Introduction to Probabilistic Risk Assessment with an Example from the

Cassini Mission

Michael V. Frank, Ph.D., PE

Author: Choosing Safety: a guide to using probabilistic risk assessment and decision analysis in complex, high

consequence systems, RFF Press, 2008

Definition of Risk

Uncertainty in achieving a goal, objective or set of requirements

Expressed in terms of probability and consequence Examples:

– Probability of x or more injuries (Probability of no

injuries)– Probability of staying below marketable product

cost (Probability of exceeding marketable product cost)– Probability of staying within schedule for

deliverables (Probability of exceeding schedule)

10/10/2001 (2)

Engineering Analysis

We engineers put numbers to (quantify) most aspects of our products.

Being quantitative allows us to build better products because it tells us how close we are to the desired performance and cost, and

It gives us an objective way of comparing alternatives so we can make an intelligent choice…– Choosing among alternatives is making a

decision. Quantification helps make good decisions

10/10/2001 (3)

Probabilistic Risk Assessment Quantifies Safety

Why not quantify Safety also, so it too can participate, on equal terms, when making a decision about a product?

If Safety is defined as the condition of being protected from harm,

Then we can use Risk as a metric for safety: For example:– Probability of no harm (or probability of x or fewer

injuries)

Probabilistic Risk Assessment is a method for doing this

System Response to Perturbation

Generalized Time

Perturbation

Shutdown

Continuedoperation

Catastrophe

Generalized Time

GeneralizedPerformance

Perturbation

Shutdown

Continuedoperation

Catastrophe

10/10/2001 (6)

Concept of Scenarios

The Perturbation

Aggravative

Mitigative

Protective/preventive

Benign

Consequence of interest to Decision-Maker

Event Tree Concept

10/10/2001 (7)

INITIATING PIVOTAL PIVOTAL PIVOTAL SCENARIO END EVENT EVENT 1 EVENT 2 EVENT 3 NUMBER STATE

1 Good2 Good3 No so Good4 Good5 Not so Good6 Bad7 Really Bad8 Catastrophe

Yes

No A

1-A

1-B

B

Data and Analysis

The Cassini spacecraft and Huygens probe begin their seven-year journey to the ringed planet. The successful launch of Cassini aboard a Titan IVB/Centaur occurred at 4:43 a.m. EDT, October 15, 1997.

Cassini Space Vehicle (CSV)

NSC/PD-25: Presidential Directive

• The President of the United States must approve U.S. launches of nuclear materials

• Cassini Program must provide an FSAR for nuclear risk

• Interagency Nuclear Safety Review Panel (ad-hoc) to review FSAR and independently evaluate nuclear risk.

Interagency Nuclear Safety Review Panel (INSRP)

• Reports to Assistant to the President for Science and Technology Policy in the Executive Office of Science and Technology Policy (OSTP)– President often delegates decision to launch

– For Cassini, the Vice President made the decision with the advise of the Assistant for Science and Technology Policy

• INSRP evaluation of FSAR and independent risk assessment used to make the Go-No Go decision

RTG Cutaway

Radioisotope Thermal-Electric Generator Module Cutaway

(Fuel Pellets are Plutonium-238 Oxide)

Three Accident Categories

• Orbital reentry has highest frequency of occurrence - international implications

• Earth Gravity Assist reentry has potential for largest source terms and cancer fatalities - worldwide exposure

• Launch accidents - highest frequency of largest source terms and exposure to local population

Earth Gravity Assist Reentry Accident

•Steep angle releasesoccur above 150,000 ft.

Aeroshells

Graphite Impact Shells

Fuel Pellets

Orbital Reentry

• Uncertainty in altitude of spacecraft breakup, not in survival of modules

• Experimental drop data demonstrates that Plutonium is bound in module and GIS; Small uncertainty owing to applicability test data to actual situation Aeroshells

Launch Accident

Spacecraft propellant explosion or impact fails RTGs and releases modules Some modules hit by fragments Some modules are dispersed

Space Vehicle Intact Impact

(SVII)

Excerpt from Launch Accident Event Tree Titan Booster Vehicle Destruct (TBVD)

Analysis and Data

Structural strength vs impact velocity– RTG housing failure – Free modules

Ballistic trajectory analysis– Concrete impact– Sand impact– Solid rocket motor unit (SRMU) hit on modules – RTG impact before before Cassini space vehicle blast

Experimental data vs. impact velocities– Fuel release– Impact release– CSV fragment release

16

Continuation of Event Tree

Consequences: Radionuclide Dose of Plutonium Inhalation

Calculate potential dispersion within the atmosphere and deposition onto the Earth’s surface – subject to wind and other atmospheric conditions at the

time of the postulated accident. – Included calculating the deposition and resuspension of

radioactive material along all potential paths to humans – Variability modeled using Monte Carlo techniques– Overlaying demographic information on the calculated

cloud path and deposition yields estimates of overall population doses

Consequences: Number of Latent Cancers from

Radionuclide Calculated potential levels of human uptake of

radionuclides and the amount of ensuing latent cancers in the exposed population – Used standard methods from the International

Commission on Radiological Protection but…– The stochastic nature of human health, breathing

rates, habits etc. Becoming ill from exposure to radiation varies over a population of individuals

Overall Risk Results

Risk Depends on Your Time Perspective

This analysis was performed before launch and reflected our best knowledge at that time

The launch was successful. After a successful launch the risk is zero. – After the successful launch, there is no

chance of harm from the launch

Decision Considerations

The Cassini INSRP team presented findings to Office of Science and Technology Policy, Department of State, and national security personnel

Deliberations centered on:– Perception of risk to Florida population because of the

poor Titan launch record– Chance of Plutonium falling onto foreign soil and

causing harm to Africans– Chance of sensitive US technology falling into the

hands of a foreign government

With giant Saturn hanging in the blackness and sheltering Cassini from the sun's blinding glare, the spacecraft viewed the rings as never before, revealing previously unknown faint rings and even glimpsing its home world.

10/10/2001 (29)

More Information