Risk Management in Nuclear Power Plant Configuration: Practices and Applications in China

Abstract

This paper explores the application and evolution of Configuration Risk Management (CRM) systems in Chinese nuclear power plants, focusing on their alignment with the National Nuclear Safety Administration (NNSA)’s technical policies. It examines how CRM integrates risk management action matrices, risk limits, and monitoring tools to manage risks effectively across both second-generation plants with a higher baseline Core Damage Frequency (CDF) and third-generation plants with a lower baseline CDF. The study highlights the significant advancements in CRM system development, including the improvement of risk monitoring tools and the establishment of standardized technical guidelines, and underscores the critical role of ongoing regulatory support and CRM system enhancement to ensure the safe and sustainable operation of nuclear power plants in China, offering valuable insights for future nuclear safety management.

1. Introduction

To ensure the availability and reliability of safety systems, nuclear power plants (NPPs) establish technical specifications [1] that govern their configuration and operation. These address the operational status of safety systems, equipment, and their supporting systems, providing guidelines for the permissible maintenance duration and imposing operational constraints on specific systems or components [2,3]. Typically, these documents are essential for maintaining the safe operation of NPPs. However, they are often insufficient in managing the simultaneous failure of multiple systems or equipment. Although some technical specifications do address multi-system failures, these measures are frequently inadequate due to the inherent complexity and diversity of nuclear plant configurations. International practices have demonstrated that a comprehensive risk management strategy known as Configuration Risk Management (CRM) is the most effective in managing such multi-system failures [4,5].

The configuration risk differs from operational and safety risks in nuclear safety. The former refers to potential risks arising from the design, configuration, and interaction of systems within a nuclear power plant, focusing on how improper system configurations or a lack of redundancy could pose safety hazards. In contrast, the operational risk describes risks arising during daily operations from human errors, operational mistakes, or equipment failures, with an emphasis on issues such as the improper execution of procedures or a failure to maintain equipment. The safety risk is a broader concept that encompasses all risks to the safety of a nuclear facility, including both configuration and operational risks, and evaluates the potential consequences for people, the environment, and equipment. In simple terms, configuration and operational risks are components of the overall safety risk.

CRM is a proactive risk management methodology for nuclear power plants that leverages Living Probabilistic Safety Analysis (Living PSA) [6] models to calculate risk indicators based on the plant’s actual operational configuration. This allows for a dynamic and detailed risk assessment tailored to the plant’s real-time operational conditions, offering robust management of risks associated with complex plant configurations.

CRM serves two main functions regarding NPP operations [7]. First, it assists plant personnel in managing routine maintenance and operational activities, thereby mitigating the risks associated with potential accidents and transient events. Second, it supports operational and maintenance staff in their daily decision-making processes, enhancing their ability to apply Probabilistic Safety Analysis (PSA) insights to improve overall safety and operational efficiency.

CRM uses real-time Living PSA risk models to calculate risk indicators before significant activities such as design changes and maintenance, which are assessed based on their potential to render NPP systems and equipment unavailable. Real-time risk monitoring builds upon CRM by dynamically tracking potential operational risks through the collection of data on the random unavailability of systems and equipment, providing early warning alerts, and allowing for proactive risk management. Together, these two strategies form the foundation of risk-informed decision-making in nuclear power plants. By utilizing real-time risk data in combination with adherence to regulations and standards, contingency plans, and their own experience, nuclear power plants can assess and evaluate potential risks or abnormal situations and develop appropriate operational strategies.

CRM has been in practice internationally for several years, playing a crucial role in optimizing the safety and efficiency of daily maintenance and operational activities at NPPs. In the United States, the Federal Regulation 10 CFR 50.65 [8], “Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,” mandates that before implementing maintenance activities, ranging from monitoring and post-maintenance testing to corrective and preventive maintenance, nuclear power plant operators must assess and manage the potential incremental risks associated with these activities. The U.S. Nuclear Regulatory Commission (NRC) guidelines RG1.174 [9] and RG1.177 [10] further encourage the integration of PSA insights into decision-making processes to enhance safety and management efficiency. Nearly all U.S. NPPs now utilize risk monitors, such as Phoenix and EOOS, for real-time risk evaluation and decision support [11].

Before the introduction of CRM, configuration management in Chinese nuclear power plants primarily focused on technical specifications for individual systems or equipment, which outlined maintenance durations and operational limitations. While these specifications effectively ensured the functionality of single components, they failed to address the potential risks associated with the simultaneous failure of multiple systems and overlooked the impact of system interactions on overall plant safety. Traditional management methods could not meet the growing safety demands due to complex equipment configurations. Recognizing these challenges, the National Nuclear Safety Administration (NNSA) of China, drawing on successful international practices from countries like the U.S., began promoting a structured risk management approach to enhance nuclear power plants’ abilities to manage risks in complex operational environments.

