Probabilistic risk analysis for the NASA space shuttle: a brief history and current work

While NASA managers have always relied on risk analysis tools for the development and maintenance of space projects, quantitative and especially probabilistic techniques have been gaining acceptance in recent years. In some cases, the studies have been required, for example, to launch the Galileo spacecraft with plutonium fuel, but these successful applications have helped to demonstrate the benefits of these tools. This paper reviews the history of probabilistic risk analysis (PRA) by NASA for the space shuttle program and discusses the status of the on-going development of the Quantitative Risk Assessment System (QRAS) software that performs PRA. The goal is to have within NASA a tool that can be used when needed to update previous risk estimates and to assess the benefits of possible upgrades to the system.     

Comparison of techniques for modeling accident progression in dynamic aerospace applications with and without repair

This paper discusses the use of the multiple event tree and single event tree approaches in Probabilistic Risk Assessments for aerospace applications. The issue is how repair can affect the modeling. Four simple examples are presented to show how even a seemingly simple system can become a complex PRA model if the less than optimum approach is used. In cases of repair, it is suggested that the multiple event tree approach is the more appropriate model. In cases of no repair, it is suggested that the single event tree approach is the easier PRA modeling solution.     

Living PRAs made easier with IRRAS

The Integrated Reliability and Risk Analysis System (IRRAS) is an integrated PRA software tool that gives the user the ability to create and analyze fault trees and accident sequences using an IBM-compatible microcomputer. This program provides functions that range from graphical fault tree and event tree construction to cut set generation and quantification.

IRRAS contains all the capabilities and functions required to create, modify, reduce and analyze event tree and fault tree models used in the analysis of complex systems and processes. IRRAS uses advanced graphic and analytical techniques to achieve the greatest possible realization of the potential of the microcomputer. When the needs of the user exceed this potential, IRRAS can call upon the power of the mainframe computer.

The role of the Idaho National Engineering Laboratory in the IRRAS program is that of software developer and interface to the user community. Version 1.0 of the IRRAS program was released in February 1987 to prove the concept of performing this kind of analysis on microcomputers. This version contained many of the basic features needed for fault tree analysis and was received very well by the PRA community. Since the release of Version 1.0, many user comments and enhancements have been incorporated into the program providing a much more powerful and user-friendly system. This version is designated ‘IRRAS 2.0’. Version 3.0 will contain all of the features required for efficient event tree and fault tree construction and analysis.     

A study on importance measures and a quantification algorithm in a fire PRA model

In the current quantification of fire probabilistic risk assessment (PRA), when components are damaged by a fire, the basic event values of the components become ‘true’ or one (1), which removes the basic events related to the components from the minimal cut sets, and which makes it difficult to calculate accurate component importance measures. A new method to accurately calculate an importance measure such as Fussell-Vesely in fire PRA is introduced in this paper. Also, a new quantification algorithm in the fire PRA model is proposed to support the new calculation method of the importance measures. The effectiveness of the new method in finding the importance measures is illustrated with an example of evaluating cables’ importance.     

Failure Prevention Through the Cataloging of Successful Risk Mitigation Strategies

The objective of this paper is to introduce the method to add mitigation strategy data to the generated risk event effect neutralization (GREEN) method knowledgebase to improve its ability to effectively mitigate risks. Risk mitigation is the creation and selection of mitigation strategies to reduce, measure, or control risks in a system. Currently, a vast majority of risk mitigation strategies are created based on the engineering expertise of the engineers on a project. The GREEN method provides a means for engineers to supplement their experience by generating risk mitigation strategies based on past successful risk mitigation strategies using the failure modes of the potential risks that the product faces. In order to better aid the engineer in selecting the best possible risk mitigation strategy for a particular risk, more information on mitigation strategies needs to be cataloged in the GREEN knowledgebase. This paper outlines and demonstrates the method for adding new data on mitigation strategies to the knowledgebase, and presents a case study of how this information is added and used to mitigate product risks.     

Insights from the benchmark exercises and impact on methodological development

In order to understand the state of the art in Probabilistic Risk Assessment (PRA) and to quantify and qualify the uncertainties involved, the Joint Research Centre has organised a series of benchmark exercises related to realistic problem cases. Four exercises dealt with, respectively; systems reliability analysis, common cause failure analysis, human reliability assessment and event sequence modelling and quantification. In this paper the main results and conclusions of the four benchmark exercises are summarised. Furthermore, it is discussed how identified weaknesses or open problems have been addressed in recent methodological developments.     

