Perspective Chapter: PRA and Protective System Maintenance

1.1 The benefit of hindsight

As described by Kemeny (see [1], p. 43) and Rogovin (see [2], vol. 1, p. 12), the core melt accident at Three Mile Island started when an operator tried to clear a plugged system that supplied water to the primary reactor heat removal system used in electricity production (see [3], for decay heat process details). The operator became involved when a valve installed for the purpose of bypassing around the plugged system was not open ([1], pp. 47–48). Although the actions taken by the operator to clear the plugging were unsuccessful, the heat removal system was supplied with a backup protective system using a completely separate water supply. Unfortunately, the backup system’s valves were inadvertently left shut, rendering it ineffective ([1], p. 47). The NRC requirements imposed through regulation and designed by the plant owners and investors anticipated such a loss of cooling sequence so a fourth separate protective system was supplied that would directly inject cooling water into the reactor core to keep it cool. Up to this point, the reactor system had begun heating up causing a relief valve to open, as designed, to reduce pressure.² Unfortunately, the relief valve failed to close when the pressure dropped back to normal, a malfunction that went unrecognized by the operators. However, the fourth method provided to keep the reactor core from overheating started automatically and began cooling the reactor core. Thus far in the accident sequence, the status of the reactor core protections could be summarized as: (a) main water supply—plugged up, (b) bypass protection of main supply—valve shut, (c) third water supply system—valve shut, (d) reactor system relief valve—stuck open, (e) fourth cooling system—working and cooling.

Because the relief valve stayed open too long, the reactor pressure kept dropping and the water around the core began expand as it boiled. Water from the reactor core was then pushed into a surge volume where the reactor system water level is measured. Although water was actually being continuously lost from the core through the stuck relief valve, the operators were under the impression, based on the surge volume level, that the reactor system was filling up by the fourth (and final) cooling system and they shut it off. At this point, the plant entered a state where it would lose the ability to prevent the reactor core from melting and releasing radioactive material. An interesting detail is that even the malfunction of the relief valve sticking open was also anticipated and therefore a shutoff valve was provided; temperature measurements were put in place so the operators could understand if the relief valve was stuck open and they would know when the shutoff valve should be closed. The operators failed to close the valve even though the temperature measurement indicated they should ([1], p. 46).

Although the several protections put in place would make it almost unimaginable the reactor core could melt, the NRC required a final protective system designed to protect the public in accidents releasing radioactive material from the reactor core. This final protection was a building that could withstand a very high pressure burst and remain effectively airtight. This building is called the “containment building” and it is the final barrier to release of radioactive material in the event of a serious accident.³ Because the containment building was able to contain the radioactive materials until they could be properly managed, the public was not exposed to excessive radioactive material. The following considers what went wrong at Three Mile Island, what went right, and why?

1.2 Probability, reality, and maintenance policy

One may be tempted to look back at the Three Mile Island accident and argue the probability for the accident was extremely unlikely. Acting on such temptations that is, applying ex-ante probabilities to ex-post observations, is improper. The accident at Three Mile Island Unit 2 actually happened rendering the ex-post probability irrelevant. Prior to the accident some experts would say that the probability was very small, possibly on the order of 1 chance in a million. Of the many scenarios anticipated in experts’ analyses of an ex-ante probability, the exact scenario that unfolded was unanticipated making their analyses irrelevant. Personnel misinterpreting indications, the actions taken due to the particular relief valve failure, and errors of commission were unanticipated as a scenario. The procedure for working on the chemical system could have required the operator to place the second protective system in service before starting the work as noted by Kemeny on page 47 of his report. In fact there are effectively limitless scenarios that may play out in the future. Solberg and Njå [4] state in their article “Reflections on the ontological status of risk”, only one of the many (truly infinite) possible scenarios can play out to produce a current “state of affairs”:

The discussion above is meant to point out why the accident at Three Mile Island happened even though the NRC and the plant design engineers endeavored to put in place protective systems intended to prevent progression to core melt. Before the accident occurred, a concerned citizen might question the design engineer in a conversation like the following:

At this point the citizen might reasonably stop asking questions, satisfied the NRC and the plant engineers had really thought of everything that could go wrong in the future.

It is clear that when a substantial hazard is present in a technological system, many questions need to be asked and answered, and many scenarios considered in detail. At Three Mile Island, the particular hazard was the need to remove decay heat from the reactor system over a relatively long period of time. Even though many questions may be asked and answered, once a technological system is started, we take a leap into the unknown. No one can say for sure what future scenarios may play out. Some may lead to great loss, injury, or even death. The maximum level of harm that could result from various failures in a technological system is almost certainly known by the engineers who design it. On the other hand, unless large datasets are available, the numerical probability value they would would occur cannot be known. Depending on the value of the technological system to the social welfare, those valuable enough to be allowed by law are most likely subject to regulation designed to protect citizens’ safety and health.

