• Lessons that can be learned from the accident to improve commercial nuclear plant safety and security systems and operations;
• Lessons that can be learned from the accident to improve commercial nuclear plant safety and security regulations, including processes for identifying and applying design-basis events for accidents and terrorist attacks to existing nuclear plants.
The focus of this chapter is on nuclear plant safety systems, operations, and regulations. Chapter 6 focuses on offsite nuclear emergency planning and emergency management, whereas Chapter 7 focuses on the nuclear safety culture. As noted in Chapter 1, a discussion of spent fuel and related security issues will be addressed in a subsequent report.
This NAS study is one of many investigations/assessments initiated in the wake of the Fukushima Daiichi nuclear accident (see Table 1.1 in Chapter 1). The reports from these other studies have been invaluable for informing the committee’s thinking about potential lessons learned. The committee has provided a tabular summary of key recommendations from selected reports in Appendix E.
The committee presents three findings and five recommendations in this chapter. These findings and recommendations are organized into two major sections:
1. Nuclear plant systems, procedures, and training; and
2. Nuclear plant safety risks.
These findings and recommendations are directed primarily at the U.S. nuclear power industry and its regulator (U.S. Nuclear Regulatory Commission [USNRC]). However, the committee anticipates that they will also have value for nuclear power industries and regulators in other countries.
FINDING 5.1: Nuclear plant operators and regulators in the United States and other countries have identified and are taking useful actions to upgrade nuclear plant systems, operating procedures, and operator training in response to the Fukushima Daiichi accident. In the United States, these actions include the nuclear industry’s FLEX (diverse and flexible coping strategies) initiative as well as regulatory changes proposed by the U.S. Nuclear Regulatory Commission’s Near-Term Task Force. Implementation of these actions is still under way; consequently, it is too soon to evaluate their comprehensiveness, effectiveness, or status in the regulatory framework.
In the weeks following the Fukushima nuclear accident, many national governments and international bodies initiated reviews of nuclear power plant performance and current safety measures (see Table 1.1 in Chapter 1). Some of the outputs of these efforts are described in Appendix E.
In the United States, two major initiatives were begun:
• The USNRC appointed a six-member task force headed by Dr. Charles Miller, the Near-Term Task Force. Its charge was to perform a “systematic and methodological review of the U.S. Nuclear Regulatory Commission processes and regulations to determine whether the agency should make additional improvements to its regulatory system and to make recommendations to the Commission for its policy direction, in light of the accident at the Fukushima Dai-ichi Nuclear Power Plant” (USNRC NTTF, 2011, p. vii).
• At about the same time, the U.S. nuclear industry, led by the Institute of Nuclear Power Operations (INPO), Nuclear Energy Institute (NEI), and Electric Power Research Institute (EPRI), initiated a voluntary effort to “integrate and coordinate the U.S. nuclear industry’s response to events at the Fukushima Daiichi nuclear energy facility. This will ensure that lessons learned are identified and well understood, and that response actions are
effectively coordinated and implemented throughout the industry” (NEI et al., 2012, p. 1).
Brief discussions of these initiatives and key results to date are provided in Appendix F.
The results from these initiatives that have been documented to date have been helpful to the committee in informing its thinking about potential lessons learned. However, these initiatives were still in progress when the present report was completed; many decisions have yet to be made or fully implemented. Moreover, the committee had neither the time nor resources to carry out in-depth reviews of these initiatives, which in some cases would have required plant-by-plant examinations.
5.1.1 Nuclear Plant Systems
RECOMMENDATION 5.1A: As the nuclear industry and its regulator implement the actions referenced in Finding 5.1, they should give specific attention to improving plant systems in order to enable effective responses to beyond-design-basis events, including, when necessary, developing and implementing ad hoc1 responses to deal with unanticipated complexities. Attention to availability, reliability, redundancy, and diversity of plant systems and equipment is specifically needed for
• DC power for instrumentation and safety system control;
• Tools for estimating real-time plant status during loss of power;
• Decay-heat removal and reactor depressurization and containment venting systems and protocols;
• Instrumentation for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools;
• Hydrogen monitoring (including monitoring in reactor buildings) and mitigation;
• Instrumentation for both onsite and offsite radiation and security monitoring; and
• Communications and real-time information systems to support
1 The term “ad hoc” in this finding refers to responses that are not planned and trained on in advance but rather are developed on the spot—operators’ use of car batteries at the Fukushima Daiichi plant (see Chapter 4) is an example of an ad hoc response. This type of on-the-spot reasoning and problem solving is referred to as “knowledge-based” performance in the human factors literature. Knowledge-based performance is necessary when a situation is novel or not fully covered by the available procedural guidance. In these situations individuals need to have a deeper level of understanding of how a system works (e.g., the physical laws and principles that apply) to be able to correctly assess the situation, establish appropriate response goals, and formulate a plan of action to achieve those goals (Rasmussen, 1983; Mumaw et al., 1994).
communication and coordination between control rooms and technical support centers, between control rooms and the field, and between onsite and offsite support facilities.
The quality and completeness of the changes that result from this recommendation should be adequately peer reviewed.
184.108.40.206 DC Power for Instrumentation and Safety System Control
As noted in Chapter 4, the loss of DC power at the Fukushima Daiichi plant severely impacted operators’ ability to monitor the status of reactor pressure, temperature, and water level and operate critical safety equipment. A lesson that emerges from this accident is that high priority must be given to protecting DC batteries and power distribution systems at nuclear plants so that they remain functional during beyond-design-basis events.
Both the USNRC and industry are taking useful steps to improve the ability of nuclear plants to cope during extended loss of power (see Appendix F). The USNRC issued a Mitigation Strategies Order requiring U.S. nuclear plant licensees to implement strategies for coping without permanent electrical power sources for an indefinite period of time. This order is being followed by a formal rulemaking. The industry’s FLEX initiative (Appendix F) is intended to address this USNRC order using installed and portable equipment. The specific strategies to be used will be different for each nuclear plant.
Neither the USNRC order nor FLEX specifically addresses the need to protect station DC batteries and power distribution systems so that they remain functional during beyond-design-basis events. The baseline FLEX strategy for the Peach Bottom plant, for example, simply assumes that station DC batteries and power systems would be available during a beyond-design-basis external2 event and that emergency portable power would be needed only for battery charging (Exelon Generation Company, 2013). However, the functional requirements in NEI (2012) provide for capabilities that can be effective in responding to the loss of DC power. This includes the ability to operate the reactor core isolation cooling system, the capability to read certain instruments, and the capability to depressurize the reactor pressure vessel without DC power.
The Fukushima Daiichi accident demonstrates that without AC or DC power, operators would have a few hours at most to restore critical reactor
2 FLEX was developed specifically to address external events. See Appendix F.
monitoring and cooling functions to prevent core damage.3 If station DC batteries or power distribution systems are destroyed or damaged, there may not be enough time to install backup DC power even if the necessary equipment is available onsite.
Existing battery rooms and associated power distribution systems at U.S. nuclear plants might need to be retrofitted and/or relocated to protect them during beyond-design-basis events. The specific actions required, if any, will be plant specific. That is, it will depend on both the design of the plant as well as the specific event scenarios that emerge from plant risk evaluations.
220.127.116.11 Tools for Estimating Real-Time Plant Status During Loss of Power
During abnormal transients or accident conditions in nuclear reactors, key thermodynamic parameters (e.g., temperature, pressure, and water level in the reactor vessel; temperature, pressure, and radiation level in the containment; and water level and temperature in spent fuel pools) must be known to facilitate appropriate operator actions. Indeed, the reliability of information gained from the instruments is a key to decision making and action taking by operators. Another lesson that emerges from the Fukushima Daiichi accident is that alternative means for estimating these parameters is needed during loss-of-power situations.
Under certain severe accident conditions and with disruption in power supplies, instruments may give faulty information. Although the committee is recommending that critical instruments be upgraded to cope with events that may severely impact their reliability (see Section 18.104.22.168), alternative means are still needed to guide the operators in coping with accident situations in which power is unavailable or unreliable.
Operators and technical support center staff should be provided with upgraded simulation tools and knowledge-based reasoning aids for both training and operation: for example, system-level analysis software installed on independent computers (e.g., laptops with extended battery life) to aid the operators and technical support center staff with the diagnosis of the plant state and appropriate actions under conditions of incomplete or
3 The time limitation has been known since the early days of reactor engineering and can be estimated from basic engineering principles of heat transfer and thermodynamics for a given accident sequence. Some of the earliest estimates of the time to uncover the core and time to core melt are documented in the Reactor Safety Study published in 1975 (USNRC, 1975, Appendixes III and IV). The engineering models and examples of estimates for boiling water reactors are given in Appendix VIII-A of that study (USNRC, 1975), and more recent results are given in the State-of-the-Art Reactor Consequence Analyses Study draft report published in 2012 (Borchardt, 2012b; USNRC, 2013c,d).
confusing information. Such software needs to execute rapidly to provide operators with immediate feedback in crisis situations; have a modern, intuitive graphical interface; and carry out simplified mass and energy balances to give realistic estimates of plant states, particularly critical reactor and containment parameters. The software needs to have an inference engine that uses both operator inputs and a knowledge base of plant systems, including failsafe control logic, and provides prioritized recommendations on diagnostic and corrective actions.
It is also important to provide technical support center staff with similar or greater capabilities, which could include enhancement of simulators to include accident scenarios involving core damage. Currently, operators perform only tabletop exercises for severe accidents because presently available simulators cannot handle core-damage events.
These new capabilities should be integrated with existing procedures, guidance, computational aids, and software tools. Any future changes to procedures, guidance, aids, and software tools also need to be reflected in these capabilities.
The committee recognizes that the real-time decision support tools and aids called for above will require some developmental efforts; the committee judges that the potential benefits of these tools and aids warrant the necessary investments in such efforts. The shortfalls in real-time situation assessment that were exhibited by control room and emergency response center (ERC) staff at the Fukushima Daiichi plant underscore the value of providing real-time decision support tools and aids for plant status assessment and response planning, both for control room and technical support center staff. The committee further judges that the existing thermal-hydraulics knowledge base can be leveraged to create aids for generating real-time estimates of key thermodynamic parameters and liquid level in the reactor pressure vessel and provide real-time support for response planning.
