A Critical Look at the Need for Performing Multi-Hazard Probabilistic Risk Assessment for Nuclear Power Plants

Abstract

Probabilistic Risk Assessment (PRA) is one of the technologies that is used to inform the design, licensing, operation, and maintenance activities of nuclear power plants (NPPs). A PRA can be performed by considering the single hazard (e.g., earthquake, flood, high wind, landslide) or by considering multi-hazards (e.g., earthquake and tsunami, high wind and internal fire). Single hazard PRA was thought sufficient to cover the analysis of a severe accident until the Fukushima Daiichi NPP accident in 2011. Since then, efforts were made to consider multi-hazards as well; thus, multi-hazard PRAs are starting to be seen as being indispensable for NPPs. In addition to the changing frequency of global and local natural hazards, other reasons to be highlighted are that the number and diversity of NPPs will probably increase. Moreover, advanced reactors are close to becoming a reality by designing them with passive safety systems, smaller, standardized, and even transportable to make them cheaper across the design, licensing construction, and operation stages. Thus, multi-hazards should be addressed in any future full-scope PRA. Although we found a few studies discussing multi-hazards, a general framework for multi-hazard PRA is still missing. In this paper, we argue that the starting point for any multi-hazard PRA general framework should be the Advanced Non-LWR Licensing Basis Event Selection (LBE) Approach and Probabilistic Risk Assessment Standard for Non-Light Water Reactor (non-LWR) Nuclear Power Plants. For Probabilistic Risk Assessment (PRA), history has shown us the path forward before, with Three Mile Accident being seen as one milestone to understand the necessity of PRA. The Fukushima Daiichi NPP Accident is another milestone in the development of PRA, showing the need for performing multi-hazard PRA for the current and future NPPs.

1. Introduction

Using nuclear technology has many benefits, either for energy or other applications [1] like cancer diagnostics and treatment, non-destructive material testing, thickness, gauge, or level measurements. Nevertheless, just as any other modern technology, it has some disadvantages; for example, depending on the reactor design, nuclear proliferation concerns can be raised [2]. The main requirements of commercial nuclear power are safety, security, and non-proliferation during energy production and the entire fuel cycle. Nuclear safety is necessary to ensure that there is no significant increase in societal health risk compared to other societal risks. More specifically, deterministic and probabilistic safety analyses are performed to assess the likelihood of plant damages and the associated consequences, such as releases of radioactive materials to the environment and acute or latent effects of radiation exposure leading to injuries or deaths [3]. On the other hand, nuclear security ensures nuclear materials and radioactive substances are protected from theft, sabotage, unauthorized access, illegal transfer, or other malicious events [4].

Nuclear safety and security are regulated by national and international agencies, such as the Nuclear Regulatory Commission (NRC) [5] in the United States (US). Regulation of the nuclear industry is based on applying both deterministic and probabilistic methods to assure the requirements are met. Thermal-hydraulic and reactor physics are examples of deterministic calculations. They are generally based on best estimate plus uncertainty analyses. PRA is one of NRC’s endorsed technologies used for risk-informed, performance-based decision-making [6], covering design, construction, operation, and decommissioning stages. PRA generally does quantitative risk estimates for complex, high-risk engineering systems like nuclear power plants, chemical process facilities, waste repositories, and space systems [7]. Specifically, PRA enables the investigation of the probability of accidents and their consequences for nuclear power plants by trying to address the questions: “What can go wrong? How likely is it? What are the consequences?” The answers to these questions form the so-called risk triplet [8].

Although the roots of PRA may extend to the year 1953 through GE-led research called “The Evaluation of Probability of Disaster,” WASH-1400 is the first formal PRA for nuclear power plants [6]. More recently, NRC published Regulatory Guides 1.174, “An Approach for Using Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-Specific Changes to the Licensing Basis [9]” and 1.200 “Acceptability of Probabilistic Risk Assessment Results for Risk-Informed Activities [10]” which are indispensable guides to use PRA insights in the nuclear industry. Furthermore, NUREG/CR-2300 “PRA Procedures Guide: A Guide to the Performance of Probabilistic Risk Assessment for Nuclear Power Plants [11]” gives the methods needed for performing PRAs for NPPs.

