- Email: [email protected]
Risk perception, safety goals and regulatory decision-making
Reliability Engineering and System Safety 59 (1998) 135-i39
ELSEVIER
PII:S0951-8320(97)00134-8
© 1998 Elsevier Science Limited All rights reserved. Printed in Northern Ireland 0951-8320/98/$19.00
Risk perception, safety goals and regulatory decision-making Lars Hoegberg Swedish Nuclear Power lnspectorate (SKI), SE-106 58 Stockholm, Sweden
Deciding on 'how safe is safe enough?' includes value judgements with implications of an ethical and political nature. As regulators are accountable to governments, parliaments and the general public, regulatory decision-making should be characterized by transparency with respect to how such value judgements are reflected in risk assessments and regulatory decisions. Some approaches in this respect are discussed in the paper, based on more than fifteen years of experience in nuclear regulatory decision-making. Issues discussed include: (1) risk profiles and safety goals associated with severe reactor accidents--individual health risks, societal risks and risk of losing investments; (2) risk profile-based licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste. © 1998 Elsevier Science Limited.
risk perceptions of the political decision-makers in governments and parliaments. By definition, governments and parliaments have the final say on risk acceptance and tolerance in a democratic society. Therefore, regulators have to present and discuss risk evaluations and criteria for regulatory decisions in a way that is easily understandable for the political decision-makers, and that address the value judgements of political concern. Obviously, such presentations and discussions should be based on expert analyses of high quality. When a country decides to implement a nuclear power program, it involves a national commitment to maintain a technical and regulatory infrastructure to maintain safety, according to the principles of the International Convention on Nuclear Safety 5. This commitment will last for at least a century, from initiating the program till closure of a final repository for spent fuel or high-level waste from reprocessing. Ideally, there should be a stable regulatory regime over the life of such a program--Alvin Weinberg once spoke of 'a nuclear priesthood'. However, political values and public risk perceptions change over considerably shorter timescales as even a superficial glance at the political history of the twentieth century shows. This is something that the regulator has to realize and live with.
1 INTRODUCTION Regulatory decision-making in the area of nuclear safety is a special case of systems analysis and decision-making related to large societal systems. In dealing with largescale societal systems, the pioneers of modern systems analysis were well aware of the relevance of ethical and political aspects as analysed and discussed by the great philosophers from Plato, Aristotle, Leibniz, Kant and onwards I. In the past decades, the study of risk perception and decision-making has become a mature field in social and political sciences. Individual and societal risk perceptions and public and political acceptance of issues related to nuclear power have been studied in many countries, including Scandinavia 1-4. The purpose of this paper is not to discuss the scientific and philosophical aspects of risk perception and decision-making, but to present some insights and experience gained from Swedish regulatory risk assessment and decision-making on nuclear safety issues in the past decades.
2 BASIC P R E R E Q U I S I T E S AND CONCEPTS
2.1 The prerogative of the political decision-makers 2.2 Risk concepts and the use of risk profiles Regulators are accountable to government, parliament and, in the end, the general public whose health and safety they have been given the task to protect. The laws, ordinances and government directives reflect the value judgements and
There are many different meanings of the word 'risk'. Sometimes it is used simply to mean probability of a specific detrimental consequence, e.g. individual fatality 135
136
L. Hoegberg
risk. Sometimes the mathematical expected value is used, i.e. the product of the probability of an event and the magnitude of its estimated detrimental consequences, e.g. expressed in monetary terms. Use of single values of 'risk' as a basis for decision-making typically involves a number of implicit or explicit value judgements, e.g. that a frequent event with small consequences and a rare event with large consequences are judged equally detrimental, if the expected values in monetary terms are the same. A more comprehensive approach to risk assessment and presentation is provided by multi-attribute techniques. However, it should be noted that the weighting factors introduced in a multi-attribute decision-making model represent value .judgements with implications of an ethical and a political nature. Stakeholders in a regulatory decision include, inter alia, licensees, local communities and environmental groups. These stakeholders typically have different value judgements. Based on SKI experience of communication with such stakeholders, they want the value judgements used in regulatory decisions to be discussed in direct and easily understandable language and not in the framework of weighting factors in a complex mathematical model. In SKI regulatory work, the use of risk profiles rather than some single numerical risk estimate is preferred. Risk profiles include qualitative and quantitative descriptions of representative scenarios (combinations of events, sequences and processes) with detrimental consequences and their estimated probabilities. The selected scenarios should cover all major contributors to risk as far as is reasonably achievable. The detrimental consequences are described in both qualitative and quantitative terms, trying to assign weight to various types of consequences in an explicit way. Comparison with risk profiles provided by nature and various societal activities are made to enable comparisons of consistency in value judgements where appropriate.