1.3 Protective systems

Technological systems required by regulation are referred to as “protective systems”. Such protective systems overlay technological systems operated for the purpose of maximizing profit. They differ from production systems in that they do not create products with a utilitarian purpose. Instead, protective systems function to reduce the probability that citizens would need to backstop losses from risks taken in owner and investor activities that exceed the investors’ asset value. No one, not those maximizing profit, not the regulator, not the engineers, and not any independent scientific authority can know the probability or likelihood that a technological system in use will or will not cause harm with exactitude.

Protective systems add to the cost of goods and services. In so doing, they will generally balance the reduction of profit margins against the price citizens are willing to pay for the goods and services produced. In competitive markets, profit maximizers will look for opportunities to reduce costs imposed by protective systems. A subtlety created by the process of cost reduction is that profit maximizers will tend to look at all costs that go against their revenue including production costs in maintenance and operation. A reasonable question would be “does it matter to citizens if the maintenance and operational costs of the production systems are reduced if citizens require the regulator to make sure the protective systems are maintained up to standards?” The subtlety created by reducing costs in technological systems other than protective systems is that protective systems are required to protect against harms more often than if the production systems were operating smoothly. Regarding the Three Mile Island accident, Kemeny points out that,

Failure of the condensate polishers at Three Mile Island triggered the sequence of events leading up to the core melting.⁵ This “trigger” is commonly referred to as an “initiating event”; the first event in a series of events that may end with unpleasant consequences. he importance of these initiating events is that the more often they occur, the more often the protective systems will be called upon to operate and because their failure probability can not be known, citizens should be concerned if the maintenance and operational costs of the production systems are reduced to the point more triggers occur.

Whenever a protective system allows an initiating event to progress to harm, it is made obsolete by revision that would address the root cause of its failure. The NRC made substantial changes to protective system requirements in the nuclear reactors it regulates following the Three Mile Island accident. No one can know the probability a technological system that has the potential for harm will, or will not, cause harm over its useful lifetime in the absence of substantial data sets where harm has occurred. This well-known principle is classically described by Cardano and Wilks [5] and more formally by Bernoulli [6].⁶ As technological systems are operated, protective systems that overlay them should be revised as necessary in light of new information to the point the technological systems are judged to be less harmful than the harms they are designed to overcome. Because protective systems add cost to the production of goods and services produced by technological systems, there is a balance, driven largely by market forces, to be struck among the cost of production, profit margin, and protection.

1.4 Predictive modeling for safety: critical protections

The concept of PRA is introduced in here at a very high level. In practice, PRA and other methods used to quantify probabilities and frequencies, are fundamentally derived from logical descriptions of a technological system’s response to an “upset”, or initiating event. Figure 1 is an example of such a logical description that envisions a technological system that “operates”, Z, on an initiating event input, I, to produce “outputs”, O. Z creates at least 2n outputs by assigning probabilities that split I at each of n devices. The splits are conditional such that if P⋅ is the probability for failure of the device, one branch of the split is assigned P⋅, and the other P¯⋅.

Such probability models, with various levels of sophistication, are used to characterize the efficacy of safety-critical protections.⁷ Understanding protective system modeling discussed here necessarily assumes a postgraduate familiarity with stochastic processes distinguishing it from the treatment PRA practitioners use. Stochastic dynamics of safety-critical protections are defined in a general setting allowing treatment of efficacy analysis in a top-down manner starting at general predictive modeling followed by exploration of consequences inherent in the simplifying assumptions required of popular risk quantification methods such as PRA, Quantitative Risk Assessment (QRA), and Probabilistic Safety Assessment (PSA).

Models of efficacious protective system design and management cannot be informed by “probability numbers”—such numbers are unavailable as a practical matter. This is to say, the condition “safe enough” is almost never expressible as a numerical probability as argued by Hansson (see [7, 8, 9], for perspectives on safety). Hence, efficacy of protective systems should rightly be explored in terms of insights from the mathematical structure of stochastic processes serving as predictive models. To this end, the following develops models at a level of abstraction sufficient to capture stochastic structures that agree with practical engineering understandings. Most importantly, a top-down exposition leads to straightforward identification of the particularizing assumptions necessary to calibrate reactor protective system stochastic predictive models with observational data. In other words, the engineering physics that must hold to compute valid statistical estimates of risk metrics can be identified. Hansson in ([10], Section 4) sets the stage where statistical models can be calibrated and where they cannot.

Clearly, hazardous technologies and their protections are engineered systems that operate according to laws of physics, and their operational behaviors are governed by ongoing design, maintenance, and management decisions. These systems are carefully monitored over time so that information gained can direct re-designs and maintenance intended to improve productivity and safety. Of course, our uncertainty regarding how protections might perform in the future is, at best, a reflection of our historical understanding of physical behaviors, both technological and environmental. For example, we cannot forecast the future arrival of possible operational problems, the possibility of which we are a priori unaware.⁸ Thus, any understanding of the efficacy of protections must connect physics with a time-dependent state of knowledge about that physics. In this regard, filtered probability spaces are indispensable when exploring engineered protective system efficacy.

System physics are approached in here from an operations perspective to establish the analytical framework within which physical features can be mathematically described as time dependent functionals. This framework will be sufficiently general to accommodate most hazardous production systems. Analytical modeling of operations is concerned with characterizing a system’s temporal dynamics as the evolution of a system’s “state” over time. Almost always, operations is concerned with predicting, up to probability law, transitions among particular sets of system states given certain observable historical behaviors. Such transition dynamics are captured as stochastic processes.

The theory of stochastic processes is mature and provides a valid framework for understanding operations—derivations or detailed explanations of the central results applied in here are found in the widely accessible literature. Avoiding repetition, operation of hazardous systems and their protections are modeled in here by a stochastic point process and cited in the appropriate literature without proof.

2.1 Physics: based modeling in a general stochastic setting

Protective systems safeguard against future accidents. The design of protective systems necessarily relies on deterministic physical laws (physics) embedded within a stochastic framework that analytically captures uncertainty about future protection behaviors. This stochastic setting yields predictive models useful for understanding the efficacy of given protection designs. We establish the following:

Definition 2.1 (Object). A collection of devices, subsystems, systems, and environments enclosed within a specified logical control volume.

Definition 2.2 (State). The unique numerical assignment to specific features of an object’s physical condition (typically in SI units).

Definition 2.3 (State Space). The set of all possible object states.

Definition 2.4 (State Variable). A mapping from the domain of an object’s physical condition into its state space.⁹ Typically, state variables are indexed by time.

Definition 2.5 (State Trajectory). The evolution of an object’s state over a collection of specific time intervals.

Definition 2.6 (Predictive Models). Probability laws with an object’s state variables indexed by time. Predictive models typically include a time t=0 that delineates future from past.

Remark 1 Predictive models do not predict the future. Rather, they frame uncertainty about future physical behaviors in terms of the present state of knowledge.

Objects of modeling interest can be comprised of subordinate objects; that is, an object can be the logical union of other objects. An object is atomic if it is not composed of subordinate objects. It follows that, an object’s state space is defined on the union of its subordinate atomic object state spaces. The state of an object typically evolves over time. Hence, predictive modeling requires not only specifying the state variable mappings that assign state values to material and environmental conditions, but also crafting a mathematical characterization of the interaction of an object’s state variables over time. The control volume defining any object connects its features with the laws of physics that govern its evolution, and it is our understanding of physics that allows us to mathematically characterize the time dependent interaction among an object’s state variables. The time dependent behavior of an object’s state is referred to as a state trajectory. The physical laws that govern state trajectories are, of course, specific to the object being modeled. Inasmuch as one’s interests lie with establishing a mathematical framework within which predictive models for hazardous technologies can be crafted, they need only make reference to specific physics where application dictates.

Remark 2 Valid predictive models must respect two practical engineering constraints: 1) State trajectories are never physically observable beyond the present, and 2) Engineers are not clairvoyants. Valid predictive models are strictly informed by historical information, while allowing for the acquisition of additional information as the object’s future unfolds (see [11], for an interesting perspective). The evolution of information history cannot be omitted from valid predictive models.

2.2 Stochastic modeling: production, protection and environment

When concern lies with the efficacy of protections, Z is understood to model an object representing a hazardous production system protections with S as the object state space, onto which all underlying physics is mapped. Designate three subordinate objects as: a production system, a protective system, and an environment.¹¹ Without loss of generality, assume that these three subordinate objects are mutually exclusive (i.e., their respective control volumes do not intersect); mutual exclusivity does not imply that production, protection, and environment operate independently.

The mutual exclusivity of production, protection, and environment ensures that state space S is formed as the cross product of the subordinate object states. Here,

where

SX is the subspace of production system states,

SR is the subspace of protection system states, and.

SY is the subspace of environment states.

Take the subspaces identified in Eq. (2) to each be a manifold with boundary. By definition, any element of SX numerically characterizes a production state. Similarly, elements of SR quantify protection states, while subsets of SY describe an environmental state within which production and protection exist. Now,

And, by construction Z=XRY, and for all t≥0

where

2.2.1 Dependency among production, environment, and protection

By convention, take all trajectories of X, R, and Y to be càdlàg (right-continuous with left-hand limits). S partitioned with SX,SR, and SY allows framing the interaction among production, protection and environment over time. It is understood that the temporal dynamics of these three stochastic state processes are not mutually independent. Here, with the σ-algebras respectively generated by the processes X, S, Y, and Z written as