PRA helps identify the system’s weaknesses, both qualitatively and quantitatively. The goal is to support decision-making in three levels for light water reactors (LWRs). Level 1 PRA focuses on the response of systems and operators to the initiating events by evaluating the core damage frequency, level 2 PRA assesses the containment failure by quantifying fission product releases from the containment, and level 3 PRA evaluates the public health consequences [12].

The discussion until now mainly was focused on LWR technology. Presently, interest in Generation IV, small modular reactors (SMRs), and microreactors is higher than ever. Generally speaking, SMRs are new and advanced designs to produce electrical power up to 300 MW [13]. The innovative idea behind the SMRs is the use of pre-fabricated components and systems, which enables a more flexible deployment with the same inherent safety features common to Generation IV reactor designs [14]. Another intended goal for SMRs is to make them economically competitive with a shorter construction period. According to the International Atomic Energy Agency (IAEA) SMR Booklet [13], there are six different categories for SMRs depending on the coolant and neutron spectrum: (1) land-based water-cooled, (2) marine-based water-cooled, (3) high-temperature gas-cooled, (4) fast neutron spectrum, (5) molten salt, and (6) micro-sized SMRs.

This new concept needs a unique perspective in terms of PRA since the three levels approach for LWRs is no longer appropriate since some of the Generation IV reactor designs have no concept of core damage. To address this gap, the Licensing Modernization Project (LMP) [15] aimed to develop a framework to support designers in developing a more reasonable licensing basis and to support the NRC in developing regulations for advanced non-LWR plants. The LMP methodology is technology-inclusive, risk-informed, and performance-based (TI-RIPB). In parallel, a standard for performing a PRA for non-LWRs was developed as well, called “Probabilistic Risk Assessment Standard for Non-Light Water Reactor Nuclear Power Plants” [16] published jointly by the American Nuclear Society (ANS) and the American Society of Mechanical Engineers (ASME) in early 2021.

To sum up, there is no doubt PRA is a vital tool for complete safety analysis of any reactor design at any design stage. Moreover, it has been continuously refined since it was initially developed and used in 1975 with WASH-1400, until it was standardized for advanced non-LWRs in early 2021. Nevertheless, issues such as multi-hazard PRA for nuclear plants still need to be addressed, which we want to cover in this paper.

The rest of the paper will follow this pathway. In Section 2, we intend to introduce single-hazard PRAs. Section 3 will try to address the basics and why we need to consider multi-hazard PRAs. Section 4’s focus is the quantification of multi-hazard PRA and provides two different views of the quantification of multi-hazard PRA. Section 5 introduces the advanced non-LWR Licensing Basis Event Selection (LBE) approach, and Section 6 investigates the latest PRA standard for non-LWR, and especially tries to address definitions related to the multi-hazard PRA.

2. Single-Hazard PRA for NPPs

One of the PRA elements is the identification of initiating events. The initiating events are perturbations to the plant during a specific plant operating state that challenges its control and safety systems, whose failure could potentially lead to undesirable consequences, such as radioactive material release [16]. In general, an initiating event may result from human actions or equipment failures from causes internal to the plant (e.g., hardware faults, flood, or fires) or external to the plant (e.g., earthquakes or high winds), or combinations thereof. If such events are brought about by the occurrence of the specific hazard, which is a phenomenon that challenges the safe operation of a facility (e.g., external flood), they are called hazard events. While internal hazard events occur inside the NPP, external hazard events [17] occur outside of the NPP boundaries but have an impact on the NPP site.

In traditional PRA, we use event trees as a step-by-step risk analysis technique to evaluate the progression of system failure events followed by an undesired initiating event. The following event is obtained by asking “What happens next?” to eventually get the consequence. Each of the system’s failure events in an event tree is generally obtained by fault tree analysis. A fault tree construction starts with defining the top event, which describes the undesired failure event. We ask, “What caused that?” for the top event and answers will be construction steps for the fault tree. The construction stops either when we reach the basic event or do not have sufficient information to continue. The probabilities for event trees come from fault tree analysis. For single hazard analysis, this process is straightforward since we do not need to model any correlation and interaction of hazards as is needed in multi-hazard analysis. To better understand and quantify the hazard events, classifying the external hazards may be helpful. One may categorize the external events depending on the source of the events as [18]:

• Air-based external events are caused by airspeed, air temperature, air pressure, precipitation, humidity, air contamination, electromagnetic fields, and direct impact from the air.
• Ground-based external events are caused by ground speed, limited ground impact, direct impact from the ground, fire outside the plant, and ground contamination.
• Water-based external events are caused by water speed, water level, water temperature, soil impact, ice impact, solid impurities, water contamination, and direct impact from water.

