Sādhanā, Vol. 11, Parts 1 & 2, October 1987, pp. 263-272. © Printed in India.
Safety of nuclear power plants
K S RAM** and K IYER
Department of Mechanical Engineering, Indian Institute of Technology, Powai, Bombay 400 076, India
*On deputation from: Department of Mechanical Engineering, Indian Institute of Technology, Kanpur 208 016, India
Abstract. The safety of operating nuclear power plants of the CANDU type is described in this paper. The need for a systematic study on these types of heavy water reactors similar to the safety studies done on light water reactors is brought out in this paper. Some of the work done on station blackout, operational transients, small and large break loss of coolant accidents is reviewed. Recent nuclear power plant accidents, namely Three-Mile Island-2 and Chernobyl, seem to indicate that an understanding of man-machine interaction and human behaviour under stress is important for the safety aspects and more work needs to be done in these areas.
Keywords. Nuclear power plant; safety; reliability; probabilistic risk assessment; loss of coolant accident.
This paper deals with some of the safety issues related to the pressure-tube, heavy-water-cooled, heavy-water-moderated and natural-uranium-fuelled CANDU-type reactors. This class of reactors is called Pressurised Heavy Water Reactors (PHWR). Measures must be taken to ensure nuclear power plant safety during the various phases, starting with 'site selection and design', through 'construction' and 'commissioning', and finally during the 'operation' of the plant. Safety during operation is the topic of this paper. Power plant safety is aimed at protecting the workers, the public and the environment from the potential adverse effects of radiation release resulting from failure of safety systems during operation.
Nuclear power plants are safe as long as the energy release from fission reactors is controllable. For achieving this, the integrity of the fuel element, a reliable control system and the primary heat removal system are essential. The integrity of fuel elements is essential as 98% of the radioactive fission products are contained by the cladding of the fuel element. The second and third lines of defence in preventing the release of radiation are the primary heat transport system and the containment building. Release of radioactive fission products poses a grave threat to public safety due to the biological effects of radiation exposure. The fuel element integrity is affected by radiation damage, thermal cycling, fission gas pressure build-up etc. Thus a study of the interactions between reactor physics (neutronics) and thermal hydraulics is quite important. A typical interaction is shown in figure 1.
[Figure 1: block diagram. Labels recoverable from the scan: neutronic trips; power transients; core and hot element power; coolant density; decay power; thermal-hydraulics; discharge; coolant temperature and pressure; sheath/coolant HTC; metal/water reaction heat; sheath temperature; radiant heat; bundle/element behaviour; fission product release/behaviour; containment pressure; activity release; long-term releases; atmospheric dispersion; weather scenario; release height/location; PT/coolant HTC; channel geometry; fuel channels; PT sag, strain; post contact; moderator; local moderator temperature; high building pressure trip; ECC conditioning signal.]
Figure 1. Interaction between thermal hydraulics and neutronics.
*To whom correspondence should be addressed.
The various sources of energy in a nuclear power plant are the stored energy of the fuel; latent heat/sensible heat of the coolant, moderator and structures; decay heat, even after shutdown, due to fission products (nearly 7% of steady state immediately after shutdown); and chemical reactions of clad materials (zirconium, graphite and stainless steel) with water and steam at elevated temperatures releasing hydrogen. Besides these, the nuclear transients depending on the amplitude and rate of reactivity insertions release uncontrolled energy leading to fuel and clad melting or bursting, and fuel pin slumping. Such an event releases large quantities of fission gases as in the case of the Chernobyl, USSR, accident in 1986.
2. Sources of radiation
The concern in reactor accidents is regarding gaseous or volatile fission product radionuclides. The noble gases xenon and krypton do not pose a serious biological threat as they are inert. Volatile nuclides include iodine, bromine, cesium, rubidium, tellurium, selenium and antimony. Only on vaporization of the fuel are significant amounts of Te, Se and Sb released. Their release due to fuel melt is small compared to the other volatile species. The so-called 'source term' calculations are primarily concerned with the iodine isotopes $^{135}$I, $^{134}$I, $^{133}$I, $^{132}$I and $^{131}$I. Of these, $^{131}$I is important from the biological aspect. The maximum permissible concentrations of this iodine isotope are 0.3 picocuries/cc in water and $0.1 \times 10^{-3}$ picocuries/cc of air. $^{131}$I emits beta rays, 90% of the time with 0.606 MeV energy, and also gamma rays, 82% of the time with 0.364 MeV energy. Lead of 3 mm thickness is required to reduce the radiation intensity by fifty percent. Typical inventories of fission product radionuclides in a thermal reactor are given in table 1.
It can be seen from the table that iodine isotope inventories are several megacuries in a reactor. The potential release of iodine in an accident and the amount of dilution and diffusion required to bring the concentrations to $10^{-16}$ curies/cc pose challenging problems in reactor safety. Release to the environment can be calculated by using the following expression.
$$\text{Release to environment} = (\text{inventory in core}) \times (\text{release fraction from fuel}) \times (\text{release fraction from primary system}) \times (\text{release fraction from containment})$$
Thus the safety study involves the estimation of the fractional release due to failure of the engineered safety systems. It is estimated that in the Three-Mile Island-2 (TMI-2) accident an equivalent of 0.001% of $^{131}$I and in Chernobyl, in spite of a severe fire, only about 20% of $^{131}$I was released from the core inventory. Because of the primary system and containment integrity in TMI-2, only a very small fraction of this was released to the environment, as borne out by field survey studies.
Table 1. Fission products of significance in reactor accidents after one year of operation at 3000 MW (Th).
| Isotope | Half-life | At shut-down | At 1 day after shut-down | Comment |
|---|---|---|---|---|
| $^{89}$Sr | 58 days | 117 | 117 | Hazard to bone and lung |
| $^{90}$Sr | 28 years | 3.6 | 3.6 | |
| $^{131}$I | 8.1 days | 75 | 69 | High volatility, hazard to the thyroid due to ingestion and inhalation |
| $^{132}$I | 2.3 hr | 114 | 0 | |
| $^{133}$I | 21 hr | 165 | 78 | |
| $^{134}$I | 52 min | 189 | 0 | |
| $^{135}$I | 6.7 hr | 165 | 13 | |
| $^{137}$Cs | 26.6 yr | 3.8 | 3.8 | Ingestion hazard to muscle (whole body) |
| $^{103}$Ru | 41 years | 77 | 77 | Hazard to kidney |
| $^{106}$Ru | 1 year | 4.6 | 3.6 | |
3. PHWR systems safety
Before issuing an operating license for CANDU reactors, two categories of failures are analysed from the safety point of view (Yaremy 1986a).
The single failure category analyses total failure of process systems, in spite of the redundancy included in the design, leading to release of radioactivity. Safety systems are available. The dual failure category analyses release of activity under total failure of both the process system and the safety systems.
Some of the process systems may be broadly classified as: fuel and fuel handling; electrical system; reactor control; reactor components; coolant systems.
The safety systems, often called engineered safety features (ESF), of a nuclear plant are: mechanical and liquid poison shut-down/moderator dumping; emergency core cooling; containment.
It is customary to present process system and safety system failures in tabular form as a 'safety assessment matrix', as shown in table 2.
Some of the disadvantages of the single and dual failure approach are: (1) Difficulty in dealing with safety support system failures, such as electrical supply, instrument air, or service water, whose failure could result in common failure of a process system as well as a safety system. (2) Analysis of potential common-mode events such as earthquakes and aircraft crashes, which could affect both the systems. (3) The need to establish dependence on human involvement in accident management.
Single and dual failure approach methods are supplemented by the safety design matrix approach wherein the initiating event is analysed in terms of the reliability of the individual components or components as building blocks.
Because of the limitations mentioned of the single and dual failure approaches, probabilistic risk assessment (PRA) or probabilistic safety analysis (PSA) methods are being applied to the PHWR systems. The application of PRA and the development of an appropriate database have not yet reached the state where individual licensing of PHWR is purely based on these statistical evaluations.
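The first limitation listed above, a shared support system defeating the independence assumed between a process system and a safety system, can be shown with a small fault-tree calculation. This is an added example, not taken from the paper: the three basic events, the tree structure and all probabilities are constructed for illustration.

```python
from itertools import product

# Constructed per-demand failure probabilities (illustrative only, not plant data).
BASIC = {
    "electrical_supply": 1e-2,  # shared support system
    "pump_fault": 1e-3,         # fault local to the process system
    "ecc_valve_fault": 1e-3,    # fault local to the safety system
}

def process_fails(s):
    """Process system (primary coolant pumps): loss of supply OR a pump fault."""
    return s["electrical_supply"] or s["pump_fault"]

def safety_fails(s):
    """Safety system (emergency core cooling): loss of supply OR a valve fault."""
    return s["electrical_supply"] or s["ecc_valve_fault"]

def probability(top, basic=BASIC):
    """Exact P(top) by enumerating every state of the independent basic events."""
    names = list(basic)
    total = 0.0
    for states in product([False, True], repeat=len(names)):
        s = dict(zip(names, states))
        if top(s):
            weight = 1.0
            for n in names:
                weight *= basic[n] if s[n] else 1.0 - basic[n]
            total += weight
    return total

def dual_failure_exact():
    """P(process AND safety fail), with the shared event counted once."""
    return probability(lambda s: process_fails(s) and safety_fails(s))

def dual_failure_independent():
    """Same top event if the two systems are wrongly treated as independent."""
    return probability(process_fails) * probability(safety_fails)

def safety_unavailability_given_process_failure():
    """P(safety fails | process failed): the conditional branch of an event tree."""
    return dual_failure_exact() / probability(process_fails)

if __name__ == "__main__":
    print(f"independent product : {dual_failure_independent():.3e}")
    print(f"exact (shared event): {dual_failure_exact():.3e}")
    print(f"P(safety fails | process failed): "
          f"{safety_unavailability_given_process_failure():.3f}")
```

With these constructed numbers the independent product understates the dual failure probability by a factor of about 83, because the shared supply dominates both trees.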
4. Safety analysis
Historically, safety issues were studied as early as 1957, when the theoretical possibilities and consequences of major accidents in large nuclear power plants were analysed in the WASH-740 (1957) report. Subsequently the BMI-1910 (1971) report for core melt-down evaluation was published. According to Yaremy (1986b) the Canadian authorities in 1975 used the safety design matrix approach to familiarise designers with the safety problems. Most of the above studies are deterministic in nature and are based on classical approaches. When the WASH-1400 (1975) report on reactor safety study was published, it opened avenues for estimating the probability through the Bayesian approach. Whether it is a classical approach or the Bayesian approach, the steps involved in evaluating the occurrence probability of a top event by the probabilistic risk assessment (PRA) or probabilistic safety analysis (PSA) are shown in figure 2.
Table 2. Safety assessment matrix (Yaremy 1986b).
Special safety systems (columns): Shut-down 1 or 2; Emergency core cooling; Containment
Process failures (rows, with the marks as they appear in the scan):
Fuel and fuel handling x x x x
Fuel failure in the core; Fuel failures during fuel handling
Electrical system x x
Complete and partial loss of off-site and main generator power supplies
Reactor control x x x
Reactivity disturbances from wrongful use of reactivity devices at both full and low power; Loss of primary pressure control; Loss of secondary pressure control
Reactor components x x x
Flow blockage in a fuel channel; Failure of primary heat transport system pump circulation; Loss of shield cooling; Loss of shut-down cooling; Loss of service water
Coolant systems x
Failure in the major pipes of the primary heat transport system; Feeder failure; End fitting failure; Steam main failure; Loss of feedwater supply etc.
One of the significant conclusions of the WASH-1400 (1975) reactor safety study is that the risk to the public from nuclear power reactors arises primarily from core melt-down accidents. A committee was appointed to estimate the conservative or nonconservative nature of the results of the reactor safety study (Lewis 1978). Subsequent to the TMI-2 accident, there have been several studies reevaluating the 'source terms', i.e. the inventory of radioactive sources which could be potentially released in an accident, and it is believed that earlier calculations overestimated the release of the $^{131}$I isotope.
[Figure 2: flow diagram. Labels recoverable from the scan: accident sequences models; initiating events (events/yr); statistics; (fault trees); reliability model parameters; models.]
Figure 2. Event tree models, either classical or Bayesian.
Quantifying the uncertainties based on 'engineering judgement' was suggested by Erdmann et al (1981). Engineering judgement is a rational way to quantify the knowledge accumulated by a specialist, and means exist to remove or minimize bias. When an expert uses engineering judgement to reach a quantified value for a parameter of interest, how far off is he and how wide is his range of uncertainty? Capen (1976) states that single judgements are less valuable than group averages, but he also states that the more expert the judges, the larger is the band of uncertainty they will assign. Recently mathematical models have been developed (N D Singpurwalla, private communication, 1986) for decision-making under uncertainty. These models include a correlation parameter (negative or positive) between two expert opinions, to help the analyst in making decisions. The proceedings of the international seminar on the role of data and judgement in probabilistic risk and safety analysis, published in Nuclear Engineering and Design (May 1986, Vol. 92, no. 2), contain several articles on this subject.
5. Safety assessment of Indian PHWR
The prime safety concern for any nuclear reactor is the event of core melt. Such an event is improbable if the primary coolant system is operating under normally designed conditions. Some of the safety features inherent in the PHWR design are low power density (12 kW/l), a large moderator volume at nearly atmospheric pressure and low temperature (~70°C) acting as a heat sink, and an overall negative temperature coefficient of reactivity. The high pressure coolant (at 10 MPa and 300°C) is distributed in several channels connected in two separate loops, reducing the probability of a total dry-out accident. Other incorporated engineered safety features include (i) reactivity control by two independent mechanisms, namely electromechanical and (pneumatic) liquid poison shut-down, (ii) moderator dump for quick shut-down, (iii) poison injection into the moderator for reactivity control, (iv) double containment with a suppression pool (or dousing tank) to absorb the latent heat released in case of an accident, (v) emergency core cooling facility containing both high pressure and low pressure injection options.
Thus, safety analyses deal with the transients that affect the primary coolant system. For the present, the events are categorized under four broad headings and relevant analytical work carried out for Indian PHWR is outlined.
Station blackout: Complete loss of off-site power results in the unavailability of the primary coolant pumps, thus seriously impairing the primary heat transport. The frequency of such an event for Indian conditions is reported to be around one every month. Thermal-hydraulic analysis carried out for such transients by Gupta et al (1986) indicates two alternate schemes to maintain system integrity. These are (a) use of natural c...