
MBE4105 – Nuclear Reactor Safety

Probabilistic Risk Assessment (PRA)

Jiyun Zhao
Associate Professor
Dept. of Mechanical and Biomedical Engr.
City University of Hong Kong

1
Part I: Characteristics of Risk and Probabilistic
Risk Assessment (PRA)

2
Characteristics of Risk
Risk is defined as a feasible detrimental outcome of an
activity or action (e.g., launch or operation of a spacecraft)
subject to hazard(s). Risk is characterized by two
quantities:

1) the magnitude (or severity) of the adverse
consequence(s) that can potentially result from the
given activity or action, and
2) the likelihood (probability) of occurrence of the given
adverse consequence(s).

If the measure of consequence severity is the number of
people that can potentially be injured or killed, risk
assessment becomes a powerful analytic tool for assessing
safety performance.
3
Characteristics of Risk

Risk is the product of consequence magnitude and
frequency:

Risk = consequence magnitude × frequency

4
Characteristics of Risk
As an example of typical societal risks, the United States
experienced roughly 15 million automobile accidents in 1971.
On the average, approximately 1 in 10 caused an injury and 1
in 300 resulted in a death. A population of 200 million persons,
thus, was subjected to the following automobile accident risks:

5
Characteristics of Risk

6
General Perception of Risks
While risks themselves may be somewhat readily calculated, human
attitudes toward risks are much more complex. A very rough correlation of
risk magnitude and relative attitude is provided in Table 14-4 for death by
involuntary societal activities. The reference risk is that from death by
“natural causes” of about 10^-2 per person-year, based on an average
lifetime of roughly 70 years.

7
General Perception of Risks

In contrast with the involuntary societal risks,
individuals are found to accept voluntary risks which
are greater by up to two orders of magnitude. Some
sports, for example, have death risks as high as 10^-2
per person-year. Individuals seem willing to put
themselves at risk at levels they would find
completely unacceptable if imposed upon them by
society.

8
General Perception of Risks

The perception of risk appears to be colored more by the
consequence magnitude than by the frequency. Although the
overall risk from air travel is found to be much less than that
from the private automobile, for example, a plane crash that
kills 200 persons tends to be viewed with greater alarm than a
much higher death toll from automobile accidents on a typical
holiday weekend. The former, in fact, may cause some to
cancel future air travel plans. The latter is likely to have no
identifiable impact on automobile travel.

9
Technological Risk Perception

The perception of risk from technological development is
generally colored by the extent to which materials and
processes are understood. To the general public, familiar and
long-established operations are often viewed as less
threatening than those which are new or mysterious, even
when the latter may have substantially lower risks.

It is natural for individuals to feel most comfortable with those
technologies of which they have the greatest understanding.
Radiation tends to be viewed as “new, deadly, and silent” by
many. This, of course, makes it, and nuclear energy in
general, prime candidates for the existence of disparities
between actual and perceived risks.

10
Technological Risk Perception

The quantification of risk is not meaningful as an isolated
concept. The real significance is in providing a basis for
comparison of a proposed undertaking to its alternatives and
to the general background of human and natural events. On
this basis, risk assessment has become very important for
development of nuclear reactor systems.

The conclusions of such evaluations, although they may be
technically meaningful, have more general significance only
to the extent that they can provide for heightened public
understanding.

11
Probabilistic Risk Assessment (PRA)
If the severity of the consequence(s) and their
likelihood of occurrence are both expressed
qualitatively (e.g., through words like high, medium,
or low), the risk assessment is called a qualitative
risk assessment.

In a quantitative risk assessment or a probabilistic
risk assessment, consequences are expressed
numerically (e.g., the number of people potentially
hurt or killed) and their likelihoods of occurrence are
expressed as probabilities or frequencies (i.e., the
number of occurrences or the probability of
occurrence per unit time).
12
Probabilistic Risk Assessment (PRA)
Probabilistic Risk Assessment (PRA) has emerged
as an increasingly popular analysis tool especially
during the last decade. PRA is a systematic and
comprehensive methodology to evaluate risks
associated with every life-cycle aspect of a complex
engineered technological entity (e.g., facility,
spacecraft, or power plant) from concept definition,
through design, construction and operation, and up
to removal from service.

13
Probabilistic Risk Assessment (PRA)
Probabilistic Risk Assessment usually answers three
basic questions:
1. What can go wrong with the studied
technological entity, or what are the initiators or
initiating events (undesirable starting events) that
lead to adverse consequence(s)?
2. What and how severe are the potential
detriments, or the adverse consequences that
the technological entity may be eventually
subjected to as a result of the occurrence of the
initiator?
3. How likely to occur are these undesirable
consequences, or what are their probabilities or
frequencies?
14
Event Trees

15
Fault Trees

16
Fault Trees
Data used with the fault trees included that for
component failures, human error, and testing and
maintenance time. The human error was found to
have a probability of up to 100 times greater than
that for component failure. The testing and
maintenance was included in recognition that the
related down-time is equivalent to system failure.
One hour off-line per week, for example, is
equivalent to a 6 × 10^-3 per year non-availability or
failure rate.

17
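
The fault-tree quantification described above, as an added example that is not
part of the lecture notes: basic events (component failures, a human error, and a
test-and-maintenance outage converted to unavailability exactly as the 1 hour per
week case is) feed OR and AND gates, and the top-event probability is computed both
exactly and with the rare-event approximation. The tree shape, the event names and
every probability are constructed for illustration; they are not WASH-1400 or plant
data.

```python
"""Fault-tree quantification with independent basic events.

Added example, not part of the lecture notes. The tree, the event names and
every probability below are constructed for illustration; they are not data
from WASH-1400 or any plant PRA.
"""
from dataclasses import dataclass
from typing import List, Union

HOURS_PER_WEEK = 168.0


@dataclass
class BasicEvent:
    """Leaf of the tree: a component failure, a human error, or a
    test-and-maintenance outage, with its probability of being failed on demand."""
    name: str
    prob: float


@dataclass
class Gate:
    """An AND gate fails only if every input fails; an OR gate fails if any input fails."""
    name: str
    kind: str            # "AND" or "OR"
    inputs: List["Node"]


Node = Union[BasicEvent, Gate]


def unavailability_from_downtime(hours_down: float, hours_per_period: float) -> float:
    """Fraction of time a system is off-line for testing or maintenance.

    The lecture treats that down-time as equivalent to system failure:
    1 hour off-line per week gives 1/168, i.e. roughly 6e-3.
    """
    if not 0.0 <= hours_down <= hours_per_period:
        raise ValueError("down-time must lie between 0 and the period length")
    return hours_down / hours_per_period


def top_event_probability(node: Node) -> float:
    """Exact top-event probability, assuming all inputs are independent
    (each basic event appears once in the tree)."""
    if isinstance(node, BasicEvent):
        return node.prob
    probs = [top_event_probability(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in probs:
            result *= p
        return result
    if node.kind == "OR":
        survive = 1.0                     # P(no input fails)
        for p in probs:
            survive *= 1.0 - p
        return 1.0 - survive
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rare_event_bound(node: Node) -> float:
    """Rare-event approximation: an OR gate is summed, an AND gate multiplied.
    For an OR gate the sum is an upper bound on the exact value; it is what
    hand calculations use when every input probability is small."""
    if isinstance(node, BasicEvent):
        return node.prob
    parts = [rare_event_bound(child) for child in node.inputs]
    if node.kind == "AND":
        result = 1.0
        for p in parts:
            result *= p
        return result
    if node.kind == "OR":
        return sum(parts)
    raise ValueError(f"unknown gate kind {node.kind!r}")


def make_train(label: str) -> Gate:
    """One emergency-cooling train fails if the pump, its discharge valve,
    the operator's start-up action, or a maintenance outage takes it out.
    Constructed values: the human error (1e-2) sits two orders of magnitude
    above the valve failure (1e-4), the ratio the lecture cites."""
    return Gate(f"train_{label}_fails", "OR", [
        BasicEvent(f"pump_{label}_fails_to_start", 1e-3),
        BasicEvent(f"valve_{label}_fails_to_open", 1e-4),
        BasicEvent(f"operator_fails_to_start_{label}", 1e-2),
        BasicEvent(f"train_{label}_in_maintenance",
                   unavailability_from_downtime(1.0, HOURS_PER_WEEK)),
    ])


# Top event: both redundant trains fail on demand (constructed two-train system).
ECC_TREE = Gate("emergency_cooling_fails", "AND", [make_train("A"), make_train("B")])


if __name__ == "__main__":
    print(f"train A unavailability : {top_event_probability(make_train('A')):.3e}")
    print(f"top event, exact       : {top_event_probability(ECC_TREE):.3e}")
    print(f"top event, rare-event  : {rare_event_bound(ECC_TREE):.3e}")
```

Running the script shows the point the lecture makes about inputs: the operator
error and the maintenance outage, not the hardware, dominate each train's
unavailability, and the two-train AND gate reduces the top-event probability to the
order of 10^-4 only because the trains are assumed independent; a shared cause
(common support system, same maintenance crew) would have to be modelled as its own
basic event.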
What are the benefits of PRA?
Early forms of PRA had their origin in the aerospace industry
before and during the Apollo space program. Later on, other
industries (e.g., nuclear power industry, chemical industry),
US Government laboratories and US Government agencies
expanded PRA methods to higher levels of sophistication in
order to assess safety compliance and performance.

In recent years, Government regulatory agencies, like the
Nuclear Regulatory Commission and the Environmental
Protection Agency, have begun to use risk-based or risk-
informed regulation as a basis for enhancing safety. The use
of PRA is expected to grow both in the Government and in
the private sectors.

18
What are the benefits of PRA?

Early on, industry began using PRA reluctantly, at the
request of some regulatory agencies, to assess
safety concerns. For example, the NRC required that
each nuclear power plant in the US perform an
independent plant evaluation (IPE) to identify and
quantify plant vulnerabilities to hardware failures and
human faults in design and operation. Although no
method was specified for performing such an
evaluation, the NRC requirements for the analysis
could be met only by applying PRA methods.

19
What are the benefits of PRA?
After completing the compulsory PRA efforts, however,
performing organizations usually discovered benefits beyond
mere compliance with regulation. These have included new
insights into and an in-depth understanding of:
• Design flaws and cost-effective ways to eliminate them in
design prior to construction and operation;
• Normal and abnormal operation of complex systems and
facilities even for the most experienced design and
operating personnel;
• Design flaws and hardware-related, operator-related and
institutional reasons impacting safety and optimal
performance at operating facilities and cost-effective ways
to implement upgrades;
• Approaches to reduce operation and maintenance costs
while meeting or exceeding safety requirements;
• Technical bases to request and receive exemptions from
unnecessarily conservative regulatory requirements.
20
Part II: The Reactor Safety Analysis: Deterministic
versus Probabilistic

21
Reactor Safety Analysis

How safe is safe enough? This is a long-standing
question in the development of nuclear reactors.
The defense-in-depth philosophy mandates safety
systems that are independent, diverse, and
redundant. When using this philosophy of design it
is hard to decide if two emergency core cooling
systems are enough or if there should be three or
four or more. To make these decisions, nuclear
reactor designers use two methods.

22
Reactor Safety Analysis
The deterministic method uses postulated accidents and the
single-failure criterion. Designers assume that there is an
accident, such as a loss of coolant, together with a single failure of
the single most important component needed to respond to the event,
such as the failure of a single safety injection pump. Nuclear
reactors were, and still are, designed such that given these
circumstances and conservative calculation methods, the core
will not melt and no radiation will be released. After doing
this safety analysis to show that in a series of postulated
accidents and single failures there is no core melt, a reactor is
deemed safe enough.

The problem with this method is that multiple, more frequent
events are treated the same as rare, catastrophic failures.
Additionally, it gives no quantitative value to the risk posed by
nuclear plants.
23
Deterministic Safety Analysis

24
The Single-Failure Criterion
• Fluid and electric systems are considered to be
designed against an assumed single failure if
neither (1) a single failure of any active
component (assuming passive components
function properly) nor (2) a single failure of a
passive component (assuming active components
function properly) results in a loss of the
capability of the system to perform its safety
functions.
• The intent is to achieve high reliability (probability
of success) without quantifying it.
• Looking for the worst possible single failure leads
to better system understanding.
25
Probabilistic Risk Assessment (PRA)

A second way to look at the problem is to use the
probability of failure as a guide. If this probabilistic
method is to be used, the best way to start
answering the question of “How safe is safe
enough?” is to find out what risks people accept
in their daily lives.

26
Occupational and Total Annual Fatality Risks

Industry          Fatality frequency (per year)
All industries    7 × 10^-5
Coal mining       24 × 10^-5
Fire fighting     40 × 10^-5
Police            32 × 10^-5
US President      1,900 × 10^-5

Public            Fatality frequency (per year)
Total             870 × 10^-5
Heart disease     271 × 10^-5
All cancers       200 × 10^-5
All accidents     50 × 10^-5
Motor vehicles    14 × 10^-5
27
Probabilistic Safety Analysis (PSA)
As a probabilistic safety goal, the NRC issued the
Quantitative Health Objectives (QHO) such that the
risk from a nuclear power plant should constitute
less than 1/1000th of the total risk to those living
near the power plant. This leads to the individual
fatality goal of 5 × 10^-7 per year early fatality risk for
those within one mile of the site boundary. This is
1/1000th of the accidental deaths in the United States.
There is also a goal of less than 2 × 10^-6 latent
cancer risk for all of those within ten miles of the
site boundary; this is 1/1000th of all cancer deaths.

28
Probabilistic Safety Analysis (PSA)

29
The Pre-PRA Era (prior to 1975)
• Management of (unquantified at the time) uncertainty was
always a concern.
• Defense-in-depth and safety margins became embedded in
the regulations.
• “Defense-in-Depth is an element of the NRC’s safety
philosophy that employs successive compensatory
measures to prevent accidents or mitigate damage if a
malfunction, accident, or naturally caused event occurs at
a nuclear facility.” [Commission’s White Paper, February,
1999]
• Design Basis Accidents are postulated accidents that a
nuclear facility must be designed and built to withstand
without loss to the systems, structures, and components
necessary to assure public health and safety.
30
Historical Risk Studies
• Farmer’s Paper (1967)
He considered the public acceptability of risk (e.g., from nuclear reactors),
arguing that a whole spectrum of events needs to be considered, not just
the Maximum Credible Accident, but also those of less consequence but
which were much more probable.
• Reactor Safety Study: WASH-1400 (1975)
• Risk Assessment Review Group Report (1979)
• German Risk Study (1979)
• Zion (near Chicago) and Indian Point (near NYC) PRAs
(1981)
• NUREG-1150 (1990)
NUREG-1150 ("Severe Accident Risks: An Assessment for Five U.S.
Nuclear Power Plants", published December 1990 by the Nuclear
Regulatory Commission [NRC])
• Individual Plant Examinations
31
The Reactor Safety Study: WASH-1400

An especially important finding of WASH-1400 was that
transients, small LOCAs, and human errors make important
contributions to overall risk.

Following the TMI-2 accident, interest in PSA methodology
increased dramatically as attention was focused on events
that could be precursors to severe core damage accidents.
The subsequent accident at Chernobyl increased the
attention even more.

Recently, the NRC issued requirements for each U.S. power
reactor to perform an independent plant examination using
PRA methods.
32
Probabilistic Risk Assessment (PRA)

There are four basic steps in PRA:
1. Define End States
2. Identify Initiating Events
3. Develop Event and Fault Trees
4. Quantify

33
Probabilistic Risk Assessment (PRA)
The end states of most interest for nuclear reactors are core
damage and radiation release.

The initiating events fall into two categories:
1. external events such as fires, floods, and earthquakes
2. internal events such as turbine trip, reactivity
insertion, and loss of coolant.

Event and fault trees are tools that logically connect a
sequence of basic events, intended to respond to an initiating
event, with end states.

The frequency of initiating events and the probability of failure of
basic events are input into the event and fault trees. The
frequency of each end state is then calculated.
34
Level 1 PRA

Level 1 ends at core damage. Here thermal-hydraulic
and reactor physics calculations
are done for each scenario with a significant
frequency to determine if the core is
damaged.

35
Level 2 PRA

Level 2 ends at release with the source term
defined. The probability and amount of
radioactive materials released from
containment given the sequences from the
Level 1 PRA are calculated.

36
Level 3 PRA

Level 3 ends at dose to the public with the early
and latent fatality risks explicitly calculated.
The dose to the public from the source term
from the Level 2 PRA is calculated using
meteorological and other radioactive material
transport calculations. The results of a Level 3
PRA can be directly compared to the QHOs.

37
PRA Model Overview

38
Transition of a Risk Assessment

39
Core damage frequency

Core damage frequency (CDF) is defined as the
sum of the frequencies of those accidents that
result in uncovery and heatup of the reactor core to
the point at which prolonged oxidation and severe
fuel damage involving a large fraction of the core
(i.e., sufficient, if released from containment, to
have the potential for causing offsite health effects)
is anticipated.

40
Large early release frequency
Large early release frequency (LERF) is defined
as the frequency of those accidents leading to
significant, unmitigated releases from containment
in a time frame prior to effective evacuation of the
close-in population such that there is the potential
for early health effects. Such accidents generally
include unscrubbed releases associated with early
containment failure shortly after vessel breach,
containment bypass events, and loss of
containment isolation.

41
Probabilistic Risk Assessment (PRA)

Using the results of several PRAs, the NRC has developed
subsidiary goals to the QHOs. This allows a designer to use a
Level 1 or Level 2 PRA, which are less difficult to complete
than a Level 3 PRA, to show approximate compliance with the
QHOs.

These subsidiary goals are a Core Damage Frequency (CDF)
below 10^-4 (Level 1) and a Large Early Release Frequency
(LERF) of 10^-5 (Level 2).

Typically CDF is considered a good surrogate for the latent
cancer risk and LERF is considered a good surrogate for the
early fatality risk.
42
Probabilistic Risk Assessment (PRA)

Another important, and currently more often used, output of a
PRA is the risk importance of safety systems.

Using the results of the PRA and the event and fault tree
logic, the safety systems most important to safety can be
found. The measures most typically used are Fussell-Vesely
(FV) and Risk Achievement Worth (RAW). FV basically
measures how often failure of a system is expected to be a
contributor to risk. RAW measures how much higher the risk
would be if a system were removed from the design. These
importance measures are used to rank the risk importance of
systems.

43
Probabilistic Risk Assessment (PRA)

The mean risk of nuclear reactors operating in the
United States typically meets the QHOs by an
order of magnitude. CDF is typically estimated
around 10^-5 per year and LERF is typically
estimated around 10^-6 per year.

44
Risk-Informed Framework

45
Part III: The Reactor Safety Study: WASH-1400

46
The Reactor Safety Study: WASH-1400

The pioneering report (WASH-1400, 1975) entitled
“Reactor Safety Study: An Assessment of Accident
Risk in U.S. Commercial Nuclear Power Plants” was
the first attempt to provide a realistic and systematic
assessment of the risks associated with utilization of
commercial nuclear power reactors. The basic
probabilistic risk assessment [PRA] approach in
WASH-1400 is still illustrative of current practices,
even though significant refinements have been
introduced.

47
The Reactor Safety Study: WASH-1400

The goals of the WASH-1400 study were to:
• perform a realistic quantitative assessment of risk
to the public from reactor accidents
• develop methodological approaches for
performing the assessments and understand
their limitations
• provide an independent check on the
effectiveness of reactor safety practice of industry
and government and identify areas for future
safety research

48
The Reactor Safety Study: WASH-1400

The first goal stressed that the assessment be
realistic, i.e., as opposed to the conservative
evaluations required for licensing purposes.

The WASH-1400 study was directed by Professor
Norman Rasmussen (thus it is sometimes referred
to as the “Rasmussen Report”).

49
The Reactor Safety Study: WASH-1400

The following steps outline the basic flow of the
reactor safety study:
1. definition of reactor accident sequences which
have the potential for putting the public at risk
2. estimation of occurrence probabilities and
radioactivity releases for the sequences
3. consequence modeling for health effects and
property damage from the releases
4. overall risk assessment and comparison to
non-nuclear risks

50
Release Magnitudes
The magnitude of the fission-product release from the reactor
containment building varies among the accident scenarios.
The quantity of each species entering the general
environment depends on:
• its prerelease inventory,
• the transport of the species from the core to the containment,
• the mode by which the containment is breached.

The WASH-1400 study evaluated potential release
magnitudes for each major accident scenario. Event tree
methodology was used extensively for such purposes.

51
Consequence Modeling

The consequence model for the WASH-1400
study included detailed evaluations of:
• atmospheric dispersion of radionuclides
• population distribution
• evacuation
• health effects
• property damage

52
Major findings of WASH-1400

53
Reactor Accident Risk

The WASH-1400 study drew the following general
conclusions for the reference 100-LWR population
expected to be operating during the 1980s:
1. The most likely core meltdown accident has
modest consequences to the public,
2. Reactor accidents have consequences which are
no larger, and often much smaller, than those to
which the population is already exposed,
3. The frequency of reactor accidents is smaller
than that of most other accidents which have
similar consequences.

54
Reactor Accident Risk

55
Reactor Accident Risk

56
Reactor Accident Risk

57
Reactor Accident Risk

58
At Power Level 1 Results

59
At Power Level 1 Results

60
At Power Level 2 Results

61
Shutdown

62
Shutdown PRA Issues

63
64
NUREG-1150 and WASH-1400 CDF for Peach Bottom

65
