
Nuclear safety


DOCUMENT INFORMATION

Basic information

Title: Nuclear Safety
Author: Gianni Petrangeli
Institution: Elsevier Butterworth-Heinemann
Subject: Nuclear Safety
Type: Book
Year of publication: 2006
City: Oxford
Format:
Pages: 447
File size: 4.19 MB


30 Corporate Drive, Suite 400, Burlington, MA 01803

First edition 2006

Copyright © 2006, Gianni Petrangeli. Published by Elsevier Butterworth-Heinemann. All rights reserved.

The right of Gianni Petrangeli to be identified as the author of this work has been asserted in accordance with the Copyright, Designs and Patents Act 1988.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means electronic, mechanical, photocopying, recording or otherwise without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier’s Science & Technology Rights Department in Oxford, UK: phone (+44) (0) 1865 843830; fax (+44) (0) 1865 853333; email: permissions@elsevier.com. Alternatively you can submit your request online by visiting the Elsevier web site at http://elsevier.com/locate/permissions, and selecting Obtaining permissions to use the Elsevier material.

Notice

No responsibility is assumed by the publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made.

British Library Cataloguing in Publication Data

A catalogue record for this book is available from the British Library.

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress.

ISBN 13: 978-0-7506-6723-4

ISBN 10: 0-7506-6723-0

For information on all Butterworth-Heinemann publications visit our web site at http://books.elsevier.com

Printed and bound in the UK

06 07 08 09 10 10 9 8 7 6 5 4 3 2 1

Contents

1-2 A short history of nuclear safety technology
1-2-1 The early years
1-2-2 From the late 1950s to the Three Mile Island accident
1-2-3 From the Three Mile Island accident to the Chernobyl accident
1-2-4 The Chernobyl accident and after

3-2 Safety systems and accidents
3-3 Future safety systems and plant concepts
3-3-1 General remarks
3-3-2 Some passive safety systems for nuclear plants
3-3-3 Inherently safe systems in the process industries
References
Chapter notes

Chapter 4 The classification of accidents and a discussion of some examples
4-1 Classification
4-2 Design basis accidents
4-2-1 Some important data for accident analysis
4-2-2 Example of a category 2 accident: spurious opening of a pressurizer safety valve
4-2-3 Example of a category 3 accident: instantaneous power loss to all the primary pumps
4-2-4 Example of a category 4 accident: main steam line break
4-2-5 Example of a category 4 accident: sudden expulsion of a control rod from the core
4-2-6 Example of a category 4 accident: break of the largest pipe of the primary system (large LOCA)
4-2-7 Example of a category 4 accident: fuel handling accident
4-2-8 Area accidents

4-3 Beyond design basis accidents
4-3-1 Plant originated accidents
4-3-2 Accidents due to human voluntary

5-3 Severe accident management: the present state of studies and implementations
5-4 Data on severe accidents
5-5 Descriptions of some typical accident sequences
5-5-1 Loss of station electric power supply (TE = transient + loss of electrical supply)
5-5-2 Loss of electric power with LOCA from the pump seals (SE = small LOCA + loss of electric power)
5-5-3 Interfacing systems LOCA (V)
5-5-4 Large LOCA with failure of the

6-2 Dispersion of releases: phenomena
6-3 Release dispersion: simple evaluation techniques
6-4 Formulae and diagrams for the evaluation of atmospheric dispersion
Reference
Chapter notes

Chapter 7 Health consequences of releases
7-1 The principles of health protection and safety
7-2 Some quantities, terms and units of measure of health physics
7-3 Types of effects of radiation doses and limits
7-4 Evaluation of the health consequences of releases
7-4-1 Evaluation of inhalation doses from radioactive iodine
7-4-2 Evaluation of doses due to submersion in a radioactive cloud
7-4-3 Evaluation of the doses of radiation from caesium-137 deposited on the ground (‘ground-shine’ dose)
7-4-4 Evaluation of the dose due to deposition of plutonium on the ground
7-4-5 Indicative evaluation of long distance doses for very serious accidents to nuclear reactors
7-4-6 Direct radiation doses
Reference
Chapter notes

Chapter 8 The general approach to the safety of the plant-site complex
8-1 Introduction
8-2 The definition of the safety objectives of a plant on a site
8-2-1 The objectives and limits of release/dose
8-3 Some plant characteristics for the prevention and mitigation of accidents
8-4 Radiation protection characteristics
8-5 Site characteristics

Chapter 9 Defence in depth
9-1 Definition, objectives, levels and barriers
9-2 Additional considerations on the levels of Defence in Depth

11-2 Deterministic safety analysis
11-3 Probabilistic safety analysis

12-2 The reference points
12-3 Foreseeing possible issues for discussion
12-4 Control is not disrespectful
12-5 Clarification is not disrespectful

14-1 Reactor pressure vessel
14-1-1 Problems highlighted by operating experience
14-1-2 Rupture probability of non-nuclear vessels
14-1-3 Failure probability of nuclear vessels
14-1-4 Vessel material embrittlement due to neutron irradiation
14-1-5 Pressurized thermal shock
14-1-6 The reactor pressure vessel of Three Mile Island 2
14-1-7 General perspective on the effect of severe accidents on the pressure vessel
14-1-8 Recommendations for the prevention of hypothetical accidents generated by the pressure vessel
14-2 Piping
14-2-1 Evolution of the regulatory positions
14-2-2 Problems indicated by experience
14-2-3 Leak detection in water reactors
14-2-4 Research programmes on piping
14-3 Valves
14-3-1 General remarks
14-3-2 Some data from operating experience
14-3-3 The most commonly used types of valve
14-3-4 Types of valve: critical areas, design and operation
14-3-5 Valve standards
14-4 Containment systems
References

Chapter 15 Earthquake resistance
15-1 General aspects, criteria and starting data
15-2 Reference ground motion
15-3 Structural verifications
15-3-1 Foundation soil resistance
15-3-2 Resistance of structures
References

Chapter 16 Tornado resistance
16-1 The physical phenomenon
16-2 Scale of severity of the phenomenon
16-3 Design input data

17-2 Aircraft crash impact
17-2-1 Effects of an aircraft impact
17-2-2 Overall load on a structure
17-2-3 Vibration of structures and components
17-2-4 Local perforation of structures
17-2-5 The effect of a fire
17-2-6 Temporary incapacity of the

Chapter 21 Underground location of nuclear power plants
References

Chapter 22 The effects of nuclear explosions
22-1 Introduction
22-2 Types of nuclear bomb
22-3 The consequences of a nuclear explosion
22-4 Initial nuclear radiation
22-5 Shock wave
22-6 Initial thermal radiation
22-7 Initial radioactive contamination (‘fallout’)
22-8 Underground nuclear tests
22-8-1 Historical data on nuclear weapons tests
22-8-2 The possible effects of an underground nuclear explosion
22-8-3 The possible radiological effects of the underground tests
References

Chapter 23 Radioactive waste
23-1 Types and indicative amounts of radioactive waste
23-2 Principles
Reference

Chapter 24 Fusion safety
References

Chapter 25 Safety of specific plants and of other activities
25-1 Boiling water reactors
25-2 Pressure tube reactors
25-9 Ship propulsion reactors
25-10 Safe transport of radioactive substances
25-11 Safety of radioactive sources and of radiation generating

When can we say that a particular plant is safe?

Chapter 29 The limits of nuclear safety: the residual risk
29-1 Risk in general
29-2 Risk concepts and evaluations in nuclear installation safety
29-2-1 Tolerable risk
29-2-2 Risk-informed decisions
29-3 Residual risk: the concept of loss-of-life expectancy
29-4 Risk from various energy sources
29-5 Risk to various human activities
29-6 Are the risk analyses of nuclear power plants credible?
29-7 Proliferation and terrorism
References

Additional references

Appendices

Appendix 1 The Chernobyl accident
A1-1 Introduction
A1-2 The reactor
A1-3 The event
References

Appendix 2 Calculation of the accident pressure in a containment
A2-1 Introduction
A2-2 Initial overpressure
A2-3 Containment pressure versus time
A2-3-1 Introductory remarks
A2-3-2 Calculation method
A2-3-3 Heat exchanged with the outside through the metal container
A2-3-4 Heat released by hot metals
A2-3-5 Heat exchanged with cold metals
A2-3-6 Heat exchanged with concrete layers
A2-3-7 Decay heat
A2-3-8 Heat removed by the spray system internal to the containment
A2-3-9 Solar heat
A2-3-10 Thermal balance in the interval 
A2-3-11 Considerations on the performance of the calculation and on the choice of the input data
A2-3-12 Example calculation
References

A4-2-4 Ground shine long-term dose
A4-3 Explorative evaluation of the radiological consequences of a mechanical impact on a surface storage facility for category 2 waste
A4-3-1 Type of repository
A4-3-2 Reference impact
A4-3-3 Fragmentation and dispersion of material
A4-3-4 Doses
A4-3-5 Conclusions
A4-4 Explorative evaluation of the radiological consequences of a mechanical impact on a transport/storage cask containing spent fuel
A4-4-1 Characteristics of the cask
A4-4-2 Reference impact
A4-4-3 Amount of significant fission products in the internal atmosphere of the cask and external release in

Simplified thermal analysis of an insufficiently refrigerated core
A5-1 Analysis of the core without refrigeration
A5-2 Other formulae and useful data for the indicative study of the cooling of a core after an accident
References

Appendix 6 Extracts from EUR criteria (December 2004)
2-1-8-3 List of design basis conditions
2-1-8 Tables
2-1-8-1 Table 1: Radiological criteria for radioactive releases in normal operation and incident conditions
2-1-8-2 Table 2: Frequencies and acceptance criteria for normal operation, incident and accident conditions
2-1-B-1 Criteria for limited impact for DEC
2-1-B1-1 Table B1: Criteria for limited impact for no emergency action beyond 800 m from the reactor
2-1B 1-2 Table B2: Criteria for limited impact for no delayed action beyond 3 km from the reactor
2-1B 1-3 Table B3: Criteria for limited impact for no long-term actions beyond 800 m from the reactor
2-1B 1-4 Table B4: Criteria for limited impact for economic impact
2-1 B2 Release targets for design basis category 3 and 4 conditions
2-1-B-2-1 Table B5: DBA release targets for no action beyond 800 m from the reactor
2-1-B-2-2 Table B6: DBA release targets for economic impact
2-1-2-3 Operational staff doses during normal operation and incidents
2-1-2-6 Probabilistic safety targets
2-1-3-4 Single failure criterion
2-1-4-3-2 Complex sequences that may be considered in DEC
2-1-6-8 Classification of the safety functions and categorisation of the equipment
2-1-6-6-3 Requirements according to level of safety functions
2-1-6-8-4 Assignment of equipment and structures to a safety category

2-1-6-8-5 Requirements on equipment and structures according to safety category
2-1-6-8-6 Classification of structures and equipment according to the design and construction

A8-3-1 Overall requirements
A8-3-2 Protection by Multiple Fission Product Barriers
A8-3-3 Protection and Reactivity Control Systems
A8-3-4 Fluid Systems
A8-3-5 Reactor Containment
A8-3-6 Fuel and Radioactivity Control
Notes

Appendix 9 IAEA criteria

Appendix 10 Primary depressurization systems
A10-1 Initial studies
A10-2 Depressurization systems for modern design reactors
References

Appendix 11 Thermal-hydraulic transients of the primary system
A11-1 General remarks
A11-2 General program characteristics
A11-3 Program description
A11-3-1 Macro Stampa dati
A11-3-2 Macro Copia_dati
A11-3-3 Macro HF
A11-3-4 Macro HFG
A11-3-5 Macro VF
A11-3-6 Macro VFG
A11-3-7 Macro QS
A11-3-8 Macro GU
A11-3-9 Macro GE
A11-3-10 Macro DT
A11-3-11 Macro PS
A11-4 Using the program
A11-5 Other formulae for the expanded use of the program
A11-5-1 ATWS
A11-5-2 Pressure in a depressurization water discharge tank
References

Appendix 12 The atmospheric dispersion of releases

Appendix 13 Regulatory framework and safety documents
A13-1 Regulatory framework
A13-2 Safety documents
A13-2-1 The safety report
A13-2-2 The probabilistic safety assessment
A13-2-3 The environmental impact assessment
A13-2-4 The external emergency plan
A13-2-5 The operation manual, including the emergency procedures
A13-2-6 Operation organization document
A13-2-7 The pre-operational test programme

A13-2-8 The technical specifications for operation
A13-2-9 The periodic safety reviews
References

Appendix 14 USNRC Regulatory Guides and Standard Review Plan
A14-1 Extracts from a regulatory guide
A14-2 List of contents and extracts from a sample chapter of the Standard Review Plan
A14-3 Sample chapter

Appendix 15 Safety cage
A15-1 General remarks
A15-2 Available energy
A15-3 Mechanical energy which can be released
A15-4 Overall sizing of a structural cage around the pressure vessel
A15-5 Experimental tests on steel cages for the containment of vessel explosions
Reference

Appendix 16 Criteria for the site chart (Italy)
A16-1 Population and land use
A16-2 Geology, seismology and soil mechanics
A16-3 Engineering requirements
A16-4 Extreme events from human activities
A16-5 Extreme natural events

Appendix 17 The Three Mile Island accident
A17-1 Summary description of the Three Mile Island no 2 Plant
A17-2 The accident
A17-3 The consequences of the accident on the outside environment
A17-4 The actions initiated after the accident
References

Glossary
Web sites
Index


Introduction

I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated experience in the fields of nuclear safety and of radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety.

From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them. Given this perspective, I have tried to collect the ideas, the data and the methods which, in many decades of professional work in several countries, are in my opinion the most useful for ‘integrated system’ evaluations of the plant safety.

I have emphasized the complete site–plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise methods are, however, essential in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, in thermal-hydraulics, in radiation protection and in structural response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other ‘generalists’ suggests.

Additionally, this book aims to cover some general and some unusual topics, such as: the overall conditions to be complied with by a ‘safe’ plant, the trans-boundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on.

On some crucial issues, the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the soviet approach to be a relatively lenient one, while the soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases, the text tries to be objective and to quote the ‘Eastern’ view besides the ‘Western’ one, leaving future engineers and technical developments to decide on this issue.

Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible.

The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements.

On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification; others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter.

I have provided a list of references at the end of each chapter, however a complete chapter (Additional references) is almost completely devoted to a list of some ‘institutional’ references (i.e. those published by the IAEA, by the Organization for Economic Cooperation and Development (OECD) and by the United States Nuclear Regulatory Commission (USNRC) which is one of the richest sources of publications among Regulatory Bodies). These additional references are labelled with the superscript AR. Many of these references can be consulted and even downloaded from the web sites listed in the Web sites chapter (see p. 425).

Calculation sheets mentioned in the text may be downloaded from the publisher’s web site (http://books.elsevier.com/companions/0750667230); the way to use them is described in the text.

Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g. the bodies responsible for the general energy strategy of a country and the ‘media’).

I will be very grateful to my readers for any suggestion concerning improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material included: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline composed of many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.

I am very grateful to all the colleagues who have cooperated, deliberately or by chance, in supplying me with the material for these pages. I apologize to them if I don’t name them individually; this is not only because they are many, but because I am sure that I would inadvertently miss out some names.

Gianni Petrangeli

Chapter 1 Introduction

1-1 Objectives

The objectives of nuclear safety consist in ensuring that the siting and the plant conditions comply with adequate principles, such as, for example, the internationally accepted health, safety and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable (the ALARA – As Low As Reasonably Achievable – Principle) in all operational conditions and in case of accidents.

These objectives are frequently subdivided into a General Objective, a Radiation Protection Objective and a Technical Objective: for example, in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org).

The General Nuclear Safety Objective [AR1] is to protect individuals, society and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations.

The Radiation Protection Objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and as low as reasonably achievable, and to ensure mitigation of the radiological consequences of any accidents.

The Technical Safety Objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low.

The target for existing power plants consistent with the Technical Safety Objective has been defined by the INSAG (International Nuclear Safety Advisory Group, advisor to the IAEA Director General) [AR185] as a likelihood of occurrence of severe core damage that is below about $10^{-4}$ events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about $10^{-5}$ such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large off-site releases requiring short-term off-site response by a factor of at least 10.

It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require the likelihood and the severity of accidents to be decreased, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include on-site accident management systems (procedures, equipment, operators) and off-site intervention measures. The greater the potential hazard of a release, the lower must be its likelihood.

The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.

1-2 A short history of nuclear safety technology

1-2-1 The early years

The first reactor, the ‘Fermi pile’ CP1 (or Chicago Pile 1, built in 1942) was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1-1) were:

- gravity driven fast shutdown rods (one was operated by cutting a retaining rope with an axe); and

- a secondary shutdown system made of buckets containing a cadmium sulphate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant.

Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g. Hanford, WA), they didn’t need containment systems.

In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.).¹

In the 1980s and 1990s, a revision of the ‘simplified’ approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

- the open cycle cooling of the reactors and non-pressure-resistant containments;

- the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and

[Figure 1-1 drawing labels: Spectator (Norman Hilberry), ZIP rod, Detector, Recorder, 57 layers of uranium and graphite, Cadmium rod. Title: THE FIRST REACTOR, 2 December 1942]

Figure 1-1. Drawing of the CP1 pile. Scram – this term means ‘fast shutdown of a reactor’: various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by ‘SCRAM’, the abbreviation of ‘Safety Control Rod Ax Man’. The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name ‘Mister Scram’. The drawing is courtesy of Prof. Raymond Murray.


chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems.

Indeed, since the 1950s, the US ‘Reactor Safeguards Committee’, set up by the Atomic Energy Commission with the task of defining the guidelines for nuclear safety, had indicated that, for a non-contained reactor, an ‘exclusion distance’ (without resident population) should be provided. This distance, R, had to be equal, at least to that given by Eq. 1.1:

$$R = 0.016\,\sqrt{P_{th}}\ \text{km}, \qquad (1.1)$$

where $P_{th}$ is the thermal power of the reactor in kilowatts.

For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases.

An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the USA, therefore, the decision of adopting a containment is practically a compulsory one.

The first reactor with leakproof and pressure resistant containment was the SR1 reactor (West Milton, NY, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion, this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit.

In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water.

In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment (the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus, at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building. Still many years afterwards, the Russian reactors of the VVER 230 series, although provided with complete ‘Western-style’ containment, had a leakage rate from the containment of the order of 25 per cent each day (to be compared with figures of the order of 0.2 per cent each day from typical Western containments).²

Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed.

More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgement of expert committees. These situations included the worst ‘credible’ events (such as the complete severance of the largest primary pipe). The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a ‘single failure’ consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system and so on).³

On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of non-governmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the above mentioned accident assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the ‘optimists’ were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.⁴

The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an auto-catalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the Atomic Energy Commission (AEC) on the Semiscale facility at the US National Laboratory of Idaho Falls towards the end of the 1960s, when many US reactors had already been ordered and were being designed or built.

Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the ‘pipe whip’ effect).

All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogous to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (‘backfitting’) extended the construction times of the plants, together with their costs.

It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigour and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.5

The increase in costs as a consequence of the continuous requests for plant improvements, was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the Atomic Energy Commission, Lewis Strauss, who famously stated that nuclear energy would become ‘too cheap to meter’. In this period, the expression ‘ratcheting’ was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research.

This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design.

In this period a diverse approach to plant siting developed and was consolidated in the USA and in Western Europe. In the USA, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site-plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarised as follows:

• The existence of an ‘exclusion zone’ around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management.

• The existence of a ‘low population zone’ around the plant, which could be quickly evacuated (within hours) in case of accident to the plant.

• The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the TID release (Di Nunno et al., 1962).

• A dose limit of 250 mSv (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within two hours after the accident at the border of the exclusion zone.6

• Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.

The exclusion zone was established at a radius of 800–1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a).

The conventional release from the core was as follows:

• For iodine-131: 50 per cent of the core inventory, of which 50 per cent only is available in the containment for external release (deposition and plate out in the primary circuit).

• The iodine available for external release is 91 per cent elemental, 5 per cent particulate and 4 per cent organic iodide (methyl iodide).

• Noble gases are totally released to the containment.

Independent criteria were then established for the design of the plant.

In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case by case basis).

On the other hand, in Europe, the site selection criteria usually consider the site-plant complex. Therefore, for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents.

The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel-clad interface, equal to one to five per cent of the total core inventory, instead of the TID 50 per cent.

In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the USA (approximately 200 inhabitants per square kilometre and 30 per square kilometre, respectively). It is therefore much more difficult to find low population sites in Europe.

The different population densities in Europe and the USA have also brought about differences in accident emergency plans: in the USA, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centres with tens, hundreds or thousands of inhabitants. Here too, the countries’ differences in demographic conditions have to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks).

The practice in the Far East (Japan, South Korea) is similar to the European one.

These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source. Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18). The aim of agreeing common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example leaving to the freedom of each country the definition of acceptable distances or doses.


In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against non-natural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of Quality Assurance (QA) in design, construction and operation of plants.

The first of these, the defence against non-natural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelope a sufficient number of sabotage events based on the use of explosives. Therefore, as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as ‘protection against plane crash’.

Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland and Italy, while in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport. No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences. (See Chapter 17 for more on aircraft impact.)

The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC – the successor to the Atomic Energy Commission in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant.

It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it. Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgement instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations.

In the history of nuclear safety technology, the Rasmussen report did not solely represent a methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants.

Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. Certainly this represents remarkable progress towards the achievement of products better complying with their specifications, however the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.

1-2-3 From the Three Mile Island accident to the Chernobyl accident

In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, USA) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer.

This accident demonstrated that the attitude of many technical people towards nuclear safety was careless and optimistic. It could also be concluded that bad ‘surprises’ caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset towards safety itself.

These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators.

It can be said that this accident completely changed the attitude of the industry towards safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure resistant containment) was acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations (INPO) in the USA and the World Association of Nuclear Operators (WANO) internationally. In the USA, within the NRC, a specific Office was created (Analysis and Evaluation of Operational Data – AEOD) for the analysis and the dissemination of operating experience. Long lists of ‘lessons learned’ were prepared and a ‘Three Mile Island Action Plan’ compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of Defence in Depth and the concept of Safety Culture.

According to a number of experts, in particular from the former USSR, the attitude of the industry towards safety also changed in Eastern Europe after the TMI accident: already in the early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements.

The Defence in Depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, the containment, etc. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans.

The Safety Culture concept is defined as the set of convictions, knowledge and behaviour in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.7

The result of these initiatives, together with the Rasmussen report and the TMI accident convinced many countries to give attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants.


A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:

• the core does not exceed the limits of irreversible damage of the fuel (e.g. 1200°C maximum temperature, 17 per cent local oxidation of the claddings, etc.) (US Code of Federal Regulations, 2004b);

• the external releases do not exceed the maximum tolerable ones, according to the national criteria in force.

In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes ‘severe’ is the attainment of 1200°C in the fuel cladding since at about this temperature the progression of the water–cladding exothermic reaction becomes auto-catalytic and proceeds at a high rate. The IAEA definition for severe accidents is ‘accident conditions more severe than a design basis accident and involving significant core degradation’.AR49

All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:

• portable electric energy generators, transportable from the plant to another on the same site or on a different site;

• procedures to supply electric energy to the essential loads, in case of total loss of electric power;

• procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.

By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany and Sweden (and others) have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow overpressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the USA, concluded that these systems were not needed, on the basis of a cost–benefit analysis.

In Italy, a set of criteria was developed, the ‘95–0.1 per cent criterion’, according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1 per cent of the core inventory could be avoided with a probability higher than 95 per cent, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200°C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden.

Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system (CRS) could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP 600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.

1-2-4 The Chernobyl accident and after

In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power auto-catalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an ‘inverted scram’).

The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons.

Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs).

The general lesson to be learned is always the same: no weak points compromising safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities. I don’t believe, as some anti-nuclear people maintain, that ‘if an accident can happen, sooner or later it will happen’, however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.8

However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.9

A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were circulated among the experts after the Chernobyl accident.

The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.10

Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country towards the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs.

In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:

• Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety.

• Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.

The USA was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population.

The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither of these new concepts nor the industrial weight of the NRC certification are sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.


A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities on the basis that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e. with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC.

A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency towards the reduction of emergency plans is the French–German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g. molten core containment structures, ‘core catchers’, multiple devices for the quick recombination of hydrogen, voluntary primary system depressurization, etc.).

New concepts based on passive safety presently under study are the Pebble Bed Modular Reactor (PBMR – gas cooled, high temperature, helium operated, direct cycle turbine generators) supported by an international group based in South Africa, the IRIS reactor (a PWR with steam generators integrated in the reactor pressure vessel) and the already mentioned AP1000. Other concepts still under study but already proposed exist.AR152, AR244

As usual, the future is difficult to forecast, however, when nuclear energy will be unquestionably necessary, it will be generally accepted. The investors will not have the continuous concern of its competitiveness, and the safety of the plants, which is already at a very good level, will be still more guaranteed.11

References

Bourgeois, J., Tanguy, P., Cogné, F. and Petit, J. (1996) La Surete Nucleaire en France et dans le Monde. Polytechnica, Paris.

Di Nunno J., Baker, R.E.D., Anderson, F.D. and Waterfield, R.L. (1962) ‘Calculation of distance factors for power and test reactor sites’, USAEC, TID-14844.

Glasstone, S. (1963) Nuclear Reactor Engineering, Van Nostrand, Princeton, NJ.

US Code of Federal Regulations (2004a) ‘Part 100: Reactor Site Criteria’, US Government.

US Code of Federal Regulations (2000b) ‘Part 50.46: Acceptance Criteria for Emergency Cooling Systems for Light Water Nuclear Power Reactors’, US Government.

Chapter notes

1 What radiation dose did Fermi and the other scientists absorb during the first criticality? Taking into account that the reactor was kept in a critical state for roughly half an hour and that the power was equal to about 0.5 W, an order of magnitude evaluation using current data [Glasstone, 1963] shows that the dose due to neutrons and to gamma rays was of the order of 10 µSv (1 mrem); very low indeed.

2 According to a number of experts, in particular from the former USSR, this situation is not to be viewed as the outcome of a more rigorous attitude in the West than in the East. There were different safety philosophies in East and West: the former focused on accident prevention without much care of the high cost (at least in the case of VVER reactors), the latter focused more on mitigation of accidents, with a strong effect on the results from cost–benefit considerations. The debates on relativism in philosophy (ethics or epistemology, for example) have some similarity with these arguments. Indeed, relativism has not to be identified, as some of its critics say, with the thesis that all points of view are equally valid, but with the thesis that one thing (moral values, beauty, knowledge, taste, meaning and nuclear safety criteria, too) is relative to some particular framework or standpoint (e.g. the individual subject, a culture, an era, a language or a conceptual scheme). Moreover, no standpoint is uniquely privileged over all others. With these kinds of highly controversial similarities, it is easy to understand that any attempt to resolve the issue by discussions may scarcely be productive and that only the future will indicate where the relative merits are higher.

3 This method of defining the accidents to be considered in the design was subsequently named the ‘deterministic method’, to be distinguished from the ‘probabilistic method’ based on the evaluation of the probability of the various accidental events. Presently, however, the choice criteria are generally a combination of the two approaches.

4 ‘Pipes leak, pipes crack, pipes are corroded, but pipes don’t break’, one of the senior US industry engineers used to repeat. And indeed, in the light of subsequent ‘experience’ (now equivalent to more than 10 000 reactor-years of operation) very few guillotine breaks of large pipes have happened. Moreover, most of these cases have not happened in primary pipes, but in pipes not submitted to the most stringent design and operation practices (periodic inspections and so on). Only two cases have happened in two feed-water pipes, weakened by erosion. On the other hand, the figures based on the assumption of a complete break of the largest pipe in the plant afford protection from a number of different events not explicitly considered, such as the flange bolts breaking in large valves (several cases of ‘near misses’ of this kind have happened), the partial rupture of pump casings caused by rotor failure, etc.

5 Towards the end of the 1960s, two eminent nuclear designers discussed with a safety reviewer the pipe rupture assumptions for a pressure tube reactor under design. The technical problem under discussion is sketched in Figure 1-2. If the cooling water pipes ruptured, the designers declared that the cooling of the fuel contained in each pressure channel was ensured as a valve at the inlet of each channel (shown in the drawing) would be closed in order to force the emergency cooling water to flow into the channel and to cool the fuel before reaching the rupture point and spilling into the containment. When the safety reviewer pointed out that this design objective would not be reached if the rupture had happened in the position marked with an X, their answer was ‘Safety is not a game with rigid and meticulous rules, sir! More room should be left to technical judgement!’ It has to be appreciated that in the nuclear safety profession everybody knows that an accidental break has to be assumed at every location on every pressure pipe and that, in these conditions, the plant must continue to be safe; so, it is ridiculous that somebody tries to resort to the difference between nuclear safety and a game in order to justify a departure from this rule concerning the break location.

Many years afterwards, this sentence came again to my mind after the TMI accident, in which the only rupture position for which the primary water loss could have created the situation of an ‘empty pressure vessel and filled up pressurizer’, which totally confused the operators and induced them to shut off the emergency injection system, was precisely the one which happened, namely at the top of the pressurizer. This anecdote is representative of a state of mind prevalent in the industry in the period of time up to the TMI accident, that is that the current accident assumptions were excessive so that their implementation could be rather flexible without adverse consequences.

6 The reference, in the US criteria, to 250 mSv total body and 3 Sv thyroid doses may be intriguing for some people. Indeed, nowadays, no acceptance criterion includes such high figures: the effective dose limits for design basis accidents (credible accidents) are 10 to 100 times lower. Indeed, in the 1950s and 1960s, the figures adopted in the US criteria were officially considered as maximum tolerable doses for serious accidents. Over time, however, progress in radiation protection knowledge has brought about an additional decrease in the tolerability limits, therefore the figures initially adopted in the USA have become ‘completely conventional numbers’, losing their (uncertain) original physical–biological meaning. The question arises as to why these figures have not been updated. Here, as in many other cases in the nuclear safety field, perhaps the consideration has prevailed that any reduction of the limits could be interpreted as a disapproval of already built and operating plants, for which the original figures were adopted. The site criteria have, however, always been thought to give acceptable protection to the population.

7 Two things are surprising when the operating experience of nuclear plants is considered. The first one is the astonishing coincidence of different adverse facts which is at the origin of many serious accidents (TMI and Chernobyl included). The second is the surprising intervention of resolving factors in sequences of events already well advanced in their progress towards a disaster (the Browns Ferry Fire (Alabama, 1975), many discoveries ‘at the last minute’ of very dangerous cracks in pressure vessels, and so on).

It is thought that the motivation of many of these surprising events is the presence of a special atmosphere or mindset in the group of people responsible for the construction and the operation of a plant. This atmosphere can be either favourable or adverse to safety. Perhaps, the possible presence of it should be in some way considered in probabilistic analyses as a ‘concurrent event’ of any accident studied. As an example, letting our imagination wander, the initiating event ‘small pipe break’ could be studied in coincidence with ‘hectic atmosphere because of the need to conclude an operational phase or a test’, with a probability which could now be estimated to be of the order of 10 per cent.

Obviously, the practical answer to these remarks is ‘prevention’, namely the strengthening of Defence in Depth and of Safety Culture.

[Figure 1-2 Sketch for a discussion on a break in a pressure tube reactor. Labels: pressure channel, isolation valve, emergency injection line, normal cooling line.]

8 The forgotten safety criterion: Many safety criteria have been discussed and written about, but one which requires that a nuclear plant should never be constructed and operated in haste has not been proposed yet. Perhaps, more than one criterion is involved here. For example, one of the specific requirements might be that ‘no nuclear plant can operate if its power is essential to the grid’, as happens when reserve energy is not available to allow it to be stopped in cases of unforeseen events, emergencies, or to perform inspection, maintenance or tests. In the case of Chernobyl, the existence of a similar criterion would have allowed the power station superintendent to oppose the request to continue to operate beyond the programmed time.

Obviously, such a criterion could be opposed by the strong supporters of the cost convenience of nuclear energy. I think, on the contrary, that without subtracting anything from the great merits of nuclear energy, a more realistic attitude is necessary.

A good example in which a plant was operated for production needs with a lack of power reserve in the grid, against the opinion of many experts, happened between 1995 and 1996 (American Nuclear Society, 1996). In that period, a power station was operated in various months in order to support the power demand during the winter period, despite strong doubts about the strength of the reactor pressure vessel (presence of cracks and doubts on the possible excessive neutron embrittlement of the vessel material). These doubts were expressed by a group of European specialists, which opposed the continuation of the plant operation. What the most pessimistic people feared did not happen but, for those knowing the facts, it was a worrying situation: the burst of a reactor pressure vessel of a water reactor must be absolutely prevented within reliable safety margins, as it can give rise to an accident of the severity of the Chernobyl one.

9 At the time when Finland was planning its first nuclear power station, because of existing commercial agreements, technical experts contacted Russian experts in order to explore the possibility of the supply of a Russian-designed reactor. When, during one of the meetings, the Finn responsible for nuclear safety and the Russian responsible for the peaceful use of nuclear energy were discussing the various types of reactors available, the RBMK reactor (the Chernobyl type) was considered too. The Finnish expert asked for a copy of the safety report of this reactor, but the Russian answered that the safety report could be provided only to the buyers of the reactor. The Finn persisted, saying that Finland seriously intended to buy, but received a final answer that this type of reactor could not be sold outside the Soviet Union (for national security reasons).

10 The major lesson which was learnt from the Chernobyl accident was that it was demonstrated that a catastrophic accident could have consequences up to distances not yet imagined before. In this connection, it is not completely true, as many people have said, that the dispersion of the releases up to great distances was due solely to the upward propulsion caused by the explosion and by the fire of the reactor. The very large quantity of radioactive releases was the primary factor, although with an additional contribution by the explosion/fire phenomenon.

11 The symptoms of an illness might be around us, a desire to disregard past experience of accidents, which, if it should continue to grow, might really impair the safety of nuclear plants. On the one hand, a past WANO (World Association of Nuclear Operators) president has publicly declared, from his special observation point, that the interest in the lessons of experience is decreasing among operators.

On the other hand, discussions with some designers of specific countries indicate that the pre-TMI accident mindset is surfacing again, exemplified by self confidence and optimistic bias. Moreover, some plant operators have stated with annoyance that after more than twenty years since the TMI accident, people still keep on studying it and that it is time to forget because what had to be learnt has been learnt already. These are all wrong attitudes because keeping alive the memory of the lessons of the past will avoid the carelessness that has caused the accidents in the first place.

It is just as important to extract lessons from lesser incidents, those ‘semi-accidents’ which could have evolved into a disaster. In this field, the NRC keeps records that include the evaluation and publication of results.

The media, too, can strongly contribute to the progress of safe nuclear energy. It is not necessary for it to always praise its virtues, but it should give special attention to the exactness of the news given and avoid emotive reporting, in particular as far as the gravity of the small accidental events which continuously happen in every industrial plant, and therefore also on nuclear plants, is concerned. As a reaction to sensationalism, the stakeholders in the nuclear industry react with a confidentiality policy which is detrimental to the progress of safety.


Chapter 2 Inventory and localization of radioactive products in the plant

One of the primary objectives of nuclear safety is to contain within the plant the radioactive products there present. It is, therefore, essential to know the amount and the normal location of these products. Almost all the radioactive products are contained in fuel located in the reactor itself or in used fuel which is still stored at the plant, in the spent fuel pool or, less frequently, in dry containers for temporary storage.

Table 2-1 lists the half-life and total radioactivity for the nuclides in a 1000 MWe water reactor in equilibrium conditions (that is after a certain operation time). At the start of the operation, the amount of some nuclides with a long half-life continuously increases until it reaches, after several months, a practically constant saturation level.

For the preliminary evaluations of the consequences of accidents, it is usually sufficient to consider the doses due to:

• noble gases (direct cloud radiation dose);

• iodine (inhalation dose);

• caesium (mainly long-term doses due to radiation from the radioactivity deposited on the ground – ‘ground shine’);

• tritium (fusion machines and specific reactors), plutonium (fall of satellites, fuel treatment plants which handle plutonium).

The nuclides are grouped according to a criterion adopted in many ‘source term’ (complex of external releases in an accident) studies. This classification takes into account important factors in the release evaluation, such as the volatility of the element or its probable compounds and their chemical/physical properties.

In a rather indicative way, it can be assumed that if in an uncontrolled (severe) accident X per cent of the noble gases inventory is released, the releases of iodine and of caesium may reach 0.1X per cent, and the releases of other products roughly 0.01X per cent. Each conceivable accident, however, has specific aspects which may strongly alter these indicative percentages, here mentioned in order to give an average measure of the natural release potential of the various isotopes.

The radioactive products contained in the fuel are normally located in the sintered uranium dioxide of the reactor fuel (the uranium dioxide fuel is shaped into pellets, roughly 1 cm in diameter, inserted in long zirconium alloy (Zircaloy) cylinders). The matrix of these cylinders (roughly 40 000), grouped in bundles to form the fuel elements, is the reactor core.

A fraction ranging from 0.5–5 per cent (USNRC, 1992) of the more volatile radioactive products (noble gases, iodine, caesium) is contained in the gap between the uranium pellets and the containment cylinder (cladding). For sake of conservatism, however, sometimes the accident release evaluations are made assuming that this percentage is equal to 10 per cent (this is the value suggested, for example, by USNRC Regulatory Guide 1.25 on fuel element drop accidents [AR316]). During accidents without core melt but entailing a severe threat to the fuel (of a mechanical and/or thermal nature), these radioactive products may escape from the fuel and be released to the primary system. In general, it is assumed that at least noble gases, iodine and caesium are released in this way.

[Table 2-1. Column headings: Nuclide; Half-life (days); Radioactivity (Bq × 10¹⁸) (MCi)]

Even during normal operation, the primary coolant contains a certain amount of radioactivity, partly due to nuclides formed by the irradiation in the core of elements dispersed in the coolant (oxygen, hydrogen, cobalt, iron, etc.) and partly due to the presence of defective (fissured) claddings in the core which let a part of the gap inventory escape into the coolant. The concentration of radioactive products in the water depends on the extent of fissures (in general, it is assumed that 1–2 per cent of the elements have fissures) and on the effectiveness of the primary water purification system.

The degree of contamination of the primary coolant by iodine-131 (the most significant isotope) normally assumed in the study of accidents is equal to roughly 10⁴–10⁵ Bq g⁻¹, corresponding to a total of the order of tens of terabecquerels for the whole primary system (i.e. hundreds of curies).

For iodine-131 (the same considerations are valid for caesium), the effects of the phenomenon of ‘iodine spike’ are, in addition, taken into consideration (this is an increase in the release of these radioactive products from the fissured fuel rods caused by power variations). The phenomena involved are connected with the ingress and subsequent exit of water through the gap and with likely fracturing of the fuel matrix. Guidance on figures to be used can be found in USNRC (1996). The normal values are:

• A factor of 50 on the normal iodine content in the primary water (that is up to a total of 100–1000 TBq for all the primary system).

• A factor of 500 on the rate of release of the iodine from the fuel, whose order of magnitude can be, for each fissured rod, 10⁻⁴–10⁻³ TBq h⁻¹.

• A peak time duration of 1–5 hours.

Radioactive products are present in decay storage tanks for gases extracted from the primary water before their release to the atmosphere. Not all the plants use these tanks since the decay of waste gases is frequently obtained by delay lines that temporarily adsorb the gases on activated carbon. Where decay tanks are used, a rupture of one of them is serious. The total inventory of the stored gases is subdivided in several (typically eight) tanks. The most relevant external doses are those connected with the irradiation from the cloud of noble gases, whose total inventory may be of the order of 10⁴ TBq.

For completeness, although the accidents discussed may have minor consequences, it must be added that other radioactive products are contained in the plant, mainly in the form of solid waste.

References

USNRC (1996) ‘Standard review plan for the review of safety analysis reports for nuclear power plants’, NUREG-0800.

USNRC (1992) ‘Accident source terms for light-water nuclear power plants’, NUREG-1465.


Chapter 3 Safety systems and their functions

3-1 Plant systems

By necessity, a nuclear power plant is composed of the parts required to generate electric power (the ‘process’ parts or systems) but also of a complexity of safety systems. The name ‘safety systems’ here indicates all those systems which are not strictly necessary to the plant operation or to health protection under normal conditions, but rather those that prevent the progression of accidents and therefore avert the large release of radioactive products. Accident prevention is a major activity of designers, operators and control bodies. Figure 3-1 will remind the reader of the components of a typical pressurized water reactor (the PWR – the most common design in the world).

The process components are: the reactor (R) itself, where the nuclear chain reaction takes place and the heat is produced which will finally be transformed into electric energy; the steam generator (SG), where the heat is used to produce high pressure steam; the turbine (T), where the steam energy is transformed into mechanical rotation energy; and, finally, the electric generator (G), which produces the electric energy to be supplied to the grid.

[Figure 3-1; surviving labels: secondary containment, primary containment]

As can be seen in the drawing, the process fluid, that is water in the form of liquid or vapour, circulates in two distinct systems, the primary and the secondary system, which mutually exchange heat in the steam generator.

Another important component of the primary system is the pressurizer (PR), whose function is that of an expansion volume and of a pressurization component, the latter function being obtained by electric heaters. The pressurizer keeps the circuit water at a higher pressure than its saturation pressure, thereby suppressing the steam production in the primary system. (The pressurizer was significant in the Three Mile Island (TMI) accident.)

The safety systems have three main objectives: the quick emergency shutdown of the chain reaction; the emergency cooling of the reactor after shutdown; and, finally, the containment of radioactive products after their accidental release from the reactor. The quick shutdown is obtained by the insertion, by gravity, of control rods (CR) in the reactor and, as a backup, by the injection of a liquid neutron ‘poison’ (boron) in the primary water. The emergency cooling of the reactor is necessary because the radioactive products accumulated in the nuclear fuel continue to generate heat after the shutdown of the chain reaction (decay heat) (see Figs 3-2 and 3-3).

The emergency cooling systems are both passive ones (that is those practically without moving components, such as pumps) and active ones. By way of examples, Figure 3-1 shows a passive system (accumulators, AC, kept under pressure by compressed nitrogen) and an active system (I).

The containment comprises a combination of special buildings and engineered systems. The figure shows a complete ‘double containment’ system, similar to those adopted in many countries. In this design, an internal reinforced concrete building, strong enough to resist the accident pressure of the worst design basis accident, is internally lined by steel in order to guarantee optimum leakproof characteristics (primary containment). Isolation valves (V) will close in case of accident, always for leak proofing reasons. The first building is enclosed in another reinforced concrete building (secondary containment) in order to further improve the retention of radioactive products and the shielding from direct radiation; it has also the function of affording protection against external impact events.

The area between the two containments is kept at a negative pressure with respect to the external environment by means of filtered suction systems (A and F). The primary containment is provided with cooling and water spray systems in order to decrease, in case of accident, both the internal pressure and the amount of free radioactive products.

3-2 Safety systems and accidents

The safety systems are designed to cope with a set of accidental events (design basis accidents or DBAs), either originating inside the plant or outside it. This set also includes events of such a low probability that their occurrence during the life of the plant should not be feared.

As an example, the following events are included within the DBAs: an instantaneous guillotine break of the largest pipe of the primary circuit; the sudden expulsion of a control rod from the core; and the maximum potential seismic event on the plant site.

An accident at a nuclear power plant can be caused by many combinations of anomalous initiating event, malfunction and human error. The types of possible accidental situations are studied in the specific safety analysis of each plant and the safety systems described above are designed to prevent, or mitigate the effects of, all the accidents chosen as DBAs. Table 3-1 provides an approximate indication of the effectiveness of various safety systems in limiting external releases in a typical loss of coolant accident (the break of a large primary circuit pipe). The figures are for the release of iodine-131 (often assumed as the reference isotope in indicative evaluations of ‘source terms’ and for a 1000 MWe reactor). As can be seen, the reduction of the releases caused by the safety systems is very significant and corresponds to a factor of the order of one million.

The study of the safety of a plant is not, however, limited to the study of the serious and unlikely design basis accidents. For many years, the most serious accidents, named ‘severe accidents’, have also been the subject of studies and research.

Some definitions of safety criteria (IAEA Safety Criteria and EUR Requirements) specify a third class of accidents that lies between the two already mentioned. These include:

• operating transients without scram (ATWS);

• complete loss of alternate electric power in the power station;

• containment bypass accidents.

This class does not require the same conservative design provisions required by DBAs (high safety margins for mechanical strength, strict quality assurance requirements, etc.). However, substantial core integrity is required as a consequence of the implementation of accident management measures.

The main reasons for the general interest in severe accidents are primarily the intention of improving the protection of the plant by its extension to the field of the most serious accidents, and the need to know phenomenologies and probabilities of these accidents in order to perform less uncertain evaluations of the global risk of a plant (probability risk assessment or PRA) of the type of the famous Rasmussen report.

[Figure 3-2 Decay power for a 2775 MWt reactor (10% over best estimate). Labels: time after shutdown [sec], vaporizing water, burning kerosene.]

What are the possible causes, the typical phenomena and the possible course of events in a severe accident? Here, a concise and necessarily incomplete description will be attempted. The typical sequences entail damage and melt of the core, interaction of the molten core with the pressure vessel and afterwards with the containment floor and, finally, perforation of the containment itself.

The damage and the melt of the core may happen for two reasons only, notwithstanding the large number of the possible sequences:

• the late or missing shutdown of the chain reaction, when required;

• insufficient decay heat removal from the reactor.

[Figure 3-3 Decay energy for a 2775 MWt reactor]

For PWRs, in particular, the decay heat dominates the stage in severe accidents. Figure 3-2 illustrates the behaviour of the decay power with time for a 2775 MWt reactor. It shows the correspondence between this power and the amount of water which could be evaporated per second by it (the corresponding amount of equivalent burnt kerosene per second is also shown). As can be seen, after a few hours, a really small flow rate of water is sufficient to cool the core (about 10 l s⁻¹, that is the normal flow rate of a 50 mm diameter pipe). Contrasting this is the transient situation of a reactor where the rupture of a large diameter pipe has occurred (a large loss of coolant accident or LOCA). In this case the reactor vessel quickly empties (in a few tens of seconds) and therefore it has to be quickly refilled in order to keep the core covered and therefore adequately cooled. In this situation, it is essential that the emergency cooling systems have large flow rates (of the order of thousands of litres per second). The ‘re-flooding’ of the core places the largest flow rate demand on the safety injection systems.
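The ‘about 10 l s⁻¹ after a few hours’ figure can be checked with a short calculation. The Python sketch below is an added example, not taken from the book: it assumes a Way-Wigner type decay heat correlation with coefficient 0.066, one year of prior full-power operation, and water boiling at atmospheric pressure (latent heat only), and it applies the 10% margin quoted for Figure 3-2.

```python
"""Decay heat after shutdown and the water flow needed to remove it by boiling."""
import math

# Assumption (not from the book): Way-Wigner type correlation
#   P(t)/P0 = 0.066 * [t**-0.2 - (t + T_op)**-0.2],  t and T_op in seconds.
WAY_WIGNER_COEFF = 0.066
LATENT_HEAT_J_PER_KG = 2.257e6      # assumption: water boiling at atmospheric pressure
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: one year of operation before shutdown
P0_W = 2775e6                       # thermal power of the reactor of Figure 3-2
MARGIN = 1.10                       # "10% over best estimate", as in Figure 3-2


def decay_fraction(t_s, t_op_s=SECONDS_PER_YEAR):
    """Fraction of full thermal power still produced t_s seconds after shutdown."""
    if t_s <= 0 or t_op_s <= 0:
        raise ValueError("times must be positive")
    return WAY_WIGNER_COEFF * (t_s ** -0.2 - (t_s + t_op_s) ** -0.2)


def decay_power_w(t_s, p0_w=P0_W, t_op_s=SECONDS_PER_YEAR, margin=MARGIN):
    """Decay power in watts, including the conservative margin."""
    return margin * p0_w * decay_fraction(t_s, t_op_s)


def decay_energy_j(t_s, p0_w=P0_W, t_op_s=SECONDS_PER_YEAR, margin=MARGIN):
    """Energy released between shutdown and t_s (closed-form integral of the power)."""
    k = margin * p0_w * WAY_WIGNER_COEFF / 0.8
    return k * (t_s ** 0.8 - (t_s + t_op_s) ** 0.8 + t_op_s ** 0.8)


def boil_off_rate_l_per_s(power_w):
    """Water evaporated per second if all the power goes into latent heat.

    One kilogram of water is taken as one litre.
    """
    return power_w / LATENT_HEAT_J_PER_KG


def time_until_flow_suffices(flow_l_s, p0_w=P0_W, t_op_s=SECONDS_PER_YEAR,
                             margin=MARGIN):
    """Earliest time (s) after shutdown at which flow_l_s of boil-off matches decay power.

    Decay power falls monotonically, so a bisection on a logarithmic time
    scale between 1 s and 1e8 s is enough.
    """
    def rate(t_s):
        return boil_off_rate_l_per_s(decay_power_w(t_s, p0_w, t_op_s, margin))

    lo, hi = 1.0, 1.0e8
    if rate(lo) <= flow_l_s:
        return lo
    if rate(hi) > flow_l_s:
        raise ValueError("flow too small for the time range considered")
    for _ in range(200):
        mid = math.sqrt(lo * hi)
        if rate(mid) > flow_l_s:
            lo = mid
        else:
            hi = mid
    return hi


def summary(times_s=(10, 100, 3600, 3 * 3600, 24 * 3600)):
    """Rows of (time s, decay power MW, boil-off l/s, cumulative energy GJ)."""
    rows = []
    for t_s in times_s:
        power = decay_power_w(t_s)
        rows.append((t_s, power / 1e6, boil_off_rate_l_per_s(power),
                     decay_energy_j(t_s) / 1e9))
    return rows


if __name__ == "__main__":
    print(f"{'t [s]':>8} {'P [MW]':>9} {'boil-off [l/s]':>15} {'E [GJ]':>10}")
    for t_s, p_mw, flow, e_gj in summary():
        print(f"{t_s:>8} {p_mw:>9.1f} {flow:>15.1f} {e_gj:>10.1f}")
    hours = time_until_flow_suffices(10.0) / 3600
    print(f"10 l/s of boil-off matches the decay power after about {hours:.1f} h")
```

Under these assumptions a 10 l s⁻¹ boil-off matches the decay power roughly four and a half hours after shutdown, consistent with the statement in the text; the far larger flow rates needed after a large LOCA come from refilling the emptied vessel, not from the decay power itself.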

The first consequences of uncontrolled overheating of the core are the fissuring of the fuel claddings (at about 1073–1173 K (800–900 °C), while their normal operating temperature is about 623 K (350 °C)) and their subsequent oxidation reaction with water or with steam (above 1473 K (1200 °C)) which generates heat and hydrogen.

It has to be remembered that, during their life in the reactor, the fuel tubes become significantly pressurized because of the development of fission gases inside them (up to several tens of atmospheres) and, therefore, once fissured, they tend to quickly release to the outside (if the reactor pressure is low, as in many accidents) all the accumulated volatile products.

The amount of hydrogen which can be generated by a normal size reactor may reach 700–800 kg: a very large quantity!

The most severe hazard caused by hydrogen release is that it will be released, sooner or later according to the conservative assumptions made in severe accident studies, into the primary containment atmosphere where it may cause, in the presence of air, explosions or relatively slow combustion. In both cases, the internal pressure in the primary containment will increase and its integrity will be endangered. The containment safety margins against internal pressure are, however, normally high.¹

If the accident is allowed to progress in an uncontrolled way, the temperature of the reactor core will continue to increase and it can be assumed that at about 1973 K (1700 °C) the not yet oxidised Zircaloy claddings will melt, and at about 3073 K (2800 °C) the uranium oxide pellets will melt completely.

The liquid mass that could be formed in this way (named ‘corium’) collects on the bottom of the reactor vessel and may perforate it as the generation of decay heat continues. The TMI accident progressed up to the threshold of this event, without crossing it, however. A large quantity of molten and re-solidified ‘corium’ was indeed found on the bottom of the vessel, which, however, was not perforated. Once the base of the vessel has been breached, the corium could pour on the bottom of the primary containment, usually made of a very thick layer of reinforced concrete (1–5 m). On contact, any water residing here would be vaporized, increasing the pressure inside the containment.

Table 3-1 An example of the effectiveness of safety systems. Release of 131I due to loss of coolant (current reactors)

In core: 3.5 × 10⁶
• fast shutdown. Prevent releases from the fuel matrix and decrease releases from the gaps (dissolution, plate out).

In the gaps: 3.5 × 10⁴
• emergency cooling.

Primary containment: 3.5 × 10³
• primary containment. Leak proof: reduction factor of 20 for a 0.5% leakage per day and 10 days of pressurization.
• removal and cooling systems.

Secondary containment: 1.8 × 10²
• secondary containment. Segregate radioactive products.
• activated carbon filters.

Today a ‘steam explosion’ under these conditions (the sudden contact and physical interaction of high temperature corium with water on the containment bottom) is generally thought to be very unlikely and, perhaps, physically impossible, at least not of such a magnitude to cause the rupture of the containment. Contact between the corium and the containment concrete is, on the contrary, certain. The chemical–physical attack of the concrete itself with the consequent production of gases (even of explosive ones, such as carbon monoxide and hydrogen) raises the possibility of perforation of the containment wall. Gas production and combustion, and the continued production of heat from the corium will necessarily cause the pressure to increase within the containment up to its rupture value (2–4 times the design pressure), unless the perforation of the containment floor, due to the concrete attack by the corium, intervenes first. This typical scenario is the one foreseen under the extreme assumption of a lack of any intervention able to stop the progress of the accident in the time period from its inception up to the rupture of the containment (which is expected to happen after 20 hours to 5 days, depending on the specific characteristics of the plant). The time periods indicated here refer to a reactor which had operated continuously for a long time before the accident.

More than 400 civilian power reactors operate in the world today and they have altogether accumulated more than 10 000 reactor years of operation. The principal accidents which have occurred are the TMI accident (1979) and the Chernobyl accident (1986). The accident at the experimental Windscale reactor (1957, see Chapter 20) is also an interesting reference for the study of the consequences of serious accidents.

The TMI accident (see Chapter 1) was due to a relief valve on the pressurizer (indicated S in Fig 3-1) remaining stuck open during a normal plant transient. The operators didn’t become aware for hours of this opening in the primary circuit because they had, from the available instrumentation, contrasting indications about the level of water in the circuit itself. Indeed, the pressure and temperature instruments indicated that the water in the core was boiling, while the level instruments in the pressurizer indicated a primary circuit full of liquid. In deciding what to do, they made the wrong choice and believed the level instrumentation. Consequently, they blocked the emergency water injection systems which had been automatically actuated. The core overheated and partially melted. The releases were negligible from the health protection point of view because of the presence of an effective containment.

The fact that TMI didn’t result in a public health catastrophe has to be ascribed to the Defence in Depth principle systematically adopted as Western safety practice. The concept provides multiple redundant and diverse barriers against radioactive releases, well beyond what could be thought strictly necessary. TMI showed that this principle offers protection against the unforeseen and the unknown possible events.

Chernobyl, on the contrary, is an example of what can happen if a completely opposite principle is applied: that of doing only what is necessary for safety. In RBMK reactors, like the Chernobyl reactor, the safety margins were not stringent enough. For example, the plant had a containment system for the primary circuit but it was only partial: the reactor itself, and in particular the fuel channel heads, were not included in it. The designers thought that it was sufficient only to install protective monitoring instrumentation. Figure 3-4 shows the containment for a typical 900 MWt PWR and the Chernobyl reactor containment.

In addition to the Chernobyl design deficiencies, there was evidence of human error and the voluntary violation of safety rules, both for production reasons and in the incorrect appreciation of the real danger. Chernobyl can with good reason be considered representative of the maximum possible accident to a power reactor.

Unfortunately, the abundant information supplied by the designers does not allow us to conclude that the corrective measures adopted in other reactors of the same type (about 20) are sufficient to rule out the danger of another severe accident, possibly with different modalities. The accident, indeed, has highlighted a dangerous vulnerability of this type of reactor, which is generic in nature, and which is not specifically tied with the sequence of events that happened at Chernobyl in 1986. In particular, a weak point of the reactor is its upper closure plate, to which 1700 fuel channels and the control rods are fastened. There is no containment present above the plate: a major hazard during possible accidental internal over-pressurization of the reactor.


Figures 3-5 and 3-6 show the significant differences between the dynamics of the Chernobyl and the TMI accidents. Figure 3-5 illustrates the crucial phase of the Chernobyl accident and shows how it essentially comprised an uncontained ‘explosion’ of the reactor. Figure 3-6 shows the damaged state of the TMI-2 reactor core and vessel after the accident, and results from many years of research (OECD, 1993). As can be seen, in the case of TMI-2, and unlike Chernobyl, a slow ‘core melt’ took place, without explosive phenomena and with the absence of intrinsic instabilities. The following, also derived after many studies, gives a quantitative measure of the sequence of events in the same accident:

• 0–100 minutes: Loss of coolant and core exposure;
• 100–174 minutes: Start of core damage;
• 174–180 minutes: Temporary operation of the primary pump;
• 180–224 minutes: Prolonged heating-up of core;
• 224–226 minutes: Displacement of core material;
• 226 minutes: Stabilization of the debris.

It is possible to classify the types of significant accidents on a scale of increasing severity and, on the basis of available data, assign to them orders of magnitude of releases and of probabilities (see Table 3-2).

The download file, DRYCORE (on this book’s companion website, http://books.elsevier.com/companions/0750667230) provides some data and methodology for evaluations on a barely refrigerated or completely dry core. These methods help, for example, in evaluating the time to the start of meltdown after shutdown of a core (or part of a core) without refrigeration.

3-3 Future safety systems and plant concepts

3-3-1 General remarks

The nuclear reactors now operating incorporate both passive and active safety features (see pp 9 and 26). For example, reactors have a passive limitation of power excursions through a negative power coefficient of reactivity, which is, for most of them, the outcome of the early recognition that a power excursion might be difficult to limit in the presence of self-enhancing dynamic reactor features. On the other hand, most reactor emergency cooling systems are active. The variety of solutions does not reflect a precise choice in the early days of nuclear power towards active or passive systems, rather it reflects the best choice for the designers of that time. Passive and intrinsic safety solutions were adopted when they were recognized as being effective and economically convenient. Moreover, the fundamental safety functions required in a nuclear reactor are limited to reactor shutdown, reactor and containment cooling, and containment of radiotoxic

Figure 3-4 PWR containment and Chernobyl (RBMK 1000) containment (roughly to the same scale). Panel labels: Chernobyl (light upper containment); PWR.