The regulatory framework established by the NNSA plays a crucial role in managing configuration risks at nuclear power plants in China. In 2017, the NNSA issued the “Technical Policy for Improving the Effectiveness of Maintenance at Nuclear Power Plants (Trial)” [12], which provides guidelines for operators on monitoring and managing maintenance activities, as well as the risks associated with maintaining plant structures, systems, and equipment. This laid the foundation for further risk management initiatives. Building on this, the NNSA introduced the “Technical Policy for Configuration Risk Management of Nuclear Power Plants (Trial)” [13] in 2019, which mandates the implementation of Configuration Risk Management (CRM) systems at all nuclear power plants in China. Its main objective is to establish and refine CRM systems at each plant, enhancing the scientific basis and effectiveness of safety management decision-making. The policy emphasizes the evaluation and management of risks related to plant configurations, ensuring that safety measures are robust and operational integrity is maintained. Furthermore, the NNSA’s most recent policy, the “Safety Regulations for Commissioning and Operation of Nuclear Power Plants” (Nuclear Safety Law HAF103) [14], strengthens the requirement for operators to implement CRM systems as a key component of their configuration management practices. This comprehensive regulatory framework ensures that configuration risks are systematically assessed and managed across all nuclear power plants in China, promoting a higher standard of safety and operational reliability.

In response to these regulatory requirements, a dedicated working group focused on maintenance regulations and CRM has been formed in China to promote and oversee the standardization of CRM practices across nuclear power plants. It is also responsible for developing related policy documents to ensure the effective implementation of CRM. A “pilot-first, then nationwide rollout” approach has been planned for advancing CRM. This means that CRM systems will first be established and operated at selected pilot plants, with the intention of gradually expanding their application to all nuclear plants in China. At present, CRM implementation at pilot plants is progressing steadily.

This paper provides an in-depth examination of the current application of CRM technology in Chinese nuclear power plants. By analyzing global best practices and China’s regulatory frameworks, it highlights both the advancements and technical challenges associated with CRM implementation and discusses future developments in the field.

This paper is organized as follows: Section 2 introduces the concept of Configuration Risk Management (CRM), the framework’s elements, and associated methods. Section 3 discusses the key technical issues encountered in CRM implementation across nuclear power plants in China. Section 4 presents three case studies that demonstrate the role of CRM in planning operational and maintenance strategies for nuclear plants. The paper concludes with the Discussion and recommendations for further advancing the implementation of CRM.

2. CRM Practices in China

2.1. Reference Case: U.S. CRM System

The U.S. NRC, through RG 1.174 and RG 1.177, mandates that license holders conduct risk assessments when applying PSA. These assessments are divided into three levels: the first two assess whether risk acceptance criteria are met and identify high-risk combinations, while the third requires each license holder to develop a program to properly evaluate the risks associated with out-of-service equipment. The NRC also calls for the identification of high-risk configurations arising from maintenance and other operational activities and the implementation of compensatory measures.

As specified by 10 CFR 50.65(a)(4), license holders must evaluate the risks posed by maintenance activities before their implementation and take corresponding risk management actions. This regulation limits the incremental risks introduced by various plant configurations, serving as an additional provision to the technical specifications.

To comply with these regulations, nearly all U.S. nuclear power plants have established Configuration Risk Management Programs (CRMPs) to evaluate and manage the risks introduced by equipment outages. CRMPs are documents of a lower tier than the technical specifications, managed according to the Technical Requirements Manual (TRM). Any modifications to CRMPs are subject to NRC approval if they affect the plant’s licensing basis. When there is a change in the plant configuration, risk assessments are conducted following CRMP guidelines to determine whether the risk limits are met and whether appropriate risk management actions should be taken. Risk monitors are widely used as key tools in CRMPs due to their ability to quickly and effectively evaluate plant configuration risks.

2.2. Adoption and Implementation of CRM Systems in China

The process of implementing a CRM system includes determining the risk limits, establishing a risk management matrix, evaluating the configuration risks, and taking appropriate actions. The expected outcomes and methods of implementing CRM systems for nuclear power plants are illustrated in Figure 1.

2.2.1. Risk Limits

The license holder of a nuclear power plant is responsible for ensuring strict compliance with regulatory requirements while simultaneously establishing a set of risk limits specifically tailored to the plant’s unique operational and environmental conditions. These limits serve as a critical tool for categorizing and managing various levels of risk that the plant may encounter throughout its life cycle.

Typically, the CRM limits for a nuclear power plant incorporate both instantaneous risks and cumulative risk increments. Instantaneous risks are often measured using metrics such as the Core Damage Frequency (CDF) and Large Early Release Frequency (LERF), which assess the likelihood of accidents occurring in real time. In contrast, cumulative risk increments, including the Incremental Core Damage Probability (ICDP) and Incremental Large Early Release Probability (ILERP), focus on the long-term probability of risk accumulation.

The development of these risk limits must ensure that they can effectively differentiate between varying levels of risk, ranging from the routine operational risk to more severe scenarios, while also taking into account the resources necessary for implementing appropriate risk mitigation strategies. These considerations are crucial for optimizing the allocation of resources, ensuring that risk management activities are both efficient and effective.

Table 1. Example of risk limits.

Operating Configuration Risk Limits	Risk Area	Maintenance Configuration Risk Limits
CDF < CDF 2 Times Above Baseline LERF < LERF 2 Times Above Baseline	Normal Control Area (Green Zone)	ICDP < 10−6, ILERP < 10−7
CDF 2 Times Above Baseline ≤ CDF < 10−3/Reactor Year LERF 2 Times Above Baseline < LERF	Risk Management Area (Yellow Zone)	10−6 ≤ ICDP < 10−5, 10−7 ≤ ILERP < 10−6
CDF ≥ 10−3/Reactor Year	Unacceptable Risk Area (Red Zone)	ICDP ≥ 10−5, ILERP ≥ 10−6

illustrates a typical risk limit setting, demonstrating how the plant’s risk limits are defined to balance the risk of both operating and maintenance activities. This table serves as a reference for establishing an acceptable level of risk and determining the appropriate risk management actions needed to ensure plant safety and regulatory compliance.

Note:

• The use of the cumulative risk limits ICDP < 10⁻⁶ and ILERP < 10⁻⁷ is recommended to calculate the allowable configuration time, taking the smaller of the two values. After evaluating the non-quantifiable factors and implementing risk control measures, the allowable configuration time can be extended by up to 10 times.
• The instantaneous risk indicator, the CDF, should not reach 10⁻³/reactor year during maintenance activities.
• A risk management matrix should be established based on the defined risk limits.

Each unit of a nuclear power plant should develop a risk management matrix based on the established risk limits to ensure effective decision-making and risk mitigation. This matrix categorizes risks into three primary zones, aligned with the classifications of the risk limit zones: the normal control zone, which represents acceptable risks, the risk management zone, which requires monitoring and control; and the unacceptable risk zone, which necessitates immediate corrective actions.

Table 2. Example of the risk management matrix.

Operation (Random Unavailability)	Risk Area	Maintenance (Planned Unavailability)
Proceed with relevant production activities according to existing requirements, with no new risk management requirements.	Normal Control Area (Green Zone)	Proceed with relevant testing, maintenance, and other activities as planned.
Risk needs to be controlled, relevant maintenance should be completed as soon as possible, and risk management measures should be implemented if necessary.	Risk Management Area (Yellow Zone)	Evaluate the impact of non-quantifiable factors and develop risk management measures.
The risk is unacceptable and immediate action is required.	Unacceptable Risk Area (Red Zone)	Entry into this configuration is not permitted.

provides a typical example of such a risk management matrix, offering a structured approach for the operating units of nuclear power plants to further subdivide and prioritize the risk management zones based on their specific operational, maintenance, and safety requirements. The matrix visually distinguishes these levels using the following colored zones, arranged in descending order of severity—green for the normal control zone, yellow for the risk management zone, and red for the unacceptable risk zone. This color-coding system enables the quick identification of risks, facilitating timely responses and ensuring the plant’s ongoing safety and regulatory compliance.

2.2.2. Evaluation of Configuration Risks and Corresponding Actions

Operating CRM: In the event of operational anomalies in a nuclear power plant unit that result in one or more safety-critical systems being unavailable, the unit must not only adhere to the measures specified in the technical specifications but also employ risk monitoring tools to assess the configuration risks associated with the system’s status. Based on the identified risk zone, appropriate corrective actions must be taken. Specifically, within the green zone, normal maintenance activities can proceed without significant concern, as the risks are considered acceptable. In the yellow zone, maintenance should be expedited to minimize the duration of the elevated risk, with the allowable time for the system configuration based on cumulative risk limit calculations. In this zone, compensatory measures, such as backup systems or enhanced monitoring, may need to be implemented to mitigate the risk. In the red zone, where the risks exceed the acceptable limits, immediate corrective actions are required to reduce the risk levels. If the unit is operating at full power in this zone, the immediate shutdown of the reactor for fallback is essential to return the risk level to within acceptable limits and ensure safety.

