,:; I

.rri
i: .rl
l:rl
I
...t
;' t",
''i r'ri
i,: l:':ì
_'ì::'T
l:r r,i
r 1 ",'l
I
ii,;,'j
'
. j
;1.1
,,,] PROBABILISTIC RISK ANALYSIS
Its Possible Use in Safeguards Problems
iiii i,.,lr*
Norman C. Rasrnussen
i',i Professor of _Nuclear Engineering
ì :iil,!
Massachusetts fnstitute of Technology
rl.:i'l í-j
,i
Canbridge, Mass. -02139
. ì'i;+
rili:
riiï ¡
,iii,i
'l ¡¡t-r
:i ì,ili
ii:ir¡
r;1.,C
I
,¡ rr':ì
ilrd 1. 0 Introduction
i' it.l
r,J
,ili!
|l:'I
The recently conpleted Reactor Safety Study (RSS) which
,,iå resulted. in the ITASH-1400 report has stimulated considerable
il!:l
llr, interest in the use of this nethodology as a possible way of
:t
1lì,r
!,iil.1
t:i
t,
assessing the risk invoLved in other þa;^ts of'the nuclear fuel
;i ¡itri
i:liil
cycle as well as other societal activities. This paper briefly
I lii l'i
!liìl
' reviews the RSS nethodology and discusses its possible applica-
'' :1
ti.i
i: tion to the safeguards problem. For the reasons discussed herein,
ì.rljì
:!
the Paper'concluães that there are possible applications of these
tr
methodologies for the development of effective safeguards. How-
.ì:
; lrl.
i
everr ân overall quantitative risk assessment of the safeguards
r ,,iiÈ. issues is at present beyond the capability of the methodology.
'r'li
i,iì
..trJ
ilt_i,
2.0 Description of RSS Methodology
-,
:r
Ii
-; In quantitative risk analysis risk is expressed as a
iti;
nii.:' function of the probability of occurrence of an event and the
'1L
i rnagnitude of the consequence being examined. On'e of the most
,l:
.'.
iù
t,: common definitions (but certainly not the only one) is simply
..,]
ii
j, the product of probabiLity and the consequence. Thus such studies
:i*E must evaluate both the likelihood of certain events as well as
j;ii!
their consequences. A variety of methodologies have been deyel-
oped for carrying out these evaluations.
'l{4.

:iií
t*:
;.Í:
'9_:
Z.L Estination of Probabilities
::-i:
lzl
,l,ii. . The principal techniques used by the Reactor Safety
,ä Study were a 'forn oi decisi.on'analysis cätt."d "eyent trees't which
iii defined accident seguences, and a nethod ca1led "fault treesn
,¿.

i which deternined failure probabilities, Event trees start with

an i4itiating event of possible serious consequences and develop
, '|
il
possible accident sequences depending upon the operability of
various plant systerns that influence the Subsequent course of
'::i-:
events. This logic is illustrated by the sinplified event tree
:i
'f for a loss of coolant accident (LOCA) shown ln Figure 1. In
' ':: Figure I the values of P1 through P5 are the probability of fail-
il
Í ure of the functions at the top of [tre figure. The probability
'{
I of successful function is given by (l-Pi). The size of the
:,i
{ radioa.ctive release depends upon just úhãt systems fai1. Various
pQssible consequences are indicated on the figure. For exanple,
,4
iâ
if power fails after a pipe break no other safety systens
d

.1
.¡
willçfectric
operate and so the core will lnelt and there wiLl be à vêry
:l
¡
.tt
;i.
Í; Nuclear M¡terials Menagement
large release. Ih" prgbSÞility.of.such a release is ft x P2.
In calculating the piobability it-is important to consider any
ãäpã"ã""cies Ëetw-"ett n1 "ttg P2 and to take them into account'
ihã-ã;p;ndencies betweËn theiå probabilities are cornrnonly referred
to as i'common mode f ailures '"
As can be seen from Figure 1, a number of-possiu;le.acci-
dent sequencei--rt" identifie¿ Ui such a. diagram' Figure itr is
actually " y"ty-ii*;iii:-e¿ version of the event trees used by
^Study to illustrate the-methodology' The event
ih; Reattor Sá'teiy
ii"ur actually us-ed produce many more accident sequences '
When using the event tree method the analyst must decide
just when i"itiatiñg events nust be considered. For reasons a1-
ready discusseã, tftË principãf -concern. in reactor accidentS is
¿;;;.me1ti'g,whichcänariiefromeitheroverheating.(i...,^ fai1-.
operating at tôã-higfr " po*ãi 1ãve1) or.undercooling-(i-'e'I
of the inherent
ure of plant systems to relnove-the ieat). Because
ii'ãpãitiãi--ðt inater reactori- C"ãgãti"" iemperature coeffíci"l!l
very
ih;'it"áy group deternined*"tt that core rnelt by overpower wasstudy
unlikely conpaied, to core by undercoofingl llY: the
$;;;-;óri- o? tttu effort analyziig undercooling accidents '
Inanalyzingundercoolingaccidents,evglttreesu¡gr9
These inclucled
developed-ior five type: of initiäting events '
size-pipe brea\,,snal1
vesset rupture, Large pipe-brã;k; *;lTum
;i;;-Utè.t, aná trañsiãni events. ffte first four are LoCA's
fr;î'i"g-áifi"tuttt characteristics.down Transients refer to those cases
where the plani ir asked tã-itrut for either a planned orim-un-
planned 1.u"rorr. In the transient case the two questions of
port,ance reactor trip,.and ðo the decay heat re-
"tu,---¿oãJ-iitu
inoval systems function ProPerlY
A1-though the event trees can define the accident
se-
the
quences they do not providJ ã"y *"iftoa for deternining probabili- proba-
tîiï;;'";'^;ír"-àccide'nt. To do' rhis the various failure
ties must be known, Generally there been enough systens
-have notprobabilities so the
failures in reactor tytt"*i-tá fiovide.thes-e
,,fault tree,, rnethod wâs usã¿-io'deternine theie probabilities'
Thefaulttreelogicisthereyerseofthgeventtree
in that it starts with ,o*ã defined final undesired eyentevent'and.
reasons back-iã-i¿ã"tify all the possible causes of this
A sirnplified ¡;"ii-ir""'foi-"iôis'of pow"t to the emergency safety
features" is shown in Figure 2. The iot event t1} !: AC caused
poler
either by tosi of AC pgwÞI poweror loss of DC power, since
provides ttr"-ãnãigi-"ã¿ DC operates the: control circuit'
iiil'i;; piãu"uirity of .!u-i;p evånt is the sun of the probabili-
;ï;; ði-tit"tu tt^ro events (more accuratelv
-if t
iis;,,";,,' ilg;,ötç" ;,i;glÀg I 1. i ,; ll:1"ï ì îi3. i;. :"ti: "å :$"Ïäo -
can be caused
ment of the diagram, constããi.loss of AC poï/er' which loss of on site
by loss of off lite powet. "tá the simultaneous- is rhe producr of
power. Thus"ir,ã-pr"6ã¡iri;t-"i--ioii ðr AC power

