Nuclear Safety
Ebook, 1,060 pages, 13 hours


About this ebook

Nuclear Safety provides the methods and data needed to evaluate and manage the safety of nuclear facilities and related processes using risk-based safety analysis, and provides readers with the techniques to assess the consequences of radioactive releases.

The book covers relevant international and regional safety criteria (US, IAEA, EUR, PUN, URD, INI). The contents deal with each of the critical components of a nuclear plant, and provide an analysis of the risks arising from a variety of sources, including earthquakes, tornadoes, external impact and human factors. It also deals with the safety of underground nuclear testing and the handling of radioactive waste.

  • Covers all plant components and potential sources of risk including human, technical and natural factors.
  • Brings together information on nuclear safety for which the reader would previously have to consult many different and expensive sources.
  • Provides international design and safety criteria and an overview of regulatory regimes.
Language: English
Release date: May 30, 2006
ISBN: 9780080460789
Author

Gianni Petrangeli

Dr. Gianni Petrangeli is Consultant to the IAEA (International Atomic Energy Association) for the preparation of nuclear safety guidelines and participation in safety evaluation missions. He is a researcher for nuclear safety for the European Commission and a member of the Faculty Council for the Doctorate in Nuclear and Industrial Safety, University of Pisa, Italy. Dr. Petrangeli spent time as a Professor of Nuclear & Industrial Safety and Environment at the University of Roma, and at the University of Pisa where he received his Doctorate in Nuclear and Industrial Safety and was also a Professor on Complex Safety Systems.