Maintenance CRM: Prior to the initiation of any maintenance activities, it is imperative that the unit conducts a thorough assessment of the configuration risks associated with the proposed maintenance plan. This assessment should be carried out using advanced risk monitoring tools to ensure a comprehensive understanding of the potential hazards and vulnerabilities within the nuclear power plant. Based on the identified risk zone, appropriate actions must be determined and implemented. In the green zone, maintenance activities can proceed under standard operational controls, as the associated risks are deemed to be within acceptable limits. However, in the yellow zone, where the risks are elevated but still manageable, it is essential to evaluate the influence of non-quantifiable factors, such as environmental conditions, that may impact overall safety and performance. In this case, detailed risk management measures should be formulated to address these uncertainties and mitigate any potential adverse effects. In the red zone, where the risks exceed the acceptable limits, maintenance activities are not permitted under any circumstances. The configuration presents an unacceptable level of risk, and the unit must refrain from proceeding with maintenance until the system is restored to a safe configuration. If the evaluation indicates that performing the scheduled maintenance activities under the current configuration poses a significant risk, the unit must promptly adjust the maintenance time window to mitigate the exposure to such risks.

Upon calculating the configuration risks, the unit should conduct a thorough review of the results to identify the primary contributors to the risk within the current system configuration. Based on this analysis, the unit must take appropriate actions to mitigate these risks, ensuring that the safety and operational integrity of the facility are maintained. If necessary, compensatory measures should be implemented to safeguard against potential failures or incidents during the maintenance process.

In terms of risk calculation, China primarily relies on the Risk Spectrum software developed by the Swedish company Relcom. Due to its ability to provide comprehensive risk assessments, this software has been widely adopted across numerous nuclear power plants in China. Additionally, several Chinese research institutions have proactively developed and localized risk analysis tools to better meet local needs. A notable example is the SPACal PSA software developed by the Shanghai Nuclear Engineering Research and Design Institute (SNERDI). The quantitative techniques applied in CRM primarily utilize the PSA Small Event Tree—Large Fault Tree method. The model used in this analysis was the independent regulatory PSA model, developed by a technical support unit commissioned by the NNSA.

For NPPs, the system configurations of each plant can be automatically read through the computerized work order system, serving as inputs for the CRM model. Regulatory bodies primarily focus on key testing activities within the plants. Specific configuration information for the nuclear power plants, based on the reports they provide, can be manually selected using the CRM model.

3. Technical Challenges in the Implementation of CRM in China

In recent years, the NNSA of China has actively promoted the application of CRM technologies in nuclear safety regulation. This initiative has been met with a positive response from all nuclear power plants, significantly contributing to the development of a risk-informed nuclear safety regulatory framework. Similar to other nations, China has predominantly drawn on technical concepts and management guidelines from the United States as a reference. However, during the implementation process, several technical challenges have emerged that require careful attention. The following section addresses these challenges, aiming to provide valuable technical insights for nuclear power plants regarding CRM application.

3.1. Clarification of Risk Limit Setting

Both operating and maintenance CRM utilize the same cumulative risk limits. During an unexpected operational anomaly in a nuclear power plant unit, if the instantaneous risk enters the yellow zone while the corresponding cumulative risk from maintenance activities remains within the green zone, the unit may continue functioning under normal operational control. These risk limits are designed to account for the full spectrum of initiating events. In the absence of an internal or external PSA model, the risk limits should at least include Level 1 and 2 PSA models for internal events during power operation and low-power shutdown conditions.

The NNSA of China encourages nuclear power plants to adopt more stringent risk limits than the recommended values in order to further minimize risks and enhance safety.

3.2. Considerations for Risk Zoning

An international survey of nuclear power plant risk zoning indicated that there are more plants with four defined risk zones (green, yellow, orange, and red) than those with only three zones (green, yellow, and red). Technical policies typically recommend the use of three risk zones, as, from a nuclear safety regulation standpoint, the yellow and orange zones share similar characteristics, both necessitating risk control and management. When four zones are used, the limit for the orange zone is usually set at ten times the baseline CDF, with the required safety measures being largely comparable to those for the yellow zone. Whether compensatory measures are needed depends not on the level of instantaneous risk, represented by the CDF, but rather on whether the allowable configuration time (calculated from the ICDP limit) is adequate.

3.3. Considerations for Determining Operating Configuration Risk Limits

In China, there are no significant differences in the CRM methods and processes used between second-generation and third-generation NPPs. However, because the CDF of third-generation NPPs is typically one order of magnitude lower than that of second-generation NPPs, adjustments need to be made when setting risk thresholds. This ensures the consistency and comparability of risk assessments between the two generations of plants.

