Safety of nuclear power reactors

This EOE article is adapted from an information paper published by the World Nuclear Association (WNA). WNA information papers are frequently updated, so for greater detail or more up to date numbers, please see the latest version on WNA website (link at end of article).

Introduction

Since it arose out of nuclear weapons, nuclear power technology accepted from the start a commitment to devote extraordinary effort to assuring that a meltdown of a nuclear reactor would not take place. It had been assumed that a meltdown of the core would create a major public hazard, and if uncontained, a tragic accident with likely fatalities would occur. In avoiding such accidents, the industry has been outstandingly successful. In 12,000 cumulative reactor-years of commercial operation in 32 countries, there have been only two major accidents involving nuclear power plants—Three Mile Island (Safety of nuclear power reactors) and Chernobyl (Figure 1).

Figure 1. Cumulative reactor-years of operation and major accidents involving nuclear power plants.

It was not until the late 1970s that detailed analyses and large-scale testing, followed by the 1979 meltdown of the Three Mile Island reactor, began to make clear that even the worst realistic casualty to a modern nuclear power plant or its fuel could not cause dramatic public harm. The industry still works hard to minimize the probability of a meltdown accident, but it no longer need fear a potential public health catastrophe.

The decades-long test and analysis program showed that less radioactivity escapes from molten fuel than initially assumed, and that this radioactive material quickly clumps, settles out, dissolves in water and steam, reacts chemically with other material, and plates out on cold structural material. Thus, even if the containment structure that surrounds all modern nuclear plants were ruptured, it would still be highly effective in preventing escape of radioactivity.

It is the laws of physics and the properties of materials that preclude disaster, not required actions by safety equipment or personnel. In fact, regulations now require that the effects of any core-melt accident must be confined to the plant itself, without the need to evacuate nearby residents.

The two significant accidents in the 50-year history of civil nuclear power generation are:

• Three Mile Island (USA 1979), where the reactor was severely damaged but radiation was contained and there were no adverse health or environmental consequences; and
• Chernobyl (Ukraine 1986), where the destruction of the reactor by explosion and fire killed 31 people and had significant health and environmental consequences. The death toll has since increased to about 56.

A table showing all reactor accidents, and a table listing energy-related accidents with multiple fatalities are appended.

These two significant accidents occurred during more than 12,000 reactor-years of civil operation (Figure 1). Of all the accidents and incidents, only the Chernobyl accident resulted in radiation doses to the public greater than those resulting from the exposure to natural sources. Other incidents (and one 'accident') have been completely confined to the plant.

Apart from Chernobyl, no nuclear workers or members of the public have ever died as a result of exposure to radiation due to a commercial nuclear reactor incident. Most of the serious radiological injuries and deaths that occur each year (2-4 deaths and many more exposures above regulatory limits) are the result of large uncontrolled radiation sources, such as abandoned medical or industrial equipment. There have also been a number of accidents in experimental reactors and in one military plutonium-producing pile at Windscale, UK in 1957, but none of these resulted in loss of life outside the actual plant, or long-term environmental contamination.

It should be emphasized that a commercial-type power reactor cannot simply, under any circumstances, explode like a nuclear bomb.

The International Atomic Energy Agency (IAEA) was set up by the United Nations in 1957. One of its functions was to act as an auditor of world nuclear safety. It prescribes safety procedures and the reporting of even minor incidents. Its role has been strengthened in the last decade; every country operating nuclear power plants has a nuclear safety inspectorate and all of these work closely with the IAEA.

While nuclear power plants are designed to be safe in their operation and in the event of any malfunction or accident, no industrial activity can be represented as entirely risk-free. However, a nuclear accident in a western-type reactor is now understood to have severe financial consequences for the owner but minimal off-site consequences.

Background

Operational safety is of primary concern for those working in nuclear power plants. As a precaution, radiation doses are controlled by the use of remote handling equipment for many operations in the core of the reactor. Other controls include physical shielding and limiting the time workers spend in areas with significant radiation levels. These safeguards are supported by continuous monitoring of individual doses and of the work environment to ensure very low radiation exposure compared with other industries.