22.214.171.124 Decay-Heat Removal, Reactor Depressurization, and Containment Venting Systems
The loss of AC and DC power at the Fukushima Daiichi plant severely impacted operators’ ability to remove decay heat from the Unit 1-3 reactors and depressurize reactor press174ure vessels and vent containments, both to restore cooling to the core and to prevent leakage of fission products. Another lesson that emerges from the accident is that strategies and capabilities must be in place for removing decay heat from reactors, depressurizing reactor pressure vessels, and venting containments under loss of AC and DC power conditions.
Reactors continue to generate decay heat even after shutdown (see Chapter 2). This decay heat must be removed reliably over a long period
of time to avoid damage to the integrity of the reactor core. Boiling water reactors (BWRs) have a number of core cooling systems that can be used to remove decay heat (see Chapter 2):
• Low-pressure cooling systems (low-pressure coolant injection system) require power to operate pumps and actuate valves.
• High-pressure cooling systems (isolation cooling,4 reactor core isolation cooling, and high-pressure coolant injection systems) require power to actuate valves.
• “Ad hoc” cooling systems (e.g., injection of water from the fire protection system using diesel-driven fire pumps or fire truck pumps) can be utilized only when reactor pressure vessels are at low pressure (see Chapter 4).
The Fukushima Daiichi accident revealed two problems with the operation of these cooling systems under loss-of-power conditions (Chapter 4):
1. The isolation condenser system in Unit 1 did not function after AC and DC power were lost, apparently because the valves inside containment were closed.
2. Ad hoc low-pressure water injection systems were not effective for cooling the Unit 1-3 reactors because of difficulties in depressurizing reactor pressure vessels and venting containments.
The subtle failsafe logic of the DC electrical system impacted the ability of the isolation condenser system of Unit 1 to function following loss of AC and DC power. This same logic system was also operative in the reactor core isolation cooling system in Unit 2 (however, because of the fortunate time sequencing of the loss of AC power, the Unit 2 system was able to operate for many hours).
There may well be other safety-critical plant control systems and subsystems that could be similarly affected by the near-simultaneous loss of AC and DC power. The design bases for these systems need to be better understood and appropriately reflected in plant operating procedures. Alternatively, such systems need to be redesigned to reduce the subtleties of the interactions.
Section 126.96.36.199 in Chapter 4 describes the careful orchestration required to depressurize a reactor pressure vessel and begin injection of low-pressure water. Depressurization removes heat from the reactor core through steam
4 Isolation condensers can provide cooling for an indefinite period of time as long as water is available on the secondary (shell) side of the heat exchanger and system valves are open. See Chapters 2 and 4.
flashing, which provides time to bring external cooling-water injection systems online. However, steam flashing can also result in the loss of a significant fraction of a reactor pressure vessel’s water inventory. Core damage can occur if low-pressure injection does not restore water levels in a timely fashion.5 Consequently, reactor operators must have well-defined strategies and capabilities for depressurizing reactor pressure vessels and venting containments in a timely manner under loss-of-power conditions. Additionally, there must be a low-pressure heat removal capability that is independent of electrical power.
The use of ad hoc water sources for cooling reactors is not addressed in standard design-basis accidents involving loss of reactor coolant. Moreover, the use of ad hoc water sources requires the availability of portable pumps, not installed core cooling systems. To the committee’s knowledge, the only analysis relevant to the type of scenario that occurred in Unit 1 at Fukushima Daiichi is a rudimentary discussion in EPRI (2012b, Volume 2, Appendix AA).
The U.S. nuclear industry has already identified depressurization as an issue and recognizes that there is a trade-off between lowering pressure and operating steam-driven cooling systems (i.e., reactor core isolation cooling and high-pressure coolant injection systems). Williamson et al. (2013) reported on the BWR Owners’ Group revisions to Emergency Procedures Guidelines. The guidance on depressurization places core cooling as the highest priority: if depressurization of the reactor pressure vessel results in the loss of systems needed for core cooling, then the guidelines specify that operators: (1) terminate depressurization and (2) maintain reactor pressure vessel pressure as low as possible. This guidance applies during all depressurization steps.
The revised guidelines instruct operators of reactors with reactor core isolation cooling systems to lower reactor pressure to about 200 psi (~1.4 MPa) during an extended loss-of-AC-power event. This will enable a more timely response and less loss of water inventory when transitioning to low-pressure cooling sources such as might be provided through FLEX, thereby helping prevent the core from becoming uncovered.
The FLEX guidance (NEI, 2012) also addresses depressurization:
Regardless of installed coping capability, all plants will include the ability to use portable pumps to provide RPV/RCS/SG [reactor pressure vessel/reactor coolant system/steam generator] makeup as a means to provide a diverse capability beyond installed equipment. The use of portable pumps to provide RPV/RCS/SG makeup requires a transition and interaction with installed systems. For example, transitioning from RCIC [reactor
5 The time window could be established through a fuel cladding heatup analysis.
core isolation cooling] to a portable FLEX pump as the source for RPV makeup requires appropriate controls on the depressurization of the RPV and injection rates to avoid extended core uncovery.
There is a specification in this guidance for providing an indefinite capability to depressurize reactor and supply water to the reactor pressure vessel under loss-of-power conditions.6 However, the details of how this strategy will be implemented are left up to each plant.
Moreover, if FLEX is not initially successful and core degradation occurs, radiation levels may impede access to locations where FLEX water and power connections are made—just as radiation levels hindered workers’ responses at the Fukushima Daiichi plant. FLEX would be greatly enhanced if it focused on preventing core damage as well as on mitigating damage severity should it occur.
188.8.131.52 Instrumentation for Monitoring Critical Thermodynamic Parameters
The loss of AC and DC power in Units 1 and 2 at the Fukushima Daiichi plant shut down key monitoring instrumentation for the reactor pressure vessel, drywell, and suppression chamber (see Chapter 4). The DC-powered monitoring instrumentation in Unit 3 shut down when that unit’s batteries were depleted nearly a day and a half later. The validity of readings from working instruments was difficult to ascertain after power was restored. Thermocouples on the exterior surfaces of reactor pressure vessels had been exposed to temperatures above their operating ranges and therefore were likely unreliable. Water-level gauges were likely affected by pressure transients and seawater use for cooling. Some pressure gauges also gave erroneous readings.7 A lesson that emerges from these observations is that robust and diverse monitoring instrumentation that can withstand severe accident conditions is essential for diagnosing problems, selecting and implementing accident mitigation strategies, and monitoring their effectiveness.
The availability and adequacy of monitoring instrumentation were identified as important issues following the Three Mile Island accident in 1979 (see Rempe et al., 2012). In the 1990s, U.S. nuclear power plant licensees and the USNRC addressed this issue through a systematic needs analysis. This analysis involved the identification of (1) sensor information required to monitor key plant functions; (2) locations and operating ranges
6 The indefinite coping time requirement is designed to address outages such as the 72-hour power loss experienced by some units at the Fukushima Daiichi plant. See Chapter 4.
7 See Gauntt et al. (2012b) for further discussion of data reliability during the accident.
of sensors that provide such information, and (3) environmental conditions that these sensors must withstand during the accident sequences that dominate risks. Additional monitoring instrumentation was added to U.S. nuclear plants as a result of this analysis: for example, reactor pressure indications, a wider range of reactor core temperature indications, and more robust temperature sensors.
The Fukushima Daiichi accident demonstrates the need to further harden essential reactor, containment, and spent fuel pool monitoring instrumentation to better withstand severe-accident conditions. The U.S. nuclear industry and the USNRC have already recognized the need for enhanced reactor and containment monitoring instrumentation, in particular with respect to monitoring spent fuel pool water levels (see Appendix F). The committee judges that further work is needed to evaluate the adequacy and reliability of existing reactor, containment, and spent fuel pool monitoring instrumentation for the risk-dominant accident sequences that emerge from the committee’s recommended plant-specific risk evaluations (see Recommendation 5.2A later in this chapter).
The USNRC issued an order8 in March 2012 requiring that all U.S. nuclear power plants install additional water-level instrumentation in their spent fuel pools (see Appendix F). The order required that this instrumentation provide at least three distinct water levels (the following material is quoted from p. 35 of the Order):
1. level that is adequate to support operation of the normal fuel pool cooling system,
2. level that is adequate to provide substantial radiation shielding for a person standing on the spent fuel pool operating deck, and
3. level where fuel remains covered and actions to implement makeup water addition should no longer be deferred.
The USNRC staff provided interim guidance on implementing this order (USNRC, 2012c).
The USNRC’s Advisory Committee on Reactor Safeguards9 (ACRS) commented on the sufficiency of this monitoring instrumentation:
[Water-level monitoring] instrumentation should be capable of detecting unexpected changes in SFP [spent fuel pool] level and provide appropriate alarms to alert the operations staff. Emphasis should be on the ability to detect water level reductions early during the event. The system should
8Order Modifying Licenses with Regard to Reliable Spent Fuel Pool Instrumentation. Available at http://pbadupws.nrc.gov/docs/ML1205/ML12056A044.pdf.
9 Committee member Dr. Michael Corradini is a member of the Advisory Committee on Reactor Safeguards.
also have the capability to track and display changes in the SFP water level. This capability would provide the operations staff with the ability to know whether the rate of water level reduction was accelerating, slowing, or remaining constant. (ACRS, 2012, p. 5)
The [interim staff guidance] should be modified to specify direct measurement of temperature in the SFP. Operators should know, as early as possible, if pool cooling is degrading. Information about SFP temperature provides operators with defense-in-depth information about the status of spent fuel cooling. Temperature information about the approach to boiling may also affect decisions regarding local personnel actions in the vicinity of the SFP. The temperature instrumentation should be simple, capable of being monitored continuously, and displayed in the main control room. (ACRS, 2012, p. 5)
As a result of the systematic evaluation recommended here, nuclear plant licensees and the USNRC might conclude that additional temperature sensors should be placed in pools to provide confirmatory information about the thermodynamic state of water inventories.10
184.108.40.206 Hydrogen Control
Based on what has been known about hydrogen behavior since 1980 (see Appendix G), the explosions and damage to reactor buildings at the Fukushima Daiichi plant should not have been that surprising. They illustrate in dramatic fashion the importance of hydrogen control in severe reactor accidents. Hydrogen explosions in Units 1, 3, and 4 at the Fukushima Daiichi plant caused severe structural damage to reactor buildings, created pathways for radioactive material releases to the environment, and greatly impeded onsite accident responses (see Chapter 4). The explosions also caused damage to fuel handling equipment and cooling systems for these units’ spent fuel pools. Large additional releases of radioactive materials to the environment might have occurred had the integrity of the spent fuel pools in Units 1, 3, and 4 been compromised. The accident highlighted the need to examine the adequacy of current hydrogen mitigation measures in some types of reactor containments.
