Embed Size (px)
Citation preview
eDirect
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5
Available online at Scienc
Nuclear Engineering and Technology
journal homepage: www.elsevier .com/locate/net
Original Article
Current Status and Applications of IntegratedSafety Assessment and Simulation Code Systemfor ISA
J.M. Izquierdo a, J. Hortal a, M. Sanchez Perea a,*, E. Mel�endez a, C. Queral b,and J. Rivas-Lewicky b
a Modeling and Simulation Area (MOSI), Nuclear Safety Council (CSN), Justo Dorado, 11, 28040 Madrid, Spainb Energy and Fuels Department, Technical University of Madrid (UPM), Alenza, 4, 28003 Madrid, Spain
a r t i c l e i n f o
Article history:
Received 28 November 2016
Received in revised form
13 January 2017
Accepted 13 January 2017
Available online 9 February 2017
Keywords:
Dynamic Event Trees
IDPSA
ISA
PSA
* Corresponding author.E-mail address: [email protected] (M. Sanchez
http://dx.doi.org/10.1016/j.net.2017.01.0131738-5733/Copyright © 2017, Published by Elthe CC BY-NC-ND license (http://creativecom
a b s t r a c t
This paper reviews current status of the unified approach known as integrated safety
assessment (ISA), as well as the associated SCAIS (simulation codes system for ISA) com-
puter platform. These constitute a proposal, which is the result of collaborative action
among the Nuclear Safety Council (CSN), University of Madrid (UPM), and NFQ Solutions
S.L, aiming to allow independent regulatory verification of industry quantitative risk
assessments. The content elaborates on discussions of the classical treatment of time in
conventional probabilistic safety assessment (PSA) sequences and states important
conclusions that can be used to avoid systematic and unacceptable underestimation of the
failure exceedance frequencies. The unified ISA method meets this challenge by coupling
deterministic and probabilistic mutual influences. The feasibility of the approach is illus-
trated with some examples of its application to a real size plant.
Copyright © 2017, Published by Elsevier Korea LLC on behalf of Korean Nuclear Society. This
is an open access article under the CC BY-NC-ND license (http://creativecommons.org/
licenses/by-nc-nd/4.0/).
1. Introduction
The two traditional approaches to safety analysis in nuclear
power plants are the so-called deterministic safety assess-
ment (DSA) and the probabilistic safety assessment (PSA). DSA
continues to be the main support for licensing design issues.
At post-TMI times, PSA started to be used as well in several
licensing applications. The question of the consistency of
deterministic and probabilistic studies was already posed in
different licensing groups and reflected in the following is-
sues: (1) to what extent and at which stage of the PSA a
Perea).
sevier Korea LLC on behamons.org/licenses/by-nc
significant change in stand-by safety system initiation set-
points, with obvious impact on DSA, could be reflected in
PSA; and (2) to what extent DSA and PSA covered different
operator behaviors, including for instance time delays in
manual actions.
The Nuclear Safety Council (CSN) makes intensive use
of PSA models in key aspects of its licensing day-to-day
life, including inspections planning and categorization of
their findings, incident analysis, and operational aspects
(maintenance rule, human reliability, and safety culture).
However, the operation is constrained by the conclusions
lf of Korean Nuclear Society. This is an open access article under-nd/4.0/).
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5296
of the analysis of the (automatic) design basis transients
and accidents, (DSA), as reported in the safety assessments
(SAR), which also include day-to-day requirements like
those included in the operating technical specifications
(OTS). The overall process encompasses widely different
safety studies in nature, data, phenomena, and systems,
each being a piece interacting in several ways with many
others.
Ensuring consistency among implicit and explicit assump-
tions, interfaces, and conclusions is a major task of the regu-
latory review. The set of activities may be considered as a
licensing validation and verification (V&V) process. Most reg-
ulatory activities are qualitative in nature, but the widespread
use of computerized analysis also requires sophisticated,
quantitative V&V with independent checks complementing
the qualitative process. This paper summarizes some of the
tools [simulation codes system for ISA (SCAIS)], methods [in-
tegrated safety assessment (ISA)], and results that have been
(and are being) developed at CSN for this purpose, with special
emphasis on the most recent ones. The main focus is on PSA
related developments that may be classified according to the
three main stages of a typical PSA, namely: (1) delineate the
possible sequences of events (SOE), which amounts to finding
all possible sequences of dynamic transitions (SOTs) resulting
from the sequence of protective actions as well as possible
failures of safety systems. No protective action takes place
unless necessary conditions for it are fulfilled, most often
consisting of process variables entering certain regions, situa-
tions that we call stimuli activations, such as alarms, proced-
ure entry points, and/or crossing of deterministic setpoints.
The set of transients activating stimulus here is called the
stimulus domain; (2) determine system success criteria,
discriminating among successful sequences of configurations
of the safety systems (i.e., those in which the wrong trends of
damage indicators are successfully corrected) from failed ones.