In the 1950s, attention had turned from atomic bombs to harnessing the power of the atom in a controlled way, as demonstrated at the University of Chicago in 1942, and applying the steady heat yield to generate electricity. This naturally gave rise to concerns about accidents and their possible effects. In particular, loss of cooling, which results in melting of the nuclear reactor core, motivated studies on both the physical and chemical possibilities as well as the biological effects of any dispersed radioactivity.

At the outset, through the early 1970s, some extreme assumptions were made, giving rise to a genre of dramatic fiction in the public domain (e.g., The China Syndrome) and also some solid conservative engineering, including containment structures (at least in Western reactor designs), in the industry itself. Licensing regulations were framed accordingly.

One mandated safety indicator is the calculated probable frequency of degraded core or core melt accidents. The US Nuclear Regulatory Commission (NRC) specifies that reactor designs must meet a 1 in 10,000 year core damage frequency, but modern designs exceed this. U.S. utility requirements are 1 in 100,000 years, the best currently operating plants are about 1 in 1 million, and those likely to be built in the next decade will have a core damage frequency of 1 in 10 million.

Even months after the Three Mile Island accident in 1979, it was assumed that there had been no core melt because there were no indications of severe radioactive release even inside the containment. However, it was later determined that half of the core had melted. This remains the only core melt in a reactor conformed to NRC safety criteria. Sucessfully, the effects were contained as designed, without radiological harm to the human population. Regulatory requirements today are that the effects of any core-melt accident must be confined to the plant itself, without the need to evacuate nearby residents.

Apart from this accident and the Chernobyl disaster, there have been about ten core melt accidents - mostly in military or experimental reactors. None resulted in any hazard outside the plant from the core melting, though in one case there was some radiation release due to burning graphite.

The main safety concern has always been the possibility of an uncontrolled release of radioactive material, leading to contamination and consequent radiation exposure off-site. Earlier assumptions were that this would be likely in the event of a major loss of cooling accident (LOCA) that resulted in a core melt. Experience has proved otherwise in any circumstances related to Western reactor designs. In light of better understanding of the physics and chemistry of material in a reactor core under extreme conditions, it became evident that even a severe core melt coupled with breach of containment could not create a major radiological disaster from any Western reactor design. Studies of the post-accident situation at Three Mile Island (where there was no breach of containment) support this finding.

It has long been asserted that nuclear reactor accidents are the epitome of low-probability but high-consequence risks. Understandably, with this in mind, some people were disinclined to accept the risk, however low the probability. The physics and chemistry of a reactor core, coupled with but not wholly dependent upon the engineering, mean that the consequences of an accident are likely to be much less severe than those from other industrial or energy sources.

At Chernobyl, the reactor design and burning graphite which dispersed radionuclides far and wide, led to tragic results. The results of this accident ultimately led the industry to depend upon designs with inherent safety mechanisms, supplemented by robust secondary safety provisions.

Mention should be made of the accident to the US Fermi-1 prototype fast breeder reactor that occurred near Detroit in 1966. Due to a blockage in coolant flow, some of the fuel melted. However, no radiation was released offsite and no one was injured. The reactor was repaired and restarted but closed down in 1972.

The use of nuclear energy for electricity generation can be considered extremely safe. As a comparison, it is important to note that several thousands die in coal mines each year in their efforts to provide this widely used fuel for electricity. There are also significant health and environmental effects which arise from fossil fuel use.

Achieving optimum nuclear safety: Western and recent Russian reactors

To achieve optimum safety, nuclear power plants in the western world operate using a 'defense-in-depth' approach, with multiple safety systems supplementing the natural features of the reactor core. Key aspects of the approach are:

• high-quality design & construction;
• equipment that prevents operational disturbances from developing into problems;
• redundant and diverse systems to detect problems, control damage to the fuel, and prevent significant radioactive releases; and
• provisions to confine the effects of severe fuel damage to the plant itself.