FX≡σX=limt→∞FtX=σXu−∞<u≤t,E5

FR≡σR=limt→∞FtR=σRu−∞<u≤t,E6

FY≡σY=limt→∞FtY=σYu−∞<u≤t,E7

FZ≡σZ=limt→∞FtZ=σZu−∞<u≤t.E8

There can exist some BZ=BX∪BR∪BY∈FZ, where BX∈FX,BR∈FR and BY∈FY such that

PBX∩BR∩BY≠PBX⋅PBR⋅PBY.E9

Dependence among X, R, and Y is intuitively clear: The production state X and the protection state R both depend on Y, the common environment within which they operate. So, there is some B∈S such that the likelihood that production and protection are in B at time t≥0 must as a matter of physics depend on the evolution of their common operating environment. For example the arrival of natural disasters and the wear-out rate of equipment are physics-based environmental influences on both production and protection. Thus,

PXt∈BYuu≤t≠PXt∈BPRt∈BYuu≤t≠PRt∈B,E10

and, consequently, X, R are not generally independent. However, the future environment process Y is typically uninfluential on the histories of production and protection; we call this the Lack of Anticipation Property (LAP).

Definition 2.8 (Lack of Anticipation Property). For all t,s≥0 and B∈BS,

PYt+s∈BXuRu:u≤t=PYt+s∈BE11

The LAP plays a central role in predictive modeling of safety-critical protections, and is represented schematically in Figure 3.

3.1 Classification of states for reactor operations with protections

Consider now an object representing a nuclear reactor, its regulated protections, and the environment within which the reactor and protections operate. The state process Z is defined, as before, in Section 2.2.2. Operations modeling and analysis begins with partitioning the state space S according G=GpGpc where Gp∈BS is the set of all persistent states and its complement Gpc is called the transient states. The set Gp is closed under all trajectories. That is, for all s∈Gp and ω∈Ω

thus, once entering the set of all persistent states Gp, a trajectory Ztω cannot depart the set. s∈Gp is an absorbing state if for all ω∈Ω

Clearly, absorbing states are persistent.

As a practical matter, require that all trajectories Ztω,ω∈Ω and t≥0, of the state process terminate with retirement.¹³ Retirement occurs as either, (1) an inconsequential cessation of production, or (2) the consequence of an accident from which the reactor cannot recover. Once the reactor trajectory enters a retirement state, production terminates forever. All retirement states are taken as absorbing. Thus the absorbing states, designated R⊂S, and transient states designated Rc, partition S. The transients states Rc can themselves be partitioned such that N are normal operating states and D distressed operating states. Clearly, the sets {N, D, R} also partition S. The possible state transitions among the elements of this partition are shown in Figure 4.

3.2 The initiating event counting process

Recall that state variables are the three-tuple formed by Zt≜XtRtYt. Thus, when a trajectory Xtω,ω∈Ω and t≥0, of the production state process leaves the normal operating states N∩SX and enters the distressed states D∩SX, an initiating event has occurred. Recalling that by convention all state trajectories are right-continuous and thus càdlàg, all initiating events occur at the exact instant of transition from N∩SX to D∩SX. Arrival of an initiating event indicates that the reactor protective system should engage so as to mitigate potential harm that might arise with the reactor operating in the distressed states. In practice, initiating events are often (although not always) observable.

For all ω∈Ω and t≥0, define

Clearly for t>0,dQt:Ω→01 is a random variable on the measurable space of possible life cycles ΩF. For all ω∈Ω and t≥0, it follows that

form the trajectories of the stochastic process Q=Qtt≥0 inherit the càdlàg property. We call Q the initiating event counting process. Here, as a practical consideration, we will require that Q0ω=0 for all ω∈Ω. That is, we assume that reactor production should be in a normal operating state at time t=0 at the beginning of lifecycle ω.¹⁴

It is a straightforward matter to construct the operations point process T=Tnn∈N which captures the arrival times of initiating events. T is referred to as the initiating event process, and for each ω∈Ω and n∈N,

The initiating event counting process Q plays a central role in our treatment of operations modeling and efficacy analysis of safety-critical reactor protections. Understanding the construction of Q provides important insights (to be discussed in subsequent sections) into the relationship between hazard, risk, and the efficacy.

Remark 5 When assuming that Zt−1G∈F0 and with Qt:ΩFZ→NBN, by construction it is ensured that Qt is Ft–measurable for all t≥0; hence, the initiating event process Q is adapted to the filtration Ftt≥0 which contains the history generated by the state process Z. It is preferable to model operations processes on the filtered probability space ΩFFtt≥0P, because its filtration contains all available information ... not simply the natural filtration FtQt≥0 of Q. When PRA, QRA and PSA are used for risk analysis, they implicitly and strictly rely on the natural filtration

which contains only information about the occurrence times of initiating events, while ignoring all history of the state process Z, maintenance activity, weather, etc.

