Chapter 4: Safety Assessment

Quality of Accident Analysis

Quality assurance

Accident analysis needs to be the subject of a comprehensive quality assurance programme applied to all activities affecting the quality of the final results. The quality assurance programme needs to define the quality assurance standards to be applied in accordance with national requirements and internationally recognized good practices. Such a programme would consider the following general principles. Formalized quality assurance procedures and/or instructions need to be developed and reviewed for the whole accident analysis process, including:

    • Collection and verification of plant data;
    • Verification of the computer input deck developed and documentation of detected errors;
    • Validation of plant models.
The responsibilities of all individuals in the organization involved in the analyses need to be clearly specified. Safety analysts need to be trained and qualified, and their qualifications need to be adequately documented. All documents, including calculation notes and results, need to be recorded to allow them to be independently checked by qualified reviewers. An effective control of non-conformance with procedures, as well as control of corrective actions, needs to be introduced. Validated and accepted methods and tools need to be used, and their uses need to be referenced and documented. All sources of data need to be clearly referenced and documented. The results can be checked using one or more of the following techniques, depending on the importance of the analysis:

    • Supervisory review;
    • Peer review;
    • Independent review by a competent individual;
    • Independent calculation of the same case under analysis by a competent individual.
All differences found during the review need to be resolved to the satisfaction of the reviewer and/or line management before the final use of the results. All safety analyses used for plant licensing need to be archived so that the code version, code documentation, input data and calculational results are recoverable.

User effect on the analysis

The user can still have a significant influence on the quality or variability in results of the analysis. This is most evident in the relatively wide variation in results from different organisations and code users participating in international standard problem exercises (see TECDOC-1872 for examples). Although some of the user-to-user variation is due in part to the use of different computer codes, a substantial variation is also observed when different users employ the same codes, as they may select differing but equivalent code inputs. In this case, the "user effect" is also a reflection of the underlying uncertainty in the code models, evidenced by uncertainty in best practice code inputs.

Sources of user effect

Negative user effects are introduced by:

    • Insufficient level of experience of the user;
    • Lack of adequate user guidelines and training;
    • Inadequate quality assurance processes to ensure that the input accurately reflects the system being analysed;
    • Limitations in the codes themselves.

Reduction of user effects

User effects can be reduced by:

    • Improving user qualification and training;
    • Establishing a rigorous process for performing safety analyses. The process for a DBA analysis typically includes the following steps:
        o Identification of the key physical phenomena;
        o Demonstration of the adequacy of the code. The demonstration is based on the code documentation;
        o Identification of the key parameters of the calculation. The key parameters of the calculation are the parameters which represent the dominant physical features: they can be initial conditions, boundary conditions, models and correlations;
        o Quantification of uncertainties;
        o Reflection of uncertainties in the results.
    • Improved user guidelines;
    • Continued improvement in codes. Improved checking for input errors and development of more advanced graphical user interfaces will continue to reduce potential user errors.
    • Independent validation of safety studies by each organisation. This validation can be based on a reasonably limited number of experiments taken from the whole validation matrix available.
    • Independent checking and/or peer review of input decks. This is a powerful way of finding user errors. Critical calculations need to be performed by two individuals (or teams) acting independently. Independent checks using a different computer code on the same problem can also be effective.
    • Participation in software user groups and other technical exchange programmes.

Preparation of input data

The preparation of input data takes place in four phases:

    • Collection of plant data: from technical specifications, documentation of plant design and operational data.
    • Development of an engineering handbook and input deck: the engineering handbook details all the calculations and assumptions which have been used to develop the input deck from the plant data.
    • Verification of the data: the input deck is checked for formal correctness, i.e. that no erroneous data have been introduced into it and that all formal and functional requirements are fulfilled accurately and therefore will permit its successful use.
    • Validation of input data: the purpose of validating input data is to demonstrate that the model adequately represents the functions of the modelled systems.
For the validation of input models for severe accident analysis, checks should be performed for:

    • Steady state response;
    • Mass and energy balances;
    • Time step convergence (sensitivity calculations with variation of the time step size) and spatial convergence (sensitivity calculations with variation of the core/primary system/containment meshing);
    • Behaviour and function of system components;
    • Timing of events (i.e. cladding rupture, onset of zirconium oxidation, beginning of fuel melting, relocation of fuel to the lower plenum, vessel failure);
    • Timing of some key events and key parameters (integral hydrogen generation, fission product release fractions, peak temperatures and pressure response, cavity ablation, etc.).
The predicted plant behaviour should be consistent with the expected plant behaviour. The timing of events in the accident sequence and key parameters, such as the hydrogen generation and peak temperatures, should be checked by engineering judgement, taking into account the experience from integral experiments as well as the results of other available severe accident analyses. This requires a detailed knowledge about the phenomena occurring during a severe accident.