ML19308B969

Rept to American Physical Society by Study Group on LWR Safety
ML19308B969
Person / Time
Site: Crane
Issue date: 04/28/1975
From: Budnitz R, Castleman A, Lewis H
BROOKHAVEN NATIONAL LABORATORY, CALIFORNIA, UNIV. OF, SANTA BARBARA, CA, LAWRENCE LIVERMORE NATIONAL LABORATORY
To:
References
TASK-TF, TASK-TMR EN-43893, NUDOCS 8001170710


Text


REPORT TO THE AMERICAN PHYSICAL SOCIETY

BY THE STUDY GROUP ON LIGHT-WATER REACTOR SAFETY

28 April 1975

H. W. Lewis (Chairman), University of California, Santa Barbara

R. J. Budnitz, Lawrence Berkeley Laboratory

A. W. Castleman, Brookhaven National Laboratory

D. E. Dorfan, University of California, Santa Cruz

F. C. Finlayson, Aerospace Corporation

R. L. Garwin, International Business Machines Corporation

L. C. Hebel, Xerox Corporation

S. M. Keeny, Jr., The MITRE Corporation

R. A. Muller, University of California, Berkeley

T. B. Taylor, International Research and Technology Corporation

G. F. Smoot, University of California, Berkeley

F. von Hippel, Princeton University

APS Council Review Committee:

Hans Bethe, Cornell University

W. K. H. Panofsky, Stanford Linear Accelerator Center

V. F. Weisskopf, Massachusetts Institute of Technology

Supported by the National Science Foundation and the Atomic Energy Commission.

Contract EN-43893.

To be published in the Reviews of Modern Physics.


FOREWORD AND ACKNOWLEDGEMENTS

The American Physical Society has engaged over the past few years in activities beyond those traditional for the Society. In 1973 the Society explored mechanisms by which it could contribute to the alleviation of the energy crisis. In addition to other activities, it was decided to sponsor a study of reactor safety, an important subject with substantial scientific and technological content. This is the report of that year-long study by a dozen part-time participants with various levels of prior experience in the reactor field. The group met in Los Alamos during the month of August, 1974, and also had approximately a dozen two-day meetings, many phone calls, and much correspondence.

The group is grateful to all the genuine experts who gave liberally of their time in educating us about this intricate subject. In turn, we hope that our report will help inform the scientific and technical community about some of the technical issues of reactor safety.

We particularly acknowledge the contributions of S. Johnson, G. Brockett, and P. Davis, who served as consultants and who provided continuing support to our Study. Their patient exposition of the fine points of reactor design, operation and regulation was invaluable.

We also particularly acknowledge the contributions of D. H. Coward, who helped organize the group, and of H. A. Bethe, W. K. H. Panofsky, and V. F. Weisskopf, who served as the APS Council Review Committee.

The cooperation of the reactor community and of experts in related fields such as biological effects of radiation was outstanding, and we acknowledge the help of the many representatives of the vendors, reactor designers, safety analysts, and others who provided us with information. In particular, members of the staffs of the AEC* Division of Reactor Safety Research and of the AEC Directorate of Licensing gave willingly of their time and resources; the individuals involved are too numerous to mention by name. Also, the group is grateful for briefings and cooperation from all four American vendors of light-water reactors: Babcock & Wilcox, Combustion Engineering, General Electric, and Westinghouse. It is fair to say that we do not feel that we have been excluded from any information necessary to our task.**

We were fortunate that early in our study, we were given copies in preliminary draft of the AEC-sponsored study of reactor safety (chaired by Professor Norman Rasmussen of M.I.T., and known as WASH-1400). WASH-1400 is a detailed event-tree and fault-tree analysis of light-water reactor accident sequences. Its purpose was to make a quantitative estimate of the likelihood of accident consequences of a given severity. We did not undertake a review of that study as such, although it will be mentioned frequently in our report.

* Since this work was begun the Atomic Energy Commission has been split in two parts: the Energy Research and Development Administration (ERDA) and the Nuclear Regulatory Commission (NRC), and the exact distribution of the responsibility that formerly resided in the AEC between ERDA and NRC is still not clear. For this reason we have referred throughout the report to the AEC with the understanding that the reader will interpret all forward-looking references to the AEC as really directed to the relevant components of ERDA or NRC.

** There is one exception. Early in our study we became interested in the safety record (in particular primary system integrity) of naval reactors, which, though smaller, have accumulated more reactor years of service than have the civilian reactors of comparable design. We made a major effort to obtain sufficient information, with due regard for questions of classification and national security, to help us in our study. We were refused any access by Admiral H. G. Rickover.


The gracious hospitality of the Los Alamos Scientific Laboratory and the administrative assistance of the staff of the American Physical Society are also acknowledged. This Study was supported by the National Science Foundation and the U.S. Atomic Energy Commission.

The study participants have all agreed on both the broad conclusions and the more detailed individual recommendations contained in the body of the report. We believe this is significant in view of the diverse backgrounds of the group. Our individual technical expertise ranges widely, covering theoretical and experimental physics, chemistry, and engineering. While a few of the group had some background in reactor safety, the majority of the group had not previously considered these issues. Some of the group had participated in previous technical assessments of broad national issues; for several others, this study was a first experience. We are pleased with the degree of consensus that we have achieved, albeit regretful that more time was not available for further investigation of some of the important issues involved.

I. SUMMARY OF CONCLUSIONS AND MAJOR RECOMMENDATIONS

A central issue in the operation of light-water reactors is the prevention of a major release and widespread dispersal of radioactivity, which could have serious consequences to the public. The safety record of light-water reactors to date has been excellent, in that there has been no major release of radioactivity. These reactors have been designed with numerous safety features, engineered to prevent foreseeable accidents. These safety features are backed up by other safety features intended to prevent major release of radioactivity in the event of an accident. Moreover, very conscientious efforts have been made in developing the procedures and practices involved in licensing, quality assurance, operation, and inspection of these reactors to insure sound construction and operation within specified safety limits.

In the course of this study, we have not uncovered reasons for substantial short-range concern regarding risk of accidents in light-water reactors. While at present a complete quantitative assessment of all important aspects of reactor safety and behavior under unusual circumstances cannot be made, we are confident that a much better quantitative evaluation and consequent improvements of the safety situation can be achieved over the next decade if certain aspects of the safety research program are substantially improved and the results of the research are implemented.

Because of the serious potential consequences of a major release of radioactivity and in view of existing safety-related technological opportunities, we believe that there should be a continuing major effort to improve light water reactor safety as well as to understand and mitigate the consequences of possible accidents. Our recommendations are directed towards these objectives.

A. Safety through Careful Design, Construction, and Operation

The safety philosophy of the nuclear industry has emphasized design which can provide tolerance against malfunctions. This approach has laid a good foundation for reactor safety, and it has resulted in reactors designed, constructed, and operated for safety, not only under normal operating conditions but also in a wide range of abnormal circumstances. A great deal of research, development, and quality control has gone into guaranteeing the integrity of the fuel elements and cladding, the integrity of the enclosing primary system, the general structural soundness of the entire reactor, and the ability to control the reactor under both normal and abnormal conditions.

Although we have not been able to analyze all of the many possible failure sequences for light-water reactors, one which we have studied in detail is the possible failure of the integrity of the primary reactor pressure vessel. We find that reactor vessels are constructed of materials chosen with care and are designed with substantial safety factors. The reactor vessel is subject to careful scrutiny and testing. Based on our study, we believe that catastrophic rupture of the primary pressure vessel is not likely to be an important contributor to accident initiation; however, this is dependent upon maintaining a strong quality assurance program.

Primary system piping is also subject to careful scrutiny and testing. The well-known cases of cracks in pipes and failures of valves in reactor operation, on the one hand, reflect deficiencies in fabrication or design; but, on the other hand, they are a demonstration of the success of the overall safety system and procedures which identified their existence early enough to prevent more serious consequences. Continued open discussion and analysis of such failures can lead to improvements in safety and can provide the data base for a more accurate estimate of the probability of more serious incidents. These defects underline the on-going need for the nuclear industry and the regulatory bodies to continue improvement of inspection and test techniques. It is important that licensing and regulation be conducted in such a way as to continue to ensure openness in the quality assurance program and to provide better-quantified evaluation of the success of the program. We also note that human error on the part of reactor operators seems to initiate or aggravate at least a few incidents each year of potential safety significance. In fact, unless diligence is maintained, quality assurance and human error may well represent a limiting factor in maintaining safe operation.