Safety provisions include a series of physical barriers between the radioactive reactor core and the environment, and multiple safety systems, each with backup and designed to accommodate human error. Safety systems account for about one-quarter of the capital cost of such reactors.

There are several safety provisions in a typical nuclear power plant. The fuel is in the form of solid ceramic (UO₂) pellets, and radioactive fission products remain bound inside these pellets as the fuel is burned. The pellets are packed inside sealed zirconium alloy tubes to form fuel rods. These are confined inside a large steel pressure vessel with walls up to 30 cm thick – the associated primary water cooling pipework is also substantial. All this, in turn, is enclosed inside a robust reinforced concrete containment structure with walls at least one meter thick.

But the main safety features of most reactors are inherent – 'negative temperature coefficient' and 'negative void coefficient'. The negative temperature feature means that beyond an optimal level, as the temperature increases, the efficiency of the reaction decreases (this feature is used to control power levels in some new designs). The void coefficient feature means that if any steam has formed in the cooling water, there is a decrease in moderating effect so that fewer neutrons are able to cause fission and the reaction slows down automatically.

Beyond the control rods which are inserted to absorb neutrons and regulate the fission process, the main engineered safety provisions are the back-up emergency core cooling system (ECCS), used to remove excess heat (though it is more to prevent damage to the plant than for public safety), and the containment. Additionally, nuclear power plants are designed with sensors that would shut down the facility automatically in the event of an earthquake, a vital consideration in many parts of the world.

The basis of design assumes a threat where, due to accident or malign intent (e.g., terrorism), there is core melting and a breach of containment. This double possibility has been well studied and provides the basis of exclusion zones and contingency plans. Apparently, during the Cold War, neither Russia nor the U.S. targeted the other's nuclear power plants because the potential damage was modest.

The Three Mile Island accident in 1979 demonstrated the importance of safety systems. Despite the fact that about half of the reactor core melted, radionuclides released from the melted fuel mostly plated out on the inside of the plant or dissolved in condensing steam. The containment building housing the reactor further prevented any significant release of radioactivity. The reactor's other protection systems also functioned as designed. The emergency core cooling system would have prevented any damage to the reactor but for the intervention of the operators.

Investigations following the accident led to a new focus on the human factors in nuclear safety. No major design changes were called for in Western reactors, but controls and instrumentation were improved and operator training was overhauled.

By way of contrast, the Chernobyl reactor did not have a containment structure like those used in the West or in post-1980 Soviet designs, resulting in significant radioactive contamination of the surrounding area.

A different safety philosophy: early Soviet-designed reactors

The April 1986 disaster at the Chernobyl nuclear power plant in the Ukraine was the result of major design deficiencies in the RBMK reactor, the violation of operating procedures, and the absence of a safety culture. One peculiar feature of the RBMK design was that coolant failure could lead to a strong increase in power output from the fission process (positive void coefficient). However, this was not the prime cause of the Chernobyl accident.

The Chernobyl accident was a unique event and the only time in the history of commercial nuclear power that radiation-related fatalities have occurred. The accident destroyed the reactor and killed 56 people, 28 of whom died within weeks from radiation exposure. It also caused radiation sickness in a further 200-300 staff and firefighters, and contaminated large areas of Belarus, Ukraine, Russia, and beyond. It is estimated that at least 5% of the total radioactive material in the Chernobyl-4 reactor core was released from the plant, due to the lack of any containment structure. Most of this was deposited as dust nearby; some was carried by wind over a wide area. The destroyed unit 4 was enclosed in a concrete shelter ("sarcophagus"), which now requires remedial work.

About 130,000 people received significant radiation doses (i.e., above internationally accepted limits set by the International Commission on Radiological Protection (ICRP)) and are being closely monitored. About 4,000 cases of thyroid cancer in children have been linked to the accident. Most of these were curable, though about nine have been fatal. No increase in the incidence of leukemia and other cancers has yet been revealed, though it is expected. The World Health Organization (WHO) is closely monitoring most of the affected population.

