You are on page 1of 11

QUESTIONNAIRE FOR WG RISK MEMBERS

ON THE
STATE OF THE ART
IN THE MEMBER COUNTRIES
IN THE
DEVELOPMENT AND USE OF RISK MONITORS.
RESPONSES FROM MEXICO
Comisión Nacional de Seguridad Nuclear y Salvaguardias
and
Comisión federal de Electricidad

CURRENT POSITION ON LIVING PSA/ RISK MONITORS
Q1

What is the current state of the art in the development and application of Living
PSA and Risk Monitors in your country/ plant?

A1

The Laguna Verde Nuclear Power Plant Unit 1 has a full power PSA level 1 for
internal events. This PSA makes use of a generic data base, compiled from
different sources. It includes an analysis of the impact of the primary containment
status on the safety injection systems, in order to solve the so called core
vulnerable sequences. The study was frozen and represents the status of the
plant at the year 1994. The study was developed by the Mexican utility (Comisión
Federal de Electricidad) and it has already been approved by the Mexican
regulatory agency (Comisión Nacional de Seguridad Nuclear y Salvaguardias).
The PSA will be subjected to an updating, by the end of the year 2000, in order to
get a Living PSA that represents the actual design, operation and maintenance
procedures. This updating will also include the collection of plant specific data.
The frequency of subsequent updating will be at the end of each operating cycle
(6 months later of the end of the refueling outage).
The Laguna Verde NPP has a Risk Monitor which is currently being used on a
trial basis, until its models were updated according and consistent with the
approved and updated version of the PSA, the one that will be generated at the
end of year 2000.

Q2

Which nuclear power plants have a Living PSA/ Risk Monitor?

A2

Laguna Verde Nuclear Power Plant

REASONS FOR DEVELOPING A RISK MONITOR

which states that the utility should assess and manage the risk associated with maintenance activities. Q4 What was the order of costs involved in developing the living PSA and Risk Monitor? How did this compare with the initial costs of developing the PSA? A4 It is difficult to establish the cost involved in the development of the Laguna Verde PSA. The cost involved in the development of the actual Risk Monitor is around the $200. and to assess the accident sequence precursors. to justify the continued operation of the plant on AOT Technical Specifications requirements. Another specific reasons for developing the Living PSA/Risk Monitor are the need to have a computational tool to support the risk informed decision making. Then the utility aware of the benefits of having a Living PSA in terms of the posibility to reduce costs and burdensome regulations.Q3 What was the reason for developing a Living PSA and Risk Monitor? A3 The Laguna Verde NPP PSA was developed initially to comply with a regulatory requirement. since this process took a lot of time and efforts. allowed outage times.65. and since the study has been subjected to several updatings and a detailed review.)? Demonstrating compliance with deterministic requirements (Technical Specifications)? Demonstrating compliance with the maintenance rule? . asked the utility to perform an Individual Plant Examination.000 USD APPLICATION OF LIVING PSA/ RISK MONITOR Q5 For which of the following risk informed applications has the Living PSA/ Risk Monitor been used? Design changes? Configuration control? In-service inspection? Development of Technical Specifications (to define test intervals. The Mexican regulatory agency. etc. However the cost involved in the currently movement of the PSA towards the Living PSA concept is around $40. many IAEA expert missions which are difficult to quantify. following the USNRC regulation. to support the on-line maintenance activities.000 USD. The Risk Monitor was developed to support the plant operation and maintenance activities and at the same time to minimize the associated cost. took the necessary steps to move towards the Living PSA concept in order to have an approved probabilistic model to support PSA applications. One of the main reasons to develop the RM was to comply with the maintenance rule requirement established in the appendix (a)(4) of the 10CFR50.

so it is not currently being used to show compliance with deterministic criteria or rules. in-service inspection. the Mexican regulatory agency has to impose a more astringent risk criteria (core damage frequency and large early release frequency) in order to overcome such deficiencies. the Risk Monitor is being used on a trial basis to train the operator. eventhough is not based on the approved PSA. Since the PSA used for this risk informed applications has some deficiencies (lack of plant specific data. to demonstrate compliance with Technical Specifications and graded QA. in the near future it will be used to demonstrate compliance with the Maintenance rule. Once the PSA were updated and the Risk Monitor were based on the Living PSA. It is foreseen that the Living PSA will be used to support design changes. those required by Technical Specifications) or with rules (such as the maintenance rule)? A6 As it was stated in the answer to question 5. a more extensive use for risk informed applications is expected. It is still under development stage and will be updated consistent with the updating of the . However. The Risk Monitor. The Risk Monitor will be used for Configuration Control. to demonstrate compliance with the Maintenance rule and for the accident sequence precursors analysis. it has been used on a trial basis to train the operators for configuration control and for demonstrating compliance with the maintenance rule. the PSA does not reflect the actual design and operation and maintenance practices). Q6 Is the Risk Monitor used to show compliance with deterministic criteria (for example.Analysis of operating experience/ identification of potentially risk significant events? Quality assurance? Other? (Please give details) A5 The PSA for Laguna Verde NPP has been used to support design changes and to justify temporal and permanent changes to Technical Specifications. CURRENT STATUS OF THE RISK MONITOR Q7 What is the current state of development of the Risk Monitor? In particular: How long has it been in use? Is it being used on a trial basis? Is it still in the development stage? A7 The Risk Monitor is being used for the last 6 months on a trial basis.