Four primary methods are internationally recognized for determining the operating configuration risk limits and use (1) recommended values outlined in guidelines, (2) multiples of the baseline risk, (3) calculations based on the cumulative risk limits and the duration for which the nuclear power plant remains in a specific configuration, or (4) the risk values derived from a single specific system or piece of equipment being out of service. These methods are often used in combination when establishing risk limits. Method 3, which calculates the operating configuration risk limits using cumulative risk limits and a fixed configuration duration (e.g., 24 h, 72 h, or one week), and method 4, which utilizes the risk value from the failure of a specific system or piece of equipment, do not hold significant practical value. The approach adopted in technical policies combines methods 1 and 2, integrating both absolute and relative values. This effectively manages risks for both generation II (with a higher baseline CDF, such as the Qinshan Phase I plant) and III nuclear power plants (with a lower baseline CDF, such as AP1000 and Hualong No. 1).

The statistical analysis of over 50 nuclear power plants worldwide revealed that approximately half of the plants set the lower limit of the risk management area (i.e., the upper limit of the green zone) at twice the baseline risk, with most setting it at less than 10 × 10⁻⁴/reactor year. For the upper limit of the risk management area (i.e., the lower limit of the red zone), about half of the plants adopted the recommended value of 10⁻³/reactor year, as specified in NUMARC93-01 [13]. Around 35% used multiples of the baseline risk (10–100 times), with values ranging from 10⁻⁴/reactor year to 10⁻³/reactor year.

Some nuclear power plants in China argue that setting the risk limits for the risk management area at twice the baseline risk is overly stringent, expressing concerns that the unit may enter the yellow zone during operation. However, this concern is unfounded, as the operational yellow zone typically corresponds to the maintenance green zone, and normal operational control is sufficient. Entering the yellow zone simply indicates a need for risk control, with maintenance activities being time-bound. In fact, technical specifications already encompass related requirements, which take precedence.

3.4. Development and Application of Configuration Risk Management Tools

When a nuclear power plant is engaged in CRM during operations and maintenance activities, it is essential to develop an implementation plan, establish a CRM system promptly, and develop and deploy a risk monitoring tool. The successful implementation of CRM is crucial to ensuring that the nuclear power plant’s safety level is not only maintained but also potentially enhanced.

In China, a total of 27 units across 11 nuclear power plants—including Daya Bay, Ling’ao, Qinshan, Tianwan, and Hongyanhe—have been equipped with risk monitors, with 54 units in operation at present. These risk monitors are primarily employed for real-time risk monitoring, managing and controlling risk indicators, scheduling maintenance, and assessing the risks associated with daily maintenance activities. The CRM tools must support a full-range PSA model and deliver excellent functionality and performance.

The NNSA is in the process of gradually formulating and releasing technical guidelines for the development and use of risk monitors in nuclear power plants. These guidelines will ensure the quality of risk monitors using appropriate evaluation methods, such as peer reviews.

3.5. Data Management Policy

In this specific application of CRM, the primary target users are nuclear safety regulators. In their analyses, they use real-time data collected by the nuclear power plant, and the transmission and reporting of this data strictly adhere to China’s “Regulations on Reporting by Nuclear Power Plant Operating Units.” These regulations ensure the security and confidentiality of the data, preventing the risk of sensitive data leakage. Furthermore, all data processing is conducted within the framework of relevant laws and standards, ensuring that, during the CRM application process, data analysis and maintenance work are effectively supervised and managed, thereby safeguarding nuclear safety.

4. CRM System Application: Case Studies in China

This section provides practical case studies to illustrate the process of CRM evaluation in nuclear power plants, demonstrating its application in real-world scenarios.

4.1. Background

Guided by the NNSA and under the Ministry of Ecology and Environment (CMEE), the Nuclear and Radiation Safety Center (NRSC) and other collaborating institutions have independently developed and established the “NNSA Nuclear Power Plant Risk Monitoring Platform (NPPRMP).” This platform enables nuclear safety regulatory bodies to conduct independent and efficient risk evaluations and management activities for operating nuclear power plants. It serves as a crucial tool with which for regional supervisory stations to assess the effectiveness of plant maintenance activities and CRM implementation, thereby enhancing the regulatory oversight of nuclear power plant operations.

The NPPRMP supports supervisory efforts by providing a comprehensive tool for reviewing and supervising risk management practices, ensuring that nuclear plants adhere to safety laws and guidelines. This platform equips regulatory bodies to assess risks, identify potential hazards, and evaluate the effectiveness of risk mitigation measures implemented by plants.

For the purpose of this analysis, three scenarios were examined at a selected nuclear power plant under two distinct conditions: (1) normal operation and (2) shutdown conditions. In both hypothetical conditions, the NNSA NPPRMP was employed as an analytical tool to conduct CRM evaluations. The evaluation process focused on the assessment of the risk associated with these scenarios, providing a detailed understanding of the plant’s CRM practices and the potential impact on its safety performance.

These case studies offer valuable insights into the functionality of the NPPRMP as a monitoring and evaluation tool, demonstrating its effectiveness in real-world nuclear power plant risk management.

