Fire Probabilistic Risk Assessment of Nuclear Reactors

By Hossam Shalabi

Author’s note: The focus of this article is how to conduct a fire risk assessment for heavy water nuclear reactors, including the CANDU (CANada Deuterium Uranium) reactor, a Canadian-invented, pressurized heavy-water reactor used for generating electricity. Five risk-assessment methodologies from standards that are widely accepted in the industry are discussed in this article and examined to determine the best method to use and the future work needed to perform such an assessment.

Nuclear reactors represent the potential for major catastrophic events; therefore, preventing a reactor failure is a major priority that entails multiple considerations and evaluations that involve factors such as design, fire protection issues, and structural integrity, to name a few. Adding to the potential hazards is the fact that natural disasters, such as earthquakes, can precipitate a disaster involving a reactor.

An example is the Fukushima Daiichi nuclear disaster in Japan, which involved a series of equipment failures, nuclear meltdowns, and releases of radioactive materials at the Fukushima I Nuclear Power Plant, following the 9.0 magnitude Tōhoku earthquake and tsunami on March 11, 2011. (1) Units 1, 2, and 3 were operating at full power. Units 4, 5, and 6 were already shut down in scheduled maintenance outages. The operating units shut down automatically, as designed, at the time of the earthquake. At the same time, all offsite power was lost. (2)

Huge seismic activities knocked out the power at the Fukushima Daiichi Nuclear Power Plant, and ensuing tidal waves disabled the backup generators for cooling systems to the active reactors. This triggered a series of hydrogen explosions and released dangerously high levels of radioactive particles into the atmosphere. (3)

Fuel rods create high temperatures that boil the water and turn it into steam. In the absence of fresh water to cool the rods, they keep on warming up. As soon as the rods reach more than 1,200°C, an interaction between the zirconium and the steam takes place and splits the hydrogen from the water. That hydrogen can then be released from the reactor core and containment vessel; if it accumulates in adequate quantities (concentrations of 4 percent or more in the air), it can explode. This actually occurred at reactors 1 and 3 and probably reactor 2 as well. The 9.0 magnitude earthquake released a surface energy (Me) of 1.9 ± 0.5 × 10^17 joules. (4)

The source of the hydrogen in the reactor building was leaks in the containment caused by the high pressure and perhaps also high containment temperatures that could have led to deterioration of the major seals (drywell head cover and equipment and personnel airlocks). Another possible source could have been leakage past the containment isolation valves. (5) This hydrogen buildup led to hydrogen explosions at the reactor service floor in reactors 1 and 3.

The design of the Boiling Power Reactors in the Fukushima Daiichi site prevented the damage to the reactor core by venting all undesired gases from the 15-centimeter-thick, stainless steel-protected reactor core vessel to the outer concrete buildings. Both reactors 1 and 3 experienced hydrogen explosions that blew the roofs off the reactor buildings, leaving the steel reactor core vessels undamaged, as designed. Hydrogen gas explosions in both reactor buildings above the steel core vessel didn’t produce enough blast overpressure impulse to damage the steel reactor core.


The simplest way to describe risk is that it is a hazard or a dangerous chance. Risk can be measured using Probabilistic or Deterministic risk assessments. Probabilistic Risk Assessment usually answers three basic questions:

  • What can go wrong with the studied industrial unit, and what are the initiating events that lead to adverse consequences?
  • What and how severe are the potential consequences of this initiating event?
  • What are the probabilities or frequencies of these undesirable consequences?

Risk needs to be quantified to have a better understanding of the existing or probable hazards and their consequences. Once risk is quantified, you can enhance additional safety systems and define new procedures or training that will mitigate such risk if required.

Compare that against the statistics of skydiving accidents. According to the United States Parachuting Association, there are an estimated three million jumps per year, and the fatality count for 2010 was only 21. That’s a 0.0007 percent chance of dying from skydiving, compared to a 0.0167 percent chance of dying in a car accident (based on driving 10,000 miles). In layman’s terms, you are about 24 times more likely to die in a car accident than in a skydiving one. (6)

The National Safety Council compiled an odds-of-dying table for 2008, which further illustrates the relative risks of flying and driving safety. It calculated that the odds of dying in a motor vehicle accident would be one in 98 for a lifetime. For air and space transport (including air taxis and private flights), the odds were one in 7,178 for a lifetime. (7)

Fire Risk Assessment (FRA)

The current common practices for conducting FRAs of nuclear power plants (NPPs) and the best method for assessing the CANDU are discussed below.

Figure 1. NFPA 551 Review Process


  • National Fire Protection Association (NFPA) 551, Guide for the Evaluation of Fire Risk Assessments. (8) This standard was created to guide authorities having jurisdiction (AHJ) in evaluating the suitability and execution of an FRA for a given fire safety problem and approving or evaluating fire and life safety solutions. It presents a framework for the properties of an FRA, specifically where it is used in a performance-based regulatory framework. Consequently, this guide is suited to a building or fire official or AHJ required to evaluate or approve a building design where the design is supported by an FRA.

Neither NFPA 551 nor the Society of Fire Protection Engineers Engineering Guide: Fire Risk Assessment specifies particular fire risk assessment methods or tries to set acceptance criteria. Instead, they set out the technical review process and documentation that those evaluating or approving an FRA should use. The review process is illustrated in Figure 1.

NFPA 551 defines five categories of FRA methods. They are listed below in the order of increasing complexity:

  • Qualitative methods.
  • Semi-qualitative criteria-based methods.
  • Semi-qualitative consequence methods.
  • Quantitative methods.
  • Cost-benefit risk methods.

This standard also demonstrates the significance of recognizing the objectives of an FRA and other factors that should be well thought out by those performing fire risk assessments. For each of the five methods above, the characteristics of every single approach are identified and challenges of inputs and outputs, assumptions and limitations, selection of fire scenarios, and uncertainty are discussed.

Figure 2. ISO 16732-1 Process

  • ISO 16732-1, Fire Safety Engineering: Fire Risk Assessment. (9) This presents the conceptual basis for FRA. The principles and concepts summarized in the standard can be applied to any fire safety objectives, including life safety, property protection, business continuity, and protection of the environment. The fire risk principles discussed apply to all fire-related incidents and user applications; in other words, the principles can be applied to all types of fire scenarios. The principles’ fundamentals and the quantification of risk are presented for each step of an FRA. These quantification steps are first placed in the context of the overall management of fire risk and then described within the framework of fire safety engineering. The probability and consequence used to define scenarios and their characterization are illustrated as steps in fire risk estimation, resulting in the quantification of combined fire risk. There is also guidance on uncertainty analysis methods, in which the uncertainty associated with the fire risk estimates is calculated and the consequences of that uncertainty are understood and assessed. Risk assessment, risk treatment, risk acceptance, and risk communication are included (Figure 2).
  • NFPA 805, Performance-Based Standard for Fire Protection for Light Water Reactor Electric Generating Plants. To properly conduct a nuclear fire Probabilistic Risk Assessment (PRA), analysts have to go through many steps, beginning with specifying the hazard or the outcome that needs to be prevented or reduced. They then identify the initiating events or those activities that could lead to the specified hazards; the frequency of the initiating event; and, finally, assuming that the initiating events and the hazard occurred, identify each combination of failures that led to very specific outcomes.

The next steps are more computational; they involve summing up the probabilities of all those sequences that lead to the same outcome. To determine the likelihood that a particular outcome might occur, these probabilities are multiplied by the frequency of the initiating events. A disaster can also be a sequence of different events; therefore, when developing a scenario to assess, the analyst should model a series of events, a combination of summation and multiplication, or apply other gates or stages.
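The quantification described above, as an added example that is not from the article or from NFPA 805: branch failure probabilities are built with AND/OR gates, the probabilities of all sequences that reach the same outcome are summed, and each sum is multiplied by the initiating-event frequency. The frequency, probabilities, branch names and outcome labels are constructed for illustration, and all events are assumed independent.

```python
from collections import defaultdict
from itertools import product


def or_gate(*probs):
    """Probability that at least one independent basic event occurs."""
    none_occur = 1.0
    for p in probs:
        none_occur *= 1.0 - p
    return 1.0 - none_occur


def and_gate(*probs):
    """Probability that all independent basic events occur."""
    all_occur = 1.0
    for p in probs:
        all_occur *= p
    return all_occur


# Constructed sample inputs (illustrative only, not plant data).
IGNITION_FREQ = 2.0e-3  # initiating event: fires per reactor-year in one compartment
BRANCH_FAIL = {
    # detection fails if the detector OR the alarm panel fails
    "detection": or_gate(0.02, 0.01),
    # suppression fails only if the automatic system AND manual response both fail
    "suppression": and_gate(0.05, 0.20),
    # fire barrier fails to confine the fire
    "barrier": 0.01,
}


def sequences(branch_fail):
    """Yield (states, probability) for every path through the event tree."""
    names = list(branch_fail)
    for states in product((True, False), repeat=len(names)):  # True = success
        prob = 1.0
        for name, ok in zip(names, states):
            prob *= (1.0 - branch_fail[name]) if ok else branch_fail[name]
        yield dict(zip(names, states)), prob


def outcome_of(seq):
    """Map one sequence to its end state (hypothetical outcome classes)."""
    if seq["detection"] and seq["suppression"]:
        return "fire controlled"
    if seq["barrier"]:
        return "single-compartment damage"
    return "multi-compartment damage"


def outcome_frequencies(init_freq, branch_fail):
    """Sum sequence probabilities per outcome, then scale by the initiator."""
    totals = defaultdict(float)
    for seq, prob in sequences(branch_fail):
        totals[outcome_of(seq)] += prob
    return {outcome: init_freq * p for outcome, p in totals.items()}


if __name__ == "__main__":
    for outcome, freq in outcome_frequencies(IGNITION_FREQ, BRANCH_FAIL).items():
        print(f"{outcome:28s} {freq:.3e} per reactor-year")
```

Because the eight sequences are exhaustive and mutually exclusive, the outcome frequencies add back up to the ignition frequency, which is a quick consistency check on any event tree.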

NFPA 805 sets performance-based goals, objectives, and other criteria for radioactive release and nuclear safety. It describes the essential fire protection programs and their elements as well as minimum design necessities for fire protection systems and features to satisfy the performance criteria. The standard further provides greater use of engineering analysis, fire modeling, and fire PRA. This is where the connection between the two takes place. Fire PRA, including fire science, has evolved in the past two decades, and it is common knowledge nowadays that nuclear plants are safer in terms of operations. (10)

Figure 3. Fire PRA NRC Regulatory Guide 6850 Task 1-16 Breakdown Diagram

Early fire protection regulations were developed without the benefit of quantitative estimates of risk and before recent advances in performance-based methods such as fire modeling. (11) In addition, NFPA 805 focuses on reactor-safety-oriented fire protection, adds appropriate flexibility, and provides a more detailed evaluation of safe-shutdown conditions in the event of a fire. (10) The Nuclear Energy Institute and industry have established guidelines for the implementation of a risk-informed program, which the U.S. Nuclear Regulatory Commission (USNRC) has endorsed, along with some exceptions and additional clarifications.

A fire PRA is required to meet USNRC Regulatory Guide 1.200, which defines the level of PRA technical adequacy needed before implementing risk-informed applications in plants. (12) As for plant transitions, NFPA 805 must be met, as it provides standards for risk-informed, performance-based alternatives to nuclear plants’ current fire protection program. (13) The nuclear fire PRA is the future of nuclear regulation because of the complexity and precision of its analysis.

Figure 4. The Risk-Based Decision-Making Methodology

A nuclear fire PRA involves a mathematical or computational process that is repeated. The first step in a fire PRA involves defining the physical boundaries of the analysis and dividing the area within that boundary into analysis sections. This process is more often known as “plant boundary definition and partition.” (14) The second task involves selecting components responsible for plant shutdown following a fire. (15) These components most likely would include any and all components included in the USNRC 10 Code of Federal Regulations (CFR) 50 Appendix R post-fire safe shutdown analysis, (16) and other components that go beyond the aforementioned appendix as well as the internal PRA of the power plant. These special additional components are chosen because of particular considerations of combined actuations that may threaten the aforementioned credited functions and components. The third task involves selecting cables supporting those components identified in the second task. (14) The fourth and fifth tasks provide qualitative screening and the creation of a plant fire-induced model that reflects the plant’s response to a fire. The next tasks involve fire ignition frequency, quantitative screening, scoping fire modeling, detailed circuit failure analysis, and circuit failure mode likelihood analysis; all involve creating models and analyzing the results caused by failure in the circuits, which causes fire.

Figure 5. SFPE Engineering Guide – Fire Risk Assessment

Next is detailed fire modeling that describes the method of examining the consequences of fire in the power plant. Several scenarios are considered in creating a detailed fire model, but the most important aspect of this task is the number of factors that need to be considered, including initial fire characteristics, fire growth, detection and suppression, fire barrier systems, and damage from heat and smoke. Post-Fire Human Reliability Analysis, seismic fire interactions, fire risk qualification, uncertainty and sensitivity analyses, and fire PRA documentation are the last five tasks in creating a PRA. All in all, the PRA involves 16 interconnected and continuous tasks. (14) The complexity in detail of the PRA makes it an efficient tool for identifying hazards and assessing risks as well as establishing controls in nuclear plants.

In Figure 3, the yellow boxes indicate a new fire scenario with all other associated new data inputs (refer to all yellow boxes). The light blue boxes reflect the moderate change associated with every input of data of the new fire scenario analysis. The dark blue boxes reflect the significant change associated with the data input.

  • Risk-informed, Performance-Based Industrial Fire Protection: 3rd Order Risk Informed Performance. The fire PRA method consists of an integrated assessment of the appropriateness of risk, defense-in-depth, and safety boundaries. A fire PRA is conducted by identifying different fire scenarios that may affect the safe operation of the nuclear plant, often through impacts on equipment and actions of humans, as well as estimating the frequency of such scenarios occurring (the likelihood of the hazard identified). PRAs are usually conducted by “risk-based decision makers,” groups of experts including architects; facility and process designers; fire protection and safety engineers; loss control and risk managers; and review and approval groups including building code officials, fire marshals, regulatory agencies, and insurance companies. (17)

Risk informed, performance-based fire protection is an amalgamation of quantitative risk assessment and decision making, with a clear approach of the fire protection system success performance. “Risk informed” involves using fault tree, success tree, and event tree methodologies. “Performance-based” is probabilistic and quantitative fire protection success measurement. Performance is measured within the tree event model considering three main factors: response effectiveness, online availability, and operational reliability. (18)

The procedure for this type of analysis involves the following steps:

  • Area Mapping: Identify all areas of the organization where activities occur whether physical or administrative, inside or outside.
  • Gather knowledge of the facility, operations, equipment, and safety features under

√ Normal operations.

√ Abnormal operations.

  • Review the plant’s loss incident history, contributing factors, and any structure modifications made.
  • Conduct the risk performance:

√ Program objective.

√ Risk tolerance criteria.

√ Loss scenario development.

√ Initiating event likelihood.

√ Exposure profile modeling.

√ FPS performance success probability.

√ Risk estimation and comparison with risk tolerance.

√ Cost/benefit analysis of risk reduction alternatives. (18)

Risk = Initiating Fire Event Likelihood (F) × FPS Performance Success Probability (PFPS) × Consequences (C)

Risk = ∑ F × PFPS × C

There are three types of risk informed performance-based fire assessment:

  • 1st order risk informed performance: prescriptive codes and standards primarily based on past plant experience.
  • 2nd order risk informed performance: performance-based codes and engineering practices based on fire modeling.
  • 3rd order risk informed performance: performance-based methods that involve risk analysis, risk tolerance benchmarks, and cost/benefit analysis. (18)

When studying 3rd order fire engineering risk assessment, you must establish risk tolerance criteria. You can do this by establishing clear program objectives and comprehensive approaches that could withstand risks and at the same time successfully provide risk-informed or performance-based engineering solutions using analysis, appraisal, and assessment (Figure 4). (17)

ISO/TR 13387-1 (19) summarizes the fire safety engineering assessment process as follows:

  • Qualitative review:

√ Define fire safety objectives and acceptance criteria.

√ Review the design and the proposed fire safety features to establish prescribed design parameters.

√ Characterize the building and its occupants.

√ Identify potential fire hazards and their possible consequences.

√ Develop loss fire scenarios, which is a part of the quantitative analysis.

√ Establish fire safety trial solutions.

√ Indicate the proper methods of analysis.

  • Quantitative analysis: In this phase, a sequential quantitative analysis is carried out using suitable subsystems. Examples of subsystems are design fires and mathematical models.
  • Analysis against safety criteria outcome assessment: The procedure will be redone if the acceptance criteria are not fulfilled.
  • Presentation and acceptance of results. (20)
  • Society of Fire Protection Engineers SFPE Engineering Guide: Fire Risk Assessment. (21) The main purpose of FRA is to identify and describe the fire risks and provide related information to support fire risk management decisions. The aim is to answer the following three questions:
  • What can go wrong?
  • How probable is it that it will happen?
  • What would be the consequences?

PRA differs from fire hazard analysis and consequence analysis in that it also adds an estimate of the likelihood of occurrence to the assessment.

FRA includes a few steps: identifying the objectives of the assessment, the metrics for assessment, the hazards of concern and the potential fire scenarios; conducting frequency and consequence analyses on the scenarios of concern; and estimating the risk associated with the scenarios. In some cases, FRA may be expanded to assess options for mitigating the risk (through reducing the likelihood of occurrence or consequences), although this is also part of the risk management process, as shown in Figure 5. (16)

The SFPE Fire Risk Assessment Guide does not prescribe particular risk assessment methods or techniques. However, it highlights the following:

  • A recommended process for fire risk assessment (Figure 5).
  • Tools that may be used for hazard identification.
  • Sources of data for risk assessment.
  • Approaches to consequence modeling.
  • Methods for calculating fire risk.
  • Documentation of fire risk assessment.

This article has presented different fire risk assessment methodologies and their applicability. All of the methods are widely accepted in the industry. Many factors contribute to deciding which method to use. Some of these contributing factors include but are not limited to the purpose of the assessment, the number of details and degree of accuracy required, budget, time, personnel, and data available.

The best methods to use for CANDU fire PRA are NFPA 805 and NUREG 6850. The Canadian NPPs use some portions of NUREG 6850 in performing fire FRAs. Further research and assessments are required to evaluate the applicability of NUREG 6850 to CANDU reactors. This evaluation must include an assessment of the adequacy of using the fire safe shutdown analysis list of credited structures, systems, and components (when prepared in accordance with the requirements of CSA N293-07) for use in the fire PRA (when prepared in accordance with the requirements of NUREG 6850). The evaluation will also include a review of NUREG 6850 applicability to the Canadian Nuclear Safety and Control Act and the General Nuclear Safety and Control Regulations, CSA N293-07 “Fire Protection for CANDU Nuclear Power Plants.”

Research is required to assess the applicability of NUREG 6850 to CANDU reactors. The generic fire ignition frequencies provided in NUREG 6850 represent only the U.S. industry experience. For example, there are differences in systems, structures, and components between CANDU reactors and U.S. reactors: Some fires that are negligible in light water reactors and are screened out by NUREG 6850 may have more significant consequences in CANDU reactors. CANDU uses heavy water moderator and heavy water coolant, whereas the U.S. reactors mainly use light water.


1. “Japan’s unfolding disaster ‘bigger than Chernobyl.’” New Zealand Herald. April 2, 2011.


3. The Fukushima Dai-ichi Nuclear Disaster and the Future of Nuclear Energy Programs in Japan and East Asia, June 2012.

4. Archived from the original on April 18, 2011. Retrieved March 12, 2011.




8. NFPA 551, Guide for the Evaluation of Fire Risk Assessments, National Fire Protection Association, Quincy, MA, 2013.

9. ISO 16732-1:2012, Fire Safety Engineering-Guidance on Fire Risk Assessment, International Organization for Standardization, Geneva, Switzerland, 2012.

10. SMiRT 21, 12th International Seminar on Fire Safety in Nuclear Power Plants and Installations, München, Germany, September 13-15, 2011, TUV SUD, State of the art of fire risk analysis of performance-based approach and fire brigade strategy.

11. ERIN Engineering and Research Inc, (2008). Fire FRA Methods Enhancement Additions, Clarifications, and Refinements to EPRI 1019189. Available at [Accessed June 30, 2014].

12. “An Approach for Determining the Technical Adequacy of Probabilistic Risk Assessment Results for Risk-Informed Activities,” Regulatory Guide 1.200, June 2008.

13. National Fire Protection Association 805: Performance-Based Standard for Fire Protection for Light-Water Reactor Electric Generating Plants, 2010.

14. United States Nuclear Regulatory Commission (US NRC), “About NRC.” Available at [Accessed June 27, 2014].

15. “Treatment of internal fires in probabilistic safety assessment for nuclear power plants.” Vienna: International Atomic Energy Agency, 1998. (Safety reports series, ISSN 1020-6450, no. 10) STI/PUB/1062 ISBN 92-0-103298-6.

16. 10 CFR Part 50-Domestic Licensing of Production and Utilization Facilities, 2014.

17. Risk informed, Performance-Based Industrial Fire Protection. (2011). Fire Risk Forum Publication. Retrieved on November 10, 2011 from

18. Barry, Thomas F. (2002). Risk-Informed, Performance-Based Industrial Fire Protection. Tennessee Valley Publishing. Retrieved on November 10, 2011 from

19. “Pre-ISO Evaluation and Analysis.” (2011). Emergency Services Consulting International. Retrieved on November 10, 2011 from

20. “Design Fires for Fire Safety Engineering: a State of the Art Review.” Alex Bwalya, research associate; Noureddine Benichou, research officer; and Mohamed Sultan, senior research officer, the National Research Council of Canada, Institute for Research in Construction, Fire Risk Management program, Ottawa K1A 0R6, Ontario, Canada.

21. Engineering Guide-Fire Risk Assessment, Society of Fire Protection Engineers, Bethesda, Md., November 2006.

HOSSAM (SAM) SHALABI has a bachelor’s degree in applied science (chemical engineering) from the University of Ottawa, a master’s degree in fire safety engineering from Carleton University, and a master’s degree in engineering management from the University of Ottawa. He is a PhD candidate for fire safety engineering at Carleton University. He is a licensed professional engineer in the Professional Engineering Ontario’s Program. He is a certified Six Sigma Master Black Belt, certified ISO 14001 lead auditor, certified ISO 9001 lead auditor, and certified OHSAS 18001 lead auditor. He has more than 10 years of experience in applying fire safety engineering principles and techniques in the nuclear and oil and gas industries as a manufacturing and engineering consultant. Shalabi is a subject matter expert at Canadian Nuclear Laboratories for fire modeling.