    Book preview

    Nuclear Safety - Gianni Petrangeli

    Nuclear Safety

    Gianni Petrangeli

    Butterworth-Heinemann

    Table of Contents

    Cover image

    Title page

    Preface

    Acknowledgements

    Chapter 1: Introduction

    Publisher Summary

    1-1 Objectives

    1-2 A short history of nuclear safety technology

    Chapter notes

    Chapter 2: Inventory and localization of radioactive products in the plant

    Publisher Summary

    Chapter 3: Safety systems and their functions

    Publisher Summary

    3-1 Plant systems

    3-2 Safety systems and accidents

    3-3 Future safety systems and plant concepts

    Chapter notes

    Chapter 4: The classification of accidents and a discussion of some examples

    Publisher Summary

    4-1 Classification

    4-2 Design basis accidents

    4-3 Beyond design basis accidents

    4-4 External accidents of natural origin

    Chapter notes

    Chapter 5: Severe accidents

    Publisher Summary

    5.1 Existing plants

    5.2 Future plants: extreme and practicable solutions

    5.3 Severe accident management: the present state of studies and implementations

    5.4 Data on severe accidents

    5.5 Descriptions of some typical accident sequences

    5.6 ‘Source terms’ for severe accidents

    Chapter 6: The dispersion of radioactivity releases

    Publisher Summary

    6-1 The most interesting releases for safety evaluations

    6-2 Dispersion of releases: phenomena

    6-3 Release dispersion: simple evaluation techniques

    6-4 Formulae and diagrams for the evaluation of atmospheric dispersion

    Chapter notes

    Chapter 7: Health consequences of releases

    Publisher Summary

    7-1 The principles of health protection and safety

    7-2 Some quantities, terms and units of measure of health physics

    7-3 Types of effects of radiation doses and limits

    7-4 Evaluation of the health consequences of releases

    Chapter notes

    Chapter 8: The general approach to the safety of the plant-site complex

    Publisher Summary

    8-1 Introduction

    8-2 The definition of the safety objectives of a plant on a site

    8-3 Some plant characteristics for the prevention and mitigation of accidents

    8-4 Radiation protection characteristics

    8-5 Site characteristics

    Chapter 9: Defence in depth

    Publisher Summary

    9-1 Definition, objectives, levels and barriers

    9-2 Additional considerations on the levels of Defence in Depth

    Chapter 10: Quality assurance

    Publisher Summary

    10-1 General remarks and requirements

    10-2 Aspects to be underlined

    Chapter 11: Safety analysis

    Publisher Summary

    11-1 Introduction

    11-1 Deterministic safety analysis

    11-3 Probabilistic safety analysis

    Chapter notes

    Chapter 12: Safety analysis review

    Publisher Summary

    12-1 Introduction

    12-2 The reference points

    12-3 Foreseeing possible issues for discussion

    12-4 Control is not disrespectful

    12-5 Clarification is not disrespectful

    12-6 Designer report

    12-7 Discussion

    Chapter notes

    Chapter 13: Classification of plant components

    Publisher Summary

    Chapter 14: Notes on some plant components

    Publisher Summary

    14-1 Reactor pressure vessel

    14-1 Piping

    14-3 Valves

    14-4 Containment systems

    Chapter 15: Earthquake resistance

    Publisher Summary

    15-1 General aspects, criteria and starting data

    15-2 Reference ground motion

    15-3 Structural verifications

    Chapter 16: Tornado resistance

    Publisher Summary

    16-1 The physical phenomenon

    16-2 Scale of severity of the phenomenon

    16-3 Design input data

    Chapter 17: Resistance to external impact

    Publisher Summary

    17-1 Introduction

    17-2 Aircraft crash impact

    17-3 Pressure wave

    17-5 Other impacts

    Chapter 18: Nuclear safety criteria

    Publisher Summary

    18-1 General characteristics

    18-2 The US general design criteria

    18-3 IAEA criteria

    18-4 EUR criteria

    18-5 Other general criteria compilations

    Chapter notes

    Chapter 19: Nuclear safety research

    Publisher Summary

    Chapter 20: Operating experience

    Publisher Summary

    20-1 Introduction

    20-2 Principal sources

    20-3 Some significant events

    20-4 The International Nuclear Event Scale

    Chapter 21: Underground location of nuclear power plants

    Publisher Summary

    Chapter 22: The effects of nuclear explosions

    Publisher Summary

    22-1 Introduction

    22-2 Types of nuclear bomb

    22-3 The consequences of a nuclear explosion

    22-4 Initial nuclear radiation

    22-5 Shock wave

    22-6 Initial thermal radiation

    22-7 Initial radioactive contamination (‘fallout’)

    22-8 Underground nuclear tests

    Chapter 23: Radioactive waste

    Publisher Summary

    23-1 Types and indicative amounts of radioactive waste

    22-2 Principles

    Chapter 24: Fusion safety

    Publisher Summary

    Chapter 25: Safety of specific plants and of other activities

    Publisher Summary

    25-1 Boiling water reactors

    25-2 Pressure tube reactors

    25-3 Gas reactors

    25-4 Research reactors

    25-5 Sodium-cooled fast reactors

    25-6 Fuel plants

    25-7 Nuclear seawater desalination plants

    25-8 VVER plants

    25-9 Ship propulsion reactors

    25-10 Safe transport of radioactive substances

    25-11 Safety of radioactive sources and of radiation generating machines

    Chapter 26: Nuclear facilities on satellites

    Publisher Summary

    26-1 Types of plant

    26-2 Possible accidents and their consequences

    Chapter 27: Erroneous beliefs about nuclear safety

    Publisher Summary

    Chapter 28: When can we say that a particular plant is safe?

    Publisher Summary

    Chapter 29: The limits of nuclear safety: the residual risk

    Publisher Summary

    29-1 Risk in general

    29-2 Risk concepts and evaluations in nuclear installation safety

    29-3 Residual risk: the concept of loss-of-life expectancy

    29-4 Risk from various energy sources

    29-5 Risk to various human activities

    29-6 Are the risk analyses of nuclear power plants credible?

