
Chapter 1 An Introduction to Probabilistic Safety Assessment

Abstract This chapter introduces the underlying concepts related to probabilistic safety assessment. It describes how risk and safety are to be understood as part of a probabilistic framework. Various types of analysis approaches are described. Lastly, we discuss how the information from safety assessment is used as part of decision making.

1.1 On Risk and Safety


Risk is a part of almost all human endeavor. While ranging in degree from personal hazards to the potential severe consequences associated with complex technological systems, risk nonetheless is embodied in a variety of situations and conditions. When asked, the layperson can generally provide information related to his perception of risk. But, what exactly is risk? And, more importantly, what operational definition do we attach to risk when performing or using a risk analysis? One dictionary definition describes risk as "the chance of injury, damage, or loss; the degree of probability of loss." This dictionary definition identifies the essential parameters which are necessary to define risk. In this text, we will define risk as (Kaplan and Garrick, 1981; Breeding et al., 1985):

Risk: The likelihood of experiencing a specified set of undesired consequences.

Since risk can be an abstract idea, immediately present, or simply anticipated, a variety of perceptions and emotions are possible, including aversion, grief, and fear (Hume, 1739). The process of risk analysis is based upon the quantification of both the likelihood (how likely is likely?) and the consequences (what do I expect of the actual outcome?). This process encompasses, by its very nature, multiple disciplines which are brought together in an integrated fashion. Probabilistic risk assessment (PRA) is thus defined as:

Probabilistic Risk Assessment: The systematic process of constructing and quantifying a model representing risk, wherein either (or both) the likelihood and the consequences are treated in a probabilistic fashion.

PRA identifies, probabilistically,¹ the scenarios initiating and leading to the undesired outcome, the likelihood of said scenarios, and the magnitude of the consequences. These three items, the scenario s_i, the likelihood l_i, and the negative consequences c_i, form the basis of the so-called risk triplet for the i-th scenario (Kaplan and Garrick, 1981). Note that our definition of risk is not universally accepted and may have different applications, especially in domains such as finance. Further, many engineering applications tend to blur the distinction between risk and the probability of failure of a technological system. We will keep system performance (measured by metrics such as reliability and availability) separate from the risk associated with such systems. Typically, as system performance improves, the risk level decreases, even if the hazard² associated with the system remains constant.

¹ Probabilistically, as used here, implies that uncertainty permeates throughout the risk model. We will discuss specific types of uncertainty, and their treatment, later.
² Hazard, from the Arabic al zahr (dice) (Bernstein, 1996), for a nuclear power plant is primarily the radionuclide inventory in the reactor core.

The title of this chapter was noted as an introduction to probabilistic safety assessment (PSA). While the terms PRA and PSA are frequently interchanged, risk and safety are not the same entities. As noted in NUREG/CR-4350, safety can, "in a sense," be thought of as being the degree to which risk is absent (Breeding et al., 1985). Unfortunately, it is this "in a sense" that allows individuals the latitude to use the term safety in a variety of contexts. For example, in the nuclear power plant regulation environment, we have safety systems, safety analysis, safety margins, safety significant, unreviewed safety questions, ... What do we mean when we say safety, and do these different types of safety contexts represent the same thing? While the Code of Federal Regulations (CFR) is somewhat lacking with regard to a precise definition of safety, it may be inferred from various regulation texts. For example, from 10 CFR 50.2 (U.S. NRC, 2002):

Safety-related structures, systems and components means those structures, systems and components that are relied upon to remain functional during and following design basis events to assure: (1) The integrity of the reactor coolant pressure boundary (2) The capability to shut down the reactor and maintain it in a safe shutdown condition; or (3) The capability to prevent or mitigate the consequences of accidents which could result in potential offsite exposures comparable to the applicable guideline exposures set forth in 50.34(a)(1) or 100.11 of this chapter, as applicable.

In other words, the safety in safety-related implies the prevention of undesired events based upon an aversion to inherent risk related to design basis events. So, here safety does focus attention on two of the three vectors within our risk triplet, namely on the scenario s_i and the consequences c_i. Absent is the likelihood element. Other areas of the NRC's regulations provide a different take on a safety definition. For example, related to unreviewed safety questions, one finds (Callan, 1998):
The current rule language states that an unreviewed safety question exists when the probability of occurrence or the consequences of an accident...may be increased...in light of the qualitative consideration of probability during plant licensing, a minimal increase in probability would not impact the basis for the NRC's conclusions on acceptability.

Here, an impact to safety is inferred as a plant modification that results in a non-negligible increase in risk, which is similar to the definition provided by NUREG/CR-4350. Unfortunately though, this simplistic definition of safety (i.e., safety is the complement of risk) has the flaw that focusing solely on a lack of risk ignores potential inherent benefits related to the item in question. Nuclear power plant analyses have shown that, in some cases, safety-related components do little to prevent risk while other non-safety-related components may be valuable to risk mitigation (Blanchard and Worrell, 2002). Like risk, realized benefits (the efficacy) may be described by a triplet containing the scenario s_i, the likelihood l_i, and the positive consequences c_i.

Efficacy: The likelihood of experiencing a specified set of favorable (or desired) consequences.

Coupling efficacy with risk captures both extreme, unlikely events (e.g., core damage, with little positive benefit) and routine operation (e.g., producing power in the absence of plant upsets). Safety may then be formally defined as:

Safety: The relative trade-off of efficacy to risk.

One could then quantify a safety level from: Safety = Efficacy / Risk. For a technological system to be deemed safe by a society, one then requires either (1) a large benefit associated with risky activities, (2) a low level of risk coupled with marginal benefit, or (3) a moderate benefit and level of risk. We do see these kinds of trade-offs within both private and public activities leading to the perception that a process is safe. For example, the risk related to transportation (primarily personal automobiles) is quite high (see Figure 1.1, where MV represents motor vehicle deaths), yet driving is deemed by many to be safer when compared to less benign activities, primarily due to (1) the benefits that driving provides and (2) the fact that individuals are more willing to subject themselves to a risk they choose (as opposed to an involuntary risk).

Fig. 1.1 Top 10 leading causes of death of people of all ages in the United States for the year 2007 (NHTSA, 2011).

1.2 On Reliability
Reliability, as a topic, can be described as the approach used to describe and quantify how elements of scenarios behave in terms of failure to carry out their intended functions. Here, the term elements refers, in general, to humans, hardware, and software. As such, reliability analysis can be thought of as a subset of PSA; in other words, PSA relies on reliability (or more specifically, unreliability) techniques to understand and evaluate the likelihood of scenarios. When quantifying failures of humans, hardware, or software, we need to consider a variety of topics, including:

- Models to represent failures, including cases where failures can be restored through actions such as repair or recovery.
- How failures relate to scenarios.
- How data and information are incorporated into the quantification process.
- Treatment of dependence, including how systems interact and how failure causes might impact multiple components.

1.3 Objectives of PSA


The management of personnel, configuration control of components, and decision making during the operation of complex facilities such as a nuclear power plant is a critical task and raises specific issues that deserve attention. Decisions are to be made by the plant management that may have both risk-related and economic consequences. It has been suggested that PSA insights can contribute to making better decisions in the nuclear industry (Apostolakis, 2000). Since nuclear power plants have both a large capital cost and significant operational costs, making the decision process more efficient can lead to potentially large economic savings in addition to reducing or controlling risk levels. PSA provides an important analysis tool for decision making since it attempts to answer the three questions: (1) what can go wrong, (2) how likely is it to occur, and (3) what are the outcomes? Note that the scope of PSA has traditionally covered incidents which, by definition, occur leading up to a core melt event. Situations where decisions are made after a core melt event fall into the category of accident management (Catton and Kastenberg, 1998; Jae and Apostolakis, 1992). This distinction of incident-versus-accident management is shown in Figure 1.2, where minor incidents progress to major accidents from upper-left to lower-right.

For PSA, we discriminate between the "what can go wrong" scenarios by first categorizing upset conditions (called initiating events). Then, for each initiating event scenario, we determine the mechanisms that respond to the upset condition. For incident management, the scenario will lead up to (and include) damage of the reactor core. When dealing with accident management, the PSA will model physical processes that may eventually result in barrier failures and subsequent release of radionuclides. It is not surprising here that the applicable risk models in the accident management realm find a significant reliance on phenomena treatment such as material interaction, chemical processes, and thermal-hydraulics.

Secondly, one identifies the likelihood of the defined scenarios. The execution of this step requires the determination of both the initiating event likelihood (which can take the form of either a probability or a frequency) and the likelihood that the plant fails to respond adequately to the upset condition. The plant response characterization includes structure, system, and component (SSC) failures in addition to human error conditions. Traditionally, the plant response modeling has been carried out via logic-based models which describe the conditions where the plant fails to prevent the occurrence of the undesired outcome.

Lastly, for the completion of the PSA model, one identifies the scenario consequences. For nuclear power plants, we are typically concerned with the dispersal of radionuclides from the (now) molten core. Thus, our consequence modeling must include mechanisms representing the movement of material from inside the reactor structure to the affected population and environment. Consequence analysis uses models for transport/dispersion, pathways, and dose-health, and ultimately allows us to determine effects such as economic impacts, acute damage, and the predisposition for latent health conditions.

Fig. 1.2 An illustration of the degree of severity between incident and accident management at nuclear power plants.

1.4 Other Approaches to Risk Assessment


While models such as PSA are widely utilized, the application of risk analysis has a long history. Early attempts at risk assessment date back to 3200 BC (Bernstein, 1996). Modern PSA began primarily via the aerospace industry in the 1950s and 60s, but was revitalized by the nuclear power industry following its stagnation in the late 1960s (Bedford and Cooke, 2001). Other examples of types of risk assessment include the maximum credible accident and actuarial analysis.

The maximum credible accident approach, also called the worst case approach, represents an attempt to select a scenario that, while still possible, is the worst thing that can happen. This type of analysis focuses solely on the consequences associated with the worst case scenario and serves as a bounding analysis. Typically, the likelihood of realizing the worst case is not considered quantitatively. An example of this type of risk analysis is embodied in the WASH-740 report published by the U.S. Atomic Energy Commission (U.S. AEC, 1957). At the time of publication, the nuclear industry had approximately 100 reactor-years of operation. While it was believed that the possibility of an accident was small, little engineering analysis was available to bolster that claim. Thus, the focus of WASH-740 was to estimate what could possibly happen if a worst-case reactor accident did occur. Consequence estimates range from zero to a maximum of 3,400 lethal exposures in the case of a 50% release of fission products from the reactor core. Of course, the report notes that this outcome can only occur under "the adverse combination of several conditions..." The maximal offsite property damage was estimated to be up to $7 billion (in 1956 dollars). But, problems associated with this type of analysis include issues such as how likely it is to release 50% of the fission products (considering multiple engineered safety barriers must be traversed), focusing stakeholder attention on extreme outcomes, and the realization that the selected worst case may not be the worst event that could possibly happen.³

The second, but more common, type of risk assessment that is utilized in addition to PSA is the actuarial approach. Actuarial science is the foundation of the insurance industry and is based on statistical applications of relevant data. For example, in the case of issuing a life insurance policy to an individual, the insurer utilizes causal factors (e.g., sex, age, health, lifestyle) to estimate a probability of dying prior to some future date. From this probability, an insurance premium (i.e., monetary cost) is determined. While this approach works for systems that are represented by large data sets (e.g., human mortality rates, odds for card games, quality control during product manufacturing), the lack of scenario-specific data for nuclear plant operation limits its usefulness within the nuclear industry. Nonetheless, when data is available, statistical analysis is useful and can take on a variety of forms. For example, if we analyze the win/loss measure (in points) for the New England Patriots of the National Football League (see Figure 1.3) during the regular season in 2013, we can plot a risk curve as it relates to the ability of the team to win (have the net points, per game, be greater than zero). Note that in this figure, we are plotting games that had net points (x) below a value but above the next lowest interval. For example, the point labeled "0" implies games that finished with net points between -10 (a loss of 10 points) and 0 (a tie). During the 2013 season, there were a total of four games that fell into this interval. Since the majority of the curve is above the 0 point, this would imply that the Patriots won the majority of their games (the actual winning percentage was 12/16 = 75%). Also, one should note that it is unlikely to have many events (either wins or losses) at the extreme ends of the curve since it is difficult to win or lose a football game by more than 30 points. These types of games would be considered a type of high consequence, low probability event.

³ As de Finetti noted in his discussion of possibility, it may "...be appropriate to only use the phrase absolutely certain when referring to tautologies..." (de Finetti, 1970).
[Figure 1.3: histogram with y-axis "Frequency (events/season = x)" and x-axis "Net Points (< x)" running from -30 to +40 in steps of 10; games left of zero are labeled "Losses" and games right of zero "Wins".]

Fig. 1.3 An illustration of a type of risk curve where more area (under the curve) to the right of zero indicates a higher percentage of wins (a positive consequence).
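The binned risk curve described above, together with the exceedance (complementary cumulative) form used for the WASH-1400 curves later in the chapter, as an added worked example that is not from the book. The per-game margins below are constructed (chosen to give 12 wins in 16 games, like the quoted 2013 record) and are not the actual game results.

```python
import math
from collections import Counter

# Constructed per-game net points (points for minus points against) for a
# 16-game regular season; NOT the actual 2013 Patriots results.
SAMPLE_NET_POINTS = [3, -10, 7, 14, -3, 24, 10, 4, -17, 20, 31, 11, -8, 27, 35, 9]


def interval_risk_curve(net_points, width=10):
    """Frequency (events per season) of games whose net points fall in
    (label - width, label]. As in Figure 1.3 the label is the interval's
    upper bound, so label 0 collects games from a 10-point loss up to a tie.
    Empty intervals between the extremes are kept at zero so the curve is
    a complete series."""
    labels = [math.ceil(x / width) * width for x in net_points]
    counts = Counter(labels)
    return {label: counts.get(label, 0)
            for label in range(min(labels), max(labels) + width, width)}


def exceedance_curve(values):
    """Complementary cumulative form of the same data (the shape used for
    the WASH-1400 curves in Figures 1.6 and 1.7): for each observed
    magnitude x, the number of events per season with magnitude >= x."""
    return {x: sum(1 for v in values if v >= x) for x in sorted(set(values))}


def winning_fraction(net_points):
    """Share of the curve's area to the right of zero, i.e. games won
    (a tie is not a win, matching the text's 'net points > 0')."""
    return sum(1 for x in net_points if x > 0) / len(net_points)


def high_consequence_tail(curve, magnitude=30):
    """Intervals for games decided by more than `magnitude` points in either
    direction: the low-probability, high-consequence ends of the curve.
    A label of -magnitude covers losses worse than -magnitude, because the
    label is the interval's upper bound."""
    return {label: n for label, n in curve.items()
            if label > magnitude or label <= -magnitude}


if __name__ == "__main__":
    curve = interval_risk_curve(SAMPLE_NET_POINTS)
    for label, n in curve.items():
        print(f"net points < {label:+d}: {n} game(s)")
    print(f"winning fraction: {winning_fraction(SAMPLE_NET_POINTS):.2f}")
    print("games at the extremes:", high_consequence_tail(curve))
```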

While the worst-case and actuarial approaches are used in risk assessment, the analytical approach forms the basis for many modern PSA applications. Rather than relying on a worst-case analysis, PSA is known as a best-estimate analysis method, implying that the PSA will model risk in its most likely configuration. Further, PSA does not rely exclusively on statistical data for events such as core damage and, instead, deductively represents via reasoning the pieces that contribute to core damage. An important part of this deductive approach is probabilistic (e.g., the occurrence of an initiating event, the failure of an SSC), but additionally PSA relies on non-probabilistic (i.e., deterministic) models. For example, if all the redundant portions of a safety system fail, it is a given that the safety system itself has failed. Of course, the likelihood that a single redundant portion of the system fails is probabilistic, which indicates that PSA is a blending of stochastic and deterministic models.

1.5 An Introduction to Traditional Risk Assessment


In a PSA, analysts determine lists of upset conditions (initiating events), the plant response to said upsets (accident sequences), and the performance of specific plant systems (typically captured in fault trees). Further, as the PSA is decomposed into additional layers of detail, one reaches the lowest level of the PSA, representing individual component behavior (basic events). These component modules generally contain either (1) subjective information about a component's likelihood of not performing its intended function, (2) actual failure data, or a combination of (1) and (2). The realm of subjective modeling using probabilistic information falls under the umbrella of Bayesian methods and will be discussed in additional detail in later chapters.

At a high level, our Bayesian PSA model is a mixture of deterministic and stochastic (better described by the term aleatory) modules. For example, both a fault tree and its underlying system success criteria are deterministic. But, because we do not know when a particular component in the system will be inoperable, failures of the component are represented via an aleatory model. These deterministic and aleatory models have parameters associated with them, where each parameter may be uncertain. This second type of uncertainty is classified as epistemic, indicating that our state of knowledge about a portion of the model is incomplete.

To better understand the techniques that make up current nuclear power plant PSAs, the major parts of the analysis will be described. In general, a full-scope PSA involves three "levels." The first level contains the logic models (e.g., fault trees and event trees) and probability data representing the outcome of damage to the reactor core. The second level concerns the plant response to the core damage progression (primarily the containment and associated systems). The third level focuses on the off-site consequences resulting from the damaged core and containment. These levels are called Level 1, Level 2, and Level 3, respectively (U.S. NRC, 1988a). Figure 1.4 illustrates these three levels and the information that is extracted from each level. Note that PSAs for other domains such as aerospace, security, and facility analysis use similar approaches.


Fig. 1.4 The three PSA analysis levels and their primary analysis focus.

Level 1 PSA is used to identify and quantify scenarios leading to core damage. This process involves determining significant initiating events, generally those that challenge normal plant operation and that must be successfully dealt with to prevent core damage. Once these initiators are identified, possible plant responses must be determined. The response depends on the different combinations of successes and failures of the systems involved. When the systems have been determined, they must be modeled (usually with fault trees) to identify credible failure modes and unavailabilities. Finally, a full-scope Level 1 PSA quantifies the plant's core damage frequency (CDF) and its associated uncertainty, including at-power and reduced-power operation. To determine the Level 1 results, initiating event frequencies and equipment failure/unavailability probabilities must be ascertained.

Level 2 PSA is used to evaluate and quantify subsequent material releases from core damage. This analysis involves filtering the Level 1 sequences to a practical number for detailed analysis, typically by grouping Level 1 cut sets into a smaller set of plant damage states. Assessment of containment performance with Level 1 accident sequence analyses is handled much the same as Level 1 analysis, by using fault tree models to estimate failure probabilities. A common metric out of the Level 2 models is the large early release frequency (LERF). The Level 2 analysis evaluates the impacts to the plant's engineered safety barriers that are designed to limit the release of radionuclides.

Level 3 PSA addresses not only Level 1 and 2 issues but evaluates and quantifies the resulting consequences to the public and environment as well. Thus, questions such as weather conditions, population levels surrounding the plant site, and dispersion (from containment) characteristics are important in this analysis. Common metrics out of the Level 3 analysis include early and latent fatalities. Only those scenarios that breach the engineered safety barriers will be a factor in the Level 3 consequence results.

An illustration of the spatial nature of these three PSA Levels is shown in Figure 1.5 using a typical boiling water reactor (BWR) plant diagram. Pressurized water reactors (PWR) have similar types and numbers of safety barriers. For any of the three PSA levels, an additional subdivision has historically been used to define the type of upset or initiating event condition. Specifically, the breakdown between internal events and external events is used to identify initiators that occur within the plant or outside the plant, respectively. Note though that this distinction becomes somewhat blurred since initiators such as a loss of offsite power may happen at the plant (e.g., in the switchyard) or may occur at a geographically distant location. Further, events such as floods and fires can occur either internal or external to the plant, but these have typically been lumped exclusively in the category of external events.


Fig. 1.5 The spatial depiction of the three PSA analysis levels and the engineered safety barriers that are part of the analysis.

Due to the complex models required, computer tools have been developed to provide a modeling framework for traditional PSA tasks. For example, event trees can be built to determine accident sequences using initiating events and systems. The individual systems as named on the event trees can be modeled using logic fault tree editors. Initiating events and other failure events that comprise each system can be assigned frequencies or probabilities. Minimal cut sets (i.e., a minimally sufficient group of failures that can lead to an undesired outcome) can be generated to quantify fault trees and sequences. A PSA analyst has tools available to perform a variety of different uncertainty and sensitivity analyses. In general, the capabilities of these tools encompass the following items:

- Initiating events
- Accident sequences (also called sequences or event tree sequences)
- Event trees (also called event tree logic or sequence diagrams)
- End states (also called end state partitions)
- Systems analysis (also called fault tree analysis)
- Cut set generation (also called cut set solving)
- Uncertainty analysis (also called uncertainty propagation or sampling)
- Importance measures

These identified PSA areas are considered vital for most traditional PSA analyses, regardless of whether they are based upon traditional logic models (i.e., fault and event trees) or other approaches such as simulation.

1.6 Decision-Making and PSA


Decision-making has been part of human activities for numerous years. Lacking predictive information about a future event, decision-making historically focused on guessing potential outcomes of one or more realized choices. As decision making evolved, the underlying processes behind the methodology evolved to include probabilistic phenomena. Including the effects of these phenomena (a reflection of their stochastic nature) helped to provide realism in decision-making. Consequently, the roots of formal decision making are tied to fundamental shifts of thought that occurred in the European Renaissance, circa 1600 to 1700, related to the genesis of modern statistical theory. Unfortunately though, many of the important concepts and insights related to decision-making did not become widely considered until the middle of the 20th century, with publications such as von Neumann and Morgenstern's book on game theory (von Neumann and Morgenstern, 1944).

A variety of decisions are made every day at every nuclear power plant. Most of these decisions are routine, but, on occasion, significant decisions must be made. Currently, little formal decision making is used in practice. Nonetheless, informal decision making is used, both by the plant operators and the regulators. For example, the NRC regulates nuclear power plant operation through a combination of several regulatory processes. One of these processes, safety oversight, includes activities such as inspection, assessment of performance, evaluation of experience, and other general support activities. As part of these regulatory activities, a variety of PSA-based risk metrics are utilized. A portion of these NRC activities include programs such as the significance determination process (SDP), generic issue resolution, and risk-informing special treatment requirements.

The SDP is a method used to assist in risk-worth determination of inspection incidents. The SDP uses PSA models to estimate an "annualized CDF." Decision making then takes place via knowledge of the annualized CDF. Specifically, decision criteria are provided via regions (and associated colors) of interest:

Red: increase is > 10^-4/yr
Yellow: increase is between 10^-5/yr and 10^-4/yr
White: increase is between 10^-6/yr and 10^-5/yr
Green: increase is < 10^-6/yr

The process of generic issue resolution is also a quantitative process similar to that of the SDP. Consideration is taken in calculating both a CDF (specific to various decision alternatives) and the regulatory cost burden associated with the decision alternatives. Then, to assess the cost-effectiveness of a particular plant alternative, a dollar-to-person-rem-averted ratio is generated. Historically, a value of $1,000 per person-rem has been used by the NRC as an upper bound in deciding whether corrective measures may be appropriate. In 1995, this criterion was changed to $2,000 per person-rem (U.S. NRC, 1997).

The risk-informing special treatment requirements process is a part of risk-informing 10 CFR Part 50. Within this process, one proposed option is to make the special treatment requirements (e.g., quality assurance, environmental qualifications, reporting) risk-informed. This proposed modification would utilize a new definition in 10 CFR 50.2 that depicts which components are "safety-significant." Components that are safety-significant would be within the scope of the requirements. Conversely, components that are deemed to not be safety-significant would be outside the scope unless specifically added by the plant operators or the NRC. In order to determine the significance of components, a plant PSA would be used to help determine applicable components using traditional PSA importance measures (Lambert, 1975; Cheok, Parry, and Sherry, 1998). It is desired that the importance measures should
"be chosen such that results can provide...information on the relative contribution of an SSC (system, structure, or component) to total risk. Examples of importance measures that can accomplish this are the Fussell-Vesely (F-V) importance and the Risk Reduction Worth (RRW) importance. Importance measures should also be used to provide information on the safety margin available should an SSC fail to function. The Risk Achievement Worth (RAW) importance and the Birnbaum importance are example measures that are suitable for this purpose." (U.S. NRC, 2000)

Proposed decision criteria are based upon these two importance measures, F-V and RAW. If a component exhibits a measure value larger than the target for either F-V or RAW, then the component is deemed to be safety-significant. The target importance measure values are:

F-V > 0.005 (for either CDF or LERF)
RAW > 2 (for either CDF or LERF)

A key tenet of these risk-informed processes is that the risk model plays a central role in informal decision-making (Brewer and Canady, 1999). This decision making generally takes place by use of a risk threshold, for example the values specified on F-V and RAW above. Alternatively, a common risk metric that is used is the change in CDF, or ΔCDF. These metrics then play a part in the larger context of risk-informed applications at current plants. Unfortunately though, many ad-hoc methods of decision making suffer from several flaws. Common problems in these activities include: (1) focusing on a single metric (e.g., importance measures for core damage) as the primary decision driver, (2) lacking consideration of other decision alternatives outside the initial focus, (3) ignoring non-risk attributes, and (4) not using methods such as "sanity checks" to question the validity of decision results. Note that even formal decision-making is subjective, but a formal process forces one to indicate which attribute(s) are important, why they are important, and how much emphasis is placed on the attribute(s) as they relate to decision-making.

At this point, we simply note a couple of identifying features of formal decision making that are absent in many of the applications discussed earlier. First, formal decision making integrates a multi-attribute approach (via utility theory) while informal applications typically focus on a single metric type (e.g., in the case of importance measures, the CDF). Second, formal decision making utilizes decision-maker preference as an integral part of the analysis. Informal decision-making applications generally do not address this issue, and if they do, are somewhat subjective. Third, formal decision making relies on quantitative expectation as the basis for preferential ranking of decision alternatives. Many informal decision-making applications focus on "thresholds" (e.g., the colored regions for SDP, $2,000 per person-rem, F-V < 0.005), which then brings up the question as to the proper decision metric. For example, if the application has a goal that risk be below a value of X, then expected value as a measure may not be desirable since it is a measure of central tendency. Instead, the decision-maker may be interested in ensuring that the probability of exceeding the risk threshold is low (Smith, Knudsen, and Calley, 1999). In this case, one is focusing on the concept of risk as an upper bound in relationship to the cut-off criteria.

While PSA does provide a tractable, deliberate, and disciplined technique of evaluating the safety of nuclear power plants, it cannot answer the most difficult regulatory question of all, namely "How safe is safe enough?" The answer to this question is political and sociological, in addition to technical, but the PSA may provide insight into the question by framing the risks of interest. For example, a PSA could be used to estimate the likelihood of causing public fatalities from the operation of nuclear power plants. The risk metric could then be used to compare the risk of this activity against other activities or processes that may cause fatalities. This type of comparison was performed as part of the first full-scope PSA, performed in the 1970s and known by its report number, WASH-1400. WASH-1400, also known as the Rasmussen Report after Professor Norman Rasmussen of M.I.T., compared estimates of risk encountered from a fleet of 100 nuclear power plants against risks from both human-caused (see Figure 1.6) and natural events (see Figure 1.7) in a risk curve format. Like the risk curve we discussed earlier, the WASH-1400 results indicated that there may be high consequence, low probability events associated with operating nuclear power plants. One of the criticisms of the WASH-1400 risk curves was the fact that the uncertainty of the risk estimates is not discussed. For example, chlorine-release events that result in at least 100 fatalities are somewhat rare in that they are seen only once in a hundred years. But, this estimate is based on actuarial statistics and, as such, is uncertain: the frequency of these events may be larger or smaller. So, while the WASH-1400 risk curves indicated that operating nuclear power plants is generally a less risky proposition (fatality-wise) than other human endeavors, as the magnitude of the risk increases (or the likelihood decreases) we become more uncertain about the relative safety of nuclear power. But, as Clemen points out, in addition to complexity as an issue, a decision can be difficult because of the inherent uncertainty in the situation (Clemen, 1996). At some point though, decisions are made to build or not to build and to operate or not to operate nuclear power plants. PSA is one tool that may be used to assist in decision making when asking these types of questions.
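Cut set generation and quantification (Section 1.5) and the F-V/RAW screening and SDP color bands (Section 1.6), as one added worked example that is not code from the book or from any PSA tool. The two-train fault tree and its basic-event probabilities are constructed for illustration, and the handling of values that fall exactly on an SDP band boundary is an assumption, since the text does not state it.

```python
from math import prod

# Fault tree as nested tuples: ("AND", [children]) or ("OR", [children]);
# a bare string is a basic event. Constructed two-train injection system
# (not a real plant model): a train fails if its pump, its valve, or the
# shared DC bus fails; a pump common-cause event and a room-cooler/operator
# pair each defeat the redundancy on their own.
TRAIN_A = ("OR", ["PUMP_A", "VALVE_A", "DC_BUS"])
TRAIN_B = ("OR", ["PUMP_B", "VALVE_B", "DC_BUS"])
TOP = ("OR", [("AND", [TRAIN_A, TRAIN_B]),
              "CCF_PUMPS",
              ("AND", ["ROOM_COOLER", "OPERATOR"])])

# Constructed basic-event failure probabilities (illustrative values only).
PROBS = {
    "PUMP_A": 1.0e-2, "PUMP_B": 1.0e-2,
    "VALVE_A": 2.0e-3, "VALVE_B": 2.0e-3,
    "DC_BUS": 1.0e-4, "CCF_PUMPS": 5.0e-4,
    "ROOM_COOLER": 1.0e-3, "OPERATOR": 5.0e-4,
}

# Target values quoted in the text for risk-informed special treatment.
FV_TARGET = 0.005
RAW_TARGET = 2.0


def _absorb(cut_sets):
    """Drop any cut set that contains another one (absorption law), so that
    only minimal cut sets remain."""
    minimal = []
    for cs in sorted(set(cut_sets), key=len):
        if not any(m <= cs for m in minimal):
            minimal.append(cs)
    return minimal


def minimal_cut_sets(gate):
    """Cut set generation: expand the tree into an OR of ANDs of basic
    events (each frozenset is one cut set) and keep the minimal ones."""
    if isinstance(gate, str):
        return [frozenset([gate])]
    kind, children = gate
    child_sets = [minimal_cut_sets(child) for child in children]
    if kind == "OR":
        cut_sets = [cs for group in child_sets for cs in group]
    elif kind == "AND":
        cut_sets = [frozenset()]
        for group in child_sets:
            cut_sets = [a | b for a in cut_sets for b in group]
    else:
        raise ValueError(f"unknown gate type {kind!r}")
    return _absorb(cut_sets)


def top_probability(cut_sets, probs):
    """Minimal cut set upper bound, P(top) <= 1 - prod(1 - P(cut set)),
    the usual quantification when cut sets are treated as independent."""
    return 1.0 - prod(1.0 - prod(probs[e] for e in cs) for cs in cut_sets)


def importance(cut_sets, probs, event):
    """Importance measures for one basic event: R is the base risk, R(1)
    the risk with the event certain (failed), R(0) with it perfect."""
    base = top_probability(cut_sets, probs)
    r_failed = top_probability(cut_sets, {**probs, event: 1.0})
    r_perfect = top_probability(cut_sets, {**probs, event: 0.0})
    return {
        "FV": (base - r_perfect) / base,   # Fussell-Vesely: share of risk from the event
        "RRW": base / r_perfect,           # risk reduction worth
        "RAW": r_failed / base,            # risk achievement worth
        "Birnbaum": r_failed - r_perfect,  # sensitivity of risk to the event
    }


def safety_significant(cut_sets, probs):
    """Apply the F-V > 0.005 or RAW > 2 screening to every basic event."""
    result = {}
    for event in probs:
        m = importance(cut_sets, probs, event)
        result[event] = m["FV"] > FV_TARGET or m["RAW"] > RAW_TARGET
    return result


def sdp_color(delta_cdf_per_year):
    """SDP band for an annualized CDF increase. Assumption: a value exactly
    on a boundary falls in the less severe band."""
    if delta_cdf_per_year > 1.0e-4:
        return "Red"
    if delta_cdf_per_year > 1.0e-5:
        return "Yellow"
    if delta_cdf_per_year > 1.0e-6:
        return "White"
    return "Green"


if __name__ == "__main__":
    cut_sets = minimal_cut_sets(TOP)
    print("minimal cut sets:", [sorted(cs) for cs in cut_sets])
    print(f"top event probability: {top_probability(cut_sets, PROBS):.3e}")
    for event, significant in safety_significant(cut_sets, PROBS).items():
        m = importance(cut_sets, PROBS, event)
        print(f"{event:12s} FV={m['FV']:.4f} RAW={m['RAW']:8.1f} "
              f"{'safety-significant' if significant else 'not significant'}")
```

Note that ROOM_COOLER screens out on both measures while its partner OPERATOR screens in on RAW alone, which is the distinction the RAW target is meant to capture.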


Fig. 1.6 Frequency of technological events involving fatalities including nuclear power plant operations (WASH-1400).


Fig. 1.7 Frequency of natural events involving fatalities including nuclear power plant operations (WASH-1400).


1.7 Postscript
For general information on reactor safety and the evolution of safety analyses, refer to Section 1 in NUREG/CR-6042, Perspectives on Reactor Safety. For information on PSA methods found in aerospace applications, see NASA/SP-2011-3421, Probabilistic Risk Assessment Procedures Guide for NASA Managers and Practitioners, Second Edition.

Exercises
1. Create a risk curve similar to that shown in Figure 1.3 for the New England Patriots during the 2012 regular season. Comparing the 2012 curve to the 2013 one, which season would be classified as more successful?

2. According to the analysis that was performed for WASH-1400 in the 1970s, what is the frequency of 100 nuclear power plants causing at least 1000 fatalities?
