Download hardcopy - Meetings and Conferences Online Home Page

Foreword
Dear Colleagues:
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Welcome to Wilmington, North Carolina, the site of the 2011 International Topical Meeting on Probabilistic Safety Assessment,
(PSA 2011). This is the most recent of a series of topical meetings on PSA sponsored by the American Nuclear Society
Nuclear Installation Safety Division. The Wilmington Local Section of American Nuclear Society is proud to act as the
host for this important meeting.
In addition to the society sponsorship we would like to recognize our other sponsors. Our major sponsors include ERIN
Engineering and Research, GE Hitachi Nuclear Energy, and Scandpower. Additional exhibitors and sponsors include Engineering,
Planning & Management, Inc. (EPM), Curtiss Wright Flow Control (Scientech), Maracor, Nuclear Safety Associates
(NSA), Sandia National Labratories, and Westinghouse.
The purpose of PSA 2011 is to provide a world stage for presenting and discussing the development and evolution of
proba¬bilistic methods and their use in the risk management of nuclear facilities. Although we consider PSA to be a mature
technology, we continue to see changes and improvements in the methods and standards as a result of new applications,
particularly as it applies to the development of risk management methods and approaches, as well as, in advanced reactor
design. The changes in PSA methods are evident in technical areas such as Fire PSA, Seismic PSA, Passive Design PSA,
and Dynamic PSA, all of which are focus areas for PSA 2011. These changes highlight the importance of the PSA 2011
conference, where many of the PSA advancements will be shared and discussed. Important issues such as aging workforce
and translating PSA insights to organizational risk management approaches are important aspects for improving and maturing
our technology for the next generation of risk practitioners. The PSA conference will continue to grow in importance for
knowledge management and learning, which is why we have sponsored additional student participation and a best student
paper award for the conference.
We encourage you to take some time and attend a session or two outside of your area of specialty and learn about the
diversity of applications of Probabilistic Safety Assessment. We also encourage you to ask questions and get into extensive
dialogue with other attendees, which helps build new bridges and broadens our field of thinking while making some new
friends in the process.
Approximately 250 full papers have been contributed from the international community, and we are proud of the additional
international participating from outside the US including papers from over 25 countries and registrants from over 30 countries.
We appreciate our Technical Program Co-Chairs’ efforts to organize this expanded participation.
On behalf of the members of the organizing committee we invite you to actively participate in the conference and wish you
a great stay in Wilmington. We hope you can experience true southern hospitality during your stay, so feel free to call upon
any of the local participants to assist you during your visit.
Rick Grantom Dennis Henneke
General Chair Technical Program Chair
1

2
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Acknowledgement
The Probabilistic Safety Analysis (PSA) 2011 Conference Organizing Committee wishes to express our gratitude to the
many people and organizations that have contributed to this conference. The ANS’ Nuclear Installation Safety Division
(NISD) and the Wilmington Local Section of the ANS provided volunteers that organized and managed the Wilmington, NC,
topical meeting. The financial and logistical support provided by contributing sponsors significantly enhanced the conference
experience.
In particular, the NISD acknowledges each author and participant for your interest, technical contributions and willingness to
actively participate. Each participant’s paper and presentation represents a significant investment, sometimes summarizing
years’ worth of effort by the authors. These authors’ efforts are invaluable in the PSA community.
The PSA 2011 Conference organizing committee acknowledges the significant contributions of our sponsors, ERIN Engineering
and Research, GE Hitachi Nuclear Energy and Scandpower, along with Curtiss Wright Flow Control (Scientech),
Engineering Planning & Management, Inc. (EPM), Maracor, Nuclear Safety Associates (NSA), Sandia National Laboratories
(SNL) and Westinghouse.
There were numerous individuals that disseminated the notice of this meeting and encouraged submission of technical papers.
This support facilitated a very strong performance by the Technical Program Committee with nearly 260 papers from
over 30 countries.
In particular, the ANS NISD acknowledges the following individuals for their volunteer efforts and dedication to facilitate the
technical program of this conference; Dennis Henneke, Dr. Enrico Zio, Kohei (Kevin) Hisamochi, Joon-Eon Yang, David
Johnson, Dr. Nathan Siu and Dr. Bulent Alpay.
The management and organization of PSA 2011 was made possible by the volunteer effort and dedication of the following
individuals, Drs. Phillip & Karen Ellison, Dr. Theron Marshall, Dr. Kurshad Muftuoglu, Rick Grantom, Matthew Warner, Dr.
John Bennion, Lisa Marshall, Dr. Jonathan Li, Tyler & Lauren Schweitzer, Glen Seeman, Randy Morrill, Jim Fawks, Elizabeth
Dunn, Jesus G Diaz-Quiroz, Benjamin Schmidt, James Young and Jose Caro.
In addition, the conference organization committee acknowledges insights provided from the PSA 2008 organization committee
and the NISD PSA steering committee members: Dr. Robert Budnitz, Dr. Charles Martin, Dr. Ian Wall and Dr. Kevin
O’kula. These insights and the contributions from Drs. George Apostolakis, Michael Corradini and John Kelly are seen
throughout the program’s organizations.
Of particular note are the invaluable contributions made by Mrs. Hanna Shapira of Techno-Info Comprehensive Solutions
(TICSs) on the Web Site design and Online Software. The conference organization committee expresses our sincere appreciation
for the professionalism, technical skill, and patience she provided.
Best Regards
Dr. Phillip G. Ellison
Co-Chair: PSA 2011 Conference

Welcome
March 2011
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
SCIENTECH WELCOMES YOU TO PSA 2011
Welcome to Wilmington! Scientech, a business unit of Curtiss-Wright Flow Control Company,
is pleased you are here. As the sponsor of the golf outing, we look forward to seeing you on the
links and throughout the conference.
Scientech is a worldwide provider of expert services and products to the nuclear power industry
and is dedicated to providing solutions to the current and future fleet. We are currently
participating in full scope internal event upgrade and fire PRA projects for several sites. The fire
PRA projects are full-scope risk-informed performance-based projects for transitioning from
Appendix R to NFPA-805 (10CFR 50.48 (c)). We have successfully completed internal event
and fire PRA peer reviews. For the fire PRAs we have developed reasonable (albeit conservative)
and defensible results without implementing major plant modifications. We have been able to
implement a standardized approach, improving our efficiency and addressing the uncertainties
inherent in the modeling approaches contained in NUREG/CR-6850. In addition to US clients,
international clients are pursuing this area; and we expect additional international projects to start
very soon.
Future opportunities abound for using risk informed, performance based approached to support
further improvements in safety focus and performance.
Scientech and our sister nuclear-focused companies in Curtiss-Wright Flow Control (EES, EMD,
Enertech, EST Group, NETCO, Nova Machine, QualTech NP, Solent & Pratt and Target Rock)
have the resources to support the critical needs of the nuclear power industry… today and in the
future.
We look forward to a great week with many engaging conversations and technical sessions.
Sincerely,
Jim Chapman
Director Safety and Risk
Scientech, Curtiss Wright Flow Control
1540 International Parkway
Suite 2000
Lake Mary, Florida 32746
Phone: 407-536-5338
Fax: 407-536-5156
Cell: 978-870-0432
jchapman@curtisswright.com
3

4
Welcome
March 2011
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Dear PSA 2011 Attendee,
Maracor welcomes you to PSA 2011. We are pleased to be a sponsor of this important
conference, and a number of our staff will be presenting papers throughout the next few
days. With such a diverse spectrum of presentation topics, we are sure that you will leave
the conference with information that will help you to do your work more efficiently and
effectively.
Maracor provides analytical consulting services and technical software development,
primarily for the electric utility industry. For more than eight years, we have provided
high-quality products and services to over one-half of the nuclear power stations in the
US, as well as other clients around the world. Our experienced staff has a proven track
record of technical capability, customer service, and on-time product delivery. We
provide PSA development and update support, Configuration Risk Management, PSA
applications, reliability analysis, maintenance optimization, software applications, and
cost-benefit analysis services.
We hope that you will stop by our exhibit booth on Sunday or Monday. We would be
happy to discuss our capabilities and experience with you.
Sincerely,
Thomas Morgan
President

Welcome
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
5

6
Welcome
March 2011
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Welcome to PSA 2011!
To our fellow Risk Management Professionals:
EPM welcomes you to Wilmington and to the 12 th International Topical Meeting on Probabilistic Risk
Assessment and Analysis.
Engineering Planning and Management was founded more than 30 years ago to provide consulting services to
the nuclear industry, primarily in the areas of fire protection, Appendix R, equipment qualification and licensing
support. With the industry move toward a risk informed regulatory environment and the transition of many
plants to NFPA 805 in particular, EPM has evolved and now provides risk management services as well. A little
more than two years ago, the EPM Risk Solutions Division was formed to enable EPM to provide the full
spectrum of services for plants making the move from Appendix R to NFPA 805 as the basis for their fire
protection program. The core team of the Risk Solutions Division is made up of industry professionals that have
been providing PRA and safety analysis expertise to the nuclear industry close to three decades. The Risk
Solutions Division is currently developing Fire PRAs for several clients and has also provided support for SDPs,
HRA, thermal hydraulics and other general PRA support. EPM developed the GENESIS software suite for
managing cable and raceway, safety systems, and fire protection information, and for performing safe
shutdown / nuclear safety system analyses. The EPM Risk Solutions Division is also developing the PRISM
software to visually display equipment damage due to fire scenarios and prepare the files necessary for
quantification of the Fire PRA.
As a new addition to the nuclear risk analysis community, EPM is excited to be a part of PSA 2011. We feel that
we bring a fresh perspective to the industry with additional insights from the utility perspective. We will be
presenting several papers on topics dealing with Fire PRA and Fire HRA, and we intend to establish a long
tradition of participation in these events.
We hope you enjoy the conference and the beautiful Wilmington area this week!
James Masterlark
Division Manager
Risk Solutions Division

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wilmington, NC March 13-17, 2011
Organizing Committee
Honorary Chair Dr. George Apostolakis, Commissioner, US Nuclear Regulatory
Commission
General Chair Rick Grantom, South Texas Project
General Co-Chair Dr. Phillip G Ellison, GE Hitachi Nuclear Energy (GEH)
Technical Program Chair Dennis Henneke, PE, GEH
Co-chair Europe Dr. Enrico Zio, Ecole Centrale Paris-Supelec, France & Politecnico
di Milano, Italy
Co-chair Korea Dr. Joon-Eon Yang, KAERI (Korea)
Co-chair Japan Kohei (Kevin) Hisamochi, Hitachi GE Nuclear Energy (Japan)
Finance Dr. Theron Marshall, GEH
Publications
Hotel & Exhibits
Dr. Kurshad Muftuoglu, GEH
Dr. Karen Ellison, GEH
Apostolakis
Registration Matthew Warner, GEH
Student Coordinators Ms. Lisa Marshall, NC State and Dr. John Bennion, GEH
Tours and Special Events: Tyler Schweitzer, Glen Seeman, and Randy Morrill, WLS
ANS Local Section Coordinator Jose Caro and Jim Fawks, Wilmington Area Local Section of ANS (WLS)
Web site Bulent Alpay, GEH
Web Site, Online Software Hanna Shapira, Techno-Info Comprehensive Solutions (TICSs), Oak Ridge, TN
Grantom P. Ellison Henneke Zio Yang
Hisamochi T. Marshall Muftuoglu K. Ellison Warner
L. Marshall Schweitzer Seeman Morrill Shapira
7

8
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wilmington, NC March 13-17, 2011
Technical Program Committee
Technical Program Chairs
General Dennis Henneke, GE Hitachi Nuclear Energy
Co Chair Europe Dr. Enrico Zio, Ecole Centrale Paris-Supelec, France & Politecnico di Milano, Italy
Co Chair Korea Dr. Joon-Eon Yang, KAERI
Co Chair Japan Kohei (Kevin) Hisamochi, Hitachi GE Nuclear Energy Craig Smith, NPS
Steering Committee
Dr. Robert Budnitz Lawrence Berkley National Laboratory
Dr. Charles Martin Defense Nuclear Facilities Safeguards Board
Dr. Kevin O’Kula URS Safety Management Solutions, LLC
Dr. Ian Wall Consultant
Technical Program Committee Members
Ana Gomez-Cobo, NII (UK)
Andrea Maioli, Westinghouse
Artur Lyubarskiy, IAEA
Barbara Baron, Westinghouse
Bill Burchill, Consultant (Past President ANS)
Bulent Alpay, GE Hitachi Nuclear Energy
Chang-Ju Lee, KINS (Korea)
Dana Kelly, Idaho National Laboratory
Dave Miskiewicz, Progress Energy
David Finnicum, Westinghouse
David Johnson, ABS Consulting
Derek Muliin, NB Power (Canada)
Dominique Vasseur, EDF (France)
Dragan Komljenovic, Hydro-Quebec, Nuclear Generating
Station Gentilly-2 (Canada)
Elmira Popova, University of Texas at Austin
Enrique Lopez Droguett, Universidade Federal de Pernambuco
(Brazil)
Eric Jorgenson, Maracor
Francesco Cadini, Politecnico di Milano (Italy)
Francisco Mackay, (Chile)
Gareth Parry, Consultant/Retired
Gerry Kindred, Scientech
Gopika Vidod, BARC, Trombay (India)
Greg Krueger, Exelon
Gunnar Johanson, ES-Konsult (Sweden)
Hitoshi Muta, Japan Nuclear Energy Safety Organization
Igor Bodnar, Argonne National Laboratory
James Reeves, Global Nuclear Fuels
Jan Vanerp, Argonne National Laboratory
Jeff LaChance, Sandia National Laboratory
Jerry Phillips, Idaho National Laboratory
Jim Chapman, Scientech
Jim Young, GE Hitachi Nuclear Energy
John Andrews, University of Nottingham
Jonathan Li, GE Hitachi Nuclear Energy
Jonathan Rohner, Global Nuclear Fuels
Ken Canavan, Electric Power Research Institute
Kevin O’Kula, URS Corporation, LLC
Lemmer Lusse, PBMR (South Africa)
Luca Podofillini, Paul Scherrer Institute (Switzerland)
Mariano J. Fiol, Iberdrola (Spain)
Marina Röwekamp, GRS (Germany)
Marty Sattison, Idaho National Laboratory
Matt Warner, GE Hitachi Nuclear Energy
Michael Golay, MIT
Mike Snodderly, US NRC
Mohammad Pourgol-Mohammad, FM Global
Moosung Jae, Hanyang University (Korea)
Nathan Siu, US NRC
Oleg Kocharyants, Zaporozhye Nuclear Power Plant
(Ukraine)
Pamela Nelson, UNAM (Mexico)
Parviz Moieni, Southern California Edison
Piero Baraldi, Politecnico di Milano (Italy)
Pierre-Etienne Labeau, Universite’ Libre de Bruxelles
(Belgium)
Ranbir Parmar, NSS Limited (Canada)
Raymond Gallucci, US NRC
See Meng Wong, US NRC
Shahen Poghosyan, NRSC (Armenia)
Stanley Levinson, AREVA NP
Steve Nowlen, Sandia National Laboratory
Stuart Lewis, Electric Power Research Institute
Terje Aven, University of Stavanger (Norway)
Tim Wheeler, Sandia National Laboratory
Todd Paulos, Alejo Engineering
Tom Morgan, Maracor
Tsu-Mu Kao, INER (Taiwan)
Vesna Dimitrijevic, AREVA NP
Vesselina Ranguelova, Joint Research Centre, European
Commission (Netherlands)
Vincent Ho, MTR (Hong Kong)
Wolfgang Kroger, ETH Zurich (Switzerland)
Woo Sik Jung, KAERI (Korea)
Yolanda Akl, Canadian Nuclear Safety Commission
(Canada)
Young In, Maracor
Yukihiro Kirimoto, CRIEPI

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
General Information
Registration
Registration is required for all attendees and presenters.
Badges are required for admission to all events.
Full Conference Registration Fee includes: Technical sessions,
continental breakfast, morning & afternoon breaks
(Mon. through Thu.), and proceedings’ CD. Special events
included are Sun. night reception (heavy hors d’oeuvres),
Mon. afternoon reception, Tuesday night banquet, Wednesday
Student Awards Lunch and Wednesday night Social.
1D Registration Fee includes: Continental breakfast, morning
& afternoon breaks, proceedings’ CD, and the evening event
for that day (based on availability).
Student Registration Fee includes: All technical sessions,
continental breakfast, morning & afternoon breaks (Mon.
through Thu.), Proceedings’ CD, the Wednesday Student
Awards Lunch, and the Wednesday night Social.
Retiree Registration Fee includes: Same as student plus
Sunday night reception.
Guest Registration Fee includes: Hospitality suite for all days,
the Sunday night reception and Wed. night Social. Registration
for additional guest events and the Tuesday night banquet
is optional.
Conference Proceedings
Conference Proceedings, in CD-ROM format, are included
with the program book. Please check the vinyl pocket inside
the back cover of the program book.
Meeting Registration Desk
Next to the Grand Ballroom
Sunday 2:00 PM – 6:00 PM
Monday 7:00 AM – 4:00 PM
Tuesday 7:00 AM – 4:00 PM
Wednesday 7:00 AM – 4:00 PM
Thursday 7:00 AM – Noon
Guidelines for Speakers
There will be six parallel sessions. Each presentation will
last 15 minutes, followed by a five minutes for questions.
The remaining time in the session will be used for further
discussion on the topic. In order to allow conference participants
to attend the presentation of papers in different sessions
in a timely manner, we, as organizers, will request the
chairpersons to comply with the time schedule rigorously.
In view of the given time constraints, please make sure that
your presentation fits within the prescribed 20-minute limit
leaving adequate time for questions from the audience.
The conference rooms will be equipped with a laptop
computer, an LCD projector, and a microphone. Microsoft
Windows XP, MS Office (PowerPoint) 2010, and the latest
Adobe Acrobat Reader (PDF reader) will be installed on the
computers. Presenters using the provided computer are
expected to preload their presentation slides in the computer
at the beginning of the respective session.
All presenters are to report to the Session Chair at the assigned
room 10 minutes before the start of the session. On
the day of your presentation, you may load and test your
presentation slides on the computer at the assigned room
during the tea/coffee/lunch break before the session.
It is highly encouraged to test the presentation (especially
if you have animation) at the lobby area where two computers
with the same settings as that in the session room will
be provided.
We highly recommend that you create a PDF version of the
presentation so that you can switch to the PDF in case of a
problem with the PowerPoint.
A microphone will be used for the presentation, please
make sure that you keep close to the microphone during
your talk.
When developing your presentation slides and material,
please keep in mind the diversity of the audience at PSA
2011. Many of the attendees are new to PSA, and almost
half of the attendees are non-US. We recommend two
simple guidelines you keep in mind: 1) Try to include 2-3 introduction
slides, which provide background on the subject
area. This might be as simple as “What is Proliferation Risk
Assessment?” or “How is Fire Modeling use in a Fire PRA,”
or however you can easily introduce your subject area;
and 2) Spell out all acronyms and abbreviations. You may
know what an SRP from the NRC is, but half the audience
will likely not. Keeping the diversity of the audience in mind
when developing your presentation will help communicate
your presentation material to the largest audience.
9

10
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Things to do in Wilmington
From the Hilton, take a walk on the River Walk along the Cape Fear River, take a ride on a Cape Fear Riverboat or catch
the free downtown trolley. Other attractions include:
Cape Fear Museum of History and Science
814 Market Street
Featured Exhibits include Photography in Focus and Going
to the Movies
www.capefearmuseum.com
Battleship North Carolina
#1 Battleship Rd
Moored in quiet dignity and majesty the Battleship NORTH
CAROLINA, across the river from downtown Wilmington,
beckons visitors to walk her decks. Envision the daily life
and fierce combat her crew faced in the Pacific Theatre
during World War II.
http://www.battleshipnc.com/
Airlie Gardens
Established in 1901, Airlie Gardens is a valuable cultural
and ecological component of New Hanover County and
North Carolina history. After celebrating more than a
century of gardens by the sea, Airlie continues to amaze
visitors with its breathtaking combination of formal gardens,
wildlife, historic structures, walking trails, sculptures, views
of Bradley Creek, 10-acres of freshwater lakes, and the
grandeur of the 462-year-old Airlie Oak. The Gardens are
known for a collection of over 100,000 azaleas and countless
camellia cultivars, which bloom throughout the winter
and early spring.
http://www.airliegardens.org/
Bellamy Mansion
The Bellamy Mansion is one of North Carolina’s most spectacular
examples of antebellum architecture built on the
eve of the Civil War by free and enslaved black artisans,
for John Dillard Bellamy (1817-1896) physician, planter
and business leader; and his wife, Eliza McIlhenny Harriss
(1821-1907) and their nine children. After the fall of Fort
Fisher in 1865, Federal troops commandeered the house
as their headquarters during the occupation of Wilmington.
Now the house is a museum that focuses on history and
the design arts and offers tours, changing exhibitions and
an informative look at historic preservation in action.
http://www.bellamymansion.org/
Greenfield Park and Gardens
The park is located on Burnett Boulevard off South 3rd
Street. A 5-mile scenic drive surrounds the 250-acre city
park with lake, 20-acres of gardens, nature trail and a walking/biking
trail looped through dense cypress swamp. Skate
park, canoe and paddleboat rentals.
http://www.wilmingtonnc.gov/community_services/parks_
landscaping/parks/city_parks.aspx
North Carolina Aquarium at Fort Fisher
900 Loggerhead Road, Kure Beach
www.ncaquariums.com/fort-fisher
Ghost Walk of Old Wilmington
Riverfront at Market & Water Streets
Join locally renowned actors and ghost hunters on a journey
into the depths of Old Wilmington.
www.hauntedwilmington.com
Cameron Art Museum
3201 S. 17th Street
Museum committed to arts education, and presents exhibitions
and public programs of both historical and contemporary
significance.
www.cameronartmuseum.com
Nearby beaches include:
Wrightsville (12 miles away)
A clean, uncluttered stretch of white sand and sparkling
water just begs for swimming, sunbathing, beachcombing,
and fishing. The athletic at heart can take on the Loop, a
fitness trail that circles the inner island. Bargain hunters
gravitate to the beachside stores and distinctive, welcoming
shopping village. Boaters launch from full-service marinas,
and history buffs soak up the local museum and narrated
scenic cruises along the Intracoastal Waterway that offer
a glimpse into the island’s past. And clustered around
the bridge are some of the finest seafood restaurants on
the coast, along with vibrant nightspots. It’s all enough to
make visitors feel as if Wrightsville is still their own private
getaway island.
http://www.visitwrightsville.com/
Carolina Beach (16 miles away)
It’s all here: the fishing piers filled with kids and old-timers
alike angling for their first big one. The boardwalk, perfect
for evening strolls and ice cream cones. The arcades, as
challenging and addictive as when you were a teenager.
The gazebo, paddleboats and miniature golf. And of course
the clean, uncrowded ribbon of beach by the warm ocean
waters.
In addition to its nostalgic charm, Carolina Beach also
boasts an active charter boat basin – home to offshore
fishing excursions and nightly party cruises – a state park
full of coastal vegetation (think Venus Flytrap!), fine locally
owned restaurants, and shopping for everything from sunglasses
to surfboards to area souvenirs.
http://www.carolinabeachgetaway.com/
Cotton Exchange
321 N Front Street

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Things to do in Wilmington - continued
Nearby Restaurants *Open for Lunch
Circa 1922
8 North Front Street
Southern, International Cuisine
www.circa1922.com
Caffe Phoenix*
35 North Front Street
Fresh, innovative cuisine in a comfortable bistro style atmosphere
www.caffephoenix.com
Deluxe-Casual Upscale Dining
114 Market Street
New American style dinners, with the largest selection of
fine wines in the region, and one of Wilmington’s superior
brunches.
www.deluxenc.com
George On the Riverwalk
128 South Water Street
American, Pasta, Seafood, Southern, Steak Cuisine
Elijah’s Restaurant*
2 Ann Street
Casual American Grill and Oyster Bar on the Cape Fear
River
www.Elijahs.com
Pilot House Restaurant
2 Ann Street
Innovation in Southern Cuisine
www.pilothouserest.com
Front Street Brewery*
9 North Front Street
The only microbrew pub in Southeastern North Carolina
serving 9 handcrafted beers on tap and delicious food for
the entire family.
www.frontstreetbrewery.com
Eat Spot*
34 North Front Street
Great selection of good food and great service.
Slice of Life
122 Market Street
Pizza and casual Italian Food
Fat Tony’s
131 N. Front Street
Casual American Food
25 Unique Shops and 4 Distinct Restaurants
(German Café*, Paddy’s Hollow*, The Basics* and The
Scoop Ice Cream and Café*) directly across from the Hilton
www.shopcottonexchange.com
Nearby Golf Courses
(average March high temp 66°F/19°C)
Echo Farms Golf & Country Club
4114 Echo Farms Boulevard
www.echofarmsnc.com
Wilmington City Golf Course
311 South Wallace Avenue
Donald Ross designed
www.wilmington.nc.us
Cape Fear National
1281 Cape Fear National Drive
Leland, NC
www.capefearnational.com
Magnolia Greens
1800 Linkwood Dr
Leland, NC
www.manoliagreensgolf.com
Carolina National
1643 Goley Hewett Road Southeast
Bolivia, NC
www.carolinanationalgolf.com
Farmstead Golf Links
541 McLamb Rd NW
Calabash, NC
www.farmsteadgolflinks.com
11

12
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
March 13-17, 2011
Meeting Rooms

Ed Halpin - CEO STPNOC
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 8:00 AM - Grand Ballroom
Plenary Session I
Edward D. Halpin is President and Chief Executive Officer for the South Texas Project (STP)
Nuclear Operating Company. In this role, he is responsible for the overall strategic direction
of the company. Halpin also serves as the companyʼs Chief Nuclear Officer, responsible for
the safe and reliable operation of Units 1 & 2 as well as the oversight of licensing and construction
for Units 3 & 4. Upon completion of new construction, he will be responsible for the
overall operation of one the nationʼs largest commercial nuclear facilities – STP Units 1-4. In
his 22 years with the company, Halpin has advanced through positions of increasing responsibility
and leadership, including site vice president, vice president of oversight, vice president
and assistant to the CEO, plant general manager, operations manager, maintenance manager,
systems engineering manager and design manager. He joined STP in 1988 as a start up
engineer in the initial commercial operations of Unit 1 and the completion of Unit 2. His role
as system certification recovery manager in the 1993 NRC diagnostic evaluation was instrumental
in moving STP in the direction of operational excellence. He also played a key role in
developing and sustaining the companyʼs strong collaborative culture, which has been critical
to STPʼs transition to excellence.
Halpin served as an officer in the U.S. Navyʼs Nuclear Power Submarine Service.
In 1983, Halpin graduated with honors from the U.S. Naval Academy earning a Bachelor of Science in Ocean Engineering.
In 2002, he graduated as valedictorian with a masterʼs degree in Strategic Communication and Leadership from
Seton Hall University. He also recently earned a masterʼs degree in Human Development from Fielding Graduate University
(2010).
Additionally, Halpin has a Senior Reactor Operator Certification and is a graduate of the Institute of Nuclear Power
Operationsʼ Senior Nuclear Plant Management course, and the Senior Nuclear Executives Seminar.
Current & Past Memberships
• NEI Board of Directors
• Executive Advisory Group Institute of Nuclear Power Operations
• Community Incident Response Executive Advisory Committee (Nuclear Energy Institute)
• Communications Advisory Committee (Institute of Nuclear Power Operations)
• Nuclear Safety Review board for Callaway
• Council of the National Academy for Nuclear Training
• Westinghouse Customer First Advisory Board
• Brazosport Community College Foundation Board
Honors & Awards
• Valedictorian, Seton Hall University
• Engineering Honor Society United States Naval Academy (USNA)
• Phi Kappa Phi Honor Society (USNA)
• National Collegiate Boxing Association All-American (1983)
• Numerous awards and recognition as a submarine officer
Certifications
• Certified and active instructor for Crucial Conversations & Facilitative Leadership
13

14
Session Chair: Carol Smidts
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Azalea
10:00 AM
Modeling the Impact of Digital System Failure Into Probabilistic
Safety Assessment
Gopika Vinod, Santosh, V. V. S. Sanyasi Rao, K. K. Vaze and A. K. Ghosh
Bhabha Atomic Research Centre, Trombay, Mumbai
Nuclear power plants (NPPs) traditionally relied upon analog instrumentation and
control (I&C) systems for monitoring, control, and protection functions. With a shift in
technology from analog systems to digital systems with their functional advantages,
plants have begun such replacement, while new plant designs fully incorporate digital
I&C systems. However, digital systems have some unique characteristics, such as
using software, and may have different failure causes and/or modes than the analog
systems; hence, their incorporation into NPP probabilistic safety assessments (PSA)
entails special challenges. This paper highlights our recent work in incorporating contribution
of software in digital I&C reliability analysis.
10:25 AM
Critical Digital Review Procedure Proposal and Its Preliminary
Experience
Hui-Wen Huang, Tsu-Mu Kao and Ming-Huei Chen
Institute of Nuclear Energy Research (INER), Taiwan (R.O.C.)
This paper describes the critical digital review (CDR) procedure, which was developed
by Institute of Nuclear Energy Research (INER), and sponsored by Taiwan Power
Company (TPC). A preliminary CDR application experience which was performed
by INER, is also described in this paper. Currently, CDR becomes one of the policies
for digital Instrumentation and Control (I&C) system replacement in TPC. The
contents of this CDR procedure include: Scope, Responsibility, Operation Procedure,
Operation Flow Chart, CDR review items. The “CDR Review Items” chapter proposes
optional review items, including the comparison of the design change, Software Verification
and Validation (SV&V), Failure Mode and Effects Analysis (FMEA), Evaluation
of Watchdog Timer, Evaluation of Electromagnetic Compatibility (EMC), Evaluation
of Grounding for System/Component, Seismic Evaluation, HFE Evaluation, Witness
and Inspection, Lessons Learnt from the Digital I&C Failure Events. Since CDR has
become a TPC policy, Chin Shan Nuclear Power Plant (NPP) performed the CDR
practice of Automatic Voltage Regulator (AVR) digital I&C replacement, even though
the project had been on the half way. The major review items of this CDR were: the
comparison of the design change, SV&V, FMEA, Evaluation of Watchdog Timer,
Evaluation of Electromagnetic Compatibility (EMC), Evaluation of Grounding for System/
Component, Witness and Inspection, Lessons Learnt from the Digital I&C Failure
Events. The experience of the CDR showed the importance of preparation of the
documents by the vendor. This means the communication with the vendors for the bid
preparation is crucial.
Digital I&C in PSA 1
10:50 AM
Estimating Failure Probabilities in High Reliability Digital Systems
Dave Blanchard (a), Thuy Nguyen (b), and Ray Torok (c)
a) Applied Reliability Engineering, Inc. San Francisco, California, b) EdF R&D, Chatou, France, and c)
EPRI, Palo Alto, California
Among the debates regarding the modeling of digital safety systems and their components
in PRA is what sources of data are appropriate for use in quantification of the
models. Chief among the differences with the hardware commonly included in PRA
is that digital equipment is systematic in nature rather than probabilistic (that is they
fail deterministically and are not subject to wear out or random failures). In addition,
the available operating experience on which to base failure probabilities is scarce,
particularly in the US where the installation of digital safety systems in nuclear power
plants has been limited.
In this paper, an overview of the various failure mechanisms that may affect elements
making up a typical digital safety system is presented. The failure mechanisms which
are concluded to dominate the reliability of the system are identified and design features
and defensive measures which result in these being dominant are discussed.
Given the dominant failure mechanisms, quantitative techniques currently available
to develop failure probabilities for digital I&C failure modes modeled in PRA are discussed.
Also discussed are possible common-cause factors that may affect multiple
divisions of digital I&C. Both the failure probabilities and common-cause factors are
developed considering the defensive measures that are used in the design of the
digital system.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Camelia/Dogwood
Next Generation Reactor PSA - 1
Session Chair: Donald Helton
10:00 AM
A look at the ABWR Design from a PRA Prospective
Calin Eftimie, Jyh-Tsair Hwu, and Dennis Henneke
GE Hitachi
The Advanced Boiling Water Reactor (ABWR) is a Generation III reactor designed
by GE Hitachi Nuclear Energy (GEH) and certified by the NRC in 1997. The ABWR
design includes improved features compared to previous GE designs, e.g., a more
balanced ECCS consisting of three high-pressure systems and three low-pressure
systems, a diverse instrumentation and control system, reactor internal pumps for
recirculation, and a new containment design. The ABWR certification submittal included
a Probabilistic Risk Assessment (PRA) that demonstrated the exceptionally high
safety of the design. The certified ABWR design was implemented by GEH for the
first time at Lungmen, units 1 and 2, in Taiwan. An updated, more detailed, PRA was
prepared for the Lungmen Final Safety Analysis Report (FSAR). This PRA includes
additional detail that emerged during the detailed design phase of the project, and was
updated to satisfy the latest PRA standards. At the same time, the PRA was used as
a tool for making detailed design decisions. This paper will present the advantages,
from a PRA point of view, of the ABWR design, as implemented at Lungmen, as well
as explain some of the challenges encountered when developing the PRA in parallel
with the design. Additional supporting analyses based on the PRA will also be summarized.
(Presentation only)
10:25 AM
Modifying the Risk-Informed Regulatory Guidance for New
Reactors
CJ Fong and Donald A. Dube
US Nuclear Regulatory Commission, Rockville, MD
Since the U.S. Nuclear Regulatory Commission (NRC) published its probabilistic risk
assessment (PRA) policy statement in 1995, the NRC staff has developed or endorsed
many guidance documents to support risk-informed changes to the licensing basis
and the Reactor Oversight Process (ROP). In September, 2010, the staff requested
Commission approval of the staff’s recommendation to modify the risk-informed regulatory
guidance to (1) recognize the lower risk profiles of new, large light-water reactors
(LWRs) and (2) prevent a significant decrease in the enhanced levels of safety
provided by these new reactors. With the implementation of an enhanced level of
severe-accident prevention and mitigation design capability being confirmed through
the review of applications for design certification for new LWRs, the staff is identifying
potential issues that may arise with the transition to operations and the use of the existing
risk-informed framework. Although Regulatory Guide (RG) 1.174 and the current
ROP have no specific provisions precluding their application to new reactor designs,
the NRC experience with implementing both RG 1.174 and the ROP has only involved
currently operating plants. As discussed in a 2009 white paper, the staff identified a
number of potential issues posed by the lower risk estimates of new reactors using the
current risk informed guidance that could potentially allow for a significant erosion of
the enhanced safety of new reactors as originally licensed. As a result, the staff is considering
whether changes to RG 1.174 and the ROP are needed in light of the differing
risk profiles and the 10 CFR Part 52 process (e.g., design certification rulemaking on
enhanced severe-accident features per Section VIII.B.5 of appendices for each certified
design). A number of industry representatives have expressed interest in pursuing
risk-managed technical specifications and risk-informed inservice inspection of piping
for new reactors, and the staff expects additional risk-informed applications for new
reactors in the future.
10:50 AM
IRSN Review of EPR Level 1 PSA
G. Georgescu and F. Corenwinder
Institute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France
The PSA was used for early design verification of EPR Reactor, several design improvement
being defined based on these PSA insights and following the discussions
with the French and German safety authorities. Now, in the frame of the construction
and licensing of Flamanville 3 NPP the PSA is playing an important role for the EPR
Project assessment. There are many uses of PSA in this context. PSA is used firstly
for the verification of the plant safety level, since the “Technical Guidelines” for EPR require
that the probabilistic approach should be used in order to show the achievement
of a significant reduction of the global core melt frequency comparing with the existing
NPPs. The PSA is used to support the demonstration of “practical elimination” of the
large early releases, equally requested by the “Technical Guidelines”. The PSA is also
involved in the verification of the completeness of the deterministic multiple failures
situation (Risk Reduction Categories) features. IRSN, as the French Safety Authority
(ASN) technical support organization, performs the review of the PSA developed by
the plant operator (EDF). The paper presents the main issues regarding the using of
“design PSA”, identified by IRSN following the review of the internal events Level 1
PSA transmitted by EDF in the frame of the anticipated instruction of the application
for operating license of the Flamanville 3 reactor.
11:15 AM
PSA Insights of the New Nuclear Power Plants
Andrija Volkanovski
Reactor Engineering Division, Jožef Stefan Institute, Ljubljana, Slovenia
Four designs of generation III+ pressurized water reactors were analyzed in the framework
of the project entitled “Safety characteristics of potential reactors for JEK 2”. The
project was done at the Reactor Engineering Division of the Jožef Stefan Institute for
the Slovenian utility. The analyzed designs selected as potential designs for construction
of the second unit at the Krško Nuclear Power Plant are: Westinghouse AP1000,
AREVA EPR, Mitsubishi APWR and ATMEA1 from AREVA and Mitsubishi.
The goal of the project was identification and description of the safety characteristics of
analyzed reactor designs. The identification of safety characteristics was based on description
of the structures, systems, components and their integral performance given
in the design documentation of the vendors. The identification was supported by the
review of the safety analyses including the Probabilistic Safety Assessment (PSA) organized
according to the classifications of the U.S. Nuclear Regulatory Commission.
The paper presents results of the review of the PSA section of the Final Safety Analysis
Report of the corresponding designs. The obtained results include identification
and description of the usage of PSA in design phase for the decrease of the risk
measures and elimination of the significant risk contributors. The obtained results for
the risk indices, namely the core damage frequency and large release frequency are
identified and compared against each other and against requirements of the regulator.
The comparison with the currently operating nuclear power plants is done and the
major contributors to the decrease of the risk indices are identified.
15

16
Session Chair: Michael Golay
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Magnolia
10:00 AM
Reducing the Risk of Turbine Missiles in a Nuclear Power
Plant
Alexander Knoll
Consultant, Wyomissing, PA, USA
The presentation will identify the risk contributors to turbine missiles and other turbine
blade failures. It will provide tangible recommendations to reduce the risk of turbine
missiles and other turbine blade failures.
Turbine missiles are very expensive to repair and might have impact on safety risks,
because: They are almost always accompanied by fire (Both Combustibles & Ignition
sources are in the impact area), Vital electrical supplies are close in the turbine
building area (offsite lines, 4KV vital buses), The Control Rooms might be close to the
impacted area (plant specific location and orientation of the turbine-generator).
Turbine missiles have impact on financial risks: Hundreds of Millions in Repairs (and
no on-the-shelf components), Hundreds of Millions in Generation Losses (up to two
years of forced outage).
A generic Turbine Generator layout in a power plant will be presented, including the
Control Room between twin units. The layout will show the High pressure turbine,
three stages of Low Pressure turbines and the generator, which are all on the same
shaft. The Failure Modes and Effects that could lead to turbine damage or missiles will
be clarified, including: What turbine components may fail, Blade failures that required
removal of damaged blades and rebalancing turbine for short term runs, What Human
errors may induce failures, during operation (operator errors), or - during (engineering
design), or - during oversight (QA and administration), What is the contribution of the
Protective System (automatic or manual).
The turbine missile events at Salem-2 (November 1991) and DC Cook-1 -(Sept. 2008)
will be described. Temporary modifications of degraded blades in aging turbines will
be provided. Based on the Risk Assessment, recommendations will be provided how
to reduce the risk of turbine missiles. (Presentation only)
10:25 AM
Treatment of the Loss of Heat Sink initiating events in the
IRSN PSA
F. Corenwinder
Institute for Radiological Protection and Nuclear Safety, Fontenay-aux-Roses, France
Loss of ultimate heat sink is an initiating event which, even it is mainly of external
origin, is considered in the frame of internal events Level 1 PSA by IRSN. Moreover,
according to the French PSA fundamental safety rule this kind of initiators should be
considered by the plant operator in the frame of the “Reference PSA”. Nevertheless,
the modelling of this initiating event is not always easy and the associated uncertainties
are still quite important. The occurrence frequency, the restoration time, the
impact on more than one plant, the impact on the emergency organisation, etc. are
some of the aspects, for which, today there is not a full consensus between different
PSA teams (IRSN, EDF). Recently, two events of loss of heat sink occurred in France
(Cruas and Fessenheim). This recent operating experience should be fully used in
order to ameliorate the modelling of the loss of heat sink initiating event in the PSA.
The paper presents the methods used today by IRSN to model the loss of heat sink
initiating event and the historical perspective. The two events will be shortly presents
as well as the foreseen evolution of the PSA methods and models to best incorporate
the operating experience.
Other External Events
10:50 AM
An Assessment of Large Dam Failure Frequencies Based on
US Historical Data
F. Ferrante, S. Sancaktar, J. Mitman, and J. Wood
US Nuclear Regulatory Commission, Rockville, MD
Flooding events are part of the hazard categories commonly considered in assessing
the design of industrial facilities. The failure of large upstream dams is one category of
flooding event that can challenge the safety of these facilities. Additionally, the failure
of dams downstream of facilities that depend on external water sources for their operations
could also represent a concern from a safety standpoint. Generic dam failure
estimates based on historical data are commonly relied on as screening values for use
in design and risk assessment. This paper presents an in-depth analysis of currently
available databases with information on US historical dam failure events and the dam
population in order to estimate generic large dam failure rates while also addressing
the challenges in deriving values supportable by historical data. Items such as completeness
of data, applicability of generic values versus site-specific considerations,
and screening criteria including dam types, construction vintage, and failure modes,
are addressed via independent failure frequency point estimates. The work highlights
the limitations of the derivation of a defensible screening value for dam failure frequency
estimates.
11:15 AM
Application of FRANX Software to External Events
Jeff Riley
Electric Power Research Institute, Palo Alto, CA
The EPRI FRANX software has been used for several years as a tool to assist the
PRA analyst in incorporating fire related impacts and modeling attributes into existing
PRA models. This simplifies the process of performing a Fire PRA and the ultimate
incorporation of the fire model into a configuration risk model.
Recent developments in FRANX have increased the capabilities to model numerous
other spatially-dependent and scenario-dependent situations. More recent applications
of the tool have included the modeling of flooding scenarios, thereby including
these scenarios into the PRA in model in a structured and automated manner, avoiding
laborious hand development of models.
Of particular note are improvements in the tool to support seismic analysis in a highly
structured manner. These seismic add-ons allow for the simple development of seismic
scenarios from the hazard curve, automatic implementation of the appropriate
fragility information, and integration with the full Level 1 PRA model.
This paper discusses the expanded capabilities of the FRANX software tool, with particular
emphasis on external event coverage such as flooding and seismic capabilities.

Session Chair: Eric J Jorgenson
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Salon A
10:00 AM
Estimating Fire-Induced DC Circuit Hot Short Duration
Dennis Henneke, James Young, Jonathan Li
GE Hitachi, Wilmington, NC
The purpose of this paper is to interpret the results of draft test results reported in “Direct
Current Electrical Shorting in Response to Exposure Fire (DESIREE-FIRE): Test
Results” [1], in order to determine the factors and probabilities on Fire-Induced DC
Circuit Hot Short duration with respect to time. The impact of Cable Type, Circuit Type
and Fire-Damage Conditions is reviewed for potential impact on the hot short duration.
The analysis presented does not include an analysis of the hot short probabilities for
tested cable types, circuit types or fire-damage conditions. The analysis of the results
shows that for the most part, DC Hot Shorts have a short duration, of less than 2
minutes. The one exception appears to be a hot short involving thermal-plastic cable
where the source temperature is near the cable damage temperature, and direct flame
impact does not occur. The hot short for these damage scenarios can be much longer,
averaging over 15 minutes. The analysis in this paper is considered preliminary, awaiting
both the final issuance of the DESIREE-FIRE report, as well as completion of the
industry review of the results through an NRC and Industry Phenomena Identification
and Ranking (PIRT) expert panel, scheduled for completion in mid-2011.
10:25 AM
Lessons Learned From Electrical Circuit Analysis in Support
of a Fire Probabilistic Risk Assessment
Cyrus N. Vadoli
Southern California Edison – San Onofre Nuclear Generating Station, San Clemente, CA
Following the methodology presented in NUREG/CR-6850 “Fire PRA Methodology
for Nuclear Power Facilities”, this paper focuses on the electrical-specific tasks completed
to support the upgraded Fire Probabilistic Risk Assessment for the San Onofre
Nuclear Generating Station (SONGS) Units 2 and 3. The SONGS Electrical Design
Engineering team supporting the Fire PRA utilized a three-phase approach to complete
these tasks. Each phase of the electrical circuit analysis is presented in this paper
with a general over-view of the task and how the task was completed. In addition,
a discussion of key lessons learned and strategies utilized to maximize efficiency and
minimize time delays is presented.
Fire PSA Methods - 1
10:50 AM
Concurrence Probability and Duration for Fire-Induced Cable
“Hot Shorts:” Alternating (AC) Vs. Direct Current (DC)
Raymond H.V. Gallucci
U.S. Nuclear Regulatory Commission (NRC), Washington, D.C.
In 2008, the author presented the results of a probabilistic/statistical examination of
cable “hot shorts” due to nuclear plant fires for alternating current (AC) circuits based
on two sets of cable fire tests: (1) the Nuclear Energy Institute (NEI) and Electric
Power Research Institute (EPRI) series of 18 cable fire tests in 2001; and (2) the
U.S. Nuclear Regulatory Commission (NRC) complementary series of electrical performance
and fire-induced failure cable tests, consisting of 78 small-scale tests and 18
intermediate-scale open burn tests in 2006 (the CAble Response tO Live FIRE [CAR-
OLFIRE] Program). In 2010, the NRC, in collaboration with the EPRI, as representative
of the nuclear industry, completed a follow-up to CAROLFIRE by performing a
“series of fire tests ... to assess cable failure modes and effects behavior for DC [direct
current]-powered control circuits ... known as the Direct Current Electrical Shorting in
Response to Exposure Fire (DESIREE-FIRE) test program.” As with the previous NEI/
EPRI and CAROLFIRE tests, the DESIREE-FIRE tests similarly produced data on the
occurrence and duration of electrical “hot shorts,” this time for DC circuits, in terms of
the type of cable (thermoplastic [TP] and thermoset [TS]) and equipment supported
by the circuits (both motor- and solenoid-operated valves [MOVs and SOVs]). As a
follow-up to the 2008 analysis, the author presents a parallel analysis of the probability
and duration for concurrence of two and three “hot shorts” for DC circuits, based on
the DESIREE-FIRE results, and compares this to the previous analysis for AC “hot
shorts.”
11:15 AM
Fire Induced Multiple Spurious Operation Review Methodology
Developed for Application to Fire PRAs
Gregory P. Rozga (a), and Paul D. Knoespel and John R. Olvera (b)
a) MARACOR Software and Engineering, Inc., Middletown, MD, b) EPM, Inc., Risk Solutions Division,
Hudson, WI
Multiple spurious operations (MSOs) of equipment due to fire induced electrical shorts
must be evaluated as part of the development of Fire PRA models. This paper will
describe a methodology to identify and document valid MSO combinations for future
inclusion into a Fire PRA by performing a systematic system-by-system review. This
process has been used during development of Fire PRAs at three plants to date. The
methodology employs a set of rules at the system level to determine which systems
can potentially impact the plant CDF given spurious operations within the system.
Once the systems are identified, piping & instrumentation drawing reviews identify
single components which are susceptible to spurious operation. Identified components
are evaluated to determine the impact their spurious operation has on the modeled
functions of the screened-in systems. If it can be determined that the component
cannot impact the modeled function under any circumstance, that component can be
screened. Unscreened components are then evaluated with respect to multiple spurious
operations using a component matrix to identify couplets, triplets, and further
combinations if necessary. The result is the identification of non-minimal potential
MSO groups. For component groups where cable location information is already available,
screening can be performed to eliminate groups where cables for all components
are never within the same fire area. Remaining MSO groups now undergo detailed
circuit analysis, and the final MSO groups are modeled in the PRA. This systematic
MSO identification process can also provide useful input to plant expert panel reviews
of MSOs.
17

18
Session Chair: Nathan Siu
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Salon B
10:00 AM
Establishing a Community of Practice to Address PSA Knowledge
Management Issues
Donald P. Remlinger, Stacy A. Zarewczynski, and Camille T. Zozula
Westinghouse Electric Company LLC, Cranberry Twp., USA
The resurgence of the nuclear industry and the increased use of Probabilistic Safety
Assessment (PSA) in existing plant regulatory affairs, utility operations, and new plant
licensing have created opportunities to improve the reliability, cost, and safety of nuclear
power plants. However, many organizations in the nuclear industry are faced
with an aging workforce, resource shortages, and gaps in technical skills, specifically
in PSA methodologies. Improving communication and information management combined
with utilizing a global workforce are challenges to successfully addressing these
issues. A knowledge-based initiative that provides these solutions is the organization
of a community of PSA professionals; a PSA centered community of practice. A Community
of Practice (CoP) is an effective aid for storing critical task-related knowledge,
for allowing open discussions and knowledge exchanges, and for finding explanations
of commonly used methods and practices. The PSA CoP within Westinghouse Electric
Company, LLC consists of a network of members from different geographical locations
with diverse experiences, skills, and backgrounds who work in PSA-related areas. The
PSA CoP’s objectives are to share information, solve common problems, mentor, and
develop an awareness of methods and tools. Within Westinghouse, the PSA CoP exists
outside of the boundaries of specific organizational structure and project teams.
10:25 AM
Experience in PRA Training
Ross C. Anderson (a), and Robert W. Fosdick (b)
a) Virginia Commonwealth University, Richmond, VA, b) R&B Nuclear LLC, Maidens, Virginia
PSA Knowledge Management - 1
As with all disciplines within the nuclear industry, the PRA workforce is aging and will
continue to suffer significant losses to retirement over the next 5-10 years. Unfortunately,
these losses will occur at a time when the demands upon the PRA staff are
not holding steady but are actually increasing. The NRC evaluates the quantitative
risk of licensing actions such as Technical Specifications changes and licensee activities
(via the Significance Determination Process, for example). Program and system
inspections are often risk-informed or risk-based. In addition, new plants are likely
to be added to the existing U.S. fleet over the next 5-10 years. The combination of
experienced workforce losses and increasing demand poses substantial challenges to
existing PRA groups and their management.
Virginia Commonwealth University has addressed some of these concerns on a local
level by developing both a graduate course and a professional workshop in PRA applications.
The graduate course proved to be surprisingly popular, as students developed
a subset of a North Anna PRA model with WinNUPRA software donated by Scientech.
Students, mostly without prior PRA experience, built their own models from
the ground up; solved them, learned to use the descriptive statistics, and performed
representative calculations such as (a)(4) compliance and potential Significance Determination
Process applications. Those course notes are currently being compiled
for a textbook.
The workshop followed a similar strategy but has not yet been widely marketed.
In summary, the need for PRA training for users at all levels remains substantial.
Training for both existing and future PRA engineers should emphasize practical applications
and the incorporation of plant knowledge.
10:50 AM
PSA Knowledge Transfer - Approaches in OECD/NEA WGRisk
Member States
Marina Röwekamp (a) and Kevin Coyne (b)
a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, b) U.S. Nuclear Regulatory
Commission (NRC), Washington, DC, USA
The OECD/NEA Working Group Risk (WGRisk) has initiated in 2010 a task on PSA
(probabilistic safety assessment) knowledge transfer in member states. The objective
of this task is to develop a common understanding of the current needs and ongoing
activities in organizations in the member states on PSA knowledge transfer, including
other ongoing international activities in this technical area.
In this context a survey has been developed focusing on knowledge transfer activities
such as training courses, on-the-job training, seminars, mentoring. This survey
places less emphasis on other aspects of knowledge management (e.g., knowledge
representation, capture, storage, retrieval). Furthermore, it is limited to knowledge regarding
the performance, review, and use of nuclear power plant (NPP) PSA studies
in risk-informed decision making.
The survey results are being documented in a NEA report discussing lessons learned
and best practices. Furthermore the survey shall be used to identifying potential followon
activities (e.g., knowledge transfer seminars on specified topics) that could be performed
to efficiently and effectively preserve the current PSA know-how.
11:15 AM
Current PRA Knowledge Management Activities at the NRC
M. Tobin, K. Coyne, and N. Siu
U.S. Nuclear Regulatory Commission, Washington, DC
Probabilistic Risk Assessment knowledge management programs at the Nuclear Regulatory
Commission are becoming increasingly important as experienced members of
the field prepare for retirement. The US Nuclear Regulatory Commission, which views
knowledge management as the broad set of activities capturing critical information
and making the right information available to the right people at the right time, has
developed or is in the process of developing a number of knowledge management
mechanisms and tools including: databases and electronic reading rooms, formal and
informal training, interviews, procedures, desk references, communities of practice,
websites, and portals. This paper, which is based largely on NRC’s response to an
OECD Working Group on Risk Assessment (WGRISK) survey described in a separate
paper at this conference, describes the NRC’s PRA-related applications of both formal
and informal knowledge management activities, as well as lessons learned to date
from these activities.

Session Chair: Dave Gertman
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 10:00 AM - Carolina
10:00 AM
Practical Refinements to Human Action Dependency Analysis
for Probabilistic Safety Assessment
James K. Liming, Thomas J. Mikschl (a), and Shawn S. Rodgers (b)
a) ABSG Consulting Inc. (ABS Consulting), Irvine, CA, b) STP Nuclear Operating Company, Wadsworth,
TX
This paper summarizes the results of an evaluation of human action dependency for
the STP Nuclear Operating Company (STPNOC) South Texas Project Electric Generating
Station (STPEGS) Units 1 and 2 low power and shutdown (LPSD) probabilistic
risk assessment (PRA). Specifically, this paper focuses on the potential impact of
refinements to current industry PRA human reliability analysis (HRA) methods (e.g.,
the EPRI HRA Calculator® methods) for human action dependency evaluation. These
potential refinements were conceptualized during the performance of the STPNOC
LPSD PRA HRA. The scope of this evaluation included a thorough post-processing
evaluation of over 37,000 PRA event sequences (or cut sets) for combinations of
human failure events (HFEs) that could result in potential HEP interdependence,
and thus, could significantly impact the results of the PRA and any associated riskinformed
applications. The paper presents a discussion of the importance of human
action dependency analysis (HADA) in PRA or probabilistic safety assessment (PSA),
and presents an overview of current methods typically applied. The paper also presents
general results from the STPNOC LPSD PRA HRA HADA, and it provides selected
examples of how potential HADA refinements could impact the rigor and accuracy
of HADA results, and thus, overall PRA or PSA results.
10:25 AM
Guidance on Use of Limiting Values for Human Error Probabilities
in PRAs
Gareth Parry (a), and Stuart Lewis (b)
a) ERIN Engineering and Research, Inc., Walnut Creek, CA, b) Electric Power Research Institute, Knoxville
TN
Human reliability analysis, as it is conducted in probabilistic risk assessments, relies
on the use of various models of human performance, informed by relatively sparse
data from actual experience. Such an approach can give rise to a degree of skepticism,
especially when the methods produce very low probabilities of failure. At some
level, there is a perception that there is a limit to the reliability of operating crews, and
that available methods do not necessarily capture all the important causes of failure.
As a result, a variety of approaches has been taken to defining limiting or minimum
values that should be used in lieu of low calculated human error probabilities (HEPs).
Up to this point, there has been no consensus practice in setting or using such minimum
values. This paper summarizes the issues associated with the development and
use of limiting values for HEPs. The proposed limiting values are presented in EPRI
1021081, Establishing Minimum Acceptable Values for Probabilities of Human Failure
Events Practical Guidance for Probabilistic Risk Assessment. It is expected that
the guidance provided in that report may be applied in probabilistic risk assessments
performed by the nuclear industry, and that it may be revised or refined as a result of
insight gained from that experience.
Human Reliability Analysis - 1
10:50 AM
A Context Based Approach to Human Reliability Analysis for
Seismic PSA
Paul Amico (a), Andreas Strohm and Jörg Rattke (b)
a) Energy Research, Inc., Rockville, MD, USA, b) EnBW Kernkraft GmbH, Neckarwestheim, Germany
This paper suggests an approach to seismic HRA that addresses some of the deficiencies
of the “shock model” approach commonly used for seismic HRA. The problem
with the shock model approach is that it places too much emphasis on the acceleration
associated with the seismic event and not enough on the extent of damage caused
by the event. Logic suggests that the effects of the acceleration are short-lived as
regards human performance (i.e., due to disorientation) and that after a short initial
period performance would return essentially to normal other than for the need to deal
with the impact of the actual seismic failures. Because of this, the shock model does
not adequately allow credit for increased seismic design capacity or long coping times
before operator action is required. In this paper, the authors suggest the use of a
more context based approach that does account for these influences. The emphasis
of this approach is on the overall context under which an action is performed, of which
the acceleration is only one part. This allows for better consideration of the broader
range of performance influencing factors that result from the actual seismic damage
to the plant. The paper presents the methodology and the process for application, and
also presents a specific application from the SPSA of the German NPP Kernkraftwerk
Neckarwestheim Unit 2 (GKN II). It is concluded that the approach was successful in
that application to provide a more realistic treatment of human reliability and so a more
accurate risk profile. As such, the approach clearly has promise, but further development
is required beyond this first application.
11:15 AM
Qualitative Human Reliability Analysis of Dry Cask Storage
Operations
Jeffrey D. Brewer, Stacey M. L. Hendrickson (a), and Susan E. Cooper (b)
a) Sandia National Laboratories, Albuquerque, NM, USA, b) United States Nuclear Regulatory Commission,
Rockville, MD, USA
Human reliability analysis (HRA) methods have been developed primarily to provide
information for use in probabilistic risk assessments of nuclear power plant control
room operations. The HRA method of A Technique for Human Event Analysis (ATHEA-
NA) has been proposed for use in diverse applications outside the control room due to
its particular approach for systematically examining the dynamic, contextual conditions
influencing human performance. This paper describes aspects of a recently completed
project in which the qualitative analysis within ATHEANA was successfully used to
prospectively examine how unsafe actions may contribute to a cask drop and generate
ideas for avoiding cask drops. Through the investigation of previous analyses as
well as discussion with subject matter experts, cask drop scenarios were generated
that might occur within dry cask storage operations. The development of these scenarios
led to the development of human performance vulnerabilities meant to describe
performance shaping factors as well as plant conditions that generate a context that
may ultimately contribute to human failure events (HFEs). After analyzing the human
performance vulnerabilities, illustrative guidance was developed for avoiding or mitigating
them so that HFEs involving cask drops may be avoided or mitigated. This
paper provides a description of the qualitative HRA process followed, a listing of HFE
scenario groupings, discussion of selected human performance vulnerabilities, and
illustrative approaches for avoiding or mitigating human performance vulnerabilities
that may contribute to dropping a spent fuel cask.
19

20
Session Chair: Sergio Guarro
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Azaleca
1:30 PM
Overview and Impact of RG 1.97 Rev 4, Accident Monitoring
Instrumentation, on New Reactor Reviews
Deirdre W. Spaulding-Yeoman
USNRC, Washington, DC
Some new reactor applicants have committed to Regulatory Guide 1.97 Revision 4
which endorses IEEE standard 497-2002, IEEE Standard Criteria for Accident Monitoring
Instrumentation for Nuclear Power Generating Stations. 10 CFR 52.79(a)(30)
indicates that the submitted final safety analysis report include proposed technical
specifications. In keeping with RG 1.97 Revision 4, and IEEE 497, accident monitoring
variable selection must be consistent with the plant specific emergency operating
procedures and the abnormal operating procedures. Meeting RG 1.97 Revision
4 has presented challenges to new reactor applicants such that the USNRC allows
applicants to pursue one of three options in regard to their tech specs pertaining to
accident monitoring instrumentation; provide a plant specific instrumentation value,
provide a value that bounds the plant specific value, or, establish an administrative
controls program or report. This presentation provides an overview of Reg Guide 1.97
Revision 4 and discusses the approaches that have been submitted to the Office of
New Reactors for staff review. Specific discussion will be provided in regard to the
implications of Reg Guide 1.97 Revision 4, using the staff guidance, Standard Review
Plan Section 7.1, Instrumentation and Controls, Overview of Review Process, and
Section 7.5, Information Systems Important to Safety, for new reactor staff reviews.
(Presentation Only)
1:55 PM
Error Modeling and Analysis of DIgital I&C System Failure
Modes
Carl Elks, Nishant George,and Barry Johnson
University of Virginia
Over the last ten years rigorous approaches to safety analysis and assessment have
been of particular interest to safety community, motivated mainly by the increasing
complexity of safety critical systems across a wide range of applications. Although
there are commercial software and tools available that assists engineers in performing
clerical tasks, such as forming tables and filling in data, the essential and critical part
of an FMEA process remains a difficult and elusive challenge – that is, a systematic
and comprehensive means to characterize failure modes of the system and identify
significant failure paths associated with these potential failure modes. Current approaches
using operating plant, commercial, and vendor databases certainly aid in the
identification and classification of what component failures have happened, but they
are limited in their utility in determining what could happen. As newer I&C systems
and micro-technology is introduced, failure data is sparsely available on these new
technologies. These problems naturally become more acute as I&C systems grow in
scale and complexity and criticality, which is the trend that is now emerging.
This paper presents a unique modeling and analysis method based on the concepts of
error modeling and error propagation analysis. The concept we present is based on an
information theory approach, where the functional representation of the digital system
is viewed as a composition of information channels. More precisely, information flow
in a computer is characterized by symbols, and the interpretation and manipulation
of those symbols. Errors can corrupt symbols, rendering them into different symbols,
non-symbols or reconstitute the interpretation of symbols. Errors in the information
universe are usually manifested as bit flips in the data and/or instruction symbols. Our
approach defines an error behavior function which allows information flow in digital
I&C system to be corrupted according to a context fault model. A context fault model
is based on what vulnerabilities are perceived to be relevant in the environment of the
digital I&C systems. These include, common mode faults and errors, bit flips, software
flaws, intentional security faults, and byzantine faults. (Presentation Only)
Digital I&C in PSA - 2
2:20 PM
Advanced Risk Modeling and Risk-informed Testing of Digital
Instrumentation and Control Systems
Sergio B. Guarro, Michael Yau and Scott Dixon
ASCA, Inc., Redondo Beach, CA
Assuring the reliability and safety of Digital Instrumentation & Control (DI&C) systems
presents special challenges. Their potential complexity, associated with the multi-faceted
functionality of the software, makes testing the various combinations of logic execution
paths “exhaustively” very difficult. A rigorous process of analytical partitioning
of the test space is generally necessary to guide a meaningful process of risk-informed
test and assessment for these systems.
The Context-based Software Risk Model, applied in combination with the Dynamic
Flowgraph Methodology (CSRM/DFM) is an extension of the traditional Probabilistic
Risk Assessment (PRA) approach. It provides a modeling and analysis platform that
can be applied to risk-inform the testing and verification of DI&C, and more in general
software driven and/or controlled systems. The basic principle of the approach is that
DI&C systems and software driven systems can be analyzed and tested in effective
and convincing fashion, only if the software is analyzed and tested with the actual “balance
of system” in the loop, and the test and analysis process includes a risk-informed
set of off-nominal scenarios.
This paper summarizes and discusses a few recent applications of the CSRM/DFM approach
to both space and nuclear power plant DI&C systems. The projects discussed
demonstrate several modes of use of the risk-informed analytical and test procedures
enabled by the CSRM/DFM process, and more specifically how the methodology can
serve both as a stand-alone DI&C test driving resource and as an advanced riskmodeling
and quantification extension of traditional PRA models and procedures.
2:45 PM
Application of Fault Tree Methodology to Modeling of The
Ap1000® Plant Digital Reactor Protection System
David S. Teolis, Stacy A. Zarewczynski, Heather L. Detar
Westinghouse Electric Company LLC, Cranberry Twp., USA
The reactor trip system (RTS) and engineered safety features actuation system (ES-
FAS) in nuclear power plants utilizes instrumentation and control (I&C) to provide automatic
protection against unsafe and improper reactor operation during steady-state
and transient power operations. During normal operating conditions, various plant
parameters are continuously monitored to assure that the plant is operating in a safe
state. In response to deviations of these parameters from pre-determined set points,
the protection system will initiate actions required to maintain the reactor in a safe
state. These actions may include shutting down the reactor by opening the reactor
trip breakers and actuation of safety equipment based on the situation. The RTS and
ESFAS are represented in probabilistic risk assessments (PRAs) to reflect the impact
of their contribution to core damage frequency (CDF). The reactor protection systems
(RPS) in existing nuclear power plants are generally analog based and there is general
consensus within the PRA community on fault tree modeling of these systems. In
new plants, such as AP1000® plant, the RPS is based on digital technology. Digital
systems are more complex combinations of hardware components and software. This
combination of complex hardware and software can result in the presence of faults and
failure modes unique to a digital RPS. The United States Nuclear Regulatory Commission
(NRC) is currently performing research on the development of probabilistic
models for digital systems for inclusion in PRAs; however, no consensus methodology
exists at this time. Westinghouse is currently updating the AP1000® plant PRA to support
initial operation of plants currently under construction in the United States. The
digital RPS is modeled using fault tree methodology similar to that used for analog
based systems. This paper presents high level descriptions of a typical analog based
RPS and of the AP1000® plant digital RPS. Application of current fault tree modeling
techniques to the digital system is reviewed, and unique issues related to accounting
for common cause failures and software failures are discussed.

Session Chair: Karl Fleming
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Camelia/Dogwood
Next Generation Reactor PSA - 2
1:30 PM
Investigation of Risk-Informed Methodologies to Improve Sodium-Cooled
Fast Reactor Economics With Safety, and Non-
Proliferation Constraints
George Apostolakis, Michael Driscoll, Michael Golay, Andrew Kadak, Neil
Todreas (a), Tunc Aldemir, Richard Denning (b), and Michael Lineberry
a) Massachusetts Institute of Technology, Cambridge, MA, b) The Ohio State University, Columbus, OH,
c) Idaho State University, Idaho Falls, ID
A substantial barrier to the implementation of Sodium-cooled Fast Reactor (SFR)
technology is that they would not be economically competitive relative to advanced
light water reactors. With increased acceptance of risk-informed regulation, the opportunity
exists to reduce the costs of a nuclear power plant at the design stage without
applying excessive conservatism that is not needed in treating low risk events.
In NUREG-1860, the U.S. Nuclear Regulatory Commission describes developmental
activities associated with a risk-informed, technology neutral framework (TNF) for
regulation that provides quantitative yardsticks against which the adequacy of safety
and proliferation resistance can be judged. The objective of this project is to develop
a design process for minimizing the cost of electricity generation within constraints of
adequate safety and proliferation resistance. This paper describes the proposed design
optimization process within the context of reducing the capital cost and levelized
cost of electricity production for a small (possibly modular) SFR. The project provides
not only an evaluation of the feasibility of a risk-informed design process but also a
practical test of the applicability of the TNF to an actual advanced, non-LWR design.
The report provides results of two safety related case studies of design alternatives, as
well as an assessment of measures to improve proliferation resistance.
1:55 PM
The Evolution from a Design Certification Pra to an As-Built
As-Operated PRA
Yunlong Li, Dennis Henneke, Glen Seeman and Gary Miller
GE Hitachi Nuclear Energy, Wilmington, NC
A number of uncertainties exist in the development and updating of PRAs for new
reactors, such as the amount of information available, applicability of the failure data
to the components, and the availability of details of the design and operation. As it gets
closer to operation, some of these uncertainties are removed. This paper addresses
the evolution of the PRA during the reactor design process and in the various stages
of design certification, licensing, and plant operation. While only one peer review is
required for the new reactors to be licensed for operation, the evolution path that each
vendor and licensee adopts could significantly affect the time and efforts involved in
the PRA model development and updates, the quality of the PRA, and the safety, reliability
and availability of the new reactor’s design and operation. This paper discusses
the logical division of the stages for the development of PRA models, the purposes
of the PRA at each stage, and major deliverables. The pros and cons of the different
evolutions are also included. Based on GEH’s extensive experience in developing and
updating PRA models for advanced BWRs that span across all stages, reasonable
evolution paths are recommended.
2:20 PM
PRA Analysis for a New Reactor Design: The B&W MPOWER
Small Modular Reactor
Thomas A. Morgan (a) and Kenneth W. Baity (b)
a) Maracor Software & Engineering, Inc., Middletown, MD, b) Babcock & Wilcox Nuclear Energy, Inc.,
Lynchburg, VA
The B&W mPower reactor is a small modular PWR with numerous evolutionary
design concepts, including passive safety systems, an integrated reactor pressure
vessel, and a below-grade containment building. To support Design Certification, a
complete probabilistic risk assessment (PRA) must be performed that meets industry
standards and regulatory requirements.
Sufficient design and operational details must be available to develop PRA models
and data. However, it is also desirable to obtain risk estimates for the plant early in the
design process and to feed back risk insights into design decisions. If such insights are
not developed until after the PRA is completed (and the design is largely finalized), it
can be costly to backfit beneficial changes. Therefore, PRA tasks are being performed
concurrently with design activities, using an iterative approach that incorporates design
changes as they occur.
For example, alternative concepts have been proposed for the emergency core cooling
systems as the plant’s design has evolved. PRA personnel participated in design
discussions to evaluate the alternatives and offered reliability insights that improved
these designs. A “risk insights” training course was also developed for the designers
so that the ongoing development tasks could incorporate beneficial features that would
improve safety and reliability.
The internal events PRA is underway, and work on the external events and low power/
shutdown modes PRAs will begin in early 2012. Because of the plant’s innovative
features, it is expected that the B&W mPower reactor will have a low core damage
frequency and should pose minimal risk to the public.
2:45 PM
Risk-Informed Design and Safety Review of HTR-PM
Jiejuan TONG, Tao LIU, and Jun ZHAO
Institute of Nuclear and New Energy Technology, Tsinghua University, P.R China
HTR-PM is the abbreviation of the demonstration plant project which will be built in
China with a pebble bed high temperature gas cooled reactor design. Due to the
unique features of the reactor, the Chinese safety authority recognizes the big challenge
it will bring to the current regulation and decides to launch the pilot use of PSA
in the design and in the safety review in an extensive way, based on the consensus
that PSA should be the necessary and efficient key to solve the puzzles. This paper
will present and discuss the aspects which PSA has been successfully used during
the design and safety review of HTR-PM project, including safety goal, plant operating
modes definition, beyond design accidents, emergency planning and so on. Every
aspect may require some philosophically innovative efforts, however moving to the
risk-informed decision making and regulation will be adhered as the common opinion
arrived by the authority and the designer. Working processes and results for some of
the aspects will also be explained. The paper will also address the methodological issues
for performing design PSA. Although most of the traditional PSA techniques are
still valid for HTR-PM, a few new techniques are introduced.
21

22
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Magnolia
Configuration Risk Management - 1
Session Chair: Gerry Kindred
1:30 PM
Development of Risk Communication Sheet for Daily Operational
Focus Meetings at STP
George C. R. Grantom P.E., Fatma Yilmaz, and Ernie Kee
South Texas Project Electric Generating Station, Wadsworth, TX
South Texas Project (STP) uses a work week planning concept that is based on a
cycle of train weeks. The work week risk is planned well in advance of the actual work
week by the Work Control organization and is updated as needed during the week
by the on-shift Control Room operators. The actual maintenance configurations are
entered in the station’s risk monitoring tool, the Risk Assessment Calculator (RAsCal)
application, [1] by the Control Room Operators. The planned work week ICDP (Incremental
Core Damage Probability) and ITP (Incremental Trip Probability) values along
with the actual ICDP and ITP values from RAsCal are communicated every morning
at Daily Operational Focus (DOF) Meetings at STP in the form of numeric values. STP
has developed a tool to better communicate online maintenance risk by assigning
colors to maintenance configurations based on numeric thresholds to the ICDP and
ITP. Associating colors to each maintenance state in terms of the quantitative values
of ICDP and ITP on a bar graph provides a clear indication of when, how long, and
what maintenance activities increased station risk occur [2]. This paper describes the
development, usage and further applications of this new risk communication report
providing examples.
1:55 PM
Nuclear Power Plant Configuration Risk Management: Recent
EPRI CRMF Research
Thomas A. Morgan, Diane M. Jones (a), and Doug Hance (b)
Maracor Software & Engineering, Inc., Middletown, MD, b) Electric Power Research Institute, Risk and
Safety Management, Charlotte, NC
The Configuration Risk Management Forum was established in 2003 by EPRI to serve
as a venue to discuss Configuration Risk Management issues applicable to commercial
nuclear power plants. The Forum’s activities include identification and sponsorship
of research on current and emerging CRM issues. The CRMF has recently focused
on the development of two guideline documents to assist plants in addressing
evolving expectations concerning activities that should be considered under Section
(a)(4) of the maintenance rule, 10CFR50.65. In 2008, a CRMF working group developed
guidance for the evaluation of heavy load lifts. A screening approach categorizes
each planned lift into one of four classes of scenarios. A series of flow charts indicate
how the screening would proceed, and suggestions are provided for possible Risk
Management Actions that could be considered for implementation during lifts/movements
that might incur some additional risk to the plant. Most recently, the CRMF has
provided support to the Nuclear Energy Institute (NEI) in the development of updated
Maintenance Rule guidance concerning the evaluation of fire risk impacts during plant
configuration changes. NEI has drafted proposed guidance and this guidance is now
being tested by several pilot plants. CRMF, in collaboration with the PWR Owners
Group, is assisting in the development of supporting implementation guidance, incorporating
insights gained from the pilot plants. The supporting guidance highlights
possible approaches that could be used to implement each of the specific objectives
noted in the draft NEI guidance.
2:20 PM
A Study for the Reliability Evaluation Method for The Maintenance
Plan Using the Risk Information
Naoki CHIGUSA (a), Yoshiyuki NARUMIYA (b), Takahiro KURAMOTO (c)
a) The Kansai Electric Power Company, Fukui, Japan, b) The Kansai Electric Power Company, Osaka,
Japan, c) Nuclear Engineering, Ltd., Osaka, Japan
This paper discusses the development of the quantitative method to evaluate the reliability
for the maintenance plan with respect to the risk impact both for Core Damage
Frequency and Plant Trip Frequency. The quantitative approach includes the considerations
for the effect of the Condition Based Maintenance (CBM) changing in addition
to the Time Based Maintenance (TBM), and the reliability for the maintenance plan
is evaluated using the actual plant-specific maintenance information collected in the
plant. In this study, overhaul and surveillance test for the components are considered
as TBM. The objective components should include “Prevention System (PS)” in addition
to “Mitigation System (MS)”. Therefore, in this quantitative reliability evaluation, it is
necessary to cover both PS and MS, and the Plant Trip Frequency in addition to Core
Damage Frequency should be introduced as the risk index. The conventional PSA
method is enough to confirm the plant overall risk level and the risk profile, however,
this quantitative approach should have the extended method such as extension of the
objective component sphere and detailed analysis for the component failure data. In
this paper, the developed method to evaluate the reliability for the maintenance plan
using the risk information is described. And, the tested evaluation to confirm the effectiveness
of this quantitative method is also described. And furthermore, the requirements
for the plant-specific maintenance information to be used in this quantitative
method are described.
2:45 PM
Licensee Experience With the ATWS Vulnerability
Robert W. Fosdick (a), Ross C. Anderson (b)
a) R&B Nuclear LLC, Maidens, Virginia, b) Virginia Commonwealth University, Richmond, VA
The process and circumstances leading to the calculation of the ATWS UET contribution
to core for the Surry plant were reviewed to determine key lessons learned. Key
points included the effects of the ongoing work environment, focus on regulatory compliance,
and effort required to perform the calculation vs. the worth of the results. The
conclusions are presented in a generalized form as lessons learned for the benefit of
the entire U.S. industry. The numeric results of the ATWS UET theoretical calculation
were previously presented at the ANS 2009 Winter meeting; this paper focuses upon
the field experience with its results.

Session Chair: Andrea Maioli
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Salon A
1:30 PM
TEPCO’s Effort for Pursuing Further Safety Against Niigataken-Chuetsu-Oki
Earthquake at Kashiwazaki-Kariwa NPS
Masayuki Yamamoto
Tokyo Electric Power Co., Japan
On July 16,2007, Tokyo Electric Power’s Kashiwazaki-Kariwa nuclear power station
(KKNPS), the world’s largest generation capacity of 8,212MWe, was near the center
of a 6.8 Richter scale earthquake. The earthquake is known as the Niigataken-
Chuetsu Oki Earthquake (NCOE). All the essential nuclear safety functions, automatic
shutdown, cooling and containment, worked as designed, and all the nuclear reactors
shut down safely. While all seven units at the site have remained safely shut down,
TEPCO continues inspections and safety evaluations of these plant facilities, including
a thorough geological survey to establish a new design basis ground motion. As of
September 2010, TEPCO has completed and resumed commercial operation for unit
6, 7 and 1. Unit 5 is expected to follow soon as of September 2010.
Although the observed acceleration of the NCOE exceeded the design value for dynamic
seismic force, the quake generated forces applied to safety significant SSCs
were of about the same strength as the design basis, taking into account the static
seismic force which is required to be set at three times the strength of general facilities.
Other conservatisms were already embedded in the design process, and the
safety significant SSCs possessed sufficient design margin that kept the facilities and
their safety functions intact.
TEPCO is determined to strengthen its nuclear power stations with added seismic
safety and emergency preparedness and committed to sharing the lessons learned
with the nuclear community worldwide. (Presentation Only)
1:55 PM
Development of Seismic Risk Evaluation Model for New Nuclear
Power Plant
Kohei HISAMOCHI, Daisuke TANIGUCHI, and Shingo ODA
Hitachi-GE Nuclear Energy, Ltd., Ibaraki-ken, Japan
Seismic isolators have been studied and applied to the basic design of a nuclear power
plant to improve the seismic capacity and design standardization. As an alternative
approach, diversified mitigation systems have been also considered to withstand the
common load from earthquakes. While these two options are considered, a seismic
risk evaluation model has been developed and the seismic margin has been evaluated
to assess the effectiveness of seismic isolators and/or diversified mitigation system.
In this study, plant level HCLPF (High Confidence - Low Probability of Failure) accelerations
have been calculated by using seismic margin analysis methodology. Firstly,
the simplified seismic risk evaluation model has been developed for ABWR (Advanced
Boling Water Reactor) as the base configuration. The ABWR has three divisional safety
systems for core cooling and decay heat removal. Each division has a high pressure
injection system, a residual heat removal system, and support systems including
diesel generator system. Then, the risk evaluation model has been expanded to
model the configuration of IC (Isolation Condenser) and passive containment cooling
systems, which have relatively large pools on the upper part of the building, as the
diversified mitigation systems.
Using this model and generic fragility parameter values, the plant level HCLPF accelerations
have been quantified to compare the seismic isolator case, diversified mitigation
systems case, and the combination case. As a result of margin analysis, these
cases have larger margin than base case. According to the sensitivity analyses, it is
indicated that the scope of the capacity increase in case of the seismic isolator and the
capacity of the additional systems are important to increase the seismic margin.
Throughout this model development and demonstration of margin calculation, we
have discussed the applicability of this seismic risk evaluation model to choose a
seismic isolator option in the view point of the seismic risk.
Seismic PSA - 1
2:20 PM
Addressing Accident Sequence Over-Counting in the Kernkraftwerk
Mühleberg Seismic PSA
R.F. Kirchner (a), E.T. Burns, V.M. Andersen (b), O. Zuchuat and Y. Bayraktarli
(c)
a) RFK Dynamics, Inc., Niskayuna NY, b) ERIN Engineering and Research, Inc., Campbell, CA, c) BKW
FMB Energie AG, Kernkraftwerk Mühleberg, Mühleberg, Switzerland
Due to the high conditional failure probabilities that can occur given seismic initiating
events, the quantification approximations typically employed in Seismic Probabilistic
Safety Assessment (SPSA) models result in significant over-counting of accident
sequence frequencies. Over-counting of sequence frequency by a factor of ten or
more has been observed during the quantification of seismic models using algorithms
which employ the rare event or minimum cutset upper bound (MCUB) approximations.
This can occur when the constituent basic events of a system or functional gate in
the model sum to greater than one due to high basic event failure probabilities. This
paper describes the methods developed to reduce seismic sequence overcounting via
use of “AND-NOT” modeling as well as the Advanced Cutset Upper Bound Estimator
(ACUBE) computer code.
2:45 PM
Use of Seismic PRA for Risk-Informed Decision Making by
Utilities and Regulatory Agencies
Robert J. Budnitz (a), Nilesh C. Chokshi (b), and M.K. Ravindra (c)
a) Lawrence Berkeley National Laboratory, University of California, Berkeley CA, b) US Nuclear Regulatory
Commission, Rockville MD, c) MK Ravindra Consulting, Irvine CA
The methodology for seismic PRA (SPRA) has existed for over three decades, over
which time it has evolved and matured, like the rest of PRA. It has been applied at
several dozen nuclear power plants worldwide. SPRA has been used to support riskinformed
decision-making to upgrade the safety of existing plants, to help prioritize
which proposed backfits are most urgent , to help regulatory agencies like he USNRC
and international agencies like the IAEA to develop regulations and regulatory guidance
related to seismic risk, to support the prioritization of safety research projects,
and to develop insights into the overall seismic risk from an individual plant and from
an entire fleet of plants. In this latter role, it has been the principal vehicle for informing
decision-makers and the general public about the risk from earthquakes at a typical
nuclear plant. What emerges from the ensemble of SPRAs is that typically the seismic
part of the overall reactor risk is a major contributor, sometimes dominant, almost
always important, although sometimes negligible. However, seismic PRA is subject to
a major misconception on the part of some PRA analysts who can be heard continuing
to profess the view that SPRA is not mature enough for routine use for risk-informed
applications. This view is inconsistent with the current status of the SPRA methodology
and its uses in regulatory and plant-specific applications. This paper describes the
evolution of the SPRA methodology and its components, and provides examples of
some specific applications.
23

24
Session Chair: David Johnson
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Salon B
1:30 PM
On Considering Safety Culture and Probabilistic Risk Assessment
Charles T Ramsey (a), David H Johnson (b), and C. Richard Grantom (c)
a) Oak Ridge National Laboratory, Oak Ridge, TN, b) ABS Consulting, Irvine, CA, c) STP Nuclear Operating
Company, Wadsworth, TX
The current generation of nuclear power plants operating in the United States has
an impressive safety record. This record is a result of successful design, effective
regulation and, perhaps most importantly, skilled operating staff. When compared to
their original design and operation, today’s plants have undergone hardware modifications,
procedure improvement and changes in operation to help achieve this success.
Application of modern probabilistic risk assessment methods and the integration of
risk analysis in the form of risk-informed regulation and into operations have been
central to improving safety. Probabilistic assessment provides the bases for estimating
the risk at commercial nuclear power plants; direct actuarial data is not sufficient.
A number of assumptions – both explicit and implicit – underpin PRA. These include
assuming, for example, the plant design meets the general design criteria, various
industry standards, the safety limits and the limiting system safety settings. It is also
assumed that plant is managed and operated in a safety-focused environment. This
last aspect can be thought of as ‘safety culture.’ These assumptions together describe
an envelope outside of which the results of the PRA, and therefore risk management
programs based on the PRA, may no longer be valid. In recent years, much progress
has been made in investigating the nature of an effective safety culture, including attempts
to measure changes in this environment. This paper explores the relationship
of safety culture to PRA focusing on how plant-specific safety culture analyses relate
to effective risk-management programs. (Presentation Only)
1:55 PM
Development of Safety Culture Assessment Model Using
Safety Culture Maturity Model and 4P-4C MATRIX
Cheol SHEEN and Dae-Wook CHUNG
Korea Institute of Nuclear Safety, Daejeon, Republic of Korea
It has been assumed that safety culture is one of the fundamental elements to maintain
safety of nuclear facilities and to achieve safety goals in the nuclear industries. Safety
culture assessment is indispensible factor to diagnose safety culture deficiencies of
organization and to advance level of safety culture. However, the intrinsic attributes
of culture have been an obstacle to measure level of safety culture quantitatively and
objectively. Therefore, we tried to make a nuclear safety culture assessment model
applying the safety culture maturity model and 4P-4C matrix to evaluate the inherent
characteristic of safety culture quantitatively with maintaining objectivity. The safety
culture maturity model is proposed by Professor Patrick Hudson who improved Ron
Westrum’s model. Hudson applied the model for the organizations of oil and gas industries.
The 4P-4C model is originally developed by aerospace psychology research
group in Trinity College, University of Dublin to evaluate human and organizational
factors. As the assessment models are originated from other industries, we performed
comparison study to IAEA SCART’s model to examine the nuclear applicability. The
differences between assessment models were derived and analyzed. The analysis
study demonstrates the limitation of IAEA’s models to assess safety culture. And we
developed a 4P-4C matrix as a safety culture evaluation tool using NRC safety culture
attributes.
Safety Culture
2:20 PM
Nuclear Power: Too Risky for Risk Management? Facing the
Limits of Doublet Risk Modeling
William P. Mullins
Better Choices Consulting, Mission Hills, KS
The paper explores, from a systems perspective, inherent limitations in the current
US nuclear energy regulatory framework (i.e. NRC) owing to predication of “risk” as a
two element trade space (i.e. likelihood, consequence). For purposes of analysis the
following hypothesis is given: With the emergence of a US national energy security
risk integration space, effective portfolio risk management cannot be achieved absent
consideration of variation in scenarios upstream of all but the most general principles
of eventual technology regulation. NRC’s one-sizefits- all, and tradition-bound reliance
upon doublet risk leads predictably to unwieldy metaphysical compensating mechanisms
such as “positive nuclear safety culture” which become constraints on portfolio
risk performance improvement with no offsetting value for the exclusive investments
they require. Assumptions in the NRC’s current predication of “risk” far predate current
best practice for risk-balanced portfolio decision-making and have not been adapted to
the evolution of such practice. The author demonstrates that the management of goal
conflicts at national energy security enterprise level is necessarily more complex (i.e.
multivariate) than, and seriously at odds with, the inherently “reliability-assessment”
character of NRC’s institutional sense of “risk.” In the paper, analysis includes a comparison
with evolving concepts principles, and practices for “riskinformed decisionmaking
as practiced by NASA.
2:45 PM
Impact of Viable System Model (VSM) Type of Organizational
Concept on Safety Regulation of the Nuclear Industry
Anthony J Spurgin (a), and David Stupples (b)
a) City University of London, San Diego, CA, b) School of Engineering & Mathematical Sciences, City
University of London, London, UK
VSM is based upon a holistic concept of a cybernetic biological model for organisms.
Beer [1.] used this concept to construct a model for businesses. The VSM approach
has been used to model the interactions between the NPP utilities, INPO and the
NRC in this paper. In reality, one has to consider the competitive aspects between
economics and safety, as far as NPP managements are concerned, but the paper
focuses on safety issues in considering the equivalence between VSM and the current
state of the nuclear industry. In the context of VSM, the role of management
and outside organizations on improvements in safety culture of NPPs are considered.
Various operations within a power plant organization can be modeled in a manner
like similar autonomic functions in living animals. Such an autonomic function might
be plant maintenance, however because of safety considerations, the role of safety
culture must be considered in how they are modeled in VSM. This paper examines the
enhancement of nuclear power plant (NPP) safety based upon three aspects, namely
Regulation by US NRC, NPP self regulation and by INPO and their effectiveness. It
appears that the organization of the US nuclear power has responded to accidents by
making changes in its organizational structures. The current safety related structure,
of the inter-relationships between the NPP utilities, NRC and INPO, is compared to a
modified VSM [1.] approach. The industry’s organization seems to developed towards
a VSM approach. The paper is based upon a more detailed study made by the authors
on the impact of regulation and control on safety using a VSM approach. Under Safety
Regulations, limited safety variations are permitted under NRC rules. It is virtually
impossible to produce power without equipment or human failures. The objective is to
limit the accident consequences to values acceptable to the public. The design and
operation of the NPPs should be such as to limit radioactive releases to as low as
possible commensurate with public acceptability and this should achievable within the
rules of the NRC and the guidance and help given by INPO. How the management
structure of the industry is examined here. In order to give some context to understand
the current state of the US nuclear Industry, the paper provides a brief commentary on
the developments in safety awareness and implementation over the period from circa
1960 to present, including reference to Three Mile #2 accident and other incidents and
how these accidents and incidents have influenced the industry.

Session Chair: Ray Dremel
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 1:30 PM - Carolina
1:30 PM
Upgrade to Seabrook Station Flood Risk Assessment Summary
and Insights
Richard Turcotte and Kenneth Kiper
Seabrook Station, NextEra Energy Seabrook, LLC,, Seabrook, NH
Although the total plant risk is extremely low, the relative contribution of internal flooding
risk at Seabrook has increased based on a recent PRA update. This paper examines
the reasons for the relative change in flood risk compared to previous assessments.
The change in risk was identified through a recent revision to the internal flood
PRA, using comprehensive and systematic methods. It concludes that low frequency /
high consequence scenarios may be missed in a risk assessment that does not have
a developed methodology. The SBK 2010 internal flood PRA study was performed to
meet the latest ASME PRA Standard (specifically Part 3 regarding internal flood) and
also to take advantage of the latest available EPRI data and guidance for performing
internal flood risk assessments. The latest generic internal flood analysis guidance is
significantly more comprehensive than guidance used in the previous flood analyses.
As a result, the upgraded internal flood risk assessment evaluated over 200 flood
initiating events. Of these, all but 32 events were screened from detailed quantitative
assessment. The 32 unscreened events are included in the SBK PRA model and
quantitatively evaluated for impact on plant risk. This compares to just 3 internal flood
events evaluated in the previous model. This paper presents a summary of the upgraded
SBK 2010 internal flood risk assessment key scope and method areas. The
noteworthy differences between the previous flood study for IPE and the updated
study are summarized. The quantitative results and risk insights of the update study
are presented.
1:55 PM
Electrical Switchgear Flood Area Impact Assessment
Alexander Rubbicco and Rupert Weston
Westinghouse Electric Company, LLC, Windsor, CT
This paper examines specific topics that relate to propagation modeling and credit
for drains in assessing flood-induced failure of electrical switchgear equipment. The
design philosophy of most nuclear power plants (NPPs) is to eliminate or minimize
flood sources inside electrical switchgear areas, but total elimination of flood sources
in the Class 1E electrical switchgear areas is not always practical. Certain electrical
equipment associated with switchgears, load centers and motor control centers are
generally located within close proximity of the floor. Flood events in electrical switchgear
areas can cause complete or partial flood-induced failures of mitigating systems
causing certain flood scenarios to dominant overall plant risk. The modeling of water
propagating from an originating flood area to an adjacent flood area containing electrical
switchgear equipment is examined in this paper. A quasi-static method is used to
estimate the flow rate from the originating flood area to the adjacent area. The method
assumes that flooding loads do not cause structural failure of doors or other flood
barriers and propagation from the originating flood area to the adjacent flood areas is
achieved through door gap(s). Credit for the drain system in the adjacent flood areas
is taken into consideration in assessing the flood heights and the potential for floodinduced
failures of electrical equipment. This method is considered to be a more realistic
approach in determining the components impacted in adjacent flood areas in the
propagation path for a given scenario. Depending on the flow rate, recovery strategies
can be developed for isolating the flood source.
Flooding PSA - 1
2:20 PM
Internal Flood PRA Case Study at Exelon Nuclear’s Limerick
Generating Station for 4 Kv Safeguard Room Corridor
Philip Tarpinian (a), Robert Wolfgang (b)
a) Exelon Nuclear, Pottstown, PA, b) ERIN Engineering and Research, Inc., West Chester, PA
A newly-identified internal flooding Probabilistic Risk Assessment (PRA) scenario,
located in a 4kV safeguard corridor, having an impact on core damage frequency
(CDF) was discovered during an update of the flooding PRA model in 2008-2009. The
update of the internal flooding analysis was performed to meet the requirements of
the American Society of Mechanical Engineers (ASME) PRA standard, ASME RA-S-
2002 (and addenda and subsequent revisions). Application of recent internal flooding
criteria contained in the ASME PRA standard and an Electric Power Research Institute
(EPRI) internal flooding analysis guideline imposes different pipe rupture probabilities
and a more rigorous methodology than previously considered. This issue does not represent
a design-basis issue but rather is associated with potential plant risk insights.
The previously unidentified flooding scenario had the ability to result in the potential
loss of much of the 4 kV switchgear for Unit 1 and Unit 2. No event occurred, but the
identified potential flooding configuration had existed for approximately 10 years after
a plant modification was installed to meet licensing requirements. The plant consequences
of the identified scenario, although unlikely, could be significant, i.e., potentially
resulting in a loss of safety-related power for Unit 1 and Unit 2. Incorporation
of the new scenario into the PRA yielded a preliminary calculated increase in LGS’
CDF of 160%. However, since the overall CDF was extremely small, the calculated
increase represented a large change and therefore helped focus plant attention on the
potential consequences of a pipe break and the operator actions and plant changes
needed to mitigate this risk contributor. The risk was mitigated by implementation of a
plant modification that reduced the impacts of a potential pipe rupture and yielded a
net reduction in CDF.
25

26
Session Chair: Enrico Zio
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Azalea
3:45 PM
Reliability Prediction of Passive Systems Based on Multiple
Failure Measures Modeling
Luciano Burgazzi
Reactor Safety and Fuel Cycle Methods Technical Unit, ENEA, Italian National Agency for New Technologies,
Energy and Sustainable Economic Development, Bologna, Italy
This paper illustrates a modeling and analysis approach for reliability prediction based
on degradation modeling, considering multiple degradation measures and with respect
to the t-h (thermal-hydraulic) passive systems.
Previous research on the topic has pointed out the susceptibility of the passive system
to several modes of failure. In fact it has been recognized that a system may
have, in addition to component mechanism failures, multiple degradation paths, so it
is necessary to simultaneously consider multiple degradation measures. Also, many
research efforts on degradation analysis were initiated by making assumptions about
the degradation mechanism. In reality often there is very limited understanding about
the concerned degradation mechanisms together with their interdependencies.
In this paper, an analysis procedure is developed to address this aspect. Simulated
data have been used to illustrate the applicability of this approach. Results on the application
of the methods to a simplified model of the passive residual heat transport
system in water cooled reactors are presented.
It was verified that, when the multiple degradation measures in a system are correlated,
an incorrect independence assumption may overestimate the system reliability.
4:10 PM
Critical Issues Pertaining to the Evaluation of Passive System
Reliability
A.K. Nayak, Vikas Jain, and D. Saha
Reactor Engineering Division, Bhabha Atomic Research Centre, Mumbai, India
Passive systems are playing prominent role in the design and development of innovative
reactor systems because of generally perceived enhanced safety and reliability
on account of reduced human intervention and ample grace period for the operator
in case of accidental conditions. These systems are considered to be more reliable
than the active systems, due to their dependence solely on the natural phenomena
based on simple physical laws. However, assessing their reliability in a transparent
manner is an unresolved issue as the natural phenomena based on simple physical
laws too undergo the degradation and may not be able to fulfil the desired function for
the mission time in a satisfactory manner. Currently existing methodologies for the assessment
of passive system reliability suffer the lack of universal acceptability due to
unrealistic assumptions to account for uncertainty and over-dependence on the expert
elicitation. This paper provides a general perspective on the evolution of state-of-art
methodologies and examines the critical issues pertaining to the evaluation of passive
system reliability which need to be considered to resolve the ambiguities surrounding
the issue of passive system reliability assessment.
Passive Reliability - 1
4:35 PM
Using Importance Sampled RELAP5-3D Simulations to Evaluate
Radioactive Material Release Frequencies for the Technology
Neutral Framework
M. Denman, N. Todreas, M. Driscoll
Department of Nuclear Science and Engineering, MIT, Cambridge, MA
NUREG-1860, more commonly known as the Technology Neutral Framework (TNF),
is a risk-informed licensing process drafted by the Nuclear Regulatory Commission’s
(NRC) Office of Nuclear Regulatory Research. The TNF determines the acceptability
of accident sequences by examining the 95th percentile estimate of both the frequency
and quantity of radioactive material release and compares this value to predetermined
limits on the Frequency-Consequence Curve. Estimating the 95th percentile of frequency
and consequence of accident sequences can be difficult, as many advanced
reactors are designed to have high reliability when confronted with licensing basis
transients. While statistical techniques such as importance sampling exist to estimate
the mean and variance of an estimate, frequentist statistics does not provide insight
into the shape, and thus 95th percentile, of the distribution around that estimate. This
paper proposes that the evidence derived from importance sampling of epidemic uncertainties
in RELAP5-3D simulations may be used in Bayesian updating to provide a
posterior distribution with which a 95th percentile value can be estimated. While both
metal and oxide fuel types will be shown to meet the TNF requirements, the frequency
of radiation release for metallic fuel will be shown to be orders of magnitude lower than
that for oxide fuel.
5:00 PM
Insights from PSA Applications of the OECD Nuclear Energy
Agency (OECD/NEA) OPDE Database
Bengt Lydell (a), Alejandro Huerta (b), Karen Gott (c)
a) Scandpower Inc., Houston, TX, USA, b) OECD Nuclear Energy Agency, Issy-les-Moulineaux, France,
c) Swedish Radiation Safety Authority, Dept. of Nuclear Power Plant Safety, Stockholm, Sweden
The OECD Pipe Failure Data Exchange (OPDE) Project has established an international
database on pipe degradation and failure in commercial nuclear power plants.
During its third term of operation (2008-2011) methods & techniques for systematic
evaluation of piping service experience data have been developed and explored. Included
in the third term work scope is a conversion to an entirely web-based system
both for entering new records and also for the development of an enhanced webbased
database for the collection and evaluation of service induced pipe degradation
and failure. The lessons learned from database applications performed during the
period 1994- 2010 have been summarized in an Applications Handbook (OPDE-AH).
Included in this paper is an overview of how the application-specific database queries
are utilized to reflect unique combinations of piping reliability attributes and influence
factors that are considered for anticipated applications. Three types of applications are
considered: 1) ‘advanced application’ in support of structural integrity assessments
including fracture mechanics considerations, 2) risk-informed applications that involve
probabilistic safety assessment (PSA) considerations (e.g., internal flooding PSA),
and 3) ‘high-level’ database reviews for the purpose of simple trend analyses.