Other than classifying the events, having a list of potential single external events is crucial. For example, US NRC [19] and International Atomic Energy Agency (IAEA) [17,20,21] have their publications that contain potential single external events.

According to the NUREG-1407 Procedural and Submittal Guidance for the Individual Plant Examination of External Events (IPEEE) for Severe Accident Vulnerabilities [19], the events evaluated for IPEEE are:

• Seismic events
• Internal fires
• High winds and tornadoes
• External floods
• Transportation and nearby facility accidents
• Lightning
• Severe temperature transients, including extreme heat and extreme cold
• Severe weather storms
• External fires
• Extraterrestrial activity
• Volcanic activity

As an example for single-hazard PRA, the Final Safety Evaluation Report Related to Certification of the AP1000 Standard Design (NUREG-1793, Initial Report) [22] may give some insights. The AP1000 PRA analyzed three hazard events, seismic, internal fires, and internal floods. For example, the fire risk analysis was performed for both at-power and shutdown using the available plant-specific design information, fire safety data, and the plant internal events PRA model. The goal was to obtain the core damage frequency (CDF) associated with internal fire. The CDF was about 5.6 × 10⁻⁸ per year at-power and about 8.8 × 10⁻⁸ per year during the shutdown. The NRC commented on the results showing the design is capable of withstanding internal fires.

In general, a full-scope PRA study requires the analysis of external flooding, hurricanes, or other external events applicable to the specific site. Thus, the PRA performed for the design certification for any reactor design needs to be updated when site-specific and plant-specific data become available.

3. Multi-Hazard PRA for NPPs

Concurrent and successive occurrences of more than one hazard are defined as multi-hazard [23]. In the nuclear industry, multi-hazards are often overlooked in PRA since no general framework is available for such an analysis.

Figure 1 shows the papers published related to the multi-hazard risk assessment between 1983 and 2021, with the given keywords on top of the figures. Figure 1a shows only nuclear-based multi-hazard risk assessment; the figure on the right-hand side (Figure 1b) displays all research based on multi-hazard risk assessment. The interest in the multi-hazard risk assessment tends to increase, especially after the Fukushima NPP accident in March 2011. Moreover, most of the publications on multi-hazards come from the US, leading the published papers with 61 articles. France has 27 articles, Germany, Italy, and Japan have 13 articles each, Canada and the Republic of Korea have 12 articles each, and so on during the same period.

Multi-hazard PRA became a topic after the Fukushima NPP accident in March 2011. According to the World Health Organization (WHO) [24], the Great East Japan Earthquake was a 9.0-magnitude earthquake followed by a tsunami in the eastern coastal. According to the International Nuclear Event Scale (INES) [25], this event, caused by a multi-hazard, led to a level 7 accident at Fukushima Daiichi NPP, the highest level, according to the International Nuclear Event Scale (INES). While the Three Mile Island accident in the US made PRA crucial, the Fukushima Daiichi accident showed the necessity for multi-hazard PRA.

Multi-hazard PRA is a more complex analysis, and it is more challenging to assess its necessity compared to the single hazard analysis [26]. As discussed above, the accidents made PRA crucial for NPP; moreover, climate change and the growing population lead to an increase in the frequency of local, regional, or global hazards. This increase may lead to a higher impact on the critical infrastructures, such as NPPs than anticipated when they were designed.

In comparison to single hazard analysis, multi-hazard PRA requires different analysis methods since every hazard has its own characteristics [27]. Therefore, to better understand and find ways to quantify multi-hazard PRA, a feasible approach could be to categorize the multi-hazards and define standard parameters.

