The Reactor Safety Study: The Birth, Death and Rebirth of PRA
It almost died at birth. The granddaddy of all probabilistic risk assessments, the 1975 Reactor Safety Study (WASH-1400), was greeted with such withering criticism that the Commission disavowed the report's executive summary — a public humiliation that seemed to consign its work to irrelevancy. However, this accident study was rescued by a major reactor accident.
WASH-1400's origins and troubles were rooted in the Atomic Energy Commission's role as a promoter of nuclear power. AEC officials wanted to convince the public that reactor accidents were very unlikely, but until the late 1960s, engineers lacked useable data and accepted risk-assessment methodologies to prove it.
By 1971, NASA and aircraft manufacturers had developed "fault-tree analysis" tools that could be applied to reactor systems to calculate the probability of complex chains of equipment malfunctions. Fault trees were adept at uncovering unexpected system vulnerabilities, but the numerical odds that they produced of core meltdowns were realistic only with sufficient data and imaginative engineers who could identify the many important malfunction sequences that could lead to a meltdown. And that was a tall order for an accident that had never happened before.
Nevertheless, some AEC officials wanted to use fault trees to prove reactor safety by comparing meltdown frequency and consequences to other human-made and natural catastrophes.
MIT professor Norman Rasmussen and AEC staffer Saul Levine directed the $3 million, three-year project. They improved fault-tree methodology far beyond previous efforts, but limited data made its calculations uncertain. Nevertheless, the WASH-1400 team presented the very low accident probabilities in the executive summary with an assurance that belied its underlying uncertainty.
Critics attacked the study's calculations with such vigor that in 1977 the NRC created an outside review committee under Professor Harold Lewis, a physicist at University of California Santa Barbara. The Lewis report praised WASH-1400's methodology but excoriated some of its "indefensible" calculations, "incoherent" language, and an executive summary whose "soothing tones" ignored the uncertainty in its probability estimates. The Commission accepted the findings and cautioned the NRC staff to apply PRA techniques with caution. Tom Murley, later the director of the Office of Nuclear Reactor Regulation, recalled the decision "had a chilling effect on the staff."
PRA was dead. For two months. The 1979 Three Mile Island accident destroyed a reactor, but it saved a report. WASH-1400 had foreseen small loss-of-coolant accidents and operator error as significant contributors to a meltdown risk, as had occurred at TMI. Post-accident blue-ribbon commissions called for greater use of risk assessment, and PRA slowly returned to the regulatory conversation.
By 1982, NRC Chairman Nunzio Palladino observed that PRA was important to licensing reviews, regulatory requirements, new reactor designs, and establishing priorities for research and inspections. Freed from the promotional pressure of proving reactors the safest of all technologies, PRA could simply focus on making reactors safer – something it is still doing today.
By Thomas Wellock, NRC Historian