Annals of Nuclear Energy, Vol. 6. pp. 19 to 24.
0306-4549/79/0101-0019 $02.00/0
© Pergamon Press Ltd, 1979. Printed in Great Britain
A REVIEW OF THE AMERICAN NUCLEAR SOCIETY SYMPOSIUM ON THE PROBABILISTIC ANALYSIS OF NUCLEAR REACTOR SAFETY
J. SHAW
Nuclear Engineering Department, Queen Mary College, University of London, London (Received 2 August 1978)
INTRODUCTION
A symposium on the Probabilistic Analysis of Nuclear Reactor Safety was held in Los Angeles from 8th to 10th May 1978. The conference was sponsored by the Nuclear Reactor Safety Division of the American Nuclear Society in conjunction with the European Nuclear Society and the OECD Nuclear Energy Agency. It was attended by approximately 300 delegates from most countries with an active interest in nuclear energy and its development. A total of 100 papers were presented under the general headings of: (a) probabilistic methods in reactor licensing; (b) the methodology of probabilistic safety assessment; (c) application of probabilistic methods to structures, meteorology, safety studies, and external events; (d) the role of probabilistic methods in risk criteria and design problems; (e) computer codes and data systems; (f) probabilistic approach to waste disposal; and (g) risk-benefit studies. The proceedings of the symposium have been published by the American Nuclear Society in three volumes. It is intended in this review to summarize the conference and to identify the main issues. The scope of the review does not allow reference to individual papers or authors.
1. PROBABILISTIC METHODS IN REACTOR LICENSING
This session took the form of a panel discussion; members of the panel emphasized the problems associated with the possible application of probabilistic methods to different stages in reactor licensing procedures. For instance, application of probability analysis should enable risk acceptance criteria to be defined with sufficient confidence to give meaningful levels of acceptability at various stages in the licensing process. At present, the practicality of applying this new approach to licensing is in doubt and there is a general feeling throughout the nuclear industry that the use of probabilistic methods might lead to extra safety requirements and hence additional cost. However, it was pointed out that probabilistic analysis is in the early stages of development and that although future work in the field may not affect the licensing procedures it could be used to provide background information of a technical nature. The additional information could quantify licensing and assist in the decision-making process. This aim could be achieved by specifying stopping places for safety analysis at defined levels of probability. This must be done in a non-probabilistic way at present, as definitions of plant acceptability are inherent in any licensing policy; otherwise plants would not already have been built, and those that are built must be considered acceptable. In fact, plants have been operated, and therefore accepted, before any risks were specified. It was appreciated that attempts to quantify the licensing process at fixed levels of safety and acceptability were a formidable technical and social task. Despite the fact that the probabilistic approach plays little part at present in licensing, and despite the scepticism within the industry, it was thought that the methods could provide at the very least a guide to decision making. The delegates were of the opinion that these new methods should be more generally accepted, especially in view of the success of probability analysis in the aircraft industry. Two aircraft (Concorde and Airbus) have been found to be acceptable by using the probabilistic approach, and this has surely demonstrated that the methods themselves could be applied to the nuclear power plant situation.
The delegates agreed that it would be beneficial to the licensing process to provide probabilistic analysis information as background information initially, and then to apply the methods more directly after experience in their application shows definite benefits and rewards.
It was emphasized that at present progress in the field has a number of limitations. These are the non-availability of skilled persons to carry out the analytical work, the lack of general agreement on how to apply the methods, technical difficulties associated with safety-related differences between different types of reactor plant, and the lack of technical data.
2. THE METHODOLOGY OF PROBABILISTIC SAFETY ASSESSMENTS
The papers under this heading were mainly concerned with the development of response surface techniques for nuclear reactor safety analysis. This is a relatively new aspect of probabilistic safety methodology. Response surface techniques have been developed for obtaining probability distributions of the consequences of postulated nuclear accidents. The method involves assigning probability distributions to the system and model parameters of the accident analysis. A limited number of parameter values are selected (these are called knot-points) and used in a deterministic accident analysis code. The results of these analyses are used to generate analytical functions (called response surfaces) that approximate the accident consequences in terms of the selected parameters. The probability distributions and related characteristics of the consequences are calculated using the response surfaces in a Monte Carlo type simulation. Papers were presented in which response surface techniques were developed with several optimal knot-point selection schemes, interpolation schemes, and fitted second- and third-degree surfaces. Techniques were also given for improving the accuracy of these methods, and areas for future development were outlined.
Licensing of reactor systems uses a variety of conservative assumptions for safety analysis. An example is the conservatism in the regulations used for the calculation of peak clad temperature during a loss-of-coolant accident in a light water reactor. The approach adopted gives strong assurances of safety, but may impose excessive restrictions on reactor design and operation. Response surface techniques are being developed which will allow quantification of the conservatism involved, in terms of probability distributions and a quantified assessment of the assumptions made in the safety analysis.
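The following Python script, added to this review as an illustration and not taken from any of the symposium papers, carries the response surface procedure through on a toy stand-in for the accident code: the uncertain parameters are sampled at a nine-run knot-point design, a second-degree surface is fitted to those runs, and the surface is then used in a Monte Carlo simulation to obtain the distribution of peak clad temperature. The two parameters, their distributions, the closed-form "code" and the bounding corner used to represent the deterministic licensing calculation are all assumptions made for the example.

```python
import itertools
import math
import random


def toy_accident_code(x1, x2):
    """Stand-in for an expensive deterministic LOCA code (constructed).

    Returns a peak clad temperature in kelvin for two uncertain inputs, each
    normalised to [-1, 1]: x1 = decay-heat multiplier, x2 = gap conductance
    factor (assumed names).  The sine term is there so that the fitted
    quadratic is only an approximation away from the knot-points.
    """
    return (1100.0 + 120.0 * x1 - 60.0 * x2 + 25.0 * x1 * x1
            + 15.0 * x1 * x2 + 10.0 * x2 * x2 + 5.0 * math.sin(3.0 * x1))


def knot_points(levels=(-1.0, 0.0, 1.0)):
    """Three-level full factorial design: nine code runs in two parameters."""
    return list(itertools.product(levels, levels))


def quadratic_terms(x1, x2):
    """Basis functions of a second-degree response surface in two parameters."""
    return [1.0, x1, x2, x1 * x1, x1 * x2, x2 * x2]


def least_squares(rows, y):
    """Solve the normal equations by Gauss-Jordan elimination (no numpy needed)."""
    n = len(rows[0])
    m = [[sum(r[i] * r[j] for r in rows) for j in range(n)]
         + [sum(r[i] * yk for r, yk in zip(rows, y))] for i in range(n)]
    for i in range(n):
        p = max(range(i, n), key=lambda r: abs(m[r][i]))  # partial pivoting
        m[i], m[p] = m[p], m[i]
        for r in range(n):
            if r != i:
                f = m[r][i] / m[i][i]
                m[r] = [a - f * b for a, b in zip(m[r], m[i])]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_response_surface(code, knots):
    """Run the expensive code only at the knot-points and fit a quadratic."""
    coef = least_squares([quadratic_terms(*k) for k in knots],
                         [code(*k) for k in knots])
    return lambda x1, x2: sum(c * t for c, t in zip(coef, quadratic_terms(x1, x2)))


def monte_carlo(surface, n=20000, seed=7):
    """Propagate the assumed input distributions through the cheap surface."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        x1 = max(-1.0, min(1.0, rng.gauss(0.0, 0.4)))  # truncated normal
        x2 = rng.uniform(-1.0, 1.0)
        out.append(surface(x1, x2))
    return out


def percentile(samples, q):
    s = sorted(samples)
    return s[min(len(s) - 1, int(q * len(s)))]


def exceedance_probability(samples, limit):
    return sum(1 for v in samples if v > limit) / len(samples)


def conservatism_margin(code=toy_accident_code):
    """Bounding deterministic PCT (every input at its worst corner) beside the
    95th percentile of the probabilistic PCT, and the probability that the
    bounding value is exceeded: this is the conservatism being quantified."""
    surface = fit_response_surface(code, knot_points())
    samples = monte_carlo(surface)
    bounding = code(1.0, -1.0)
    return bounding, percentile(samples, 0.95), exceedance_probability(samples, bounding)
```

The fitted surface reproduces the code exactly at the nine knot-points and only approximates it between them; the sine term in the toy code is what a third-degree surface or a denser knot-point scheme would recover, which is the accuracy question the papers addressed.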
Because of the long running times of loss-of-coolant accident computer codes, it is not feasible to generate peak clad temperature probability density functions directly from multiple code calculations such as the Monte Carlo method. Response surface approximations can be developed with relatively few loss-of-coolant accident code calculations. Response surface equations can also be developed to enable the probability density function for the peak clad temperature to be obtained without the excessive computer costs involved in normal methods. The technique has also been used to estimate the relative effect of reactor operating parameters and of equipment failures upon the calculated primary system peak pressure probability distribution during postulated accident sequences. Papers were presented describing a number of possible applications of response surface techniques.
3. APPLICATION OF PROBABILISTIC METHODS
3.1. Structures
Papers were presented under this heading which dealt with reactor pressure vessel failure, rupture of primary coolant pipes and pressure tubes, fuel cladding failures, and nuclear fuel reliability. A method was outlined for assessing pressure vessel fast fracture probability and formulating the required computer programmes. Such a method of analysis is needed in view of the difficulty of calculating nuclear component failure probability using statistical data from rare failure rates. The probability of pressure vessel rupture is evaluated using fracture mechanics in a probabilistic form. The final objective is to establish a general method giving a determination of the failure probabilities of different components of the reactor coolant pressure boundary, an assessment of the individual effects of the main parameters on the final result, and a basis for determining the interval for in-service inspections. Similar methods have been developed for the calculation of pipe rupture probabilities. Fracture mechanics calculations of flaw growth, together with the initial defect size distribution and detection probabilities, are used to predict the probability of a pipe rupture. The techniques can then be applied to the calculation of a complete pipe severance. The effects of proof testing and inspection on the failure rate as a function of time were predicted. The results show that the failure rate is a function of time and is not greatly affected by proof testing, but can be significantly reduced by in-service inspection. In another paper different methods were described for determining the probability of failure of a pressure tube in a heavy water reactor following a loss-of-coolant accident. In this case temperature and pressure transients are represented in terms of stochastic processes. Two processes are postulated which are statistically independent and their structure is defined according to a model of cumulated effects. Using plastic instability as the criterion of failure, the reliability of a zirconium pressure tube is evaluated. A practical example of how response surface methodology can be used in reactor safety assessment was described. The example chosen dealt with the problem of the structural integrity of fuel cladding during a loss-of-coolant accident.
3.2. Meteorology
The application of probabilistic analysis to the meteorological data used to determine atmospheric dispersion for accident evaluations was dealt with in four papers. In fact the application to meteorological data was one of the first uses of probabilistic methods in reactor safety problems. Various models have been developed and are now used extensively throughout the industry. New applications have arisen due to the need for more extensive assessment of environmental radiation doses both as a result of accidents and due to routine operation. Normally, licensing evaluations of radiation doses due to routine gaseous effluents are based upon the assumption that effluents are released at a continuous constant rate. The dose is assumed to be proportional to the product of the constant release rate and the atmospheric dispersion factor, both averaged over long periods. It is now considered that these evaluations must account for the intermittent nature of some releases, such as decay tank releases and containment purges. To obtain an accurate assessment of intermittent releases it is necessary to determine a probability distribution of dispersion factor values appropriate to intermittent release periods. A paper described the calculation of probability distributions for time-averaged dispersion factors at a location of interest for a single random release using hourly site meteorological data.
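As an added illustration, not taken from any of the four papers, the following Python script generates a constructed year of hourly dispersion factors and derives the distribution of the time-averaged factor seen by a single release of fixed duration starting at a random hour, so that the annual-average value can be compared with what an intermittent release actually experiences. The site data, the diurnal and seasonal pattern and the lognormal scatter are all assumptions; the receptor location is taken as fixed.

```python
import math
import random

HOURS_PER_YEAR = 8760


def synthetic_hourly_chi_q(seed=3):
    """Constructed hourly dispersion factors (s/m^3) for one year at a single
    receptor: stable night-time hours give higher chi/Q, with a mild seasonal
    cycle and lognormal scatter.  This is not site data."""
    rng = random.Random(seed)
    out = []
    for h in range(HOURS_PER_YEAR):
        hour_of_day = h % 24
        night = 1.0 if hour_of_day < 6 or hour_of_day >= 20 else 0.0
        season = 0.3 * math.cos(2 * math.pi * h / HOURS_PER_YEAR)
        base = 1.0e-6 * (1.0 + 2.0 * night + season)
        out.append(base * math.exp(rng.gauss(0.0, 0.6)))
    return out


def annual_average(chi_q):
    return sum(chi_q) / len(chi_q)


def window_averages(chi_q, duration_h):
    """Time-averaged chi/Q for a release of duration_h hours starting at every
    hour of the year.  Windows wrap around the year end so that each hour is
    used equally, which keeps the mean of the windows equal to the annual mean."""
    n = len(chi_q)
    ext = chi_q + chi_q[:duration_h]
    prefix = [0.0]
    for v in ext:
        prefix.append(prefix[-1] + v)
    return [(prefix[s + duration_h] - prefix[s]) / duration_h for s in range(n)]


def percentile(values, q):
    s = sorted(values)
    return s[min(len(s) - 1, int(q * len(s)))]


def intermittent_release_summary(duration_h=8, seed=3):
    """Compare the annual-average factor with the distribution seen by a single
    random release of the given duration (a containment purge, say)."""
    chi_q = synthetic_hourly_chi_q(seed)
    ann = annual_average(chi_q)
    win = window_averages(chi_q, duration_h)
    return {
        "annual_average": ann,
        "p50_over_annual": percentile(win, 0.50) / ann,
        "p95_over_annual": percentile(win, 0.95) / ann,
        "p_exceed_annual": sum(1 for w in win if w > ann) / len(win),
        "p_exceed_2x_annual": sum(1 for w in win if w > 2 * ann) / len(win),
    }
```

The two exceedance fractions are the quantities of interest: how often a random release sees a worse factor than the annual average, and how often it sees one worse by a large factor. The second is what decides whether the annual-average shortcut grossly underestimates the dose.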
The results have shown that the use of annual average dispersion factor values for evaluating doses from intermittent releases will give results which have a low probability of being exceeded by large amounts, and so their use would not grossly underestimate the doses. A second paper described analysis carried out to determine the effect of using more sophisticated plume rise and rainstorm models and of incorporating wind shear in meteorological calculations. The calculations show that reactor site wind and population distributions are not strongly correlated and that positive and negative correlations occur with nearly equal frequency, which suggests that their effects upon aggregate risk calculations will be largely self-cancelling. Results from risk calculations repeated using different unrelated meteorological data suggest that adequate risk estimates can be obtained for early fatalities, for which wind speed, atmospheric stability and precipitation data are not available, by substituting data from another site which has similar topography and meteorology. Some important conclusions were drawn from a study on the relative effectiveness of possible public protective measures following large releases of radioactivity into the environment. It appears that, in general, evacuation provides the largest reduction in whole body doses, although sheltering, particularly when basements are available, might be an acceptable alternative. For large-scale atmospheric releases, most early fatalities will occur within 10 miles of the reactor. Within 5 miles, evacuation is more effective than sheltering. Beyond 5 miles this distinction is less, or not apparent. Within 10 miles, early health effects are strongly influenced by the speed and efficiency of implementation of the protective measures, whereas beyond 10 miles they are not.
3.3. Safety studies
A number of papers were presented in which safety study assessments were described for different problems with different types of reactor using probabilistic analysis. A study of a realistic assessment of accident risks associated with the Clinch River breeder reactor was presented. The objective of this study was to compare the accident risks with other societal risks and to determine whether the risks were comparable to those for previously licensed reactors. The method adopted was to formulate a list of potential accident initiators. Each accident initiator had the potential to lead to an accident sequence involving plant protection devices. Event trees, fault trees, and appropriate occurrence probabilities were determined and radioactivity releases were estimated.
Finally, releases to the environment and the public health consequences were evaluated. The results showed that the Clinch River breeder reactor operational risks are small compared with other societal risks and are comparable to those for the present light water reactors. A calculation of the failure probability per year of the shut-down heat removal system of the Clinch River breeder reactor was given in another paper. The results gave a failure probability due to the loss of off-site power initiator ranging from 3 × 10^-4 per yr to 4 × 10^-6 per yr depending on the diesel generator failure probabilities. A third paper described the development of a probabilistic model for evaluating conditions in the containment of a breeder reactor following a core disruptive accident. The model gives possible accident progression sequences, reaction rates and the responses of the engineered safety systems. Other papers described risk assessment studies and probabilistic analysis for the fast flux test facility, and for the high temperature gas-cooled reactor.
A value-impact assessment was made of various alternative containment concepts for light water reactors. These different concepts were each compared in terms of their potential for reducing public risk and their construction cost. Probability analysis was used as a basis for determining potential risk reductions that can be obtained with the different containment schemes. The results showed that filtered atmospheric venting offers the greatest potential for reducing public risk for the least impact. Compartment venting and deep underground siting offer similar potential for reducing risk but have greater impacts. Evacuated containment and thinned base mat are low impact alternatives but offer little potential for reducing risk.
In safety studies it has been found that public risk is dominated by a few combinations of system failures. It is important in reactor safety studies to identify the accident sequences that dominate risk. A probabilistic method has been developed that deduces these dominant sequences with substantially less effort than was required previously. The method was described. A paper described the probabilistic analysis methods at present adopted by Electricité de France for the study of pressurized water reactor safety systems. Other papers described the validation of a probabilistic approach to the analysis of pressurized water reactor transients by analysis of transients that actually occurred; the impact of component outages on emergency core cooling system unavailability; and the reliability of d.c. power supplies.
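The following Python code, added to this review as an illustration and not taken from any of the symposium papers, shows the chain from basic-event data through fault trees to event-tree sequences for a loss-of-off-site-power initiator, and the ranking step that picks out the dominant core-damage sequences. The plant model, its basic events, the initiator frequency and every probability are constructed for the example; the fault trees are evaluated by minimal cut sets with the usual upper-bound approximation.

```python
import itertools

# Constructed basic-event probabilities; illustrative values, not data.
BASIC_EVENTS = {
    "DG1": 0.03,         # diesel generator 1 fails to start or run
    "DG2": 0.03,         # diesel generator 2 fails to start or run
    "PUMP_A": 0.01,      # shutdown cooling pump A unavailable
    "PUMP_B": 0.01,      # shutdown cooling pump B unavailable
    "CCF_PUMPS": 0.001,  # common-cause failure of both pumps
    "OP_ERR": 0.005,     # operator fails to initiate shutdown cooling
}

# Fault trees as nested tuples: ("AND", ...), ("OR", ...) or a basic event.
EMERGENCY_POWER_FAILS = ("AND", "DG1", "DG2")
COOLING_TRAIN_FAILS = ("OR", ("AND", "PUMP_A", "PUMP_B"), "CCF_PUMPS", "OP_ERR")
# Shutdown heat removal needs both emergency power and a cooling train.
SHUTDOWN_HEAT_REMOVAL_FAILS = ("OR", EMERGENCY_POWER_FAILS, COOLING_TRAIN_FAILS)


def minimal_cut_sets(tree):
    """Expand the gates into cut sets and discard the non-minimal ones."""
    if isinstance(tree, str):
        return [frozenset([tree])]
    gate, *children = tree
    child_sets = [minimal_cut_sets(c) for c in children]
    if gate == "OR":
        sets = {s for cs in child_sets for s in cs}
    elif gate == "AND":
        sets = {frozenset().union(*combo) for combo in itertools.product(*child_sets)}
    else:
        raise ValueError(f"unknown gate {gate}")
    return [s for s in sets if not any(o < s for o in sets)]


def cut_set_probability(cut_set, probs=BASIC_EVENTS):
    p = 1.0
    for event in cut_set:
        p *= probs[event]
    return p


def top_event_probability(tree, probs=BASIC_EVENTS):
    """Minimal-cut-set upper bound, 1 - prod(1 - P(cut set)); for rare events
    this is close to the plain sum of the cut-set probabilities."""
    q = 1.0
    for cs in minimal_cut_sets(tree):
        q *= 1.0 - cut_set_probability(cs, probs)
    return 1.0 - q


def event_tree(initiator_freq, headings):
    """Walk a binary event tree.

    headings: list of (name, failure probability, name of an earlier heading
    that must have succeeded for this one to be credited).  When that earlier
    system has failed the branch is not developed, which is the pruning of
    unnecessary branches that event-tree codes do automatically.
    Returns a list of (sequence label, frequency per yr, end state).
    """
    sequences = []

    def walk(i, label, freq, failed):
        if i == len(headings):
            state = "core damage" if failed else "success"
            sequences.append(("/".join(label), freq, state))
            return
        name, p_fail, needs = headings[i]
        if needs in failed:
            walk(i + 1, label + [name + ":n/a"], freq, failed | {name})
            return
        walk(i + 1, label + [name + ":ok"], freq * (1.0 - p_fail), failed)
        walk(i + 1, label + [name + ":fail"], freq * p_fail, failed | {name})

    walk(0, [], initiator_freq, frozenset())
    return sequences


def core_damage_frequency(sequences):
    return sum(f for _, f, state in sequences if state == "core damage")


def dominant_sequences(sequences, fraction=0.9):
    """Smallest set of core-damage sequences, highest frequency first, that
    accounts for at least `fraction` of the total core-damage frequency."""
    damage = sorted((s for s in sequences if s[2] == "core damage"),
                    key=lambda s: -s[1])
    total = core_damage_frequency(damage)
    chosen, acc = [], 0.0
    for s in damage:
        chosen.append(s)
        acc += s[1]
        if acc >= fraction * total:
            break
    return chosen


def loss_of_offsite_power_study(initiator_freq=0.1):
    """Assemble the event tree from the fault-tree results; the initiator
    frequency of 0.1 per yr is a constructed value."""
    headings = [
        ("EP", top_event_probability(EMERGENCY_POWER_FAILS), None),
        ("SHR", top_event_probability(COOLING_TRAIN_FAILS), "EP"),
    ]
    return event_tree(initiator_freq, headings)
```

Because the cooling train is made to depend on emergency power, the core-damage frequency summed over the event-tree sequences equals the initiator frequency times the top-event probability of the combined shutdown heat removal fault tree; the consistency check is in the assertions. Varying the two diesel generator probabilities is the sensitivity study described above.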
3.4. External events
Under this heading six papers were presented on seismic risks and hazards and two papers covered the risks associated with tornados, road, rail, river traffic and aircraft. Analysis of nuclear power plant safety with respect to severe seismic initiating events is receiving much current attention. The structural and mechanical engineer plays a larger role in seismic studies than in operational accident analysis. Seismic-initiated events may be the most critical contributors to the overall risk for important off-site releases. A study of the work carried out so far in this field shows that a number of different approaches have been taken and that the results vary widely. One paper detailed an analysis which could be instrumental in quantifying previous results. The method adopts system reliability analysis and probability distribution methods to determine the overall system reliability in severe seismic occurrences. Other work was described on the determination of the incremental seismic risk due to the presence of nuclear power plants using probabilistic analysis. The results of this study show that the incremental risk is generally very small compared to the background seismic risk, even in the case of core melt-out accidents. A method for determining the expected maximum site accelerations from seismic events in surrounding regions, using local seismic history, was described. Two papers dealt with the assessment of seismic risks at the Diablo Canyon power plant (California). Since large earthquakes are relatively rare events, risk studies for these events deal inevitably with small probabilities determined from combinations of rare events. Attempts have been made to document the necessary steps that must be taken to evaluate the consequences due to the effects of an earthquake. These steps include defining the possibility of the earthquake, defining the possible accident sequences, applying the failure data and carrying out a fault and event tree probability analysis. The results showed that even when considering the impact of accelerations well in excess of the likely maximum, the risk to the public due to possible earthquake damage was extremely small. The probability of an individual near to the site being exposed to 25 rem whole body is approximately 1 in 7 × 10^6 per yr. The papers presented on risks associated with other types of external events such as tornados, road, rail, and aircraft crashes concluded that these risks were small.
4. PROBABILISTIC METHODS IN RISK CRITERIA AND DESIGN STUDIES
It has been suggested that maximum risk criteria should be used to guide the design of advanced nuclear plants such as the breeder reactor. If such an approach is to be useful, it must not lead to excessively costly and time-consuming iterations of detailed design and detailed risk assessment. Risk allocation is a systematic procedure for establishing nuclear plant design reliability requirements such that a designed level of risk is achieved at a minimum cost. This procedure uses only approximate cost estimates, risk models and design information. It provides the capability to examine the sensitivities of design aims to their uncertainties. The breeder reactor safety programme being carried out by General Electric (U.S.) is developing risk allocation models to support and guide the choice of safety system reliability requirements and thereby to assure a positive relationship between a desired level of risk and safety system reliability. A paper described in detail how risk allocation analysis is used to choose safety function reliability design objectives to meet maximum risk criteria at minimum cost. The allocated parameters provide top level safety reliability requirements for power plant design. This example of risk allocation demonstrates the application of the methodology. Further details are given in a paper which describes a methodology by which quantitative risk and probabilistic safety criteria are used to supplement licensing regulations, and to guide the safety-related design of a large pool type liquid-metal fast breeder reactor. It points out the advantages of the approach, which are that supplementing conventional safety and licensing criteria in this way allows the design assessment to be made with greater confidence and that it provides a basis for the optimization of the safety-related aspects of the plant design. Other papers presented information on the application of probabilistic assessments to design studies of particular reactor plants and safety systems. These methods included the probabilistic assessment of a number of postulated common mode failures. Assessments of the engineered safeguards and surety systems for the gas-cooled breeder reactor design, a prototype liquid-metal fast breeder and the pressurized water reactor were presented. In particular, fault tree analysis has been used by Westinghouse (U.S.) to determine various aspects of the design of a reactor trip logic system.
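The following Python example, added to this review and not drawn from the General Electric programme or from any paper, works the risk allocation idea through on a constructed three-initiator plant. A cost model for buying down the unavailability of each safety function is assumed (a fixed cost per decade of unavailability), the minimum-cost allocation meeting a risk target is derived by a Lagrange multiplier (the objective is convex and the constraint linear, so the stationary point is the optimum), and a grid search confirms that no allocation on a coarse grid is cheaper. The initiator frequencies and cost weights are constructed values.

```python
import itertools
import math

# Constructed example: three accident initiators, each mitigated by a single
# safety function.  Risk (core damage frequency per yr) is the sum over
# initiators of initiator frequency times mitigating-function unavailability.
INITIATORS = {
    # name: (initiator frequency per yr, cost weight of its safety function)
    "loss of off-site power": (0.10, 4.0),
    "transient with loss of feedwater": (0.30, 2.0),
    "small pipe break": (0.02, 6.0),
}


def cost_of_unavailability(weight, q):
    """Assumed cost model: each factor-of-ten reduction in unavailability q
    costs `weight` cost units (redundancy, diversity, testing)."""
    return weight * (-math.log10(q))


def total_risk(alloc):
    return sum(INITIATORS[name][0] * q for name, q in alloc.items())


def total_cost(alloc):
    return sum(cost_of_unavailability(INITIATORS[name][1], q)
               for name, q in alloc.items())


def allocate(risk_target):
    """Minimum-cost allocation that meets risk_target exactly.

    Minimising sum_i w_i * (-ln q_i) subject to sum_i f_i q_i = R gives, via
    a Lagrange multiplier, q_i = w_i * R / (f_i * sum_j w_j): the expensive
    functions and the rare initiators are allowed the larger unavailability.
    """
    w_sum = sum(w for _, w in INITIATORS.values())
    alloc = {}
    for name, (f, w) in INITIATORS.items():
        q = w * risk_target / (f * w_sum)
        if q >= 1.0:
            raise ValueError(f"target too lax: {name} would need no mitigation")
        alloc[name] = q
    return alloc


def brute_force_check(risk_target, decades=(1, 2, 3, 4, 5, 6)):
    """Cheapest allocation on a grid of power-of-ten unavailabilities that
    meets the target, as (cost, allocation); used to confirm that the closed
    form is never beaten by a grid point."""
    best = None
    names = list(INITIATORS)
    for combo in itertools.product(decades, repeat=len(names)):
        alloc = {n: 10.0 ** (-d) for n, d in zip(names, combo)}
        if total_risk(alloc) <= risk_target:
            cost = total_cost(alloc)
            if best is None or cost < best[0]:
                best = (cost, alloc)
    return best
```

The allocated unavailabilities are the top-level reliability requirements handed to the system designers; tightening the risk target and re-running `allocate` shows directly which function's requirement moves most, which is the sensitivity examination mentioned above.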
Reliability studies of the system were conducted throughout the design stages and this resulted in a system which effectively eliminates spurious plant trips caused by failures within the system itself and yet is as reliable as the present systems. Other papers presented information on probabilistic assessments of common mode failures, fault tree analysis incorporating dependent events, the potential for the reduction of light water reactor core melt probability, human reliability analysis of dependent events, and the common cause failure experience for reliability analysis and design guidelines in nuclear breeder reactors.
5. COMPUTER CODES AND DATA SYSTEMS
Papers were presented in which details were given for a number of computer programme packages for the evaluation of fault trees and for fault tree probability analysis. They included SALP (sensitivity analysis by list processing), a computer-assisted technique for binary systems reliability analysis; FAUNET, a programme package for fault tree and network calculations; PL-MOD, a computer code for modular fault tree analysis and evaluation; AUTOET, a computer code which automatically draws a system event tree, eliminating unnecessary branches, and labels each accident sequence with probability, consequences and risks; PATREC, a code for evaluating the reliability of a complex system by fault trees; and SKIRON, a code for evaluating atmospheric dispersion for design basis accident analysis.
The data sources which are used at present have provided enough information for risk assessments, even though considerable analysis of the data is required in order to extract appropriate parameters. However, considerable insight and data analysis are necessary to identify accurately the causes of failure in a component so that effective component design changes can be implemented to improve resistance to failure. One of the major constraints in assessing reliability parameters based on previous experience with similar equipment is the inability to account accurately for detailed differences which may have a significant effect on reliability. Hence, one of the basic requirements for probabilistic risk assessment is the availability of component failure rate data. Various organizations collect data in order to evaluate and improve safety, reliability and availability. A number of papers were presented describing the aims and objectives of data systems. A proposal was made for setting up a centralized data system comprising a pool of raw data that could be processed to increase the low credibility of estimated parameters due to the lack of extensive information.
A data collection system is being set up in Europe for light water reactors with the cooperation of European countries, and it may be modified according to experience gained in the U.S.
6. PROBABILISTIC APPROACH TO WASTE DISPOSAL
The risk from radioactive waste disposal in a deep geological formation has not yet been completely assessed. A complete assessment should include credible estimates of the probability of escape of radioactivity into the human environment and the magnitude of the resultant consequences in terms of health effects. In addition, some estimate should be made of the dominant contributors to risk and of the uncertainties in these estimates. A paper described work at present being carried out at Sandia Laboratories, U.S., to develop a risk assessment methodology for the evaluation of deep geological waste disposal. The results of this and previous similar analyses are not entirely consistent due to the complexity of the problem and the degree to which the phenomena involved are understood. It was not possible to identify the most credible event from the analyses. The events which are major contributors to risk were volcanic explosion and volcanic movement to the ground surface, the probabilities of these events being of order 10^-12 per yr. Other workers have also carried out probabilistic analysis of radioactive release from geological waste disposal; in all cases results were not conclusive as the values of expected risk are sensitive to modelling assumptions and to uncertainties and unknowns in the available data. Further work in this field is necessary. One paper described a risk assessment carried out for one of the major conceivable internal accidents at a mixed-oxide fuel fabrication plant. An accident event tree with related probability analysis was deduced for a fire in a hot cell. A spectrum of possible fire magnitudes was assumed and for each event the plutonium release at a stack was evaluated. The results showed that the risk associated with this type of fire accident and, more generally, with internal incidents was low, although high building contamination values could be attained.
7. RISK-BENEFIT STUDIES
Public opposition is an important consideration for those responsible for energy planning. The formulation of socially viable policies requires an understanding of the reasons for this opposition. Nuclear technologists have always recognized the special safety aspects of the nuclear industry and have asserted that no other industry has paid so much attention, from the very onset, to its risks. Nevertheless outspoken, and sometimes militant, public opposition has begun to make itself felt. The concerns expressed by the opposition groups appear to centre upon safety-related issues. The end result of this opposition has been that many public decisions, based upon the best possible technical data, turned out to be socially unacceptable. A paper was presented in which the nature of the underlying determinants of public perceptions of energy systems was explored, with special attention paid to the role of safety issues in public opposition.
An attitude model was applied to identify the attitudes to nuclear, coal, oil, solar and hydro energy systems. Empirical results are given in which these systems were perceived in terms of four basic dimensions: psychological aspects, economic benefits, sociopolitical implications, and environmental and physical safety issues. A surprising result showed that safety issues made an appreciable contribution to attitudes towards all systems except nuclear, where it was not significant. Attitudes in opposition to nuclear power were primarily due to psychological aspects and concerns about personal and political power. Issues which have been thought by technologists to be straightforward technical or safety matters are often viewed by the public as being problems of social or psychological importance, not necessarily amenable to technical solution. A second paper discussed the decision analysis approach to risk assessment and used it to show that specifying an acceptably low probability for an outcome involving death implies a value of life. A survey of the implicit values of life used in several instances shows a large inconsistency. It was argued that the probability of death could be lowered without reducing benefits or increasing costs if a single value of life were used in all cases. It was suggested that a value of life computation could be used to assist government decision making, and should be recognized by the designers of a project, either explicitly or implicitly, when the project budget was specified. A paper was presented in which Bayesian decision theory, combined with conventional systems analysis techniques, was applied to assess economic and social cost benefits associated with reprocessing nuclear fuel. It was suggested that the methods could be used to compare economic benefits with social costs arising from other technological risks. Particular attention was given to three categories of social risk associated with reprocessing.
These were (a) health, environment, and safety; (b) diversion of fissile material, including sabotage etc.; and (c) nuclear proliferation. Emphasis in the paper was placed on item (c) and the results showed that commercial reprocessing coupled to power reactors contributes approximately 3% to the total risk of proliferation. Other papers presented under this heading dealt with occupational radiation standards based on morbidity risk, discount rates for social cost-benefit analysis, the relationship between catastrophic events and insurance liabilities, and public attitudes in relation to the risks presented by new technologies.