2.3 Handling of uncertainties in risk evaluations and decision-making Uncertainties in risk estimates should be explicitly discussed as such uncertainties may play a major role both with regard to risk perceptions and in actual decisionmaking. In fact they may influence the choice of regulatory decision-making strategies 2. Interesting examples with regard to how uncertainties may be taken into account when considering safety options for prevention and mitigation of severe reactor accidents are given in the international peer review 6 of the USNRC NUREG-1150 report 7 on severe accident risks. For example, it was observed in the review report: 'Cases of special interest include sequences where the risk of high consequences is mainly driven by overlapping tails of probability distributions for two events, e.g. the probability that containment pressure exceeds a certain value and the probability of containment failure at that
pressure. One approach to risk management in such cases would be to consider as tolerable a small increment in the probability of an event with small or moderate consequences as a trade-off for a substantial reduction of a large uncertainty band associated with a high-consequence event, even though this event has a low point value estimate of probability.' (6, p. 43.) The filtered containment venting systems installed in Sweden and some other countries exemplify such an approach, where the issue of uncertainties in failure of the containment from overpressure is resolved by accepting a possible small increment in the probability of a minor radioactive release by unwarranted operation of the filtered vent system. As assessments of risks associated with nuclear power reactors largely rely on probabilistic safety assessments (PSA), discussions of uncertainties in PSA results play a role in public and political risk perception. Therefore, it is of interest to discuss which uncertainties might remain with regard to the reliability of the functioning of the safety systems~ as estimated with PSA methods. Known or estimated uncertainties in computer models used and statistical data give one type of indication in this respect. It is also interesting to make a reevaluation of the impact in PSA terms of earlier unknown safety deficiencies that have been identified through improved analysis methods or incidents that have occurred. Such evaluations of empirical experience, both with regard to earlier unidentified technical safety deficiencies and with regard to the types of human errors that are incompletely covered by PSAs, have shown t that there have been uncertainties and lack of completeness in earlier safety evaluations corresponding to about ten to a hundred times higher probability of core damage, related to a reference level of about 10 -5 per year of reactor operation. With such empirical evidence it is, on the one hand, not possible to rule out the possibility that safety deficiencies of similar importance exist at some reactors; deficiencies that have not yet been identified. On the other hand, the same empirical evidence indicates that systematic safety efforts, with recurrent reevaluation of older safety assessments based on operational experience, incidents and the development of assessment methods, have given the capability to identify and attend to earlier unknown safety deficiencies before they have led to serious accidents. Risk assessments and risk perceptions should therefore not only be a matter of interpretation of estimated probabilities of severe core damage, with associated uncertainties, but it is equally important to assess the quality and the credibility of the
*This statement is based on experience from the Swedish program of plant-specific PSAs, as well as the evaluation of the clogged strainer incident at the Barsebeck NPP and findings during the modernization of the Oskarshamn 1 NPP. Findings reported from sucessive generations of PSAs in other countries point the same way, as well as OECD/NEA studies on human errors of commission in the late 1980s.
Regulatory ongoing safety efforts at the plants aimed at preventing any occurrence of serious accidents*. The statement in the previous paragraph reflects the widespread agreement that the quality of the safety work of all organizations, industry as well as regulators, their ‘safety culture’, has a substantial impact on both the actual safety level at nuclear power plants and on risk perception. Commercial airline experience provides some additional empirical data indicating the impact of safety culture in operation and maintenance on risk evaluations and associated uncertainties. Large international airlines all operate aircraft designed to the same international safety regulations and under the same international safety regulations for operation, maintenance and air traffic control. Nevertheless, there is a difference of an order of magnitude or more in accident and serious incident frequency’.
3 SOME EXAMPLES OF RISK CONSIDERATIONS IN REGULATORY DECISIONS 3.1 Reactor safety principles and objectives compared to the ICRP radiation protection principles and objectives The ICRP recommendations on radiation protection principles and objectives” play a fundamental role in the regulation of public health and safety with respect to ionizing radiation. Therefore, it is interesting to compare the ICRP principles for radiation protection with the practical application of reactor safety principles and objectives, as they have developed over the years. The ICRP principles relate mainly to individual and collective health risks, and address the justification of a practice, the optimization of protection, and individual dose and risk limits. The references to potential exposure make it clear that the principles are also aimed at reducing the probability of accidents. Moreover, the ICRP justification and optimization principles imply that some type of risk-cost-benefit considerations should be made, as appropriate. Typically, a ‘reasonable’ cost per mar&v averted, and, hence, human life saved, is implicitly or explicitly used in regulatory decisions by radiation protection authorities. In Scandinavia and many other countries, values in the range 20 000-400 000$ per manSv averted have been used2. According to ICRP, a collective dose of 1 manSv is associated with a late cancer fatality risk of 5x10-*. The reactor safety objectives and principles, such as the defence in depth principle, give more direct emphasis to the avoidance of accidents and the mitigation of their effects. There is no direct referral to optimization of safety in the international reactor safety fundamentals documents, but some countries apply cost-benefit considerations in their regulatory work. On the other hand, safety targets in probabilistic terms such as those given by the IAEA International Nuclear Safety Advisory Group, INSAG”, can be interpreted as what may be reasonably achievable
decision-making
137