Session Chair: Jim Young
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Camelia/Dogwood
3:45 PM
Insights from Quantitative Risk Analysis Applications for Nonreactor
Nuclear Facilities
Kevin R. O’Kula
URS Safety Management Solutions LLC, Aiken, SC
U.S. Department of Energy (DOE) directives provide a deterministic approach for performing
hazards analysis at DOE’s nuclear facilities and selecting hazards controls to
provide reasonable assurance of adequate public protection. In particular, DOE Standard
(STD)-3009-94, is a “safe harbor” in terms of methodology for compliance with
Code of Federal Regulations (CFR) Title 10, Part 830, Nuclear Safety Management,
Subpart B. DOE-STD-3009-94 provides direction on the analyses that are required to
support safety basis decisions and states that the Department’s approach does not
require or expect the level of detail analysis necessary for a quantitative risk assessment
(QRA). Nonetheless, risk assessment-related polices, standards, guides, and
other controls used by other government organizations, as well as by industry, are
being evaluated by DOE and its contractors for applicability to its nuclear facilities. Ultimately,
a standards-based approach is the goal for use of risk tools, as supplements
to deterministic methods, and taking full advantage of the available risk assessment
tools, best practices, and lessons learned from across the spectrum of experienced
practitioners. In this paper, three specific QRA applications are described as potential
prototypes for supplementing deterministic approaches in DOE safety basis applications,
and include: (1) the probabilistic safety assessment (PSA) performed for the
Defense Waste Processing Facility (DWPF) at the Savannah River Site (SRS); (2) a
SEN-35-91 compliance evaluation of replacement tritium facilities at SRS; and (3) an
ongoing QRA of hydrogen events in Hanford Site’s Waste Treatment and Immobilization
Plant (WTP), as a design guidance application. (Presentation Only)
4:10 PM
Challenges Developing a FECA For a Supporting System During
Conceptual Design
Stanley H. Levinson (a), Michael W. Kelly, Salvatore J. DiGiovanni (b), and
Timothy W. Dodson (c)
a) AREVA, Lynchburg, VA, b) AREVA, Charlotte, NC, c) AREVA, Marlborough, MA
The United States (US) is participating in an international effort to design and build
the International Thermonuclear Experimental Reactor (ITER). The responsibility assigned
to the US is the design and construction of the Tokamak Cooling Water System
(TCWS). Part of this effort includes conducting a series of design optimization studies
that will ultimately include Reliability, Availability, Maintainability, and Inspectability
(RAMI) analyses, Hazard Analysis, Failure Modes, Effects, and Criticality Analysis
(FMECA), and Human Engineering. This paper discusses the FMECA approach, and
three challenges to its implementation. These are: status of the design, analysis of a
supporting system, and scope and schedule limitations. A conceptual design is not a
complete design and requires many assumptions. A FMECA performed for a supporting
system creates uncertainty when developing global and safety effects. The scope
and schedule required five analysts to divide the TCWS systems, potentially creating
inconsistencies among the FMECA tables. Work-arounds, templates, and assumptions
were used to try to ameliorate the impact of these challenges. The final FMECA
can provide high-level insights on design; it can also provide a preliminary basis for
developing operating and maintenance procedures. The conceptual design FMECA
will require significant review and modification during the transition to the preliminary
design FMECA. Nonetheless, developing the conceptual design FMECA establishes
the process, provides some insights, and creates the foundation for future work as the
design matures.
Non-Reactor PSA - 1
4:35 PM
Risk -Informing Safety Reviews for Non-Reactor Nuclear Facilities
V. Mubayi, A. Azarm, M. Yue, W. Mukaddam, G. Good, F. Gonzalez and
R.A. Bari
Brookhaven National Laboratory, Upton, NY
This paper describes a methodology used to model potential accidents in fuel cycle
facilities that employ chemical processes to separate and purify nuclear materials. The
methodology is illustrated with an example that uses event and fault trees to estimate
the frequency of a specific energetic reaction that can occur in nuclear material processing
facilities. The methodology used probabilistic risk assessment (PRA)-related
tools as well as information about the chemical reaction characteristics, information on
plant design and operational features, and generic data about component failure rates
and human error rates. The accident frequency estimates for the specific reaction
help to risk-inform the safety review process and assess compliance with regulatory
requirements.
5:00 PM
Nuclear PRA and Defense-in-Depth Insights into the Deepwater
Horizon Accident
Dennis Henneke, Matt Warner, Paul Nichols
GE Hitachi, Wilmington, NC
Nuclear Defense-in-Depth (DID) is a principle of long standing for the design, construction
and operation of nuclear reactors, and may be thought of as requiring a
concentric arrangement of protective barriers or means, all of which must be breached
before a hazardous material or dangerous energy can adversely affect human beings
or the environment. The classic three physical barriers to radiation release in a
reactor— fuel cladding, reactor pressure vessel, and primary containment —are an
example of defense-in-depth.
Probabilistic Risk Assessment (PRA) has been performed for all US Nuclear Plants,
and most nuclear plants around the world. Insights from the PRAs have been incorporated
into the plant designs. For new nuclear reactors, PRA has been used to dramatically
improve the designs and lower the analyzed plant risk prior to construction.
Oil drilling rigs used for drilling for oil in very deep water, such as the Gulf of Mexico,
have been designed using standard engineering design approaches, with improvements
made to the design over time. However, lessons learned from the Deepwater
Horizon accident have shown that the design and operation of deepwater drilling may
not be sufficient to prevent an accident. The purpose of this paper is to review the
Deepwater Horizon Accident, and provide insights to possible contributing factors and
improvements using Nuclear Probabilistic Risk Assessment (PRA) and Nuclear Defense-in-Depth
(DID) principals. While there are certainly applicable lessons learned
from this accident for the nuclear industry, this report is focused on insights from Nuclear
PRA and DID.
27

28
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Magnolia
Configuration Risk Management - 2
Session Chair: Tom Morgan
3:45 PM
Consideration of Fire Risk in Configuration Risk Management
Programs
Victoria K. Anderson (a), Bradley W. Dolan (b), Leo B. Shanley (c), Denis P.
Shumaker (d)
a) Nuclear Energy Institute, b) Tennessee Valley Authority, c) Erin Engineering and Research, Inc., d)
PSEG Nuclear LLC.
US nuclear utilities base their configuration risk management processes on guidance
found in NUMARC 93-01. The current revision of NUMARC 93-01 does not require
consideration of risk associated with potential fire initiators. The Nuclear Energy Institute
(NEI) has proposed a set of changes to NUMARC 93-01 which, if implemented,
would describe approaches that utilities could use to incorporate consideration of risk
associated with potential fire initiators into their configuration risk management and
work scheduling processes. The proposed changes would encourage development
and implementation of a focused approach involving identification of key components,
components whose removal from service could have a material impact on core damage
risk. The proposed changes to NUMARC 93-01 would also encourage development
of risk management actions to limit or mitigate the associated risk when key
components are taken out of service. In addition, enhanced communications would
be encouraged between work scheduling groups, risk management personnel, and
station personnel involved with maintaining and operating fire protection programs
and systems. This paper discusses potential approaches for identifying key components
with respect to fire risk, including an approach based on using risk information
from a fire PRA and an approach using risk information from an internal events model
combined with information from a safe shutdown equipment list. The paper also discusses
approaches for identification of possible risk management actions which could
be considered when key components with respect to fire risk are made unavailable.
In addition this paper discusses ways to ensure adequate communications between
the various affected plant organizations so that fire risk can be adequately managed.
Insights and experience gained in performing a “tabletop pilot” of a proposed approach
are also discussed. (Presentation Only)
4:10 PM
Lessons Learned in (A)(4) Compliance
Ross C. Anderson (a), Robert W. Fosdick (b)
a) Virginia Commonwealth University, Richmond, VA, b)R&B Nuclear LLC, Maidens, Virginia
Ten years after 10 CFR 50.65(a)(4) first required utilities to perform configuration
risk analysis in support of risk management, the Dominion compliance program was
reviewed to identify key lessons learned. Key points included the effort required to
sustain an effective program; the number of approaches to the regulatory action
threshold, and actual risk performance; expected and unexpected contributors to risk
significance; and regulatory experience. The conclusions are presented in a generalized
form for the benefit of the entire U.S. industry.
4:35 PM
Use of U.S. On-Line Maintenance Experience with Non-U.S.
Utilities
Ken Huffman and Stephen Hess
Electric Power Research Institute (EPRI), Charlotte, NC
U.S. nuclear power plants routinely apply on-line maintenance (OLM) to improve plant
reliability, safety and economic performance. In EPRI report 1018422 [1], which is
available to the public, we provide a detailed discussion of the U.S. experience since
the use of OLM became widespread in the mid-1990’s. Recognizing the performance
improvements achieved by U.S. plants facilitated by the use of OLM, a number of
non-U.S. nuclear utilities are exploring the expanded use of OLM in their plants. The
use of U.S. experience in initiating or expanding use of OLM by non-U.S. utilities will
be discussed in this paper.
There are several elements of the U.S. experience base that can serve as effective
models, yield valuable lessons-learned and / or can be directly adapted outside of the
U.S. These include application of risk assessment methods to plant configuration management
and the expanded use of condition based maintenance strategies to manage
the health and performance of plant structures, systems and components. However,
there are aspects of the U.S. experience base that may not be optimum for plants that
are just initiating OLM. In the U.S., plant work practices and organizations are structured
to support a large amount of maintenance that can be performed on-line. Adoption
of these practices and organizational structures may not be optimum in all cases;
particularly if limited OLM activities are to be conducted. To support non-U.S. plants in
initiating or expanding their use of OLM, EPRI has developed a phased approach that
is effective for different quantities and complexity of OLM activity.
5:00 PM
Optimizing Planned Maintenance and On-Line Risk
Gerry W. Kindred
Curtiss-Wright/Scientech, Madison, OH
Title 10 of the Code of Federal Regulations (CFR), Part 50.65(a)(4) provides an allowance
for performing plant maintenance during power operations. A key aspect to
this provision is to assess and manage risk prior to taking risk-significant equipment
out-of-service. Four principles govern optimization of planned maintenance with respect
to nuclear risk; 1) ensuring nuclear safety (CDF/LERF) by understanding the
impact of equipment unavailability, including combinations of equipment, 2) managing
risk (CDP/LERP) by limiting the duration equipment is unavailable, 3) maximizing
the efficiency and effectiveness of the plant staff and other resources by integrating
risk-insights into the work management schedule, and 4) by identifying the impact of
work by effectively communicating to the plant staff. Several components to optimizing
planned maintenance include integration of PRA risk-insights into the work management
process, a process to evaluate scenarios (what-ifs), and a real-time assessment
tool (e.g., Safety Monitor, EOOS, etc.). To optimize maintenance it is important that
PRA insights begin early in the process, i.e., approximately twelve weeks or more in
advance of the workweek. What-if capability is important to allow the Planner/Scheduler/PRA
Engineer to move work activities around in the schedule early in the process
to best determine how to minimize the overall instantaneous risk (CDF) as well as the
overall cumulative risk (CDP). Another aspect of optimizing maintenance is to provide
the plant operator with real-time capability of assessing risk. Real-time capability allows
for unplanned conditions, such as severe weather to be taken into account with
planned activities, in addition to providing allowance for the dynamics of a complex
schedule involving several risk-significant activities to be performed simultaneously.
Both qualitative and quantitative approaches must be considered to manage the risk
associated with on-line maintenance activities. A review of the as-performed workweek
can provide additional risk-insights that may prove beneficial in the future. Integrating
lessons-learned will strengthen the on-line risk program significantly if risk-insights are
included. The performance of the on-line risk assessment need not be performed by a
PRA Engineer; however, prudence dictates inclusion of the PRA Staff commensurate
with the magnitude of risk (CDF/LERF) associated with a given workweek schedule.
Optimization of on-line maintenance cannot be performed effectively without integration
of PRA.

Session Chair: Robert Budnitz
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Salon A
3:45 PM
Seismic PRA Modeling and Quantification Approaches
Andrea Maioli (a), Martin W. McCann, Jr. (b), David J. Finnicum (c)
a) Westinghouse Electric Company LLC, Cranberry Township, PA, b) Jack R. Benjamin & Associates,
Inc., Menlo Park, CA, c) Westinghouse Electric Company LLC, Windsor, CT
The inter-relationship between component and system fragilities and hazard curves
is a defining characteristic of a Seismic Probabilistic Risk Assessment (S-PRA) and
dictates the unique needs for both modeling and quantification techniques and tools
associated with this specific hazard group. In this paper, S-PRA modeling and quantification
techniques are discussed in the framework of the current S-PRA trend of
developing one comprehensive and integrated plant system model and performing
hazard-fragility integration over all ground motions for the full plant model. Given the
current inability (or at best difficulty) of the majority of the PRA software packages to
fully integrate seismic hazard and fragility curves, the preferred S-PRA modeling and
quantification approach would require a breakdown of the hazard curves into a limited
number of intervals, and the offline integration of hazard and fragility curves for each
interval. This is the only approach that would allow a “one-top” fault tree linked model
including seismic hazard. The need for an improved seismic modeling and quantification
approach as applied to S-PRA is discussed considering the importance of the
seismic hazard to support risk-informed applications. In addition, the seismic risk profile
as a function of the characterization of earthquake ground motions (e.g., PGA or
SA), is binned into the same limited number of intervals into which the seismic hazard
curve is broken down. This approach potentially adds uncertainties and unnecessarily
complicates the risk analysis quantification. A more integrated quantification approach
for the integration of the hazard and fragilities and quantification of seismic risk is herein
discussed that would; not require an apriori breakdown of the hazard and fragility,
properly (seamlessly) addresses event successes in the quantification process, and
provide a set of results of higher intrinsic value not only for the PRA end-user, but for
the system analyst, seismic design and qualification engineers, with the possibility of
identifying not only the CDF and/or release frequencies as a function of the parameter
used for seismic event characterization but also potentially seismic sequence, system
and plant level fragility curves.
4:10 PM
A Comprehensive Database Application to Support Seismic
PSA Modeling
Silvio T. Sperbeck, Michael Türschmann (a), Matias Krauß (b)
a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Berlin, Germany, b) Bundesamt für
Strahlenschutz Postfach, Salzgitter, Germany
The German PSA Guideline and its technical document on PSA methods published
in 2005 require probabilistic safety analyses (PSA) to be carried out in the frame of
periodic safety reviews for nuclear power plants. This also includes a seismic PSA
(SPSA) forsites with design earthquake intensities exceeding the value VII (MSK or
EMS scale). Based on the specifications in the PSA Guideline, a comprehensive
database is conceived, which can be used for performing and applying
SPSA. can be also applied as a tool in the frame of SPSA reviews for
all queries regarding the plant specific SPSA to be evaluated. Some enlargements
and concretions of the requirements in the PSA Guideline were implemented to ensure
an adequate quality as well as the traceability and reproducibility of a SPSA.
Therefore, a two-stage screening process of structures, systems and components
(SSC) is developed that may be used to compile and complete the seismic equipment
list (SEL). Moreover, the seismic robustness of allSSC of the SEL can be evaluated
with respect to their safety significance. In addition, a general model is developed for
modeling dependencies of seismic failures for different SSC. It is planned to configure
for an automatic parameter transfer (e.g. fragilities of all SSC of the
SEL and correlation parameters for the description of seismic dependent SSC failure
behavior) in order to quantify the plant model for arbitrary seismic intensities. The
paper outlines the detailed structure of the database. The application of
during accomplishment of the SSC screening process, for description and
modeling of dependencies and, finally, for quantification of the plant model is elucidated
by means of selected examples.
Seismic PSA - 2
4:35 PM
Methods for Seismic Analysis Using Riskspectrum
Ola Bäckström and Johan Sörman
Scandpower - Lloyds Register, Sundbyberg, Sweden
Seismic analysis requires that the PSA model must be able to represent some specific
reliability parameters. These are representation of the hazard and fragility curve. This
paper will describe one method for performing seismic analysis using RiskSpectrum,
within the existing framework. The focus will be:
• To enable basic understanding of how seismic PSA model is developed in
RiskSpectrum
• How is it related to the existing PSA model for internal initiating events
• How are seismic hazard and fragility data input into RS model
• How seismic risk is (in terms of CDF) quantified with RS
The paper will describe how the extended uncertainty definition in RiskSpectrum can
be used to perform uncertainty analysis. To facilitate the seismic analysis a new module
is also being developed. The module will include representation of all necessary
elements within a seismic analysis. This paper will also describe the ideas and methods
for this new seismic module.
5:00 PM
Advanced Quantification Methods Applied to Seismic Risk
Assessment
Ken Canavan, Jeff Riley
Electric Power Research Institute, Palo Alto, CA
Until recently, one of the key limitations in a Seismic Probabilistic Risk Assessment
(PRA) has been quantification of the seismic logic model itself. While the quantification
or calculation of the model is similar to the calculations required for an internal-events
PRA, the seismic assessments add unique challenges to the calculations of very large
models.
Over that last several years, enhancements to quantification tools and techniques
to address each of these issues have been made. A significant enhancement has
been the development of an advanced quantification method and associated tool (Advanced
Min Cut Upper Bound Estimator (ACUBE)). Previous to the development of
this method, the calculation of the plant risk was subject to conservatisms that could
lead a plant to over-state the risk and thus inappropriately determining the significance
of various plant systems, structures and components as well as plant configurations
and operations.
The advancement in the quantification methods allows for the effective removal of
over- approximation for the dominant cutsets. The dominant cutsets typically contain
the largest magnitude overstatement in the results. In addition, successive model runs
can also establish event importance for the seismic model.
29

30
Session Chair: Mike Lloyd
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Salon B
3:45 PM
Risk Communication: A PRA in Your Pocket?
Greg Krueger (a), Duane Wilson (b)
a) Exelon, b) ERIN Engineering & Research, Inc., Walnut Creek, CA
Today, PRA results are used in a wide variety of utility decision-making settings. One
of the key challenges for the PRA community today is the communication and adoption
of risk management principles within a utility organization. Unfortunately, in many
cases, the understanding of PRA and PRA results is limited to the PRA organization.
As the PRA has become a key input to utility and regulatory decision-making, there is
an increasing need to expand the level of understanding outside of the cubicles of the
PRA engineers and into the broader utility organization. In order to help communicate
risk results within the organization many utilities have adopted a four quadrant poster.
Typically, these posters include information on initiating events, systems, and operator
actions. While beneficial, these posters are static and leave much to the interpretation
of the reader. Furthermore, while they do serve to raise the visibility of risk within
the organization, they are often out-of-sight-out-of-mind and not available to support
all levels of decision-making. Two utilities have embarked on an effort to deploy this
information electronically, in order to facilitate more timely and complete communication
of risk information across the utility organization. The vehicle for this is a mobile
‘app’, Risk VisualizerTM. Risk VisualizerTM provides access to the PRA results poster,
and more, on a real-time basis, in the palm of your hand via a Smart Phone or other
mobile device. To date, it has been successfully deployed on Blackberry, iPhone, and
iPad devices to support use across the entire utility organization. This will allow all
organizations to have access to the information on demand, as well as more detailed
data and explanations of the data. (Presentation Only)
4:10 PM
PSA Insights of the New Nuclear Power Plants
Andrija Volkanovski
Ljubljana, Slovenia
PSA Knowledge Management - 2
Four designs of generation III+ pressurized water reactors were analyzed in the framework
of the project entitled “Safety characteristics of potential reactors for JEK 2”. The
project was done at the Reactor Engineering Division of the Jožef Stefan Institute for
the Slovenian utility. The analyzed designs selected as potential designs for construction
of the second unit at the Krško Nuclear Power Plant are: Westinghouse AP1000,
AREVA EPR, Mitsubishi APWR and ATMEA1 from AREVA and Mitsubishi.
The goal of the project was identification and description of the safety characteristics
of analyzed reactor designs. The identification of safety characteristics was based on
description of the structures, systems, components and their integral performance
given in the design documentation of the vendors. The identification was supported
by the review of the safety analyses including the Probabilistic Safety Assessment
(PSA) organized according to the classifications of the U.S. Nuclear Regulatory Commission.
The paper presents results of the review of the PSA section of the Final Safety Analysis
Report of the corresponding designs. The obtained results include identification
and description of the usage of PSA in design phase for the decrease of the risk
measures and elimination of the significant risk contributors. The obtained results for
the risk indices, namely the core damage frequency and large release frequency are
identified and compared against each other and against requirements of the regulator.
The comparison with the currently operating nuclear power plants is done and the
major contributors to the decrease of the risk indices are identified.
4:35 PM
Development of Entergy Fleet PSA Guidance Documents for
Model Development
Loys Bedell and John Bretti
Entergy Services Inc., Jackson, MS
Entergy Nuclear is a large diverse nuclear fleet that consists of nine nuclear sites and
two regional headquarters offices. The PSA models for these plants were generally developed
and maintained separately until the early 2000’s. Therefore, much of the organizational
learning and best practices from one site were not implemented at another
site due to time constraints, plant demands, lack of communication, or lack of expertise.
In 2007, Entergy Nuclear management requested that guidelines be developed to
standardize PSA processes and to better address the requirements of the ASME PSA
Standard. Twelve guidelines were scheduled to be developed. These guides were
based on the nine major Full Power Internal Events (FPIE) ASME Standard elements
with additional guidelines for Loss of Offsite Power analyses, Risk Monitor development,
and Uncertainty Analysis. The majority of these guidelines were scheduled to
be completed by the end of 2008. These guidelines had to be developed while still
meeting the model update schedules, IPEC License Renewal, and various plant PSA
applications. In addition to the compressed schedule for developing these guidelines,
the completion of these reports were complicated by other factors. The amount of
detail necessary for the guidelines was a significant challenge. More detail would likely
force some plants to make major changes to the models or the documentation with
unacceptable impacts on model update schedules. However, some amount of detail
is necessary to help new PSA engineers in performing these tasks. The PSA software
tools were generally consistent across the sites (all sites use CAFTA for fault tree
modeling). However, other methodologies and tools varied throughout the fleet. These
variations are acceptable within the ASME Standard and had to be accounted for in the
guidelines. Despite the compressed schedule and the significant challenges and compromises
necessary, the PSA guidelines were able to be completed and have been
useful to both the experienced and new PSA engineers across the Entergy Nuclear
fleet. The guideline development has also fostered more cooperation between the two
regional offices and has led to more discussions and sharing of information across
the fleet.

Session Chair: Richard Turcotte
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Monday March 14, 2011 - 3:45 PM - Carolina
3:45 PM
Methodology for Parsing Cumulative Rupture Frequencies for
Internal Flood Initiators
Robert J. Wolfgang
ERIN Engineering and Research, Inc., West Chester, PA
EPRI data for pipe rupture frequencies published in 2006 subdivided the flooding flow
rates into three major categories, namely sprays (< 100 gpm), general floods (between
100 and 2000 gpm), and major floods (> 2000 gpm). For large capacity water
systems, it was customary to assign the maximum flooding flow rate to the major
flooding frequencies. However, this was overly conservative in that it did not recognize
that a range of equivalent break sizes (EBS) were possible that could give rise to
much lower flow rates. The revised EPRI pipe rupture frequencies developed in 2010
propose a methodology to parse the rupture frequency for pipe ruptures of varying
sizes that give rise to corresponding flow rates, which in essence subdivide the categories
into any desired range of flow rates. For example, the rupture frequencies for
a given break size or larger are presented in the 2010 EPRI report, and can be parsed
to represent a particular frequency or likelihood for a given range of break sizes, and
hence range of flow rates. The methodology presented in this paper was applied to
the Fire Protection system at a particular nuclear plant in order to provide three ranges
for major flooding flow rates in order to provide a greater opportunity for isolation and
mitigation response instead of assuming the maximum flow rate for a single rupture
frequency, which tends to minimize the time available for mitigation.
4:10 PM
A Method to Identify and Calculate the Frequency of High Energy
Line Break-Induced Flooding Events
Raymond Dremel, Russell Sharpe, Todd Reichardt (a), Jayne Ritter, Dave
Malek (b)
a) Maracor Software & Engineering, Inc., Batavia, IL, b) Xcel Energy, Prairie Island Nuclear Plant, Welch,
MN
In a qualification to supporting requirement (SR) IFSN-A6 of ASME/ANS RA-Sa-2009,
Regulatory Guide 1.200, Revision 2 states that the effects of high energy line breaks
be considered in flooding analyses in order to meet Capability Category II. An evaluation
of the turbine building at the Prairie Island Nuclear Generating Plant (PINGP)
identified the potential for break in a high energy line to impact another system and
initiate flooding from a source in addition to the system that experienced the initial
break. Because high-energy line break-induced flooding was being Authors’ names,
use et al. if more than 3 Page 2 of 6 considered in the significance determination
process (SDP), there was a need to determine an initiating event frequency for these
HELB-induced floods so that their impact on core damage frequency (CDF) could be
assessed. Little documentation of factors affecting HELB-induced flooding events was
available and data to support any numerical evaluations of initiating event frequency
was even more sparse than the other documentation. Because hundreds of potential
interactions between high energy lines and lines with the potential to cause significant
flooding existed, detailed evaluations such as finite element analyses for each potential
interaction were impractical. Therefore, it was necessary to develop a method to
identify potential HELB-induced flooding events, determine potential flooding effects
from each event, and quantify frequency for each event. This paper details the method
used to develop and quantify the HELB-induced floods for events in the PINGP turbine
building. The method used a set of assumptions that, when taken as a group, result
in a consistent and easily reproducible method. The method can be used to limit the
high energy piping that must be considered as contributing to HELB-induced floods
and gives a basis for eliminating the need for detailed stress or finite element analyses
of high energy pipe. This method provides a reasonable estimate for HELB-induced
flooding initiating events consistent with the qualification of Regulatory Guide 1.200
to use conservative assumptions. The method makes use of the latest published pipe
break data from the Electric Power Research Institute (EPRI)
Flooding PSA - 2
4:35 PM
Effects of Alternative Leak Detection Methods on Internal
Flooding Initiating Event Frequencies in Flooding PSA
Russell Sharpe
Maracor Software & Engineering, Inc., Louisville, TN
It is not unusual for the initial quantification of an internal flooding PSA to result in
sequences that offer an unreasonably high contribution to the overall core damage
frequency. Typically, such sequences are analyzed further and conservatisms are removed.
Such analysis might include replacing HEP screening values with detailed
HRA values, applying directional factors to spray events, or performing detailed flow
calculations to obtain a less conservative picture of flood propagation. If such analysis
still does not provide reasonable results, leak detection methods may be credited.
The most well-known methods of leak detection include non-destructive examination
(NDE) and system leak surveillance. Non-destructive examination typically involves
ultrasonic testing of pipe walls to detect hidden flaws in the piping material. The frequency
of such NDE can vary but is commonly performed every 10 years. System leak
surveillance programs usually involve visual examination of the piping for leaks. It is
important to note that visual examination in the context of this paper includes actual
inspection of the piping itself and not simply a search for pools of water on the floor
due to a leaking pipe. The frequency of such leak surveillance can vary, but typically
more credit is awarded as the frequency increases. For service water and fire protection
system piping, crediting such alternative leak detection methods typically results
in an order-of-magnitude reduction in the initiating event frequency and, therefore, the
CDF contribution. For some very large pipe breaks the reduction can be two orders of
magnitude. The application of such leak detection factors eliminates conservatism and
results in a more realistic result.
5:00 PM
Enhanced Piping Reliability Models for Use in Internal Flooding
PSA
Bengt Lydell (a), Ali Mosleh, and Danielle Chrun (b)
a) Scandpower Inc., Houston, TX, b) University of Maryland, ENGR-Mechanical Engineering, College
Park, MD
The likelihood of a pipe flaw propagating to a significant structural failure (SF) is expressed
by the conditional failure probability pSF|DC where “DC” represents degraded
condition. With no service data available to support a direct statistical estimation of the
conditional probability the assessment can be based on probabilistic fracture mechanics
(PFM), expert judgment, or a combination of service data insights, expert judgment
and PFM. Different PFM algorithms have been developed, but with a focus on fatigue
growth and stress corrosion cracking. There remain issues of dispute with respect
to reconciliation of results obtained through statistical estimation versus the physical
models of PFM, however. Results from studies to benchmark PFM calculations against
field experience have shown PFM computer codes to over-predict pipe failure rates
by more than an order magnitude relative to statistical estimates of field experience
data. In general, the results obtained with PFM computer codes are quite sensitive
to assumptions about weld residual stresses, crack growth rates, and correlations of
crack initiation times and growth rates. In earlier applications a simple Beta distribution
formulation has been used to estimate the conditional probability of flood modes. The
main issue with assuming a prior Beta distribution is the estimation of its parameters.
Several “constrained” approaches have been proposed. Methods to determine the
parameters of the prior Beta distribution include: the method of moments, the PERT
approach or the Pearson-Tukey approach. In the absence of data, non-informative
priors appear to be a straightforward solution. However, there is often a good knowledge
on one constraint, such as the mean probability. The approach described in this
paper is the use of a constrained non-informative prior. This approach seems to be
especially relevant to situations where limited failure data are available to assess the
probability that a structural failure occurs, given a degraded condition. In the Pearson-
Tukey approach a subject matter expert (SME) is asked to provide the 5th, 50th, 95th
percentiles (noted C05, C50 and C95, respectively) and these statistical estimates are
used to determine the parameters of a Beta prior distribution. Included in this paper are
the results from practical applications of the Pearson-Tukey approach to estimating
conditional flood modes for Service Water piping.
31

32
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 8:00 AM - Grand Ballroom
Plenary Session II
George Apostolakis - US NRC Commissioner
The Honorable George Apostolakis was sworn in as a Commissioner
of the U.S. Nuclear Regulatory Commission (NRC) on April 23, 2010, to a term ending on
June 30, 2014.
Dr. Apostolakis has had a distinguished career as an engineer, professor and risk analyst.
Before joining the NRC, he was the Korea Electric Power Corporation professor of Nuclear
Science and Engineering and a professor of Engineering Systems at the Massachusetts
Institute of Technology. He was also a member and former chairman of the statutory Advisory
Committee on Reactor Safeguards of the NRC.
In 2007, Dr. Apostolakis was elected to the National Academy of Engineering for “innovations
in the theory and practice of probabilistic risk assessment and risk management.” He has
served as the Editor-in-Chief of the International Journal Reliability Engineering and System
Safety and is the founder of the International Conferences on Probabilistic Safety Assessment
and Management. He received the Tommy Thompson Award for his contributions to improvement
of reactor safety in 1999 and the Arthur Holly Compton Award in Education in 2005 from the American Nuclear
Society.
Dr. Apostolakis has published more than 120 papers in technical journals and has made numerous presentations at
national and international conferences. His research interests include the use of Probabilistic Risk Assessment (PRA) in
reactor design; uncertainty analysis; decision analysis; infrastructure security; risk-informed and performance-based regulation;
human reliability; and risk management involving multiple stakeholders. He has edited or co-edited eight books and
conference proceedings and has participated in many PRA courses and reviews.
Dr. Apostolakis received his diploma in electrical engineering from the National Technical University in Athens, Greece in
1969. He earned a master’s degree in engineering science from the California Institute of Technology in 1970 and a Ph.D.
in engineering science and applied mathematics in 1973, both from the California Institute of Technology.

Session Chair: Bill Burchill
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Azalea
9:00 AM
A Probabilistic Physics of Failure Approach to Prediction of
Steam Generator Tube Rupture Frequency
Kaushik Chatterjee and Mohammad Modarres
Center for Risk and Reliability, Department of Mechanical Engineering, University of Maryland College
Park, PA
In probabilistic safety assessments of pressurized water reactors, it is imperative to
assess the potential and frequency of steam generator tube rupture failures. Estimation
of frequency of steam generator tube ruptures has traditionally been based on
historical occurrences, which are not applicable to new designs of steam generators
with different geometries, material properties, degradation mechanisms and thermalhydraulic
behaviors. This paper presents a new probabilistic mechanistic-based approach
for estimating steam generator tube rupture frequencies that is based on the
principle that failure of passive systems is governed by degradation or unfavorable
conditions created through the underlying operating conditions and underlying mechanical,
electrical, thermal, and chemical processes. As opposed to using the historical
data for reliability prediction, the developed probabilistic physics-offailure based
approach identifies, probabilistically models, and simulates potential degradations in
new and existing steam generator designs to assess degradation versus time, until
such degradation exceeds a known endurance limit. An example application of proposed
probabilistic physics-of-failure based reliability prediction approach has been
presented for a new design of steam generators consisting of helical tubes and more
advanced tube material. The developed probabilistic physics-of-failure based approach
when combined with probabilistic safety assessment techniques can provide
an effective tool for the evaluation of safety and reliability of steam generators, particularly
new steam generator designs used in advanced reactors.
Passive Reliability - 2
9:25 AM
Passive System Accident Scenario Analysis by Simulation
Francesco Di Maio (a), Enrico Zio (a,b), Tao Liu and Jiejuan Tong (c)
a) Energy Department, Politecnico di Milano, Milano, Italy, b) Ecole Centrale Paris and Supelec, Chatenay-Malabry
Cedex, France, c) Institute of Nuclear and New Energy Technology, INET
Tsinghua University, Beijing, China
In this paper, a simulation framework of analysis is presented aiming at evaluating the
safety performance of the Residual Heat Removal system (RHRs) of the Chinese High
Temperature Gas- Cooled Reactor – Pebble Bed Modular (HTR-PM) under uncertain
operation conditions, and components and equipments failures. A transparent and fast
model of the passive system has been implemented in MATLAB to reproduce the
three-interconnected natural circulation trains of the RHRs, for removing the residual
heat of the reactor core after a reactor shut-down. The model is characterized by
a one-dimensional mono-phase moving fluid, whose operation is based on thermalhydraulic
(T-H) principles. The model is coded into a Monte Carlo (MC) failure engine
for sampling single and multiple components faults at random times and of random
magnitudes. Accidental transients of the system are simulated, highlighting equipment
contribution to system failure.
33

34
Session Chair: Paul Amico
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Camellia/Dogwood
9:00 AM
Development of a Generation Risk Assessment Model for a
Fossil-Fueled Power Station
Thomas A. Morgan (a), Wayne Crawford and Frank Rahn (b)
a) Maracor Software & Engineering, Inc., Middletown, MD, b) Electric Power Research Institute, Palo
Also, CA
Generation Risk Assessment (GRA) has been used at several US nuclear power
plants to estimate the frequency of a plant shutdown or power reduction due to equipment
failures or plant configuration changes. A GRA model would also be of value to
fossil-fueled stations by identifying key contributors to plant unreliability and can assist
maintenance planning by highlighting inter-system relationships.
A GRA model was developed for a coal-fired power station. EPRI’s Equipment Out of
Service (EOOS) software was used to provide the user interface to the model. The
likelihood of a plant shutdown or power reduction of greater than 10% within two hours
of a failure or adverse plant configuration change was considered. About 25 systems
were modeled, including steam cycle systems, coal handling systems, boiler systems,
combustion air and ash handling systems, and various plant support systems.
Simplified system models were developed, using generic failure estimates for major
components. System interdependencies were modeled and plant conditions were
considered that could affect operation (such as winter conditions, the quality of the
coal, etc.). Status panel displays were developed to graphically display system/component
status, and to provide an easy-to-use interface for staff to input component and
alignment status changes.
The plant staff plans to use the GRA model to assist in the review of proposed maintenance
work during daily planning meetings. The software’s graphical system status
display will be helpful to the shift supervisor. Lastly, the tool can be used to assist in
the training of new plant personnel.
Non-Reactor PSA - 2
9:25 AM
Study of Risk Assessment Programs at Federal Agencies and
Commercial Industry Related to the Conduct or Regulation of
High Hazard Operations
Robert A. Bari (a), Samuel Rosenbloom and James O’Brien (b)
a) Brookhaven National Laboratory, Upton, NY, b)U. S. Department of Energy, Washington, DC
In the Department of Energy (DOE) Implementation Plan (IP) for Defense Nuclear
Facilities Safety Board’s Recommendation 2009-1, the DOE committed to studying
the use of quantitative risk assessment methodologies at government agencies and
industry. This study consisted of document reviews and interviews of senior management
and risk assessment staff at six organizations. Data were collected and analyzed
on risk assessment applications, risk assessment tools, and controls and infrastructure
supporting the correct usage of risk assessment and risk management tools. The
study found that the agencies were in different degrees of maturity in the use of risk
assessment to support the analysis of high hazard operations and to support decisions
related to these operations. Agencies did not share a simple, “one size fits all”
approach to tools, controls, and infrastructure needs. The agencies recognized that
flexibility was warranted to allow use of risk assessment tools in a manner that is commensurate
with the complexity of the application. The study also found that, even with
the lack of some data, agencies’ application of the risk analysis structured approach
could provide useful insights such as potential system vulnerabilities. This study, in
combination with a companion study of risk assessment programs in the DOE Offices
involved in high hazard operations, is being used to determine the nature and type of
controls and infrastructure needed to support risk assessments at the DOE.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Magnolia
Configuration Risk Management - 3
Session Chair: Ross Anderson
9:00 AM
A Method of Implementing NEI (A)(4) Fire Risk Guidance
Edward Parsley and Leo Shanley
ERIN Engineering and Research, Inc., West Chester, PA
Since November, 2000, Licensees have been using their Configuration Risk Management
programs to meet federal regulation 10CFR 50.65(a)(4). These programs
generally evaluate risk of internal events quantitatively with supporting qualitative assessments.
Regarding External Event Risk, the NRC has stated that it would be acceptable
for the industry to add only internal fire hazards to the (a)(4) program, and
can be accomplished by [generally] following the guidance provided by NEI in June
2006. Although the guidance has not yet been endorsed by the NRC, NEI-sponsored
pilot efforts have been undertaken to demonstrate possible methods. In general, the
approach will be qualitative, which is consistent with the NEI guidance. One such
pilot’s method for addressing fire risks in (a)(4) will utilize the plant’s fire PRA to focus
attention and risk management actions to fire scenarios for which there is no mitigation
available.
This presentation discusses one such pilot’s method for addressing fire risks in (a)
(4). The method utilizes the plant’s fire PRA to focus attention and risk management
actions to fire scenarios for which there is no mitigation available. An overview of the
equipment scoping methodology will be described, and will include discussion of issues
encountered. Additionally, the presentation discusses items to consider when
identifying Risk Management Actions for candidate fire scenarios. Finally, the presentation
highlights items to consider when implementing this approach with a risk
monitor, with examples using the PARAGON software.
9:25 AM
On Crediting a 10CFR50.54(X) Proceduralized Operator Action
in SONGS PRA Used for Maintenance Rule (A)(4) Risk Assessments
Parviz Moieni, Michelle P. Carr, and Dean R. Goodwin
Southern California Edison
The purpose of this paper is to discuss an issue that was raised recently by the NRC
residents at San Onofre Nuclear Generating Station (SONGS) with regard to crediting
a 10CFR50.54(x) operator action in PRA used for Maintenance Rule (MR) (a)(4) risk
assessments. The operator action is to manually cross-tie an emergency diesel generator
(EDG) from one unit to the same train EDG of the other unit. The EDG manual
cross-tie credit for the baseline PRA was not challenged because this is a feasible,
proceduralized, and trained-on operator action. There were three key questions associated
with this issue: 1) is the risk impact on the opposite unit assessed correctly, 2) is
it clear in the EOIs that this is a last resort action, and 3) are there adequate risk management
actions in place when an EDG is taken OOS? Following many discussions
with the residents, the region SRAs, NRC headquarters’ PRA staff, other utilities, and
NEI, the use of EDG cross-tie for MR (a)(4) risk assessments remained acceptable
given some procedural changes are made. These included addition of formalized risk
management actions to the MR (a)(4) procedure and a note to the SBO EOI informing
the operators that the preferred strategy for restoring AC power is from the switchyard
or unit specific EDGs. The 10CFR50.54(x) EDG cross-tie action should be utilized after
normal actions have been proven unsuccessful, or Safety Functions are challenged
by being in danger of becoming not satisfied.
35

36
Session Chair: Raymond H Gallucci
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Salon A
9:00 AM
A Comparison of the MQH Method and CFAST for Scoping
Fire Modeling
Tom Elicson
WorleyParsons Polestar, Inc., Hudson, OH
The EPRI/NRC fire PRA methodology presented in NUREG/CR-6850 recommends
using the method of McCaffrey, Quintiere, and Harkleroad (MQH) for hot gas layer
Zone of Influence (ZOI) calculations as part of Task 8: Scoping Fire Modeling.
Compared to measured temperatures for prototypical cable spreading room fires with
a peak heat release rate of 1 MW (International Fire Model Benchmarking Exercise
# 3, Tests 2 and 3), the MQH method shows errors relative to the measured gas
temperatures from 47% to 1190%. In contrast, CFAST shows errors of less than 1%,
which is within the expanded uncertainty of the temperature measurements.
The MQH method deviation from experimental data increases as the room ventilation
size decreases. Yet for totally enclosed rooms, NUREG/CR-6850 recommends using
the MQH method with a 0.5” high leakage path. With this approach, the error relative
to measured temperatures is 1190%.
Benchmark results suggest that the MQH method is inadequate for predicting smoky
layer temperatures for closed compartments as part of the fire PRA scoping fire modeling
task. In contrast, CFAST provides reasonable predictions of gas temperature
and appears to be a better choice for smoky layer ZOI scoping calculations.
Fire PSA Methods - 2
9:25 AM
Development and Application of a Large Scale Fire Dynamics
Simulator Model for BWR Reactor Building Fire Scenarios
Jeffrey Miller
Reliability & Safety Consulting Engineers, Inc. , Knoxville, TN
To gain a more realistic evaluation of fire scenarios in a BWR reactor building, a sophisticated
Fire Dynamics Simulator (FDS) model was created that would simulate as
close as possible the actual building openings, passages, and structural features of
the entire building. The result was a FDS model of approximately 40 meters (131 ft) in
diameter and approximately 55 meters (180 ft) in height. From the completed model,
various large fire scenarios were evaluated with significant result improvements from
other more bounding estimations or other model simulations that only focused on portions
of the building structure size. In addition to use on this project, the same FDS
model can be utilized for other future scenario evaluations throughout the building
structure in a very easy manner by adding a new fire source to the base building model
and performing the evaluations. Data is captured through the use of FDS outputs as
well as added outputs for temperatures at various building locations, and presented
using graphical plots for easier, clearer understanding of estimated room temperatures
and potential component impacts. While it is vital to capture details as close as possible
to the actual structure and fire scenario being modeled, as well as to not make
gross over assumptions, ever present resource limitations must be managed. Key
model development efficiencies were gained by using a model construction approach
similar to solid three dimensional CAD modeling rather than typical piece by piece
FDS modeling. Model simulations were able to be made overnight with approximately
twelve (12) hour run times while staying within the suggested FDS model grid size using
an off the shelf multi-processor server style computer. Lessons learned and future
work suggestions will also be discussed.

Session Chair: Earl Page, Ian Wall
9:00 AM
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Salon B
History of Nuclear PSA
The two presentations in this session cover the history of development of probabilistic risk (safety) assessment (PRA or
PSA) and its application to domestic US nuclear power plants. It actually begins before publication of WASH 1400, considered
to be the birth of PRA, and continues through the early development and acceptance stages to the long saga of
specific application to real power plant situations and regulatory application. Key milestones in policy and development are
cited together with specific examples to help realistically portray this four decade story.
37

38
Session Chair: Parviz Moieni
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 9:00 AM - Carolina
9:00 AM
Simulator Use in Support of Human Reliability Analysis –
Where do we stand?
Vinh N. Dang
OHSA/D16, Paul Scherrer Institut, Villigen, Switzerland
Full-scope simulators are the primary means to observe operating crews responding
to most of the major accident scenarios treated in the Probabilistic Safety Assessments
of nuclear power plants. Worldwide, many plants operate plant-specific
simulators, where they are an essential element of training. With regard to HRA, such
simulators offer the means to conduct the walk-throughs of key operator actions as
recommended in the THERP guidance (NUREG/CR-1278), and much more. They are
frequently used to characterize the demands of the operators’ tasks, to estimate typical
values of the time taken to perform tasks, and to determine the plant information
available during the scenario evolution. Although some of this information is used as
input to (some) HRA quantification methods, simulator observation remains primarily
a support for qualitative analysis. This paper will examine the outlook and issues
for more extended use of simulator studies and data for HRA. To what extent are
the limitations inherent? Which sources of potential biases are of most concern and
what can be done about them? What are some features of a state-of-the-art simulator
study methodology? The paper will draw on the broader results and implications recent
efforts, in particular on the International HRA Empirical Study and the NEA CSNI
WGRISK work related to HRA data (Nuclear Energy Agency, Committee on the Safety
of Nuclear Installations, Working Group on Risk Assessment).
Human Reliability Analysis - 2
9:25 AM
Human Error Probabilities Derived From German Operational
Experience -Methodology and Results-
Wolfgang Preischl
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching, Germany
The results of German PSA studies for nuclear power plants and their uncertainties are
considerably affected by the assessment of human reliability. According to the German
PSA Guideline and its supplementary documents on PSA methods and data, databases
containing data gained with the ASEP and THERP methodologies shall preferably
be used to provide error probabilities for human actions. The amount of these data is
too limited to evaluate all human actions considered in a modern state-of-the-art PSA
adequately. The recommended data are not sufficiently validated and rely as well as
the proposed uncertainty bounds on expert judgment.
The paper summarizes the investigations of GRS on human performance data collection
and data evaluation during the past three years. In order to derive human error
probabilities from the available operational experience from reportable events occurred
in German nuclear power plants almost 6000 events have been reviewed. More
than 100 events with human errors have been screened out as potential candidates for
the application of the Bayesian methodology. The method of Bayes is widely accepted
to calculate error rates and error probabilities of mechanical and electrical components
based on the error frequencies observed within samples taken from operational experience.
To get suitable samples describing human reliability it is necessary to know
with sufficient accuracy the number of opportunities for an error, the number of errors
really occurred and the relevant performance shaping factors. Approximately 50 % of
the identified candidates have been sufficiently reinvestigated and evaluated with the
Bayesian methodology.
The calculated probabilistic data are establishing the first human reliability database
derived from the German operational experience. They have been used to validate
recommended human error probabilities as well as to review predicted impact of performance
shaping factors (e.g. ergonomic features or stress), to extend the amount
of available data (e.g. activities out of main control room) and to get some preliminary
data to cognitive tasks (e.g. to remember knowledge). Finally, the paper outlines the
next steps of the ongoing project. All remaining candidates will be evaluated and a new
approach for using human performance experience from events below the reporting
threshold will be developed and tested.

Session Chair: Bulent Alpay
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Azelea
10:05 AM
Reliability of the EPR Fuel Pool Cooling System Using a Dynamic
Approach
Marie Sordelet (a), Mohamed Hibti (b)
a) EDF SEPTEN, Lyon, France, b) EDF R&D, Clamart, France
One of the important issues for PSA analysis is to fully consider safety systems with
their dynamic behaviour and the possibility to include operational properties and procedures.
In the static traditional approach, it is not easy to introduce such dynamic
phenomena in a the event tree model and one may need to use some dynamic framework
to solve such problems. In this paper, we consider the Boolean Markov Driven
Processes (BDMP) to model a safety system of a nuclear power plant. The main
objective is to model functional dependencies, component recoveries, time dependant
or conditional failures/recoveries and the possibility to use special congurations with \
extra”-alignments. Thanks to a declarative knowledge based tool, these features can
be embedded in such models in a compact form that may be instantiated in dierent
ways with respect to the conguration or state of the system. Indeed, the BDMP
framework allows to dene such dynamic models using a fault-tree like construction
with interesting mathematical properties. In particular, the possibility to reduce the
combinatorial explosion problems inherent to Markov models. This allows to quantify
the models and get the dierent reliability measures in reasonable times. The dynamic
approach oered by the BDMP is particularly useful to model very redundant systems
such as FA3 EPR FCPS (Fuel Pool Cooling System). The FCPS consists in three
trains: two identical main trains, each equipped with two pumps in parallel, and a
third train, fully independent. The complexity of the dependencies between each line
can only be apprehended by a dynamic model and the BDMP allows a more realistic
approach to model accident scenarios. The BDMP model of the FCPS as well as the
reliability results obtained are presented in this article.
10:30 AM
Data Processing Methodologies Applied to Dynamic PRA: an
Overview
Diego Mandelli, Alper Yilmaz and Tunc Aldemir
The Ohio State University
The use of dynamic event trees (DETs) can serve as a powerful tool for the dynamic
probabilistic risk assessment (DPRA) of nuclear power plants. The DETs have the
capability to more accurately model the complex interactions and events which may
occur during a transient. One of the challenges of DPRA through DETs is the management
of the resulting very large data sets. Hence, the need for a methodology able
to handle high volumes of data in terms of both cardinality (due to the high number
of uncertainties included in the analysis) and dimensionality (due to the complexity of
systems) arises. Hierarchical and partitional clustering methodologies are compared
and evaluated with regard to their potential to analyze large scenario datasets generated
by DETs using several different data sets.
Dynamic PSA - 1
10:55 AM
A Monte Carlo Algorithm for Dynamic PSA Based on the Concept
of Stimulus
A. Jourdain and P.E. Labeau
Université Libre de Bruxelles (CP 165/84), Brussels, Belgium
The theory of probabilistic dynamics (TPD) was first introduced in order to overcome
some of the limitations of the classical PSA methodology, by incorporating the coupling
between the deterministic evolution of the process variables and discrete stochastic
transitions in the delineation process of accident sequences. The Stimulus-Driven
Theory of Probabilistic Dynamics (SDTPD) enriches the TPD framework by modeling
in a finer fashion the competing process defining the next branching in an event tree.
Each possible next event is modeled as a two-stage process: first, a so-called stimulus
must be activated, i.e. conditions necessary for the event to take place must be satisfied;
then a delay must elapse before the actual event occurrence.
An analog Monte Carlo game can easily be implemented to solve these problems.
Yet it usually turns out to be inefficient, as rare scenarios with potentially high damage
are not or insufficiently sampled. To tackle this issue, an innovative algorithm properly
uses the outputs of a pre-simulation of the mother branch of the event tree and the
SDTPD to sample more systematically various types of branching events out of this
mother branch. Compared with a classical analog simulation, this new algorithm leads
to a better identification of rare sequences and a more accu-rate estimation of their
frequency. This method is illustrated on a pressurization transient in con-tainment. Different
sampling methods of branching points along the mother branch are considered
and their efficiency compared with that of the analog Monte Carlo game.
39

40
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Camellia/Dogwood
Next Generation Reactor PSA - 3
Session Chair: Matthew Warner
10:05 AM
Containment Source Terms in SFR Accidents
M. Umbel, A. Brunett and R. Denning
The Ohio State University, Columbus, OH
In order to support the demonstration of a risk-informed approach to the design optimization
of an SFR, it was necessary to make realistic estimates of the consequences of
severe accident scenarios. This paper describes the database and assumptions used
to estimate the magnitude and characteristics of representative containment source
terms for characteristic accident scenarios. The reference plant design is a 1,000 MWt
pool-type design with metallic fuel. An integrated analysis tool comparable to MEL-
COR does not exist for SFR accident scenario analysis that is capable of predicting
radionuclide release and transport and the assessment of offsite doses. In order to
perform the analysis of an entire sequence, it was necessary to write a computer
code, RCS, that could examine the in-pool aspects of the release and transport of
radionuclides. The offsite consequences for the different scenarios are presented in a
companion paper that examines containment transport processes and environmental
release.
10:30 AM
Containment Processes in Sodium-Cooled Fast Reactor Accidents
A. Brunett, W. Wutzler and R. Denning
Department of Nuclear Engineering, The Ohio State University, Columbus, OH
In order to support the demonstration of a risk-informed approach to the design optimization
of an SFR, it was necessary to make realistic estimates of the consequences
of severe accident scenarios. This paper describes the containment transport, deposition
and release to the environment of radionuclides escaping the sodium pool region
in characteristic scenarios as calculated by the MELCOR code. The models used in
the development of these containment source terms are described in a companion paper.
The reference plant design is a 1,000 MWt pool-type design with metallic fuel and
a conventional dry containment. The offsite dose at one mile from the plant boundary
is calculated using conservative meteorology for scenarios involving different modes
of failure of the primary system and the containment system. For perspective, the conditional
probability of early fatalities within one mile and latent cancer fatalities within
ten miles was calculated with the MACCS code for each scenario. Comparisons are
made with the NRC’s Quantitative Health Objectives.
10:55 AM
Risk-Informed Approach for Design of Korean Demonstration
Fusion Reactors
Gyunyoung Heo, Myoung-suk Kang (a), Young-seok Lee and Hyuck Jong
Kim (b)
a) Kyung Hee University, Yongin-si, Gyeonggi-do, South Korea, b) National Fusion Research Institute,
Yusung-gu, Daejeon-si, South Korea
The Korean fusion technology roadmap is aggressively pushing ahead the realization
of a demonstrative-scale fusion power plant (FPP) around 2030. While many of the
critical design parameters are not technically verified and the regulatory requirements
are, therefore, not specified, it is generally agreed that engineering phases should be
initiated to create a design framework and prioritize related R&D needs. For fusion
technology to settle down as an industry, radiological safety should be guaranteed
even though the risk from fusion reactors may not be as serious as that of the fissionbased
power plants. On the other hand, excessively controlled regulation may delay
commercialization and make generation cost higher. Conventionally the deterministic
approach has been primarily utilized to evaluate nuclear safety. On the other hand,
the application of the probabilistic approach is being emphasized for, particularly, advanced
fission-based reactors. This technical trend should be applicable to FPPs. This
study articulates the conceptual design of the Korean demonstration FPP under the
framework of a risk-informed design. We aimed at (1) embracing uncertainties in selecting
design parameters, (2) investigating the list of initiating events, and (3) evaluating
design weaknesses. Due to technical status and the lack of available failure data,
the qualitative aspect was focused. In this study the principles of axiomatic design
were followed to setup a bare-bone FPP, and a risk-informed approach based on fault
trees, event trees, and failure modes & effects analysis were conducted to determine
the list of initiating events and scenarios.
11:20 AM
Partitioning of LOCA Initiating Event Frequencies to Support
PRA Modeling of Debris-Induced Failure of Long Term Core
Cooling Via Recirculation Sumps
David S. Teolis, Heather L. Detar, Robert J. Lutz, Jr., and Rachel A. Solano
Westinghouse Electric Company LLC, Cranberry Twp., PA
Generic Safety Issue GSI-191 identified that the methodology used for assessing containment
sump screen debris loading at Pressurized Water Reactor (PWR) nuclear
power plants may not be conservative. All PWR licensees have been required to reassess
their design basis for long term core cooling (LTCC) and make necessary
modifications. NEI 04-07 provided a conservative methodology for assessing PWR
sump screen performance and the impact on LTCC. These studies were acceptable
for conservative design basis assessments; however, a probabilistic risk assessment
(PRA) model was necessary to enable utilities to model the potential for debris-induced
failure of LTCC and to allow for the determination of the risk significance of any nonconformances
to their licensing basis. A probabilistic risk assessment model for debrisinduced
LTCC was developed, as reported in WCAP-16882-NP Revision 1, based on
the conservatisms, margins and uncertainties in the licensing basis methodology and
provides implementation guidance. Changes to the PRA are recommended prior to
implementation of the debris-induced LTCC model to permit development of a model
that more realistically represents the potential for failure of LTCC due to debris generation.
A key part of the recommendations in the WCAP was to use decreasing failure
probabilities for failure of LTCC as loss of coolant accident (LOCA) size decreases. A
general exception to this guidance was made for those plants that have determined
that some smaller breaks are within the limiting breaks assessed for the licensing basis.
For example, some plants have a small line directly above the containment sump
screens where transport of all of the debris generated by the break is highly likely. In
such cases, a higher probability for failure of LTCC should be used for that portion
of the small break initiating event frequency represented by the limiting pipe break
location. A separate small break initiating event should be defined and assessed for
that break location. No guidance was provided in the WCAP on how to partition the
initiating event frequency (IEF). This paper discusses two methods that could potentially
be used to partition the total IEF in such instances based on pipe dimensions.
The first method is based on the assumption that the conditional probability of a break
within a specific portion of pipe is proportional to the total length of pipe that a break
could occur in. The second approach is based on a methodology, referred to as the
“Thomas-approach”, which was developed several years ago in the United Kingdom to
estimate the frequency of pipe leaks and catastrophic failures. An example is provided
that demonstrates application of both methods and compares the results between the
two methods. Extension of this partitioning approach to more general applications is
also discussed for cases where it may be beneficial to partition LOCA IEFs based on
the impact on mitigating equipment such as accumulators in legacy plants or passive
safety systems in advanced plants.