4.2. Case Analysis

In the following CRM case studies, the following assumptions were made:

(1)

Model: The independent regulatory PSA model developed by the NNSA-commissioned technical support unit was utilized.

(2)

Risk calculation algorithm: The Minimum Cut Set method was employed for risk evaluation.

(3)

Assumptions for PSA modeling:

■

Pipe ruptures were not considered.

■

Common-causes failures were not considered for rupture and external leakage failure modes but were for internal leakage failure modes.

■

During normal reactor operation, the systems or equipment put into service were assumed to be free from placement issues caused by human error.

4.2.1. Case I: Two Safety Injection Pumps Were out of Service

In this case study, the unit was operating under Residual Heat Removal (RRA) cooling shutdown conditions. During this period, it was assumed that both safety injection pumps within the Safety Injection System (SIS), RIS001PO and RIS002PO, were unavailable due to failures. The estimated duration of unavailability for these pumps was projected to be 10 h. This scenario presented a critical condition, as safety injection pumps are essential for delivering coolant to the reactor core in an emergency.

The NPPRMP was employed to assess the associated risks. The analysis interface, as shown in Figure 2, presents several critical components essential for effective risk assessment and management. Specifically, it provides the following key information:

• Basic input information for the analysis: This includes crucial parameters such as the duration of equipment unavailability, operating conditions, target equipment for the analysis, and failure mode. These inputs are fundamental in determining the scope and context of the risk evaluation.
• Basic risk information for the nuclear power plant: This includes vital risk data for the plant, such as the baseline CDF and risk limits. These benchmarks are essential for comparing the current risk levels against predefined safety limits and for informing subsequent decision-making and risk management actions.
• Evaluation results: The results of the risk analysis are presented in both qualitative and quantitative formats. Key quantitative metrics include the instantaneous CDF, ICDP, Allowed Configuration Time (ACT), and the percentage of initiating events. These metrics offer detailed insights into the plant’s risk profile under the analyzed conditions. Additionally, the interface displays the current risk management zone, Configuration Risk Management requirements, and necessary risk mitigation actions. These actions may include prioritizing recovery efforts, identifying critical and sensitive equipment, and addressing high-risk activities to minimize potential hazards and optimize operational safety.

Based on the analysis, it was observed that the instantaneous risk of the unit was 1.86 × 10⁻²/reactor year, and the ICDP was 2.12 × 10⁻⁵. The corresponding CRM requirements were as follows: the plant’s risk was within the unacceptable risk area (red zone), meaning that the risk exceeded the acceptable limits, the unit needed to fall back immediately, and attention should be paid to key sensitive equipment. The specific risk evaluation results are shown in

Table 3. Risk assessment and analysis results for Case I.

Risk Evaluation for RIS001PO and RIS002PO
1. Overview of Maintenance Activities
Maintenance Activity Description		Unavailability of RIS001PO and RIS003PO
Type of Maintenance Activity		Planned         Random√
Estimated Maintenance Duration		10.0 h
Unit Operating Mode		RRA cooling shutdown conditions
List of Affected SSCs		RIS001PO, RIS003PO
2. Risk Assessment Results
Instantaneous Risk	Category	Baseline Risk (/Reactor Year)	Evaluated Risk (/Reactor Year)	Risk Increment (/Reactor Year)	Risk Increase Ratio (Times)
	CDF	8.64 × 10−6	1.86 × 10−2	2.12 × 10−5	2152.8
Cumulative Risk	Category	Cumulative Value
	ICDP	6.89 × 10−8
Risk Limits	Category	Green Zone	Yellow Zone		Red Zone
	CDF	<1.96 × 10−5	1.96 × 10−5~3.30 × 10−4		≥3.30 × 10−4
	ICDP	<3.30 × 10−7	3.30 × 10−7~3.30 × 10−6		≥3.30 × 10−6
Risk Area		Unacceptable Risk Area (Red Zone)
Allowed Configuration Time (ACT)		Immediate fallback
3. Risk Management Measures
Configuration Risk Management Requirements		The unit’s risk is in the unacceptable risk area. An immediate fallback is required. Attention should be paid to key sensitive equipment.
Key Sensitive Equipment		RRA018VP
		RRA115VP

.

4.2.2. Case II: Two Auxiliary Feedwater Pumps Were out of Service for Testing Under Normal Operational Conditions

In this case, the unit was operating under normal operational conditions. ASG001PO and ASG003PO (the 001# and 003# auxiliary feedwater pumps of the Auxiliary Feedwater System, ASG) were scheduled for testing, during which they would be unavailable for 10 h. The specific risk evaluation results are shown in

Table 4. Risk assessment and analysis results for Case II.

