Averting Catastrophe

Chapter 8: Can We Do Better?

We have already noted that the United States has a better system for diagnosing and averting catastrophes from risky technologies than we had anticipated at the outset of our research. We do not, however, want to overstate this point: it is not a stamp of approval for the overall management of risky technology in the United States. We have been analyzing the possibility of severe physical risks to very large numbers of humans. All we are saying is that there is a good chance in areas of civilian technology that catastrophes will be prevented even in new problem areas where society is not presently expecting trouble. Although it readily could be improved, a monitoring system is in place; and although they could be used better, a repertoire of sensible strategies has been developed to diagnose and prevent potential catastrophes.

We conclude our analysis by examining some of the remaining problems in the management of risky technologies, and by formulating options for improved application of the catastrophe-aversion system.

How Safe Is Safe Enough?

As regulators have developed strategies for coping with potential catastrophes, these very strategies have created a new and sometimes more perplexing problem: when is the catastrophe-aversion system good enough? The question arises because the strategies can be implemented in any number of ways, from very rigorously to very loosely. The second strategy (proceed cautiously) clearly illustrates the problem: How cautious is cautiously? How cautious should the implementation of initial precautions be: very rigorous (early rDNA), moderate (U.S. fluorocarbons), or mild (scrutiny of new chemicals)? No matter how strictly catastrophe-aversion strategies have been applied, they can always be applied even more rigorously, even to the point of an outright ban. The problem would be easily resolved were it not for the fact that the precautions are costly, and each degree of rigor brings additional costs.

Among the cases reviewed here, the problem of weighing the benefits of additional safeguards against the costs is most apparent in the case of nuclear power, and, indeed, is a central element in contemporary nuclear policy debates. Since containment cannot be guaranteed, emphasis is placed on preventing malfunctions and mistakes from triggering serious mishaps. Since prevention requires that all serious possibilities be taken into account, there always seems to be one more set of precautions and expenses that perhaps ought to be undertaken. The increase in precautions (and expenses) brings with it the issue of whether additional precautions are worth the cost. Increasingly, new questions are raised: When have we gone far enough in attempting to avoid potential catastrophe? When are reactors safe enough?

The same problem arises, to varying degrees, in our other cases. For toxic chemicals, is it reasonable to focus regulatory concern on the fifty most potentially hazardous substances? Why not twenty, or one hundred, or even five hundred? How many different types of tests should be required, conducted in how many species of laboratory animals? And how dangerous should a chemical be in order to restrict or prohibit its use? The Delaney amendment specifies a zero tolerance for any food additive that causes cancer in animals. But this requirement clearly is too cautious.[1] As toxicologists become able to detect chemicals at the parts per billion or trillion level, virtually all foods will be found to contain traces of something objectionable. The problem thus is similar to the one faced by nuclear regulators when they recognized that containment no longer could be guaranteed in large reactors. In both cases, the zero-risk option (no risk of radiation exposure, no trace of a toxic compound) becomes impossible to achieve. Some risk is unavoidable, so the issue is then how much risk is acceptable.

For the greenhouse effect, the same question arises in a somewhat different form. It is not "How far should we go in reducing the risks?" but "How far should we reduce the uncertainties before beginning to reduce the risks?" A potential for catastrophic changes in climate due to greenhouse gases is undeniable, but there remain major uncertainties about the timing and magnitude of the risks as well as the costs associated with the regulatory options. At what point does the likelihood of catastrophe outweigh the costs of action? Possibly this point has not yet been reached, for most scientists and policy makers are still waiting for clarification of the greenhouse threat before deciding whether action is necessary. But this stance rests as much on judgment as on science.

If there is a difference between the greenhouse problem and the nuclear power and toxic substances cases, it is that the nondecision on the greenhouse effect has not been subject to as much controversy. Nevertheless, the potential for yet another open-ended, contentious debate is present, as illustrated by the simultaneous (though coincidental) release in late 1983 of two reports on the greenhouse effect. A National Academy of Sciences report concluded that any responses to the threat should await a reduction in the uncertainties. An EPA report, quickly disavowed by the Reagan administration, concluded the reverse: uncertainties notwithstanding, action should be taken soon. The issue, while not yet a full-blown controversy, looms ahead: how uncertain is uncertain enough?

Another way to put this is, "How much safety should we purchase?" Because people disagree about how much they are willing to spend to reduce risks to health and to the environment, political battles and compromises over safety expenditures are inevitable. This topic is inherently controversial, so it is no surprise that there are long-running, fiercely contested debates. When we consider not just the potential for catastrophe and strategies for avoiding it but also the issue of how stringently to employ those strategies to achieve a sensible balance of costs and benefits, the task facing regulators becomes much more demanding. Whereas regulators seem to be learning to handle the catastrophe-aversion problem, they are having a much harder time with the "How safe?" question.

Setting a Safety Goal

In the early 1980s, the Nuclear Regulatory Commission made an explicit attempt to resolve the "How safe?" question for nuclear power plants. We review that attempt here to illustrate the nature of the problem and the reasons that it has proven so difficult to resolve. The lessons that can be drawn from this example apply to most risky technologies.

The notion of explicitly addressing the "How safe?" issue emerged well before Three Mile Island, but the accident provided a strong impetus. Several post-accident analyses recommended that the NRC explicitly identify a safety goal: a level of risk at which reactors would be safe enough. Establishing such a goal, advocates believed, would end the interminable debates over whether reactors should be made safer. What quickly became apparent, however, was that establishing a stopping point was far easier to recommend than to achieve. To establish a safety goal, regulators would have to resolve two complex and politically sensitive issues. First, what is an acceptable risk of death and injury? And second, how should regulators determine whether reactors actually pose such an acceptably low risk?

Identifying an Acceptable Level of Risk

A commonly proposed solution to the first problem is to make the acceptable level of risk for nuclear reactors comparable to the risks associated with other technologies.[2] If society has accommodated these other technologies, the argument goes, it is reasonable to assume that society accepts the associated risks.

This approach has proven to be problematic. To begin with, an already accepted technology that bears comparison with nuclear energy is yet to be found. To illustrate this problem, consider the risks of driving an automobile. One can drive a large car or a small one; one can drive cautiously or recklessly, soberly or drunkenly, with seatbelts or without. In contrast, the risks of nuclear power are not as much within the individual's control; the only option an individual has is to move farther away from a reactor. The nature of the hazard associated with these two technologies differs also. Automobiles produce many fatalities through numerous independent events; a serious reactor accident might produce many fatalities from a single event. So does it make sense to compare automobiles with nuclear reactors? Some say "yes": a death is a death. Others say "no": high-probability, low-consequence risks that are partially subject to individual control are fundamentally different from low-probability, high-consequence risks over which the individual has no control.

A possible way to overcome this difficulty is to compare the risks from other sources of electricity with those from nuclear power. But this leads to a new problem: how to measure those risks. The hazards of coal are well known (air pollution, acid rain, and possible overheating of the earth's atmosphere), but the level of risk is uncertain.[3] Also in dispute is the range of risks that should be included in such a comparison. Should the risks of mining and transportation be included? What about the risks of waste disposal and sabotage? If the risks of nuclear power are compared to burning oil, what about the risks of a cutoff of oil from the Mideast or the chances of being involved in a war in the Mideast?

Using this comparative approach to define an acceptable level of risk for nuclear power also poses other problems. It assumes that society, after reasoned evaluation, actually has accepted the risks associated with these technologies. Judging from the controversies surrounding air pollution, acid rain, the greenhouse effect, and the health and safety of miners, millions of people do not accept the levels of risk currently posed by coal burning. Moreover, in cases where people seem to accept high risks for an activity that easily could be made significantly safer (such as driving a car), the implicit rejection of precautions that lower risks might not be rational. (Indeed, it is hard to see how the refusal to fasten seat belts can be anything but irrational.) Should the irrational standards that society applies to driving or other unnecessarily risky activities also be applied to nuclear power?

In spite of these problems, the NRC proposed a safety goal in February 1982, after about a year and a half of deliberations. Reactors would be considered safe enough when, among other requirements:

1. The risk to the population near the reactor of being killed in a reactor accident should not exceed 0.1 percent of the risk of being killed in any kind of an accident; and

2. The risk to the population living within fifty miles of the plant of eventually dying from cancer as a result of a reactor accident should not exceed 0.1 percent of the risk of dying from any other causes.[4]

When first proposed, the second of these goals set off a flurry of controversy because 0.1 percent of the cancer rate for a fifty-mile radius would amount to an average of three cancer fatalities per reactor per year. This would be a total of 13,500 deaths over the next thirty years in an industry of 150 reactors, a figure critics argued was too high. The NRC could have responded to this criticism by revising the second goal, but this would have triggered criticism from proponents of nuclear power, who would have argued that the goal was too strict compared with other risks that society accepts. Thus, both parts of the safety goal have remained as originally drafted.

Verifying That the Safety Goal Has Been Met

If, despite the difficulties, an acceptable level of risk could be agreed on by a majority of policy makers, regulators then would have to determine whether the goal actually has been met. To evaluate this, regulators must know the level of safety achieved by the various safety strategies: they must have the right facts. For nuclear regulators, such a task is even more difficult than identifying an acceptable risk level. The NRC recognized this, and announced that because of "the sizeable uncertainties . . . and gaps in the data base" regarding actual safety levels, the two goals would serve as "aiming points or numerical benchmarks," not as stopping points.[5]

As an illustration of factual uncertainties, consider the first NRC goal concerning the risks of being promptly killed by a reactor accident. Five people in ten thousand are killed by some kind of an accident each year. For a reactor with two hundred people living within a mile, the NRC's goal implies that the annual probability of an accident killing one person should be no more than one in ten thousand.[6] The probability (per reactor per year) of accidents in which ten people are killed should be no more than one in one hundred thousand, for one hundred deaths no more likely than one in a million, and so on.

These probabilities are minuscule; they are reassuring because they suggest that the NRC expects serious accidents to be extremely rare. But precisely because the probabilities are so small, it would take hundreds of years for an industry of one hundred reactors to accumulate enough experience to show that reactors satisfy the safety goal. Unless actual probabilities are much higher than those deemed acceptable, experience cannot help in determining whether the risks associated with reactors are as low as stipulated by the safety goal.

The only alternative to learning from experience for determining whether the actual probability of reactor accidents satisfies the safety goal is to use analytic techniques such as fault tree analysis; this, in fact, is how advocates of the safety goal propose to proceed. In fault tree analysis, the analyst attempts to identify all the possible sequences of errors and malfunctions that could lead to serious accidents. For each sequence, the probabilities of each of the errors and malfunctions must be estimated, and from these individual probabilities a probability estimate for the entire sequence is derived. Assuming that the various sequences of events are independent, the analyst then totals the probabilities of each of the sequences. This sum represents the probability estimate of a serious accident.

The key to this form of analysis is that the analyst does not attempt to estimate the probability of a serious accident directly. Because such events have never occurred, there is no data upon which to base an estimate. Instead, the analyst focuses on the sequence of events that would lead to the accident. Unlike the accident itself, the individual events in each of the sequences are relatively common, not only in reactors but also in a variety of industrial enterprises. For example, the nuclear industry has decades of experience with control rod mechanisms (which control the rate of chain reaction in the reactor), so it is possible to develop fairly reliable estimates of the likelihood that the mechanisms will fail. Similarly, from experience with the nuclear and other industries, it is possible to estimate the probability of power failures, pipe failures, pump failures, and so on.

Unfortunately, fault tree analysis is subject to the same uncertainties that have plagued nuclear regulators since the mid-1960s. What if the analysis fails to identify all the possible sequences of malfunctions that could lead to a serious accident? What if safety systems presumed to be independent actually are vulnerable to common faults? What if the probabilities of inherently uncertain problems, such as operator errors and terrorist attacks, have been underestimated? The regulator must thus confront yet another dilemma: the only practical method for determining the actual probability of reactor accidents is to use analytic techniques, but such techniques are subject to considerable uncertainties. At best, analysis can result in estimates of probabilities. The only way to verify these estimates is through experience, but experience, because of the very low probabilities, is of little help.
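The fault tree arithmetic just described, and the two weaknesses the chapter raises (an overlooked sequence and safety systems that share a common fault), can be made concrete in a few lines. The following is an added worked example, not material from the book or from any NRC analysis: every failure probability, event name and sequence in it is constructed for illustration, the beta-factor treatment of common-cause failure is a standard reliability-engineering model that the chapter does not itself name, and the goal ceiling is computed from the chapter's own figures (two hundred people within a mile, five accidental deaths per ten thousand people per year, a goal of 0.1 percent of that risk).

```python
"""Fault tree arithmetic for accident sequences, plus two ways the estimate
can be wrong: an omitted sequence and a common-cause dependency.
All probabilities here are constructed for illustration, not reactor data."""
from itertools import combinations
from math import prod

# Constructed per-reactor-year probabilities of basic events (hypothetical).
BASIC_EVENTS = {
    "offsite_power_loss": 1e-2,
    "diesel_generator_fails": 5e-2,
    "pump_A_fails": 1e-3,
    "pump_B_fails": 1e-3,
    "control_rods_stick": 1e-4,
    "operator_misdiagnoses": 1e-2,
}

# Each accident sequence is an AND of basic events (a minimal cut set).
SEQUENCES = {
    "station_blackout": ("offsite_power_loss", "diesel_generator_fails"),
    "both_cooling_pumps_fail": ("pump_A_fails", "pump_B_fails"),
    "failed_scram_plus_operator_error": ("control_rods_stick", "operator_misdiagnoses"),
}


def sequence_probability(events, probs=BASIC_EVENTS):
    """AND gate: multiply the probabilities of independent basic events."""
    return prod(probs[e] for e in events)


def top_event_sum(sequences=SEQUENCES, probs=BASIC_EVENTS):
    """The chapter's method: total the sequence probabilities.
    This is the rare-event approximation; it slightly overcounts overlaps."""
    return sum(sequence_probability(ev, probs) for ev in sequences.values())


def top_event_inclusion_exclusion(sequences=SEQUENCES, probs=BASIC_EVENTS):
    """Exact probability that at least one sequence occurs, assuming only the
    basic events are independent (sequences are allowed to share events)."""
    cut_sets = [frozenset(ev) for ev in sequences.values()]
    total = 0.0
    for k in range(1, len(cut_sets) + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cut_sets, k):
            union = frozenset().union(*combo)
            total += sign * prod(probs[e] for e in union)
    return total


def goal_ceiling(deaths, population=200, accident_death_rate=5e-4, fraction=1e-3):
    """Acceptable annual probability of an accident killing `deaths` people,
    from the chapter's figures: 200 people within a mile, 5 in 10,000 killed
    by some accident each year, and a goal of 0.1 percent of that risk."""
    return population * accident_death_rate * fraction / deaths


def both_fail_with_common_cause(p, beta):
    """Beta-factor model for two redundant components: a fraction `beta` of each
    component's failures comes from a shared cause that fails both at once."""
    common = beta * p
    independent = (1 - beta) * p
    return common + (1 - common) * independent ** 2


def common_cause_underestimate(p, beta):
    """Ratio of the dependent estimate to the naive independent product p*p."""
    return both_fail_with_common_cause(p, beta) / (p * p)


if __name__ == "__main__":
    print(f"estimated serious-accident probability: {top_event_sum():.3e} per reactor-year")
    print(f"goal ceiling for a one-death accident:  {goal_ceiling(1):.1e}")
    # An analyst who overlooked the station-blackout sequence would report:
    partial = {k: v for k, v in SEQUENCES.items() if k != "station_blackout"}
    print(f"with one sequence omitted:              {top_event_sum(partial):.3e}")
    # Independent pumps versus pumps sharing 10 percent common-cause failures:
    print(f"common-cause underestimate factor:      {common_cause_underestimate(1e-3, 0.1):.0f}x")
```

With these constructed numbers the summed estimate (about 5e-4 per reactor-year) sits above the 1e-4 ceiling for a one-death accident, dropping the station-blackout sequence cuts the reported figure by a factor of about 250, and assigning the two pumps a 10 percent shared-cause fraction makes their joint failure roughly a hundred times more likely than the independence assumption predicts. The numbers themselves mean nothing; the point is that both errors are invisible from inside the analysis, which is exactly why experience rather than analysis would be needed to catch them.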

Determining whether reactors satisfy a safety goal is further complicated by the fact that the consequences of core melts are uncertain. One of the effects of the mid-1960s shift to a prevention philosophy was that all research about the behavior of core melts halted. The argument was that since core melts were to be prevented, there was no need to study them. As a result, little is now known about the consequences of serious mishaps with the core. Among many other unknowns, it is not clear what portion of the radioactive fission products would actually escape from the reactor in a core melt.[7] It is also not known what would happen to the core if it melted entirely. Its heat might dissipate on the containment floor and the core solidify there instead of melting through. If the molten core came in contact with water accumulated on the containment floor, would it set off a steam explosion? If so, would it be powerful enough to rupture containment?

These and many other aspects of meltdowns are of critical importance in determining the actual risks of reactors, and all of these aspects are uncertain. If the actual risks of reactors are uncertain, then regulators cannot determine with confidence whether the risks associated with reactors are acceptable. They might agree on the levels of risk that would be acceptable, but because of the uncertain probabilities and consequences of reactor accidents, regulators do not know whether the actual risks are as low as required.

In general, most of the proponents of a safety goal failed to appreciate the significance of existing factual uncertainties. They urged the NRC to establish a goal, and (although this step was controversial) the NRC did so. Yet the goal had no impact on the nuclear regulatory process, which currently remains as open-ended and contentious as ever. A safety goal is of little value unless partisans in a dispute can recognize when the goal has been achieved. Ironically, such recognition is prevented by the very uncertainties that made the regulatory process open-ended and led to the demand for a safety goal.

Discussion

Establishing safety goals is the epitome of the analytic approach to risk analysis that dominates professional thinking. Various forms of risk-benefit analysis and cost-benefit analysis are often presented by risk professionals as ways to settle disagreements.[8] To be workable, however, all such analytic methods must confront the same two obstacles that the NRC faced in setting the safety goal: value uncertainties ("And how much for your grandmother?")[9] and factual uncertainties. No analytic methods surmount these obstacles.

With toxic chemicals, for example, regulators are confronted with essentially the same two questions as they are in the nuclear controversy. First, how large a risk of cancer is acceptable? Is it one in one thousand, one in ten thousand, one in a million? And then there is the factual uncertainty that arises with attempts to establish the actual level of risk. Chemical testing typically is performed with animals. Are the responses in animals comparable to responses in humans? Are the dosage rates comparable? Is it even possible to define the human population at risk? As with nuclear power, these questions are answered largely with assumptions, and to a considerable extent, the assumptions are untestable in practice.

For example, the pesticide EDB produces cancer in animals exposed to high dosage levels. We make the conservative assumption that it will do so in humans as well, but we may never be able to test this assumption. Obviously, we would not want to use humans as test subjects, so the only alternative is to use epidemiological evidence to study exposed populations. Such study is problematic, however, since the population that might be tested for low exposures to EDB might simultaneously have been exposed to so many other possible sources of cancer that it becomes impossible to link cause and effect. We can identify the presence of EDB and, in some cases, levels of exposure to it, but in practice we are not able to establish a close relationship to the possible effects.

It becomes apparent, on reflection, that there is something inappropriate about applying an analytic solution to risk disputes. Even putting aside all the practical difficulties of verifying when a safety goal has actually been achieved, the idea that conflicts of value can be reduced to a formula is at odds with the way that real people and real societies actually function. Of course, as discussed, society does, in a certain sense, implicitly accept various levels of risk from technologies now in use. But most people find it morally offensive to plan explicitly for the number of deaths and injuries that will be acceptable. Thus, it is not surprising that there is reluctance to directly confront the "How safe?" problem, even if it is "rational" to do so.

Moreover, while governments frequently deal with value-charged social issues (such as abortion), these issues rarely are quickly resolved. Instead, elements of the issue will repeatedly show up on governmental agendas over decades, producing compromises that gradually evolve with changing social mores. Analytic strategies rarely, if ever, affect these outcomes, and there is little reason to expect that the value side of risk disputes will depart from this pattern. To be workable, theories of risk management must be compatible with how society's value decisions actually are made.

In principle, establishing a safety target is a perfectly rational approach to improving the catastrophe-aversion system. In practice, it requires that touchy and politically charged value judgments be backed up by factual judgments that are difficult or impossible to verify. So analysis inevitably falls short, as illustrated in the cases studied. While analysis often can be useful as an adjunct, it rarely is a substitute for judgment and strategy.

A Strategic Approach to Improved Risk Management

To improve the efficiency and effectiveness of the catastrophe-aversion system, we must adopt a more strategic approach. We see four promising steps.

1. Attack egregious risks (those clearly worse than others even after allowing for uncertainties);

2. Seek and employ alternatives that transcend or circumvent risks;

3. Develop carefully prioritized research strategies to reduce key uncertainties;

4. Be actively prepared to learn from error, rather than naively expecting to fully analyze risks in advance or passively waiting for feedback to emerge.

Attack Egregious Risks

Because resources always are limited, society is forced to set priorities. Dollars spent to avert catastrophes are not available for social services. Money spent to avert one type of catastrophe is not available for averting other types. Priority setting can be done in a relatively systematic manner, or it can be done haphazardly. Priorities are now set haphazardly; we are grossly inconsistent in our attempts to reduce various kinds of risks.

For example, chemical wastes are many times greater in volume than radioactive wastes, and some are actually longer lived. Yet they tend to be buried in insecure landfills near the surface of the earth, rather than in the deep geological repositories being designed for radioactive wastes; and EPA regulations require that hazardous wastes be contained for only thirty years, compared with ten thousand years for radioactive wastes. And why do we worry about some exposures to radioactivity and not about others? In the mid-1970s, Swedish scientists examining newer housing found high levels of radon from concrete containing alum shale, high in radium. Researchers subsequently have found alarming levels of indoor radon in many parts of the United States; even average homes expose occupants to a cancer risk greater than that posed by most dangerous chemicals. Remedial steps to reduce radon risks are available, but regulation had not been initiated by 1986.[10]

This inconsistency in our approach to risks is by no means an exception, as we can see from the following data:[11]

Safety Measure                                                        Estimated Cost per Life Saved
Cancer screening programs                                             $10,000+
Mobile cardiac emergency units                                        $30,000
Smoke protectors                                                      $50,000+
Seat belts                                                            $80,000
Emergency core cooling system                                         $100,000
Scrubbers to remove sulfur dioxide from coal-fired power plants       $100,000+
Auto safety improvements, 1966–1970                                   $130,000
Highway safety programs                                               $140,000
Kidney dialysis treatment units                                       $200,000
Automobile air bags                                                   $320,000
Proposed upholstered furniture flammability standard                  $500,000
Proposed EPA drinking water regulations                               $2.5 million
Reactor containment building                                          $4 million
EPA vinyl chloride regulations                                        $4 million
OSHA coke fume regulations                                            $4.5 million
On-site radioactive waste treatment system for nuclear power plants   $10 million
OSHA benzene regulations                                              $300 million
Hydrogen recombiners for nuclear reactors                             $3 billion

This study shows that certain design changes in nuclear reactors would cost as much as $3 billion per life saved, whereas additional highway safety could be achieved for as little as $140,000 per life. Other analyses have resulted in somewhat different estimates, but it is clear that there is a vast discrepancy concerning funds spent to save lives from various threats.

Focusing political attention on the overall costs of averting risks would help balance such gross discrepancies. One course would be to establish a government agency or congressional committee with authority to set priorities for risk reduction. A more realistic option would make total expenditures subject to a unified congressional authorization procedure. Currently, competing proposals for risk abatement do not confront one another. New safety procedures required by the NRC for electric utilities that use nuclear power in no way impinge on the amount spent for highway safety, nor does either of these expenditures influence expenditures for testing and regulation of chemicals. The result is that safety proposals are not compared with each other, so neither government nor the media nor the public is forced to think about comparative risks.

Factual uncertainties prevent precise comparisons among risks, but precise comparisons often are not needed. There are such gross discrepancies in our approaches to different risks that much can be done to reduce these risks without having to confront the intractable uncertainties. Compared to attacking egregious risks that have been relatively unattended, making precise comparisons among risks that already are regulated seems like fine tuning. While it might be nice to make precise comparisons and resolve the "How safe?" debate, doing so is not as important as attacking the egregious risks. Unfortunately, such fine tuning preoccupies professional risk assessors, regulators, and political activists and results in a waste of time and energy.

Transcend or Circumvent Risks

A second strategic approach would take advantage of risk-reduction opportunities that circumvent troublesome risks. The greenhouse issue provides a good illustration. As discussed in chapter 6, virtually all attention devoted to this problem has focused on carbon dioxide emissions from combustion of fossil fuels. Yet fossil fuels are considered fundamental to contemporary life, and the costs of significant reductions in their use could be severe; so there is widespread reluctance to take any action without a much better understanding of the risks. The net effect is that we wait and debate whether the risk is real enough to warrant action. Until the uncertainties are reduced, there is no rational basis for resolving the debate.

But there may be an alternative. Carbon dioxide is not the only contributor to the greenhouse problem. Other gases, such as nitrous oxide, are also major factors. It is conceivable that emissions of these other gases might be easier to control and might thereby offer an opportunity to at least delay or reduce the magnitude of the greenhouse effect. The 1983 NAS and EPA studies make note of this possibility but do not analyze it in any detail.[12] By early 1986 little sustained attention had been paid to the policy options potentially available for reducing non-CO2 greenhouse gases.

Similarly, discussions of the options for combating the greenhouse effect have focused on costly restrictions on the use of high carbon fuels, but it may be possible to achieve at least some of the benefits of such restrictions through a much less costly combination of partial solutions. This combination of solutions might include partial reforestation, plus research on crop strains better adapted to dry climates, plus partial restrictions on only the highest carbon fuels.

Another means of circumventing uncertainties about a risk is to develop a method of offsetting the risk. Quite inadvertently, the ozone threat eased when it was found that low-flying airplanes emit chemicals that help produce ozone. Could a similar approach be pursued deliberately for some technological risks? In the greenhouse case, deliberate injection of sulphur dioxide or dust into the atmosphere might result in temporary cooling similar to that achieved naturally by volcanic dust. Deliberate intervention on such a scale might pose more environmental danger than the original problem, but careful analysis of this possibility surely is warranted.

The case of nuclear power provides another possible approach to circumventing risks and uncertainties about risks. Interest is growing in the notion of inherently (or passively) safe reactors: reactors for which there is no credible event or sequence of events that could lead to a meltdown. The reactor concepts now receiving the most attention include small high temperature gas cooled reactors and the PIUS reactor (a light water reactor with the core immersed in a pool of borated water).[13] Preliminary analyses indicate that these reactors are effectively catastrophe proof. Even if the control systems and cooling systems fail, the reactors will still shut themselves down.

Skeptics argue that the concept of inherent safety probably cannot be translated into practice, and that such reactors in any case would not be economical. But in the history of commercial power reactors there has never before been a deliberate attempt to build an inherently safe reactor, and some analysts believe that these new reactors can provide, if not "walk away" safety, at least substantially reduced risks. If this is true, these new reactor concepts provide the opportunity to short circuit much of the "How safe?" debate for nuclear power plants. If it can be shown that such reactors are resistant to core melts in all credible accident scenarios, then many of the open-ended and contentious safety arguments could be avoided. While we do not know whether inherently safe reactors will prove feasible, and while there are other controversial aspects of the nuclear fuel cycle (particularly waste disposal), nonetheless, the possibility that reactors could approach inherent safety is well worth considering. Resistance to this concept apparently is due more to organizational inertia than to sound technical arguments. Thus, in spite of the fact that the concept of inherent safety has been in existence for thirty years, society has been subjected to a bitter and expensive political battle that a more strategic approach to this topic might have circumvented.

A very different approach to transcending factual uncertainties is to compromise. When policy makers are at an impasse over how safe a technology is or should be, it may at times be possible to reach a solution that does not depend on the resolution of the uncertainties. This strategy is already used, but it is not employed consciously enough or often enough. Because each opportunity for creative compromise necessarily is unique, there can be no standard operating procedure. However, examples of the advantages of compromise abound.

For example, the Natural Resources Defense Council, EPA, and affected industries have reached several judicially mediated agreements that have accomplished most of the limited progress made to date against toxic water pollutants.[14] Another example is the negotiated approach to testing of priority chemicals adopted in 1980 by EPA toward the chemical industry. The possibility of creative compromise was not envisioned by the framers of the Toxic Substances Control Act, but neither was it prohibited. Numerous protracted analysis-based hearings and judicial challenges thereby have been avoided, and judging from the limited results available to date, testing appears to be proceeding fairly rapidly and satisfactorily.

Had compromises and tradeoffs been the basis for setting standards throughout the toxic substances field, many more standards could have been established than actually have been.[15] Then they could have been modified as obvious shortcomings were recognized. Of course, compromise agreements can be very unsatisfying to parties on either side of the issue who believe they know the truth about the risks of a given endeavor. But, by observing past controversies where there was under- or overreaction to possible risks, there is a fair prospect that all parties to future controversies gradually will become more realistic.

Reduce Uncertainties
Focused Research

A third option for strengthening the catastrophe-aversion system is to create research and development programs focused explicitly on reducing key factual uncertainties. This seems an obvious approach, yet it has not been pursued systematically in any major area of technological risk except for recombinant DNA. Of course, regulatory agencies have research and development (R&D) programs that investigate safety issues, but priorities ordinarily are not well defined and research tends to be ill matched to actual regulatory debates.

The greenhouse case again provides a good illustration, particularly since the uncertainties associated with it are so widely recognized as being at the heart of the debate about whether or not action is required. The NAS report could not have been more explicit about the importance of the uncertainties to the greenhouse debate:

Given the extent and character of the uncertainty in each segment of the argument (emissions, concentrations, climatic effects, environmental and societal impacts), a balanced program of research, both basic and applied, is called for, with appropriate attention to more significant uncertainties and potentially more serious problems.[16]

Yet as clearly as the report recognizes the importance of the factual uncertainties, it fails to develop a strategy for dealing with them. It merely cites a long list of uncertainties that requires attention. As we discussed in chapter 6, the NRC listed over one hundred recommendations, ranging from economic and energy simulation models for predicting long-term CO2 emissions, to modeling and data collection on cloudiness, to the effects of climate on agricultural pests.

Certainly answers to all of these questions would be interesting and perhaps useful; but, just as certainly, answers to some of them would be more important than answers to others. What are the truly critical uncertainties? What kinds of information would make the biggest differences in deciding whether or not to take action? As R&D proceeds and information is gained, are there key warning signals for which we should watch? What would be necessary to convince us that we should not wait any longer? Policy makers and policy analysts need a strategy for selectively and intelligently identifying, tracking, and reducing key uncertainties.

A similar problem arises in the case of nuclear power. In principle, nuclear regulators should systematically identify the central remaining safety uncertainties, the issues that will continue to lead to new requirements for regulations. Regulators should then devise a deliberate R&D agenda to address such uncertainties. A prime example is uncertainty about the behavior of the reactor core once it begins to melt. Clearly, this lies at the heart of the entire nuclear debate, since the major threat to the public results from core melts. Yet, as we discussed earlier, virtually no research was performed on core melts in the 1960s and 1970s.

Information and research resulting from the experience of Three Mile Island now have called into question some of the basic assumptions about core melts. For example, if the TMI core had melted entirely, according to the Kemeny Commission it probably would have solidified on the containment floor.[17] Even the nuclear industry had assumed that a melted core would have gone through the floor. Moreover, it appears that there were a variety of ways in which the core melt could have been stopped. Prior to the accident, the common assumption was that core melts could not be stopped once underway. Also overestimated, according to some recent studies, is the amount of radioactive material predicted to escape in a serious reactor accident: prior assumptions may have been ten to one thousand times too pessimistic.[18]

If such revised ideas about reactor accidents were to be widely accepted, they would have a substantial effect on the perceived risks of reactor accidents. But all such analyses are subject to dispute. To the extent feasible, therefore, it clearly makes sense to invest in research and development that will narrow the range of credible dispute without waiting for the equivalent of a TMI accident. As with the greenhouse effect, what is needed is a systematic review of prevailing uncertainties and an R&D program devised to strategically address them. The uncertainties that make the biggest difference must be identified, those that can be significantly reduced by R&D must be selected, and an R&D program focused on these uncertainties must then be undertaken. In other words, a much better job can be done of using analysis in support of strategy.

Reduce Uncertainty
Improve Learning from Error

As noted previously, learning from error has been an important component of the strategies deployed against risky technologies. But learning from error could be better used as a focused strategy for reducing uncertainties about risk. As such, it would constitute a fourth strategic approach for improving the efficiency and effectiveness of the catastrophe-aversion system.

The nuclear power case again offers a good illustration of the need to prepare actively for learning from error. Suppose that a design flaw is discovered in a reactor built ten years ago for a California utility company. Ideally, the flaw would be reported to the Nuclear Regulatory Commission. The NRC would then devise a correction, identify all other reactors with similar design flaws, and order all of them to institute the correction. In actual operation, the process is far more complicated and the outcome far less assured.

To begin with, in any given year the NRC receives thousands of reports about minor reactor mishaps and flaws. The agency must have a method of sifting this mass of information and identifying the problems that are truly significant. This is by no means a straightforward task, as exemplified by the flaw that triggered the Three Mile Island accident. A similar problem had been identified at the Davis-Besse reactor several years earlier, but the information that was sent to the NRC apparently was obscured by the mass of other data received by the agency. Several studies of the TMI accident noted this unfortunate oversight, and concluded that the NRC and the nuclear industry lacked an adequate mechanism for monitoring feedback. In response, the nuclear industry established an institute for the express purpose of collecting, analyzing, and disseminating information about reactor incidents. This action represents a significant advance in nuclear decision makers' ability to learn from experience.

Even with a well-structured feedback mechanism, there are still other obstacles to learning from experience. One such obstacle arises from the contentious nature of current U.S. regulatory environments, which can actually create disincentives to learning. Given the adversarial nature of the nuclear regulatory environment, many in the nuclear industry believe that they will only hurt themselves if they propose safety improvements in reactor designs. They fear that opponents of nuclear power will use such safety proposals to argue that existing reactors are not safe enough, and that regulators will then force the industry to make the change on existing reactors, not just on new ones. This would add another round of costly retrofits.

Another obstacle to learning from experience can arise from the nature of the industry. For example, the nuclear industry is composed of several vendors who over the years have sold several different generations of two different types of reactors to several dozen unrelated utility companies. Furthermore, even reactors of the same generation have been partially custom designed to better suit the particular site for which they were intended. The resulting nonuniformity of reactor design is a significant barrier to learning from experience, because lessons learned with one reactor are not readily applicable to others.

The design flaw uncovered at our hypothetical California utility's ten-year-old reactor probably can be generalized to the few reactors of the same generation (unless the flaw was associated with some site-specific variation of the basic design). It is less likely to apply to reactors built by the same vendor but of different generations, much less likely to apply to reactors of the same general type made by other vendors, and extremely unlikely to apply to other reactor types. Furthermore, lessons gained from experience in maintaining and operating reactors are also hard to generalize. Since reactors are owned by independent utilities, the experience of one utility in operating its reactor is not easily communicated to other utilities. In many respects, therefore, each utility must go through an independent learning cycle.

There also are significant barriers to learning about most toxic chemicals. The large number of such chemicals, the vast variety of uses and sites, and the esoteric nature of the feedback make the task of monitoring and learning from experience extraordinarily difficult. Yet the EPA's tight budget and the limited resources of major environmental groups mean that routine monitoring will not get the attention that is given to other, more pressing needs. What a good system for such monitoring would be is in itself a major research task, but just obtaining reliable information on production volumes, uses, and exposures would be a place to start.

The point, then, is that active preparation is required to promote learning from experience. The institutional arrangements in the regulatory system must be devised from the outset with a deliberate concern for facilitating learning from error. In the nuclear power case, the ideal might be a single reactor vendor, selling a single, standardized type of reactor to a single customer. The French nuclear system comes close to this pattern.[19]

Conclusion

In summary, there are at least four promising avenues for applying risk-reduction strategies more effectively. The first strategy is to make an overall comparison of risks and to focus on those that clearly are disproportionate. The second is to transcend or circumvent risks and uncertainties by employing creative compromise, making technical corrections, and paying attention to easier opportunities for risk reduction. The third strategy is to identify key uncertainties and focus research on them. The fourth is to prepare from the outset to learn from error; partly this requires design of appropriate institutions, but partly it is an attitudinal matter of embracing error as an opportunity to learn. Finally, implicit throughout this study is a fifth avenue for improvement: by better understanding the repertoire of strategies available for regulating risky technologies, those who want to reduce technological risks should be able to take aim at their task more consciously, more systematically, and therefore more efficiently.

Of these, the first strategy probably deserves most attention. Attacking egregious risks offers simultaneously an opportunity to improve safety and to improve cost effectiveness. As an example, consider the 1984 Bhopal, India, chemical plant disaster.[20] The accident occurred when:

A poorly trained maintenance worker let a small amount of water into a chemical storage tank while cleaning a piece of equipment;

A supervisor delayed action for approximately one hour after a leak was reported because he did not think it significant and wanted to wait until after a tea break;

Apparently as an economy measure, the cooling unit for the storage tank had been turned off, which allowed a dangerous chemical reaction to occur much more quickly;

Although gauges indicated a dangerous pressure buildup, they were ignored because "the equipment frequently malfunctioned";

When the tank burst and the chemical was released, a water spray designed to help neutralize the chemical could not do so because the pumps were too small for the task;

The safety equipment that should have burned off the dangerous gas was out of service for repair and anyway was designed to accommodate only small leaks;

The spare tank into which the methyl isocyanate (MIC) was to be pumped in the event of an accident was full, contrary to Union Carbide requirements;

Workers ran away from the plant in panic instead of transporting nearby residents in the buses parked on the lot for evacuation purposes;

The tanks were larger than Union Carbide regulations specified, hence they held more of the dangerous chemical than anticipated;

The tanks were 75 percent filled, even though Union Carbide regulations specified 50 percent as the desirable level, so that pressure in the tank built more quickly and the overall magnitude of the accident was greater.

The length of this list of errors is reminiscent of the Three Mile Island accident. The difference between the two incidents is that TMI had catastrophe-aversion systems that prevented serious health effects, while at least two thousand died in Bhopal and nearly two hundred thousand were injured. Even though the U.S. chemical industry is largely self-regulated, most domestic plants employ relatively sophisticated safety tactics that use many of the strategies of the catastrophe-aversion system. Still, questions remain about how effectively these strategies have been implemented.[21] For example, a 1985 chemical plant accident in Institute, West Virginia, while minor in its effects, revealed a startling series of "failures in management, operations, and equipment."[22]

The Bhopal and Institute incidents suggest that, relative to other risks, safety issues in chemical manufacturing deserve more governmental attention than they previously have received. In addition to whatever changes are warranted at U.S. chemical plants, special attention should be paid to the process of managing risk at many overseas plants owned by U.S. firms. If the practices at the Bhopal plant were typical, safety strategies abroad are haphazard. While the Bhopal incident has led to a fundamental review of safety procedures in chemical plants worldwide, it should hardly have required a catastrophe to reveal such a vast category of hazard. This oversight demonstrates that some entire categories of risk may not yet be taken into account by the catastrophe-aversion system.

The catastrophe-aversion system likewise was not applied, until recently, to hazardous waste in the United States. State and federal laws made no special provision for toxic waste prior to the 1970s; there were no requirements for initial precautions, or for conservatism in the amounts of waste that were generated. Systematic testing for underground contamination was not required, and waste sites were not monitored for potential problems. It is a tribute to the resilience of the ecosystem that after-the-fact cleanup now in progress has a good chance of keeping damage from past dumping below catastrophic levels. The next step is to find ways of limiting the generation of new wastes.

What does all this add up to? In our view, society's standard operating procedure should be as follows:

First, apply each of the catastrophe-aversion strategies in as many areas of risk as possible;

After this has been accomplished, proceed with more detailed inquiry, debate, and action on particular risks.

To pursue detailed debates on a risk for which a catastrophe-aversion system already is operative, continuing to protect against smaller and smaller components of that risk, is likely to be a misallocation of resources until the full range of potential catastrophes from civilian technologies has been guarded against. The "How safe?" questions that have become so much the focus of concern are matters of fine tuning; they may be important in the long run, but they are relatively minor compared to the major risks that still remain unaddressed.

Concluding Note

At the outset of this volume we quoted a highly respected social critic, Lewis Mumford, who claimed in 1970 that "The professional bodies that should have been monitoring our technology . . . have been criminally negligent in anticipating or even reporting what has actually been taking place." Mumford also said that technological society is "a purely mechanical system whose processes can neither be retarded nor redirected nor halted, that has no internal mechanism for warning of defects or correcting them."[23] French sociologist Jacques Ellul likewise asserted that the technological

system does not have one of the characteristics generally regarded as essential for a system: feedback. . . . [Therefore] the technological system does not tend to modify itself when it develops nuisances or obstructions. . . . [H]ence it causes the increase of irrationalities.[24]

Reflecting on different experiences several decades earlier, Albert Schweitzer thought he perceived that "Man has lost the capacity to foresee and forestall. He will end by destroying the earth."[25]

Although one of us began this investigation extremely pessimistic and the other was hardly an optimist, we conclude that Mumford, Ellul, Schweitzer, and many others have underestimated the resilience both of society and of the ecosystem. We found a sensible set of tactics for protecting against the potentially catastrophic consequences of errors. We found a complex and increasingly sophisticated process for monitoring and reporting potential errors. And we found that a fair amount of remedial action was taken on the basis of such monitoring (though not always the right kind of action or enough action, in our judgment).

Certainly not everyone would consider averting catastrophe to be a very great accomplishment. Most citizens no doubt believe that an affluent technological society ought to aim for a much greater degree of safety than just averting catastrophes. Many industry executives and engineers as well as taxpayers and consumers also no doubt believe that sufficient safety could be achieved at a lower cost. We agree with both. But wanting risk regulation to be more efficient or more effective is very different from being caught up in an irrational system that is leading to catastrophic destruction. We are glad and somewhat surprised to be able to come down on the optimistic side of that distinction.

Finally, what are the implications of the analysis in this volume for environmentally conscious business executives, scientists, journalists, activists, and public officials? Is it a signal for such individuals to relax their efforts? We do not intend that interpretation. The actions taken by concerned groups and individuals are an important component of the catastrophe-aversion system described in these pages. To relax the vigilance of those who monitor errors and seek their correction would be to change the system we have described. Quick reaction, sometimes even overreaction, is a key ingredient in that part of regulating risky technologies that relies on trial and error. So to interpret these results as justifying a reduction of efforts would be a gross misreading of our message.

Instead, we must redirect some of our concern and attention. Environmental groups should examine whether they could contribute more to overall safety by focusing greater attention on egregious risks that have not been brought under the umbrella of the catastrophe-aversion system instead of focusing primarily on risks that already are partially protected against. The Union of Concerned Scientists, for example, devotes extended attention to analyses of nuclear plant safety but has contributed almost nothing on the dangers of coal combustion, international standards for chemical plants, or toxic waste generation, egregious risks that have not been taken into account by catastrophe-aversion strategies. Regardless of whether contemporary nuclear reactors are safe enough, there is no question that they have been intensively subjected to the restraints of the catastrophe-aversion system. We doubt that much more safety will be produced by further debate of the sort that paralyzed nuclear policy making during the 1970s and 1980s. In general, we believe it is time for a more strategic allocation of the (always limited) resources available for risk reduction.

The main message of this volume, however, has been that the United States has done much better at averting health and safety catastrophes than most people realize, considering the vast scope and magnitude of the threats posed by the inventiveness of science and industry in the twentieth century. Careful examination of the strategies evolved to cope with threats from toxic chemicals, nuclear power, recombinant DNA, ozone depletion, and the greenhouse effect suggests that we have a reasonably reliable system for discovering and analyzing potential catastrophes. And, to date, enough preventive actions have been taken to avoid the worst consequences. How much further improvement will be achieved depends largely on whether those groups and individuals concerned with health and safety can manage to win the political battles necessary to extend and refine the strategies now being used. Because we have a long way to go in the overall process of learning to manage technology wisely, recognizing and appreciating the strengths of our catastrophe-aversion system may give us the inspiration to envision the next steps.