Although there is more than one way to categorize the multi-hazards, in this paper, we prefer to walk through the categorization given in

Table 1. Multi-hazard categorization [28].

Categories		Details
Number of events and hazards	Number of events	Single event: one event and one hazard Multi-event: two or more events, including secondary event
	Number of hazards	Single hazard: one hazard (it may be caused even by multi-event) Multi-hazard: two or more hazards (it may be caused even by a single event)
Order of event	Independent event [Independent]	Two or more events that are independent of each other
	Simultaneous event [Concurrent]	Two or more events caused by a single source
	Sequential event [Successive]	Occurred by secondary event

[28], which suggests the order of events is also important to classify the events besides the number of events.

Multiple definitions for multi-hazard PRA can be found in the literature; thus, providing descriptive definitions is necessary to understand Table 1:

• Hazards are phenomena that challenge the safe operation of a NPP, such as a seismic occurrence or high wind.
• Hazard event is an event caused by the occurrence of the specified hazard described in terms of various levels of some characteristic measure of its intensity, such as the peak ground acceleration for seismic hazards or wind speed for high wind hazards.
• Initiating events cover natural and human-made perturbations to the plant that can challenge control and safety systems, whose failure can lead to undesired consequences, such as radioactive material release. An initiating event can result from various hazard events internal (e.g., hardware fault, flood, fire) or external to the plant (e.g., earthquakes, high winds).
• Hazard analysis is the process of determining an estimate of the expected frequency of exceedance over a specified time interval of various levels of some characteristic measure of the intensity of the hazard, such as water level in a flood.
• Secondary hazard is a hazard induced by another hazard, such as a landslide caused by an earthquake.
• Multi-hazard is phenomenon in which one hazard occurs concurrently with another hazard, such as seismic and flooding.
• Multi-hazard (initiating) event is the occurrence of two or more correlated or uncorrelated events, such as an earthquake of a specific peak group acceleration and high winds of a specific wind speed.

Although some of the definitions are not common and highlight the need for a common language in multi-hazard PRA, the relationship between hazards, which may make analysis trivial or complex, needs to be considered in any approach.

In multi-hazard PRA, both internal and external events need to be addressed. External events are the events that occur outside the NPP. The hazard of the external events may either be the natural environment or man-made. However, multi-hazard PRA is not only related to external events but also related to internal events. For example, a large break loss of cooling (LBLOCA) initiating event can happen during an earthquake [29]. A well-known example is the Fukushima Daiichi NPP accident, an internal accident induced by an external earthquake and tsunami. The lesson learned from this accident is that the PRA for external events, combined events, and external hazards causing internal events needs to be revised. Therefore, there is a need for developing a framework that considers the combination of external events by taking the likelihood of the risk contributors and their effects into account.

In general, hazard events can occur either individually or in a combination of each other. Two combined hazard events occur either simultaneously or within a short duration of time. Moreover, they may also cause an internal event, such as equipment failure. This simple illustration is just like the accident of Fukushima Daiichi NPP. The takeout from this example is that considering the different events as being independent may not always be a reasonable assumption to make. Such simplification ignores the correlation between events and may lead to unintended consequences.

Identification of individual hazards depends on screening analysis, which is established to collect information on plant characteristics concerning internal and external hazards, statistical methods, and experiences concerning the investigation of hazards and their impacts on the plant [30].

Any hazards can be treated in four steps [31]:

• Initial data collection can be either site- or plant-specific. Then, the data is the source for screening analysis.
• Identification of hazards is the following step upon data gathering. The source for the hazards may be either natural or man-made.
• Hazard screening analysis aims to screen out the insignificant item or the items that have insignificant effects.
• Detailed hazards analysis analyzes the relevant hazards that affect the structures, systems, or components (SSCs).

The current practice considers two or more hazard events as independent events and evaluates the total frequency as the product of single frequencies. It is straightforward and makes evaluation extremely easy; however, this is not always appropriate.

