INDEPENDENT ASSESSMENT FOR NEW NUCLEAR REACTOR SAFETY

A rigorous framework for safety assessment is established in all countries where nuclear technology is used for the production of electricity. On the one hand, industry, i.e. reactor designers, vendors and utilities, performs safety analysis and demonstrates consistency between the results of safety analyses and requirements. On the other hand, regulatory authorities perform independent assessment of safety and confirm the acceptability of safety of individual reactor units. The process of comparing results from analyses by reactor utilities and regulators is very complex. The process is also highly dependent upon the mandatory approaches pursued for the analysis and upon very many details which require knowledge of sensitive proprietary data (e.g. spacer designs). Furthermore, all data available for the design, construction and operation of reactors produced by the nuclear industry are available to regulators. Two areas for improving the process of safety assessment for individual Nuclear Power Plant Units are identified:


Introduction
The paper deals with Nuclear Reactor Safety Technology (NRST) involving fission and water cooled or moderated reactors. NRST has been established for several decades, starting from the discovery of nuclear fission. Well known events, the latest one being Fukushima, have challenged the sustainability of nuclear technology and undermined the trust of the public, of the decision makers and even of the scientific community toward nuclear safety. Innovative ideas and proposals are possibly needed to restore the confidence and escape the irreversible loss of competence which also feeds the further degradation of the sustainability of this technology.
The legal branch of NRST is known as licensing. A licensing process is initiated each time the construction of a new nuclear installation where radioactive material is present is planned. Any Nuclear Power Plant (NPP) constitutes a nuclear installation or the concerned facility. The licensing process aims at ensuring the safety of each NPP unit, as well as at protecting the public and the environment from harmful radiations.
A Government Body under the control of a Ministry, typically Industry or Safety-Security Ministry in various Countries, is responsible for the licensing process and mandates the modalities which (typically) are part of the Atomic Energy Act and of the Laws in the concerned country. The Government Body is known as licenser. The licenser must approve the safety demonstration prior to the start of the operation of a facility.
On the other side, there is the owner of the nuclear installation or facility, which is, typically, the operator of the concerned NPP unit or the applicant of the licensing process. The operator is known as licensee. The operator must fulfill all the obligations set by the licenser, namely making available any information detail and data related to the facility.
In between the licenser and the licensee, there are typically other organizations, or institutions, or individuals: examples are the NPP designer and vendor, consultants including technical support organizations and research bodies including universities. Those 'other organizations' cooperate either with the licenser or with the licensee to finalize the licensing process.
Looking at the above terms, the licensing process constitutes a perfect process and there is no room for improvement. However, in order to undermine the concept of perfect process, also showing its complexities, let's consider the following facts (just three out of many more examples):
a) In order to demonstrate the safety of an NPP, analysts need to calculate temperature and stresses in individual fuel pins (thickness of the clad is few tenths of mm), solving a multi-scale and multi-physics problem; providing an analogy in aeronautics, the given problem is similar to demonstrating the integrity of a crystal glass glued on the wing of an airliner following a cycle take-off / trip under any meteorological condition / landing.
b) There is evidently no countermeasure for the falling of a meteorite upon a nuclear facility. The same falling in the region around the facility may also generate an earthquake and tsunami beyond the design limits of the facility. The issue here is that the probability value for meteorite falling may have changed after the facility has been put in operation.
c) Most of the NPP units now in operation have been designed at a time when computers and computational tools and methods were not available. The obvious question arises on how the new findings can be integrated in the old designs.
Furthermore, it is part of the human nature to optimise any aspect which may generate a benefit: this is the basis of progress of civilization. So, designers continuously improve the system and regulators continuously improve the techniques to check the design. Namely, within the NRST, independent assessment, i.e. the safety evaluation made by the licenser knowing the construction data of the facility and adopting methods 'independent' of the licensee, is the foundation to finalize the licensing process. So, where is the weakness?
In the attempt to address the question, two areas for improving the licensing process are identified:
• New details introduced by industry are not always and systematically requested by regulators for the independent assessment: for instance, the type of glue used to attach the glass to the wing may produce unexpected effects.
• New analytical techniques and related capabilities as well as new evidence are not necessarily used in the analyses by regulators and by the industry; for instance any impact in safety demonstration is calculated from the change in probability of a meteorite fall.
The experience gained in a recently completed effort to demonstrate the safety of an NPP in parallel to the safety demonstration provided by the designer helped in triggering the issue (or in answering the question "Where is the weakness?") and in generating insights into the topics of the bullet items above. The concerned effort is the licensing process of Atucha-II in Argentina. Because of events not relevant here, the design of the NPP was completed at the end of the 1980s, when the start and stop of construction also occurred. Construction was resumed in the middle of the 2000s, when the original design industry was no longer available to supply a 'new' safety demonstration as requested by the licenser. Consequently, an independent safety analysis was needed. The new safety evaluation was completed and approved by the licenser at the beginning of the 2010s [1]. The facility's detailed construction data and the latest computational techniques (i.e. available thirty years after the time of design of the facility) were adopted. Namely, the effort implied the use of the so-called Best Estimate Plus Uncertainty (BEPU) approach, see e.g. ref. [2], and the installation and the operation of an experimental facility [3].
The paper intends to investigate the two bullet items and, by discussing some of the BEPU features, to show how BEPU may represent a reasonable solution for new reactor safety; this could be of benefit for industry and for regulators and, definitely, for the acceptance of nuclear plants by the public.

