
Nuclear Power: Risk Analysis

B. JOHN GARRICK
Independent Consultant

Laguna Beach, California, United States

1. Why Risk Assessment?

2. Nuclear Safety Theme

3. Historical Development of Nuclear Plant Safety

4. Nuclear Power Accident Experience

5. Risk Assessment Methodology

6. Important Applications and Benefits

7. Risk Assessment and Regulatory Practice

8. Future Direction of Risk Assessment

Glossary

core The nuclear fuel and fission reaction region in a nuclear reactor.

core damage (melt) An accident in which the nuclear fuel is damaged beyond recovery.

defense-in-depth A combination of multiple barriers and design basis accident analysis that reasonably assures public health and safety and protection of the environment.

design basis accident An accident forming part of the basis for the design of a nuclear power plant, for which there will be reasonable assurance that there will be no damage to the nuclear fuel for that accident.

emergency core cooling system A separate and independent cooling system for the reactor core in the event of a “loss-of-coolant accident.”

event tree A cause-and-effect representation of logic involving inductive reasoning.

fault tree An effect-and-cause representation of logic involving deductive reasoning.

nuclear power plant A commercial electric power-generating station that employs a nuclear reactor as the basic source of energy.

nuclear reactor An energy-generating system based on nuclear fission and a controlled self-supporting chain reaction.

pinch points The interfacing input and output states of the three models (plant, containment, site) that make up a full-scope risk assessment for a nuclear power plant.

plant damage states The output of the plant risk model representing the end states of accident scenarios that are a threat to the containment system.

quantitative risk assessment A process of systems analysis that calculates the likelihood and consequences of undesirable events and their uncertainties.

risk Answers the three questions about what can go wrong, how likely it is, and what the consequences are.

safety train A separate and independent set of engineered safety features for mitigating accidents.

scenario A sequence of events that describes the course of a nuclear plant accident.

scram The sudden shutdown of a nuclear reactor, usually by the rapid insertion of safety rods.

secondary containment An enclosure around a nuclear reactor to provide added protection from the release of radiation in the event of an accident that fails the primary containment system.

single-failure criteria A design criterion whereby the failure of a single system or piece of equipment will not result in any health and safety consequences.

trip An automatic or manual action that shuts down a system such as the reactor core or major piece of equipment, e.g., a turbine that provides the shaft power to the electric generators.

Nuclear power plant safety has been the principal driver for contemporary methods of quantitative risk assessment. Important contributions include a general definition of risk, methods for embracing and quantifying uncertainties, and the importance ranking of contributors to risk—an essential input for quantitative risk management. Most importantly, the adoption of risk assessment practices by the nuclear power industry coincides with an era of unprecedented safety in the performance of nuclear power plants.

1. WHY RISK ASSESSMENT?

The simple answer to “why risk assessment?” for nuclear power plants is that nations and the world have to make decisions about the best energy mix for the future of planet Earth. Risk to people and the environment is a fundamental attribute of societal decision making. But there is more to it than just decision making. Early in the development of nuclear power, it became clear that large inventories of radiation required a level of safety analysis beyond standard practices. Nuclear reactors were being contemplated for use in generating electricity, and safety was a concern, especially in light of the stigma of the dangers of the fission process carried over from nuclear weapons development. The nuclear power industry was forced to seek new methods of safety analysis of nuclear power plants to overcome the “fear anything nuclear” syndrome that prevailed in the minds of some members of the public. The new methods needed to provide answers to three questions: what can go wrong with a nuclear power plant, how likely is it, and what are the consequences? The traditional methods of safety analysis, although somewhat effective in answering questions about what can go wrong and the consequences, profoundly failed to answer the question having to do with the likelihood of accidents. The “likelihood” question held the key for being able to quantify nuclear power plant risk. In short, for society to have access to nuclear energy systems that have the potential to end anxieties about energy resources, the industry was forced to come up with a more convincing safety case than was possible with past methods of analysis.

Encyclopedia of Energy, Volume 4. © 2004 Elsevier Inc. All rights reserved.

The nuclear electric power industry has been the leader in the development and widespread use of quantitative risk assessment (QRA). The U.S. nuclear electric power industry gave birth to the term “probabilistic risk assessment” (PRA); the international nuclear community sometimes uses the equivalent term “probabilistic safety assessment” (PSA). The concept that appears to be best received across different industries is that of quantitative risk assessment. In this discussion, quantitative risk assessment, probabilistic risk assessment, and just plain “risk assessment” are used interchangeably.

Risk assessment has survived and flourished in the U.S. nuclear power industry because it is an exceptional tool to make better decisions. QRA was able to satisfy the desire of nuclear plant owners to have a decision tool that quantitatively allows the evaluation of various options that have multiple input variables. The most important variables to the nuclear plant owners are cost, generation, and risk (public health, worker health, and economic). Although QRA started out as a tool to address the public health risk, it facilitated evaluating an entire spectrum of variables. The industry’s recovery from the Three Mile Island Unit 2 accident in 1979 was greatly aided by the use of quantitative risk assessment because of the ability to better focus on the real safety issues. In fact, the industry has had an impeccable safety record since embracing contemporary methods of quantitative risk assessment, and safety is not the only benefit that has resulted from the widespread use of risk assessment in the nuclear power industry. Risk assessment provides the ability for plant personnel to balance cost, generation, and risk. Although there is no U.S. Nuclear Regulatory Commission (NRC) requirement for an existing nuclear power plant to maintain a risk assessment, the plants do so, following general industry guidelines. The NRC does require a prospective licensee to submit a PRA with the application for any proposed new nuclear electric power unit in the United States.

2. NUCLEAR SAFETY THEME

Today, nuclear power plant safety analysis employs the most advanced methods available for assessing the health and safety of the public. Many of the methods used for nuclear power plants have been adopted by high-technology industries such as those involved in space flight, defense systems, chemical plants, refineries, offshore platforms, and transportation systems. The probabilistic concepts currently spearhead the level of sophistication of the analyses, but there are basic tenets and themes that have guided the safety management of nuclear electric power plants from the beginning. The most fundamental of these basic tenets is the concept of multiple barriers.

Multiple barriers are a concept of providing enough barriers between radiation and the environment to provide assurance that the likelihood of simultaneous breach of all barriers is remote. Examples of barriers in a nuclear power plant are high-containment-capacity fuel with cladding, an isolated reactor coolant system, primary reactor building containment, secondary building containment, and exclusion distance. Other defense mechanisms include automatic control systems, single-failure criteria (no single failure threatens fuel integrity), and recovery capabilities from equipment malfunctions. QRA provides the ability to determine what risk levels are achieved by each barrier and at what cost. The value of each barrier is placed in the context of the overall risk. A principal factor in implementing multiple barriers is choosing design basis accidents to evaluate the multiple barriers. The principle behind the design basis accident is the requirement that the plant design incorporate the capability to withstand specific hypothetical initiating events and failures without causing damage to the nuclear fuel. This process of multiple barriers and design basis accidents is referred to by the NRC as defense-in-depth.

The defense-in-depth concept has generally been implemented through the promulgation of very specific deterministic regulations. As the nuclear regulations come under review for risk-informing the regulatory process, it is not expected that the multiple-barriers tenet of regulatory practice will change in kind, but it will change in degree with much better knowledge of the real plant risk. In particular, with the availability of much more advanced methods for calculating the value of protective barriers, the ability exists to optimize the barriers in terms of risk and cost. Furthermore, the design basis concept can be assessed for its usefulness. This is considered important, as past application of defense-in-depth in the absence of a risk-informed approach has resulted in a definite increase in the complexity and cost of nuclear power plants without commensurate improvement to the overall public health risk. Quantifying defense-in-depth is one of the most significant benefits of QRA.

3. HISTORICAL DEVELOPMENT OF NUCLEAR PLANT SAFETY

Nuclear plant safety has two major fronts—the physical system and the analysis of the physical system. On the physical system front, improvements in safety design have included the advent of secondary containment systems (~1953), the inclusion of backup safety systems known as engineered safety features, especially with respect to emergency core cooling systems and electric power (~late 1950s and early 1960s), and the introduction of separate and independent safety trains (~1970s). In the 1980s and 1990s, nuclear power plants initiated programs for scram (sudden reactor shutdown) reduction based on a complete review and analysis of operating transients. As scrams were reduced, public health risk was reduced because there were fewer departures from normal steady-state operation. Also in the 1980s and 1990s, each nuclear power plant implemented the concept of “symptom-based procedures” for accident control and installed improved simulators for operator training.

On the analysis front, many events took place leading to a greatly improved understanding of the safety of nuclear power plants. It was demonstrated that the consequences of accidents had little meaning without a better understanding of their likelihood. It became clear that it was not enough to do worst-case and maximum-credible accident analysis. Everyday transients followed by multiple failures of equipment and mistakes by operators were more likely than design basis accidents to result in reactor core damage.

The need for probabilistic analysis was recognized as early as the mid-1950s. However, detailed investigations of the probability of reactor accidents did not begin until about 1965. The first major reactor safety study to highlight the need for PRA of reactor accidents was the 1957 U.S. Atomic Energy Commission report WASH-740, “Theoretical Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants.” Speculative estimates were made in WASH-740 that a major reactor accident could occur with a frequency of about one chance in a million during the life of a reactor. The report went on to observe that the complexity of the problem of establishing such a probability, in the absence of operating experience, made these estimates subjective and open to considerable error and criticism. Although it did not offer many specifics, this study did create interest in probabilistic approaches, and many studies were soon to follow. These included British and Canadian efforts, probabilistic analyses of military reactors, and several studies sponsored by the U.S. Atomic Energy Commission. At about the same time, Garrick wrote a Ph.D. thesis on unified systems safety analysis of nuclear power plants based on a total systems and probabilistic approach.

The breakthrough in the probabilistic risk assessment of nuclear power plants came in 1975 with the publication of the Reactor Safety Study by the U.S. Nuclear Regulatory Commission under the direction of Professor N. C. Rasmussen of the Massachusetts Institute of Technology. This project marked a turning point in the way people analyzed the safety of complex facilities and systems. The Reactor Safety Study was followed by several major industry studies, such as the risk assessments performed on the Zion and Indian Point nuclear power plants; the new methods that were introduced in these assessments have become standards of many QRA applications. These studies provided a major breakthrough in calibrating the worth of safety features and safeguards, and therefore, the safety margins of designs.

By the 1980s, the question was no longer “why,” but how soon a QRA could be developed for every nuclear power plant in the United States. That goal has essentially been reached. The benefits of QRA for U.S. nuclear power plants have been demonstrated in terms of a reduction in frequency of core damage events (one reactor core lost in approximately the first 450 reactor years of experience versus zero reactor cores lost in over 2000 actual reactor years of experience since the Three Mile Island accident) and improved generation with a reduction in the cost of electricity. The most important benefit is nuclear power plants with reduced public health risk. QRA has been effective not only in calibrating the risk of nuclear power, but has provided better knowledge of the worth of safety systems and allowed the allocation of safety engineering resources to the most important contributors. Effective risk management of nuclear electric power plants in the United States has become a reality, not just a goal.

4. NUCLEAR POWER ACCIDENT EXPERIENCE

There have only been two accidents worldwide that have resulted in severe core damage of a nuclear power plant designed to generate electricity. The accidents involved the Three Mile Island Unit 2 plant near Harrisburg, Pennsylvania, in the United States, and the Chernobyl Nuclear Power Station in the Ukraine of the former Soviet Union. Both accidents permanently damaged the nuclear reactors involved, but only the Chernobyl accident resulted in known fatalities and injuries. The on-site consequences of the Chernobyl accident were very serious; an estimated 30 people are believed to have died from acute doses of radiation and some 300 people required hospital treatment for radiation and burn injuries. No off-site fatalities or injuries have yet been attributed to the Chernobyl accident, although the latent effects are yet to be quantified. It is important to put these two very serious accidents in context with the safety experience of the nuclear power industry. There are approximately 440 nuclear power plants in the world. Nuclear energy is just over 5% of the world primary energy production and about 17% of its electrical production. In the United States, there are 103 nuclear power plants operating, providing approximately 20% of the nation’s electricity. The worldwide experience base is approaching 10,000 in-service reactor-years, of which about 3000 reactor-years is U.S. experience. The experience base is likely beyond 10,000 reactor-years if all types of reactors are included, such as research, test, weapons, and propulsion reactors. Some 70% of the nuclear power plant experience worldwide involves light water reactors, for which only one accident has occurred, Three Mile Island. This safety record is most impressive. The challenge is to keep it that way.

4.1 The Three Mile Island Unit 2 Accident

The Three Mile Island Unit 2 (TMI-2) nuclear power plant, located near Harrisburg, Pennsylvania, went into commercial operation in December 1978. The plant was designed to generate approximately 800 MW of electricity and used a pressurized water reactor supplied by the Babcock and Wilcox Company. The accident occurred on March 28, 1979. Routine mechanical malfunctions with the plant resulted in an automatic shutdown (“feedwater trip”) of the main feedwater pumps, followed by a trip of the steam turbine and the dumping of steam to the condenser. The loss of heat removal from the primary system resulted in a rise of reactor system pressure and the opening of the power-operated relief valve. This action did not provide sufficient immediate pressure relief, and the control rods were automatically driven into the core to stop the fission process.

These events would have been manageable had it not been for some later problems, such as with the emergency feedwater systems. Perhaps the turning point of the accident was that the opened pressure relief valve failed to close and the operators failed to recognize it. The result was the initiation of the well-studied small loss-of-coolant accident, known as the small LOCA. The improperly open valve, together with some other valve closures that had not been corrected from previous maintenance activities, created a shortage of places to put the heat loads of the plant. The response of the plant was the initiation of high-pressure emergency cooling. High pump vibration and concern for pump seal failure resulted in the operators eventually shutting down all of the main reactor coolant pumps. It was during the time that the coolant pumps were off, for 1 to 3 hours, that the severe damage to the core took place. At about 2 hours and 20 minutes into the accident, the backup valve (known as a block valve) to the stuck-open relief valve was closed. This action terminated the small LOCA effect of the stuck-open relief valve. Although the accident was then under some level of control, it was almost 1 month before complete control was established over the reactor fuel temperature, when adequate cooling was provided by natural circulation. The consequences of the accident were minimal in terms of the threat to public health and safety, but the damage to the reactor was too severe to recover the plant.

4.2 Chernobyl Nuclear Power Station Accident

The Chernobyl nuclear power plant in the former Soviet Union involved a 1000-MW (electrical) boiling water, graphite-moderated, direct-cycle reactor. The Chernobyl accident occurred on April 26, 1986, and was initiated during a test of reactor coolant pump operability from the reactor’s own turbine generators. The purpose of the test was to determine how long the reactor coolant pumps could be operated, using electric power from the reactor’s own turbine generator under the condition of turbine coast down and no steam supply from the reactor. However, the experimenters wanted a continuous steam supply, so they decided to conduct the experiment with the reactor running—a serious mistake. The test resulted in a coolant flow reduction in the core and extensive boiling. Because of the inherent properties of this reactor design, the chain reaction increases on boiling, rather than decreases as in U.S. plants, and a nuclear transient occurred that could not be counteracted by the control system. The result was a power excursion that caused the fuel to overheat, melt, and disintegrate. Fuel fragments were ejected into the coolant, causing steam explosions and rupturing fuel channels with such force that the cover of the reactor was blown off. This accident resulted in approximately 30 fatalities from acute doses of radiation and the treatment of some 300 people for radiation burn injuries. The off-site consequences are still under investigation. Latent effects are expected, but they have not been quantified.

In summary, nuclear power suffered a severe setback from both of these accidents, although public support for nuclear power was already beginning to decline. Nuclear plants under construction were canceled and no new U.S. nuclear plants have been ordered since 1979. The fact that the TMI-2 accident did not result in any radiation injuries or fatalities and the Chernobyl reactor type is no longer in the mix of viable power reactors has not removed the fear that some segments of the public have of nuclear power. However, the superior performance and safety record in the United States since these two accidents has allowed the NRC to approve power upgrades and license extensions for several U.S. nuclear power plants.

5. RISK ASSESSMENT METHODOLOGY

Quantitative risk assessments of nuclear power plants are generally based on the following principles:

• The quantitative expression of risk should be in the form of a structured set of scenarios, each having a corresponding likelihood and consequence.

• Each risk scenario should take the form of a sequence of events, starting with an event that upsets an otherwise successful operation or system, and proceeding through a series of subsequent events to the end state that terminates the scenario (i.e., the consequences of the scenario).

• The set of scenarios must be complete in the sense that all of the important contributors to risk are included.

• The end states of the scenarios should reflect initial, cascading, and collateral consequences or levels of damage where appropriate.

• The scenarios must be quantified in terms of clearly defined risk measures, be realistic, incorporate uncertainties, and be based on the supporting evidence.

• The results should rank the contributors to risk in order of importance and must be presented in a way that supports decision making.

The overarching principle on which risk assessment methodology for nuclear power plants is founded is that when we ask the question “what is the risk?” we are really asking the following three questions: (1) what can go wrong, (2) how likely is it, and (3) what are the consequences? In the notation of the practitioners of risk assessment, this “triplet” definition of risk by Kaplan and Garrick is represented as follows:

$$R = \{\langle S_i, L_i, X_i \rangle\}_c,$$

where $S_i$ denotes risk scenario $i$, $L_i$ denotes the likelihood of that scenario, and $X_i$ denotes the consequences or damage level of that scenario. The angle brackets enclose the triplets, the curly brackets mean “a set of,” and the subscript $c$ denotes complete, meaning that all of the important scenarios are included in the set.

An overview of the basic structure of a nuclear power plant quantitative risk assessment is shown in Fig. 1. There are basically three models within a full-scope quantitative risk assessment—the plant model, the containment model, and the site model. The plant model begins with the consideration of different initiating event categories and has as output different plant damage states. The plant damage states are input to the containment model, and its outputs are different release states that become the input to the site model. The output of the site model is the calculated health and environmental risks. The interfaces between the models are “pinch-points” that allow the models to be developed independently, which greatly facilitates the organization and transparency of the analysis. Figure 1 also illustrates what is described in the next section as the “event tree,” “fault tree” format for structuring scenarios. A consulting firm, Pickard, Lowe and Garrick, Inc., developed the modular event tree structure for quantitative risk assessment, a variation of the Reactor Safety Study methodology. The U.S. Nuclear Regulatory Commission and the American Nuclear Society have adopted the same three-model structure in their procedures guide on quantitative risk assessment. They identified the plant, containment, and site models cumulatively as Levels I, II, and III, respectively.

5.1 Structuring the Scenarios ($S_i$)

Scenario structuring encompasses the methods, algorithms, and insights needed to identify and portray the risk scenarios ($S_i$). Two common methods (Approach 1 and Approach 2) are used for scenario development and are sometimes referred to as the bottom-up and top-down approaches. They have the following characteristics:

1. Given a set of initiating events, the structuring of scenarios is done so the end state of each scenario is the condition that terminates the scenario. That is, the scenario determines the end state.

2. Given an end state, project backward to determine the potential scenarios that could occur to arrive at that end state.

The most common logic diagrams for representing the two methods are event trees and fault trees. An event tree starts with an initiating event and proceeds to identify the succeeding events, including branches, that eventually terminate into possible undesirable consequences. An event tree, therefore, is a cause-and-effect representation of logic. Event trees are the logic diagrams of preference for Approach 1. A fault tree starts with the end state or undesired consequence of interest and attempts to determine all of the contributing system states. Therefore, fault trees are effect-and-cause representations of logic and are the logic diagram preference for Approach 2. That is, an event tree is developed by inductive reasoning whereas a fault tree is developed by deductive reasoning. A key difference in the two representations is that a fault tree is only in “failure space” and the event tree includes both “failure and success space.” The choice between the two is a matter of circumstances and preference. Often the two are used in combination such that the event tree provides the basic scenario space of events and branch points, and the fault trees are used to quantify the “split fractions” at the branch points as illustrated in Fig. 1.

FIGURE 1 Event tree/fault tree structure of a nuclear plant quantitative risk assessment. [Figure not reproduced in this transcript. Panels: Plant model (I): initiating events (1. Equipment failures, 2. Human errors, 3. External events) → event tree branch points (success/failure) → plant damage states, with fault trees (“and”/“or” gates down to basic events) quantifying the failures at each branch point; output measure: core damage frequency. Containment model (II): radionuclide release states; output measure: large early-release frequency. Site model (III): health and environmental effects.]
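The combination just described, an event tree for the scenario space with fault trees supplying the split fractions, and the triplet set $\{\langle S_i, L_i, X_i \rangle\}_c$ of Section 5, can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the article or from any plant PRA: the initiating event (loss of main feedwater at 0.5 per reactor-year), the four top events A through D, and every failure probability are constructed for illustration. The fault tree for top event D is quantified exactly by enumerating its basic-event states; the event tree then yields one triplet per path, the end-state totals (the core damage frequency), and the importance ranking of the contributing scenarios.

```python
"""Event tree / fault tree quantification of one initiating event.

Added example: all equipment names, split fractions and basic-event
probabilities are constructed for illustration and are not taken from the
article or from any real plant PRA.
"""
from collections import defaultdict
from itertools import product

# ---- Fault tree (deductive, failure space only) -------------------------
# A node is a basic-event name (leaf) or a gate ("and" | "or", [children]).
BASIC_EVENTS = {                      # constructed per-demand failure probabilities
    "pump_a_fails": 0.02,
    "pump_b_fails": 0.02,
    "ecc_power_lost": 0.005,
}
# Top event: emergency core cooling (ECC) fails = power lost OR both pumps fail
ECC_FAULT_TREE = ("or", ["ecc_power_lost", ("and", ["pump_a_fails", "pump_b_fails"])])


def _leaves(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(_leaves(child) for child in node[1]))


def _evaluate(node, failed):
    """True when the basic-event states in `failed` make the top event occur."""
    if isinstance(node, str):
        return failed[node]
    gate, children = node
    results = [_evaluate(child, failed) for child in children]
    return all(results) if gate == "and" else any(results)


def fault_tree_probability(tree, probs):
    """Exact top-event probability by enumerating all basic-event states
    (independent basic events assumed). This number is the split fraction the
    event tree uses at the branch point for this system."""
    names = sorted(_leaves(tree))
    total = 0.0
    for states in product((False, True), repeat=len(names)):
        failed = dict(zip(names, states))
        if _evaluate(tree, failed):
            weight = 1.0
            for name, is_failed in failed.items():
                weight *= probs[name] if is_failed else 1.0 - probs[name]
            total += weight
    return total


# ---- Event tree (inductive, success and failure space) ------------------
# Top events A-D: probability that the top event FAILS on demand (split fraction).
TOP_EVENTS = {
    "A_reactor_scram": 1e-5,
    "B_emergency_feedwater": 0.01,
    "C_relief_valve_recloses": 0.05,
    "D_emergency_core_cooling": fault_tree_probability(ECC_FAULT_TREE, BASIC_EVENTS),
}
END_STATES = {"safe shutdown", "core damage"}


def advance(path):
    """Event tree logic (constructed): given the outcomes so far, return the
    next top event to question, or the end state that terminates the scenario.
    `path` is a tuple of (top_event, succeeded) pairs."""
    outcome = dict(path)
    if "A_reactor_scram" not in outcome:
        return "A_reactor_scram"
    if not outcome["A_reactor_scram"]:
        return "core damage"                 # failure to scram: no mitigation credited
    if "B_emergency_feedwater" not in outcome:
        return "B_emergency_feedwater"
    if outcome["B_emergency_feedwater"]:
        return "safe shutdown"               # heat removal restored; path truncated
    if "C_relief_valve_recloses" not in outcome:
        return "C_relief_valve_recloses"     # stuck-open valve: small LOCA path
    if "D_emergency_core_cooling" not in outcome:
        return "D_emergency_core_cooling"
    return "safe shutdown" if outcome["D_emergency_core_cooling"] else "core damage"


def risk_set(initiating_event_frequency, path=(), frequency=None):
    """Enumerate every path through the event tree as triplets <S_i, L_i, X_i>:
    (scenario path, frequency per reactor-year, end state), where
    L_i = initiating-event frequency x product of the split fractions on the path."""
    if frequency is None:
        frequency = initiating_event_frequency
    nxt = advance(path)
    if nxt in END_STATES:
        return [(path, frequency, nxt)]
    p_fail = TOP_EVENTS[nxt]
    return (risk_set(initiating_event_frequency, path + ((nxt, True),), frequency * (1.0 - p_fail))
            + risk_set(initiating_event_frequency, path + ((nxt, False),), frequency * p_fail))


def end_state_frequencies(triplets):
    """Sum scenario frequencies by end state (e.g., the core damage frequency)."""
    totals = defaultdict(float)
    for _, freq, end_state in triplets:
        totals[end_state] += freq
    return dict(totals)


def ranked_contributors(triplets, end_state):
    """Scenarios reaching `end_state`, most frequent first (importance ranking)."""
    hits = [(path, freq) for path, freq, end in triplets if end == end_state]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    triplets = risk_set(0.5)   # constructed: loss of main feedwater, 0.5 per reactor-year
    for path, freq, end in triplets:
        label = " ".join(name[0] + ("" if ok else "*") for name, ok in path)  # * = top event failed
        print(f"{label:10s} {freq:.3e}/yr -> {end}")
    print("end-state frequencies:", end_state_frequencies(triplets))
    print("top core-damage contributor:", ranked_contributors(triplets, "core damage")[0])
```

Two properties of the output are worth checking whenever an event tree is built this way: the end-state frequencies sum back to the initiating-event frequency (the scenario set is complete and the branches at each point are exhaustive), and the ranking shows where the risk concentrates, which for these constructed numbers is the B-fails, C-succeeds, D-fails path rather than the scram failure.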

5.2 Defining Consequences ($X_i$)

Simply put, consequences are the end states of the scenarios. There are two perspectives of consequences and both are used in analyzing the risk of nuclear power plants. One perspective is to take each risk scenario to whatever point that is a reasonable termination of the scenario. The scenarios are then assembled by different consequences, or damage states. The other perspective is to define the damage state of interest in advance, such as “core melt,” “radionuclide releases,” “radiation dose to humans,” “injuries,” “fatalities,” and “property damage,” and consider only the scenarios that have as their end state the undesired damage state(s). Although examples of both approaches exist, current practice is to focus on “core melt” as the primary basis for measuring risk because core melt is a precursor to large radiation releases. One other damage state has been defined to serve as a surrogate for consequences beyond core melt, and that is “a large early-release frequency” of radiation. The choice is dependent on the requirements provided to the analyst as to how to structure the scenarios and end states.

5.3 Quantifying the Scenarios (L_i)

To quantify the likelihood, L_i, of different accident scenarios, it is first necessary to define the concept of likelihood. Most often the methodology adopts the “probability-of-frequency” principle to define likelihood. The frequency parameter is presented as a probability distribution to communicate frequency uncertainty. The actual quantification of the risk scenarios is done with the aid of the event tree (see Fig. 2). The event tree branch points are determined by actions, activities, and equipment (top events) that can alter or truncate the path of a scenario or sequence of events. An example of an action that could alter the path of a scenario is a decision by a reactor operator to shut down a cooling system. An example of an activity might be the activation of a mitigating system, such as an emergency coolant system, and an example of an equipment event might be the failure of a source of electric power. Top events are placed in the boxes across the top of the diagram (Fig. 2) and are denoted A, B, C, and D. The event tree is a powerful tool because it makes visible all of the actions, equipment, processes, events, and features that affect an event. The diagram shown in Fig. 2 has only two outcomes emerging from a branch point (e.g., success or failure). However, an event tree can have multiple outcomes from a branch point to account for different degrees of degradation of a system. An individual scenario is a single path through the tree as illustrated by the highlighted lines.

Each scenario or path through the event tree can be described by an algebraic expression (shown in Fig. 2). Using input data for the initiating event and evidence-based split fractions at the branch points, the algebraic expression can be converted to an equation for calculating the frequency of individual scenarios. The remaining step is to embed the frequencies into appropriate probability distributions to communicate their uncertainties. There are various techniques for carrying out this operation, but the one often preferred is based on Bayes’ theorem. Bayes’ theorem is the fundamental, logical principle governing the process of inferential reasoning. It answers the question: “How does the probability of a given hypothesis change when we obtain a new piece of evidence?”

Once the scenarios have been quantified, the results take the form of the graph in Fig. 3. Each scenario has a probability-of-frequency curve quantifying its likelihood of occurrence. Figure 3 shows the curve for a single scenario or a set of scenarios leading to a single consequence. Showing different levels of damage, such as the risk of varying injuries or fatalities, requires a different type of presentation. The most common form is the classical “risk curve,” also known as the “frequency-of-exceedance” curve, or the even more esoteric label, the “complementary-cumulative-distribution function.” This curve is constructed by ordering the scenarios by “increasing levels of damage” and cumulating the probabilities from the bottom up in the ordered set against the different damage levels. Plotting the results on log–log paper generates curves, as shown in Fig. 4.

[Figure 2: event tree with initiating event I and top events A, B, C, D across the top; at each node (Node A, Node B1, Node C3, ...) the failure branch carries the split fraction f(A|I), f(B|IA), ... and the success branch 1 − f(A|I), ...; the highlighted path is the scenario S = IABCD with φ(S) = φ(I) f(A|I) f(B|IA) f(C|IAB) f(D|IABC).]
FIGURE 2 Quantification of a scenario using an event tree.

[Figure 3: probability (P) plotted against frequency (Φ).]
FIGURE 3 Probability-of-frequency curve for a specific consequence.
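The scenario algebra of Fig. 2, the evidence-based (Bayesian) split fractions, and the probability-of-frequency and frequency-of-exceedance curves of Figs. 3 and 4, worked as an added Python example that is not code from the article. It assumes four top events, constructed failure/demand counts as the evidence, a constructed initiating-event count, and a constructed success-criteria rule for the end states.

```python
"""Event-tree scenario quantification with evidence-based split fractions
(constructed example).  A scenario frequency is phi(S) = phi(I) f(A|I)
f(B|IA) f(C|IAB) f(D|IABC); the split fractions and phi(I) are Bayesian
posteriors, and sampling them gives the probability-of-frequency curve."""
import random
from itertools import product

# Constructed evidence (not plant data): top event -> (failures, demands)
EVIDENCE = {"A": (1, 50), "B": (2, 200), "C": (0, 30), "D": (3, 100)}
# Constructed initiating-event evidence: (events observed, reactor-years)
INITIATOR_EVIDENCE = (2, 25)
# Constructed damage levels for the scenario end states (arbitrary units)
NO_DAMAGE, CORE_DAMAGE, LARGE_RELEASE = 0, 10, 100


def beta_posterior(failures, demands, prior=(0.5, 0.5)):
    """Bayes' theorem for a failure-on-demand probability: a Beta(a, b)
    prior (Jeffreys prior by default) updated with binomial evidence gives
    Beta(a + failures, b + successes).  Returns the posterior (a, b)."""
    a, b = prior
    return a + failures, b + (demands - failures)

def gamma_posterior(events, exposure, prior_shape=0.5):
    """Bayes' theorem for an event frequency: an improper Gamma(0.5, 0)
    prior updated with Poisson evidence gives Gamma(0.5 + events, exposure).
    Returns (shape, rate); the posterior mean is shape / rate."""
    return prior_shape + events, exposure

def end_state(failed):
    """Constructed success criteria: core damage if A fails or both B and C
    fail; a large early release if, in addition, containment function D
    fails.  Every other path ends in a safe state."""
    if not (failed["A"] or (failed["B"] and failed["C"])):
        return NO_DAMAGE
    return LARGE_RELEASE if failed["D"] else CORE_DAMAGE

def enumerate_scenarios(phi_i, split):
    """Walk every path of the (unpruned) tree.  split[e] is the failure split
    fraction of top event e; the failure branch multiplies the running
    frequency by f, the success branch by 1 - f."""
    scenarios = []
    for outcome in product([False, True], repeat=len(split)):
        failed = dict(zip(split, outcome))
        freq = phi_i
        for event, did_fail in failed.items():
            freq *= split[event] if did_fail else 1.0 - split[event]
        scenarios.append((failed, freq, end_state(failed)))
    return scenarios

def point_estimate_scenarios():
    """Scenarios quantified at the posterior means of every parameter."""
    shape, rate = gamma_posterior(*INITIATOR_EVIDENCE)
    split = {}
    for event, (fails, demands) in EVIDENCE.items():
        a, b = beta_posterior(fails, demands)
        split[event] = a / (a + b)
    return enumerate_scenarios(shape / rate, split)

def exceedance_curve(scenarios):
    """Risk curve (CCDF): order the scenarios by damage level and, for each
    level x, accumulate the frequency of all scenarios with damage >= x."""
    levels = sorted({d for _, _, d in scenarios if d > NO_DAMAGE})
    return [(x, sum(f for _, f, d in scenarios if d >= x)) for x in levels]

def core_damage_frequency_percentiles(n_samples=2000, seed=7):
    """Probability of frequency: sample the posteriors, requantify the tree
    each time, and report percentiles of the core damage frequency."""
    rng = random.Random(seed)
    shape, rate = gamma_posterior(*INITIATOR_EVIDENCE)
    posts = {e: beta_posterior(*ev) for e, ev in EVIDENCE.items()}
    cdfs = []
    for _ in range(n_samples):
        phi_i = rng.gammavariate(shape, 1.0 / rate)  # scale = 1 / rate
        split = {e: rng.betavariate(a, b) for e, (a, b) in posts.items()}
        cdfs.append(sum(f for _, f, d in enumerate_scenarios(phi_i, split)
                        if d >= CORE_DAMAGE))
    cdfs.sort()
    return {p: cdfs[int(p / 100 * (n_samples - 1))] for p in (5, 50, 95)}
```

Calling exceedance_curve(point_estimate_scenarios()) gives the two points of the risk curve (frequency of damage ≥ 10 and ≥ 100), and core_damage_frequency_percentiles() gives the 5th, 50th and 95th percentiles that describe the probability-of-frequency distribution for core damage.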

Although risk assessment results such as those illustrated in Figs. 3 and 4 can be beneficial in providing a perspective on the actual risks and in prioritizing contributors to risk, they are not the most important output of the risk assessment. The most important output is the revelation of the dominant contributors to the risk, which are necessary for effective risk management. The contributors are buried in the results assembled to generate such curves as those in Figs. 3 and 4. Numerous techniques can be used to extract and rank contributors. Most advanced risk assessment software packages contain algorithms for ranking the importance of contributors to a risk measure.
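The fault tree side of Fig. 1 (AND/OR gates expanded deductively down to basic events to quantify a branch-point split fraction) together with the ranking of dominant contributors discussed above, as an added Python example that is not code from the article. The gate structure, the basic-event probabilities and the choice of the Fussell-Vesely measure for the ranking are the editor's assumptions.

```python
"""Fault tree quantification of an event-tree split fraction, plus an
importance ranking of the basic events (constructed example).  The top
event "emergency cooling fails on demand" is an OR of both redundant pump
trains failing (AND) and loss of a shared support function (OR)."""
from itertools import product
from math import prod

# Constructed basic-event failure probabilities per demand (not plant data)
BASIC = {"PUMP_A": 0.02, "PUMP_B": 0.02, "DC_BUS": 0.001, "ACTUATION": 0.003}

# Gates as (type, children); a child is another gate or a basic event
GATES = {
    "TOP": ("OR", ["TRAINS", "SUPPORT"]),
    "TRAINS": ("AND", ["PUMP_A", "PUMP_B"]),
    "SUPPORT": ("OR", ["DC_BUS", "ACTUATION"]),
}


def probability(node, probs=BASIC):
    """Exact top-event probability when basic events are independent and
    each appears once in the tree: AND multiplies, OR is 1 - prod(1 - p).
    The result is the failure split fraction at the event-tree node."""
    if node in probs:
        return probs[node]
    kind, children = GATES[node]
    child_p = [probability(c, probs) for c in children]
    if kind == "AND":
        return prod(child_p)
    return 1.0 - prod(1.0 - p for p in child_p)


def minimal_cut_sets(node):
    """Deductive expansion from the top event down to the basic events:
    OR unions its children's cut sets, AND joins one set from each child;
    any set that contains another set is dropped."""
    if node in BASIC:
        return [frozenset([node])]
    kind, children = GATES[node]
    child_sets = [minimal_cut_sets(c) for c in children]
    if kind == "OR":
        sets = {s for group in child_sets for s in group}
    else:
        sets = {frozenset().union(*combo) for combo in product(*child_sets)}
    minimal = [s for s in sets if not any(other < s for other in sets)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def cut_set_probability(cut_set, probs=BASIC):
    """Probability of a cut set with independent basic events."""
    return prod(probs[e] for e in cut_set)


def fussell_vesely(node="TOP", probs=BASIC):
    """Fussell-Vesely importance: the share of the top-event probability
    carried by cut sets containing each basic event (rare-event sum of the
    cut sets), ordered from the dominant contributor down."""
    sets = minimal_cut_sets(node)
    top = sum(cut_set_probability(s, probs) for s in sets)
    ranking = {}
    for event in probs:
        share = sum(cut_set_probability(s, probs) for s in sets if event in s)
        ranking[event] = share / top
    return sorted(ranking.items(), key=lambda kv: kv[1], reverse=True)
```

With the constructed numbers the shared actuation and DC bus dominate the split fraction, and the redundant pump pair contributes only a few percent, which is the kind of insight the ranking is meant to surface.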

6. IMPORTANT APPLICATIONS AND BENEFITS

Since the Reactor Safety Study in 1975, major government and industry studies have provided the signature of what is meant by probabilistic risk assessment as practiced in the nuclear power field. These studies and applications include the joint effort of the U.S. Nuclear Regulatory Commission and the American Nuclear Society in the development of the industry’s PRA procedures guide, the collaborative industry effort on the Oconee nuclear plant risk assessment, and the NRC’s evaluation of five light water reactor designs culminating in the 1990 report, NUREG-1150. But the studies most responsible for specializing the Reactor Safety Study methodology to plant-specific risk assessments were the industry-sponsored Zion and Indian Point studies. The two efforts, the Reactor Safety Study and the Zion and Indian Point studies, are now discussed further.

It was the U.S. Atomic Energy Commission that undertook the Reactor Safety Study under the direction of Professor Norman C. Rasmussen of the Massachusetts Institute of Technology. The study took 3 years to complete and was a turning point in the way to think about the safety of nuclear power plants, or, for that matter, the safety of any natural or engineered system. It should be noted that the Reactor Safety Study was initiated before the Energy Reorganization Act of 1974 abolished the U.S. Atomic Energy Commission. This Act transferred to the Nuclear Regulatory Commission all the licensing and related regulatory functions assigned to the Atomic Energy Commission by the Atomic Energy Act of 1954.

The Reactor Safety Study, using the Surry nuclear power plant (pressurized water reactor) and the Peach Bottom nuclear power plant (boiling water reactor) as reference designs, calculated the risk from the operation of 100 current-design light water reactors located in the United States. The methodology was founded on the principle of a structured set of accident sequences, or scenarios. The sequences were developed using fault tree and event tree logic diagrams, quantified on the basis of the supporting evidence, and then assembled into different consequences such as core damage frequencies, radiation release fractions, and off-site radiation effects to people and property. The principal findings of the study were that the risk associated with the operation of selected nuclear power plants is extremely small and that the dominant contributor to risk is not the large loss-of-coolant accident, previously emphasized as the design basis accident. Transients and small loss-of-coolant accidents often are the major contributors to risk. The Reactor Safety Study also highlighted the important role of the reactor operators in maintaining the safety of nuclear power plants.

The public and scientific community had mixed reactions to the Reactor Safety Study. Their primary criticism of the study was that the “uncertainty analysis” was weak and the report lacked “scrutability.” The initial reaction of the NRC to the criticism was to withdraw their endorsement of the study. In spite of the criticisms of the study, there was strong support for the use of the methodology, especially from the plant owners. This favorable response, together with the fact that the Three Mile Island accident was among the event sequences addressed in the study, led the NRC to change their position and once again support the study.

[Figure 4: frequency (Φ) plotted against consequence (X) on log–log axes, with a family of curves P1, P2, P3 for different probability levels and a reference point (X1, Φ1).]
FIGURE 4 Risk curve for varying consequences, where the consequence is a variable.

The nuclear power industry was responsible for carrying the lessons learned from the Reactor Safety Study to the practical level of better understanding the safety of individual nuclear plants. Several studies followed on the heels of the Reactor Safety Study and the most comprehensive of these were the risk assessments performed on the Zion nuclear plant near Chicago and the Indian Point 2 and 3 plants near New York City. Under legal challenges at high-population-density sites, industry chose probabilistic risk assessment as a way to develop the necessary evidence of the safety of their plants. The Zion and Indian Point plants became, more or less, the test cases. The Zion and Indian Point assessments were full-scope studies, meaning that they analyzed the plant, its containment, and the off-site consequences. Challenged in the courts, the owners and operators of the plants defended the safety of their plants using the risk assessments as their primary evidence. They were successful. The conclusion was reached that the nuclear power plants at the high-population-density sites presented public health risk profiles similar to those at less populated sites. As a result, the nuclear power plants at the high-population-density sites were not shut down—a major achievement at the time.

The Zion and Indian Point studies contained many firsts, including the “triplet definition” of risk; they were the first comprehensive studies of core melt phenomena and containment response in a probabilistic format and were the first to employ a modularized event tree “pinch-point” format to represent beginning-to-end accident sequences, the first to perform uncertainty analysis at the component and basic event levels and to propagate the uncertainties through the scenarios, the first to explicitly include external events (such as earthquakes and fires) in the basic risk model, and the first to employ an atmospheric dispersion model for dose calculations that allowed for changes in plume direction. Other analytical concepts introduced by the Zion/Indian Point studies included the “probability-of-frequency” format for measuring risk and the “master logic diagram” method for determining initiating events. Many of these methods have become standards for contemporary risk assessments.

7. RISK ASSESSMENT AND REGULATORY PRACTICE

As a result of the Energy Reorganization Act of 1974, the U.S. Nuclear Regulatory Commission is responsible for licensing and regulating nuclear facilities, including nuclear power plants, and materials, and for conducting research in support of the licensing and regulatory process. The NRC’s primary regulatory responsibility is to provide reasonable assurance of adequate protection of public health and safety and protection of the environment from operations and accidents involving nuclear facilities and materials. The legacy of the NRC in the development and use of risk assessment is unique for regulatory bodies. The vision of the NRC of the need for probabilistic methods was reflected in their decision to sponsor the Reactor Safety Study when such an evaluation was not required by the regulations.

During the time when the Reactor Safety Study was being reviewed and the NRC had temporarily rejected it due to early criticisms, the nuclear power industry was taking the initiative to use the methodology for better assessing the risk of its plants. The impressive results coming out of the industry studies together with other events favorable toward the Reactor Safety Study caused the NRC to again embrace the technology and to seek ways of effectively applying it. Some of the actions taken were the publishing of frequency-based safety goals (1986), requiring limited-scope individual plant examinations based on probabilistic methods to determine if any nuclear power plant was an “outlier” with respect to public health risk (1988), and, in about this same time frame, issuing two new rules having to do with the treatment of loss of all electrical power and requirements to reduce the risk of transients. Perhaps the most significant action taken by the NRC toward embracing the concept of quantitative risk assessment was the 1995 publishing of a policy statement on the use of probabilistic risk assessment methods in nuclear regulatory activity. Quoting from the PRA policy statement, “The use of PRA technology should be increased in all regulatory matters to the extent supported by the state of the art in PRA methods and data, and in a manner that complements the NRC’s deterministic approach and supports the NRC’s traditional defense-in-depth philosophy.”

Even with what appeared to be an aggressive move on the part of the NRC toward encouraging the use of probabilistic risk assessment, there were only small changes in the regulations with respect to the licensing process. The NRC recognized this problem and beginning in 1997 sought ways to make changes to the regulations to begin a more formal transition into a “risk-informed” approach to regulation. Several initiatives were put in place to stimulate risk-informing the regulatory process. Two examples are new rules having to do with the treatment of loss of all electrical power and requirements to reduce the risk of transients. Meanwhile, it was important for the NRC to make it clear what they mean by “risk-informed” regulation. The best answer to that came from a white paper prepared by the Commission in 1998 on “Risk-Informed, Performance-Based Regulation.” Quoting from the white paper, “A risk-informed approach to regulatory decision-making represents a philosophy whereby risk insights are considered together with other factors to establish requirements that better focus licensee and regulatory attention on design and operational issues commensurate with their importance to health and safety.” The current position of the NRC is a “risk-informed” approach to regulation. It is made very clear in the white paper “that the Commission does not endorse an approach that is risk-based,” if what is meant by risk based is that safety decisions are solely based on the numerical results of a risk assessment.

What all this means is that the licensing process is in a transitional phase, from deterministic and prescriptive regulations, to regulations that are less prescriptive and increasingly risk oriented, but not risk based. In the meantime, license applications and amendments must be accompanied with analyses that provide risk insights, but are in compliance with the deterministic requirements still in place.

8. FUTURE DIRECTION OF RISK ASSESSMENT

The future direction of quantitative risk assessment in the risk management of nuclear power plants is dependent on several factors: advancements in understanding accident phenomena, upgrading of risk assessment methodologies, regulatory activities, and security requirements.

8.1 Advancements in Understanding Accident Phenomena

The current practice for nuclear power plant risk assessments is to make two basic calculations, core damage frequency and large-early-release frequency. In the future, calculations will need to include public health effects (immediate fatalities and latent cancer fatalities). These calculations of health effects will need to make use of the recent work with respect to realistic source terms for radiation releases. There is a lack of a dose–response model that reflects actual health effects for all levels and rates of radiation. Clearly, more accurate models of the real health effects are needed.

There is a need for realistic thermal hydraulic calculations that can form the basis of improved success criteria for the QRA models. In many cases, these success criteria are based on design basis accident calculations that do not effectively represent the performance capability of plant equipment. Design basis accident calculations also do not allow for the proper quantification of operator actions to activate equipment or to recover failed equipment. A realistic evaluation is needed of the thermal hydraulic interaction of the reactor coolant system and other fluid systems during accidents such as steam generator tube ruptures and intersystem loss of coolant accidents.

8.2 Upgrading of Risk Assessment Methodologies

QRA has greatly advanced since the breakthrough effort of the Reactor Safety Study. Improvements in the models include uncertainty analysis; the treatment of human reliability; consideration of external threats such as earthquakes, severe storms, and fires; importance ranking of contributors; and the fine-tuning of the models to better represent plant-specific details. There are still many areas for improvement. One very attractive direction would be for the risk assessments to be cast into different forms for use by different groups. The specialization could be not only for the risk assessment teams, but also for risk managers, those responsible for accident management and emergency response, and the public (risk communication). Each group has a different need for the information coming out of a risk assessment, and specializing the information by need could have a major impact on the acceptance and use of the results.

8.3 Regulatory Activities

The responsibility for the safety of the public in the United States with respect to radiation from nuclear reactors lies with the owners of the nuclear electric power plants. The owners of the nuclear units have used their existing quantitative risk assessments to institute effective and efficient risk management programs at each nuclear power plant in the United States. Each nuclear power plant has a risk assessment that is maintained to industry guidelines. Engineers, maintenance persons, and operators at each nuclear power unit are aware of the results of the risk assessment and use them to actively manage risk. The superior safety record of nuclear electric power in the United States coincides with this new approach to risk management.

The NRC has a legal responsibility to “provide reasonable assurance of adequate protection of public health and safety.” The QRAs have demonstrated that most of the deterministic-based existing regulations do not efficiently address the dominant contributors to public health risk. Some of them do not address the dominant contributors at all. The regulations must be changed such that the regulations aid both the regulator and the licensee to manage public health risk in an effective and efficient manner. The NRC is slowly moving toward regulations that address public health risk using the insights gained from the licensee QRAs. This is evidenced in the recent changes to the rules governing the monitoring of maintenance and the implementation of the Reactor Oversight Process. But the pace of change to “risk inform the regulations” has been slow. The best course is for industry to play an active role in the development of future regulations that are “risk informed” and for the NRC to allocate the necessary resources to quickly change the regulations to be effective and efficient.

8.4 Security Requirements

An important new area for receiving benefits from risk assessment has to do with combating terrorism. Nuclear plants are often mentioned as a possible target for a terrorist attack and it is important that such a threat is linked to the vulnerability of the plants. Of course, there has already been a lot of work done in this area for nuclear power plants and events such as aircraft impact have always been a consideration in the safety assessment of nuclear plants. It is just that the threat now seems more real than ever before, and the question is what risk assessment can do to help protect plants from such threats. Although a great deal is known about the vulnerability of nuclear plants, there has not yet been a systematic process of connecting such vulnerabilities to specific threats. This will require cooperation between the experts on the threat of terrorism, the intelligence community, and experts on risk assessment. Fortunately, some progress is being made, but it, too, is slower than it should be.

SEE ALSO THE FOLLOWING ARTICLES

Ecological Risk Assessment Applied to Energy Development
Nuclear Engineering
Nuclear Fuel: Design and Fabrication
Nuclear Fuel Reprocessing
Nuclear Fusion Reactors
Nuclear Power Economics
Nuclear Power Plants, Decommissioning of
Nuclear Proliferation and Diversion
Nuclear Waste
Occupational Health Risks in Nuclear Power
Public Reaction to Nuclear Power Siting and Disposal

Further Reading

Garrick, B. J. (1968). “Unified Systems Safety Analysis for Nuclear Power Plants.” Ph.D. Thesis, University of California, Los Angeles.

Kaplan, S., and Garrick, B. J. (1981). On the quantitative definition of risk. Risk Anal. 1(1), 11–27.

Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske and Associates, Inc. (1981). “Zion Probabilistic Safety Study.” Prepared for Commonwealth Edison Company, Chicago, Illinois.

Pickard, Lowe and Garrick, Inc., Westinghouse Electric Corporation, and Fauske and Associates, Inc. (1982). “Indian Point Probabilistic Safety Study.” Prepared for Consolidated Edison Company of New York, Inc., and the New York Power Authority, New York.

U.S. Atomic Energy Commission (AEC). (1957). “Theoretical Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants.” Report WASH-740 (March, 1957). AEC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1975). “Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants.” Report WASH-1400 (NUREG-75/014). NRC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1978). “Risk Assessment Review Group Report to the U.S. Nuclear Regulatory Commission” (H. W. Lewis, chairman). Report NUREG/CR-0400 (September, 1975). NRC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1983). “PRA Procedures Guide—A Guide to the Performance of PRAs for Nuclear Power Plants.” Report NUREG/CR-2300 (January 1983). NRC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1990). “Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants.” Report NUREG-1150. NRC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1995). “The Probabilistic Risk Assessment (PRA) Policy Statement. 60 FR 42622 (August 16, 1995).” NRC, Washington, D.C.

U.S. Nuclear Regulatory Commission (NRC). (1999). “White Paper on Risk-Informed and Performance-Based Regulation. SECY-98–144 (February 24, 1999).” NRC, Washington, D.C.
