Probabilistic risk assessment
Probabilistic risk assessment (PRA) is a systematic and comprehensive methodology to evaluate risks associated with a complex engineered technological entity (such as an airliner or a nuclear power plant).
Risk in a PRA is defined as a feasible detrimental outcome of an activity or action. In a PRA, risk is characterized by two quantities:
- the magnitude (severity) of the possible adverse consequence(s), and
- the likelihood (probability) of occurrence of each consequence.
Consequences are expressed numerically (e.g., the number of people potentially hurt or killed) and their likelihoods of occurrence are expressed as probabilities or frequencies (i.e., the number of occurrences or the probability of occurrence per unit time). The total risk is the expected loss: the sum of the products of the consequences multiplied by their probabilities.
The spectrum of risks across classes of events is also of concern, and is usually controlled in licensing processes. It would be of concern if rare but high-consequence events were found to dominate the overall risk, particularly as these risk assessments are very sensitive to assumptions (how rare is a high-consequence event?).
Probabilistic Risk Assessment usually answers three basic questions:
- What can go wrong with the studied technological entity, or what are the initiators or initiating events (undesirable starting events) that lead to adverse consequence(s)?
- What and how severe are the potential detriments, or the adverse consequences that the technological entity may be eventually subjected to as a result of the occurrence of the initiator?
- How likely to occur are these undesirable consequences, or what are their probabilities or frequencies?
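The three questions map directly onto an event-tree quantification. The following is an added example, not part of the original article: the initiator frequency, the three mitigating systems, their failure probabilities and the severity model are all constructed assumptions, and the branches are treated as independent.

```python
from itertools import product

# Constructed event tree; every number below is an illustrative assumption.
INITIATOR_FREQ = 1e-2  # question 1: initiating events per year
# Mitigating systems challenged after the initiator: (name, P(fail on demand))
SYSTEMS = [("shutdown", 1e-4), ("cooling", 1e-3), ("containment", 1e-2)]

def consequence(failed):
    """Question 2 (constructed severity model): people harmed per occurrence."""
    core_damage = "shutdown" in failed or "cooling" in failed
    if not core_damage:
        return 0.0
    return 1000.0 if "containment" in failed else 10.0

def sequences():
    """Question 3: enumerate every success/failure path with its frequency."""
    out = []
    for outcome in product([False, True], repeat=len(SYSTEMS)):
        freq = INITIATOR_FREQ
        failed = set()
        for (name, p_fail), did_fail in zip(SYSTEMS, outcome):
            # Branches are assumed independent of each other here.
            freq *= p_fail if did_fail else 1.0 - p_fail
            if did_fail:
                failed.add(name)
        out.append((frozenset(failed), freq, consequence(failed)))
    return out

def expected_loss(seqs):
    """Total risk: sum of consequence times frequency over all sequences."""
    return sum(freq * cons for _, freq, cons in seqs)

def risk_spectrum(seqs):
    """Split the expected loss by consequence class."""
    spectrum = {}
    for _, freq, cons in seqs:
        spectrum[cons] = spectrum.get(cons, 0.0) + freq * cons
    return spectrum

if __name__ == "__main__":
    seqs = sequences()
    for failed, freq, cons in sorted(seqs, key=lambda s: -s[1] * s[2]):
        print(f"{str(sorted(failed)):40} {freq:.3e}/yr x {cons:6.0f}")
    print("expected loss per year:", expected_loss(seqs))
    print("by consequence class:", risk_spectrum(seqs))
```

With these constructed numbers the rarest class (containment also fails) carries about half of the total expected loss, so its assumed failure probability drives the result.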
In addition to the above methods, PRA studies require special but often very important analysis tools like human reliability analysis (HRA) and common-cause-failure analysis (CCF). HRA deals with methods for modeling human error while CCF deals with methods for evaluating the effect of inter-system and intra-system dependencies which tend to cause simultaneous failures and thus significant increases in overall risk.
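The effect of a common cause on redundant systems can be shown numerically. This is an added example, not part of the original article; it uses the beta-factor model, one widely used parametric CCF model that the article itself does not name, and all probabilities are constructed.

```python
import random

def p_all_fail_independent(q, n):
    """All n redundant trains fail, assuming fully independent failures."""
    return q ** n

def p_all_fail_beta(q, n, beta):
    """Beta-factor model: a fraction beta of each train's failure
    probability q comes from a shared cause that fails every train at once."""
    q_ccf = beta * q          # common-cause part, hits all trains together
    q_ind = (1.0 - beta) * q  # independent part, per train
    # System fails on the common cause, or else on n independent failures.
    return q_ccf + (1.0 - q_ccf) * q_ind ** n

def underestimation_factor(q, n, beta):
    """How far the independence assumption understates system failure."""
    return p_all_fail_beta(q, n, beta) / p_all_fail_independent(q, n)

def simulate(q, n, beta, trials=200_000, seed=1):
    """Monte Carlo check of the beta-factor formula (seeded, reproducible)."""
    rng = random.Random(seed)
    q_ccf, q_ind = beta * q, (1.0 - beta) * q
    failures = 0
    for _ in range(trials):
        common = rng.random() < q_ccf
        if common or all(rng.random() < q_ind for _ in range(n)):
            failures += 1
    return failures / trials

if __name__ == "__main__":
    q, beta = 1e-3, 0.1  # constructed values
    for n in range(1, 5):
        print(n, p_all_fail_independent(q, n), p_all_fail_beta(q, n, beta))
    print("factor for 3 trains:", underestimation_factor(q, 3, beta))
    print("simulated (q=0.1, beta=0.2, n=3):", simulate(0.1, 3, 0.2))
```

Once the common-cause term dominates, adding further trains barely lowers the system failure probability, which stays near `beta * q`.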
Nancy Leveson of MIT and her collaborators have argued that the chain-of-event conception of accidents typically used for such risk assessments cannot account for the indirect, non-linear, and feedback relationships that characterize many accidents in complex systems. These risk assessments do a poor job of modeling human actions and their impact on known, let alone unknown, failure modes. Also, as a 1978 Risk Assessment Review Group Report to the NRC pointed out, it is "conceptually impossible to be complete in a mathematical sense in the construction of event-trees and fault-trees … This inherent limitation means that any calculation using this methodology is always subject to revision and to doubt as to its completeness."
In the case of many accidents, probabilistic risk assessment models do not account for unexpected failure modes:
At Japan's Kashiwazaki Kariwa reactors, for example, after the 2007 Chuetsu earthquake some radioactive materials escaped into the sea when ground subsidence pulled underground electric cables downward and created an opening in the reactor's basement wall. As a Tokyo Electric Power Company official remarked then, "It was beyond our imagination that a space could be made in the hole on the outer wall for the electric cables."
When it comes to future safety, nuclear designers and operators often assume that they know what is likely to happen, which is what allows them to assert that they have planned for all possible contingencies. Yet there is one weakness of the probabilistic risk assessment method that has been emphatically demonstrated with the Fukushima I nuclear accidents -- the difficulty of modeling common-cause or common-mode failures:
From most reports it seems clear that a single event, the tsunami, resulted in a number of failures that set the stage for the accidents. These failures included the loss of offsite electrical power to the reactor complex, the loss of oil tanks and replacement fuel for diesel generators, the flooding of the electrical switchyard, and perhaps damage to the inlets that brought in cooling water from the ocean. As a result, even though there were multiple ways of removing heat from the core, all of them failed.
However, a PRA analysis that assumed an initiating event of a beyond-design-basis tsunami of the magnitude that occurred would have identified most, if not all, of the above consequences. In this case, the challenge is not with the PRA method but with the selection of initiating events. For any given design, a low-probability, high-magnitude initiating event can be assumed for which the design will fail. However, selecting an unrealistically severe initiator defeats the purpose of the analysis, as potential vulnerabilities to realistic scenarios will be masked.
- PRA Software used by the U.S. Department of Energy, Nuclear Regulatory Commission, and NASA
- NASA Paper on PRAs
- Nuclear industry PRA software (CAFTA)
- A collection of links to free publications on PRA
- PRA software RiskSpectrum
- Centrale Nucléaire de Fessenheim : appréciation du risque sismique RÉSONANCE Ingénieurs-Conseils SA, published 2007-09-05, accessed 2011-03-30
- M. V. Ramana (19 April 2011). "Beyond our imagination: Fukushima and the problem of assessing risk". Bulletin of the Atomic Scientists.
- Diaz Maurin, François (26 March 2011). "Fukushima: Consequences of Systemic Problems in Nuclear Plant Design". Economic & Political Weekly 46 (13): 10–12.