    29-7 Proliferation and terrorism

    Additional references

    Appendix 1: The Chernobyl accident

    Appendix 2: Calculation of the accident pressure in a containment

    Appendix 3: Table of safety criteria

    Appendix 4: Dose calculations

    Appendix 5: Simplified thermal analysis of an insufficiently refrigerated core

    Appendix 6: Extracts from EUR criteria (December 2004)

    Appendix 7: Notes on fracture mechanics

    Appendix 8: US general design criteria

    Appendix 9: IAEA criteria

    Appendix 10: Primary depressurization systems

    Appendix 11: Thermal-hydraulic transients of the primary system

    Appendix 12: The atmospheric dispersion of releases

    Appendix 13: Regulatory framework and safety documents

    Appendix 14: USNRC Regulatory Guides and Standard Review Plan

    Appendix 15: Safety cage

    Appendix 16: Criteria for the site chart (Italy)

    Appendix 17: The Three Mile Island accident

    Glossary

    Web sites

    Index

    Preface

    Introduction

    I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated experience in the fields of nuclear safety and of radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety.

    From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them. Given this perspective, I have tried to collect the ideas, the data and the methods which, in many decades of professional work in several countries, are in my opinion the most useful for ‘integrated system’ evaluations of the plant safety.

    I have emphasized the complete site-plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise methods are, however, essential in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, in thermal-hydraulics, in radiation protection and in structural response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other ‘generalists’ suggests.

    Additionally, this book aims to cover some general and some unusual topics, such as: the overall conditions to be complied with by a ‘safe’ plant, the trans-boundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on.

    On some crucial issues, the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former Soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the Soviet approach to be a relatively lenient one, while the Soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases, the text tries to be objective and to quote the ‘Eastern’ view besides the ‘Western’ one, leaving future engineers and technical developments to decide on this issue.

    Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible.

    The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements.

    On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification; others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter.

    I have provided a list of references at the end of each chapter; however, a complete chapter (Additional references) is almost completely devoted to a list of some ‘institutional’ references (i.e. those published by the IAEA, by the Organization for Economic Cooperation and Development (OECD) and by the United States Nuclear Regulatory Commission (USNRC), which is one of the richest sources of publications among Regulatory Bodies). These additional references are labelled with the superscript AR. Many of these references can be consulted and even downloaded from the web sites listed in the Web sites chapter (see p. 425).

    Calculation sheets mentioned in the text may be downloaded from the publisher’s web site (http://books.elsevier.com/companions/0750667230); the way to use them is described in the text.

    Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g. the bodies responsible for the general energy strategy of a country and the ‘media’).

    I will be very grateful to my readers for any suggestion concerning improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material included: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline composed of many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.

    Acknowledgements

    I am very grateful to all the colleagues who have cooperated, deliberately or by chance, in supplying me with the material for these pages. I apologize to them if I don’t name them individually; this is not only because they are many, but because I am sure that I would inadvertently miss out some names.

    Gianni Petrangeli

    Chapter 1

    Introduction

    Publisher Summary

    This chapter describes ways for achieving the objectives of nuclear safety. The objectives of nuclear safety can be divided into a general objective, a radiation protection objective, and a technical objective. The general nuclear safety objective entails protecting individuals, society, and environment from harm by establishing as well as maintaining effective defenses against radiological hazards in nuclear installations. The radiation protection objective is to ensure mitigation of the radiological consequences of any accidents. Lastly, the technical safety objective is to take all reasonably practicable measures to prevent accidents in nuclear installations. The target for existing power plants can be defined by the International Nuclear Safety Advisory Group (INSAG). Severe accident management and mitigation measures should reduce the probability of large offsite releases. The entire refrigeration primary circuit should be located completely inside the containment. The expression ratcheting can also be used to describe the action of the control bodies in the field of the improvement of the plants.

    1-1 Objectives

    The objectives of nuclear safety consist in ensuring that the siting and the plant conditions comply with adequate principles, such as, for example, the internationally accepted health, safety and radio-protection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable (the ALARA – As Low As Reasonably Achievable – Principle) in all operational conditions and in case of accidents.

