Power plant design
The new nuclear safety construct
1 November 2012
The occurrence of a rare but destructive natural event (the earthquake and tsunami that damaged the Fukushima Daiichi nuclear power plant) challenges the parameters of the nuclear power plant design basis. It also demonstrates that the concept of nuclear safety should be expanded to prevent the social effects of disruption caused by a nuclear accident. A more rigorous approach should consider all risks, according to a task force set up by nuclear standards body ASME.
The design basis for operating nuclear power plants has served the nuclear industry well from a public health and safety perspective. Although the design basis for operating plants has been the foundational public health and safety strategy for the nuclear industry, the thousands of reactor-years of operating experience accumulated worldwide now provide an opportunity to improve safety beyond the design basis and, in doing so, evolve toward a new safety construct. Indeed, rare yet credible events can occur which may exceed the design basis and potentially lead to an accident with major socio-political and economic costs associated with significant radioactivity releases to the environment. No new, overarching safety construct has yet emerged for existing and future nuclear plants as a result of the Fukushima Daiichi experience. What appears to be needed is an objective standard for preventing, interdicting, and mitigating severe accidents, to prevent or minimize core melting and extensive offsite contamination, using an all-risk approach. Such a standard should be built upon the historically-acceptable design basis, supplemented by additional safety measures to increase the level of defence-in-depth and reduce risk, suggests an ASME task force in its report “Forging a New Nuclear Safety Construct” published in June 2012.
The New Nuclear Safety Construct can be defined as:
The set of planned, coordinated, and implemented systems ensuring that nuclear plants are designed, constructed, operated, and managed to prevent extensive societal disruption caused by radioactive releases from accidents, using an all-risk approach.
Deterministic vs probabilistic
In the deterministic approach, the design basis for a feature (structure, system, or component) in a nuclear power plant is defined by an analysis of its effectiveness for the conditions it is intended to control or mitigate. The conditions to be addressed in the design, the methods of analysis, and the acceptance criteria are specified in advance by regulatory authorities for safety features (for example, emergency shutdown and cooling of the reactor) and by the owner of the plant for non-safety-related equipment.
For plants now in operation, the design basis accidents and events specified in the deterministic approach used in their design generally involved single initiating events, conservative assumptions and models, aggravating single failures and loss of offsite power, and no expectation of severe core damage. Engineers provide design margins in the deterministic approach to nuclear power plant design. A design margin is the distance between the bounding prediction of a load or other condition and the point at which the potential for failure due to that condition becomes non-negligible. Design margins, usually called safety margins when discussing specific nuclear safety-related issues, help account for uncertainties and unknowns, as well as for wear and tear such as corrosion or cyclic fatigue of a pipe.
Operating experience has revealed some limitations in the deterministic approach to the design basis, particularly in the areas of common-cause failures and human error. One example was the failure of the deterministic approach in the design of TMI-2 to account sufficiently for operator error in interpreting readings from the pressurizer level instrumentation during a leak high in the reactor's pressurizer, which led the operators to terminate emergency core cooling prematurely. Another example was the inability of the single failure criterion, widely used in the deterministic design approach, to anticipate the risk associated with maintenance errors that caused common-cause failures in the reactor scram system at the Salem Nuclear Power Plant.
The probabilistic risk analyses (PRA) in 1975’s pioneering “Reactor Safety Study: An Assessment of Accident Risks in U.S. Commercial Nuclear Power Plants” and those that followed take a fundamentally different approach to the assessment of safety than the deterministic approach. At its core, PRA attempts to answer three fundamental questions through development of an integrated model of the as-built, as-operated plant (as well as new plant designs), namely, what can go wrong, how likely is it to occur, and what are the consequences? The PRA approach is more comprehensive than traditional deterministic approaches in addressing accident scenarios, causes of system and human failures, and treatment of uncertainties.
Risk assessment is now recognized as the best available method for identifying and addressing uncertainties in safety decisions based on predictions of plant performance under abnormal and extreme conditions. Moreover, integration of PRA results with deterministic defence-in-depth considerations, as described in the US Nuclear Regulatory Commission’s Regulatory Guide 1.174 and the International Atomic Energy Agency’s Safety Guide INSAG-25, will yield even more robust safety decisions. Based on its review of past accidents, and seeing the utility of PRAs in forecasting the outcome of other rare events, the ASME Task Force considers that all-modes, all-risk, full-scope risk assessments, including level 3 (consequence) analysis, should be combined with deterministic approaches to achieve greater defence-in-depth for all nuclear power plants. In addition, to take maximum advantage of such improvements in the state of the art of risk assessment, the ASME Task Force considers that generic, high-level safety goals for new plants should be agreed internationally, with the aim of reducing the probabilities of core damage accidents and limiting radioactive releases to the environment.
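To make the contrast between the single-failure view and a PRA concrete, here is a toy Level 1/Level 2 event-tree calculation with a beta-factor common-cause model. This is an added example, not code or data from the ASME report; every frequency and probability in it is a constructed placeholder, and the function names are the example's own.

```python
"""Added example (not from the ASME report): a toy PRA fragment.

Every number is constructed for illustration, not plant data. It shows
how a PRA answers 'what can go wrong, how likely, what consequences' for
one initiating event, and why treating redundant trains as independent
(the single-failure view) understates risk once a common-cause share is
modelled with a simple beta factor.
"""


def redundant_system_failure(q: float, n: int, beta: float) -> float:
    """Probability that all n redundant trains fail on the same demand.

    q: per-train demand failure probability; beta: share of q attributed
    to a common cause that disables every train at once (beta = 0 is the
    independence assumption behind the single failure criterion).
    """
    return ((1.0 - beta) * q) ** n + beta * q


def core_damage_frequency(f_ie: float, p_scram_fail: float,
                          p_cooling_fail: float) -> float:
    """Level 1 result (per reactor-year) for a two-branch event tree:
    reactor trip, then emergency core cooling; either failure is taken to
    lead to core damage, all other sequences end safely."""
    return f_ie * (p_scram_fail + (1.0 - p_scram_fail) * p_cooling_fail)


def large_release_frequency(cdf: float, p_containment_fail: float) -> float:
    """Level 2 result: core damage that also defeats containment."""
    return cdf * p_containment_fail


def compare_independence_vs_ccf(beta: float = 0.1) -> dict:
    """Run the same tree with and without common-cause failure.

    Constructed inputs: 0.1/yr initiating event (e.g. loss of offsite
    power), 1e-5 trip failure, two cooling trains at 0.01 each, and a
    0.05 conditional containment failure probability.
    """
    f_ie, p_scram, q, n, p_cont = 0.1, 1e-5, 0.01, 2, 0.05
    out = {}
    for label, b in (("independent", 0.0), ("with_ccf", beta)):
        p_cool = redundant_system_failure(q, n, b)
        cdf = core_damage_frequency(f_ie, p_scram, p_cool)
        out[label] = {"cdf": cdf, "lrf": large_release_frequency(cdf, p_cont)}
    # How far the independence assumption understates the Level 1 result.
    out["cdf_ratio"] = out["with_ccf"]["cdf"] / out["independent"]["cdf"]
    return out
```

With these constructed inputs a 10% common-cause share raises the core damage frequency roughly tenfold, which is the kind of gap the Salem scram failures exposed in the single failure criterion.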
However, even PRA is not all-knowing. Therefore, an all-risk approach is needed to turn the question around so that engineers provide systems and actions to ensure core cooling and prevent large releases of radioactivity for any rare yet credible event. In the words of Prime Minister Yoshihiko Noda on the first anniversary of the Great East Japan Earthquake and Tsunami, “Crisis management requires us to imagine what may be outside our imagination.” Such a consideration is important for assembling the new safety construct.
While public health and safety will continue to be the dominant safety criteria for nuclear power plants, there are other, significant consequences of nuclear power plant accidents that deserve serious attention. In the case of the Fukushima Daiichi accident, these other significant consequences include: radiological contamination of a large populated area in Japan, initial relocation of more than 100,000 people for radiological protection, broad psychological stress on the Japanese people, the loss of economic productivity of the contaminated areas until remediated or deemed safe, wholesale curtailing of nuclear power generation across Japan, and accompanying substantial economic impact in Japan and other countries. It is this contrast between the lack of radiological public health effects and the substantial societal impact from the Fukushima Daiichi accident that claimed the attention of the ASME Task Force and resulted in the main thrust of its proposed approach for forging a new safety construct.
The key accident management lesson that should be taken from this accident is the need to prevent large radioactive releases that could cause major disruption of society with attendant socio-political and economic consequences of unacceptable proportions. The only reasonable manner in which to approach this issue is to use an all-risk approach. Because socio-political and economic impacts cannot be confined by geo-political borders, this approach should be applied on a global basis.
The Fukushima Daiichi accident has reinforced the longstanding principal safety approach of maintaining core cooling over a wide range of events, because this is the most effective method of preventing significant radioactive releases with their potentially enormous socio-political and economic impact on society. The accident has indicated that the events now needing to be protected against include large fires and explosions, extreme natural phenomena, station blackouts of indefinite duration, and combinations of internal failures that can cause the loss of the normal and backup core cooling systems which protect against the traditional design-basis events. This reasoning leads to the all-risk approach in the New Nuclear Safety Construct.
The proposed all-risk approach to accident management, with appropriate consideration of probability of occurrence, associated uncertainties, and potential consequences, including cliff-edge effects, would address a broad range of challenges to safety of nuclear power reactors and spent fuel facilities, including internal hazards, external hazards, and security threats, during all modes of plant operation. These challenges would be addressed in a risk-informed manner for both design-basis events and events exceeding the design basis, including rare yet credible events. The effectiveness of the capability to mitigate challenges and their consequences for all risks is key to identifying the appropriate enhancements to be considered.
This approach is likely to result in changes to all phases of accident management, including equipment, procedures, guidance, and training and qualification of personnel. Finally, there is a need for a uniform global standard of excellence for accident management capability including the definition of the level of extreme external events against which plants, plant workers, and the general public must be protected. That is, there should be accident management measures in place, and maintained in a state of readiness, as part of the design basis and coping capabilities to deal with rare yet credible events.
Emergency planning (EP) would benefit from a more risk-informed, performance-based approach for defining requirements and performing regulatory oversight, particularly for new nuclear plants, but also for operating plants. This would be in contrast to the current deterministic approach in the US.
This article is based on extracts from the June 2012 American Society of Mechanical Engineers’ report “Forging a New Nuclear Safety Construct: The ASME Presidential Task Force on Response to Japan Nuclear Power Plant Events”, available for free download from www.tinyurl.com/8p2njby
The report represents the position of the Task Force, not necessarily ASME.
Although the Task Force lays out its position in the report, it suggests that the first step toward implementation would be to organize an international workshop to discuss how to implement its ideas. It even includes a list of questions: