Treatment of Uncertainties in Probabilistic Risk Assessment

Probabilistic risk assessment (PRA), sometimes called probabilistic safety analysis, quantifies the risk of undesired events in industrial facilities. However, one of the weaknesses that undermines the credibility and usefulness of this technique is the uncertainty in PRA results. Fault tree analysis (FTA) and event tree analysis (ETA) are the most important PRA techniques for evaluating system reliabilities and likelihoods of accident scenarios. Uncertainties, in the form of incompleteness and imprecision, are present in the probabilities of undesired events and in failure rate data. Furthermore, both FTA and ETA traditionally assume that events are independent, an assumption that is often unrealistic and that introduces uncertainties in data and modeling when using FTA and ETA. This work explores uncertainty handling approaches for analyzing fault trees and event trees (method of moments) as a way to overcome these challenges of PRA. Applications of the developed frameworks and approaches are explored in illustrative examples, where the probability distributions of the top events of fault trees are obtained through the propagation of the uncertainties of the failure probabilities of basic events. The application of the method of moments to propagate the uncertainty of log-normal distributions showed good agreement with results available in the literature obtained using different methods.


Introduction
Accidents at industrial facilities may result in serious consequences to workers, the public, property, and the environment. Risk management approaches are aimed at ensuring that processes and systems are designed and operated to meet "acceptable or tolerable risk levels" as required by regulatory bodies. Risk assessment usually encompasses the following steps: hazard identification, risk analysis, and risk evaluation. When the risk evaluation is carried out in a quantitative way, the risk assessment is considered a probabilistic risk assessment (PRA).
Fault tree analysis (FTA) and event tree analysis (ETA) are the most used techniques in PRAs. However, uncertainties in PRAs may lead to inaccurate risk level estimations and consequently to wrong decisions [1]. Lack of knowledge about systems under study during the PRAs is one of the main causes of uncertainties, which leads to simplification of assumptions, as well as imprecision and inaccuracies in the parameters used as inputs to PRA (e.g., component reliabilities, failure probabilities, and human error rates).
A framework to use the method of moments for determining the likelihoods of different outcomes from event trees in an uncertain data environment using fault trees is described in this work. Illustrative examples using this approach for propagating uncertainty in basic events of fault trees, following log-normal distributions, are also presented. The probability distributions of top events are compared with analyses available in the literature using different approaches, such as Monte Carlo simulation and Wilks and Fenton-Wilkinson methods.

Basics of risk assessment
There are many concepts of risk used in different scientific, technological, or organizational areas. In a general sense, risk can be defined as the potential of loss (e.g., material, human, or environmental) resulting from exposure to a hazard (e.g., fire, explosion, or earthquake). Sometimes, risk is measured through the assessment of the probability of occurrence of an undesired event and the magnitude of its consequences [2]. In this way, risk assessment encompasses the answers to the following questions [3]:
• What can go wrong that may lead to an outcome of hazard exposure (scenario S_i)?
• How likely is this to happen, and if so, what is its frequency (F_i)?
• If it happens, what are the likely consequences (C_i)?
Therefore, the risk R_i for a scenario S_i can be quantitatively expressed as a function of these three variables, as given by Eq. (1).
According to Christensen et al. [4], a hazard is an inherent property of a risk source potentially causing consequences or effects. This hazard concept does not include the probability of an adverse outcome, which is the core difference from the term risk. In this chapter, hazard is therefore taken to mean the properties of agents or situations capable of having adverse effects on facilities, human health, or the environment, such as dangerous substances, sources of energy, or natural phenomena.

Probabilistic risk assessment (PRA)
PRA provides an efficient way of quantifying risks, even in an environment of uncertainties regarding possible scenarios, data, or modeling. Risk assessment is the part of risk management carried out before deciding about risk treatment and prioritizing actions to reduce risks (risk-based decision-making). Figure 1 shows a framework for PRA in an uncertain environment [5,6].
PRA starts with the hazard identification and scenario development, proceeds through quantification of frequencies and consequences, and ends with risk analysis and evaluation [5].
The first step of a PRA process consists of finding, recognizing, and recording risk sources (hazard identification). The accident scenario development (sequence or chain of undesired events) consists of identifying the initiating events (IEs) and the sequences of events following these IEs. IEs are the critical events that initiate an accident, such as pipe rupture, overpressure, or explosion. The sequences of events are the combinations of success or failure of the barriers or controls demanded by the IEs (defense-in-depth layers), for example, emergency shutdown systems, human actions, or physical protection. Each sequence can lead to a desired or undesired outcome (end state), such as uncontrolled release of toxic gases, radiation exposure, or facility shutdown [6].
Fault trees (FTs) and event trees (ETs) are often used in PRAs for quantifying the likelihood of event sequences. FTs quantify frequencies or probabilities of top events (such as IEs or failure of defense-in-depth layers) through causal relationship of basic events (e.g., system components, human actions, or subsystems). ETs identify and evaluate each sequence frequency using data generated by FTs [5].
The consequence assessment of each accident scenario to people, property, or environment depends on many factors, such as magnitude of the event, number of people exposed to harm, atmospheric conditions, mitigating measures, etc. The consequence modeling involves the use of analytical or empirical physical or phenomenological models, such as plume dispersion, blast impact (TNT equivalent), or Monte Carlo simulation [7,8].
Risk analysis is the combination and integration of the probabilities (or frequencies) and the consequences for identified hazards, taking into account the effectiveness of any existing controls and barriers. It provides an input to risk evaluation and decisions about risk treatment and risk management strategies [6].
There are many uncertainties associated with the analysis of risk related to both probability and consequence assessments. An assessment of uncertainties is necessary to perform risk evaluation and to take decisions. The major categories of uncertainties are associated with data, methods, and models used to identify and analyze risks. Uncertainty assessment involves the determination of the variation or imprecision in the results, based on uncertainties of basic parameters and assumptions used in the analyses. Uncertainty propagation of failure probability distributions in FTs and ETs, as well as variability analysis of physical processes (named stochastic uncertainty) and the uncertainties in knowledge of these processes (named epistemic uncertainty), have to be properly accounted for in PRA results [9].
Risk evaluation involves comparing estimated levels of risk with the risk criteria defined once the context of the analysis has been established. Uncertainty assessment is important to adjust the categorization of the risk ranking, supporting decision-makers in meeting the risk criteria of standards and guidelines, as well as in visualizing and communicating risks [10].

Techniques for PRA
The main techniques used for probabilistic risk assessment are fault tree analysis (FTA) and event tree analysis (ETA) [11].
An FT is a graphical representation of the relationships among events leading to a "top event" at the apex of the tree. Beginning with the top event, the intermediate events are hierarchically placed at different levels until the required level of detail is reached (the basic events at the bottom of the tree). The interactions between the top event and the other events can generally be represented by "OR" or "AND" gates, as in the two FTs of Figure 2.
Minimal cut sets (MCSs) of a fault tree are the combinations of basic events that form the shortest pathways leading to the top event. MCSs are used for qualitative and quantitative assessments of fault trees and can be identified with the support of Boolean algebra, specialized algorithms, or computer codes [12]. The probability of the top event can be assessed from the identified MCSs if the probability values or probability density functions (pdfs) of the basic events are available. For instance, using set theory concepts [13], the probability equations of the two FTs in Figure 2(a) and (b) can be expressed by Eqs. (2) and (3), respectively, where P(A) and P(B) are the probabilities of the independent basic events and P(A|B) and P(B|A) are the conditional (dependent) probabilities.
ETA is also a graphical logic model that identifies and quantifies the possible outcomes (accident scenarios) following an undesired initiating event [14]. It provides a systematic analysis of the time sequence of intermediate events (e.g., success or failure of defense-in-depth layers, such as protective systems or operator interventions) until an end state is reached. Consequences can be direct (e.g., fires, explosions) or indirect (e.g., domino effects on adjacent plants or environmental consequences). Figure 3 shows an example of event tree construction, starting with an initiating event with frequency of occurrence λ, where P_1 and P_2 are the probabilities of the subsequent events (event 1 and event 2) leading to the possible scenarios S_1, S_2, S_3, and S_4, with frequencies F_1, F_2, F_3, and F_4, respectively, each with different consequences. If the success and the failure of each event are mutually exclusive (binary trees) and the probabilities of event occurrence are independent of each other, the frequency of each scenario is calculated as shown in Figure 3.

Uncertainty sources in PRA
Many types of data must be collected and treated for use in PRAs in order to quantify the accident scenarios and accident contributors. Data include, among others, component reliability and failure rates, repair times, initiating event probabilities, human error probabilities, and common cause failure (CCF) probabilities. These data are usually represented by uncertainty bounds or probability density functions, measuring the degree of knowledge or confidence in the available data.
Uncertainties can be highly significant in risk-based decisions and are important for establishing research priorities after a PRA process. For well-understood basic events for which a substantial experience base exists, the uncertainties may be small. When data from experience are limited, the probability of basic events may be highly uncertain, and even knowing that a given probability is small, most of the time one does not know how small it is.
The development of scenarios in a PRA introduces uncertainties about both consequences and probabilities. Random variation of physical processes is an example of stochastic uncertainty, while the uncertainties due to lack of knowledge about these processes are epistemic uncertainties. Component failure rates and reliability data are typically uncertain, sometimes because of the unavailability of information and sometimes because of doubts about the applicability of the available data.
PRA of complex engineering systems such as those in nuclear power plants (NPPs) and chemical plants usually exhibits uncertainties arising from inadequate assumptions, incompleteness of modeling, CCF and human reliability issues, and lack of plant-specific data. For this type of facility, the major sources of uncertainty are [15]:
• Uncertainties in input parameters: the parameters of the models (e.g., FTs and ETs) for estimating event probabilities and assessing the magnitude of consequences are not exactly known because of the lack of data, the variability of plants, processes, or components, and inadequate assumptions.
• Uncertainty about completeness: systematic expert review can minimize the difficulties in assessing or quantifying this type of uncertainty.
The main focus of this work is the treatment of uncertainties regarding numerical values of the parameters used in fault and event trees in the scope of PRA and their propagation in these models. If a probability density function (pdf) is provided for the basic events (e.g., normal, log-normal, or triangular), a pdf or confidence bounds can be obtained for an FT top event or an ET scenario sequence.

Methods of uncertainty propagation used in PRA
There are several available methods for propagating uncertainties such as analytical methods (method of moments and Fenton-Wilkinson (FW) method), Monte Carlo simulation, Wilks method (order statistic), and fuzzy set theory. They are different from each other, in terms of characterizing the input parameter uncertainty and how they propagate from parameter level to output level [16].
The analytical methods consist of obtaining the distribution of the output of a model (e.g., fault or event trees) starting from the probability distributions of the input parameters. An exact analytical distribution of the output, however, can be derived only for specific models, such as normal or log-normal distributions [17].
The Fenton-Wilkinson (FW) method is a kind of analytical technique of approximating a distribution using log-normal distribution with the same moments. It is a moment-matching method for obtaining an exact analytical distribution for the output (closed form). This kind of closed form is helpful, when more detailed uncertainty analyses are required, for instance, in parametric studies involving uncertainty importance assessments, which require re-estimating the overall uncertainty distribution many times [18].
The method of moments is another kind of analytical method, in which the calculations of the mean, variance, and higher-order moments are based on approximate models (generally using Taylor series). As the method is only an approximation, when the variance in the input data is large, higher-order terms in the Taylor expansion have to be included. This introduces much more complexity in the analytical model, especially for complex original models, as in the case of PRAs [19].
Monte Carlo simulation estimates the output parameter (e.g., the probability of the top event of an FT) by simulating the real process and its random behavior in a computer model. It estimates the output occurrence by counting the number of times an event occurs in simulated time, sampling the input data from their pdfs [20].
Fuzzy set theory is used when the empirical information for the input data is limited and probability theory is insufficient for representing all types of uncertainty. In this case, so-called possibility distributions are subjectively assigned to the input data, and fuzzy arithmetic is carried out. For uncertainty analysis in FTAs, instead of treating the input parameter as a random variable, it is considered a fuzzy number, and the uncertainty is propagated to the top event [21].
The Wilks method is an efficient sampling approach, based on order statistics, which can be used to find upper bounds to specified percentiles of the output distribution. Order statistics are statistics based on the order of magnitudes and do not need assumptions about the shape of input or output distributions. According to the authors' knowledge, this method has been of little use in the field of reliability modeling and PRA, although it is used in other aspects of NPP safety, such as uncertainty in input parameters associated with the loss-of-coolant accident (LOCA) phenomena [22].
The mentioned methods for uncertainty propagation have many differences and similarities, advantages and disadvantages, as well as benefits and limitations. Table 1 summarizes a comparison of these methods.
A brief discussion about the comparison of the mentioned methods is given as follows.
The method of moments is an efficient technique that does not require the specification of the probability distributions of the basic event probabilities. It is difficult to apply to complex fault trees with many replicated events [23]. This can be addressed with computer codes that automatically obtain the minimal cut sets (MCSs) of the fault trees. It is a simple method, easily explainable and suited to screening studies, due to its inherent conservatism and simplicity [24].
Monte Carlo simulation is computationally intensive for large and complex systems and requires the pdfs of the input data. It has the disadvantage of not readily revealing the dominant contributors to the uncertainties. With current computer technology and the availability of user-friendly software for Monte Carlo simulation, computational cost is no longer a limitation.
The fuzzy set theory does not need detailed empirical information like the shape of distribution, dependencies, and correlations. Fuzzy numbers are a good representation of uncertainty when empirical information is very scarce. It is inherently conservative because the inputs are treated as fully correlated [25].
The Fenton-Wilkinson (FW) method improves the understanding of the contributions to the uncertainty distribution and reduces the computational costs involved, for instance, in conventional Monte Carlo simulation for uncertainty estimation. It is applicable only when the uncertainties in the basic events of the model are log-normally distributed. FW estimates are most accurate in the central range, and the tails of the distributions are poorly represented. The Wilks method requires relatively few samples and is computationally inexpensive. It is useful for providing an upper bound (conservative) for the percentiles of the uncertainty distribution. However, its calculated values are less accurate than the FW estimates over practically the entire range of the distribution. For both Wilks and FW methods, the greatest errors are found in the low tails of the distributions, but in almost all reliability applications the high tails are of more interest than the low tails [26].

Method of moments for uncertainty propagation in FTA and ETA
The method of moments uses the first and second moments of the input parameters (mean and variance) to estimate the mean and variance of the output function, using propagation of variance or of the coefficient of variation. As a measure of uncertainty, the coefficient of variation is defined as the ratio of the standard deviation to the mean, which indicates the relative dispersion of the uncertain data around the mean. This uncertainty measure is a readily interpretable and dimensionless measure of error, unlike the standard deviation, which is not dimensionless [27].
In PRA, the method of moments can be used to propagate the uncertainties of the inputs (i.e., event probabilities) to the outputs. The probability density functions (pdfs) of the inputs can be estimated from gathered component reliability data or from historical records of undesired events. Assuming that the events (or basic events) are independent, probabilistic approaches for propagating uncertainties in FTs and ETs are given in the following two sections, respectively [28].

Method of moments applied to FTA
The uncertainty propagation in a fault tree begins with the propagation of uncertainties of basic events through "OR" and "AND" gates, until it reaches the top event. The fault tree should be represented by MCSs in order to avoid direct dependence between intermediate events, facilitating probabilistic calculations.
For an "OR" gate of a fault tree, the probability of the output event, P_or, is given by Eq. (4), where P_i denotes the probability of the ith (i = 1, 2, 3, …, n) independent event (or basic event) and n is the number of input events.
The uncertainty propagation through the "OR" gate is given by Eq. (5), which calculates the coefficient of variation of the output, C_or, as a function of the coefficients of variation of the inputs, C_i, according to Eqs. (6) and (7) [29], where s_i denotes the standard deviation of the ith (i = 1, 2, 3, …, n) input, n is the number of input events, and s_or is the standard deviation of the output of the "OR" gate.
For an "AND" gate of a fault tree, the probability of the output event, P_and, is given by Eq. (8), where P_i denotes the probability of the ith (i = 1, 2, 3, …, n) independent event (or basic event) and n is the number of input events.
The uncertainty propagation through the "AND" gate is given by Eq. (9), which calculates the coefficient of variation of the output, C_and, as a function of the coefficients of variation of the inputs, C_i, according to Eqs. (10) and (11) [29]:
C_and = s_and / P_and, (9)
where s_i denotes the standard deviation of the ith (i = 1, 2, 3, …, n) input, n is the number of input events, and s_and is the standard deviation of the output of the "AND" gate.

Method of moments applied to ETA
Uncertainty propagation in an event tree is analogous to uncertainty propagation through an "AND" gate of a fault tree. The frequency of occurrence of each accident scenario, F_seq, is given by Eq. (12), where λ is the frequency of occurrence of the initiating event, P_i denotes the probability of the ith (i = 1, 2, 3, …, n) subsequent independent event leading to the accident scenario, and n is the number of input events. These values can be obtained from fault trees constructed for each ith event or system failure of the event tree.
The uncertainty propagation through the accident sequence is given by Eq. (13), which provides the coefficient of variation of the accident sequence, C_seq, as a function of the coefficients of variation of the subsequent events, C_i, according to Eqs. (14) and (15), respectively, where s_i denotes the standard deviation of the ith (i = 1, 2, 3, …, n) subsequent event of the sequence, n is the number of input events, and s_seq is the standard deviation of the accident sequence.

Propagation of log-normal distributions
Many uncertainty distributions associated with the basic events of fault trees (reliability or failure probability data) can often be approximated in reliability and safety studies by log-normal functions. If the random variable ln(x) has a normal distribution, then the variable x has a log-normal distribution. The log-normal probability density function (pdf), f(x), is then given by Eq. (16) [30], where μ and σ are the mean and the standard deviation of ln(x), respectively (i.e., these are the parameters of the "underlying" normal distribution).
The error factor, EF, is often used as an alternative to the standard deviation of the "underlying" normal distribution, σ, for characterizing the spread of a log-normal distribution; these two quantities are related by Eq. (18). The mean, P, and standard deviation, s, of the log-normal variable, x, are given by Eqs. (19) and (20), respectively.

Illustrative examples
In order to validate the proposed approach for implementing the method of moments, two cases were tested.

Case study 1
The first case, taken from Chang et al. [8], introduces a fault tree (Figure 4) describing a generic top event "system failure," T, with seven basic events (X(1) to X(7)), characterized by the log-normal distributions. This simple example was chosen in order to compare the results of the method of moments with the uncertainty propagation analyses using Monte Carlo simulation.
The log-normal distributions assigned to the basic events (represented by median and mean values of probabilities, error factors, and standard deviations) are shown in Table 2. An analysis of the fault tree shows that its minimal cut sets (MCSs) are X(1), X(6), X(7), X(2)X(4), X(2)X(5), X(3)X(4), and X(3)X(5), which are used to estimate the top event probability and propagate the uncertainties. The application of the method of moments is carried out in a bottom-up approach. Starting from the basic events of the fault tree, the coefficients of variation of the intermediate events are estimated using Eqs. (4)-(7) for "OR" gates and Eqs. (8)-(11) for "AND" gates. This procedure is repeated iteratively until the top event is reached and its standard deviation is obtained. Considering that, in the same way as the basic events, the top event also has a log-normal distribution, Eqs. (16)-(20) are used to estimate the 5th percentile, median, and 95th percentile of the top event, as shown in Table 3. These estimates are slightly lower than the values obtained by Chang et al. [8] with Monte Carlo simulation (percent difference less than 4%). This good agreement can also be verified through the probability density function (obtained with Eq. (16)), as shown in Figure 5.
Figure 4.
Fault tree analysis for a generic top event "system failure" (adapted from Chang et al. [8]).
Table 2.
Basic event distribution for a generic top event "system failure" (χ50 and EF values were taken from Ref. [8]).
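The bottom-up procedure of the two preceding sections (coefficients of variation through "AND" and "OR" gates, the "AND"-like accident sequence of an event tree, the log-normal EF/σ relations, and the fit of a log-normal to the top event moments) is implemented below as an added, runnable example; it is not code from the chapter, and the chapter's Eqs. (4)-(20) are not reproduced on this page. The gate formulas used are the standard exact moment identities for products of independent random variables, E[∏X_i] = ∏P_i and E[∏X_i²] = ∏(P_i² + s_i²), which give C_and² = ∏(1 + C_i²) − 1 and reduce to the usual first-order C² ≈ ΣC_i² when the C_i are small; the "OR" gate is handled as the complement of an "AND" of independent complements. EF is assumed to be the ratio of the 95th percentile to the median, EF = exp(1.645σ). The basic-event data are constructed for illustration (they are not the Table 2 values), while the cut-set structure is the one listed above for case study 1; cut sets sharing a basic event (X2, X3, X4, X5 each appear twice) are treated as independent in the "OR" step, which is the approximation the text warns about for replicated events. A Monte Carlo cross-check, the comparison made in Table 3, is included so the two estimates can be compared on the same data.

```python
"""Method-of-moments propagation through a fault tree given by its minimal cut
sets, log-normal conversions for reporting percentiles, an event-tree sequence,
and a Monte Carlo cross-check.  Added example with constructed data."""
import math
import random

Z95 = 1.645  # standard-normal 95th percentile; EF = exp(Z95 * sigma) assumed


def lognormal_from_median_ef(median, ef):
    """Mean P and standard deviation s of a log-normal from its median and EF."""
    sigma = math.log(ef) / Z95                  # sigma of the underlying normal
    mean = math.exp(math.log(median) + sigma ** 2 / 2)
    std = mean * math.sqrt(math.exp(sigma ** 2) - 1)
    return mean, std


def and_gate(inputs):
    """Moments of a product of independent inputs given as (P_i, s_i) pairs.
    E[prod X_i] = prod P_i, E[prod X_i^2] = prod (P_i^2 + s_i^2), hence
    C_and^2 = prod (1 + C_i^2) - 1."""
    p, second = 1.0, 1.0
    for pi, si in inputs:
        p *= pi
        second *= pi ** 2 + si ** 2
    return p, math.sqrt(max(second - p ** 2, 0.0))


def or_gate(inputs):
    """P_or = 1 - prod (1 - P_i): the complement is an AND of the independent
    complements, which carry the same standard deviations s_i."""
    q, s_q = and_gate([(1.0 - pi, si) for pi, si in inputs])
    return 1.0 - q, s_q


def top_event_moments(cut_sets, basic):
    """Bottom-up: each minimal cut set is an AND gate, the top event is the OR
    of the cut sets (cut sets treated as independent; approximation when a
    basic event is replicated across cut sets)."""
    return or_gate([and_gate([basic[name] for name in cs]) for cs in cut_sets])


def sequence_frequency(lam, lam_std, events):
    """Event-tree accident sequence: IE frequency lambda times the subsequent
    event probabilities, i.e. an AND gate over (lambda, s_lambda) and (P_i, s_i)."""
    return and_gate([(lam, lam_std)] + list(events))


def lognormal_percentiles(mean, std):
    """Fit a log-normal to (mean, std) and return (5th, median, 95th)."""
    sigma = math.sqrt(math.log(1.0 + (std / mean) ** 2))
    median = math.exp(math.log(mean) - sigma ** 2 / 2)
    ef = math.exp(Z95 * sigma)
    return median / ef, median, median * ef


def monte_carlo_top(cut_sets, basic_median_ef, n=20000, seed=7):
    """Sample the basic events and evaluate the OR-of-ANDs directly; returns
    the empirical (5th, median, 95th) percentiles of the top event."""
    rng = random.Random(seed)
    sigmas = {k: math.log(ef) / Z95 for k, (_, ef) in basic_median_ef.items()}
    samples = []
    for _ in range(n):
        x = {k: rng.lognormvariate(math.log(med), sigmas[k])
             for k, (med, _) in basic_median_ef.items()}
        prod_not = 1.0
        for cs in cut_sets:
            p_cs = 1.0
            for name in cs:
                p_cs *= x[name]
            prod_not *= 1.0 - p_cs
        samples.append(1.0 - prod_not)
    samples.sort()
    return samples[n // 20], samples[n // 2], samples[(19 * n) // 20]


# Constructed (median, EF) pairs for illustration; NOT the Table 2 values.
CASE1_MEDIAN_EF = {
    "X1": (1e-4, 3), "X2": (1e-2, 3), "X3": (1e-2, 5), "X4": (1e-3, 3),
    "X5": (1e-3, 10), "X6": (1e-5, 3), "X7": (5e-5, 5),
}
# Minimal cut sets of the case-study-1 fault tree as listed in the text.
CASE1_MCS = [["X1"], ["X6"], ["X7"], ["X2", "X4"], ["X2", "X5"],
             ["X3", "X4"], ["X3", "X5"]]


def case1_comparison():
    """(5th, median, 95th) of the top event by both methods on the same data."""
    basic = {k: lognormal_from_median_ef(*v) for k, v in CASE1_MEDIAN_EF.items()}
    p_top, s_top = top_event_moments(CASE1_MCS, basic)
    return {"moments": lognormal_percentiles(p_top, s_top),
            "monte_carlo": monte_carlo_top(CASE1_MCS, CASE1_MEDIAN_EF)}


if __name__ == "__main__":
    for method, (p05, p50, p95) in case1_comparison().items():
        print(f"{method:12s} 5th={p05:.3e} median={p50:.3e} 95th={p95:.3e}")
```

The method-of-moments side needs only the means and standard deviations of the basic events, as the text states; the Monte Carlo side needs their full pdfs. The percentile step assumes the top event is itself log-normal, which is exactly the moment-matching of Eqs. (16)-(20) the chapter applies; for a top event dominated by a sum of several single-event cut sets the true distribution is only approximately log-normal, which is one reason the two columns differ.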

Case study 2
The second case study illustrates the application of the method of moments for assessing the uncertainty of a fault tree taken from a probabilistic safety analysis of a nuclear power plant (NPP). The fault tree shown in Figure 6 was constructed using the MCSs and basic event distributions provided by El-Shanawany et al. [26]. It represents a fault tree analysis for the top event "nuclear power plant core melt," taking into account loss of off-site and on-site power systems and failure of core residual heat removal. The basic events A, B, C, D, E, F, G, H, I, J, K, L, and M are related to off-site power system failure, operator errors, emergency diesel generator (EDG) failures, pump failures, and common cause failures (CCFs). A detailed description of each of these basic events is given in the caption of Figure 6. A logical analysis of this fault tree shows that its MCSs are ABC, ABD, ABE, ABF, ABH, ABI, ABJ, AFG, and AKLMH, which describe the illustrative example analyzed in the literature.
The log-normal distributions assigned to the basic events (represented by mean values of probabilities, error factors, and standard deviations) are shown in Table 4. Such distributions are also used in Ref. [26], to compare the results of this current work, using the method of moments, with the analyses of uncertainty propagation using the Wilks method, Monte Carlo simulation, and the Fenton-Wilkinson (FW) method.
Table 3.
Comparison of top event probabilities obtained by Monte Carlo simulation (Ref. [8]) and by the method of moments (current work).

Figure 6.
Fault tree analysis for a nuclear power plant core melt.

Table 4.
Basic event distribution for illustrative example, giving the mean of the log-normal pdf (P) and the error factor of the log-normal pdf (EF) for each basic event (P and EF values were taken from Ref. [26]).
The application of the method of moments is carried out in a similar way as in the first case study. Considering that the top event is also log-normally distributed, its 5th percentile, median, and 95th percentile are estimated. As can be seen in Table 5, the median values of the method of moments show a good agreement with Wilks method and are 25.8% and 20.4% greater than the results of Monte Carlo simulation and FW method, respectively. This is also illustrated in Figure 7, where the cumulative distribution function obtained by method of moments is compared with the data in the mentioned literature [26]. As can be seen, the results of the method of moments agree reasonably with the Wilks method, being slightly lower, moving toward the analyses of uncertainty propagation using Monte Carlo simulation, which is considered for many purposes to be close to the exact solution for simple models.
Overall, uncertainty propagation using the method of moments in fault trees, as shown in the two case studies, or in event trees, is quite simple in small systems and does not require the specification of the probability density functions of the basic events but only their means and standard deviations. For more complex systems and large fault and event trees, computer implementation of the described bottom-up approach can be performed, for instance, using specialized computer software for obtaining the minimal cut sets and quantitatively assessing the top event probabilities [31], as well as matrix computations for obtaining the standard deviations along the trees, as proposed by Simões Filho [32].
Table 5.
Comparison of core melt frequency obtained by the method of moments (current work) with data from the literature (Ref. [26]).

Figure 7.
Comparison of cumulative distribution function for core melt frequency obtained by the method of moments with data from literature [26].

Final remarks
This work addresses the uncertainty propagation in fault and event trees in the scope of probabilistic risk assessment (PRA) of industrial facilities. Given the uncertainties of the primary input data (component reliability, system failure probabilities, or human error rates), the method of moments is proposed for the evaluation of the confidence bounds of top event probabilities of fault trees or event sequence frequencies of event trees. These types of analyses are helpful in performing a systematic PRA uncertainty treatment of risks and system reliabilities associated with complex industrial facilities, mainly in risk-based decision-making.
Two illustrative examples using the method of moments for carrying out the uncertainty propagation in fault trees are presented, and their results are compared with analyses available in the literature using different uncertainty assessment approaches. The method of moments proved to be conceptually simple to use. It confirmed findings reported in the literature when dealing with simple and small systems. More complex systems will require the support of specialized reliability and risk assessment software in order to implement the proposed approach.