Session Chair: James Liming
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Magnolia
10:05 AM
Methodology to Rank BOP Components at STP
Fatma Yilmaz and Ernie Kee
South Texas Project Electric Generating Station, Wadsworth, TX
STP developed a categorization process to aid in communicating the overall importance
of components. The components are ranked under Graded Quality Assurance
(GQA) program with input from STP PRA model. The GQA program is approved by
Nuclear Regulatory Commission (NRC) under 10CFR50.69. Components are also
ranked under Plant Generation Risk (PGR) categorization process communicating
components’ importance in supporting maximum electrical generation output. Categorization
for both processes is performed by an Integrated Working Group. Currently,
the Integrated Working Group uses heuristics for PGR ranking. This process can be
improved by using the STP Balance of Plant Performance Predictor (BOPPP) model
to provide ranking of the components it models (those that have a potential to lead
to a power reduction event including turbine trip, manual shutdowns and reduced
power operations) [1]. In this article, it is proposed to rank equipment modeled in STP
BOPPP for PGR using the triggering event probabilities [2] and the consequence of a
failure in terms of dollar amounts. The results of this ranking process has been used
for creating a poster for the maintenance shop at STP. Results of this application are
summarized for some components in production-critical systems.
10:30 AM
An Improved Generation Risk Assessment (GRA) Model Considering
Degradation of Components in a Nuclear Plant
M.I. Jyrkama and M.D. Pandey (a), S.M. Hess (b)
a) Department of Civil and Environmental Engineering, University of Waterloo, Waterloo, Ontario, Canada,
b) Electric Power Research Institute, West Chester, PA
The objective of generation risk assessment (GRA) is to predict the potential economic
losses from forced outages and derates due to equipment degradation and
failure. The primary challenge with the current GRA approach is the inability to model
explicitly any temporal changes in the underlying parameters or processes, i.e., failure
rates are assumed to be constant over time.
This paper illustrates how time-dependent equipment reliability and availability information
can be integrated with a system reliability model to quantitatively predict
the generation risk associated with various operating and maintenance scenarios,
including life extension and refurbishment. The analysis is performed in a standard
spreadsheet based on the cut set output and basic event information from a fault tree
program. The impact of aging degradation can be modeled separately for each component,
assuming the events are independent. In order to capture the joint contribution
of equipment failure and unavailability to generation risk, new risk-based importance
measures are also developed based on the concept of net present value.
The developed methodology is applied to the risk assessment of the main turbine/
generator system at a nuclear station. The results of the study readily demonstrate
the benefits and cost-savings realized from the integrated GRA methodology, and
also the resulting improvement in flexibility and long range stability of the budget for
plant improvement.
Generation Risk Assessment
10:55 AM
GRA Model Development at Bruce Power
R. Parmar and K. Ngo (a), I. Cruchley (b)
a) AMEC NSS Limited, Toronto, Ontario, Canada, b) Bruce Power, Tiverton, Ontario, Cananda
In 2007, Bruce Power undertook a project, in partnership with AMEC NSS Limited, to
develop a Generation Risk Assessment (GRA) model for its Bruce B Nuclear Generating
Station. The model is intended to be used as a decision-making tool in support of
plant operations. Bruce Power has recognized the strategic importance of GRA in the
plant decision-making process and is currently implementing a pilot GRA application.
The objective of this paper is to present the scope of the GRA model development
project, methodology employed, and the results and path forward for the model implementation
at Bruce Power. The required work was split into three phases. Phase 1
involved development of GRA models for the twelve systems most important to electricity
production. Ten systems were added to the model during each of the next two
phases. The GRA model development process consists of developing system Failure
Modes and Effects (FMEA) analyses to identify the components critical to the plant
reliability and determine their impact on electricity production. The FMEAs were then
used to develop the logic for system fault tree (FT) GRA models. The models were
solved and post-processed to provide model outputs to the plant staff in a user-friendly
format. The outputs consisted of the ranking of components based on their production
impact expressed in terms of lost megawatt hours (LMWH). Another key model output
was the estimation of the predicted Forced Loss Rate (FLR).
41

42
Session Chair: Marina L Röwekamp
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Salon A
10:05 AM
Post-Processing Franc Results to Determine Fire Risk Importance
Measures and Uncertainty
David Miskiewicz
Progress Energy, Raleigh, NC
FRANC is a software tool developed as part of the EPRI Risk and Reliability workstation
for quantifying fire PRAs. It is a scenario based tool that computes conditional core
damage probabilities (CCDP) for individual scenarios. The CCDPs can be combined
with predetermined ignition frequencies and non-suppression probabilities to produce
scenario core damage frequencies (CDF). The individual scenario results contain cutsets
that use the same basic event names but with different values as determined by
the sequence. For example, depending on the scenario, the same basic event can be
set to 1.0 (failed), 0.6 (hot short induced spurious), or retain the base random failure
probability. The cutsets may also use the same initiating event name although each
scenario can have a unique frequency. These factors prevent the analyst from simply
combining the scenario cutsets for evaluation. An additional software tool is needed to
facilitate the combining of scenario results into a single cutset file such that the traditional
CAFTA analysis tools can be used to determine various importance measures
and uncertainty. A prototypical software tool has been developed for this purpose. This
paper presents details of the issues and challenges for the PRA analyst, development
and use of the software, and relevant findings.
10:30 AM
Progress Energy Fire PRA: Putting Our Tools to Work Use of
Linked Databases in Development of the Progress Energy
HNP Fire PRA
Ricardo Davis-Zapata
Progress Energy, Raleigh, NC
For the pilot NFPA805 submittal for Harris Nuclear Plant, Progress Energy developed
a set of linked database tools to bring together the data necessary to process the Fire
PRA. This linked database method is being implemented with development of our
subsequent Fire PRAs, providing consistency among the fleet for creation of the Fire
PRAs as well as simplifying the process for future PRA updates. The linked database
format is based on creating a series of tables, queries, and visual basic coding to link
each of the Fire PRA data gathering tasks, Safe Shutdown Analysis, cable routing
information, and the Fire PRA model.
The linked database method is expected to facilitate many applications, including
future updates to the Fire PRA. Updates to data can be as simple as adding new
lines to the linked tables and re-running the associated queries. This also simplifies
sensitivities, by allowing the data to be treated in aggregate as well as with individual
modeling. Progress Energy’s utilization of the linked databases allows us to put our
tools to work for us.
Fire PSA Methods - 3
10:55 AM
Cooper Nuclear Station Fire Risk Evaluations – Insights and
Challenges
Ole Olson (a), Stephen P Meyer (b), Jim Chapman (c)
a) Nebraska Public Power District, Cooper Nuclear Station, Brownsville, NE, b) Scientech, Curtiss Wright
Flow Control, Madison, OH, c) Scientech, Curtiss Wright Flow Control, Lake Mary, FL
Cooper Nuclear Station (CNS) is a single unit BWR 4. A Fire PRA was developed, using
guidance from NUREG/CR-6850, Frequently Asked Questions (FAQs) and recent
EPRI technical evaluations, such as fire ignition frequency updates. The fire PRA was
developed to support the NFPA 805 project and other risk informed initiatives. Detailed
fire modeling, cable and circuit analysis and Human Reliability Analyses (HRA) were
needed to achieve results which were not clearly extraordinarily conservative. The
results achieved are believed to be conservative but a factor of 5 to 10; and there are
plans to further refine the results as Industry and NRC research and development
programs provide improved methods and data in areas including fire frequency, fire
development and propagation, heat release rate and detection and suppression. Even
though the results are conservative, the insights obtained are being successfully used
to evaluate variances from deterministic requirements (VFDRs) and support identification
and evaluation of potential safety enhancements.
Each VFDR is evaluated using a risk informed approach which considers the calculated
change in risk if the VFDR was eliminated, as measured by delta CDF and delta
LERF and defense in depth and safety margin. The paper discusses the approach to
evaluating VFDRs in the fire risk evaluations (FREs) using the fire PRA. For a sample
of VFDRs critical aspects of the evaluation, such as reviewing the base case fire PRA
for sufficiency for evaluating the VFDR case and the compliant case, changes needed
and the insights and sensitivity of results to alternative assumptions or model refinements,
where performed, will be provided. Finally the challenges in conducting the
analyses, including lessons learned are provided.
11:20 AM
Summary of Fire PRA Development Activities at Kewaunee
Power Station
John Spaargaren (a), Francisco Joglar (b)
a) Dominion Resources Services, Millstone Power Station, Waterford CT, b) SAIC, Mclean VA
Kewaunee Power Station is currently transitioning to NFPA 805. This process includes
the development of a Fire PRA. The fire PRA is currently in the final quantification
stages of its development process. The Fire PRA has been developed following the
guidance in NUREG/CR-6850 and subsequent supplemental material. The purpose of
this paper is to describe the Fire PRA development activities including: 1. The use of
the EPRI’s Fire Modeling Database. This topic includes description of the data collection
process, the fire modeling analysis to complete key input fields in the database,
and the development and automation of input tables to the FRANX software. 2. The
description of the quantification process including treatment of single compartment,
multi-compartment, main control room scenarios and individual fixed ignition source
fire scenarios.

Session Chair: Doug True
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Salon B
PSA Knowledge Management - 3
10:05 AM
Procedures and Tools Comparing PSA in the Frame of Periodic
Safety Reviews
Joachim Herb and Joachim von Linden
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching b. München, Germany
Different procedures and tools have been developed by GRS for improving efficiency
and comprehensibility of PSA review tasks. They are based on the database interface
of a widely applied PSA software tool using SQL queries and the scripting language
Ruby. Changes in fault and event trees are identified and presented as “difference
graphs” by drawing an overlay of the fault/event trees of the different versions and
flagging the differences. It is also possible to trace the influence of changes of a specified
fault tree to all corresponding TOP-gates, to the affected function events and
event trees. For a given fault tree an “expanded” view can be created consisting of all
fault trees connected to it by transfer gates either “upwards” to all affected TOP-gates
or “downwards” to the basic events. Another feature of the GRS tools is the merging
of data from different sources such as specifications of basic events (e.g. failure rates,
test intervals, repair times). For quantifying the changes in the core damage frequency
(CDF) between different versions of a PSA the quantitative differences are split up in
contributions by the changes of the initiating event frequencies, changes in the modeling
of fault trees and event trees respectively, as well as changes in the reliability data
for the basic events.
10:30 AM
Using a Modern PRA Documentation System to Facilitate Review
Ola Bäckström, Wei Wang and Johan Sörman (a), Andrea Maioli (b)
a) Scandpower - Lloyds Register, Sundbyberg, Sweden, b) Westinghouse Electric Company LLC, Cranberry
Township, PA
The PRA documentation is written to make the PRA traceable and understandable.
The documentation is normally very comprehensive, since it shall cover several different
purposes. The main purpose is that the study shall be possible to understand
and reproduce.
A review, and especially a peer review process, shall make sure that the study meets
some defined criteria. It can be a tedious task to verify that the requirements are met
due to that the verification of a specific task may be spread over several documents.
A review is also normally done with restrictions in time. Therefore, due to the comprehensiveness,
the limitations in time and the need to focus on the correct things – the
existing PRA documentation should be improved to facilitate PRA review.
This paper proposes a dynamic PRA documentation and presents features and advantages
of the new system, and discusses how it can help in PRA review.
43

44
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 10:05 AM - Carolina
Human Reliability Analysis - 3
Session Chair: Luca Podolfillini
10:05 AM
Pre-Initiator HRA using the PRA Standard
Joshua Beckton, Barbara Baron, Stephen Nass (a), William Etzel and Jason
Hall (b)
a) Westinghouse Electric Company LLC, Cranberry Township, PA, b) First Energy Nuclear Operating
Company, Shippingport, PA
Pre-initiator Human Failure Events (HFEs) occur when an operator fails to return
equipment to its Normal System Alignment (NSA) during calibration, maintenance, or
test activities. Pre-initiator HFEs result in the unavailability of equipment/functions included
in the Probabilistic Risk Assessment (PRA). There are two types of pre-initiator
HFEs: (1) instrument miscalibrations and (2) system/train misalignments following
maintenance or test activities. Human Reliability Analysis (HRA) is used to determine
the pre-initiator Human Error Probabilities (HEPs). This paper presents a method and
assumptions applied to identify HFEs and quantify pre-initiator HEPs for the Beaver
Valley Power Station, a Westinghouse Electric Company LLC designed plant with two
units, which occur during maintenance or test activities. The method of identifying
potential misalignments to be included in the PRA as pre-initiator HFEs involved a
process of assigning each PRA component manipulation from the maintenance or test
activity to a category representing a specific criterion. Pre-initiator HFEs that occur
due to instrument miscalibrations are addressed in common cause failure rates [1].
The method considers the supporting requirements included in the ASME/ANS PRA
Standard [2]. The Technique for Human Error Rate Prediction (THERP), as included in
the EPRI HRA Calculator, Version 4.1.1 [3] is used to quantify the pre-initiator HEPs.
The results show that when the method is applied to identify pre-initiator HFEs for
each unit, a similar number of HFEs are identified for each unit. 12 pre-initiator HFEs
were identified for Unit 1, and 13 pre-initiator HFEs were identified for Unit 2. The
HEPs ranged between 3.80E-06 and 1.30E-03 for Unit 1 and between 2.00E-07 to
1.30E-03 for Unit 2. Per NUREG-1792 [4], pre-initiator HEPs should typically fall between
1.00E-02 and 1.00E-05, and HEPs outside that range should be justified. Further
review of the application indicated that when using the THERP as included in the
EPRI HRA Calculator, HEPs that were outside of the typical range involved infrequent
tests (i.e., 18 months) with frequent position verification checks (i.e., monthly). The
difference between these two intervals results in relatively few chances for misaligning
equipment with a far greater number of opportunities to identify the misalignment and
minimize the duration. Thus, the low HEPs were justified.
10:30 AM
Post-initiator Human Reliability Analysis and Documentation
Approach for Atypical Accident Scenarios
Charlene Greene, Raymond J. Dremel (a), Jayne Ritter & Dave Malek (b)
a) Maracor Software and Engineering, Maple Valley, WA, b) Prairie Island Nuclear Generating Plant,
Welch, MN
A significance determination process (SDP) evaluation of turbine building flooding for
Unit 1 and Unit 2 at the Prairie Island Nuclear Generating Plant (PINGP) identified the
need to perform a detailed post-initiator human reliability analysis (HRA) for actions
that are anticipated to be taken as a result of pipe breaks in the turbine building that
would cause a reactor trip and also cause a failure of the plant equipment required
to mitigate the event. Three broad categories of human failure events were created:
flooding events resulting from random pipe breaks, flooding events resulting from
high energy line break (HELB) interactions with other plant systems, and seismicallyinduced
dual unit flooding events. Documentation is essential in the creation of any
human failure event (HFE), however when modeling highly unusual situations, the
documentation is often as important as the numerical value obtained. Further, communication
between the main control room (MCR) operators and the turbine building
operators is essential to the successful outcome for many of the flooding scenarios
analyzed. Because this communication affects a specific response, it is an important
consideration when ensuring the HFE reflects the as-operated plant. Finally, assessing
each HFE for reasonableness within categories of events as well as a comparison
of events across categories is a useful check to ensure the human error probabilities
(HEP) generated are reasonable, given the context. This paper will discuss a documentation
approach used to analyze atypical accident scenarios, identify considerations
for ensuring that the HFE reflects the as-operated plant, and present insights
from interviews with control room personnel, turbine building operators, training, and
security.
10:55 AM
Calculation of Human Error Probabilities for Initiating Event
Fault Trees
Loys Bedell
Entergy Services Inc., Jackson, MS
As the Probabilistic Risk Assessment technology grows and the uses for the technology
increase, the ability to calculate the likelihood of support system initiating events
has become a more important and more detailed. One of the issues in developing detailed
initiating event fault trees is the calculation of human error probabilities. Detailed
initiating event fault trees generally include operator actions for aligning redundant
equipment to prevent an automatic or manual reactor scram. Initiating event-related
interactions, the so-called Type B human errors, have not been explicitly addressed
in most human error techniques. This paper discusses the use of post-initiator human
error techniques for calculating the Type B human errors developed for the River
Bend support system initiating event fault trees. Similar to the post-initiator event, the
operator actions to prevent an initiating event will be evaluated based on the cues
that indicate a problem, the available procedural guidance, and other performance
shaping factors. However, some of the performance shaping factors may not be applicable
to Type B actions. The stress from the accident mitigation will generally not
be present for these support system initiating events. In many instances, the plant will
be trending various performance measures, such as increases in pump vibration or
gradual degradation in heat exchanger performance that will result in a swap from one
train to another. This paper will review some of the similarities and differences in the
performance shaping factors for post-accident events and provides some insight into
how the post-accident HRA techniques can be applied with caution to develop the human
error probabilities for initiating event fault trees. Entergy Nuclear is a large diverse
nuclear fleet that consists of nine nuclear sites and two regional headquarters offices.
The PSA models for these plants were generally developed and maintained separately
until the early 2000’s. Therefore, much of the organizational learning and best practices
from one site were not implemented at another site due to time constraints, plant
demands, lack of communication, or lack of expertise.
11:20 AM
Re-Writing Fire Response Procedures to Reduce Fire Response
Human Failure Event Probabilities
Thomas J. Asmus
EPM Inc., Risk Solutions Division, Hudson, WI
Fire response procedures describe what actions an operator may need to perform in
order to ensure a credited path exists for safe shutdown. These procedures are not
typically written to mimic existing Emergency Operating Procedures (EOP) and may
be written as a guidance document. In many cases, the equipment that is credited for
the safe shutdown path in fire areas is not listed along with instrumentation that may be
needed in order to confirm proper equipment operation. Actions contained within the
procedure are also not ordered such that time sensitive actions may not be performed
before other actions that have a much longer time frame. With these shortcomings in
mind, calculation of an acceptable fire response Human Failure Event (HFE) is very
challenging
A method to remove these shortcomings is to re-write the fire response procedures
into a format with which operators are more familiar. Fire response procedures can
be re-written to mimic the current Pressurized Water Reactor two column format such
that these documents can then be used to supply cues and definitive instructions as
to what actions to perform to reduce the impact of fire induced failures, or to recover
failed equipment. Instrumentation can also be specified so operators will know what
instruments may be available for diagnosis and recovery. The equipment that is credited
to satisfy the various safe shutdown functions such as Reactor Coolant System
(RCS) Inventory Control, or AC power can be listed. The needed operator actions can
also be ordered such that time critical actions are performed first. Recovery steps can
also be provided to ensure equipment is operating correctly after performance of a fire
response action.

Session Chair: Pierre-Etienne Labeau
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Azalea
1:30 PM
An Approach to Validation of Dynamic PRA Methods against
Past Events
Kaspar Kööp (a), Yury Vorobyev (b), Pavel Kudinov (b)
a) Division of Nuclear Power Safety, Royal Institute of Technology, Stockholm, Sweden, b) Department of
Nuclear Power Plants, Moscow Power Engineering Institute, Russia
The paper is concerned with the validation of the deterministic/probabilistic risk assessment
tools. Specifically we address validation of Genetic Algorithm (GA) based
Dynamic Probabilistic Risk Analysis (DPRA). GA-DPRA is developed for exploration
of the plant scenario space with the goal to identify failure domains in which at least
one of the safety limits is violated. GA-DPRA approach is based on the combination of
(i) a deterministic system code for modeling of the plant transients, (ii) GA for solution
of the global optimization problem on identification of the failure domains and (iii) importance
sampling (IS) method for probabilistic characterization of the identified failure
domains. Straightforward validation of the GA-DPRA approach in terms of comparison
of probabilistic characteristics of the failure domains against a reality is impossible
because of the rareness of the adequate plant data in abnormal behaviors.
In order to increase confidence in the GA-DPRA analysis results we propose a hierarchical,
separate effect approach to verification and validation of the GA-DPRA. At the
first level each component of the GA-DPRA (deterministic code, GA, IS) are verified
and validated separately. At the second level we propose to validate coupled GA-
DPRA on the base of analysis of the past plant events. Main idea of such validation is
to check if past events which have happen in the existing plants can be identified by
GA-DPRA in the process of exploration of the plant scenarios space. As a benchmark
case for validation of the GA-DPRA we propose to use data from high power oscillations
event occurred in the Oskarshamn-2 nuclear power plant in 1999 (O2-99). This
event was a result of complex interaction between plant physics (BWR instability),
control logic, and operator actions. The first step in the validation process is optimization
of the uncertain parameters in the RELAP5 system code input model. At this
step a combination of uncertain plant parameters is selected by solving optimization
problem to minimize discrepancy between available plant transient data and system
code predictions. At the second step GA-DPRA is used to find O2-99 type scenarios
in the plant events space. Each free parameter forming the event space (e.g. closing/
opening of the valves, start/stop/reduction of the pump flow, partial/full scram, etc.) is
characterized by a certain time window within which changes of the parameter can
occur. Results of the validation and an approach to selection of the fitness function for
guiding global optimum search process towards scenarios of safety importance are
discussed in the paper. (Presentation Only)
1:55 PM
Bayesian Network Representing System Dynamics in Risk
Analysis of Nuclear Systems
Athi Varuttamaseni, John C. Lee (a), Robert W. Youngblood (b)
a) Department of Nuclear Engineering and Radiological Sciences, University of Michigan, Ann Arbor, MI,
b) Idaho National Laboratory, Idaho Falls, ID
Conventional probabilistic risk assessment using fault trees (FTs) and event trees
(ETs) is inefficient when dealing with systems having more than two states and with
scenarios where the timing of the event is critical. A Markov approach can be applied
to cases in which the FT/ET structure proves inadequate, but as the number of
components grows, the number of system states grows exponentially. This paper proposes
the use of a dynamic Bayesian network (DBN) as an alternative to Markov chain
analysis. The DBN uses conditional independence to simplify the factorization of the
system joint probability function, leading to a problem that can be analyzed piecewise
instead of globally. We demonstrate the use of the DBN by analyzing a feed and bleed
procedure in a nuclear power plant.
Dynamic PSA - 2
2:20 PM
Development and Application of a Genetic Algorithm Based
Dynamic PRA Methodology to Plant Vulnerability Search
Yury Vorobyev (a), Pavel Kudinov (b)
a) Department of Nuclear Power Plants, Moscow Power Engineering Institute Krasokazarmennaya, 14,
111250, Moscow, Russia, b) Division of Nuclear Power Safety, Royal Institute of Technology, Sweden
The paper describes recent achievements in development and application of the Dynamic
Probabilistic Risk Analysis (DPRA) methodology based on the Genetic Algorithm
(GA). The aim of the GA-DPRA approach is to enable identification of safety
vulnerabilities and quantification of accident risks related to operation of nuclear power
plants (NPP). The approach combines a system code as a deterministic model of the
plant and a GA search engine for the exploration of the plant scenarios space. A point
in this space represents a scenario (transient) which is defined by unique combination
of initial plant state and time dependent sequence of changes in the plant state
parameters implemented in the system code input. The GA-DPRA is used to address
two main types of safety analysis problems: (i) identification of a “worst case” scenario
with most severe violation of safety limits (failure of safety barriers); (ii) identification
of “failure domains” (sub-domains in the space of plant scenarios where at least one
of the safety limits (barriers) is violated). Safety critical parameters (safety limits) are
used by GA as fitness functions to guide selection of the system code input parameters
in process of the global optimum search. The GA controls selection of system code
input parameters within predefined diapasons and time windows. Unlike “brute force”
approaches or Monte Carlo type methods the GA-DPRA is much less demanding to
computational resources due to intelligent and adaptive resolution in the exploration
of the plant scenarios space. Stochastic properties of GA and Importance Sampling
technique are applied to estimate probabilistic characteristics of the identified vulnerabilities.
Solutions of benchmark problems and comparison with other methods are
discussed in the paper.
2:45 PM
Hybrid Fault Tree Markov Chain (HFT-MC) Probabilistic Risk
Assessment Methodology with Application
Mohammad Pourgol-Mohammad (a), Kamran Sepanloo (b), and Kaveh Karimi
(c)
a) FM Global, Norwood, MA, USA, b) AEOI, Vienna Office, Vienna, Austria, c) Science and Research
Branch, Islamic Azad University, Tehran, Iran
The Hybrid Fault Tree-Markov Chain (HFT-MC) methodologies is developed in framework
of dynamic and hybrid PRA methods as new generation of the probabilistic risk
assessment methodologies. An overall description of proposed hybrid fault tree (FT)/
continuous time Markov chain methodology is given with an application example for
demonstration of methodology on the steps, assumptions and the results. HFT-MC
is a localized dynamics methodology for assessment of the temporal behavior of the
safety-critical systems in case of an accident e.g., anticipated Loss of Coolant Accident
(LOCA). The fault tree is used for localized component/subcomponent failure rate
estimation assessment. Markov chain, coupled by the results from fault tree for each
node, provides overall unavailability/dependability estimation of the system over the
time for either repairable or non-repairable system. The methodology has capability to
consider common cause failure, and effect of operators. The methodology is applied to
simulation of emergency power system of the Bushehr nuclear power plant with combined
construction of two different design technologies (Western KWU PWR design
and Russian WWER PWR design).
45

46
Session Chair: Jonathan Li
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Camellia/Dogwood
Next Generation Reactor PSA - 4
1:30 PM
Reliability Analysis of 2400 Mwth Gas-Cooled Fast Reactor
Natural Circulation Decay Heat Removal System
M. Marquès, C. Bassi (a), F. Bentivoglio (b)
a) CEA, DEN, SESI, Cadarache, Saint-Paul-lez-Durance, France, b) CEA, DEN, SSTH, Grenoble,
France
In support to a PSA performed at the design level on the 2400 MWth Gas-cooled
Fast Reactor, the functional reliability of the decay heat removal system working in
natural circulation has been estimated in two transient situations corresponding to an
“aggravated” Loss of Flow Accident (LOFA) and a Loss of Coolant Accident (LOCA).
The reliability analysis was based on the RMPS methodology. Reliability and global
sensitivity analyses use uncertainty propagation by Monte Carlo techniques. The results
obtained on the reliability of the DHR system and on the most important input
parameters are very different from one scenario to the other showing the necessity for
the PSA to perform specific reliability analysis of the passive system for each considered
scenario. The analysis shows that the DHR system working in natural circulation
is a very reliable system in case of LOFA situations even when only one DHR loop is
available. On the other hand, its reliability has to be improved in LOCA situations. This
analysis shows the way to make this improvement in specifying the main uncertainties,
which could to be reduced.
1:55 PM
Options for Defining Large Release Frequency for Applications
to the Level-2 PRA and Licensing of SMRS
Mohammad Modarres (a), Mark Leonard (b), Kent Welter, Jason Pottorf (c)
a) University of Maryland, Center for Risk and Reliability, College Park, MD, b) Dycoda, LLC, Los Lunas,
NM, c) NuScale Power, Inc., Corvallis, OR
Large release frequency (LRF) is used in Probabilistic Risk Assessments (PRAs) as
a risk metric for advanced LWR Design Certification (DC) and Combined Construction
and Operating License (COL) applications. While the Commission requested the
Nuclear Regulatory Commission (NRC) staff to provide a definition of LRF, in SECY-
93-138 the Staff recommended to the Commission that work on a definition be terminated.
As a result, the definitions of LRF in the Design Control Document (DCD) and
COL applications of advanced Light Water Reactors (LWRs) differ to varying degrees.
In the absence of a unique regulatory definition for LRF, the Small Modular Reactors
(SMRs), including NuScale’s PRA and DCD, must define and adopt one. The purpose
of this paper is to highlight possible options for LRF measures along with the pros and
cons of each. The paper will propose one of such options for consideration. The most
challenging part of LRF definition is to describe what is meant by “large” to measure
the scale of release. There are three possible bases for describing the scale of release:
number of fatalities, amount of radionuclide release, or state and integrity of the
reactor pressure boundary and containment at the time of release. These options will
be discussed in this paper.
2:20 PM
Achievement of the Level 1 PSA in Support to the CEA 2400
MWTH Gas-Cooled Fast Reactor
M. BALMAIN (a), C. BASSI, P. AZRIA (b)
a) EDF R&D Division, Industrial Risks Management Department, Clamart, FRANCE, b) CEA, Nuclear
Energy Directorate, Reactor Studies Department, Innovative Systems Service CEA, Saint-Paul-Lez-
Durance, FRANCE
Within Generation IV International Forum, the CEA has developed since 2006 a Level
1 PSA to support the design of the 2400 MWth GFR. A first period, with insights published
in 2008, consisted in a model with few initiators representative of medium and
high pressure situations, those used for the deterministic design of the Decay Heat
Removal dedicated loops. In a second period, an iterative work reached the probabilistic
targets used for generation III reactors, with prior use of normal loops, and
increase of DHR reliability in high pressure conditions. The PSA team covered all
the internal initiators, and supported the design of components with instrumentation
and control and electrical supplies, and the shutdown operating modes of secondary,
tertiary circuits, with possible re-alignment to dedicated DHR loops. Besides, the completed
PSA integrated more realistic success criteria than the preliminary model and
than the deterministic approach, thanks to CATHARE2 code. In case of loss of Forced
Convection, the probability of success of the Natural Convection DHR was assessed
by a reliability method for passive systems. The paper underlines the PSA methodology
knowledge from the EdF expertise, the improvements co-developed with CEA,
and the iteration design-PSA-design.
2:45 PM
U.S. Regulatory Lessons Learned from New Nuclear Power
Plant Applications on Evaluating Degraded Voltage Protection
Robert G. Fitzpatrick, Ronaldo V. Jenkins, Malcolm D. Patterson, and Nicholas
T. Saltos
United States Nuclear Regulatory Commission, Rockville, Maryland
This paper addresses one of the lessons learned from regulatory review of applications
for new nuclear power plants. It discusses U.S. regulations and implementing
guidance related to applications for a design certification (DC) or a combined operating
license (COL). Regulations require applicants for a design certification to perform
a design-specific probabilistic risk analysis (PRA). Applicants for a COL must have a
plant-specific PRA. Each application must include a description of the associated PRA
and its results. This paper describes a method used to assess the safety significance
of degraded grid voltage and to confirm that a particular passive design meets General
Design Criterion 17, “Electric power systems.” The staff of the Nuclear Regulatory
Commission (NRC) used insights from the PRA to evaluate the effects of degraded
grid voltage. The PRA insights provided by the applicant, deterministic considerations,
and the evaluation of safety issues under degraded voltage conditions are discussed
in the context of new reactors. The paper also discusses some of the technical issues
that the NRC staff has encountered in reviewing recent applications and the staff’s
need for additional information to make appropriate safety determinations.

Session Chair: Shan Chien
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Magnolia
1:30 PM
Dynamical and Hierarchical Criticality Matrixes-Based analysis
of Power Grid Safety
Eugene Brezhnev (a), Vyacheslav Kharchenko (b), Alexandr Siora (c), Vladimir
Sklyar (b)
a) National Aerospace University KhAI, Kharkiv, Ukraine, b) Centre for Safety Infrastructure Oriented
Research and Analysis, National Aerospace University KhAI, Kharkiv, Ukraine, c) Research and Production
Company Radiy, Kirovograd, Ukraine
This paper presents the technique for the power grid safety assessment based on
accident risk-analysis by use of the dynamical and hierarchical criticality matrixes
(D&HCM). The technique is founded on principles suggested for the power grid safety
assessment. The basic tool is Failure Modes, Effects and Criticality Analysis (FMECA)
supplemented with changes in procedure according to the features of safety assessment
process. The power grid safety assessment model is presented as a graph of
criticality with edges connecting the nodes corresponding with subsystems of next
higher and lower levels. The nodes are described by criticality matrixes. The changes
of subsystems’ failures criticality during the power grid operation are the results of
sequential changes of subsystems’ states (transition to state of nonoperability) or the
changes of failures probabilities caused by influence of the operational environment
or factor of time (physical or automaton time). This approach suggests considering the
interaction and mutual influence among subsystems which results to multiple failures,
change of the criticality and risk values. In this way the capacities of FMECA-based
safety assessment may be expanded. The accident in Sayano–Shushenskaya hydroelectric
power station was investigated on dynamical and hierarchical criticality
matrixes-based analysis.
1:55 PM
Towards an Integrated Probabilistic Analysis of the Blackout
Risk in Transmission Power Systems
Pierre Henneaux, Pierre-Etienne Labeau, Jean-Claude Maun
Service de Métrologie Nucléaire, Service Beams-Energy, Université Libre de Bruxelles, Brussels, Belgium
In our modern society, the electrical grid has become one of the most critical infrastructures.
Even if feedback from the electrical sector is very positive, electricity generation
and transmission cannot be considered as totally reliable activities. A residual blackout
risk remains, especially as new ways of generating electricity and operating the
grid develop. To study the grid reliability, deterministic criteria are usually considered.
Probabilistic risk assessment methods have also been developed, but they usually
neglect the dependencies between failures and the dynamic evolution of the grid in the
course of a transient: yet a blackout is due to cascading failures in the grid. There is a
strong coupling between events, since the loss of an element increases the stress on
others and, hence, their probability to fail. Our purpose is therefore to develop an integrated
probabilistic approach to blackout analysis, capable of handling the dynamic
response of the grid to stochastic initiating perturbations and the event sequences
they possibly entail. This approach is adapted from dynamic reliability methodologies,
by accounting for the different characteristic times and processes of different cascading
phases leading to a blackout. This paper focuses on the modeling adopted for the
first phase, ruled by thermal transients. The goal is to identify dangerous cascading
scenarios (possibly leading to a blackout) and calculate their frequency. A Monte Carlo
code derived from this methodology is validated on a test grid. Some dangerous scenarios
are presented and their frequency calculated by this method is compared with
the classical estimation.
Grid Reliability
2:20 PM
Probabilistic Risk Assessment of a Transmission and Distribution
System
Frank Rahn, Jeff Riley (a), Alan Ross (b)
a) Jean-Francois Roy, and Alexander Bonilla, Electric Power Research Institute, Palo Also, CA, b) Consultant,
Pleasanton, CA
Probabilistic Risk Assessment (PRA) tools and modeling techniques can be used to
evaluate a wide variety of complex systems and facilities. This paper presents an application
of PRA techniques to an electric transmission and distribution system. The
work focuses on the reliability of a small utility system and examines the probability of
loss of system-wide service, as well loss of power to critical facilities. The evaluation is
both qualitative and quantitative in nature.
The work was originally motivated by an unfortunate event that caused a complete
city-wide blackout that lasted approximately 12 hours and was close to exceeding the
coping time of vital services, such as fire water. The outage also resulted in a high
economic loss.
For this project, the EPRI CAFTA software tool was used to examine the fault trees
representing the transmission system. Also modeled were the underground transmission
cables feeding a central substation that was configured in a breaker and a half arrangement,
and a transmission system that encircled the service area. The evaluation
also considered other risks including earthquakes, flooding, gas pipeline ruptures, and
aircraft crashes that could disrupt the system.
2:45 PM
Reliability Forecasting Modeling for Distribution System Infrastructure
Decisions
Shan (Sam) H. Chien, Zoilo S. Roldan, Roger J. Lee
Southern California Edison Company, Santa Ana, CA
Transmission and distribution (T&D) infrastructure is aging in electric utilities throughout
the U.S. as indicated by upward trends in average equipment ages. There are significant
implications ahead in system reliability and customer service. The magnitude
of these future challenges can only be revealed by probabilistic reliability modeling.
Such models have been developed to forecast future distribution system reliability
and to evaluate the value of various asset management strategies. Three key insights
which would be of value to reliability practitioners in the area of distribution system
asset and reliability management are 1) the understanding that the systems are aging
and declining in reliability, 2) the appreciation that there are major benefits from
developing reliability models, and 3) the understanding that there are many levels of
reliability modeling complexity, all of which are useful.
47

48
Session Chair: David N Miskiewicz
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Salon A
1:30 PM
Achieving Realism in Fire PRA: Insights and Challenges based
on Fire Damage States and Associated Frequencies
James R Chapman
Scientech, Lake Mary, Florida
About half the US fleet has developed or is developing fire PRAs to support NFPA 805
licensing basis transition. These fire PRAs, or adapted versions of these fire PRAs,
can also support other risk informed applications, such as risk informed completion
times. Many other units are also developing fire PRAs for risk informed applications
other than NFPA -805. The Fire PRAs have been or are being developed using guidance
from NUREG/CR-6850, Industry Frequently Asked Questions (FAQs) and recent
EPRI technical evaluations, such as fire ignition frequency updates. Many of these
fire PRAs have used detailed fire modeling, cable and circuit analysis and Human
Reliability analyses (HRA) to improve the calculated results. However, even with such
detailed analyses, the calculated results are believed to be conservative by a factor
in the range of 5 to 10 (or perhaps higher) overall. This belief is based on comparison
of calculated results, such as the frequency of fire damage states to operating experience,
as provided by the NRC’s Accident Sequence Precursor (ASP) program. This
paper will discuss the results of a comparison of calculated fire damage state frequencies,
at the cumulative level, and associated consequences in terms of damage level
(at the conditional core damage probability level and availability of mitigating systems
and actions level) to actual industry experience. The comparison is based on calculated
results for several US units. This comparison provides additional evidence that the
calculated results overall are conservative because the calculated frequencies of fire
scenarios leading to the failure of safety significant equipment are too high. Industry
and NRC have plans to provide improved methods and data in technical areas including
fire frequency, fire development and propagation, heat release rate and detection
and suppression. Comparison to operating experience needs to be considered when
benchmarking the integrated effect of changes in methods and data intended to refine
the conservative results presently being developed and when making decisions on
plant changes. (Presentation Only)
1:55 PM
Collective Insights from NFPA-805 Fire PRAs and Related Fire
Risk Evaluations
Edward Simbles and Usama Farradj
ERIN Engineering, Inc., Walnut Creek, CA
Completion of a series of Fire Probabilistic Risk Assessments (FPRAs) for NFPA 805
transitioning plants has provided insights with respect to the fire PRA methodology as
defined by NUREG/CR-6850 as well as insights with respect to contributors to plant
fire risk and modifications identified for addressing these risks. The Fire Risk Evaluation
(FRE) methodology for calculation of the risk of variances from deterministic
requirements (VFDRs) and risk of recovery actions is also addressed. Insights associated
with the FRE process, methodology and the impact of FREs as opposed to overall
fire risk on decisions regarding plant modifications are addressed. The methods of
defining the compliant plant condition for the plant including alternative shutdown fire
areas (e.g., control room, cable spreading room) are discussed. Based on the insights
identified, recommendations for refinements in NUREG/CR-6850 methodologies and
FRE process requirements and methodologies are proposed. (Presentation Only)
Fire PSA Methods - 4
2:20 PM
How Immature and Overly Conservative is Fire PRA? - A Comparison
of Early Vs. Contemporary Fire PRAS and Methods
Raymond H.V. Gallucci
U.S. Nuclear Regulatory Commission (NRC), Washington, D.C.
There is a prevailing cognition, at least among an apparently significant portion of the
commercial nuclear power industry, that the current methods available for fire PRAs
are still relatively immature, at least when compared to internal events PRA methods,
and produce overly conservative predictions of risk (core damage frequency [CDF]
and large early release frequency [LERF]). This paper compares “conservatism” issues
from the “early” era of fire PRA to contemporary issues to answer three questions:
Is fire PRA conservative? Is it immature? Is it too conservative?
2:45 PM
Fire Modeling in PSA with EdF/EPRI Magic Code
Isabel Viniegra, Mariano J. Fiol, Miguel Á. Celaya
IBERDROLA, Ingeniería y Construcción, Madrid, Spain
The MAGIC software is a fire simulation code developed and maintained by EdF and
sponsored by EPRI. It uses a typical two homogeneous zones model where the solution
of the mass and energy balances accumulated on each zone, together with the
ideal gas law and equation of heat conduction into the walls, results in the environmental
conditions generated by the fire. Several rooms and their interactions can be
modeled, including doors opening, hatches, forced or natural ventilation, sprinkler actuation
and trigger of some fire detectors. A useful set of outcomes (temperatures, heat
fluxes, hot gas layer thickness, etc.) can be obtained to determine the time to targets’
damage in a variety of scenarios. It has been broadly validated and verified.
IBERDROLA, Ingeniería y Construcción has used the MAGIC code in one Spanish
Fire PSA for calculate available times to credit manual extinguishment on Fire Brigade
actuation. The use of the code is conveniently simple, compared with CFD codes, allowing
a high number of scenarios to be modeled in a restricted project schedule and
results sound credible and realistic with a coherent nearness to intuitive expectations.
Finally, it is important to note that MAGIC features related with its input data definition
(Heat Release Rate of fire load sources specially) permit a good fulfillment of NUREG/
CR-6850 methodological and data provisions.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Salon B
Risk-Informed Safety Margins
Session Chair: Dominique Vasseur
1:30 PM
Enhanced Defence-in-Depth features during the design
phase of Olkiluoto 3
Matti Lehto, Jouko Marttila, Ari Julin, Reino Virolainen
STUK, Helsinki, Finland
The first EPR, Olkiluoto 3, is under construction in Finland and the unit is expected to
be commissioned in 2013. Detailed, full-scope PSA of Olkiluoto 3 will be a part of the
required documentation to be attached to the operation license application.
Finnish regulatory requirements include e.g. separation principle applied to parallel
parts of the safety systems and diversity principle applied to the systems related to
the most important safety functions. The probabilistic design objectives in Finland are
the following:
- The mean value of the PSA Level 1 result must be < 1E-05/a (core damage frequency).
- The mean value of the PSA Level 2 result must be < 5E-07/a (major radioactive
release frequency).
Previous review of the Olkiluoto 3 Preliminary Safety Analysis Report and the preliminary
PSA revealed some deficiencies in the plant design. Thereafter, several improvements
have been done to fulfil Finnish regulatory requirements, as well as to assure
on adequacy of safety margins. For example, following improvements have been done
in the design considering Defence-in-Depth features:
- Additional heat exchangers were applied to certain room cooling systems in safeguard
buildings to provide two diverse heat sinks for the cooling function.
- Structural modification was applied to protect diesel engine combustion and cooling
air intakes against weather phenomena and external fires.
- Additional measures were applied to prevent or limit leakage of primary coolant pump
motor’s lubrication oil system to mitigate impact of assumed oil fires inside the containment.
- Additional measures were applied to prevent or limit leakage of fire water system to
mitigate impact of assumed flooding in the reactor building annulus.
Considering fire safety of the typical fire retardant cables to be installed in Olkiluoto
3, fire research and some specific fire tests were performed. Thereafter, several fire
simulations of a cable spreading room have been done based on a new model taking
into account the fire properties of the typical cables. The study was performed to be
able to quantify cable fire spreading and to assure on the adequacy of the designed
fire protection concept, especially considering the cable rooms containing big fire
loads. (Presentation Only)
1:55 PM
Recent Trends In Risk-Informed Safety Margin Characterization
Stephen M. Hess (a), Robert Youngblood (b), Dominique Vasseur (c)
a) Electric Power Research Institute, West Chester, PA, b) Idaho National Laboratory, Idaho Falls, ID, c)
Electricité de France, Clamart, France
The design and maintenance of adequate safety margins has served as a foundational
principle for the safe operation of commercial nuclear power plants since the inception
of the commercial nuclear power industry. During the original licensing of the current
fleet of plants, adequate safety margins were established by performing conservative
analyses and using conservative engineering judgment to specify appropriate safety
limits for critical plant parameters. However, over time, plant operation and ageing of
plant structures systems and components (SSCs) has the potential to impact these
original design margins. Due to the recent emphasis on extended plant operation, it
will become imperative that effective methods be developed to manage age-related
degradation of plant SSCs, prevent the occurrence of safety-significant operational
events, and demonstrate maintenance of acceptable (and even improved) nuclear
safety risk. In this paper, we summarize the current state of research to develop a
risk-informed approach to characterize and manage nuclear plant safety margins. We
describe the basic safety margin concept and summarize research performed under
the Nuclear Energy Agency Committee on the Safety of Nuclear Installations Safety
Margins Working Group to investigate such an approach for use by regulatory authorities.
We also describe collaborative safety margin research sponsored by the
Electric Power Research Institute Long Term Operation initiative and the United States
Department of Energy’s Light Water Reactor Sustainability program being conducted
to support decision making by plant owner/operators. Finally, we provide some preliminary
conclusions and suggestions for further investigation.
2:20 PM
Experiences in Describing PRA Technical Adequacy in Risk
Informed Submittals
Victoria A. Warren, Donald E. Vanover (a), Lawrence K. Lee (b)
a) ERIN Engineering and Research, Inc., West Chester, PA, b) ERIN Engineering and Research, Inc.,
Campbell, CA
With the advent of Revision 2 of Regulatory Guide 1.200, the technical adequacy of
Probabilistic Risk Assessments (PRAs) used for risk informed submittals has come
to the forefront. The type of submittal from the very specific, such as a change to the
completion time of a single system to very broad process changes such as the surveillance
frequency control program (i.e., Risk Informed Technical Specification (RITS)
Initiative 5B) affects how technical adequacy is determined and described. The level
of internal assessment and external review of the PRA is also a factor. The information
content involving the impact of a gap to fully meeting the PRA standard (ASME/
ANS RA-Sa-2009) must allow independent determination of acceptability. It is relatively
straightforward to address PRA technical adequacy for a narrow application but
more complex for a broad application where the specific instances are not defined.
The broad application may need to rely on the methodology used to address certain
technical adequacy issue. An example of this is the RITS 5B methodology which requires
data sensitivities as part of the surveillance test interval analysis. Forethought
about the intended use of the PRA technical adequacy assessment will lead to a better
assessment leading to a better analysis and a better submittal.
2:45 PM
Insights from the SM2A Pilot Study Towards Quantification of
a Change of Plant Safety Margin After a Hypothetical Power
Up-Rate
Martin A. Zimmermann, Vinh N. Dang (a), Jeanne-Marie Lanore, Pierre
Probst (b), Javier Hortal (c), Abdallah Amri (d)
a) Paul Scherrer Institute, Villigen, Switzerland, b) Institut de Radioprotection et de Sûreté Nucléaire,
Fontenay aux Roses, France, c) Consejo de Seguridad Nuclear, Madrid, Spain, d) OECD/NEA / Nuclear
Safety Division, Issy-les-Moulineaux, France
During recent years, many nuclear power plants underwent significant modifications,
e.g. power up-rating. While compliance with all the deterministic acceptance criteria
must be shown during the licensing process, the larger core inventory and the facts
that the plant response might get closer to the limits after a power up-rate, suggest
an increase of the core damage frequency (CDF) and other possible risk indicators.
Hence, a framework to quantitatively assess a change in plant safety margin becomes
very desirable. The Committee on the Safety of Nuclear Installations (CSNI) mandated
the Safety Margin Action Plan expert group (SMAP) to develop a framework for the
assessment of such changes to safety margin. This framework combines PSA and
the analytical techniques developed in BEPU. CSNI then mandated the SM2A expert
group to especially explore the practicability of the SMAP framework. This pilot study
was completed end of 2010. An increase of the (conditional) probability of exceedance
for a surrogate acceptance limit (PCT) indicating core damage was successfully evaluated
for the selected sequences from several initiating event trees, and it was found
that only a restricted number of sequences need to be analyzed. The impact of power
up-rate could also be assessed for scenarios where no violation of the surrogate criterion
was observed. The modeling of human actions was found to be of particular
importance as the sequences related to scenarios including a time delay for a recovery
action or for a repair correspond to the more visible risk increase.
49

50
Session Chair: Gareth Parry
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 1:30 PM - Carolina
1:30 PM
Towards an Improved HRA Quantification Model
Gareth W Parry (a), John A Forester, Katrina Groth, and Stacey M L Hendrickson
(b), Stuart Lewis (c), Erasmia Lois (d)
a) ERIN Engineering and Research Inc., Walnut Creek, CA, b) Sandia National Laboratories, Albuquerque,
NM, c) Electric Power Research Institute, Knoxville, TN, d) U.S. Nuclear Regulatory Commission,
Washington DC
The U.S. Nuclear Regulatory Commission and the Electric Power Research Institute
are working together under a memorandum of understanding to improve the state of
the art in human reliability analysis (HRA) by incorporating an understanding of the
causes of human failures and the contextual factors that influence the likelihood of
failures based on a review of relevant behavioral science and cognitive psychology
literature. This paper outlines a decision-tree approach that is being developed for
the estimation of human error probabilities (HEPs) that is consistent with that understanding.
1:55 PM
The Value of Upgrading the HRA Method
P.F. Nelson
Departamento de Sistemas Energéticos, Facultad de Ingeniería, Universidad Nacional Autónoma de
México, Mexico DF, CP
Human Reliability Analysis (HRA) is a very important part of Probabilistic Risk Analysis
(PRA), and constant work is dedicated to improving methods, guidance and data in
order to approach realism in the results as well as reducing uncertainties. In order to
advance in these areas, several HRA studies are being performed globally. Mexico
has participated in the recent HRA Empirical studies with the objective of “benchmarking”
HRA methods by comparing HRA predictions to actual crew performance in a
simulator. The experience of participating in these efforts is being incorporated in the
updating of the Laguna Verde PRA to comply with the ASME/ANS PRA standard. In
order to be considered an HRA with technical adequacy for PRA risk-informed applications,
the methodology used for the HRA in the original PRA is not considered
sufficiently detailed, and the methodology had to upgraded. The HCR/CBDT/THERP
method was chosen, since this is used in many nuclear plants with similar design.
The HRA update includes the evaluation of human errors that can occur during an
accident, known as post initiating events. Due to the results, it does not appear to be
necessary to use a more detailed existing HRA method for the quantification of the
human error probabilities; however, there is room for qualitative assessment enhancement.
It is also expected that if new methods are employed with new data, there could
be advances in the quantitative HRA predictions as well.
Human Reliability Analysis - 4
2:20 PM
Development and Use of a Bayesian Network to Estimate Human
Error Probability
Katrina Groth and Ali Mosleh
Center for Risk and Reliability, University of Maryland, College Park, MD
In Human Reliability Analysis (HRA), Performance Influencing Factors (PIFs) are used
to represent the various factors that influence individual behavior and to predict the
outcome of human cognitive processes. PIFs have been used in many HRA methods
as a means to estimate Human Error Probability (HEP). Recently there has been an
interest in replacing “linear models” of accounting for the impact of PIF on estimates
for HEPs with model-based approach that include the interdependencies among PIFs.
Addressing the PIFs in a model is expected to provide more refined HEP estimates
and reduce the amount of information required to assess HEPs.
A previous paper [1] has proposed a Bayesian Network (BN) model of the relationships
among PIFs. The model structure and probabilities were developed based on analysis
of available data. The BN provides a natural framework to assess the impact of different
combinations of the same PIFs. This paper describes an extension of the original
model to estimate HEPs. This paper discusses how to the model was modified and
how it can be used to make inferences in the BN. It also demonstrates how to integrate
the PIF model into traditional PRA.
2:45 PM
First Results From A Study For Errors Of Commission For A
Boiling Water Reactor
Luca Podofillini, Vinh N. Dang (a), Olivier Nusbaumer, Dennis Dres (b)
a) Paul Scherrer Institut, Villigen, Switzerland, b) Leibstadt Nuclear Power Plant, Leibstadt, Switzerland
Errors Of Commission (EOCs) refer to carrying out inappropriate, undesired actions
that aggravate an accident scenario. The challenges to their systematic treatment in
PSA relate to both the identification (which error events should be included in the PSA)
as well as to the quantification of their probability. This paper presents the first results
from a plant-specific study performed to identify potential EOC vulnerabilities and
quantify their risk significance. The study addresses a Boiling Water Reactor (BWR) in
Switzerland and is one of the first EOC analyses ever done for BWRs. The Commission
Error Search and Assessment (CESA) method was used to identify EOC events.
The application shows that CESA is effective in narrowing the EOC search down to a
limited number of events to be included in the PSA – six events in the present case.
This demonstrates the feasibility of a systematic treatment of EOCs for large-scale
applications. A preliminary analysis shows that the contribution to risk of the most
important EOCs is comparable to that of the most important errors of omission. This
highlights the significance of EOCs in the overall risk profile of the plant.