    These objectives are frequently subdivided into a General Objective, a Radiation Protection Objective and a Technical Objective: for example, in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org).

    The General Nuclear Safety Objective [AR1] is to protect individuals, society and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations.

    The Radiation Protection Objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and as low as reasonably achievable, and to ensure mitigation of the radiological consequences of any accidents.

    The Technical Safety Objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low.

    The target for existing power plants consistent with the Technical Safety Objective has been defined by the INSAG (International Nuclear Safety Advisory Group, advisor to the IAEA Director General) [AR185] as a likelihood of occurrence of severe core damage that is below about 10⁻⁴ events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about 10⁻⁵ such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large off-site releases requiring short-term off-site response by a factor of at least 10.

    It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require that the likelihood and the severity of accidents be decreased, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include on-site accident management systems (procedures, equipment, operators) and off-site intervention measures. The greater the potential hazard of a release, the lower must be its likelihood.

    The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.

    1-2 A short history of nuclear safety technology

    1-2-1 The early years

    The first reactor, the ‘Fermi pile’ CP1 (or Chicago Pile 1, built in 1942) was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1–1) were:

    Figure 1-1 Drawing of the CP1 pile. Scram – this term means ‘fast shutdown of a reactor’: various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by ‘SCRAM’, the abbreviation of ‘Safety Control Rod Ax Man’. The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name ‘Mister Scram’. The drawing is courtesy of Prof. Raymond Murray.

    • gravity driven fast shutdown rods (one was operated by cutting a retaining rope with an axe); and

    • a secondary shutdown system made of buckets containing a cadmium sulphate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

    Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant.

    Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g. Hanford, WA), they didn’t need containment systems.

    In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.).¹

    In the 1980s and 1990s, a revision of the ‘simplified’ approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

    • the open cycle cooling of the reactors and non-pressure-resistant containments;

    • the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and of consequent leaks;

    • the storage of spent fuel elements in leaking pools of water.

    1-2-2 From the late 1950s to the Three Mile Island accident

    Since the early 1960s and even before, in the West, the criterion of locating power reactors in a leak-proof and pressure resistant containment vessel was established and consolidated. In those cases where a significant release of radioactive products could be possible, the design pressure of the containment was chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems.

    Indeed, since the 1950s, the US ‘Reactor Safeguards Committee’, set up by the Atomic Energy Commission with the task of defining the guidelines for nuclear safety, had indicated that, for a non-contained reactor, an ‘exclusion distance’ (without resident population) should be provided. This distance, R, had to be at least equal to that given by Eq. 1.1.

    (1.1)

    where Pth is the thermal power of the reactor in kilowatts.

    For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases. An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the USA; therefore, the decision of adopting a containment is practically a compulsory one.

    The first reactor with leakproof and pressure resistant containment was the SRI reactor (West Milton, NY, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion, this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit.

    In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water.

    In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment (the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus, at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building. Still many years afterwards, the Russian reactors of the VVER 230 series, although provided with complete ‘Western-style’ containment, had a leakage rate from the containment of the order of 25 per cent each day (to be compared with figures of the order of 0.2 per cent each day from typical Western containments).²

    Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed.

    More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgement of expert committees. These situations included the worst ‘credible’ events (such as the complete severance of the largest primary pipe). The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a ‘single failure’ consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system and so on).³

    On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of non-governmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the above mentioned accident assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the ‘optimists’ were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.

    The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an auto-catalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the Atomic Energy Commission (AEC) on the Semiscale facility at the US National Laboratory of Idaho Falls towards the end of the 1960s, when many US reactors had already been ordered and were being designed or built.

    Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the ‘pipe whip’ effect).

    All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogous to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (‘backfitting’) extended the construction times of the plants, together with their costs.

    It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigour and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.