67
fall 1976
ililäl
li: ¡ii4
:r!.1
;il
'nll
Ìl¡ s'ilr the probability of loss of oll.rite,power probability of
'1,
the loss of on site power. This lld !h"
relätio"rrrif ii-iilustrated
the "and" svnbol on ttte figure.- i;-;;"ctice the tree is developed by
further until the ra:-iurãs indicat*a'ry the bottom boxes aïe such,
things as "re1ay f ails to op"rr,;- ,lirlt.i, f ails
f ailures as "operator mista-k"sú and ,,, or such human
'iiest maintenance
The probabit ities of these events are trrown ir;;-;;perienceerrors. r,
and.
similar systems in industrial ;;; ;;ãuy. rvith

The study has been crit icized by some for not including
human errors in ah: analysis. clearly tír"r" p"ãpie- Iiaye either
not read or not understoôd tl.u s¡ggr.' To illüstiate this point
consider Tables 1 and z rox the pwR'and BwR-;t;;;;-irilure
tributions' The column marked "rtui¿rät"" includes failurescon_
various..pieces. of equip-ment, while thoie narked ,,test and of
tenance' and "human erior" áre nain-
lwo tlpåt of rr"*u"-.ã,rr"¿
As noted' part of the common mod.e coílribution is also d.ue to failures,
human errors. From these tables it ïi crear that not
mistakes bv operators and *uiniã"ãt.J-p"tsonnel only have
been includ.ed,
but il-tltl.systems. they aïe dominàni ãontributoïs to rhe overall
unavailability of the system.
Another criticísn
sible to accurately predictoften very
expressed is that it is not pos_
r*ät1 probabilities by these
methods ' rt is true- that sma11 f ailure .;a¿;-ãr" dj.f ficult
to predict accurately by_ fault _very
treà *ãinoat
of probability very ûnritery and su¡ii" failures becauie at such levels
can be important.
However, our fault tree anaiysis rã""ã that the unavailabilities
of !!" systens were not in- tire ;";g;'^;"nera11y regarded as very
srnal1. This is indicated Þy Table! 3'ãnd 4. 'rqotã .rrãi ;b";i'tl +
*}1 systems anaryzed had'""r"ãii"¡iiiti",
l{ the of more';hr;"íö:+".''
0f 40 svstems anaryzed', 39.had. unavairaÀiiitiãi
'than'rõ:¿i-ärrä'^iö'*"r* greater than"
l-0- , s4 *"i" greater
5
The probabilit¡ grearer rhan 10-s.
.of- 19-9/year ttiát-ãppããrr on îhe consequence curves
is not the orobability þ{ systen faiiures but is the probability
of the most serious
"Í:.iãeni. Thisthe
core melt times, the probability_of includes the probability of
worst type'of containment
failure tines. the prõbabil íty 'of-irrð'-iorrt wearher tirnes the
probability.thar tiie wind is'¡i;*i;; iã,u"r¿,
population density. since these raõtois are indeienáent, ? region of very high
quite proper to- murliply their pr;b;biiiti"s tog"ir.,Ë, ro obtain it is
such a sma11 value juit'as it i; ptof"r-to estimate the chance
obtainins heads s0 Lonsecutive of
(L/2)30 I fO-g.
vvu!¡Yv times'in
L¿rt.çr ¡rr flipping ããi", as

using reliability-analysis techniques as d.escribed

above, tire Reãctor_ safetr'study conclucled that in u.s. water re-
actors the probability oî core melt was about I in io,oo0 per
plant per.year. The uncertainty ãrri!n"a to thís number rvas
plus or minus a factor of 5. riris nrrñ¡é,,ou, obtained for
24th and 34th plants of the first roo u.s. reactors. rt would.the
be expected thàt plants b*i;t uùiri'toaay *iÀrri-rr" somervhat
better because of^tþu
impiovenrents i; ã;;i;".