Session Chair: Tunc Aldemir
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Azelea
3:45 PM
Research Activities of Germany’s GRS in the Field of Dynamic
PSA
Martina Kloos
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Garching, Germany
GRS started its research activities in the field of dynamic PSA with the development
of the MCDET method which considers discrete aleatory uncertainties (referring, for
instance, to the occurrence of system function failures or of human errors) by the
Discrete Dynamic Event Tree (DDET) approach and continuous aleatory uncertainties
(e.g. failure-to run times of system functions or execution times for human actions) by
MC simulation. The method is implemented as a module system which can in principal
be coupled with any deterministic dynamics code. Since the MCDET modules can account
for epistemic uncertainties as well, two approaches for an epistemic uncertainty
analysis were developed. They are useful for complex long running applications. Last
step of the research activities until now was the development of a so-called crew
module. It enables calculating the dynamics of crew actions depending and acting on
the uncertainties as considered in the MCDET modules and on the dynamics as modeled
in the deterministic code. The combination of the MCDET and crew modules with
an appropriate deterministic code allows for evaluating complex accident scenarios
where human actions, technical installations, the physical process and aleatory uncertainties
are the main interacting parts in the course of time. Accident sequences are
generated automatically and supplied together with probabilistic assessments which
account for the spectrum of sequences that may actually evolve. This paper describes
the current state of development, some large scale applications and future research
projects in the context of the MCDET method.
4:10 PM
Online State Estimation in Dynamic Event Trees for a Level
Controller Dataset
Daniya Zamalieva and Alper Yilmaz (a), Tunc Aldemir (b)
a) Photogrammetric Computer Vision Lab., The Ohio State University, Columbus, OH, b) Department of
Mechanical and Aerospace Engineering, The Ohio State University, Columbus, OH
The large amount of data produced by dynamic event tree generation algorithms introduces
the need for new methods and software tools that are capable of analyzing the
data and extracting useful information. The classification of each transient produced
by dynamic event tree generation algorithms as normal or failure (i.e. situation that has
to be avoided) is addressed. The classification is carried out in an online manner, i.e.
using the part of the scenario that is available, while the rest is still being generated.
The classification can be used for more efficient utilization of computing resources by
discontinuing scenarios with normal transient behavior. Learning the behavior of normal
scenarios is accomplished using a Hidden Markov Model. Experiments show that
using the proposed model, it is possible to continue the execution of 100% of failed
scenarios while identify more than 50% of normal scenarios for termination.
Dynamic PSA - 3
4:35 PM
Discrete Dynamic Event Tree Analysis of MLOCA Using Ads-
Trace
Durga R. Karanki, Vinh N. Dang, Tae-Wan Kim
Paul Scherrer Institute, Villigen, Switzerland
In current practice, success criteria analyses for Probabilistic Safety Assessments
(PSAs) primarily use thermal-hydraulic simulation (transient analysis) codes. In dynamic
event tree (DET) simulations, a stochastic model is coupled to such codes. The
stochastic model allows the variability of system failures (number of trains, timing)
and of operator responses (response strategies, timing of actions) to be considered.
Consequently, DET simulations provide the means to examine the combined influence
of such variabilities on success criteria. This paper presents initial results from DET
analyses performed for Medium Loss of Coolant Accident (MLOCA) scenarios in a
Pressurized Water Reactor (PWR). The analyses focus in particular on the interaction
of break size, number of high pressure safety injection trains, and the timing and
rate of primary cooldown and depressurization over the secondary, in terms of their
impacts on sequence success.
5:00 PM
Dynamic Event Tree Analysis of Competing Creep Failure
Mechanisms in a Station Blackout Accident
Kyle Metzroth, Richard S. Denning, and Tunc Aldemir
The Ohio State University, Columbus, OH
The ADAPT (Analysis of Dynamic Accident Progression Trees) methodology is a dynamic
event tree (DET) methodology capable of accounting for the uncertainty in the
modeling of complex stochastic phenomena which may take place during the course
of a severe accident. In this work, the ADAPT methodology is applied to a stationblackout
(SBO) scenario and the competition of creep failure mechanisms of several
components of reactor coolant system (RCS) is analyzed. Special attention is paid
to the modeling of steam generator tube rupture and approximations are used to account
for the possible temperature stratification in the steam generator tubes that may
not be captured by lumped parameter models. Timings of the creep failure of various
components are estimated.
51

52
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Camellia/Dogwood
Risk-Informed Decision Making - 1
Session Chair: Stanley Levinson
3:45 PM
Risk Informed Optimization of Fatigue Rules
Alexander Knoll
Consultant, Wyomissing, PA
Various PRAs in the nuclear and other industries identified human errors as a significant
contributor to undesired events and accidents. Fatigue is one of the factors
included in human reliability analyses of PRAs. This paper will compare the existing
and proposed fatigue rules in various industries and will provide tangible recommendations
to optimize the procedural and regulatory requirements for reducing the risk of
fatigue errors to an acceptable level.
High risk industries have work hour limitations based on current or planned regulations.
These limitations need to comply also with new regulations to help mitigating
the risks of fatigued personnel. The current fatigue rules and limitations are constantly
and frequently revised because there is no consistent methodology that satisfies all
the impacted stakeholders: public (safety), employee unions, employers, regulators,
government, etc.
This is a Risk Informed Optimization Problem: If the Fatigue Rules are extremely lenient,
allowing key employees work continuously an unacceptable number of hours,
public safety might be reduced, employees might be exposed to accidents and the
resultant company losses might be unacceptably high. If the Fatigue Rules are extremely
demanding, exaggerated in their levels of reduced work-hour requirements,
the risk reduction might not be tangible but the implementation costs might be unacceptably
high as well. This is a classical Risk Informed Optimization problem (see
Reference 1): Identifying fatigue rules and procedural guidance that are optimal (not
exaggerated in demand and not lenient.
Published industry experience of fatigue errors in various industries will be reviewed
and translated into statistical data. Then they will be correlated with previous work
(see Reference 2) and the Risk Informed methodology of Reference 1. Recommendations
will be provided how to optimize fatigue rules and procedural requirements in
various industries.
References: 1.A. Knoll, “Risk Informed Optimization, Theory and Applications”, Proc.
ANS PSA ’05, International Topical Meeting on Probabilistic Safety Assessment, San
Francisco, 2005. 2. A. Knoll & Al., “Event Tree Methodology for Analyzing the Risk of
Fatigue Errors During Flight”, Proc. PSAM 5 Topical Meeting on PSA and Management,
Osaka, Japan, 2000. (Presentation Only)
4:10 PM
Application of Analytic-Deliberative Decision-Making Process
(ADP) to the Design of Advanced Reactor Passive Residual
Heat Removal System
LIU TAO, Tong jiejuan, Zheng Yanhua
INET, Tsinghua University
Analytic-Deliberative Decision-Making Process (ADP) is a process that helps stakeholders
make risk-informed decisions. It has been used in variety of decision-making
problems since has been worked out. The paper describes the application of the ADP
to the selection of Residual Heat Removal System (RHRS) design which will work for
an advanced reactor. Two RHRS options are identified and evaluated, which are 3
trains, 50% load per train and 2trains, 70% load per train. (Presentation Only)
4:35 PM
WGRISK Activities: What’s New?
Jeanne-Marie Lanore (a), Marina Röwekamp (b), Nathan O. Siu (c), Abdallah
Amri (d)
a) Institut de Radioprotection et de Sûreté Nucléaire (IRSN), Fontenay-aux-Roses Cedex, France, b)
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, c) U.S. Nuclear Regulatory
Commission (NRC), Washington, DC, USA, d) OECD Nuclear Energy Agency, Issy-les-Moulineaux,
France
The main objective of the Working Group on Risk Assessment (WGRISK) of the OECD
Nuclear Energy Agency (NEA) Committee for the Safety of Nuclear Installations
(CSNI) is to advance the PSA understanding and to enhance its utilization for improving
the safety of nuclear installations. The main products of WGRISK are state-of-theart
reports, workshops, technical notes and technical opinion papers (available to all
NEA member countries and in some cases to the public). The integrated plan of the
WGRISK is prepared in order to help ensure the Working Group addresses important
safety issues identified by the CSNI. It also helps ensure that WGRISK is appropriately
coordinated with other international activities. A number of past products of WGRISK
have been presented to international experts at various meetings. The objective of this
paper is to focus on recently completed and ongoing activities: - Recent topic areas
include: Probabilistic risk criteria and safety goals, non-seismic external events, low
power and shutdown PSA, digital I&C risk, severe accident management, human reliability
analysis data. - Currently active topic areas include: PSA for advanced reactors,
PSA knowledge transfer, PSA for new plants, digital system failure modes, and PSA
use and development.
5:00 PM
Experiences from the project on Validity of Safety goals
Göran Hultqvist
Forsmark Nuclear Power plant, Sweden
A guidance document has been developed as part of a four-year Nordic project dealing
with the use of probabilistic safety criteria for nuclear power plants. The project have
been supported by NPSAG, NKS (the Nordic utilities and regulators). The Guidance
sums up, on the basis of the work performed throughout the project, issues to consider
when defining and applying probabilistic safety criteria. The Guidance describes the
terminology and concepts involved, levels of probabilistic safety criteria and relations
between these, how to define a criterion, how to apply a criterion, on what to apply
the criterion, and how to interpret the result of the application. It specifically deals
with what makes up a probabilistic safety criterion, i.e., the risk metric, the frequency
criterion, the PSA used for assessing compliance, and the application procedure for
the criterion. It will also discuss the concept of subsidiary criteria, i.e., different levels
of safety goals, their relation to defense in depth and to a primary safety goal in terms
of health effects or other off-site consequences.
The project has included 4 different parts in which different assessment have been
performed. These includes the following
- Historical use of safety goals and the experiences of this
- The historical basis for setting safety goals
- International use of safety goals historical and today and trends
- Quality demands on PSA methodologies and data to be used for safety goals
- Uncertainties/Variance in PSA outputs in assessing the safety level of a specific plant
(important parameters for low variance)
- Use of safety goals in other industries
- Development of recommendations of using safety goals in the Nuclear industry.
The project has been developed in parallel with a similar project in OECD. The project
leaders have been involved in both these projects. The Nordic project has included a
broader scope. The presentation will include information from the different phases of
the project and important outputs from the work.

Session Chair: Robert L Ladd
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Camellia/Dogwood
3:45 PM
Mapping of Fire Events to Multiple Internal Events PRA Initiating
Events
Richard C. Anoba
Anoba Consulting Services, LLC, Raleigh, NC
Probabilistic Risk Assessments (PRAs) are increasingly being used as a tool for developing
a Fire PRA model to support NFPA 805. Most PRAs have the capability to address
internal events including internal floods. As more demands are being placed for
using the PRA to support risk-informed applications, there has been a growing need
to quantitatively address external events such as fire. The NFPA pilot applications
have implemented the guidance provided in NUREG/CR-6850 and the ANS/ASME
PRA Standard to develop a Fire PRA that adequately addressees the unique impact
of a fire event initiating event. A fire event that results in damage to electrical cables
could cause potentially unique plant demands and responses beyond the scope of the
Internal Events PRA model. The current PRA practice provides alternate methods and
approaches to address unique initiating events. One method is to develop an event
tree model for each unique initiating event. For a Fire PRA, this method could be impractical
since the number of unique compartment/scenario fire initiating events could
number in the hundreds and possibly in the thousands. Recent Fire PRA model development
experience has demonstrated that cable damage translates to nuclear power
plant demands and responses that can be characterized by multiple Internal Events
PRA initiating events. From this perspective, a fire event can be mapped to multiple Internal
Event PRA initiating events that already exist in the logic models. Consequently,
an alternate approach would be to map the fire event to multiple Internal Event PRA
initiating events, while utilizing the existing structure of the Internal Events PRA event
tree models. This methodology presents new challenges for addressing simultaneous
and sequential occurrences of plant demands and responses chased by a single fire
initiating event. The intent of this paper is to provide an overview of a modeling approach
for mapping fire events to multiple Internal Events PRA initiating events.
4:10 PM
Applying Hierarchical Bayes Methods to Fire Ignition Frequency
Estimation
Patrick Baranowsky and Krisnandito Hardjoko (a), Corwin Atwood (b)
a) ERIN Engineering and Research, Inc., Bethesda, MD, b) Statwood Consulting, Silver Spring, MD
This paper provides a brief description of the methodology that is currently being
considered for derivation of fire ignition frequency distributions for use in fire PRA
(Probabilistic Risk Assessment) applications when updated fire events data becomes
available. The approach uses a hierarchical Bayesian methodology to account for between
plant variability of the fire ignition frequencies that is more data driven and uses
analytic techniques that are well established nuclear power risk assessment methods
and used broadly in many other technological and medical research applications. This
paper summarizes the application methodology, evaluation and validation analyses
that were performed, and recommends implementation details for the proposed methodology.
A more extensively detailed report has been prepared for peer review.
Fire PSA Methods - 5
4:35 PM
Use of Computational Fluid Dynamic Fire Models to Evaluate
Operator Habitability for Manual Actions in Fire Compartments
Robert L. Ladd
Engineering Planning and Management, Inc., Hudson, WI
Conduct of a Fire PRA may identify situations that require the performance of operator
manual actions (OMA) to mitigate the consequences of a fire. In cases where
OMAs are required within the affected fire compartment or the action requires transit
through the compartment to access components, human reliability analysis has traditionally
assigned little to no credit for their performance. These situations typically require
the performance of additional analysis to credit additional system options or the
performance of modifications to relocate/protect affected circuits and/or equipment.
However with the advent of advanced computational fluid dynamic (CFD) fire modeling
tools such as Fire Dynamics Simulator (FDS), such cases can be evaluated to
estimate feasibility and demonstrate the ability to perform necessary actions or transit
through the fire environment. FDS fire models used to show feasibility of manual actions
in a fire environment are designed much like those used to evaluate Fire PRA
target damage. Feasibility of OMAs is demonstrated by establishing reasonable acceptance
criteria and a means to measure the fire environment against those criteria.
The acceptance criteria must ensure that the fire environment to which the operator is
exposed, is acceptable for the performance of the required action and that it poses no
immediate danger to the operator. In addition the model is designed to measure the
time when equipment damage would precipitate performance of the action as well as
the time when the required action must take place for successful mitigation of undesirable
affects. This allows measurement of the expected environmental conditions when
the operator would be required to be in the affected fire compartment to perform the
required actions.
5:00 PM
Expanding the Use of Generic Fire Model Treatments
Gregory T. Zucal (a), Jeffrey L. Voskuil (b), Donald E. Vanover (c), Sean Hunt
(d)
a) ERIN Engineering and Research, Inc., West Chester, PA, b) Entergy, Covert, MI, c) ERIN Engineering
and Research, Inc., West Chester, PA, d) Hughes Associates, Bingham, ME
Generic fire models provide an efficient method to determine fire scenario zones of
influence in support of development of fire probabilistic risk assessments. These fire
models generally assume static conditions and therefore limit the ability to consider
time in the fire risk analysis. This paper explores an approach to adapt the results of a
generic fire model in order to perform a timed based analysis. This facilitates the ability
to analyze the growth phase of selected fires and provides a method for manual suppression
to be credited during fire PRA scenario development. This approach includes
input parameters that have known uncertainties. These parameters include fire growth
rates, heat release rate distributions, and cable damage delay times. The approach
utilizes various features of Mathcad® to calculate an overall non-suppression probability
for a given fixed distance to an initial target. The method accounts for each of the
heat release rate distribution bins, the vertical zone-of-influence from each bin, the fire
growth time to reach the peak release rate, and the time it takes for cable damage to
occur once the heat flux at a given distance exceeds the threshold heat flux criteria.
53

54
Session Chair: Kohei Hisamochi
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Salon A
3:45 PM
Advancing Performance-Based and Risk-Informed Design
Methods for the Seismic Design and Regulation of SSCs in
NPPs
Robert J. Budnitz
Lawrence Berkeley National Laboratory, University of California, Berkeley CA
The current NRC regulations for design and analysis of nuclear power plants to resist
large earthquakes use a framework that is partially risk-informed, in the sense that
a target performance goal of 10-5 per year is the design target for the design of every
individual SSC (structure, system, or component) that contributes significantly to
the safety performance of the plant. However, the current framework does not admit
design-specific or plant-specific PSA information directly as a part of the technical basis
used to determine whether an SSC should be approved. Instead, the design rules
and analysis provisions have used information from the body of seismic PSAs already
in the literature to inform how the design process and analysis provisions themselves
are framed. This is “risk informed” but not fully so, and it is also not fully performancebased
because although the target is framed in probabilistic terms, most of the design
rules are prescriptive, rather than allowing the designer to choose his/her own design
approach. This paper will discuss a group of several proposals, any one of which could
advance the situation significantly toward a more fully performance-based and riskinformed
framework. This paper will discuss the technical basis for each of the several
proposals, what valid reasons stand in the way of their early implementation, and what
research could be undertaken to help move the seismic design and approval process
along toward a more nearly risk-informed and performance-based framework.
4:10 PM
Calculation of Seismic Fragility Parameters for Flatbottom
Vertical Liquid Storage Tanks by Numerical Simulation
John J. O’Sullivan and Tsiming Tseng
Stevenson and Associates, Woburn, MA
Seismic probabilistic risk assessments for nuclear power plants will normally include
a fragility analysis of one or more flat-bottom vertical liquid storage tanks and these
tanks will often rank high for risk-significance. Typically a tank’s function is to provide
a reliable source of cooling water and the consequence of failure is of high importance.
In this paper, seismic fragility parameters are calculated for storage tanks using
a Monte Carlo analysis procedure. A range of tank geometries is investigated, with
tank design parameters chosen to be representative of water storage tanks at older
nuclear power plants. Following common practice, probabilistic variables are taken
to follow a lognormal distribution. The Latin hypercube procedure is used to sample
probabilistic variables. By performing the capacity analysis many times, each time with
newly sample variables, the underlying probability distribution of the seismic capacity
is estimated. Three lightly anchored example tanks were analyzed with height to
radius (H/R) ratios of 1.41, 2.13 and 2.84. The logarithmic standard deviation (β) values
produced by the simulation vary from 0.334 to 0.360. This is within the expected
range. The trend is for β to increase with tank height. It was judged that the trend is
a consequence of increasing ductility (μ) values. Calculations were also performed
using a conservative deterministic failure margin procedure (CDFM) with a single set
of input parameters. The CDFM and simulation are in very good agreement for the
lower H/R ratios (within about 5%). The CDFM produced moderately conservative
results compared to the simulation results for the tallest tank (11% lower HCLPF). The
higher capacity values produced by the simulation for the tallest tank are attributed
to the computed inelastic energy absorption factor, which was conservatively fixed at
unity in the CDFM.
Seismic PSA - 3
4:35 PM
EPRI Pilot Application of the ASME/ANS Seismic PRA Standard
Greg Hardy (a), Robert Kassawara (b), Divakar Bhargava (c), David Moore
(d)
a) Simpson Gumpertz and Heger, Newport Beach, CA, b) Electric Power Research Institute, Palo Alto,
CA, c) Dominion Resources Inc., Glen Allen, VA, d) Consultant, Mercer Island, WA
The American Society of Mechanical Engineers (ASME) and the American Nuclear
Society (ANS) have developed a “Standard for Level 1/Large Early Release Frequency
Probabilistic Risk Assessment for Nuclear Power Plant Applications.” The objective
of the Standard is to provide basic requirements for performing probabilistic risk assessments
that would support future risk informed decisions. The Standard limits its
requirements to performing a Level 1 analysis of the core damage frequency (CDF)
and a limited Level 2 analysis of Large Early Release Frequency (LERF). The Standard
also provides requirements for a graded approach to risk assessment. These
requirements are set for three “Capability Categories” representing three levels of
detail. Guidance is not provided as to which capability category is appropriate for riskinformed
decisions. This is left to the judgment of the risk analyst.
The probabilistic risk assessment (PRA) standards for internal events and for fire have
been piloted and updated in past studies and are further along in terms of common
usage, regulatory review, and familiarity by nuclear industry engineers than is the case
for seismic risk. While seismic PRAs (SPRAs) have been conducted for research purposes
and in response to the Individual Plant Evaluation for External Events (IPEEE),
no systematic SPRA has been conducted using the new SPRA standard requirements.
Dominion Generation teamed with Electric Power Research Institute (EPRI) to conduct
this Pilot study of the Surry nuclear plant.
The purpose of the EPRI pilot project was twofold: To evaluate the process, requirements,
and results involved in updating the Surry SPRA developed for the IPEEE
program using modern SPRA methods such that it can meet regulatory approval and
be used in future risk-based decision making. To review the requirements in the ASME/
ANS SPRA Standard to determine if they are reasonable or require clarification relative
to the current state of the art in performing SPRAs.
This paper focuses on the key results from this SPRA Pilot project.
5:00 PM
Seismic PSA of Kernkraftwerk Neckarwestheim Unit 2
P. Amico, A. Lubarsky, I. Kouzmina and M. Khatib-Rahbar (a), M. Ravindra
(b), W. Tong (c), A. Strohm, J. Rattke, W. Schwarz (d), D. Rittig (e)
a) Energy Research, Inc., Rockville, MD, b) Consultant, Irvine, CA, c) Simpson, Gumpertz & Heger,
Newport Beach, CA, d) EnBW Kernkraft GmbH, Neckarwestheim, Germany, e) GKN Consultant, Köln,
Germany
In accordance with German nuclear regulations, a seismic PSA (SPSA) was performed
on Kernkraftwerk Neckarwestheim Unit 2 (GKN II), a PWR located in Germany near
Stuttgart. The study was conducted using techniques that comply with both German
PSA guidelines and the ANS (now ASME/ANS) standard requirements for SPSA. The
study found that the seismic design of the plant is quite high given the seismic hazard
at the site. As a result, seismic core damage frequency contributes approximately 1%
to total core damage risk of the plant. The risk is dominated by seismically-induced
plant shutdown (no loss of offsite power) followed by random failures and human errors,
and the dominant seismic events are at the low end of the hazard curve. The
results are essentially insensitive to most seismic-related inputs, but are sensitive to
the human error probabilities used. The walkdown did indentify few housekeeping
items that could compromise the seismic performance of a few components, which
the plant is addressing.

Session Chair: Barry Sloane
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Salon B
3:45 PM
Development of a Standard for Risk-Informed Decision Making
Yoshiyuki Narumiya and Munehiro Yasuda (a), Akira Yamaguchi (b), Masashi
Hirano (c)
a) The Kansai Electric Power Co., Inc., Osaka, Japan, b) Department of Energy and Environment Engineering,
Osaka University, Osaka, Japan, c) Japan Atomic Energy Agency, Tokai, Japan
Atomic Energy Society of Japan (AESJ) has developed a standard which provides
the underlying requirements and procedures commonly applicable to Risk-Informed
Decision Making (RIDM) applications for facilitating changes in safety-related activities
of all kinds. The Nuclear and Industrial Safety Agency (NISA) that is the Japanese
regulatory body issued Basic Guideline bearing Risk Informed Regulation (RIR)
applications in mind. It is noted that NISA gives encouragement in the Guideline to
the utilization of risk information in safety related activities of Nuclear Power Plants
(NPPs). Accordingly, it is a matter of course that the risk information is useful and trustable
not only for the licensees to submit applications but also for the regulatory agency
to review and examine the application from the licensees. The AESJ standard, “the
Standard of Implementation on the Use of Risk Information in Changing the Safety
Related Activities” has been developed. In the standard, the basic idea and common
concept on the rules and requirements that should be implemented by the utilities
are described in consistent with the requirements stated in the NISA Basic Guideline.
Individual standards with specific applications will be expected to be developed in the
future according to RIDM applications.
4:10 PM
Technical Overview of Japan’s Standards for Riskinformed
Decision Making
Akira Yamaguchi (a), Yoshiyuki Narumiya (b), Mitsumasa Hirano (c)
a) Osaka University, Osaka, Japan, b) Kansai Electric Power Co. Ltd., Osaka, Japan, c) Tokyo City
University, Tokyo, Japan
The paper presents the Japanese practice of the probabilistic safety assessment
(PSA) technology development and its application to the safety design/operation and
the safety regulation. The Nuclear Safety Commission has issued the safety goal,
performance objectives and the basic policies toward the risk informed decision making.
The Nuclear and Industry Safety Agency has published the guidelines for the risk
informed regulation and the for the PSA quality. Conforming to the movement of the
regulatory agencies, standards have been developed by the Atomic Energy Society of
Japan. The AESJ has developed the Standards Committee in 1999 and has made a
number of PSA standards. At present, the AESJ has issued standards for Level 1, 2,
and 3 PSA, seismic PSA at power, Level 1 PSA during shutdown state, and estimation
of PSA parameters and data. Additionally standard concerning the usage of the risk
information in changing the safety related activities has been issued. Hence the standards
for internal PSAs have been completed and are ready for extensive use in the
risk-informed decision making (RIDM) process. Development of standards for other
dominant risk contributors, e.g. fire risk and internal flood risk are under consideration.
Moreover, we recognize the necessity of developing the standard for individual RIDM
applications in opportune occasions.
PSA Standards - 1
4:35 PM
NPSAG- Nordic PSA-Group – Performed and Ongoing Research
Program
Göran Hultqvist
Forsmark Kraftgrupp AB, Östhammar Sweden
The Nordic PSA Group NPSAG was founded in December 2000 by the nuclear utilities
in Finland and Sweden. In addition, the Swedish Nuclear Power Inspectorate (SKI)
participates as an observer, and also takes part in the funding of many of the projects.
NPSAG is intended to be a common forum for discussion of issues related to probabilistic
safety assessment (PSA) of nuclear power plants, with focus on research and
development needs. The group follows and discusses current issues related to PSA
nationally and internationally, as well as PSA activities at the participating utilities. The
group initiates and co-ordinates research and development activities and discusses
how new knowledge shall be used. Important on-going activities concern CCF and
dependent failures in general, as well as applications of PSA. In addition, a general
and quite extensive discussion has been initiated about data for PSA models. The
discussion concerns a number of issues, ranging from types of data needed to future
procedures for data collection, processing and analysis. Over the years, international
contacts have increased, especially with partners in Europe (initiated by BWROG Associate
program and EU-research contacts). This is in line with the group’s aim to
create a common and lasting basis for the performance of PSA and for risk informed
applications of PSA in Europe. One important result is a common pilot project with
VGB (Germany) on multi-national CCF data analysis. The paper gives an overview
of NPSAG projects – past and present, and of the types of international contacts and
information collection activities of the group.
5:00 PM
Recent Advances in Developing Guides and Standards for Internal
Flooding PRA
Karl N. Fleming and Jean Francois Roy
KNF Consulting Services LLC, Spokane, WA
The Electric Power Research Institute has sponsored many projects to improve and
upgrade the technology for Probabilistic Risk Assessments (PRAs) and associated applications
at nuclear power plants as part of their PRA Scope and Quality Program. The
focus of this paper is to highlight some recent advances in the development of guides
and standards in the evaluation of accident sequences initiated by internal flooding.
The topics addressed include the development of guidelines for the performance of
a PRA in a manner that meets the technical requirements in the ASME/ANS PRA
standard, and the development of a data base of piping system failure rates for use
in estimating flood-induced initiating event frequencies. Examples are shown of how
these methods and tools have been used to support the evaluation of design, inspection,
and surveillance strategies to reduce the risk of internal-flood induced accident
sequences. Progress made recently in the enhancement of PRA standards for internal
flooding PRA (IFPRA) that take advantage of these developments is also discussed.
55

56
Session Chair: Mike Lloyd
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 3:45 PM - Carolina
3:45 PM
Proposed Approach for Simple Support System Initiating
Event (SSIE) Fault Trees
Michael Lloyd (a), Heather L. Detar (b), Ashley Peterman (c)
a) Risk Informed Solutions Consulting Services, Inc., b) Westinghouse Electric Corporation, c) Xcel Energy
Company
This paper introduces several new support system initiating event (SSIE) modeling
methods. Incentive for developing these methods was provided by inadequacies in
those currently used and difficulty in implementing the Explicit Event method recommended
in EPRI Technical Update Report 1016741. One of these new SSIE modeling
methods, the Composite method, was found to have valuable characteristics: it can
accurately estimate the SSIE frequency, is relatively easy to implement, use, maintain,
and document, can be used as a stand-alone SSIE model or integrated into a PRA
model, is consistent with existing PRA software capabilities, and meets all applicable
requirements of the PRA Standard and Reg. Guide 1.200. As such, the Composite
SSIE method is recommended for general use in the industry. This method should be
considered a tool available to PRA analysts who have immediate need for a practical
and easily implemented SSIE modeling method which can be integrated with a full
PRA model and applied in risk applications. This paper describes the Composite SSIE
model in detail and briefly describes two other SSIE methods developed in support of
this paper. It describes applicable PRA requirements related to SSIEs and describes
limitations of the Composite and other models. The paper also provides a detailed
example application of the Composite modeling method to create a SSIE fault tree
from a post-initiator support system fault tree of a simplified hypothetical but realistic
Service Water (SW) plant support system. The Composite SSIE model was quantified
and its cutset and frequency results were verified to be reasonable by comparing
them with the results obtained from the other two new methods. Example sensitivity
analyses were performed using the Composite model results to demonstrate the effect
of varying SSIE model assumptions.
4:10 PM
Updated and Improved Methodology for treating Interfacing
System LOCAs
C.H. Matos and R.J. Wolfgang (a), D.E. Gaynor (b)
a) ERIN Engineering, West Chester, PA, b) Entergy Nuclear
Interfacing system loss of coolant accidents (ISLOCAs) are caused by the failure of
piping and other components designed for low pressures as a result of their exposure
to high pressure reactor coolant. Because piping susceptible to ISLOCAs is routed
both inside and outside containment, the potential exists for unmitigated LOCAs and
for containment bypass and subsequent radionuclide release to the primary auxiliary
building (PAB). Due to the need for quantification of risk caused by an interfacing system
LOCA, it was necessary for a methodology to be developed that met the ASME
PRA Standard. This was done for a specific plant and followed NUREG/CR-5744 in
providing screening criteria. Using the criteria from NUREG/CR-5744, all lines that
penetrate containment were checked. Lines were checked against the screening criteria
if they directly connected an interfacing system and the reactor coolant system.
Lines that did not meet the screening criteria were retained as susceptible to ISLOCA.
Additional lines were susceptible if valves in the line were periodically stroke-tested.
Using this list, ISLOCA pathways were determined. Some were screened out after
qualitative and quantitative reasoning. The remaining lines were modeled in a fault
tree using CAFTA software. Values for component failure were obtained from either
generic or plant specific sources. Finally, pipe fragilities were determined. NUREG/
CR-5603 was used to determine the line rupture frequency given the identifying characteristics
of the pipe from piping schedules. Quantification of this model gave an accurate
representation of the risk due to an ISLOCA event for this specific plant.
Fault Tree Initiating Events
4:35 PM
Support System Initiating Events – Selection of a Modeling
Method for the Columbia Generating Station PSA
Eric J. Jorgenson (a), Albert T. Chiang (b)
a) Maracor Software & Engineering, Inc., Seattle, WA, b) Energy Northwest, Columbia Generating Station,
Richland, WA
This paper examines the considerations made to select the most suitable method to
model and quantify the support system initiating events for the Columbia Generating
Station Probabilistic Safety Assessment (Columbia PSA). EPRI 1016741 [1], which
was utilized as the primary resource for these considerations, documents selection
considerations and technical approaches for the three generally known methodologies:
1) explicit event method, 2) point-estimate fault tree method, and 3) multiplier
method. The Columbia PSA development team sought specific features for the SSIE
modeling, with a primary goal of meeting Capability Category II of the ASME / ANS
Combined Standard. This work was performed in 2008 and 2009 as part of an internal
events PSA upgrade to meet Capability Category II of the ASME/ANS Probabilistic
Risk Assessment (PRA) Standard [2], in accordance with Regulatory Guide 1.200
[3]. Although the EPRI 1016741 SSIE guidance encourages using the explicit event
method, the multiplier method was found to offer overwhelming advantages for the
Columbia PSA and provided the specific features that the PSA development team
sought. To develop the SSIE multiplier modeling, the methodologies recommended
by EPRI 1016741 were utilized. This paper does not detail the methodologies, as this
would be duplicative, but instead provides the highlights of implementing the multiplier
method. This paper also examines the concerns that PSA developers have cited for
the multiplier method, and provides an assessment / resolution of each concern.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Tuesday March 15, 2011 - 6:30 PM - Grand Ballroom
Banquet
Kevin C. Walsh - Senior Vice President, Nuclear Fuel Cycle, GE Hitachi Nuclear Energy
Kevin C. Walsh was named Senior Vice President, GE Hitachi Nuclear Energy (GEH) and
Chief Executive Officer of Global Nuclear Fuel, LLC, the legal entity that manages the Global
Nuclear Fuel joint venture of GE, Hitachi and Toshiba, headquartered in Wilmington, North
Carolina in October 2009. In his role Kevin leads all nuclear fuel cycle activities for GEH,
including the global BWR fuel business and the recently formed laser enrichment business.
Kevin joined GEH from his most recent role as General Manager-Nuclear Services on September
4, 2006. Kevin is located at GE Nuclear Headquarters in Wilmington, NC where he is
responsible for managing the Parts, Services and Repair work associated with GE’s Nuclear
business globally.
Kevin joined GE as a Field Engineer in 1984. He subsequently served as Project Manager,
Plant Manager of a 50 MW Cogeneration Power Plant in Bethpage, NY and later as Plant
Manager of 250 MW Cogeneration Plant in Springfield, MA.
Kevin went on to positions in GE Energy Services as Manager-Long Term Service Agreements, General Manager-Operations
for Contractual Services, General Manager- Performance Services, and General Manager-Field Services where he
had responsibility for over 1,500 Field Engineers leading the installation, uprate, and maintenance activities for both GE
and non-GE large gas turbines, steam turbines and generators as well as supporting Industrial power delivery and drives
and controls activities.
Kevin has 29 years experience in the Power Industry with an extensive background in Operations and Maintenance. He
began his career sailing on ships in the Merchant Marine as a Licensed Engineer before joining GE. He attended the
United States Merchant Marine Academy where he received a B.S. Degree in Marine Engineering.
57

58
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 8:00 AM - Grand Ballroom
Plenary Session III
John Kelly - DOE Deputy Assistant Secretary for Nuclear Energy
Dr. John E. Kelly was appointed Deputy Assistant Secretary for Nuclear Reactor Technologies
in the Office of Nuclear Energy in October 2010. He is responsible for the Department
of Energy’s nuclear reactor research and development programs for Light Water Reactors,
Gas Cooled Reactors, Small Modular Reactors, and advanced reactor concepts. His office is
also responsible for the advanced modeling and simulation program within DOE-NE.
Prior to joining the Department of Energy, Dr. Kelly spent 30 years at Sandia National Laboratories
where he was engaged in a broad spectrum of research programs in nuclear reactor
safety, advanced nuclear energy technology, and national security. In the reactor safety field,
he led efforts to establish the scientific basis for assessing the risks of nuclear power plant
operation and specifically those risks associated with potential accident scenarios. His research
focused on core melt progression phenomena and led to an improved understanding
of the Three Mile Island accident. In the advanced nuclear energy technology field, he led
Sandia’s efforts to develop advanced concepts for space nuclear power, Generation IV reactors,
and proliferation-resistant and safe fuel cycles. These research activities explored new
technologies aimed at improving the safety and affordability of nuclear power. In the national security field, he led national
efforts to evaluate the safety and technical viability of tritium production technologies.
Dr. Kelly is an active member of the American Nuclear Society and has served on the Nuclear Installations Safety Division
for the last 2 decades in a number of leadership positions. His committee work has focused on increasing the publication
of scientific work in the nuclear safety field and in developing national positions on the safety of nuclear power.
Dr. Kelly received his B.S. in nuclear engineering from the University of Michigan in 1976 and his Ph.D. in nuclear engineering
from the Massachusetts Institute of Technology in 1980.

Session Chair: Martina Kloos
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Azalea
9:00 AM
Extension of CAFTA with Dymonda Module To Analyze Dynamic
Accident Scenarios
Scott Dixon, Michael Yau, Sergio Guarro
ASCA, Inc., Redondo Beach, CA
This paper discusses the development and applications of an advanced Probabilistic
Risk Assessment (PRA) tool. This tool is an integration of the ASCA, Inc. developed
Dymonda software and the EPRI managed CAFTA software. This integrated tool
extends the “conventional PRA” capabilities of the CAFTA software to solve timedependent
accident scenarios completely within the CAFTA environment. The class of
time-dependent scenarios targeted contains recovery actions and time dependencies.
Solutions to this class of scenarios traditionally require calculations external to CAFTA
which are generally difficult to manage. The integrated tool permits the modeling and
analysis of the aforementioned time-dependent scenarios entirely within the CAFTA
environment without doing any external calculations. Under EPRI sponsorship, this
integrated tool was applied to the Loss of Offsite Power (LOSP) time-dependent risk
scenario for the Turkey Point Nuclear Facility. In the first phase, a loosely coupled
method was applied which used DFM models to identify “recovery rules” and correction
factors to account for the possibility of time-dependent offsite power and/or diesel
power recovery. In the second phase, a closely coupled solution was implemented.
The dynamically consistent LOSP cut-sets were identified and quantified by means of
DFM models. The cut-set information was then transmitted into CAFTA in standard-
PRA-compatible format. Ongoing work is being done to apply this integrated tool to
a case study involving fire risk scenarios with HRA (Human Reliability Analysis) aspects.
Dynamic PSA - 4
9:25 AM
Heartbeat Model for Component Failure Time in Simulation of
Plant Behavior
R. W. Youngblood, R. R. Nourgaliev, D. L. Kelly, C. L. Smith, and T-N. Dinh
Idaho National Laboratory, Idaho Falls, ID
As part of the Department of Energy’s “Light Water Reactor Sustainability Program”
(LWRSP), we are developing a methodology and associated tools for risk-informed
characterization of safety margin that can be used to support decision-making about
plant life extension beyond the first license renewal. Beginning with the traditional discussion
of “margin” in terms of a “load” (a physical challenge to system or component
function) and a “capacity” (the capability of that system or component to accommodate
the challenge), we are developing the capability to characterize realistic probabilistic
load and capacity spectra, reflecting both aleatory and epistemic uncertainty in system
behavior. This way of thinking about margin comports with work done in the last 10
years. However, current capabilities to model in this way are limited: it is currently possible,
but difficult, to validly simulate enough time histories to support quantification in
realistic problems, and the treatment of environmental influences on reliability is relatively
artificial in many existing applications. The INL is working on a next-generation
safety analysis capability (widely referred to as “R7”) that will enable a much better
integration of reliability- and phenomenology-related aspects of margin. In this paper,
we show how to implement cumulative damage (“heartbeat”) models for component
reliability that lend themselves naturally to being included as part of the phenomenology
simulation. Implementation of this modeling approach relies on the way in which
the phenomenology simulation implements dynamic time step management. Within
this approach, component failures influence the phenomenology, and the phenomenology
influences the component failures.
59

60
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Camellia/Dogwood
Risk-Informed Decision Making - 2
Session Chair: Dana Kelly
9:00 AM
Using PRA to Improve Safety Through Design and Operational
Changes
Robert Lutz
Westinghouse Electric Company, Cranberry Township, PA
The design and operation of the existing fleet of nuclear power plants was based on
conservative design basis analyses to show reasonable assurance of compliance with
regulatory requirements. These conservative analyses were often focused on meeting
singular requirements using very detailed, focused analyses without consideration of
the overall safety impact. With the maturing of Probabilistic Risk Assessment (PRA)
as a tool for risk-informed decision making, the opportunity exists to re-visit some of
design and operational features of the plants in light of their overall impact on safety
as measured by risk metrics of core damage frequency (CDF) and large early release
frequency (LERF).
Using risk assessment techniques, several changes to existing design features and
emergency procedures can be identified that would result in a decrease in either CDF
or LERF, but just as importantly reduce uncertainties and provide additional defense
in depth. Thus an overall improvement in safety can be obtained. One of the most risk
significant changes identified is elimination of automatic initiation of containment spray
on high containment pressure. Another key change that has been identified is the elimination
of rapid starting and loading of the diesel generators. Insights from the PRA
have also been used to change Emergency Operating Procedures to decrease the
potential for operator errors in performing key actions that impact CDF or LERF. The
barrier to implementation of these changes is, in some cases, the approved analysis
methods to show compliance with various deterministic regulatory requirements. This
paper describes the basis for recommending these design and operational changes
as well as regulatory barriers to change.
9:25 AM
An Approach for Holistic Consideration of Defence in Depth
for Nuclear Installation Using Probabilistic Techniques
I. Kuzmina, M. El-Shanawany, M. Modro, and A. Lyubarskiy
International Atomic Energy Agency, Vienna, Austria
The concept of defence in depth (DiD) is fundamental to the safety of nuclear installations.
DiD is referred in the safety standards produced by the International Atomic
Energy Agency (IAEA) as the primary means of preventing and mitigating the consequences
of accidents in nuclear installations. DiD provides a hierarchical deployment
of quality independent different levels of equipment and procedures in order to
maintain the effectiveness of physical barriers placed between radioactive materials,
the workers, public, and the environment during normal operation states and potential
accident conditions. DiD ensures that a high level of safety is achieved with sufficient
margins to compensate for potential equipment failures and human errors. Several
publications were produced by the IAEA on DiD over the last twenty years that summarized
the basic principles for DiD and provided high-level guidance on the assessment
of defence in depth for nuclear power plants (NPP). The IAEA is further developing the
approach for the representation and assessment of DiD in nuclear installations emphasizing
the need for a holistic consideration of the levels of DiD in conjunction with
deterministic and probabilistic goals and success criteria. Particularly, an investigation
is being conducted by the IAEA to explore on the use of probabilistic techniques for
the assessment of compliance with DiD for new NPP designs. Different categories of
initiating events are considered in conjunction with equipment reliability requirements.
The paper summarizes the available outcome of the work and outlines a possible
holistic approach for effective application of DiD principles.

