Michele Kearney's Nuclear Wire

Major News and Commentary Military and Civilian Nuclear Activities

Tuesday, November 15, 2011

U.S. NRC Blog The Reactor Safety Study: The Birth, Death and Rebirth of PRA

by Moderator
It almost died at birth. The granddaddy of all probabilistic risk assessments (PRA), the 1975 Reactor Safety Study (WASH-1400), was greeted with such withering criticism that the Commission disavowed the report’s executive summary -- a public humiliation that seemed to consign its work to irrelevancy. However, this accident study was rescued by a major reactor accident.
WASH-1400’s origins and troubles were rooted in the Atomic Energy Commission’s role as a promoter of nuclear power. AEC officials wanted to convince the public that reactor accidents were very unlikely, but until the late 1960s, engineers lacked useable data and accepted risk-assessment methodologies to prove it.
By 1971, NASA and aircraft manufacturers had developed “fault-tree analysis” tools that could be applied to reactor systems to calculate the probability of complex chains of equipment malfunctions. Fault trees were adept at uncovering unexpected system vulnerabilities, but the numerical odds that they produced of core meltdowns were realistic only with sufficient data and imaginative engineers who could identify the many important malfunction sequences that could lead to a meltdown. And that was a tall order for an accident that had never happened before.
Nevertheless, some AEC officials wanted to use fault trees to prove reactor safety by comparing meltdown frequency and consequences to other human-made and natural catastrophes.
MIT professor Norman Rasmussen and AEC staffer Saul Levine directed the $3 million, three-year project. They improved fault-tree methodology far beyond previous efforts, but limited data made its calculations uncertain. Nevertheless, the WASH-1400 team presented the very low accident probabilities in the executive summary with an assurance that belied its underlying uncertainty.
Critics attacked the study’s calculations with such vigor that in 1977 the NRC created an outside review committee under Professor Harold Lewis, a physicist at University of California Santa Barbara. The Lewis report praised WASH-1400’s methodology but excoriated some of its “indefensible” calculations, “incoherent” language, and an executive summary whose “soothing tones” ignored the uncertainty in its probability estimates. The Commission accepted the findings and advised the NRC staff to apply PRA techniques with caution. Tom Murley, later the director of the Office of Nuclear Reactor Regulation, recalled the decision “had a chilling effect on the staff.”
PRA was dead. For two months. The 1979 Three Mile Island accident destroyed a reactor, but it saved a report. WASH-1400 had foreseen small loss-of-coolant accidents and operator error as significant contributors to a meltdown risk, as had occurred at TMI. Post-accident blue-ribbon commissions called for greater use of risk assessment, and PRA slowly returned to the regulatory conversation.
By 1982, NRC Chairman Nunzio Palladino observed that PRA was important to licensing reviews, regulatory requirements, new reactor designs, and establishing priorities for research and inspections. Freed from the promotional pressure of proving reactors the safest of all technologies, PRA could simply focus on making reactors safer – something it is still doing today.
Tom Wellock
NRC Historian

1 comment:

  1. Michael Pugh (Retired), November 16, 2011 at 4:19 PM

    There is a gap in Mr Wellock's knowledge of the WASH-1400 study. He would find in Appendix III a reference to a report, TRG Report 1949(R), which I wrote in August 1968 but which was published in 1969, and which introduced what WASH-1400 called Event Trees. These were designed to identify the accident sequences which resulted in core damage. To this day publications like Wikipedia cannot define the difference between fault trees and event trees properly.
    Continuously operating plants like nuclear reactors and chemical plants are judged on a frequency/consequences basis, whilst NASA, which usually deals with short duration missions, will calculate the probability of mission success. It is important that a person engaged in safety clearly understands the difference between the terms probability and frequency because they are not interchangeable.
    The spokesman for the Lewis Committee actually said "...there is nothing fundamentally wrong with WASH-1400 it is after all only the application of logic to engineering design." I actually slightly disagree with this because, had it been true, Rasmussen would have put the junction points in event trees in the middle of the columns rather than on the boundary between two systems, thereby eliminating a common error made by newcomers to PRA. Also, with a core melt frequency of 1 in 100,000 years, considerable savings could be achieved if one adopts a lower limit on the frequency where work on a sequence can be safely stopped without significantly affecting the core melt frequency.
    In 1969 I showed Winfrith SGHWR operating staff how to perform an event tree analysis of their plant. This identified quite clearly the need for a Guaranteed Feed System and such a system was put in towards the end of 1969/early 1970. It could be claimed to be the first plant to have been modified as a result of a PRA type analysis, well before WASH-1400 was started.
    Mike Pugh