N uclear Materials Management

 The value of 1 in 20,000 per plant year is at least a
factor of 10 higher than many people expected. However, to de-
termine the significance of this number one must determine the
public. consequences of a core ne1t.
2.2 Estimation of Consequences
The consequences of a core melt accident are a function
of a variety of factors. These include the amount of radioac-
tivity released, the amount of heat released with the radioactive
gases, the prevailing weather conditions, the population density
in the contaminated area, and the value and usè of the property
in the contaminated area.
The anount of radioactivity released following a core
nelt accident depends upon the conditions present in the core at
the tirne of melting, the effectiveness of the radioactivity re-
rnovaL, and the way in which the containment fails. Not surpris-
ingly, the amount released can vary fron very large to quite smalln
depending on these factors. Table 5, taken fron WASH-1400, shows
the probability and fraction of rad.ioactivity released for 9 PWR
and 5 BWR release categories which cover the spectrum of possibil-
ities. Accidents PWR I and 9 and BWR 5 do not involve core melt;
all the rest do. It should be noted that in the event of core
nelt the amount of radioactivity released can yary by rnore than
four orders of nagnitude (i.e., more than a factor of 10r000J.
As night be expected, the smaller releases are significantly more
1ikely than the larger releases.
After release fron the containment, the rate at which
dilution of the radioactivity occurs is an inportant factor, This
depends in part on the prevailing.meteorological conditions, Fâr-
ticularly the atmospheric stability, the nixing height, and
whether or not precipitation occurs. In add.ition, if the released
gases €ontain sizeable amounts of sensible heat [as they do in
many cases), the reLeased gases wiLl rise, thus reducing. signifi-
cantLy the exposure of the people on the ground, Finally, of
course, the number of people affected will depend upon the popu-
lation density in the exposed areas.
fn the WASFI-1400 study a complicated conputer code rt'as
developed to treat the aþove factors. It was used to calculate
the likelihood and magnitude of the vari.ous accident.sr caûs€*
qr¡ences
2,3 Consequencesof Core Melt Accidents
There are a nunber of possible consequences of a release
of radioactivity, including such early effects upon health as
injury and death, and such latent effects as cancers and genetic
and thyroid effects. In addition to these effects on heaLth,
danage to property was considered. For each of these types of
consequences, calculations lrere made to deternine the rnagnitude

F¡ll 1976 69
ffii of each consequence as a function of the probability of occur-
tl: Tence. These results \^iere obtained by using the weâther
and -population. density characteristic of thã sixty- eight data
iir!l

sites
on which the f ir,s t 100 u. s. reactors will operate. ih" curves
for the various risks for an ind.ustry of 100 ïeactors in the
U.S. are shown in Figures 3 through '8,

Figure 3 is the risk curve for fatalities that occur in

the one- to two-month. period following tir" accid.ent. In Figure 4
-medical
the curves represent iilnesses thar wõu1d t"q,titå care
sometine during the first year following the accident. Figurå
shows the increase in the íunber of cancers per year durin! iiru-s
thirty-year period-b_eginning about tãn years^after the
These cancers would bé addeã to the nornal incidence ".ãî¿ã"t.
17,000^per year in the_exposed. population. Figure 6 rate is a
of about
sinilar
cuïve for the^nunber of_gènetic- effects per yeãr d.uring tfrã-¡irsi
generatíon. Only a smal1 fraction
fects and most_are-e{pressed as an of thèse îre the oblious de---
increased. susceptibility t;
genetically related diseases. The normal incid.encã rate of such
effects i: 8,000 per I9ar. The number of cases of thyroia-nããuïes
per year during !h" lJtirty-year period. following ifrã
shown in Figure 7. Thyroid.'nod.uies are smal1 giowthsaccident
on
is
trrã-trry-
roid gland that can be effectively treated by simpte surgery.
such_ growths are quite common.and'occur spontanéô-u;iy at a rate
of about 81000 per year in a normal populätíon the size of the
exposed population,
It is,intere_sting to note that eyen
dent identified (which haã a 1g-9 per year perin reactor
the largest acci-
occurrence
rate), the increase in the number äf cânce.t and genetic
is so sna1l that it could not be srarisrically- id.Ëniifi.u¿defects
presence of the normal occurrence rate. Tliis is not true, i;however,
ih;
for-thyroid nodules,, since in the largest acðident the normal rate
would be doubled. Thus, although a lãrge nuclear accident ;õ"1ã"
be a yery serious event, it is ñot an aãcíd.ent of the unprece-
dented proportions some nuclear critics suggest.
In all cases , ãs wourd be expected, the magnitude of
the possible consequences varies over a conÁiderablã range for
the reasons alr-eady discussed.. It is also i*potiãài to
all the curves-have a sharply d.ecreasing negutive s1ope.note This
that
means that smaller cons-equènces are mucñ rnoie 1ikely ïtr".t i"iãu,
ones. Risk curves of this general type for any of tn" histori_
g?1ly observed risks show tñe same cÍräructerisiic
fires that ki11.ten pgopre aïe much nore ritery-th;; slope.
those
Thus,
ki11 one hundred peopre. This characteristic äf tist curvesthat has
been noted nany authors and generally reflects the fact that
a nurnber of-by
indepenclent factors-affect ihe cons.q,r"tã"r and it

