The Mathematical Risk RA corresponding to an event A is defined as

Ra = PaHa (4.3)

where Pa and Ha denote respectively the probability and the hazard associated with A. For example if A denotes a particular Severe Accident, then Ha would be the likely number of cancers from the quantity of fission products released, Pa the probability of A per annum and Ra the expected incidence of radiologically induced cancers per year. Though the above definition reasonably maintains a constant risk as the hazard increases in severity but its probability correspondingly decreases, unquantifiable human aspects frequently complicate a risk assessment. Certain forms of death for instance are regarded with greater repugnance than others, and in such cases there is an instinctive demand for an indefinably smaller risk. Hence, the risk from a Severe Accident must be related to the natural incidence of thyroid cancer in particular. Risk of death from other causes are of course useful as a means of placing this event in perspective, and some recent statistics are given in Table 4.1. It shows that our reactions to externally and self — imposed risks are markedly different, and this constitutes an apparently intractable facet of risk presentation to the general public. For example, the likely number of thyroid cancers caused by the Three Mile Island-2 accident are shown in Section 4.4 to be orders of magnitude less than deaths from the natural incidence, yet as shown by Table 4.1 people

campaign vociferously against the dangers of nuclear power while quietly accepting relatively much larger self-imposed risks. In addition, by involving just the tractable issues of plant operability and public health, risk assessments for nuclear power have become unbalanced. Dunster [168], for example, asserts that “If we are wishing to make a judgement about the merits for being an energy-consuming society, we must consider not only the risks of generation but also the benefits.” During a televised interview [169], Jonas Salk[58] similarly commented, “We are so often preoccupied with the dangers to our society that we tend to overlook the opportunities.”

Event tree methods are being increasingly used by manufacturers and licensing authorities in the presentation of all types of safety cases. Fundamentally, this graphical technique involves the construction of flow diagrams like those used in computer programming. Each branch as in Figure 4.1 represents a mutually exclusive event that it is assigned a conditional probability to reflect both the likelihood of the event and the completeness[59] of current knowledge. A hazard value or function is also attached to each branch, which in the context of a Severe Accident represents the additional mass of radioiodides released by the event. The joint probability, hazard and risk of any final or intermediate fault condition are then calculated from a tree by visual inspection. Apart from simplifying calculations, event trees provide a systematic unambiguous presentation of probable accident sequences and serve to highlight those posing the dominant risk. In this way, they identify improvements necessary in the safety features of a design and suggest the most cost-effective implementation.

P — Probability, H — Hazard, R — Mathematical risk

A*, (B*) — Not A, (B)

p = PB./ APA = P(A B), H3 = HA + HB./ A, *3 = P3. H3

Figure 4.1 A Careful Punter’s Event Tree

Using upper bounds for the conditional probabilities and risks of accident events, Farmer [157] published the first probabilistic risk analysis for the siting of Advanced Gas Cooled Reactors. The later and much more comprehensive Reactor Safety Studies by Rasmussen [167]and the Federal German Risk Study [65,97] are also notable for specifying the spreads on probability estimates. However, the US

Reactor Safety Study [167] omits the important role of operators in either alleviating or exacerbating an accident situation. Furthermore, it assumes that accidents lead exclusively to either an assured cooling of the core or a “melt-down” with an inevitable breach of the containment. The later Three Mile Island-2 accident clearly demonstrates the impor­tance to safety and risk assessments of both of operator responses and of a partially degraded core yet intact containment situation. Accordingly, extensive theoretical and experimental research on degraded core situations was subsequently assembled on a multinational collab­orative basis. As justified to some extent by the following discussions, these investigations principally centered around

i. Robustness of fuel cladding to extreme reactivity insertions or coolant flow reductions [77].

ii. Coolability of a degraded core both inside and outside the reactor vessel [93,94,100,181,182].

iii. Rupture of a reactor vessel by the shock mechanical loads [88,102,103] or missiles created by internal explosions (fuel-coolant interactions [86,89,90,146]).

iv. Rupture of the containment by missiles [68,105,106] from external sources, or by hydrogen explosions in the particular case of a water-cooled reactor.

v. Formation and propagation of aerosols [104,170,171].

vi. Passive safety systems exploiting natural circulation [108,109].

In Section 4.4 below, Farmer’s Criterion [157] quantifies these require­ments as do later recommendations.