It is difficult to quantify accurately the probability that any accident-initiating event might occur. Many aspects need to be better understood through experience and research before such calculations are tractable. Although the probabilities of major accidents seem small, their quantification deserves more attention within the reactor safety community than it has received up to now. We did not have the resources to carry out an independent evaluation of this aspect of the recent AEC Reactor Safety Study (draft WASH-1400), but we recognize that the event-tree and fault-tree approach can have merit in highlighting relative strengths and weaknesses of reactor systems, particularly through comparison of different sequences of reactor behavior. However, based on our experience with problems of this nature involving very low probabilities, we do not now have confidence in the presently calculated absolute values of the probabilities of the various branches.

We have reservations about the present almost exclusive emphasis in the licensing process on the 'design basis accident' concept in which certain highly stylized accidents are used as yardsticks against which the performance of various systems is evaluated. While we agree that analysis of such accidents is an important check upon the general safety of reactor designs, we are concerned that other types of possible accidents may consequently receive insufficient attention in design, construction, licensing, and operation.

B. Primary Engineered Safety Features

In our study, we centered much attention on the "engineered safety features". Because these features are not used in normal operation but are specifically intended to prevent an abnormal incident from becoming an accident, there is only limited operating experience with them. In addition, because of the complexity of the phenomena involved, these features are very difficult to simulate on a computer or to test in simulated accident conditions. Therefore, there is a lack of well-quantified understanding of the performance of some of these special systems under some severe accident conditions.

One of the most important of the engineered safety features is the fast-acting SCRAM system for shutting down the chain reaction in the event of an emergency. Certain transients which are anticipated to occur from time to time (pressure, temperature, reactivity) might play an important role in accident initiation. It is very important to shut down the chain reaction during a large transient. While the SCRAM designs, as now prescribed, seem to us to be highly reliable, not enough is known about the effects of transients in the extremely unlikely event that the reactor does not SCRAM. We believe that insufficient attention has been given to the analysis of transients, although it is encouraging that these areas are now being given intensive study. In addition, we are concerned about transient behavior which might occur simultaneously with a massive electrical failure. While there are redundant off-site power sources, the emergency on-site (diesel) power sources are a recognized weak point.

The emergency core cooling system (ECCS) is the engineered safety feature that has received the most publicity, attention, and research. The ECCS is intended to provide emergency cooling to prevent the reactor fuel from melting or losing structural integrity in the event there is a loss of primary system fluid.

We have no reason to doubt that the ECCS will function as designed under most circumstances requiring its use. However, no comprehensive, thoroughly quantitative basis now exists for evaluating ECCS performance, because of inadequacies in the present data base and calculational codes. In addition, it is not clear that the present approximate calculations, even though based on generally conservative detailed assumptions, will in all cases yield conservative assessments of ECCS performance.

We have examined the AEC reactor safety research program intended to resolve these uncertainties. Expanded experimental tests and advanced calculational code development are now under way, with the goal of accomplishing a sufficient quantitative comparison between calculation and experiment so that the technical community can reach consensus on ECCS effectiveness. That consensus can only be reached through several years of effort, using improved research techniques, and with more open p[...] and review of the results. We doubt that a complete quantitative evaluation of ECCS effectiveness can be achieved through the present program. We recommend below several possible approaches for improvement.

C. Accident Containment and Consequences

The last line of defense in preventing or mitigating the release of radioactivity is a further set of engineered safety features designed as a backstop in case of significant failure of the preceding safety features. The greater part of this last safety umbrella is the containment machinery and building which encloses the entire reactor primary system. These containments, which have worked well in controlling routine and minor radioactive emissions, have not yet been subjected to test by a large-scale controlled or accidental release. More research toward increasing the effectiveness of containment devices would be prudent, along with more vigorous pursuit of the possibilities for major improvements in containment design.