    The increase in costs as a consequence of the continuous requests for plant improvements was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the Atomic Energy Commission, Lewis Strauss, who famously stated that nuclear energy would become ‘too cheap to meter’. In this period, the expression ‘ratcheting’ was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research.

    This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design.

    In this period a diverse approach to plant siting developed and was consolidated in the USA and in Western Europe. In the USA, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site-plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarised as follows:

    • The existence of an ‘exclusion zone’ around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management.

    • The existence of a ‘low population zone’ around the plant, which could be quickly evacuated (within hours) in case of accident to the plant.

    • The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the TID release (Di Nunno et al., 1962).

    • A dose limit of 250 mSv (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within two hours after the accident at the border of the exclusion zone.

    • Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.

    The exclusion zone was established at a radius of 800-1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a).

    The conventional release from the core was as follows:

    • For iodine-131: 50 per cent of the core inventory, of which 50 per cent only is available in the containment for external release (deposition and plate out in the primary circuit).

    • The iodine available for external release is 91 per cent elemental, 5 per cent particulate and 4 per cent organic iodide (methyl iodide).

    • Noble gases are totally released to the containment.

    Independent criteria were then established for the design of the plant.

    In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case by case basis).

    On the other hand, in Europe, the site selection criteria usually consider the site-plant complex. Therefore, for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents.

    The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel-clad interface, equal to one to five per cent of the total core inventory, instead of the TID 50 per cent.

    In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the USA (approximately 200 inhabitants per square kilometre and 30 per square kilometre, respectively). It is therefore much more difficult to find low population sites in Europe.

    The different population densities in Europe and the USA have also brought about differences in accident emergency plans: in the USA, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centres with tens, hundreds or thousands of inhabitants. Here too, the countries’ differences in demographic conditions have to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks).

    The practice in the Far East (Japan, South Korea) is similar to the European one.

    These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source. Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18). The aim of agreeing common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example leaving to the freedom of each country the definition of acceptable distances or doses.

    In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against non-natural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of Quality Assurance (QA) in design, construction and operation of plants.

    The first of these, the defence against non-natural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelop a sufficient number of sabotage events based on the use of explosives. Therefore, as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as ‘protection against plane crash’.

    Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland and Italy, while in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport. No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences. (See Chapter 17 for more on aircraft impact.)

    The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC – the successor to the Atomic Energy Commission in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant. It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it. Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. 
Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgement instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations.

    In the history of nuclear safety technology, the Rasmussen report did not solely represent a methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants.

    Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. Certainly this represents remarkable progress towards the achievement of products better complying with their specifications; however, the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.

    1-2-3 From the Three Mile Island accident to the Chernobyl accident

    In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, USA) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer.

    This accident demonstrated that the attitude of many technical people towards nuclear safety was careless and optimistic. It could also be concluded that bad ‘surprises’ caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset towards safety itself.

    These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators.

    It can be said that this accident completely changed the attitude of the industry towards safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure resistant containment) was acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations (INPO) in the USA and the World Association of Nuclear Operators (WANO) internationally. In the USA, within the NRC, a specific Office was created (Analysis and Evaluation of Operational Data – AEOD) for the analysis and the dissemination of operating experience. Long lists of ‘lessons learned’ were prepared and a ‘Three Mile Island Action Plan’ compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of Defence in Depth and the concept of Safety Culture.

    According to a number of experts, in particular from the former USSR, the attitude of the industry towards safety also changed in Eastern Europe after the TMI accident: already in the early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements.

    The Defence in Depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, the containment, etc. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans.

    The Safety Culture concept is defined as the set of convictions, knowledge and behaviour in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.

    The result of these initiatives, together with the Rasmussen report and the TMI accident, convinced many countries to give attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants.