this analysis is still under review by the Mexican regulatory agency. the operators and schedulers staff are generating comments on the RM and identifying errors that will be taking into account during the updating process.)? A9 The PSA model used in the Risk Monitor only includes internal initiating events. However. Q8 How many modes of operation are addressed by the Risk Monitor? Full power? Low power? Shutdown? Other? (Please give details) A8 The Risk Monitor only considers full power operation mode. The Internal flooding analysis is included in the scope of the Individual Plant Examination requested to the utility.PSA. For normally operating systems a choice has been made in the PSA model regarding which trains are supposed to be running and which ones are in . A11 The PSA model used in the Risk Monitor includes a typical plant configuration. During this trial period.)? External hazards (earthquake. Q11 What changes in the plant configuration and plant alignment are modelled in the Risk Monitor and how is this done? (Changes in plant configuration include changes in the choice of the running and standby trains of a normally operating system. etc.core damage frequency? Level 2 -frequency of a large release/ large early release? Level 3 .which societal consequences? A10 The Risk Monitor for Laguna Verde NPP includes a level 1 PSA model. Q9 What range of initiating events is included in the PSA model used in the Risk Monitor? Internal initiating events? Internal hazards (fire. flood. etc. The utility is currently developing a Fire Risk Analysis for Laguna Verde NPP. Q10 What Level of PSA is included in the Risk Monitor? Level 1 . Once these analyses were approved the utility plans to include them in the Risk Monitor. Changes in system alignments include opening and closing the interconnections in electrical distributions systems or fluid pumping s'ystems).

The CCF model used in the PSA (beta factor) is considered adequate for the Risk Monitor. testing activities? If YES. Q12 Does the Risk Monitor handle time-dependent (dynamic) events? In particular. A14 The common cause failures used in the PSA model were not modify and were directly used in the Risk Monitor. However. since is in a trial basis and under development.standby mode. The need of developing suitable models for the normally operating support systems will be taking into account in the next version of the RM. However. meteorological conditions? internal plant activities . were the common cause failure models used in the original PSA found to be adequate for the Risk Monitor or were changes needed? If so. The random-component failures and the pre and post accident human error probabilities in the RM are those considered in the PSA model. A13 The Risk Monitor for Laguna Verde does not have correlations to modify the initiating event frequencies according to external plant conditios or internal plant activities. the EOOS sotfware package used has the ability to handle these features. Q13 Does the Risk Monitor have internal correlations that allow the modification of the initiating event frequencies according to: external plant conditions . please supply details on how these correlations have been established. please supply details on what changes were made. does it handle: primary events that represent random component failures? primary events that represent pre-accident human errors? primary events that represent post accident human errors? (The third bullet point relates to whether the Risk Monitor can handle different human error probabilities depending on the specific system configuration).for example. A12 The Risk Monitor for Laguna Verde does not handle time-dependent events. in the next version of the RM some changes will have to be implemented in order to take into account the . The plant alignment is supposed in the PSA model to be the one during normal full power operation. Q14 How have common cause failures been modelled in the Risk Monitor? In particular. The modification of the initiating event frequencies according to the external conditions or internal activities will be taking into account in the next version of the RM. does not make any changes to the plant configuration and system aligment considered in the PSA model. The Risk Monitor.for example.

