Managing Safety‐Related Disruptions: Evidence from the U.S. Nuclear Power Industry

Low‐probability, high‐impact events are difficult to manage. Firms may underinvest in risk assessments for low‐probability, high‐impact events because it is not easy to link the direct and indirect benefits of doing so. Scholarly research on the effectiveness of programs aimed at reducing such events faces the same challenge. In this article, we draw on comprehensive industry‐wide data from the U.S. nuclear power industry to explore the impact of conducting probabilistic risk assessment (PRA) on preventing safety‐related disruptions. We examine this using data from over 25,000 monthly event reports across 101 U.S. nuclear reactors from 1985 to 1998. Using Poisson fixed effects models with time trends, we find that the number of safety‐related disruptions reduced between 8% and 27% per month in periods after operators submitted their PRA in response to the Nuclear Regulatory Commission's Generic Letter 88‐20, which required all operators to conduct a PRA. One possible mechanism for this is that the adoption of PRA may have increased learning rates, lowering the rate of recurring events by 42%. We find that operators that completed their PRA before Generic Letter 88‐20 continued to experience safety improvements during 1990–1995. This suggests that revisiting PRA or conducting it again can be beneficial. Our results suggest that even in a highly safety‐conscious industry as nuclear utilities, a more formal approach to quantifying risk has its benefits.     

GIS‐Based Integration of Social Vulnerability and Level 3 Probabilistic Risk Assessment to Advance Emergency Preparedness,Planning, and Response for Severe Nuclear Power Plant Accidents

In the nuclear power industry, Level 3 probabilistic risk assessment (PRA) is used to estimate damage to public health and the environment if a severe accident leads to large radiological release. Current Level 3 PRA does not have an explicit inclusion of social factors and, therefore, it is not possible to perform importance ranking of social factors for risk‐informing emergency preparedness, planning, and response (EPPR). This article offers a methodology for adapting the concept of social vulnerability, commonly used in natural hazard research, in the context of a severe nuclear power plant accident. The methodology has four steps: (1) calculating a hazard‐independent social vulnerability index for the local population; (2) developing a location‐specific representation of the maximum radiological hazard estimated from current Level 3 PRA, in a geographic information system (GIS) environment; (3) developing a GIS‐based socio‐technical risk map by combining the social vulnerability index and the location‐specific radiological hazard; and (4) conducting a risk importance measure analysis to rank the criticality of social factors based on their contribution to the socio‐technical risk. The methodology is applied using results from the 2012 Surry Power Station state‐of‐the‐art reactor consequence analysis. A radiological hazard model is generated from MELCOR accident consequence code system, translated into a GIS environment, and combined with the Center for Disease Control social vulnerability index (SVI). This research creates an opportunity to explicitly consider and rank the criticality of location‐specific SVI themes based on their influence on risk, providing input for EPPR.     

Should the Model for Risk‐Informed Regulation be Game Theory Rather than Decision Theory?

Risk analysts frequently view the regulation of risks as being largely a matter of decision theory. According to this view, risk analysis methods provide information on the likelihood and severity of various possible outcomes; this information should then be assessed using a decision‐theoretic approach (such as cost/benefit analysis) to determine whether the risks are acceptable, and whether additional regulation is warranted. However, this view ignores the fact that in many industries (particularly industries that are technologically sophisticated and employ specialized risk and safety experts), risk analyses may be done by regulated firms, not by the regulator. Moreover, those firms may have more knowledge about the levels of safety at their own facilities than the regulator does. This creates a situation in which the regulated firm has both the opportunity—and often also the motive—to provide inaccurate (in particular, favorably biased) risk information to the regulator, and hence the regulator has reason to doubt the accuracy of the risk information provided by regulated parties. Researchers have argued that decision theory is capable of dealing with many such strategic interactions as well as game theory can. This is especially true in two‐player, two‐stage games in which the follower has a unique best strategy in response to the leader's strategy, as appears to be the case in the situation analyzed in this article. However, even in such cases, we agree with Cox that game‐theoretic methods and concepts can still be useful. In particular, the tools of mechanism design, and especially the revelation principle, can simplify the analysis of such games because the revelation principle provides rigorous assurance that it is sufficient to analyze only games in which licensees truthfully report their risk levels, making the problem more manageable. Without that, it would generally be necessary to consider much more complicated forms of strategic behavior (including deception), to identify optimal regulatory strategies. Therefore, we believe that the types of regulatory interactions analyzed in this article are better modeled using game theory rather than decision theory. In particular, the goals of this article are to review the relevant literature in game theory and regulatory economics (to stimulate interest in this area among risk analysts), and to present illustrative results showing how the application of game theory can provide useful insights into the theory and practice of risk‐informed regulation.     