with existing technology and safety management practices. Comparing the ICRP principles and objectives with reactor safety practices as reflected in insights gained from PSA studies leads to some interesting conclusions. Firstly, it can be concluded that it is not meaningful to try to deduce the cost for a saved human life from level 3 PSAs as a basis for optimization of reactor safety, as the uncertainties in the estimates of individual health risks from reactor accidents are far too large. NUREG-1150’ indicates a span of four orders of magnitude or more between the fifth and ninety-fifth percentile for the estimated individual probability of receiving a promptly fatal dose due to a reactor accident. Evidently, with such a spread in probability estimates, it is meaningless to calculate and compare costs per saved human life as a basis for regulatory decisions-the spread in the cost estimates will be equally large. Secondly, it can be concluded that reactor safety is not driven by optimization based on US $ per potentially averted manSv of collective dose12. Notwithstanding the large uncertainties in probability estimates just mentioned, attempts have been made to calculate the cost-effectiveness of various safety improvements based on the cost per potentially averted manSv, and using some ‘best estimate’ of accident probabilities. Such calculations tend to indicate that only safety improvements costing far less than 100000 $ are ‘cost-effective’ using a criterion of about 100000 $ per manSv potentially averted. As a nuclear power reactor represents a capital investment of about 3 billion $, a probability of a core melt and, hence, loss of plant, of the order of 10V3- 10m4/reactor year is theoretically associated with a ‘risk insurance cost’ of 0.3-3 MS/year, calculated in a simplified way as the expected annual monetary value for loss of investment. Thus, investments in safety improvements of the order of 1- 10 M$ would be sensible with regard to protection of total plant investment if they reduce the probability of a core melt with a factor of ten from the 10e3- 10-4/reactor year core damage frequency range, as such investments would be ‘paid back’ in less than five years by reducing the risk insurance cost as calculated above. Release mitigation measures are not covered by such economic considerations as they only protect the environment and not the investment, whereas preventive measures protect both. It is even doubtful if a reactor containment can be considered cost-effective, using the criterion 100 000 $ per potentially averted manSv if a level of preventive safety has been achieved, corresponding to a core melt probability of 10e4- 10W5/reactor year. Indeed, decisions in Sweden and some other countries to strengthen containments and install filtered venting systems were also taken with the explicit objective to reduce the probability of unacceptable social consequences due to large-scale ground contamination, without going into theoretical cost-effectiveness considerations. Summarizing, it appears that the reactor safety level considered reasonable to require and achieve today is driven by a combination of considerations, notably including protection of the investment and a political aim to reduce
138
L. Hoegberg
as far as reasonably achievable the probability of releases resulting in large-scale ground contamination, with sociopolitical consequences that are difficult to manage for any government--as the Chernobyl accident demonstrated in many European countries. Thirdly, it can be concluded ~3 that the life and health of the individual is protected with substantial margins with respect to ICRP criteria, given the reactor safety level considered reasonably achievable today. The ICRP criteria for individual dose and health risk limits correspond to a maximum increment in annual individual mortality risk of 10 -5, corresponding to a dose increment of 0.2 mSv/ year. In terms of potential exposures, this corresponds to a probability < 2 × 10-3/year for a dose > 100mSv and < 2 × 10-a/year for a dose > 1 Sv. For light-water reactors built to normal Western standards, it would require a core melt accident with containment damage to give such dose levels outside the plant. Thus, it may be concluded that the ICRP health risk limits may be complied with by a reactor that has a probability of a core melt with substantial off-site releases as high as 10% over a total operating life of 40years. This is clearly unacceptable with regard to protection of the investment, of the environment and of society in general. Off-site dose levels such as those cited above can be expected to require substantial emergency measures, such as at least temporary food restrictions and also some evacuation. Also, such probabilities would far exceed what is considered as a reasonably achievable level of reactor safety. Thus, INSAG has stated 11 that the target for existing nuclear power plants, implementing internationally recognized safety principles, is a likelihood of occurrence of severe core damage below about 10-a/reactor year. Application of all such safety principles at future plants should according to INSAG lead to the achievement of an improved goal of not more than about 10 -5 such events per reactor year. Severe accident management and mitigatory measures should reduce by at least a factor of ten the probability of large external releases, requiring off-site response in the short term. The probability of a given individual being actually harmed by a radiation dose, given a reactor accident, is less than unity. This means that for plants applying all the safety principles according to INSAG, the annual probability of individual fatality would be much less than 10 -5-10-6/reactor year, implying that the ICRP individual health risk criteria are met with considerable margins.
3.2 Risk profile-based licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste Assessment of risks associated with sources or practices which extend over extremely long times, such as final disposal of spent fuel and high level waste, poses special methodological problems, inter alia connected with assignment of probabilities to events and processes over very long time spans. The assessment techniques are still being
developed and have not yet reached the same degree of maturity as, for example, PSA for nuclear power reactors. However, the same basic approach appears feasible, starting by mapping and selecting scenarios covering the main contributors to risk, and analysing these scenarios with the appropriate state-of-the-art performance assessment models. The end result will typically be estimated source terms for radioactivity released to the biosphere as a function of time associated with each scenario. These source terms may in turn be translated to exposures, keeping in mind that uncertainties in modeling of biospheric pathways, as well as population distribution and socio-economic conditions of the affected population, also grow with time. Estimates of health risk will to a great extent depend on estimated subjective probabilities for each scenario as a whole and for certain critical events and processes within each scenario, such as early failure of one or more spent fuel canisters, or the release delaying properties of the geological formation chosen for the location of the repository. The handling of risk profiles and uncertainties in the licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste provides an interesting example. The SFR facility is designed for final storage of some 100000 m 3 of low and intermediate level waste in caverns covered by some 50 m of rock and a few meters of sea water as the facility is situated a few hundred meters outside the shoreline on the coast of the Baltic Sea. For the first thousand years to come, with the Oregrundsgrepen (a bay of the Baltic Sea) as a recipient providing a high degree of dilution and dispersion, the resulting doses to human beings and other living organisms are estimated to be very low and practically negligible in comparison to doses from naturally existing