    A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:

    • the core does not exceed the limits of irreversible damage of the fuel (e.g. 1200°C maximum temperature, 17 per cent local oxidation of the claddings, etc.) (US Code of Federal Regulations, 2004b);

    • the external releases do not exceed the maximum tolerable ones, according to the national criteria in force.

    In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes ‘severe’ is the attainment of 1200°C in the fuel cladding since at about this temperature the progression of the water-cladding exothermic reaction becomes auto-catalytic and proceeds at a high rate. The IAEA definition for severe accidents is ‘accident conditions more severe than a design basis accident and involving significant core degradation’.AR49

    All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:

    • portable electric energy generators, transportable from the plant to another on the same site or on a different site;

    • procedures to supply electric energy to the essential loads, in case of total loss of electric power;

    • procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.

    By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany and Sweden (and others) have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow over-pressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the USA, concluded that these systems were not needed, on the basis of a cost-benefit analysis.

    In Italy, a set of criteria was developed, the ‘95-0.1 per cent criterion’, according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1 per cent of the core inventory could be avoided with a probability higher than 95 per cent, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200°C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden.

    Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system (CRS) could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP 600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.

    1-2-4 The Chernobyl accident and after

    In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power auto-catalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an ‘inverted scram’).

    The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons.

    Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs).

    The general lesson to be learned is always the same: no weak points compromising safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities. I don’t believe, as some anti-nuclear people maintain, that ‘if an accident can happen, sooner or later it will happen’; however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.

    However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.

    A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were circulated among the experts after the Chernobyl accident.

    The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.¹⁰

    Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country towards the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs.

    In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:

    • Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety.

    • Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.

    The USA was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population.

    The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither these new concepts nor the industrial weight of the NRC certification is sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.

    A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities, which indicated that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e. with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC.

    A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency towards the reduction of emergency plans is the French-German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g. molten core containment structures, ‘core catchers’, multiple devices for the quick recombination of hydrogen, voluntary primary system depressurization, etc.).

    New concepts based on passive safety presently under study are the Pebble Bed Modular Reactor (PBMR – gas cooled, high temperature, helium operated, direct cycle turbine generators) supported by an international group based in South Africa, the IRIS reactor (a PWR with steam generators integrated in the reactor pressure vessel) and the already mentioned AP1000. Other concepts still under study but already proposed exist.AR152, AR244

    As usual, the future is difficult to forecast; however, when nuclear energy becomes unquestionably necessary, it will be generally accepted. The investors will not have the continuous concern of its competitiveness, and the safety of the plants, which is already at a very good level, will be still more guaranteed.¹¹

    Chapter notes

    Figure 1-2 Sketch for a discussion on a break in a pressure tube reactor.

    References

    Bourgeois, J., Tanguy, P., Cogné, F., Petit, J. La Surete Nucleaire en France et dans le Monde. Paris: Polytechnica; 1996.

    Di Nunno, J., Baker, R. E.D., Anderson, F. D., Waterfield, R. L. Calculation of distance factors for power and test reactor sites. USAEC, TID-14844. 1962.

    Glasstone, S. Nuclear Reactor Engineering. Princeton, NJ: Van Nostrand; 1963.

    US Code of Federal Regulations. Part 100: Reactor Site Criteria. US Government; 2004.

    US Code of Federal Regulations. Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors. US Government; 2000.


    ¹ What radiation dose did Fermi and the other scientists absorb during the first criticality? Taking into account that the reactor was kept in a critical state for roughly half an hour and that the power was equal to about 0.5 W, an order of magnitude evaluation using current data [Glasstone, 1963] shows that the dose due to neutrons and to gamma rays was of the order of 10 μSv (1 mrem); very low indeed.