The intersection of all stimuli domains of a sequence is the
damage domain; and (3) compute, for each SOE, the frequency
resulting from its safety systems configurations, by using, for
instance, Fault-Tree/Event-Tree (FT/ET) techniques.
Although detailed methods and abundant works in the
literature [1] provide guidance for Stage 3, such guidance be-
comes loosewhen describing Stages 1 and 2,mainly due to the
unique phenomena involved in each application domain,
their strong nonlinearities, and their dependence on the pro-
tection design methods, all of which are usually very sophis-
ticated and technology dependent, as described in safety
analyses reports (SAR) [2].
This paper addresses the feasibility of the ISA-SCAIS
approach and, in addition, presents new ideas to handle
important event timing and boundary condition uncertainty,
allowing a dividing/synthesizing of the main ingredients of
the accident progression.
2. Integrated deterministic-probabilisticsafety assessment methodologies
Integrated deterministic-probabilistic safety assessment
(IDPSA) is a family of methods that use a time-dependent
phenomenological model of system evolution along with an
analysis of system stochastic behavior to account for possible
dependencies between failure events and dynamic processes
[3]. The starting point of these frameworks is that safety
justification must be based on the coupling of deterministic
(consequences) and probabilistic (frequency) considerations
to address mutual interactions between stochastic distur-
bances (e.g., failures of the equipment, human actions, and
stochastic physical phenomena) and deterministic responses
of the plant (i.e., transients). Thus it can be considered com-
plementary to PSA and DSA approaches that intend to help in:
(1) resolving time dependent interactions among physical
phenomena, equipment failures, control logic, and operator
actions in analysis of complex scenarios; (2) identification and
characterization of a priori unknown vulnerable scenarios
(sleeping threats) of the overall system; (3) consistent treat-
ment of different sources of uncertainties; and (4) reduction of
reliance on expert judgment and assumptions regarding
complex time dependencies and scenarios.
The literature reports on a variety ofmethods, e.g., DYLAM,
ADS-IDAC, MCDET, ADAPT, and GA-IDPSA; see [3e5] for
further details.
As a drawback, these methods operate in the actual time/
state space and the computational effort is considerably larger
compared with that required in a conventional event tree
analysis. For this reason, application is still restricted to spe-
cific aspects of PSA or DSA. In order to considerably reduce the
computation time for the numerous dynamic calculations,
these methods generally treat continuous and discrete
random transitions in a probabilistic way, through repeated
branching of the sequence at systematically chosen points in
time according to user specified probability distributions. ISA
methodology lies within those methodologies.
3. ISA-theory of stimulated dynamicsmethodology
As indicated, ISAmethodology tries to verify compliance with
regulations and consistency in the design and safety assess-
ments made by the industry. Consistent with this intent, ISA
is an integrated method in which deterministic and probabi-
listic aspects of the safety problem are solved together, taking
into account mutual dependencies.
The concept of a sequence as an ordered set of events is
also extensively used in ISA. The ISA methodology strongly
relies on simulation to determine the consequences of acci-
dent sequences. However, a sequence cannot be fitted to a
particular time history. Treatment of sequence uncertainties
and identification of failure domains are essential parts of ISA.
If sequence success criteria are used, each simulated transient
is evaluated against those criteria in order to find the failure
domain. The concept of header success criteria is no longer
needed because compliance with the sequence success
criteria is a direct result of the simulation. This allows for the
use of ISA as a powerful tool to verify the header success
criteria used in Level 1 PSA.
The main basis of the ISA-TSD method (integrated safety
assessment based on the theory of stimulated dynamics,
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5 297
[6e8]) is to lower the assessment from the system configura-
tion sequence level, characteristic of Level 1 PSA, or from the
envelope level, characteristic of DSA, to the transient level
within each sequence by: (1) considering sequences as large
groups of transients accounting for all uncertainties compat-
ible with the probability space under check, e.g., parameter
uncertainty, initial conditions, variability in occurrence time
of events and uncertainty in boundary conditions; (2) simu-
lating a number of those sequence transients in order to find
the sequence failure domain, defined as the subset of
sequence transients in the probability space ending in a failed
state. The number of transients that need to be simulated
depends on the desired accuracy of the failure domain char-
acterization but, in general, this number is very high; and (3)
providing TSD algorithms to compute the contribution to the
exceedance frequency (of the safety limit used to define the
failed state) of any transient belonging to the failure domain,
and then aggregating these contributions for all the transients
there. Included as factors in those algorithms are the condi-
tional probabilities of the safety system configurations char-
acteristic of Level 1 PSA. Explicit consideration of stimuli
ensures consistency of the set of safety measures included in
every transient and allows for a proper classification of tran-
sients into dynamic sequences.
4. SCAIS
Leaving aside the theoretical aspects that inspired the detailed
computational methods (TSD, [6e8]), ISA analysis involves a
lot of transients, and its application thus requires a set of
simulation/computational tools. The computerized platform
called SCAIS has been developed for this main purpose. It is
composed of a set of interconnected modules which, never-
theless, are their own entity and can be used as standalone
tools or as modules of other methods as well.
