Challenges in Application of BEPU for Risk Evaluation

Abstract of the technical paper/presentation presented at:
ANS Best-Estimate Plus Uncertainty International Conference (BEPU 2018)
May 13–19, 2018

Prepared by:
Dumitru Serghiuta and John Tholammakkil
Canadian Nuclear Safety Commission


Aging and operating life extension and R&D discovery issues, as well as the cumulative effects of simultaneous or subsequent design changes in a nuclear power plant – which can be larger than the accumulation of the individual effects of each change – can challenge original safety margins. That is, in some instances, the traditional framework of deterministic safety assessment predicts erosion of margins, but with all regulatory requirements maintained. However, this traditional framework cannot indicate the sufficiency of the remaining margin to accommodate uncertainties in input parameters used for the assessment.

The use of the level-3 reliability approach and the concept of functional failure frequency could provide the basis for defining a safety margin metric that would include a limit for the probability of functional failure, as well as a more complete evaluation of protective systems in the risk space. However, the use of a best-estimate plus uncertainties (BEPU) method is necessary, in order to quantify the level of confidence, because BEPU has the ability to explicitly model and quantify uncertainties. Along with the functional failure concept, a BEPU method provides a better framework for representation of actual design within an integrated probabilistic-deterministic model.

This paper reviews the attributes and challenges of applying the functional failure concept and the use of BEPU methods in evaluating reactor protective systems in the risk space. To illustrate, the paper uses the case of the effectiveness of CANDU reactor shutdown systems. A risk-informed formulation is first introduced for estimation of a reasonable limit for functional failure probability using a Swiss cheese model.

The illustrative results were generated using the computer codes HELIOS and NESTLE-CANDU in a stochastic procedure driven by the computer code DAKOTA. This modelling was used to simulate the large-break loss-of-coolant accident (LBLOCA) power pulse by using combinations of core neutronic characteristics randomly generated from postulated subjective probability distributions with deterministic constraints and fixed transient bundle-wise thermal-hydraulic conditions.

As in any risk analysis, there are several challenges in realistically estimating probabilities of exceeding a prescribed design or regulatory limit. Key challenges discussed in the paper include: the use of complex, computationally intensive predictive models; modelling completeness; assumptions about input distributions; validation; separation of uncertainties; and selection of statistical models and algorithms. The use of hybrid deterministic-probabilistic methods may address these challenges to a certain extent, but it can also be argued that these methods would tend to skew the actual risk by introducing data points corresponding to unrealistic, or even unphysical, situations.

To obtain a copy of the abstract's document, please contact us at or call 613-995-5894 or 1-800-668-5284 (in Canada). When contacting us, please provide the title and date of the abstract.
Date modified: