Risk Assessment
Vicki M. Bier (University of Wisconsin-Madison)


1 Risk Assessment
Vicki M. Bier (University of Wisconsin-Madison)

2 Introduction
Risk assessment is a means to characterize and reduce uncertainty to support our ability to deal with catastrophe
Modern risk assessment for engineered systems began with the Reactor Safety Study (1975):
–Applications to engineered systems and infrastructure are common

3 What is Risk Assessment?
A systematic approach to organizing and analyzing scientific knowledge and information for potentially hazardous activities or for substances that might pose risks under specified circumstances
–National Research Council (NRC), 1994

4 Definitions of Risk
Both uncertainty and some kind of loss or damage (Kaplan and Garrick 1981)
The potential for realization of unwanted, negative consequences of an event (Rowe 1976)
The probability per unit time of the occurrence of a unit cost burden (Sage and White 1980)
The likelihood that a vulnerability will be exploited (NRC 2002)

5 Paradigm for Risk Assessment
A form of systems analysis
Answers three questions (Kaplan and Garrick 1981):
–What can go wrong?
–How likely is it that that will happen?
–If it does happen, what are the consequences?

6 What is Probabilistic Risk Assessment?
An integrated model of the response of an engineered system to disturbances during operations
A rigorous and systematic identification of the levels of damage that could conceivably result from those responses
A probabilistic (that is, quantitative) assessment of the frequency of such occurrences and our uncertainty in that assessment
A tool to help owners/operators make good decisions about system operations

7 ESSENCE OF PRA
A PRA is an assessment of how well a system responds to a variety of situations
It answers three basic questions:
1. What can go wrong during operation?
2. How likely is it to go wrong?
3. What are the consequences when it goes wrong?
We answer the first question in terms of scenarios
We answer the second by quantifying our knowledge of the likelihood of each scenario
We answer the third by quantifying our knowledge of the response of the system and its operators in terms of:
- damage states
- release states and source terms
- scenario consequences

8 GRAPHICAL PRESENTATION OF RISK
SCENARIO   PROBABILITY   DAMAGE     CUMULATIVE PROBABILITY
s_1        p_1           x_1        P_1 = P_2 + p_1
s_2        p_2           x_2        ...
s_3        p_3           x_3        ...
...        ...           ...        ...
s_(N-1)    p_(N-1)       x_(N-1)    P_(N-1) = P_N + p_(N-1)
s_N        p_N           x_N        P_N = p_N
[Figure: RISK CURVE, with axis labels X, p(>x) and P]

9 STRUCTURE OF THE MODERN PRA MODEL
[Diagram. Labels: INITIATING EVENTS; PLANT (ACTIVE SYSTEMS) MODEL; CONTAINMENT STRENGTH AND CORE DAMAGE PROGRESSION MODEL; OFFSITE RADIOACTIVE MATERIAL DISPERSION AND HEALTH IMPACT MODEL; SUPPORT SYSTEMS MODEL; FRONTLINE SYSTEMS – EARLY RESPONSE MODEL; FRONTLINE SYSTEMS – LATE AND CONTAINMENT SAFETY FEATURES RESPONSE MODEL; PLANT DAMAGE STATES; RELEASE CATEGORIES; RISK BY HEALTH EFFECT TYPE; SUPPORT SYSTEM STATES; SUBTREE FREQUENCIES; LEVEL 3, 2, 1]

10 QUANTIFYING SCENARIOS
[Event tree diagram. Labels: INITIATING EVENT; A, B, C, D; NODE A; NODE B 1; NODE C 3]

11 EVENT SEQUENCE QUANTIFICATION
WHERE
= the frequency of scenario S
= the frequency of initiating event I
= the fraction of times system A succeeds given that I has happened
= the fraction of times system B fails given that I has happened and A has succeeded
= the fraction of times C succeeds given that I has happened, that A has succeeded, and B has failed
= the fraction of times D fails given
[Figure: SIMPLIFIED EVENT TREE DIAGRAM. Labels: INITIATING EVENT 1; A, B, C, D; NODE B 1]
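
The quantification on slide 11 and the risk curve on slide 8, worked through in Python as an added example (not part of the original presentation). The initiating-event frequency, the split fractions, the rule that each earlier failure doubles a later system's failure fraction, and the damage index are all constructed assumptions.

```python
from itertools import product

# All numbers below are constructed for illustration.
SYSTEMS = ("A", "B", "C", "D")      # top events, in event-tree order
INITIATOR_FREQ = 0.5                # initiating events I per year
BASE_FAIL = {"A": 0.1, "B": 0.2, "C": 0.1, "D": 0.3}

def fail_fraction(system, failed_so_far):
    """Fraction of times `system` fails, given the path so far.
    Assumed dependence: every earlier failure doubles it (capped at 1)."""
    return min(1.0, BASE_FAIL[system] * 2 ** len(failed_so_far))

def scenarios():
    """Return (failed systems, frequency, damage) for every path in the tree."""
    result = []
    for outcome in product((False, True), repeat=len(SYSTEMS)):  # True = fails
        freq, failed = INITIATOR_FREQ, []
        for system, fails in zip(SYSTEMS, outcome):
            f = fail_fraction(system, failed)
            freq *= f if fails else 1.0 - f   # conditional split fraction
            if fails:
                failed.append(system)
        damage = len(failed)                  # constructed damage index x
        result.append(("".join(failed), freq, damage))
    return result

def risk_curve(scen):
    """Exceedance frequency per damage level, accumulated from the worst
    level downward as on slide 8: P_N = p_N, P_i = P_(i+1) + p_i."""
    by_damage = {}
    for _, freq, damage in scen:
        by_damage[damage] = by_damage.get(damage, 0.0) + freq
    curve, running = {}, 0.0
    for damage in sorted(by_damage, reverse=True):
        running += by_damage[damage]
        curve[damage] = running
    return curve

if __name__ == "__main__":
    for damage, p in sorted(risk_curve(scenarios()).items()):
        print(f"damage >= {damage}: {p:.4f} per year")
```

The path in which A succeeds, B fails, C succeeds and D fails is the one whose terms slide 11 defines; here it appears as the scenario labelled "BD".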

12 STAGES TO EVENT TREE LINKING
[Diagram. Labels: SCOPING REQUIREMENTS; INITIATING EVENTS; ELECTRIC POWER SYSTEMS; OTHER SUPPORT SYSTEMS; EARLY FRONTLINE SYSTEMS; LATE FRONTLINE SYSTEMS; PLANT DAMAGE STATES; AFW; TANK; PUMP 1; PUMP 2; PUMP 3]

13 RELATIONSHIP OF FAULT TREES TO EVENT TREES
[Diagram. Labels: AFW; ISOLATION VALVE 1; ISOLATION VALVE 2; GGVM COOLING 1; GGVM COOLING 2; TANK; APU MODULE; LEGEND: OR GATE, AND GATE; INITIAL CONDITIONS; STAGE A TOP EVENTS; DAMAGE STATE; OK; PLS; LOC/V]

14 FAULT TREES AND EVENT TREES
Both useful
Event trees used to display order of events and dependent events
Fault trees used to display combinations of events:
–Order and dependencies are obscured
Logically equivalent

15 RISK MANAGEMENT
Develop an integrated plant-specific risk model
Rank order contributors to risk by damage index
Decompose contributors into specific elements
Identify options, such as design and procedure changes, for reducing the impact of the contributor on risk
Make the appropriate changes in the risk model:
–And re-compute the risk for each option
Compute the cost impacts of each system configuration, relative to the base case:
–Including both initial and annual costs
Present the costs, risks, and benefits for each option

16 RISK DECOMPOSITION (ANATOMY OF RISK)
[Diagram. Labels: LEVEL OF DAMAGE; TYPE OF RELEASE; TYPE OF PLANT DAMAGE; INITIATING EVENT; EVENT SEQUENCE; SYSTEM UNAVAILABILITY; FAILURE CAUSES; System B Cause Table; INPUT DATA; CAUSES; FREQUENCIES; EFFECTS; MAJOR SYSTEM; DOMINANT SEQUENCE; DOMINANT FAILURE MODES]
Numbered list in the diagram:
1. Initiating events
2. Components
3. Maintenance
4. Human error
5. Common cause
6. Environmental
7. Other

17 REACTOR TRIP SYSTEM CAUSE TABLE
CONTRIBUTORS TO SYSTEM FAILURE FREQUENCY
CAUSE                                                      FREQUENCY--FAILURES PER 10,000 DEMANDS
Common cause failures of reactor trip breakers             5.1 (occurred at Salem in February 1983)
Multiple independent failures of reactor trip breakers     0.39
Reactor trip system in test mode and one breaker fails
TOTAL                                                      5.5
This analysis was performed in November 1982

18 SUCCESSFUL RISK MANAGEMENT: A FEW EXAMPLES DUE TO PLG STUDIES
DESCRIPTION: PRA identified that interaction of two buildings during an earthquake dominated the risk of an operating plant. Installing rubber bumpers between the buildings eliminated the problem.
APPROXIMATE BENEFIT: Factor of 10 reduction in core damage frequency.
DESCRIPTION: PRA allowed the utility to justify installation of a non-safety grade AFW pump sharing common lines, instead of the usual safety grade post-TMI requirement.
APPROXIMATE BENEFIT: Core damage frequency reduction, and millions of dollars.
DESCRIPTION: PRA identified station blackout as the major contributor to core damage frequency. It also identified a procedure change to direct operators to manually cross-connect like buses from the adjacent unit.
APPROXIMATE BENEFIT: 33% reduction in core damage frequency.
DESCRIPTION: The PRA identified a peculiarity in the AC power supply in which the three so-called redundant, independent fuel-oil transfer pumps to the emergency diesel-generators were not independent at all. One pump actually depended on the operation of the other two diesels. A simple correction of the power supply logic fixed the problem.
APPROXIMATE BENEFIT: Factor of 50 reduction in core damage frequency.
DESCRIPTION: PRA study showed that risk to population beyond two miles did not depend on evacuation. Recommended reduction in EPZ.
APPROXIMATE BENEFIT: Reduction of EPZ from 10 to one or two miles considered by NRC.

19 Data Analysis
Input parameters are quantified from available data:
–Typically using expert judgment and Bayesian statistics
–Due to sparseness of directly relevant data
Hierarchical (two-stage) Bayesian methods common:
–Partially relevant data used to help construct prior distributions
Numerous areas in which improvements can be made:
–Treatment of probabilistic dependence
–Reliance on subjective prior distributions
–Treatment of model uncertainty

20 Dependencies
The failure rates (or probabilities) of components can be uncertain and dependent on each other:
–For example, learning that one component had a higher failure rate than expected may cause one to increase one's estimates of the failure rates of other similar components
Failure to take such dependence into account can result in substantial underestimation of the uncertainty about the overall system failure rate:
–And also the mean failure probability of the system
Historically, dependencies among random variables have often been either ignored:
–Or else modeled as perfect correlation
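
The underestimation described on slide 20, shown by Monte Carlo as an added example (not part of the original presentation). It assumes a system of two similar redundant components that fails only when both fail, a lognormal state of knowledge about each failure probability with a constructed median and error factor, and compares the two historical treatments named above: dependence ignored versus perfect correlation.

```python
import math
import random

# Constructed state-of-knowledge distribution for one component's
# failure probability q: lognormal with the median and error factor below.
MEDIAN = 1e-3
ERROR_FACTOR = 5.0                          # 95th percentile / median
SIGMA = math.log(ERROR_FACTOR) / 1.645      # 1.645 = 95th pct. of N(0, 1)
MU = math.log(MEDIAN)

def summarize(samples):
    """Mean and empirical 95th percentile of a list of samples."""
    ordered = sorted(samples)
    return {"mean": sum(ordered) / len(ordered),
            "p95": ordered[int(0.95 * len(ordered))]}

def system_failure(n=100_000, seed=1):
    """Sample the system failure probability q1 * q2 under both treatments."""
    rng = random.Random(seed)
    independent, dependent = [], []
    for _ in range(n):
        q1 = rng.lognormvariate(MU, SIGMA)
        q2 = rng.lognormvariate(MU, SIGMA)
        independent.append(q1 * q2)   # dependence ignored: separate draws
        dependent.append(q1 * q1)     # perfect correlation: one shared draw
    return summarize(independent), summarize(dependent)

def analytic_mean_ratio():
    """E[q^2] / E[q]^2 for a lognormal q, which equals exp(sigma^2)."""
    return math.exp(SIGMA ** 2)

if __name__ == "__main__":
    ind, dep = system_failure()
    print("mean ratio (dependent / independent):", dep["mean"] / ind["mean"])
    print("p95 ratio  (dependent / independent):", dep["p95"] / ind["p95"])
    print("analytic mean ratio:", analytic_mean_ratio())
```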

21 Dependencies
The use of copulas or other multivariate distributions has become more common:
–But tractable models still are not sufficiently general to account for all realistic assumptions, such as E(X|D) > E(Y|D) for all D
High-dimensional joint distributions are also challenging:
–Correlation matrices must be positive definite
–There can be numerous higher-order correlations to assess
Cooke et al. developed a practical method for specifying a joint distribution over n continuous random variables:
–Using only n(n-1)/2 assessments of conditional correlations
–(Bedford and Cooke 2001; Kurowicka and Cooke 2004)

22 Subjectivity
PRA practitioners sometimes treat the subjectivity of prior distributions cavalierly:
–Best practice for eliciting subjective priors is difficult and costly to apply
–Especially for dozens of uncertain quantities
The use of robust or reference priors may minimize the reliance on judgment:
–Although this may not work with sparse data

23 Probability Bounds Analysis
Specify bounds on the cumulative distribution functions of the inputs:
–Rather than specific cumulative distributions
–(Ferson and Donald 1998)
These bounds can then be propagated through a model:
–The uncertainty propagation process can be quite efficient
–Yielding valid bounds on the cumulative distribution function for the final result of the model (e.g., risk)
Can take into account not only uncertainty about the probability distributions of the model inputs:
–But also uncertainty about their correlations and dependence structure
This is especially valuable:
–Correlations are more difficult to assess than marginal distributions
–Correlations of 1 or -1 may not yield the most extreme distributions for the output variable of interest (Ferson and Hajagos 2006)

24 Exposure to Contamination
Regan et al. (2002) compare a two-dimensional Monte Carlo analysis of this problem to the results obtained using probability bounds
The qualitative conclusions of the analysis (e.g., that a predator species was potentially at risk from exposure to contamination) remained unchanged:
–Even using bounds of zero and one for some variables
Bounding analysis can help support a particular decision:
–If results and recommendations are not sensitive to the specific choices of probability distributions used in a simulation

25 Model Uncertainty
Uncertainty about model form can be important
Assessing a probability distribution over multiple plausible models is frequently not reasonable:
–All models are wrong, some models are useful (Box)
–Models are not a collectively exhaustive set
–Some models are intentionally simple or conservative
Bayesian model averaging avoids giving too much weight to complex models (Raftery and Zheng 2003):
–But still relies on assigning probabilities to particular models
–Using Bayes' theorem to update those probabilities given data

26 Joint Updating
In general, one will be uncertain about both model inputs and outputs
One would like to update priors for both inputs and outputs consistently:
–With the wider distribution being more sensitive to model results
Raftery et al. (1995) attempted this (Bayesian synthesis):
–But that approach is subject to Borel's paradox
–Since it can involve conditioning on a set of measure zero
Joint updating of model inputs and outputs is largely an unsolved problem