Nuclear plants with Mark I and Mark II containments worldwide are equipped with nitrogen inerting systems to maintain reduced oxygen concentrations in containment (see Appendix G). Igniters are also used in
10 Water-level sensors provide no information about the thermodynamic state of the pool water until water levels begin to decrease due to boil-off.
The Fukushima Daiichi accident demonstrated in dramatic fashion that inerting the containment is inadequate for preventing hydrogen explosions if the containment fails. This emphasizes the key importance of managing thermal and pressure loads inside containment in order to maintain containment integrity. Being able to safely vent the containment in timely fashion with a minimum release of fission products is a key accident management step that must be available to operators (see Sidebar 2.2 in Chapter 2 for a discussion of venting). Preventing accidental releases of hydrogen into a reactor building even though containment is inerted is important—the large volume of hydrogen generation during a severe accident can overwhelm the inert gas when a hot hydrogen–nitrogen–steam mixture is released into a reactor building. When this mixture leaks into confined spaces outside of containment (i.e., into a reactor building) the steam will condense and a flammable mixture can be formed if the concentration of hydrogen is sufficiently high.
Following the Fukushima Daiichi accident, the USNRC issued orders requiring installation of reliable venting systems in reactors with Mark I and Mark II containments. In June 2013 the USNRC modified this order to require severe-accident-capable venting systems (see Appendix F). These vents should help to reduce hydrogen explosion hazards during severe accidents.
However, the Fukushima Daiichi accident demonstrated that the mere presence of containment vents12 does not eliminate hydrogen explosion hazards during severe accidents. Indeed, the effectiveness of these vents in limiting hydrogen releases in the buildings will depend on their operability under severe accident conditions (e.g., under loss of DC power and compressed air, as happened at Fukushima Daiichi), as well as the interaction of the vents with building ventilation systems.
The committee judges that reexamination is needed of the potential hazards of hydrogen explosions within the secondary containment (i.e., reactor buildings) of Mark I and Mark II plants. Mitigation strategies such as deliberate ignition, passive autocatalytic recombiners, and postaccident inerting that have been previously examined for large dry containments (NRC, 1987) could be reexamined for secondary containments.
11 Plants with ice condenser containments utilize water ice to condense steam generated during an accident. Plants of this design generally have smaller-volume containments than pressurized water reactors with dry containments.
12 All of the units at the Fukushima Daiichi plant had containment vents (see Section 2.5.2 in Chapter 2).
Such efforts are in progress in Japan and other countries with Mark I and II BWR plants. The USNRC has identified hydrogen control as an important safety issue but has designated it as a TIER III issue (see Appendix F) to be addressed at some later time.
Flames propagating in spaces filled with equipment and piping or within a building complex generate turbulence that results in substantial increases in flame speed, accelerating flames from low to high speeds and substantially increasing the pressure loading on structures. The severity of the explosions at the Fukushima Daiichi plant also suggests that the deliberate ignition strategies currently in use in Mark III and ice condensers reactors should be reexamined to determine if they will be adequate for accidents involving severe core damage under loss-of-power conditions.
220.127.116.11 Instrumentation for Onsite Radiation and Security Monitoring
The loss of AC and DC power shut down the Fukushima Daiichi plant’s onsite radiation monitoring and security systems. The loss of the plant’s radiation monitoring systems impeded efforts to monitor radioactive material releases from the Unit 1, 2, and 3 reactors and estimate the timing and magnitude of offsite releases (see Chapter 6).
The loss of onsite security monitoring systems reduced physical protection of the plant grounds and critical plant infrastructure. The reduction of physical protection at the plant increases its vulnerability to attacks from external forces or determined insiders. Additionally, the voluminous amount of information published about the accident provides potential adversaries with data about critical plant systems, their interdependencies, and key personnel; this information could be used to plan and carry out attacks on other nuclear plants. The committee intends to discuss security issues in its second report (see Chapter 1).
A clear lesson learned from the accident is that onsite radiation and security monitoring systems need to be hardened so that they continue to function during severe accidents. Alarm annunciation and communication equipment at U.S. nuclear plants are currently required to have a secondary power supply such as an emergency diesel generator. Additionally, intrusion detection and assessment equipment at the protected area perimeter of the plant is required to have an uninterruptible power supply so that it remains operable in the event of the loss of normal power. This equipment may need to be hardened to protect it against severe accidents. The need for and approaches to hardening should be based on plant-specific risk evaluations recommended elsewhere in this chapter (see Recommendation 5.2A).
18.104.22.168 Communication and Real-Time Information Systems
The Fukushima Daiichi accident highlighted the need for reliable communication links between control rooms and technical support centers, between control rooms and the field, and between onsite and offsite support facilities during severe accidents. The limited means of communication during the Fukushima Daiichi accident degraded the ability of plant personnel to plan and coordinate their response actions. The loss of the offsite emergency response center disrupted lines of communication with local and national government agencies. The loss of communication infrastructure contributed to the central government’s concerns that it was not receiving timely and accurate information about the status of plant.
The USNRC’s Near-Term Task Force (USNRC NTTF, 2011) report highlighted the need for reliable communications equipment (e.g., hardwired telephones, cellular telephones, satellite telephones, radios, and pagers) for communicating onsite and offsite, including during events that may involve extended loss of AC power and/or damage to external telecommunication infrastructure (e.g., phone switches and cell towers). The committee concurs with this assessment.
The committee suggests that there is also a need to ensure the reliability of data communications, both onsite (e.g., between the control room and the technical support center13) and offsite (e.g., between the plant and offsite government and regulatory agencies), particularly during extended AC power loss. The Fukushima Daiichi accident highlighted the importance of real-time information systems (e.g., Safety Parameter Display Systems) for enabling personnel to maintain situational awareness of plant conditions. In discussions with the committee, TEPCO personnel commented that the lack of availability of this system in the control rooms and ERCs contributed to delays in diagnosing plant conditions (see Chapter 4).
The committee also concurs with the Near-Term Task Force recommendation on developing reliable and secure data pathways between U.S. nuclear plants and USNRC headquarters to enable direct and automatic electronic transmission of critical plant parameters during emergencies. The task force report notes that
Having data provided directly from automated sources at the site also gives confidence to government authorities and the public that the plant operator is not filtering the details of an evolving accident. (USNRC NTTF, 2011, p. 55)
13 Technical support centers at U.S. nuclear plants carry out many of the same functions as ERCs at Japanese plants. More information about this and related facilities is provided elsewhere in this chapter.
It is particularly important that these data pathways be functional during extended loss-of-AC power events, multiunit events, and events that affect multiple plants simultaneously.
22.214.171.124 Peer Review
The committee’s call for adequate peer review is intended to increase the quality and completeness of the changes resulting from its recommendations and thereby enhance nuclear plant safety. The committee judges that peer review will also enhance the transparency, credibility, and public confidence in actions taken by industry and its regulator (USNRC) to implement lessons learned from the Fukushima nuclear accident. Peer review has the following characteristics: expert (including national and international perspectives), independent, external, and technical (NRC, 1998, p. 2; see also USNRC, 1998) and is transparent to audiences external to the industry and its regulator.
The nuclear industry and its regulator already carry out a large number of technical and operational reviews. Industry reviews are carried out, for example, by reactor owners’ groups, the Institute of Nuclear Power Operations (see Sidebar 7.2 in Chapter 7), and plant-specific safety review committees. The industry regulator obtains peer reviews from an independent advisory committee, the Advisory Committee on Reactor Safeguards.
The committee acknowledges the importance of these review groups and their continuing engagement in the process of ensuring the adequacy of the U.S. response to the lessons learned from Fukushima. At the same time, it is essential that the regulator and industry be vigilant to the one key lesson from Fukushima, which is the value of independent, informed perspectives that are outside the immediate community of decision makers as provided by peer review in the broad sense described above.
5.1.2 Procedures and Training
RECOMMENDATION 5.1B: As the nuclear industry and its regulator implement the actions referenced in Finding 5.1, they should give specific attention to improving resource availability and operator training to enable effective responses to beyond-design-basis events, including, when necessary, developing and implementing ad hoc responses to deal with unanticipated complexities. Attention to the following is specifically needed:
1. Staffing levels for emergencies involving multiple reactors at a site, that last for extended durations, and/or that involve stranded-plant conditions.14
2. Strengthening and better integrating emergency procedures, extensive damage mitigation guidelines, and severe accident management guidelines, in particular for
• Coping with the complete loss of AC and DC power for extended periods,
• Depressurizing reactor pressure vessels and venting containments when DC power and installed plant air supplies (i.e., compressed air and gas) are unavailable,
• Injecting low-pressure water when plant power is unavailable,
• Transitioning between reactor pressure vessel depressurization and low-pressure water injection while maintaining sufficient water levels to protect the core from damage,
• Preventing and mitigating the effects of large hydrogen explosions on cooling systems and containments, and
• Maintaining cold shutdown in reactors that are undergoing maintenance outages when critical safety systems have been disabled.
3. Training of operators and plant emergency response organizations, in particular,
• Specific training on the use of ad hoc responses for bringing reactors to safe shutdown during extreme beyond-design-basis events, and
• More general training to reinforce understanding of nuclear plant system design and operation and enhance operators’ capabilities for managing emergency situations.
The quality and completeness of the changes that result from this recommendation should be adequately peer reviewed (see Section 126.96.36.199).
188.8.131.52 Staffing Levels
Staffing levels at the Fukushima Daiichi plant were inadequate for managing the accident response (see Chapter 4) because the accident extended over multiple days and involved multiple reactor units. A clear lesson from this accident is that staffing levels and responsibilities at nuclear plants need to be reassessed to ensure that they are adequate for managing complex emergencies.