A framework to integrate software behavior into dynamic probabilistic risk assessment

Software plays an increasingly important role in modern safety-critical systems. Although, research has been done to integrate software into the classical probabilistic risk assessment (PRA) framework, current PRA practice overwhelmingly neglects the contribution of software to system risk. Dynamic probabilistic risk assessment (DPRA) is considered to be the next generation of PRA techniques. DPRA is a set of methods and techniques in which simulation models that represent the behavior of the elements of a system are exercised in order to identify risks and vulnerabilities of the system. The fact remains, however, that modeling software for use in the DPRA framework is also quite complex and very little has been done to address the question directly and comprehensively. This paper develops a methodology to integrate software contributions in the DPRA environment. The framework includes a software representation, and an approach to incorporate the software representation into the DPRA environment SimPRA. The software representation is based on multi-level objects and the paper also proposes a framework to simulate the multi-level objects in the simulation-based DPRA environment. This is a new methodology to address the state explosion problem in the DPRA environment. This study is the first systematic effort to integrate software risk contributions into DPRA environments.     

Development of a new quantification method for a fire PSA

For an internal fire analysis, fire scenarios are developed carefully and quantified in a sequential and iterative way in a traditional fire Probabilistic Safety Assessment (PSA). However, there has been no proven explicit method to avoid these iterative quantifications till now. This study presents the Jung's Single Top And Run (JSTAR) method that facilitates a simultaneous single quantification of all fire scenarios. The JSTAR method could be employed at the fire PSA phases of a quantitative screening or detailed analysis. Using the JSTAR method, accurate fire risks of a fault tree that has many negates could be calculated by avoiding the frequent house event propagations of the fire scenario conditions. Furthermore, the proposed JSTAR method is a simple and explicit method to build a single-top external event PSA model for a risk-monitoring system.The JSTAR method could be implemented easily by developing a small automatic conversion tool. Depending on the maintenance policy of a fire PSA model, a single-top fire PSA model that is created by the conversion tool could be maintained permanently or it could be temporarily generated and discarded. The use of the JSTAR method is recommended for all external event PSAs such as an internal flooding risk analysis.     

Procedure for the analysis of errors of commission during non-power modes of nuclear power plant operation

The continued, historical occurrence of human interactions which place nuclear power plants in a condition of potentially heightened risk is of increasing interest to regulators, utility management, and industry observers alike. These Errors of Commission (EOCs), as they are often called, lead to a variety of questions such as: ‘Can the event lead to a potentially dangerous condition such as core damage? By what failure mechanisms? With what frequency? What defences does the plant have to mitigate the event? Are these actions in the Probabilistic Risk Assessment (PRA) model of the plant?’. EOCs are often excluded from the bounds of a typical PRA model, yet they have the potential for being significant contributors to risk. This paper is the second of two describing procedures for the analysis of the potential for significant errors of commission. The first paper addressed operations at power while this paper describes the procedure for non-power operations. Each procedure describes a method for identifying the opportunities for error, identifying failures modes of functions, systems, or components that could arise from such errors (referred to in this paper as error expressions), and the identification of the most significant of these EOCs based on consideration of consequences, recovery potential, and likelihood.     

Development and application of a Risk Assessment Tool

Probabilistic Safety Assessment (PSA) is a powerful method for evaluating the safety of nuclear facilities. PSA models are the basis of risk monitors, which can be utilized for monitoring the plant risk. The objective of this work was to develop a risk monitoring software tool, which could match the requirements for a risk monitor, according to standard reference documents. We tried to implement all required features in a user-friendly interface. In this paper a newly developed risk monitor called Risk Assessment Tool (RAT) is presented, and its main features and capabilities are introduced. Some of these features are: graphical event/fault tree developing interface, a 30-day risk profile, performing importance analysis, different administrative levels, and handling time-dependent failure data. In order to have an actual application, a case study is performed for Tehran Research Reactor, and the results are compared to the results obtained from a well-known reliability software package. In most cases, the results from two software tools match well.     

