1PIE: postulated initiating event.

2For the concept of core damage, specific criteria have to be specified, as described in Section 5 of this Safety Guide. These criteria may be different for different reactor designs.

3The objectives for core damage frequency in Ref. [4] are (a) 1 × 10^–4 per reactor-year for existing plants and (b) 1 × 10^–5 per reactor-year for future plants. It was not explicitly specified in Ref. [4] for which scope of PSA the numerical values are applicable. It is assumed that a full scope PSA is meant.

4The objective for large off-site releases requiring short term off-site response is 1 × 10^–5 per reactor-year for existing plants. Reference [4] does not specify a numerical value for a large off-site radioactive release for future plants, but states the following qualitative objective: “Another objective for these future plants is the practical elimination of accident sequences that could lead to large early radioactive releases, whereas severe accidents that could imply late containment failure would be considered in the design process with realistic assumptions and best estimate analyses so that their consequences would necessitate only protective measures limited in area and in time.”

5In some States, the target for the risk of death of a member of the public is taken to be 1 × 10^–6 per reactor-year

6PSA for low power and shutdown states is usually performed as part of the same study.

7Instead of the term ‘quality assurance’, the term ‘management system’ is used in Ref. [7]. The term ‘quality assurance’ is left in this Safety Guide in order to comply with widely accepted current practices and terminology used in the area of PSA.

8Several core damage states can be specified, depending on the degree of the damage, for example, in channel type reactors, damage to different numbers of channels is usually considered depending on the severity of the consequences. Another factor in specifying the degree of core damage can be timing, e.g. delayed core damage.

9Other techniques are possible and may be used for specific aspects of the PSA. However, the usual approach is to use a combination of event trees and fault trees and this approach is assumed to be used (see paras 5.4–5.6).

10In the modelling of maintenance outages, it is generally assumed that the plant is operated within the limiting conditions for operation specified in the technical specifications.

11See para. 5.151 for examples of importance measures.

12In this context, a ‘probabilistic model of software failure’ is taken to mean both the probability that, following an initiating event, the correct parameter values are input into the computer system but the correct output is not generated due to an error in the software and the consequences of that error.

13For a specific basic event, the Fussell–Vesely importance measure is the fractional contribution to the total frequency of core damage for all accident sequences containing the basic event to be evaluated.

14The risk reduction worth is the relative decrease in the frequency of core damage if the probability of the particular failure mode is considered to be zero. The risk reduction worth is a direct function of the reliability of the equipment and can be used to assess the contribution of the failure mode to the core damage frequency.

15The risk achievement worth is the relative increase in the frequency of core damage if the failure of the particular item of equipment is considered to be certain. The risk achievement worth is a measure of the importance of the function performed by the equipment. It identifies the equipment playing a major role with regard to safety, even if the failure rate of such equipment is very low.

16The Birnbaum importance measure is a measure of the increase in risk when a component is failed compared with when the component is operating.

17In this context, a point estimate is meant to be either a point estimate usually calculated by a PSA computer code or another parameter or quantile of the probability distribution, such as the mean or median.

18This Safety Guide does not provide recommendations relating to events originating from the impact of war or acts of sabotage or terrorism. However, consideration should be given to incidental hazards posed by military facilities or peacetime activities (e.g. crash of a military aircraft).

19According to Ref. [8], extreme meteorological conditions include extreme temperature, extreme atmospheric moisture, snow precipitation (also blizzards) and ice pack, and lightning. Other hazards may be connected to these, such as frazil ice, frost and hail.

20The following are examples of some potential combined external hazards:

Drought (due to high air temperature) and strong wind and smoke from forest fire;

Strong wind and lightning;

High air temperature and high water temperature;

Snowfall and strong wind;

Drifting snow and strong wind;

Drifting snow and strong wind and frazil ice.

21The warning time is the period necessary for a possible flood to travel from the main source (river, upstream basin, dam, etc.) to the site, and is therefore also directly related to the accuracy of prediction.

22An example of such a combination of hazards is high winds and external floods. Even if each hazard could be screened out, the combination of hazards may have much higher impact on the risk to the plant, for example, when external floods are accompanied by, or even caused by, high winds.

23The following examples of changes are for the purposes of illustration:

Changes in military and industrial facilities within a 30 km radius around the site or changes in nearby transport routes (i.e. railways, aircraft, roads and rivers) leading to changes in the range and magnitude of human-induced external hazards.

Changes in dam construction on rivers above the plant site leading to an increase in the damage potential of the external flood hazard.

Changes in environmental conditions (average annual wind speed and maximum annual wind speed, water level, temperature, local precipitation, etc.) leading to an increase in the frequency of natural external hazards with higher damage potential, etc.

24In Ref. [9], a fire compartment is defined as a building or part of a building that is completely surrounded by fire resistant barriers, i.e. all walls, the floor and the ceiling. In contrast to this, in the context of a PSA for internal fires, a fire compartment could be a wellenclosed room that is not necessarily surrounded by fire resistant barriers.

25Examples of impact categories (see Ref. [12]) are as follows:

Loss of off-site power or station blackout;

Degradation or loss of ultimate heat sink;

Explosion or release of hazardous material;

Degraded or isolated plant ventilation (owing to risk of toxic impact).

26The spectral acceleration provides more comprehensive information than the peak ground acceleration.

27For example, an observed diversity in a river bed can be used for justification of a decreased frequency of associated transportation accidents.

28Aleatory uncertainties arise due to the random or stochastic nature of the events being modelled in the PSA. Epistemic uncertainties arise due to limitations in the state of knowledge.

29Fragility is the conditional probability of failure of a system, structure or component for a given hazard input level.

30The probability of dam failures should be calculated for different levels in the river. It is typical to assume dam failure for a river level above the dam failure design level.

31Note that, in this section, the focus is on the Level 1 PSA. It should be noted, however, that for many applications, it is expected that insights from a Level 2 PSA or even a Level 3 PSA will also be necessary

32Examples of publications providing additional information on application of PSA are IAEA-TECDOC-1200 on Applications of Probabilistic Safety Assessment (PSA) for Nuclear Power Plants [14] and IAEA-TECDOC-1511 on Determining the Quality of Probabilistic Safety Assessment (PSA) for Applications in Nuclear Power Plants [15].

33 For explanation of the various importance measures, see footnotes 13 to 16.

34While errors of commission may not be explicitly included in the PSA model, a discussion of how a change might affect the potential for errors of commission can provide useful additional information that can support the decision on the acceptability of the change.

35Examples include methods developed by, and known as, the Electric Power Research Institute methodology and the Westinghouse Owners Group methodology, which have both been used extensively.

36An example is Section OM of Ref. [17].

37In the United States of America, risk informed quality assurance has been superseded by risk informing the ‘special treatment’ requirements which include quality assurance, but which also include items such as environmental qualification. The reason for this is that even if changing the quality assurance requirements were demonstrated as being feasible, the other special treatment requirements would not allow the change to be implemented. Therefore, the special treatment requirements have to be treated as a whole. This application is addressed through a voluntary regulation, 10 CFR 50.69 [18].