RISK MONITORS
A Report on the State of the Art in their Development and Use
Produced on behalf of
OECD WG RISK and IAEA
Compiled by
Dr C H SHEPHERD
HM Principal Inspector,
Nuclear Installations Inspectorate, UK
Issue 4, November 2002


TABLE of CONTENTS

1. INTRODUCTION 8

1.1 Background 8

1.2 Aim of the work 8

1.3 Way of working 9

1.4 Structure of the report 9

2. Terminology used in the report 11

2.1 Living PSA and Risk Monitor 11

2.2 General terms 12

2.3 Risk measures 13

2.4 Allowed Outage Time and Allowed Configuration Time 15

2.5 Terms related to the basic PSA model and the Risk Monitor model 16

2.6 Maintenance Rule 17

3. DEVELOPMENT OF RISK MONITORS 19

3.1 Current position on Living PSA/ Risk Monitors 20

3.2 Reasons for developing a Risk Monitor 20

3.3 Application of Living PSA/ Risk Monitor 21

3.3.1 Design changes 21

3.3.2 Configuration control 21

3.3.3 In-service inspection 21

3.3.4 Development of Technical Specifications 21

3.3.5 Demonstrating compliance with deterministic requirements 22

3.3.6 Demonstrating compliance with the maintenance rule 22

3.3.7 Accident precursor analysis 22

3.3.8 Quality assurance 22

3.3.9 Other 22

3.4 Current status of Risk Monitors 22

3.4.1 PSA model included in the Risk Monitor 23

3.4.2 Modelling changes in the plant configuration and system alignment 23

3.4.3 Time-dependent dynamic events 24

3.4.4 Time-dependent initiating event frequencies 25

3.4.5 Modelling of common cause failures 26

3.5 Organisational aspects of the use of the Risk Monitor 27

3.5.1 Role of the Risk Monitor during operation 27

3.6 Development of the Living PSA model for use in the Risk Monitor 29

3.6.1 Running and standby equipment 29

3.6.2 Safety system alignments 29

3.6.3 Inclusions of initiating events screened out of the initial PSA 29

3.6.4 Addition of safety system components not included in the initial PSA 30

3.6.5 Removal of asymmetries 30

3.6.6 Removal of basic events modelling maintenance outages 30

3.7 Problems encountered in the development of the Risk Monitor PSA model 31

3.7.1 Incompatibility of PSA codes 31

3.7.2 Checking the results produced by the Risk Monitor 31

3.8 Control of modifications to the Risk Monitor 31

3.8.1 Frequency of updating 31

3.8.2 Control of changes 32

3.9 Results, experiences and lessons learned from the use of the Risk Monitor 33

3.9.1 Most successful applications of the Risk Monitor 33

3.9.2 Least successful applications of the Risk Monitor 34

3.10 Future plans and activities 34

4. Software packages available 36

4.1 Introduction 36

4.2 Software used in the Risk Monitor application 36

4.3 Safety Monitor 37

4.4 Equipment Out Of Service (EOOS) 42

4.5 ORAM-SENTINEL™ 48

4.6 ESSM, ESOP1-LINKITT and ESOP used in the UK 62

4.6.1 Essential Systems Status Monitor (ESSM) 62

4.6.2 ESOP1-LINKITT 65

4.6.3 ESOP 69

4.7 RiskSpectrum RiskWatcher 74

4.8 Other Risk Monitor software 83

5. Development of the Basic PSA into a Risk Monitor model 84

5.1 Suitability of the basic PSA for a Risk Monitor application 85

5.1.1 Limitations of the basic PSA 86

5.1.2 Approach used for the basic PSA 86

5.1.3 Limits of applicability of the Risk Monitor 87

5.1.4 Calculation of the point-in-time risk 88

5.2 Removal of simplifications from the basic PSA 88

5.2.1 Lumped initiating events 89

5.2.2 System alignments 90

5.2.3 Addition of safety system components not modelled in the basic PSA 91

5.2.4 Inclusion of initiating events screened out of the basic PSA 93

5.2.5 Maintenance modelling 93

5.2.6 Modelling running/ standby trains 94

5.2.7 Modular and Undeveloped Events 95

5.2.8 Common cause failure model following a reduction in redundancy 96

5.2.9 HRA model 98

5.2.10 Dynamic events 99

5.2.11 Initiating events involving support systems 101

5.2.12 Automated recovery 103

5.3 Dealing with software incompatibilities 104

5.3.1 NOT logic 104

5.3.2 Sequence specific house event settings 105

5.3.3 Top Logic development 106

5.4 Development of the Risk Monitor databases 107

5.4.1 Plant component to PSA basic event database 108

5.4.2 PSA related database 109

5.4.3 Interpretation databases 109

5.4.4 Pre-solution database 111

5.5 Validation of the Risk Monitor PSA model 112

