THE USES AND BENEFITS OF PROBABILISTIC RISK ASSESSMENT IN NUCLEAR REACTOR SAFETY* Robert A. Bari. Brookhaven National Laboratory Upton, NY USA


BNL-NUREG DE

Robert A. Bari
Department of Nuclear Energy
Brookhaven National Laboratory
Upton, NY USA

and

Themis P. Speis
Office of Nuclear Regulatory Research
United States Nuclear Regulatory Commission
Washington, DC USA

*This work was performed under the auspices of the U.S. Nuclear Regulatory Commission.

ABSTRACT

Probabilistic risk assessment (PRA) has proven to be an important tool in the safety assessment of nuclear reactors throughout the world. Decision making with regard to many safety issues has been facilitated by both general insights from and direct application of this technology. Key uses of PRA are discussed and some examples of successful applications are cited. The benefits and limitations of PRA are also discussed as well as the broader outlook for applications of PRA.

INTRODUCTION

Probabilistic risk assessment (PRA) has had a profound effect on the discipline of nuclear reactor safety. While probabilistic notions, both qualitative and quantitative, were employed even in the earliest developments in nuclear reactor safety, it was the Reactor Safety Study (1) (WASH-1400) which clearly demonstrated that a fully integrated probabilistic/deterministic evaluation of the risks at a nuclear power plant could be performed. The legacy of WASH-1400 is well known and oft recounted in the many papers that have been written over the past fifteen years (2). It is, however, worthwhile to briefly summarize the essential features of this study that have been used (and improved on) in the many PRAs that have been done worldwide. These are:

1) an integrated, comprehensive model of the plant;
2) computation of in-plant damage risk indices and offsite health and economic risk indices;
3) incorporation of human errors and common-mode failures in the plant model;
4) physical analysis of core meltdown phenomena and associated fission product behavior;
5) determination of containment failure modes in relation to specific accident sequences;
6) off-site consequence assessment.

Methodology improvements have been made over the years to the WASH-1400 model in several areas. These include: hardware and human failure data assessment; meltdown progression analysis; containment response and event tree development; treatment of uncertainties; and analysis of external events.

Perhaps the greatest change in PRA since its inception is in its use in decision making by both the people who own and operate nuclear power plants and the people who regulate them. In the years immediately following the publication of WASH-1400, PRA was viewed with distrust by many. It was viewed as an analysis tool with much arbitrariness in the inputs which addressed subjects not central to reactor safety. While the conventional approach to safety analysis tended to be prescriptive and conservative, PRA tended to be exploratory and realistic. In the aftermath of the accident at the Three Mile Island-2 plant, new safety programs and agendas were developed in several countries. PRA began to gain acceptance because it provided an enhanced perspective for safety issues that would have been difficult to resolve by the conventional approach alone.

USES OF PRA

The purpose of WASH-1400 was to assess the risk posed by commercial nuclear power plants in the United States. Current PRAs have many potential uses and are often performed with multiple uses in mind. In fact, the end uses of a PRA determine its scope and depth. Some of the now more familiar uses of PRA are to:

a) identify design and/or operational deficiencies;
b) facilitate decision making with regard to cost-beneficial modifications or alternatives in operation or design;
c) guide inspection procedures;
d) provide a risk-based rationale for modification of plant technical specifications;
e) enhance operations management;
f) provide a perspective for severe accident phenomenology and associated issues;
g) provide key insights for the development of accident management programs;
h) aid in the development of realistic emergency preparedness strategies.

This is a partial list and there are many examples of the successes of PRA for each of these items. Only a few are given below.

With regard to item a), deficiencies in plant design have been found in many PRAs. Here we cite a study (3) that was specifically aimed at finding systems interactions in a particular plant. The deficiency occurred in the plant's electrical power system and it was found by a detailed, systematic and painstaking fault tree approach. The deficiency was not at first obvious, but once it was understood and confirmed it led to an immediate modification by the plant owner. Interestingly, this deficiency violated the licensing basis of the plant (single failure criterion) but escaped detection in the initial safety review by the conventional approach.

With regard to item c), the United States Nuclear Regulatory Commission (USNRC) inspection process has been enhanced through the application of PRA insights (4). Inspection planning and resource prioritization have traditionally been difficult because of the need to have a prior understanding of a given plant's strengths and weaknesses. Here PRA has been used to obtain valuable information about plant systems, equipment, and human actions which would not have been otherwise easily obtainable. PRA insights, in the hands of an experienced field inspector, have proven to be extremely beneficial in selecting and prioritizing inspection items at many plants.

With regard to item f), as described in Reference 5, severe accident evaluations and research progressed to the point that the USNRC issued on August 8, 1985, a Severe Accident Policy Statement (50 FR 32138), which concluded that existing plants posed no undue risk to the public. However, based on USNRC and industry experience with plant specific PRAs, the USNRC also acknowledged that systematic examinations would be beneficial in identifying plant specific vulnerabilities to severe accidents for which further safety improvements may be appropriate. Such systematic evaluations have been named Individual Plant Examinations (IPEs), and they represent the cornerstone of the USNRC's integration plan for closure of severe accident issues. This plan has been recently published (USNRC SECY , May 25, 1988), and the IPE element of it was defined in USNRC Generic Letter No (November 23, 1988), sent to all licensees holding operating licenses and construction permits for nuclear power reactor facilities. The IPE process will involve significant utility and USNRC staff efforts, and it is estimated to be completed within the next three years.

The guiding philosophy of the IPEs can be defined in terms of their impact sought for each utility, as follows (not listed in order of priority):

1. To help develop an appreciation of severe accident behavior in a broad sense,
2. To form the basis for understanding the most likely severe accident sequences that can be expected in its plant(s),
3. To gain a quantitative understanding of the probabilities of core damage and fission product releases, and
4. To provide the technical basis for reducing core damage and fission product release probabilities, if necessary, by appropriate hardware and procedures modifications.

Further, as noted in Reference 6, while simplified methodologies have been developed which the NRC feels to be adequate for the purpose of the IPEs, the licensees are receiving encouragement to conduct a Level 1 PRA along with a containment performance assessment. The insight and results of this type of study would be of essential value for such activities as plant specific Generic Issue resolution, licensee renewal policy and the identification and prioritization of the technical issues to be evaluated, and plant specific accident management procedures.

BENEFITS OF PRA

The benefits of performing a PRA follow directly from the uses as described in the previous section. An oft cited benefit to a plant owner/operator is the enhanced knowledge of plant design and behavior that is accrued during the conduct of the PRA. Clearly, for the regulator the main benefit from PRA is an enhanced information base to support decision making with regard to outstanding safety issues. Specific discussions of benefits of PRA are amply given in References 2, 4, 6, 7, 8.

Perhaps the most significant recent development in PRA is the concept of a living PRA - a model of the plant which is kept up to date and used in the assessment of a variety of safety and operational issues or questions. In some cases, it would be of interest and beneficial to know the impact of, for example, a design modification. If a PRA for a plant is maintained and current with the existing design, then the risk impact can be computed and evaluated. This information would be beneficial to the decision making process in determining design tradeoffs. This idea extends to modifications in the operation of the plant as well.
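
The two ideas above, a fault tree exposing a single-failure violation and a living PRA quantifying a design modification, can be shown on a toy model. This is an added example, not taken from the paper or from the study in Reference 3: the two-train power system, the event names and the failure probabilities are constructed for illustration, and basic events are assumed independent.

```python
from itertools import product

# Constructed per-demand failure probabilities (hypothetical, not plant data).
P = {"DG_A": 3e-2, "DG_B": 3e-2, "BUS_A": 1e-4, "BUS_B": 1e-4,
     "DC_CTRL": 1e-3, "DC_CTRL_B": 1e-3}

def tree(shared_dc):
    """Top event: loss of both emergency power trains.
    A gate is (op, children); a string is a basic event."""
    dc_b = "DC_CTRL" if shared_dc else "DC_CTRL_B"
    train_a = ("OR", ["DG_A", "BUS_A", "DC_CTRL"])
    train_b = ("OR", ["DG_B", "BUS_B", dc_b])
    return ("AND", [train_a, train_b])

def cut_sets(node):
    """Expand the tree top-down into cut sets (frozensets of basic events)."""
    if isinstance(node, str):
        return {frozenset([node])}
    op, children = node
    parts = [cut_sets(c) for c in children]
    if op == "OR":            # any child's cut set fails the gate
        return set().union(*parts)
    # AND: one cut set from every child must occur together
    return {frozenset().union(*combo) for combo in product(*parts)}

def minimal(sets):
    """Drop every cut set that strictly contains another one."""
    return {s for s in sets if not any(t < s for t in sets)}

def top_probability(mcs, p):
    """Min-cut upper bound: 1 - prod(1 - P(cut set))."""
    survive = 1.0
    for cs in mcs:
        pc = 1.0
        for event in cs:
            pc *= p[event]
        survive *= 1.0 - pc
    return 1.0 - survive

def assess(shared_dc):
    mcs = minimal(cut_sets(tree(shared_dc)))
    singles = sorted(e for cs in mcs if len(cs) == 1 for e in cs)
    return mcs, singles, top_probability(mcs, P)

if __name__ == "__main__":
    for label, shared in (("as built (shared DC control)", True),
                          ("modified (separate DC control)", False)):
        mcs, singles, p_top = assess(shared)
        print(f"{label}: {len(mcs)} minimal cut sets, "
              f"single failures={singles}, P(top)~{p_top:.2e}")
```

An order-one minimal cut set is a single failure that defeats both trains; re-running the same model after the modification is the living-PRA step that gives the change in top-event probability.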

CAVEATS AND LIMITATIONS

A discussion of the value of PRA to the practice of nuclear reactor safety would not be complete without a discussion of the limitations of PRA. This again is a well worn topic and the reader is referred to a paper by Lewis (9) for a good discussion of this topic. Lewis discusses intrinsic and practical limitations of PRA. Intrinsic limitations arise because of the very nature of the subject. They include such things as completeness, data base inadequacies, and limitations due to the logic structure implied by the fault tree/event tree approach. Practical limitations refer to how PRA is currently practiced.

Lewis (and many others) caution against relying on the bottom line risk numbers obtained from the PRA. The bottom line risk numbers are often characterized as the least reliable (e.g., see Reference 6) outcome of a PRA. Nevertheless, to obtain the sought after insights and plant comprehension, one proceeds inevitably toward the bottom line in the performance of a PRA, separating the important from the unimportant as the analysis moves toward the bottom line.

A PRA combines probabilistic and deterministic analyses to obtain its final results. It is important to do both of these analyses with sufficient care so as not to compromise the end uses of the PRA. The scope and depth of deterministic, physical analyses directly affect and control both the success criteria that are used in a Level 1 PRA analysis and the physical consequences that are the output of a Level 2 PRA analysis. Oversimplification of the analysis of physical phenomena (e.g., primary and containment system thermal hydraulics and response, transient reactivity behavior, etc.) may lead to essential distortions of the risk profile. Similarly, the probabilistic aspects (e.g., data base development) of the PRA are subject to assumptions and biases that can strongly impact the risk profile.

An outstanding merit of PRA is that the methodology, by its very nature, accounts for and facilitates the display and communication of uncertainties in events and phenomena. Uncertainties, which are also present in other types of safety analyses, are straightforwardly revealable by PRA - and an assessment of uncertainty is a necessary element of rational decision making.

OUTLOOK

PRA has grown in acceptance and use worldwide in the nuclear reactor safety arena over the last decade. It is now an essential ingredient in reactor safety programs in many countries. Based on the cumulative methodological developments and applications, it is now being extended for use in other disciplines, e.g., nuclear waste management; chemical plant safety and operation; space applications.

In conclusion, we believe that PRA provides a logical, disciplined approach to complex technological facilities and their operation. And, with suitable adaptation, the successes that are enjoyed by PRA in nuclear reactor safety can be realized in other arenas of technology as well.

REFERENCES

1. Reactor Safety Study, USNRC, WASH-1400, October,
2. Good examples may be found in the ANS/ENS conference proceedings on PRA. These include: Newport Beach, Calif. (1978); Port Chester, NY (1981); San Francisco, Calif. (1985); Zurich, Switzerland (1987); and Pittsburgh, PA (1989).
3. R. Youngblood et al., Fault Tree Application of the Study of Systems Interactions at Indian Point 3, NUREG/CR-4207, January
4. K. M. Campe et al., PRA Guidance in Nuclear Regulatory Commission Inspection Efforts, Proceedings of the ANS/ENS International Topical Meeting on Probability, Reliability, and Safety Assessment, Pittsburgh, PA, April 2-7, 1989, pp
5. T. P. Speis et al., The Examination of Containment Systems Performance in Individual Plant Examinations, ibid, pp
6. A. C. Thadani, PSA Application: Is it Really Worth it?, ibid, pp
7. J. R. Chapman, Yankee Atomic Electric Company Uses of PRA, ibid, pp
8. T. P. Speis, Regulatory Uses of PRA/PSA by the USNRC, Proceedings of the ENS/ANS Meeting on Probabilistic Safety Assessment and Risk Management, Zurich, Switzerland, Aug. 30-Sept. 4, 1987, pp
9. H. W. Lewis, Probabilistic Risk Assessment Merits and Limitations, Proceedings of the Fifth International Meeting on Thermal Nuclear Reactor Safety, Karlsruhe, Germany, Sept. 9-13, 1984, pp