Present day SCAIS (see [7,8] for its evolution) is the result of
a consolidation and modernization program of the prior sys-
tem. It is being developed in close collaboration with NFQ
Solutions (Madrid, Spain), a software development company
specializing in risk assessment. Also, the Technical University
of Madrid (UPM) actively participates at the testing and
application level.
As the focus of the ISA setup is in Discrete Dynamic Event
Tree (DDET) transient simulation, most of the components of
SCAIS are transient related, whereas a few others are proba-
bilistic in nature. Fig. 1 presents a simplified scheme of the
ISA-TSD methodology, whose blocks parallel the main com-
ponents of SCAIS.
The “Automatic Generation of Paths/Sequences” block in
Fig. 1 includes the following SCAIS elements [7,8]: (1) BABIECA
is the general simulation driver. It combines internal and
external simulation modules from which the user can
configure the plant model in the form of a topology of inter-
connected modules [9]. It takes care of the overall solution by
controlling the transmission of information among modules,
solving feedback loops if they exist and advancing the time
step. These features provide great flexibility to build powerful
plant simulation models; (2) DENDROS (Fig. 2) is the event
scheduler that drives the dynamic generation and manage-
ment of the different event sequences resulting from a given
initiating event. It directs the simulation to perform the sys-
tematic traversal of all the possible branches, leading to
different sequences. DENDROS then identifies and manages
the branching points and, in certain cases, asks BABIECA to
open new simulation processes, one for each possible
outcome of the event (SIM in Fig. 2). The result is a dynamic
event tree (DET); (3) PLANTMODEL is a particular user-defined
combination of BABIECA modules able to simulate accident
sequences. The variety of plant models that can be configured
ranges from those using well accepted and validated external
codes (MAAP, TRACE) to those composed only with internal
BABIECA modules; (4) SIMPROC is a simulator of operating
procedures that interacts with BABIECA to implement the
operator actions requested by the procedures [10]. It is a spe-
cial case of BABIECA external module because of the particu-
larities of the interaction between plant and procedures.
These four SCAIS components implement the main dy-
namic modules as required by DET, also including those
allowing for the verification of procedures via automatic pilot
simulations. Other SCAIS components are the following. (5)
The PROBABILITY CALCULATOR (ET/FT/APET block in Fig. 1) is
actually a collection of methods and algorithms that provide
probabilistic quantifications. It may be optionally called on to
make estimates of the respective probabilities of the output
branches of a branching point and to use them for elimination
of some of these branches on the basis of low probability
termination criteria. Its major role is the computation of ex-
ceedance frequencies in coordination with the RISK ASSESS-
MENT module. (6) The PATH ANALYSIS MODULE (Fig. 1)
performs detailed analysis of individual event tree sequences
through the simulation of specific transients (paths) of the
analyzed sequence. In coordination with DENDROS, the PATH
ANALYSIS MODULE defines multiple simulation cases, i.e.,
sequence paths, by varying values of uncertain parameters
and/or time delays (human actions or stochastic phenomena).
The aim is to identify the sequence failure domain, given the
applicable configuration sequence success criteria. (7) The
SCAIS DATABASE is an SQL relational database (POSTGRES
SQL) used as a repository for input and output information.
Represented in the left- and right-hand side columns in Fig. 1,
it stores all the input data and results, allowing their easy
postprocessing. The information stored in the database can be
accessed off-line, making it possible to perform new analyses
on the existing data without repeating the simulations unless
necessary. (8) The RISK ASSESSMENT module, also shown in
Fig. 1, calculates the design barrier safety limit exceedance
frequency, i.e., the frequency of the failed state, by integrating
the TSD equations over the failure domain obtained from the
PATH ANALYSIS MODULE, and considering the frequency
density function obtained from the probability distributions
evaluated in the PROBABILITY CALCULATOR.
All main components of SCAIS, including the simulator
driver BABIECA and the event scheduler DENDROS, are
designed with object oriented architecture and implemented
in Cþþ language. In an attempt to make it platform
Fig. 1 e Simplified scheme of the ISA-TSD methodology. FT, transmission function; ISA, integrated safety assessment; PSA,
probabilistic safety assessment, TSD, theory of stimulated dynamics.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5298
independent, the whole SCAIS has been developed by CSN in
collaborationwithNFQ Solutions using open source standards
(Linux, XercesC, libpqþþ).
Automatic generation of DETs is only possible with an
adequate coordination between BABIECA and DENDROS, and
sometimes, also coordinated with the PROBABILITY CALCU-
LATOR. Fig. 2 illustrates the branching procedure imple-
mented in SCAIS. For the sake of simplicity, only binary
branching points are represented; these are points where the
two output branches correspond to occurrence or not of an
event. The upper part of Fig. 2 represents the opening of new
Fig. 2 e Overall BABIECA-DENDROS-pr
simulation processes, whereas the lower part represents the
corresponding dynamic event tree resulting from this
procedure.