70
N uclear Materials Management
 is very unlikely that the worst conditions would prevail at any
given time.
Figures 9, 10, and 11 illustrate this point. In these
figures historic risk curves for a number of man-caused and natural
risks are plotted and compared to the nuclear risk curve for
fatalities and property damage. Such curves for the other conse-
quences are not shown because no reliable historical data exist
for then. There seens 1itt1e doubt., horvever, that modern techno-
logical society produces cancers and genetic effects by other
means. one obvious example is the radiation dose received by
victins of accidents as a result of X rays. There are many other
examples.
3.0 Safeguards Applricâtions of Quantitative Risk Assessment
In regard tô the nuclear polarer issues, the WASH-1400
study has stimulated the question of whether these methods can be
used to assess risks in the other parts of the fuel cycIe. There
is no reason that they could not be applied to the reprocessing
plant. For a number of reasons, horvever, f do not believe that
the safeguards risks can be quantified using these procedures.
One of the basic assumptions ín the RSS nethodology is
that failures are basically random in nature. 0f course, such
studies must recognize that some of the failures may haye depen-
dencies. The dependencies between these failures are referred to
as the "common mode failure problem" in reactor safety. Neverthe-
1ess, except for these corrections, the basic assumption of ran-
dornness is made. This assumption allows one to estimate a system
failure by an appropriate mathematical combination of the failure
rates of its parts. In the case of deliberate huinan action, âs
in inagined diversion scenarios, such an assunption is surely not
val id .

This is not the only problern. As we have discussed, a

risk assessment also requires a prediction of the magnitude of
the consequences. Such an assessment requires knowing at least
a probability distribution of the possible yield of a nuclear
explosion and infornation as to rvhere the detonation rnight occur.
Clearly, the point of detonation would not be random relative to
híghly populated areas. Thus, in the consequence analysis we
are also faced with problems that seen to be beyond the capability
of present techniques.

Fall 1976 71
 Faced with problems of this type it is sonetimes possible
to make a useful anaiysis by assuming conservatively q9s:imistic
'exist.
values .rvhere uncertaiities In sone cases one f inds that
the risü obtained in this l{ay is sti11 smal1 enough to
"ifirãru
be acceptable. Horvever, in the safeguards case many of the prob-
abilities can be d^efendéd as being only if they are
*Incõnservative holvever,
aisigned valuei of nearly unity. this case, if one
considers the maximum consequeice to have a fairly high probability
the risks are certainly unacceptable '
From r¿hat has been said So far it rnay appear that we are
caught in a nuclear "catch 22." That isr_there is no way to con-
vince oursefves that rtIe have dealt with this problern in an accept-
able way. Horvever, I do not believe this is the case.

It seems to me that thê approach that mustmaterial be followed is

to make the unautho rizeð. access to special nuclear VeTy
difficult. In essence we must make the probability.of access so
sma11 that u"'rãr, if all other probabilities in the risk assessment
ãi"-""ity ttre-Uenef it of nuclèar power st111 outrveighs the risk.
Ifwefocusonjustthispartofthe.problem,l?19iy the
effectivenerr-oi the safäguards syËtern, I believe reliability
ã"ãryrir techni[uåt-.utt bã very vã1uab1e- I notice thât t]rere
are three papurd in tomorrow rnôrning -s papers_i
t sessions on just this topic '
yet seen_ any -of*these
Ãiirr",iãñ-r'rrã"* not-4-ãr l-:1:"T:-tl:
;ä;ä;-ã; K.;ä;i.u; i' representt
basä¿ o1-tl'1:^::::l: ?:Y*T.fo:-11:",
u-P11Ti:li$^l'i:tii..:tT:"?:l
Ñsi,
iä"räËiiity äãiðguãras an-arysi-s . From tireìr, !1:1"t it appears the
'rriår'^'i"r'å"ã--i""ð.-rt
other two þapers are on the same general subj ect'
I do not belieye the basic input infornation needed to
accuratery q,rattiify-itrã ef fectiveness õf a saf eguard- system is
currently availablb. However, I beligveroad efforts such â's the
Kendrick'paper have started uå down the of fornulating- these
¡;;b1ems in^ r".it-a-way that we can better understand just whlt
ii"áa àf information âre lacking ., I f tothis tyP.e of . work continues,
hope that tnese
à"á I hope it wi1l, it is reasonable quantitative
*"tfrod, *ay sorneaay produce neaningful assessments
of the effectiv.eness of vari'ous syltens. These assessments would
be particu1""iy"ïuf"rU1"'itt-thu eârty stages of facility design
*ft"it modifications can be readily nade '

It is comforting that to date the effectiveness of safe-

guards systems has been essentially perfect. i|ie allnumber recognize,
of
ñorru,r"t , that there Seens to be an' ever-increasing
senseless and irrational acts of violence. In 1ight.of thist it
is essential to continually improve safeguard:. technique: .' .1 .

believe the development "ttâ ptop"t inpleñentation of reliability

;;;itti, *"thods cãn contribirte^ to thõse improvernents which have
alrvays been the goal of this society'

Nuclear Materials Managemenl

 CONTRTBUTIONS TO PT¡R SYSTÐM UNAVÀIIÀBILTITES
Table 1
Contribution (t)
Test and Hulûan Conullon .
Hardrvare Mainteriance ErroË Hodes {at
System

Reactor proÈection 65 35
ÂuxiliarY feedwater¡
86
0-8 hours after sma1l LOCÀ 5 9
8-24 houls after s¡nall LOCÀ 100
l4
0-8 hours without' offsite Pofler <l 56
l4 80
Contairunent spray lnjection 6

Conseguence tirniting control¡

Ht; single train 74 I t3 1
67
Hi; both tralns 27 6
I3
Hl-Hl; singte traln 61 26
2 92
Ht-Ili; both trains 6

Emergency coolanÈ I'njectlon;

åccr¡mulators 59 41
Low-pressure injection 16 23 60 I
High:pressure inJectlon 80 l9 1

Safety lnJectlon cont¡ol¡

Single t¡aln 57 42 t
l3 68
Both trains 19
37
Contaf.nnent spray reci¡culation 7 56
ContaÍnment heaE re¡noval 86 1l
<1 68
Lort-Pressure reclrculation 31
75
High-pressure recirculation 23
Contal.nnent leakage ¡00
77 2A
Sodl.r¡¡n hYdroxide adldit'ion 3

coNlRrBUTroNs ro BltR sYSrEu uNÀvÀil.åBrLrrrEs

fable 2

Contrlbuti.on (t)
Test and Hu¡ÍaD Cqumn
üqilcs

(aI
Reactor protection ?3 ,o
vapor suppresslon:
l,arge LOCÀ 100
S¡nall LOCÀ 100
E ßergency coolant injecÈlon:
Icw-pressure coolant. injection 1? 83
core- apraY tnjection 8 92 (al
ÀutodteþressurL zatLon <l 1ss
xigh-plessure coolant Lnjection l5 85
RCICS l4 86
ContaLnment leakage:
targe IÐCÀ
98
Dr¡nrcII >6 ln.2) <l
2
100
Drlnrell 1-4 tn.2) t 96
lletwell >6 in.2) <l r00
?feÈwe].l (r-4 ln.2)
S¡nall LOCÀ 100
ãigh-pressure servLce wafer:
nequired within 30 ¡¡lnutes
neáuired withín 25 hours t0
? 14
43 r[:l
.úPCBS anit CSIS punp cooling (ES9l) 100 <1 .1(aÌ
SeconåarY sontain$ent e00

73
Fall 1976
 Table3P!.{RCAT,CUTJ\TEDSYSÍEMUNÀVÀII,ÀBTLITIES(22SYSTEMS)
Percentage of Systerns in
Median unavailability o, Nu¡nber of systens Each UnavailabiLiÈy Range

to-l<e.,<10-'t 5 238
¡'¡
ro-4:Qr,l .to-3 4 Ì8r ì

SQ¡l .10 -
-J 77'$(a)
t0-"
-? 10,
-r
r0-:Qrq.l0- -ì 3- ï: I

Í:i
',1
Tabte 4 EwR CAIÆIr,ÀTED SySTEM I'NÀVÀILIBILITrES (L8 svsrEMs)
l.:

ì
Percentage of Systems in
Median unavailability O, Number of systens Each unavailabiríty Range

t.l,,i ro-6 S o¡{ < 1o-5 t 6t

''i
- 22*
: ro-5 Í Q¡¡ < to-4 4',

ro-4 3 Q" < 1o-3 7 393 I

,i,i
ro-3 < Qu < 1o-2 3. ie -sr i ,r*t'l
'il,
, Io-23Q¡4<Lo-1 l. 16.s8 I
',li

t;
.