During an emergency at a nuclear plant in the United States several onsite and offsite emergency response facilities are activated to provide
14 That is, when the plant is cut off from outside supply of materials and personnel.
technical and management support: technical support centers, which provide management and technical support to control room personnel; operational support centers, which are used as an assembly area for damage repair teams; and emergency operations facilities, which provide information about the emergency to federal, state, tribal, and local authorities (USNRC NTTF, 2011, p. 53).
Staffing numbers, roles, and responsibilities at U.S. nuclear plants and these associated emergency response facilities need to be reassessed to ensure that critical personnel functions, including communication and coordination functions, can be supported in complex emergencies, particularly emergencies involving multiple reactor units (at multiunit sites), and/or require 24-hour operations with shift turnovers. The reassessment should ensure that the support facilities are organized and staffed to have high reliability, appropriate levels of authority, and appropriate mixes of knowledge and experience to develop and orchestrate response plans in real time.
The analysis of staffing needs should also take into account any additional functions or workloads arising from the industry’s FLEX initiative to establish regional centers as a common source of emergency equipment (see Appendix F). Although the regional centers can provide equipment and resources that can aid onsite staff in responding to an accident, they are also likely to impose additional burdens on onsite staff to handle communications, coordination, and logistics.
The analysis of staffing needs should also consider stranded-plant conditions—that is, when the plant is cut off from outside supply of materials and personnel. U.S. plants have stranded-plant procedures that address staffing levels if natural disasters restrict access to plants. These should be reviewed and augmented as necessary to ensure the availability of personnel and resources during severe accidents.
184.108.40.206 Emergency Procedures and Guidance
Reactor operators and emergency response center personnel at the Fukushima Daiichi plant lacked written guidance for bringing the plant’s reactors to cold shutdown under loss-of-power conditions. TEPCO (2012b, p. 52) described the situation this way:
[I]n this accident, due to the tsunami impact, which was far beyond the previous estimations, almost all equipment and power sources expected to operate to respond to the accident lost their functions, resulting in a situation that was outside of the assumptions that were made to plan accident response.
An important lesson from this accident is that the written guidance used at nuclear plants to guide operator actions during off-normal events needs to be strengthened and better integrated to address loss-of-power conditions in operating and shutdown reactors.
Nuclear plant operators have written aids to guide them in responding to off-normal events at nuclear plants; these include emergency operating procedures (EOPs), severe accident management guidelines (SAMG), and extensive damage mitigation guidelines15 (EDMGs). Information about development and use of EOPs, SAMG, and EDMGs in the United States is provided in Appendix H.
Off-normal events involving the loss-of-offsite AC power are within the design basis for nuclear plants. Operators are trained to respond to such events using EOPs and other plant procedures such as abnormal operating procedures and alarm response procedures. EOPs typically apply as long as reactor pressure and water level can be monitored and remain within acceptable ranges. The shift supervisor, who is stationed in the control room, and the plant manager have command-and-control responsibilities for implementing EOPs. (Both individuals possess senior reactor operator licenses.)
Operators would transition to SAMG or EDMGs when an off-normal event progresses beyond conditions covered by EOPs. The decision about which of these procedures to use would be based on plant conditions:
• Transition to SAMG would take place when core damage was determined to be imminent. The technical support center director would have command-and-control responsibilities for implementing SAMG. However, the control room could begin implementation if the technical support center was not yet staffed. The goals of SAMG are to stabilize the reactor core, maintain containment, and minimize the release of the core’s radioactive materials after fuel damage has occurred.
• Operators may elect to implement EDMGs when large fires or explosions damage large areas of a plant or disable the plant’s command- and-control structure. Responsibility for implementing EDMGs could reside in the control room, technical support center, or emergency operations facility (see USNRC NTTF, 2011, pp. 46-49). EDMGs provide for the use of portable equipment (e.g., generators, pumps) to restore basic plant monitoring and safety functions.
15 EDMGs provide strategies for maintaining or restoring core cooling and containment (and spent fuel pool cooling) in emergencies involving the loss of large areas of the plant as a result of fires and explosions. These guidelines were developed after the September 11, 2001, terrorist attacks.
The Fukushima Daiichi plant did not have EDMGs, and the SAMG in effect at the plant at the time of the accident proved to be inadequate because it did not anticipate complete loss-of-power conditions. SAMG in place in the United States at the time of the accident also did not anticipate such conditions.
The Fukushima Daiichi accident exposed plant operators to complex conditions and competing demands. Had this accident occurred in the United States, it would have taken plant operators out of EOPs and into EDMGs or SAMG, depending on plant conditions. Arguably, operators in the United States may have been able to use guidelines and equipment available via EDMGs to prevent or delay damage to fuel in the reactor core. If core damage had occurred, then operators could have used SAMG to stabilize the core and maintain containment. However, it is not at all clear that U.S. operators could have prevented core damage given the severity of the accident; to the committee’s knowledge, there is no experience in this regime in the U.S. nuclear industry.
Although most emergency response drills involve scenarios that include core damage, operator training does not routinely exercise the range of SAMG response options and does not involve multiple-unit scenarios. Examination of the factors that drive human responses under such conditions is essential for integrating EOPs, SAMG, and EDMGs.
Recommendation 8 of the USNRC’s Near-Term Task Force (USNRC NTTF, 2011) called for strengthening and integrating EOPs, EDMGs, and SAMG. This recommendation will be implemented through rulemaking, perhaps leading to a final rule in 2016. The enhanced capabilities available through the U.S. nuclear industry’s FLEX initiative will undoubtedly be considered during the rulemaking process.
The committee concurs with this USNRC NTTF assessment and recommends that the following issues be specifically examined and relevant guidance developed where appropriate:
1. Coping with the complete loss of AC and DC power for extended periods (e.g., up to 72 hours during the Fukushima Daiichi accident), not just for standard “station blackout conditions” involving loss of AC power for a limited (4- to 8-hour) duration;
2. Depressurizing reactor pressure vessels and containments when DC power and installed plant air supplies are unavailable;
3. Injecting low-pressure water when plant power is unavailable;
4. Transitioning between reactor pressure vessel depressurization (point 2) and low-pressure water injection (point 3) while maintaining sufficient water levels to protect the core from damage;
5. Mitigating the effects of large hydrogen explosions on cooling systems and containments; and
6. Maintaining cold shutdown in reactors that are undergoing maintenance outages when critical safety systems have been disabled.
With respect to point 6, SAMG are needed not only for operating reactors but also for reactors that are in “cold shutdown,” as was the case for Unit 5 at the Fukushima Daiichi plant (see Chapter 4). Unit 5 was in a maintenance outage when the earthquake and tsunami occurred; its containment was open for inspection, some safety equipment had been disabled, and the reactor pressure vessel was pressurized for leak testing. There was a substantial loss of water inventory in the reactor pressure vessel after cooling system functions were lost. It is not unusual to have one or more reactors in maintenance outages at multiunit plants.
The foregoing underscores the importance of understanding and coping with risks during shutdown conditions. It was increasingly recognized in the global nuclear safety community by the 1990s that core-damage risk at shutdown could be comparable to that at power operation (e.g., IAEA, 1994; Jo et al., 1995). While various plant and operational improvements have been considered since then, it is important to continue to recognize that severe events need to be considered for shutdown conditions.
The ACRS considered the issue of overlapping guidelines and procedures in connection with plant fire response procedures and commented on the need for better integration:
These procedures provide operator guidance for coping with fires that are beyond a plant’s original design basis. Some plant-specific fire response procedures instruct operators to manually de-energize major electrical buses and realign fluid systems in configurations that may not be consistent with the guidance or expectations in the EOPs. Experience from actual fire events has shown that parallel execution of fire procedures, Abnormal Operating Procedures (AOPs), and EOPs can be difficult and can introduce operational complexity. Therefore, these procedures should also be included in the comprehensive efforts to better coordinate and integrate operator responses during challenging plant conditions. (ACRS, 2011, p. 8)
The integration of EOPs, EDMGs, and SAMG will be a complex effort that requires substantial interactions among several parties: plant operations, engineering, and management personnel; reactor owners’ groups; EPRI and INPO; technical experts; and regulators. Extensive testing of the integrated procedures will also be required at each nuclear plant.
The nuclear industry could develop accident management advisory tools to assist in the development of SAMG, assess their effectiveness and
completeness, and better inform operator actions for accident management. The usefulness of such tools will depend on the availability of accurate data for key plant operating parameters, the ability to model accidents that progress beyond the design basis, and the ability to model the potential range of operator actions. It is important that the regulator (the USNRC) have the ability to evaluate the technical accuracy and utility of these tools.
FLEX strategies at individual nuclear plants might need to be augmented to provide the resources required to implement revised SAMG. For example:
• Coping with power loss will likely require the availability of portable batteries, emergency generators, and prepared power cables.
• Depressurizing reactor pressure vessels and containments might require the availability of portable power supplies and compressed gas (air or nitrogen).
• Low-pressure water injection might require the availability of self-powered portable pumps that can generate sufficiently high pressures to overcome a partially depressurized reactor vessel or partially vented containment.
Work is already under way by industry to address some of these issues. For example, the BWR Owners’ Group Emergency Procedures Committee issued revisions to guidelines affecting emergency procedures and severe accidents for boiling water reactors in the United States. Special emphasis in the revised guidance has been given to loss-of-onsite-power scenarios (Williamson et al., 2013). New generic procedures are being implemented through workshops being held throughout the international community, including Japan.
Consideration should also be given to explicitly ensuring that emergency procedures, severe accident management guidelines, and support documents (e.g., blueprints and calculations) are available to workers during loss-of-power events. Initial and continuing training of operators and other workers should include exercising their ability to diagnose plant conditions and implement necessary actions without relying on computer systems that might not be unavailable during such events.