An OECD expert report on the accident concluded that "the Chernobyl accident has not brought to light any new, previously unknown phenomena or safety issues that are not resolved or otherwise covered by current reactor safety programs for commercial power reactors in OECD Member countries".

International efforts to improve safety

The International Atomic Energy Agency (IAEA) has given high priority to addressing the safety of nuclear power plants in eastern Europe, where deficiencies remain. The European Union (EU) is encouraging changes, particularly in countries that aspire to gain EU membership.

A major international program of assistance has been carried out by the OECD, IAEA, and the Commission of the European Communities to bring early Soviet-designed reactors to near Western safety standards, or at least to effect significant improvements to the plants and their operation.

Modifications have been made to overcome deficiencies in the 12 [[RBMK reactor]s] still operating in Russia and Lithuania. Among other things, the danger of a positive void coefficient response has been eliminated. Automated inspection equipment has also been installed in these reactors.

The other class of reactors under the focus of international attention for safety upgrades is the first-generation of pressurized water VVER-440/230 reactors. These were designed before formal safety standards were issued in the Soviet Union and they lack many basic safety features. Eleven are operating, under close inspection, in Bulgaria, Russia, Slovakia, and Armenia. Later Soviet-designed reactors are much safer and the most recent ones have Western control systems or the equivalent, along with containment structures.

There is a great deal of international cooperation on nuclear safety issues, in particular the exchange of operating experience under the auspices of the World Association of Nuclear Operators (WANO). In practical terms this is the most effective international means of achieving very high levels of safety through its four major programs: peer reviews; operating experience; technical support and exchange; and professional and technical development. WANO peer reviews are the main proactive way of sharing experience and expertise.

WANO was formed following the Chernobyl accident to maximise the safety and reliability of nuclear plant operation. It held its inaugural meeting in Moscow in 1989. With Regional Centres in Atlanta, Moscow, Paris and Tokyo and a coordinating centre in London, WANO links all 115 operators of nuclear power plants in 34 countries.

In 1996, the Nuclear Safety Convention came into force. It is the first international legal instrument covering the safety of nuclear power plants worldwide. It commits participating countries to maintain a high level of safety by setting international benchmarks to which they subscribe and against which they report. It has 65 signatories and has been ratified by 41 states.

Aging of nuclear plants

Several issues arise in prolonging the lives of nuclear plants which were originally designed for 30 or 40-year operating lives. Systems, structures and components (SSC) whose characteristics change gradually with time or use are the subject of attention.

Some components simply wear out, corode or degrade to a low level of efficiency. These need to be replaced. Steam generators are the most prominent and expensive of these, and many have been replaced after about 30 years where the reactor otherwise has the prospect of running for 60 years. This is essentially an economic decision. Lesser components are more straightforward to replace as they age, and some may be safety-related as well as economic. In Candu reactors, pressure tube replacement has been undertaken on some older plants, after some 30 years of operation.

A second issue is that of obsolescence. For instance, older reactors have analogue instrument and control systems, and a question must be faced regarding whether these are replaced with digital in a major mid-life overhaul, or simply maintained.

Thirdly, the properties of materials may degrade with age, particularly with heat and neutron irradiation. In some early Russian pressurized water reactors, the pressure vessel is relatively narrow and is thus subject to greater neutron bombardment that a wider one. This raises questions of embrittlement, and has had to be checked carefully before extending licences.

In respect to all these aspects, periodic safety reviews are undertaken on older plants in line with the IAEA safety convention and WANO's safety culture principles to ensure that safety margins are maintained.

In the USA most of the more than one hundred reactors are expected to be granted licence extensions from 40 to 60 years. This justifies significant capital expenditure in upgrading systems and components, including building in extra performance margins. There is widespread agreement that further extensions may be justified, and this prospect is driving research on ageing to ensure both safety and reliability in older plants.

The IAEA has a safety knowledge base for ageing and long term operation of nuclear power plants (SKALTO) which aims to develop a framework for sharing information on ageing management and long term operation of nuclear power plants. It provides published documents and information related to this.

