Low Probability-High Consequence Events

Harmonizing.

Engineering, “EPA” and terrorism risk assessments

2nd World Congress on RiskGuadalajara, Mexico

June 9th 2008

Richard WilsonMallinckrodt Research Professor of Physics

Harvard University

Rare Nuclear Power accidents first studied by physicistsAdvisory Committee on Reactor Safeguards –

Teller, Wigner, and Feynmanonly accidents less than the

MAXIMUM CREDIBLE ACCIDENTwere considered

The landmark Reactor Safety Study (WASH 1400) in 1975was chaired by a physicist (Rasmussen)

Looked quantitatively at the extreme events(Low Probability; High Consequence)

by a combination of EVENT TREES and FAULT TREES

First task:Define the problem.

Next task: break it into manageable component

partsfactorizable as much as possible

Nuclear Power was the first example

Simplified EVENT TREE for pipe break

Rate of Pipe Breaks F1Probability of ECCS (SF) failure P2Probability of Containment Failure P3Probability of wind blowing to City P4

IF INDEPENDENT

Overall rate = F1x P2 x P3 x P4FAULT TREE can be used to estimate

P2,P3

P4 is calculated very differently by an “EPA” (or “FDA”) style

risk assessment.What is the permissible dose of a substance before it causes harm?

Before 1975 FDA assumed a threshold or Logit response

EPA assume a linear dose-response for cancer endpoints..

Taylor’s theorem suggests it should be linerar at low doses if the end point is the

same naturally and artificially

“EPA” style risk assessmentRadiological effect by epidemiologyNew Chemicals using Animal data

In discussing chemical spills an engineering PRA (event tree)must be used for the front end.

Crucial to harmonize the assessements Do not use different jargon

Are the probabilities coupled?A failure scenario which couples them is called a

Common Mode Failure

Fire, flood or Earthquake can couple the individual steps At Browns Ferry fire in a cable duct led to loss of control.

(solution: use redundant cable ducts)

The event tree enables us to focus on these correlations.Now every reactor has a detailed study

(Jargon - Probabilistic Risk Analysis -PRA)It enables the analyst to find weak points.

In the first PRA (Surry, VA) a simple change for about $50,000 reduced the calculated accident probability by a factor of 5

A saboteur (terrorist) can couple the different steps

Rasmussen said in 1978:“There is nothing a terrorist can do that

those clowns (operators at TMI ) did not do on their own”.

My response: A terrorist can increase the probability!

Especially a group of terrorists

A saboteur can :take a nuclear engineering course

work at a nuclear plant as a “sleeper”

Then he can set off two bombs(1) To break a pipe and

(2) open a containment hole (3) when the wind is blowing to a city

If 6 terrorists act in concert it is easier

Industries now using Event Tree Analysis

1975 Nuclear Power WASH 1400;NUREG 75/014

1978 LNG: Keeney et al Techn. Rev. 81:64 1985 Oil refineries1985 Chemical plants2000 NASA2xxx Building Industry (not yet)Independence of steps not as easy as in nuclear power.

Imagine what a terrorist might do: and

devise a system to make it hard for him to do it. 

Stop the event as early in the chain as possible

(dont let trouble spots fester)

Event Tree Analysis

Suggested Event Scenario

(1) Stop creation of terrorists

(2) Keep weapons out of hands of terrorists(3) Keep potential terrorists away from

sensitive places(4) Make ALL individual targets more secure

Stop a scenario as early in the event chain as possible

Fewer terrorists than targets!

What makes a terrorist?

The organized Al Quaeda of 2001 no longer exists(Scott Atran)

Now organization by internetMadrid bombing was a group from one area of Morocco

terrorists are like ordinary people

2001 terrorists: educated. Not religious(Marc Sageman: “Leaderless Jihad”)

Why more terrorist suspects in Europe than USA?Frustration with lack of integration?

Watch internet grouping

Step 2.Keep weapons out of the hands of

terrorists

Firearms are easily available. Even AK7s But

Atomic Bombs?Biological material?

Nerve gases?

Step 2 keep weapons out of the hands of terrorists.

Only limited possibilities for ordinary weapons - including AK7s

ESSENTIAL FOR NUCLEAR WEAPONSNot easy for chemicals or

biological materials18

Important to prioritize“If you guard your toothbrushes

as carefully as you guard your diamonds You will lose fewer toothbrushes but

you will lose more diamonds!”JH Van Vleck (circa 1955)

Be careful with fissile material: IAEA records

Step 3.Keeping Terrorists at Arm’s length

Make it hard to enter the US keeping terrorists away from facilities

is where US is concentrating efforts

Inevitably conflicts with liberty and human rights 

USSR system of closed areas – (Chelyabinsk, Sverdlovsk)

no longer works   

Step 3

Importance of Secrecy As in military matters:

Strategic (long term issues) should be openTactics (short term issues) should be on a

“need to know”

I know, in general, where to fly an airplane to destroy a nuclear power plant, (not the

containment vessel)but on individual detail, I do not need to know

Step 4. Making Society Safer AEngineering and Industrial facilities

   Do not store a lot of fuel in one place near a lot of people in the same place. (Wigner 1974)

Oil tanks and LNG facilities should be in remote areas.   (In 1848 London decided to keep Petroleum products 30

miles from London bridge in Canvey Island)

Terrorism and Sabotage already considered for nuclear power.

