Using risk as an inspection tool
30 September 1999
Recollection reveals that in practice, assessing risk has always been an important part of maintenance planning. Now, in both Europe and the USA, risk-based in-service inspection is being formalised and converted into a useful tool.
Risk based in-service inspection (RBISI) is based on the simple premise that the objective of in-service inspection (ISI) is to address, and ideally reduce, the risk posed by the failure of passive components. Within this context, risk is defined as the product of the consequence of a failure and the probability of that failure occurring.
In order to reduce the risk, any ISI must first be directed at the areas of highest risk and must then be capable of detecting and sentencing any defective component. The effectiveness of any ISI programme therefore relies on two factors, which can be thought of as two separate efficiencies. The first is the efficiency with which the ISI programme is targeted to the high risk areas; the second is the efficiency associated with the actual inspection itself. The first of these efficiencies is addressed by the ISI programme, whilst the second efficiency is addressed via inspection, qualification and demonstration.
To show how these two functions combine to measure the effectiveness of an ISI programme, the Table on the following page shows the factor by which the risk from passive components is reduced as a function of the two efficiencies. Not surprisingly, the matrix is symmetric, and it shows that if a reduction of one decade is sought as a reasonable return for the cost and effort associated with an inspection, then both efficiencies need to be in the order of 95%.
This article confines itself to a general discussion of the “where to look” aspect of an ISI programme which, as the table demonstrates, is by no means the whole of RBISI.
There appears to be a mythology developing that suggests that risk based inspection was invented by the Americans and is being foisted on an unwilling European market. The truth is, however, somewhat different. The very first paper that can be described as following the risk-based logic was published not in the USA but here in Europe, by EDF and Framatome (A tentative approach to a more rational preparation of in-service inspection programmes, by Buchalet et al, IAEA-SM-21830, 1977).
In the early 1980s, Belgatom followed a similar path and implemented a risk based methodology for a sub-system within its nuclear plant. At Rolls-Royce our work on risk based methodology began in the early 1980s, and a decision to go risk-based was made as early as 1985. Likewise in Sweden, a risk based methodology has been developing since the early eighties.
So did the Americans copy the Europeans? Well, the answer is most definitely no. There is no question that Ken Balky at Westinghouse independently thought of the concept of a risk based in-service inspection programme.
The point of real interest must be this general move towards the risk based methodology. For myself, and I know also for Ken Balky, the motivation came from the rapidly developing probabilistic risk assessment (PRA). The application of PRAs, up until that time, had been primarily for active components, stemming from the original WASH 1400 work (An assessment of accident risks in US commercial nuclear power plants, WASH 1400 NUREG/75/014, NRC, 1975).
Passive components, if there at all, were merely a secondary thought, dealt with by using some average probability spread over an entire system. The logical step to a full passive component analysis using the PRA approach would seem to be inevitable.
CAN RISK BASED ISI DELIVER?
In one sense it can be argued that the risk based methodology is already delivering and has been delivering for many years. This is because the concept of risk has always been an inherent part of our inspection philosophy.
The most obvious example is in the combination of ASME III and ASME XI.
In ASME III the plant is split into three different classes, Classes 1, 2 and 3, which become progressively less likely to lead to core damage. In this way ASME III has separated the plant into three different consequence categories. ASME XI then applies different inspection criteria to these three different classes. If we believe that inspection directly affects the probability of failure, then effectively ASME XI is trying to direct its greatest effort towards reducing the probability of failure of those components where failure has the highest consequence.
By following this logic ASME XI effectively tries to smooth or level out the risk throughout the plant by reducing the probability of failure of high consequence components. When consequence and probability are combined using this logic, the intent is to even out the distribution of risk across the entire plant.
Is there any difference between the modern risk based ISI approach and those approaches which historically have always used risk as an inherent basis for assessing where to inspect?
The difference between this historical inherent use of risk and what we might call the modern risk based approach can be found in the ASME research books Volume 1. General Document, (Risk Based Inspection – Development of Guidelines) and Volume 2 Part 2. Light Water Reactor (LWR) Nuclear Power Plant Components (Risk Based Inspection – Development of Guidelines).
The recommendation of the ASME working group is towards a much more explicit definition of risk, with the PRA being used as a primary source for the consequence, combined with a numerical assessment of the probability of failure for the passive components that are being modelled within the PRA. In this way, a numerical evaluation of the risk can be achieved. The above shows that the RBISI philosophy is a natural extension of current ISI philosophies but does not of itself answer the question “can it deliver?” To answer this question we must ask ourselves if the new methodology points us more precisely to those areas of the plant that constitute the greatest risk.
It would seem bizarre to argue that a modern PRA cannot better assess the “consequence of failure” (the first element defining risk) than the simple ASME III categorisations to Class 1, 2 and 3. Identifying the consequence via the PRA must deliver a greater accuracy in identifying this one element of the two necessary to define risk.
The second element, that of the probability of failure of the passive components, is probably the most controversial. The use of real-world data would seem to be an obvious way of devising failure probabilities whose reality cannot be argued. Unfortunately, such data do not exist for many of the passive component areas of interest because such failures are themselves very rare. Where statistics do exist they can only provide a point estimate of the mean probability of failure. This single estimate cannot itself be used for risk based methodology simply because it only gives a single value. If that value was used throughout, then all the probabilities of failure of all the components would become the same, and the analysis defaults to a consequence driven measure and not a true risk measure.
It is a breakdown of the failure data which is the most difficult to achieve in any risk based methodology. The most obvious answer to this problem is to use probabilistic based structure reliability analysis. However, there are some that will question the ability of these methods to predict the true probability of failure of passive components. It should be appreciated that the basic mechanistic understanding used in these models is the same as that used to evaluate any fit-for-purpose analysis. Thus if we challenge the predicted probability of failure from this aspect, we must also challenge any fit-for-purpose analysis based on the same mechanistic understanding. Clearly such a conclusion would have far-reaching effects.
The saviour for risk based ISI comes from the fact that within any given plant we need only identify a relative risk. Even if we do not feel that it is possible to evaluate the true risk, understanding how the risk is distributed about the plant is the essence of RBISI. We have already said that the PRA gives us a distribution of the consequence for passive components, and it would seem reasonable that mechanistic modelling, together with real-world data, could provide a relative distribution of the probability of failure. Putting these two together gives a relative distribution of the risk. In the RBISI philosophy, inspection will be concentrated on those areas of greatest risk within a given plant.
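An added worked example (not from the original article) of the two-efficiency argument and the relative-risk ranking described above: it tabulates the risk reduction factor for pairs of efficiencies, and shows that a single failure-probability estimate collapses the ranking to consequence order while rescaling every probability by a common unknown factor leaves the ranking unchanged. Assumptions: the fraction of risk removed is taken as the product of the two efficiencies (consistent with the symmetric matrix and the 95% figure quoted earlier), targeting efficiency is taken as the share of relative risk covered by the inspected items, and the component names and numbers are constructed.

```python
# Added illustration. Component names and all numbers are constructed.
# Assumed model: fraction of risk removed = targeting eff. x inspection eff.

def reduction_factor(targeting_eff, inspection_eff):
    """Factor by which risk falls under the assumed product model."""
    return 1.0 / (1.0 - targeting_eff * inspection_eff)

def risks(components):
    """Risk = consequence x probability of failure, per component."""
    return {name: c * p for name, (c, p) in components.items()}

def ranking(components):
    """Component names ordered from highest to lowest risk."""
    r = risks(components)
    return sorted(r, key=r.get, reverse=True)

def targeting_efficiency(components, inspected):
    """Assumed measure: share of total relative risk in inspected items."""
    r = risks(components)
    return sum(r[n] for n in inspected) / sum(r.values())

# name -> (relative consequence, relative failure probability)
COMPONENTS = {
    "weld_A": (1000, 1),
    "weld_B": (10, 500),
    "nozzle_C": (100, 20),
    "elbow_D": (1, 100),
}

def with_single_estimate(components, p=1.0):
    """Replace every failure probability with one point estimate."""
    return {n: (c, p) for n, (c, _) in components.items()}

def rescaled(components, k):
    """Multiply every failure probability by the same unknown factor k."""
    return {n: (c, p * k) for n, (c, p) in components.items()}

if __name__ == "__main__":
    effs = [0.50, 0.80, 0.90, 0.95, 0.99]
    for a in effs:  # symmetric matrix of reduction factors
        print(" ".join(f"{reduction_factor(a, b):7.2f}" for b in effs))
    print("risk ranking:    ", ranking(COMPONENTS))
    print("single estimate: ", ranking(with_single_estimate(COMPONENTS)))
    print("rescaled by 1e-9:", ranking(rescaled(COMPONENTS, 1e-9)))
    top3 = ranking(COMPONENTS)[:3]
    t = targeting_efficiency(COMPONENTS, top3)
    print(f"top-3 targeting {t:.3f}, factor {reduction_factor(t, 0.95):.1f}")
```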
THE CURRENT SITUATION
In the US the implementation of RBISI is now well advanced. However, within this implementation, there are two different approaches that are being used. These two approaches are reflected in two different code cases currently before ASME XI. Code-Case N577 and Code-Case N578 reflect these two slightly different philosophies. Code-Case N577 is much closer to that of the ASME research recommendations, while Code-Case N578 tends to steer away from the more formal numerical assessment of risk.
In this way N578 tries to avoid the tricky question of a numerically evaluated risk, tending more to the older approach of just considering consequence and probability of failure as two independent axes of a simplified risk plot.
The adoption of the terminology “risk informed ISI” by the US Nuclear Regulatory Commission shows the tendency in the US to think of this whole process as much more a way of using risk to assist or guide the ISI process, rather than an absolute in its own right. Thus, while Code-Case N577 stays faithful to the philosophy of the research group and evaluates a numerical risk, it too (very sensibly in the author’s opinion) falls back on operational know-how to have the final say on the risk significant listing.
Within Europe, as has already been noted, the most extensive use of a risk based methodology within the civil field is that of Sweden. In the United Kingdom, Rolls-Royce has implemented a full risk based inspection philosophy for the Rolls-Royce nuclear submarines. On the civil side, the UK regulator, the Nuclear Installations Inspectorate, would argue that periodic safety reviews are themselves risk based, in that they are plant-specific and they consider both consequence and probability, though no formal use of PRA or probabilistic modelling seems to be made.
Within the European Union’s research framework there are two working groups currently active in the risk based field. The first of these is the European Network of Risk-Informed In-Service Inspection (EURIS), which is sponsored by the European Union’s DG XII directorate. EURIS is attempting to identify a European philosophy towards RBISI. The second group, sponsored by DG XI, is undertaking a pilot study for risk based ISI on one system of a nuclear power plant.
IS IT APPLICABLE TO EUROPE?
Given what has been said about the origins of risk based methodology, and given the activities that are already under way within Europe, it would seem that there are many who believe that RBISI is perfectly applicable within the European framework. Indeed one can argue that the more enabling nature of the European regulatory scene is better placed to accept the risk based methodology than the more formal code-defined safety environment in the US. This is because risk is by definition a plant-specific methodology, and while many plants may be built to a similar specification there are none that are identical. Safety systems, constructions, the proximity of safety equipment to potential passive failure sites and a whole host of detail must be considered when trying to evaluate the distribution of risk about a plant. Thus the enabling nature of the European regulatory scene makes it easier to integrate the risk based concept within individual plants. There seems to be no reason why this methodology should not be extensively used in the European regulatory framework.
DEBATE & DECISIONS
There will inevitably be considerable debate as to whether or not PRAs can satisfactorily describe a given plant, in terms either of active or passive components. It is also inevitable that there will be debate about the ability to evaluate the probability of failure of different passive components within the complexity of the nuclear power plant. However, if some form of prioritisation is required for inspection, then risk would seem to be a very commendable measure. It is also a measure which has a historical precedent set for it.
To use just one element of risk, either the consequence or the probability of failure, as a separate means of identifying an ISI programme would seem to miss the obvious combination of the two elements. One might conclude that risk, in one form or another, will dominate our in-service inspection programmes for the foreseeable future, as one might argue that, in practice, it has done in the past.