Reporting nuclear incidents

The International Nuclear Event Scale (INES) was developed by the IAEA and OECD in 1990 to communicate and standardize the reporting of nuclear incidents or accidents to the public (Table 1). The scale runs from a "0" event with no safety significance to "7" for a "major accident" such as Chernobyl. Three Mile Island rated 5, as an "accident with off-site risks" though no harm came to anyone. A level 4 "accident mainly in installation" occurred in France in 1980, with little effect. Another accident rated at level 4 occurred in a fuel processing plant in Japan in September 1999. Other accidents have been in military plants.

Terrorism

Since the 2001 World Trade Center attacks in New York, concern has grown over the consequences of large aircraft being used to attack a nuclear facility with the purpose of releasing radioactive materials. Various studies have looked at similar attacks on nuclear power plants. They show that nuclear reactors would be more resistant to such attacks than virtually any other civil installations. A thorough study was undertaken by the U.S. Electric Power Research Institute (EPRI) using specialist consultants and paid for by the U.S. Department of Energy (DOE). It concluded that U.S. reactor structures "are robust and (would) protect the fuel from impacts of large commercial aircraft".

The analyses used a fully-fueled Boeing 767-400 of over 200 tonnes as the basis, at 560 km/h – the maximum speed for precision flying near the ground. The wingspan is greater than the diameter of reactor containment buildings and the 4.3 tonne engines are 15 [[meter]s] apart. Hence, analyses focused on single engine direct impact on the centerline – since this would be the most penetrating missile – and on the impact of the entire aircraft if the fuselage hit the centerline (in which case the engines would ricochet off the sides). In each case, it was found that no part of the aircraft or its fuel would penetrate the containment. Other studies have confirmed these findings.

In 1988, Sandia National Laboratories in the U.S. demonstrated the unequal distribution of energy absorption that occurs when an aircraft impacts a massive, hardened target. The test involved a rocket-propelled F4 Phantom jet (about 27 tonnes, with both engines close together in the fuselage) hitting a 3.7-meter thick slab of concrete at 765 km/h. The objective was to test whether a proposed Japanese nuclear power plant could withstand the impact of a heavy aircraft. It showed how most of the collision energy goes into the destruction of the aircraft itself – about 96% of the aircraft's kinetic energy went into the its destruction and some penetration of the concrete, while the remaining 4% was dissipated in accelerating the 700-tonne slab. The maximum penetration of the concrete in this experiment was 60 mm, but comparison with fixed reactor containment must take account of the 4% of energy absorbed in moving the slab.

Looking at spent fuel storage pools, similar analyses showed no breach. Dry storage and transport casks retained their integrity. These analyses concluded that "there would be no release of radionuclides to the environment".

Similarly, the massive structures mean that any terrorist attack even inside a plant (which are well defended), causing loss of cooling, core melting, and breach of containment, would not result in any significant radioactive releases.

Switzerland's Nuclear Safety Inspectorate studied a similar scenario and reported in 2003 that the danger of any radiation release from such a crash would be low for the older plants and extremely low for the newer ones.

The conservative design criteria which caused most power reactors to be shrouded by massive containment structures with biological shield has provided peace of mind in a suicide terrorist context. Ironically and as noted earlier, with better understanding of what happens in a core melt accident inside, they are now seen to be not nearly as necessary in that accident mitigation role as was originally assumed.

Advanced reactor designs

The designs for nuclear power plants being developed for implementation in the coming decades contain numerous safety improvements based upon operational experience. The first two of these advanced reactors began operating in Japan in 1996.

The main feature they have in common (beyond safety engineering already standard in Western reactors) is passive safety systems, requiring no operator intervention in the event of a major malfunction.

These designs are one or two orders of magnitude safer than older ones in respect to the likelihood of core melt accidents, but the significance of that is more for the owner than the neighbors, who – as Three Mile Island showed – are safe also with older types.

Safety relative to other energy sources