a PSA especialist. The RM will be used to comply with the appendix (a)(4) of the Maintenance rule (10CFR50.65) which states that the utility should assess and manage the risk associated with a plant configuration. This procedure has records to be filled by the actual users to report to the PSA group any comment or error in the RM. No additional personnel have been required/recruited to use the Risk Monitor. Q17 Does the use of the Risk Monitor require a PSA specialist? Have additional personnel been required/ recruited to use the Risk Monitor? A17 The use of the Risk Monitor at Laguna Verde does not required. In this sense. Q15 What is the role of the Risk Monitor during operation of the nuclear power plant? How frequently is it used? A15 The Risk Monitor is used by the plant operators to evaluate the instantaneous risk associated with a particular plant configuration. Since the RM is currently being used for the configuration control of Laguna Verde. maintenance schedulers and regulators. ORGANISATIONAL ASPECTS OF THE USE OF THE RISK MONITOR.unavailability due to test or maintenance of the components included in the common cause failures. Q16 Who uses the Risk Monitor: Plant designers? Plant operators? Regulators? Other? (Please give details) A16 The current users of the Risk Monitor are the plant operators. it is used as frequently as the plant configuration changes as a result of equipment being out for maintenance. A procedure has been written to define the steps and instructions necessaries to use the RM. at the moment. the plant scheduler will use the Risk Monitor to make decisions about when to perform maintenance on plant equipment over periods of several weeks or months. The risk indication is used to decide what particular system/component be taken out for preventive maintenance or which ones should be promptly returned to the operable state. . This information will be used during the updating of the RM.

? A20 The EOOS monitor is being used extensively by many US utilities and for some non USA utilities around the world. validation.1) will be used in the next version of the Risk Monitor. SOFTWARE USED IN THE RISK MONITOR APPLICATION Ql9 What software package has been used for the Risk Monitor? A19 The Risk Monitor of Laguna Verde has been used the Equipment-Out-Of-Service (EOOS) package developed by EPRI/SAIC. the Risk Monitor for Laguna Verde uses the FORTE package. acceptance by the regulatory body. However.for example. etc. does it solve the event tree/ fault tree model each time or does it rely on pre-solved solutions or cut set manipulation? A21 The EOOS monitor uses a combination of solutions options. Therefore the EOOS code will be subjected to this process and the Mexican regulatory agency will only perform a verification that the PSA model were implemented properly. EOOS has an open architecture which lets plug-in third part software components. as part of the Safety Culture Program. The code is not in a developement state. which is considered the fastest quantification engine. For example.6B. Q21 How does the Risk Monitor work . the current version used is the 2. and it is expected to include all the features offered by EOOS. a permanent training program on the risk management concepts and on the use of the results and insights of the Laguna Verde PSA is considered necessary and important and will be implemented in the near future.Q18 What training in PSA is provided to the users of the Risk Monitor? A18 The Risk Monitor actual users have received a basic training on the use of the RM. An overview of the general concepts of the PSA methodology.from the PSA. The utility as part of its software QA process requires that all the computer software used for the operation of Laguna Verde be subjected to a validation and verification process. The utility has not considered necessary to provide a detailed training on the PSA to the plant operators and maintenance schedulers. verification. Other options are the . The Laguna Verde RM es in process of further improvements. there are a commercial versions of the code.list of cutset . and a updating version (3. Q20 What is the status of the software codes used in terms of state of development. has been provided to the users. The Mexican regulatory agency is not endeavour in a verification or validation process of the EOOS code. for the quantification process. The primary option is a presolved solution .

DEVELOPMENT OF THE PSA MODEL FOR USE IN THE RISK MONITOR Q22 What changes were made to the basic PSA model to develop it into the one used in the Risk Monitor? This would typically include modelling of: Plant configuration in terms of running and standby equipment? Safety system alignments .(converted from the PSA) or a hybrid solution. Q24 What requirements were set on the response time of the Risk Monitor? What change were made to the PSA model to meet this requirement? . However. the process of moving the PSA model to EOOS has been little cumbersome since the format of the PSA model was developed in a software package (SETS and TEMAC) which represents the model in a scriptlike fashion and include features not found in CAFTA format. which is the format used by EOOS.event tree/fault tree . Q23 What problems were encountered in the development of the Risk Monitor PSA mode from the initial PSA? A23 There were not major problems encountered in the development of the Risk Monitor PSA model. The basic PSA event tree/fault tree models have sufficient level of detail. so there was not necessary the addition of safety system components to the Risk Monitor PSA model.requantification of the whole model . The Risk Monitor of Laguna Verde is using the requantification of the whole model option.for example. changing the model for LOCAs from a single representative initiating event in one of the loops to separate initiating events in each of the loops? Other? (please give details). in which the model is solved at a higher cut off value than the full quantification and the cutsets list are compared with the full cutsets list. The Risk Monitor since uses the requantification of the whole model option considers all the initiating events that were included in the initial PSA.for example. As it was mentioned in the answer to question 11. A22 The only change made to the basic PSA model to develop the one used in the Risk Monitor is the removal of all the basic events that represent the unavailability of system and components due to test and maintenance. interconnections between trains of safety systems? Inclusions of initiating events screened out of the initial PSA? Addition of safety system components not included in the initial PSA? Removal of asymmetries . the Risk Monitor model considers the same plant configuration and system aligments as the basic PSA model. Any new cutsets are added to the list and the new list is used to perform the risk calculation.