The studies on multi-hazard PRA in the nuclear industry are not mature yet; however, a couple of efforts are currently ongoing. NARSIS [32] aims to review, analyze and improve the safety assessment methodologies. A practical approach was presented for performing an earthquake-induced landslide PRA for NPP [33]. Another study [34] demonstrated the results from a survey of multi-hazard PRA that was conducted using a Bayesian network (BN) with Bayesian inference. One comparatively older study [35] developed a systematic methodology to assess and rank the risk from multiple hazards in a community. The final example study [36] describes NRC’s Office of Nuclear Regulatory Research’s initial efforts to support a portion of the Level 3 project, namely, the multi-hazard Level-2 PRA for LWRs.

4. Quantification of Multi-Hazard Risk

A couple of methods and research efforts on multi-hazards are mentioned at the end of the previous section; however, they all focused on specific scenarios rather than a general framework. In addition to these scenarios, there are also some available quantification methods for multi-hazards in the non-nuclear industries. The INFRARISK project developed a reliable stress test on European Critical Infrastructure using integrated tools for decision support [37]. One of the focal points of the INFRARISK was developing a methodology for extreme natural hazards and cascading events. This study quantified the earthquake-induced landslides through a case study. Another effort [38] developed a quantitative approach of multi-hazard risk assessment based on vulnerability surface and joint return period of hazards specifically focused on the risk of crop losses in the Yangtze River Delta region of China. The authors claimed that the methodology can be used in other areas as well. A study [39] used the Choquet integral multiple linear regression model to overcome the problem of nonlinear additivity, which is one of the difficulties for multi-hazard quantification. Additionally, this study considered the effects of magnification on the severity of disasters and the vulnerability of victims in multi-hazard cases.

The main take-away message from the mentioned studies is that the composite individual risk of multi-hazard events is more significant than the simple addition of the risk of each hazard. This conclusion is also the motivation for the work on multi-hazard PRA in the nuclear industry. Current PRA methods do not address the multi-hazard events, so it is crucial to develop a general framework to quantify multi-hazards. This can be done in several steps like modeling the physical phenomena considering the multi-hazards, gathering data, evaluating and generalizing the methodology for different types of reactors and failure modes, and verifying the framework through a peer review panel process. Currently, we are in the phase of modeling physical phenomena considering multi-hazards. This section introduces two recent preliminary efforts on the quantification of multi-hazard risk, specifically in the nuclear industry.

4.1. Sampling-Based Multi-Hazard PRA Algorithm

This method starts with an existing methodology for single hazard events and then quantifies multi-hazard events [40]. The current method for a single hazard event quantification is External Event Probabilistic Safety Assessment (EE-PSA) [41], which predicts the possibility of damage to the reactor core due to external hazards. EE-PSA is an integrated process that obtains a single risk value by performing an external analysis, fragility analysis, accident scenario analysis, and risk quantification. In addition, EE-PSA considers the inherent randomness (aleatory uncertainty) and the state of uncertainty (epistemic uncertainty) associated with these analyses and quantifications.

The way to quantify the single hazard EE-PSA is based on the Electrical Power Research Institute (EPRI) separation-of-variable (SOV) method [41]. It is important to note that this method uses the Boolean algebra laws assuming the independence between events to evaluate system fragility, which is valid only if there are no partial dependencies between components. One way to handle partial dependency is using the Bayesian network techniques [34]. Another way is using the sampling-based risk quantification method, also known as Direct Quantification of Fault Tree using the Monte Carlo simulation (DQFM) [42], which considers partial dependencies between components based on the fragility analysis.

Defining fragility analysis is necessary to understand the hazard phenomena better. The fragility analysis is the process used to calculate the conditional probability of failure of a component due to a hazard by considering the aleatory and epistemic uncertainty [40]. Although many approaches are widely used, the safety factor [41] and response factor methods [43] are the most common.