Peer reviews of these procedures, guidance, and strategies will be needed to ensure that they are based on appropriate sets of plant damage states and do not contain unidentified “cliff-edge” effects.16
16 That is, plant damage states that would prevent an adequate response using FLEX and revised SAMG.
220.127.116.11 Training of Operators and Plant Emergency Response Organizations
The Fukushima Daiichi accident demonstrated that extreme beyond-design-basis events pose multiple challenges to human performance, including challenges to situation assessment, planning, decision making, communication, coordination, and task execution. Because events of this complexity had not been anticipated, the training received by the Fukushima Daiichi operational and ERC staff did not sufficiently prepare them for these extreme challenges. Given this experience, U.S. nuclear power plant training for responding to extreme beyond-design-basis events should be reviewed to ensure that it is sufficiently effective. This includes training for control room operators, technical support center personnel, and other plant personnel who would be involved in decision making and response to severe accidents.17
The committee judges that two types of training are important:
1. Specific training on the use of strategies for bringing reactors to safe shutdown during extreme beyond-design-basis events. This includes training on
• Operation of reactor heat removal systems, including failsafe logic of control systems and manual-control backup options, with special attention being paid to scenarios where AC and DC power sources fail in different sequences;
• Depressurizing reactors while tracking and controlling reactor water level, pressures, and temperatures;
• Means for injecting low-pressure water from various plant sources; and
• Recognizing instrument failures and degradations and developing alternative means to obtain critical monitoring data, especially with respect to reactor water level and pressure, containment pressure, and temperatures.
The plant-specific risk evaluations recommended by the committee (see Recommendation 5.2A) will be important sources of scenarios for this training. The training should also account for conditions that are likely to be encountered during these scenarios: poor lighting, flooding, high radiation, fires, and other plant damage. The role of other support systems, for example, instrument air, should also be considered in the training.
17 At present, U.S. nuclear plants have accredited training programs that are conducted annually for a range of maintenance, engineering, technical personnel, and operators.
2. More general training intended to support effective performance of the broader emergency response organization. This includes training not only for control room operators but also the Shift Technical Advisor resident in the control room, and technical support staff operating out of the technical support center and emergency operations facility. It is important that this training (i) reinforce fundamental understanding of nuclear plant system design and operation—this includes having a full grasp of the capabilities of all plant equipment (not just so-called “safety critical” equipment) and how it can be marshaled in emergency situations; and (ii) enhance capabilities for managing emergency situations including, for example, capabilities for the following:
• Reasoning with missing, conflicting, and misleading data (e.g., from degraded sensors);
• Reasoning that requires understanding complex system interlocking, automated system behavior, and failsafe operation;
• Reasoning under data overload conditions;
• Managing competing demands on attention;
• Prioritizing and making goal trade-offs;
• Developing and implementing mitigation plans that are not fully covered by available procedures and guidance;
• Communicating and coordinating activities within and across physical locations and shifts; and
• Establishing and exercising clear roles, responsibilities, and lines of authority within and across the various control centers (e.g., control room, technical support center, emergency operations facility), particularly in situations where roles and responsibilities have to be dynamically redefined in response to evolving situations.
The objective of this training is to develop capacities to respond adaptively in the face of unforeseen situations. These training activities would help build the kinds of problem-solving, decision-making and communication skills that were demonstrated to be critically important in the Fukushima Daiichi accident.
There is extensive literature that can be drawn on for training techniques to improve cognitive skills for responding adaptively under high-stress conditions. This includes training for decision making under stress (Cannon-Bowers and Salas, 1998); training for emergency responders (Wall et al., 2004); and training for coping with complex severe accident conditions (Mumaw et al., 1994).
Training to improve cognitive skills is intended as an adjunct to, rather than a substitute for, development of robust preplanned procedures and decision support tools for guiding performance. In general, availability
of effective decision support is the preferred solution because cognitive performance is prone to error under high-stress, time-pressured conditions. However, as the Fukushima Daiichi accident illustrates, reliance on cognitive skills can become critically important when ad hoc responses are required for coping with unanticipated situations that are not well handled by the available procedural guidance and decision support.
The Fukushima Daiichi accident also highlighted the importance of training to enable efficient planning and execution of manual actions that may need to be performed under harsh time-pressured conditions (e.g., lack of lighting and high radiation levels). This includes manual actions that may be needed when remote control capabilities are lost (e.g., planning and execution of manual valve operation for containment venting); and movement and activation of portable auxiliary equipment (e.g., portable pumps) that might be called for as part of severe accident response strategies such as FLEX.
Many of the committee-identified lessons learned for nuclear plant systems, procedures, and training (Sections 5.1.1 and 5.1.2) have been anticipated in previous analyses, some over three decades ago. A 1981 Oak Ridge National Laboratory (ORNL) report (Cook et al., 1981), for example, examines the consequences of an unmitigated station blackout at Browns Ferry, a BWR/4 Mark I plant in Alabama. Among the insights gained from that study are the following:
• Neither existing training nor emergency operating procedures adequately prepared operators for an unmitigated station blackout accident.
• The plant could cope with loss of offsite AC power as long as onsite AC power and/or station DC batteries were available. Station battery lifetime was a primary determinant of accident sequence progression timing.
• Plant instrumentation (sensors, detectors, indicators, and annunciators) would not be functional and/or provide reliable information once DC power was lost and core damage was initiated. Operators would be “flying blind” during the most critical phases of the accident.
ORNL also published several papers on the role of BWR reactor buildings in severe accidents (Greene, 1986, 1987, 1988, 1990; Greene and Hodge, 1986). The analyses in those papers suggested that
• Intact reactor buildings could play a significant role in mitigating the consequences of severe accidents in BWRs.
• Hydrogen explosion-induced differential pressures in BWR Mark I reactor buildings could exceed their design differential pressures by a factor of four. Consequently, hydrogen explosions present a real potential for reactor building failure and secondary containment bypass.
Greene (2014) provides an interesting historical perspective on severe accident initiation, progression, and mitigation in BWRs. The author posits that many lessons learned from this work have been forgotten or ignored. Indeed, he observes that
Based on historical BWR station blackout studies, and given the hybrid short-/long-term station blackout sequence that occurred at Fukushima Daiichi, we have little reason to be surprised about the course and timing of events that occurred in Fukushima Daiichi Units 1-3.
The committee agrees that the Fukushima accident was not a technical surprise and was in fact anticipated by previous severe reactor accident analyses. Indeed, there is a well-documented and logical progression of knowledge regarding severe reactor accidents, beginning with WASH-740 (AEC, 1957) and continuing through to the present-day State-of-the-Art Reactor Consequence Analyses (USNRC, 2013c,d). There is a continuing stream of technical reports, papers, conferences, and books that sustain and augment the knowledge base. See Sidebar 5.1 for a brief description of the history of severe accident analysis.
FINDING 5.2: Beyond-design-basis events—particularly low-frequency, high-magnitude (i.e., extreme) events—can produce severe accidents at nuclear plants that damage reactor cores and stored spent fuel. Such accidents can result in the generation and combustion of hydrogen within the plant and release of radioactive material to the offsite environment. There is a need to better understand the safety risks18 that arise from such events and take appropriate countermeasures to reduce them.
RECOMMENDATION 5.2A: The U.S. nuclear industry and the U.S. Nuclear Regulatory Commission should strengthen their capabilities for identifying, evaluating, and managing the risks from beyond-design-basis events. Particular attention is needed to improve the identification of such events; better account for plant system interactions and the per-
18 Risk is defined and discussed in Appendix I.
The U.S. Atomic Energy Commission sponsored the first major study of the theoretical consequences of severe accidents at large nuclear power plants in the mid-1950s. This study was performed by Brookhaven National Laboratory and resulted in the WASH-740 report (AEC, 1957). The subsequent Reactor Safety Study, which was issued as the WASH-1400 report in 1975 (USNRC, 1975), concluded that a severe accident was “the only way that potentially large amounts of radioactivity could be released by melting the fuel in the reactor core.” All risk studies performed subsequent to WASH-1400 have found this to be the case.
Industry also advanced the state of the art of severe accident analysis in the early 1980s as a result of the full-scope PRAs performed for the Indian Point, Zion (Commonwealth Edison, 1981; Consolidated Edison, 1982), and Limerick nuclear plants (Philadelphia Electric Company, 1981). These PRAs made major advancements to severe accident analysis, particularly with respect to containment response analysis and to radiological source-term analysis.
A substantial research program on severe accident phenomenology was planned and initiated by the USNRC following the Three Mile Island Unit 2 accident in 1979. This program included experimental and analytical studies of accident phenomenology (i.e., the physical, chemical, and radiological processes that occur during a severe accident). In 1980, the USNRC issued a Federal Register Notice for a proposed rulemaking on severe accident design criteria (USNRC, 1980d). In parallel with this regulatory effort, the nuclear industry sponsored the Industry Degraded Core Rulemaking (IDCOR) program. This program, which was active during 1981-1984, also involved experiments and analytical studies. The USNRC later withdrew the proposed rulemaking and issued a severe accident policy statement in 1985 (USNRC, 1985) which set the regulatory course for ad-
formance of plant operators and other critical personnel in responding to such events; and better estimate the broad range of offsite health, environmental, economic, and social consequences that can result from such events.
RECOMMENDATION 5.2B: The U.S. Nuclear Regulatory Commission should support industry’s efforts to strengthen its capabilities by providing guidance on approaches and by overseeing independent review by technical peers (i.e., peer review).
RECOMMENDATION 5.2C: As the U.S. nuclear industry and the U.S. Nuclear Regulatory Commission carry out the actions in Recommendation 5.2A, they should pay particular attention to the risks from
dressing severe accidents. The USNRC also issued a policy statement on safety goals (USNRC, 1986).
By the mid-1980s, new computational models of severe accident phenomenology had been developed and subjected to peer review. Studies of reactor severe accidents and their public health consequences were being carried out throughout the 1980s in many countries with light-water reactor programs. Many conferences and symposia took place, and papers and reports were widely disseminated. In the United States, a major update of the WASH-1400 report was issued (USNRC, 1990). It evaluated severe accident risks at five nuclear plants.
Beginning in 1988, the U.S. nuclear industry performed assessments of severe accident vulnerabilities for each licensed nuclear power plant. These individual plant examinations were done for both internal and external event initiators and were essentially PRAs. The USNRC issued its perspectives documents starting in the late 1990s (USNRC, 1997a, 2002c) which summarized the plant vulnerabilities and proposed modifications for each plant.
At present, severe accident studies are continuing in most countries with light-water reactors. Many international conferences and symposia feature studies on refinement of tools and confirmation of theoretical models based on experiments. Most university programs on nuclear engineering cover severe accidents in their curricula, and the topic is covered in contemporary textbooks and monographs on reactor safety. Short courses on severe accidents are typically offered in conjunction with conferences on PRA. Severe accident management guidelines have been developed and refined based on insights from phenomenological studies.
