(updated May 2012)
In relation to nuclear power, Safety is closely linked with Security, and in the nuclear field also with Safeguards. Some distinctions:
Safety focuses on unintended conditions or events leading to radiological releases from authorised activities. It relates mainly to intrinsic problems or hazards.
Security focuses on the intentional misuse of nuclear or other radioactive materials by non-state elements to cause harm. It relates mainly to external threats to materials or facilities.
Safeguards focus on restraining activities by states that could lead to acquisition of nuclear weapons. They concern mainly materials and equipment in relation to rogue governments. (see also Safeguards paper)
In the 1950s attention turned to harnessing the power of the atom in a controlled way, as demonstrated at Chicago in 1942 and subsequently for military research, and applying the steady heat yield to generate electricity. This naturally gave rise to concerns about accidents and their possible effects. However, with nuclear power, safety depends on much the same factors as in any comparable industry: intelligent planning, proper design with conservative margins and back-up systems, high-quality components and a well-developed safety culture in operations.
A particular nuclear scenario was loss of cooling which resulted in melting of the nuclear reactor core, and this motivated studies on both the physical and chemical possibilities as well as the biological effects of any dispersed radioactivity. Those responsible for nuclear power technology in the West devoted extraordinary effort to ensuring that a meltdown of the reactor core would not take place, since it was assumed that a meltdown of the core would create a major public hazard, and if uncontained, a tragic accident with likely multiple fatalities.
In avoiding such accidents the industry has been very successful. In over 14,500 cumulative reactor-years of commercial operation in 32 countries, there have been only three major accidents to nuclear power plants - Three Mile Island, Chernobyl, and Fukushima - the second being of little relevance to reactor design outside the old Soviet bloc.
It was not until the late 1970s that detailed analyses and large-scale testing, followed by the 1979 meltdown of the Three Mile Island reactor, began to make clear that even the worst possible accident in a conventional western nuclear power plant or its fuel would not be likely to cause dramatic public harm. The industry still works hard to minimize the probability of a meltdown accident, but it is now clear that no-one need fear a potential public health catastrophe simply because a fuel meltdown happens. Fukushima has made that clear, with a triple meltdown causing no fatalities or serious radiation doses to anyone, while over two hundred people continued working on the site to mitigate the accident's effects.
The decades-long test and analysis program showed that less radioactivity escapes from molten fuel than initially assumed, and that most of this radioactive material is not readily mobilized beyond the immediate internal structure. Thus, even if the containment structure that surrounds all modern nuclear plants were ruptured, as it has been with at least one of the Fukushima reactors, it is still very effective in preventing escape of most radioactivity.
It is the laws of physics and the properties of materials that mitigate disaster, as much as the required actions by safety equipment or personnel. In fact, licensing approval for new plants now requires that the effects of any core-melt accident must be confined to the plant itself, without the need to evacuate nearby residents.
The three significant accidents in the 50-year history of civil nuclear power generation are:
A table showing all reactor accidents, and a table listing some energy-related accidents with multiple fatalities are appended.
These three significant accidents occurred during more than 14,500 reactor-years of civil operation. Of all the accidents and incidents, only the Chernobyl and Fukushima accidents resulted in radiation doses to the public greater than those resulting from the exposure to natural sources. The Fukushima accident resulted in some radiation exposure of workers at the plant, but not such as to threaten their health, unlike Chernobyl. Other incidents (and one 'accident') have been completely confined to the plant.
Apart from Chernobyl, no nuclear workers or members of the public have ever died as a result of exposure to radiation due to a commercial nuclear reactor incident. Most of the serious radiological injuries and deaths that occur each year (2-4 deaths and many more exposures above regulatory limits) are the result of large uncontrolled radiation sources, such as abandoned medical or industrial equipment. (There have also been a number of accidents in experimental reactors and in one military plutonium-producing pile - at Windscale, UK, in 1957, but none of these resulted in loss of life outside the actual plant, or long-term environmental contamination.) See also Table 2 in Appendix.
It should be emphasised that a commercial-type power reactor simply cannot under any circumstances explode like a nuclear bomb - the fuel is not enriched beyond about 5%.
The International Atomic Energy Agency (IAEA) was set up by the United Nations in 1957. One of its functions was to act as an auditor of world nuclear safety, and this role was increased greatly following the Chernobyl accident. It prescribes safety procedures and the reporting of even minor incidents. Its role has been strengthened since 1996 (see later section). Every country which operates nuclear power plants has a nuclear safety inspectorate and all of these work closely with the IAEA.
While nuclear power plants are designed to be safe in their operation and safe in the event of any malfunction or accident, no industrial activity can be represented as entirely risk-free. Incidents and accidents may happen, and as in other industries, will lead to progressive improvement in safety.
Achieving safety: the record so far
Operational safety is a prime concern for those working in nuclear plants. Radiation doses are controlled by the use of remote handling equipment for many operations in the core of the reactor. Other controls include physical shielding and limiting the time workers spend in areas with significant radiation levels. These are supported by continuous monitoring of individual doses and of the work environment to ensure very low radiation exposure compared with other industries.
Concerning possible accidents, up to the early 1970s, some extreme assumptions were made about the possible chain of consequences. These gave rise to a genre of dramatic fiction (eg The China Syndrome) in the public domain and also some solid conservative engineering including containment structures (at least in Western reactor designs) in the industry itself. Licensing regulations were framed accordingly.
One mandated safety indicator is the calculated probable frequency of degraded core or core melt accidents. The US Nuclear Regulatory Commission (NRC) specifies that reactor designs must meet a 1 in 10,000 year core damage frequency, but modern designs exceed this. US utility requirements are 1 in 100,000 years, the best currently operating plants are about 1 in 1 million and those likely to be built in the next decade are almost 1 in 10 million. While this calculated core damage frequency has been one of the main metrics to assess reactor safety, European safety authorities prefer a deterministic approach, focusing on actual provision of back-up hardware, though they also undertake probabilistic safety analysis for core damage frequency.
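To make the core damage frequency (CDF) tiers above concrete, the following added example (not from the original paper) converts a per-reactor CDF into what it implies for a fleet: the expected number of core-damage events over a given number of reactor-years, the probability of at least one such event, and the exposure at which that probability reaches a chosen level. It assumes independent reactors with a constant CDF, so a Poisson model applies; the 14,500 reactor-years figure is the page's own cumulative operating experience, used here only as an illustrative exposure.

```python
import math

# CDF tiers quoted on the page, expressed per reactor-year.
CDF_TIERS = {
    "NRC requirement (1 in 10,000 yr)": 1e-4,
    "US utility requirement (1 in 100,000 yr)": 1e-5,
    "best operating plants (1 in 1 million yr)": 1e-6,
    "next-decade designs (1 in 10 million yr)": 1e-7,
}


def expected_core_damage_events(cdf, reactor_years):
    """Expected number of core-damage events over the given exposure (reactor-years)."""
    return cdf * reactor_years


def probability_at_least_one(cdf, reactor_years):
    """Poisson probability of one or more events over the exposure.

    Assumption: reactors fail independently at a constant rate `cdf`.
    """
    return 1.0 - math.exp(-cdf * reactor_years)


def reactor_years_for_probability(cdf, p):
    """Exposure (reactor-years) at which P(at least one event) reaches p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must lie strictly between 0 and 1")
    return -math.log(1.0 - p) / cdf


def fleet_summary(reactor_years=14_500):
    """Tabulate expected events and P(>=1 event) for each CDF tier over the exposure.

    Returns a dict keyed by tier label so callers can inspect the numbers.
    """
    summary = {}
    for label, cdf in CDF_TIERS.items():
        summary[label] = {
            "expected_events": expected_core_damage_events(cdf, reactor_years),
            "p_at_least_one": probability_at_least_one(cdf, reactor_years),
            "years_to_50pct": reactor_years_for_probability(cdf, 0.5),
        }
    return summary


if __name__ == "__main__":
    # Illustrative run over the page's 14,500 cumulative reactor-years.
    for label, row in fleet_summary().items():
        print(f"{label}: expected {row['expected_events']:.3f} events, "
              f"P(>=1) = {row['p_at_least_one']:.3%}, "
              f"50% reached after {row['years_to_50pct']:,.0f} reactor-years")
```

The point of the table is that a "1 in 10,000 year" figure is a per-reactor rate, not a promise about the fleet: at that rate the page's 14,500 reactor-years would make at least one core-damage event more likely than not, which is why utilities and new designs target one to three orders of magnitude lower.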
Even months after the Three Mile Island (TMI) accident in 1979 it was assumed that there had been no core melt because there were no indications of severe radioactive release even inside the containment. It turned out that in fact about half the core had melted. Until 2011 this remained the only core melt in a reactor conforming to NRC safety criteria, and the effects were contained as designed, without radiological harm to anyone.* Greifswald 5 in East Germany had a partial core melt in November 1989, due to malfunctioning valves (root cause: shoddy manufacture) and was never restarted. At Fukushima in 2011 (a different reactor design with penetrations in the bottom of the pressure vessel) the three reactor cores evidently largely melted in the first two or three days, but this was not confirmed for about ten weeks. It is still not certain how much of the core material was not contained by the pressure vessels and ended up in the bottom of the drywell containments, though certainly there was considerable release of radionuclides to the atmosphere early on, and later to cooling water**.
* About this time there was alarmist talk of the so-called "China Syndrome", a scenario where the core of such a reactor would melt, and due to continual heat generation, melt its way through the reactor pressure vessel and concrete foundations to keep going, perhaps until it reached China on the other side of the globe! The TMI accident proved the extent of truth in the proposition, and the molten core material got exactly 15 mm of the way to China as it froze on the bottom of the reactor pressure vessel. At Fukushima, cooling was maintained just long enough apparently to avoid testing the containment in this way.
** Ignoring isotopic differences, there are about one hundred different fission products in fuel which has been undergoing fission. A few of these are gases at normal temperatures, more are volatile at higher temperatures, and both will be released from the fuel if the cladding is damaged. The latter include iodine (easily volatilised, at 184°C) and caesium (671°C), which were the main radionuclides released at Fukushima, first into the reactor pressure vessel and then into the containment which in unit 2 apparently ruptured early on day 5. In addition, as cooling water was flushed through the hot core, soluble fission products such as caesium dissolved in it, which created the need for a large water treatment plant to remove them.
However, apart from these accidents and the Chernobyl disaster, there have been about ten core melt accidents, mostly in military or experimental reactors; Appendix 2 lists most of them. None resulted in any hazard outside the plant from the core melting, though in one case there was significant radiation release due to burning fuel in hot graphite (similar to Chernobyl but on a smaller scale). The Fukushima accident should also be considered in that context, since the fuel was badly damaged and there were significant off-site radiation releases.
Regulatory requirements today for new plants are that the effects of any core-melt accident must be confined to the plant itself, without the need to evacuate nearby residents.
The main safety concern has always been the possibility of an uncontrolled release of radioactive material, leading to contamination and consequent radiation exposure off-site. Earlier assumptions were that this would be likely in the event of a major loss of cooling accident (LOCA) which resulted in a core melt. The TMI experience suggested otherwise, but at Fukushima this is exactly what happened. In the light of better understanding of the physics and chemistry of material in a reactor core under extreme conditions it became evident that even a severe core melt coupled with breach of containment would be unlikely to create a major radiological disaster from many Western reactor designs, but the Fukushima accident showed that this did not apply to all. Studies of the post-accident situation at Three Mile Island (where there was no breach of containment) supported the suggestion, and analysis of Fukushima is pending.
Certainly the matter was severely tested with three reactors of the Fukushima Daiichi nuclear power plant in Japan in March 2011. Cooling was lost after a shutdown, and it proved impossible to restore it sufficiently to prevent severe damage to the fuel. The reactors, dating from 1971-75, were written off. A fourth is also written off due to damage from a hydrogen explosion.
An OECD/NEA report in 2010 pointed out that the theoretically-calculated frequency for a large release of radioactivity from a severe nuclear power plant accident has reduced by a factor of 1600 between the early Generation I reactors as originally built and the Generation III/III+ plants being built today. Earlier designs however have been progressively upgraded through their operating lives.
It has long been asserted that nuclear reactor accidents are the epitome of low-probability but high-consequence risks. Understandably, with this in mind, some people were disinclined to accept the risk, however low the probability. However, the physics and chemistry of a reactor core, coupled with but not wholly depending on the engineering, mean that the consequences of an accident are likely in fact to be much less severe than those from other industrial and energy sources. Experience, including Fukushima, bears this out.
At Chernobyl the kind of reactor and its burning contents which dispersed radionuclides far and wide tragically meant that the results were severe. This once and for all vindicated the desirability of designing with inherent safety supplemented by robust secondary safety provisions and avoiding that kind of reactor design. However, the problem here was not burning graphite as popularly quoted. The graphite was certainly incandescent as a result of fuel decay heat - sometimes over 1000°C - and some of it oxidised to carbon monoxide which burned along with the fuel cladding.
The use of nuclear energy for electricity generation can be considered extremely safe. Every year several thousand people die in coal mines to provide this widely used fuel for electricity. There are also significant health and environmental effects arising from fossil fuel use. To date, even the Fukushima accident has caused no deaths, and the IAEA reported on 1 June 2011: "to date, no health effects have been reported in any person as a result of radiation exposure."
In passing, it is relevant to note that the safety record of the US nuclear navy from 1955 on is excellent, this being attributed to a high level of standardisation in over one hundred naval power plants and in their maintenance, and the high quality of the Navy's training program. Until the 1980s, the Soviet naval record stood in marked contrast.
Achieving optimum nuclear safety
To achieve optimum safety, nuclear plants in the western world operate using a 'defence-in-depth' approach, with multiple safety systems supplementing the natural features of the reactor core. Key aspects of the approach are:
These can be summed up as: Prevention, Monitoring, and Action (to mitigate consequences of failures).
The safety provisions include a series of physical barriers between the radioactive reactor core and the environment, the provision of multiple safety systems, each with backup and designed to accommodate human error. Safety systems account for about one quarter of the capital cost of such reactors. As well as the physical aspects of safety, there are institutional aspects which are no less important - see following section on International Collaboration.
The barriers in a typical plant are: the fuel is in the form of solid ceramic (UO2) pellets, and radioactive fission products remain largely bound inside these pellets as the fuel is burned. The pellets are packed inside sealed zirconium alloy tubes to form fuel rods. These are confined inside a large steel pressure vessel with walls up to 30 cm thick - the associated primary water cooling pipework is also substantial. All this, in turn, is enclosed inside a robust reinforced concrete containment structure with walls at least one metre thick. This amounts to three significant barriers around the fuel, which itself is stable up to very high temperatures.
These barriers are monitored continually. The fuel cladding is monitored by measuring the amount of radioactivity in the cooling water. The high pressure cooling system is monitored by the leak rate of water, and the containment structure by periodically measuring the leak rate of air at about five times atmospheric pressure.
Looked at functionally, the three basic safety functions in a nuclear reactor are control of reactivity, cooling of the fuel, and confinement of radioactive material.
The main safety features of most reactors are inherent - negative temperature coefficient and negative void coefficient. The first means that beyond an optimal level, as the temperature increases the efficiency of the reaction decreases (this in fact is used to control power levels in some new designs). The second means that if any steam has formed in the cooling water there is a decrease in moderating effect so that fewer neutrons are able to cause fission and the reaction slows down automatically.
In the 1950s and '60s some experimental reactors in the Idaho desert were deliberately tested to destruction to verify that large reactivity excursions were self-limiting and would automatically shut down the fission reaction. These tests verified that this was the case.
Beyond the control rods which are inserted to absorb neutrons and regulate the fission process, the main engineered safety provisions are the back-up emergency core cooling system (ECCS) to remove excess heat (though it is more to prevent damage to the plant than for public safety) and the containment.
Traditional reactor safety systems are 'active' in the sense that they involve electrical or mechanical operation on command. Some engineered systems operate passively, eg pressure relief valves. Both require parallel redundant systems. Inherent or full passive safety design depends only on physical phenomena such as convection, gravity or resistance to high temperatures, not on functioning of engineered components. All reactors have some elements of inherent safety as mentioned above, but in some recent designs the passive or inherent features substitute for active systems in cooling etc. Such a design would have averted the Fukushima accident, where loss of electrical power resulted in loss of cooling function.
The basis of design assumes a threat where due to accident or malign intent (eg terrorism) there is core melting and a breach of containment. This double possibility has been well studied and provides the basis of exclusion zones and contingency plans. Apparently during the Cold War neither Russia nor the USA targeted the other's nuclear power plants because the likely damage would be modest.
Nuclear power plants are designed with sensors to shut them down automatically in an earthquake, and this is a vital consideration in many parts of the world. (see paper on Earthquakes)
The Three Mile Island accident in 1979 demonstrated the importance of the inherent safety features. Despite the fact that about half of the reactor core melted, radionuclides released from the melted fuel mostly plated out on the inside of the plant or dissolved in condensing steam. The containment building which housed the reactor further prevented any significant release of radioactivity. The accident was attributed to mechanical failure and operator confusion. The reactor's other protection systems also functioned as designed. The emergency core cooling system would have prevented any damage to the reactor but for the intervention of the operators.
Investigations following the accident led to a new focus on the human factors in nuclear safety. No major design changes were called for in western reactors, but controls and instrumentation were improved significantly and operator training was overhauled.
A 2007 US Department of Energy (DOE) Human Performance Handbook notes that "The aviation industry, medicine, the commercial nuclear power industry, the US Navy, DOE and its contractors, and other high-risk, technologically complex industries have adopted human performance principles, concepts, and practices to consciously reduce human error and bolster defences in order to reduce accidents and mishaps." "About 80 percent of all events are attributed to human error. In some industries, this number is closer to 90 percent. Roughly 20 percent of occurrences involve equipment failures. When the 80 percent human error is broken down further, it reveals that the majority of errors associated with events stem from latent organizational weaknesses (perpetrated by humans in the past that lie dormant in the system), whereas about 30 percent are caused by the individual worker touching the equipment and systems in the facility. Clearly, focusing efforts on reducing human error will reduce the likelihood of occurrences and events." Following the Fukushima accident the focus has been on the organisational weaknesses which increase the likelihood of human error.
By way of contrast to western safety engineering, the Chernobyl reactor did not have a containment structure like those used in the West or in post-1980 Soviet designs. The main positive outcome of this accident for the industry was the formation of the World Association of Nuclear Operators (WANO), building on the US precedent.
At Fukushima Daiichi in March 2011 the three operating reactors shut down automatically, and were being cooled as designed by the normal residual heat removal system using power from the back-up generators, until the tsunami swamped them an hour later. The emergency core cooling systems then failed. Days later, a separate problem emerged as spent fuel ponds lost water. Detailed analysis of the accident continues, but the main results include more attention being given to siting criteria and the design of back-up power and cooling, as well as provision for venting the containment of that kind of reactor and other emergency management procedures.
Nuclear plants have Severe Accident Mitigation Guidelines (SAMG, or in Japan: SAG), and most of these, including all those in the USA, address what should be done for accidents beyond design basis, and where several systems may be disabled.
In 2007 the US NRC launched a research program to assess the possible consequences of a serious reactor accident. Its draft report was released nearly a year after the Fukushima accident had partly confirmed its findings. The State-of-the-Art Reactor Consequences Analysis (SOARCA) showed that a severe accident at a US nuclear power plant (PWR or BWR) would not be likely to cause any immediate deaths, and the risks of fatal cancers would be vastly less than the general risks of cancer. SOARCA's main conclusions fall into three areas: how a reactor accident progresses; how existing systems and emergency measures can affect an accident's outcome; and how an accident would affect the public's health. The principal conclusion is that existing resources and procedures can stop an accident, slow it down or reduce its impact before it can affect the public, but even if accidents proceed without such mitigation they take much longer to happen and release much less radioactive material than earlier analyses suggested.
A different safety philosophy: Early Soviet-designed reactors
The April 1986 disaster at the Chernobyl nuclear power plant in the Ukraine was the result of major design deficiencies in the RBMK type of reactor, the violation of operating procedures and the absence of a safety culture. One peculiar feature of the RBMK design was that coolant failure could lead to a strong increase in power output from the fission process (positive void coefficient). However, this was not the prime cause of the Chernobyl accident.
The accident destroyed the reactor and killed 56 people, 28 of whom died within weeks from radiation exposure. It also caused radiation sickness in a further 200-300 staff and firefighters, and contaminated large areas of Belarus, Ukraine, Russia and beyond. It is estimated that at least 5% of the total radioactive material in the Chernobyl-4 reactor core was released from the plant, due to the lack of any containment structure. Most of this was deposited as dust close by. Some was carried by wind over a wide area.
About 130,000 people received significant radiation doses (i.e. above internationally accepted ICRP limits) and continue to be monitored. About 4000 cases of thyroid cancer in children have been linked to the accident. Most of these were curable, though about nine were fatal. No increase in leukaemia or other cancers has yet shown up, but some is expected. The World Health Organisation is closely monitoring most of those affected.
The Chernobyl accident was a unique event and the only time in the history of commercial nuclear power that radiation-related fatalities occurred.
The destroyed unit 4 was enclosed in a concrete shelter which now requires remedial work.
An OECD expert report on it concluded that "the Chernobyl accident has not brought to light any new, previously unknown phenomena or safety issues that are not resolved or otherwise covered by current reactor safety programs for commercial power reactors in OECD Member countries." In other words, the concept of 'defence in depth' was conspicuous by its absence, and tragically shown to be vitally important.
A broader picture - other past accidents
There have been a number of accidents in experimental reactors and in one military plutonium-producing reactor, including a number of core melts, but none of these has resulted in loss of life outside the actual plant, or long-term environmental contamination. Elsewhere (Safety of Nuclear Power info paper appendix) we tabulate these, along with the most serious commercial plant accidents. The list of ten probably corresponds to incidents rating 4 or higher on today’s International Nuclear Event Scale (Table 4). All except Browns Ferry and Vandellos involved damage to or malfunction of the reactor core. At Browns Ferry a fire damaged control cables and resulted in an 18-month shutdown for repairs; at Vandellos a turbine fire made the 17-year old plant uneconomic to repair.
Mention should be made of the accident to the US Fermi-1 prototype fast breeder reactor near Detroit in 1966. Due to a blockage in coolant flow, some of the fuel melted. However no radiation was released off-site and no-one was injured. The reactor was repaired and restarted but closed down in 1972.
The well-publicized criticality accident at Tokai Mura, Japan, in 1999 was at a fuel preparation plant for experimental reactors, and killed two workers from radiation exposure. Many other such criticality accidents have occurred, some fatal, and practically all in military facilities prior to 1980.
In an uncontained reactor accident such as at Windscale (a military facility) in 1957 and at Chernobyl in 1986 (and to some extent Fukushima in 2011), the principal health hazard is from the spread of radioactive materials, notably volatile fission products such as iodine-131 and caesium-137. These are biologically active, so that if consumed in food, they tend to stay in organs of the body. I-131 has a half-life of 8 days, so is a hazard for around the first month (and apparently gave rise to the thyroid cancers after the Chernobyl accident). Caesium-137 has a half-life of 30 years, and is therefore potentially a long-term contaminant of pastures and crops. In addition to these, there is caesium-134 which has a half-life of about two years. While measures can be taken to limit human uptake of I-131 (evacuation of the area for several weeks, iodide tablets), high levels of radioactive caesium can preclude food production from affected land for a long time. Other radioactive materials in a reactor core have been shown to be less of a problem because they are either not volatile (strontium, transuranic elements) or not biologically active (tellurium-132, xenon-133).
Accidents in any field of technology provide valuable knowledge enabling incremental improvement in safety beyond the original engineering. Cars and airliners are the most obvious examples of this, but the chemical and oil industries can provide even stronger evidence. Civil nuclear power has greatly improved its safety in both engineering and operation over its 55 years of experience with very few accidents and major incidents to spur that improvement. The Fukushima Daiichi accident is the first since Three Mile Island in 1979 which will have significant implications, at least for older plants.
Scrams, seismic shutdowns
A scram is a sudden reactor shutdown. When a reactor is scrammed, automatically due to seismic activity, or due to some malfunction, or manually for whatever reason, the fission reaction generating the main heat stops. However, considerable heat continues to be generated by the radioactive decay of the fission products in the fuel. Initially, for a few minutes, this is great - about 7% of the pre-scram level. But it drops to about 1% of the normal heat output after two hours, to 0.5% after one day, and 0.2% after a week. Even then it must still be cooled, but simply being immersed in a lot of water does most of the job after some time. When the water temperature is below 100°C at atmospheric pressure the reactor is said to be in "cold shutdown".
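The decay-heat figures in the paragraph above translate directly into a cooling requirement, which is what the Fukushima "loss of cooling function" was about. The following added example (not from the original paper) interpolates the page's four data points on a log-log scale, converts the fraction into megawatts for a hypothetical 3000 MWt reactor, and estimates how much water would boil away if nothing but evaporation removed that heat. Assumptions: the "initially, for a few minutes, about 7%" figure is anchored at one minute after scram; the latent heat of vaporisation of water is taken as 2.26 MJ/kg; the interpolation form is a modelling choice, not a formula from the page.

```python
import math

# Decay heat after scram, from the page: (seconds after scram, fraction of pre-scram thermal power).
# The first point anchors "about 7% for a few minutes" at t = 1 minute (assumption).
DECAY_HEAT_POINTS = [
    (60.0, 0.07),             # ~1 minute
    (2 * 3600.0, 0.01),       # 2 hours
    (24 * 3600.0, 0.005),     # 1 day
    (7 * 24 * 3600.0, 0.002), # 1 week
]

LATENT_HEAT_J_PER_KG = 2.26e6  # latent heat of vaporisation of water at 100°C, 1 atm (approx.)


def decay_heat_fraction(t_seconds):
    """Fraction of pre-scram thermal power still produced at t seconds after scram.

    Log-log interpolation between the page's data points, clamped to the end values
    outside the tabulated range (before 1 minute and after 1 week).
    """
    if t_seconds <= DECAY_HEAT_POINTS[0][0]:
        return DECAY_HEAT_POINTS[0][1]
    if t_seconds >= DECAY_HEAT_POINTS[-1][0]:
        return DECAY_HEAT_POINTS[-1][1]
    for (t0, f0), (t1, f1) in zip(DECAY_HEAT_POINTS, DECAY_HEAT_POINTS[1:]):
        if t0 <= t_seconds <= t1:
            x = (math.log(t_seconds) - math.log(t0)) / (math.log(t1) - math.log(t0))
            return math.exp(math.log(f0) + x * (math.log(f1) - math.log(f0)))
    raise AssertionError("unreachable: t_seconds lies within the tabulated range")


def decay_heat_mw(thermal_power_mw, t_seconds):
    """Decay heat in MW for a reactor of the given pre-scram thermal power."""
    return thermal_power_mw * decay_heat_fraction(t_seconds)


def boil_off_rate_kg_per_s(thermal_power_mw, t_seconds):
    """Water evaporated per second if decay heat is removed only by boiling water at 100°C."""
    return decay_heat_mw(thermal_power_mw, t_seconds) * 1e6 / LATENT_HEAT_J_PER_KG


def water_boiled_tonnes(thermal_power_mw, t_start, t_end, step=60.0):
    """Total water (tonnes) boiled off between t_start and t_end, by midpoint-rule integration."""
    total_kg = 0.0
    t = t_start
    while t < t_end:
        dt = min(step, t_end - t)
        total_kg += boil_off_rate_kg_per_s(thermal_power_mw, t + dt / 2) * dt
        t += dt
    return total_kg / 1000.0


if __name__ == "__main__":
    P = 3000.0  # hypothetical reactor, MW thermal
    for label, t in [("1 min", 60), ("1 hour", 3600), ("2 hours", 7200),
                     ("1 day", 86400), ("1 week", 7 * 86400)]:
        print(f"{label:>8}: {decay_heat_mw(P, t):7.1f} MW decay heat, "
              f"{boil_off_rate_kg_per_s(P, t):6.1f} kg/s boil-off")
    print(f"water boiled in first day: {water_boiled_tonnes(P, 60, 86400):,.0f} tonnes")
```

Even a day after scram the hypothetical plant still sheds about 15 MW, which boils off roughly 6.6 kg of water every second; that is why make-up water and a working heat sink matter far longer than the few hours that back-up batteries last, and why the "cliff edge" at battery exhaustion discussed under the stress tests is so important.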
European "stress tests" and US response following Fukushima accident
Assessment of the aspects of nuclear plant safety highlighted by the Fukushima accident is being applied to the 143 nuclear reactors in the EU's 27 member states, as well as those in any neighbouring states that have decided to take part. These comprehensive and transparent risk and safety assessments, the so-called "stress tests", involved targeted reassessment of each power reactor's safety margins in the light of extreme natural events such as earthquakes and flooding, as well as of loss of safety functions and severe accident management following any initiating event. The Western European Nuclear Regulators' Association (WENRA) proposed these in response to a call from the European Council in March 2011, and developed specifications. WENRA is a network of Chief Regulators of EU countries with nuclear power plants and Switzerland, and has membership from 17 countries. It then negotiated the scope of the tests with the European Nuclear Safety Regulators Group (ENSREG), an independent, authoritative expert body created in 2007 by the European Commission comprising senior officials from the national nuclear safety, radioactive waste safety or radiation protection regulatory authorities from all 27 EU member states, and representatives of the European Commission.
The reassessment of safety margins is based on the existing safety studies and engineering judgment to evaluate the behaviour of a nuclear power plant when facing a set of challenging situations. For a given plant, the reassessment reports on the most probable behaviour of the plant for each of the situations considered.
The results of the reassessment were peer-reviewed and shared among regulators. They may indicate a need for additional technical or organisational safety provisions. WENRA noted that it remains a national responsibility to take any appropriate measures resulting from the reassessment.
The scope of the assessment takes into account the issues that have been directly highlighted by the events in Fukushima and the possibility for combination of initiating events. Two 'initiating events' are covered in the scope: earthquake and flooding. The consequences of these - loss of electrical power and station blackout, loss of ultimate heat sink and the combination of both - are analysed, with the conclusions being applicable to other general emergency situations. In accident scenarios, regulators consider power plants' means to protect against and manage loss of core cooling as well as cooling of used fuel in storage. They also study means to protect against and manage loss of containment integrity and core melting, including consequential effects such as hydrogen accumulation.Nuclear plant operators start by documenting each power plant site. This analysis of 'extreme scenarios' follows what ENSREG called a progressive approach "in which protective measures are sequentially assumed to be defeated" from starting conditions which "represent the most unfavourable operational states." The operators have to explain their means to maintain "the three fundamental safety functions (control of reactivity, fuel cooling confinement of radioactivity)" and support functions for these, "taking into account the probable damage done by the initiating event." The documents have to cover provisions in the plant design basis for these events and the strength of the plant beyond its design basis. This means the "design margins, diversity, redundancy, structural protection and physical separation of the safety relevant systems, structures and components and the effectiveness of the defence-in-depth concept." This has to put focus on 'cliff-edge' effects, e.g. when back-up batteries are exhausted and station blackout is inevitable. 
For severe accident management scenarios they must identify the time before fuel damage is unavoidable and the time before water begins boiling in used fuel ponds and before fuel damage occurs. Measures to prevent hydrogen explosions and fires are to be part of this.
Since the licensee has the prime responsibility for safety, it is up to the licensees to perform the reassessments, and the regulatory bodies then independently review them.
The exercise covers 147 nuclear plants in 15 EU countries - including Lithuania with only decommissioned plants - plus 15 reactors in Ukraine and five in Switzerland.
Operators reported to their regulators who then reported progress to the European Commission by the end of 2011. Information was shared among regulators throughout this process before the 17 final reports went to peer-review by teams comprising 80 experts appointed by ENSREG and the European Commission. The final documents will be published in line with national law and international obligations, provided this does not jeopardise security - an area where each country may behave differently. The process was to be finished in April 2012, but has been extended to June to allow more plant visits and to add more information on the potential effect of aircraft impacts. Drawing on the peer reviews, in April the EC and ENSREG cited four main areas for improving EU nuclear plant safety:
- guidance from WENRA for assessing natural hazards and margins beyond design basis;
- more importance to periodic safety reviews and evaluation of natural hazards;
- urgent measures to protect containment integrity; and
- measures to prevent and mitigate accidents resulting from extreme natural hazards.
In June 2011 the governments of seven non-EU countries agreed to conduct nuclear reactor stress tests using the EU model. Armenia, Belarus, Croatia, Russia, Switzerland, Turkey and Ukraine signed a declaration that they would conduct stress tests and agreed to peer reviews of the tests by outside experts. Russia had already undertaken extensive checks. (Croatia is co-owner in the Krsko PWR in Slovenia, and Belarus and Turkey plan to build nuclear plants but have none now.)
Progress reports were submitted in mid September 2011, and the national safety regulators are assessing them. Final reports from licensees are due at the end of October and final national reports are due at the end of the year. In the case of the UK and France at least, none has indicated any fundamental weaknesses in the design and resilience of the plants.
In the USA the Nuclear Regulatory Commission (NRC) in March 2012 issued orders for immediate post-Fukushima safety enhancements, likely to cost about $100 million across the whole US fleet. The first order requires the addition of equipment at all plants to help respond to the loss of all electrical power and the loss of the ultimate heat sink for cooling, as well as maintaining containment integrity. Another requires improved water level and temperature instrumentation on used fuel ponds. The third order applies only to the 33 BWRs with early containment designs, and will require 'reliable hardened containment vents' which work under any circumstances. The measures are supported by the industry association, which has also proposed setting up about six regional emergency response centres under NRC oversight with additional portable equipment.
Severe Accident Management
In addition to engineering and procedures which reduce the risk and severity of accidents, all plants have guidelines for Severe Accident Management or Mitigation (SAM). These conspicuously came into play after the Fukushima accident, where staff faced immense challenges in the absence of power and with disabled cooling systems following damage done by the tsunami. The experience following that accident is being applied not only in design but also in such guidelines, and peer reviews of nuclear plants will focus more on these than previously.
In mid 2011 the IAEA Incident and Emergency Centre launched a new secure web-based communications platform to unify and simplify information exchange during nuclear or radiological emergencies. The Unified System for Information Exchange on Incidents and Emergencies (USIE) had been under development since 2009 but was actually launched during the emergency response to the accident at Fukushima.
Earthquakes and Volcanoes
The International Atomic Energy Agency (IAEA) has a Safety Guide on Seismic Risks for Nuclear Power Plants, and the matter is dealt with in the WNA paper on Earthquakes and Nuclear Power Plants.
Volcanic hazards are minimal for practically all nuclear plants, but the IAEA has developed a new Safety Guide on the matter. The Bataan plant in the Philippines, which has never operated, and the Armenian plant at Metsamor are two known to be in proximity to potential volcanic activity.
Flooding - storms, tides and tsunamis
Nuclear plants are usually built close to water bodies, for the sake of cooling. The site licence takes account of worst case flooding scenarios as well as other possible natural disasters and, more recently, the possible effects of climate change. As a result, all the buildings with safety-related equipment are situated on platforms high enough that they stand above submerged areas in case of flooding events. As an example, French Safety Rules criteria for river sites define the safe level as above the flood level likely to be reached once in one thousand years, plus 15%, with similar criteria regarding tides for coastal sites.
Occasionally in the past some buildings have been sited too low, leaving them vulnerable to flood or to tidal and storm surge, so engineered countermeasures have been built. EDF's Blayais nuclear plant in western France uses seawater for cooling and the plant itself is protected from storm surge by dykes. However, in 1999 a 2.5 m storm surge in the estuary overtopped the dykes - which had already been identified as a weak point and scheduled for a later upgrade - and flooded one pumping station. For security reasons it was decided to shut down the three reactors then under power (the fourth was already stopped in the course of normal maintenance). This incident was rated 2 on the INES scale.
In 1994 the Kakrapar nuclear power plant near the west coast of India was flooded due to heavy rains together with failure of weir control for an adjoining water pond, inundating turbine building basement equipment. Since the offsite power supply failed, the back-up diesel generators on site enabled core cooling using fire water, a backup to process water. Following this, multiple flood barriers were provided at all entry points, inlet openings below design flood level were sealed and emergency operating procedures were updated. In December 2004 the Madras NPP and Kalpakkam PFBR site on the east coast of India was flooded by a tsunami surge originating off Sumatra. Construction of the Kalpakkam plant was just beginning, but the Madras plant shut down safely and maintained cooling. Nevertheless, recommendations including an early warning system for tsunami and provision of additional cooling water sources for longer duration cooling were implemented.
In March 2011 the Fukushima Daiichi nuclear plant was affected seriously by a huge tsunami induced by the Great East Japan Earthquake. Three of the six reactors were operating at the time, and had shut down automatically due to the earthquake. The back-up diesel generators for those three units were then swamped by the tsunami. This cut power supply and led to weeks of drama and loss of the reactors. The design basis tsunami height was 5.7 m for Daiichi (and 5.2 m for adjacent Daini, which was actually set a bit higher above sea level). Tsunami heights coming ashore were about 14 metres for both plants. Unit 3 of Daini was undamaged and continued to cold shutdown status, but the other units suffered flooding to pump rooms where equipment transfers heat from the reactor circuit to the sea - the ultimate heat sink.
The maximum amplitude of this tsunami was 23 metres at point of origin, about 160 km from Fukushima. In the last century there had been eight tsunamis in the Japan region with maximum amplitudes above 10 metres (some much more), these having arisen from earthquakes of magnitude 7.7 to 8.4, on average one every 12 years. Those in 1983 and in 1993 were the most recent affecting Japan, with maximum heights of 14.5 metres and 31 metres respectively, both induced by magnitude 7.7 earthquakes. The 2011 earthquake was magnitude 9.
For low-lying sites, civil engineering and other measures are normally taken to make nuclear plants resistant to flooding. Lessons from Blayais have fed into regulatory criteria since 2000, and those from Fukushima will certainly do so. Sea walls are being built or raised at the Hamaoka, Shimane, Mihama, Ohi, Takahama, Onagawa and Higashidori plants. However, few parts of the world have the same tsunami potential as Japan, and for the Atlantic and Mediterranean coasts of Europe the maximum amplitude is much less than for Japan.
Hydrogen
In any light-water nuclear power reactor, hydrogen is formed by radiolytic decomposition of water. This needs to be dealt with to avoid the potential for explosion with oxygen present, and many reactors have been retrofitted with passive autocatalytic hydrogen recombiners in their containment, replacing external recombiners that needed to be connected and powered, isolated behind radiological barriers. Also in some kinds of reactors, particularly early boiling water types, the containment is rendered inert by injection of nitrogen. It was reported that WANO may require all operators to have hydrogen recombiners in PWRs. As of early 2012, a few in Spain and Japan did not have them.
In an accident situation such as at Fukushima where the fuel became very hot, a lot of hydrogen is formed by the oxidation of zirconium fuel cladding in steam at about 1300°C. This is beyond the capability of the normal hydrogen recombiners to deal with, and operators must rely on venting to atmosphere or inerting the containment with nitrogen.
There is a great deal of international cooperation on nuclear safety issues, in particular the exchange of operating experience under the auspices of the World Association of Nuclear Operators (WANO) which was set up in 1989. In practical terms this is the most effective international means of achieving very high levels of safety through its four major programs: peer reviews; operating experience; technical support and exchange; and professional and technical development. WANO peer reviews are the main proactive way of sharing experience and expertise, and by the end of 2009 every one of the world's commercial nuclear power plants had been peer-reviewed at least once. Following the Fukushima accident these have been stepped up to one every four years at each plant, with follow-up visits in between, and the scope extended from operational safety to include plant design upgrades. Pre-startup reviews of new plants are being increased. See also: paper on Cooperation in Nuclear Power Industry.
The IAEA Convention on Nuclear Safety (CNS) was drawn up during a series of expert level meetings from 1992 to 1994 and was the result of considerable work by Governments, national nuclear safety authorities and the IAEA Secretariat. Its aim is to legally commit participating States operating land-based nuclear power plants to maintain a high level of safety by setting international benchmarks to which States would subscribe.
The obligations of the Parties are based to a large extent on the principles contained in the IAEA Safety Fundamentals document The Safety of Nuclear Installations. These obligations cover for instance, siting, design, construction, operation, the availability of adequate financial and human resources, the assessment and verification of safety, quality assurance and emergency preparedness.
The Convention is an incentive instrument. It is not designed to ensure fulfillment of obligations by Parties through control and sanction, but is based on their common interest in achieving higher levels of safety. These levels are defined by international benchmarks developed and promoted through regular meetings of the Parties. The Convention obliges Parties to report on the implementation of their obligations for international peer review. This mechanism is the main innovative and dynamic element of the Convention. Under the Operational Safety Review Team (OSART) program, dating from 1982, international teams of experts conduct in-depth reviews of operational safety performance at a nuclear power plant. They review emergency planning, safety culture, radiation protection, and other areas. OSART missions are at the request of the government and involve staff from regulators, in these respects differing from WANO peer reviews.
The Convention entered into force in October 1996. As of September 2009, there were 79 signatories to the Convention, 66 of which are contracting parties, including all countries with operating nuclear power plants.
The IAEA General Conference unanimously endorsed the Action Plan on Nuclear Safety that Ministers requested in June. The plan arises from intensive consultations with Member States but not with industry, and is described as both a rallying point and a blueprint for strengthening nuclear safety worldwide. It contains suggestions to make nuclear safety more robust and effective than before, without removing the responsibility from national bodies and governments. It aims to ensure "adequate responses based on scientific knowledge and full transparency". Apart from strengthened and more frequent IAEA peer reviews (including those of regulatory systems), most of the 12 recommended actions are to be undertaken by individual countries and are likely to be well in hand already.
In relation to Eastern Europe particularly, since the late 1980s a major international program of assistance was carried out by the OECD, IAEA and Commission of the European Communities to bring early Soviet-designed reactors up to near western safety standards, or at least to effect significant improvements to the plants and their operation. The European Union also brought pressure to bear, particularly in countries which aspired to EU membership.
Modifications were made to overcome deficiencies in the 11 RBMK reactors still operating in Russia. Among other things, these removed the danger of a positive void coefficient response. Automated inspection equipment has also been installed in these reactors.
The other class of reactors which has been the focus of international attention for safety upgrades is the first-generation of pressurised water VVER-440 reactors. The V-230 model was designed before formal safety standards were issued in the Soviet Union and they lack many basic safety features. Four are still operating in Russia and one in Armenia, under close inspection.
Later Soviet-designed reactors are very much safer and have Western control systems or the equivalent, along with containment structures.
Ageing of nuclear plants
Several issues arise in prolonging the lives of nuclear plants which were originally designed for 30 or 40-year operating lives. Systems, structures and components (SSC) whose characteristics change gradually with time or use are the subject of attention.
Some components simply wear out, corrode or degrade to a low level of efficiency. These need to be replaced. Steam generators are the most prominent and expensive of these, and many have been replaced after about 30 years where the reactor otherwise has the prospect of running for 60 years. This is essentially an economic decision. Lesser components are more straightforward to replace as they age, and some may be safety-related as well as economic. In Candu reactors, pressure tube replacement has been undertaken on some older plants, after some 30 years of operation.
A second issue is that of obsolescence. For instance, older reactors have analogue instrument and control systems, and a question must be faced regarding whether these are replaced with digital in a major mid-life overhaul, or simply maintained.
Thirdly, the properties of materials may degrade with age, particularly with heat and neutron irradiation. In some early Russian pressurized water reactors, the pressure vessel is relatively narrow and is thus subject to greater neutron bombardment than a wider one. This raises questions of embrittlement, and has had to be checked carefully before extending licences.
In respect to all these aspects, periodic safety reviews are undertaken on older plants in line with the IAEA safety convention and WANO's safety culture principles to ensure that safety margins are maintained.
Equipment performance is constantly monitored to identify faults and failures of components. Preventative maintenance is adapted and scheduled in the light of this, to ensure that the overall availability of systems important for both safety and plant availability is within the design basis, or better than the original design basis. Collecting reliability and performance data, and analysing them, is of the utmost importance for tracking indicators that might be signs of ageing, or indicative of potential problems having been under-estimated, or of new problems. The results of this monitoring and analysis are often shared industry-wide through INPO and WANO networks. The use of probabilistic safety analysis makes possible risk-informed decisions regarding maintenance and monitoring programs, so that adequate attention is given to the health of every piece of equipment in the plant. This process is similar to that in other industries where safety is paramount, e.g. aviation. Reliability Centered Maintenance, for instance, was adapted from civil aviation in the 1980s and led to a nuclear industry review of existing maintenance programs.
In the USA most of the more than one hundred reactors are expected to be granted licence extensions from 40 to 60 years. This justifies significant capital expenditure in upgrading systems and components, including building in extra performance margins. There is widespread agreement that further extensions may be justified, and this prospect is driving research on ageing to ensure both safety and reliability in older plants.
The IAEA has a safety knowledge base for ageing and long-term operation of nuclear power plants (SKALTO) which aims to develop a framework for sharing information on ageing management and long term operation of nuclear power plants. It provides published documents and information related to this.
Reporting nuclear incidents
The International Nuclear Event Scale (INES) was developed by the IAEA and OECD in 1990 to communicate and standardise the reporting of nuclear incidents or accidents to the public. The scale runs from a zero event with no safety significance to 7 for a "major accident" such as Chernobyl. Three Mile Island rated 5, as an "accident with off-site risks" though no harm to anyone, and a level 4 "accident mainly in installation" occurred in France in 1980, with little drama. Another accident rated at level 4 occurred in a fuel processing plant in Japan in September 1999. Other accidents have been in military plants.
[Figure: The International Nuclear Event Scale - for prompt communication of safety significance. Source: International Atomic Energy Agency]
Since the World Trade Centre attacks in New York in 2001 there has been concern about the consequences of a large aircraft being used to attack a nuclear facility with the purpose of releasing radioactive materials. Various studies have looked at similar attacks on nuclear power plants. They show that nuclear reactors would be more resistant to such attacks than virtually any other civil installations - see Appendix 3. A thorough study was undertaken by the US Electric Power Research Institute (EPRI) using specialist consultants and paid for by the US Dept. of Energy. It concludes that US reactor structures "are robust and (would) protect the fuel from impacts of large commercial aircraft".
The analyses used a fully-fuelled Boeing 767-400 of over 200 tonnes as the basis, at 560 km/h - the maximum speed for precision flying near the ground. The wingspan is greater than the diameter of reactor containment buildings and the 4.3 tonne engines are 15 metres apart. Hence analyses focused on single engine direct impact on the centreline - since this would be the most penetrating missile - and on the impact of the entire aircraft if the fuselage hit the centreline (in which case the engines would ricochet off the sides). In each case no part of the aircraft or its fuel would penetrate the containment. Other studies have confirmed these findings.
Penetrating (even relatively weak) reinforced concrete requires multiple hits by high speed artillery shells or specially-designed "bunker busting" ordnance - both of which are well beyond what terrorists are likely to deploy. Thin-walled, slow-moving, hollow aluminum aircraft, hitting containment-grade heavily-reinforced concrete disintegrate, with negligible penetration. But further (see Sept 2002 Science paper and Jan 2003 Response & Comments), realistic assessments from decades of analyses, lab work and testing, find that the consequence of even the worst realistic scenarios - core melting and containment failure - can cause few if any deaths to the public, regardless of the scenario that led to the core melt and containment failure. This conclusion was documented in a 1981 EPRI study, reported and widely circulated in many languages, by Levenson and Rahn in Nuclear Technology.
In 1988 Sandia National Laboratories in the USA demonstrated the unequal distribution of energy absorption that occurs when an aircraft impacts a massive, hardened target. The test involved a rocket-propelled F4 Phantom jet (about 27 tonnes, with both engines close together in the fuselage) hitting a 3.7 m thick slab of concrete at 765 km/h. This was to see whether a proposed Japanese nuclear power plant could withstand the impact of a heavy aircraft. It showed how most of the collision energy goes into the destruction of the aircraft itself - about 96% of the aircraft's kinetic energy went into its destruction and some penetration of the concrete, while the remaining 4% was dissipated in accelerating the 700-tonne slab. The maximum penetration of the concrete in this experiment was 60 mm, but comparison with a fixed reactor containment needs to take account of the 4% of energy transmitted to the slab.
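As an added illustration, not part of the original article, the 96%/4% split quoted above can be recovered from momentum conservation alone, assuming the slab is free to move and the impact is treated as a perfectly inelastic collision in which the aircraft wreckage ends up moving with the slab. With $m$ the aircraft mass, $M$ the slab mass, $v$ the impact speed and $v'$ the common speed after impact:

$$m v = (m + M)\, v' \quad\Rightarrow\quad v' = \frac{m\, v}{m + M}$$

$$\frac{E_{\text{slab}}}{E_0} = \frac{\tfrac{1}{2}(m + M)\, v'^2}{\tfrac{1}{2} m\, v^2} = \frac{m}{m + M}$$

Using the figures given for the test, $m = 27$ t and $M = 700$ t:

$$\frac{E_{\text{slab}}}{E_0} = \frac{27}{727} \approx 0.037$$

so roughly 4% of the kinetic energy goes into accelerating the slab and the remaining 96% must be absorbed by crushing the aircraft and by the shallow penetration of the concrete, consistent with the reported result. The initial kinetic energy itself, with $v = 765$ km/h $\approx 212.5$ m/s, is

$$E_0 = \tfrac{1}{2} \times 27{,}000 \text{ kg} \times (212.5 \text{ m/s})^2 \approx 6.1 \times 10^{8} \text{ J}$$

For a containment building anchored to the ground, $M$ is effectively unbounded and the slab fraction $m/(m+M)$ tends to zero, so all of the energy goes into the aircraft and the local concrete damage; that is why the comparison with a fixed containment has to add back the 4% transmitted to the movable slab.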
Much of the radioactive material would stick to surfaces inside the containment or become soluble salts that remain in the damaged containment building. Some radioactive material would nonetheless enter the environment some hours after the attack in this extreme scenario and affect areas up to several kilometres away. The extent and timing of this means that with walking-pace evacuation inside this radius it would not be a major health risk. However it could leave areas contaminated and hence displace people in the same way as a natural disaster, giving rise to economic rather than health consequences.
Looking at spent fuel storage pools, similar analyses showed no breach. Dry storage and transport casks retained their integrity. "There would be no release of radionuclides to the environment".
Similarly, the massive structures mean that any terrorist attack, even one inside a plant (plants are well defended), causing loss of cooling, core melting and breach of containment would not result in any significant radioactive releases.
However, while the main structures are robust, the 2001 attacks did lead to increased security requirements and plants were required by NRC to install barriers, bulletproof security stations and other physical modifications which in the USA are estimated by the industry association to have cost some $2 billion across the country.
See also Science magazine article 2002 and Appendix 3.
Switzerland's Nuclear Safety Inspectorate studied a similar scenario and reported in 2003 that the danger of any radiation release from such a crash would be low for the older plants and extremely low for the newer ones.
The conservative design criteria which caused most power reactors to be shrouded by massive containment structures with biological shield has provided peace of mind in a suicide terrorist context. Ironically and as noted earlier, with better understanding of what happens in a core melt accident inside, they are now seen to be not nearly as necessary in that accident mitigation role as was originally assumed.
Advanced reactor designs
The designs for nuclear plants being developed for implementation in coming decades contain numerous safety improvements based on operational experience. The first two of these advanced reactors began operating in Japan in 1996.
One major feature they have in common (beyond safety engineering already standard in Western reactors) is passive safety systems, requiring no operator intervention in the event of a major malfunction.
The main metric used to assess reactor safety is the likelihood of the core melting due to loss of coolant. These new designs are one or two orders of magnitude less likely than older ones to suffer a core melt accident, but the significance of that is more for the owner and operator than the neighbours, who - as Three Mile Island and Fukushima showed - are safe also with older types. (As mentioned in the box above, studies related to the 1970s plants in the USA show that even with a breach of containment as well, the consequences would not be catastrophic.)
Safety relative to other energy sources
Many occupational accident statistics have been generated over the last 40 years of nuclear reactor operations in the US and UK. These can be compared with those from coal-fired power generation. All show that nuclear is a distinctly safer way to produce electricity.
Deaths from energy-related accidents per unit of electricity
Coal-fired power generation has chronic, rather than acute, safety implications for public health. It also has profound safety implications for the mining of coal, with thousands of workers killed each year in coal mines (see Appendix).
Hydro power generation has a record of few but very major events causing thousands of deaths. In 1975 when the Banqiao, Shimantan & other dams collapsed in Henan, China, at least 30,000 people were killed immediately and some 230,000 overall, with 18 GWe lost. In 1979 and 1980 in India some 3500 were killed by two hydro-electric dam failures, and in 2009 in Russia 75 were killed by a hydro power plant turbine disintegration.
Three simple sets of figures are quoted in the tables below and in the appendix. A major reason for coal's unfavourable showing is the huge amount which must be mined and transported to supply even a single large power station. Mining and multiple handling of so much material of any kind involves hazards, and these are reflected in the statistics.
Comparison of accident statistics in primary energy production (electricity generation accounts for about 40% of total primary energy)
* Basis: per million MWe operating for one year, not including plant construction, based on historic data which is unlikely to represent current safety levels in any of the industries concerned.
Sources: Ball, Roberts & Simpson, 1994; Hirschberg et al, Paul Scherrer Institut 1996, in: IAEA 1997; Paul Scherrer Institut, 2001.
Sources:
IAEA
Ball, Roberts & Simpson, Research Report #20, Centre for Environmental & Risk Management, University of East Anglia, 1994.
IAEA 2005, Chernobyl Forum report: Chernobyl's Legacy: Health, Environmental and Socio-Economic Impacts.
IAEA 1997, Sustainable Development and Nuclear Power.
Paul Scherrer Institut 2001, Severe Accidents in the Energy Sector.
Twilley R C 2002, Framatome ANP's SWR1000 reactor design, Nuclear News, Sept.
EPRI Dec 2002 report, Deterring Terrorism: Aircraft Crash Impact Analyses Demonstrate Nuclear Power Plant's Structural Strength, on NEI web site.
Chapin D.M., Levenson M., Pate Z.P., Rockwell T et al 2002, Nuclear Power Plants and their Fuel as Terrorist Targets, Science, Sept 2002; with Letters & Response, Science 10 Jan 2003.
Levenson, M. & Rahn, F. 1981, Realistic Estimates of the Consequences of Nuclear Accidents, Nuclear Technology 53:99-110, ANS, May 1981.
Stoiber, Carl 2007, World Nuclear University Summer Institute.
OECD/NEA 2010, Comparing Nuclear Accident Risks with those from other energy sources. NEA No. 6861.
© World Nuclear Association. All Rights Reserved 'Promoting the peaceful worldwide use of nuclear power as a sustainable energy resource'