Risk Assessment Vicki M. Bier (University of Wisconsin- Madison)
Mar 27, 2015
Risk Assessment
Vicki M. Bier
(University of Wisconsin-Madison)
Introduction
• Risk assessment is a means to characterize and reduce uncertainty to support our ability to deal with catastrophe
• Modern risk assessment for engineered systems began with the Reactor Safety Study (1975):– Applications to engineered systems and
infrastructure are common
What is Risk Assessment?
• “A systematic approach to organizing and analyzing scientific knowledge and information for potentially hazardous activities or for substances that might pose risks under specified circumstances” – National Research Council (NRC), 1994
Definitions of Risk
• “Both uncertainty and some kind of loss or damage” (Kaplan and Garrick 1981)
• “The potential for realization of unwanted, negative consequences of an event” (Rowe 1976)
• “The probability per unit time of the occurrence of a unit cost burden” (Sage and White 1980)
• “The likelihood that a vulnerability will be exploited” (NRC 2002)
Paradigm for Risk Assessment
• A form of systems analysis• Answers three questions (Kaplan and Garrick
1981): – “What can go wrong?” – “How likely is it that that will happen?” – “If it does happen, what are the consequences?”
What is Probabilistic Risk Assessment?
• An integrated model of the response of an engineered system to disturbances during operations
• A rigorous and systematic identification of the levels of damage that could conceivably result from those responses
• A probabilistic (that is, quantitative) assessment of the frequency of such occurrences and our uncertainty in that assessment
• A tool to help owners/operators make good decisions about system operations
ESSENCE OF PRA
• A PRA is an assessment of how well a system responds to a variety of situations
• It answers three basic questions:1. What can go wrong during operation?2. How likely is it to go wrong?3. What are the consequences when it goes wrong?
• We answer the first question in terms of scenarios• We answer the second by quantifying our knowledge of
the likelihood of each scenario• We answer the third by quantifying our knowledge of the
response of the system and its operators in terms of:- damage states- release states and source terms- scenario consequences
GRAPHICAL PRESENTATION OF RISKSCENARIO PROBABILITY DAMAGE CUMULATIVE
PROBABILITY
s1
s2
s3
...
sN-1
sN
p1
p2
p3
.
.
.pN-1
pN
x1
x2
x3
.
.
.xN-1
xN
P1=p2+p1
.
.
.
.
.PN-1=PN+pN-1
PN=pN
RISK CURVE
X
p(>x)
P
STRUCTURE OF THE MODERN PRA MODEL
INITIATINGEVENTS
PLANT (ACTIVE SYSTEMS) MODEL
CONTAINMENT STRENGTH AND CORE DAMAGE PROGRESSION MODEL
OFFSITE RADIOACTIVE MATERIAL DISPERSION AND HEALTH IMPACT MODEL
SUPPORT SYSTEMS MODEL
FRONTLINE SYSTEMS – EARLY RESPONSE MODEL
FRONTLINE SYSTEMS – LATE AND CONTAINMENT SAFETY FEATURES RESPONSE MODEL
PLANTDAMAGE STATES
RELEASE CATEGORIES
RISK BY HEALTH EFFECT
TYPE
SUPPORTSYSTEMSTATES
SUBTREEFREQUENCIES
LEVEL
3
2
1
QUANTIFYING SCENARIOS
INITIATINGEVENT x A B C D
SDCBIA
NODE A
NODE B1
NODE C3
)A I|B(f
) I |A(f
) I |A(f1
D C B A I S
)CBIA|D(f)BIA|C(f)IA|)B(f)I|A(f)I()S(
EVENT SEQUENCE QUANTIFICATION
WHERE= the frequency of scenario S= the frequency of initiating event I= the fraction of times system Asucceeds given that I has happened= the fraction of times system Bfails given that I has happenedand A has succeeded= the fraction of times C succeedsgiven that I has happened, thatA has succeeded, and B has failed= the fraction of times D fails given