The most recent risk study that uses current severe accident information is the State-of-the-Art Reactor Consequence Analyses Project (USNRC, 2013c,d). The USNRC is also performing a Level 3 risk analysis of a pressurized water reactor, which will be completed in the next few years.
beyond-design-basis events that have the potential to affect large geographic regions and multiple nuclear plants. These include earthquakes, tsunamis and other geographically extensive floods, and geomagnetic disturbances.
A design-basis event is a postulated event that a nuclear plant system, including its structures and components, must be designed and constructed to withstand without a loss of functions necessary to ensure public health and safety. Such events can include malfunctions of plant structures or components due to manufacturing defects or wear or failures caused by outside agents, for example, natural hazards. An event that is beyond design basis has characteristics that could challenge the design of plant structures
Extreme external events—that is, large-magnitude environmental events such as earthquakes and floods that have recurrence intervals of centuries to millennia—have the potential to cause failures in multiple plant operating and safety systems, resulting in core-damage accidents that involve the release of explosive hydrogen within the plant and release of radioactive materials to offsite environments. The Fukushima Daiichi accident demonstrated that the health19 (including mental well-being), environmental, economic, and social consequences of such accidents can be considerable.
The accident at the Fukushima Daiichi nuclear plant has prompted the U.S. nuclear industry and its regulator, the USNRC, to take several actions (Appendix F) to better understand and mitigate the risks from extreme external events. Of relevance to the present discussion are the following three actions (see Appendix F, especially Table F.1, for details):
1. The USNRC requested that nuclear plant licensees perform detailed inspections (referred to as “walkdowns”) of currently installed seismic and flooding protection features at U.S. nuclear plants and identify, correct, and report any degraded conditions.
2. The USNRC also requested that nuclear plant licensees use present-day information to reevaluate seismic and external flooding effects and hazards that could impact plants to determine if plant structures, systems, and/or components need to be updated.
3. The USNRC ordered nuclear plant licensees to implement strategies for coping without permanent electrical power sources for an indefinite amount of time.
These initiatives are important and necessary steps to evaluate and mitigate the risks associated with beyond-design-basis external events. However, as currently organized, they are one-time efforts directed at two specific external hazards (i.e., seismic and flooding hazards). In the committee’s judgment, there is a need for a broader examination of extreme external hazards that can affect nuclear plant safety. The committee’s recommendation that the U.S. nuclear industry and USNRC strengthen their capabilities for identifying and evaluating the risks associated with beyond-design-basis external events is intended to address this broader need.
There are several approaches that could be used to address the committee’s recommendations. The choice of approaches involves nontechnical policy considerations and, for regulatory actions, would also require input
19 See Section 6.1.1 in Chapter 6 for more details on health effects from the Fukushima Daiichi accident.
from potentially affected stakeholders. Whatever approaches are adopted, however, the committee suggests that they
• Be implemented by the nuclear industry with oversight from regulators,
• Use established and credible risk evaluation tools and criteria,
• Use peer review to assess the quality and completeness of the risk evaluations, and
• Be updated as new information about extreme external hazards becomes available.
The nuclear industry in the United States and many other countries already uses a risk evaluation method that could be used to examine risks from beyond-design-basis external events such as occurred at the Fukushima Daiichi plant: probabilistic risk assessment (PRA). PRA is used routinely in the United States and many other countries for designing and operating nuclear plants. Information about the development and use of PRA can be found, for example, in Bley et al. (1992), Keller and Modarres (2005), and Garrick (2008).
PRAs are required for new nuclear plants in the United States but not for existing plants. Nevertheless, they exist in various forms for all existing plants and are used extensively in decision making about plant operations. Appendix I defines PRA and examines its applications in Japan and the United States.
PRAs in use at existing U.S. nuclear plants would need to be enhanced to make them useful for assessing beyond-design-basis external events such as occurred at the Fukushima Daiichi plant; in particular, they would need to
1. Integrate external events, including extreme events: earthquakes; floods (including tsunamis); and other offsite events that can disrupt electrical power, damage the electrical grid, and make it difficult to resupply equipment, fuel, communication systems, and personnel. Such “other” offsite events could include, for example, regional failures of the electric power grid as a result of equipment malfunctions, human error, terrorism (not discussed in this report), or geomagnetic disturbances (see Sidebar 5.2). Such regional-scale events could simultaneously affect multiple nuclear plants.
2. Account for potential interactions among plant components (e.g.,
Coronal mass ejections (CMEs) are massive bursts of charged plasmas from the surface of the Sun that travel through space at hundreds of kilometers per second. They can produce severe geomagnetic disturbances (e.g., terawatt-scale oscillating electrical currents) if they encounter Earth’s magnetosphere, which in turn can induce quasi-DC currents in electrical transmission lines. These currents can enter and exit power systems at transformer grounds, disrupting power system operations and damaging equipment (EPRI and NEC, 2011).
Large CME-induced geomagnetic disturbances have affected the electrical and communications infrastructure in North America during recent history:
• The “Carrington Event” in September 1859 produced aurorae that could be seen as far south as Cuba and Hawaii. This event induced currents in telegraph lines causing large-scale failures of telegraph systems; some systems continued to operate even after they were disconnected from their power sources (Carlowicz and Lopez, 2002).
• In May 1921, the largest CME of the 20th century, the “Great Storm,” disabled most telegraph service in the United States and damaged underwater trans-Atlantic cables.
• A CME in March 1989 collapsed the Hydro-Québec power grid and nearly toppled the U.S. grid. The net cost of the grid failure was estimated to be $13.2 million; some damaged transmission-system equipment was not returned to service for several months (Bolduc, 2002, p. 1794).
3. Account for potential interactions among reactors at multiunit plants.21
4. Account for situations that could hamper plant recovery efforts (e.g., blocked roads or a damaged electrical grid) and slow offsite assistance.
5. Account for the performance of plant operators and other critical personnel. This includes a consideration of situational challenges (e.g., unavailability of or misleading sensor indications and lack of relevant procedural guidance) that are likely to arise in severe accidents, and the individual, team, and organizational decision-making processes that are
20 The isolation condenser failure in Unit 1 at the Fukushima Daiichi plant is an example of such an interaction. See Chapter 4.
21 PRAs for existing plants generally address risk on a unit-by-unit basis. Furthermore, essentially all existing risk-informed rules and regulations are based on single-unit analyses.
Riley (2012, p. 1) notes that “By virtue of their rarity, extreme space weather events [e.g., geomagnetic disturbances], such as the Carrington event of 1859, are difficult to study, their rates of occurrence are difficult to estimate, and prediction of a specific future event is virtually impossible.” Nevertheless, Riley (2012) and Kappenman (2010, 2012) suggest that such events have occurrence frequencies on the order of one or more per century; Kappenman (2012) also suggests that extreme geomagnetic disturbances can cause severe damage to the electrical grid. A 2011 JASON report (MITRE, 2011) questions the plausibility of Kappenman’s worst-case scenario for damage to the electrical grid from an extreme geomagnetic disturbance but also calls for a study of the vulnerability of the U.S. grid.
The potential impacts of CME-induced geomagnetic disturbances on the electrical grid are well recognized (e.g., CENTRA, 2011; EPRI and NEC, 2011). Measures can be taken to protect the grid from damage from such disturbances, as was done, for example, by Hydro-Québec following the 1989 CME (see Bolduc, 2002). In 2013, the Federal Energy Regulatory Commission ordered the development of electrical grid reliability standards for geomagnetic disturbances (FERC, 2013). The standards are to be developed over a 2-year period and implemented thereafter. It could be several more years before a plan is developed and executed to implement those standards.
The USNRC has initiated a phased rulemaking to ensure long-term cooling and unattended water makeup of spent fuel pools that could be affected by prolonged disruptions to the electrical grid resulting from geomagnetic disturbances (USNRC, 2012e). This action was initiated in response to a petition asserting that prolonged outages of the North American power grid caused by geomagnetic disturbances could result in diesel generator fuel depletion and failure of resupply.
likely to influence performance under time-pressured, high-stress conditions. Additional discussion of human performance during severe accidents is provided in Appendix J.
6. Consider22 the offsite health, environmental, economic, and social consequences that can result from severe nuclear accidents:
• Health: death and injury (including mental distress) resulting from evacuations and exposures to radioactive releases.
• Environmental: contamination of air, water, and land; waste remediation and disposal costs.
22 Some offsite consequences of severe nuclear accidents are difficult to quantify, especially some types of health and social consequences. Nevertheless, the Fukushima Daiichi nuclear accident demonstrated that such consequences can be substantial (see Chapter 6). Silva et al. (2013) describe a methodology for assessing some health, economic, social, and environmental consequences from severe nuclear accidents.
The response of engineering safety systems in Units 1 and 2 at the Fukushima Daiichi plant to the loss of AC and DC power revealed a subtle but significant vulnerability of control systems; this vulnerability has important implications for risk analysis. As noted in Chapter 4, the power in both the AC and DC circuits was lost nearly simultaneously, resulting in a “race” between DC logic circuits commanding the failsafe closure of the isolation valves and the loss of AC power to the valve motors. This race had different outcomes in Unit 1 and Unit 2: In Unit 1, the isolation condenser’s AC-operated valves inside containment were effectively closed before the power failed; in Unit 2, in contrast, the valves for the reactor core isolation cooling system remained open. These different outcomes were apparently determined by small differences in the timing and sequence of power failures resulting from the flooding of multiple power sources and distribution systems.
The situation where two signals compete to perform actions is known as a race condition. This condition can occur whenever electronic logic circuits and computers are used to control safety systems. Such systems can be found in technologies ranging from nuclear power plants to your automobile. When a race condition is not anticipated or correctly resolved, the consequences can range from merely annoying (e.g., causing your personal computer to “blue screen”) to catastrophic (e.g., disabling the isolation condenser in Unit 1 at the Fukushima Daiichi plant).
Understanding race conditions is of increasing importance in both system design and safety analysis (Levenson, 1995). The control system must not only handle all permutations of input states under normal operating conditions but also the failure of power supplies for the logic controller and all controlled systems. It is essential that the logic controller and controlled systems wind up in predictable and safe states following a power loss or transient. This did not happen at the Fukushima Daiichi plant: following the complete loss of AC and DC power, operators had no idea of the status of almost all critical systems.