The safety factor method [41] is described in Equation (1) below, where $\mathsf{\Phi }[.]$ is the standard Gaussian cumulative distribution of the term in brackets, a denotes the hazard intensity, A_m is the median hazard performance value, and ${\beta }_c=\sqrt{{\beta }_r{}^2+{\beta }_u{}^2}$ is the composite log-standard deviation, including randomness and uncertainty.

$$f_0=\mathsf{\Phi }\left[\frac{\ln \frac{a}{A_m}}{{\beta }_c}\right]$$

(1)

The response factor method [43] is described in Equation (2), where the actual response R and capacity C define the fragility distribution, R_m and C_m are the median values associated with response and capacity, respectively. ${\beta }_{Rc}$ and ${\beta }_{Cc}$ represent a log standard deviation concerning the randomness and uncertainty for response and capacity, respectively.

$$f_0=\mathsf{\Phi }\left[\frac{\ln \frac{R_m}{C_m}}{\sqrt{{\beta }_{Rc}{}^2+{\beta }_{Cc}{}^2}}\right]$$

(2)

The approach for determining fragility uses the response factor method with safety factor inputs in the given study [40]. Using the response factor method provides a good separation between response and capacity. The safety factor needs less input value than the response factor. Moreover, a sampling-based fragility assessment method, called DQFM [42], also has an advantage over the response factor method.

4.2. Trustworthiness of Risk Assessment

A novel study [44] focuses on the realism and trustworthiness of risk assessment. The study introduces trustworthiness as a risk assessment metric that shows confidence in the background knowledge, suitability, comprehensiveness, and completeness of PRA. Background knowledge, assumptions, conservatism, and sensitivity analysis fundamentally affect a risk analysis’s realism and trustworthiness. Strong background knowledge and the modeling’s fidelity are two main attributes of the suggested framework for evaluating trustworthiness. The hierarchical tree for trustworthiness evaluation represents different attributes and a 4-level approach to assessing trustworthiness to provide the reader the means how to evaluate the trustworthiness.

The level of trustworthiness of risk assessment is evaluated using a weighted average of the leaf attributes and using the Equation (3) is where ω_i, which is is the weight of the leaf attribute, measures its relative contribution to the trustworthiness of risk assessment, n is the number of the leaf attributes, and the trustworthiness score, A_i. The i-th leaf attribute is calculated based on the scoring guidelines, which can be reached in a related work’s Appendix.

$$T={\displaystyle \sum }_i^n{\omega }_i{A}_i$$

(3)

The weights are determined based on the Dempster Shafer-Analytical Hierarchy Process (DST-AHP) [45]. After obtaining the trustworthiness, the weighted posterior method integrates the risk index with the trustworthiness of the PRA for a single hazard group. After integration, the risk is expressed in terms of a subjective distribution on the probability that a given consequence will occur. Then, the estimated risk from different hazard groups is aggregated. In other words, risk distributions from different hazard groups are simply added, as shown in Equation (4).

$$Ris{k}_{total}={\displaystyle \sum }_i^n\left(Ris{k}_i/T\right)$$

(4)

$Ris{k}_{total}$ is the total risk considering the level of trustworthiness, $\left(Ris{k}_i/T\right)$ is the risk from the hazard group i given in the level of trustworthiness, and n is the number of hazard groups.

The suggested framework can be applicable to risk-informed decision-making. However, even if the Dempster-Shafer is used to capture the uncertainty in the expert elicitation process of the relative weights of the attributes, uncertainty in the scoring was deferred to be addressed in a future study.

4.3. The Need for a General Multi-Hazard PRA Framework

As it can be seen in the previous two sub-sections, preliminary efforts have been put into evaluating multi-hazard events for NPPs; however, a general multi-hazard PRA framework still needs to be developed. The general multi-hazard PRA framework should include the necessary quantification methods to estimate the expected exceedance frequency of multi-hazard initiating events, both correlated and uncorrelated. Moreover, their combined effect on the plant control and safety systems should be systematically evaluated to enable the development and quantification of realistic event sequences of safety systems and human responses to such multi-hazard initiating events. The ultimate goal is to design and demonstrate the safety of advanced reactors in a wider range of challenging conditions since ignoring correlated or uncorrelated hazards may lead to unintended consequences.

5. Advanced Non-LWR Licensing Basis Event Selection (LBE) Approach

The U.S. NRC provides different guidance to reactor designers and applicants depending on if they are licensing a LWR or a non-LWR: Appendix A to 10 CFR Part 50 lists the general design criteria for LWRs [46] and regulatory guide 1.232 provides the guidance for developing principal design criteria for non-LWRs [47]. The guidance applies for all production and utilization facilities licensed under 10 CFR Part 50 or Part 52.