Branching criteria are represented by Pi (P1, P2, etc.) in Fig. 2.
These criteria correspond to stimulus activations; the
branching consists of simulating both the occurrence and the
nonoccurrence of the event. When DENDROS detects that a
branchingcriterionhasbeen reached, it initiates thebranching
procedure, which can possibly be delayed by a time d if so
specified in the branching rules: (1) DENDROS asks BABIECA to
generate a restart filewith the current status of the simulation;
obability calculator coordination.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5 299
the existing simulation process continues with the “nominal”
option (occurrence or nonoccurrence of the event, depending
on the defined branching rules); and (2) DENDROS spawns a
new simulation process, i.e., another instance of BABIECA,
initializing the simulation model with the stored restart file
and forcing the “alternative” option of the branching point.
This procedure is recursively continued until every simulation
process meets some predefined termination criterion.
5. Recent activities. Summary of activities onthe deterministic side
5.1. ISA methods used for sequence delineation andquality of the set of design basis transients used in SARs(envelope issue)
PSA-DSA in the nuclear context is but another example of
optimization of adequate protections and its verification. The
main problem is to find envelopes of the evolution of damage
indicators in piecewise sequences of successive changes in
dynamics, (i.e., SOT), associated with protection actions. In
general, the problem focuses on ensuring that the envelopes
consider all the possible SOTs that may be involved in the
accident progression and then cover, for each sequence, un-
certainty in initial conditions and key data, as well as, most
importantly, boundary conditions and protective action
timing. These uncertainties easily explode the number of
situations to consider, so that brute force techniques based on
reproducing transients with best estimate simulations usually
fail at reaching completeness of the situations considered to
demonstrate the (umbrella) enveloping character.
Fig. 3 deploys the strategy followed in the Spanish nuclear
industry, as well as at CSN/modeling and simulation area
(MOSI), to ensure that all relevant situations are covered,
including the division in subproblems that accounts for the
accident progression (APET, [8]).
The SAR underground philosophy is consistent with that
shown in Fig. 3, but this approach uses the concept of “design
basis transients/accidents” in order to cover all automatic
action design situations. This implies the use of artificial
events distorted both in assumptions and models, so that the
timing of these analyses is also artificial. It is not simple to
make an equivalence with the sequence delineation because
of the different purpose. Any PSA invoking SARs should be
Fig. 3 e Strategy to ensure that all safe
aware that they provide no clue to answering important issues
such as the available times embedded in the success criteria.
Neither do they guarantee the sequence delineation, Stage 1,
which requires extensive PSA additional analysis, based on
safety functions, taking into account that out-of-design situ-
ations should also be considered, including operator actions.
Instead, the ISA-SCAIS verification method considers se-
quences as piecewise objects (1 piece for each interval be-
tween consecutive transitions) consisting of well identified
groups of transients covering all uncertainties explicitly,
including times of actions and dynamic model boundary
conditions as functions of time. The design domain is clearly
distinguished from the general risk domain.
References [7,8] detail tools and methods and provide
several examples describing the ISA-SCAIS V&V approach for
internal consistency of the deterministic analysis and the
verification of the sequence delineation, that is, Stage 1. The
method proposes the use of surrogate models to analyze the
sequences, models fed from the deterministic analysis. When
considering the deterministiceprobabilistic consistency of
Stages 2 and 3, the approach ends up in the generation of a
SCAIS database with an adequate, best estimate set of repre-
sentative transients and the corresponding identification of
dynamic surrogate models. These surrogate models consis-
tently carry the deterministic connection while allowing for
fast simulation of a myriad of transients, each stimulus vari-
able having a different surrogate model that projects the in-
fluence of the rest of the system.
5.2. Verification of emergency operating procedures andsevere accident management guidelines
When verification of an emergency procedure (EOP) for sce-
narios without coremelt is the issue, simulations are runwith
an automatic pilot version of the procedures, as realistically as
possible, using the procedure simulator SIMPROC [10] coupled
to the automatic event tree SCAIS simulator. Timing to take
the actions is predetermined using information from best
practices and as operator crew task action studies indicate.
The objectives of the procedure should be met and success
relative to any of the safety limits should be assured. If this is
not the case, the procedure is questioned at specific points.
Examples are given in [11]. These examples are part of the
automatic sequence delineation verification of Stage 1.
Concerning severe accident management guidelines
(SAMGS), asapostFukushimastartingactivity,MOSIengaged in
ty relevant situations are covered.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5300
methods to obtain useful insight into severe accident scenarios
typifiedbyblackouts (SBO).Asapreliminary exercise, theSCAIS
platform, using itsMAAP systemmodule,wasused to analyze a
sequence initiated by loss of both off-site and on-site AC power
[emergency diesel generators (EDG)] in a three loop Pressurized
WaterReactorWestinghousedesign (see [12]). Theset ofactions
is depicted in Fig. 4, which identifies the EOPs and SAMGs
involved. Five damage indicators have been considered in the
analysis:(1) core uncover; (2) core exit temperature
(CET > 648.86�C); (3) peak cladding temperature
(PCT > 1203.85�C); (4) fuel relocation into lower plenum; and (5)
reactor pressure vessel (RPV) failure.