The features of the BEPU approach
A textbook is needed for a comprehensive description of BEPU; see e.g. ref. [4]. On one side, it is straightforward to discuss the outcomes of a BEPU calculation; on the other side it is difficult to explain shortly what BEPU is. Hereafter some generic BEPU-definition statements are given, see also Fig. 1 for an overview:
• The BEPU is a logical process or an approach which connects the understanding in nuclear reactor safety (see also licensing below) with nuclear thermal-hydraulics.
• The starting point for BEPU is the understanding of the phenomena. Thus, BEPU implies the identification of the accident scenarios which are part of the 'design basis envelope'.
• BEPU implies the existence of qualified computational tools including best estimate numerical codes dealing with different disciplines, input decks or nodalizations and a method to evaluate the uncertainty. The words 'different disciplines' imply the coupling among codes and the ability to qualify the resulting coupled codes. The terms "best estimate" and "realistic" have the same meaning. Both terms are used to indicate that the techniques attempt to predict realistic reactor system response [US NRC Regulatory Guide 1.157, Best Estimate Calculations of Emergency Core Cooling System Performance].
• BEPU needs the existence of qualified procedures for the application of the computational tools; see also the discussion in ref. [5].
• BEPU needs the existence of qualified code users and of experts capable of evaluating the results and of establishing whether additional analyses are needed.
• BEPU needs the existence of 'legal' acceptance criteria (e.g. suitable licensing framework).
• The application of BEPU implies the deep knowledge of the licensing process in the country where the nuclear power plant is built and in the country where the same plant has been designed. Furthermore, advancements in licensing process by different international institutions shall be continuously considered.
• The structure of the Final Safety Analysis Report (FSAR) must be adapted to BEPU and connections shall be identified among different chapters; this is specifically true in relation to the design of the core, the experimental data drawn during the commissioning period of the plant and the design of operational and emergency procedures.
• A metaphor can be used to describe BEPU: The knowledge acquired in nuclear thermal-hydraulics resembles a city suddenly abandoned by inhabitants; everything is there at rest and no information is available to trigger the life in the city. A wild experienced traveler arriving there feels lost and unable to use his competence and the existing and visible knowledge. In the allegory, the wild experienced traveler is the (expert) thermal-hydraulic specialist, the city and its components and systems is the nuclear thermal-hydraulic knowledge and BEPU constitutes the civilization needed to make alive the city.
• BEPU constitutes a process which implies the widest exploitation of data and information in nuclear thermal-hydraulics: this can be derived from Fig. 1.
• BEPU implies the integration between Deterministic and Probabilistic Safety Analysis, i.e. DSA and PSA, respectively [6].
Due to the above, any BEPU report as well as any BEPU finding should be a living document or periodically updated. Proposed developments in the area include BEPU for all FSAR, see e.g. [7], and the companion paper to the present paper in this Conference [8].