Moreover, the risk metrics for non-LWRs are different from the traditional risk metrics that are used for licensing LWRs. Core Damage Frequency (CDF), Large Early Release Frequency (LERF), or Conditional Containment Failure Probability (CCFP) are the surrogates for the Quantitative Health Objectives (QHO) for currently operating LWRs [48]. However, for advanced non-LRWs, a set of frequency-consequence criteria called F-C Target is used [15].

There are several different categories of events that need to be included during the licensing process. In LMP, the licensing basis events (LBEs) are the whole set of event sequences considered during the design and licensing phases, which include Anticipated Operational Occurrences (AOOs), Design Basis Events (DBEs), and Beyond Design Basis Events (BDBEs). The definition of design basis accidents (DBAs) is different from the current or common use for LWRs. They have postulated event sequences that are used to set design criteria and performance objectives for the design of safety-related structures, systems, and components. DBAs are derived from DBEs based on the capabilities and reliabilities of safety-related structures, systems, and components needed to mitigate and prevent event sequences, respectively.

The given categories in Figure 2 are based on the 5th and 95th percentiles of the event-sequence frequency of occurrence per plant-year, while the F-C Target (i.e., blue line) is based on both frequencies and consequences, as follows:

• AOOs are expected to occur with a frequency greater than 10⁻²/plant-year during the plant’s life, either include single or multiple reactor modules. The F-C Target for high-frequency AOOs until 10⁻¹/plant-year are based on an iso-risk profile defined by annual exposure limits of 10 CFR 20 [49], in other words, 100 mrem/plant-year. The frequencies between 10⁻¹/plant-year and 10⁻²/plant-year, the F-C Target is set at a reference value of 1 rem by considering the Environmental Protection Agency (EPA) Protective Action Guide (PAG) limits [50].
• DBEs are expected to occur between the frequencies 10⁻²/plant-year and 10⁻⁴/plant-year, meaning the less frequent events. The F-C Target for this part is 1 rem at 10⁻²/plant-year with 25 rem at 10⁻⁴/plant-year with the dose calculated at the Exclusion Area Boundary (EAB) for the 30 days following the release.
• BDBE frequency is less than 10⁻⁴/plant-year with the upper limit 5 × 10⁻⁷/plant-year, meaning that rare events can be excluded from the BDBE category. The F-C Target for this case is 25 rem at 10⁻⁴/plant-year with 750 rem at 5 × 10⁻⁷/plant-year to ensure that the QHO for early health effect does not exceed individual BDBEs.

Also, it is essential to note that:

• The frequency-dose evaluation line includes increasing and decreasing risk arrows to evaluate the risk significance of each LBE.
• The frequency-dose anchor points in the figure are used to define the shape of the curve. The lines between anchor points are straight lines on a log-log frequency-dose graph.
• Finally, the event sequences with frequencies less than 5 × 10⁻⁷/plant-year are kept in the PRA results to confirm no cliff-edge effects.

The current regulatory infrastructure was developed for reactor licensing in the 1960s and 1970s by considering the technology available at the time. On the other hand, the LBE approach addresses the following:

• The plant initiating event and event sequences are associated with the design and site.
• The response of the design and its structures, systems, and components (SSC) to initiating events and event sequence.
• Margins provided by the facility’s response regarding prevention and mitigation of radiological releases.
• Adequacy of the defense-in-depth (DID) philosophy.

Moreover, one of the important elements of the LBE approach is having the F-C target. Performing either single or multi-hazard PRA will have a point on the F-C curve. This approach could give an indication on whether performing a multi-hazard PRA for the specific design with specific plant and site conditions is necessary or not.

6. Overview of Current Probabilistic Risk Assessment Standard for Non-Light Water Reactor (Non-LWR) Nuclear Power Plants

Probabilistic Risk Assessment Standard for Non-Light Water Reactor Nuclear Power Plants [16] is an American National Standard released on 8 February 2021. The Standard supports risk-informed decisions for advanced non-light water reactor NPPs and describes a method for applying the requirements for specific applications. The standard is applicable beginning from the design phase, and includes licensing, procurement, construction, operation, and maintenance of advanced non-LWR NPPs.