Fig. 5 shows the damage domains for the same sequence
obtained when considering the uncertain times of failure of
the continuous, and of recovery of the alternate, current
electric supply. A total of 900 simulations were run, each
providing information on one of the (uncertain) time combi-
nation points in Fig. 5.
6. Recent activities. Summary ofdevelopments and applications in classicalprobabilistic issues
6.1. Incident analysis
CSN/MOSI has direct responsibility in executing CSN incident
analysis on a routine basis using a customized, classical FT/ET
method in order to rank incident severity and to classify in-
cidents as precursors of more severe situations.
Fig. 4 e Main operator actions taken into account in SBO seque
Station Black Out; AC, Alternate Current; CC, Direct Current; SA
Auxiliary Feed Water; LPSI, Low Pressure Safety Injection; HPS
Precursor analyses [13] are performed in the framework of
the Incident Revision Panel (IRP). The IRP is a cross-
disciplinary group that discusses, reviews, and classifies
every incident reported by the Spanish Nuclear Power Plants
(NPPs) to CSN. Within this group, precursor analyses are
requested to obtain a measure of the risk impact associated
with an incident and to obtain a probabilistic criterion as an
input to the classification. An incident with a risk measure
[conditional core damage probability (CCDP)] > 10�6 is a pre-
cursor; an incident with a CCDP > 10�5 is a significant pre-
cursor, and is then classified as a significant event. Insights
from precursor analyses are discussed within this group.
This area of precursor activity has evolved in scope over
the years (also covering significance determination of in-
spection findings), as has MOSI involvement as more PSA
models have become available. Some overall results are pre-
sented in Figs. 6 and 7.
6.2. Probabilistic consistency across different plants.Verifying classical FT quantifications
The accumulated MOSI experience in FT/ET quantification of
Spanish plants with industry PSA models includes use of, and
knowledge regarding, different computational platforms
(substantially Risk Spectrum and CAFTA), and different
modeling cultures at the different plants. As exemplified in
the cases of precursors and significance determination of in-
spection findings, intercomparison between results in
different contexts is essential to better understand the risk
profiles of plants. However, sometimes doubts appear
nces with seal LOCA. (CET, Core Exit Temperature; SBO,
G, Severe Accident Guideline; SG, Steam Generator; AFW,
I, High Pressure Safety Injection).
Fig. 5 e Comparison between damage domains with slow and fast cooling. SAMG, Severe Accident Management Guideline;
EOP, Emergency Operating Procedures.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5 301
regarding whether or not the same problem will yield similar
results in different environments. In view of this, MOSI, in
cooperation with the CSN PSA licensing branch, initiated an
important harmonization activity. It was based on the use of
tools (where they existed, and on internal development where
they did not), to translate different modeling formats into a
unified XML language (open PSA initiative) [14]. Additionally,
tools were also used/developed to translate the unified XML
input files back into either computing environment. In addi-
tion, research projects were launched to verify the efficiency
of the computations by comparison with alternate ET/FT
1E-09
1E-08
1E-07
1E-06
1E-05
1E-04
1E-03
1E-02
1E-01
1E+00
1 4 7 10 13 16 19 22 25 28 31 34 3
Con
ditio
nal p
roba
bilit
y
Incide
Fig. 6 e Results of pre
approaches. Among these approaches, binary decision dia-
grams (BDD) constitute a popular alternative; one of the pro-
jects [15] used them for this purpose.
Furthermore, as regulators, CSN staff members need in-
dependent views of licensee models, which calls for in-house
made models. This harmonization activity also needs to ab-
stract different modeling techniques and diverse hypotheses
that are not intrinsic to and therefore not part of the risk
profile. In view of this and within the framework of these
harmonization activities, CSN has initiated also a standardi-
zation activity to bring together PSA hypotheses andmodeling
7 40 43 46 49 52 55 58 61 64 67 70 73 76 79nt no
cursor analysis.
0
5
10
15
20
25
30
CCDP<1E-6 1E-6<CCDP<1E-5 1E-5<CCDP<1E-4 1E-4<CCDP<1E-3 1E-3<CCDP<1E-2 1E-2<CCDP
No.
of i
ncid
ents
CCDP interval
Fig. 7 e Precursor distribution. CCDP, conditional core damage probability.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5302
techniques from different Spanish NPP PSAmodels. The SPAR
(standardized plants analysis risk) concept, taken from the
approach followed by United States Nuclear Regulatory
Commission (USNRC) in its regulatory system, is being studied
and analyzed by CSN in collaboration with UPM, with the aim
of attaining a standard modeling framework and overcoming
the problems and drawbacks that have appeared in the
application of Integrated Nuclear Power Plant Supervision
System (SISC) during these past years. The strategy followed is
based on a comparison of current PSAs of similar Spanish
NPPs; it is implemented in order to collect, identify, and agree
on which characteristics, hypothesis, and modeling
Simulatepath
GeneratesequenceUser
Sequence Problem data
System configuration
Sequence data
Command
Systems configuration
Sequenc
Sequence d
Problem data
Path and param
Sequence data= paths, stimulus, parameters, and probabilityPath data= stimulus, parameters, and probability
Fig. 8 e Structural block diagram
approaches (both at the ET and the FT levels) are most
adequate and convenient for SISC purposes, and to propose a
standard for in-house modeling (see [16]).