Session Chair: William E. Burchill
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Magnolia
9:00 AM
The Past and Current Proliferation Resistance R&D Activities
in KAERI
Ho-Dong Kim, Hong-Lae Chang, Won Il Ko, Hee-Sung Shin, Seong-Kyu
Ahn
Korea Atomic Energy Research Institute, Daejeon, Republic of Korea
The Republic of Korea has carried out vigorous research and development activities
on nuclear fuel cycle technology options such as direct disposal, Direct Use of PWR
Spent fuel in CANDU Reactors (DUPIC), and pyroprocessing for the management of
spent fuel. Since the proliferation resistance is one of the key issues in the fuel cycle
option studies, the Koran Atomic Energy Research Institute (KAERI) has engaged in
R&D to develop methodologies to evaluate the proliferation resistance of nuclear fuel
cycles, as well as to enhance the level of proliferation resistance. This paper introduces
the past and current R&D activities undertaken at the KAERI on the evaluation
of proliferation resistance of direct disposal, DUPIC and pyroprocessing fuel cycles, as
well as on international collaboration within the framework of INRPO and Generation
IV International Forum in the area of proliferation resistance of nuclear energy systems.
KAERI is currently performing an IAEA Member State Support Program (MSSP)
on the safeguards approach development for the pyroprocessing facility. Even though
the pyroprocessing technology is still in the development stage, efforts to make a
vulnerability assessment of pyroprocessing with available design information are currently
undertaking. (Not included in proceedings)
Proliferation Risk - 1
9:25 AM
The Need for Proliferation Risk Assessment
William E. Burchill
Consultant, Past President, American Nuclear Society
This paper presents the need for quantitative assessment of proliferation risk. Current
non-proliferation methodologies provide a basic taxonomy of proliferation pathways.
However, the relative likelihood of these pathways is currently known only qualitatively,
subjectively, incompletely, and in many cases arguably, i.e., there is disagreement
among experts. Therefore, efforts to quantify all elements of proliferation pathways
including the effectiveness of various proliferation barriers would provide significant
insights with which to guide policies and actions to deter potential proliferators. PRA
(probabilistic risk assessment) techniques could be applied to close this knowledge
gap. This paper refers to this application as “proliferation PRA.”
61

62
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Salon A
Fire PSA Methods - 6
Session Chair: Pedro Fernández Ramos
9:00 AM
Fire Analyses Performed by Empresarios Agrupados for
some Spanish NPPs
Pedro Fernández Ramos
Empresarios Agrupados, Madrid, Spain
Spanish nuclear power plants are undergoing a process of updating their fire risk
analyses as part of the requirements for updating the probabilistic safety analyses
in the framework of periodic safety revisions. In some cases, this is also part of the
transition process to NFPA 805 as an alternative to the current licensing bases for fire
protection.
Because part of the transition process requires carrying out analyses such as:
A deterministic fire analysis
A probabilistic fire analysis
Empresarios Agrupados has undertaken to carry out both the deterministic and probabilistic
analyses for the nuclear power plants at Almaraz, Ascó and Vandellós 2, all of
which are Westinghouse PWR plants.
9:25 AM
Application of the NUREG/CR-6850 EPRI/NRC Fire PRA Methodology
to a DOE Facility
Heather Lucek, Jim Bouchard, Tom Elicson, Ray Jukkola, Duan Phan (a),
Bentley Harwood and Richard Yorg (b)
a) WorleyParsons Polestar, Inc, Idaho Falls, ID, b) Battelle Energy Alliance, LLC, Idaho Falls, ID
The application NUREG/CR-6850 EPRI/NRC fire PRA methodology to DOE facility
presented several challenges. This paper documents the process and discusses several
insights gained during development of the fire PRA. A brief review of the tasks
performed is provided with particular focus on the following:
• Tasks 5 and 14: Fire-induced risk model and fire risk quantification. A key lesson
learned was to begin model development and quantification as early as possible in the
project using screening values and simplified modeling if necessary.
• Tasks 3 and 9: Fire PRA cable selection and detailed circuit failure analysis. In retrospect,
it would have been beneficial to perform the model development and quantification
in 2 phases with detailed circuit analysis applied during phase 2. This would have
allowed for development of a robust model and quantification earlier in the project and
would have provided insights into where to focus the detailed circuit analysis efforts.
• Tasks 8 and 11: Scoping fire modeling and detailed fire modeling. More focus should
be placed on detailed fire modeling and less focus on scoping fire modeling. This was
the approach taken for the fire PRA.
• Task 14: Fire risk quantification. Typically, multiple safe shutdown (SSD) components
fail during a given fire scenario. Therefore dependent failure analysis is critical to obtaining
a meaningful fire risk quantification. Dependent failure analysis for the fire PRA
presented several challenges which will be discussed in the full paper.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Salon B
Significance Determination Process
Session Chair: Greg Krueger
9:00 AM
Recent Updates of Risk Assessment Standardization Project
(RASP) Handbook for Risk Assessment of Operational
Events
S.M. Wong, C.S. Hunter, and F.P. Bonnett
U.S. Nuclear Regulatory Commission, USNRC, Washington, D.C.
This paper provides an overview of recent updates and ongoing activities to enhance
the NRC Risk Assessment Standardization Project (RASP) Handbook for risk assessment
of operational events. This RASP Handbook was developed to provide consistent
methods for use by NRC staff in performing risk assessments in various risk-informed
regulatory applications. The Handbook describes methods that are used in risk
analysis of plant conditions for Significance Determination Process (SDP) Phase 3
analyses, and for the Accident Sequence Precursor (ASP) program and Management
Directive (MD) 8.3 event assessments. Revision 1 of the RASP Handbook containing
Volumes 1, 2 and 3 has been updated on a periodic and as-needed basis, based on
user comments and insights gained from field application of the documents. In concert
with ongoing activities to enhance the RASP Handbook, new topics are being added
to future revisions of the Handbook to streamline risk assessments performed by NRC
staff.
9:25 AM
Examples of Risk Assessments in Support of Significance
Determination Process (SDP) Evaluations at San Onofre Nuclear
Generating Station (SONGS)
Parviz Moieni, Michelle P. Carr, Craig F. Nierode
Southern California Edison
The purpose of this paper is to describe a few examples of risk assessments in support
of significance determination process (SDP) evaluations at SONGS. The SDP uses
probabilistic risk assessment (PRA) methods to assess the safety significance of various
findings or events at nuclear power plants (NPPs). The focus of this paper is on
Phase 3 SDPs, where detailed PRA evaluations performed by the NRC’s senior reactor
analysts (SRAs) and plant PRA staff, are used to determine the safety significance
of the findings or events. SDPs are typically used to assess the safety significance
of events documented in Licensee Event Reports (LERs), inspection findings, and
equipment failures or deficiencies impacting the plant risk. The examples discussed in
this paper include the safety significance evaluations of: 1) a loss of emergency core
cooling system (ECCS), 2) a loss of main feedwater (LMFW) event, 3) a seismically
unrestrained 4.16 kV breaker, and 4) potential inadequate Maintenance Rule (a)(4)
risk assessment due to erroneous room heat up calculation results used in the PRA
model.
63

64
Session Chair: Robert Budnitz
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 9:00 AM - Carolina
9:00 AM
Application of Low Power and Shutdown PSA Insights to
Development and Implementation of Full Scope Severe Accident
Management Guidelines Covering All Plant Operating
States for VVER And PWR in Europe
Oleg Solovjanov (a), Robert Lutz (b), Antoine Rubbers (a)
a) Westinghouse Electric Belgium S.A., Nivelles, Belgium, b) Westinghouse Electric Company LLC,
Cranberry, PA
Over the past fifteen years many of the nuclear power plants worldwide have been
equipped with a capability for severe accident management. This has been driven
partly by the Severe Accident Management Guidance (SAMG) developed by owners
groups in the USA for plant specific applications. At the same time Probabilistic Safety
Analyses (PSA) have been extended to shutdown and low power operation modes in
many countries [1]. Many studies such as the shutdown PSA for Beznau, Koeberg,
EdF 900/1300, and VVER plants in Central Europe (Hungary, Slovak and Czech Republic)
as well as latest industry events, such as Paks NPP shutdown fuel damage accident
[2], demonstrated that the core damage frequency from an accident occurring
when at shutdown or low power operation modes was of the same order of magnitude
and even higher (up to 80% of CDF for some plants) than the one at power.
In response to the needs of the European community, Westinghouse has developed
Shutdown SAMG (SSAMG) that is integrated into at-power Westinghouse Owners
Group (WOG) SAMG to form a complete symptom-based SAMG package applicable
to all Plant Operational States (POS). The development of the SSAMG is based on
the shutdown and low power PSA studies performed for the European plants. The
principal changes required in the entry conditions, diagnostic parameters, diagnostic
prioritization, as well as specific severe accident guidelines and development of new
guideline. The SSAMG methodology based on this approach is matured and has been
implemented at several operating plants with different reactor types: Westinghouse
PWR, AREVA PWR, and VVER.
The impact of SSAMG has also been included in a number of recent PSAs for plants
that have implemented the SSAMG and this has tended to lead to a reduction in the
core damage frequency, large early release frequency, and source term frequencies.
The Westinghouse methodology to extend the applicability of the WOG SAMG to
shutdown and low power conditions and the basis derived from the low power and
shutdown PSA studies is described.
Shutdown PSA - 1
9:25 AM
Quantification of A 3 Loops Westinghouse PWR Outage Key
Safety Functions Using Probabilistic Safety Assessment
M.M. Cid, J.Dies, C.Tapia, O.Viñals
Nuclear Engineering Research Group (NERG), Department of Physics and Nuclear Engineering (DFEN),
Technical University of Catalonia (UPC), Barcelona, Spain
The developed methodology provides a guidance of the systematic of using Probabilistic
Safety Assessment (PSA) for the evaluation of guides or procedures which
ensure the compliment of the Outage Key Safety Functions (OKSF) in nuclear power
plants. As a pilot experience, the methodology has been applied to the 3th and 13th
Operational Plant State (OPS), always within the operational mode 4 of a 3 loops
Westinghouse Pressurized Water Reactor. The analyzed procedure requires the operability
of just one charge pump as boric acid supply source. PSA gives a Core Damage
Frequency increase (DCDF) of 1.19·10-6 year-1 for the pump in standby, consequently,
an exposure time T= 53.6 hours. Given an average time for the OPS of 40 hours,
it is concluded the correct treatment of the procedure. However, it could be improved
with the inclusion of an additional inventory replacement function. This would limit the
charge pump unavailability. On the other hand, the availability of the external electrical
sources is ratified. The procedure requires the operability of both supplies during
the OPS. The unavailability of one of them (transformer fail) involves a DCDF equal to
1.64·10-5 year-1 and a T= 3.89 hours. Then, it is considered appropriate the treatment
of the procedure from the PSA point of view.

Session Chair: Jeff Riley
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Azalea
10:05 AM
The Performance And Importance Analysis Of Power Systems
Based On Bayesian Networks
Shubin SI, Caitao LI, Zhiqiang CAI, Wei HU
Ministry of Education Key Laboratory of Contemporary Design and Integrated Manufacturing Technology,
School of Mechantronics, Northwestern Polytechnical University, Shaanxi, P.R. China
Because the power systems are becoming more gigantic, it is important for the power
corporations to monitor the performance of power systems and determine which object
needs maintenance most in the operation. With the advantages of describing
uncertain variables and conditional independence relationships, we introduce the
Bayesian network (BN) to build the performance and importance analysis model of
power systems in this paper. The standard multilayer BN (MLBN) unit is put forward
at first to represent different kinds of inner or outer factors in the power system. Then,
the special meanings of nodes and edges in the equipment layer, station layer and
network layer of MLBN are discussed in detail. Third, the integration method of MLBN
in these three layers is also described to facilitate the modeling and inference process.
Based on the built MLBN model of power system, the system performance and importance
analysis approaches are demonstrated with corresponding posterior probability
distributions. At last, the case study based on the Yunnan electric power corporation
(China) is implemented. The practical transformer model shows that the proposed
MLBN method can describe the inner & outer factors and relationships well to provide
useful performance and importance analysis helps.
10:30 AM
Fast Calculation Methods of Importance Measures in the
Fault Tree Analysis
Woo Sik Jung and Joon-Eon Yang
Korea Atomic Energy Research Institute, Daejeon, South Korea
This paper explains improved methods to calculate importance measures that are
based on Rare Event Approximation (REA) and Min Cut Upper Bound (MCUB) probabilities.
The new methods were developed to accelerate the importance measure calculation
of enormous Minimal Cut Sets (MCSs). The new methods embody one-time
accessing of the MCSs and individual quantification of MCSs. By the new methods
for the importance measure calculations of huge MCSs, the MCSs are individually
accessed and quantified just one time regardless of their location in a hard disk or
computer memory. By virtue of the individual quantification of MCSs, these methods
do not require a large computer memory and they can be used even when the huge
MCSs cannot be loaded into a memory.
Additionally, a fast computing method of the importance measures by the Zero-suppressed
Binary Decision Diagram (ZBDD) structure is introduced in this paper. The
ZBDD-based importance measure calculation also realizes the one-time accessing of
the MCSs. However, the acceleration with the ZBDD is limited to the case of importance
measure calculation using REA probabilities and the case when the ZBBD can
be loaded into a memory. That is, there is no available acceleration method for the
importance measures using MCUB probabilities.
Advanced PSA Methods
10:55 AM
Utilizig Degradation Monitorig for Operatioal Risk Assessmet
Bulent Alpay and James Paul Holloway
Department of Nuclear Engineering and Radiological Sciences, University of Michigan, Ann Arbor, MI
System/component degradations in nuclear power plants lead to reduction in system
performance and plant economy, and further challenge safe operation of a plant by
reducing the safety margins if they remain undetected. In many instances, it is hard
to observe the signatures of degradation on the system behavior directly due to inefficient
sensor placement, small disturbances as compared to measurement uncertainties,
etc. Simultaneous multicomponent degradations may also mask the signatures
of the degradations. For the cases when degradations in components/systems are
detected and estimated, quantifying the operational risk associated with these degradations
in that NPP in a timely manner is essential.
We propose a degradation monitoring technique that is capable of detecting and estimating
simultaneous multicomponent degradations for high dimensional and highly
nonlinear systems. We present a degradation monitoring technique based on sequential
Monte Carlo filtering with an adaptive Markov chain Monte Carlo (MCMC) step.
This step works as a multiple hypotheses testing algorithm in which the hypotheses
are constructed by utilizing a degradation database, which is compiled via past operational
experience and manufacturer specifications. The adaptation scheme is based
on a comparison of reproducibility of the limited number of measurements of the particles
coming from the filter itself and from the degradation database to estimate the
degradations in the components. A loworder model of a balance of plant of a boiling
water reactor (BWR) is chosen as a demonstrative application. We show tests of our
degradation monitoring algorithm for the estimation of nominal states, and multicomponent
degradations.
In addition, we utilize the resistancestress model taken from structural reliability analysis
to evaluate the functional/performance failure probability of a degraded system and
further assess its risk on plant operation.
11:20 AM
Quantitative Risk Assessment Using Hybrid Causal Logic
Model
Yan Fu Wang, Min Xie, Shahrzad Faghih Roohi
Department of Industrial & Systems Engineering, National University of Singapore, Singapore
This paper presents a hybrid causal logic model, which integrates the traditional
Quantitative Risk Assessment (QRA) models with Bayesian Network (BN) incorporating
human and organizational factors. The multi-phase model allows different risk
assessment methods to be applied to different parts. In the first phase, Event Tree
(ET) defines the base scenarios for the source of risk issues. In the second phase,
Fault Tree (FT) is used to model the factors how to contributing to the final failures. BN
comprise the third phase, which extends the causal chain of basic events to potential
human and organizational roots and provide a more precise quantitative links between
the event nodes. The new model integrates the power of typical QRA for modeling deterministic
causal paths with the flexibility of BN for modeling non-deterministic causeeffect
relationships. The integration algorithm is demonstrated on an offshore fire case
study. It clearly shows the new model is more flexible and useful than traditional QRA
models.
65

66
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Camellia/Dogwood
Risk-Informed Technical Specifications
Session Chair: Mike Snoderly
10:05 AM
Risk-Managed Technical Specifications Application At STP:
More Than Three Years Of Experience
Fatma Yilmaz, Ernie Kee, and Rick Grantom
South Texas Project Electric Generating Station, Wadsworth, TX
South Texas Project (STP) implemented Risk-Managed Technical Specifications
(RMTS) in 2007. The overall objective of the RMTS initiative is to provide a risk-based
approach to assign the amount of time allowed (allowed outage time, AOT) for certain
equipment important to safety to be out of service. Classically, Technical Specifications
have been written with AOTs based on heuristics or deterministic criteria. As
a consequence, maintenance events unimportant to safety have caused unnecessary
plant shutdowns or significant Regulator and plant staff resources to determine
a more reasonable time (for example, Notice of Enforcement Discretion). Three and a
half years after implementation, the STP RMTS program has proved its worth, giving
unprecedented operational flexibility to STP by delivering possibly the largest operating
envelope with respect to Technical Specifications in any US commercial nuclear
electric generating station. From the perspective of the STP Risk Management group,
there have been some lessons learned about the program’s implementation. In this
article, we focus primarily on experience with the plant application, Risk Informed
Completion Time Calculator (RICTCal), which provides Operators the tool needed to
accurately determine the limiting times associated with RMTS.
10:30 AM
A Proposed Framework for Integrated Risk-Informed Performance-Based
Regulation for Nuclear Power Plants
James K. Liming and David H. Johnson (a), C. Richard Grantom (b)
a) ABSG Consulting Inc. (ABS Consulting), Irvine, CA, b) STP Nuclear Operating Company, Wadsworth,
TX
This paper summarizes a refreshed perspective on a proposed integrated risk-informed
performance-based regulatory framework via the application of probabilistic safety assessment
(PSA). This perspective is refreshed, in that it is based on the considerable
industry experience gained during the last decade in the implementation of important
risk-informed applications (e.g., risk-managed technical specifications (RMTS), riskinformed
surveillance frequency control programs (RI-SFCPs), risk-informed in-service
testing programs (RI-IST), risk-informed in-service inspection (RI-ISI) programs,
risk-informed graded quality assurance (RI-GQA) programs, etc.) and in the area of
PSA standards development and implementation. The focus of this paper is to provide
an integrated framework of proposed practical safety management metrics that can
be effectively and efficiently applied in the regulation of commercial nuclear power
plant design, construction, operation, maintenance, and decommissioning. The scope
of the discussion in this paper includes treatment of conventional deterministic safety
criteria as well as probabilistic risk criteria. The paper addresses both qualitative and
quantitative aspects relating to this proposed regulatory framework.
10:55 AM
Interpretation and Evaluation of the TS Criteria – Development
of a Guidance Document
Ola Bäckström, Anna Häggström and Anders Olsson
Scandpower - Lloyd’s Register, Stockholm, Sweden
A nuclear power plant’s Technical Specifications (TS) define the limits and conditions
for plant operation. The original TS were based on deterministic analyses and engineering
judgments, but as the Probabilistic Safety Assessment (PSA) has developed it
has shown to constitute a useful tool for evaluating many aspects of the TS from a risk
point of view. The US NRC has fully adopted a risk informed decision process, in which
PSA plays an important role. In the Nordic countries the use of risk informed methods
has been discussed since the early nineties, but on the whole the methods have only
been applied on a case by case basis.
It is however expected that the use of risk informed decision making will increase significantly
in the coming years with on-going modernization and power uprate projects,
which require TS to be updated. Within a co-operation project between Nordic Nuclear
Safety Research (NKS) and the Nordic PSA Group (NPSAG) the different aspects that
must be taken into account in a risk based evaluation process of TS changes have
been studied. The aim has been to produce a guidance document covering the most
important issues to consider, but not to point out a single method as the only acceptable
one.
11:20 AM
Fleet Wide Pursuit of Risk-Informed Initiative 5B - Surveillance
Frequency Control Program (SFCP) at Exelon Nuclear
Stations
Philip Tarpinian (a), Glenn Stewart (b), Victoria Warren (c)
a) Exelon Nuclear, Limerick Generating Station, Pottstown, PA, b) Exelon Nuclear, Licensing & Regulatory
Affairs, Kennett Square, PA, c) ERIN Engineering and Research, Inc., West Chester, PA
Exelon Nuclear’s Limerick Generating Station (LGS) became the first plant to receive
Nuclear Regulatory Commission (NRC) approval in September of 2006 to control its
own surveillance test intervals via a Surveillance Frequency Control Program (SFCP).
Exelon is now pursuing a fleet wide strategic initiative to implement the SFCP at its
other nine (9) nuclear stations utilizing the regulatory framework established by the
NRC. Exelon submitted license amendment requests (LARs) to the NRC for these
nine stations in the 2009 and early 2010 timeframe. These LARs utilize Technical
Specification Task Force (TSTF) traveler TSTF-425, “Relocate Surveillance Frequencies
to Licensee Control - RITSTF Initiative 5b” that was subsequently developed
based on the LGS pilot and NEI methodology and was approved by the NRC. The
NRC granted approval to Exelon’s Peach Bottom Atomic Power Station in August of
2010, Oyster Creek Generating Station in September of 2010 and Three Mile Island
Nuclear Station in January 2011. Exelon expects to receive approval from the NRC
for the balance of its nuclear stations by early 2011. Implementation of the SFCP occurs
within the timeframe approved by the NRC as specified in each site’s respective
license amendment request (LAR) and is typically sixty (60) or one hundred twenty
(120) days. Implementation of the SFCP at all Exelon sites is expected to be completed
by the mid 2011. Exelon will be adapting the SFCP process and procedures initially
developed for Limerick to apply toward its entire nuclear fleet by the end of 2011. In the
interim, sites are implementing the SFCP on a site-specific basis. This paper is sequel
to a topical paper presented by Philip Tarpinian et al, titled “Implementation of a Risk-
Informed Surveillance Frequency Control Program - A PRA Perspective” (Reference
1) at ANS PSA 2008 conference.

Session Chair: Steve Farminham
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Magnolia
10:05 AM
Methodology for Developing a Probabilistic Risk Assessment
Model of Spacecraft Rendezvous and Dockings
Steven J. Farnham II and Warren C. Grant (a), Michael G. Lutomski (b)
a) ARES Corporation, League City, TX, b) NASA-JSC
In 2007 NASA was preparing to send two new visiting vehicles carrying logistics and
propellant to the International Space Station (ISS). These new vehicles were the European
Space Agency’s (ESA) Automated Transfer Vehicle (ATV), the Jules Verne,
and the Japanese Aerospace and Explorations Agency’s (JAXA) H-II Transfer Vehicle
(HTV). The ISS Program wanted to quantify the increased risk to the ISS from these
visiting vehicles. At the time only the Shuttle, the Soyuz, and the Progress vehicles
rendezvoused and docked to the ISS. The increased risk to the ISS was from a potential
catastrophic collision during the rendezvous and the docking or berthing of
the spacecrafts to the ISS. A universal method of evaluating the risk of rendezvous
and docking or berthing was created by the ISS’s Risk Team to accommodate the
increasing number of different spacecrafts, as well as the future arrival of commercial
spacecraft, and the increasing number of rendezvous and docking or berthing operations.
Before the first docking attempt of ESA’s ATV and JAXA’s HTV to the ISS, a
probabilistic risk model was developed to quantitatively calculate the risk of collision
between each spacecraft and the ISS. Building on ATV’s rendezvous and docking
risk model, probabilistic risk models for Soyuz and Progress were developed. These
5 rendezvous and docking models have been used to build and refine the methodology
for rendezvous and docking of spacecrafts. This risk modeling methodology will
be NASA’s basis for evaluating future spacecrafts’ hazards including the SpaceX’s
Dragon, Orbital Science’s Cygnus, and NASA’s own Orion spacecraft. This paper will
describe the methodology for developing a visiting vehicle risk model.
Space/Aircraft PSA
10:30 AM
Command Process Modeling for Safety during Operations
Leila Meshkat
California Institute of Technology - Jet Propulsion Laboratory, Pasadena, CA
The design of the command generation process for the spacecraft during operations
often occurs long before launch. The different phases of the spacecraft lifecycle during
design, development and operations and the applicable command products for each
phase are considered and the process needed for the development of these commands
are then designed and documented.
A command error is when the commands sent do not match the operator intent. Examples
include sending the wrong command, sending the right command twice, incorrect
parameter settings, and sequence errors. Root causes include transcription errors,
inadvertently selecting the wrong command because the names are non-intuitive, failing
to notice an error caught by an automated checker, lax execution of processes,
incomplete awareness of the spacecraft state, and operations complexity.
Although current processes catch 99.5% of all command errors, they account for an
alarming fraction of spacecraft anomalies and near misses. This paper explains an approach
for more explicitly considering the trades involved during the design of the command
processes, in terms of risk and cost, in order to reduce commanding errors. The
thesis is that this approach helps to reduce the commanding errors without increasing
the costs associated with the command generation process. (Presentation Only)
67

68
Session Chair: Andrea Maioli
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Salon A
10:05 AM
Study on Seismic PSA for A BWR in Shutdown State
Masahide Nishio and Haruo Fujimoto
Japan Nuclear Energy Safety Organization, Tokyo, Japan
A seismic PSA was performed for a BWR4 plant in shutdown state, assuming that it
is located in relatively high earthquake ground motion site. During periodic inspection,
core decay heat decreases with time and reactor system configuration changes in
accordance with maintenance work. Taking into consideration plant thermal-hydraulic
situation and system configuration, periodic inspection period was divided into 6 plant
operating states (POS). Earthquake-induced initiating events in shutdown state were
selected for analysis. They were listed in the order of the extent of severity on core
damage and their occurrence probability was calculated using hierarchy tree model.
Seismic shutdown PSA models were constructed and accident sequence analysis
was performed for each POS. As a result, the characteristics of core damage frequency
such as dominant accident sequences, core damage probability per seismic
acceleration, contributing factors to core damage frequency and important components
with high FV importance were obtained. Comparison of core damage frequency
between in shutdown state and in full power operation was performed, considering
duration time of periodic inspection and full power operation in a year. Core damage
frequency in periodic inspection was shown to be smaller enough than that in full
power operation.
10:30 AM
Human Reliability Modeling in the Kernkraftwerk Mühleberg
Seismic PSA
R.F. Kirchner (a), E.T. Burns and V.M. Andersen (b), O. Zuchuat and Y.
Bayraktarli (c)
a) RFK Dynamics, Inc., Niskayuna NY, b) ERIN Engineering and Research, Inc., Campbell, CA, c) BKW
FMB Energie AG, Mühleberg, Switzerland
The modeling of human interactions (HI) in a Seismic Probabilistic Safety Assessment
(SPSA) is more difficult than in other types of PSA models because seismic events
involve additional performance shaping factor considerations. Factors such as the
magnitude of the seismic event, timeframe for actions, and location of actions all must
be considered in operator reliability modeling. A seismic impact matrix method was
developed for the Kernkraftwerk Mühleberg (KKM) SPSA in order to realistically model
operating crew performance in seismic event response. In addition, the seismic fragility
of support structures that could impact operators was also considered. This paper
describes the method developed for the KKM SPSA Human Reliability Assessment
(HRA) including seismic performance shaping factors and quantification of related
impacts.
Seismic PSA - 4
10:55 AM
A Procedure for The Computation of Seismic Fragility Of NPP
Buildings with Base Isolation
G. Bianchi, M. Domaneschi, D.C. Mantegazza and F. Perotti (a), L. Corradi
dell’Acqua (b)
a) Department of Structural Engineering, Politecnico di Milano, Milan, Italy, b) Energy Department, Politecnico
di Milano, Milan, Italy
The research work here described is devoted to the development and testing of a numerical
procedure for the computation of seismic fragilities for equipment and structural
components in Nuclear Power Plants (NPP). Given the very low damage probabilities
which are required in modern nuclear industry, attention is focused on the comparison
between the performance of traditional and seismically isolated buildings. The procedure
is based on the hypothesis, typical of nuclear structures, of linear behaviour of the
building in the traditional case; the behaviour of isolation devices, on the other hand, is
modelled taking mechanical non-linearities into account. The proposed procedure for
fragility computation makes use of the Response Surface (RS) Methodology to model
the influence of the random variables on the dynamic response. To account for stochastic
loading the latter is computed by means of a simulation procedure. Given the
RS, the Monte Carlo method is used to compute the failure probability; a risk-based
procedure for refining the RS is also proposed and tested in an illustrative example.
For the isolated case, an overall experimental/numerical methodology for fragility assessment
is summarized and an example of fragility estimation is finally shown.
11:20 AM
Seismic PSA in Germany
Ralf Obenland, Holger Ulrich, Theodor Bloem, Wolfgang Tietsch
Westinghouse Electric Germany GmbH, Mannheim, Germany
The German regulatory guide for nuclear power plants demands plant specific Probabilistic
Safety Analyses (PSA) including External Events. In 2005, a new Methodology
Guideline (Methodenband) based on the current state of science and technology was
released to provide the analyst with a set of suitable tools and methodologies for the
analysis of all PSA events. In the case of earthquakes a staggered procedure is suggested
which requires a probabilistic analysis only for those nuclear power plants with
an intensity for the design basis earthquake above IDBE > 6. For earthquake intensities
IDBE between 6 and 7, a reduced analysis is possible. For earthquake intensities
IDBE above 7, a full scope analysis is mandatory.
In Germany the seismic hazard curve is determined as a function of the intensity of
the earthquakes. Compared to a procedure suggested in the Methodenband, a more
realistic procedure to implement the hazard curve in a seismic PSA by using realistic
site specific response spectra is presented, as well as the procedure to consider these
spectra in the fragility analysis. Also an approach for the reduced analysis will be presented.
Additionally, experiences from performed seismic PSA are discussed.

Session Chair: Jim Chapman
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Salon B
10:05 AM
U.S. NRC Confirmatory Level 1 PRA Success Criteria Activities
Donald Helton and Hossein Esmaili (a), Robert Buell (b)
a) U.S. Nuclear Regulatory Commission, Washington, DC, b) Idaho National Laboratory, Idaho Falls, ID
The U.S. Nuclear Regulatory Commission’s standardized plant analysis risk (SPAR)
models are used to support a number of risk-informed initiatives. The fidelity and realism
of these models are ensured through a number of processes including crosscomparison
with industry models, review and use by a wide range of technical experts,
and confirmatory analysis. This paper will describe a key activity in the latter arena.
Specifically, this paper will describe MELCOR analyses performed to augment the
technical basis for confirming or modifying specific success criteria of interest. The
analyses that will be summarized provide the basis for confirming or changing success
criteria in a specific 3-loop pressurized-water reactor and a Mark-I boiling-water
reactor. Initiators that have been analyzed include loss-of-coolant accidents, loss of
main feedwater, spontaneous steam generator tube rupture, inadvertent opening of a
relief valve at power, and station blackout. For each initiator, specific aspects of the
accident evolution are investigated via a targeted set of calculations (3 to 22 distinct
accident analyses per initiator). Further evaluation is ongoing to extend the analyses’
conclusions to similar plants (where appropriate), with consideration of design and
modeling differences on a scenario-by-scenario basis. This paper will also describe
future plans.
10:30 AM
Peer Review of NRC Standardized Plant Analysis Risk Models
James Knudsen, Robert Buell, John Schroeder, Anthony Koonce (a), Pete
Appignani (b)
a) Idaho National Laboratory, Idaho Falls, Idaho, b) U.S. Nuclear Regulatory Commission, Washington,
DC
The Nuclear Regulatory Commission (NRC) Standardized Plant Analysis Risk (SPAR)
Models underwent a Peer Review using ASME PRA standard (Addendum C) as endorsed
by NRC in Regulatory Guide (RG) 1.200. The review was performed by a mix
of industry probabilistic risk analysis (PRA) experts and NRC PRA experts. Representative
SPAR models, one PWR and one BWR, were reviewed against Capability Category
I of the ASME PRA standard. Capability Category I was selected as the basis
for review due to the specific uses/applications of the SPAR models. The BWR SPAR
model was reviewed against 331 ASME PRA Standard Supporting Requirements;
however, based on the Capability Category I level of review and the absence of internal
flooding and containment performance (LERF) logic only 216 requirements were
determined to be applicable. Based on the review, the BWR SPAR model met 139 of
the 216 supporting requirements. The review also generated 200 findings or suggestions.
Of these 200 findings and suggestions 142 were findings and 58 were suggestions.
The PWR SPAR model was also evaluated against the same 331 ASME PRA
Standard Supporting Requirements. Of these requirements only 215 were deemed
appropriate for the review (for the same reason as noted for the BWR). The PWR review
determined that 125 of the 215 supporting requirements met Capability Category
I or greater. The review identified 101 findings or suggestions (76 findings and 25
suggestions). These findings or suggestions were developed to identify areas where
SPAR models could be enhanced. A process to prioritize and incorporate the findings/
suggestions supporting requirements into the SPAR models is being developed. The
prioritization process focuses on those findings that will enhance the accuracy, completeness
and usability of the SPAR models.
PSA Standards - 2
10:55 AM
Potential Enhancements to the PRA Peer Review Process
Edward T. Burns (a), Gregory A. Krueger (b), Barry D. Sloane, Donald E.
Vanover (c)
a) ERIN Engineering and Research, Inc., Campbell, CA, b) Exelon Nuclear, KSA 2-N Kennett Square, PA,
c) ERIN Engineering and Research, Inc., West Chester, PA
A common industry PRA peer review process has been in use in the US for the past
decade for internal events at-power PRAs. This method of PRA model review began
with the process originally developed by the BWR Owners Group (BWROG) and subsequently
documented in Nuclear Energy Institute (NEI) report NEI 00-02, and has
evolved slightly to the current process, documented in NEI 05-04 [Ref. 1]. At the same
time, the criteria against which a PRA is assessed during a peer review have become
more codified (i.e., via the ASME/ANS PRA Standard, which provides limited guidance
in application of the criteria), and the pool of PRA practitioners being called upon to
participate in peer reviews has become broader, bringing in reviewers less familiar with
the mechanics of a successful peer review.
This paper identifies an alternative focus to that defined in NEI 05-04. This alternative
focus places a greater emphasis during the peer review week (and preparation) on the
PRA results and quantification process as the appropriate means to focus the team’s
attention on the plant specific details that are of importance in the determination of
PRA technical capability. The objective is to maintain the team’s focus on technical
adequacy of the PRA in areas critical to the development of insights and calculation
of risk metrics, while still addressing the scope of PRA technical requirements defined
in the PRA Standard. The review team’s deeper understanding of the whole PRA then
provides a more insightful perspective for delving into each PRA technical element in
a manner that highlights the critical aspects of the PRA element.
69

70
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 10:05 AM - Carolina
Panel - Joint EPRI/NRC-RES Fire HRA Guidelines
Session Chair: Susan Cooper
10:05 AM
Updates to EPRI/NRC-RES Fire HRA Guidelines
Susan E. Cooper and Kendra Hill (a), Stuart Lewis (b), Jeffrey A. Julius, Jan
Grobbelaar, and Kaydee Kohlhepp (c), John Forester and Stacey Hendrickson
(d), Bill Hannaman and Erin Collins (e), and Mary R. Presley (f)
a) U.S. Nuclear Regulatory Commission, Washington, DC, b) Electric Power Research Institute, Knoxville
TN, c) Scientech, Tukwila, WA, d) Sandia National Laboratory, Albuquerque, NM, e) Science Applications
International Corporation, Campbell, CA, f) ARES Corporation, Albuquerque, NM
Over the past several years, the nuclear power plant (NPP) fire protection community
in the United States and overseas has been transitioning towards risk-informed
and performance-based (RI/PB) practice in design, operation and regulation. In order
to make more realistic decisions for risk-informed regulation, fire probabilistic risk
analysis (PRA) methods needed to be improved. To address this need, in 2001, the
NRC Office of Nuclear Regulatory Research (RES) and Electric Power Research Institute
(EPRI) collaborated under a joint Memorandum of Understanding (MOU), to
develop NUREG/CR-6850 (EPRI101989), “EPRI/NRC-RES Fire PRA Methodology
for Nuclear Power Facilities,” a state-of-art Fire PRA methodology. The fire human reliability
analysis (HRA) guidance provided in NUREG/CR-6850 included: 1) a process
for identification and inclusion of the human failure events (HFEs), 2) a methodology
for assigning quantitative screening values to these HFEs, and 3) initial considerations
of performance shaping factors (PSFs) and related fire effects that might need to be
addressed in developing best-estimate human error probabilities (HEPs). However,
NUREG/CR-6850 did not identify or produce a methodology to develop these bestestimate
HEPs given the PSFs and the fire-related effects.
In 2007, EPRI and RES embarked upon another cooperative project to develop explicit
guidance for estimating HEPs for human error events under fire generated conditions,
building on existing HRA methods. It is anticipated that such guidance will be
used by the industry as part of transition to the risk-informed, performance-based fire
protection rule, 10CFR50.48c, which endorsed National Fire Protection Association
(NFPA) 805, “Performance-Based Standard for Fire Protection for Light Water Reactor
Electric Generating Plants” and possibly in response to other regulatory issues
such as multiple spurious operation (MSO) and operator manual actions (OMAs). As
the methodology is applied at a wide variety of NPPs, the guidance may benefit from
future improvements to better support industry-wide issues being addressed by fire
PRAs.
The collaborative project produced a draft report for public comment, “EPRI/NRC-RES
Fire Human Reliability Analysis Guidelines,” (NUREG-1921, EPRI TR 1019196). The
draft guidelines address the range of fire procedures used in existing plants, the range
of strategies for main control room (MCR) abandonment, and the potential impact
of fire-induced electrical spurious actuation effects on crew performance. The draft
guidelines also present a three tiered, progressive approach for fire HRA quantification.
The quantification approaches included are: a screening approach per NUREG/
CR-6850 guidance (modified somewhat to clarify certain aspects and to account for
long-term events), a scoping approach, and detailed quantification using either EPRI’s
Cause Based Decision Tree (CBDT) and HCR/ORE or the NRC’s ATHEANA approach
with modifications to account for fire effects.
In the spring of 2010, the joint EPRI/NRC-RES team received public comments on the
draft guidelines. These comments were reviewed by the team and are currently being
addressed. (Presentation Only)
10:30 AM
Lessons Learned During Recent Application of Draft EPRI/
NRC Fire HRA Guidelines
Jeffrey A. Julius, Jan F. Grobbelaar, and Kaydee Kohlhepp
Scientech
The fire human reliability analysis (HRA) guidelines [1] developed jointly by the Electric
Power Research Institute (EPRI) and the U.S. Nuclear Regulatory Commission
(NRC) are intended to provide methodology as well as guidance for identifying, modeling
and quantifying human failure events under post-fire conditions. The methodology
includes qualitative analysis and three tiers of quantification. The three tiers of quantification
consist of a screening level similar to that presented in NUREG/CR-6850 [2],
a new scoping fire HRA quantification approach, and two detailed HRA quantification
approaches. This presentation discusses examples of the practical application of the
EPRI/NRC Fire HRA Guidelines to recent Fire PRA/HRA projects and the associated
insights. (Presentation Only)
10:55 AM
Lessons Learned from Fire HRA Applications
Erin P. Collins, Pierre Macheret, Paul Amico, and G. William Hannaman
SAIC
The fire human reliability analysis (HRA) guidelines developed jointly by the Electric
Power Research Institute (EPRI) and the U.S. Nuclear Regulatory Commission (NRC)
are intended as explicit guidance for identifying, modeling and quantifying human failure
events under fire-generated conditions. A three tiered approach to quantification
is offered including a screening level similar to that presented in NUREG/CR-6850, a
new scoping fire HRA quantification approach, and two detailed HRA quantification
approaches. This presentation discusses examples based on the application of the
EPRI/NRC Fire HRA Guidelines to recent Fire PRA/HRA and NFPA 805 transition
projects and the insights gained from this experience.. (Presentation Only)
11:20 AM
Panel Discussion: Draft EPRI/NRC Fire HRA Guidelines
Following the presentations, there will be an discussion of current technical issues and
potential treatment, to include methodology, guidance, and other aspects related to
implementation in a fire PRA supporting a plant transitioning to NFPA-805.

John Yoshinari
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 11:45 AM - Cape Fear Ballroom
Student Awards Luncheon
Chief Operating Officer (COO), Hitachi-GE Nuclear Energy, Ltd.
Mr. John Yoshinari, Chief Operating Officer, Hitachi-GE Nuclear Energy Ltd, is responsible for
its US nuclear business. John has been in the current position since the GE Hitachi Nuclear
Alliance formed in 2007.
Prior to joining the GE Hitachi Alliance as COO, John experience includes the Japanese fast
reactor programs including the Prototype Fast Reactor MONJU and the Demonstration Fast
Breeder Reactor (FBR). In addition, he has extensive knowledge of the Advanced Boiling
Water Reactors (ABWR) including the design of Shika 2 and Shimane 3 and extensive
background in the digitization of design information. Outside of the FBR and ABWR reactor
programs, John’s background includes the nuclear fuel cycle including fuel reprocessing in
Japan.
John holds the BS degree in Mechanical Engineering from The University of Tokyo and MS
degree in Management Science from A. P. Sloan School of Massachusetts Institute of Technology.
With his US assignment, he currently resides in New Jersey.
71

72
Session Chair: Gareth Parry
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Azelea
1:30 PM
Common Cause Failure Modeling Using Probabilistic Physics-
Of-Failure (POF) Analysis: A Mechanistic Approach
Zahra Mohaghegh and Mohammad Modarres
Center for Risk and Reliability, University of Maryland, College Park, MD
One of the most important topics in Probabilistic Risk Assessment (PRA) is modeling
dependent failures. In general, dependent failures are defined as events in which
the probability of each failure depends on the occurrence of other failures. The major
causes of dependence among a set of systems or components can be explicitly
modeled using system reliability methods (e.g. fault trees). Other dependent failures,
where root causes are not known or are difficult to model explicitly in the system or
component reliability analysis, are called Common Cause Failures (CCFs). Currently,
CCFs are treated using parametric modeling based on historical common cause
events.
This research leads to a shift of paradigm in the assessment of CCFs and seeks to
model such events utilizing the underlying phenomena of failure, called the Probabilistic
Physics-Of-Failure (POF) analysis. For this, we propose a methodology for the integration
of POF models into PRA frameworks in a way that is capable of depicting the
interactions of physical failure mechanisms and, ultimately, the dependencies between
the component failures. The proposed steps of this methodology can be summarized
as follows: 1. Modeling the deterministic phenomena of failures (at the material-level)
due to the interactions of two failure mechanisms. A mechanistic approach (i.e. based
on semi-empirical models of failure mechanisms) is suggested in this paper. 2. Developing
advanced uncertainty characterization and propagation methods (probabilistic
assessment of model errors, aleatory and epistemic uncertainty modeling considering
the dynamic interactions of diverse equations and a large number of parameters) and
Bayesian updating to make the deterministic POF models (developed in step 1) probabilistic
and ready to be linked to the PRA frameworks. 3. Expanding material-level
probabilistic POF models to the component-level in order to create physics-based
CCF models 4.Developing appropriate modeling techniques to link the physics-based
CCF models (at the component-level) to the system-level PRA.
The potential applications of this research include the abilities to (a) incorporate operational
and environmental conditions in hardware failure models, (b) model aging
and degradation processes, (c) model CFFs in PRAs of operating plants , (d) model
CCFs in PRAs of plants at design level, (e) use retrospective assessments intended
to estimate the risk significance of single or multiple equipment failures (degradation)
accompanied by a deficiency in design, operating conditions, and/or a process
such as maintenance scheduling (the so-called Significant Determination Process by
Nuclear Regulator Commission (NRC) inspectors), (f) schedule accurate maintenance
intervals based on more precise estimates of time to failure (and, ultimately, reduce
maintenance costs) , (g) facilitate the connection between POF models and CCF models
and the harsh post-accident environment in a nuclear power plant (using common
physical variables) , (h) extend the notion of dependence beyond identical redundant
components and into diverse components and applications. This research also forms
a good basis for passive system reliability for advanced reactor concepts. (Presentation
Only)
1:55 PM
A Stochastic Transition Model for Evaluating fhe Effects of
Common Cause Failure Events on System Reliability
Dae-Wook Chung
Korea Institute of Nuclear Safety (KINS), Taejon, Republic of Korea
A stochastic transition model is developed to evaluate the effects of common cause
events on system reliability. It is assumed in this study that there are several common
cause events which occur in sequence and affect system reliability individually and
independently and each common cause event has its own probability of occurrence
and probability of component failure. The changes in system states (i.e., number of
failed components) due to common cause events are modeled using finite Markov
chain theory. The inter-arrival times between common cause events are determined
using Poisson process. For every common cause event, the transition probabilities
between system states are derived using Bernoulli process considering both the common
cause and independent cause of component failure. By applying the transition
probabilities, Markov transition matrix for each common cause event is constructed
and then multiplied one by one to produce final probability distribution of system states
after all common cause events hit the system. Since there is no backward transition
and self-transition is dominant, our Markov transition matrix is upper triangular and diagonal
dominant and, therefore, approximately commutative. Thanks to this property,
the occurrence sequence of common cause events can be arranged randomly with
negligible effects on the final probability distribution. For the case that common cause
events are indistinguishable, the stationary Markov transition model is developed,
which assumes all common cause events have the same probability of occurrence
and probability of component failure. The reliability of a redundant system consisting
of three identical components is evaluated using the developed stochastic transition
models which are the stationary and the non-stationary Markov transition models. The
BFR model which is a special case of stationary Markov transition model with only
Common Cause - 1
one aggregate transition is also used for comparison. The final probability distribution
of system states and corresponding system unreliability are computed. Conclusively,
both the stationary and non-stationary Markov transition models produce more conservative
results than the BFR model in general. It is noticeable that, for system consisting
of small number (3 or 4) of components, both the stationary and non-stationary Markov
transition models produce almost the same results, which implies that the stationary
Markov transition model can be used in place of the non-stationary Markov transition
model when data problems exist. This is not true for system having large number of
components.
2:20 PM
Finding A Minimally Informative Dirichlet Prior Using Least
Squares
Dana Kelly (a), Corwin Atwood (b)
a) Idaho National Laboratory, Idaho Falls, ID , b) Statwood Consulting, Silver Spring, MD
Abstract In a Bayesian framework, the Dirichlet distribution is the conjugate distribution
to the multinomial likelihood function, and so the analyst is required to develop a Dirichlet
prior that incorporates available information. However, as it is a multiparameter
distribution, choosing the Dirichlet parameters is less straightforward than choosing
a prior distribution for a single parameter, such as p in the binomial distribution. In
particular, one may wish to incorporate limited information into the prior, resulting in a
minimally informative prior distribution that is responsive to updates with sparse data.
In the case of binomial p or Poisson \lambda, the principle of maximum entropy can
be employed to obtain a so-called constrained noninformative prior. However, even
in the case of p, such a distribution cannot be written down in the form of a standard
distribution (e.g., beta, gamma), and so a beta distribution is used as an approximation
in the case of p. In the case of the multinomial model with parametric constraints,
the approach of maximum entropy does not appear tractable. This paper presents an
alternative approach, based on constrained minimization of a least-squares objective
function, which leads to a minimally informative Dirichlet prior distribution. The alphafactor
model for common-cause failure, which is widely used in the United States, is
the motivation for this approach, and is used to illustrate the method. In this approach
to modeling common-cause failure, the alpha-factors, which are the parameters in the
underlying multinomial model for common-cause failure, must be estimated from data
that are often quite sparse, because common-cause failures tend to be rare, especially
failures of more than two or three components, and so a prior distribution that is responsive
to updates with sparse data is needed.
2:45 PM
Adjustment of a Dirichlet Prior Distribution for Multiple Greek
Letter Parameters Estimation in Bayesian Approach at EDF
Thi Thuy Linh Nguyen, Christophe Bérenguer, Mitra Fouladirad (a), Anne-
Marie Bonnevialle (b)
a) Troyes University of Technology Institut Charles Delaunay & UMR STMR CNRS, Troyes Cedex,
France, b) Department of Management of Industrial Risks, Electricité de France – R&D, Clamart Cedex,
France
Common cause failure (CCF) is the simultaneous failure of several components due
to a shared cause. The assessment of CCF parameters deserves an important attention
at EDF due to their high influence on the results of the Probabilistic Safety
Analysis. Use of the classical (frequentist) approach does not permit to update the
CCF parameters in case of no observed data. Bayesian approach is a suitable alternative
partly because of this and it is also used as a natural way to incorporate the
variety of forms of information in the estimation process. In the Bayesian inference, the
analyst’s uncertainties in the parameters due to lack of knowledge are expressed via
a probability distribution. In our case, the Dirichlet distribution is used as a prior distribution.
The problem is how to quantify the parameters of this prior distribution based
on minimal available information which is specified in term of expected value and the
error factor determining by expert judgment. Using the moment matching will lead to
the over-specified problem. In case of the Alpha model, to overcome this issue, Kelly
and Atwood propose an approach based on the constrained noninformative (CNI) prior
to build a minimally informative Dirichlet prior distribution and they use a constrained
minimization of a least squares objective function. This paper investigates how this
proposal can match EDF needs. A case study is presented in order to compare the
performance of various estimators for the Multiple Greek Letter model.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Camellia/Dogwood
Risk-Informed Decision Making - 3
Session Chair: Marty Sattison
1:30 PM
Phased Approach PSA in Support of CANDU License Renewal
Paul Lawrence (a), Sugata Ganguli (b), Doug True (c), Greg Hardy (d), Kiang
Zee, Barry Sloane (c), Alexander Trifanov (b), Wen Tong (d), Thomas Daniels,
Steven Mays (c)
a) Ontario Power Generation, b) Kinectrics, Inc., c) ERIN Engineering and Research, Inc., d) SGH, Inc.
In support of the license renewal requirements for its Darlington Nuclear Generating
Station (DNGS), Ontario Power Generation (OPG) has embarked on development of
broad scope Level 1 and 2 probabilistic safety assessment (PSA) to meet the requirements
of Canadian Nuclear Safety Commission (CNSC) regulatory standard S-294.
The DNGS PSA will ultimately address: Internal events at power, Internal events at
shutdown, Internal fires, Internal floods, Seismic events, Other pertinent events.
Darlington is a four-unit CANDU plant, and this is the first application of PSA to address
a broad set of hazards at a multi-unit CANDU station. In developing the PSAs
for the set of “complicated” spatial hazards, i.e., internal fire, internal flood, and seismic
events, OPG and their PSA services consultants (Kinectrics-ERIN-SGH) have
adopted a “phased approach”, which entails performing a screening PSA phase and
a more refined PSA phase to establish the extent to which a final comprehensive PSA
phase may be needed. The phased approach is equivalent to the traditional PSA development
approach, but is implemented in steps of increasing detail using the design
specifics of the Darlington station to optimize the screening process and focus efforts
on the most risk-significant areas. Existing guidance (e.g., NUREG/CR-6850, IAEA
SSG-3) recognizes that development of any “hazard”-PSA always involves some degree
of initial screening and gradual addition of detail. At the outset, there is significant
uncertainty in the analysis and potentially large associated development cost. Committing
to an “all-inclusive” PSA requires resources not always justified by the benefits.
This is particularly the case for the latest multi-unit Candu designs, which include
unique design feature such as physically separated and diverse grouping (Group 1 -
Group 2) of safety systems, which are further separated into odd and even divisions.
These features provide the opportunity to apply the graded process for increasing the
level of analysis detail based on insights and risk significance of contributors.
Three phases have been defined for each hazard: Phase 1 – Screening PSA (or PSAbased
Seismic Margin Assessment for seismic risk); initial focus is on “pinch points”
where both Group 1 and Group 2 safety features are affected by the hazard. Phase
2 – Refined PSA; where needed, build on the Phase 1 results and insights to further
develop PSA models for important contributors and to reflect additional detail for
potential interactions between Groups or divisions. Phase 3 – Comprehensive PSA;
continue PSA development to the degree desired to support risk-informed decisionmaking
for the plant. The concept is to systematically identify and address the key risk
contributors in a manner that is cost-effective, timely, and acceptable to CNSC. In all
cases, appropriate technical bases and methods are applied; the difference among
the phases is in the degree to which simplifying assumptions are employed to reduce
time and resources to develop the PSA. A hazard or contributor is evaluated to the
degree necessary to support acceptance by CNSC and the degree of operational
decision-making needed by OPG. This proactive methodology, as applied by an experienced
PSA team, has provided the following advantages to OPG in meeting its regulatory
requirements for the DNGS PSA: gradual scope control based on intermediate
assessment results and input from OPG and CNSC; the possibility of early CNSC
acceptance and, thus, early removal of PSA-related activities from the license renewal
critical path; efficient cost control by focusing on risk significant areas during transition
from one phase to the next; and ability to extend the models cost-effectively to support
development of operational decision-making tools if desired. This paper describes the
phased approach to PSA development being applied for Darlington, and provides a
summary of the experience to date in development of the seismic, internal fire, and
internal flood PSAs. (Presentation Only)
1:55 PM
A Study on Methodology for Identifying Correlations Between
LERF and EF
Kyungmin Kangb (b), Moosung Jae (a)
a) Department of Nuclear Engineering, Hanyang University, Korea, b) Korea Institute of Nuclear Safety,
Daejeon, Korea
The correlations between Large Early Release Frequency (LERF) and Early Fatality
need to be investigated for risk-informed application and regulation. In RG-1.174,
there are decision-making criteria using the measures of CDF and LERF, while there
are no specific criteria on LERF. Since there are both huge uncertainty and large cost
need in off-site consequence calculation, a LERF assessment methodology need to
be developed and its correlation factor needs to be identified for risk-informed decision-making.
This regards, the robust method for estimating offsite consequence has
been performed for assessing health effects caused by radioisotopes released from
severe accidents of nuclear power plants. And also, MACCS2 code are used for validating
source term quantitatively regarding health effects depending on release characteristics
of radioisotopes during severe accidents has been performed. This study
developed a method for identifying correlations between LERF and Early Fatality and
validates the results of the model using MACCS2 code. The results of this study may
contribute to defining LERF and finding a measure for risk-informed regulations and
risk-informed decision-making.
2:20 PM
Risk Informed Safety Margin Characterization: Trial Application
to a Loss of Feedwater Event
Richard Sherry and Jeff Gabor
ERIN Engineering and Research, Inc., West Chester, PA
This paper presents the results of a trial application to assess safety margins using
a risk informed approach. The trial application focused on a PWR loss of feedwater
event with failure of AFW where feed and bleed cooling is required to prevent core
damage. For this trial application the main parameters which impact core damage
for the scenario were identified and distributions were constructed to represent the
uncertainties associated with the parameter values. These distributions were sampled
from using a Latin Hypercube Sampling technique to generate sets of sample cases to
simulate using the MAAP4 code. Simulation results were evaluated to determine the
safety margins relative to PRA modeling (success criteria) assumptions.
2:45 PM
Analysis of BWR CRDH System to Provide Supportable PRA
Basis in Support of EPU Evaluation
Benjamin Jessup (a), Julie Weber (b)
a) ABZ, Inc., Chantilly, VA, b) Xcel Energy, Monticello, MN
The Nuclear Regulatory Commission (NRC) requires Probabilistic Risk Assessment
(PRA) models to have a documented methodology to support engineering judgments
or assumptions made on a system’s performance. One important system in a PRA
model for a Boiling Water Reactor (BWR) is the Control Rod Drive Hydraulic (CRDH)
system. The CRDH system includes a complex set of pumps, pipes, and valves that
provides motive force for the control rods, but can also be used to provide cooling
water during emergencies. Accurately determining the flow rates and pressures under
alternate system conditions to provide supportable bases for PRA calculations is difficult
given the system’s complexity. To address these issues for the Extended Power
Uprate (EPU) at the Monticello Nuclear Generating Plant (MNGP), a computerized
fluid system model of the CRDH system was developed. First, the model was designed
and validated to replicate normal operating conditions using operating log data.
The validated model then allowed for evaluation of various alternate conditions by manipulating
system lineups and the status of operating equipment. Fluid flow models allow
efficient, reliable, and reproducible characterization of alternate system conditions,
thus eliminating the time necessary for complex hand calculations while meeting PRA
requirements for documented methodology. The CRDH model was used to simulate
various plant conditions consistent with plant procedures. The Monticello PRA model
includes logic for both the normal configuration as well as an enhanced flow configuration.
Results were compared to previous MAAP calculations and previous assumptions.
The calculated flow rates for both the normal and enhanced flow configuration
showed that makeup capacity to the reactor from the CRDH system is greater than
that assumed in the PRA model based on the previous evaluations.
73

74
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Magnolia
Panel: Next Generation Rx Risk Metrics
Session Chair: Mohammad Modarres
1:30 PM
Panel: Next Generation Rx Risk Metricsl
Mohammad Modarres, Matt Warner (GEH), Biff Bradley, Victoria Anderson (NEI), Donald Dube (NRC), Ed Wallace, Jim Kinsey
The issue of alternative risk metrics for new LWRs has been under consideration by the NRC and industry for the last two years. The central issue is, given the lower risk numerics
(CDF, LRF) for new reactors compared to operating plants, how to assure that the level of enhanced safety believed to be achieved with new reactors will be maintained
over the life of these reactors. The alternative risk metric focus to date has been on large, single-shaft LWRs. The purpose of this session is to address the alternative risk metric
issue for advanced LWRs, considering such issues as the even lower risk numerics and multiple modules in SMRs.