radiation sources. For longer time spans, after some 1500 years, there are larger uncertainties, as the ongoing landrise in that part of the Baltic then will put the SFR facility well inside the new shoreline. A key issue in the licensing process was the risks associated with about 10 TBq of longlived nuclides that the SFR facility may contain, notably if wells were drilled in the vicinity of the repository. Today, you will typically find at least one drilled well per square kilometer in similar rural environments in Sweden. In the licensing review ~4 made by SKI and the Swedish Radiation Protection Institute, SSI, it was found that, in a realistic case, the resulting radiation doses would likely be considerably lower than those which man receives from natural sources. However, it was noted that a dose calculation, which attempts to predict a probable outcome, including realistic assumptions on releases of radioactive substances from the repository and further transport to and distribution via various pathways in the biosphere would require considerable efforts and would be difficult to prove strictly. The licensing review calculations of the consequences were therefore made using simplified models, where the simplification was made so as to overestimate the consequences with high assurance. Values for different parameters, such as adsorption data, groundwater flow,
Regulatory decision-making food and water consumption data, etc., were also chosen in such a way that the consequences were overestimated. According to the estimates made in the licensing review such an approach led to individual doses around 1 mSv/ year to a few persons drinking water from a well downstream the repository. If, in addition, combinations of improbable circumstances are taken into account, doses of the order of 10 mSv/year might occur as extreme cases (ceiling values). The radiation doses thus calculated under pessimistic assumptions exceed the reference values applied by SSI to the protection of individuals from nuclear activities, but they are not higher than the normal variation in exposure from natural sources. They are, for example, of the same order of magnitude as the doses that radoncontaining water from wells may cause, which amount to a few millisieverts per year. The appearance of individual doses in the range 1 - 1 0 mSv/year were estimated to be improbable, as this presumes that a combination of mutually independent, pessimistic assumptions are simultaneously fulfilled, such as an uncontrolled well in the vicinity of the repository as an exposure path, and a detrimental formation of complex ions from cellulose residues. However, quantitative probability estimates were not considered meaningful as a basis for decisions. In summary, and considering the pessimistic assumptions, SKI and SSI concluded that the SFR facility presented a risk profile with respect to probability of exposure of limited groups that did not deviate significantly from what the Swedish society accepts today with respect to exposure from naturally occurring radioactive substances without requiring special measures to be taken by society. Based on these findings and conclusions the operating licence was granted. As a licensing condition, the licensee was required to take certain measures to reduce the most important of the uncertainties that might contribute to doses in a longer time perspective, such as reducing the amount of complex-forming substances in the waste packages. It should be noted that this licensing decision was endorsed by the Boards of both SKI and SSI, and that these two boards include members of the Swedish Parliament, as well as independent experts.
4 CONCLUSIONS In conclusion, it may be stated that there are no simple decision-making models and criteria that can be applied to the problems of risk assessment, risk perception and regulatory and political decision-making related to nuclear power. Thus, it appears from the analysis presented in this paper that the reactor safety level considered reasonable to require and achieve today is driven by a combination of considerations, notably including protection of the investment and a political aim to reduce as far as reasonably achievable the probability of releases resulting in largescale ground contamination, with socio-political consequences that are difficult to manage for any government.
139
It may also be concluded that the life and health of the individual is protected with substantial margins with respect to the internationally recognized radiation protection criteria of ICRP, given the reactor safety level considered reasonably achievable today. In safety assessments of final repositories for long-lived radioactive waste, quantitative risk calculations over very long time spans are associated with large uncertainties. However, comparisons with risk profiles generated by naturally occurring radioactive substances and the associated uncertainties may be useful. Communicating the value judgements and criteria used in regulatory decisions and the resulting level of protection in direct and easily understandable language represents a real challenge to regulators as they are accountable to political decision-makers and the general public.
REFERENCES 1. West Churchman, C., The Systems Approach. Delta Books, Dell, New York, 1968. 2. Principles for decisions involving environmental and health risks. Final report of a Joint Nordic Research Project in Nuclear Safety, Nordic Liaison Committee for Atomic Energy, Stockholm, 1989. 3. Drottz-Sjrberg, B.-M., Perception of Risk. Studies of Risk Attitudes, Perceptions and Definitions. Stockholm School of Economics, Center for Risk Research, Stockholm, 1991. 4. Ethical aspects on nuclear waste. Report from the Swedish consultative committee for nuclear waste management (KASAM) and the National Board for Spent Nuclear Fuel, SKN Report 29, Stockholm, 1988. 5. Convention on Nuclear Safety. IAEA Legal Series no. 16, Vienna, 1994. 6. Special committee review of the Nuclear Regulatory Commission's severe accident risks report (NUREG-1150). NUREG-1420, USNRC, Washington, DC, 1990. 7. Severe accident risks: an assessment for five U.S. nuclear power plants. NUREG- 1150, USNRC, Washington, DC, 1989. 8. The status with regard to safety and radiation protection at the Swedish nuclear power plants for the operational year 1994/95. Joint report by the Swedish Nuclear Power Inspectorate (SKI) and the Swedish Radiation Protection Institute (SSI), SKI Report 95:63 (SSI Report 95-27), Stockholm, 1995. 9. Flight Safety Foundation, Icarus Committee, cited in the Swedish Government Committee Report SOU, 1995, p. 57. 10. 1990 Recommendations of the International Commission on Radiological Protection. ICRP Publication 60, Pergamon Press, Oxford, 1991. 11. Basic safety principles for nuclear power plants. Report by the International Nuclear Safety Advisory Group, INSAG-3, IAEA, Vienna, 1988. 12. Bengtsson, G. & Hrgberg, L., Status of achievements reached in applying optimisation of protection in prevention and mitigation of severe accidents. Proceedings of an ad hoc meeting on the Application of Optimisation of Protection in Regulation and Operational Practices, OECD/NEA, Paris, 1988. 13. Potential exposure in nuclear safety. Report by the International Nuclear Safety Advisory Group, INSAG-9, IAEA, Vienna, 1995. 14. Operating permit for the SFR final disposal facility for reactor waste. SKI Licensing Decision, May 20, 1992 SKI File No. 7.41-880433; see also SKI Technical Report 92:16.