Cost‐Benefit Analysis for Optimization of Risk Protection Under Budget Constraints

Cost‐benefit analysis (CBA) is commonly applied as a tool for deciding on risk protection. With CBA, one can identify risk mitigation strategies that lead to an optimal tradeoff between the costs of the mitigation measures and the achieved risk reduction. In practical applications of CBA, the strategies are typically evaluated through efficiency indicators such as the benefit‐cost ratio (BCR) and the marginal cost (MC) criterion. In many of these applications, the BCR is not consistently defined, which, as we demonstrate in this article, can lead to the identification of suboptimal solutions. This is of particular relevance when the overall budget for risk reduction measures is limited and an optimal allocation of resources among different subsystems is necessary. We show that this problem can be formulated as a hierarchical decision problem, where the general rules and decisions on the available budget are made at a central level (e.g., central government agency, top management), whereas the decisions on the specific measures are made at the subsystem level (e.g., local communities, company division). It is shown that the MC criterion provides optimal solutions in such hierarchical optimization. Since most practical applications only include a discrete set of possible risk protection measures, the MC criterion is extended to this situation. The findings are illustrated through a hypothetical numerical example. This study was prepared as part of our work on the optimal management of natural hazard risks, but its conclusions also apply to other fields of risk management.     

Insights into the Societal Risk of Nuclear Power Plant Accidents

The elements of societal risk from a nuclear power plant accident are clearly illustrated by the Fukushima accident: land contamination, long‐term relocation of large numbers of people, loss of productive farm area, loss of industrial production, and significant loss of electric capacity. NUREG‐1150 and other studies have provided compelling evidence that the individual health risk of nuclear power plant accidents is effectively negligible relative to other comparable risks, even for people living in close proximity to a plant. The objective of this study is to compare the societal risk of nuclear power plant accidents to that of other events to which the public is exposed. We have characterized the monetized societal risk in the United States from major societally disruptive events, such as hurricanes, in the form of a complementary cumulative distribution function. These risks are compared with nuclear power plant risks, based on NUREG‐1150 analyses and new MACCS code calculations to account for differences in source terms determined in the more recent SOARCA study. A candidate quantitative societal objective is discussed for potential adoption by the NRC. The results are also interpreted with regard to the acceptability of nuclear power as a major source of future energy supply.     

Applications of probabilistic risk assessments: the selection of appropriate tools

Probabilistic risk assessment (PRA) is an important methodology for assessing the risks of complex technologies. This paper discusses the strengths and weaknesses of PRA. Its application is explored in three different settings: adversarial policy processes, regulatory/licensing procedures, and plant safety audits. It is concluded that PRA is a valuable tool for auditing safety precautions of existing or planned technologies, especially when it is carried out as an interactive process involving designers and plant personnel who are familiar with actual, everyday operations. PRA has not proven to be as well-suited in providing absolute risk estimates in public-policy debates concerning the acceptability of a technology, or for the licensing and regulatory procedures. The reasons for this are discussed.     

Scheduling Updates of Probabilistic Risk Assessments: The Arkansas Nuclear One-Unit 1 Experience

This paper presents the results of a study that identified how often a probabilistic risk assessment (PRA)should be updated to accommodate the changes that take place at nuclear power plants. Based on a 7-year analysis of design and procedural changes at one plant, we consider 5 years to be the maximum interval for updating PRAs. This conclusion is preliminary because it is based on the review of changes that occurred at a single plant, and it addresses only PRAs that involve a Level 1 analysis (i.e., a PRA including calculation of core damage frequency only). Nevertheless, this conclusion indicates that maintaining a useful PRA requires periodic updating efforts. However, the need for this periodic update stems only partly from the number of changes that can be expected to take place at nuclear power plants–changes that individually have only a moderate to minor impact on the PRA, but whose combined impact is substantial and necessitates a PRA update. Additionally, a comparison of two generations of PRAs performed about 5 years apart indicates that PRAs must be periodically updated to reflect the evolution of PRA methods. The most desirable updating interval depends on these two technical considerations as well as the cost of updating the PRA. (Cost considerations, however, were beyond the scope of this study.)     

