Risk Assessment and Probabilistic Risk Assessment (PRA)
Mario H. Fontana, PhD, PE, Research Professor
Arthur E. Ruggles, PhD, Professor
The University of Tennessee
(slide 1)

Definition of Risk (slide 2)
• Risk = Probability of occurrence × consequences. We will focus on Core Damage or Large Early Release as consequences.
• PRA models are normally consequence specific.

Total Risk (slide 3)
Total Risk = Σ p_i c_i (sum over outcomes i of probability p_i times consequence c_i)
Total risk would include releases, core damage, and others.

Probability (slide 4)
• Probability is a way to predict stochastic events.
• Common events: probability fairly well known (e.g., MOCV failure rate, lots of data).
• Rare events: less well known. Much less data.
• New systems and components: no data…

Consequences (slide 5)
• Consequences from nuclear reactor accidents could be
  – damage to plant
  – impact to environment
  – loss of land use
  – cost of evacuations, sheltering, etc.
  – health (morbidity) effects
  – life-threatening effects

Fault Trees (slide 6)
• Fault trees are used to determine the probability of a “top event” (e.g., core damage).
• The top event defines the failure or success of a system or component.
• Fault trees use a structure of logical operations to calculate the probability of the top event as a result of “basic event” inputs.

Fault Trees (2) (slide 7)
• The undesired event is stated at the top of the tree.
• The fault tree gates specify logical combinations of basic events that lead to the top event.
• Fault trees can be used to identify system weaknesses.

Fault Trees (3) (slide 8)
• Fault trees can help recognize interrelationships between fault events.
• Fault trees consist of logic gates and basic events as inputs to the logic gates.
• Logic gates: Boolean operations (union or intersection) of the input events.
• Basic events: faults such as a hardware failure, human error, or adverse condition.

AND Gate (slide 9)
• Event 6 and event 7 must occur to “pass” the gate.
  P(Q) = P(A) * P(B)

Amplifier Failure Mode Probabilities, NUREG 0492 (slide 10)
[Diagram not reproduced: amplifier failure-mode fault tree example taken from NUREG 0492.]

OR Gate (slide 11)
• Probabilities add for the OR gate, since either input, or both, will pass failure through.
  P(Q) = P(A) + P(B)

Basic Event (slide 12)
• Basic events provide input to the fault tree, such as failure of a component or system, expressed as a probability. The circle indicates that no further development is necessary.
[Diagram not reproduced: two basic events, “Basic event 1” (EVENT-1) and “Basic event 2” (EVENT-2), each with probability 1.000E-2.]

Additional Gates (SAPHIRE) (slide 13)
[Diagram not reproduced: SAPHIRE “Additional gates & symbols” sheet (ADDNL-GATES-&-SYMBOLS, 2007/09/19) showing an N/M gate (2 out of 3, GATE-7-0), an INHIBIT gate, a TRANSFER gate (TRANS-7-2), a HOUSE event (EVENT-7-3), and an UNDEVELOPED event (EVENT-7-4).]

Steps to Building a Fault Tree (slide 14)
• Identify a top event as a failure to perform a function (system, component, or human failure, for example).
• Identify events that could contribute to failure of the top event (usually logic gates).
• Identify further “lower level” events that could contribute to the intermediate event.

Steps to Building a Fault Tree (2) (slide 15)
• Continue until basic events are reached; these comprise the inputs (such as component failures) to the tree.
• SAPHIRE then performs the calculations.

Outputs from SAPHIRE Calculations (slide 16)
• Calculate the failure probability of the top event.
• Calculate the failure probability of intermediate events.
• Identify cut sets
  – A cut set is a sequence of events that proceeds from the basic event to the top event in an unbroken sequence.
  – Minimal cut sets are cut sets that contain the minimal number of events and are not contained in other cut sets.

Outputs from SAPHIRE Calculation (2) (slide 17)
• Provide importance factors that indicate the relative importance of basic events.
• E.g., RIR, risk increase ratio: the ratio of the top event failure probability with a given basic event’s failure probability set to 1 (“guaranteed failure”), the rest remaining at their baseline values, to the baseline top event failure probability.
• There are several other measures that will be discussed later (see SAPHIRE).

Outputs from SAPHIRE Calculation (3) (slide 18)
• Calculate the uncertainty of the top event failure probability given uncertainty distributions of the basic events.
• Usually calculations are done with point probability values (no distribution), but others can be done with different inputs
  – normal, log normal, uniform, histogram, many others

Cut Sets (slide 19)
• A cut set is the path by which one or more basic events lead to the top event.
• For example,
  – a one-element cut set identifies where failure of one basic event causes failure of the top event
  – a two-element cut set shows how failure of two basic events causes failure of the top event
• Obviously, one-element cut sets should be avoided. (Like one bolt holding on a wing of an airplane: one failure causes one disaster.)

Cut Sets (2) (slide 20)
• Minimal cut sets are the smallest sets of events that can cause failure of the top event. Cut sets that contain events already contained in a smaller set are discarded. What’s left are the minimal cut sets.

Larger Model (slide 21)
[Diagram not reproduced: SAPHIRE fault tree CLASS-DEMO (“Demonstration for class”, 2007/09/24). Top event “Engine fails to start” with intermediate gates “Fuel supply fails” (GATE-F.1), “Ignition fails” (GATE-IG-1) and “Starter inoperable” (GATE-S.1); lower gates “No gas in tank” (GATE-F.2), “Fuel injection failure” (GATE-F.3), “Spark plug wires or plugs failed” and “Distributor system fails” (GATE-IG.2). Basic events, each at 1.000E-2: internal fuel pump damage (EVENT-F.4), gasoline not free of gunk (EVENT-F.5), gasoline filter failed (EVENT-F.6), fuel injectors fouled (EVENT-F.7), battery fails (EVENT-IG.1, which appears under more than one gate), spark plug wires 1 to 4 fail (EVENT-IG.3 to EVENT-IG.6), starter fails (EVENT-S.1). The gate types and exact wiring are not recoverable from the extracted text.]

Cut Sets (slide 22)
[Diagram not reproduced: the CLASS-DEMO fault tree of slide 21, shown again for the cut set discussion.]
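The following Python block is an added worked example, not code from the lecture or from SAPHIRE. It builds a small "engine fails to start" tree of its own (the gate names, the two redundant pumps and the shared BATTERY event are constructed; the structure is not the CLASS-DEMO tree, whose wiring the slides do not show), expands it into minimal cut sets, quantifies the top event, and computes the RIR importance measure described on slide 17. Two points the slides leave implicit are made explicit: the OR-gate rule P(Q) = P(A) + P(B) is the rare-event approximation of the exact 1 - (1 - P(A))(1 - P(B)), and a basic event that feeds more than one gate (like "Battery fails" in the CLASS-DEMO model) is handled correctly only when quantification goes through cut sets rather than gate-by-gate multiplication.

```python
"""Fault tree quantification: minimal cut sets, top-event probability and RIR.

Constructed example for illustration; not the lecture's SAPHIRE model.
"""
from itertools import combinations
from math import prod

# Gate table: gate name -> (type, [inputs]). Names absent from the table are
# basic events. BATTERY feeds two gates, so multiplying gate probabilities
# would double count it; cut sets absorb the duplicate instead.
TREE = {
    "ENGINE-FAILS": ("OR",  ["FUEL-SUPPLY", "IGNITION", "STARTER"]),
    "FUEL-SUPPLY":  ("AND", ["PUMP-A", "PUMP-B"]),   # constructed: redundant pumps
    "IGNITION":     ("OR",  ["BATTERY", "COIL"]),
    "STARTER":      ("OR",  ["BATTERY", "STARTER-MOTOR"]),
}

# Point-value basic event probabilities (constructed; 1.0E-2 as on the slides).
P_BASIC = {e: 1.0e-2 for e in ("PUMP-A", "PUMP-B", "BATTERY", "COIL", "STARTER-MOTOR")}


def minimize(cut_sets):
    """Drop duplicates and every cut set that contains a smaller cut set."""
    unique = set(cut_sets)
    minimal = [s for s in unique if not any(other < s for other in unique)]
    return sorted(minimal, key=lambda s: (len(s), sorted(s)))


def minimal_cut_sets(node, tree=TREE):
    """Expand the Boolean structure below `node` into its minimal cut sets."""
    if node not in tree:                        # basic event
        return [frozenset([node])]
    gate_type, inputs = tree[node]
    child_sets = [minimal_cut_sets(child, tree) for child in inputs]
    if gate_type == "OR":                       # union: any input's cut set suffices
        expanded = [cs for sets in child_sets for cs in sets]
    elif gate_type == "AND":                    # intersection: one cut set from every input
        expanded = [frozenset()]
        for sets in child_sets:
            expanded = [acc | cs for acc in expanded for cs in sets]
    else:
        raise ValueError(f"unsupported gate type {gate_type!r}")
    return minimize(expanded)


def cut_set_probability(cut_set, p):
    """Probability that every event in the cut set occurs (independent events)."""
    return prod(p[e] for e in cut_set)


def top_probability(cut_sets, p):
    """Exact P(top) = P(union of minimal cut sets) by inclusion-exclusion.

    Exponential in the number of cut sets; fine for classroom-sized trees.
    """
    total = 0.0
    for r in range(1, len(cut_sets) + 1):
        sign = 1.0 if r % 2 else -1.0
        for combo in combinations(cut_sets, r):
            total += sign * cut_set_probability(frozenset().union(*combo), p)
    return total


def rare_event_probability(cut_sets, p):
    """Rare-event approximation: add the cut set probabilities.

    This is the slide's P(Q) = P(A) + P(B) for an OR gate. It overstates the
    exact value slightly and can exceed 1 when inputs are not rare.
    """
    return sum(cut_set_probability(cs, p) for cs in cut_sets)


def risk_increase_ratio(event, cut_sets, p):
    """RIR: P(top | event probability forced to 1) / P(top at baseline)."""
    forced = {**p, event: 1.0}
    return top_probability(cut_sets, forced) / top_probability(cut_sets, p)


def single_point_failures(cut_sets):
    """One-element cut sets: the 'one bolt holding on the wing' cases."""
    return [next(iter(cs)) for cs in cut_sets if len(cs) == 1]


if __name__ == "__main__":
    mcs = minimal_cut_sets("ENGINE-FAILS")
    print("minimal cut sets:  ", [sorted(cs) for cs in mcs])
    print("single-point items:", single_point_failures(mcs))
    print("exact P(top):      ", top_probability(mcs, P_BASIC))
    print("rare-event P(top): ", rare_event_probability(mcs, P_BASIC))
    for event in P_BASIC:
        print(f"RIR[{event}] = {risk_increase_ratio(event, mcs, P_BASIC):.2f}")
```

With every basic event at 1.0E-2 the tree has three one-element cut sets (BATTERY, COIL, STARTER-MOTOR) and one two-element cut set (PUMP-A, PUMP-B); the exact top-event probability is 1 - 0.99^3 (1 - 10^-4), the rare-event sum is 0.0301, and the RIR of any single-point event is 1/P(top) because forcing it to 1 makes the top event certain, which is exactly why slide 19 says one-element cut sets should be avoided.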
Event Trees (slide 23)
• Event trees start with an initiating event and branch to the right as various safety functions are questioned for success (up) or failure (down) (ref. SAPHIRE manual).
• Event trees
  – identify accident sequences
  – identify safety system functions
  – quantify sequence frequencies

Event Tree Development (slide 24)
• Plant familiarization
• Define safety functions and success criteria
• Select initiating events
• Determine plant response
• Define accident sequences and plant damage states
• Identify system failure criteria
• Develop fault trees and link to the event tree

Event Tree Terminology (slide 25)
• Initiating event
• Top event
  – safety systems intended to respond to the initiating event
• Branching
  – underneath a top event
  – up = success, down = failure
• Pass
  – no branch beneath a top event
• Sequence
  – branching path, initiating event to end state
• End states
  – consequences and probabilities

Event Tree: Reactor Loss of Offsite Power (slide 26)
[Diagram not reproduced: SAPHIRE event tree LOSP (2007/10/07). Initiating event: loss of offsite power (LOSP). Top events: emergency core cooling system (ECCS) and containment system (CCS). End states: 1 OK-NO-RELEASE, 2 SOME-LATE-RELEASE, 3 MEDIUM-LATE-RELEASE, 4 LARGE-EARLY-RELEASE.]

Emergency Core Cooling System Fault Tree (ECCS) (slide 27)
[Diagram not reproduced: SAPHIRE fault tree ECCS (“Emergency core cooling system”, 2007/10/09). Top event ECCS with three basic events, each at 1.000E-2: loss of heat sink (EVENT-ECCS-1), loss of diesel power (EVENT-ECCS-2), loss of water source (EVENT-ECCS-3). The gate type is not recoverable from the extracted text.]

Summary (slide 28)
• Risk assessment is a powerful tool for
  – forcing a disciplined approach to the analysis of safety issues
  – forcing understanding of the system being evaluated
  – providing methods for estimating modes of failure
  – providing methods for estimating probabilities of failure
  – identifying areas where more information is needed
  – identifying acceptability and/or areas needing improvement
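The Python block below is an added example, not the lecture's SAPHIRE model, that links the ECCS fault tree of slide 27 into the LOSP event tree of slide 26 and quantifies the four sequences as initiating-event frequency times branch probabilities (slides 23 and 25), then propagates basic-event uncertainty through the ECCS tree by Monte Carlo as slide 18 describes. Everything not on the slides is an assumption and is marked as such in the code: the ECCS gate is taken to be an OR gate, the LOSP frequency and CCS failure probability are made up, the sequence-to-end-state mapping follows the order of the four end-state names, and the lognormal error factor is a typical PRA choice, not one the lecture states.

```python
"""Event tree sequence quantification for the LOSP example, plus Monte Carlo
uncertainty propagation through the ECCS fault tree.

Constructed example; not the lecture's SAPHIRE model.
"""
import random
from math import log, prod

# ECCS fault tree from the slides: three basic events at 1.0E-2 each.
# ASSUMPTION: the slide does not show the gate type; an OR gate is assumed.
ECCS_BASIC = {
    "EVENT-ECCS-1": 1.0e-2,   # loss of heat sink
    "EVENT-ECCS-2": 1.0e-2,   # loss of diesel power
    "EVENT-ECCS-3": 1.0e-2,   # loss of water source
}

LOSP_FREQUENCY = 5.0e-2   # ASSUMPTION: initiating-event frequency, per reactor-year
P_CCS_FAILS = 1.0e-3      # ASSUMPTION: containment system failure probability

# (ECCS success, CCS success) -> end state. The four names are from the LOSP
# slide; ASSUMPTION: they are assigned in slide order, up = success.
END_STATE = {
    (True,  True):  "OK-NO-RELEASE",
    (True,  False): "SOME-LATE-RELEASE",
    (False, True):  "MEDIUM-LATE-RELEASE",
    (False, False): "LARGE-EARLY-RELEASE",
}


def or_gate(probabilities):
    """Exact OR of independent failure probabilities: 1 - prod(1 - p_i)."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def eccs_failure_probability(basic=ECCS_BASIC):
    """Point-value ECCS top-event probability (fault tree linked to the event tree)."""
    return or_gate(basic.values())


def quantify_event_tree(freq=LOSP_FREQUENCY, p_eccs=None, p_ccs=P_CCS_FAILS):
    """Frequency of each sequence = initiator frequency x branch probabilities.

    Returns {end_state: frequency} for the four LOSP sequences.
    """
    if p_eccs is None:
        p_eccs = eccs_failure_probability()
    result = {}
    for eccs_ok in (True, False):            # branch under the ECCS top event
        for ccs_ok in (True, False):         # branch under the CCS top event
            branch = (1 - p_eccs if eccs_ok else p_eccs) * (1 - p_ccs if ccs_ok else p_ccs)
            result[END_STATE[(eccs_ok, ccs_ok)]] = freq * branch
    return result


def sample_lognormal(median, error_factor, rng):
    """Lognormal draw with the given median; EF = 95th percentile / median."""
    sigma = log(error_factor) / 1.645
    return min(1.0, rng.lognormvariate(log(median), sigma))


def eccs_uncertainty(n=20000, error_factor=3.0, seed=1, basic=ECCS_BASIC):
    """Monte Carlo: propagate lognormal uncertainty on each basic event through
    the OR gate. Returns (mean, median, 5th, 95th percentile) of P(ECCS fails).
    """
    rng = random.Random(seed)
    samples = sorted(
        or_gate(sample_lognormal(p, error_factor, rng) for p in basic.values())
        for _ in range(n)
    )
    percentile = lambda q: samples[int(q * (n - 1))]
    return sum(samples) / n, percentile(0.5), percentile(0.05), percentile(0.95)


if __name__ == "__main__":
    for state, f in quantify_event_tree().items():
        print(f"{state:22s} {f:.3e} /yr")
    mean, median, p5, p95 = eccs_uncertainty()
    print(f"P(ECCS fails): mean {mean:.4f}, median {median:.4f}, 5%-95% {p5:.4f}-{p95:.4f}")
```

The sequence frequencies sum back to the initiating-event frequency, which is a useful sanity check on any hand-built event tree. The uncertainty run shows why slide 18 matters: with a lognormal error factor of 3 on each basic event, the mean of P(ECCS fails) sits above the point-value estimate 1 - 0.99^3, because the right-skewed lognormal has a mean larger than its median.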