Look at high consequence scenarios in every industry

Natural DISASTERS can SUGGEST NASTY TERRORIST actions

(1)Substation failure in Naperville ILL shut down landing system at O'Hare (and cut off my son's E mail)

(2) Broken relay shut down NE electricity for 5 hours (1967)(3) Storm cut major transmission lines in France for 4 days

(4) 1944 at Clapton Sands off duty US soldiers shot at insulators and shut down the line to Naval base

If:20 terrorist sharp shooters each choose a transmission

tower in a remote area and at noon each shot at an insulatorMAYBE AT THE SAME TIME

other terrorists release SARIN in subway....

Anyone guess the consequence?

Emergency exits are not used in USACoconut Grove Night club in 1941 they were

lockedAt the Rhode Island Fire people did not use them

Fire protection, etc must be practiced.

In 1957 Andrea Doria collision in calm weather in fog and sank in 3 hours

100 people diedBritish troopship with families sunk in 1/2 hour

engineer killed in explosion all others saved!

Step 4 – Making Life Safer B

B Biological Processes Reducing Natural Epidemics also trains people to

reduce the risk of biological terrorism1919 Flu; 2005 SARS

In disease spread there are 2 crucial numbers:(i) average number of people a single person infects ~ 2.5

(ii) time between infections ~ 10 days BUT look at exceptions

Some postulated terrorist events are newRadiological bomb

Anthrax spores dispersed by high explosiveFor these: The first 5 minutes may be crucial

A “dirty bobm” or “Radiological Bomb” will kell only a few but make

areas unihabitable (USING POST-CHERNOBYL

RULES)

A Pandemic (like 1918 flu) can be started by terrorists and can kill 70

million

“If you still want to belong to an organization dedicated to killing Americans, there’s always the tobacco lobby.”

Alex Gregory, Cartoonbank.com

Possible “easy” terrorist Actions

Anthrax released in a high explosive bomb upwind of city can kill more people than a plutonium bomb

Silver cyanide plating solution dumped in reservoir after filtration

(possible in Oxford in 1949)

Biological material released in subway

Known Terrorist Groups with Assumed reasons for Frustration

Tamil Tigers - Sri LankaIRA - Ireland

Hamas military wing - Palestine/IsraelHezbollah - Lebanon

Basque separatists - SpainTaliban – NW Pakistan

“If there is hope and you kill a terrorist you have one terrorist less

If there is no hope and you kill a terrorist you have 10 terrorists more”

(Israeli General: Also Yugoslav experience in WWII)

Act promptly to reduce (i) from 2.5 to 0.99At least 60% of all people must cooperate

(Successes - small pox;

Wash handsWear face mask especially infected people (Japan)

Don't go to work/school or travel if feverQuarantine; need for societal agreement

In community:radio temperature to central place to identify a

cluster of high fever. Then start more drastic action promptly

Airline Pilots will now resist a hijackingBar cockpit doors

Maybe set to control from ground or automatic

Use emergency exits regularly“The public may leave at the end of each

performance by all exit doors and at that time the doors shall be open”

Lord Chamberlain's regulations, UK

Easy access to first aid boxesIn a recent inspection in Boston, they were

locked up and noone had the key!

Few plans for a major fire at WTC? (FEMA report instructive for what it missed out)

Insulation not tested for durabilityFire and initial impact destroyed all safety

mechanisms (Common mode failure not foreseen!)

Helicopter fire fighters?Protect buildings by cables from

towers or balloons?

Some terrorists are now educated. Also some act in concert

    Sabotage and terrorism are unfortunate facts of life.

  They will be with us until the end of

the human race. 

We must not let terrorism distort our lives.

Other risks are bigger.Car accidents:

45,000/yr vs. 3,500 onceDrugs destroy society more

Security vs. FreedomOur human rights are what makes life worth living.

Crucial Importance of Readiness for Response

If a terrorist knows that there will be a quick and intelligent response

it will be less attractive

Inspect the insulation of all buildings over 50 stories high.

(expensive but possible;

e.g. apply a heat source to steel in one location and compare the

temperature - time profile with calculation)