Quantile Uncertainty and Value‐at‐Risk Model Risk

This article develops a methodology for quantifying model risk in quantile risk estimates. The application of quantile estimates to risk assessment has become common practice in many disciplines, including hydrology, climate change, statistical process control, insurance and actuarial science, and the uncertainty surrounding these estimates has long been recognized. Our work is particularly important in finance, where quantile estimates (called Value‐at‐Risk) have been the cornerstone of banking risk management since the mid 1980s. A recent amendment to the Basel II Accord recommends additional market risk capital to cover all sources of “model risk” in the estimation of these quantiles. We provide a novel and elegant framework whereby quantile estimates are adjusted for model risk, relative to a benchmark which represents the state of knowledge of the authority that is responsible for model risk. A simulation experiment in which the degree of model risk is controlled illustrates how to quantify Value‐at‐Risk model risk and compute the required regulatory capital add‐on for banks. An empirical example based on real data shows how the methodology can be put into practice, using only two time series (daily Value‐at‐Risk and daily profit and loss) from a large bank. We conclude with a discussion of potential applications to nonfinancial risks.     

A Tiered Approach for Risk‐Benefit Assessment of Foods

Risk‐benefit analyses are introduced as a new paradigm for old problems. However, in many cases it is not always necessary to perform a full comprehensive and expensive quantitative risk‐benefit assessment to solve the problem, nor is it always possible, given the lack of required date. The choice to continue from a more qualitative to a full quantitative risk‐benefit assessment can be made using a tiered approach. In this article, this tiered approach for risk‐benefit assessment will be addressed using a decision tree. The tiered approach described uses the same four steps as the risk assessment paradigm: hazard and benefit identification, hazard and benefit characterization, exposure assessment, and risk‐benefit characterization, albeit in a different order. For the purpose of this approach, the exposure assessment has been moved upward and the dose‐response modeling (part of hazard and benefit characterization) is moved to a later stage. The decision tree includes several stop moments, depending on the situation where the gathered information is sufficient to answer the initial risk‐benefit question. The approach has been tested for two food ingredients. The decision tree presented in this article is useful to assist on a case‐by‐case basis a risk‐benefit assessor and policymaker in making informed choices when to stop or continue with a risk‐benefit assessment.     

ASME Risk-Based Inservice Inspection and Testing: An Outlook to the Future

Significant research work has been completed in the development of risk-based inservice inspection (ISI) and testing (IST) technology for nuclear power plant applications through the ASME Center For Research and Technology Development. This paper provides technology that has been developed for these engineering applications. The technology includes risk-based ranking methods, beginning with the use of plant probabilistic risk assessment (PRA), for the determination of risk-significant and less risk-significant components for inspection and the determination of similar populations for pumps and valves for inservice testing. Decision analysis methods are outlined for developing ISI and IST programs. This methodology integrates nondestructive examination data, structural reliability/risk assessment results, PRA results, failure data, and expert opinion to evaluate the effectiveness of ISI programs. Similarly, decision analysis uses the output of failure mode and causes analysis in combination with data, expert opinion, and PRA results to evaluate the effectiveness of IST programs. Results of pilot applications of these ASME methods to actual nuclear plant systems and components are summarized. The results of this work are already being used to develop recommended changes in ISI and IST requirements by the ASME Section XI and the ASME Operation and Maintenance Code organizations. A perspective on Code and regulatory adoption is also outlined. Finally, the potential benefits to the nuclear industry in terms of safety, person-rem exposure, and costs are summarized.     

Fuzzy‐Logic‐Based Safety Verification Framework for Nuclear Power Plants

This article presents a practical implementation of a safety verification framework for nuclear power plants (NPPs) based on fuzzy logic where hazard scenarios are identified in view of safety and control limits in different plant process values. Risk is estimated quantitatively and compared with safety limits in real time so that safety verification can be achieved. Fuzzy logic is used to define safety rules that map hazard condition with required safety protection in view of risk estimate. Case studies are analyzed from NPP to realize the proposed real‐time safety verification framework. An automated system is developed to demonstrate the safety limit for different hazard scenarios.     

How Probabilistic Risk Assessment Can Mislead Terrorism Risk Analysts

Traditional probabilistic risk assessment (PRA), of the type originally developed for engineered systems, is still proposed for terrorism risk analysis. We show that such PRA applications are unjustified in general. The capacity of terrorists to seek and use information and to actively research different attack options before deciding what to do raises unique features of terrorism risk assessment that are not adequately addressed by conventional PRA for natural and engineered systems—in part because decisions based on such PRA estimates do not adequately hedge against the different probabilities that attackers may eventually act upon. These probabilities may differ from the defender's (even if the defender's experts are thoroughly trained, well calibrated, unbiased probability assessors) because they may be conditioned on different information. We illustrate the fundamental differences between PRA and terrorism risk analysis, and suggest use of robust decision analysis for risk management when attackers may know more about some attack options than we do.     