the RM will have to be updated consistent with the currently PSA model. along with a detailed review by the Mexican regulatory agency. The Risk Monitor updating is subjected. to a internal peer review and a review and verification by the regulatory agency. Q27 How are changes to the Risk Monitor controlled to ensure that it remains an accurate. as well as the LPSA. That is why the FORTE quantification engine used to solve the whole model was implemented in the Laguna Verde Risk Monitor and a better performance PC will be install in the control room of the plant. This updating will include desing changes. So once this updating process is finished the LPSA will actually represents in an accurate way the plant desing. . This updating is subjected to an utility internal peer review and QA process to assure that all the plant modifications have been considered. modifications to operation and maintenance procedures. collection of plant specific data. The basic idea during the development of the Risk Monitor was to increase the speed at no cost of accuracy. unless there were important changes to the plant that significantly impact the global risk figures. changes to the event trees/ fault trees used in the model or the data used)? A26 The basic PSA model for Laguna Verde will be updated each operating cycle (6 months later of the refueling outage). representation of the plant? A27 The Living PSA model for Laguna Verde is updating. However. and methodological improvements. Q25 What trade-off is there between the speed and accuracy? A25 It was not necessary to trade-off the speed and accuracy of the Risk Monitor. Since the Risk Monitor is based on the LPSA model. operation and maintenance. the plant operators claim that for some risk calculation the response time is too high. each operating cycle.A24 There were not requirement impose regarding the response time. according to the changes made to the model. Once the PSA model were updated the RM will have to be actualized. with the same frequency. CONTROL OF MODIFICATIONS TO THE RISK MONITOR Q26 How often are changes made to the PSA model used in the Risk Monitor (to include. as established in answer to question 26.

it is not mandatory to shutdown the plant. RISK CRITERIA USED IN THE RISK MONITOR Q30 What risk levels are set in the Risk Monitor? This should address any risk criteria used within the Risk Monitor to determine the regions of normal maintenance/ urgent maintenance/ shutdown.706E-05 Inaceptable Risk The risk level associated with a particular plant configuration is just an indication of the risk increase. Since .RESULTS. etc. Even if the risk calculation indicates that the risk associated falls in the region 4 (colour red). EXPERIENCES AND LESSONS LEARNED FROM THE USE OF THE RISK MONITOR. Q28 Which applications of the Risk Monitor have been most successful? A28 Since the Laguna Verde Risk Monitor is used on a trial basis the only risk informed application were the RM has been used is Configuration Control.0 times the base CDF Yellow Small Risk Increase 30 times the base CDF 10 times the base CDF Orange Moderate Risk Increase More than 30 times More than 10 times Red the base CDF the base CDF Baseline risk for the zero maintenance model 2. the Mexican regulatory agency has evaluated them and has proposed a new ones. A30 The EOOS monitor for Laguna Verde shows the instantaneous risk calculation in varying colours according to the risk levels preset. A meeting is scheduled to define the final risk levels to be used in the Risk Monitor. Actually the RM uses the risk levels proposed by the regulatory agency. The utility has proposed and submitted a set of risk levels. Q29 Which applications of the Risk Monitor have been least successful? A29 Since the Laguna Verde Risk Monitor is used on a trial basis the only risk informed application were the RM has been used is Configuration Control. Risk Levels proposed by the Utility Risk Levels proposed by the regulatory agency Colour Comments 3 times the base CDF 1.1 times the base CDF Green Risk Insignificant 10 times the base CDF 2.

this configuration is controlled and allowed by the Technical Specification. once they were approved by the Mexican regulatory agency. FUTURE PLANS AND ACTIVITIES Q31 What are the future plans for the development and use of the Risk Monitor? This should relate to any proposed extensions of the scope of the PSA. to get a sound foundations to implement the risk-informed performance-based regulation.a more aggresive PSA application program will be initiated. The utility is only requested to take the necessary steps to get away from the region 4 (color red) as soon as possible. within the Mexican regulatory agency and the utility. PUBLISHED MATERIAL Q32 What material has been published on your Living PSA/ Risk Monitor? (Please supply) copies of the papers or details of the reference). The Risk Monitor scope will be expanded to include the Internal Flooding Analysis and Fire Risk Analysis. This process will result in a version of the RM that could be used in a production basis. A32 No material has been published on the Laguna Verde Risk Monitor. The plans also include the movement of the Living PSA computer platform from SETS and TEMAC to a more efficient one like CAFTA or SAPHIRE. . Finally. etc. further development of the software or the PSA models. additional applications. A31 The future plans for the development and use of the Living PSA/Risk Monitor include the updating process in order to get a PSA model that accurate represents the plant.