Nuclear M¡terials Managemenl

it
!¡
TABLE ¡-.5 SU}LV¡¡\RY OT' AECTDENTS INVOÍJVXNG CORE
lo
\
C't

DT'îÅTION 9¡ÂRN¡NG ELWÀIIO¡¡ coNtÀtNEENl

PÃ08Â3fl/l1t OF OS T!Y.! FOR
TIH.E /tF ENDN,GY
rnrcfrox oF coRE :lwEttoRy r¡¡ensr¡(o)
RE¡E^SE RstE¡isE nELEÀsE EvÀcuÀTro¡l nnü¡.su RELEÀSE
CÀTIGoRY Rcðctor-lr (Hr) (Hr) (ltr! i"ãiäIll (to6 stu,¿sr) xe-r.' of,s. r cs-Rb ro-sb Ba-sr Ru(b)
"o(cl
P'rfR I gxlo-7 2,9 0.5 1.0 25 526
(d)
0.9 6xto-3 o.? 0.4 0.4 0.05 0.4 3xl0-3
P..\'R 2 8x10 - tt 0.5 1.0 0 170 0.9 ?x1o-3 0.7 0.5 0.3 0.06 0.02 4xI0 -
PhT, 3 4xl0 - 5.0 1.5 2.0 0 t¡
'0.8 gxto'3 o.z 0.2 0.3 0.02 0.03 3x1o'3
I|$!R 4 5xlO-? 2rø 1.0 2.0 0 I 0,6 2xlo-3 o.09 0.0.1 0.03 5xl0-ì'- 3x1O-1- 4xIO -tt
P'ñ'R 5 ?xIO 2,0 4.0 1.0 0 0.3 0.3 2xlo-3 o.o3 gxro-3 s¡<to-3 lxto-3 6xl0-a ?x10-q-
6xI0 - 0.3 2xlo-3 Bxlo-4 BxI0-¿' 1xl0-1- 9xI0-q- 7.t10 -
rlfR 6 12.0 t0.0. 1.0 q -( -R-
N/À 1x10
Ph.R ? 4x10 - I0.o 10.0 1.0 0 N/À 6xl0-t- 2xI0-ç- 2x10-q- 1xl0-q- 2x10-q- Ix10-fi- Ixlo-e- 2:(I0 -t
1x10 - lxlO-A-
-E-
Phlt I 4xI0 0.5 0.5 rvA 0 N/¡r 2xlo't 5xlo-6 lxto-4 5x10 ' -L -A
00
Þ}lt' I 4xlo-{ 0.s 0.5 n/Â 0 N/À -Ê, -o
3xl0-?xIO-lxl0 -1 6nlo -1 1r.10-o- Ixlo -tl-'

BI{R 1 lrl10 -t- 2.O 2.0 t¿

25 130 t.o zxl0-3 o.do 0.¡¡o o.?o 0.05 0.5 5xto-3
E"{R 2 6rl0-6 30,0 t.0 2.0 0 30 1.0 ?xlo-3 0.90 0.50 o.3o o.lo 0,c3 4x:.0-3
Dtt? 3 2xIO - 30.0 t.0 2.0 25 20 t.o ?xto-3 o.to o.to 0.30 o.or o.o2 Jxto'J
flrT, 4 z*ro-6
_¿
5.0 2.O 2.0 25 lV¡ o.G ?xlo-4 Sxlo-{ 5xro-3 dxl0-3 6xr0-{ 6xl0-4 lxro-¿'
lxl0 -¡ -o -ll ,lxto-'
-ô -1t -t,
!r/¡R S 3.9 5.0 .N/Ã 150 N./À 5xl0-' 2x10-' 6x10-*' 8x10-'n ox10-'"

l¡l ¡\ discusslon of Èhe J.totopac uscd ln thc study ls founil tn Appcnå,.ix VI, Background on the lsotopo grou¡rs and relc¡sc
ncch¿nls¡¡¡ ls fo.¡nil ln Àppcndlx Vtt.
þ, Inclu¿es Y.o, Rh, lle¡ Cor

lc) lncludag tlðr & Cor Ptr lar llbr l¡ir Cltr lu, llp, Zlr .

(dt À:lo$Gr Gncrgy ¡cle¡se ttte than thl¡ vatue appitcr to palt o! ttrc Þcrlo{ oves rhlch thc r¡dllo¡etlvlry fs bclng :oloascd.
the effect of lowcg energy role¡sÇ tatct on consequencês ts foun¿l ln þpenilt:c vt.

Y
(,r
 , r*.1

!('ì
FTGURE 1

SIrufiPL¡FIFD EVE[\!-r'TREE FO[:r A LTCA !ru

A TYP¡CAL ¡\! L! CN-ËAIi POWËR PLAhIT'
PIPE ELEETRIC ECCS Ftsst0ll s0ilTÂtl$,tEÌ{T
BREAK PCII¡'IER PRODUCT INTEûRITY
REhIt)VAL

Very Small Release P1

Srnall Release Pl"Pb

tails l-p¡
Srnall Release P1xP4

l'{edium Release P1 XP4XP5

z
r'l
lD
!¡
Large Release P1 xP3
3
llvailable
Þ
ID

¡¡
5
3 Very Large Release P1*PgxP4
,Þ
!¡
F
ô
I
rD
t
Very Large Release PlxPz
 F.IGURE 2

SËTVil PLHFNffi M HîAULT- TRËË

ffiEN HIHffiTFåHffi PffiWffiffiS
LCISS OF PüWEET TO ESF'S

L0SS tF P{L!. [-ffi$$ TF A\ü PÜWEM

t)0 PowE[r TO BÛT ¡ BËJ$E$

A GATE
Lû$s ffi t: LffiSS TF

n GATE OFF $[TE

f{T PüWEß
8l\j slTE
AO POWE¡T

77
F¡ll 1976
,iijii;,r.
ri;i;j.;
ili;i:r'
l0-r

x
^oÞ
Þ
B 10-4
g
.ã
o
a.