External Initiators in Probabilistic Reactor Accident Analysis—Earthquakes, Fires, Floods, Winds

This article discusses the methodologies presently available for analyzing the contribution of "external initiators" to overall risks in the context of PRA (probabilistic risk assessment) of large commercial nuclear power reactors. "External initiators" include earthquakes, fires and floods inside the plant, external floods, high winds, aircraft, barge, and ship collisions, noxious or explosive gases offsite, and so on. These are in contrast to "internal initiators" such as active or passive plant equipment failures, human errors, and loss of electrical power. The ability to consider external initiators within PRA has undergone major advances in recent years. In general, uncertainties associated with the calculated risks from external initiators are much larger than those associated with internal initiators. The principal uncertainties lie with development of hazard curves (such as the frequency of occurrence of an event exceeding a given size: for example, the likelihood of a hurricane with winds exceeding 125 knots). For assessment of earthquakes, internal fires and floods, and high winds, the methodology is reasonably mature for qualitative assessment but not for quantitative application. The risks from other external initiators are generally considered to be low, either because of the very long recurrence time associated with the events or because the plants are judged to be well designed to withstand them.     

Communicating Low‐Probability High‐Consequence Risk,Uncertainty and Expert Confidence: Induced Seismicity of Deep Geothermal Energy and Shale Gas

Subsurface energy activities entail the risk of induced seismicity including low‐probability high‐consequence (LPHC) events. For designing respective risk communication, the scientific literature lacks empirical evidence of how the public reacts to different written risk communication formats about such LPHC events and to related uncertainty or expert confidence. This study presents findings from an online experiment (N = 590) that empirically tested the public's responses to risk communication about induced seismicity and to different technology frames, namely deep geothermal energy (DGE) and shale gas (between‐subject design). Three incrementally different formats of written risk communication were tested: (i) qualitative, (ii) qualitative and quantitative, and (iii) qualitative and quantitative with risk comparison. Respondents found the latter two the easiest to understand, the most exact, and liked them the most. Adding uncertainty and expert confidence statements made the risk communication less clear, less easy to understand and increased concern. Above all, the technology for which risks are communicated and its acceptance mattered strongly: respondents in the shale gas condition found the identical risk communication less trustworthy and more concerning than in the DGE conditions. They also liked the risk communication overall less. For practitioners in DGE or shale gas projects, the study shows that the public would appreciate efforts in describing LPHC risks with numbers and optionally risk comparisons. However, there seems to be a trade‐off between aiming for transparency by disclosing uncertainty and limited expert confidence, and thereby decreasing clarity and increasing concern in the view of the public.     

“What—Me Worry?”1“Why So Serious?”:2 A Personal View on the Fukushima Nuclear Reactor Accidents

Infrequently, it seems that a significant accident precursor or, worse, an actual accident, involving a commercial nuclear power reactor occurs to remind us of the need to reexamine the safety of this important electrical power technology from a risk perspective. Twenty‐five years since the major core damage accident at Chernobyl in the Ukraine, the Fukushima reactor complex in Japan experienced multiple core damages as a result of an earthquake‐induced tsunami beyond either the earthquake or tsunami design basis for the site. Although the tsunami itself killed tens of thousands of people and left the area devastated and virtually uninhabitable, much concern still arose from the potential radioactive releases from the damaged reactors, even though there was little population left in the area to be affected. As a lifelong probabilistic safety analyst in nuclear engineering, even I must admit to a recurrence of the doubt regarding nuclear power safety after Fukushima that I had experienced after Three Mile Island and Chernobyl. This article is my attempt to “recover” my personal perspective on acceptable risk by examining both the domestic and worldwide history of commercial nuclear power plant accidents and attempting to quantify the risk in terms of the frequency of core damage that one might glean from a review of operational history.     