The connection with Independent Assessment
Independent Assessment (IA) constitutes (as already mentioned) a recognized concept within NRST which was proposed with the safety technology; so, the IA concept is 'much older' than BEPU. The message we wish to provide here is that nowadays the implementation of IA is not useful without the additional part of BEPU.
The first step to clarify the message implies the distinction between conservatism and Best-Estimate. Let's attempt to distinguish the two terms in a simplified way, also through the use of examples.
In a conservative approach, unfavourable values are used in order to take into account uncertainties due to limited capability of modelling and limited knowledge of phenomena, and to simplify the analysis [IAEA Specific Safety Guide No. SSG-2: Deterministic Safety Analysis for Nuclear Power Plants]. In that case, assumed plant conditions and physical models are set conservatively. For instance, (i) pressure resistant walls are built with a thickness larger than what is resulting from the available theoretical model/equations; (ii) allowed core operational power is lower than the assumed power; (iii) in the case of the crystal glass glued upon the wing of an airliner, the conservative solution to use the glass at the end of the trip is to carry it on board into a protective envelope. Expertise possibly coming from previous built and operated facilities is needed to confirm the acceptability of conservatism. Thus the designer and the owner of the facility (may) have the needed expertise to fix the conservatism.
The word 'Best-Estimate' implies the use of validated models/equations according to the best practice available to the scientific community and the capability to prove the quality of results. However, the word 'uncertainty' which appears in the acronym BEPU also corresponds to lack of precise knowledge. In this case, proper methods, procedures and data are collected to estimate the contribution of the lack of knowledge to the end result (i.e. the design or the operational parameters of the facility). Qualified groups of analysts (may) have the competence needed to estimate the uncertainty.
The last step to clarify the provided message deals with the two bullet statements of the Introduction of this paper.
The industry attitude is toward a more efficient product to win the competition with other industries (first bullet item). This involves, among other things, the implementation of feedbacks from experience and the transport of applied R & D results into the production. Details of design, construction and operation are continuously modified (a well-known example is the configuration of spacer grids in the core). Sample connected-or-consequent facts are: (i) safety impact of any change may not be evaluated as relevant; (ii) there is no benefit to make available (e.g. to licenser) proprietary data. Definitely, some facility related data may not be made available to the licenser, even though the commitment of the licensee to all-data-access is kept.
Parallel to industry activity, research is on-going in several areas, e.g. to improve computational methods applicable for safety evaluations. Licensers (other than licensees) may not necessarily be aware of those developments (second bullet item).
The easy inference is that the best possible IA is not performed under present conditions; i.e. not all design details are available, and the most sophisticated methods are not used.
The solution is to combine BEPU and IA under a new framework [9]. This means the introduction of a new level of safety evaluation which removes the drawbacks discussed under the first and the second bullet item and keeps the IA feature. The proposal in ref. [9] is to create a consortium of competence of senior experts (already called COCONUT = Consortium of Competence in Nuclear Technology) who have access to licensee data, perform IA and refer to the licensee, without infringing the data property condition. The same experts guarantee the licenser about fulfilment of regulatory requirements by issuing a parallel BEPU-based FSAR. The complexity of implementing the proposed consortium is recognized together with its cost.

Conclusions
BEPU is needed to assess the conservatism in the design and the operation of NPP. Possibly, suitable conservatism can only be introduced by NPP designers or owners based on expertise which comprises operation of similar plants, proprietary best estimate analyses and measured data. In other terms, designers / owners of NPP are expected to own best-estimate information and to make available conservative information to the regulator. This covers the best available data and prevents the disclosure of proprietary information. A licenser, on the other hand, may not have the expertise of the designer / owner and may not be able to fix suitable conservative values for parameters which are input to the analyses for safety demonstration. Thus, BEPU may reveal as the only logical approach for the licenser for an independent assessment of the licensee submission: the uncertainty in input parameters is derived 'independently' and substitutes, and eventually is consistent with, the conservatism of the licensee based on proprietary best estimate information.
Furthermore,
a) BEPU process or approach uses knowledge of system thermal-hydraulics.
b) The BEPU idea may be seen as having a direct connection with the "As Low As Reasonably Achievable (ALARA)" principle for minimizing the contact between harmful radiations and humans: BEPU approach implies the best tool to estimate fission product releases and the margins to the related acceptability thresholds.
c) BEPU must be adopted for the entire FSAR (the BEPU extension from nuclear thermal-hydraulics to the entire FSAR topics is not discussed in this paper): this appears a logical follow-up of the findings and of the expertise gained by the scientific community during the last couple of decades in the nuclear safety evaluation area.
The key conclusion for the paper is the need to combine BEPU and Independent Assessment. A specifically created consortium of competence may demonstrate to be functional to this aim within an innovative safety framework.
Finally, the BEPU approach, including BEPU used by independent assessors and BEPU covering the entire FSAR, guarantees a higher level of confidence in the safety evaluation than what is reached and accepted nowadays. Namely, BEPU activities constitute software types of activity; as such, the safety level of existing nuclear facilities is not modified by performing BEPU analyses; only if inconsistencies are found related to acceptability criteria, changes in hardware or safety parameter limits may follow from BEPU studies. However, the completion of BEPU activities may be the basis of creating an additional barrier to the release of fission products; this can be achieved by considering the extensions of the concept of safety margins [10]; a well-based series of revised safety signals can be planned following BEPU analyses for the entire FSAR.
The BEPU connected with Independent Assessment, involving the application to the entire FSAR and the design / implementation of NPP signals continuously measuring the extended safety margins, has the potential to reduce in a quantifiable way the possibility of core degradation; disasters like Three Mile Island, Chernobyl and Fukushima can be prevented.

Fig. 1 - The BEPU process focusing on Accident Analysis and Chapter 15 of FSAR (NOTE: Acronyms and symbols in the figure not defined in the paper are, in alphabetic order: ITF = Integral Test Facility; SETF = Separate Effect Test Facility; SYS TH = System Thermal-Hydraulics; V & V = Verification and Validation; Ṁ_ECC = Mass flow-rate of injected Emergency Core Cooling; Ṁ_w,COND = Condensed mass flow-rate penetrating the core; Ṁ_s,G = Upward mass flow-rate of steam and gas; T_sat = saturation temperature; T_w = water temperature).