Although a major release of radioactivity is unlikely, it is important to calculate the types and extent of consequences of releases under various circumstances. We have found that these calculations are very difficult. There are significant uncertainties in nearly every category of potential consequences: acute deaths, latent cancers, and property damage / denial.

We have made no independent studies of acute effects, the estimates of which are particularly dependent upon details of local siting, weather, and population, and upon important uncertainties in acute biological effects of radiation. However, for the same releases and the same basic references for the biological effects as taken in Draft WASH-1400, we estimate substantially larger long-term consequences, particularly concerning land damage / denial and possible latent cancers from exposures to individuals who live in areas which are contaminated below the evacuation thresholds used in Draft WASH-1400. The social significance of the long-term consequences depends in part upon the probability of the assumed release, regarding which we have made no independent assessment. However, the uncertainties in estimates of consequences need to be resolved because they have important implications in reactor design, siting policy, and protection against potential sabotage. In analyzing the societal risk-benefit balance of commercial nuclear reactors, one must be able to estimate with reasonable confidence both the probability and consequences of system failure; research must continue on both.

Considering the great social importance of reactor safety and the large present and future capital investment in light-water reactors, the current funding of safety research is relatively small. We believe that the many technological opportunities for the enhancement of reactor safety warrant the investment of additional funds in safety research.

We understand that substantial revisions are being considered before publication of the final WASH-1400 report (private communication, NRC, 17 March 1975).

D. Major Recommendations

Many recommendations are made in the body of this Report. A few of the major ones are summarized here, but in each case the reader is referred to the main text for detailed discussions of the background and rationale.

Our major recommendations, which have not been ranked according to their importance, include the following:

1) Human engineering of reactor controls, which might significantly reduce the chance of operator errors, should be improved. We also encourage the automation of more control functions and increased operator training with simulators, especially in accident-simulation mode.
2) Measures should be taken to quantify the effectiveness of the present quality assurance program, using both the analysis of experience already reported and new measurements on the quality assurance system.
3) The techniques used in Draft WASH-1400 for the calculation of accident sequences and their probabilities should be:

   • employed to estimate quantitatively whether assumed subsystem failure data are compatible with the observed individual small accidents;

   • used to provide parametric studies of the effects of phenomena which are ill-understood in the identified sequences;

   • refined so that they can be used for continuing risk assessment on a routine basis with a growing data base of failure data.

4) The Draft WASH-1400 analysis of accident consequences should be redone taking into account the modifications discussed in our report, in order to obtain corrected consequence estimates. The results will help to determine the magnitude of the benefits which might be obtained from the introductions of design changes and means of consequence mitigation.

5) The problem of sabotage and its effect on increasing the risk of radioactivity release should be studied carefully. We have no way of estimating the present likelihood of sabotage; however, we believe that reactor security can be improved and have specific recommendations for studies that go beyond those already underway.

6) The ECCS safety margin should be quantified, and if necessary, improved through one or more of the following approaches:

   • the substitution of more easily analyzable or more effective ECCS concepts;

   • a much stronger theoretical and calculational development effort combined with a much improved experimental program, the results of which must be published openly for evaluation by the technical community;

   • a series of large-scale experiments along with some standardization of reactors. Detailed planning and analysis for this approach should begin immediately in case it should be decided in the future that it is needed.

There should be increased emphasis on realistic calculations and experiments as opposed to those which merely attempt to set upper limits on the behavior of a reactor in an accident. In view of the number of reactors now operating and being planned, we believe it is important that the reactor safety research program quickly take major steps to bring about a convincing resolution of the uncertainties in ECCS performance.

7) In the area of safety research, more emphasis should be placed on seeking improvements in containment methods and technology. In particular, controlled venting of the containment building in case of overpressure should be studied. A careful assessment should also be made of the benefits and costs of alternative siting policies, such as remote, underground, and nuclear-park siting.

8) There should be more effort to resolve major uncertainties in estimating consequences, including improvement of the biological-effects data base. Techniques for mitigation of consequences should be developed, especially in connection with the problems of decontamination after a large accident.

9) While we strongly endorse the substantial improvements that have been made in the safety research programs and in the openness to scrutiny by the technical public in the last two years, additional measures should be taken to continue to improve the research program and techniques and to assure that the results of both experimental and computer code development work related to safety are openly published.