Appendix I
Probabilistic Risk Assessment
This appendix describes probabilistic risk assessment (PRA) and its current uses at Japanese and U.S. nuclear plants.
Numerous definitions of risk and risk assessment exist. A working definition of risk is the “set of triplets” definition (Kaplan and Garrick, 1981). It has been used in many applications, but particularly by the nuclear power industry and the U.S. Nuclear Regulatory Commission. According to this definition, the question “What is the risk?” is really three separate questions:
1. What can go wrong?
2. How likely is that to happen?
3. What are the consequences if it does happen?
Risk can be defined mathematically using the following expression:
$R = \{(S_i, L_i, X_i)\}_c$
where
$R$ denotes the risk attendant to the system or activity of interest;
$S_i$ denotes the $i$th risk scenario (a description of the $i$th “what can go wrong” scenario);
$L_i$ denotes the likelihood that the $i$th scenario will happen, with uncertainty; and
$X_i$ denotes the consequences if the $i$th scenario does happen.
The outer brackets in $\{(S_i, L_i, X_i)\}$ imply “the set of” triplets and the subscript $c$ indicates that the set of triplets is “complete” (i.e., all, or all of the important, triplets are included in the set). In other words, “risk” is a set of scenarios, likelihoods, and consequences. In practice, these can be assembled into a variety of forms to represent the risk of the system being evaluated.
I.2 PROBABILISTIC RISK ASSESSMENT
PRA is a process of probabilistic evidential and inferential analysis of the response of events, systems, or activities to different challenges based on the fundamental rules of logic and plausible reasoning. The risk measure is most often a frequency whose uncertainty is represented by a probability distribution. This is often referred to as the “probability of frequency” format. Frequency is based on observations, which could include something as abstract as a thought experiment, whereas probability calibrates the credibility of the frequency based on the supporting evidence. PRA is a thought process for answering the three basic risk questions stated previously.
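An added illustration, not part of the original appendix, of the set-of-triplets definition and the “probability of frequency” format: each scenario frequency carries a probability distribution, and the triplets are assembled into a risk curve (frequency of exceeding a consequence level) reported as 5th, 50th, and 95th percentiles. The scenarios, numbers, consequence units, and the lognormal uncertainty model are assumptions constructed for the example.

```python
import math
import random
from dataclasses import dataclass

Z95 = 1.645  # 95th percentile of the standard normal distribution


@dataclass(frozen=True)
class Triplet:
    scenario: str        # S_i: what can go wrong
    median_freq: float   # L_i: median frequency, per year
    error_factor: float  # L_i uncertainty: 95th percentile / median (lognormal assumed)
    consequence: float   # X_i: consequence, arbitrary units


# Constructed sample set; not taken from any plant PRA.
RISK = [
    Triplet("S1 minor, relatively frequent", 1e-3, 3.0, 1.0),
    Triplet("S2 moderate", 1e-5, 5.0, 100.0),
    Triplet("S3 severe, rare", 1e-7, 10.0, 10000.0),
]


def sample_freq(t, rng):
    """Draw one frequency for a scenario from its lognormal uncertainty."""
    sigma = math.log(t.error_factor) / Z95
    return rng.lognormvariate(math.log(t.median_freq), sigma)


def exceedance_percentiles(risk, x, n=20000, seed=1):
    """5th/50th/95th percentiles of the frequency of consequence >= x."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    hits = [t for t in risk if t.consequence >= x]
    totals = sorted(sum(sample_freq(t, rng) for t in hits) for _ in range(n))
    return tuple(totals[int(q * (n - 1))] for q in (0.05, 0.50, 0.95))


def risk_curve(risk, **kw):
    """Risk curve: one percentile triple per distinct consequence level."""
    levels = sorted({t.consequence for t in risk})
    return [(x, exceedance_percentiles(risk, x, **kw)) for x in levels]


if __name__ == "__main__":
    for x, (p05, p50, p95) in risk_curve(RISK):
        print(f"X >= {x:>8g}: 5%={p05:.2e}  50%={p50:.2e}  95%={p95:.2e} per year")
```

The spread between the 5th and 95th percentile curves is the uncertainty about the frequency; the curve itself answers all three risk questions at once.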
PRAs for light-water reactors are classified according to their completeness, or scope:
• Level 1 assesses the risk of core damage generally in the form of core-damage frequency. Level 1 is sometimes referred to as the plant model.
• Level 2 assesses the magnitude and timing of releases of radioactive material from reactor containment and is sometimes referred to as the containment model or the plant plus containment model.
• Level 3 assesses the consequences of containment releases, for example, injuries, fatalities, and economic losses, and is sometimes referred to as the site model or the combination of the plant, containment, and site model.
Level 3 PRAs are frequently referred to as “full-scope PRAs,” but there is confusion at times as to whether that term includes the full treatment of external events, uncertainty analysis, and low-power and shutdown risk. In this report the terms “full scope” and “Level 3” are used interchangeably to mean the full range of internal and external events, low-power and shutdown risk, as well as a comprehensive treatment of the uncertainties involved taken to the endpoint of injuries, fatalities, and economic damage. If multiple reactor units are present at a site, then full-scope and Level 3 PRAs would include multiunit risks, not just the risks from individual units.
I.3 USE OF PRA IN JAPANESE NUCLEAR PLANTS
The information in this section is distilled from discussions with representatives from the Japanese government, industry, and academia at the committee’s November 2012 meeting in Tokyo.
PRAs for Japanese nuclear plants were not required to be performed by rule prior to the March 2011 earthquake and tsunami; however, the Japanese regulatory agency (Nuclear and Industrial Safety Agency [NISA]¹) did require plant owners to perform PRAs to support license issuance and renewal. Moreover, in 1992 the Nuclear Safety Commission strongly recommended that nuclear plant operators identify effective measures for risk reduction based on PRAs of representative boiling water reactors and pressurized water reactors in Japan.
Also in 1992, the Ministry of Economy, Trade and Industry (METI) requested that nuclear plant operators perform periodic safety reviews (PSRs), in which the operators were to perform Level 1.5 probabilistic safety analyses (PRAs) and introduce additional measures to ensure safety if the result of the PRA suggested that it was appropriate to do so. The Nuclear Power Engineering Corporation and the Japanese Nuclear Energy Safety Organization (JNES) had established, in addition to methodologies for Level 1 and 2 probabilistic safety analyses (PSAs), procedures to perform seismic PRAs before 2002, when the second round of PSRs was to be performed. But NISA decided in 2003 to leave the execution of PRAs to the plant operators’ discretion, asserting that the execution of PRAs was outside the legal framework for licensing nuclear plants.
The Nuclear Safety Commission established a working group in July 2001 for reviewing seismic design guidelines. After deliberations lasting almost 5 years, a revised Seismic Design Examination Guideline was published (in 2006). The new guideline specified a design-basis seismic motion having a return period of about 10,000 years based on the probabilistic seismic hazard evaluation. Plant operators were requested to make efforts to reduce the risks from such hazards to as low as practically achievable, consistent with guidance given in the Report on Safety Goals published in December 2003.
Based on a proposal by JNES, the Standards Committee of the Atomic Energy Society of Japan (AESJ) compiled the requirements for seismic PSA and the specific methods to satisfy the requirements of “AESJ seismic PSA guidelines” before 2006. After publication of the NSC’s new guidelines, all nuclear plant operators in Japan were requested by NISA to review the validity of the design-basis earthquake for their plants based on the new guideline and a seismic PRA. The process had not been completed before 2011.
_________________
1 This agency was abolished and a new organization, the Nuclear Regulation Authority, took over its regulatory responsibilities in September 2012. See Chapter 2.
With respect to tsunamis, in 1999 the Federation of Electric Power Companies asked the Japan Society of Civil Engineers (JSCE) to study a method to assess the characteristics of tsunamis for nuclear plant design in Japan. In response, the JSCE published “Tsunami Assessment Method for Nuclear Power Plants in Japan” in 2002.² The paper proposed a deterministic method for evaluating tsunami hazards. The JSCE subsequently began an effort to develop a probabilistic method for evaluating tsunami hazards. It published a draft report in 2009 and a final report in 2011. Both reports are in Japanese and could not be reviewed by the committee. The AESJ initiated a PRA for tsunami hazards at nuclear power plants in May 2011 and published a final report in December 2011. This report also is in Japanese.
The PRAs performed in support of license issuance were generally Level 1 with some consideration of Level 2 parameters (referred to as a Level 1.5 PRA). PRAs performed to support license renewals were Level 1 and were updated every 5 years. All were single-unit PRAs except for shared systems. According to Japanese nuclear industry representatives, sharing of systems is atypical at Japanese plants.
PRAs included internal events only, but they covered both full-power and shutdown operations. Unlike in the United States, online maintenance of safety systems is not performed in Japan; maintenance is only performed when a reactor is shut down. Consequently, PRAs were not performed to assess risk during online maintenance.
The PRAs performed by TEPCO at the Fukushima Daiichi and Fukushima Daini plants predicted a core-damage frequency of about $1 \times 10^{-6}$ per reactor-year during full-power operations and generally less than that (approximately $1 \times 10^{-7}$ per reactor-year) during most phases of shutdown. The scenarios considered include station blackouts; however, because the PRAs were performed on a unit-by-unit basis, the scenarios assumed that power would be available from a neighboring unit. As noted in Chapter 4, this was not the case for Units 1, 2, and 3 at the Fukushima Daiichi plant in the aftermath of the March 2011 earthquake and tsunami.³
Although PRAs performed by the Japanese nuclear industry did not include external events, AESJ had developed PRA guidelines for earthquakes in 2006. There were no PRA guidelines for tsunamis at the time of the March 2011 earthquake and tsunami. However, at the time of the committee’s November 2012 meeting in Tokyo, PRA guidelines for tsunamis were in development, PRA guidelines for earthquakes had been updated, and PRA guidelines for fire events were under consideration.
_________________
2 A 2006 English translation (JSCE, 2006) of this document is available.
3 However, as discussed in Chapter 4, Unit 5 was cross-tied to an operating emergency diesel generator in Unit 6.
The JNES, an independent administrative agency of the Japanese government, leads the work on PRA methods and practices. The nuclear industry’s regulator does not maintain staff specializing in PRA. The private sector and academia perform research relating to the science of PRA, with the private sector’s contributions pertaining mainly to reactor design.
TEPCO’s PRA expertise resides in the technical specification groups at its plants, which are responsible for onsite risk management. These groups are generally responsible for producing the 5-year license renewal PRAs. There is no dedicated PRA staff at the plants or in company headquarters.
TEPCO officials noted that scenarios from a plant PRA may inform operator training, but there is not a one-to-one correspondence between PRA scenarios and training exercises. These officials also noted that several different plants share a single training center, so plant-specific scenarios are not practical.
The committee requested more detailed information from TEPCO about the scope, format, and results of its plant-specific PRAs and the treatment of uncertainties. However, none of the plant-specific PRA documents had been translated into English so the committee was not able to review them independently.
Representatives from government, industry, and academia expressed reticence about the usefulness of Level 2 and 3 PRAs; they noted that the consensus in Japan was that the methodologies used to treat uncertainties were still quite immature. According to these representatives, more deterministic approaches are preferred over PRA in Japan; many representatives emphasized that PRA is just one of many tools to assess and mitigate risk.
I.4 USE OF PRA IN U.S. NUCLEAR PLANTS
PRAs are not required by rule for existing U.S. nuclear plants; however, they exist for all plants and are used extensively in decision making about plant operations. Most of these PRAs are Level 1 with some Level 2 considerations included to have a basis for determining large early-release frequencies of fission products. The PRAs include external-event analysis, but their scopes vary and in most cases are somewhat limited, particularly with respect to the use of probabilities to define external-event frequencies. Only a few plants have PRAs that include external flood risks or low-power shutdown risks. A few plants also have Level 3 PRAs, but those PRAs are generally dated. Level 1 plant PRAs are mature and comprehensive.
There is currently no regulatory requirement for nuclear plant PRAs to be periodically updated unless a commitment to do so is included as a part of a plant’s license conditions. Nevertheless, most plants update their PRAs approximately every 3 years. Also, if the PRA is used as a basis for a license renewal, or to support a risk-informed change to a plant’s licensing basis, the industry regulator, the U.S. Nuclear Regulatory Commission, requires that it be current (USNRC, 2009b).
Under 10 CFR Part 52,⁴ Level 1 and Level 2 PRAs are required for new nuclear plants. The PRAs must include the consideration of internal and external events⁵ and address all plant operating modes (i.e., full power to shutdown). All new plants licensed under 10 CFR Part 52 are also required to update their PRAs on a regular basis. These updated PRAs are subject to review by the USNRC. Design-specific PRAs are also required by the USNRC for certifications of new nuclear plant designs.⁶
Except as noted above, the USNRC does not conduct detailed reviews of or issue safety evaluation reports on PRAs. The USNRC staff does, however, perform audits of PRAs to develop lines of inquiry during routine inspections. A plant PRA only needs to be adequate for the licensee to justify a general characterization of plant risk; the USNRC does not require licensees to expand the scope or improve the quality of their PRAs except as needed to support licensing actions. In addition, the USNRC only undertakes a detailed review of a PRA when a licensee submits it as part of a “risk-informed” change to the plant’s licensing basis (USNRC, 2012a). Of course, the licensee may never choose to make a risk-informed change in the plant, in which case the opportunity for a detailed review is never triggered.
PRAs are used by licensees and the USNRC to evaluate the impact on risk of plant modifications and online or outage maintenance. PRAs are also used to support the licensees’ inspection and surveillance activities and to risk-inform USNRC oversight, inspection, and enforcement activities. PRAs are often used as a basis for selecting equipment to be monitored under the “Maintenance Rule” (10 CFR § 50.65⁷) and to support determinations regarding the risk significance of plant transients and the safety implications of reportable events.
PRAs have become increasingly important in developing risk-informed information to support license amendments. They are also used to update a plant’s technical specifications and the safety parameter displays in the control room. Perhaps one of the most important applications of PRAs is for training. The use of plant-specific PRAs in training varies from plant to plant; operators in many plants are now being trained on plant-specific simulators using actual accident sequences derived from that plant’s PRA.
_________________
4 Licenses, Certifications, and Approvals for Nuclear Power Plants. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part052/.
5 Work is currently under way to strengthen external-event analyses, particularly with respect to fires, earthquakes, and floods.
6 It is important to note that the safety of operational nuclear plants in the United States will be dominated by the currently existing plants for many years to come.
7 Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0065.html.
The USNRC has developed independent risk models for each nuclear plant under the Standardized Plant Analysis Risk (SPAR) program (USNRC, 2007). SPAR models are compared with licensees’ PRAs; the results of these comparisons are used to make revisions to the SPAR models or to document unresolved technical issues. SPAR models are used in the USNRC’s inspection and oversight programs and to support the Accident Precursor Program, Incident Investigation Program, and generic safety issue resolution process. SPAR models are also used to perform risk-informed reviews of license amendments.
The USNRC is currently examining the use of Level 3 PRAs for nuclear plant regulation (Borchardt, 2012b). USNRC staff are developing a Level 3 PRA for an existing nuclear plant (Vogtle) in Georgia. This PRA is planned to be completed over the next several years.