First Application of FISK,the Freshwater Fish Invasiveness Screening Kit,in Northern Europe: Example of Southern Finland

The climatic conditions of north temperate countries pose unique influences on the rates of invasion and the potential adverse impacts of non‐native species. Methods are needed to evaluate these risks, beginning with the pre‐screening of non‐native species for potential invasives. Recent improvements to the Fish Invasiveness Scoring Kit (FISK) have provided a means (i.e., FISK v2) of identifying potentially invasive non‐native freshwater fishes in virtually all climate zones. In this study, FISK is applied for the first time in a north temperate country, southern Finland, and calibrated to determine the appropriate threshold score for fish species that are likely to pose a high risk of being invasive in this risk assessment area. The threshold between “medium” and “high” risk was determined to be 22.5, which is slightly higher than the original threshold for the United Kingdom (i.e., 19) and that determined for a FISK application in southern Japan (19.8). This underlines the need to calibrate such decision‐support tools for the different areas where they are employed. The results are evaluated in the context of current management strategies in Finland regarding non‐native fishes.     

Recent Case Studies and Advancements in Probabilistic Risk Assessment

During the period from 1977 to 1984, Pickard, Lowe and Garrick, Inc., had the lead in preparing several full scope probabilistic risk assessments for electric utilities. Five of those studies are discussed from the point of view of advancements and lessons learned. The objective and trend of these studies is toward utilization of the risk models by the plant owners as risk management tools. Advancements that have been made are in presentation and documentation of the PRAs, generation of more understandable plant level information, and improvements in methodology to facilitate technology transfer. Specific areas of advancement are in the treatment of such issues as dependent failures, human interaction, and the uncertainty in the source term. Lessons learned cover a wide spectrum and include the importance of plant specific models for meaningful risk management, the role of external events in risk, the sensitivity of contributors to choice of risk index, and the very important finding that the public risk is extremely small. The future direction of PRA is to establish less dependence on experts for in-plant application. Computerizing the PRAs such that they can be accessed on line and interactively is the key.     

Integrating a Top‐Down and a Bottom‐Up Approach: Formal and Informal Risk‐Handling Strategies in a Utility Company

In this study, we bring together a top‐down and a bottom‐up approach of risk handling. We do so by conceptualizing and qualitatively and quantitatively measuring formal and informal risk‐handling strategies in a Dutch utility company. We conceive of formal risk handling as regulating, training, and educating safety and enforcing rule compliance, while we distinguish three different informal risk‐handling strategies: discretionary specialization, tacit knowledge, and taking personal responsibility. We show that the formal risk‐handling strategy and the three informal risk‐handling strategies can be measured separately. Hence, we have validated the measurement of all four strategies derived from two different risk‐handling approaches. Moreover, we have demonstrated that the perceived use of the four strategies has different effects on unsafe behavior: formal risk handling and tacit knowledge decrease it, discretion increases it, and taking personal responsibility has no effect on unsafe behavior.     

A Probabilistic Framework for Risk Analysis of Widespread Flood Events: A Proof‐of‐Concept Study

This article presents a flood risk analysis model that considers the spatially heterogeneous nature of flood events. The basic concept of this approach is to generate a large sample of flood events that can be regarded as temporal extrapolation of flood events. These are combined with cumulative flood impact indicators, such as building damages, to finally derive time series of damages for risk estimation. Therefore, a multivariate modeling procedure that is able to take into account the spatial characteristics of flooding, the regionalization method top‐kriging, and three different impact indicators are combined in a model chain. Eventually, the expected annual flood impact (e.g., expected annual damages) and the flood impact associated with a low probability of occurrence are determined for a study area. The risk model has the potential to augment the understanding of flood risk in a region and thereby contribute to enhanced risk management of, for example, risk analysts and policymakers or insurance companies. The modeling framework was successfully applied in a proof‐of‐concept exercise in Vorarlberg (Austria). The results of the case study show that risk analysis has to be based on spatially heterogeneous flood events in order to estimate flood risk adequately.     

Probabilistic Risk Analysis for a High-Level Radioactive Waste Repository

A probabilistic risk analysis (PRA) for a high-level radioactive waste repository is very important since it gives an estimate of its health impacts, allowing comparisons to be made with the health impacts of competing technologies. However, it is extremely difficult to develop a credible PRA for a specific repository site because of large uncertainties in future climate, hydrology, geological processes, etc. At best, such a PRA would not be understandable to the public. An alternative proposed here is to develop a PRA for an average U.S. site, taking all properties of the site to be the U.S. average. The results are equivalent to the average results for numerous randomly selected sites. Such a PRA is presented here; it is easy to understand, and it is not susceptible to substantial uncertainty. Applying the results to a specific repository site then requires only a simple, intuitively acceptable "leap of faith" in assuming that with large expenditures of effort and money, experts can select a site that would be at least as secure as a randomly selected site.