Session Chair: Richard M Wachowiak
1:30 PM
Fire PRA Maintenance and Update
Brandi T. Weaver
Duke Energy, Charlotte, NC
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Salon A
The fire PRA is a living document that must be in synch with the internal events PRA
and the as-built configuration of the plant. As the Fire PRA changes the analyst, along
with interested parties at the sites, need to take action to ensure that Fire Risk related
NFPA 805 conclusions are not adversely impacted. This paper will detail Duke’s approach
to meeting these requirements. (Presentation Only)
1:55 PM
Application of Fire PSA in Nuclear Reactors
Fatemeh Karimi Dehcheshmeh (a), K. Sepanloo (b), M. Zohrehbandian (c)
a) School of industrial and mechanical engineering Qazvin Islamic Azad University, Iran, b) Atomic Energy
Organization, Iran, c) karaj Islamic Azad University, Iran
The occurrence of fire accident is among the most serious accidents which might
happen in a nuclear (or nonnuclear) facility. Thus analysis of fire accident and determination
of level of safety and reliability of systems and components provide valuable
information for the designers and the operating organizations. Probabilistic safety assessment
(PSA) of the fire accident or “fire PSA” is a method which quantitatively
analyzes the systems and equipment and based on the input data and the fire propagation
models assess the consequences of the fire and the amount of exposure of
the operating personnel. To achieve the above goals, it is needed firstly to analyze
the structures, systems and components and their inter links and secondly the event
is modeled by the PSA technique (Event trees and Fault trees) to estimate the fire
accident consequences. In this paper, probability that the fire ignited in the given fire
compartment will burn long enough to cause the extent of damage defined by each
fire scenario is calculated by means of detection-suppression event tree. As a part of
detection-suppression event trees quantification, and also for generating the necessary
input data for evaluating the frequency of core damage states by SAPHIRE 7.0 or
Risk Spectrum, CFAST fire modeling software is applied. The results provide a probabilistic
measure of the quality of existing fire protection systems in order to maintain a
typical research reactor at a reasonable safety level.
Fire PSA Methods - 7
2:20 PM
Understanding Plant Fire Risk and Visualizing a Safe Shutdown
Strategy Using PRISM - a Case Study
Mitchell A. Theisen
EPM, Inc., Risk Solutions Division, Hudson, WI
To successfully quantify risk impacts of a fire within a nuclear power plant, PRA analysts
need to compile various drawings, flow diagrams, cable routing information, and
procedures along with a complete Fire PRA model. The evaluation process can be
time consuming since the process needs to be performed for many possible fire scenarios.
The Plant Risk Informed Systems Model (PRISM) can streamline this process.
The development of PRISM has been used to lower plant risk and improve the safe
shutdown strategy process that EPM has incorporated into various NFPA 805 Transitions
projects. PRISM is being used to visually depict fire damage using electrical
distribution and system diagrams. An analyst can quickly see where cable damage
disrupts power supply alignments as well as alternate cross-ties.
Once a plant-specific Fire PRA is complete, PRISM is still an effective tool that can be
used by PRA Engineers, Safe Shutdown Engineers, and Plant Operations. The tool
can be used to create ‘What-If’ scenarios, understand impacts of plant modifications
(such as new cable routings or electrical cabinets) to analyze risk insights for a fire in
a new location, and understand impacts of equipment that is out-of-service. PRISM
has provided the guidance
2:45 PM
Cooper Nuclear Station Fire PRA Results, Insights and Challenges
Ole Olson (a), Stephen P Meyer (b), Jim Chapman (c)
a) Nebraska Public Power District, Cooper Nuclear Station, Brownsville, NE, b) Scientech, Curtiss Wright
Flow Control, Madison, OH, c) Scientech, Curtiss Wright Flow Control, Lake Mary, FL
Cooper Nuclear Station is a single unit BWR 4 with a Mark I containment. A Fire PRA
was developed, using guidance from NUREG/CR-6850, Industry Frequently Asked
Questions (FAQs) and recent EPRI technical evaluations, such as fire ignition frequency
updates. The fire PRA was developed to support the NFPA 805 project and
other risk informed initiatives. Detailed fire modeling, cable and circuit analysis and
Human Reliability Analyses (HRA) were needed to achieve results which were not
clearly extraordinarily conservative. The results achieved are estimated to be conservative
by a factor of 5 to 10; and there are plans to further refine the results as Industry
and NRC research and development programs provide improved methods and data
in areas including fire frequency, fire development and propagation, heat release rate
and detection and suppression.
Even though the results are conservative, the insights obtained are being successfully
used to evaluate variances from deterministic requirements (VFDRs) and support
identification and evaluation of potential safety enhancements.
The paper discusses the methods used, and the results obtained including significant
fire damage states and area specific results. In addition the insights and sensitivity of
results to alternative approaches are provided. Finally the challenges in conducting the
analyses, including lessons learned are provided.
75

76
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Salon B
Panel: PRA Standards Development, International Considerations
Session Chair: Rick Grantom
1:30 PM
Panel: PRA Standards Development, International Considerations
Rick Grantom, Karl Fleming, Biff Bradley, Göran Hultqvist, Donnie Harrison (NRC)
This panel discussion will examine the role and expectations of PSA standards used to support risk management programs and risk informed applications for nuclear facilities.
PSA standards identify what the requirements are for an acceptable PSA; however, many risk informed applications require PSAs to go beyond what the typical standard’s
requirements. PSA Standards have evolved over the last decade and their scope has expanded. This panel will discuss this as well as items such as: How should standards be
used for risk informed applications? What does it mean to “meet the standard”? How does regulatory endorsement impact the processing of risk informed applications? What
are the international uses and expectations for PSA standards? Should standards go beyond PSA and address risk management methods? What metrics can be used to assess
the effectiveness of a PSA Standard, a risk informed application, a risk management method?

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 1:30 PM - Carolina
Uncertainty Analysis & Methods - 1
Session Chair: M.Pourgol-Mohammad
1:30 PM
Model Uncertainty of Empirical Metallic Fuel/Clad Eutectic
Predictive Relationships
M.R. Denman (a), M. Zucchetti (b)
a) Department of Nuclear Science and Engineering, MIT, Cambridge, MA, b) Department of Radiation
Protection, DENER - Politecnico di Torino, Turino, Italy
Sodium-cooled Fast Reactors (SFRs) remain a strong contender amongst the Generation
IV reactor concepts. Many U.S. SFR designs utilize binary or ternary metallic
fuel with stainless steel cladding. At high temperatures, iron from the cladding will
diffuse into the fuel, and uranium, plutonium and rare earth fission products from the
fuel will diffuse into the cladding to form a low melting point fuel/clad eutectic. The erosion
of the cladding due to this eutectic formation may accelerate creep rupture, thus
allowing the radioactive fission products to escape into the sodium coolant. Accurate
modeling of this phenomenon may be important to making the SFR more economically
competitive, but currently the eutectic formation rate is predicted using only the
temperature of the fuel/clad interface. This paper improves the modeling accuracy of
eutectic formation through the application of a multivariable linear regression with a
database of fuel/clad eutectic experimental results.
1:55 PM
Uncertainty Analysis and Sensitivity Calculations for Reliability
Assessment of a Digital Feedwater Control System
Meng Yue, Tsong-Lun Chu, Gerardo Martinez-Guridi, and John Lehner (a),
Alan Kuritzky (b)
a) Brookhaven National Laboratory, Upton, New York, b) Division of Risk Analysis, Office of Nuclear
Regulatory Research, U. S. Nuclear Regulatory Commission, Washington, D. C.
This paper provides an analysis of three types of uncertainties for a digital feedwater
control system (DFWCS) reliability model; namely, parameter uncertainty, modeling
uncertainty, and completeness uncertainty. Parameter uncertainty is directly addressed
by propagating the parameter associated uncertainties throughout the reliability model
and explicitly considering the state-of-knowledge-correlation (SOKC) in the parameter
values. Important assumptions that contribute to the modeling and completeness uncertainties
are identified and discussed. Software modeling was considered out of the
scope of developing the DFWCS reliability model. Still, a placeholder was provided
to account for the failure of the software in the model. The software contributes to all
three types of uncertainty. Finally, sensitivity calculations are performed to evaluate
the importance of different design features to the reliability of the DFWCS, which provides
a practical means to evaluate the digital design features.
2:20 PM
Identification of Single Point Vulnerability Using a Blended
Method
Kwang Nam Lee and Jin Kyu Han (a), Moon Goo Chi and Eun Chan Lee (b)
a) KEPCO Engineering & Construction Company, Inc., Gyeonggi-do, Korea, b) Korea Hydro & Nuclear
Power Company, Limited, Daejeon, Korea
A Single Point Vulnerability (SPV) may cause plant transients like reactor trip, turbine/
generator trip, or derated power under 50% of full power. In order to improve plant
reliability and performance by preventing unexpected plant transients, we, KHNP and
KEPCO E&C, are developing an SPV evaluation program. To have a better result of
the SPV identification and evaluation, we used a blended method comprised of qualitative
and quantitative approaches. This blended method and SPV evaluation program
are described herein.
2:45 PM
An Integrated Methodology for Assessing Model Uncertainty
in Fire Simulation Codes
Victor Ontiveros and Mohammad Modarres
University of Maryland, Center for Risk and Reliability, Department of Mechanical Engineering
The use of fire simulation models has increased with the growth of risk-informed and
performance-based approaches to regulatory decision-making for the fire protection
of current and advanced light water reactors. These simulation codes (considered
simulation fire models) rely on various sub-models such as correlations and empirical
relations to describe the underlying phenomena and processes. Most fire Probabilistic
Risk Assessments (PRAs) rely on the results of the simulation codes to estimate fireinduced
core damage frequency. It is, therefore, imperative to properly account for
uncertainties in the simulation code results and properly account for them in the fire
PRAs. This paper will review an expansion of earlier research reported by the authors
for characterizing the total code output uncertainty for applications to fire simulation
codes (i.e., the research considered the simulation code as a closed “black-box”). In
this paper the simulation code will be opened up and considered a “white-box”, in
which the uncertainties associated with the code’s inner sub-models can be accounted
for in the code outputs. With this information, a more complete determination of the fire
risk can be obtained when using a fire simulation model. Results of this methodology
will be demonstrated by an example using the plume mass flow rate sub-model in the
fire simulation code CFAST. These results will be compared with the results obtained
from an earlier uncertainty estimation approach.
77

78
Session Chair: Jeanne-Marie Lanore
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 15, 2011 - 3:45 PM - Azelea
3:45 PM
Development of an Integrated Program and Database System
for the Estimation of CCF Probabilities
J. C. Stiller, L. Gallner, H. Holtschmidt, A. Kreuser, M. Leberecht, C. Verstegen
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany
In order to handle the large amounts of information necessary to quantify common
cause failure (CCF) probabilities for probabilistic risk assessments (PRA) efficiently,
consistently and in a traceable way, GRS has developed the integrated program system
POOL for carrying out the necessary steps in the CCF quantification process.
Information is managed in a project structure, where a project corresponds to a specific
PRA. The user is guided through different menus to create datasets and enter
the necessary information on the component groups to be modeled. The possibility to
copy and change datasets at different levels of hierarchy facilitates the reuse of information.
Since each CCF event in the data bank is assessed by multiple experts, the
group of experts whose assessments are to be used can be defined as well. The time
interval for which operating experience shall be considered also can be selected. The
CCF events that occurred in the chosen time interval are automatically selected and
the observation times are also calculated automatically. These features also facilitate
carrying out trend analyses regarding CCF with very little effort. To actually calculate
the CCF probabilities an interface to the program “PEAK” has been created. PEAK
estimates the CCF probabilities using the coupling model [1][2]. Both the complete
input data and the results are written to a project-specific database, which thus serves
as documentation for the process of CCF quantification. Using the program POOL is
much more efficient than the previous procedures which included significant manual
data handling efforts, provides comprehensive documentation and – by extensive automation
and user guidance – facilitates the quality assurance of the results [3].
4:10 PM
Investigations of Inter-System Common Cause Failures: An
Update
Marie Gallois, Dominique Vasseur, Philippe Nonclercq, Jean Primet (a),
Stuart Lewis (b)
Ia) Electricité de France Recherche & Développement, CLAMART, France, b) Electrical Power Research
Institute, Knoxville, TN
Intra-system common-cause failures (CCFs) are widely studied and addressed in existing
PSA models, but the information and studies that incorporate the potential for
inter-system CCFs are limited. However, the French Safety Authority has requested
that EDF investigate the possibility of common-cause failure across system boundaries
for Flamanville 3 (an EPR design). Also, the modeling of inter-system CCF, or the
determination that their impact is negligible, would satisfy Capability Category III for
one of the requirements in the ASME/ANS PRA standard in the U.S.
EDF and EPRI have presented at PSA ‘08 the proposition of a method to assess when
it is necessary to take into account inter-system CCF in a PSA model. This method is
based both on the likelihood of inter-system CCF and on its demonstrated potential
impact on core-damage frequency (CDF). This method had been applied for pumps in
different systems using a PSA model for an operating plant.
Since that application was completed, the method has been applied to address the
potential for failure of motor-operated valves across different systems, using the same
PSA model. More recently, this application has been extended to consider the highvoltage
circuit breakers in a PSA model of Flamanville 3.
This paper describes the results of these last two studies and shows how they helped
in refining the methodology. All three studies have shown either that components in
different equipment are not susceptible to common causes of failure, or that the potential
for inter-system common-cause failure had a negligible impact on the overall risk.
Common Cause - 2
4:35 PM
Ommon Cause Failure Data Exchange (ICDE) Project
Albert Kreuser (a), Gunnar Johanson (b)
a) GRS - Gesellschaft für Anlagen- und Reaktorsicherheit(GRS) mbH, Schwertnergasse, Köln, GER-
MANY, b) ES-Konsult - ES konsult, Solna, SWEDEN
The objective of this paper is to give generic information about the ICDE activities and
lessons learnt.
Common-cause-failure (CCF) events can significantly impact the availability of safety
systems of nuclear power plants. In recognition of this, CCF data are systematically
being collected and analysed in most countries. A serious obstacle to the use of national
qualitative and quantitative data collections by other countries is that the criteria
and interpretations applied in the collection and analysis of events and data differ
among the various countries. To overcome these obstacles, the preparation for the
international common cause data exchange (ICDE) project was initiated in August of
1994. Since April 1998, the OECD/NEA has formally operated the project. The objectives
of the ICDE project are: to provide a framework for a multinational co-operation;
to collect and analyze CCF events over the long term so as to better understand such
events, their causes, and their prevention; to generate qualitative insights into the root
causes of CCF events which can then be used to derive approaches or mechanisms
for their prevention or for mitigating their consequences; to establish a mechanism
for the efficient feedback of experience gained in connection with CCF phenomena,
including the development of defenses against their occurrence, such as indicators for
risk based inspections; and to record event attributes to facilitate quantification of CCF
frequencies when so decided by the member countries of the Project.
5:00 PM
Probabilistic Failure Analysis of a Residual Heat Removal Heat
Exchanger During a Postulated Loss of Coolant Accident
Zeaid Hasan and Matthew King (a), Jordan Green, Alan Lee, and Christopher
Pannier (b)
a) Mechanical Engineering Department, Texas A&M University, College Station, Texas, b) Nuclear Engineering
Department, Texas A&M University, College Station, Texas
The primary function of the residual heat removal system (RHRS) is to remove heat
from the core and the reactor coolant system (RCS) during plant cooldown, safety
grade cold shutdown, and refueling operations when reactor coolant temperature and
pressure are significantly lower than normal RCS operating conditions. During normal
reactor operation, the RHRS is isolated from the RCS by two isolation valves in series.
The RHRS consists of multiple independent trains, each with a pump, heat exchanger
and associated piping, valves, and instrumentation. The RHR heat exchanger contains
thousands of U-bend pressure tubes which are periodically sampled and examined for
cracks and flaws. Otherwise, such a cracking mechanism could lead to an unstable
rupture of a pressure tube. This paper describes a means to quantify the conditions
and probability of an RHRS heat exchanger failure given an interfacing system loss of
coolant accident (ISLOCA) in which the RHR heat exchanger is exposed to normal operating
RCS temperature and pressure by a failure of the two isolation valves between
the systems. If the RHR heat exchanger fails such that flow enters the component
cooling water (CCW) loop and exits containment, it could empty the refueling water
storage tank (RWST) and cause core damage. It is advantageous to know the conditions
that will cause RHR heat exchanger failure as well as the probability of such a
failure. In the analysis, heat exchanger pressure tube failure probabilities are calculated
using the Monte Carlo simulation. As a result of the analysis, failure probabilities
are calculated and the flow rate resulting from the failure is quantified.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 3:45 PM - Camellia/Dogwood
Risk-Informed Decision Making - 4
Session Chair: Robert Lutz
3:45 PM
Evolution of Canadian Reliability Requirements in a Risk-Informed
Environment
C. Morin
Canadian Nuclear Safety Commission, Ottawa, Ontario, Canada
This paper will discuss the evolution of design, safety and reliability requirements in
Canada over the last fifty years. Specifically, we will discuss the recent advancement
of reliability requirements in light of the progress in probabilistic safety analysis. The
role of Safety Goals within the past and current regulatory framework will be discussed.
The development of the Canadian nuclear power safety philosophy is traced
from its early roots in the 1960s to the current development of more modern requirements
in the risk and reliability area. The paper will link the traditional single and dual
failure criteria for safety analysis which led to the reliability requirements for special
safety systems, with the modern advances in probabilistic safety assessments that
are contributing to the current reliability requirements. Within the last few years, the
Canadian Nuclear Safety Commission (the nuclear regulator) has developed a new
reliability program regulatory guide whereby the program would not only encompass
the four traditional special safety systems, but a more comprehensive list of systems
that are deemed important due to their contribution to safety as determined by the
probabilistic safety analysis. Some details of the implementation of this new regulatory
guide will be discussed.
4:10 PM
“How Safe Is Safe Enough?”: A PRA Perspective on GSI-191
Robert Lutz, Heather Detar, Rachel Solano and David Teolis
Westinghouse Electric Company, Cranberry Township, PA
Probabilistic Risk Assessment (PRA) can be used to provide insights to the question
of “How Safe is Safe Enough?” The three key traditional keystones of safety are
compliance with regulatory requirements; ensuring that defense in depth for accident
prevention and mitigation; and maintaining safety margins. The methods used to show
compliance with regulatory requirements can significantly impact the design and operation
of the plant, especially the conservatisms included in the analysis methods
to address uncertainties in knowledge. The PRA can be used to show that, at some
point the degree of conservatisms in the analysis methods does not increase safety
as measured by the core damage frequency (CDF) and large early release frequency
(LERF) risk metrics.
A series of PRA analyses have been performed to show the sensitivity of the risk
metrics to various key assumptions used to drive the design and operational features
of long term core cooling using containment sump recirculation. This directly ties to
the NRC acceptance of plant modifications to respond to Generic Issue 191 to ensure
long term core cooling via sump recirculation. These sensitivity analyses show
that wholesale insulation change-out and further containment sump re-design may
not improve safety as measured by risk. Additional focus on other aspects of accident
prevention and mitigation such as leak detection and containment water management
strategies provide additional defense in depth and decrease overall risk metrics.
Thus, the fundamental keystones of safety may not be optimized by only considering
conservatisms in methods used for regulatory compliance. This paper describes the
analyses and results along with recommendations for improving the probability of successful
long term core cooling via sump recirculation and the NRC acceptance of the
current plant modifications to address GSI-191.
4:35 PM
MSPI False Indication Probability Simulations
Dana Kelly, Kurt Vedros, Robert Youngblood
Idaho National Laboratory, Idaho Falls, ID
This paper examines false indication probabilities in the context of the Mitigating System
Performance Index (MSPI), in order to investigate the pros and cons of different
approaches to resolving two coupled issues: (1) sensitivity to the prior distribution
used in calculating the Bayesian-corrected unreliability contribution to the MSPI, and
(2) whether (in a particular plant configuration) to model the fuel oil transfer pump
(FOTP) as a separate component, or integrally to its emergency diesel generator
(EDG). False indication probabilities were calculated for the following situations: (1)
all component reliability parameters at their baseline values, so that the true indication
is green, meaning that an indication of white or above would be false positive; (2) one
or more components degraded to the extent that the true indication would be (mid)
white, and “false” would be green (negative) or yellow (negative) or red (negative). In
key respects, this was the approach taken in NUREG-1753. The prior distributions examined
in this paper are 1) the constrained noninformative (CNI) prior used currently
by the MSPI, 2) a mixture of conjugate priors, 3) the Jeffreys noninformative prior, 4)
a nonconjugate log(istic)-normal prior, and 5) the minimally informative prior investigated
in [1]. Results are presented for a set of base case parameter values, and three
sensitivity cases in which the number of FOTP demands was reduced, along with the
Birnbaum importance of the FOTP.
5:00 PM
CCI or CCF incident at Forsmark NPP 25 of July 2006
Göran Hultqvist
Forsmark Nuclear power plant, Sweden
On Tuesday the 25 of July a two phase short circuit occurred when a breaker was
operated in the 400 kV switch gear that connects Forsmark units 1 and 2 with the outer
grid. Unit 2 was at the occurrence shut down for annual maintenance. Unit 1 was operating
on full power. Each unit has two turbines. As a consequence of the short circuit
the unit 1 generator bus bar voltages dropped substantially whereupon the induced
magnetization in the generator tried to compensate for this. At the same time the 400
kV unit breakers was opened due to under- voltage. This resulted in a voltage peek of
about 120% during approximately 1 second on the generator bus bars. The voltage
transient resulted in the failure of two out of four UPS, sub divisions A and B. Both the
rectifier and the inverter in the UPS tripped because of over-voltage. Normally the
rectifiers shall trip before the inverters but in this case the voltage changed in such an
unfortunate way that transient was let through the rectifiers and caused also the inverters
to trip. UPS for sub division C and D functioned as expected. Unit 1 then went into
house turbine operation but both turbines tripped within approximately 30 seconds. As
the turbine speed decreased the voltage and frequency of the generator fell.When the
frequency reached 47 Hz the circuit breakers for the 500 V bus bars opened resulting
in a loss of power for sub divisions A and B because of the failure of UPS. As a result
of the power loss in two sub divisions the reactor protection system initiated a reactor
scram and isolation of the containment. Two out of four electrically operated pressure
relief valves opened and two out of four high pressure emergency core cooling pumps
started. The diesel generators for all four sub divisions started but in sub divisions
A and B the diesel generators were not connected to the 500 V bus bars because
of loss of information about the motor speed. The information was missing because
of the failure of the two UPS. In the control room many alarms and other information
from trains A and B was missing because of the loss of power in these two trains.
Approximately 22 minutes after the initial incident the power for the 500 V bus bars
in all four sub divisions was restored manually by connecting the station to the 70 kV
grid. Two protections that should have prevented/restricted the effects of the incident
did not work as expected due to inappropriate parameter settings (UPS) and incorrect
installations (under frequency relays) performed when the plant electrical systems was
modernized in 2005. The incident has led to a number of changes and adjustments in
order to prevent that a similar event has the same consequences in the future. A comprehensive
corrective action plan was developed and approved by the management
and the authority. The plan includes actions and improvements in the following areas:
- Improvements in the management decision making process - Improvements in the
plant modification/modernization process and in the maintenance process. - Improved
safety culture - A sixty item hardware improvement action plan, including e.g. improvements
in the Human-Machine interface in the main control room.
79

80
Session Chair: William Burchill
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 3:45 PM - Magnolia
3:45 PM
Investigation of Probabilistic Risk Assessment for Safeguards
Inspection Verification
Brent Randall Beatty, Man-Sung Yim (a), Michael D Zentner (b), George F
Flanagan, Michael David Muhlheim (c)
a) NCSU, North Carolina State University, Raleigh, NC, b) PNNL - Pacific Northwest National Laboratory,
Richland, WA, c) ORNL - Oak Ridge National Laboratory, Oak Ridge, TN
Since the IAEA experiences in Iraq and DPRK highlighted the limitations of the Comprehensive
Safeguards Agreement (CSA) implementation, a major shift of focus in
safeguards inspections has been made. The implementation of safeguards for states
with CSA’s are focused on verifying the nuclear material and activities which are declared.
However, this ‘nuclear material accountancy’, which is similar to financial accounting,
lacks the structure necessary to quickly and consistently provide assurance
of facility capability and purpose with regard to undeclared material processing and
production. With more facilities coming under safeguards every day without a correlating
increase in the number of inspectors or the inspection capacity by domestic
entities or the IAEA, it has become necessary for the inspections themselves to become
more efficient. Despite the addition of targeted training for the complexities of
Complimentary Access, the inspection is very dependent on the knowledge base and
proclivities of the individual inspectors. The current inspection process relies heavily
on the individual inspector’s experience and wisdom to identify areas of risk. It is
necessary to require consistency in the application of different mix of skills of various
inspection teams to consistently identify the same major risk area.
The objective of this research work is to investigate the use of probabilistic risk assessment
to help safeguards inspectors understand and analyze the complexity of a
nuclear facility for investigatory inspection. Development of such tool will be through
the application of probabilistic risk assessment (PRA) technique. The proposed application
will provide the ability to identify the potential high risk areas and evaluate the
sensitivity to characteristic perturbations in the analysis in order to identify which areas
of the facility would have the greatest impact on the proliferation risk if they deviated
from the declared design.
The Graphite Reactor at the ORNL site is chosen for the application of PRA for safeguards
inspections in this study. The choice was due to its accessibility, potential
proliferation vulnerabilities, and potential for an immediate applicability of the results.
Graphite reactors are particularly at risk for proliferation because they don’t require
enriched uranium. Implementation of the PRA methodology, results of the analysis,
and implications of the results will be discussed.. (Presentation Only)
4:10 PM
An Assessment of the Terrorists Attack Risk for a BWR Nuclear
Power Plant Using Monte Carlo Simulation
Min Lee and Yi-Chang Tian
Institute of Nuclear Engineering and Science, Nation Tsing Hua University, Hsin Chu, Taiwan
The risk of operating a nuclear power plant associated with the terrorist attack risk
can be quantified as the summation of the risk of each individual region within the vital
area of the plant. The risk of each individual region can be viewed as the product of
five factors. These factors are the frequency of terrorist attack, the probability that the
terrorist can break into vital area of the plant, the probability of a specific area within
the vital area becomes the target of the attack, the probability that terrorist can reach
the area successfully, and the conditional core damage probability (CCDP) of the specific
area once the terrorists reach the area. In the present study, a mathematical
model is developed to quantify the probability of a specific region within the vital area
of the plant becomes the target of the attack. It is assumed that the terrorists’ acts in
the plant are purely random, i.e. their behavior can be simulated using Monte Carlo
method with assumed probability distribution functions. The Monte Carlo simulations
are performed separately for each important floor of almost all the buildings within the
vital area. The probability of invaders leave the floor through a particular entrance or
exit can also be determined in the simulations. Another set of Monte Carlo simulation
based on these probabilities is performed to determine the probability that a particular
floor and building will become the target of the attack. The surrogate plant used in the
present study is Kuoshen Nuclear Power Station of Taiwan Power Company. The station
employs a General Electric designed BWR VI (Boiling Water Reactor) reactor with
Mark III containment. The model has identified the specific regions within the vital area
of the plant that have higher risk and also the regions with higher probability that terrorist
will appear. The latter regions are also the areas that the security force can arrest
the invaders. The results demonstrate that the risk of terrorist attack is dominated by
the CCDP of the specific area. The results of the present study can used to enhance
the security of the plant.
Proliferation Risk - 2
4:35 PM
Simiting Future Proliferation and Security Risk
Robert A. Bari
Brookhaven National Laboratory, Upton, NY
A major new technical tool for evaluation of proliferation and security risks has
emerged over the past decade as part the activities of the Generation IV International
Forum. The tool has been developed by a consensus group from participating
countries and organizations and is termed the Proliferation Resistance and Physical
Protection (PR&PP) Evaluation Methodology. The methodology defines a set of challenges,
analyzes system response to these challenges, and assesses outcomes. The
challenges are the threats posed by potential actors (proliferant states or sub-national
adversaries). It is of paramount importance in an evaluation to establish the objectives,
capabilities, resources, and strategies of the adversary as well as the design and protection
contexts. Technical and institutional characteristics are both used to evaluate
the response of the system and to determine its resistance against proliferation threats
and robustness against sabotage and terrorism threats. The outcomes of the system
response are expressed in terms of a set of measures, which thereby define the
PR&PP characteristics of the system. This paper summarizes results of applications of
the methodology to nuclear energy systems including reprocessing facilities and large
and small modular reactors. The use of the methodology in the design phase a facility
will be discussed as it applies to future safeguards concepts.
5:00 PM
Security System Designs Via Games of Imperfect Information
and Multi-Objective Genetic Algorithms
Isis Didier Lins (a), Leandro Chaves Rêgo (b), Márcio das Chagas Moura
and Enrique López Droguett (a)
a) Departamento de Engenharia de Produção, Centro de Estudos e Ensaios em Risco e Modelagem Ambiental,
Universidade Federal de Pernambuco, Recife, PE, Brasil, b) Departamento de Estatística, Centro
de Ciências Exatas e da Natureza, Universidade Federal de Pernambuco, Recife, PE, Brasil
The investments in security systems are of great importance to protect industrial plants
from intentional attacks. An exhaustive analysis of the security resources’ allocation
is sometimes prohibitive given its combinatorial complexity when there are several
subsystems to protect and various potential security alternatives with different characteristics
of reliability and cost. Alternatively, a multi-objective genetic algorithm is used
to determine the optimal security system’s configurations representing the tradeoff
between the probability of a successful defense and the acquisition and operational
costs. Games with imperfect information are considered, in which the attacker has
limited knowledge about the actual security system. The types of security alternatives
are readily observable, but the number of redundancies actually implemented in each
security subsystem is not known. In this way, this work analyzes the strategic interaction
between a defender and an intelligent attacker by means of a game and reliability
framework involving a multi-objective approach and imperfect information so as to
support decision-makers in choosing efficiently designed security systems. The game
equilibria are obtained via a backward induction procedure and a criterion for a single
equilibrium selection is adopted. The proposed methodology is applied to an illustrative
example considering power transmission lines in the Northeast of Brazil, which are
often targets for attackers who aims at selling the aluminum conductors. The empirical
results show that the framework succeeds in handling this kind of strategic interaction
between defender and attacker.

Session Chair: Doug True
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 3:45 PM - Salon A
Panel: Fire PSA Improvements
3:45 PM
Roadmap for Attaining Realism in Fire PRAs
Brent Doug True (a), Ken Canavan (b), Rick Wachowiak (c), Jim Chapman (d)
a) ERIN Engineering and Research, Inc., Walnut Creek, CA, b) EPRI, Charlotte, NC, c) EPRI, Thor, IA, d) Curtiss-Wright Flow Control, Boxborough, MA
Over the past several years, U.S. nuclear power industry has undertaken a large number of plant-specific Fire Probabilistic Risk Assessment (FPRAs). Many of these FPRAs
are based on NUREG/CR-6850 and have been performed in support of a transition to the risk-informed, performance-based fire protection requirements under 10 CFR 50.48(c).
As these fire PRAs have moved toward completion, it has become evident to the industry practitioners that:
• The manner in which fire are characterized does not appear to conform with operating experience,
• The level of quantified risk appears to be overstated, as compared to operating experience, and
• There appears to be an unevenness in the level of conservatism in the results that may mask key risk insights and result in inappropriate decision-making.
The need for realistic FPRAs is one that should be felt by both the NRC and licencees. Conservatively-biased PRAs do not support good decision-making:
• Conservatisms in the results can mask important risk contributors
• Conservatisms in the characterization of fire damage can mask the significance of plant changes
• Conservatisms can lead to improper decision-making by misleading decision-makers
This paper summarizes work performed by EPRI to identify the specific areas where the current methods are departing from realism and provide a roadmap for a 3 year research
and development effort in this area.
The panel and audience will discuss the issues associated with Fire PSA methods, and proposed improvements, if planned.
81

82
Session Chair: Louis Chu
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 3:45 PM - Salon B
3:45 PM
A Dynamic Flowgraph Methodology Approach Based on Binary
Decision Diagrams
Kim Björkman and Ilkka Karanta
VTT Technical Research Centre of Finland , VTT, Finland
The dynamic flowgraph methodology (DFM) is an approach to model and analyze
the behavior of dynamic systems for reliability assessment. The methodology can
be utilized to identify how certain postulated top events may occur in a system. The
result is a set of prime implicants which represent system faults resulting from diverse
combinations of software logic errors, hardware failures, human errors, and adverse
environmental conditions. A binary decision diagram (BDD) is a data structure used to
represent Boolean functions applied, e.g., in fault tree analysis and model checking.
This paper presents an alternative DFM approach based on BDD called YADRAT.
The objective of a YADRAT model analysis is to find the root causes of the query
(top event) of interest, similarly to traditional fault tree analysis. The main difference
of YADRAT compared to the existing DFM approach is that YADRAT employs a BDD
to represent a DFM model. Two different approaches to solving a BDD model have
been implemented for exact computation of prime implicants. These approaches have
previously been applied in static failure tree analysis. In this work the ideas for prime
implicant calculation are adapted to a dynamic reliability approach combined with the
multi-valued logic of DFM. In this paper the basic concepts and algorithms of YADRAT
and the identified strengths and limitations of the employed approach are discussed.
Also a case study illustrating the usage of YADRAT and a comparison of computational
effort between two BDD implementations is presented.
4:10 PM
Use of Advanced Cutset Upper Bound Estimator (ACUBE)
Software to Avoid Limitations Due to Use of Non-Rare
Events
V.M. Andersen, E.T. Burns and J.R. Stender
ERIN Engineering and Research, Inc., Campbell, CA
Probabilistic Safety Assessment (PSA) software, such as the CAFTA suite of codes,
uses approximation algorithms (such as the Minimum Cut Upper Bound (MCUB), as
well as other alternative approximations) to calculate the frequency results. These
approximations are acceptably accurate when the constituent probabilities in the
model are small. However, when the PSA model contains a significant number of
comparatively high probability (i.e., 0.1 to 1.0) basic events, such as in Level 2 PSAs,
seismic PSAs, or fire PSAs, the approximation algorithms can produce unacceptable
over-counting of Core Damage Frequency (CDF) or Large Early Release Frequency
(LERF) results. For example, it is not uncommon for Level 2 PSAs to over-predict
LERF results by 10-25%; fire PSAs to over predict CDF results by 50%, and for seismic
PSAs to over predict CDF by factors of 2-10 depending upon the modeling approach
used. The Advanced Cutset Upper Bound Estimator (ACUBE) software can be
used to reduce this overcounting. ACUBE processes cutsets using a binary decision
diagram (BDD) algorithm to return a refined cutset result. This paper provides lessons
learned and insights into the use of ACUBE to address over-counting in Level 1 PSAs,
Level 2 PSAs, fire PSAs, and seismic PSAs. Practical examples from actual PSA applications
are presented.
Computer Methods - 1
4:35 PM
Data for Equipment and System Reliability (DESREL)
Derek S. Mullin (a), Dan Morehouse (b)
a) New Brunswick Power Corporation Point Lepreau Generating Station, Lepreau, NB, Canada, b) Syntact
Consulting Inc., Saint John, NB, Canada
Since Point Lepreau Generating Station (PLGS), a CANDU 600 MWe nuclear facility
owned and operated by New Brunswick Power (NBP) in eastern Canada, began
first power operation, information pertaining to experienced component failures, system
unavailability and the equipment that comprised the site reliability program was
stored on a VAX mainframe and in MSAccess databases. The program requirement
was to quantify fault tree analyses on an annual basis to incorporate up-to-date component
failure rates, update system probability of failure estimates for comparison to
prescribed targets, and to adjust surveillance programs as necessary or raise other
corrective actions to resolve emerging issues. This became a labor-intensive effort. In
2001 NBP began development of a full-scope Level 2 Probabilistic Safety Assessment
(PSA) to meet the requirements of Canadian Regulatory Standard S-294, “Probabilistic
Safety Assessment for Nuclear Power Plants.” To manage both the PSA and site reliability
program, efficiency in the generation of plant-specific failure rates was needed
to reduce that effort and to enhance capabilities. Consequently, NBP has developed a
new intranet-based software system called Data for Equipment and System Reliability
(DESRel), to support both the PSA and reliability programs using the C# programming
language with a .NET framework. The software is scalable, developed in a modular
fashion, has been validated and allows failure rates to be generated for user-defined
type code patterns required by the EPRI Risk & Reliability Workstation (i.e. CAFTA).
This paper describes how the DESRel system integrates with the PSA and reliability
program at NBP, its features and capabilities, and identifies possible enhancements
for the future.
5:00 PM
Quantifying Truncation Errors and Approximation Errors in
PSA Quantification
Jongsoo Choi
Korea Institute of Nuclear Safety, Daejeon, Korea
The quantification of Probabilistic Safety Assessment (PSA) of Nuclear Power Plants
(NPPs) is a complicated process and always has the following two limitations: (1)
Truncation Errors (TEs) in deleting low-probability cut sets and (2) Approximation Errors
(AEs) in quantifying Minimal Cut Sets (MCSs). In practice, it has been impossible
to quantify NPP PSA models without TEs and AEs. The purpose of this study is to
develop a practical method which can exactly quantify the risk measures of NPP PSAs
through evaluating TEs and AEs. Firstly, in order to deal with the TEs, the iterative
process of reducing cutoff values and proving the convergence of risk measures is
chosen. Using the plot of risk increment vs. cutoff value and the exponential fitting of
risk increments caused by successive reductions in cutoff value, we can evaluate the
truncation error. Secondly, the approach chosen here to deal with the AEs is “Semi-
SDP method” which provides a practical solution to time-consuming SDP algorithms.
Similarly to the cutoff value in MCS generation, Semi-SDP method also uses a parameter
CBA related to accuracy and computing time. Under a sufficient low CBA values,
Semi-SDP method provides a good estimate of MCS quantification within a reasonable
time. This paper shows that this proposed approach is successfully applied to
Level 1 PSAs for internal events of NPPs.

PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Wednesday March 16, 2011 - 3:45 PM - Salon Carolina
Uncertainty Analysis & Methods - 2
Session Chair: Göran Hultqvist
3:45 PM
Probability of Events with Failing Control Rods
Göran Hultqvist
Forsmark Nuclear Power Plant, Sweden
Within the NPSAG group several projects have been performed to position the risk for
failing control rod insertion in BWR-reactors.
In a separate project 3D- thermo hydraulic code have been developed and validated
for assessing the effects of failing control rods in scram scenarios. Scrams ending
in hot standby or in cold shut down and even in scenarios with slowly decreasing
pressure have been assessed. The changes of reactivity, water level, power, heat
transfer to the condensation pool have been assessed by 2 different methods. The
codes have been adjusted after assessing and comparing results from the 2 different
methods. Based on verified 3D-codes the calculations have been performed to assess
the consequences of
- 7 , 15, 30, 64, 128 failing adjacent control rods
- Failing control rods in 2 of 4 trains and in 3 of 4 trains
Based on this knowledge specific cases for needs of Boron system in PSA can be
specified as
- No boron needed
- Boron needed after 30 minutes
- Boron needed within 30 minutes
The output from this indicates that many rods can be failing without large consequences.
Therefore it was needed to develop methods to specify the risk for having many
rods failing
- as adjacent rods
- as spread out rods
ICDE data collected for failures in scram system and in control rod screw insertion
functions have been assessed for the Nordic plant. Detailed assessments of the root
cause of the failures have been developed. Based on this knowledge the independence
between the two different systems has been assessed. Failure data for each
function and for combined functions of these systems for insertion of control rods have
been specified.. The data have also been assessed concerning risk for CCF and the
degree of (incipient) CCF in each event. Based on this the CCF-factors have been
developed for these functions. A specific project has been performed to develop such
data including the effects of CCF. This study has been based on the ICDE-data study
performed earlier.
4:10 PM
A Simplified Methodology to Generate MGL-Parameter Uncertainty
Distributions Using Alpha-Parameter Data from
NUREG/CR-5497
Joshua M. Reinert
AREVA NP Inc., Marlborough, MA
This paper describes a simplified methodology to convert uncertainty in commoncause
failure (CCF) data in alpha-parameter format from NUREG/CR-5497 into
MGL-parameter data uncertainty. A simplified methodology is proposed that assumes
a large amount of uncertainty in the beta parameter and none in the remaining MGLparameters.
This leads to overestimation of the uncertainty for CCF of two-out-of-four
redundant components and a more realistic estimate of uncertainty in CCF of more
redundant components, with the most realistic level of uncertainty estimated for CCF
of all redundant components. Since PRA results are generally dominated by CCF of all
redundant components, this proposed methodology has the advantage of producing
the most realistic estimate of uncertainty for the failure mode of concern. This work
describes the use of different types of uncertainty distributions. The adequacy of this
approach is evaluated using simulation of a four-train system and various system
success criteria.
4:35 PM
Parameter and Model Uncertainty Analysis using Dempster-
Shafer Theory in Nuclear Probabilistic Risk Assessment.
Tu Duong Le Duy, Dominique Vasseur, Mathieu Couplet (a), Laurence
Dieulle, Christophe Bérenguer (b)
a) Risk Management Department, Electricity of France R&D, Clamart cedex, France, b) University of
Technology of Troyes, UMR STMR, Institut Charles Delaunay/LM2S, Troyes Cedex, France
In Nuclear Power Plants, Probabilistic Risk Assessment (PRA) insights contribute to
achieve a safe design and operation. In this context, decision making process must be
robust and uncertainties must be taken into account and controlled. In the current PRA
practice, the model uncertainty due to different alternative assumptions made in logical
structures of event or fault trees may be neglected or addressed only through sensibility
studies. In this paper, two approaches for dealing with the model uncertainty:
the weighted mixing approach and the enveloping approach will be presented in the
Dempster-Shafer Theory framework which is used to take account of parameter uncertainty
at the same time. The weighted mixing approach is recognized to be suitable
only to cases where the experts have sufficient information to express their degrees of
belief in terms of probabilities with regard to alternative models. On the contrary, the
enveloping approach will be more appropriate to apply when no information is available.
This approach will be illustrated through a practical example in the context of
level 1 PRA application at EDF.
83

84
Robert J. Budnitz
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 8:00 AM - Grand Ballroom
Plenary Session IV
Dr. Robert J. Budnitz has been involved with nuclear-reactor safety and radioactive-waste
safety for many years. Bob earned a Ph.D. in experimental physics from Harvard in 1968.
Dr. Budnitz is on the scientific staff at the University of California’s Lawrence Berkeley National
Laboratory (LLNL), where he works on nuclear power safety, security and radioactivewaste
management. From 2002 to 2007 he was at UC’s Lawrence Livermore National
Laboratory, during which period he worked on a two-year special assignment (late 2002 to
late 2004) in Washington to assist the Director of DOE’s Office of Civilian Radioactive Waste
Management to develop a new Science & Technology Program.
Prior to joining LLNL in 2002, Dr. Budnitz ran a one-person consulting practice in Berkeley CA
for over two decades. In 1978-1980, he was a senior officer on the staff of the U.S. Nuclear
Regulatory Commission, serving as Deputy Director and then Director of the NRC Office of
Nuclear Regulatory Research.
Cheri Collins
Cheri Collins is general manager of external alliances in Southern Nuclear’s Nuclear Development
organization.
She is responsible for establishing and maintaining relationships with companies building
AP-1000’s including the plants in China. Additionally, she is a primary spokesperson for new
nuclear development and is responsible for developing and sustaining key alliances that benefit
Southern Company’s nuclear operations.
Prior to her current position, Collins served as Plant Manager at the Joseph M. Farley Nuclear
Plant in southeast Alabama where she oversaw all aspects of plant operations. Collins began
her career with Southern Company in 1978 as a summer intern in Alabama Power’s Clanton
District office. In 1982, she accepted a full-time position as a junior engineer in the safety,
audit and engineering review department at Plant Farley. In 1987, Collins earned a senior reactor
operator license from the Nuclear Regulatory Commission and was promoted to operations
shift foreman. Collins progressed through positions of increasing responsibility at Plant
Farley including licensing supervisor and shift supervisor. From 1993 to 1994 she served as a loaned employee to the
Institute of Nuclear Power Operations (INPO) where she had the opportunity to observe nuclear plant operations across
the country. After serving as a loaned employee to INPO, Collins’ responsibility continued to increase at Plant Farley. In
1995, she became operations support superintendent and in 1999 she was promoted to operations manager. In 2002 she
became plant support assistant general manager responsible for engineering, security and training. In 2004 Collins left
Plant Farley to assume the position of general manager of nuclear support at the Southern Nuclear corporate offices in
Birmingham. As a general manager, she traveled to Germany to visit two nuclear plants. In 2005, while still in Birmingham,
she served as Human Resources director for Southern Company Generation. In 2006, Collins was named general manager
of Southern Nuclear’s supply chain organization.
Collins holds a bachelors of science degree in structural engineering from the University of Alabama at Birmingham. She
is regularly asked to speak at industry conferences addressing various aspects of leadership. In 2001, she was a keynote
speaker at the annual CEO conference of INPO. She is a member of the Women in Nuclear Organization (WIN) and has
spoken at a number of the organization’s conferences.
Collins calls Eufaula, Alabama home. Her hobbies include reading and golf.

Session Chair: Kyle Metzroth
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Azalea
9:00 AM
Applications Guidance Document for the MAAP4 Accident
Analysis Code
Barbara J. Schlenger-Faber
ERIN Engineering and Research, Inc., West Chester, PA
The Modular Accident Analysis Program Version 4 (MAAP4) is a computer code used
by nuclear utilities and research organizations to predict the progression of LWR accidents.
The code simultaneously models the dominant thermal-hydraulic and fission
product phenomena in both the primary system and the containment. The MAAP4 Applications
Guide provides detailed information to enable code users to optimize their
efforts and generate high-quality Level 1 analyses for probabilistic risk assessments
(PRAs). The guide also contains a compilation of summary information on the benchmarking
of MAAP4 models and an assessment of the code’s ability to adequately
predict significant Level 1 PRA phenomena. In addition, it specifies the code’s range of
applicability and provides a comprehensive list of limitations, precautions and recommendations.
The portions of the guide related to best practices for performing analyses
and addressing uncertainties and sensitivities were presented at the PSA 2008
conference. The current paper contains representative highlights and insights from the
portions that focus on specific guidance for BWR and PWR analyses. It describes the
process and summarizes the conclusions of the review of more than 30 benchmarks
by a team of MAAP4 experts. It also discusses the portion of the guide that delineates
the applicability of the code, its limitations, and recommended precautions as a function
of sequence type and plant feature.
Computer Methods - 2
9:25 AM
Conversion of Fault Tree and Event Tree Models for PSA
Johan Sörman and Ola Bäckström
Scandpower - Lloyds Register, Sundbyberg, Sweden
There are today 5 computer codes that are used by a majority of the world´s Nuclear
Power Plant´s for Fault Tree and Event Tree modeling and PSA. The computer codes
display differences in the way fault trees and event trees are realized, but in particular
they include many advanced features that have been implemented based on different
philosophies.
In a transition from one code to another it is therefore important to have knowledge
about each codes special and advanced features to best translate them, making optimal
use of the advanced features in the code you are moving to.
Most nuclear power plants continue to use the PSA software code they started using
when first developing their PSA, but in some occasions transitions from one code to
another is done including a conversion of the fault tree and event tree models. National
regulatory authorities may have to be able to convert from one fault tree and event
tree model in one software to another, because they have chosen to use one of them
for their regulatory process and the fault tree and event tree models they receive are
made in different PSA software.
This paper discusses technical issues moving a fault tree and event tree model from
one software to another. What are the similarities and what are the differences in the
fault tree and event tree model software of today?
85

86
Session Chair: Karl Fleming
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Camellia/Dogwood
9:00 AM
Development of Core Damage Frequency Evaluation Code
for NPP Due to Components Aging Degradation
Masajiro Sugawara, Hitoshi Muta and Haruo Fujimoto
Japan Nuclear Energy Safety Organization (JNES), Tokyo, JAPAN
A part of accidents has the potential to be induced by the age-degradation of components.
The feature of failure rate of components has bathtub curve, i.e., initial failure
rate (decreasing rate in time), random failure rate (constant rate in time) and wear-out
failure rate (increasing rate in time). However, in many probabilistic safety assessments
(PSAs), core damage frequency (CDF), containment failure frequency (CFF)
and large early release frequency (LERF) are estimated using only component’s random
failure rate. This is because of difficulty of treating aging-effect directly into the
ordinary fault trees. In this situation, CDF, CFF and LERF have cyclic feature and
never grows its value even in the end of nuclear power plant (NPP) life time.
This paper shows the development of analysis model, computer code and sample
calculation of aging-effects for PSA use.
Aging in PSA - 1
9:25 AM
Inclusion of Passive Failures in a PRA System for Long Term
Operation Considerations
L. L. Genutis, B. R. Baron, S. A. Nass (a), D. M. Tirsun (b)
a) Westinghouse Electric Company LLC, Cranberry, PA, b) Westinghouse Electric Company LLC, Comanche
Peak Nuclear Power Plant, Glen Rose, TX
Passive failures, such as pipe failures in mitigating and support systems, are not typically
explicitly included in a Probabilistic Risk Assessment (PRA) model; however,
passive failures are considered for aging management decisions and evaluations. As
utilities begin to consider plant life extension beyond 60 years, it is useful to include
PRA as potential input to plant decision making related to aging management and long
term operation. One way to jointly consider PRA and aging management is to evaluate
the sensitivity of PRA results to the addition of passive failures that are not typically included
in the PRA but could impact aging management decisions. This paper presents
a study of the risk impact of passive failures in the Station Service Water (SW) support
system for the Comanche Peak Nuclear Power Plant (CPNPP) PRA model. Piping
segments within the current CPNPP PRA model’s SW flowpath were added to the CP-
NPP PRA model of record to create a base Aging Management model. Core Damage
Frequency (CDF), SW Initiating Event Frequency, and impact on failure probability of
the Auxiliary Feedwater System (AFW) (SW is AFW’s backup supply) were quantified
using the Aging Management model. Sensitivity studies were then performed.
The results demonstrated that the addition of new failures shows a measurable increase
in results. This is expected because the SW System provides cooling to a
number of mitigating systems including the Emergency Core Cooling System, Diesel
Generator, and Auxiliary Feedwater.