The inclusion of race conditions in risk analysis is complicated by several factors. First, it requires a more detailed analysis of the logic controller software and hardware, power circuits, and structures, systems, and components than are usually considered in a plant-level risk assessment. Second, race conditions often happen when multiple abnormal conditions and seemingly unlikely combinations of events take place. These combinations are frequently found at extreme values of parameters, sometimes referred to as corner conditions, within the event space and fault sequences being considered as part of a risk analysis. Third, many
• Economic: loss of economic activity as well as support for evacuated populations, cleanup of contaminated areas, and relocation and/or resettlement of affected populations.
• Social: disruptions to families and communities; loss of trust.
power plant systems are large and respond slowly because of the inertia in the plant’s systems and components—except for the logic controller and electrical circuits. This creates a mismatch that has to be analyzed carefully; specialized engineering analysis may be required to examine high-consequence, low-probability corner conditions (e.g., multiple, nearly simultaneous power failures on buses that are expected to be independent).
The simultaneous loss of all AC and DC power at Fukushima Daiichi appears to be a corner condition that the plant’s engineering systems were not designed to handle. The unknown state of multiple safety-related components and the inability to actuate those components greatly complicated management of the accident and may have contributed to its severity. This condition was manifested in at least three plant systems (see Chapter 4):
• The closure of isolation valves for Unit 1 and 2 cooling systems, as discussed previously.
• The interaction of containment venting with the standby gas treatment systems. Because the AC-powered dampers used to close the standby gas treatment systems were in an unknown position and could not be operated, the venting of the containments may have allowed hydrogen gas to enter the plant’s reactor buildings. Gravity-operated dampers in Units 1, 2, and 3 appeared to be effective in preventing hydrogen backflow into those units. Hydrogen backflow into Unit 4 apparently did result because dampers were never installed because they were considered unnecessary (TEPCO, 2012b, p. 351).
• The interaction of water injection by fire truck pumps with the condensate makeup water system. A sequence of valves was used to connect the fire protection plumbing to the reactor pressure vessel using components of the condensate makeup water system. Unfortunately, the valves leading to the condensate storage tank were open, diverting water flow from the reactor and reducing the effectiveness of core cooling.
The increased use of embedded controllers in process control, including the ongoing upgrades of nuclear power plant control rooms, and the unanticipated corner and race conditions at Fukushima indicate that increased attention to race and corner conditions is needed in future risk assessment for nuclear power plants as well as future design and verification and validation activities for next-generation nuclear power plants.
7. Include quantitative uncertainty estimates for event probabilities. Extreme events are understood to have low probabilities of occurrence, but those probabilities frequently have high associated uncertainties. Such events must not be prematurely screened out of PRAs without good justifi
Although tsunamis in the Atlantic Ocean Basin do not occur with the frequency of those in the Pacific and Indian Ocean Basins, the potential for tsunami generation is high in some locations. One such location is the eastern margin of the United States.
This margin has a broad and gently sloping continental shelf comprising sediments derived from erosion of the North American continent. Sediment slumps and slides along the outer edges of this shelf have the potential to create large tsunamis. Slumps and slides could be initiated by earthquake shaking or by the release of methane hydrates, which are plentiful along the continental margin. (Hydrate release could be caused by ocean warming or by uncovering by a previous slide.)
Driscoll et al. (2000) propose that the sediment slides along the shelf margin can be characterized by power-law distributions—that is, by a large number of small-scale slides and a small number of large-scale slides. An example of such a large-scale slide is the Albemarle-Currituck slide shown in Figure S5.2. This slide displaced approximately 150 km3 of sediment, similar to the Grand Banks slide described in Appendix K. Such slides are both infrequent and unpredictable. Within about half an hour of such a slide, ocean surface levels above the slide will decrease rapidly by a few meters. This would be followed by a rapid increase in ocean surface levels minutes to about an hour later. A large, rapidly moving coherent slide has the potential to produce a tsunami of considerable size. Its effect on coastal regions, however, will depend on factors such as the tidal cycle, ocean floor topography, and coastal geometry.
FIGURE S5.2 (A) High-resolution image of the continental shelf and slope offshore of Virginia and North Carolina showing the Albemarle-Currituck slide and several large canyons. (B) Inset map showing location of image in (A). (C) Close-up image of continental shelf edge showing gas blowouts. SOURCE: Driscoll et al. (2000).
There are advantages and disadvantages to using PRA to evaluate risks from beyond-design-basis external events. The primary advantages are the following:
• PRAs are based on well-established risk assessment principles.
• PRAs are already being used to assess and mitigate internal hazards at nuclear plants and to establish maintenance and test protocols. Consequently, plant licensees are familiar with their use.
• PRAs can be used to identify non-rare-event scenarios that result from plant design or operational flaws that are not uncovered in the design-basis regulatory review.
• PRAs can provide an integrated examination of plant design and operations.
• If executed properly, PRAs can provide a systematic examination of external hazards and their potential consequences. They can be useful for examining hazard mitigation strategies, for making backfit-rule decisions (Sidebar 5.5), and for emergency planning (see Chapter 6).
The primary disadvantages are the following:
• PRAs are expensive and can be time-consuming to produce and maintain.
• Extending the scope of PRAs will require additional technical expertise, especially in containment response analysis and offsite impacts. Obtaining this expertise could be difficult for industry and the USNRC.
• PRAs that have been performed generally do not adequately account for human error in design, construction, maintenance, and operation of nuclear plants (Appendix I) or for intentional sabotage.
• The results of PRAs are limited by experts’ ability to recognize all relevant phenomena, including potentially important external hazards, and by uncertainties and incompleteness of estimates of accident probabilities and consequences.
• The results of full-scope (i.e., Level 3) PRAs (see Appendix I) are also limited by the ability to validate phenomenological modeling of core damage and radioactive release as well as consequence modeling.
23 Progress Energy (2008) has developed a PRA for tsunamis for a new plant that it proposes to build in Levy County, Florida. Pacific Gas and Electric Company (2010) has produced a trial probabilistic tsunami hazard analysis for its Diablo Canyon nuclear plant.
“Backfitting” is any mandated modification to the design or operations of an already-licensed nuclear plant under 10 CFR § 50.109. Except in some narrowly designed circumstances,a the USNRC requires that its staff estimate all the costs to the licensee and the USNRC of the proposed backfit and balance these costs against the potential benefits in reduced risks to the facility, its employees, and the public. If the benefits exceed the costs then the proposed backfit is determined to be cost-effective.
The USNRC’s Regulatory Analysis Technical Evaluation Handbook (USNRC, 1997b) provides guidance on how to carry out the required analysis. PRA plays a central role in estimating the risk reduction for the proposed backfit.
A backfit analysis was carried out recently by the USNRC for adding filtered vents to the containments of Mark I and Mark II boiling water reactors (see Chapter 2 for a description of these reactors) to reduce the release of radioactive materials to the environment following a core meltdown. The analysis used a simple PRA for containment failure modes and the MELCOR code for estimating how much radioactivity would escape from containment for each failure mode. Population radiation doses, population evacuations, and land contamination areas were calculated for a reference plant (the Peach Bottom plant in Pennsylvania) and averaged over weather and wind conditions at the plant location. The quantitative analysis (see Appendix L) concluded that the cost of installing filtered vents on reactors with Mark I and Mark II containments would exceed the benefits. Installation of filtered vents therefore failed the backfit cost-benefit test based on this quantitative analysis.
Appendix L describes the hypothetical costs for the accident at the Peach Bottom plant used in the USNRC’s backfit analysis and compares them with the projected costs for the accident at the Fukushima Daiichi plant. This comparison illustrates the sensitivity of cost estimates to assumptions made about the accident scenario, the plant, and its location. As shown in Appendix L, the likely costs for the Fukushima Daiichi nuclear accident exceed the estimated costs for the hypothetical accident at the Peach Bottom plant by a factor of about 33.
a Section 50.109 states that “The Commission shall always require the backfitting of a facility if it determines that such regulatory action is necessary to ensure that the facility provides adequate protection to the health and safety of the public and is in accord with the common defense and security.”
Dr. Kiyoshi Kurokawa, chair of the Japanese Diet report on the Fukushima Daiichi accident (NAIIC, 2012), commented to the committee at its Tokyo meeting that the problem is not how to estimate rare events, but rather how to identify events that are not rare but go unrecognized. The insight captured by this remark is that unrecognized events need not be low
probability. There is a need to guard against missing events, even higher probability events, that result from limitations in identification processes.
If used mechanically without recognizing and acknowledging these limitations, PRAs can supplant judgment and undermine the regulatory policy-making process.24 For example, PRAs that underestimate the uncertainties in event probabilities or that contain incomplete consequence estimates can result in misleading cost-benefit evaluations for regulatory decisions under the backfit rule (Sidebar 5.5). Appendix L compares the estimated costs of the Fukushima Daiichi accident to the hypothetical costs for a core-melt accident at a U.S. nuclear plant to illustrate the sensitivity of cost estimates to PRA assumptions. Appendix L suggests that USNRC cost estimates for backfit analyses do not include a full accounting of costs and consequences arising from severe nuclear accidents. It is essential that the USNRC fully account for the costs of severe nuclear accidents when making backfit decisions.
An opportunity exists to use the accident progression at the Fukushima Daiichi nuclear plant to validate and improve severe accident system models (e.g., MAAP and MELCOR; see Chapter 4) and thereby enable higher-fidelity consequence modeling, for both onsite events and for offsite releases of radioactive materials during accidents, including the types of long-term releases to groundwater that are occurring at the Fukushima Daiichi plant. Efforts to improve these models have already been initiated (Gauntt et al., 2012b; EPRI, 2013). An extensive post-Fukushima code validation effort is being carried out in Japan (Yamanaka, 2012) and the Nuclear Energy Agency has initiated a code benchmark effort involving eight member states including the United States.25 It is important that these efforts be taken to completion for the reasons noted above.