7. Other current developments
7.1. ISA-TSD off-line prototype
The ISA-TSD framework has a deterministic aspect, i.e.,
finding the damage (failure) domains, and a probabilistic one,
i.e., finding its frequency. The SCAIS transient simulation
Calculateprobability
Analysepath
Generateparameters
Analysesequence
Analysepaths
e
Sequence
ata
Path
Path
Path
Parameters
Path data
eters
Probability
Stimulus andtransition rate
Path stimulus,transition rateand parameters
of the off-line TSD prototype.
sT1
S3S2 Sn
sT2 sT3 sTn-1 sTn
T2 T3 Tn-1 TnT1
S1
T1 T2 T3 Tnt
t=0
Interval 1 Interval 2 Interval 3
Output j
System
Input i
Time variables
Laplace variables
Fig. 9 e TFT þ TSD approach. TFT, transmission functions theory; TSD, theory of stimulated dynamics.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5 303
techniques described above do not include any strategy to
optimize the branching approach of the DET to minimize the
number of runs needed to identify the so-called damage do-
mains, defined as the locus of failed transients and differing
only in terms of specified features characteristic of the un-
certainty problem. ISA-TSD extends the classical uncertainty
methods (which mostly refer to parameters) to uncertainty of
the timing of events, including envelopes of initial conditions,
and the boundary condition uncertainty.
Fig. 8 shows the structure of a first off-line TSD prototype
implementing the search of damage/failure domains and the
computation of the exceedance frequency. With this proto-
type, each research item can be tested off-line before its
integration into SCAIS, which is then used as a developmental
tool for testing ISA/SCAIS improvements. To show the unified
character of the tools, prototype performance has been used
under some challenging situations, such as the impact on the
containment of an inflow of hydrogen and steam as a PSA2
subproblem, resulting from a severe accident medium size
Loss of Coolant Accident (LOCA), and in a completely different
case consisting of a plant transient analysis (SAR type) in an
experimental facility.
It is easy to distinguish, in Fig. 8, circles dealing with single
transients (paths) from those related to the overall strategy,
i.e., selection of paths and identification of failure domains.
Several search methods have been proposed and tested.
Concerning transient treatment, the “simulate path” action
shown in Fig. 8 is performed with the help of models suitable
for finding reasonable envelopes (adequate models). These
models may be found in many ways (from Best Estimate (BE)
to simplified or parametric models).
7.2. Transmission functions theory and TSD approach
The ISA TSD method requires adequate dynamic models that
are able to find reasonable envelopes for any subproblem
describing accident progression phases in different areas of
the plant. However, best estimate codes are too large and
complex to be used directly, and finding adequate models for
each subproblem is hard, and the resulting models are diffi-
cult to validate, especially when considering the widely
different phenomena involved in the various subproblems.
CSN-MOSI is working on a new approach to tackle this
problem.
p�j!; T!
; t�≡ qj1 j0 ðT1; 0Þ$ qj1 j2 ðT2;T1Þ|fflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflffl}
A factor q for eachinterval betweenevents
…qjnjn�1ðTn;Tn�1Þ$ e
�Z t
Tn
dzXksj
pj/k zð Þ
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}A term of finalsurvival
; where qjkðt;TÞ ¼ pk/j tð Þ|fflfflfflffl{zfflfflfflffl}Occurrenceof event at t
$ e
�Z t
T
Xlsj
pk/l zð Þdz
|fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl{zfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl}Internal survival
(1)
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5304
As the safety variables of interest are not that numerous,
the idea is to use the BE multi-process-variable codes to
identify and feed envelope surrogate dynamic, models that
are adequate to project and envelope the BE result on any
preselected single process-variable. The single process vari-
able surrogate models are dynamic models based on piece-
wise linear approximations; these models have the same
mathematical structure in all cases. Very fast and efficient
algorithms allow the running of the very many transients
required to construct the timing and boundary condition en-
velopes. The basis for the dynamic surrogate models is
transmission functions theory (TFT) ([8,17]). Fig. 9 and Eq. (1)
depict the approach schematically.
