Characterizing the Probability Law on Time Until Core Damage With PRA:
Consequences of Assuming Poisson Initiating Event Processes

Martin Wortman, Ernest Kee & Paul Nelson

Summary

Certain modeling assumptions underlying Probabilistic Risk Assessment (PRA) allow a simple computation of core damage frequency (CDF). These assumptions also guarantee that the time remaining until a core damage event follows an exponential distribution whose parameter equals the computed CDF. While it is commonly understood that these modeling assumptions lead to an approximate characterization of uncertainty, we offer a simple argument that explains why the resulting exponential distribution on the time until core damage under-estimates risk. Our explanation first reviews operational-physics properties of hazard functions, and then offers a non-measure-theoretic argument that reveals the consequences of these properties for PRA.[1] We conclude with a brief discussion that connects intuition with our analytical development.

[1] The conclusions offered here hold for any possible operating history that respects the underlying assumptions of PRA. Hence, measure-theoretic constructs on filtered probability spaces are unnecessary for our developments.

1 Risk and Rational Hazard

A nuclear reactor can experience at most one core damage event. This catastrophic terminus is the central outcome with respect to which we shall characterize risk. In particular, we take the probability law on the time until core damage as a complete (finite) characterization of risk. To this end, Probabilistic Risk Assessment (PRA) offers a means for computing the probability distribution on the time until core damage. The PRA methodology relies on certain assumptions that may or may not agree with the physics characterizing reactor operations. When these assumptions are not in harmony with the underlying operational physics, the PRA assessment of risk becomes (at best) approximate; the quality of the approximate probability law yielded by PRA remains an open question.

In the development that follows, we identify physical and operational features that are generally shared by any maintained system (e.g., a nuclear reactor) that can potentially succumb to a catastrophic failure. We then review the analytical assumptions underlying PRA and rationalize these assumptions against the previously identified physical and operational features. We then identify the direct implications for risk (i.e., for the probability distribution on the time until core damage) when the assumptions underlying PRA cannot be completely rationalized, and conclude that PRA generally underestimates risk. Finally, we cite some well-known results that help reveal the implicit difficulties in quantifying the quality of PRA-generated approximations of risk, which remains a very important open research question.

Physical and Operational Features of Maintained Systems: A maintained system can be described as "any system where restorative action is taken to lessen the likelihood of failure." We shall characterize the likelihood of failure in the usual probabilistic sense through the survival (complementary distribution) function $R(t)\triangleq P(T>t)$, with the random variable $T$ being the time of first system failure after time $t=0$. Thus, we accept that $T$ is a continuous nonnegative random variable. The likelihood of failure is then parametrically characterized by the hazard function $h(t)$, where

$$R(t)=e^{-\int_{0}^{t}h(s)\,ds} \qquad (1)$$

and

$$h(t)\triangleq\lim_{s\downarrow 0}\frac{1}{s}\,P(T\leq t+s\mid T>t).$$

Differentiating (1) gives

$$h(t)=-\frac{1}{R(t)}\frac{dR(t)}{dt}=-\frac{d}{dt}\ln R(t).$$

Consider Figure 1, showing a hypothetical hazard function whose behavior following maintenance interventions (epochs) exhibits discontinuities; we do not require that $h(t)$ be continuous.[2] Importantly, note that $h(t)$ and $R(t)$ carry exactly the same information (as one is uniquely determined by the other). This information includes a given (fixed) history of maintenance prior to the epoch of first system failure. To any given maintenance history there corresponds a unique hazard trajectory $h(t)$, $t\geq 0$. Further, operational physics requires that any fixed hazard trajectory $h(t)$ have the following properties, which we identify as principles of rational hazard.

[2] The hazard $h(t)$, i.e., the propensity for first system failure in the next instant of time, will surely be discontinuous, with downward jumps at epochs of successful maintenance.

Principles of Rational Hazard

  1. $0<h(t)<\infty$ for all $t\geq 0$; hazard is positive and finite.

  2. $\lim_{s\downarrow 0}h(t+s)=h(t)$ for all $t\geq 0$; hazard is right-continuous.

  3. $\lim_{s\downarrow 0}\frac{h(t+s)-h(t)}{s}\geq 0$ for all $t\geq 0$; hazard is non-decreasing almost everywhere (the right derivative is never negative).

  4. $\lim_{s\downarrow 0}\,[\,h(t)-h(t-s)\,]<0$ only at epochs $t$ of successful maintenance; hazard decreases only by downward jumps at these (at most countably many) epochs.

  5. $h(0)=\inf_{t\geq 0}h(t)$; without loss of generality, the system is as good-as-new at time zero.

Figure 1: Trajectory of a hypothetical hazard for a fixed degradation and maintenance.

Returning now to the characterization of general maintained systems, we introduce the following proposition.

Proposition.

Maintained systems satisfying the principles of rational hazard have a time-of-first-failure complementary distribution $R(t)$ that is stochastically ordered with respect to $e^{-h(0)t}$, $t\geq 0$; namely, $R(t)\leq e^{-h(0)t}$ for all $t\geq 0$.

Proof.

By eq (1) the complementary distribution of the time of first failure is $R(t)=e^{-\int_{0}^{t}h(s)\,ds}$, $t\geq 0$. Appealing to the Principles of Rational Hazard, principles 1 and 2 give that $h(t)$ is (locally) integrable on $t\geq 0$. Principle 1 together with principles 3 and 4 then gives that $\int_{0}^{t}h(s)\,ds$ is positive, finite, and monotone nondecreasing in $t$. Since $h(s)\geq\inf_{u\geq 0}h(u)$ for every $s\geq 0$,

$$\Big\{\inf_{t\geq 0}h(t)\Big\}\,t\leq\int_{0}^{t}h(s)\,ds,$$

and by principle 5,

$$h(0)\,t\leq\int_{0}^{t}h(s)\,ds.$$

Exponentiating now shows that for every possible trajectory of rational hazard

$$e^{-h(0)t}\geq e^{-\int_{0}^{t}h(s)\,ds},$$

or equivalently,

$$P(T\leq t)\geq 1-e^{-h(0)t},\qquad \forall t\geq 0.$$

We now observe that, since time $t=0$ can without loss of generality be set to any maintenance epoch that returns the system to a good-as-new condition, maintained systems that conform to the principles of rational hazard have, for every possible maintenance trajectory, a survival function $R(t)$ bounded above by $e^{-h(0)t}$. Equivalently, the distribution function of the time to first failure is bounded below by that of the exponential distribution with parameter equal to the initial hazard; the true time to failure is stochastically no larger than that exponential.

Remark.

The above proposition, unto itself, is not especially noteworthy, since intuition easily suggests exactly what the proof formalizes: disregarding the effects of degradation on a maintained system will surely lead to under-estimating failure risk. However, we can leverage this proposition to obtain deeper insights regarding the consequences of the Poisson assumptions that underlie PRA.

2 Approximations Using PRA

The general stochastic processes governing a maintained system's temporal behavior prior to core damage are so complicated as to be beyond practical computational analysis. Hence, simplified models are employed that yield approximate characterizations of core damage risk; PRA is the most commonly used methodology for quantifying core damage risk. Essential to the PRA methodology is that the first (and only) core damage event arrives according to a Poisson process.[3] An analytical consequence of Poisson arrivals is that the time until the first (and only) core damage event follows an exponential distribution, and the parameter of this distribution takes a value identical to what is termed core damage frequency (CDF).[4] A specific value of CDF is computed using the PRA predictive modeling methodology, and noting that

$$h=\mathrm{CDF}=\frac{1}{E[T]},$$

we have

$$R(t)=P(T>t)=e^{-ht},\qquad t\geq 0. \qquad (2)$$

[3] Although other reactors at large commercial multi-unit sites may continue to operate (for example, after the Three Mile Island and Chernobyl accidents), the reactor(s) involved in an accident have historically been decommissioned. An exception may be Fukushima, where three reactors avoided core damage but have not yet been restarted.

[4] Clearly, CDF does not imply that multiple core damage events occur; the (assumed Poisson) arrival process of core damage terminates at the damage epoch. Thus, it is well understood that CDF simply refers to the expected number of arrivals per unit time of the un-terminated Poisson model characterizing the time of the first (and only) core damage event.

Clearly, when core damage is approximated as a Poisson arrival, the practical effects of degradation and maintenance are not represented. That is, Poisson arrivals assume that the system hazard remains constant over all time.[5] Hence, under the PRA approximation, a system remains in the good-as-new condition until the occurrence of core damage.

[5] Note that the constant hazard characteristic of eq (2) satisfies each of the five principles of rational hazard.

Practitioners, of course, recognize that the constant hazard trajectories characteristic of PRA are inconsistent with reality. Thus, the quality of the core damage risk characterization of eq (2) is of central importance. To this end, we note that every stochastic approximation has exactly one of two properties: 1) it provides a bound, or 2) it does not. Bounding approximations are typically ordinal, giving a means to gauge true system performance as "at least as good as" or "never any worse than" the approximation. Non-bounding approximations typically rely on a distance metric, with system performance gauged as lying within some quantifiable (computable) distance of the approximation.

Under the principles of rational hazard and the concomitant stochastic ordering proposition, the PRA approximation of eq (2) represents an uninformative lower bound on core damage risk. That is: "The risk of core damage by time $t$ is always at least as high as that predicted by the PRA approximation."[6]

[6] The uninformative lower bound on core damage risk is an obvious consequence of Poisson modeling, where the effects of degradation and maintenance are not captured.
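As an added worked example (not code from the paper), the following Python script makes the Proposition of Section 1 and the lower-bound claim for eq (2) concrete on a constructed hazard trajectory: linear degradation between maintenance epochs, with each outage resetting the hazard to h(0) plus a small residual (imperfect maintenance). It integrates the cumulative hazard exactly segment by segment, checks principles 1, 3, 4 and 5 numerically, confirms R(t) ≤ exp(-h(0) t) on a time grid, and reports by what factor the constant-hazard value 1 - exp(-h(0) t) understates P(T ≤ t). All parameter values, epoch spacing and the trajectory shape are assumptions chosen for illustration, not data from any PRA.

```python
"""Numerical check of the rational-hazard bound R(t) <= exp(-h(0) t).

Added example, not code from the paper. The hazard trajectory is a constructed
hypothetical: between maintenance epochs t_1 < t_2 < ... the hazard degrades
linearly at slope a >= 0, and at the k-th epoch it is reset to h0 + r*k, i.e.
each outage leaves a residual r behind (imperfect maintenance). All parameter
values (per-year units) are illustrative assumptions, not data from any PRA.
"""
import math
from bisect import bisect_right

H0 = 1.0e-5        # h(0), per year; the constant hazard a PRA would carry forward
A = 2.0e-6         # degradation slope, per year^2 (assumption)
RESIDUAL = 5.0e-7  # hazard left behind by each outage, per year (assumption)
PERIOD = 1.5       # years between maintenance epochs (assumption)


def maintenance_epochs(period, horizon):
    """Epochs k*period lying strictly inside (0, horizon), in increasing order."""
    return [k * period for k in range(1, int(math.ceil(horizon / period)))]


def grid(horizon, n=600):
    """Evenly spaced evaluation times on [0, horizon]."""
    return [horizon * i / n for i in range(n + 1)]


def hazard(t, epochs, h0=H0, a=A, r=RESIDUAL):
    """Right-continuous piecewise-linear hazard h(t) for t >= 0."""
    k = bisect_right(epochs, t)            # outages completed at or before t
    start = epochs[k - 1] if k else 0.0    # start of the current segment
    return h0 + r * k + a * (t - start)


def cumulative_hazard(t, epochs, h0=H0, a=A, r=RESIDUAL):
    """H(t) = int_0^t h(s) ds, integrated exactly over each linear segment."""
    bounds = [0.0] + [e for e in epochs if e < t] + [t]
    total = 0.0
    for k in range(len(bounds) - 1):
        d = bounds[k + 1] - bounds[k]
        total += (h0 + r * k) * d + 0.5 * a * d * d
    return total


def survival(t, epochs, **kw):
    """R(t) = P(T > t) = exp(-H(t)), eq. (1)."""
    return math.exp(-cumulative_hazard(t, epochs, **kw))


def exponential_bound(t, h0=H0):
    """Survival of the constant-hazard model, exp(-h(0) t)."""
    return math.exp(-h0 * t)


def verify_principles(epochs, horizon, h0=H0, a=A, r=RESIDUAL):
    """Check principles 1, 3, 4 and 5 on the constructed trajectory.

    Principle 2 (right-continuity) holds by construction of hazard().
    """
    eps = 1e-9
    ts = grid(horizon)
    positive = all(hazard(t, epochs, h0, a, r) > 0.0 for t in ts)
    # Right derivative >= 0 everywhere except across a maintenance epoch.
    nondecreasing = all(
        hazard(t + eps, epochs, h0, a, r) >= hazard(t, epochs, h0, a, r)
        for t in ts if not any(t < e <= t + eps for e in epochs))
    # Strictly lower just after each epoch than just before it (downward jump).
    drops_at_epochs = all(
        hazard(e, epochs, h0, a, r) < hazard(e - eps, epochs, h0, a, r)
        for e in epochs)
    minimum_at_zero = all(
        hazard(t, epochs, h0, a, r) >= hazard(0.0, epochs, h0, a, r) for t in ts)
    return positive and nondecreasing and drops_at_epochs and minimum_at_zero


def worst_bound_violation(epochs, horizon, h0=H0, a=A, r=RESIDUAL):
    """max over a time grid of R(t) - exp(-h(0) t); the Proposition says <= 0."""
    return max(survival(t, epochs, h0=h0, a=a, r=r) - exponential_bound(t, h0)
               for t in grid(horizon))


def risk_underestimation(t, epochs, h0=H0, a=A, r=RESIDUAL):
    """P(T <= t) for the trajectory divided by the constant-hazard value 1 - exp(-h(0) t)."""
    true_risk = -math.expm1(-cumulative_hazard(t, epochs, h0, a, r))
    constant_hazard_risk = -math.expm1(-h0 * t)
    return true_risk / constant_hazard_risk


if __name__ == "__main__":
    horizon = 30.0                                   # years of operation
    epochs = maintenance_epochs(PERIOD, horizon)
    print("principles hold:", verify_principles(epochs, horizon))
    print("max R(t) - exp(-h0 t):", worst_bound_violation(epochs, horizon))
    for t in (5.0, 15.0, 30.0):
        print(f"t={t:4.1f}  R(t)={survival(t, epochs):.6f}  "
              f"bound={exponential_bound(t):.6f}  "
              f"risk ratio={risk_underestimation(t, epochs):.3f}")
```

The ratio reported by risk_underestimation grows with t because the residual left by each outage accumulates, so the gap between the true cumulative hazard and h(0) t widens; with perfect maintenance (residual 0) the ratio stays bounded but still exceeds 1 whenever the degradation slope is positive, which is the ordering the Proposition states.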

In order to improve the quality of the PRA approximation one could seek to relax one or more of the rational hazard principles with the objective of finding either a better bound or a quantifiable distance metric between the PRA approximation and stochastic system behavior. However, it is unlikely that the PRA approximation can be used to obtain a better bound or quantify distance to stochastic system behavior without a more detailed characterization of degradation and maintenance. Including degradation and maintenance information (e.g., histories of equipment failure and repair) reveals the difficulties in modeling hazard processes which are generally represented as the stochastic intensity of certain underlying marked–point processes.

Finally, we note that there exists a large and established literature reporting results on approximating general stochastic point processes by Poisson processes. This line of investigation largely centers on “Stein’s Method” (also referred to as the “Stein–Chen” method) to develop bounds on distance metrics characterizing how closely a Poisson process approximates a stationary point process. The works of Barbour and Holst (1989), Chen and Xia (2004), and Chatterjee et al. (2005) and their references provide a fairly complete coverage of the state–of–the–art in Poisson approximations. While these bounded distance metrics provide useful devices in proving certain contraction properties associated with weak–convergence arguments for limit theorems, none lends itself to direct quantification. Only incremental progress along this line of investigation has been made in recent years.

References

  • Barbour and Holst (1989) Barbour, A. D. and L. Holst (1989). Some applications of the Stein-Chen method for proving Poisson convergence. Adv. Appl. Probab. 21(1), 74–90.
  • Chatterjee et al. (2005) Chatterjee, S., P. Diaconis, and E. Meckes (2005). Exchangeable pairs and Poisson approximation. Probab. Surv.
  • Chen and Xia (2004) Chen, L. H. and A. Xia (2004). Stein's method, Palm theory and Poisson process approximation. Ann. Probab.