3.3 The accident counting process

When safety-critical protections function properly a distressed reactor (i.e., Xt∈D∩SX) will avoid an accident and return to the set of normal operating states in N. Accidents are events influencing states of nature outside the control volume within which a nuclear reactor’s state process Z develops. Accidents are always a consequence of protection failure that causes collateral harm.¹⁵ For our purposes, when an initiating event leads to any level of collateral harm, then that event becomes an epoch of an accident.¹⁶ Possible time delays are allowed for between the arrival of an initiating event and any eventual collateral harm.¹⁷ To this end, distressed state D⊂S is partitioned into those states C that impact physics outside the system control volume causing collateral harm and E=D/C those distressed states that do not cause collateral harm. Partitioning D allows an operations characterization of an accident:

Definition 3.1. An Epoch of accident occurs when the trajectory XtRtω,ω∈Ω is such that the production state process X enters C∩SX⊂D⊂S while the state of the protection process R is in D∩SR.

Guided by the transition diagram of Figure 5, a modification of Figure 4, showing the partitioning of distressed states D into C and E, the accident counting process and the accident point process can be constructed.

Remark 6 Note that in the interval following an initiating event indicating that the state process has moved into distress, the system state can possibly transition many times between accident states in C and non-accident distressed states in E before either returning to normal or being retired. In practical modeling scenarios, state transitions across the partition of distressed states might take months (or even years). Thus, the initiating event leading to distress might not exceed to an accident for quite some time. In such situations, knowing that an initiating event has just occurred does not necessarily reveal whether or not the system state is on a trajectory of accident.

Now, define

Note that the time Tmω of the mth arriving epoch of an accident is given by

When m is the index of the last arriving epoch of an accident before retirement, all subsequent accidents are taken by convention to occur at infinity. Clearly, the random sequence TmCm∈N is a thinning of the initiating event process T. The point process TC≜TmCm∈N is the accident process.¹⁸

With QtC being the number of arriving accidents in the interval (0, t], it follows that for each ω∈Ω,t≥0, and m∈N

and, in practice with QtCω=0 for all ω∈Ω,

QC≜QtCt≥0 is called the accident counting process. By construction, QC is adapted to the filtration of ΩFFtt≥0P.

Remark 7 When assuming that Zt−1G∈F0, the accident counting process QC is, clearly, subordinate the initiating event counting process Q. That is, each epoch of arrival in QC is also an epoch of arrival in Q. It is important to note, however, that while both QC and Q are adapted to the natural filtration Ftt≥0,QCis not adapted to the natural filtration FtQt≥0 of the initiating event process Q. Thus, the history of initiating events alone contains insufficient information to construct the accident thinning—a physics-based insight often overlooked in popular quantitative risk methodologies.

Finally, as a notational convenience, define for all ω∈Ω and t≥0

where At:SBS→(01,B01 is a random variable of the filtered probability space ΩFFtt≥0P. Clearly,

We call A=Att≥0 the protection availability process, which inherits càdlàg properties from R. Substituting Eq. (17) and Eq. (25) into Eq. (24) gives

for all ω∈Ω and t≥0. And, it follows directly from Eq. (22) and Eq. (27) that for all m∈N,ω∈Ω and t≥0

The importance of Eq. (27) is that it gives the dynamic relationship between the number of accidents over time in terms of arriving initiating events and the reliability of protections. It should be clear from the construction of Eq. (27) from trajectories of the state process Z that the stream of arriving initiating events and the reliability of protections are not generally independent since both random phenomena are stochastically dependent on the dynamics of the environment process Y. Further, Eq. (22) establishes the relationship between the accident time point process TC and initiation event arrivals and protection reliability where, again, stochastic dependence between initiating event arrivals and protection reliability cannot be ignored. Eqs. (22) and (27) play a central role in the developments presented in Sections 4 and 5.

4.1 Case 1: At−1Gf∈F0

By definition, Gf∈F is the collection of all states in S where protection is unavailable. Thus, any failure mode for protection must be reflected as a state s∈Gp⊂S. When Gp∈F0, it follows that every possible failure mode must be known at time t=0 since the pre-image of G−f through the random variable At appears in F0. By definition the filtration Ftt≥0,F0⊂Ft for all t>0 implies that At−1Gp∈Ft for all t≥0. It now follows that for any u>0At+u−1Gp∈Ft and, since τ is an Ft stopping time, τ>t,Aτ−1Gp∈Ft. In other words, when all possible states where protection is unavailable (including protection failure modes) are understood at time t=0, then

gives the likelihood that the next arriving initiating event will result in an accident.

4.2 Case 2: At−1Gf∉F0

Suppose now that there exist protection failure modes that are unknown at time t=0. This implies that At−1Gf∉F0. When At−1Gf is not F0-measurable there can be no guarantee that At−1Gf will be Ft-measurable for any 0<t<∞. That is, for any u>0, we cannot ensure that At+u is Ft-measurable. And, because τ>0, we cannot ensure that Aτ is Ft-measurable even though τ is an Ft stopping time. In fact there will always be some t>0 where Aτ∉Ft which implies that EAτFt is not well-defined. From the failure of EAτFt to satisfy the definition of a random variable on Ω, it can be concluded that when there are undiscovered protection failure modes, Eq. (31) cannot hold.