    ² According to a number of experts, in particular from the former USSR, this situation is not to be viewed as the outcome of a more rigorous attitude in the West than in the East. There were different safety philosophies in East and West: the former focused on accident prevention without much care of the high cost (at least in the case of VVER reactors), the latter focused more on mitigation of accidents, with a strong effect on the results from cost-benefit considerations. The debates on relativism in philosophy (ethics or epistemology, for example) have some similarity with these arguments. Indeed, relativism has not to be identified, as some of its critics say, with the thesis that all points of view are equally valid, but with the thesis that one thing (moral values, beauty, knowledge, taste, meaning and nuclear safety criteria, too) is relative to some particular framework or standpoint (e.g. the individual subject, a culture, an era, a language or a conceptual scheme). Moreover, no standpoint is uniquely privileged over all others. With these kinds of highly controversial similarities, it is easy to understand that any attempt to resolve the issue by discussions may scarcely be productive and that only the future will indicate where the relative merits are higher.

    ³ This method of defining the accidents to be considered in the design was subsequently named the ‘deterministic method’, to be distinguished from the ‘probabilistic method’ based on the evaluation of the probability of the various accidental events. Presently, however, the choice criteria are generally a combination of the two approaches.

    ⁴ ‘Pipes leak, pipes crack, pipes are corroded, but pipes don’t break’, one of the senior US industry engineers used to repeat. And indeed, in the light of subsequent ‘experience’ (now equivalent to more than 10000 reactor-years of operation) very few guillotine breaks of large pipes have happened. Moreover, most of these cases have not happened in primary pipes, but in pipes not submitted to the most stringent design and operation practices (periodic inspections and so on). Only two cases have happened in two feed-water pipes, weakened by erosion. On the other hand, the figures based on the assumption of a complete break of the largest pipe in the plant afford protection from a number of different events not explicitly considered, such as the flange bolts breaking in large valves (several cases of ‘near misses’ of this kind have happened), the partial rupture of pump casings caused by rotor failure, etc.

    ⁵ Towards the end of the 1960s, two eminent nuclear designers discussed with a safety reviewer the pipe rupture assumptions for a pressure tube reactor under design. The technical problem under discussion is sketched in Figure 1-2. If the cooling water pipes ruptured, the designers declared that the cooling of the fuel contained in each pressure channel was ensured as a valve at the inlet of each channel (shown in the drawing) would be closed in order to force the emergency cooling water to flow into the channel and to cool the fuel before reaching the rupture point and spilling into the containment. When the safety reviewer pointed out that this design objective would not be reached if the rupture had happened in the position marked with an X, their answer was ‘Safety is not a game with rigid and meticulous rules, sir! More room should be left to technical judgement!’ It has to be appreciated that in the nuclear safety profession everybody knows that an accidental break has to be assumed at every location on every pressure pipe and that, in these conditions, the plant must continue to be safe; so, it is ridiculous that somebody tries to resort to the difference between nuclear safety and a game in order to justify a departure from this rule concerning the break location.

    Many years afterwards, this sentence came again to my mind after the TMI accident in which the only rupture position for which the primary water loss could have created the situation of an ‘empty pressure vessel and filled up pressurizer’ which totally confused the operators and induced them to shut off the emergency injection system was precisely the one which happened, namely at the top of the pressurizer. This anecdote is representative of a state of mind prevalent in the industry in the period of time up to the TMI accident, that is that the current accident assumptions were excessive so that their implementation could be rather flexible without adverse consequences.

    ⁶ The reference, in the US criteria, to 250 mSv total body and 3 Sv thyroid doses may be intriguing for some people. Indeed, nowadays, no acceptance criterion includes such high figures: the effective dose limits for design basis accidents (credible accidents) are 10 to 100 times lower. Indeed, in the 1950s and 1960s, the figures adopted in the US criteria were officially considered as maximum tolerable doses for serious accidents. Over time, however, progress in radiation protection knowledge has brought about an additional decrease in the tolerability limits, therefore the figures initially adopted in the USA have become ‘completely conventional numbers’, losing their (uncertain) original physical-biological meaning. The question arises as to why these figures have not been updated. Here, as in many other cases in the nuclear safety field, perhaps the consideration
