April 7, 2015

Fig. 1: Map of magnitude of peak horizontal acceleration of the United States. [1] (Source: Wikimedia Commons)

Depending on the location of a nuclear power plant, one could imagine that structural and operational integrity of the plant in the event of a major seismic event would be a major concern. Earthquake prediction seems to eternally be nascent, resulting in highly public and politicized reactions when predictions fail. No doubt this is due in part to the apparent randomness of seismic activity and the way its onset seems so utterly outside the reach of humanity. In the case of most events that could threaten the safe use of a nuclear power plant, the path toward risk minimization is the path toward the prevention of the generators of those events: if one is worried about mitigating the damage from sabotage, one does not make a building 'sabotage-proof' so much as preclude the possibility of sabotage by having secure premises. This cannot be so for many natural disasters, earthquakes prominently so. One can attempt to evade this point by choosing sites that have no seismic activity, but this is unsatisfactory. Figure 1 shows a map of the magnitude of peak horizontal acceleration in the United States. There are no places in the world with absolutely no seismic activity, and there likely will not be as long as the mantle of our earth shifts tectonic plates. Because earthquake occurrence is best modeled as a probability map, this map states that at any given point there is a two percent probability that over the course of the next fifty years an acceleration of at least this magnitude will occur. [1] Most nuclear power plants avoid the regions with high magnitudes, but not all: there is one nuclear power plant in southern California, near a region with a high magnitude. Hence, the question is always one of accurately and precisely knowing the degree of seismic activity such that plants can be designed around the known conditions.

In this report I will give a brief overview of two methodologies presented by the United States Nuclear Regulatory Commission for evaluating the seismic safety of existing nuclear installations. These methodologies, however, are quite widespread. By understanding the similarities and differences between these two metrics we can better understand what it means (and does not mean) for a nuclear power plant to be considered 'safe', both against earthquakes, and in general.

There are two primary methodologies used to assess the seismic safety of a nuclear power plant. They are the seismic margin assessment and the seismic probabilistic risk assessment. The former is deterministic, and the latter probabilistic.

Fundamentally, both methodologies use the same input data from past reports on the seismic activity in the vicinity of the facility, the state of the soil, the materials used in construction of the facility, the pipes used, et cetera. The scope of safety evaluations is important for controlling the amount of information that must be collected and analyzed. A holistic assessment of the seismic safety of a nuclear power facility is unreasonably labor-intensive, so engineers instead choose 'selected structures, systems, and components' (SSC) to evaluate. Evaluation of these parts of the plant as they currently stand in the power plant, together with an evaluation of the local seismic conditions, forms the core of either assessment methodology. Additionally, both methodologies require peer review from engineers and administrators knowledgeable about the capacities evaluated, and additional documentation for record-keeping and for reference in future safety evaluations.

The differences between the two methods arise in the interpretation of that data and the presentation of what 'seismic safety' is. Seismic margin assessments focus on evaluating High Confidence Low Probability Failure (HCLPF) capacities. These are defined as the level of earthquake ground motion at which there is a 95% confidence of an at most 5% probability of failure. [2] Each SSC receives an HCLPF capacity. However, because each SSC factors into the overall operational safety of the plant in different ways (success or failure of a given component could lead to different probabilities of success or failure depending on the type of seismic event considered), the HCLPF capacities must also be considered in the context of 'success paths', which are the series of actions that result in the safe shutdown of the plant. Thus, the HCLPF capacity of a success path is that of the SSC with the lowest HCLPF capacity -- a success path is judged by its weakest link. However, because multiple success paths exist for safely shutting down a plant, the overall HCLPF capacity of the power plant is defined by the success path with the highest HCLPF value: the ability of a plant to avoid failures is dependent on the most successful path towards shutdown. A nice feature of this seemingly-unintuitive evaluation of the safety of a plant is that it rewards finding a diversity of success paths: the more diverse the success paths (with many different SSCs), the harder it is for a particular defect to ruin the safety of the plant.
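The weakest-link and best-path rules described above can be worked through in a few lines. The following is an added example, not taken from this report or from NRC guidance; the SSC names, the three success paths and the HCLPF values (in g) are constructed for illustration. It also degrades each SSC in turn to show why diversity of success paths matters.

```python
# Added illustration: all SSC names and capacities below are constructed,
# not taken from any plant. Capacities are HCLPF values in units of g.

def path_hclpf(path, capacities):
    """A success path is judged by its weakest link: return (capacity, SSC)."""
    weakest = min(path, key=lambda ssc: capacities[ssc])
    return capacities[weakest], weakest

def plant_hclpf(paths, capacities):
    """The plant is judged by its best success path.

    Returns (capacity, governing path name, limiting SSC on that path).
    """
    best = max(paths, key=lambda name: path_hclpf(paths[name], capacities)[0])
    cap, weakest = path_hclpf(paths[best], capacities)
    return cap, best, weakest

def defect_sensitivity(paths, capacities, degraded_capacity):
    """Plant HCLPF after each SSC, one at a time, is degraded by a defect."""
    result = {}
    for ssc in capacities:
        trial = dict(capacities)
        trial[ssc] = min(capacities[ssc], degraded_capacity)
        result[ssc] = plant_hclpf(paths, trial)[0]
    return result

CAPACITIES = {  # constructed values
    "offsite_power": 0.10, "diesel_generator": 0.30, "battery_bank": 0.35,
    "aux_feedwater_pump": 0.40, "service_water_pump": 0.28,
    "control_room_panel": 0.45,
}
PATHS = {  # constructed success paths toward safe shutdown
    "A": ["offsite_power", "aux_feedwater_pump", "control_room_panel"],
    "B": ["diesel_generator", "aux_feedwater_pump", "control_room_panel"],
    "C": ["battery_bank", "service_water_pump", "control_room_panel"],
}

if __name__ == "__main__":
    print("plant HCLPF:", plant_hclpf(PATHS, CAPACITIES))
    for ssc, cap in defect_sensitivity(PATHS, CAPACITIES, 0.05).items():
        print(f"defect in {ssc:20s} -> plant HCLPF {cap:.2f} g")
```

A defect in an SSC that sits on only one path costs little or nothing, while a defect in the one SSC shared by every path (here the constructed `control_room_panel`) drags the whole plant down to the degraded value.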

Fig. 2: A generic fault tree diagram. Each node represents an event occurring. Each branch connects two events and represents some probability of the second event happening given the first event. Numbers at the end represent end states for the system. By using fragility functions to convert these probabilities into assessments on the seismic load, seismic probabilistic risk assessments inform workers about likely failure modes and appropriate responses to them. (Source: Wikimedia Commons)

While seismic margin assessments take probabilities and transform them into confidence margins in order to assess the probability of safe shutdown via a given set of actions, seismic probabilistic risk assessments attempt to fully model the probability of success through event trees and fault trees. Of particular concern for the seismic probabilistic risk assessment is the fragility function, which is the 'conditional probability that a component would fail for a specified ground motion or response-parameter value as a function of that value'. [3] In other words, the fragility function relates the probability of failure of SSCs to the fraction of the force or deformation an SSC must be able to withstand from seismic activity. These probabilities reflect both the known and controlled uncertainties of the various SSCs and our understanding of what we do not know -- the uncertainties in our models. Once fragility functions are defined, the risk is fully quantified: if an average chance of failure is desired, then integration over all fragility functions given that a failure occurs will yield the answer. The fragility functions highlight the major difference between seismic margin assessments and seismic probabilistic risk assessments: while the seismic margin assessments have an end product of a margin for success, the probabilistic risk assessments attempt to return a full probability distribution for the successful and safe shutdown of a power plant given a set of seismic conditions and actions in response to them.

While seismic margin assessments and seismic probabilistic risk assessments come to conclusions about the safety of a nuclear power plant using rather different statistical arguments, they are far more similar than different. There are no differences in the site data used for the evaluation, nor in the choice of the SSCs evaluated. Seismic margin assessments may not integrate a full probability distribution and instead grow and combine independently-calculated margins (such that the failures in SSC A may not be considered in the failures of SSC B before they are combined), but they attempt to combat this by evaluating on a much more conservative basis, taking the minimum probability of success up until the evaluation of the ability of the plant to shut down safely in the event of high seismic activity. This might even be considered the preferable approach when epistemic uncertainties (e.g. knowledge of the distribution of potential earthquake magnitudes) dominate, or when a very clear answer is needed. A seismic margin review "gives less information on the seismic safety of a plant" than seismic probabilistic risk assessments, but it does "provide a high confidence statement of the seismic capacity of the plant." [2] Of course, no matter the method of the evaluation of the safety of the power plant, incorrect data will lead to incorrect assessments about the safety. If a power plant never expects an earthquake that produces horizontal accelerations greater than a quarter of the Earth's gravitational acceleration, it will be very unlikely to be able to sustain horizontal accelerations of half the Earth's gravitational acceleration. It is a bitter irony that peer review - which helps combat this shortcoming - is itself fallible.

© Christopher Davis. The author grants permission to copy, distribute and display this work in unaltered form, with attribution to the author, for noncommercial purposes only. All other rights, including commercial rights, are reserved to the author.

[1] M. D. Petersen, *et al.*, "Documentation For the 2014 Update of the United States National Seismic Hazard Maps," U.S. Geological Survey, Open-File Report 2014-1091, 2014.

[2] Prassinos, P. G., M. K. Ravindra, and J. B. Savy, "Recommendations to the Nuclear Regulatory Commission on Trial Guidelines for Seismic Margin Reviews of Nuclear Power Plants," NUREG/CR-4482, March 1986.

[3] Budnitz *et al.*, "An Approach to the Quantification of Seismic Margins in Nuclear Power Plants," NUREG/CR-4334, August 1985.