In the course of this study, the committee identified three types of external events that merit attention in the recommended risk assessments: large earthquakes; large floods, including those caused by tsunamis (see Sidebar 5.4 and Appendix K); and geomagnetic disturbances produced when coronal mass ejections encounter Earth’s magnetosphere (see Sidebar 5.2). The latter two types of events have the potential to affect large geographic regions and offsite electrical power supplies to multiple nuclear plants. Adequate preparation requires the identification of these events and, to
24 Although risk assessment is an integral part of evaluating nuclear plant safety, the principal strategy for designing and regulating nuclear plants remains the long-standing defense-in-depth philosophy. This strategy involves the use of multiple redundant components and systems to compensate for potential mechanical and human failures as well as providing a buffer against the uncertainties inherent in risk assessment. See Keller and Modarres (2005) for further discussion of the relationship between defense in depth and PRA.
the extent possible, quantification of their expected frequencies, including uncertainties, and consequences.
FINDING 5.3: Four decades of analysis and operating experience have demonstrated that nuclear plant core-damage risks are dominated by beyond-design-basis accidents. Such accidents can arise, for example, from multiple human and equipment failures, violations of operational protocols, and extreme external events. Current approaches for regulating nuclear plant safety, which traditionally have been based on deterministic concepts such as the design-basis accident, are clearly inadequate for preventing core-melt accidents and mitigating their consequences. Modern risk assessment principles are beginning to be applied in nuclear reactor licensing and regulation. The more complete application of these principles in licensing and regulation could help to further reduce core-melt risks and their consequences and enhance the overall safety of all nuclear plants, especially currently operating plants.
RECOMMENDATION 5.3: The U.S. Nuclear Regulatory Commission should further incorporate modern risk concepts into its nuclear reactor safety regulations. This effort should utilize the strengthened capabilities for identifying and evaluating risks that are described in Recommendation 5.2A.
The committee uses the term modern risk concepts to mean risk that is defined in terms of the risk triplet (What can go wrong? How likely is that to happen? What are the consequences if it does happen? [see Appendix I]) and subject to the limitations for quantitative analyses described in Section 5.2, especially with respect to uncertainties and incompleteness of estimates of accident probabilities and consequences. Implementing this recommendation fully would likely require changes to some current USNRC regulatory procedures, for example, those used for backfit analyses (see Sidebar 5.5 and Appendix L).
It has been recognized since the 1950s that risks to the public from the operation of nuclear power plants are dominated by accidents involving core damage and radioactive material releases.26 Nuclear plants were
26 Radioactive material releases from spent fuel pools that lose their water inventories have also been suggested as a source of risk to the public (see, e.g., Alvarez et al., 2003; NRC, 2004b). Spent fuel safety and security will be examined in next phase of this study (see Chapter 1).
initially sited at large distances from population centers27 to reduce these risks—in the event of a severe accident any released radioactive materials would be dispersed (i.e., diluted) in the atmosphere before reaching the public (Okrent, 1981). The remote siting of plants also minimized the need for detailed investigations of accident sequences, simplified the modeling of health consequences, and resulted in the development of conservative hazard analyses (e.g., AEC, 1957). The nuclear reactor siting criteria produced as a result of these analyses (i.e., 10 CFR Part 10028 and TID-1484429) were adopted in some fashion by other national regulatory authorities.
The siting criteria recognized the maximum credible accident as a core-melt accident with a specified radioactive fission-product source term. The source term was used to calculate doses at a nuclear plant’s site boundary and for assessing the plant’s containment performance.
In contrast, nuclear reactor systems were designed using a different concept, namely the design-basis accident (DBA). A DBA is a stylized accident, for example, a loss-of-coolant accident or transient overpower accident,30 that is required (by regulation) to be considered in a reactor system’s design. The current generation of U.S. nuclear plants were designed, licensed, and built under these different siting and design criteria.
It was recognized in the 1960s that accident likelihoods (i.e., the probability that a postulated accident would occur) needed to be considered in nuclear plant safety analyses. Farmer (1967) suggested a probability-based technique for analyzing nuclear plant safety. This technique, referred to then as “probabilistic reliability analysis” but known today as “probabilistic risk assessment” (i.e., PRA), was beginning to be used in the British aeronautical industry. In the United States, work on PRA was advanced by reports from a U.S. engineering firm (Holmes and Narver, Inc.) that advocated for the use of advanced systems-engineering methods for modeling the reliability of safety systems; by Garrick (1968), who developed a probabilistic-based methodology for analyzing the safety of nuclear power plants; and finally by the first Reactor Safety Study (USNRC, 1975). The latter study inspired many first-of-a-kind nuclear plant risk assessments (Garrick, 2008).
Although these early nuclear plant PRAs were recognized for their
27 Of course, population growth has occurred around many nuclear plants since they were constructed, and so some plants may no longer be located far from population centers. The risk implications of such growth may not have been anticipated during the original licensing proceedings for some plants.
28 Reactor site criteria; available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part100/.
29 AEC (1962).
30 A transient is a “change in the reactor coolant system temperature, pressure, or both, attributed to a change in the reactor’s power output.” See http://www.nrc.gov/reading-rm/basic-ref/glossary/transient.html.
innovative methodologies, they also were found to be lacking in some important respects. For example, the General Accounting Office (now the Government Accountability Office), in commenting on the first PRA for the Indian Point nuclear plant in New York, noted that:
While many analysts consider the Indian Point PRA to be the state of the art in risk assessment, it suffers from the same fundamental problems as all PRAs: uncertainty and incomparability of results. Also, although the study identified the dominant contributors to risk, it did not identify the precise level of risk from operating the Indian Point nuclear powerplants. (USGAO, 1983, p. 2)
PRA is fundamentally different than DBA analysis: in DBA analysis a particular accident is postulated and deterministically analyzed. In contrast, a PRA considers a myriad of possible accident sequences, each having greater-than-zero probability values, even though they may be small.
In 1975 the USNRC applied PRA to a pressurized water reactor at the Surry Power Station in Virginia and a boiling water reactor at the Peach Bottom Atomic Power Station in Pennsylvania to estimate accident risks and their sources. This analysis (USNRC, 1975) provided a standard methodology as well as a benchmark for future studies; it also reaffirmed the conclusion that severe accidents involving core melts and radioactive material releases dominated risks to the public from nuclear plants. It also spurred research in Britain, Germany, and the United States to better understand physical core-melt processes.
The USNRC (1975) analysis had a minimal impact on nuclear plant regulation and operation in the years immediately following its publication. However, its influence has grown steadily. Deterministic analyses continued to be used to analyze DBAs and assess containment systems. Deterministic approaches were thought to be sufficiently conservative to be protective of public health.
The 1979 Three Mile Island accident (Walker, 2004) altered this perception. This accident involved multiple equipment malfunctions and operator actions that allowed an operational transient to evolve into a core-melt accident over a period of a few hours. The accident resulted in a significant amount of fuel melting in the reactor core and fission product release from the core into containment. The containment successfully prevented any major releases to the environment. However, the accident raised doubts about the comprehensiveness of deterministic approaches for nuclear plant safety analyses and assumptions about operator performance. It also highlights a lack of understanding of the physical processes that can threaten containment integrity. Deterministic approaches for nuclear safety analyses
reflect a major effort in understanding complex processes but they do not cover all scenarios.
The 1986 Chernobyl accident in Ukraine reinforced these doubts. This accident occurred in a Soviet-era reactor having an unstable design31 and was initiated by a series of inappropriate operator actions. The accident resulted in major offsite radioactive material releases with acute fatalities and long-term health effects (see Chapter 6).
Following these accidents, the USNRC established a policy (USNRC, 1995) on using PRA to complement regulations. The policy states that
1. The use of PRA technology should be increased in all regulatory matters to the extent supported by the state-of-the-art in PRA methods and data and in a manner that complements the [US]NRC’s deterministic approach and supports the [US]NRC’s traditional defense-in-depth philosophy.
2. PRA and associated analyses (e.g., sensitivity studies, uncertainty analyses, and importance measures) should be used in regulatory matters, where practical within the bounds of the state-of-the-art, to reduce unnecessary conservatism associated with current regulatory requirements, regulatory guides, license commitments, and staff practices. Where appropriate, PRA should be used to support the proposal of additional regulatory requirements in accordance with 10 CFR 50.109 (Backfit Rule). Appropriate procedures for including PRA in the process for changing regulatory requirements should be developed and followed. It is, of course, understood that the intent of this policy is that existing rules and regulations shall be complied with unless these rules and regulations are revised.
3. PRA evaluations in support of regulatory decisions should be as realistic as practicable and appropriate supporting data should be publicly available for review.
4. The Commission’s safety goals for nuclear power plants and subsidiary numerical objectives are to be used with appropriate consideration of uncertainties in making regulatory judgments on the need for proposing and backfitting new generic requirements on nuclear power plant licensees.
This policy, coupled with additional Commission guidance issued in 1999, has resulted in a variety of risk-informed program-specific improvements: for example, the maintenance rule for operating reactors,32 the
31 This Soviet-designed RBMK reactor has a positive void coefficient, so it becomes more reactive with increasing steam content in the core. RBMK reactors also do not have containments.
32 10 CFR § 50.65, Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0065.html.
The Fukushima accident, which was initiated by an extreme external event, further confirms the need for more expeditious consideration of risk-informed approaches to safety, particularly for beyond-design-basis events. The USNRC’s Near-Term Task Force (USNRC NTTF, 2011; see Appendix F) recommended that the agency establish “a logical, systematic, and coherent regulatory framework for adequate protection that appropriately balances defense-in-depth and risk considerations” (USNRC NTTF, 2011, p. ix). Another USNRC task force (USNRC, 2012a) has recommended that a risk management regulatory framework be adopted by the Commission.
The Nuclear Energy Institute has commented on the lack of progress in implementing risk-informed regulations (RIRs):
Over the past five years, progress in RIR has been stunted. A variety of factors have contributed to this, but the result has been a growing distrust of risk-informed processes. Ironically in the post-Fukushima era, where nuclear power faces many decisions that could be better informed by a risk perspective, the reluctance to use PRA in new regulatory activities has removed a valuable tool from the process. (NEI, 2013, p. 1)
The difficulty in expanding risk-informed regulations has been greater than some had anticipated. On the other hand, expansion has continued steadily in spite of resistance in some quarters of the USNRC and industry.
The committee judges that the broader use and expanded scope of modern risk concepts in nuclear reactor safety regulations could improve safety and lead to better policy decisions.
33 10 CFR § 50.61, Fracture Toughness Requirements for Protection Against Pressurized Thermal Shock Events. Available at http://www.nrc.gov/reading-rm/doc-collections/cfr/part050/part050-0061.html.