Early Fataliries, X

F5-gure 3
I Probabitiry Ðistribution f.or Early Fatalitics
LOO Reactors per year for

Note: Approxirnate uncertainties are estírnatecl

to ba represented by
factors.of 7i4 anrl n
rnagnîtr¡clcs and by factors
oi 1/5 and 5 on probaLrilities.
"T-:-"lrrQuene_

N uclea¡ Materials Management

^\ÞÉ
Þ
rL

.g
3C¡
È

tOl loz l0' tu- I ru

Ea¡ly lllna¡¡, X

Figure 4 probability ÞistribuLion for Iiarly ll-ì.ness per Year for

IOO Iteactors

Approxirnate uncertaintías ars estimated to b: represented by

fati<,rs of 1i.4 and4 on consec¡uence rnagnitudes and by factors
öl 715¡nd 5 on Probobilities

79
Fall 1976
 10-1 I I I TTTTT ¡ I I tltl

lo{

to-3

x
/\
€
I

R to+
\
Ë
J'
-ã
I
Ê-

i lo-Ë
\

\
"1þ tot la? lo3 ¡o{ ¡oE
Lätenl Canoer Fatalitîer per Year, X

I'igu.re '5 Prol¡ability Ðist.r.ibution for Latent. Cancer.Fatat-ity Incidence

per Year for LOO Re¿rclors

I'Jotc: Appro>:irnate trncertainlies ¿re ertimated to be rcpresented by

factors of UG and 3 on consequrnce magnituclus and by factors
cf 115 and 5 on probobïlities"

80
N uclear Materials M¡nagement
 I llt¡ll ¡ I I lll¡*
to-r f ¡rril --l
:

70.z
:
=

1g-3

---
x
lùE \
o
Þ
O^
B 10*¡
g
6
.&
CI \

10+
\

10-6

t t I lllll t I rlltlr I I I tt \, , , ,.,,, ¡ I I I tltl

103 104
"TF 100 101
Genetic'Effecis per Yoar, X

Iriqure 6 Probability nistribution for Incidcnce of Genetic Effects

Per Year for LOO Reactors

Note:A¡tproximaleuncertai¡rtîesarecrtimatedtobercpressntectby
factors
fatiors of 7l3and 6 on conscqueRce magniluctes and by
o1 115 and 5 on Probabilíties'

81
fall1976
 .Ax
L
6
Þ

'ÈÞ
&
æ
Þ
o
À

to-7 L
too ro? lf
lhyroid NoduÌe¡ per Year, X

Figure 7 Probabil.ity DisÈribution for Tþroid Nodure rncidence per

Year for IOO Reactors

Noie: Approxirnate t¡ncertaintìes ¿re estinr¿terl to be representect

by factors oî 713 and 3 on conssquencû magrtitucles ancl by
factors o1 1/5 and 5 on probabiliiies.

E2
N ucle¡¡ M¡teri¡ls Management
 7ù-2

x
/ùÈ
É
C'
P
Þ 10-4
E
Ë
'3J'
('
9-

70:l 1010 t0t¡

rfi6
ProPartY I)amaga - Dollar'r' X

g t-lpro¡aÌ¡iLity Distribubion for Propcrty riarn:rge per Year

Figure
for l'OO Reacbor's

to ba rcpresented by
ÌJote: Approximate uncertoîntiesare estimatad
'rvlv' t{"i"rr-"i.ltsand 2 on consegt¡$nce rnagnittrdus and lry factors
of 1-5 anct 5 o¡¡ Probirbilities

83
Fall 19io
 $N
\'$i

,]
l
I
¡
I
:.

I
-t--
l:
I
,;i,:
t'.. I
it

I Ri'i
|1.:
I
';
tt
,',i
'il i
1.'
l.l

'

I I \t ;

100 Nuclear Power Plants

---$- ---|_

J.

ti,
1g 10c,oc0 1.O00.o00
Falalitias, X
!.;'

i,.,r,:
tl
Fiqure 9 Frequency of t'tan-Car¡sed Eve¡rts Involving
,l;; r faÈaLities.
t:

,i¡
Note¡: î. Fatalìrieg dr¡o lo ôuto acc¡<rE nts ¡rro not shor.¿n boc¡uso da¡¡¡ aro not cvall¿¡t¡is
lor largo Gon3equirncf¡ ccc¡d.rnls. ãccidents cnuso alrou! 5O.OOO f¡talitie¡
pêf yåar. ^uto
lr
?. Sot ¡øêllon 6.4 îo¡ a cli¡ct¡¡¿lon ol confirJenco bôr¡ndr rrppticablo to tlro nor¡
:
huclcal curvo. Soe ¡uctior¡ 5.5 tor ¡ha confi.Jsnco bot¡ncis õn ttro nucleaf curu¡.

lir

8{ N uclear Material¡ Management

 rll
l¡r
llr
-l---_-l-r- I
lll

--,_l-
I
x
h
ai
c,

i \-i
Þc
3
1r¡
I
---i---l---r- ;
C'
c ¡lll
e¡
J
g
¡r- iiil
¡;rr
\lltt
Itrt
It

i,ll
-100 Nucl¿ar Power Plants
i
I
ir I I
J J- f-
I \tl
I
I

Fatalitirr, X

Fiqure 1.0 Fréguency of ìlat'r¡r¿¡I Events Involving

' Fatalities.
Note: of coÜf ict¿nce l)ounds a¡rplieìblÊ ro tt¡e ooo
see section 6"4 for a ttisctrs¡ion
n$cle¿r curva see lectîon 5.5 for the confideace bounds
on Úle nr¡cte¡r ctlfva.