The standard contains 18 PRA elements covering the technical requirements necessary to be addressed in developing a full-scope PRA for advanced non-LWR NPPs. These are Plant Operating State Analysis (POS), Initiating Event Analysis (IE), Event Sequence Analysis (ES), Success Criteria Development (SC), Systems Analysis (SY), Human Reliability Analysis (HR), Data Analysis (DA), Internal Flood PRA (FL), Internal Fire PRA (F), Seismic PRA (S), Hazards Screening Analysis (HS), High Winds PRA (W), External Flooding PRA (XF), Other Hazards PRA (O), Event Sequence Quantification (ESQ), Mechanistic Source Term Analysis (MS), Radiological Consequence Analysis (RC), and Risk Integration (RI).

A critical look at the whole standard is necessary to assess its applicability to multi-hazard PRAs. In this section, we look only at the IE element [52,53,54] since this element forms the basis for multi-hazard PRA. There are three core steps for IE, that is identifying, grouping, and quantifying.

The first step is the identification of initiating events. The IE is used to identify all initiating events for both modeled plant operating states and the plant pre-operational stage with sources of radioactive material. The point that needs to be highlighted is that the requirement also touches on multi-hazard events. It considers the initiating events caused by a combination of hazards like seismically induced fires and flooding caused by fire sprinkler actuation. After the identification is complete, the initiating events are grouped to make the analysis more manageable. This grouping enables the estimation of the frequency of each modeled event sequence and event sequence family efficiently and realistically. The third step requires the quantification of the annual frequencies for each initiating event group.

In regard to multi-hazard, the standard does not explicitly define multi-hazard events. However, some related definitions in the standard include coexistent, concurrent, primary, and secondary hazards. The explanations for each of them are given below.

• Coexisting hazard: a hazard that is secondary to and/or concurrent with another hazard.
• Concurrent hazard: a hazard that co-occurs with the occurrence of another hazard resulting from a common cause (e.g., high winds concurrent with storm surge event caused by a hurricane or a moderate wind event concurrent with a significant rainfall event).
• Primary hazard: Hazards that are not the consequence of other preceding hazards.
• Secondary hazard: It is used in connection with, and in contrast to, a primary hazard. It is an additional hazard effect that is induced by the primary hazard.

Noteworthy to mention is that the coexistent hazards are mentioned many times in the standard. For instance, the effects of coexistent hazards on the fragilities included in the high winds PRA scope should be addressed, if applicable. Another example is the need to identify and address the coexisting hazards for flooding. These examples show that the importance of considering multi-hazard events.

The hazard screening analysis is critical to deciding which multi-hazard events should be included in the detailed analysis. The first objective of hazard screening is identifying the hazards that may affect the NPPs. The first step is vital to capture the multi-hazards. The standard asks not only to identify the site and hazards but also to identify the secondary hazards associated with hazards and hazard groups. Defining screening criteria is the second objective followed by performing previously described quantitative screening criteria. The supporting requirement for this objective also considers that the screened-out hazard or hazard group could not result in worse effects as another hazard with a significantly higher frequency. The defined quantitative screening criteria require addressing the secondary hazards as well. Finally, even the screening criteria are not well defined at this point, and the multi-hazard events still need to be identified even if, ultimately, they can be screened out.

7. Conclusions

Multi-hazard risk quantification has become a necessary ingredient of a full-scope PRA in the nuclear industry since the Fukushima Daiichi NPP accident. Although the frequency of a multi-hazard event is small, even negligible in many cases, the consequences can be sufficient to challenge the regulatory limits.

Currently, 443 NPPs are in operation, and 50 NPPs are under construction [55], meaning at least a 10% increase in nuclear power plants. Assuming that the advanced reactors will be in our daily lives in 10 years, now is the right time to develop a general framework for assessing multi-hazard risks to inform the current design activities of advanced reactors.

A straightforward and verifiable technique applicable for different types of advanced reactors for multi-hazard PRA is inevitable for the next couple of years. As we discuss in this paper, the LMP approach provides the foundation for a licensing basis that can incorporate multi-hazard events. Also, the non-LWR PRA standard prescribes the requirements needed to be addressed for performing a full-scope PRA, although multi-hazards are not fully accounted for across all the PRA elements.