Due to events in Japan, which I don’t need to remind you about, safety as an engineering exercise is a lot more interesting than it was a couple of weeks ago.
Safety calculations have many different forms and many proponents for each, but by far the most common is a simple “expected return” calculation. That is, you estimate the chance of each hazard and multiply by the cost of it happening, and using basic probability come up with an expected cost per year in dollars. Well no one actually uses dollars except the insurance companies, but it’s worth pointing out that the insurance companies are the best at this. No one else is really willing to take the PR hit of saying a life is worth X dollars, though.
Anyway, there are others that say that this is inadequate and that remote but catastrophic events need a different weighting than what I’ll call “operational events” because their ramifications are deeper. What we are seeing in Japan and in particular at the Fukushima plant is that they are totally right. And this affects reactor design choices deeply.
The Boiling Water Reactor (BWR) that Fukushima uses is designed to operate at fairly low temperatures (the steam generating power is only around 250 degrees Celsius) and therefore at relatively low pressures. This makes the operational risk fairly low because only low pressures are involved. And that means you can make the pressure containers weaker because, well, there are not very high pressures involved. And that’s very inexpensive. And that’s very attractive. And safe!
In a “black swan” event, however, like a 9.0 Richter earthquake and accompanying tsunami, operational pressures are irrelevant. Things get shaken and smashed and the internal temperatures (and consequently pressures) are no longer related to the intended operational conditions. They are now only related to the possible configurations allowed by the laws of physics. Now, these are happily constrained by other BWR design elements like the kind of fuel and so on, but nonetheless they are rather more extreme than the operational safety mitigations protect against. And so now that weaker pressure vessel is looking pretty crap. But, hey, black swan events are in the one-in-a-million range of probabilities! So the ER math works out. It’s worth the risk.
Well, maybe not. Now, I am not going to suggest that a Pressurized Water Reactor is necessarily a better bet — it increases operational risks and they are your day-to-day worry. But maybe a BWR with containment designed for parameters closer to the physical maximum would be a better bet? Well, hindsight is crystalline, of course.
Here’s the calculation that would be better, though, than the chance and cost of a reactor failing versus the cost of making it and the profit generated by it: the cost of a brand or a company failing while an already desperate population gets an extra dose of desperation. I know that sounds mercenary, but I want to find a way to make a fiscal argument so that it’s heard well because industry soon forgets ethical arguments. But cash flow they do not forget.
So, ignoring the safety concerns for a single plant, let’s look at what General Electric actually puts at risk by adopting too simple a calculation (and I am not saying that’s what they did — they may well have done one more like what I propose and it still turned out to be worth their money to make things the way they did). GE does not run a single-plant risk at all, you see.
Rather, their risk includes the risk that any plant with their name on it fails in a public and terrible manner at any time. Okay so right away we can see that operational safety is super important, because now the time frame is reactor-years and not just years. So now a black swan of 1 in 1,000,000 per year is 1 in 1,000,000 per year per reactor. The corporate black eye potential of a thousand reactors is now 1 in 1,000 per year. Yikes! Now that is a gamble that sucks!
Maybe. If we’re talking about GE’s perspective, then we can only really count the cost to them. What’s the cost of a GE reactor failing? And what’s the cost of protecting against a black swan event? Worst case for GE is it goes out of business, totally, dissolving all assets to pay fines and suits. Wikipedia says that’s about $48 billion. So your worst case is 1 in a billion every year per reactor to lose $48 billion. Absolute worst case (and we note that in black swan space we are waving our hands pretty hard by definition). So how much safety is it worth building in over and above the basics and without cost to the customer (because you can’t sell him YOUR safety, trust me) per reactor?
It depends on how many reactors you make — the chance of getting blindsided by the black swan increases every time you sell a reactor. It might actually make sense to stop making them at some point, just because you can elevate your corporate risk beyond acceptable levels just because you have elevated the impossible into distinctly possible — even likely — space by having so many risks on the table at once. If a way-overspecced pressure vessel costs ten million extra dollars to GE, that’s ten billion dollars on a thousand reactors! And that’s a ten trillion dollar ER on a one in a thousand event. Against a $48 million ER for not doing it. So even taking the whole corporate net assets as risked, and accounting for a thousand reactors at once, it’s hard to see it making dollars sense using an ER.
Of course, over 100 years, that’s 100 billion versus 4.8 billion. Still not worth it! If it was only a million bucks? Maybe worth it. Maybe. In dollars.
What are the follow-on costs though?
In a black swan event it’s safe to say that the cost of the failure will not just be the immediate cost of the disaster. It’s not a hundred lives lost directly attributable to the accident itself. It’s also a few hundred thousand people without power at a time when they could really use some power — because they are affected by the same event! It’s the psychological effect of having to worry about radiation poisoning at the same time as your town has been reduced to disorganized lumber. These cannot be dollar values and so they are almost certainly not the manufacturer’s concern, but they must be the customer’s concern, surely. And I think this is at the heart of this calculation — when considering the most remote kinds of event, we are typically considering natural catastrophes that affect the system under analysis. And that means that the failure, in addition to having direct safety implications, also compounds the damage that is going on around the failure. It is a force multiplier on how much everything sucks and does not occur in isolation, practically by definition.
An ER does not capture this. At all. It is completely unequipped for it. So I think in future we are going to see a lot more attention to more complex modeling methods that answer questions like:
How much does this make the causal disaster worse?
How do we handle impacts that are flat-out untenable (infinite dollar value)?
How do we determine when an impact is completely untenable?
At what point in the probability of an event do we have to assume a surrounding disaster that we might be making worse? Is p=0.0001 implying it? p=0.00001? Something else (I think this is right)?[1]
These things are not easy and not inexpensive and generally companies are not motivated to solve them unless they can make money on it. That is, after all, the only real metric that we use to judge companies. So that means customers must demand that these cases be addressed even though there is a reasonable expectation that it will never happen to them, and shoulder part of the cost. But I think we will see that and see creative solutions — there’s plenty of room to explore impact mitigation as well as likelihood mitigation.[2] For a couple of years there will even be a lot of motivation while the memory of these events is fresh.
The curse of the black swan, however, is that the intervals between are often longer than this memory. And so no matter what we learn today, the odds are good that we will have to learn it again.
[1] One of the things that you often see in a safety analysis is a hazard based on equipment failure, and that failure is mitigated by requiring multiple components to fail simultaneously in operation, which is a multiplied (independent) probability. A disaster, however, makes them dependent and I think that’s not modeled for the most part. If you posit a natural disaster, you can practically assume multiple simultaneous component failures and that means no matter how low you can make operational p, it is never lower than the disaster p. And that means you have to mitigate impact to get an adequately low value — p bottoms out at p(tsunami).
[2] It’s worth pointing out that choosing a different power source can be seen as an impact mitigation (certainly if you install a million wind turbines, you have mitigated perfectly against core meltdowns). It’s also worth noting, however, that we heard almost no news about how many were killed when the natural gas processing plant exploded during the tsunami. By that I mean that the actual impact may not change in ways we hope it will if we do the calculation in earnest. But it might.
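The fleet-level ER arithmetic from the GE passage above and the common-cause floor from footnote 1, worked through as an added Python example that is not part of the original post. The 1-in-a-million, thousand-reactor, $48 billion and $10 million figures are the post's own; the component failure probabilities are constructed, and the assumption that a disaster takes every component out together is the footnote's simplification, not a claim about any real plant.

```python
"""Added example: single-reactor vs. fleet expected return (ER), and why
an operational hazard probability bottoms out at the disaster probability."""


def fleet_event_probability(p_per_reactor: float, n_reactors: int) -> float:
    """Chance that at least one of n independent reactors has the black-swan
    event in a year. The post uses the n*p approximation; the exact value
    1-(1-p)^n is slightly smaller and agrees when n*p is small."""
    return 1.0 - (1.0 - p_per_reactor) ** n_reactors


def expected_return(probability: float, cost: float) -> float:
    """Plain ER: chance of the hazard times the cost if it happens."""
    return probability * cost


def mitigation_verdict(p_per_reactor: float, n_reactors: int,
                       loss_if_event: float, mitigation_per_reactor: float,
                       years: int) -> dict:
    """Compare the ER of the unmitigated fleet-wide black swan over a horizon
    against the certain, one-off cost of overspeccing every reactor."""
    p_fleet = fleet_event_probability(p_per_reactor, n_reactors)
    er_per_year = expected_return(p_fleet, loss_if_event)
    er_total = er_per_year * years
    mitigation_total = mitigation_per_reactor * n_reactors
    return {
        "p_fleet_per_year": p_fleet,
        "er_per_year": er_per_year,
        "er_over_horizon": er_total,
        "mitigation_cost": mitigation_total,
        "mitigation_pays": mitigation_total < er_total,
    }


def independent_failure_probability(component_ps: list) -> float:
    """Hazard that needs every listed component to fail at once, with the
    failures treated as independent: the probabilities multiply."""
    p = 1.0
    for cp in component_ps:
        p *= cp
    return p


def hazard_floor_under_disaster(component_ps: list, p_disaster: float) -> float:
    """Footnote 1 (assumption: the disaster fails all components together).
    Hazard = disaster happens, OR no disaster and the independent failures
    line up anyway. Adding components can never push this below p_disaster."""
    independent = independent_failure_probability(component_ps)
    return p_disaster + (1.0 - p_disaster) * independent
```

Running `mitigation_verdict(1e-6, 1000, 48e9, 10e6, 100)` reproduces the post's "not worth it" verdict (about $4.8 billion of ER against $10 billion of vessel upgrades), while the $1 million variant flips it; `hazard_floor_under_disaster` shows that piling on redundant components only chases the independent term toward zero, leaving p_disaster as the floor.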