ELSEVIER
PII:S0951-8320(97)00134-8
© 1998 Elsevier Science Limited All rights reserved. Printed in Northern Ireland 0951-8320/98/$19.00
Risk perception, safety goals and regulatory decision-making Lars Hoegberg Swedish Nuclear Power lnspectorate (SKI), SE-106 58 Stockholm, Sweden
Deciding on 'how safe is safe enough?' includes value judgements with implications of an ethical and political nature. As regulators are accountable to governments, parliaments and the general public, regulatory decision-making should be characterized by transparency with respect to how such value judgements are reflected in risk assessments and regulatory decisions. Some approaches in this respect are discussed in the paper, based on more than fifteen years of experience in nuclear regulatory decision-making. Issues discussed include: (1) risk profiles and safety goals associated with severe reactor accidents--individual health risks, societal risks and risk of losing investments; (2) risk profile-based licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste. © 1998 Elsevier Science Limited.
risk perceptions of the political decision-makers in governments and parliaments. By definition, governments and parliaments have the final say on risk acceptance and tolerance in a democratic society. Therefore, regulators have to present and discuss risk evaluations and criteria for regulatory decisions in a way that is easily understandable for the political decision-makers, and that address the value judgements of political concern. Obviously, such presentations and discussions should be based on expert analyses of high quality. When a country decides to implement a nuclear power program, it involves a national commitment to maintain a technical and regulatory infrastructure to maintain safety, according to the principles of the International Convention on Nuclear Safety 5. This commitment will last for at least a century, from initiating the program till closure of a final repository for spent fuel or high-level waste from reprocessing. Ideally, there should be a stable regulatory regime over the life of such a program--Alvin Weinberg once spoke of 'a nuclear priesthood'. However, political values and public risk perceptions change over considerably shorter timescales as even a superficial glance at the political history of the twentieth century shows. This is something that the regulator has to realize and live with.
1 INTRODUCTION Regulatory decision-making in the area of nuclear safety is a special case of systems analysis and decision-making related to large societal systems. In dealing with largescale societal systems, the pioneers of modern systems analysis were well aware of the relevance of ethical and political aspects as analysed and discussed by the great philosophers from Plato, Aristotle, Leibniz, Kant and onwards I. In the past decades, the study of risk perception and decision-making has become a mature field in social and political sciences. Individual and societal risk perceptions and public and political acceptance of issues related to nuclear power have been studied in many countries, including Scandinavia 1-4. The purpose of this paper is not to discuss the scientific and philosophical aspects of risk perception and decision-making, but to present some insights and experience gained from Swedish regulatory risk assessment and decision-making on nuclear safety issues in the past decades.
2 BASIC P R E R E Q U I S I T E S AND CONCEPTS
2.1 The prerogative of the political decision-makers 2.2 Risk concepts and the use of risk profiles Regulators are accountable to government, parliament and, in the end, the general public whose health and safety they have been given the task to protect. The laws, ordinances and government directives reflect the value judgements and
There are many different meanings of the word 'risk'. Sometimes it is used simply to mean probability of a specific detrimental consequence, e.g. individual fatality 135
136
L. Hoegberg
risk. Sometimes the mathematical expected value is used, i.e. the product of the probability of an event and the magnitude of its estimated detrimental consequences, e.g. expressed in monetary terms. Use of single values of 'risk' as a basis for decision-making typically involves a number of implicit or explicit value judgements, e.g. that a frequent event with small consequences and a rare event with large consequences are judged equally detrimental, if the expected values in monetary terms are the same. A more comprehensive approach to risk assessment and presentation is provided by multi-attribute techniques. However, it should be noted that the weighting factors introduced in a multi-attribute decision-making model represent value .judgements with implications of an ethical and a political nature. Stakeholders in a regulatory decision include, inter alia, licensees, local communities and environmental groups. These stakeholders typically have different value judgements. Based on SKI experience of communication with such stakeholders, they want the value judgements used in regulatory decisions to be discussed in direct and easily understandable language and not in the framework of weighting factors in a complex mathematical model. In SKI regulatory work, the use of risk profiles rather than some single numerical risk estimate is preferred. Risk profiles include qualitative and quantitative descriptions of representative scenarios (combinations of events, sequences and processes) with detrimental consequences and their estimated probabilities. The selected scenarios should cover all major contributors to risk as far as is reasonably achievable. The detrimental consequences are described in both qualitative and quantitative terms, trying to assign weight to various types of consequences in an explicit way. Comparison with risk profiles provided by nature and various societal activities are made to enable comparisons of consistency in value judgements where appropriate.
