Research Article
Corresponding author: Francesco D’Auria ( dauria@ing.unipi.it ) Academic editor: Boris Gabaraev
© 2022 Francesco D’Auria, Romney B. Duffey.
This is an open access article distributed under the terms of the Creative Commons Attribution License (CC BY 4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Citation:
D’Auria F, Duffey RB (2022) Innovation needs in nuclear reactor safety and risk. Nuclear Energy and Technology 8(2): 77-90. https://doi.org/10.3897/nucet.8.82296
After three quarters of a century using nuclear fission to produce energy, Nuclear Reactor Safety and Risk constitutes an established technological sector. A key feature is continuous updating following new discoveries and progress in knowledge, resulting in extensive and elaborate safety methodologies, which are still not internationally accepted, generally applicable or technically consistent. Each country developed its own methods, guides, traditions and requirements to deal with evolving design, safety, siting and licensing issues. There is a clear parallel in societal risk perception between nuclear radiation exposure in accidents and viral infection in pandemics and the fear of the “unknown”. Unfortunately, over the last 20–30 years the declining introduction of electricity by nuclear fission in the countries that contributed most to its earliest development has also broken the bond between new scientific advancements and improvements of existing safety methodologies. By looking at the origins and fundamentals of nuclear technology, we consider the following topics of both deterministic and probabilistic interest: a) Loss of Coolant analysis; b) nuclear fuel accident performance weaknesses; c) role of containment and ultimate heat sinks; d) residual risk and emergency system deployment, and e) independent and risk informed decision making assessment. As a key outcome, we propose modifying the traditional licensing methodology, with the use of active and/or passive systems being subsumed into a broader Engineered Safety Features Management process. Furthermore, we emphasize the need to connect the As Low As Reasonably Achievable principle with the analyses that demonstrate the safety of nuclear installations, so as to minimize the need for excessive “paper” safety analyses and licensing efforts.
Nuclear reactor safety, risk, perspectives in licensing of nuclear reactors, independent assessment
Nuclear Reactor Safety and Risk (NRSR) constitutes a deep technology anchored on the one hand to the nuclear reactor design and operation and, on the other hand, to the human society. The connection with society has the potential to allow the exploitation of nuclear fission consistently with acceptable risk.
It is difficult or even impossible to classify in a coherent and rational way the existing wide literature dealing with NRSR, including rules, laws, ‘atomic acts’, etc.: this would require, among other things, resources and a paper size well beyond the current context.
Rather, in the first part of the paper we focus on selected aspects and concepts that provide a synthetic view of NRSR in an unconventional and conventional way, respectively sections 2 and 3. This constitutes the background for the performed investigation.
Namely, we introduce the need to address the question (section 2) ‘what is wrong with NRSR and the coupled societal risk perception?’ Although the question digs to the bottom of human knowledge (technology) and strategy making (politics), we realize the weakness of the question, whose relevance depends upon the structure of the society where it applies, in a similar way as the parallel question ‘what should be done to remove the ghost coming from the Hiroshima use of the nuclear weapon?’
Both questions remain unsolved; possibly they are unsolvable. However, the attempt to address the former provides the motivation and a road map to arrive at recommendations suitable for improving the technology of NRSR.
Furthermore, the title of the paper opens the door to the consideration of innovative reactors, fusion reactors, etc. Here we restrict the scope of our results to existing (large) nuclear reactors. In other terms, reactors designed in the 1950s still provide almost 100% of nuclear electricity generation: the safety of those reactors, including hardware modifications, needs ‘adaptation’ to the latest knowledge and technological progress.
Having in mind key facts associated with the discussion of the former question, we restrict the target of the paper to selected features close to our everyday experience. These are (a) the Large Break Loss of Coolant Accident (LBLOCA), (b) residual risk, and (c) independent assessment, discussed in sections 4 to 6.
Initially, nuclear safety was born together with nuclear engineering and the demonstration of the nuclear fission chain reaction, and became a dominant aspect of reactor design. Considering core damage or melt causing large radioactivity releases, the containment, together with emergency systems, became an unavoidable component of a nuclear power plant, adding significant cost and licensing complexity. The intent was to reduce potential public radiation exposure, which became a massive mantra of requirements, physical modeling, probabilistic reasoning, complex calculations and national and international regulatory guidance.
These wide-ranging and complex procedures within nuclear reactor safety and risk (NRSR) still did not avoid or prevent the unfortunate nuclear, political and financial disasters of Three Mile Island, Chernobyl and Fukushima. Nuclear safety benefitted from technological development and in some cases preceded and imposed that development, USAEC (1990), and the word “risk” became popular after the Rasmussen report,
Severe initiating events, detailed failure sequences, complicated event trees, procedural human actions, and postulated failure probabilities are combined in producing endless regulations and paper safety cases often far removed from the realities of daily operational requirements and the demands of the commercial market place. The nuclear “scene” quickly became overlaid with well-meaning national energy policies, socio-economic industrial strategies, subsidized power market distortions, commercial and investor self-interests, anti-nuclear factions and continued non-proliferation postures that overshadow truly competitive innovation. Via bi-lateral “technical exchange” or cooperation agreements, the struggle for market share intensified between existing or modified large designs or differing “domestic” variants (e.g. in USA, France, Russia, China, South Korea, Japan, Canada and India, primarily) and multiple small reactor concepts appeared (over 50 at the last count) all vying for government funding and political support as cheap natural gas rendered them uncompetitive.
Fear of the “unknown and invisible” leads to the equally false hope of risk elimination, while how to place real risk in its correct context is a vitally important and widespread societal issue. Nuclear radiation risk has a perfect parallel and a key analogy with viral infection risk, especially if we require that any potential exposure to harm, no matter how small, be avoided or minimized at any cost. Simply compare the reactions to societal and personal exposure to unseen viruses and radiation when the personal risk is actually quite low, except for those having pre-existing conditions, co-morbidities or a weak immune system response.
During the recent COVID-19 pandemic, the fear of any small but finite risk of exposure to the virus led the medical profession and political decision makers to require or recommend desperate countermeasures even when the chance of personal harm or adverse consequences was and is extremely low (e.g. imposing stay-in or “lockdown” rules, banning travel and certain societal activities, limiting most gathering sizes, restricting outdoor activities, quarantine and testing requirements, and sometimes symbolic public face-masking). These measures are now known to be largely ineffective against the inevitable spreading of viral mutations and societally embedded global infections, as was also the case in the 1918 flu epidemic. Similarly, the fear of any small but finite exposure to radiation leads the medical profession and political decision makers to require or recommend countermeasures, even when the risk of personal harm or adverse consequences was and is extremely low (e.g. also by imposing evacuations or stay-in rules, banning travel, limiting exposure times and amounts, plus assuming an arbitrarily linear exposure risk and regulations). Despite the precise countermeasures being different, the parallels are startling, and show the impact of societal risk perceptions, beliefs and psychological reactions, due to the key role of the fear of the unknown reflected in reactive governmental and political decision-making implemented via regulatory rules and restrictions.
Such “public safety” examples become unduly restrictive and distort the scientific facts by incorrectly justifying excessive prudence and risk avoidance, with the well-intended but misguided simplification of attaining the nirvana of “zero” or “tolerable” risk. The protocols, agencies or committees provide “evidence based” guidance for decision-makers, allowing public bureaucracies not to be accused of permitting undue or unknown risk exposure, or of not promoting or enforcing all possible or even symbolic remedial risk reduction measures. The resulting fear of the unknown then trumps, indeed emotionally overwhelms, any purely rational response. Typical policies and goals invariably avoid using or explicitly mentioning nuclear power as a major contributor, while knowing that adding several thousand Gigawatt reactors by 2050 would be needed just to help stabilize – not even reduce – future atmospheric emissions and CO2 concentrations,
Therefore, what is wrong with NRSR and the coupled societal risk perception? The key answer is a fact: the production of electricity by nuclear fission is in decline in the countries that originally contributed to its development because of unnecessary fears and unexpected failures – given the availability of alternate fuels like natural gas, and the ability to sub-contract or outsource industrial manufacturing to “cheap labor” sources. This generated a lack of attention by young generations and a consequent crystallization of decisional structures within (NRSR) organizations, literally resulting in the formation of splendid but rigid arrangements, like carbon atoms in a diamond. The interaction with the nuclear industry became both standard and weak, i.e. without the impulse and the strength generating the documents
First, terminology is important; however, fashionable changes in nomenclature and revisionist language are not based upon technical investigation or quantitative research and have the potential to bring confusion rather than innovation. The example here is the substitution of: (a) the half-a-century old acronyms Design Basis Accident and Beyond DBA (BDBA) terminology with the terminology Design Basis Conditions (DBC) and Design Extension Conditions (DEC); (b) as an option for safety analysis, of Best Estimate Plus Uncertainty with ‘realistic’ which is not equivalent; (c) replacing deterministic Hypothetical Core Disruptive Accidents (HCDA) with probabilistic Core Damage Frequency (CDF); and (d) reformulating engineering or expert judgment with fashionable risk-informed decision making (RIDM) schemes as proposed and used in conjunction with PSA/PRA for all existing, advanced or new system safety evaluations supporting licensing decisions,
Second, performance of virtual but not real safety improvement activities happened in the immediate aftermath of the Fukushima accident. Communication media emphatically reported that ‘stress tests’ confirm the safety of reactors against the sequence of failures that occurred as a consequence of the earthquake and the unanticipated flooding. The concerns are as follows:
The third consideration has its origins in the 1960s, when design and construction of reactors materialized without a deep understanding of accident consequences, so systematic planning of research according to needs then filled the knowledge gap. Ironically, once suitable knowledge became available, i.e. nowadays possibly since around the year 2000, the erection of new reactors stopped or slowed down in many countries, except in China, Russia and India with their continued state support and preferential funding for large reactors and improved designs. Furthermore, fashionable topics hitting the attention of policy makers and investors, and the exigency to keep nuclear laboratory staff working, drove the research in NRSR; available budgets or funding sources, rather than needs, then determine the objective for research and the (presumed) innovation targets. But most R&D today is still focused on so-called “advanced” reactor concepts that, like fusion, have basically existed for 50 years and have never successfully penetrated the energy or electricity marketplaces; or on specialized (and expensive) military-type micro-units unsuitable for bulk power systems; or on modules and co-generation options that cannot compete with natural gas without subsidies, guaranteed price contracts, and/or emissions credits. This does not prevent the existence of oases of technical progress, like material science and computational methods, useful for many technologies other than nuclear, but does result in wasting ill-directed resources and entrepreneurial funds where enthusiastic but inexperienced concept promoters vie for government development, FOAK and demonstration support funding.
Fourthly, the dramatic events of Three Mile Island (TMI 1979), Chernobyl (CHE 1986) and Fukushima (FMA 2011) hugely and negatively affected the deployment of fission energy, where reactor failures became an emblem for disaster [here we do not wish to rewrite the history or replace dozens of books and thousands of documents related to each accident]. All were avoidable accidents, but only in hindsight, compounded by human error and insufficient safety margins: inadequate operating and emergency procedures, plus lack of attention to a number of minor precursors having little or no connection with the nuclear process itself (e.g. minor valve leakage, misleading water level indication, insufficient safety test data, flooded emergency power sources, inadequate containment buildings, …). TMI occurred because the operators were not aware of a small leak and then misinterpreted the water content, hence deliberately turning off the ECCS and causing the core to overheat. The CHE situation resembles the case of a driver crashing a bus against a wall: once shut down, restart of the fission reaction in any core is difficult because of Xenon build-up, yet the operators tried to restart. The FMA accident lies in the same picture of a broad natural disaster causing 20000+ deaths, but the reactors had inadequate back-up ECCS and cooling systems, so causing the core(s) to overheat.
The benefits and lessons learned after TMI triggered important research for the improvement of NRSR and nuclear technology, but also led to the demise of designs using once-through steam generators, and the abandonment of nuclear in many parts of Europe. Similarly, CHE started questionable roadmaps for an extended use of passive systems and the complete abandonment of the graphite moderated – channel type – design. FMA led to the intensification of research to understand what should not happen in a highly safety conscious society, but also possibly to the effective abandonment of the BWR pressure-suppression type of containment design, and caused even more expensive BDEE requirements and plant shutdowns.
Like studying the death process of passengers following the failure of an airplane, our fourth consideration is the emotional and policy-driven reactions, rather than rational and technology-driven consequences, that are the follow-up of the TMI, CHE and FMA dramatic events. These largely contributed to the present situation. Safety benefit is even “quantified” by incremental changes to the CDF (a “Delta CDF”), even when far outweighed by the overall dominant uncertainties inherent in human performance, particularly when using current PRA/HRA/HEP methods for modeling unpredictable “human performance”.
Fifthly, consideration is given to two key statements in a recent article [Stakeholder coordination essential for nuclear to innovate, April 6, 2021, Reuters Events, Nuclear]. The first is “From the utilities, innovation must mean improved safety and lower cost while the regulator considers new technology as something that must be categorized and quantified before it’s given the green light amid concerns surrounding the risks of changing a legacy safety system”. The second [attributed to Kemal Pasamehmetoglu, Associate Director at Idaho National Laboratory] asserts “The issue is not that we don’t have ideas. The issue, as we found out, is that getting those ideas to the finish line is difficult in nuclear. It is expensive and quite often people with innovative ideas don’t have access to the facilities to test their ideas”. An obvious note is the difference in societal and technological context compared with the late 1940s and 1960s. Today, both nuclear industry proponents and existing regulators appear to be addressing new non-PWR challenges by introducing generalized “technology neutral” and “risk informed” criteria for so-called “advanced” or non-specific “modular” designs, but without actually demanding or fully funding the complex technology background, prototype demonstrations and experience necessary for new commercial deployments. As a consequence, researchers (with and without innovative ideas) can get funding to continually perpetuate the current technological status; well-meaning (wealthy) entrepreneurs are persuaded to invest in re-packaged but already known/proven developmental and commercial dead ends; while sincere nuclear business and political supporters provide influence, access and high-level contacts but cannot themselves provide new technology. The result is a critical waste of time and resources, avoiding the needed reforms of the embedded fundamental processes.
Sixthly, in principle the modern RIDM concept allows “safety” assessments to nominally encompass uncertainties using some formulation of expert judgment that must be informed by relevant data. The specific Risk Informed Decision Making (RIDM) requirement is ensuring a negligible or “tolerable” probability of core damage for the multitude of possible or potentially different initiating events or hazards forming the finite BDEE collection or set {flood, fire, hurricane, ice storm, typhoon, earthquake, cyber-attack …}. Quantitative evaluation must include the reliability of ‘active’ and ‘passive’ emergency back-up systems to supply or restore power and cooling using applicable and “exchangeable” data for nuclear and non-nuclear systems for a wide range of known catastrophic events. Unfortunately, the risks and uncertainties (both aleatory and epistemic) of core damage caused by prolonged loss of power and cooling may be underestimated in RIDM, today. The governing paradigm used by nuclear plant regulators for quantifying or assessing risk consequence up to now is standard PRA/PSA methods (also promulgated as ASME and ANS “standards”) using multiple event trees and Boolean logic sequences, and are deemed “complementary to deterministic analyses”,
In general, the existing RIDM paradigm develops hypothetical F-C risk-informed boundaries or “performance based” activity release “targets”. The implication of any such “limit” or region (whether risk-informed or not), is small, or incremental changes in postulated annual frequency, ΔF, with a large consequence, C, have equivalent relative acceptable incremental safety improvement, risk significance, or decisional “value” as small consequences, ΔC, with large frequency, F. The NEI proposed an allowable “risk significant” annual frequency-consequence evaluation “target” using regulatory public dose exposure limits measured in rem exposure,
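The frequency-consequence (F-C) evaluation described above is easiest to understand as a computation: an event sequence is a point (F, C), the target is a curve of allowable consequence versus annual frequency, and risk significance is the question of whether the point lies above that curve. The following is an added example, not code from the paper or from any regulator; the target anchor points are constructed for illustration and are not the NEI or NRC values, and the functions `allowable_consequence`, `risk_significant` and `delta_risk` are hypothetical names chosen here. The last function shows the equivalence the paper points out: an increment ΔF at large C and an increment ΔC at large F change the risk product F·C by the same amount.

```python
import math
from bisect import bisect_right

# Constructed F-C target curve: (annual frequency, allowable consequence in rem).
# Ascending in frequency; allowable dose falls as the frequency rises.
# Illustrative values only, NOT a regulatory target.
FC_TARGET = [
    (1e-6, 5000.0),
    (1e-5, 1000.0),
    (1e-4, 250.0),
    (1e-3, 25.0),
    (1e-2, 1.0),
]


def allowable_consequence(freq):
    """Allowable consequence at a given annual frequency, interpolating the target
    curve linearly in log-log space (the usual way F-C curves are drawn).
    Frequencies outside the curve are clamped to the nearest anchor point."""
    freqs = [f for f, _ in FC_TARGET]
    if freq <= freqs[0]:
        return FC_TARGET[0][1]
    if freq >= freqs[-1]:
        return FC_TARGET[-1][1]
    i = bisect_right(freqs, freq)           # right-hand anchor index
    (f0, c0), (f1, c1) = FC_TARGET[i - 1], FC_TARGET[i]
    t = (math.log10(freq) - math.log10(f0)) / (math.log10(f1) - math.log10(f0))
    return 10 ** (math.log10(c0) + t * (math.log10(c1) - math.log10(c0)))


def risk_significant(freq, cons):
    """True when the (F, C) point lies above the target curve."""
    return cons > allowable_consequence(freq)


def delta_risk(freq, cons, d_freq=0.0, d_cons=0.0):
    """Change in the risk product F*C produced by increments dF and dC.
    To first order this is dF*C + F*dC, so a small dF at large C and a small dC
    at large F are weighted equally, which is the paper's point about
    equivalent 'decisional value'."""
    return (freq + d_freq) * (cons + d_cons) - freq * cons


def screen_sequences(sequences):
    """Screen a list of (name, F, C) sequences against the target; returns the
    names of the risk-significant ones."""
    return [name for name, f, c in sequences if risk_significant(f, c)]


if __name__ == "__main__":
    # Constructed sample sequences: (name, annual frequency, consequence in rem).
    sample = [
        ("small-break LOCA, ECCS success", 1e-3, 10.0),
        ("station blackout, prolonged", 1e-5, 2000.0),
        ("external flood, core damage", 3e-5, 400.0),
    ]
    for name, f, c in sample:
        print(f"{name}: allowable {allowable_consequence(f):.0f} rem, "
              f"significant={risk_significant(f, c)}")
    print("dF at large C:", delta_risk(1e-5, 1000.0, d_freq=1e-6))
    print("dC at large F:", delta_risk(1e-2, 1.0, d_cons=0.1))
```

The log-log interpolation matters in practice: linear interpolation between anchors a decade apart would put the allowable dose at 3e-5 per year far lower than the curve intends and would flag sequences that actually sit below it.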
A comprehensive picture of Nuclear Reactor Safety and Risk needs whole textbooks or even an encyclopedia. A related figure of merit for the size of information at the basis of NRSR derives from considering the Code of Federal Regulations (CFR) in the US and the IAEA in Vienna. Hundreds of CFR and IAEA documents form what is nowadays NRSR: these include thousands of (properly cited) reports and publications. We limit ourselves to comment using snapshot concepts from those documents without introducing rigorous definitions or demonstrating interconnections existing within the NRSR structure. To this aim, we distinguish principles (and concepts), expected achievements and available tools and procedures.
As presently constituted, the NRSR basis can be synthesized as a set of overlapping but complementary principles that provide a complete whole but are themselves interleaved as shown in Fig.
ALARA is an operational goal and a foundational principle. As Low As Reasonably Achievable (ALARA) is the translation and use of the good engineering practice driving human civilization, and is equivalent to ‘the best one can do’. Cost-benefit studies, Best Estimate Plus Uncertainty (BEPU) approach and Integrated Risk Informed Decision Making (IRIDM) strategy are examples of technology driven or oriented by ALARA.
LNT is an unobtainable aspiration. The Linear No Threshold (LNT) is the principle issued by the International Commission on Radiological Protection (ICRP) effectively stating that even very low radiation exposure is harmful. Even though not necessarily mentioned, this principle has the potential to enforce or to stand behind any acceptance threshold within the framework of NRSR. In effect, LNT is the competitor and the alternative of ALARA, where the emissions equivalent would be ‘even a microgram of CO2 damages the environment’ for the automotive industry, or ‘any one gram of methane affects climate change’ for livestock raising. Radiation hormesis and non-linear effects need proper consideration.
The Safety Goal is a design target. The Safety Goal (SG) is the practical bridge between ALARA and LNT, although it does not mention any of those, e.g. IAEA formulation in
Fail-to-Safe is the desirable end state. The target behind the Fail-to-Safe (FS) principle-concept is ensuring that failure of any structure and/or component adopted for safety purposes shall not aggravate the evolution, complexity and consequences of any accident. In the past, the relatively small number of components made checking the compliance of any nuclear reactor unit against this principle easier. Nowadays, the targets of minimizing planned and unplanned outages, refining operating margins and improving the overall efficiency and performance of the system led to an increase in the sophistication and number of Instrumentation and Control (I&C) components. These unavoidably interact with each other, create a huge number of paths for failure and make the demonstration of compliance with the principle difficult, as in the recent crash of the Boeing 737-Max,
Defense-in-Depth (DiD) is simply a recognition that mistakes and accidents do occur. DiD is the correct way to establish a conceptual and dynamic distance between harmful radiations and the environment, being the interface between Safety Requirements and design-construction features of reactors (the terminology derives from the military field where the objective is to protect the defense force). Prevention and mitigation are part of DiD, where traditionally, multiple levels are distinguished, both physically and probabilistically. A correct application of DiD shows, among other things, the positive safety impact of utilizing diversity and redundancy, defense against common mode failures, and the usefulness of only adding a limited array of specific “engineered” systems because of the dominant contribution of human performance and reliability to real outcomes and accidents. The term DiD is sometimes used improperly in literature, specifically when perspective research activities are concerned with innovative fission and fusion reactors.
Safety Functions (SF), Safety Barriers (SB) and Safety Margins (SM) are concepts to minimize the potential dangers from inadequacies in design or operation. NRSR makes wide use of the SF, SB and SM concepts, leading to the design of, among other things, Emergency Core Cooling Systems (ECCS), the wider category of Engineered Safety Features (ESF), and the need for a containment building. Related to SF and SB, SM constitute a deeper feature of NRSR: SM are the target of analyses; performing analyses needs suitable computational tools, design details of the system (including SF and SB) and acceptance limits (set by regulators). Containment deserves two comments: a) venting is a proper design feature, though competing with LNT, or better, limited by LNT; b) additional use of containment strength appears necessary, e.g. as discussed in section 3.
Independent Assessment (IA) is a means to ensure rigorous review of all these prior elements and claims. IA implies the capability to perform analysis by regulators independent of industry, going ahead particularly as embodied in “concept-neutral” and “performance based”, e.g.
The Liability and Responsibilities of the Owner/Operator is a fundamental risk tenet related to the overall risk and managerial structure. The liability, i.e. the legal responsibility arising from the possession and safe operation of an asset, must fall on the owner and is a well-understood principle, e.g. commonly applied to vehicles even if the Owner is not the Operator. This is valid notwithstanding the presence of a regulator that, among other things, has the responsibility to set proper rules to make the risk from the asset societally acceptable. The financial investment and anticipated income from the operation of any large nuclear reactor are of the order of 10 Billion USD; however, a nuclear disaster may cause damage and related costs of the order of a Trillion USD. No private (owning) industry can survive the market and social consequences when a massive amount of radiation diffuses into the environment following an accident, as only normal decommissioning funds are set aside and Nuclear Liability Laws do not cover investor risk exposure. Therefore, in nuclear technology, as in other fully licensed cases like inadvertent oil and chemical spills, assigning blame, responsibility and penalties ends up in court, so the limited financial liability-of-the-owner principle needs a change, discussed further in section 5.
How can extreme event prior data and non-nuclear specific information be used in a ‘concept neutral’ regulatory and safety system design process? There is well established risk informed guidance already available: ‘…it is very certain that, when it is not in our power to determine what is true, we ought to act according to what is most probable’, Rene Descartes, 1596–1650.
The problems we now face are how to make prior rare and other “failure” knowledge useful and applicable for predicting - and indeed anticipating - the quantitative probability of future events, with the intent to reinforce and validate the extensive “paper” bottom-up PRA/PSA calculations and submissions, so we can quantify, accept and believe the predictive uncertainties and reduce intolerable financial risks. What do we expect from the implementation and consideration of NRSR principles and requirements? The not-in-depth answer is as follows:
Public trust as well as costs, being different in different regions of the world, contribute to determining and defining the current situation for nuclear technology.
The survey of NRSR is incomplete without mentioning the way to implement and check from principles (section 3.1) to achievements (section 3.2), which occurs within the licensing process of individual nuclear units and implies interaction between industry and regulators. Tools, procedures and related applications within Deterministic Safety Analysis (DSA) and Probabilistic Safety Analysis (PSA) provide the desirable interconnection between principles and achievements. The key aspect is the qualification of those tools and procedures, as well as of the application modalities.
Furthermore, very low probability accidents with large consequences occur in any technology and industry (space, military, chemical, oil, transport, etc.) particularly at the dawn of development; these are unavoidable and are inherently part of the process to progress in civilization.
Detailed discussions of those topics are beyond the scope for the present paper and provided elsewhere, e.g.
These two ‘types’ of initiating events overlap, but are treated independently and artificially separated as being deterministic (top down for LOCA) or probabilistic (bottom up for BDEE) in origin, for historical reasons. Thus, in formal NRC and licensing FSARs the LOCA and BDEE occupy different Chapters, 15 and 19 respectively. In response to any initiating event, the fundamental concern is the non-restoration of power and the loss of capability to cool the reactor core, while considering the reliability of ‘active’ and ‘passive’ emergency back-up systems using applicable data for nuclear and non-nuclear systems (or the accident management field, not further discussed in this paper). The ESF, ECCS and EPS (Electrical Power Supply) are all designed to minimize the consequences. Any reactor design or concept must be robust and survive a Loss of Coolant Accident (LOCA) or BDEE, which constitute both an old issue and a new challenge for NRSR, e.g.
Choice of coolant-moderator → Temperature and cycle to achieve acceptable thermal efficiency → Design pressure or temperature → Need for retaining pressure or coolant boundary → Probability of Initiating event(s) → Possibility that pressure boundary is broken → LOCA and/or possible loss of cooling → Probability of core damage, P(CD) → Probability or frequency of external activity release
In addition to LOCA role in design of Pressurized and Boiling Water Reactors (PWR and BWR), the ‘old-issue’ feature derives from skepticism about results of analyses, whether deterministic, best-estimate and/or probabilistic. The ‘new-challenge’ features derive from:
For LOCA, the debate in progress within the international community, as well as the delay in updating the rules, aims to prevent a reduction in the nominal reactor power and a decrease of burn-up and of the residence time of fuel in the core. Possible ways out are (assuming that a ‘new’ ECCS takes into account RG 1.224-draft):
RIDM progress is compounded by the emergence of new rules and methods that are claimed to be based on PSA and “allowable” or “tolerable” risks of core damage and activity release targets,
The statement of belief using this logic is that prior core damage events, like FMA and TMI, can only provide guidance for “risk informed” posterior judgments because: “It is the qualitative insights from operational experience that are useful in regulatory decision making, not the frequencies of core damage and release derived from this experience”,
There are at least two more definitions and many implications of something being “exchangeable”, beyond the implied common grammatical usage of substituting some item for another of “equivalent value”. Mathematically and statistically, “exchangeable” is defined for probabilistic sequences by: “… the probability is invariant under any permutation of (distribution values) xi”,
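The statistical definition quoted above can be checked directly: a sequence model is exchangeable when the probability it assigns to a sequence of observations is unchanged by any permutation of that sequence. The block below is an added example, not code from the paper; `polya_sequence_prob` implements the Beta-Binomial (Pólya urn) model, which is exchangeable by de Finetti's theorem, while `markov_sequence_prob` implements a two-state Markov chain with persistence, which is not. The sequences and the prior parameters `a`, `b` are constructed here for illustration. The closing function shows why exchangeability is what licenses pooling prior data: under an exchangeable model only the counts of successes and failures matter, not the order or source in which they were recorded.

```python
import itertools


def polya_sequence_prob(seq, a=1.0, b=1.0):
    """Probability of a 0/1 sequence under the Beta-Binomial (Pólya urn) model
    with Beta(a, b) prior on the success rate. Each factor depends only on
    the counts seen so far, so the product is the same for any ordering."""
    ones = zeros = 0
    p = 1.0
    for i, x in enumerate(seq):
        if x == 1:
            p *= (a + ones) / (a + b + i)
            ones += 1
        else:
            p *= (b + zeros) / (a + b + i)
            zeros += 1
    return p


def markov_sequence_prob(seq, p0=0.5, stay=0.9):
    """Probability of a 0/1 sequence under a two-state Markov chain: the first
    symbol is Bernoulli(p0); afterwards the chain repeats the previous symbol
    with probability `stay`. Runs of equal symbols are favoured, so the
    probability depends on the order of the symbols."""
    p = p0 if seq[0] == 1 else 1.0 - p0
    for prev, cur in zip(seq, seq[1:]):
        p *= stay if cur == prev else 1.0 - stay
    return p


def is_exchangeable(prob_fn, seq, tol=1e-12):
    """Test the quoted definition on one sequence: the probability must be
    invariant under every distinct permutation of the observations."""
    base = prob_fn(seq)
    return all(abs(prob_fn(perm) - base) <= tol
               for perm in set(itertools.permutations(seq)))


def posterior_event_probability(n_events, n_trials, a=1.0, b=1.0):
    """Predictive probability of an event on the next trial after observing
    n_events in n_trials under the same exchangeable model. Because the
    model is exchangeable, pooled data from different sources enter only
    through these counts."""
    return (a + n_events) / (a + b + n_trials)


if __name__ == "__main__":
    # Constructed observation sequence: 1 = event observed, 0 = not observed.
    seq = (1, 1, 0, 0)
    print("Polya exchangeable:", is_exchangeable(polya_sequence_prob, seq))
    print("Markov exchangeable:", is_exchangeable(markov_sequence_prob, seq))
    print("predictive P(event) after 2 in 100:",
          posterior_event_probability(2, 100))
```

The Markov case is the cautionary one: if successive failures are correlated in time, as with an unrepaired latent fault, the observations are not exchangeable and pooling them as if they were understates the uncertainty in the resulting frequency.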
Strategies depicted or needed may contradict pillar analyses (not principles) in reactor design and NRSR applications,
For reducing the explosive threat from hydrogen production associated with core damage from Zircaloy-water and/or graphite-water reactions, important progress has been made in designing ATF; related research is ongoing as a valid response by industry and national R&D programs to the issues raised in RG 1.224-draft and RG 1.200-draft. However, demonstration that the selected ATF may withstand corrosion-erosion damage mechanisms (e.g. those identified in
Our proposal (item iv above) starts from noting that LOCA and BDEE should be part of the design and safety of all reactors,
The characterization of residual risk may benefit from the following paradigm discussion, which also constitutes the background for the ESF RIDM rule,
In interpreting the probability of a catastrophic event, in general we do not know precisely when and whether the event happens; the probability of occurrence is independent of the system and can be infinitesimally small, so we have no exact predictive capability. The terms ‘rare event’ or ‘black swan’ are conventionally adopted to characterize this situation,
Thus, the similarities between apparently dissimilar catastrophic events, both having an invisible and spreading potential for harm, are: a) the basic unpredictability of the event occurrence as to time, place and extent; b) the occurrence of the event whatever effective countermeasures are taken at the design and personal levels to reduce its probability. The last statement holds even in the case of a perfect human-system design: in the case of an NPP, NRSR principles are applied to the best of current knowledge, and in the case of the COVID virus, preventive health measures and principles are likewise applied to the best of current knowledge. Under these circumstances, we can introduce a quantum-mechanics type of principle: the event is independent of the system (i.e. only connected with its existence) and is not a function of its complexity, but only of the probability of actually being observed (as in the case of Schrödinger’s cat).
Therefore, human civilization must simultaneously accept residual risk and attempt to identify and quantify what is acceptable risk, which here is associated with the ‘ultimate’ probability. In the parallel cases of NPP core damage and pandemic viral infection risks: 1) adding safety barriers and countermeasures does not prevent the existence of their failures; 2) non-perfect or sub-optimized systems cause a higher probability of occurrence of the catastrophic event; 3) adding complexity (layered defenses and/or countermeasures) makes achieving a perfect system more difficult. In other words, increasing the complexity of any system or sub-system may reduce the possibility of damage by an assigned event, but unavoidably increases the number of possible events that lead to the same damage.
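The trade-off stated in the paragraph above (each added layer lowers the damage frequency from the assigned event but brings its own failure pathways) can be made concrete with a small reliability calculation. The following is an added toy model, not the paper's own method or data: it assumes independent barriers with a common failure-on-demand probability, a single assigned initiating event, and a fixed number of new damage pathways per barrier; all numerical values are constructed for illustration.

```python
"""Toy defense-in-depth trade-off (constructed illustration, not the paper's model).

Each barrier added against an assigned initiating event multiplies the damage
frequency from that event by the barrier's failure-on-demand probability, but
every barrier also introduces failure pathways of its own that lead to the same
damage. The sum of the two contributions has a minimum: beyond that number of
layers, extra complexity raises the total damage frequency.
All parameter values are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LayeredDesign:
    f0: float      # annual frequency of the assigned initiating event (1/yr), hypothetical
    q: float       # failure-on-demand probability of each barrier (independent barriers)
    f_add: float   # annual frequency of each new pathway a barrier introduces (1/yr)
    k: int = 1     # number of new damage pathways introduced per barrier

    def from_assigned_event(self, n: int) -> float:
        """Damage frequency from the assigned event when all n barriers must fail."""
        return self.f0 * self.q ** n

    def from_added_pathways(self, n: int) -> float:
        """Damage frequency contributed by the failure modes of the n barriers themselves."""
        return n * self.k * self.f_add

    def total(self, n: int) -> float:
        """Total damage frequency with n barriers (1/yr)."""
        return self.from_assigned_event(n) + self.from_added_pathways(n)


def damage_curve(design: LayeredDesign, max_n: int) -> list:
    """(n, total damage frequency) for 0..max_n barriers."""
    return [(n, design.total(n)) for n in range(max_n + 1)]


def optimal_barriers(design: LayeredDesign, max_n: int = 20) -> tuple:
    """Number of barriers that minimises the total damage frequency, and that minimum."""
    best_n = min(range(max_n + 1), key=design.total)
    return best_n, design.total(best_n)


def floor_respected(design: LayeredDesign, p_u: float, max_n: int = 20) -> bool:
    """True if even the best achievable design stays at or above a floor p_u
    (the paper's ultimate probability P_U; the value passed in is a constructed one)."""
    _, best = optimal_barriers(design, max_n)
    return best >= p_u


if __name__ == "__main__":
    # Constructed values: 1e-2/yr initiator, 10% failure on demand per barrier,
    # 1e-6/yr of new damage pathway per barrier added.
    design = LayeredDesign(f0=1e-2, q=0.1, f_add=1e-6)
    for n, f in damage_curve(design, 8):
        print(f"{n} barriers: {f:.2e} /yr")
    n_opt, f_opt = optimal_barriers(design)
    print(f"minimum {f_opt:.2e} /yr at {n_opt} barriers")
```

With these constructed values the total falls from 1e-2/yr with no barrier to a minimum of 5e-6/yr at four barriers, after which every further layer adds more new-pathway frequency than it removes from the assigned event; with `f_add = 0` the trade-off disappears and more barriers are always better, which is the idealised picture the paragraph argues against.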
We can now define an ultimate probability, connected with the nature of the system but independent of the specific system under consideration, such that it is meaningless to attempt any design having a lower failure probability. For the virus and the NPP, the ultimate probabilities are the probabilities of the events ‘killing of a person by an immune-system attacker’ and ‘catastrophic event causing destruction of the NPP site’, respectively. Therefore, we define:
Then, we summarize the paradigm-discussion as the following inequalities and equivalences:
$p_{CE-B} > p_{CE}$ (1)
≈ (2)
$P_U \lesssim p_{CE}$ (3)
$P_U \equiv f_U$ (4)
$P_{LOCA/BDEE} \gg p_{CE}$ (5)
Here one may note that adding sophisticated controls may lead to an increase in the $p_{CE}$ value (i.e. it becomes $p_{CE-B}$), as expressed by equation (1). Equation (2) symbolically reflects the Schrödinger's cat observational existence condition, while equation (4) is a prerogative of regulators.
For new “non-LWRs”, the NEI proposed an allowable “risk significant” annual Frequency-Consequence, F-C, evaluation “target” using regulatory public dose exposure limits measured in rem,
Implementation of safety rules is the prerogative of regulators only, who are not formally concerned with financial losses and risks. Therefore, we submit the proposal below, with the support of the diagram in Fig.
We qualitatively report selected parameters on the vertical axis versus decreasing values of the probability of accidents. Corresponding to nominal (or normal) operation, one may infer the LOCA occurrence and the ultimate probability, i.e. the RIDM limit, or $P_U$. Nominal operation is the ‘probability’ event during the operating life of any reactor. The reactor-dependent LBLOCA probability of occurrence, possibly extended to the entire spectrum of DBAs, constitutes the intermediate value. What is currently reported as severe accident (SA) or BDEE probability might evolve towards Large Releases (LR) of radioactivity to the environment (i.e. the sum of the probabilities of occurrence of all SA-LR events) and constitutes the smallest value, on the right of the horizontal axis.
The expected containment response and the ECCS rule originated by
Containment protects the environment should an accident occur having a probability lower than $P_U$. However, the amount of radiation in the containment is substantially different for accidents having probabilities larger or smaller than $P_{LOCA/BDEE}$ (because of unavoidable containment leakages, one may also expect different releases to the environment). Containment bypass, or the LR condition, constitutes the residual risk. A graded approach characterizes the current ECCS rule: acceptability thresholds are more stringent for the most probable events. The proposed ESF RIDM rule keeps the same ECCS rule,
Rough definitions unavoidably characterize the parameters in Fig.
Connected with the ESF RIDM rule, regulators could allow a reduction of the liability of the NPP owner for accidents having probability lower than $P_U$. The NPP owner could contribute up to a maximum amount for damages in such conditions.
The overall regulatory structure of NRSR risks (ironically) collapses owing to inadequate fulfillment of the Independent Assessment (IA) principle. During the 1950s, when the bases for the design of existing reactors were being laid, an intimate connection existed between the staff of industry and regulator: hence, IA was possible. Nowadays, the sophistication of designs and proprietary data make IA (almost) impossible, as stated in section 2. Here we extend IA into the broader RIDM uncertainty quantification domains, rather than restricting the concept to the limited reviews defined and used elsewhere for PRA, NEI (2019), or to the formalized use of expert elicitation proposed for assessing seismic occurrence risk,
Current DSA and PSA performed outside of the industry appear likely to be based on virtual and generic analyses that do not fully reflect the actual reactor construction and operational realities. At least two solutions are possible.
Niels Bohr already proposed in 1950 in his letter to United Nations,
A second possible solution was proposed by
In pursuing the analysis, we also uncovered a number of aspects which constitute a corollary and a complement to the major conclusions below; these are reported hereafter in no particular order of importance:
Nuclear fission technology deployment is on the brink of extinction in some of the countries that contributed most to its early development. Reactor safety is also at a decisive crossroads, where adherence to traditional paradigms for risk assessment, a definitive loss of competence among younger generations, excessive economic investment and market risk, and a lack of public trust may all occur.
These summary statements justify the ideas in the present paper as a means to help unify and update the historical basis for safety design and regulations, and therefore we expect opposition to their acceptance and implementation. The timely parallel between the personal and societal fear of the probability of exposure to invisible viral infection and to radiation helps to illustrate the key issues of public risk perception, i.e. the need for effective countermeasures, as well as quantifying and communicating uncertainties while minimizing the financial and societal risks.
We bring together the aspects of probabilistic and deterministic safety methods, attempting to unify within one framework the rigid rules and historical paradigms of LOCA and PRA for analyzing the onset of core damage due to DBE/BDEE of all types. We propose three sets of conclusions, respectively related to comments on Nuclear Reactor Safety and Risk (NRSR), the proposal of the Engineered Safety Features Risk Informed Decision Making (ESF RIDM) rule as a substitute for the Emergency Core Cooling (ECCS) and Probabilistic Risk Assessment (PRA) rules, and a way forward to deal with Independent Assessment (IA).
The As Low As Reasonably Achievable (ALARA) principle and the Best Estimate Plus Uncertainty (BEPU) approach need proper and definitive acceptance by the major players in the technology and licensing for all reactor concepts and designs. ALARA, rather than the Linear No Threshold (LNT) hypothesis, should be at the origin of safety objectives and the consequent safety requirements. The concept of beyond design extreme events (BDEE) should play a role in decision-making; for instance, the risk exposure and liability of industry-owner-investors for the consequences of a core damage accident, even without a large radiation release, is not economically sustainable. It also discourages investment in new concepts and innovative design evolutions.
Invoking a quantum-mechanics analogy to the principle of observational existence shows that even a “perfectly designed” system has a probability of disruptive failure and/or core damage, as there is never zero risk. Correspondingly, an ultimate probability value, $P_U$, has been introduced: design quality shall be consistent with $P_U$, which is associated with the expected frequency of a rare event. One hypothesis is that $P_U$ is the probability or frequency of the fall of a powerful meteorite on the reactor site. The current ECCS rule became obsolete following the discovery of nuclear fuel failure mechanisms should a Loss of Coolant Accident (LOCA) occur; therefore, we proposed a new ESF RIDM rule, where the containment is a robust barrier against radiation releases. Proper LOCA and BDEE considerations in safety demonstrations are the key elements of the ESF RIDM rule, under which all events with probability higher than $P_U$ cause doses to the public and to the environment below current artificial health limits.
We note that ‘virtual’ safety analyses are part of both Deterministic Safety Assessment (DSA) and Probabilistic Safety Assessment (PSA), because industry proprietary data are not available (the safety is in the details). Therefore, we propose a deep change in the application of the IA principle, where groups of respected and concerned scientists and engineers shall perform open IA work to properly support regulators and to improve industry-owner designs. Rather than just providing informative “guidance” or “review report” messages to regulatory bodies, we consider open IA applicability to be the key obstacle to a suitable risk reduction and to regaining public trust in nuclear energy.