7.3. ISA road map development
Some research objectives that are foreseen within ISA-TSD-
SCAIS development are the following: (1) future activities
will continue to consolidate, optimize, and gain more experi-
ence in the specific approach followed, including imple-
mentation of regular PSA quantification methods and tools
within SCAIS computer platform. The aim is to implement
current NPP Fault Trees models and generation of CSN stan-
dardized PSA models (such as the USNRC SPAR models) of
Spanish plants that may be quality graded; (2) different
research aspects devoted to improving and optimizing the use
of dynamic surrogate models based on TFT within ISA-TSD
methodology. Some examples are the following: explore the
definition of several useful figures of merit to synthesize re-
sults of PSA dynamic assessments; e.g., header-importance
indices that characterize header dynamic efficiency (i.e., the
actual protective or degrading function of the header); devel-
opment of transmission function (FT) identification tech-
niques based on database (BE code or experimental results);
application to estimates of source terms in PSA2, in a manner
similar to that in which the USNRC representative PSA2 study
[18] estimates the uncertainty bands for the release of the
most important families of radio-nuclides; (3) within themore
general integrated deterministic probabilistic safety assess-
ment (IDPSA) techniques being developed worldwide [3, 4],
some research activities have been foreseen: equip SCAISwith
adequate data mining and classification techniques [19],
which would help to establish lossless extraction and
condensation of useful information amenable to expert eval-
uation. Here again TFT could play a relevant role; and (4)
further applications of the method [12,20e23] are still
required. In particular, the ISA/SCAIS approach has inter-
esting and direct applicability to the verification of SAMGs and
EDMGs [12,24].
8. Conclusion
Quantitative V&V activities at regulatory bodies are comple-
mentary of their qualitative reviews, and are essential in view
of the ubiquity of computerized analysis included in the in-
dustry safety cases. Among the many issues involved, con-
sistency checks are of primary importance. They require
specific developments of independent tools and methods.
In particular, these checks should be performedwhen they
refer to issues of probabilistic versus deterministic aspects
that involve very difficult problems, so as to verify the success
criteria and to discriminate when those criteria should be
consistently modified in PSA applications. For instance,
relaxation of OTS (operating technical specifications), justified
on the basis of FT/ET computations, should not be accepted
without ensuring first that the FT/ET success criteria do not
require consistent modification.
Part of the efforts made at CSN to develop diagnostic tools
and methods for this purpose were briefly described, focusing
on the success criteria and internal consistency of the prob-
abilistic side. This helps a great deal in technically objective
regulatory decision-making because consistency of probabi-
listic and deterministic aspects can be better addressed.
This document has elaborated on: (1) the steps taken in the
development of the integrated safety assessment (ISA)
methodology and its associated software package (SCAIS); (2)
recent applications of methods and tools that illustrate its
potential to verify the consistency of deterministic and prob-
abilistic licensing safety cases; and (3) further areas of devel-
opment that are foreseen.
Conflicts of interest
The authors have no conflicts of interest to declare.
r e f e r e n c e s
[1] ASME, Standard for Probabilistic Risk Assessment forNuclear Power Plant Applications, ASME RA-S-2005, 2005.USA.
[2] USNRC, Regulatory Guide 1.70, Standard Format and Contentof Safety Analysis Reports for Nuclear Power Plants,November 1978. USA. AAN: ML011340072.
[3] T. Aldemir, A survey of dynamic methodologies forprobabilistic safety assessment of nuclear power plants,Ann. Nucl. Energy 52 (2013) 113e124.
[4] E. Zio, Integrated deterministic and probabilistic safetyassessment: concepts, challenges, research directions, Nucl.Eng. Des. 280 (2014) 413e419.
Nu c l e a r E n g i n e e r i n g a n d T e c h n o l o g y 4 9 ( 2 0 1 7 ) 2 9 5e3 0 5 305
[5] Tunc Aldemir (Ed.), Advanced Concepts in Nuclear EnergyRisk Assessment and Management, World ScientificPublishing Company Pte. Ltd, Singapore, 2017.
[6] J.M. Izquierdo, I. Ca~nam�on, TSD, a SCAIS Suitable Variant ofthe SDTPD. Presented at ESREL-2008 and 17th SRA EuropeAnnual Conference, Valencia (Spain), Sep 2008.
[7] J.M. Izquierdo, J. Hortal, M. S�anchez-Perea, E. Mel�endez, CSNExperience in the Development and Application of aComputer Platform to Verify Consistency of Deterministicand Probabilistic Licensing Safety Cases [Internet]. Vol I.General Approach and Deterministic Developments; CSNpublication, Colecci�on Otros Documentos, 40.2016 [citedMarch 2017]. Available from: https://www.csn.es/documents/10182/1012054/ODE-04.22þCSNþExperienceþinþtheþDevelopmentþandþApplicationþofþaþComputerþPlatformþtoþVerifyþConsistencyþofþDeterministicþandþProbabilisticþLicensingþSafetyþCasesþVolumeþI.þGeneralþApproachþandþDeterministicþDevelopments.
[8] J.M. Izquierdo, J. Hortal, M. S�anchez-Perea, E. Mel�endez, Whysequence dynamics matters in PSA: checking consistency ofprobabilistic and deterministic analyses, in: T. Aldemir (Ed.),Advanced Concepts in Nuclear Energy Risk Assessment andManagement, World Scientific Publishing Company Pte. Ltd,Singapore, 2017 (in press).