2.3 Handling of uncertainties in risk evaluations and decision-making Uncertainties in risk estimates should be explicitly discussed as such uncertainties may play a major role both with regard to risk perceptions and in actual decisionmaking. In fact they may influence the choice of regulatory decision-making strategies 2. Interesting examples with regard to how uncertainties may be taken into account when considering safety options for prevention and mitigation of severe reactor accidents are given in the international peer review 6 of the USNRC NUREG-1150 report 7 on severe accident risks. For example, it was observed in the review report: 'Cases of special interest include sequences where the risk of high consequences is mainly driven by overlapping tails of probability distributions for two events, e.g. the probability that containment pressure exceeds a certain value and the probability of containment failure at that
pressure. One approach to risk management in such cases would be to consider as tolerable a small increment in the probability of an event with small or moderate consequences as a trade-off for a substantial reduction of a large uncertainty band associated with a high-consequence event, even though this event has a low point value estimate of probability.' (6, p. 43.) The filtered containment venting systems installed in Sweden and some other countries exemplify such an approach, where the issue of uncertainties in failure of the containment from overpressure is resolved by accepting a possible small increment in the probability of a minor radioactive release by unwarranted operation of the filtered vent system. As assessments of risks associated with nuclear power reactors largely rely on probabilistic safety assessments (PSA), discussions of uncertainties in PSA results play a role in public and political risk perception. Therefore, it is of interest to discuss which uncertainties might remain with regard to the reliability of the functioning of the safety systems~ as estimated with PSA methods. Known or estimated uncertainties in computer models used and statistical data give one type of indication in this respect. It is also interesting to make a reevaluation of the impact in PSA terms of earlier unknown safety deficiencies that have been identified through improved analysis methods or incidents that have occurred. Such evaluations of empirical experience, both with regard to earlier unidentified technical safety deficiencies and with regard to the types of human errors that are incompletely covered by PSAs, have shown t that there have been uncertainties and lack of completeness in earlier safety evaluations corresponding to about ten to a hundred times higher probability of core damage, related to a reference level of about 10 -5 per year of reactor operation. With such empirical evidence it is, on the one hand, not possible to rule out the possibility that safety deficiencies of similar importance exist at some reactors; deficiencies that have not yet been identified. On the other hand, the same empirical evidence indicates that systematic safety efforts, with recurrent reevaluation of older safety assessments based on operational experience, incidents and the development of assessment methods, have given the capability to identify and attend to earlier unknown safety deficiencies before they have led to serious accidents. Risk assessments and risk perceptions should therefore not only be a matter of interpretation of estimated probabilities of severe core damage, with associated uncertainties, but it is equally important to assess the quality and the credibility of the
*This statement is based on experience from the Swedish program of plant-specific PSAs, as well as the evaluation of the clogged strainer incident at the Barsebeck NPP and findings during the modernization of the Oskarshamn 1 NPP. Findings reported from sucessive generations of PSAs in other countries point the same way, as well as OECD/NEA studies on human errors of commission in the late 1980s.
Regulatory ongoing safety efforts at the plants aimed at preventing any occurrence of serious accidents*. The statement in the previous paragraph reflects the widespread agreement that the quality of the safety work of all organizations, industry as well as regulators, their ‘safety culture’, has a substantial impact on both the actual safety level at nuclear power plants and on risk perception. Commercial airline experience provides some additional empirical data indicating the impact of safety culture in operation and maintenance on risk evaluations and associated uncertainties. Large international airlines all operate aircraft designed to the same international safety regulations and under the same international safety regulations for operation, maintenance and air traffic control. Nevertheless, there is a difference of an order of magnitude or more in accident and serious incident frequency’.
3 SOME EXAMPLES OF RISK CONSIDERATIONS IN REGULATORY DECISIONS 3.1 Reactor safety principles and objectives compared to the ICRP radiation protection principles and objectives The ICRP recommendations on radiation protection principles and objectives” play a fundamental role in the regulation of public health and safety with respect to ionizing radiation. Therefore, it is interesting to compare the ICRP principles for radiation protection with the practical application of reactor safety principles and objectives, as they have developed over the years. The ICRP principles relate mainly to individual and collective health risks, and address the justification of a practice, the optimization of protection, and individual dose and risk limits. The references to potential exposure make it clear that the principles are also aimed at reducing the probability of accidents. Moreover, the ICRP justification and optimization principles imply that some type of risk-cost-benefit considerations should be made, as appropriate. Typically, a ‘reasonable’ cost per mar&v averted, and, hence, human life saved, is implicitly or explicitly used in regulatory decisions by radiation protection authorities. In Scandinavia and many other countries, values in the range 20 000-400 000$ per manSv averted have been used2. According to ICRP, a collective dose of 1 manSv is associated with a late cancer fatality risk of 5x10-*. The reactor safety objectives and principles, such as the defence in depth principle, give more direct emphasis to the avoidance of accidents and the mitigation of their effects. There is no direct referral to optimization of safety in the international reactor safety fundamentals documents, but some countries apply cost-benefit considerations in their regulatory work. On the other hand, safety targets in probabilistic terms such as those given by the IAEA International Nuclear Safety Advisory Group, INSAG”, can be interpreted as what may be reasonably achievable
decision-making
137
