Reactor Safety: The Emergence of Probabilistic Risk Assessment
22.39 Elements of Reactor Design, Operations, and Safety
Lecture 7
Fall 2006
George E. Apostolakis, Massachusetts Institute of Technology
The Pre-PRA Era (prior to 1975)
• Management of (unquantified at the time) uncertainty was always a concern.
• Defense-in-depth and safety margins became embedded in the regulations.
• “Defense-in-Depth is an element of the NRC’s safety philosophy that employs successive compensatory measures to prevent accidents or mitigate damage if a malfunction, accident, or naturally caused event occurs at a nuclear facility.” [Commission’s White Paper, February, 1999]
• Design Basis Accidents are postulated accidents that a nuclear facility must be designed and built to withstand without loss to the systems, structures, and components necessary to assure public health and safety.
Farmer’s Paper (1967)
Iodine-131 is a major threat to health in a nuclear plant accident.
Attempting to differentiate between credible (DBAs) and incredible accidents (Class 9; multiple protective system failures) is not logical.
If one considers a fault, such as a loss-of-coolant accident (LOCA), one can determine various outcomes, from safe shutdown and cooldown, to consideration of delays and partial failures of shutdown or shutdown cooling with potential consequences of radioactivity release.
Loss-of-offsite-power event tree (figure)
Top events, left to right: LOOP (initiator), Secondary Heat Removal, Bleed & Feed, Recirculation, Core
End states: OK, OK, PDSi, PDSj (plant damage states)
Source: Oak Ridge National Laboratory
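The event tree above is quantified by multiplying the initiating-event frequency along each branch by the conditional probability of success or failure of each top event, and collecting the frequencies that land in each end state. The following is an added example, not code from the lecture or from Oak Ridge National Laboratory: it reconstructs the LOOP tree from the slide's headings (Secondary Heat Removal, Bleed & Feed, Recirculation) and end states (OK, OK, PDSi, PDSj). The branching order and all probabilities are constructed assumptions for illustration.

```python
"""Event-tree quantification: an added example, not code from the lecture.

The tree reconstructs the slide's loss-of-offsite-power (LOOP) event tree
from its headings and end states. The branching order and every number
below are constructed assumptions, not values from the slide.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Node:
    """A top event (a function questioned by the tree) or a leaf (end state)."""
    name: str
    fail_prob: float = 0.0        # conditional probability of failure, given the path
    success: Node | None = None   # next node if the function succeeds
    failure: Node | None = None   # next node if the function fails
    end_state: str | None = None  # set only on leaves: OK or a plant damage state


def quantify(root: Node, init_freq: float) -> dict[tuple[str, ...], tuple[str, float]]:
    """Walk every path from the initiator to a leaf.

    Returns {path: (end_state, frequency per year)}; a path lists each top
    event followed by S (success) or F (failure).
    """
    results: dict[tuple[str, ...], tuple[str, float]] = {}

    def walk(node: Node, path: tuple[str, ...], freq: float) -> None:
        if node.end_state is not None:
            results[path] = (node.end_state, freq)
            return
        walk(node.success, path + (node.name + ":S",), freq * (1.0 - node.fail_prob))
        walk(node.failure, path + (node.name + ":F",), freq * node.fail_prob)

    walk(root, (), init_freq)
    return results


def frequency_by_end_state(results) -> dict[str, float]:
    """Sum the sequence frequencies into end states (OK, PDSi, PDSj, ...)."""
    totals: dict[str, float] = {}
    for end_state, freq in results.values():
        totals[end_state] = totals.get(end_state, 0.0) + freq
    return totals


# Leaves: success (OK) and the two plant damage states named on the slide.
OK = Node("OK", end_state="OK")
PDS_I = Node("PDSi", end_state="PDSi")
PDS_J = Node("PDSj", end_state="PDSj")

# Constructed tree: secondary heat removal is questioned first; if it fails,
# bleed & feed is needed, which in turn needs recirculation once the initial
# water supply is exhausted. Failure probabilities are constructed.
RECIRC = Node("Recirculation", fail_prob=1e-2, success=OK, failure=PDS_J)
BLEED_FEED = Node("Bleed & Feed", fail_prob=5e-2, success=RECIRC, failure=PDS_I)
LOOP_TREE = Node("Secondary Heat Removal", fail_prob=1e-2, success=OK, failure=BLEED_FEED)

LOOP_FREQ = 5e-2  # constructed LOOP initiating-event frequency, per reactor-year


def loop_core_damage_frequency() -> float:
    """Core-damage contribution of this tree: every end state other than OK."""
    totals = frequency_by_end_state(quantify(LOOP_TREE, LOOP_FREQ))
    return sum(f for state, f in totals.items() if state != "OK")


if __name__ == "__main__":
    for path, (state, freq) in quantify(LOOP_TREE, LOOP_FREQ).items():
        print(f"{' -> '.join(path) or 'LOOP':60s} {state:5s} {freq:.3e} /yr")
    print(f"LOOP contribution to CDF: {loop_core_damage_frequency():.3e} /yr")
```

The frequencies of all sequences sum to the initiating-event frequency, which is a useful consistency check on any hand-built tree; the core-damage contribution is whatever does not end in OK.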
Technological Risk Assessment
• Study the system as an integrated socio-technical system.
Probabilistic Risk Assessment (PRA) supports Risk Management by answering the questions:
• What can go wrong? (accident sequences or scenarios)
• How likely are these scenarios?
• What are their consequences?
The Kaplan & Garrick Definition of Risk
(Risk Analysis, 1 (1981) 11-28)
R = { ⟨ s_i, pdf of the frequency of s_i, c_i ⟩ }
s_i: scenario i, i = 1, …, N
frequency of s_i (aleatory uncertainty)
pdf of that frequency (epistemic uncertainty)
c_i: consequence i
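The triplet definition separates the two kinds of uncertainty: the frequency of a scenario is an aleatory quantity, and our state of knowledge about that frequency is an epistemic pdf. The following is an added example, not code from the lecture or from Kaplan & Garrick: each scenario carries a small discrete epistemic distribution over its frequency and a fatality consequence, and the code builds the mean risk curve (frequency of exceeding a given consequence, the form plotted in the Reactor Safety Study) together with 5th/95th percentile epistemic bands. The three scenarios and every number are constructed.

```python
"""Kaplan & Garrick risk triplets with epistemic uncertainty: an added
example, not code from the lecture. Each scenario s_i carries a frequency
whose own value is uncertain; that epistemic pdf is represented by a small
discrete distribution of (value, weight) pairs. The consequence c_i is a
fatality count. All three scenarios and their numbers are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
import random


@dataclass
class Scenario:
    name: str
    freq_pdf: list[tuple[float, float]]  # (frequency per year, epistemic weight)
    consequence: float                   # consequence c_i, here fatalities

    def mean_frequency(self) -> float:
        """Epistemic mean of the (aleatory) frequency."""
        total = sum(w for _, w in self.freq_pdf)
        return sum(f * w for f, w in self.freq_pdf) / total

    def sample_frequency(self, rng: random.Random) -> float:
        """Draw one value of the frequency from its epistemic pdf."""
        values, weights = zip(*self.freq_pdf)
        return rng.choices(values, weights=weights)[0]


def mean_risk_curve(scenarios, thresholds):
    """Mean exceedance frequency F(c): frequency of a consequence >= c."""
    return {c: sum(s.mean_frequency() for s in scenarios if s.consequence >= c)
            for c in thresholds}


def risk_curve_family(scenarios, thresholds, n_samples=2000, seed=7):
    """5th/95th epistemic percentile bands on F(c), by sampling each scenario's pdf."""
    rng = random.Random(seed)
    samples = {c: [] for c in thresholds}
    for _ in range(n_samples):
        draw = {s.name: s.sample_frequency(rng) for s in scenarios}
        for c in thresholds:
            samples[c].append(sum(draw[s.name] for s in scenarios if s.consequence >= c))
    bands = {}
    for c, vals in samples.items():
        vals.sort()
        bands[c] = (vals[int(0.05 * n_samples)], vals[int(0.95 * n_samples) - 1])
    return bands


def expected_loss(scenarios):
    """Single-number summary sum(frequency * consequence); it hides the curve."""
    return sum(s.mean_frequency() * s.consequence for s in scenarios)


# Constructed scenarios: (frequency value, epistemic weight) pairs and fatalities.
SCENARIOS = [
    Scenario("small release, no fatalities", [(1e-4, 0.25), (3e-4, 0.5), (1e-3, 0.25)], 0),
    Scenario("large late release", [(1e-6, 0.5), (3e-6, 0.5)], 10),
    Scenario("large early release", [(1e-8, 0.5), (1e-7, 0.5)], 1000),
]
THRESHOLDS = (0, 1, 10, 100, 1000)

if __name__ == "__main__":
    mean = mean_risk_curve(SCENARIOS, THRESHOLDS)
    bands = risk_curve_family(SCENARIOS, THRESHOLDS)
    for c in THRESHOLDS:
        lo, hi = bands[c]
        print(f"F(>= {c:5d} fatalities): mean {mean[c]:.2e}  5th {lo:.2e}  95th {hi:.2e} /yr")
    print(f"expected loss: {expected_loss(SCENARIOS):.2e} fatalities/yr")
```

The exceedance curve is non-increasing in the consequence, and the expected-loss number collapses the whole set of triplets into one figure: two risk sets with the same expected loss can have very different curves, which is why the definition keeps the scenarios, frequencies and consequences separate.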
PRA Model Overview (figure)
Level I: PLANT MODEL. Results: accident sequences leading to plant damage states
Level II: CONTAINMENT MODEL. Results: containment failure/release sequences
Level III: SITE/CONSEQUENCE MODEL. Results: public health effects
Plant mode: At-power operation; Shutdown / transition evolutions
Scope: Internal events; External events
Uncertainties
At Power L evel I Results
CDF = 4.5x10^-5 / yr (Modes 1, 2, 3)
Initiator Contribution to CDF Total:
• Internal Events 56%
• External Events 44%
– Seismic Events 24%
– Fires 18%
– Other 2%
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
Level I Results
• Functional Sequences: Contribution to CDF
– Transients - Station Blackout/Seal LOCA 45%
– Transients - Loss of Support Systems/Seal LOCA 29%
– Transients - Loss of Feedwater/Feed & Bleed 12%
– LOCA - Injection/Recirculation Failure 7%
– ATWS - No Long Term Reactivity Control 6%
– ATWS - Reactor Vessel Overpressurization 2%
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
At Power Level II Results
Release Categories: Conditional Probability
– Large-Early 0.002
– Small-Early 0.090
– Large-Late 0.249
– Intact 0.659
Large-Early Release Freq (LERF) = 7x10^-8 / yr
Large-Early Failure Mode: Percent Contribution
– Containment Bypass 82%
– Containment Isolation Failure 18%
– Gross Containment Failure 0.1%
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
SHUTDOWN
Shutdown, Full Scope, Level 3 PSA (1988) Results: Mean CDF (shutdown) ~ Mean CDF (power)
• Dominant CD sequence: Loss of RHR at reduced inventory.
• Risk dominated by operator actions - causing and mitigating events.
• Significant risk reductions with low-cost modifications and controls.
– Midloop level monitor, alarm
– Procedures, training
– Administrative controls on outage planning
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
Shutdown PRA Issues
• Risk is dominated by operator actions - importance of HRA.
• Generic studies give useful insights, but risk-controlling factors are plant-specific.
• Shutdown risk is dynamic - average risk is generally low (relative to full power risk), but is subject to risk “spikes.”
• Shutdown risk is more amenable to “management.” At-power risk is designed in.
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
Integrated Risk (All Modes) – 2002 Update
Mode | Description | CDF | Percent of Total
Mode 1 | Full-power (>70% pwr) | 4.28E-5 | 63%
Mode 2 | Low-power (<70% pwr) | 0.15E-5 | 2%
Mode 3 | Hot Standby | 0.08E-5 | 1%
Mode 4 | Hot Shutdown | 0.05E-5 | 1%
Mode 5 | Cold Shutdown | 0.91E-5 | 13%
Mode 6 | Refueling | 1.38E-5 | 20%
 | Total Core Damage Frequency | 6.86E-5 | 100%
From: K. Kiper, MIT Lecture, 2006. Courtesy of K. Kiper. Used with permission.
Reactor Safety Study (WASH-1400; 1975)
Prior Beliefs:
1. Protect against large LOCA.
2. CDF is low (about once every 100 million years, 10^-8 per reactor year).
3. Consequences of accidents would be disastrous.
Major Findings
1. Dominant contributors: Small LOCAs and Transients.
2. CDF higher than earlier believed (best estimate: 5x10^-5, once every 20,000 years; upper bound: 3x10^-4 per reactor year, once every 3,333 years).
3. Consequences significantly smaller.
4. Support systems and operator actions very important.
Risk Curves (figure): Frequency of Fatalities Due to Man-Caused Events (RSS)
Source: WASH-1400, U.S. AEC.
Risk Assessment Review Group
“We are unable to define whether the overall probability of a core melt given in WASH-1400 is high or low, but we are certain that the error bands are understated.”
WASH-1400 is "inscrutable."
"…the fault-tree/event-tree methodology is sound, and both can and should be more widely used by NRC."
"PSA methods should be used to deal with generic safety issues, to formulate new regulatory requirements, to assess and revalidate existing regulatory requirements, and to evaluate new designs."
Commission Actions (Jan. 18, 1979)
• “…the Commission has reexamined its views regarding the Study in light of the Review Group’s critique.”
• “The Commission withdraws any explicit or implicit past endorsement of the Executive Summary.”
• “…the Commission does not regard as reliable the Reactor Safety Study’s numerical estimate of the overall risk of reactor accidents.”
Zion and Indian Point PRAs (1981)
• First PRAs sponsored by the industry.
• Comprehensive analysis of uncertainties (Bayesian methods).
• Detailed containment analysis (not all accidents lead to containment failure).
• “External” events (earthquakes, fires) may be significant contributors to risk.
Example PRA Results (figure)
Courtesy of K. Kiper. Used with permission.
Summary of Dominant Sequences (figure)
Courtesy of K. Kiper. Used with permission.
NUREG-1150 and RSS CDF for Peach Bottom
Comparison of Iodine Releases (Peach Bottom)
Quantitative Safety Goals of the US Nuclear Regulatory Commission
(August, 1986)
Early and latent cancer mortality risks to an individual living near the plant should not exceed 0.1 percent of the background accident or cancer mortality risk, approximately 5 x 10^-7/year for early death and 2 x 10^-6/year for death from cancer.
• The prompt fatality goal applies to an average individual living in the region between the site boundary and 1 mile beyond this boundary.
• The latent cancer fatality goal applies to an average individual living in the region between the site boundary and 10 miles beyond this boundary.
Societal Risks
• Annual Individual Occupational Risks
– All industries: 7x10^-5
– Coal Mining: 24x10^-5
– Fire Fighting: 40x10^-5
– Police: 32x10^-5
– US President: 1,900x10^-5 (!)
• Annual Public Risks
– Total: 870x10^-5
– Heart Disease: 271x10^-5
– All cancers: 200x10^-5
– Motor vehicles: 15x10^-5
From: Wilson & Crouch, Risk/Benefit Analysis, Harvard University Press, 2001.
Subsidiary Goals
• The average core damage frequency (CDF) should be less than 10^-4/ry (once every 10,000 reactor years)
• The large early release frequency (LERF) should be less than 10^-5/ry (once every 100,000 reactor years)
Large Early Release Frequency
LERF is being used as a surrogate for the early fatality QHO.
It is defined as the frequency of those accidents leading to significant, unmitigated releases from containment in a time frame prior to effective evacuation of the close-in population such that there is a potential for early health effects.
Such accidents generally include unscrubbed releases associated with early containment failure at or shortly after vessel breach, containment bypass events, and loss of containment isolation.
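LERF is obtained by carrying the Level I plant damage state frequencies through the Level II containment analysis: each plant damage state has a conditional probability of ending in each release category, and LERF is the frequency of the Large-Early category summed over all damage states. The following is an added example, not code from the lecture or from the Kiper results quoted above: the plant damage states, their frequencies, the conditional probabilities and the bypass/isolation labels are constructed for illustration; only the release category names and the subsidiary objectives (CDF below 10^-4/ry, LERF below 10^-5/ry) come from the lecture.

```python
"""Level I to Level II propagation and a check against the subsidiary
objectives: an added example, not from the lecture. Plant damage state (PDS)
frequencies and the containment conditional probabilities are constructed;
the release categories and the two goals are those stated in the lecture.
"""
RELEASE_CATEGORIES = ("Large-Early", "Small-Early", "Large-Late", "Intact")
CDF_GOAL = 1e-4    # per reactor-year, subsidiary objective
LERF_GOAL = 1e-5   # per reactor-year, subsidiary objective

# Level I output (constructed): PDS -> core damage frequency per reactor-year.
PDS_FREQ = {
    "SBO/seal LOCA": 2.0e-5,
    "Loss of support systems": 1.3e-5,
    "Loss of feedwater": 0.5e-5,
    "Interfacing-systems LOCA (bypass)": 0.02e-5,
}

# Level II output (constructed): for each PDS, P(release category | PDS).
# A containment-bypass sequence releases directly, so it is Large-Early
# with probability 1; every row must sum to 1.
CONTAINMENT_MATRIX = {
    "SBO/seal LOCA": {"Large-Early": 0.001, "Small-Early": 0.05, "Large-Late": 0.30, "Intact": 0.649},
    "Loss of support systems": {"Large-Early": 0.001, "Small-Early": 0.10, "Large-Late": 0.25, "Intact": 0.649},
    "Loss of feedwater": {"Large-Early": 0.0005, "Small-Early": 0.15, "Large-Late": 0.20, "Intact": 0.6495},
    "Interfacing-systems LOCA (bypass)": {"Large-Early": 1.0, "Small-Early": 0.0, "Large-Late": 0.0, "Intact": 0.0},
}


def validate_matrix(matrix):
    """Every PDS row must be a proper conditional distribution over the categories."""
    for pds, row in matrix.items():
        if set(row) != set(RELEASE_CATEGORIES):
            raise ValueError(f"{pds}: categories {sorted(row)} do not match {RELEASE_CATEGORIES}")
        if abs(sum(row.values()) - 1.0) > 1e-9:
            raise ValueError(f"{pds}: conditional probabilities sum to {sum(row.values())}")


def release_frequencies(pds_freq, matrix):
    """Frequency of each release category: sum over PDS of f(PDS) * P(category | PDS)."""
    validate_matrix(matrix)
    out = {cat: 0.0 for cat in RELEASE_CATEGORIES}
    for pds, f in pds_freq.items():
        for cat, p in matrix[pds].items():
            out[cat] += f * p
    return out


def conditional_release_probabilities(pds_freq, matrix):
    """Release frequencies divided by CDF: the form shown on the Level II results slide."""
    cdf = sum(pds_freq.values())
    return {cat: f / cdf for cat, f in release_frequencies(pds_freq, matrix).items()}


def lerf_contributions(pds_freq, matrix):
    """Percent of LERF contributed by each PDS; shows what drives the early releases."""
    large_early = {pds: f * matrix[pds]["Large-Early"] for pds, f in pds_freq.items()}
    lerf = sum(large_early.values())
    return {pds: 100.0 * v / lerf for pds, v in large_early.items()}


def check_subsidiary_objectives(pds_freq, matrix):
    """Compare CDF and LERF with the subsidiary objectives from the lecture."""
    cdf = sum(pds_freq.values())
    lerf = release_frequencies(pds_freq, matrix)["Large-Early"]
    return {"CDF": cdf, "CDF_meets_goal": cdf < CDF_GOAL,
            "LERF": lerf, "LERF_meets_goal": lerf < LERF_GOAL}


if __name__ == "__main__":
    for cat, p in conditional_release_probabilities(PDS_FREQ, CONTAINMENT_MATRIX).items():
        print(f"{cat:12s} conditional probability {p:.3f}")
    for pds, pct in lerf_contributions(PDS_FREQ, CONTAINMENT_MATRIX).items():
        print(f"{pds:35s} {pct:5.1f}% of LERF")
    print(check_subsidiary_objectives(PDS_FREQ, CONTAINMENT_MATRIX))
```

Even with a tiny core damage frequency, the bypass sequence dominates LERF in this constructed case because its conditional probability of a large early release is one; that is the same pattern the Level II slide reports, where containment bypass carries most of the large-early contribution.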
PRA Model Overview and Subsidiary Objectives (figure)
Level I: PLANT MODEL. Results: accident sequences leading to plant damage states. Subsidiary objective: CDF less than 10^-4/ry
Level II: CONTAINMENT MODEL. Results: containment failure/release sequences. Subsidiary objective: LERF less than 10^-5/ry
Level III: SITE/CONSEQUENCE MODEL. Results: public health effects, compared with the QHOs
Plant mode: At-power operation; Shutdown / transition evolutions
Scope: Internal events; External events
Uncertainties
“Acceptable” vs. “Tolerable” Risks (UKHSE)
(figure: three regions ordered by increasing individual risks and societal concerns)
UNACCEPTABLE REGION: Risk cannot be justified save in extraordinary circumstances
TOLERABLE REGION: Control measures must be introduced for risk in this region to drive residual risk towards the broadly acceptable region
BROADLY ACCEPTABLE REGION: Level of residual risk regarded as insignificant; further effort to reduce risk not likely to be required
PRA Policy Statement (1995)
• The use of PRA should be increased to the extent supported by the state of the art and data and in a manner that complements the defense-in-depth philosophy.
• PRA should be used to reduce unnecessary conservatisms associated with current regulatory requirements.
Risk-Informed Decision Making for Licensing Basis Changes (RG 1.174, 1998)
Integrated decision making (figure) draws on five principles:
• Comply with Regulations
• Maintain Defense-in-Depth Philosophy
• Maintain Safety Margins
• Risk Decrease, Neutral, or Small Increase
• Monitor Performance
Acceptance Guidelines for Core Damage Frequency (figure: change in CDF, with guideline values 10^-6 and 10^-5/ry, plotted against baseline CDF, with guideline values 10^-5 and 10^-4/ry)
Region I - No changes
Region II - Small changes; track cumulative impacts
Region III - Very small changes; more flexibility with respect to baseline; track cumulative impacts
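The acceptance guidelines classify a proposed change by its increase in CDF against the plant's baseline CDF. The following is an added example, not code from the lecture or from the NRC: it uses the guideline values on the figure (changes of 10^-6 and 10^-5 per reactor-year, baseline CDF of 10^-4 per reactor-year) and reads the figure's step-shaped boundary as meaning that a 10^-6 to 10^-5 increase is Region II only while the baseline CDF stays below 10^-4; that reading, and the proposed changes used below, are this example's assumptions. It also shows why the figure says to track cumulative impacts.

```python
"""RG 1.174 acceptance guidelines for CDF: an added example, not from the
lecture or from the NRC. Guideline values are those on the figure; the
treatment of the baseline-CDF step and all proposed changes are assumptions.
"""
DELTA_CDF_SMALL = 1e-6      # Region III / Region II boundary, per reactor-year
DELTA_CDF_LIMIT = 1e-5      # Region II / Region I boundary, per reactor-year
BASELINE_CDF_LIMIT = 1e-4   # above this baseline, 1e-6..1e-5 increases are read as Region I

GUIDANCE = {
    "I": "No changes",
    "II": "Small changes; track cumulative impacts",
    "III": "Very small changes; more flexibility with respect to baseline; track cumulative impacts",
}


def region(baseline_cdf: float, delta_cdf: float) -> str:
    """Classify a change by its CDF increase; decreases are Region III."""
    if delta_cdf < DELTA_CDF_SMALL:
        return "III"
    if delta_cdf < DELTA_CDF_LIMIT and baseline_cdf < BASELINE_CDF_LIMIT:
        return "II"
    return "I"


def assess_change(name: str, baseline_cdf: float, delta_cdf: float) -> dict:
    """Region, guidance text and resulting CDF for one proposed change."""
    r = region(baseline_cdf, delta_cdf)
    return {"change": name, "region": r, "guidance": GUIDANCE[r],
            "new_cdf": baseline_cdf + delta_cdf}


def cumulative_impact(baseline_cdf: float, deltas: list[float]) -> dict:
    """Each change judged alone against the original baseline, then all of them
    together: several Region II changes can add up to a Region I increase."""
    return {"individual": [region(baseline_cdf, d) for d in deltas],
            "cumulative": region(baseline_cdf, sum(deltas)),
            "total_delta": sum(deltas)}


# Constructed proposals: (name, change in CDF per reactor-year).
PROPOSALS = [
    ("extend diesel surveillance interval", 3e-6),
    ("relax a containment isolation valve test", 4e-6),
    ("revise an emergency procedure", -2e-6),
    ("remove a redundant pump from tech specs", 2e-5),
]

if __name__ == "__main__":
    baseline = 3e-5  # constructed baseline CDF, per reactor-year
    for name, delta in PROPOSALS:
        a = assess_change(name, baseline, delta)
        print(f"{a['change']:45s} Region {a['region']:3s} {a['guidance']}")
    print(cumulative_impact(baseline, [d for _, d in PROPOSALS[:2]] + [4e-6]))
```

A plant whose baseline CDF already sits above 10^-4/ry gets no room for Region II changes at all in this reading, which is the point of putting baseline CDF on the horizontal axis rather than judging the increase on its own.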
Risk-Informed Framework
Traditional “Deterministic” Approaches
• Unquantified Probabilities
• Design-Basis Accidents
• Structuralist Defense in Depth
• Can impose heavy regulatory burden
• Incomplete
Risk-Informed Approach
• Combination of traditional and risk-based approaches
Risk-Based Approach
• Quantified Probabilities
• Scenario Based
• Realistic
• Rationalist Defense in Depth
• Incomplete
• Quality is an issue