant radioactive contamination of the environment be determined. Taking into consideration radiation protection measures such as evacuation or bans on consumption, the radiation exposure associated with the accident can finally be determined in the form of specific doses. For this level, too, the necessary data must largely be derived from simulation programs. Worldwide, only a few Level 3 PSAs are available. In Germany, they are not required by law. Since the German Risk Study, Phase A, of 1979, no complete PSA from Level 1 up to Level 3 has been produced.
Which events are considered in the analysis?
Initially, the PSA Level 1 considers mostly internal initiating events of the plant, i.e. technical failures like loss of power supply. More recent risk analyses increasingly consider contributions to the risk from other hazards such as earthquake or flooding. Such hazards, which act on all redundant trains at once, are distinguished by the fact that, as at Fukushima, they can cause the simultaneous failure of several safety systems. For instance, it was found for a foreign NPP that a strong earthquake there can contribute more to the core damage frequency than all other scenarios reviewed. Which external hazards can occur, and with what intensity, depends strongly on the site of the NPP. In this respect, too, the results of a PSA are plant-specific because they are site-specific.
The PSA approach requires that events whose occurrence frequencies cannot be quantified are not included as event scenarios. From today’s perspective this is true for all hazards that are inflicted deliberately or as malicious acts, such as terrorist attacks or acts of war. Therefore, these analyses do not claim to determine the “real risk”, i.e. the totality of all conceivable scenarios. This methodological restriction must be borne in mind when interpreting the conclusions of a PSA.
How are the uncertainties taken into account?
Statistics always imply uncertainties. Part of the uncertainty lies in the random nature of events that may or may not occur; here one speaks of stochastic uncertainties. Even more important, however, is the contribution to the uncertainty that results from incomplete knowledge of the processes studied. It depends, for example, on the size of the sample analysed, or it is caused by the lack of data on the melt-through of a molten core through the reactor pressure vessel.
Both sources of uncertainty are relevant to a PSA and must therefore be taken into account in the results. This is already done at the level of the individual branches of the event tree, where the uncertainty of the probability of each branch is calculated. Starting from the root, over the branches, up to each leaf of the event tree, and finally for the total frequency, the uncertainty of the result is thus calculated as a frequency distribution. For the GRS study of 2001 mentioned above, it was determined that the annual CDF of the NPP analysed lies, with 90 % confidence, between about 1 in 1 million and 1 in 100,000.
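Propagating the branch uncertainties described above through one core damage sequence, as an added Python example that is not from the original article or from GRS. The sequence is the loss-of-power path from the Level 1 example; the medians and error factors are constructed illustration values, and the use of lognormal distributions described by a median and an error factor (95th percentile divided by the median) is an assumption of this example, not something the article states:

```python
"""Uncertainty propagation along one event-tree sequence by Monte Carlo.

Added example written for this page; the medians and error factors are
constructed illustration values, not GRS data. Each factor (initiating
event frequency and branch failure probabilities) is modelled as a
lognormal distribution given by its median and an error factor
EF = 95th percentile / median (an assumption of this example).
"""
import math
import random
from statistics import fmean, median
from typing import Dict, List, Tuple

Z95 = 1.6448536269514722  # 95th percentile of the standard normal distribution

# The loss-of-power sequence: (factor name, median, error factor). Constructed values.
LOSS_OF_POWER_SEQUENCE: List[Tuple[str, float, float]] = [
    ("loss of external grid power during outage [per year]", 0.1, 3.0),
    ("emergency diesels fail to start automatically", 1e-3, 5.0),
    ("emergency procedures fail to restore power in time", 0.1, 3.0),
]


def sigma_from_error_factor(ef: float) -> float:
    """Standard deviation of ln(x) for a lognormal with the given error factor."""
    return math.log(ef) / Z95


def point_estimate(sequence: List[Tuple[str, float, float]]) -> float:
    """Product of the medians: the single number a point-estimate PSA would report."""
    f = 1.0
    for _, med, _ in sequence:
        f *= med
    return f


def sample_sequence_frequency(sequence: List[Tuple[str, float, float]],
                              n: int, seed: int = 1) -> List[float]:
    """Draw n realisations of the sequence frequency; probabilities are capped at 1."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n):
        freq = 1.0
        for i, (_, med, ef) in enumerate(sequence):
            x = rng.lognormvariate(math.log(med), sigma_from_error_factor(ef))
            if i > 0:          # factors after the initiating event are probabilities
                x = min(x, 1.0)
            freq *= x
        samples.append(freq)
    return samples


def quantile(sorted_samples: List[float], q: float) -> float:
    """Nearest-rank quantile of an ascending list."""
    idx = min(len(sorted_samples) - 1, max(0, math.ceil(q * len(sorted_samples)) - 1))
    return sorted_samples[idx]


def analytic_interval(sequence: List[Tuple[str, float, float]],
                      z: float = Z95) -> Tuple[float, float]:
    """Closed-form 90 % interval: ln(product) is normal with summed mean and variance.
    Ignores the capping at 1, which affects a negligible fraction of samples here."""
    mu = sum(math.log(med) for _, med, _ in sequence)
    var = sum(sigma_from_error_factor(ef) ** 2 for _, _, ef in sequence)
    s = math.sqrt(var)
    return math.exp(mu - z * s), math.exp(mu + z * s)


def uncertainty_summary(sequence: List[Tuple[str, float, float]],
                        n: int = 20000, seed: int = 1) -> Dict[str, float]:
    """Point estimate next to the Monte Carlo mean, median and 90 % interval."""
    samples = sorted(sample_sequence_frequency(sequence, n, seed))
    return {
        "point_estimate": point_estimate(sequence),
        "mean": fmean(samples),
        "median": median(samples),
        "p05": quantile(samples, 0.05),
        "p95": quantile(samples, 0.95),
    }


if __name__ == "__main__":
    summary = uncertainty_summary(LOSS_OF_POWER_SEQUENCE)
    for k, v in summary.items():
        print(f"{k:>14}: {v:.2e} per year")
    lo, hi = analytic_interval(LOSS_OF_POWER_SEQUENCE)
    print(f"analytic 90 % interval: {lo:.2e} .. {hi:.2e} per year")
```

Because the sequence frequency is a product of its factors, its logarithm is a sum of normal variables, so the Monte Carlo interval can be cross-checked against the closed form in analytic_interval. The sampled mean lies well above the median: the distribution is right-skewed, which is why a PSA reports the interval, and not only a single frequency, as its result.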
What is the use of the results?
Since the PSA Level 1 does not consider all realistically possible damage scenarios, owing to the methodological constraints mentioned above, the core damage frequency determined with it is not an absolute measure of the risk or safety of an NPP. It does, however, provide an indication of the safety level of the plant.
Because a PSA always relates to a specific NPP (and to its specific status at the time of the analysis), a PSA result alone does not allow conclusions on the overall accident risk of all NPPs in operation. In other words, the core damage frequency of a specific NPP cannot be extrapolated to a general core damage frequency. An accurate probabilistic conclusion on this general risk would only be possible if all NPPs within a certain period of time could be analysed using comparable methodological assumptions in the PSA.
An essential merit of the PSA is that, owing to its holistic view, it allows one to judge which scenario makes the largest contribution to the risk of a nuclear accident at the specific plant. Such weak points are sometimes hard to detect by ordinary assessments or evaluations. PSA results can therefore help to identify the backfitting measures that are most effective in reducing the overall risk; for example, subsequent improvements of the emergency power supply can be attributed to these analyses. The establishment of emergency procedures and the evaluation of their effectiveness were also checked with the help of PSA methods. PSA results can contribute to the optimisation of technical inspections, e.g. by shortening test intervals for components with a major risk potential. Finally, repeated PSAs can contribute to the safety assessment after, e.g., an increase of the net electric power or safety-related backfitting, and thus to the identification of the associated risk implications. To summarise, the PSA adds value to the safety assessment in licensing and supervisory procedures.
This contribution served as a basis for a guest column by Michael Türschmann and Andreas Wielenberg (both GRS), published on 27 April in the daily Frankfurter Allgemeine Zeitung (“Was ist eigentlich ein Restrisiko?” - Remaining risk: What does it mean?)
• Leitfaden zur Durchführung der „Sicherheitsüberprüfung gemäß § 19a des Atomgesetzes – Leitfaden Probabilistische Sicherheitsanalyse“ für KKW in der Bundesrepublik Deutschland - Guide for the “Safety Review pursuant to § 19a of the Atomic Energy Act – Guide on Probabilistic Safety Analysis” for NPPs in the Federal Republic of Germany
• Deutsche Risikostudie Kernkraftwerke – Phase A - German Risk Study on Nuclear Power Plants – Phase A
• Deutsche Risikostudie – Phase B - German Risk Study – Phase B
• Bewertung des Unfallrisikos fortschrittlicher Druckwasserreaktoren in Deutschland (GRS-175) - Assessment of the Accident Risk of Advanced Pressurised Water Reactors in Germany
• Assessment of the Accidental Risk of Advanced Pressurized Water Reactors in Germany (GRS-184) (http://www.grs.de/sites/default/files/pdf/GRS-184.pdf)
• SWR Sicherheitsanalyse Abschlussbericht Teil 1 (GRS-102/1) - BWR Safety Analysis, Final Report, Part 1
• SWR Sicherheitsanalyse Abschlussbericht Teil 2 (GRS-102/2) - BWR Safety Analysis, Final Report, Part 2
• Fortschrittliche Methoden für eine Brand-PSA (GRS-190) - Advanced Methods for a Fire PSA
• Sicherheitsanalyse für Siedewasserreaktoren - Zusammenfassende Darstellung - Safety Analysis for Boiling Water Reactors - Summary Report