with existing technology and safety management practices. Comparing the ICRP principles and objectives with reactor safety practices as reflected in insights gained from PSA studies leads to some interesting conclusions. Firstly, it can be concluded that it is not meaningful to try to deduce the cost for a saved human life from level 3 PSAs as a basis for optimization of reactor safety, as the uncertainties in the estimates of individual health risks from reactor accidents are far too large. NUREG-1150’ indicates a span of four orders of magnitude or more between the fifth and ninety-fifth percentile for the estimated individual probability of receiving a promptly fatal dose due to a reactor accident. Evidently, with such a spread in probability estimates, it is meaningless to calculate and compare costs per saved human life as a basis for regulatory decisions-the spread in the cost estimates will be equally large. Secondly, it can be concluded that reactor safety is not driven by optimization based on US $ per potentially averted manSv of collective dose12. Notwithstanding the large uncertainties in probability estimates just mentioned, attempts have been made to calculate the cost-effectiveness of various safety improvements based on the cost per potentially averted manSv, and using some ‘best estimate’ of accident probabilities. Such calculations tend to indicate that only safety improvements costing far less than 100000 $ are ‘cost-effective’ using a criterion of about 100000 $ per manSv potentially averted. As a nuclear power reactor represents a capital investment of about 3 billion $, a probability of a core melt and, hence, loss of plant, of the order of 10V3- 10m4/reactor year is theoretically associated with a ‘risk insurance cost’ of 0.3-3 MS/year, calculated in a simplified way as the expected annual monetary value for loss of investment. Thus, investments in safety improvements of the order of 1- 10 M$ would be sensible with regard to protection of total plant investment if they reduce the probability of a core melt with a factor of ten from the 10e3- 10-4/reactor year core damage frequency range, as such investments would be ‘paid back’ in less than five years by reducing the risk insurance cost as calculated above. Release mitigation measures are not covered by such economic considerations as they only protect the environment and not the investment, whereas preventive measures protect both. It is even doubtful if a reactor containment can be considered cost-effective, using the criterion 100 000 $ per potentially averted manSv if a level of preventive safety has been achieved, corresponding to a core melt probability of 10e4- 10W5/reactor year. Indeed, decisions in Sweden and some other countries to strengthen containments and install filtered venting systems were also taken with the explicit objective to reduce the probability of unacceptable social consequences due to large-scale ground contamination, without going into theoretical cost-effectiveness considerations. Summarizing, it appears that the reactor safety level considered reasonable to require and achieve today is driven by a combination of considerations, notably including protection of the investment and a political aim to reduce
138
L. Hoegberg
as far as reasonably achievable the probability of releases resulting in large-scale ground contamination, with sociopolitical consequences that are difficult to manage for any government--as the Chernobyl accident demonstrated in many European countries. Thirdly, it can be concluded ~3 that the life and health of the individual is protected with substantial margins with respect to ICRP criteria, given the reactor safety level considered reasonably achievable today. The ICRP criteria for individual dose and health risk limits correspond to a maximum increment in annual individual mortality risk of 10 -5, corresponding to a dose increment of 0.2 mSv/ year. In terms of potential exposures, this corresponds to a probability < 2 × 10-3/year for a dose > 100mSv and < 2 × 10-a/year for a dose > 1 Sv. For light-water reactors built to normal Western standards, it would require a core melt accident with containment damage to give such dose levels outside the plant. Thus, it may be concluded that the ICRP health risk limits may be complied with by a reactor that has a probability of a core melt with substantial off-site releases as high as 10% over a total operating life of 40years. This is clearly unacceptable with regard to protection of the investment, of the environment and of society in general. Off-site dose levels such as those cited above can be expected to require substantial emergency measures, such as at least temporary food restrictions and also some evacuation. Also, such probabilities would far exceed what is considered as a reasonably achievable level of reactor safety. Thus, INSAG has stated 11 that the target for existing nuclear power plants, implementing internationally recognized safety principles, is a likelihood of occurrence of severe core damage below about 10-a/reactor year. Application of all such safety principles at future plants should according to INSAG lead to the achievement of an improved goal of not more than about 10 -5 such events per reactor year. Severe accident management and mitigatory measures should reduce by at least a factor of ten the probability of large external releases, requiring off-site response in the short term. The probability of a given individual being actually harmed by a radiation dose, given a reactor accident, is less than unity. This means that for plants applying all the safety principles according to INSAG, the annual probability of individual fatality would be much less than 10 -5-10-6/reactor year, implying that the ICRP individual health risk criteria are met with considerable margins.
3.2 Risk profile-based licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste Assessment of risks associated with sources or practices which extend over extremely long times, such as final disposal of spent fuel and high level waste, poses special methodological problems, inter alia connected with assignment of probabilities to events and processes over very long time spans. The assessment techniques are still being
developed and have not yet reached the same degree of maturity as, for example, PSA for nuclear power reactors. However, the same basic approach appears feasible, starting by mapping and selecting scenarios covering the main contributors to risk, and analysing these scenarios with the appropriate state-of-the-art performance assessment models. The end result will typically be estimated source terms for radioactivity released to the biosphere as a function of time associated with each scenario. These source terms may in turn be translated to exposures, keeping in mind that uncertainties in modeling of biospheric pathways, as well as population distribution and socio-economic conditions of the affected population, also grow with time. Estimates of health risk will to a great extent depend on estimated subjective probabilities for each scenario as a whole and for certain critical events and processes within each scenario, such as early failure of one or more spent fuel canisters, or the release delaying properties of the geological formation chosen for the location of the repository. The handling of risk profiles and uncertainties in the licensing of the Swedish SFR final disposal facility for low and intermediate level radioactive waste provides an interesting example. The SFR facility is designed for final storage of some 100000 m 3 of low and intermediate level waste in caverns covered by some 50 m of rock and a few meters of sea water as the facility is situated a few hundred meters outside the shoreline on the coast of the Baltic Sea. For the first thousand years to come, with the Oregrundsgrepen (a bay of the Baltic Sea) as a recipient providing a high degree of dilution and dispersion, the resulting doses to human beings and other living organisms are estimated to be very low and practically negligible in comparison to doses from naturally