4.3 The practical implications of undiscovered protection failure modes

It is reasonable at this juncture to consider the extent to which protection failure modes not identified in F0 are problematic. Let τd be the time of first discovery of a heretofore undiscovered protection failure mode. Some observations that can be normatively understood are:

• The discovery time τd of a specific heretofore undiscovered failure mode is random and measurable with respect to probability space ΩFP.

• τd is not an Ftt≥0 stopping time. Clearly, τ≤tc∉Ft.

• Any protection failure mode will almost surely be found over the lifecycle of protections.

• It is possible that a failure mode is first discovered through accident postmortem analysis (i.e., the failure mode caused an accident upon its first appearance).

• For any time t≥0 a non-clairvoyant cannot rule out the possibility of remaining undiscovered protection failure modes.

• If undiscovered failure modes are in play, the filtration Ftt≥0 has not yet converged and all predictive PQ metrics must be formed conditioned on the current information represented in filtration Ftt≥0 ... which does not include all information represented in F.

• Nearly all historical nuclear reactor accidents have been attributed to heretofore unanticipated protection failures.

If there is sufficient confidence in a non-clairvoyant belief that that all protection failure modes have been discovered, then all information impacting protection design will be found in the tail σ-algebra T, where

By definition, T⊂F and characterizes design information in the remote future of A. In the remote future of protections, there can be no undiscovered failure modes.

Typically, PQ methodologies (e.g., PRA, QRA, PSA) implicitly rely on the assumption that events associated with protections are T-measurable, because this assumption guarantees the existence of

The expected value E[A] and its statistical estimator A¯ play essential roles in PRA, QRA and PSA, and they are only practically accessible under the assumption that all available information is in the tail σ-algebra T. The estimator A¯, when computed with data collected other than in T will always underestimate the true value of E[A], a dangerous bias.

5.1 Cumulative assumption: there are no unknown-unknowns

As discussed in Section 4, assuming that there are no as yet undiscovered states requires that

for B∈BS and t≥0. Recall that by definition of the filtration Ftt≥0Ft-measurability is also ensured. This modeling assumption cannot be verified so long as a reactor is not retired. Obviously, with the random time τ:Ω→0∞ taken as the time of discovery of the last heretofore undiscovered state, τ is not Ft-measurable for any t<∞, which implies that there cannot be an observable condition confirming that there are not more undiscovered states. Clearly, the no unknown-unknowns assumption reflects a (believed) near clairvoyant understanding of the technologies being modeled.

5.2 Cumulative assumption: there are no absorbing states

The absence of absorbing states implies that either all s∈S are transient, or there exists at least one non-singular collection of persistent states Bα∈S,α∈A such that

and when a state trajectory enters Bα it never exits, visiting each state s∈Bα, infinitely often. Further,

which implies that each state trajectory must eventually enter a non-singular collection of persistent states that it visits infinitely often.

The PRA methodology implicitly rejects the possibility that all states in S are transient, and therefore accepts that all state trajectories visit some collection of states infinitely often. Further, PRA some of the states visited infinitely often are accidents (else there would be no reason to perform PRA). It follows that accepting the assumption that reactors are never retired (either through an accident or cessation of operations), there will be accidents ad infinitum.

5.3 Cumulative assumption: CDF is well defined

Accepting Assumptions 1 and 2, it is feasible to investigate CDF. Here, as before, QtC, counts the number of core damage events a reactor suffers in the interval [0, t]. CDF is a frequency and thus is the limiting number of core damage events per unit time. That is,

Definition 5.1 (Core Damage Frequency).

whenever convergence to a constant occurs a.s.

CDF is treated as a numerical constant. However, convergence of Eq. (37) is not guaranteed. Further, even when CDF converges, there is no guarantee that its limit is a constant; convergence to a random variable is a completely plausible circumstance. It must be emphasized that CDF is a numerical constant, estimates of which are used to gauge the risk of suffering a core damage event.

The existence of CDF is determined in part on the dynamics of initiating event arrivals. The limiting arrival rate λ of initiating events is defined as follows.

Definition 5.2 (Initiating Event Frequency).

convergence occurs a.s. In general λ can be a random variable, and convergence to a constant occurs only when λ=Eλ.

Recall that QC and Q are right-continuous. It follows directly from definitions 5.1 and 5.2 that when λ is a constant,

where, often the split fraction is

Thus, CDF is the product of the initiating event frequency with the proportion of initiating events that exceed to core damage. Typically, estimating λ is straightforward. Estimating p is more challenging. Note that while p takes values in the interval [0, 1], it is defined as the limiting value of a ratio of random variables. However, under certain circumstances p can be interpreted as the probability that an arriving initiating event will exceed to core damage. One such circumstance occurs when initiating events form an ordinary Poisson process. Then, the well-known Poisson Arrivals See Time Averages (PASTA) result applies, and p can be computed as the limiting unavailability of reactor protections (see [14]). Unfortunately, the assumptions needed to justify PASTA defy practical justification. Consequently, estimating p is quite difficult in practice.