)CBIA|D(f)BIA|C(f)IA|)B(f)I|A(f)I()S(
)S()I()I|A(f
)IA|)B(f
)BIA|C(f
)CBIA|D(f
INITIATINGEVENT
1
A B C D
SD C B A I
SCENARIO
NODE B1
SIMPLIFIED EVENT TREE DIAGRAM
STAGES TO EVENT TREE LINKING
SCOPINGREQUIREMENTS
INITATINGEVENTS
ELECTRICPOWERSYSTEMS
OTHERSUPPORTSYSTEMS
EARLYFRONTLINESYSTEMS
LATEFRONTLINESYSTEMS
PLANTDAMAGESTATES
AFW
TANK
PUMP1
PUMP2
PUMP3
RELATIONSHIP OF FAULT TREES TO EVENT TREES
AFW
ISOLATIONVALVE 1
ISOLATIONVALVE 2
GGVM COOLING 1
GGVM COOLING 2
TANKAPU
MODULE
= “OR” GATE
= “AND” GATE
LEGEND
INITIALCONDITIONS
STAGE A TOP EVENTS
DAMAGE STATE
OK
PLS
LOC/V
PLS
LOC/V
FAULT TREES AND EVENT TREES
• Both useful
• Event trees used to display order of events and dependent events
• Fault trees used to display combinations of events:– Order and dependencies are obscured
• Logically equivalent
RISK MANAGEMENT
• Develop an integrated plant-specific risk model• Rank order contributors to risk by damage index• Decompose contributors into specific elements• Identify options, such as design and procedure changes,
for reducing the impact of the contributor on risk • Make the appropriate changes in the risk model:
– And re-compute the risk for each option
• Compute the cost impacts of each system configuration, relative to the base case:– Including both initial and annual costs
• Present the costs, risks, and benefits for each option
RISK DECOMPOSITION(ANATOMY OF RISK)
LEVEL OF DMAGE TYPE OF RELEASE TYPE OF PLANT DAMAGE INITIATING EVENT
EVENT SEQUENCE SYSTEM UNAVAILABILITY FAILURE CAUSES
System B Cause Table
INPUT DATA
CAUSES
FREQUENCIES
EFFECTS
X
P P P
P CDF CDFPDS
MIEs
IE A B C
MAJOR SYSTEM
DOMINANTSEQUENCE
B
LOGIC
DOMINANT FAILURE MODES
1 2 3 4 n
1. Initiating events
2. Components
3. Maintenance
4. Human error
5. Common cause
6. Environmental
7. Other
REACTOR TRIP SYSTEM CAUSE TABLECONTRIBUTORS TO SYSTEM FAILURE FREQUENCY
CAUSE FREQUENCY--FAILURES PER 10,000 DEMANDS
Common cause failures of reactor trip breakers
5.1 (occurred at Salem in February 1983)
Multiple independent failures of reactor trip breakers
0.39
Reactor trip system in test mode and one breaker fails
0.032
TOTAL 5.5
This analysis was performed in November 1982
SUCCESSFUL RISK MANAGEMENTA FEW EXAMPLES DUE TO PLG STUDIES
DESCRIPTION APPROXIMATE BENEFIT
PRA identified that interaction of two buildings during an earthquake dominated the risk of an operating plant. Installing rubber bumpers between the buildings eliminated the problem.
Factor of 10 reduction in core damage frequency.
PRA allowed the utility to justify installation of a non-safety grade AFW pump sharing common lines, instead of the usual safety grade post-TMI requirement.
Core damage frequency reduction, and millions of dollars.
PRA identified station blackout as the major contributor to core damage frequency. It also identified a procedure change to direct operators to manually cross-connect like buses from the adjacent unit.
33% reduction in core damage frequency.
The PRA identified a peculiarity in the AC power supply in which the three so-called redundant, independent fuel-oil transfer pumps to the emergency diesel-generators were not independent at all. One pump actually depended on the operation of the other two diesels. A simple correction of the power supply logic fixed the problem.