Incorporating organizational factors into Probabilistic Risk Assessment (PRA) of complex socio-technical systems: A hybrid technique formalization

This paper is a result of a research with the primary purpose of extending Probabilistic Risk Assessment (PRA) modeling frameworks to include the effects of organizational factors as the deeper, more fundamental causes of accidents and incidents. There have been significant improvements in the sophistication of quantitative methods of safety and risk assessment, but the progress on techniques most suitable for organizational safety risk frameworks has been limited. The focus of this paper is on the choice of “representational schemes” and “techniques.” A methodology for selecting appropriate candidate techniques and their integration in the form of a “hybrid” approach is proposed. Then an example is given through an integration of System Dynamics (SD), Bayesian Belief Network (BBN), Event Sequence Diagram (ESD), and Fault Tree (FT) in order to demonstrate the feasibility and value of hybrid techniques. The proposed hybrid approach integrates deterministic and probabilistic modeling perspectives, and provides a flexible risk management tool for complex socio-technical systems. An application of the hybrid technique is provided in the aviation safety domain, focusing on airline maintenance systems. The example demonstrates how the hybrid method can be used to analyze the dynamic effects of organizational factors on system risk.     

Calculating conditional core damage probabilities for nuclear power plant operations

A part of managing nuclear power plant operations is the control of plant risk over time as components are taken out of service or plant upsets are caused by initiating events. Unfortunately, measuring risk over time proves to be challenging, even with modern probabilistic risk analyses (PRAs) and PRA tools. In general, the process of measuring the operational risk would satisfy three desires: (1) the measurement would provide the risk magnitude for a particular event or over a period of time; (2) the risk results could be summed for a period of time to obtain a cumulative risk profile; and (3) the measurement process would be tractable while still using the current modeling techniques and tools. This paper demonstrates the calculation of the conditional core damage probability (CCDP) for the two cases of component outages and initiating events. In addition, two potential complications were identified that must be addressed when performing a CCDP calculation. The first complication, determining the appropriate nonrecovery probabilities to be applied to an inoperable component or initiating event, addresses the possibility of the plant operators preventing damage to the plant from their actions. The second complication, adjusting common-cause probabilities specific to the plant configuration, accounts for the fact that the PRA common-cause probabilities built into the model are applicable only during nominal conditions. The examples presented in the paper illustrate the potential under-estimation in CCDP when modifications to common-cause probabilities are ignored. These underestimation errors ranged from a factor of two to over a factor of six underestimation in CCDP.     

Database development and uncertainty treatment for estimating pipe failure rates and rupture frequencies

Estimates of failure rates for nuclear power plant piping systems are important inputs to Probabilistic Risk Assessments (PRA) and risk informed applications of PRA. Such estimates are needed for initiating event frequencies for Loss of Coolant Accidents and internal flooding events and for risk informed evaluations of piping system in-service inspection programs. A critical issue in the estimation of these parameters is the treatment of uncertainties, which can exceed an order of magnitude deviation from failure rate point estimates. Sources of uncertainty include failure data reporting issues, scarcity of data, poorly characterized component populations, and uncertainties about the physical characteristics of the failure mechanisms and root causes. A methodology for quantifying these uncertainties using a Bayes' uncertainty analysis method was developed for the EPRI risk informed in-service inspection program and significantly enhanced in subsequent applications. In parallel with these efforts, progress has been made in the development of pipe failure databases that contain the quantity and quality of information needed to support piping system reliability evaluations. Examples are used in this paper to identify technical issues with previous published estimates of pipe failure rates and the numerical impacts of these issues on the pipe failure rates and rupture frequencies are quantified.     

Retrospective review of experience with using the NUPRA software

The models used in probabilistic risk assessment (PRA) by the nuclear industry are supported by a wide variety of computer software. In fact, prior to the publication of the WASH-1400 in 1974, researchers and practitioners had already initiated the software development process leading to today's advanced and user-friendly PC-based software packages. NUS Corporation initiated its PC code development in the early 1980s. After testing a number of prototypes, a first integrated package supporting all parts of the Level 1 PRA was launched in 1987. This software package, called NUPRA, is an implementation of an approach based on minimal cutset equations and it has been used to install ten PRA studies on a PC. Insights from applications are now used to enhance the current NUPRA package to cover Level 2 and Level 3 analysis needs. In this paper the experience of using the NUPRA software is documented.     