85
F¡ll 197ó
 ?o-1
NA TURAL
t___

,, i
ß-2
CAUSED
EVENTS
îL\l
X
\.h
:,,'
,,:;,
l;;i'' A\

î-r
:,[I l_
il, l ft'
{)
,f
i
10-3
U'
,.ti
.,i,;li
,l;:
:

c(.,
',,'.;.i' rrl I
Ii, I
'::l
ilir.::
¡,
ct't
c)
10*4
Ii i.rl, :'tt
ot
L
'i.,,i IL
':,1:
'r : Ì'l
!:
10-5
;l;
Lil,
r;i.
,t;, :,
.|,; ,

'ir,= 10-6
,li I ii
ii;;:j;
'ìi:,,,,
'i'r i

j
'¡ :i:r

|)':: :
!.

:,i: ì,

i..:1; ß7 108 109 1010 101 1

Property Damage [Dollars] tl\

, :il

Fiqure 1I' rrequency of Àccidents Involving Property

' Danage

Notes: . 1. Property damage rlue to auto accidents is not included lrec¿use

data are not avaîlable for lov.r probabil;ty events. Auto accïdents
cause ebout $15 billion dam.rge each year.
2. See sectïon 6-4 lor a discussion of conf ícl¿ncu. bounds applicable
to the non nucleðr curve. See sectisn 5.5 for the confidence
bsuncts on the nuclear ctrrve.
l

B6 Nucle¡r M¡terial¡ Managen

 DI SCUSS I ON

SILVE KALLMAN - LEDOUX COMPANY: You mentioned that a number of

persons are kil1ed by airplane accidents. -You specified that
ä nurnber of those weïe kilfed on the ground by airplanes falling -
,rpon ih"t. Your next category stated-the number of peoqle ki11ed
by falling obj ects. l4y. question is: Were the number of pe9P1e
tiffe¿ by-faliing airplanes included in the second category?
DR. RASMUSSEN: I?d like to give that gentleman a gold star. frve
presented that slide several-hundred tines in the last few years
änd no one has asked that question. Frankly, I d.ontt know the
answer. Those numbers were taken directly fron the United
States Statistical Abstracts where they are categorized that
wâI
'
DAVE RUD0LPH - Perhaps another way of illuminating
EDTOW COMPANY:
iir" q,r"ttdary has been used recently by the j.nterveners: Looking
to a counte'r-part of the "maximun credible acci.dent." Do you
have a viewpoint on this kind of transference?
DR. RASMUSSEN: Our worst hypothetical airplane crash ki11ed
EOTOOO becausÀ it cráshed iito the stands i^¡hen thgy were crowded.
If'you assune the maximum credible accident in safeguards to
be ; successfuiiy iabricated weapon detonated in the heart of a
*á¡õr-ðity, i-i'i'obvious that thè consequences are horrendous.
I dontt know if thatts a neaningful exeicise at all, and T donrt
see how it hetps cope with the problem.
We know what the problen is. rve go! to deny terrorists access
We
io iftii kind of material. We have tõ do whatever is required
;; ã;f;"d-;g"itt"f "tty viable threats that rnigft be..made. I donrt
see how the .õ"ð"pi-ôf "***imurn credible acðident" (which is
now dalled th;--;á'e;ign Uasis accident" and is defined so that a
set of equiproãrrt-ðátt"Uu designed-to deal with it) can be applied
io thê ¿eitoñaiion of a large-nuclear explosive in a city'
FRED SCHMIDT - UNIVERSITY OF WASHINGTON: Last year a. rniddle
tank car
loaded with cfrfoiinã rolled off a railroad trackThe in the
of Seattle. fãriü"átãfy it ãidtt't break open.. event received
1it,tle publi.iiy until !everal io*".thousands of peonlepointed
rnonths tatei when someone
might
our rhat, if ii'itää-b;"k;;-ópã"' éven ki11eà. Su,ch tñinss ro11
have been rhoroughly gass"¿-ãi- ii',."and ver
through searrï;it;iå Ëiåtãtri """if ði.rl*årr"iñ"
It'áou1d easily be a target'
they are not targets 9f terr'orists.
It also seens to ne that a terrorist organi zation can- relatively
easily buy ro,ðõ0"'ão"i-of.TÑT-whyãnd use ii to blow up the Chicago
don't rltgse rhings_g:.rt if we
rrade center ii;; ;;;piãl . tô vulnerable
really believà ã,rr ,ociety is to teirori'sts?
I!ve looked at this question
DR. RASMUSSEN: ltrell Fred., quite
some and
have concluded that we are vul.nerable to derrorist acts '
we,ve seen some on a smal1 ;;;ià. rir"-answer to your question

87
Fall 1976
 is that most terrorists do not set out to kiLl or naim or damage
the. largest possible nunber. of people they could" nàineir-iñ-;i-
want to draw attention to.themsèlvès or their cause. Theú d.o-'
of course, :oTe yeII danaging_ things (look at rrerãn¿, ioí -.. '
example)
" I do be]ieve,we
with terrorist-problens
ánd-have õ¡ten stated, thât if faced
have a lot of thingé to worry
other than nuclear power ,lalggt-:. I further Èelieve thâtabout
will not knuckle under" ltlerll ttput in the reserves, as wesoiiety
need'
to defend ourse.l-ves, and_wi1l not give up nuclear power because
of terrorist threais" That would-not UË lggi.rf iince we would
next .have to giye up every other technology [hat a threat could
be made_ upgn and that inciudes most tächnõiogies. I do think
it nay be logical to put some effort into defend.ing ourselves
if we see a threat. devel_oping.

88
Nucle¡r M¡teriele Menegement