Factor of 50 reduction in core damage frequency.
PRA study showed that risk to population beyond two miles did not depend on evacuation. Recommended reduction in EPZ.
Reduction of EPZ from 10 to one or two miles considered by NRC.
Data Analysis
• Input parameters are quantified from available data:– Typically using expert judgment and Bayesian statistics– Due to sparseness of directly relevant data
• Hierarchical (“two-stage”) Bayesian methods common:– Partially relevant data used to help construct prior distributions
• Numerous areas in which improvements can be made:– Treatment of probabilistic dependence – Reliance on subjective prior distributions – Treatment of model uncertainty
Dependencies
• The failure rates (or probabilities) of components can be uncertain and dependent on each other:– For example, learning that one component had a higher failure
rate than expected may cause one to increase one’s estimates of the failure rates of other similar components
• Failure to take such dependence into account can result in substantial underestimation of the uncertainty about the overall system failure rate:– And also the mean failure probability of the system
• Historically, dependencies among random variables have often been either ignored:– Or else modeled as perfect correlation
Dependencies
• The use of copulas or other multivariate distributions has become more common:– But tractable models still are not sufficiently general to account
for all realistic assumptions, such as E(X|D) > E(Y|D) for all D
• High-dimensional joint distributions are also challenging:– Correlation matrices must be positive definite– There can be numerous higher-order correlations to assess
• Cooke et al. developed a practical method for specifying a joint distribution over n continuous random variables: – Using only n(n1)2 assessments of conditional correlations– (Bedford and Cooke 2001; Kurowicka and Cooke 2004)
Subjectivity
• PRA practitioners sometimes treat the subjectivity of prior distributions cavalierly:– Best practice for eliciting subjective priors is
difficult and costly to apply– Especially for dozens of uncertain quantities
• The use of “robust” or “reference” priors may minimize the reliance on judgment:– Although this may not work with sparse data
Probability Bounds Analysis• Specify bounds on the cumulative distribution functions of the
inputs: – Rather than specific cumulative distributions – (Ferson and Donald 1998)
• These bounds can then be propagated through a model: – The uncertainty propagation process can be quite efficient– Yielding valid bounds on the cumulative distribution function for the final
result of the model (e.g., risk)• Can take into account not only uncertainty about the probability
distributions of the model inputs:– But also uncertainty about their correlations and dependence structure
• This is especially valuable:– Correlations are more difficult to assess than marginal distributions– Correlations of 1 or -1 may not yield the most extreme distributions for
the output variable of interest (Ferson and Hajagos 2006)
Exposure to Contamination
• Regan et al. (2002) compare a two-dimensional Monte Carlo analysis of this problem to the results obtained using probability bounds
• The qualitative conclusions of the analysis (e.g., that a predator species was “potentially at risk” from exposure to contamination) remained unchanged: – Even using bounds of zero and one for some variables
• Bounding analysis can help support a particular decision:– If results and recommendations are not sensitive to the specific
choices of probability distributions used in a simulation
Model Uncertainty
• Uncertainty about model form can be important • Assessing a probability distribution over multiple
plausible models is frequently not reasonable:– “All models are wrong, some models are useful” (Box) – Models are not a collectively exhaustive set– Some models are intentionally simple or conservative
• Bayesian model averaging avoids giving too much weight to complex models (Raftery and Zheng 2003):– But still relies on assigning probabilities to particular models– Using Bayes theorem to update those probabilities given data
Joint Updating
• In general, one will be uncertain about both model inputs and outputs
• One would like to update priors for both inputs and outputs consistently:– With the wider distribution being more sensitive to model results
• Raftery et al. (1995) attempted this (Bayesian synthesis): – But that approach is subject to Borel’s paradox – Since it can involve conditioning on a set of measure zero
• Joint updating of model inputs and outputs is largely an unsolved problem