Session Chair: Mike Yau
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Magnolia
9:00 AM
Effect of Testing Coverage on Software Reliability - An Experimental
Investigation
Sergiy Vilkomir
East Carolina University, Greenville, NC
Logical expressions are often used to formalize software specifications of safety-critical
systems. These logical expressions can be tested using software testing methods
(criteria) that include Decision Coverage (DC), Condition Coverage (CC), Decision/
Condition (D/CC), and Modified Condition/Decision Coverage (MC/DC). Selection of
the appropriate testing method is an important practical task. A significant characteristic
for this selection process is understanding the effect of testing methods on software
reliability, specifically their ability to reveal faults. This paper provides experimental
results for determining the probabilistic characteristics of effectiveness of testing criteria.
A logical expression, which is typical for nuclear reactor protection system logic,
is used as a case study for this research. Probabilities for a test set to reveal a fault in
the logical expression are evaluated for DC, CC, D/CC, and MC/DC. Our experimental
results show that, when compared with random testing, using DC, CC, or D/CC criteria
do not provide significant benefits. At the same time, the results confirm that MC/DC is
a reasonable and effective technique to test logical expressions in software.
Software Reliability
9:25 AM
Review of Quantitative Software Reliability Methods
Tsong-Lun Chu, Meng Yue, Gerardo Martinez-Guridi, and John Lehner
Brookhaven National Laboratory, Upton, New York
For several years, Brookhaven National Laboratory (BNL) has worked on Nuclear
Regulatory Commission (NRC) projects to investigate methods and tools for the probabilistic
modeling of digital systems. However, the scope of this research principally
focused on hardware failures, with limited reviews of software failure experience and
software reliability methods. An important identified research need is to establish a
commonly accepted basis for incorporating the behavior of software into digital instrumentation
and control (I&C) system reliability models for use in PRAs. To address this
need, BNL is exploring the inclusion of software failures into the reliability models of
digital I&C systems, such that their contribution to the risk of the associated nuclear
power plant (NPP) can be assessed. Two tasks were undertaken towards this objective:
(1) establishment of a philosophical basis for incorporating software failures into
digital system reliability models for use in PRAs and (2) review of quantitative software
reliability methods (QSRMs).
The objective of this paper is to summarize the work accomplished under the second
task and documented in a BNL report. The objective of reviewing the QSRMs was to
gain comprehensive knowledge of available methods, especially those emphasizing
the quantification of software failure rates and probabilities that might be employed
in reliability models of digital systems used in NPP PRAs. The review was built upon
BNL‟s previous reviews of software reliability methods, and on leveraging earlier work
sponsored by the NRC and by the National Aeronautics and Space Administration
(NASA).
87

88
Session Chair: Brandi T Weaver
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Salon A
9:00 AM
A Holistic Approach for Performing Level 1 Fire PRA
Marina Röwekamp and Michael Türschmann (a), Heinz-Peter Berg (b)
a) Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, Köln, Germany, b) Department of Nuclear
Engineering, Bundesamt für Strahlenschutz (BfS), Salzgitter, Germany
For performing a state-of-the-art Fire PRA it is essential to establish and apply a
comprehensive database in a well-structured and easily traceable manner. Such a
database structure has been developed and the compilation of data and information
needed has been demonstrated for performing a Level 1 Fire PRA for full power states
to a German nuclear power plant with boiling water reactor (BWR). To achieve a holistic
approach this database has been enhanced such that it can also be used to derive
a Level 1 Fire PRA for low power and shutdown states. For an easier application by
external users, the user interface of the database has also been improved.
A thoroughly investigated database provides a suitable tool to assist the Fire PRA analyst
by means of its implemented functions such as data examination and preparation,
analysis and application as well as in the review of a Fire PRA.
It is demonstrated that the general methodology for performing Fire PRA as described
in the German Probabilistic Safety Analysis Guide can be applied both for full power
as well as for low power and shutdown plant operational states. However, some differences
in the data (e.g., unavailability of systems, transient fire loads, and hot work)
must carefully be regarded. In the contribution, the structure and use of the fire database
established is explained in detail. Two aspects are particularly emphasized. First,
it is outlined how the database is used to provide the input data for PRA modeling
software in case of screening analyses in a systematic and mainly automatic manner.
This is compared to the preparation of input data for calculating the conditional core
damage frequency for selected fire sources in the detailed analyses. Secondly, the
stepwise process of determining fire occurrence frequencies during screening and
detailed analyses is depicted and the support which can be provided by a comprehensive,
traceable and integral database is described.
Fire PSA Methods - 8
9:25 AM
Calculation of Fire Severity Factors and Fire Non-Suppression
Probabilities for a DOE Facility Fire PRA
Tom Elicson (a), Jim Bouchard and Heather Lucek (b), Bentley Harwood (c)
a) WorleyParsons Polestar, Inc., Hudson, OH, b) WorleyParsons Polestar, Inc., Idaho Falls, ID, d) Idaho
National Laboratory, Battelle Energy Alliance, LLC, Idaho Falls, ID
Over a 12 month period, a fire PRA was developed for a DOE facility using the NUREG/
CR-6850 EPRI/NRC fire PRA methodology. The fire PRA modeling included calculation
of fire severity factors (SFs) and fire non-suppression probabilities (PNS) for each
safe shutdown (SSD) component considered in the fire PRA model. The SFs were
developed by performing detailed fire modeling through a combination of CFAST fire
zone model calculations and Latin Hypercube Sampling (LHS). Component damage
times and automatic fire suppression system actuation times calculated in the CFAST
LHS analyses were then input to a time-dependent model of fire non-suppression
probability. The fire non-suppression probability model is based on the modeling approach
outlined in NUREG/CR-6850 and is supplemented with plant specific data.
This paper presents the methodology used in the DOE facility fire PRA for modeling
fire-induced SSD component failures and includes discussions of modeling techniques
for:
• Development of time-dependent fire heat release rate profiles (required as input to
CFAST),
• Calculation of fire severity factors based on CFAST detailed fire modeling, and
• Calculation of fire non-suppression probabilities.

Session Chair: Paul Boneham
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Salon B
9:00 AM
Dealing with System Recoveries in Event Trees
Mohamed Hibti and Anne Dutfoy
EDF R&D, cedex Clamart, France
PSA models are generally supported by a classical event tree approach. For level 2
applications, there is a need to integrate system recoeveries to reduce conservatism
and allow consideration of some dynamic phenomena. In this paper, we propose an
apprach to model system recoveries in event tree sequences such that automated
treatment can be done for quantication issues without post-treatments which may be
very convenient for models that are dedicated to uncertainty and sensitivity analysis.
Three methods are proposed : the rst is based on integration of recovery events for
some signicant components, the second consider what we call functional groups, and
the third is based on the combination of the event tree approach with a dynamic framework.
In the last approach, to model recovery, sequences, obtained from a Boolean
driven Markov processes quantication, are integrated in the form of trees representing
their minimal content.
9:25 AM
The Plant Damage States Analysis for CPR1000 at Power Operation
PENG Changhong and ZHANG Ning
China Nuclear Power Technology Research Institute, Shenzhen, China
In PSA model, the quantification of Level 2 consists of two distinctive stages: 1) propagation
of Level 1 core damage sequences to plant damage states (PDS) and 2) mapping
of PDS to Level 2 release categories. The Level 1 PSA identifies a large number
of accident sequences which lead to core damage. Accident sequences should be
grouped together into plant damage states (PDS) so that all accidents within a given
PDS can be treated in the same way for the purposes of the Level 2 PSA. The first
stage is performed by means of interfacing event trees or, so called, bridge trees. The
PDS analysis and bridge tree for CPR1000 at power operation should consider the
following attribution: Status of RCS at onset of core damage; Status of Emergency
Core Cooling system (ECCS); Status of Containment Spray Injection and Recirculation;
heat removal and status of the Steam Generators; Status of AC Power and Accumulator.
For each of these sequences with frequency of at least 1E-10 /yr in which
not all the attribution can be indentified in Level 1 model, a specific bridge tree should
be developed. The end states of bridge tree or Level 1 model sequences represent
plant damage states (PDS). The PDS with similar accident progression can be binned
into a same group, PSDG. At last, the frequency and attribution of top five PDSG can
be provided.
Level II/III PSA - 1
9:50 AM
A Monte Carlo Approach for Categorizing LERF Scenarios in
Loss of Decay Heat Removal Accident Sequences
Donald E. Vanover and Robert J. Wolfgang
ERIN Engineering and Research, Inc., West Chester, PA
Recent Emergency Planning (EP) inputs have indicated that guidance is now provided
to not to call for a General Emergency (GE) until multiple barriers are determined to
be lost (unless there is a scenario specific alternative, e.g., Station Blackout). If these
recent EP interpretations of the Emergency Action Levels (EALs) are used and applied
to the Class II long term severe accident sequences, then the LERF risk metric would
increase significantly for most BWRs. Alternatively, credit for the ERO, the state, the
NRC, and vendor inputs into the decision making process can be anticipated and
legitimately integrated into the LERF assessment process. Additional considerations
regarding the potential variability of evacuation times with respect to variations in the
magnitude of the releases and when they become a candidate for a large release can
also be integrated into the LERF assessment process.
The intent of this paper is to describe an approach that was developed to assess the
various inputs that go into the determination of a “Large” and “Early” release for long
term loss of decay heat removal scenarios. Once these inputs are assessed, each of
the inputs are integrated using a Monte Carlo approach factoring in the uncertainty associated
with each key input to determine the overall probability that a large and early
release occurs in these scenarios.
89

90
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 9:00 AM - Carolina
Uncertainty Analysis & Methods - 3
Session Chair: Gabriel Georgescu
9:00 AM
Approaches for Addressing Parametric and Modeling Uncertainties
in a Refernce PWR PRA
Young G. Jo and Beomhee Jeong
Southern Nuclear Operating Company, Birmingham AL
In this paper, approaches used in a reference PWR PRA for addressing parametric
and modeling uncertainties were discussed. A challenge in performing parametric
uncertainty analysis is to properly treat the state-of-knowledge correlations among
basic event probabilities. An approach was developed and applied successfully for
treating the state-of- knowledge correlations effectively in CAFTA and UNCERT codes
environment. The basic strategy for reducing modeling uncertainties in the reference
PWR PRA was to perform accident analysis as many as possible using MAAP code
from the early stage of the PRA modeling and use the results and insights from such
MAAP analyses in PRA modeling , especially in determining success criteria, event
progresses, timings for operator actions, and timings for recoveries. In some cases,
sensitivity studies were performed to address uncertainties. Insights from uncertainty
analyses included a potentially significant under estimation of interfacing system loss
of coolant accident risk if the-state-of-knowledge correlations are ignored, significant
difference in plant responses to a different break sizes in a same loss of coolant accident
category or steam generator tube rupture initiating event, and the significant
impacts of steam generator tube condition on large early release frequency. Since
steam generator tube condition affects large early release frequency significantly, it is
needed to re-evaluate the steam generator tube condition during the future updates of
the reference PWR PRA to reflect such impacts properly. Also, even though much efforts
had been made beforehand to reduce modeling uncertainties, when it is required
to evaluate the risk associated with a very specific case, like a loss of coolant accident
with a known break size, it may be desirable to perform additional case specific accident
analysis and PRA modeling in order to evaluate the associated risk more accurately
and to support a proper risk informed decision making.
9:25 AM
Uncertainty Assessment Methodology for Probabilistic Risk
Assessment (PRA); Data, Methods, Models, and Inputs
Mohammad Pourgol-Mohammad (a), Seyed Mohsen Hosseini (b)
a) FM Global, Norwood, MA, b) Science and Research Branch, Islamic Azad University, Tehran, Iran
Uncertainty analysis is a crucial step in process of probabilistic risk assessment (PRA)
for better management and decision making purposes. This paper reviews the process
of uncertainty analysis and methodologies for characterization of the uncertainties and
their treatment in probabilistic risk assessment (PRA). This research is limited to Fault
Tree (FT) and Event Tree (ET) methodologies only and deals with all uncertainties in
process of PRA level I. A literature review was conducted on the subject to evaluate
the state of the art on the topic. Uncertainty taxonomy is reviewed in this research to
better address different sources of uncertainty. A hybrid method of maximum Entropy
approach supported by Bayesian Updating is proposed to quantify the parameters’
uncertainties effectively by using all relative and partially relative data and information.
Bayesian approach is utilized for the inference of the parameter uncertainties.
Examples from applications are provided for greater clarification of the proposed uncertainty
analysis techniques.

Session Chair: Dana Kelly
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Azalea
10:15 AM
Experiences from Implementation of Updated Reliability Data
for Piping Components Using the R-Book
Anders Olsson and Vidar Hedtjärn Swaling (a), Bengt Lydell (b)
a) Scandpower-Lloyd’s Register, Sundbyberg, Sweden, b) Scandpower-Lloyd’s Register, Houston,
Texas
The Nordic PSA Group (NPSAG) has undertaken to develop a piping reliability parameter
handbook – the so-called R-Book – for use in risk-informed applications. The
scope of R-Book is to establish high quality reliability parameters that account for the
Nordic and Worldwide service experience with safety-related and non-safety-related
piping systems in a consistent and realistic manner. The first version of R-Book was
released at the beginning of 2010 and covers ASME Code Class 1 or 2 piping components.
This paper presents the whole process from start to finish: (1) The derivation of application-specific
event populations and corresponding exposure terms, as input to
R-Book. (2) The methodology for deriving rupture/leakage frequencies from raw data
and some examples of results. (3) The first experiences gained from using R-Book
data for assessment of LOCA frequencies in Swedish PSA’s.
10:40 AM
Component Failure Rate Refinement Using RADS/EPIX/IEDB
for Prairie Island PRA
S. Eide (a), A. Peterman, D. Malek, and J. Ritter (b)
a) Scientech, A Curtiss-Wright Flow Control Company, Idaho Falls, ID, b) Xcel Energy, Welch, MN
The RG 1.200 probabilistic risk assessment (PRA) upgrade project for the Prairie
Island Nuclear Generating Plant (PINGP) included the use of NUREG/CR-6928 as the
main source for industry-average component failure rates. Plant-specific data were
collected for significant events to use in Bayesian updates of the industry-average
priors. Preliminary quantification results indicated that several component type codes
were dominating the results. For those cases, both the applicability of the prior and
the plant-specific data (if available) were reviewed. This paper deals with refinements
of the prior distributions using more specific searches of the Equipment Performance
and Information Exchange (EPIX) data and the Initiating Event Database (IEDB) using
the Reliability and Availability Data System (RADS) software. For each of seven component
failure modes, a RADS/EPIX or RADS/IEDB search was conducted to obtain a
more specific or applicable prior distribution. The search in some cases also included
a review of the failure events identified in the search to eliminate events that were not
applicable. Also, in one case the trend over 1988 – 2007 was significant so only data
over 2003 – 2007 were used. The result of this effort was a greater than 50% reduction
in the internal event core damage frequency.
PSA Data Analysis
11:05 AM
PSA Generic Component Failure Rate Database Update Methodology
Aaron M. Lee
Reliability and Safety Consulting Engineers, Inc., Knoxville, TN
There are many methods of combining different types of data while updating the data
with new sources of data recently made available. This paper presents the methodology
used for combining multiple sources of generic data with multiple sources of historical
data while simultaneously updating the data with the most current data available
from NUREG/CR-6928. Also, the methodology provides a way of reconciling some of
the NUREG/CR-6928 data with how the data is presented in previous generic sources.
An example of this is the addition of “running” and “standby” component failure rates in
the NUREG/CR-6928 report. The NUREG/CR-6928 also came with the added benefit
of adding many new components and failure modes to the database while the other
generic databases and plant experience included components and failure modes that
were not included in NUREG/CR-6928. The overall results of the work show that after
changing methodology and inclusion of NUREG/CR-6928 data that the estimate for
the rate of failure of each failure mode is relatively unchanged when compared to the
original values. or example, a motor-operated valve fails to open or close failure in
the previous version of the database had a failure rate of 3.00E-3/demand. After the
update, it had a value of 3.89E-3/demand. However, the added benefit of having additional
components and component failure modes to include in the database makes
updating a database with NUREG/CR-6928 data in it worthwhile.
11:30 AM
Use of RADS/IEDB To Refine Initiating Event Prior Distributions
for the Calvert Cliffs PRA
R. Marlow and S. Eide (a), J. Stone and J. Landale (b)
a) Scientech, A Curtiss-Wright Flow Control Company, Idaho Falls, ID, b) Constellation Energy Nuclear
Group (CENG), Lusby, MD
The RG 1.200 probabilistic risk assessment (PRA) upgrade project for the Calvert
Cliffs Nuclear Power Plant (CCNPP) included a large number of initiating events (IEs)
and the use of NUREG/CR-6928 as the main source of industry-average frequency
distributions. Those IE frequency distributions can be used as prior distributions in
Bayesian updates incorporating plantspecific data as the evidence. Many of the IE
distributions in NUREG/CR-6928 were generated using the Reliability and Availability
Data System (RADS) and the Initiating Event Database (IEDB). However, the IE categories
in NUREG/CR-6928 are general in scope and do not include the more specific
IEs often modeled in current industry PRAs. This paper describes the additional
RADS/IEDB analyses performed to develop priors for the detailed IE categories used
in the CCNPP PRA. Methods in NUREG/CR-6928 were used to determine the appropriate
periods to use for CCNPP-specific IE data when trends existed. Finally, the
method used to determine whether the prior distributions developed were consistent
with the CCNPP data is explained.
91

92
Session Chair: Hitoshi MUTA
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Camellia/Dogwood
10:15 AM
Investigation of Ageing Impact on Safety Systems’ Reliability
Sh. Poghosyan and A. Amirjanyan
Nuclear and Radiation Safety Center, Yerevan, Armenia
Safety performance of nuclear installations mostly depends on risk-significant safety
systems’ reliability. PSA studies show that final results are very sensitive to the reliability
parameters of safety-related components. So factors influencing reliability of
particular components could also have significant impact on plant risk and play important
role in riskinformed decision making process. One of the main factors which
could affect component reliability is ageing process. Ageing issue is becoming more
important as average age of operating nuclear plants is about 25 years. This paper is
devoted to the numerical evaluation of ageing impact on safety-related components
reliability. Time-dependent reliability models have been used to investigate behavior
of safety systems’ reliability.
10:40 AM
Multi-State Physics Models of Aging Passive Components in
Probabilistic Risk Assessment
Stephen D. Unwin, Peter P. Lowry, Robert F. Layton, Jr., Patrick G. Heasler,
and Mychailo B. Toloczko
Pacific Northwest National Laboratory, Richland, WA
Understanding the long-term reliability performance of passive components and the
extent to which safety margins are preserved will be critical to decisions on reactor
life extension. Multi-state Markov modeling has proved to be a promising approach
to estimating the reliability of passives - particularly metallic pipe components - in the
context of probabilistic risk assessment (PRA). These models consider the progressive
degradation of a component through a series of observable discrete states, such
as detectable flaw, leak and rupture. Service data then generally provides the basis
for estimating the state transition rates. Research in materials science is producing a
growing understanding of the physical phenomena that govern the aging degradation
of passive pipe components. As a result, there is an emerging opportunity to incorporate
these insights into PRA. In this paper a state transition model is described that
addresses aging behavior associated with stress corrosion cracking in ASME Class
1 dissimilar metal welds – a component type relevant to LOCA analysis. The state
transition rate estimates are based on physics models of weld degradation rather than
service data. The resultant model is found to be non-Markov in that the transition rates
are time-inhomogeneous and stochastic. Numerical solutions to the model provide
insight into the effect of aging on component reliability.
Aging in PSA - 2
11:05 AM
Evaluation Of Pipe Rupture Frequency For NPP Goesgen Using
Markov Models
Kozlik, T., Klügel, J.-U. (a), Dinu, I.P. (b)
a) NPP Goesgen-Daeniken, Switzerland, b) CNE Cernavoda, Romania
Based on information from the International OPDE pipe failure database and from
plant specific information, a Markov model was developed for estimating pipe rupture
frequency to support PSA LOCA and internal flood analysis. The main purpose of
the model is to obtain more realistic pipe rupture frequencies based on plant-specific
information including ageing effects. The model was applied to evaluate LOCA frequencies
and pipe rupture frequencies for ASME class 1 piping. The results obtained
were compared with results derived from traditional Bayesian approaches. Significant
conservatism of current LOCA frequency estimation methods was demonstrated. The
model was also used to study alternate In-Service-Inspection practices for ASME class
I piping. The method is intended to be used for estimating pipe rupture frequency of
high pressure piping located in the secondary containment of the plant that have a
potential to cause internal floods and harmful environmental conditions. The paper
presents the essential step of model development and the results of its application.
The paper presented is a contribution of NNP Goesgen-Daeniken to the Ageing PSA
research network of the European Union.

Session Chair: Tom Morgan
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Magnolia
10:15 AM
Psa and Risk Monitor for the Electrical Grid
Zoltan Kovacs and Pavol Hlavac
RELKO Ltd, Bratislava, Slovakia
The deregulated power market has already contributed to conditions that challenge
the stability of the grid. Restructuring of power systems to promote market-based dispatch
was designed, in part, to increase utilization of existing assets. It has resulted in
greater power transfers over longer distances. This has increased the loading of the
transmission grid and also made local reliability more dependent on distant events.
On the other side, the customer expectations of reliability are increasing and the consequences
of power outages have never been greater. Even small weak points in the
power transmission system, if undetected and uncorrected, might eventually lead to
costly outages or trigger cascading failures that affect large regions. The traditional
approach to electrical grid reliability is based on deterministic analyses for congestion
and transient response under normal conditions or a condition that satisfies a
single failure criterion. However, under the changed conditions this approach is not
enough. The probabilistic approach should be used which can help to identify and correct
potential weak points in the power system long before they trigger costly failures.
Powerful reliability methods (PSA) have been developed over the past three decades,
which can be tailored for use in evaluating the reliability of the existing and the future
electrical grid system. Given a PSA model of the grid constructed, the risk monitor can
be developed. This is a specific real-time analysis tool of the grid which can be used
to determine the instantaneous risk based on the actual status of its systems and
components. At any given time, the risk monitor reflects the current grid configuration
in terms of the known status of the various systems and components. For example,
whether there are any components out of service for maintenance or tests. The risk
monitor is based on the PSA model. It can be used by the staff in support of operational
decisions. PSA and risk monitor is being developed for the Slovak transmission
grid within a project supported by the Slovak Research and Developing Agency. This
paper describes the preliminary results of this project.
10:40 AM
Development of the Risk Monitoring System “COSMOS” and
Application for the Risk Evaluation During Online Maintenance
Hirohisa TANAKA (a), Junji NYUUI (b), Akira HASHIMOTO and Takahiro
KURAMOTO (c)
a) The Kansai Electric Power Company, (Currently belong to International Atomic Energy Agency), b) The
Kansai Electric Power Company, Fukui, JAPAN, c) Nuclear Engineering, Ltd., Osaka, JAPAN
The Japanese utilities have been applying risk monitoring system. It was first intended
to introduce risk monitoring system for outage work planning. In addition, the utilities
are considering the possibility of applying risk monitoring system to on-line maintenance
(OLM) in the near future, and making necessary preparations in a steady manner.
The Kansai Electric Power Company (KANSAI) and Nuclear Engineering Ltd.
(NEL) are jointly working to develop the risk monitoring system “COSMOS” aiming
at the utilization of the system to optimize nuclear power plant (NPP) operation and
maintenance activities. COSMOS, which is intended for level 1 PSA at power and
during shutdown, has the complete linkage with the comprehensive PSA tool, RISK-
MAN, which is widely adopted by NPPs at home and abroad. This paper explains how
KANSAI and NEL are working on the application of risk monitoring system in planning
the outage work and on-line maintenance activities. Regarding the outage work planning,
KANSAI’ s plants are conducting Level 1 shutdown PSA by using a simplified
risk monitoring system now, and planning to introduce COSMOS for the future outage
work planning. In planning OLM activities, it is necessary to evaluate the risk levels
of individual configurations in advance in which specific systems and components are
placed out-of-service according to the predetermined scope of isolation. It is planned
to apply COSMOS to the evaluation of risk levels. We will make a continuous effort to
extend COSMOS functions considering experience with the actual application of risk
monitoring system in OLM and outage work planning.
Risk Monitors
11:05 AM
Development of OLM Configuration Risk Management Actions
for Potential Use by Japanese Utilities
Hidetaka Imai, Ken-ichi Bando, Koichi Miyata
Tokyo Electric Power Company, Tokyo, Japan
In Japan, an overarching objective of nuclear power plant (NPP) operators is to
achieve enhanced operational performance. One significant component of meeting
this objective is to initiate the performance of on-line maintenance (OLM) throughout
the fleet of commercial NPPs in Japan. Because Japanese NPPs currently do not perform
voluntary maintenance activities that remove plant safety systems from service,
the development, approval and implementation of this strategy is a complex evolution
requiring the participation of the nuclear operating companies and the Japanese
regulatory authority. Implementing a strategy that will safely and effectively permit the
conduct of OLM requires a comprehensive and coordinated effort among all Japanese
NPP operators. To achieve this objective, the Japanese Federation of Electric Power
Companies formed a task force that consists of members from each nuclear operating
company in Japan to develop the requirements for performing OLM. In this paper,
we describe the development of a process to evaluate and manage configuration risk
during the conduct of OLM at Japanese NPPs. The proposed approach was initially
modeled based on the approach utilized by many NPP operators in the United States.
However, there are numerous significant cultural and regulatory differences between
Japan and the US (for example, there is no regulation in Japan comparable to the
Maintenance Rule). As a result, the initial requirements have evolved to address the
unique circumstances associated with application of OLM within the Japanese context.
In this paper we describe the approach and requirements for OLM configuration
risk management that have been developed for application in Japan.
11:30 AM
Implementation of Risk Monitoring Technology at Russian
Federation VVER-1000 Reactors With Risk Watcher
Francisco Osorio, Carlos López and Alfonso Sánchez
Iberdrola Ingeniería y Construcción, Madrid, SPAIN
Risk monitoring technology has been widely used both to determine the instantaneous
risk depending on the availability of the plant components, and to help on plant safety
manage over the time. This is the first Risk Monitor developed in Russia according to
international Standards. In order to implement this technology, three main phases has
been developed. Phase 1: Improving the PSA quality to achieve IAEA Standards for
this kind of application. Phase 2: Developing the risk monitor model using Risk Watcher
software. Phase 3: Transfer the know-how on risk monitoring technology. Balakovo
NPP has been selected by the Russian utility Rosenergoatom as the pilot plant, and
Risk Watcher (ScandPower risk monitor software) as the software toolbox.
93

94
Session Chair: Dennis Henneke
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Salon A
10:15 AM
Examination of the Efficacy of the NFPA-805 “Fire Modeling”
Approach (Comparison Between “Maximum Expected” and
“Limiting” Fire Scenarios)
Raymond HV Gallucci
U.S. Nuclear Regulatory Commission (NRC), Washington, D.C.
National Fire Protection Association Standard 805 permits the use of fire modeling
to quantify the fire risk and margin of safety when using the performance-based approach
to demonstrate compliance, provided that there is a “sufficiently large” margin
between the “maximum expected” and “limiting” fire scenarios. This paper attempts to
develop quantitative insight to determine what might constitute this “sufficiently large”
margin based on heat release rates (HRRs) typical of ignition sources (combustibles)
at nuclear power plants. The results indicate that this comparative approach may be
practical only for “low” HRRs (say on the order of 100 kW), for which there is relatively
small uncertainty (narrow variability) in the HRR distribution. In general the efficacy of
this comparative approach increases as the uncertainty in the HRR decreases and the
magnitude of the “limiting” HRR relative to the “maximum expected” HRR increases.
10:40 AM
Failure Mode and Effect Analysis of Cable Failures in The
Context of a Fire PSA
Joachim Herb and Ewgenij Piljugin
Gesellschaft für Anlagen- und Reaktorsicherheit (GRS) mbH, München, Germany
A computer aided methodology based on the principles of FMEA (failure mode and
effect analysis) has been developed to systematically assess the effects of cable failures
caused by fire in a nuclear power plant. It is intended to use this method as an
integral part of Level 1 Fire PSA in Germany. The main purpose of the methodology
and its supporting tools is to improve the comprehensibility and completeness of cable
failure analysis within the context of Fire PSA. The main objective of the presented
methodology is the standardization of the FMEA for similar components of affected
electrical circuits. Cable FMEA (CaFEA) consists of two phases of analysis: In the first
phase an analysis of generic cable failures of standardized electrical circuits of the
nuclear power plant is performed. In the second phase for each cable those generic
failure modes are identified which could affect safety relevant components. The specific
effects identified in the second phase of the FMEA are mapped to basic events
used as initiating events and/or component failures in the Fire PSA. The suitability
of the presented methodology has been already successfully demonstrated by an
exemplary application for the cables within a selected fire compartment of a nuclear
power plant.
Fire PSA Methods - 9
11:05 AM
Thermal Hydraulic Parametric Studies of Multiple Spurious
Operations Using MAAP
John R. Olvera
EPM, Inc., Risk Solutions Division, Hudson, WI
The potential for fire-induced multiple spurious operations (MSOs) of equipment is
included as part of the Fire PRA analysis. MSOs could result in a number of adverse
conditions including various loss of reactor coolant events, loss of reactor coolant system
pressure control, and loss of decay heat sink. Although not all of these scenarios
result in a risk significant outcome, it is instructive to determine the bounding limits
of the reactor coolant system and associated emergency cooling systems in order to
provide guidance for the fire PRA and human reliability analysts.
The MAAP code is used to analyze various combinations of MSOs in order to provide
bounding information on system capability and operator action timing. The MSOs that
are studied that affect the primary system at a pressurized water reactor include the
spurious opening of a pressurizer power operated relief valves, letdown valves, and
reactor vessel and pressurizer head vents. In combination with these types of MSOs,
studies also include the impact of excessive reactor coolant pump seal leakage. Finally,
the spurious operation of the primary system pressure control systems is also
examined.
These studies provide useful information regarding the feasibility of recovering from
various MSO combinations, and the related timing to prevent escalation to more challenging
transients up to and including core damage. The results demonstrate the degree
of importance of potential MSO scenarios to the Fire PRA.
11:30 AM
Evaluation of Heat Release Rates of Vertical Electrical Cabinet
Fires
Pierre Macheret and Paul J. Amico
Science Applications International Corporation, Las Vegas, NV
Two models calculating the peak heat release rate (HRR) in vertical cabinet fires were
developed, based on existing fire test data published in the literature. The first model
establishes proportionality between the peak HRR and the energy released through
combustion when there is no limitation on oxygen availability, and further relates this
energy to the initial fuel loading of the cabinet. The effect of IEEE-383-type cable qualification
on the HRR is taken into account. Dependencies between random parameters
are captured via a hierarchical Bayes model, which is run using Markov Chain Monte
Carlo sampling. The model is used to produce scoping HRR values, which are found
to be compatible with predictions of an alternative model published in the literature.
Taking the cabinet volume as a proxy for fuel loading, the model is used to produce
HRR values based on overall cabinet dimensions. The second model modifies existing
analytical formulations of the peak HRR under ventilation-restricted conditions, by
probabilistically accounting for random variables such as variations in the vent area
due to the formation of gaps from cabinet door warping by thermal stress. With this
model, scoping HRR values are calculable based on simple cabinet geometry parameters
including information on inlet and outlet vent areas. Limitations to the model
validity are explored. The scoping HRR values of both models are viewed as refining
those given in Table G-1 of NUREG/CR-6850-EPRI 1011989.

Session Chair: Glen Seeman
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Salon B
10:15 AM
Examination Deterministic Analysis of Severe Accidents to
Support Design Certification of the Nuscale PWR
Jason Pottorf, Kent Welter, Wendell Wagner (a), Mark Leonard (b)
a) NuScale Power, Inc., Corvallis, OR, b) dycoda, LLC, Los Lunas, NM
The analysis of accidents that result in physical damage to the reactor core is an essential
element of the design certification process for the NuScale PWR. The type and
frequency of such accidents is determined by Probabilistic Risk Assessment (PRA).
The physical and temporal progression of damage to the reactor core, as well as the
quantitative assessment of fission product release and transport away from fuel, is calculated
in an integrated computational model developed with the MELCOR computer
code. MELCOR provides a convenient framework for modeling the innovative design
features of NuScale due to the modular “building block” architecture of the code. An
overview of the NuScale MELCOR model is provided, which highlights the technical
challenges and progress made to validate the important features of calculated results.
Foremost among these features is retention and cooling of debris within the lower
head of the reactor pressure vessel (RPV). The physical configuration of the steel
containment pressure vessel, which is fully-submerged in a large reactor cooling pool,
ensures an adequate source of water for RPV lower head heat transfer and passively
cooled surfaces for condensation of resulting steam. Another unique and important
feature of the NuScale design is enhanced in-vessel retention of fission products via
efficient deposition on twin helical coil steam generators that are mounted within the
RPV. The manner in which these design features are modeled is discussed, and their
impact on radiological source terms is quantified.
10:40 AM
A Methodology for the Characterization of Severe Accident
Consequences and the Results Presentation in Level 2 Probabilistic
Safety Assessment
N. Rahni, Y. Guigueno, E. Raimond, J. Denis, M. Baichi, T. Durin, B. Laurent
Institut de Radioprotection et de Sûreté Nucléaire, Fontenay-aux-Roses - France
To provide a better understanding of the results of its L2 PSA and to facilitate their
adoption for decision making, IRSN has developed a methodology for the characterization
of the severe accident risks identified in the L2 PSA. A dedicated very fast
running code has been developed for the calculation of radioactive releases, while radiological
consequences assuming standard meteorological conditions are estimated
using software originally developed for crisis management. These tools are integrated
within the L2 PSA APET (Accident Progression Event Tree) through the KANT probabilistic
software. The global L2 PSAs results now offer many keys for the risk analysis
and help IRSN to formalize positions in the field of severe accident NPP robustness.
Level II/III PSA - 2
11:05 AM
Application of Regional Environmental Code HARP in the
Field of Off-Site Consequence Assessment
R. Hofman and P. Pecha
Institute of Information Theory and Automation of the ASCR, Prague 8, Czech Republic
The environmental code HARP (HAzardous Radioactivity Propagation) estimates consequences
of accidental radioactivity releases from a nuclear facility and on basis of
simulation of dispersion in atmosphere, deposition of radionuclides on the ground and
further propagation through the food chains towards human body. Classical Gaussian
approach in the form of hybrid puff-plume segmented model SGPM is introduced
for simulation of pollution dissemination in the atmosphere. The ingestion pathway is
modeled dynamically. The system architecture consists of the inner kernel designated
for deterministic calculations and outer probabilistic shell, which ensures application
of probabilistic approach in the consequence assessment. Propagation of uncertainties
through the model towards the output values of interest is realized through the
multiple recalling procedure of the inner kernel, which is optimized for such intensive
Monte Carlo (MC) computations. The HARP code is primarily designed for application
of advanced statistical data assimilation techniques based on sequential MC methods
(SMCM) allowing an improvement of model predictions using real measurements incoming
from terrain. In this paper we shall demonstrate two additional specific applications
of the HARP code based on the repeated sampling. Firstly, a partial PSA-Level3
study of ecological risk assessment is accomplished taking into account variability of
meteorological inputs represented by historical long sequences of archived values
(for each hour in the years 2008 and 2009). Output radiological quantities are then
processed statistically. Secondly, a long term release of radioactive material is simulated
through the superposition of a large number of one-hour fractional release rates.
The procedure is applied on annual radioactivity releases from a nuclear power plant
(NPP) during its routine normal operation when each partial hourly release is driven by
the real meteorology archived at that time.
11:30 AM
An Updated Economic Model for Level-3 PRA Consequence
Analysis Using MACCS21
Pierre Vanessa N. Vargas, Nathan E. Bixler, Alexander V. Outkin, Verne W.
Loose, Prabuddha Sanyal, and Shirley Starks
Sandia National Laboratories, Albuquerque, NM
This paper presents the preliminary findings for updating the estimation of economic
consequences in MACCS2. The objective of this effort is to include a more representative
set of costs in the MACCS2 economic model. The original model included the
losses associated with evacuating and relocating the public, interdiction and decontamination,
loss of use of property, loss of crops, and, potentially, permanent loss of
property. The new economic model is intended to include those costs, but to extend
them by capturing the effect of an accident on the gross domestic product (GDP) produced
in the affected area to create a more comprehensive picture of the economic
impacts. The team determined the GDP reductions by using the REAcct analysis tool
developed at Sandia National Laboratories. This paper outlines the motivation for the
proposed improvements; the economic methodology used, including a description of
the REAcct tool; and an implementation outline.
95

96
Session Chair: Jonathan Li
PSA 2011 - International Topical Meeting on Probabilistic Safety Assessment and Analysis
Thursday March 17, 2011 - 10:15 AM - Carolina
10:15 AM
Outage PRA METHODOLOGY for Multi-Unit Candu Generating
Stations
Krist Papadopoulos, Ben Hryciw and Steve Kaasalainen (a), Ian Beith (b),
Rob McLean (c)
a) AMEC NSS Ltd., Toronto, Ontario, Canada, b) Ontario Power Generation, Pickering, Ontario, Canada,
c) Bruce Power, Tiverton, Ontario, Canada
A Level 1 Internal Events Outage Probabilistic Risk Assessment (PRA) methodology
was developed by AMEC NSS Ltd. for multi-unit Canadian Deuterium Uranium
(CANDU) nuclear generation stations. The methodology was developed in cooperation
with utilities, Ontario Power Generation and Bruce Power, owners and operators
of multi-unit CANDU stations in Ontario, Canada. The methodology provides a generic
framework that examines the plant operating states (POSs) where one unit is shutdown
and placed in a guaranteed shutdown state (GSS) for outage maintenance while
at least one adjacent unit is operating. The POS, initiating event, event tree, fault tree,
reliability data and human reliability analyses methodologies are defined with the aim
of determining the risk of core damage resulting from internal events occurring at the
outage unit while in GSS.
The scope of the analysis is limited to internal events, e.g. process and human interaction
related events, for the outage unit in GSS and the adjacent units. Events originating
in the adjacent units can be analyzed for their impact on the risk of core damage
for the outage unit in GSS. The methodology is applicable to different CANDU designs
and outage configurations, allowing each station to develop a comprehensive and
detailed PRA for plant outage maintenance operation in GSS. This PRA can then be
used to provide support for maintaining station Safety Goals, risk informed decision
making and outage maintenance planning.
This paper gives an overview of the methodology.
10:40 AM
Dominion Experience in Shutdown Risk Analysis
Ross C. Anderson (a), Robert W. Fosdick (b)
a) Virginia Commonwealth University, Richmond, VA, b) R&B Nuclear LLC, Maidens, VA
Between 2004-2007, Dominion used a shutdown PRA model to support compliance
with the requirements of 10 CFR 50.65(a)(4) at the Surry Power Station. Dominion did
so in order to cultivate experience with shutdown PRA, and because the available,
deterministic methods tended to be excessively conservative and limited in providing
risk insights. At that time several risk profiles at the “sister” North Anna plant were also
analyzed, with similar results.
During this time, the Dominion staff observed that all refueling outages exhibited the
same basic risk profile. There were only minor variations from one cycle to the next.
A significant risk plateau occurred after the unit cooled below 200oF (Mode 5 in the
Westinghouse Standard Technical Specification convention), until the refueling cavity
was flooded for fuel offload. Afterward, risk dropped to an almost negligibly low level
until restart.
Shutdown risk was dominated by diversion LOCA events and, to a lesser extent, loss
of RHR. Potential human error was significant because of the unavailability of automatic
safety injection (SI).
Another major insight from the analysis is that the majority of excess risk is incurred
during the time between SI deactivation and cavity flood-up. (After the cavity is flooded,
the long time to boil-off reduces the Core Damage Frequency by about an order
of magnitude.) Risk could be reduced by decreasing the time until cavity flood occurs.
However, Technical Specifications require a minimum of four days for decay heat reduction
before fuel may be moved. While TS compliance normally provides a measure
of risk reduction, in this case, it added additional risk by delaying cavity flood.
Previously, the site had used a deterministic method for shutdown risk assessment. In
comparison, the deterministic method was extremely conservative, resulting in most of
the outages being classified as “non-green” approximately three quarters of the time.
As a result, the plant staff tended to be desensitized to “non-green” conditions during
shutdown. Further, the assessment tended to mask the actual period of legitimately
elevated risk. This “masking” can divert focus from the genuinely risk significant evolutions.
It should also be noted that the NRC staff has reasonably commented, in informal discussions,
that they would be less likely to challenge a probabilistic shutdown analysis
than a deterministic one.
Shutdown PSA - 2
11:05 AM
Transition Risk Model for PWR
Zoulis, A
U.S. Nuclear Regulatory Commission, Washington, DC
Low-Power and shutdown risk analyses, in addition to the at-power risk models, of
commercial pressurized light-water reactors (PWRs) in the United States have been
performed in the past. However, the risk associated with the transition between lowpower
and full power has been more challenging in terms of modeling and quantification.
This paper documents the transitional risk model developed to quantify the risk
associated with transitioning from lowpower to full-power operations of a 4-loop PWR
commonly operated in the US as part of the US Nuclear Regulatory Commission’s
(NRC) Significance Determination Process. Potential initiators for all modes were evaluated
while the plant transitions between different operational states. Through this approach,
each mode is divided into specific plant operating states to account for specific
plant conditions, equipment availability, and plant response, which change as the transition
between full-power, low-power, and shutdown configurations occur. The analysis
was performed using the Standardized Plant Analysis Risk (SPAR) Model used by the
Nuclear Regulatory Commission (NRC), and developed and maintained by the Idaho
National Laboratory (INL). The existing at-power SPAR model was modified to develop
the transitional model used for this analysis. This paper presents the results observed
as the core damage frequency changes as a function of the plant progression between
the different operational modes from shutdown to fullpower conditions.

PSA 2011 Program/Proceedings CD-ROM
About this CD-ROM
The material in this CD-ROM was published using Adobe© technology.
Included on the CD-ROM are versions of Acrobat Reader for Microsoft© Windows TM , Apple© Macintosh TM (Mac OS X), and Unix©
Installation
To view files on this CD-ROM you must have Adobe Reader installed on your hard drive. Installation instructions can be found in the
README.TXT file.
Getting Started
Windows users: Software included in this CD-ROM should automatically launch the proceedings. You can always start viewing the
content by opening the Start.pdf file provided Adobe Reader has been installed on your hard drive.
MacOS X and Unix users: To start open the Start.pdf file.
Copyright © 2011
American Nuclear Society - ANS
Program Book, CD-ROM, WebSite, Online Paper Submission and Review, and Online Registration are
services/products of Techno-Info Comprehensive Solutions.
http://techno-info.com

SUNDAY
PSA 2011 Program
Azalea Camellia/Dogwood Magnolia Salon A Salon B Carolina
1:00 pm-­‐ 5:00 pm WORKSHOP Dynamic PSA Tunc Aldemir DeRosset
6:00-8:00 PM
MONDAY
7:00 – 8:00 AM Continental Breakfast - Grand Concourse
8:00-9:45 AM Plenary Session I
Ed Halpin, CEO STPNOC
9:45-10:00 AM Coffee Break
10:00-11:45 Digital I&C in PSA - 1 Next Generation Rx PSA - 1 Other External Events Fire PSA Methods - 1 PSA Knowledge Management - 1 Human Reliability Analysis - 1
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Carol Smidts Donald Helton Michael Golay Eric Jorgensen Nathan Siu Dave Gertman
11:45 - 1:30 PM Lunch Break
1:30 - 3:15 PM Digital I&C in PSA - 2 Next Generation Rx PSA - 2 Configuration Risk Management -
1:
Seismic PSA - 1 Safety Culture Flooding PSA - 1
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Sergio Guarro Karl Fleming Gerry Kindred Andrea Maioli David Johnson Ray Dremel
3:15 - 3:45 PM Coffee Break
3:45 - 5:30 PM Passive Reliability - 1 Non-Reactor PSA - 1 Configuration Risk Management -
2
Seismic PSA - 2 PSA Knowledge Management - 2 Flooding PSA - 2
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Enrico Zio Jim Young Tom Morgan Robert Budnitz Mike Lloyd Richard Turcotte
6:00 - 8:00 PM
TUESDAY
7:00 – 8:00 AM Continental Breakfast - Grand Concourse
8:00-9:00 AM Plenary Session II
George Apostolakis - US NRC Commissioner
9:00 - 9:50 AM Passive Reliability - 2 Non-Reactor PSA - 2 Configuration Risk Management -
3
Fire PSA Methods - 2 History of Nuclear PSA Human Reliability Analysis - 2
Session Chair: Session Chair: Session Chair: Session Chair: Session Chairs: Session Chair:
William Burchill Paul Amico Ross Anderson Raymond H Gallucci Earl Page, Ian Wall Parviz Moieni
9:50-10:05 AM Coffee Break
10:05-11:45 Dynamic PSA - 1 Next Generation Reactor PSA - 3 Generation Risk Assessment Fire PSA Methods - 3 PSA Knowledge Management - 3 Human Reliability Analysis - 3
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Bulent Alpay Matthew Warner James Liming Marina L Roewekamp Doug True Luca Podolfillini
11:45 - 1:30 PM Lunch Break
1:30 - 3:15 PM Dynamic PSA - 2 Next Generation Rx PSA - 4 Grid Reliability Fire PSA Methods - 4 Risk-Informed Safety Margins Human Reliability Analysis - 4
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Pierre-Etienne LABEAU Johnathan Li Shan Chien David N Miskiewicz Dominique Vasseur Gareth Parry
3:15 - 3:45 PM Coffee Break
3:45 - 5:30 PM Dynamic PSA - 3 Risk-Informed Decision Making - 1 Fire PSA Methods - 5 Seismic PSA - 3 PSA Standards - 1 Fault Tree Initiating Events
6:30 - 9:00 PM
WEDNESDAY
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Tunc Aldemir Stanley Levinson Robert Ladd Kohei Hisamochi Barry Sloane Mike Lloyd
Azalea Camellia/Dogwood Magnolia Salon A Salon B Carolina
7:00 – 8:00 AM Continental Breakfast - Grand Concourse
8:00-9:00 AM Plenary Session III
John Kelly, DOE Deputy Assistant Secretary for Nuclear Energy
9:00 - 9:50 AM Dynamic PSA - 4 Risk-Informed Decision Making - 2 Proliferation Risk - 1 Fire PSA Methods - 6 Significance Determination Process Shutdown PSA - 1
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Martina Kloos Dana Kelly Bill Burchill Pedro Fernandez Greg Krueger Robert Budnitz
9:50-10:05 AM Coffee Break
10:05-11:45 Advanced PSA Methods Risk-Informed Technical
Space/Aircraft PSA Seismic PSA - 4 PSA Standards - 2 Panel - Joint EPRI/NRC-RES Fire
Specifications
HRA Guidelines
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Jeff Riley Mike Snoderly Steve Farminham Andrea Maioli Jim Chapman Susan Cooper
11:45 - 1:30 PM Student Awards Luncheon - Cape Fear Ballroom
1:30 - 3:15 PM Common Cause - 1 Risk-Informed Decision Making - 3 Panel: Next Generation Rx Risk Fire PSA Methods - 7 Panel: PRA Standards
Uncertainty Analysis & Methods - 1
Metrics
Development, International
Considerations
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Gareth Parry Marty Sattison Mohammad Modarres Richard M Wachowiak Rick Grantom M.Pourgol-Mohammad
3:15 - 3:45 PM Coffee Break
3:45 - 5:30 PM Common Cause - 2 Risk-Informed Decision Making - 4 Proliferation Risk - 2 Panel: Fire PSA Improvements Computer Methods - 1 Uncertainty Analysis & Methods - 2
THURSDAY
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Jeanne-Marie Lanore Bob Lutz William Burchill Doug True Louis Chu Goran Hultqvist
7:00 – 8:00 AM Continental Breakfast - Grand Concourse
8:00-9:00 AM Plenary Session IV
Speakers: Robert Budnitz and Cheri Collins
9:00 - 10:00 AM Computer Methods - 2 Aging in PSA - 1 Software Reliability Fire PSA Methods - 8 Level II/III PSA - 1 Uncertainty Analysis & Methods - 3
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Kyle Metzroth Karl Fleming Mike Yau Brandi T Weaver Paul Boneham Gabriel Georgescu
10:00 - 10:15 AM Coffee Break
10:15-12:00 PSA Data Analysis Aging in PSA - 2 Risk Monitors Fire PSA Methods - 9 Level II/III PSA - 2 Shutdown PSA - 2
1:00 PM
Session Chair: Session Chair: Session Chair: Session Chair: Session Chair: Session Chair:
Dana Kelly Hitoshi MUTA Tom Morgan Dennis Henneke Glen Seeman Jonathan Li
1:00 pm - 5:00 pm WORKSHOP Risk Phenomenology, TMI & Accident Management Insights Robert Henry Dudley
1:00 pm - 5:00 pm WORKSHOP Level 3 Consequence Evaluations - MACCS2 Nathan Bixler DeRosset
FRIDAY
Registration Starting at 2:00 next to the Grand Ballroom
Welcome Reception 6:00-8:00 - Grand Ballroom
Registration Starting at 7:00 next to the Grand Ballroom
NETWORKING RECEPTION - Grand Concourse
Registration Starting at 7:00 next to the Grand Ballroom
Banquet - Speaker Kevin Walsh
Registration Starting at 7:00 next to the Grand Ballroom
Registration Starting at 7:00 next to the Grand Ballroom
Global Nuclear Fuels Tour
Grand Ballroom Cape Fear Ballroom
Grand Ballroom Cape Fear Ballroom
8:00 am - 12:00 pmWORKSHOP Level 3 Consequence Evaluations - MACCS2 Nathan Bixler DeRosset