There are a variety of approaches for crafting estimators of p that incorporate the joint histories of initiating event arrivals, protection maintenance activity, environmental conditions, etc. Monte Carlo methods, owing to their adaptability to complex engineering models, have gained acceptance and popularity for estimating p and other statistics. These methods are not, however, a panacea because they require characterizing probability laws on subordinate stochastic processes that must be mapped into the dynamics of protection availability in order to build useful estimators. Characterizing probability laws on stochastic processes is often impractical due to the intensive data support required for all but the most stylized processes.

In order to better appreciate the manner in which CDF jointly depends on the arrival of initiating events and the efficacy of reactor protections, we will appeal to the martingale characterization of stochastic point processes (see [15]). For practical considerations, we require that initiating events occur one at a time a.s.

Since the trajectories of Q are nonnegative non-decreasing and proceed in jumps of size one a.s., clearly EQt+uFt≥Qt for all t,u≥0. Thus, Q forms a sub-martingale on the filtered probability space ΩFFtt≥0P. Appealing to the standard results from the martingale calculus (see [16]), it now follows from the Doob-Mayer Decomposition Theorem that

where the process M≜Mtt≥0 forms an Ft–martingale with compensator Λtt≥0. Hence,

for all t,u≥0, and Λt is increasing a.s. and Ft–predictable, with

Here, λt is well-defined whenever for all nonnegative, Ft-predictable Ctt≥0

is satisfied. M is called the initiating event martingale.

When well defined, λt is a unique Radon-Nikodym derivative defined on the usual equivalence class, with the stochastic intensity process λtt≥0 adapted to Ftt≥0 and predictable. Informally, λt=EdQtFt− and can be understood as the propensity for an initiating event to arrive in the next instant of time given the history of initiating events and reactor protections.

Now, consider the martingale transform MtC of protection unavailability 1−At with respect to Mt of Eq. (41), where MtC=def∫0t1−AudMu=∫0t1−AudQu−∫0t1−AudΛu.

Proposition 1 (Core Damage Martingale)MC≜MtCt≥0 is a martingale whenever the stochastic intensity process of arriving initiating events λtt≥0 exists.

Proof: Since At is Ft–predictable and 0≤Atω≤1 for all ω∈Ω and t≥0, it follows that MtCt≥0 is also an Ft–martingale (see [17]), and noting that QtC=∫0t1−AudQu counts the number of core damage events in the interval [0, t], we have that

and, substituting from Eq. (43) gives

We refer to MC as the Core Damage Martingale and its compensator is given by

Remark 8Eq. (46) stands as the most general available expression characterizing the relationship among core damage events, the arrival of initiating events, and the efficacy of reactor protections. It is important to keep in mind that, for all t≥0,MtC,QtC,λtC,At, and (in particular) λt are all random variables. Hence, Eq. (46) is nontrivial and must be examined in the context of stochastic integration.

Consider now, the following proposition:

Proposition 2 (Existence of CDF) If

then λC exists (and is possibly a random variable) and for almost (a.a.) ω∈Ω

where, 0<λCω<∞. That is,

Proof: Proposition 2 is an obvious consequence of Definition 5.1 and Eq. (46).

Remark 9 Clearly, CDF exists only if

Proposition 2 reveals the challenge in estimating CDF. In the absence of observed core damage events, predictive estimates of CDF must be formulated in terms of phenomena that can be observed. To this end, analysts must rely on observations of initiating event arrival times, and reactor protection performance (principally in the form of maintenance records and failure data). These observations are, of course, insufficient to capture the joint dynamics of Atλtt≥0 needed to directly employ the strong law relationship of Proposition 2, where,

Monte Carlo methods do not escape the difficulty of computing λC. A and λt≥0 are not mutually independent (even when Q is Poisson with rate λ) and λt is not directly observable. Since this dependence requires a Monte Carlo model to rely on an accurate characterization of the probability law on the joint stochastic process Atλtt≥0, it is clear that the data requirements to support accurate estimation of this probability law are beyond the practical reality of reactor unit operations records.

5.4 Cumulative assumption: arriving initiating events see time averages

Important insights regarding CDF are revealed by exploring the expectation of MC. In particular, we are interested in the consequences of the stochastic dependence the state of system protections Att≥0 and the arrival of initiating events Qtt≥0 and consequently λtt≥0. Consider now,

Proposition 3 (Moment Convergence) Suppose that

Then,

And, with the additional condition that λC=EλC<∞,

Proof: Recall that almost sure convergence implies convergence in expectation (see [18]). Hence, Eq. (54) follows directly from Proposition 2. Nonnegativity of the integrand in Eq. (54) allows a routine application of Tonelli’s Theorem to exchange the order of expectation and integration to show Eq. (55) (see [19]). Finally, λC=EλC<∞ implies that

thus, ensuring the existence of CDF.

