U.S. NRC Blog

Transparent, Participate, and Collaborate

The Reactor Safety Study: The Birth, Death and Rebirth of PRA

Saul Levine, above, and Norman Rasmussen directed the project.

It almost died at birth. The granddaddy of all probabilistic risk assessments (PRA), the 1975 Reactor Safety Study (WASH-1400), was greeted with such withering criticism that the Commission disavowed the report’s executive summary — a public humiliation that seemed to consign its work to irrelevancy. However, this accident study was rescued by a major reactor accident.

WASH-1400’s origins and troubles were rooted in the Atomic Energy Commission’s role as a promoter of nuclear power. AEC officials wanted to convince the public that reactor accidents were very unlikely, but until the late 1960s, engineers lacked useable data and accepted risk-assessment methodologies to prove it.

By 1971, NASA and aircraft manufacturers had developed “fault-tree analysis” tools that could be applied to reactor systems to calculate the probability of complex chains of equipment malfunctions. Fault trees were adept at uncovering unexpected system vulnerabilities, but the numerical odds that they produced of core meltdowns were realistic only with sufficient data and imaginative engineers who could identify the many important malfunction sequences that could lead to a meltdown. And that was a tall order for an accident that had never happened before.

Nevertheless, some AEC officials wanted to use fault trees to prove reactor safety by comparing meltdown frequency and consequences to other human-made and natural catastrophes.

MIT professor Norman Rasmussen and AEC staffer Saul Levine directed the $3 million, three-year project. They improved fault-tree methodology far beyond previous efforts, but limited data made its calculations uncertain. Nevertheless the WASH-1400 team presented the very low accident probabilities in the executive summary with an assurance that belied its underlying uncertainty.

Critics attacked the study’s calculations with such vigor that in 1977 the NRC created an outside review committee under Professor Harold Lewis, a physicist at University of California Santa Barbara. The Lewis report praised WASH-1400’s methodology but excoriated some of its “indefensible” calculations, “incoherent” language, and an executive summary whose “soothing tones” ignored the uncertainty in its probability estimates. The Commission accepted the findings and cautioned the NRC staff to apply PRA techniques with caution. Tom Murley, later the director of the Office of Nuclear Reactor Regulation, recalled the decision “had a chilling effect on the staff.”

PRA was dead. For two months. The 1979 Three Mile Island accident destroyed a reactor, but it saved a report. WASH-1400 had foreseen small loss-of-coolant accidents and operator error as significant contributors to a meltdown risk, as had occurred at TMI. Post-accident blue-ribbon commissions called for greater use of risk assessment, and PRA slowly returned to the regulatory conversation.

By 1982, NRC Chairman Nunzio Palladino observed that PRA was important to licensing reviews, regulatory requirements, new reactor designs, and establishing priorities for research and inspections. Freed from the promotional pressure of proving reactors the safest of all technologies, PRA could simply focus on making reactors safer – something it is still doing today.

Tom Wellock
NRC Historian

One response to “The Reactor Safety Study: The Birth, Death and Rebirth of PRA

  1. Michael Pugh November 22, 2011 at 12:48 pm

    Commissioner Apostolakis has in several of his early papers credited Professor Reg Farmer’s 1967 paper (which introduced a frequency/consequences Criterion based on the release of Iodine-131) as the beginning of PRA. The Chief Engineer of the UKAEA Steam Generating Heavy Water Reactor (SGHWR) Design Office gave me a copy of this paper in April 1968 and asked me to use it to optimise his design. I found it impossible to use in its original form, and concluded that the way to do the optimisation was to complete a whole plant risk assessment. I persuaded Prof. Farmer (through intermediaries, since I was a basic grade engineer at the time.) to accept the need for a whole plant analysis, to change the slope of his Criterion to -1 from -3/2 and to define his Criterion for releases below 1,000curies on a good neighbour basis. I wrote a paper in August 1968 to tell the designers the unwelcome news that in future they would have to design each of the reactor systems to a reliability target. In this paper [TRG Report 1949(R)] I introduced diagrams (which WASH-1400 called Event Trees) to determine which accident sequences led to core damage and by knowing the initiating event frequency and the reliability target for each system (failure per demand) was able to calculate the frequency of all the end points in the sequence diagram. The whole plant risk being the sum of all sequences which cause core damage. We also adopted a lower limit on frequency where no further work was needed. This can save a lot of money.
    I believe the cost of WASH-1400 was reported at the time to be $6 million not the $3 million quoted by you. When the Lewis Committee reported at its Press Conference the spokesman said ;- “…there is nothing fundamentally wrong with WASH-1400, it is, after all, only the application of logic to engineering design.”. I cannot totally agree with this. Had it been truly logical WASH-1400 would have put the junction points in the event trees in the middle of the columns and not on the boundary between two systems. This would have ensured that everyone would have been clear which system was failing.
    I once wrote to NRC asking whether my paper influenced WASH-1400, I received a polite but firm reply that his job was to promote the things NRC had done. There can be no doubt my paper was available to the WASH-1400 project, because it is misquoted in Appendix III. The author of this Appendix took the failure probability I set for a relief valve system and used it as the failure rate for a single valve. The number of people, often senior workers in PRA, who talk as though probability and frequency are interchangeable quantities always surprises me.
    Although my paper was written in August 1968 I was not allowed to publish it until Prof. Farmer had published a revision to the slope of his Criterion. My paper was further delayed by UKAEA editors because I wanted to criticise the AEC use of a Maximum Credible Accident (MCA) approach. This was hiding the fact that the reliability targets for most reactor safety systems are set by the less severe but more frequent accidents than the MCA. In the end I was allowed to criticise MCA but not the AEC and.my paper was published in early 1969.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 1,448 other followers

%d bloggers like this: