As discussed before, risk importance measures are used in many applications to address issues relating to the regulation and operation of NPPs. As discussed in this monograph, these measures provide useful inputs and allow the PRA models of NPPs to present results that are directly applicable to the issues to be addressed. In these applications, the information obtained from these measures should be viewed in the context of their limitations, some of which are discussed here. The last two points (i.e. 6 and 7) discuss some aspects and limitations of the methods specifically considered in previous sections of this monograph.
1. PRA quality and scope
A PRA with an appropriate capability and quality is needed for calculation of risk importance measures for the SSCs. In many applications where risk importance measures have been used, PRA quality has been discussed and emphasized. Without a quality PRA that includes appropriate modeling and applicable data, the risk importance measures can have large uncertainties associated with them, making them unusable. In some situations, the PRA scope may not cover all internal and external hazards. In that case, when categorizing the SSCs as safety-significant or non-safety-significant for different applications, adequate consideration, in addition to that obtained from the risk importance measures, should be given to the hazards not covered.
2. Varying levels of uncertainty and different degrees of conservatism in the spectrum of risk contributors
When a PRA is available that addresses the full scope of hazards as well as the shutdown operation mode, it is expected that the level of uncertainty and the degree of conservatism in the different risk contributors (e.g., fire, seismic, at-power vs shutdown) will differ. A single risk importance measure calculated by an integrated model is a useful input, but it may mask the contribution of individual risk contributors that may need consideration. Care should be taken in the use of such importance measures. Usually, separate evaluations are conducted for the contributors along with an integrated measure, and a qualitative consideration by a group of experts from different disciplines is used. In this way, the varying levels of uncertainty and degrees of conservatism are given due consideration.
3. Adequate modeling of the SSCs in the PRA
The PRA model for an NPP includes many SSCs, and the risk importance measures obtained using the PRA model include the basic events for a long list of components. In many cases, the user evaluates the list to make a judgment about the SSCs. It may be tempting to judge that a component is not risk-significant because no basic event belonging to the component appears in the list. It is possible that the SSC did not appear in the list because the SSC was not modeled or its appropriate failure mode was not included. Use of an expert panel or a review of the PRA model can address such situations.
An additional point for consideration is that a certain SSC may be included in the PRA model implicitly, e.g. as a part of an initiating event (IE). It may be possible to address the implicit contribution, for example, by expressing the importance of the SSC with respect to the PRA element considered (e.g. FC of the SSC with regard to the IE frequency) and combining it with the importance of the PRA element itself (e.g. FC of an IE).
4. Truncation level used to calculate risk importance measures
A PRA assesses a large number of accident sequences to calculate CDF and LERF. To manage the process, accident sequence cutsets are truncated when estimating accident sequence frequencies, CDF and LERF. An appropriate truncation level should be used to avoid any underestimation. This issue becomes particularly relevant when conditional risk calculations, as needed for risk importance measures, are performed. In general, the selected truncation level should support an overall CDF/LERF value that has converged, with the unaccounted-for frequencies sufficiently low to provide confidence that the calculated risk importance measures are accurate.
Some guidance in this regard is available in different documents. NEI 00-04 [17] provides the following guidance. It recommends a CDF (or LERF) truncation level of five orders of magnitude below the baseline CDF (or LERF) when calculating the F-V risk importance measure. For example, if the internal events, full power CDF baseline value is 1E-5/yr, a truncation level of at least 1E-10/yr is recommended.
When the RAW risk importance measure is calculated, which requires calculation of the conditional CDF/LERF for the component being unavailable, the truncation level should be given attention. If it is calculated by full re-solution of the PRA model, then the truncation level should not significantly affect the calculation. A truncation level of 1E-9/yr is considered reasonable by NEI 00-04 [17]. If the model relies on a pre-solved set of cutsets to calculate the CDF, then the RAW values may be underestimated. First of all, it must be checked that all safety functions are represented and that the SSC in question is not truncated out of the pre-solved cutsets. Sensitivity analyses may need to be performed to identify the appropriate truncation level to ensure that the CDF and LERF calculations are sufficiently accurate to obtain accurate risk importance measures.
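The following added example (not from the monograph or NEI 00-04) reproduces the RAW underestimation described above on a constructed three-cutset model. The event names, probabilities and the rare-event sum used for quantification are assumptions, and the full cutset list stands in for re-solving the fault tree logic.

```python
from math import prod

# Constructed inputs (not from the monograph): initiator frequency per year
# and basic-event failure probabilities.
P = {"IE": 1.0, "A": 1e-3, "B": 1e-2, "D": 1e-4, "C": 1e-4, "X": 1e-7}
# Full list of minimal cutsets; it stands in for the complete PRA logic model.
MODEL = [("IE", "A", "B"), ("IE", "A", "D"), ("IE", "X", "C")]

def freq(cutset, p):
    """Frequency of one cutset, assuming independent basic events."""
    return prod(p[e] for e in cutset)

def solve(p, truncation):
    """One 'solution' of the model: cutsets at or above the truncation level."""
    return [cs for cs in MODEL if freq(cs, p) >= truncation]

def cdf(cutsets, p):
    """Rare-event approximation: sum of the cutset frequencies."""
    return sum(freq(cs, p) for cs in cutsets)

def truncated_out(event, truncation=1e-10):
    """True if no retained baseline cutset contains the event."""
    return all(event not in cs for cs in solve(P, truncation))

def raw_presolved(event, truncation=1e-10):
    """RAW from re-quantifying the baseline cutset list with the event failed."""
    base = solve(P, truncation)
    failed = {**P, event: 1.0}
    return cdf(base, failed) / cdf(base, P)

def raw_resolved(event, truncation=1e-10, cond_truncation=1e-9):
    """RAW from re-solving with the event failed, then truncating."""
    failed = {**P, event: 1.0}
    conditional = cdf(solve(failed, cond_truncation), failed)
    return conditional / cdf(solve(P, truncation), P)

if __name__ == "__main__":
    for ev in ("A", "X"):
        print(ev, truncated_out(ev),
              round(raw_presolved(ev), 2), round(raw_resolved(ev), 2))
```

Event X sits only in a 1E-11/yr cutset, so the pre-solved list reports it as having no risk impact, while re-solution with X failed recovers a 1E-4/yr cutset.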
5. Defense in depth and safety margin considerations
In making decisions using risk importance measures, due consideration should be given to fundamental principles for ensuring safety in NPPs. As discussed earlier, these are referred to as deterministic considerations that have proven effective in ensuring safety. In defining an SSC to be low safety significance, it is appropriate to confirm that defense-in-depth and safety margins are preserved in addition to the results of risk importance measures.
The defense-in-depth assessment ensures that adequate redundancy and diversity will be retained in design basis accidents. This assessment evaluates the SSC functions with respect to core damage mitigation, early containment failure/bypass, and long-term containment integrity. Existing safety margins for SSCs arising from the design technical and functional requirements should also not be compromised. A systematic consideration of defense-in-depth and safety margin is discussed in Regulatory Guide 1.174 [38], and NEI 00-04 [17].
6. Complex models of a component in FTs in a PRA
One can easily imagine more and more complex models of a “component” in FTs in a PRA, such as: different FT modules (sub-trees) applying in different ET sequences, which share some basic events (i.e. they are not independent) and some of those basic events are involved in CCF groups, etc. However, it is believed that calculation of component-level importance measures for such complex cases can be made by combining the principles and formulas from the cases discussed in the monograph.
To make an outline of an approach toward determining the component-level importance measures in a general case we can offer the following points:
The process can also start with a measure other than FC, if more convenient.
7. Limitations of methods discussed
To close this section, we recapitulate the limitations and main assumptions involved in the methods discussed in this monograph. The very first one, introduced in Section 5.1, is that the probability of a top event, P(B), as designated throughout the monograph, can be taken as a representative or surrogate for the quantitative risk (R). The next one, postulated in the same Section 5.1, is that this top event (e.g. reactor core damage) is expressed in terms of a logic sum of minimal combinations of failures (minimal cutsets). This basically means that the discussions are limited to PRAs developed by the “fault tree linking” approach, as emphasized in 5.1. There are other PRA approaches, such as “event tree linking” (with event trees in which function events in sequences are made mutually independent by use of initial/boundary conditions and states) or binary decision diagrams (BDDs), which were not discussed in this monograph. This was so because it could not have been done without the “monograph” becoming a “much larger book”, which was not possible for different practical reasons. (We do, however, still believe that many of the discussions are applicable to and can be used with other approaches.)
The above assumption made it, in turn, possible to express the top event by the general logic form B = L + CA (5-3), which, under a couple of other approximations, made it possible to establish the relation between FC and RAW (5-17), which is one of the key points of the whole discussion. The approximations mentioned were explained in Section 5.4, and a claim was made that they would not make a relevant difference in practical PRA applications as long as the failures involved in minimal cutsets are low probability events. This claim was explored in several examples in Appendix B, which have indeed shown that it would not make a relevant difference with the simplified PRA model used in those exercises, described in B.1. (The simplified PRA model used failure probabilities and initiator rates in the range of those used in the PRAs conducted for operating NPPs.)
The question which can be immediately raised is what happens if not all basic events involved in MCSs are low probability events, i.e. what kind of impact this would have on the calculated importance measures. (The “question within the question” could be what it actually means to say “low probability events”. Without going into a long discussion, let the following explanation be offered: those are events which, when the top event probability is calculated, produce a reasonably small difference between the results obtained by the “Mincut Upper Bound” and the 2nd order approximation in the inclusion-exclusion principle. An example of a “reasonably small difference” can be several percent or up to 10%, rather than a difference by a factor.) The above question does not have a straightforward and easy answer, and it is, apparently, related to the limits or boundaries of the PRA approach with “fault tree linking” and a single list of minimal cutsets for the top event. Once “non-low probability” failure events start to be introduced into a PRA model on a large scale, their complements (i.e. success events) would also need to be included in the combinations of events. Explicit presentation of complements in combinations of (basic) events opens many other questions and, ultimately, leads to other PRA approaches, some of which were mentioned above and were not addressed in this monograph.
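The “low probability” criterion above can be checked numerically, as in this added example (not from the monograph). It compares the Mincut Upper Bound with the 2nd order inclusion-exclusion approximation for a constructed two-out-of-three cutset list, assuming independent basic events; the 10% tolerance is the upper figure quoted in the text.

```python
from itertools import combinations
from math import prod

# Constructed cutset list: failure of any two of three trains A, B, C.
CUTSETS = [("A", "B"), ("A", "C"), ("B", "C")]

def uniform(q):
    """Assign the same failure probability q to every basic event."""
    return {e: q for e in "ABC"}

def cutset_prob(events, p):
    """Probability that all listed (independent) basic events occur."""
    return prod(p[e] for e in events)

def mincut_upper_bound(cutsets, p):
    """MCUB: 1 - prod(1 - P(MCS_i))."""
    return 1.0 - prod(1.0 - cutset_prob(cs, p) for cs in cutsets)

def inclusion_exclusion_2nd(cutsets, p):
    """First two inclusion-exclusion terms: sum P(Ci) - sum P(Ci and Cj)."""
    first = sum(cutset_prob(cs, p) for cs in cutsets)
    # The joint occurrence of two cutsets is the union of their basic events.
    second = sum(cutset_prob(set(a) | set(b), p)
                 for a, b in combinations(cutsets, 2))
    return first - second

def relative_gap(cutsets, p):
    """Relative difference between MCUB and the 2nd order approximation."""
    ie2 = inclusion_exclusion_2nd(cutsets, p)
    if ie2 <= 0.0:
        # The 2nd order sum is a lower bound and can collapse to zero or
        # below when probabilities are high; treat that as an unbounded gap.
        return float("inf")
    return abs(mincut_upper_bound(cutsets, p) - ie2) / ie2

def low_probability_regime(cutsets, p, tolerance=0.10):
    """True if the two approximations agree within the tolerance."""
    return relative_gap(cutsets, p) <= tolerance

if __name__ == "__main__":
    for q in (1e-3, 0.05, 0.5):
        gap = relative_gap(CUTSETS, uniform(q))
        print(f"q={q}: gap={gap:.2%}, low={low_probability_regime(CUTSETS, uniform(q))}")
```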
As a last remark in this section, let it be pointed out that the discussion of importance measures in the monograph was focused on the base case PRA models and results, which reflect long-term averaged risk, rather than on applications which reflect conditional risk, such as configuration risk monitoring. Direct use of risk measures such as RAW for configuration risk monitoring (i.e. to directly calculate conditional risk measures), although possible in principle, should be done with due caution in order not to neglect condition-specific aspects (which may, for example, include restorability of equipment out of service due to preventive maintenance). Those additional aspects relevant for particular PRA applications (as compared to the base case model) were not considered in the discussions, with the exception of some brief mentions in the sections devoted to failure modes or components involved in a CCF group.