Probabilistic risk assessment (PRA) has a clear strength: it forces discipline. It makes you name failure modes, quantify them, and confront combinations that intuition alone would miss. Within that domain—where systems can be cleanly decomposed and dependencies bounded—it is one of the best tools we have.
Its limits begin at the same place its usefulness does.
PRA assumes that a plant can be represented as a set of events and conditional paths. That requires the world to be made of things that are separable, stable, and sufficiently well understood that a probability can be attached to them. Pumps either run or fail. Valves open or don’t. Power is either available or lost. Even when dependencies are included, they must be reduced to something countable.
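To make that structure concrete, here is a minimal sketch of the arithmetic an event tree encodes: an initiating-event frequency multiplied along a conditional path of branch probabilities. The initiator, the two mitigating systems, and every number below are illustrative placeholders, not values from any real plant model.

```python
# Minimal event-tree sketch: an initiating event followed by two
# mitigating systems, each of which either works or fails.
# All frequencies and probabilities are illustrative placeholders.

INITIATOR_FREQ = 1e-1   # loss of offsite power, per reactor-year (illustrative)

P_FAIL = {
    "emergency_power": 1e-2,      # probability the diesels fail to start and run
    "decay_heat_removal": 1e-3,   # probability the backup cooling path fails
}

def sequence_frequency(initiator_freq, *branch_probs):
    """Frequency of one path through the tree: initiator times each branch."""
    freq = initiator_freq
    for p in branch_probs:
        freq *= p
    return freq

# One core-damage sequence: the initiator occurs, emergency power fails,
# and the backup cooling path also fails. The branches are multiplied as
# if they were independent, which is exactly the assumption the rest of
# this section questions.
cd_seq = sequence_frequency(
    INITIATOR_FREQ,
    P_FAIL["emergency_power"],
    P_FAIL["decay_heat_removal"],
)
print(f"Sequence frequency: {cd_seq:.1e} per reactor-year")
```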
Real accidents do not respect that structure.
They start as ordinary disturbances and then evolve. Signals degrade without fully failing. Systems remain partially functional. Operators act on information that is delayed, conflicting, or incomplete. Boundaries that were clear on paper begin to blur: control logic crosses system lines, support systems become shared constraints, and actions that are locally correct accumulate into a global dead end.
To make such situations calculable, PRA has to thin them. It groups complex interactions into common-cause factors, truncates unlikely combinations, and replaces evolving conditions with fixed branches. The model remains internally consistent, but it no longer carries the full weight of what it represents.
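A rough sketch of what that thinning looks like at the quantification stage: minimal cutsets whose probability falls below a truncation cutoff are dropped before the totals are summed. The cutset names, probabilities, and cutoff below are invented for illustration only.

```python
# Sketch of the "thinning" step: cutsets below a truncation cutoff are
# removed from the quantification. Names and numbers are invented.

cutsets = {
    ("diesel_A_fails", "diesel_B_fails"): 1e-4,
    ("battery_depletes", "offsite_power_not_recovered"): 5e-6,
    ("shared_cooling_header_blocked",): 2e-9,   # rare, but defeats several systems at once
}

TRUNCATION_CUTOFF = 1e-8

kept = {cs: p for cs, p in cutsets.items() if p >= TRUNCATION_CUTOFF}
dropped = {cs: p for cs, p in cutsets.items() if p < TRUNCATION_CUTOFF}

# The total the model reports is the sum over the kept cutsets
# (rare-event approximation); whatever was truncated no longer
# exists inside the model at all.
reported_total = sum(kept.values())
print(f"Reported: {reported_total:.2e}, truncated away: {sum(dropped.values()):.2e}")
```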
The issue is not that PRA is wrong. It is that it is selective.
It describes well the kinds of failures that can be specified in advance. It is much less capable of describing the conditions that emerge only as the event unfolds—when independence erodes, when objectives conflict, and when systems that were designed to protect begin to constrain one another.
PRA often underwrites the familiar picture of defense-in-depth as a set of independent layers. In practice, those layers are tied together by shared infrastructure, control systems, and human action. Independence is not a binary property; it degrades under stress. PRA can acknowledge this, but only in simplified form.
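A standard beta-factor style calculation gives a feel for how much that degradation matters; the layer count, failure probability, and beta value below are illustrative assumptions, not plant-specific data.

```python
# How quickly "independent layers" stop being independent: a simple
# beta-factor sketch with invented numbers.

p_layer = 1e-2   # failure probability of each of three protective layers
n_layers = 3

# If the layers were truly independent, all three fail together only
# when each one fails on its own.
p_all_fail_independent = p_layer ** n_layers

# A beta-factor model assumes some fraction of each layer's failures is
# a shared, common-cause failure that defeats every layer at once.
beta = 0.05
p_all_fail_common_cause = beta * p_layer

print(f"Independent layers: {p_all_fail_independent:.1e}")    # 1.0e-06
print(f"With common cause:  {p_all_fail_common_cause:.1e}")   # 5.0e-04, roughly 500x higher
```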
So PRA does not eliminate uncertainty. It organizes the part of uncertainty that can be expressed as discrete, predefined events.
What remains outside that structure is not negligible. It is simply harder to quantify—and it is often where the most consequential accident sequences take shape.
Used well, PRA sharpens thinking. Used alone, it can give a false sense that what has been quantified is the whole of the risk.
It never is.
For example, an emergency procedure is written to be followed, not interpreted.
And yet, in the control room, it always is.
Not out of carelessness, but because no procedure can fully declare its own context. It tells you what to do, but only partially why. The operator supplies the missing frame—quietly, instantly—based on experience, recent history, and what the situation resembles.
That is where a particular kind of error lives. Not a slip. Not a violation. An interpretation.
At Fukushima Daiichi, isolation condenser valves were closed following the loss of offsite power, consistent with ordinary shutdown practice. Under normal conditions, closing them helps manage cooldown and prevents overcooling. It is a familiar action, rooted in routine.
But the plant was no longer in a routine state.
What had changed was not the instruction itself, but the meaning of the situation. Loss of offsite power, in isolation, looks like a transient. Something expected. Something bounded. Procedures for it exist, and they are practiced.
But here, it was not a transient. It was the beginning of a cascade: loss of power, loss of cooling, loss of indication. The same initial condition carried a very different trajectory.
The procedure did not lie. The action was not absurd. The operators were not negligent.
The frame was wrong.
Probabilistic risk assessment does not see this well.
PRA can model valve failures, loss of power, even operator error as a probability attached to a step. But it struggles with frame substitution—when a familiar signal is unconsciously mapped to the wrong scenario, and the correct procedure is applied in the wrong world.
There is no component to fail. No parameter drifting out of range. Just a quiet shift in interpretation:
this looks like that.
And so the response follows that, not this.
In reports, this often collapses into a line item: “operator action.” A probability. Perhaps adjusted with a human reliability factor.
But the deeper mechanism remains untouched.
Because this is not about failure to follow procedure. It is about successfully following the wrong one.
And it tends to appear precisely where systems are designed to look familiar—where abnormal begins by imitating the normal.
Loss of offsite power is one of those conditions. It sits on the boundary between routine and emergency. Most of the time, it resolves. The mental model it triggers is usually correct.
Until it isn’t.
And when multiple small cues begin to diverge—indications missing, responses slower, systems not behaving quite as expected—the operator is already inside a frame that explains them away. Each inconsistency is absorbed, not as contradiction, but as noise.
PRA counts errors. It does not easily count misplaced confidence in a correct action.
***
If a plant is inherently fragile in shutdown, the logic of risk assessment can quietly turn on its head.
On paper, PRA is meant to guide safer decisions by comparing scenarios: continue operation with a known fault, or shut down and remove the initiating condition. But PRA does not exist in a vacuum. It reflects the plant you give it.
If shutdown states are designed to be riskier than they should be—poor decay heat removal margins, dependence on active systems, loss of redundancy once power is reduced—then the model will faithfully report that risk. And once it does, a subtle but powerful conclusion follows: remaining at power can appear safer than shutting down.
At that point, PRA is no longer just describing risk. It is shaping behavior.
A small leak, a degraded pump, a valve that does not fully stroke—under normal engineering judgment, these would trigger a controlled shutdown. But if the PRA shows that shutdown sequences carry higher core damage frequency—due to transients, reliance on vulnerable support systems, or loss of stable thermal conditions—the “least-risk” option becomes continued operation with known defects.
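A toy version of that comparison shows how the conclusion emerges. Every number below is invented for illustration; a real analysis would involve thousands of sequences rather than two options and four figures.

```python
# Toy version of the decision PRA is being asked to make: conditional
# core-damage probability over the coming week, for each option.
# All numbers are invented for illustration.

# Option A: stay at power with the known defect for one week.
p_cd_at_power_week = 4e-7      # nominal at-power risk over a week
defect_multiplier = 2.0        # the known fault doubles the at-power risk
p_continue = p_cd_at_power_week * defect_multiplier

# Option B: shut down now. The plant pays the risk of the shutdown
# transient plus a week in a shutdown state with weak decay-heat-removal
# margins and heavy reliance on active support systems.
p_shutdown_transient = 3e-7
p_cd_shutdown_week = 8e-7
p_shutdown = p_shutdown_transient + p_cd_shutdown_week

print(f"Continue at power: {p_continue:.1e}")   # 8.0e-07
print(f"Shut down:         {p_shutdown:.1e}")   # 1.1e-06
# The model faithfully reports that keeping the fault is the lower-risk
# option: not because the comparison is wrong, but because shutdown was
# designed to be the weaker state.
```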
This is not a misuse of PRA in the narrow sense. The calculations may be entirely correct. The problem lies upstream:
- Shutdown is treated as an afterthought in design, not as a primary safety state.
- Decay heat removal paths are weaker or more complex than at power.
- System dependencies increase rather than decrease when the reactor is taken offline.
The result is a plant that is operationally biased—not by policy, but by physics and architecture. PRA simply exposes that bias and, in doing so, legitimizes it.
Over time, this creates a dangerous normalization. Faults that would once have been unacceptable become tolerable because shutting down is framed as the greater risk. The plant drifts into a regime where it is safest only as long as nothing else goes wrong.
The deeper issue is that risk comparison is being used to compensate for design imbalance. PRA is answering the question it was given—“which option is less risky?”—but no one steps back to ask why the options are so poorly aligned in the first place.
A well-balanced plant should not force that choice. Shutdown should be a risk-reducing action by design, not a scenario that has to be defended probabilistically against continued operation.
Otherwise, you end up with a system where the safest place to be is exactly where you already are—faults included—and the act of trying to make it safer becomes, on paper, the most dangerous move you can make.