Risk Evaluation for ASG001PO and ASG003PO
1. Overview of Maintenance Activities
Maintenance Activity Description		Planned unavailability of ASG001PO and ASG003PO
Type of Maintenance Activity		Planned√         Random
Estimated Maintenance Duration		10.0 h
Unit Operating Mode		Normal Operation (RP)
List of Affected SSCs		ASG001PO, ASG003PO
2. Risk Assessment Results
Instantaneous Risk	Category	Baseline Risk (/Reactor Year)	Evaluated Risk (/Reactor Year)	Risk Increment (/Reactor Year)	Risk Increase Ratio (Times):
	CDF	9.78 × 10−6	7.01 × 10−5	6.03 × 10−5	7.17
Cumulative Risk	Category	Cumulative Value
	ICDP	6.89 × 10−8
Risk Limits	Category	Green Zone	Yellow Zone		Red Zone
	CDF	<1.96 × 10−5	1.96 × 10−5~3.30 × 10−4		≥3.30 × 10−4
	ICDP	<3.30 × 10−7	3.30 × 10−7~3.30 × 10−6		≥3.30 × 10−6
Risk Area		Risk Management Area (Yellow Zone)
Allowed Configuration Time (ACT)		2 days
3. Risk Management Measures
Configuration Risk Management Requirements		The unit’s risk is in the risk management area. Risk control is needed, and the maintenance activities should be completed as soon as possible. Attention should be paid to key sensitive equipment while controlling the ACT.
Key Sensitive Equipment		CFI031TF
		RIS019VP
		RCV033VP
		RCV223VP
		LHQ001AP

.

Based on the analysis, the instantaneous risk of the unit was 1.86 × 10⁻²/reactor year, the ICDP was 2.12 × 10⁻⁵, and the ACT was 2 days. The corresponding CRM requirements were as follows: The plant’s risk was within the risk management area (yellow zone). Risk control was needed, and the maintenance activities should be completed as soon as possible. Attention should be paid to key sensitive equipment while controlling the ACT.

Case II was based on a testing plan implemented prior to the adoption of CRM for the unit. At the time of implementation, this plan was considered acceptable. However, following the adoption of CRM and the subsequent configuration risk assessment, it was found that the testing plan introduced a certain level of risk to the unit. As a result, the evaluation recommended that the unit improve the testing plan to better align with the current risk management strategies.

4.2.3. Case III: One Auxiliary Feedwater Pump Was out of Service for Testing Under Normal Operational Conditions

In this case, the unit continued to operate under normal operational conditions, with testing conducted solely on the ASG001PO pump, which was scheduled to be out of service for 10 h. As shown in

Table 5. Risk assessment and analysis results for Case III.

Risk Evaluation for ASG001PO
1. Overview of Maintenance Activities
Maintenance Activity Description		Planned unavailability of ASG001PO
Type of Maintenance Activity		Planned√         Random
Estimated Maintenance Duration		10.0 h
Unit Operating Mode		Normal Operation (RP)
List of Affected SSCs		ASG001PO
2. Risk Assessment Results
Instantaneous Risk	Category	Baseline Risk (/Reactor Year)	Evaluated Risk (/Reactor Year)	Risk Increment (/Reactor Year)	Risk Increase Ratio (Times):
	CDF	9.78 × 10−6	9.87 × 10−6	9.00 × 10−8	1.01
Cumulative Risk	Category	Cumulative Value
	ICDP	1.03 × 10−10
Risk Limits	Category	Green Zone	Yellow Zone		Red Zone
	CDF	<1.96 × 10−5	1.96 × 10−5~3.30 × 10−4		≥3.30 × 10−4
	ICDP	<3.30 × 10−7	3.30 × 10−7~3.30 × 10−6		≥3.30 × 10−6
Risk Area		Normal Control Area (Green Zone)
Allowed Configuration Time (ACT)		>30 days
3. Risk Management Measures
Configuration Risk Management Requirements		The unit’s risk is in the normal control area. The risk is acceptable and normal maintenance activities can be scheduled.
Key Sensitive Equipment		None

, the risk area during this period was found to be the green zone, indicating that the unit was operating within the normal control area where the associated risk was considered acceptable. Consequently, normal maintenance and testing activities could be scheduled without any immediate concerns regarding the system’s stability or safety.

Case III served as a comparison to Case II, with the key difference being that the other auxiliary feedwater pump remained available. The comparison highlights how the CRM method can effectively facilitate a comparative analysis of different operational, maintenance, and testing scenarios, optimizing plans by assessing various risk factors and improving overall risk management.

5. Discussion and Conclusions

This paper has contributed to the understanding of Configuration Risk Management (CRM) systems’ application and development in Chinese nuclear power plants, with a particular focus on their implementation and associated challenges in alignment with the National Nuclear Safety Administration (NNSA)’s technical policies.