Recalling the definition of covariance, it immediately follows that.

Corollary 1 When λC=EλC<∞, then

Proof: Simply apply the definitions of CDF and covariance.

Corollary 2 When λC=EλC<∞,

if and only if EλtFt=Eλt for all t≥0.

Proof: It need only be shown that cov1−Atλt=0 if and only if EλtFt=Eλt. First, assume that EλtFt=Eλt for all t≥0 for all t≥0. Note that

Thus, it follows from the definition of covariance that cov1−Atλt=0. With cov1−Atλt=0 it follows trivially that

Corollary 3. When, EλtFt=Eλt=λ<∞ and At→a.s.A, then

Proof: It follows from Eq. (58) that when EλtFt=Eλt=λ<∞,

and when At→a.s.A,

Eq. (61) follows.

Remark 10 It is important to appreciate that Corollary 3 does not imply that the state of reactor protections A is independent of initiating event arrivals Q. The condition EλtFt=λ is simply congruent with the lack of anticipation property of At.²² The conditions establishing Corollary 3 allow for the possibility that initiating events can cause a failure of system protections (in addition to the possibility protections were already failed immediately prior to arrival).

Recall Eq. (38). Perhaps the most important consequence of assuming that arriving initiating events see time averages is:

Corollary 4. When EλtFt=λ, then

Proof: Substitute Eq. (61) into Eq. (39).

5.5 Cumulative assumption: initiating events form a Poisson process

Eq. (61) admits, as a special case, the condition that the initiating event counting process Q forms an ordinary Poisson process of rate λ. By the Watanabe characterization, it is well known that the stochastic intensity of a counting process is a fixed constant if and only if that counting process forms an ordinary Poisson process. Thus, when Q forms an ordinary Poisson process of rate λ, its intensity λt=λ for all t≥0, where λ is a positive valued constant. Returning to Eq. (46), it follows that the constant λ can be moved outside the integral, giving

With the elements of the compensator of the core damage martingale a.s. constant for all t≥0 as given by Eq. (65), a special case of Corollary 3 is created. The condition EλtFt=λ given in Corollary 3 is more general (and difficult to calibrate with historical data) than under the Poisson initiating event assumption (see [20]).

Remark 11 The Poisson initiating event assumption does not imply independence between A and Q; on the contrary, A and Q remain dependent since there is the possibility that arriving initiating events will disrupt protections and lead to an accident. Wolff gives a full development of Poisson arrivals see time averages, (see [14]).

An obvious benefit gained when Q is assumed Poisson is that statistical calibration of λ becomes accessible using historical data. Since all Poisson processes are stationary and ergodic, the parameter λ is easily estimated since

for a.a. ω∈Ω.

Assuming that Q is Poisson does not change Eq. (61). But, all Poisson processes implicitly carry the very strong independent increments requirement, meaning here that the number of initiating events appearing in any collection of disjoint time intervals are mutually independent. In practice, the independent increments condition is an extremely difficult to justify.

5.6 Cumulative assumption: the protection process is stationary and ergodic

Returning to Corollary 3 with A=limt→∞At, it is clear that for a.a. ω∈Ω the split fraction p is given by

Calibrating p with historical data, as is preferred with PRA, is generally inaccessible in the limit. However, assuming that the protection availability process A is both stationary and ergodic guarantees that A is measurable with respect to its tail σ-algebra for all t≥0, and thus

for any fixed t>0. Clearly, the best available estimate of the split fraction p along the (only) historically available ω is given by

Typically, practitioners rationalize stationarity and ergodicity of A by claiming knowledge of a long history of protection operations augmented with an extensive observed history of initiating events and equipment maintenance activity. Based on a experience they will designate where to establish time t=0, in Eq. (69). However, the approximation Eq. (69) suffers a bias that is a consequence of well designed protections: The speed of convergence of Eq. (67) depends on observing initiating events that will cause protections to fail. Obviously, well designed reactor protections will experience few (if any) such events. This implies that even under the assumption that A is stationary and ergodic the Eq. (69) will be positively biased for all t<∞.

5.7 Cumulative assumption: protection unavailability is independent of all initiating events

The optimistic bias of Eq. (69) disappears under the additional assumption that A and Q are independent stochastic processes. Under this circumstance, since both the initiating event process T and the protection availability process A are adapted to the filtration Ftt≥0 as described in Section 2, it follows that

for all t≥0 and n∈N. Independence of A and Q is congruent with the belief that reactor protections are so robust as to never fail due to the impact of an initiating event. Or, equivalently, an initiating event will induce an accident only if it finds protections already out of service upon arrival.

Of course, the model assumption that A and Q are independent stochastic processes is very strong and hardly justifiable in practice. That said, PRA methodology relies directly on the cumulative assumptions leading to Eq. (69). The assignment of the split fraction value p appeals to ad hoc analysis (e.g., penetration factor) where little or no observed historical calibration data can be found.