existing radiation sources. For longer time spans, after some 1500 years, there are larger uncertainties, as the ongoing landrise in that part of the Baltic then will put the SFR facility well inside the new shoreline. A key issue in the licensing process was the risks associated with about 10 TBq of longlived nuclides that the SFR facility may contain, notably if wells were drilled in the vicinity of the repository. Today, you will typically find at least one drilled well per square kilometer in similar rural environments in Sweden. In the licensing review ~4 made by SKI and the Swedish Radiation Protection Institute, SSI, it was found that, in a realistic case, the resulting radiation doses would likely be considerably lower than those which man receives from natural sources. However, it was noted that a dose calculation, which attempts to predict a probable outcome, including realistic assumptions on releases of radioactive substances from the repository and further transport to and distribution via various pathways in the biosphere would require considerable efforts and would be difficult to prove strictly. The licensing review calculations of the consequences were therefore made using simplified models, where the simplification was made so as to overestimate the consequences with high assurance. Values for different parameters, such as adsorption data, groundwater flow,
Regulatory decision-making food and water consumption data, etc., were also chosen in such a way that the consequences were overestimated. According to the estimates made in the licensing review such an approach led to individual doses around 1 mSv/ year to a few persons drinking water from a well downstream the repository. If, in addition, combinations of improbable circumstances are taken into account, doses of the order of 10 mSv/year might occur as extreme cases (ceiling values). The radiation doses thus calculated under pessimistic assumptions exceed the reference values applied by SSI to the protection of individuals from nuclear activities, but they are not higher than the normal variation in exposure from natural sources. They are, for example, of the same order of magnitude as the doses that radoncontaining water from wells may cause, which amount to a few millisieverts per year. The appearance of individual doses in the range 1 - 1 0 mSv/year were estimated to be improbable, as this presumes that a combination of mutually independent, pessimistic assumptions are simultaneously fulfilled, such as an uncontrolled well in the vicinity of the repository as an exposure path, and a detrimental formation of complex ions from cellulose residues. However, quantitative probability estimates were not considered meaningful as a basis for decisions. In summary, and considering the pessimistic assumptions, SKI and SSI concluded that the SFR facility presented a risk profile with respect to probability of exposure of limited groups that did not deviate significantly from what the Swedish society accepts today with respect to exposure from naturally occurring radioactive substances without requiring special measures to be taken by society. Based on these findings and conclusions the operating licence was granted. As a licensing condition, the licensee was required to take certain measures to reduce the most important of the uncertainties that might contribute to doses in a longer time perspective, such as reducing the amount of complex-forming substances in the waste packages. It should be noted that this licensing decision was endorsed by the Boards of both SKI and SSI, and that these two boards include members of the Swedish Parliament, as well as independent experts.
4 CONCLUSIONS In conclusion, it may be stated that there are no simple decision-making models and criteria that can be applied to the problems of risk assessment, risk perception and regulatory and political decision-making related to nuclear power. Thus, it appears from the analysis presented in this paper that the reactor safety level considered reasonable to require and achieve today is driven by a combination of considerations, notably including protection of the investment and a political aim to reduce as far as reasonably achievable the probability of releases resulting in largescale ground contamination, with socio-political consequences that are difficult to manage for any government.
139
It may also be concluded that the life and health of the individual is protected with substantial margins with respect to the internationally recognized radiation protection criteria of ICRP, given the reactor safety level considered reasonably achievable today. In safety assessments of final repositories for long-lived radioactive waste, quantitative risk calculations over very long time spans are associated with large uncertainties. However, comparisons with risk profiles generated by naturally occurring radioactive substances and the associated uncertainties may be useful. Communicating the value judgements and criteria used in regulatory decisions and the resulting level of protection in direct and easily understandable language represents a real challenge to regulators as they are accountable to political decision-makers and the general public.
REFERENCES 1. West Churchman, C., The Systems Approach. Delta Books, Dell, New York, 1968. 2. Principles for decisions involving environmental and health risks. Final report of a Joint Nordic Research Project in Nuclear Safety, Nordic Liaison Committee for Atomic Energy, Stockholm, 1989. 3. Drottz-Sjrberg, B.-M., Perception of Risk. Studies of Risk Attitudes, Perceptions and Definitions. Stockholm School of Economics, Center for Risk Research, Stockholm, 1991. 4. Ethical aspects on nuclear waste. Report from the Swedish consultative committee for nuclear waste management (KASAM) and the National Board for Spent Nuclear Fuel, SKN Report 29, Stockholm, 1988. 5. Convention on Nuclear Safety. IAEA Legal Series no. 16, Vienna, 1994. 6. Special committee review of the Nuclear Regulatory Commission's severe accident risks report (NUREG-1150). NUREG-1420, USNRC, Washington, DC, 1990. 7. Severe accident risks: an assessment for five U.S. nuclear power plants. NUREG- 1150, USNRC, Washington, DC, 1989. 8. The status with regard to safety and radiation protection at the Swedish nuclear power plants for the operational year 1994/95. Joint report by the Swedish Nuclear Power Inspectorate (SKI) and the Swedish Radiation Protection Institute (SSI), SKI Report 95:63 (SSI Report 95-27), Stockholm, 1995. 9. Flight Safety Foundation, Icarus Committee, cited in the Swedish Government Committee Report SOU, 1995, p. 57. 10. 1990 Recommendations of the International Commission on Radiological Protection. ICRP Publication 60, Pergamon Press, Oxford, 1991. 11. Basic safety principles for nuclear power plants. Report by the International Nuclear Safety Advisory Group, INSAG-3, IAEA, Vienna, 1988. 12. Bengtsson, G. & Hrgberg, L., Status of achievements reached in applying optimisation of protection in prevention and mitigation of severe accidents. Proceedings of an ad hoc meeting on the Application of Optimisation of Protection in Regulation and Operational Practices, OECD/NEA, Paris, 1988. 13. Potential exposure in nuclear safety. Report by the International Nuclear Safety Advisory Group, INSAG-9, IAEA, Vienna, 1995. 14. Operating permit for the SFR final disposal facility for reactor waste. SKI Licensing Decision, May 20, 1992 SKI File No. 7.41-880433; see also SKI Technical Report 92:16.