In recent years, Chinese nuclear power plants have made significant progress in establishing and enhancing their CRM systems under the guidance of the NNSA. With the gradual implementation of the CRM framework, nuclear power plants have achieved notable improvements in risk assessment, the development of monitoring tools, and risk management. They are not only able to assess configuration risks more scientifically but can also integrate multiple risk factors into a unified management structure, thereby improving their decision-making quality and operational efficiency.

In particular, the development of risk monitoring and assessment tools has provided strong support for daily operational management in nuclear power plants. The peer-reviewed analysis of their use at the Daya Bay Nuclear Power Plant, as well as the proactive development of measures at other nuclear plants, indicates that the CRM framework is contributing to good practice across different plants, further promoting technological advancement throughout the industry. Furthermore, the framework’s systematic deployment and guidance from the NNSA and its maintenance regulation working group have guaranteed the continuous promotion of CRM, ensuring that each task is carried out safely under unified standards. CRM fosters a collaborative environment where public safety officials, regulatory agencies, designers, and plant operators work together to ensure that the design, operation, and maintenance of nuclear power plants minimize risks and maximize safety. Through information sharing and the use of advanced risk management tools, these stakeholders can effectively manage potential hazards, securing the long-term safety and sustainability of nuclear power plants.

However, despite the progress in CRM framework implementation in nuclear power plants, there are still areas that need further improvement. Firstly, the CRM system’s functionality and associated tools need to be optimized further to meet the increasingly complex operational requirements of nuclear plants. Secondly, there is some variation in the understanding and execution of CRM across different nuclear plants, highlighting the need for standardized technical guidelines to ensure uniformity and efficiency in the implementation process.

In conclusion, significant progress has been made in the construction and implementation of the CRM system in Chinese nuclear power plants. Through systematic risk assessment and the development of monitoring tools, the CRM framework provides a comprehensive solution for risk management, contributing to improved safety, reliability, and operational efficiency. By integrating risk factors into a unified structure, nuclear power plants can make more informed decisions, optimize operational strategies, and proactively implement risk mitigation measures. China’s CRM system reflects a localized approach that accounts for the rapid growth of the domestic nuclear power industry and the specific regulatory environment. As discussed in this paper, the implementation of CRM systems has the potential to significantly impact regulatory frameworks and policies related to nuclear safety and operational efficiency. By employing Living PSA models, CRM provides a dynamic, real-time risk management approach that can enhance the resilience and sustainability of nuclear power plants. China’s CRM system emphasizes real-time and continuous risk monitoring based on actual operational configurations. Furthermore, it prioritizes the establishment of a strong governmental regulatory framework and the development of policies to ensure consistency across various nuclear power plants. This integrated approach facilitates better decision-making, improves long-term safety and reliability, and proactively identifies high-risk configurations, contributing to the sustainable development of nuclear power in China.

However, to achieve comprehensive CRM application across all nuclear plants, it is essential to further clarify the relevant technical requirements and develop more detailed technical guidelines, particularly for the implementation of the “Nuclear Power Plant Commissioning and Operation Safety Code” (HAF103). Additionally, standardization efforts should be further advanced to create national, industry, and group standards, providing clear technical guidance for CRM implementation. Moreover, the continued promotion of regulatory requirements and technical policies is crucial to encourage more nuclear plants to develop CRM systems, enhance the functionality of risk monitoring tools, and apply these tools widely in their actual operations.

Based on China’s extensive experience in Configuration Risk Management (CRM) within nuclear power plants, both the regulatory frameworks issued by authorities and the practical work undertaken by the plants demonstrate mature management systems and technical capabilities. These achievements provide a valuable model for international cooperation, with substantial potential for technical exchange, collaborative standard creation, and joint project development. Such efforts could significantly contribute to the advancement of global nuclear power plant risk management, fostering a shared improvement in safety standards and operational efficiency across the industry. Looking ahead, with the continuous improvement and promotion of the CRM framework, China’s nuclear power industry will be better equipped to handle increasingly complex operational challenges and provide valuable technical support and experience-based insights for global nuclear safety management.

Due to space limitations, this paper primarily explored the broad application of CRM technologies in China and did not delve into specific PSA models and calculations. It also did not provide detailed examples of how Configuration Risk Management has directly improved safety outcomes or decision-making processes. The authors plan to address these aspects in a separate paper. Specifically, future research will examine China’s CRM approach and compare it with the methodologies employed by international organizations such as the WANO, IAEA, and NRC to better illustrate the similarity and distinctiveness of China’s procedures. This comparative analysis will highlight the unique elements of China’s approach to Configuration Risk Management, focusing on its localized strategies in response to domestic challenges. Additionally, case studies and practical examples will be explored to demonstrate how CRM has enhanced safety outcomes and decision-making processes within Chinese nuclear power plants, offering valuable insights into its impact on operational efficiency and risk mitigation.