An integrated probabilistic risk analysis decision support methodology for systems with multiple state variables

Probabilistic risk analysis (PRA) methods have been proven to be valuable in risk and reliability analysis. However, a weak link seems to exist between methods for analysing risks and those for making rational decisions. The integrated decision support system (IDSS) methodology presented in this paper attempts to address this issue in a practical manner. In consists of three phases: a PRA phase, a risk sensitivity analysis (SA) phase and an optimisation phase, which are implemented through an integrated computer software system. In the risk analysis phase the problem is analysed by the Boolean representation method (BRM), a PRA method that can deal with systems with multiple state variables and feedback loops. In the second phase the results obtained from the BRM are utilised directly to perform importance and risk SA. In the third phase, the problem is formulated as a multiple objective decision making problem in the form of multiple objective reliability optimisation. An industrial example is included. The resultant solutions of a five objective reliability optimisation are presented, on the basis of which rational decision making can be explored.     

Constrained optimization of test intervals using a steady-state genetic algorithm

There is a growing interest from both the regulatory authorities and the nuclear industry to stimulate the use of Probabilistic Risk Analysis (PRA) for risk-informed applications at Nuclear Power Plants (NPPs). Nowadays, special attention is being paid on analyzing plant-specific changes to Test Intervals (TIs) within the Technical Specifications (TSs) of NPPs and it seems to be a consensus on the need of making these requirements more risk-effective and less costly. Resource versus risk-control effectiveness principles formally enters in optimization problems. This paper presents an approach for using the PRA models in conducting the constrained optimization of TIs based on a steady-state genetic algorithm (SSGA) where the cost or the burden is to be minimized while the risk or performance is constrained to be at a given level, or vice versa. The paper encompasses first with the problem formulation, where the objective function and constraints that apply in the constrained optimization of TIs based on risk and cost models at system level are derived. Next, the foundation of the optimizer is given, which is derived by customizing a SSGA in order to allow optimizing TIs under constraints. Also, a case study is performed using this approach, which shows the benefits of adopting both PRA models and genetic algorithms, in particular for the constrained optimization of TIs, although it is also expected a great benefit of using this approach to solve other engineering optimization problems. However, care must be taken in using genetic algorithms in constrained optimization problems as it is concluded in this paper.     

Linear Statistical Models

Risk assessment of rare natural hazards, such as large volcanic block and ash or pyroclastic flows, is addressed. Assessment is approached through a combination of computer modeling, statistical modeling, and extreme-event probability computation. A computer model of the natural hazard is used to provide the needed extrapolation to unseen parts of the hazard space. Statistical modeling of the available data is needed to determine the initializing distribution for exercising the computer model. In dealing with rare events, direct simulations involving the computer model are prohibitively expensive. The solution instead requires a combination of adaptive design of computer model approximations (emulators) and rare event simulation. The techniques that are developed for risk assessment are illustrated on a test-bed example involving volcanic flow.     

Markov models for evaluating risk-informed in-service inspection strategies for nuclear power plant piping systems

As part of an EPRI sponsored research project to develop technology for risk informed in-service inspection evaluations, new methods and databases were developed to predict piping system reliability. The methods include a Markov modeling technique for predicting the influence of alternative inspection strategies on piping system reliability, and Bayes' uncertainty analysis methods for quantifying uncertainties in piping system reliability parameters. This article describes these methods and associated databases needed for their quantification with particular emphasis on the application of the Markov piping reliability model. Insights are developed regarding reliability metrics that should be used in Probabilistic Risk Assessments for estimating time dependent frequencies of loss of coolant accidents and internal flooding events. The methodology for developing estimates of all the input parameters of the piping reliability models is described including the quantitative treatment of uncertainties in risk informed applications. Examples are presented to demonstrate the practical aspects of applying the Markov model and developing the inputs needed for its quantification.     

ARAMIS project: a comprehensive methodology for the identification of reference accident scenarios in process industries

In the frame of the Accidental Risk Assessment Methodology for Industries (ARAMIS) project, this paper aims at presenting the work carried out in the part of the project devoted to the definition of accident scenarios. This topic is a key-point in risk assessment and serves as basis for the whole risk quantification.

The first result of the work is the building of a methodology for the identification of major accident hazards (MIMAH), which is carried out with the development of generic fault and event trees based on a typology of equipment and substances. The term “major accidents” must be understood as the worst accidents likely to occur on the equipment, assuming that no safety systems are installed.

A second methodology, called methodology for the identification of reference accident scenarios (MIRAS) takes into account the influence of safety systems on both the frequencies and possible consequences of accidents. This methodology leads to identify more realistic accident scenarios. The reference accident scenarios are chosen with the help of a tool called “risk matrix”, crossing the frequency and the consequences of accidents.

This paper presents both methodologies and an application on an ethylene oxide storage.