*Fukushima has changed our approach to nuclear safety to more emphasis on accident mitigation. *

At these hearings the elephant in the room was not Elmer the traffic safety elephant well know to Canadian children but the Fukushima safety elephant. It shook up the way we look at nuclear safety.

The essential lesson from Fukushima is that future reactor accidents are much more probable than what we might like to think. Since then accident mitigation has become an urgent consideration as shown by the emphasis on emergency planning at the hearings.

According to the World Nuclear Association there have been almost 15,000 years of power reactor operation from about 1960 to the end of 2012. During that time there have been three serious nuclear accidents – “black swans” (Three Mile Island, Chernobyl, and Fukushima). This makes the probability of a serious accident about 1 in 5,000 or 2 x 10-4 per reactor year. One can play with this number by changing the number of reactors that melted down (three at Fukushima or not counting TMI as a serious accident) and so on but it’s the order of magnitude of the meltdown probability that is really of interest.

Each of these events occurred in a different reactor types (PWR, RMBK and BWR) in countries with differing nuclear cultures and regulation regimes. Aside from stressing the importance of overriding issues such as human error, institutional failure and design defects, it is difficult to know where to go with the black swan approach in analyzing reactor safety. Although certainly one can draw lessons from them after the fact as is being done for Fukushima, notably compensating measures for the complete loss of electrical power in a reactor plant (“total station blackout”) and further measures to prevent hydrogen explosions.

Contrast this with the traditional approach to reactor safety known as PSA (Probabilistic Safety Analysis/Assessment). This approach tries to examine all possible accident event sequences and figure out the probability associated with each sequence. In practice it’s very complicated and there can be hundreds or even thousands of events and sequences. To give an overly simplified example, let’s consider an accident sequence that starts with event A: a cooling pipe breaks, then B: a sensor fails to indicate the break, then C: the reactor operator doesn’t see the reactor temperature increasing, then D: a switch activating the emergency core cooling system doesn’t work, then E: the operator pushes the wrong button to correct this and F: a core meltdown occurs because the reactor overheats.

This too simple example illustrates some of the key aspects of PSA. The validity of the approach depends on the accuracy of the probabilities assigned to the individual events since the overall accident probability (of event F for example) is obtained by multiplying the probabilities of the individual events in the sequence. Some might be well known; perhaps the B sensor is used in many applications and its failure rate is well documented from experience. At the other end of the scale there are probabilities that one can merely guess at e.g. the initiating pipe break probability might be hard to evaluate. Another very important condition is that the probability of a certain event happening is independent of other events. This may not always be the case: event C implies an incompetent operator and therefore, event E may be more likely. For completeness all possible accident sequences need to be evaluated. There isn’t any way to be sure completeness has been achieved. Unfortunately, there wasn’t an event sequence at Fukushima that started with: “suppose there was a tsunami wave higher than the protective sea wall”.

Safety analysts in Canada and internationally continue to use PSA. In fact people have made whole careers in the nuclear industry putting bells and whistles on the basic PSA framework. While it has proven useless for predicting accident probabilities, PSA is useful for highlighting and correcting potential problems. In the context of the example above, perhaps a more reliable type of switch D could be installed or better training is needed for operators in terms of events C and E. The other important reason for continuing PSA is that there doesn’t seem to be any worthwhile alternative. As CNSC staff pointed out, PSA is still the international standard approach to reactor safety.

The problem is that PSA comes up with accident probabilities of the order of one in a hundred thousand or one in a million or even one in ten million per reactor year that are completely out of whack with the one in five thousand observed accident frequency. At the hearings I was disappointed to hear staff from the CNSC and OPG bandy about terms such as a “10-6 accident”, usually without the “per reactor year” unit giving the erroneous implication that these were realistic accident probabilities. In the best interpretation this could be excused as bad communications using nuclear jargon and in the worst interpretation a dishonest attempt to minimize the probability of an accident.

Much more serious was OPG and the CNSC using PSA as a basis for emergency planning. Statements were made that can be roughly paraphrased as “their (PSA) probability is so low that we don’t consider accidents with offsite consequences more than a few kilometers from the site” and “OPG has identified two catastrophic accident scenarios but their PSA probabilities are in the order of 10-7 and so we can safely ignore them”. Using PSA, discredited by experience as a method of predicting accident probabilities, is unscientific and intellectually dishonest. Thus, in my opinion, the hearings witnessed a disgraceful performance on the part of the institutions charged with our nuclear safety.