6. USE OF RISK MONITORS 115

6.1 Users of Risk Monitors 115

6.2 Development of Interface between the Plant and the Risk Monitor 117

6.2.1 Interface for on-line use 117

6.2.2 Interface for off-line or retrospective use 118

6.2.3 Correctly identifying component unavailabilities 118

6.3 Risk Monitor software interface design 119

6.3.1 Access Levels 119

6.3.2 Input of configuration and environmental factor information 121

6.3.3 Capabilities for analysing retrospective operating histories 123

6.3.4 Treatment of dual-units 123

6.3.5 Use of plant and PSA terminology 123

6.3.6 PSA model solution 124

6.3.7 Risk Monitor Output 124

6.3.8 Other items 126

6.4 Use of Risk Monitor Outputs 127

6.4.1 Risk levels and action statements 127

6.4.2 Use of quantitative risk criteria 128

6.4.3 Use of qualitative risk measures 129

6.4.4 Discussion 131

6.5 Control of changes to the Risk Monitor PSA model 132

6.6 Training requirements 134

6.6.1 On-Line Users 135

6.6.2 Maintenance planners 135

6.6.3 Off-line users 135

6.6.4 Management and Key Personnel 135

6.6.5 Model Development and Installation 136

6.7 Other applications 136

6.8 Procedures 137

7. OPERATIONAL SAFETY CRITERIA AND ALLOWED CONFIGURATION TIMES 143

7.1 Introduction 143

7.2 Operational Safety Criteria for full power operation 144

7.2.1 Operational Safety Criteria for full power operation defined in terms of absolute risk levels 144

7.2.2 Operational Safety Criteria for full power operation defined in terms of multipliers on the baseline risk 145

7.2.3 Comparison of the approach used to define Operational Safety Criteria 146

7.2.4 Comparison of the numerical values used for Operational Safety Criteria 147

7.3 Allowed Configuration Times 148

7.3.1 Methods used for the calculation of the Allowed Configuration Time 148

7.3.2 Discussion and conclusions on Allowed Configuration Time calculations 150

8. LIMITATIONS OF RISK MONITORS 152

8.1 Limitations in the basic PSA 152

8.1.1 Scope of the Basic PSA 152

8.1.2 Suitability of the Basic PSA model for Risk Monitoring 153

8.2 Incompleteness in the conversion process 153

8.3 Limitations in the software 154

8.4 Operational issues 155

8.5 Acceptance of Risk Monitors 155

9. Regulatory perspectives on Risk Monitors 156

10. COSTS AND BENEFITS OF RISK MONITORS 157

10.1 Risk Monitors Costs 157

10.1.1 Costs of Software Development and V&V 157

10.1.2 Cost of the conversion of the basic PSA into a Risk Monitor PSA model 158

10.1.3 Cost of enhancements carried out to the basic PSA 159

10.1.4 Costs of Quality Assurance and validation 160

10.1.5 Training costs 160

10.1.6 Costs of upkeep of the Risk Monitor 160

10.2 Overall indicative costs 161

10.3 Benefits from Risk Monitors 162

11. Conclusions 163

12. REFERENCES 166

12.1 References cited in the report 166

12.2 Other published material 166

Annex 1: QUESTIONNAIRE ISSUED BY WG RISK on regulatory perspectives 173

1.  INTRODUCTION

1.1  Background

The use of Living PSAs[{i}] during nuclear power plant operation has been addressed fairly extensively over the past few years. In particular, a series of four international workshops was held on Living PSA [1] and one on reliability data collection for Living PSA [2]. In addition, there have been IAEA publications [3].

One of the specific applications of Living PSA is the Risk Monitor[{i}], which is a real-time analysis tool used to determine the instantaneous risk based on the actual status of the systems and components. Risk Monitors are being used to provide risk information to operators and regulators for use in the decision-making process to ensure the safe operation of nuclear power plants.

The first Risk Monitors were put into service in the UK in 1988. Since then the number of applications world-wide has been increasing. This is arguably the most influential development of PSA and the number in service has increased rapidly in recent years. In view of this, it is a good time for OECD and IAEA to review the current state of the art in this area.

1.2  Aim of the work

The aim is to determine what the state of the art is in the development of Risk Monitors and their use in making risk informed decisions during nuclear power plant operation.

The work will:

-  describe the state of the art in the development and use of Risk Monitors at nuclear power plants,

-  provide information on the software packages available for Risk Monitors,

-  give information on the issues relating to the design of the Risk Monitor interface so that it provides a tool that can be used by all station staff,

-  discuss the Operational Safety Criteria that are currently being used in Risk Monitor applications, investigate the basis for these criteria and propose a scheme for justifying such criteria,

-  discuss the regulatory perspective on the use of Risk Monitors to provide risk information which can be used during nuclear power plant operation, and

-  give insights into the costs involved.

As well as providing information on the state of the art, the report also identifies the issues that need to be addressed in the development and use of a basic PSA for a Risk Monitor application and gives guidance on how these issues can be resolved.

The report also identifies the limitations in the use of Risk Monitors and gives insights into the perspectives of the Regulatory Authorities in the Member countries.

1.3  Way of working

This task is being carried out jointly by WG RISK and IAEA. The information presented in this report has been obtained from a number of sources as follows:

-  questionnaires on the development and use of Risk Monitors, software and Regulatory perspectives,

-  OECD and IAEA Workshops on Risk Monitors, and

-  WG RISK Task Group Meetings and IAEA consultants meetings.

1.4  Structure of the report

Section 2 defines the terminology used in the report. This includes the agreed definitions of Living PSA and Risk Monitor, and the measures of risk used in the report such as baseline risk, annual average risk, point-in-time risk, annual cumulative core damage (or large early release) probability and incremental core damage (or large early release) probability. It also defines the terms plant configuration and configuration control, PSA terms such as dynamic events, environmental factors and the top logic model, and provides a full description of the US NRC Maintenance Rule, which is one of the main reasons identified for developing Risk Monitors.

Section 3 describes the current position on the development and use of Risk Monitors during power plant operation. Based on a sample of Risk Monitors currently in use throughout the world, it covers the current position on Living PSA/ Risk Monitors, the applications of Living PSA/ Risk Monitors, the current status of Risk Monitors and the organisational aspects of their use. It also gives an overview of the software used in Risk Monitor applications, how the Living PSA model has been developed for use in the Risk Monitor and the problems encountered, how modifications to the Risk Monitor have been controlled, the results, experiences and lessons learned from the use of the Risk Monitor, the risk criteria used, and future plans and activities.

Section 4 describes the software packages which are available for the development of a Risk Monitor. This includes the packages which are most widely used (SAFETY MONITOR, EOOS and ORAM-SENTINEL), those which are used in one-off applications (ESSM, LINKITT, etc.) and those which are under development (RISK MONSTER, RiskSpectrum RiskWatcher, etc.). A description of each of these software packages is given which includes the methods used, compatibility with the software used for the basic PSA, capabilities of the software, risk information provided, etc. and includes pictures of the output screens.

Section 5 discusses the technical issues which arise in converting a Living PSA for use in a Risk Monitor application and gives guidance on how these issues should be tackled. This includes the PSA requirements, the development of a top logic model, the removal of asymmetries, the treatment of NOT logic, the modelling of cross connections between trains of systems, the modelling of common cause failure/ human error/ dynamic events in the PSA and the verification that the Risk Monitor PSA model produces the same results as the basic PSA.

Section 6 discusses issues related to the use of the Risk Monitor and again gives guidance on how these issues should be tackled. This includes the development of the interface between plant components and the basic events in the PSA and the design of the Risk Monitor user interface. This section also considers the training required.

Section 7 discusses the Operational Safety Criteria which need to be defined for a Risk Monitor application and the calculation of the Allowed Configuration Time. This includes information on how this is done for the Risk Monitors which are currently in use at nuclear power plants, gives a comparison of these approaches and gives guidance on best practice.

Section 8 discusses the limitations in Risk Monitors. These relate to the limitations in the basic PSA, the limitations in the Risk Monitor software and the difficulties in applying the results produced by the Risk Monitor.

Section 9 gives some regulatory perspectives on the development and use of Risk Monitors.

Section 10 indicates the costs involved in the development of a basic PSA into a Risk Monitor application.

Section 11 gives the conclusions drawn from the work.

Section 12 lists the references cited in the report and includes a wider reading list of papers describing particular Risk Monitor developments which have been consulted in the production of this report.

2.  Terminology used in the report

2.1  Living PSA and Risk Monitor

The definitions of Living PSA and Risk Monitor given by IAEA have been adopted – see Reference [2]. These are as follows:

Living PSA

This is defined as:

“a PSA of the plant, which is updated as necessary to reflect the current design and operational features, and is documented in such a way that each aspect of the model can be directly related to existing plant information, plant documentation or the analysts' assumptions in the absence of such information. The LPSA would be used by designers, utility and regulatory personnel for a variety of purposes according to their needs, such as design verification, assessment of potential changes to the plant design or operation, design of training programs and assessment of changes to the plant licensing basis.”