[9] R.H. Santos, A Standardized Methodology for the Linkage ofComputer Codes, Application to RELAP5/Mod3.2. NUREG/IA-0179, Office of Nuclear Regulatory Research, USNRC, USA,March 2000.
[10] J. Gil, I. Fern�andez, S. Murcia, J. Gomez, H. Marr~ao, C. Queral,A. Exp�osito, G. Rodrıguez, L. Iba~nez, J. Hortal, J.M. Izquierdo,M. S�anchez, E. Mel�endez, A code for simulation of humanfailure events in nuclear power plants: SIMPROC, Nucl. Eng.and Des. 241 (2011) 1097e1107.
[11] J.M. Izquierdo, J. Hortal, M. S�anchez-Perea, E. Mel�endez. AnIntegrated PSA Approach to Independent RegulatoryEvaluations of Nuclear Safety Assessments of SpanishNuclear Power Stations [Internet]. CSN publication,Colecci�on Otros Documentos, 28.2002 [cited March 2017].Available from: https://www.csn.es/images/stories/english/publications/ode-04_18_psa.pdf.
[12] C. Queral, L. Mena-Rosell, G. Jimenez, M. Sanchez-Perea,J. Gomez-Magan, J. Hortal, Verification of SAMGs in SBOsequences with Seal LOCA. Multiple damage domains, Ann.Nucl. Energy 98 (2016) 90e111.
[13] E. Mel�endez, R. Mu~noz-G�omez, CSN activities in precursoranalysis. NEA/CSNI/R(2003)11, in: Proceedings of the
Workshop on Precursor Analysis, 28e30 March, 2001 at theAssociation Vincotte Nuclear (AVN), 2001. Brussels, Belgium.
[14] E. Mel�endez, R. Herrero, Use of PSA model XML StandardFormats for V&V. Presented at the 2015 International TopicalMeeting on Probabilistic Safety Assessment and Analysis(PSA2015), Sun Valley (Idaho), Apr 26e30, 2015.
[15] C. Ib�a~nez-Llano, A. Rauzy, E. Mel�endez, F. Nieto, Hybridapproach for the assessment of PSA models by means ofbinary decision diagrams, Reliab. Eng. Syst. Safe 95 (2010)1076e1092, http://dx.doi.org/10.1016/j.ress.2010.04.016.
[16] E. Mel�endez, M. S�anchez-Perea, C. Queral, J. Mula, A.Hern�andez, C. Parıs. Standardized Probabilistic SafetyAssessment Models: First Results and Conclusions of aFeasibility Study. Presented at the 13th InternationalConference on Probabilistic Safety Assessment andManagement (PSAM 13), Seoul, Korea, 2e7 Oct, 2016.
[17] S.E. Galushin, J.M. Izquierdo, M. S�anchez-Perea,Transmission Functions and its application to the analysis oftime uncertainties in Protection Engineering, Process Saf.Environ. Protect. 92 (2014) 625e636, http://dx.doi.org/10.1016/j.psep.2013.07.004.
[18] United States Nuclear Regulatory Commission, SevereAccident Risks. An Assessment for Five US Nuclear PowerPlants, NUREG 1150, 1989.
[19] D. Mandelli, A. Yilmaz, T. Aldemir, K. Metzroth, R. Denning,Scenario clustering and dynamic probabilistic riskassessment, Reliab. Eng. Syst. Safe. 115 (2013) 146e160.
[20] L. Ib�a~nez, J. Hortal, C. Queral, J. G�omez-Mag�an, M. S�anchez-Perea, I. Fern�andez, E. Mel�endez, A. Exp�osito, J.M. Izquierdo,J. Gil, H. Marrao, E. Villalba-Jabonero, Application of theintegrated safety assessment methodology to safetymargins. Dynamic event trees, damage domains and riskassessment, Reliab. Eng. Syst. Safe. 147 (2016) 170e193.
[21] J. Montero-Mayorga, C. Queral, J. Rivas-Lewicky, J. Gonz�alez-Cadelo, Effects of RCP trip when recovering HPSI during LOCAin a Westinghouse PWR, Nucl. Eng. Des. 280 (2014) 389e403.
[22] M.J. Rebollo, C. Queral, G. Jimenez, J. Gomez-Magan,E. Mel�endez, M. Sanchez-Perea, Evaluation of the offsite dosecontribution to the global risk in a Steam Generator TubeRupture scenario, Reliab. Eng. Syst. Safe. 147 (2016) 32e48.
[23] A. Flores, J.M. Izquierdo, K. Tu�cek, E. Gallego, Assessment ofdamage domains of the High-Temperature Engineering TestReactor (HTTR), Ann. Nucl. Energy 72 (2014) 242e256.
[24] Nuclear Energy Agency, Informing Severe AccidentManagement Guidance and Actions through AnalyticalSimulations, Report of the Working Group on Analysis andManagement of Accidents, Paris, France, 2017 (in press).
