Technologies are normally developed by entrepreneurs whose primary goal is making money. If the technology is successful, the entrepreneurs prosper as a new industry develops and thrives. In the process, the environmental impacts of this new technology are the least of their concerns. Only after the public revolts against the pollution inflicted upon it does the issue of the environment come into the picture. At that point an adversarial relationship may develop, with the government serving to protect the public at the expense of the industry. Coal-burning technologies have been an excellent example of this development process.

With nuclear energy, everything was to be entirely different. It was conceived and brought into being by the world's greatest scientists. They banded together to obtain government support; the highly publicized letter from Albert Einstein to President Roosevelt in 1941 was a key element in that process. Their motivation was entirely idealistic. None of them thought about making money, and there was no mechanism for them to do so. Their first objective was to save the world from the hideous Hitler, and after World War II it was to protect freedom and democracy through military strength. But from the beginning of the project in the early 1940s, the scientists always felt strongly that this new technology, developed at government expense, would provide great benefits to mankind.

Distinguished scientists like Henry Smythe and Glenn Seaborg held high positions of power all the way up until the early 1970s, and through them many of the greatest and most idealistic scientists, like Enrico Fermi, Eugene Wigner, and Hans Bethe, exerted great influence on the course of events. Directly or indirectly, hundreds of scientists were involved in guiding our national nuclear energy program. They set up national laboratories of unprecedented size in the New York (Brookhaven), Chicago (Argonne), and San Francisco (Berkeley, Livermore) areas and at the wartime development sites in Oak Ridge, Tennessee and Los Alamos, New Mexico. They arranged for an unprecedented level of financial support for research in universities where most of the scientists were based. Their objectives went far beyond development of nuclear technology, and included seeking a thorough understanding of the environmental effects. Their approach ran the gamut from the most basic research to the most practical applications.

The government's side of this enterprise was run by the Atomic Energy Commission (AEC). The AEC was set up at the behest of scientists to remove nuclear energy development from military control. Prominent scientists served as commissioners, often as chairmen. Its General Advisory Committee, made up of some of the nation's most distinguished scientists, exerted very strong influence. The AEC was monitored by the Congressional Joint Committee on Atomic Energy, which included some of the most powerful senators and representatives. A spirit of close cooperation reigned throughout. The goal of all was to provide humankind with the blessings of nuclear energy as expeditiously as possible.

There was a general understanding among all concerned that the scientists had paid their dues — they had given the government's military nuclear weapons, nuclear submarines, and a host of other goodies — and that their new technology was to serve humanity under the guidance of this research enterprise. Government also recognized that this enterprise, in the long run, would serve the public interest, and continues to support it to this day. A recent well-publicized element of that program is the multibillion dollar superconducting supercollider accelerator to be constructed in Texas to study the fundamental nature of matter, with no practical applications in sight.

Use of nuclear energy to generate electricity was a very important part of this research and development program. In order to promote it, the AEC brought in commercial interests beginning in the mid 1950s, but it kept the national laboratories deeply involved. One of the highest priority activities it assigned to them was investigation of the environmental impacts of nuclear power. For the first time in history, environmental impacts were thoroughly investigated before an industry started.

An important part of this effort was to try to "dream up" anything and everything that can possibly go wrong in a nuclear power plant, and investigate the consequences. This was a useful process in deciding on what safety systems to include. But if enough thought and "dreaming up" is devoted to any system, one can always devise a chain of events that can defeat all safety systems and do harm to the workers or the public. Though this is true for every technology, no other technology has ever been subjected to this degree of scrutiny.

These efforts to evaluate the risks of nuclear power plant accidents have been a valuable and successful scientific and engineering undertaking. Researchers broke new ground in the science of risk analysis (their developments are now being applied in other technologies). Results of this research have suggested new areas for investigation of nuclear reactor safety questions, and looking into these areas has been productive. This wide-ranging research program developed a variety of accident scenarios, calculated their consequences, and estimated their probability for occurring.

However, while these efforts were highly laudable, their effects proved to be disastrous. The public did not understand these risk analyses. Its attention became entirely focused on excerpts stating that nuclear accidents can kill tens of thousands of people. They never seemed to notice that these reports estimated that such an accident can be expected only once in 10 million years. The public doesn't understand probabilities anyhow. Most people recognize little difference between a risk with a probability of once in 10 thousand years and once in 10 million years. The common impression was that a reactor meltdown accident killing tens of thousands of people would occur every few years.

In 1978, a movie called "The China Syndrome," based on this sort of thinking and starring some of Hollywood's top performers, gained widespread popularity. When the Three Mile Island accident followed in 1979, it became the news media story of the decade, complete with days of suspense during which the public was led to believe that a horrible disaster could occur at any moment. This combination of events led to very serious problems for the nuclear power industry.

As a result of these developments, the word meltdown has become a household word. We will use it here, although it is no longer used by risk analysis scientists. In the mind of the public, it refers to an accident in which all of the fuel becomes so hot that it forms a molten mass which melts its way through the reactor vessel. Let's use the word in that sense. The media frequently referred to it as "the ultimate disaster," evoking images of stacks of dead bodies amid a devastated landscape, much like the aftermath of a nuclear bomb attack.

On the other hand, the authors of the two principal reports on the Three Mile Island accident1, 2 agree that even if there had been a complete meltdown in that reactor, there very probably would have been essentially no harm to human health and no environmental damage. I know of no technical reports that have claimed otherwise. Moreover, all scientific studies agree that in the great majority of meltdown accidents there would be no detectable effects on human health, immediately or in later years. According to the government estimate, a meltdown would have to occur every week or so somewhere in the United States before nuclear power would be as dangerous as coal burning.

Even the Chernobyl accident, which was worse in many ways than any meltdown that can be envisioned for an American reactor, caused no injuries outside the plant. That is not to say that it is impossible to have fatalities caused by a meltdown, but it is estimated that in no more than 1 in 100 meltdowns could any be obviously related to the accident.

Was the Three Mile Island Accident a Near Miss to Disaster?

One of the principal reasons for the discrepancy between the public's impressions and the technical analyses is that nuclear reactors are sealed inside a very powerfully built structure called the "containment." Under ordinary circumstances the containment would prevent the escape of radioactivity even if the reactor fuel were to melt completely and escape from the reactor vessel. A typical containment3,4,5 is constructed of 3-foot-thick concrete walls heavily reinforced by thick steel rods (see Fig. 1) welded into a tight net around which the concrete is poured. In fact, there is so much steel reinforcing that special techniques had to be developed to get the concrete to become distributed around it as it is poured. In addition, the inside of the containment is lined with thick steel plate welded to form a tight chamber which can withstand very high internal pressure, as high as 10 times normal atmospheric pressure.

Fig. 1 — Construction worker on the steel-rod-reinforced containment structure of a Westinghouse reactor. Note the thickness and density of the reinforcing rods.

The containment provides a broad range of protection for the reactor against external forces, such as a tornado hurling an automobile, a tree, or a house against it, an airplane flying into it, or a large charge of chemical explosive detonated against it. In a meltdown accident, however, the function of the containment is to hold the radioactive material inside. Actually, it need only do this for several hours, because there are systems inside the containment for removing the radioactivity from the atmosphere. One type blows the air through filters in an operation similar in principle to that of household vacuum cleaners. In another, water sprinklers remove the dust from the air. There are charcoal filter beds or chemical sprays for removing certain types of airborne radioactivity. Most radioactive materials, however, would simply get stuck to the walls of the building and the equipment inside, and thereby be removed from the air. Thus, if the containment holds even for several hours, the health consequences of a meltdown would be greatly mitigated. In the Three Mile Island accident, there was no threat to the containment. The investigations have therefore concluded that even if there had been a complete meltdown and the molten fuel had escaped from the reactor, the containment would very probably have prevented the escape of any large amount of radioactivity.1,2 In other words, even if the Three Mile Island accident was a "near miss" to a complete meltdown (a highly debatable point), it was definitely not a near miss to a health disaster.

The Chernobyl reactor did not have a containment anything like those used in U.S. reactors. Analyses have shown that if it had used one, virtually no radioactivity would have escaped, there would have been no threat to human health, and the world would probably never have heard about it.

Roads to Meltdown

Fig. 2 — Cutaway view of a Westinghouse pressurized water reactor.

In order to understand the meltdown accident, we must go back to its origins. A nuclear power reactor is basically just a water heater, evolving heat from fission processes in the fuel. This heats the water surrounding the fuel (see Fig. 2), and the hot water is used to produce steam. The steam is then employed as in coal- or oil-fired power plants to drive a turbine which turns a generator (sometimes called a "dynamo") which produces electric power (see Fig. 3). There are two different types of reactors in widespread use in the United States, pressurized water reactors (PWRs)4 and boiling water reactors (BWRs)5. In the PWR, the heated water is pumped out of the reactor to separate units called "steam generators," where the heat in this water is used to produce steam. In the BWR, the steam is produced directly in the reactor so there is no need for a steam generator.

There are features of the nuclear water heater that differentiate it from water heaters in our basements or the coal- or oil-fired boilers that produce steam for various purposes in industrial plants. First, the waste products from the burning do not go up a chimney or settle to the bottom as an ash, but rather are retained inside the fuel. Nuclear fuel does not crumble into ashes or get converted into a gas when burned, as do coal and oil fuels. Second, these waste products are radioactive, which means that they emit radiation. Third, because of their radioactivity, these wastes continue to heat the fuel even after the reactor is shut down6; it is therefore necessary to continue to provide some water to carry this heat away.

If, for some reason, no water is available to remove this heat (called a loss-of-coolant accident, LOCA), the fuel will heat up and eventually melt.7 Fuel melting releases the radioactivity sealed inside. Some of this radioactivity would come off as airborne dust that has a potential for damaging public health if it is released into the environment. If there is some water in the reactor but not enough, the situation may be even worse, because steam reacts chemically with the fuel-casing material (an alloy of zirconium) at high temperature (2,700°F), releasing hydrogen, a flammable and potentially explosive gas, and providing additional heat, thereby accelerating the fuel-melting process.

In the Three Mile Island accident,8 the LOCA occurred as a result of a valve failing to close, while the operators were led to believe that it was closed; they had misinterpreted the information available to them from instrument readings. According to one estimate,2 a complete fuel meltdown might have occurred if the water had continued to escape through the open valve for another 30 to 60 minutes.

How close was Three Mile Island to such a complete meltdown? There were many unusual aspects to the instrument readings at the time. Clearly, something very strange was going on. A number of knowledgeable people were trying to figure out what to do. One rightfully suggested closing an auxiliary valve in the pipe through which water was escaping. Within less than a minute after it was closed, a telephone call came in from another expert working at home suggesting that this auxiliary valve be closed,2 so it cannot be claimed that a meltdown was prevented by the luck of one man's recognizing the right thing to do. It is difficult to prove that if neither of the two had thought of closing the valve someone else would have, but there were a lot of people involved in analyzing the information, and there would have been further clues developing before a meltdown would have occurred. Some analyses indicate that there would not have been a complete meltdown even if the valve had not been closed, as there was a small amount of water still being pumped in.

In any case, the widely publicized statement that the Three Mile Island accident came within 30 to 60 minutes of a meltdown seemed to be sufficient to scare the public. I often wonder why this is so — when we drive on a high-speed highway, on every curve we are within a few seconds of being killed if nothing is done — that is, if the steering wheel is not turned at the proper time. And don't forget that even if a meltdown had occurred, there very probably would have been no health consequences, since the radioactivity would have been contained.

As a result of the Three Mile Island accident,9 great improvements have been made in instrumentation, information availability to the operators, and operator training. There is now a requirement that a graduate engineer be on hand at all times. There will probably never again be a LOCA arising from faulty interpretation of instrument readings.

With that road to a meltdown now essentially blocked, let us consider what are believed to be the most probable roads now open.

1. LOCA arising from a break in the reactor coolant system.

The cooling water system for transferring heat out of the reactor operates at very high temperature and pressure (600°F, and 2,200 pounds per square inch (psi) in a PWR, or 1,200 psi in a BWR). Therefore, if the system should break open, the water would come shooting out as steam in a process picturesquely called blowdown. Such a break could arise from a failure in the seal of the huge pump that brings the water into the reactor, or from a pressure relief valve opened by a brief pressure surge failing to close, but the most likely cause would be a pipe breaking off, especially at a welded joint.

A series of safety measures is designed to protect the system from breaking open.10 The first of these is very elaborate quality control on materials and workmanship, far superior to that in any other industry. No effort or expense is spared in choosing the highest quality materials and equipment, nor in requiring the most demanding specifications for safety-related parts of the system. The second measure is a highly elaborate inspection program, including X-ray inspection of every weld, and other inspections with magnetic particle and ultrasonic techniques during construction, followed by periodic ultrasonic and visual inspections after the reactor has gone into operation. The visual inspection program, for example, includes removal of insulation from pipes to search for imperfections or signs of cracking. One problem originally discovered by these inspections, "corrosion cracking," is discussed in the last section of this chapter. A third measure is a variety of leak detection systems: ordinarily a large break starts out as a small crack which allows some of the water and the radioactivity it contains to leak out. Leaking water becomes steam as it emerges (its temperature is close to 600°F), increasing the humidity; there are instruments installed to detect this increased humidity. Much of the radioactive material emerging with the leaking water attaches to airborne dust, and there are instruments in place for detecting increased radioactivity in this dust. These systems for detecting increased humidity and increased radioactivity in dust act as sensitive indicators for leaks, therefore serving as early warnings of possible cracks in the system.

If all of these measures should fail, a LOCA would occur. The remaining protection against a meltdown would then be the emergency core cooling system to be discussed below.

2. Loss of electric power (station blackout).

If there should be no electric power to operate the pumps, the water in the reactor would stay there and get hotter and hotter, building up the pressure until relief valves open allowing the water to escape. In addition, the pump seals require cooling water and would fail if it were not supplied due to station blackout, leading to a LOCA as described in (1).

To protect against station blackout, off-site power is normally brought into the plant from two different directions, and several diesel-driven generators are available, any one of which could provide the needed power. These engines are started at frequent intervals to assure their availability when needed, and statistics are kept on their failures to start. In addition, some safety system pumps are driven by steam from the reactor rather than by electric power; normally there would be plenty of this steam available. Control systems for operating pumps and valves are electrically operated, but batteries are available for this purpose.

In some plants, at least, being without electric power for more than about 20 minutes would usually lead to a meltdown.

3. Transients with failure of reactor protection systems.

While a reactor is operating, changes can and do occur which tend to increase the power level of a reactor. For example, the temperature or pressure of the water or its chemical content may change, causing it to absorb fewer neutrons, leaving more neutrons to strike uranium atoms and thus produce more energy. Reactors have "control rods," simple rods made of a material that strongly absorbs neutrons, which are moved in or out of the reactor core to control the power level. In the above example they would be moved in a short distance to absorb more neutrons and thus compensate for the fact that the water was absorbing fewer neutrons, restoring the power to its original level. An incident of this type is called a "transient." Small transients occur frequently in normal reactor operation, and control rods are frequently moved to adjust the power of the reactor.

Occasionally, perhaps once or twice a year, an abnormally large transient occurs which cannot be accommodated by the normal control rods. For example, if the electric power demand should suddenly drop drastically as in the case of a transformer or transmission line failure, the reactor is suddenly in a condition where it is producing far too much heat. For such transients, anticipated to occur many times in a reactor's "lifetime," safety systems automatically insert emergency control rods all the way into the reactor at high speed, absorbing so many neutrons that the chain reaction is completely stopped. This process is called scram.

It is possible that the scram system might fail when one of these anticipated large transients occurs. This is called "anticipated transients without scram," or ATWS. An ATWS event would lead to rapid, intense overheating and loss of water — blown out through pressure relief valves. This loss of water would constitute a LOCA. It would also stop the chain reaction.

The protection against occurrence of an ATWS accident is in the use of high-quality materials and components, and in a good program of inspections and tests. If an ATWS does occur, the emergency core cooling system, to be discussed below, would normally prevent a meltdown.

4. Earthquakes and fires.

Earthquakes can cause any of the above failures and can cause failures in safety systems which would ordinarily mitigate the effects of these failures. Fires, especially in the switch gear, in the control room, or in cables, can lead to failure of various operating or protection systems. For these reasons, nuclear plants are constructed with several features, like bracing and special pipe supports, to minimize effects of earthquakes. In addition, great care is taken in siting plants to avoid proximity to potentially active geological faults. (Widely circulated stories about plants being built on faults are not true.) Some of the best earthquake scientists in the nation are involved in this activity, and regulations and procedures are very elaborate.

Any system can be destroyed by a sufficiently powerful earthquake, but in an earthquake strong enough to cause a nuclear reactor meltdown, effects of the meltdown would be a relatively minor addition to the consequences of that earthquake.

All of these accident scenarios lead to loss of water. The chain reaction cannot go on without water, so it is shut down, but one must still worry about heat from radioactivity causing the fuel to melt. This can only be prevented if water cooling is very rapidly restored to the reactor core (where the fuel is located). Reactor designs provide this function through the "emergency core cooling system," ECCS. An ECCS consists of several independent systems for pumping water into the reactor, any one of which would provide sufficient water to save the reactor in most cases — in all cases two would do the job.11 More details are given on the ECCS in the Chapter 6 Appendix.

Without water cooling, reactor fuel heats up very rapidly, and it would require perhaps 30 seconds before water from the ECCS would flood the reactor vessel to a level at which the core is covered. During this time, the fuel would reach temperatures in the range 1,000-2,500°F.

When the water from the ECCS first reaches the hot fuel, it would flash into steam, and at one time there was some concern as to whether this might prevent further water from reaching and cooling the fuel. Some of the first tests of small mock-ups, performed in 1970-1971, indicated that this might be the case. The problem thus received very wide publicity.12 This was the situation that brought the opposition group, Union of Concerned Scientists (UCS), into prominence, as they asked for a halt to reactor licensing until the problem was resolved.13 The culmination was a series of hearings held in Washington extending over a year in 1972-1973.

As a result of the hearings, changes were introduced in reactor operation as a temporary measure to reduce the performance required of the ECCS if a LOCA should occur, and a crash research program costing hundreds of millions of dollars was launched to settle the unresolved questions. As more sophisticated experimental tests and computer analyses were developed, it became increasingly clear in the 1975-1978 time period that the ECCS would work. There were over 50 tests, far more realistic and sophisticated than the 1971 tests, and all came out favorably. The question was finally resolved in 1978 when a test reactor specifically designed to test the ECCS (called LOFT, for loss of fluid test) came into operation at the Idaho Nuclear Engineering Laboratory and was put through various types of LOCAs. In all cases, the ECCS performed better than had been estimated.14 For example, in the first LOFT test, the best estimate from the computer analysis was a maximum temperature of 1,376°F, the conservative calculation used for the safety analysis gave 2,018°F, but the highest measured temperature was only 960°F. In the second LOFT test, carried out under rather different conditions, these temperatures were 1,360, 2,205, and 1,185°F, respectively. These examples also demonstrate how conservative estimates rather than "best estimates" are generally used in safety analyses. This is good engineering practice, but it is not usually recognized by those who use such estimates to frighten the public.

One type of LOCA in which the ECCS would not prevent a meltdown is a large crack in the bottom of the reactor vessel, since water injected by the ECCS would simply pour out through that crack. This would not occur with pipe breaks since all significant pipes enter the vessel near its top. This problem was intensively investigated by the British as part of their decision to convert from their own type to American-type reactors, and they concluded15 that, in view of the large thicknesses (see Fig. 2) and high quality of the materials used, the probability of a large crack in the reactor vessel is so small as to be negligible. There is also an elaborate inspection program to ensure that the high quality of the reactor vessel material is maintained. One potential problem in this regard, "pressurized thermal shock," has received widespread publicity. It is discussed later in this chapter.

While every effort is being made to block the roads to meltdown, there is always a possibility of a road being opened by successive failures in the various lines of defense we have described. Or perhaps there is some obscure road to meltdown that no one has ever thought of in spite of the many years of technical effort on this problem. If nuclear power becomes a flourishing industry, there probably will be meltdowns somewhere someday. But if and when they occur, there is still one final line of defense — the containment — which should protect the public from harm in most cases. Let's now consider the reliability of that line of defense.

How Secure Is The Containment?

In all of the accident scenarios we have considered, water and steam from inside the reactor pours out into the containment building. When water is pumped in by the emergency core cooling system, some of it overflows, and when it surrounds the fuel it boils into steam, which goes out through the break into the containment. We thus expect the containment to be filled with steam, with a lot of excess water on the floor. This is true in nearly all potential loss-of-coolant accidents, even if the system does not break open, as was the case in the Three Mile Island accident. In addition, heat is being fed into this water and steam by the radioactivity in the fuel, by chemical reactions of steam with the fuel casing, and by burning of the hydrogen generated in those reactions. The most important threat to the security of the containment is that this heat will raise the pressure of the steam to the point where it will exceed the holding power of the containment walls, about 10 times normal atmospheric pressure.

In order to counteract this threat, there are systems for cooling the containment atmosphere.4,16 One such system sprays cool water into the air, a very efficient way of condensing steam; when it exhausts its stored water supply, it picks up water from the containment floor, cools it, and then sprays it into the air inside the containment. Another type of system consists of fans blowing containment air over tubes through which cool water is circulating. There are typically five of these systems, but only one (or in rare cases, two) need be operable in order to assure that the containment is adequately cooled. In most cases, one of the systems is driven by a diesel engine so as to be available in the event of an electric power failure. A more quantitative treatment of the containment cooling problem is given in the Chapter 6 Appendix.

Since they are safety related, these systems are subject to elaborate quality control during their manufacture and are frequently inspected and tested, so it seems reasonable to expect at least most of these systems to function properly if an accident should occur. All of them were functional during the Three Mile Island accident, and that is why it has been concluded2 that the containment would have prevented the escape of radioactivity even if there had been a meltdown there.

Unfortunately, containment security is not always that favorable. Some of the accident scenarios outlined above also affect the containment heat removal systems. For example, electric power failure would prevent pumps from operating. But more important are accidents in which the containment is bypassed.17 For example, in Fig. 3 we see that the steam generator contains tubes that are directly connected to the reactor, but the steam it generates passes out of the containment to the turbine. If the tubes rupture, there is then a direct path for the radioactivity in the reactor to get into the pipe leading to the turbine. If the reactor is still at its very high operating pressure, this high pressure could be transmitted into that pipe and break it open, releasing radioactivity outside the containment.

Two other mechanisms for breaking open the containment have been discussed. One of these is a steam explosion, which has received considerable research attention7 and was publicized in the fictional movie "The China Syndrome." The worst situation is in a meltdown where the molten fuel falls into a pool of water at the bottom of the reactor vessel, producing so much steam so suddenly that the top of the reactor vessel would be blown off and hurled upward with so much force that it would break open the top of the containment building. This is a highly unlikely scenario.

In "The China Syndrome" it is implied that a sufficiently powerful steam explosion can occur when the molten fuel melts its way into the ground and comes into contact with groundwater. Actually, only a tiny fraction of the molten fuel would be coming into first contact with groundwater at any given time, so steam would be produced gradually rather than as a single explosive release. A fictional movie need not be realistic, of course, but it is important for the audience to recognize that point.

The movie also makes an issue of groundwater contamination following a meltdown accident. In actuality, were molten fuel to suddenly come into contact with groundwater, the latter would flash into steam, which would build up a pressure to keep the rest of the groundwater away. There would thus be little contact until the molten fuel cooled and solidified many days later. It would then be in the form of a glassy mass that would be highly insoluble in water, so there would be relatively little groundwater contamination. If that were judged to be a problem, there would be plenty of time to construct barriers to permanently isolate the radioactivity from groundwater thereafter. It is difficult to imagine a situation in which there would be any adverse health effects from groundwater contamination.

The other possible mechanism for breaking the containment, a hydrogen explosion, has received substantial research attention18 and achieved notoriety in the Three Mile Island accident. The consensus of the research seems to be that even if all the hydrogen that could be generated in an accident were to explode at once, the forces would not be powerful enough to break most containments, including the one at Three Mile Island.18 Moreover, in nearly all circumstances the hydrogen would be produced gradually, and there are many sources of sparks (e.g., electric motors) which would cause it to burn in a series of fires and/or small explosions not nearly large enough to threaten the containment.

Three of the U.S. pressurized water reactor (PWR) containments store large volumes of ice inside to reduce steam pressure in an accident. Since the presence of ice is a failproof method for cooling the surroundings and thereby avoiding high steam pressure, it was not considered necessary to build the containment walls so powerfully or to make the containment volumes so large. These containments are more vulnerable to a hydrogen explosion,18 and therefore they are fitted with numerous gadgets for generating sparks to be extra certain that hydrogen ignites before large quantities can accumulate.19

The boiling water reactor (BWR) containments are much smaller in volume than those of PWRs; hence, they are more vulnerable to pressures generated by a hydrogen explosion. Some of these BWRs are operated with an inert gas filling the containment.20 Since there is no oxygen present, hydrogen cannot combine with oxygen to explode. Other BWRs, however, are at substantial risk of containment failure due to hydrogen explosions, although the failure mode is such that most of the radioactivity would not escape.17 It would exit through a pool of water which would dissolve and thus retain the radioactive materials.

Of course, explosions inside the containment, even if they do not crack the walls, can damage equipment, and this can cause problems. For example, if explosions disabled all of the heat removal systems, the containment might be broken by steam pressure. However, the probability for disabling many separate systems would be very small.

The systems we have described in this section and the previous one for averting a catastrophic accident constitute a "defense in depth," which is the guiding principle in designs for reactor safety. If the quality assurance fails, the inspections ordinarily provide safety. If the inspection programs fail, the leak detection saves the day. If that fails, the ECCS protects the system. And if the ECCS fails, the containment averts damage to the public. Moreover, each of these systems is itself a defense in depth; for example, if one of the ECCS water injection systems fails, another can do its job, and if both fail a third can provide sufficient water.

One sometimes hears statements to the effect that reactors are safe if everything goes right, but if any piece of equipment fails or if an operator makes a mistake, disaster will result. This statement is completely WRONG. In reactor design it is assumed that all sorts of things will go wrong — pipes will break, valves will stick, motors will fail, operators will push the wrong button, and so on, but there is "defense in depth" to cover these malfunctions or series of successive malfunctions.

Of course the depth of the defense is not infinite. If each line of defense were to crumble, one after the other, there could be a disaster. But as the depth of the defense is increased, the probability for this to happen decreases rapidly, provided the lines of defense fail independently of one another. For example, if each line of defense has a chance of failure equal to that of drawing the ace of spades out of a deck of shuffled cards (one chance in 52), the probability for five successive lines of defense to fail is like the chance of drawing the ace of spades successively out of five decks of well-shuffled cards — one chance in 52 x 52 x 52 x 52 x 52, or one chance in 380 million!

There have been cases where one of the lines of defense has failed in nuclear power plants. Utilities have been heavily fined by the NRC for such things as leaving a valve closed and thereby compromising the effectiveness of one of the emergency systems. These incidents are often given publicity as failures that could lead to a meltdown. But the media coverage rarely bothers to point out that there are several lines of defense remaining unbreached between these events and a meltdown — not to mention that there is still a major line of defense, the containment, remaining even if a meltdown occurs.

The Probabilities

In considering the hazards of a reactor meltdown accident, once again we find ourselves involved in a game of chance governed by the laws of probability. By setting up additional lines of defense, or by improving the ones we now have, we can reduce the probability of a major accident, but we can never reduce it to zero. This should not necessarily be discomforting since we already are engaged in innumerable other games of chance with disastrous consequences if we lose — natural phenomena like earthquakes and disease epidemics, and manmade threats like toxic chemical releases and dam failures, to name a few. In fact, participating in this new game of chance may save us from participating in others brought on by alternative actions, and it may therefore reduce our total risk: building a nuclear power plant may remove the need for a hydroelectric dam whose failure can cause a disaster, or for a coal-burning power plant whose air pollution might be disastrous. The important question is: what is the probability of a disastrous meltdown accident?

Several studies have been undertaken to answer this question. The best known of these was sponsored by the NRC and directed by Dr. Norman Rasmussen, an MIT professor.7 It extended over several years, involved many dozens of scientists and engineers, and cost over $4 million before its final report was issued in 1975. The report bore document designation "WASH-1400" and was titled "Reactor Safety Study" (RSS). It was a probabilistic risk analysis (PRA) based on a method known as "fault tree analysis," which had been developed to evaluate safety problems in the aerospace industry. It is described briefly in the Chapter 6 Appendix.

The history of the RSS does not stop in 1975. The Union of Concerned Scientists (UCS) published a critique of it21 in 1977 with its own probabilities, and we will quote some of its conclusions. An independent review panel chaired by Professor Harold Lewis of the University of California was commissioned by the NRC and reported22 in 1978. The principal finding of the Lewis panel was that the uncertainties in the probabilities given by the RSS were larger than originally stated, but that there is no reason to believe that the probabilities were either too large or too small. The Lewis panel also took exception to the 12-page Executive Summary issued with the RSS. The NRC accepted the Lewis panel report in 1979, so in our references to the RSS we will not use either the Executive Summary or the uncertainty estimates. In the late 1970s there were similar RSSs carried out in West Germany and in Sweden, using similar methodology and obtaining similar results. During this period, the RSS was pooh-poohed by opponents of nuclear power and was interpreted by the media and hence by the public as controversial.

Nevertheless, the NRC continued to encourage development and improvement of PRA methodology, and PRAs were carried out for over a dozen U.S. reactors at a typical cost of $5 million each (the RSS had analyzed only two reactors, one PWR and one BWR). With all of this activity and effort, new ideas and procedures were developed, and older ones were shown to be wanting and were abandoned. During this period important new scientific and technical developments surfaced, and these were incorporated. For example, there were intensive studies of the chemical form of released radioactivity,23 which had only been guessed at in the RSS, and greatly improved estimates were obtained on the strength of containments. A new appreciation of the importance of earthquakes and fires arose,17 and extensive research was devoted to analysis of their impact.

While the RSS was carried out by one team in 2 years at a time when PRA methodology was in its infancy and when there had been very little operating experience with nuclear reactors, these newer studies were done by many different teams over periods of more like 10 years, when PRA methodology was much more mature and there was many times as much operational experience, including several "accidents" of various magnitude, by far the worst of which was the one at Three Mile Island.

One interesting new development has been abandonment of the word meltdown, largely replaced by core damage. In the early thinking about reactor accidents, the idea became prevalent that if any appreciable fuel melting would occur, the problem would continue to escalate until all of the fuel became a molten mass with an unstoppable internal heat source (the radioactivity). Hence it would melt its way through the reactor vessel and anything else that got in its way — down through the Earth and all the way to China was the picturesque exaggeration that led to the name "China Syndrome." More detailed studies showed that these ideas were grossly oversimplified, and the Three Mile Island accident was a clear counterexample — most of the fuel melted, but it did not even get out of the reactor vessel. It is even difficult to answer the question "Was the Three Mile Island accident a meltdown?" because that word is not clearly defined. "Core damage," on the other hand, allows discussion of the wide variety of circumstances that are now believed to be possible. It also allows consideration of the several "precursors" to core damage that have already been experienced in reactor operation. By noting what further failures could have caused these incidents to escalate into core damage and estimating the probabilities for these further failures, one can arrive at an independent estimate of the probability for a core damage accident. The results of the new PRAs are discussed in some detail in the Chapter 6 Appendix. There are many differences between these and the RSS, but when all is said and done, the bottom lines turn out to be quite similar.17 It is therefore not unreasonable to use the RSS results. There is a big advantage in doing so since the RSS gives many more details that are useful in the discussion. We therefore base the following discussion on the RSS.

The RSS estimates that a reactor meltdown may be expected about once every 20,000 years of reactor operation; that is, if there were 100 reactors, there would be a meltdown once in 200 years.7 The report by the principal organization opposed to nuclear power, the Union of Concerned Scientists (UCS),21 estimates one meltdown for every 2,000 years of reactor operation. In U.S.-type reactors, there have been over 2,000 years of commercial reactor operation worldwide plus almost 4,000 years of U.S. Navy reactor operation, all without a meltdown (in the sense they are using the word). If the UCS estimate is correct, we should have expected three meltdowns by now, whereas according to the RSS there is a 30% chance that we would have had one.

We now turn to the consequences of a meltdown. Since it gives more detail, we will quote the results of the RSS here; the UCS viewpoint can be roughly interpreted as multiplying all consequences by a factor of 10.

In most meltdowns the containment is expected to maintain its integrity for a long time, so the number of fatalities should be zero. In 1 out of 5 meltdowns there would be over 1,000 deaths, in 1 out of 100 there would be over 10,000 deaths, and in 1 out of 100,000 meltdowns, we would approach 50,000 deaths (the number we get each year from motor vehicle accidents). Considering all types, we expect an average of 400 fatalities per meltdown; the UCS estimate is 5,000. Since air pollution from coal burning is estimated to be causing 30,000 deaths each year in the United States (see Chapter 3), for nuclear power to be as dangerous as coal burning there would have to be 75 meltdowns per year (30,000 / 400 = 75), or 1 meltdown every 5 days somewhere in the United States, according to the RSS; according to UCS, there would have to be a meltdown every 2 months. Since there has never been a single meltdown, clearly we cannot expect one nearly that often.
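The card-deck calculation, the expected-meltdown comparison, and the coal break-even figure above are all small pieces of risk arithmetic. The following Python is an added example, not from the book, that carries them out in named functions using the text's own numbers. Two things in it go beyond the text and are this example's assumptions: the beta-factor common-cause model (a standard PRA convention in which a fraction beta of each line's failures is a single shared failure that takes out every line at once), which shows how much the "one chance in 380 million" figure depends on the lines failing independently, and the Poisson step, which turns an expected count of 0.3 meltdowns into a probability of at least one.

```python
"""Risk arithmetic for the defense-in-depth, expected-meltdown and
break-even figures discussed in the text.

Added example, not from the book.  The beta-factor common-cause model and
the Poisson probability are this example's assumptions, not figures the
text states.
"""
import math


def all_lines_fail(p: float, n: int, beta: float = 0.0) -> float:
    """Probability that all n lines of defense fail, each with per-line
    failure probability p.

    beta == 0: the lines fail independently and the result is p**n, which
    is the text's card-deck calculation (1/52**5 for five lines at 1/52).

    beta > 0: beta-factor common-cause model (assumed here).  A fraction
    beta of each line's failures is one shared failure that defeats every
    line at once, so the system fails either because the shared cause
    strikes (probability beta*p) or because the remaining, independent
    part of every line fails at the same time (((1-beta)*p)**n).
    """
    if not (0.0 <= p <= 1.0 and 0.0 <= beta <= 1.0 and n >= 1):
        raise ValueError("p and beta must lie in [0, 1] and n must be >= 1")
    independent = ((1.0 - beta) * p) ** n
    shared = beta * p
    # The two routes to failure are independent events; take their union.
    return independent + shared - independent * shared


def expected_events(reactor_years: float, years_per_event: float) -> float:
    """Expected number of meltdowns in a given amount of operating
    experience, e.g. 6,000 reactor-years at one per 20,000 years -> 0.3."""
    if years_per_event <= 0:
        raise ValueError("years_per_event must be positive")
    return reactor_years / years_per_event


def prob_at_least_one(expected: float) -> float:
    """Poisson probability of one or more events when `expected` events are
    expected.  For 0.3 this is about 0.26; the text's "30% chance" quotes
    the expectation itself, which is a slight overstatement of it."""
    return 1.0 - math.exp(-expected)


def break_even_events_per_year(annual_deaths_comparison: float,
                               deaths_per_event: float) -> float:
    """Meltdowns per year needed for average meltdown fatalities to match a
    competing source of deaths, e.g. 30,000 / 400 = 75 per year."""
    if deaths_per_event <= 0:
        raise ValueError("deaths_per_event must be positive")
    return annual_deaths_comparison / deaths_per_event


def days_between_events(events_per_year: float) -> float:
    """Average spacing of events: 75 per year is one every 4.9 days."""
    return 365.0 / events_per_year


if __name__ == "__main__":
    # Figures quoted in the text, recomputed.
    print("five independent lines at 1/52:",
          f"1 in {1 / all_lines_fail(1 / 52, 5):,.0f}")
    # Same five lines with an assumed 10% common-cause fraction.
    print("same lines, beta = 0.1:",
          f"1 in {1 / all_lines_fail(1 / 52, 5, beta=0.1):,.0f}")
    for label, rate in (("RSS", 20_000), ("UCS", 2_000)):
        mu = expected_events(6_000, rate)
        print(f"{label}: expect {mu:.1f} meltdowns, P(>=1) = "
              f"{prob_at_least_one(mu):.2f}")
    for label, per_event in (("RSS", 400), ("UCS", 5_000)):
        per_year = break_even_events_per_year(30_000, per_event)
        print(f"{label}: {per_year:.0f} meltdowns/year to match coal, "
              f"one every {days_between_events(per_year):.1f} days")
```

With independent lines the five-deck figure comes out to one chance in 380,204,032, as in the text; with an assumed common-cause fraction of only 10% the same five lines fail together about once in 520 trials, because the shared failure route dominates. That gap is the reason PRA work, and security engineering generally, treats the independence of redundant barriers as something to be demonstrated rather than assumed.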

It is often argued that the deaths from air pollution are not very alarming because they are not detectable, and we cannot associate any particular deaths with coal burning. But the same is true of the vast majority of deaths from nuclear reactor accidents. They would materialize only as slight increases of the cancer rate in a large population. Even in the worst accident considered in the RSS, expected only once in 100,000 meltdowns, the 45,000 cancer deaths would occur among a population of about 10 million, with each individual's risk being increased by 0.5%. Typically, this would increase a person's risk of dying from cancer from 20.0% to 20.5%. This risk varies much more than that from state to state — 17.5% in Colorado and New Mexico, 19% in Kentucky, Tennessee, and Texas, 22% in New York, and 24% in Connecticut and Rhode Island — and these variations are rarely, if ever, noticed. It is thus reasonable to assume that the additional cancer risks, even to those involved in this most serious meltdown accident considered in the RSS, would never be noticed.

If we are interested in detectable deaths that can be attributed to an accident, we must limit our consideration to acute radiation sickness, which can be induced by very high radiation doses, about a half million millirems in one day resulting in death within a month. This is a rather rare disease: there were three deaths due to it in the early years among workers in U.S. government nuclear programs, but there have been none for over 25 years now.

According to the RSS, there would be no detectable deaths in 98 out of 100 meltdowns, there would be over 100 such deaths in one out of 500 meltdowns, over 1,000 in one out of 5,000 meltdowns, and in one out of 100,000 meltdowns there would be about 3,500 detectable fatalities.

The largest number of detectable fatalities to date from an energy-related incident was an air pollution episode in London in 1952 in which 3,500 deaths directly attributable to the pollution occurred within a few days.24 Thus, with regard to detectable fatalities, the equivalent of the worst nuclear accident considered in the RSS — expected once in 100,000 meltdowns — has already occurred with coal burning.

But the nuclear accidents we have been discussing are hypothetical, and if we want to consider hypothetical accidents, very high consequences are not difficult to find. For example there are at least two hydroelectric dams in the United States whose sudden rupture would kill over 200,000 people.7 There are hypothetical explosions of liquefied natural gas that can wipe out a whole city. If we get into possibilities of incubating or spreading germs, or of subtle chemical effects, we can easily imagine even more devastating scenarios arising due to air pollution from coal or oil burning plants.

It is sometimes said that nuclear accidents may be extremely rare, but when they occur they are so devastating as to make the whole technology unacceptable. From the above comparisons it is clear that this argument holds no water. For another perspective, we embrace a technology that kills 50,000 Americans every year. Every one of these deaths is clearly detectable, and that technology seriously injures more than 10 times that many. I refer here to motor vehicles. Even if we had a meltdown every 10 years, a nuclear power accident would kill that many only once in a million years.

The Worst Possible Accident

One subject we have not discussed here is the "worst possible nuclear accident," because there is no such thing. In any field of endeavor, it is easy to concoct a possible accident scenario that is worse than anything that has been previously proposed, although it will be of lower probability. One can imagine a gasoline spill causing a fire that would wipe out a whole city, killing most of its inhabitants. It might require a lot of improbable circumstances combining together, like water lines being frozen to prevent effective fire fighting, a traffic jam aggravated by street construction or traffic accidents limiting access to fire fighters, some substandard gas lines which the heat from the fire caused to leak, a high wind frequently shifting to spread the fire in all directions, a strong atmospheric temperature inversion after the whole city has become engulfed in flame to keep the smoke close to the ground, a lot of bridges and tunnels closed for various reasons, eliminating escape routes, some errors in advising the public, and so forth. Each of these situations is improbable, so a combination of many of them occurring in sequence is highly improbable, but it is certainly not impossible.

If anyone thinks that is the worst possible consequence of a gasoline spill, consider the possibility of the fire being spread by glowing embers to other cities which were left without protection because their firefighters were off assisting the first city; or of a disease epidemic spawned by unsanitary conditions left by the conflagration spreading over the country; or of communications foul-ups and misunderstandings caused by the fire leading to an exchange of nuclear weapon strikes. There is virtually no limit to the damage that is possible from a gasoline spill. But as the damage envisioned increases, the number of improbable circumstances required increases, so the probability for the eventuality becomes smaller and smaller. There is no such thing as the "worst possible accident," and any consideration of what terrible accidents are possible without simultaneously considering their low probability is a ridiculous exercise that can lead to completely deceptive conclusions.

The same reasoning applies to nuclear reactor accidents. Situations causing any number of deaths are possible, but the greater the consequences, the lower is the probability. The worst accident the RSS considered would cause about 50,000 deaths, with a probability of one occurrence in a billion years of reactor operation. A person's risk of being a victim of such an accident is 20,000 times less than the risk of being killed by lightning, and 1,000 times less than the risk of death from an airplane crashing into his or her house.7

But this once-in-a-billion-year accident is practically the only nuclear reactor accident ever discussed in the media. When it is discussed, its probability is hardly ever mentioned, and many people, including Helen Caldicott, who wrote a book on the subject, imply that it's the consequence of an average meltdown rather than of 1 out of 100,000 meltdowns. I have frequently been told that the probability doesn't matter — the very fact that such an accident is possible makes nuclear power unacceptable. According to that way of thinking, we have shown that the use of gasoline is not acceptable, and almost any human activity can similarly be shown to be unacceptable. If probability didn't matter, we would all die tomorrow from any one of thousands of dangers we live with constantly.

Land Contamination

Another aspect of a reactor meltdown accident that has been widely publicized is land contamination. The most common media version is that it would contaminate an area the size of the state of Pennsylvania, 45,000 square miles. Of course this depends on one's definition of "contaminate." It could be said that the whole world is contaminated, because there is natural radioactivity everywhere; or that the state of Colorado is contaminated because the natural radiation there is twice as high as in most other states. However, the Federal Radiation Council in the United States and similar official agencies in other countries have adopted criteria for the upper level of contamination that is acceptable before people must be evacuated. This level corresponds roughly to doubling or tripling the average lifetime dose that would be received from natural radiation and medical X-rays, or 2 to 5 times as much extra radiation as would be received by the average American from moving to Colorado. It is still 4 to 10 times less than the natural radiation received by people living in some areas of India and Brazil. Studies of these people have given no evidence of health problems from their radiation exposure.25

With this definition, the worst meltdown accident considered7 in the RSS — about 1% of all meltdowns might be this bad — would contaminate an area of 3,000 square miles, the area of a circle with a 30-mile radius. About 90% of this area could be cleaned up by simply using fire hoses on built-up areas, and plowing the open ground, but people would have to be relocated from the remaining 10%, an area equal to that of a circle with a 10-mile radius.

In assessing the impacts of this land contamination, I believe the appropriate measure is the monetary cost; the cost of decontaminating, relocating people, compensating for lost property and lost working time, buying up and destroying contaminated farm products, and so on. Some might argue that it is unfair to concentrate on money and ignore the human problems in relocation, but that is part of reality. Forced relocation is a common practice in building hydroelectric dams (which flood large land areas), highway construction, slum clearance projects, and so forth, and in these contexts the monetary cost and advantages to be gained are always the prime consideration in deciding on whether to undertake the project.

In most meltdowns, the cost would be less than $50 million (all costs are in 1975 dollars); in 1 out of 10 meltdowns, it would exceed $300 million; in 1 out of 100 meltdowns, it would exceed $2 billion; and once in 10,000 meltdowns, it would be as much as $15 billion.

Over all cases, the average cost would be about $100 million. Generating electricity by coal burning is estimated26 to do about $600 million per year in property damage, destroying clothing, eroding building materials, and so forth. Thus it would require six meltdowns per year — one every 2 months — for the monetary cost to the public from reactor accidents to equal that from coal burning. Clearly, health impacts are more important than property damage in determining the risks of generating electricity, but the relative risks of nuclear power and coal are not very different for the two.

Public Misunderstanding

In this chapter we have shown that there have been serious misunderstandings of reactor meltdown accidents in the public mind. In most such accidents there would be no harm to the public, and the average meltdown would cause 400 fatalities and do $100 million in off-site damage. Even in the worst 0.001% of accidents, the increased cancer risk to those involved is much less than that of moving from other parts of the country to New England. This is a far cry from the public image of many thousands of dead bodies lying around in a vast area of devastation, and it certainly is not "the ultimate disaster." Only a tiny fraction of the public recognizes that for nuclear accidents to be as dangerous as coal burning, we would have to experience a meltdown every 5 days.

The consequences of the misunderstandings have been tragic. Surely no one believes that we will have a meltdown every five days, or even every few months. We have never even had a large-scale evacuation, which would be the first step if there were any apparent danger to the public. Mass evacuations following other types of accidents are quite common. Chemical spills lead to the evacuation of hundreds of people several times per year in the United States. In 1979, as a result of a railroad tank-car accident involving a dangerous chemical, there was a mass evacuation from a suburb of Toronto, involving over 100,000 people for several days.

Nevertheless, because of the misunderstandings attending nuclear accidents, utilities have continued to build coal-fired rather than nuclear plants. Every time this is done, thousands of Americans are condemned to a premature death.

Nonsafety Issues

Any new technology is bound to encounter numerous technical problems that must be ironed out, and there has never been any reason to believe that nuclear technology should be an exception in this regard. However, contrary to the situation in other industries, technical problems in the nuclear industry often received widespread media exposure, causing them to be interpreted as safety issues.

Nearly any technical problem can indeed become a safety issue if it is consistently ignored. If an automobile runs out of lubricating oil, it could stall on a railroad crossing, which is clearly a safety problem. But the oil level is easy to check, there is a warning light indicating loss of oil pressure, and if the oil did run out, ominous grinding noises would alert you before the car would stall. Loss of lube oil is therefore not ordinarily considered to be a safety problem. It can be inconvenient, costly to fix, and may cause expensive damage to the engine, but it surely ranks far down on any list of safety hazards in automobiles. However, if the problem were not so familiar to a large segment of the population, the publicizing of one such case could easily scare people with stories about the possibility of automobiles stalling on railroad crossings or in other precarious situations due to loss of lube oil.

Analogous situations have been reported as safety issues for the nuclear industry. Let us review a few of them here.

Pressurized Thermal Shock27

The thick steel vessel housing the reactor is normally very hot because of the high temperature of the water inside (600°F). If, due to some malfunction, the inside is suddenly filled with cool water, the vessel experiences what is called "thermal shock." If it is then subjected to high pressure — producing pressurized thermal shock (PTS) — there is an increased tendency for the vessel to crack, rather than simply to stretch, if a small crack or imperfection already exists. The importance of PTS problems depends on quantitative details — how much of a thermal shock followed by how much pressure causes how much of an increased tendency to crack. Under ordinary conditions these quantitative details indicate that there is nothing to be concerned about. However, just as radiation can damage biological tissue, it can damage steel by knocking electrons and atoms out of their normal locations. This radiation damage to the reactor vessel aggravates its susceptibility to PTS.

Scientists recognized this problem over 20 years ago and they found a simple remedy for it — reducing the quantity of copper in the steel alloy from which the vessel is fabricated. This remedy was implemented in 1971, and all reactor vessels fabricated since that time have had no problems with PTS.

Reactor vessels fabricated before 1971 are kept under periodic observation to keep track of the problem. For many years, the NRC, burdened by other more urgent problems, put off considering PTS by adopting a very conservative screening criterion to indicate when further action on it would be undertaken. In 1981, time for action according to that criterion was only 1 or 2 years away in some reactors; hence, the NRC began to look into the problem in more detail by requesting information from various power plants. Misinterpreting these requests, a prominent newspaper ran a page-one story28 headlined "Steel Turned Brittle by Radiation Called a Peril at 13 Nuclear Plants," broadly implying that serious safety problems were immediately at issue. Opponents of nuclear power soon began trumpeting that message. They claimed that reactor vessels would crumble like glass under PTS, although no such behavior has ever been observed in the numerous laboratory tests of PTS. In 1981-1982, the NRC and the nuclear industry delved into the PTS problem rather deeply. In 1982, the NRC came up with new conclusions and regulations.

When the radiation damage reaches the stage where action is required, several remedies are available, although not all are applicable in all situations. One way to postpone the problem is to redistribute the fuel in the reactor so as to reduce the radiation striking the walls of the vessel — this is now being done in several plants. One remedy for PTS is to keep the water storage tanks heated to reduce the thermal shock that would be caused by sudden water injections. Another option is to change operating procedures to reduce the suddenness with which this water can be introduced. The most complete remedy, which is also the most time consuming and expensive, is to heat the reactor vessel to a very high temperature (850°F) to anneal out the radiation damage; this would, in fact, make the vessel as good as new.

The NRC standard is a conservative one. It is based on the assumption that there is a small crack or flaw in the vessel, although these vessels are very carefully inspected and no small cracks or flaws have been found. The vessel is typically 8 inches thick, so the outside is exposed to considerably less radiation and thermal shock than the inside; therefore, even if there should be cracking inside, it would probably not extend all the way through the thickness of the vessel and there would consequently be no danger from it.

As long as the problem is recognized, is under constant surveillance, has remedies, and will not be allowed to reach the danger point, it seems fair to classify pressurized thermal shock as a technical problem rather than as a safety issue. It should therefore receive the attention of scientists and engineers, but there is no reason for the public to preoccupy itself with it.

Stress Corrosion Cracking of Pipes29

There have been a number of situations in which pipes in boiling water reactors have been found to have cracks. Since a pipe cracking open is a widely heralded potential cause for a LOCA, this problem has received extensive media coverage as a potential threat, especially when the first such crack was discovered in 1975. However, researchers have established that this type of cracking develops very slowly and is easily detected by ultrasonic tests in its very initial stages. If it is not caught at that stage, it leads to slow leaks which are readily detected and repaired. Stress corrosion cracking is therefore not a safety issue.

On the other hand, this problem has caused expensive shutdowns for repairs, and has therefore been an important problem for power plant owners. They have consequently invested tens of millions of dollars in research to overcome it. The first fruit of this research was an understanding of the problem: welding stainless steel pipe joints caused some of the chromium that makes that material corrosion resistant to migrate away, reducing its local concentration from the normal 17% to below the 12% minimum needed for resistance to corrosion by excess oxygen in the water. Moreover, once this migration of chromium is started by the welding, the heat of the reactor water continues the process. A combination of this corrosion with stress on the material was found to cause the cracking.

Once the problem was understood, researchers rapidly found solutions. A new alloy with less carbon and more nitrogen, called nuclear-grade stainless steel, was developed which virtually eliminates the problem in new pipe. Investigators found that in the old type pipe, the chromium migration could be reversed by heating the welded joint in a furnace to 1,950°F, or by putting a lining of weld metal inside the pipe before the outside is welded. In addition to avoiding the chromium migration, methods have been developed to relieve the stress by running cooling water inside the pipe while the joint is being welded, or by heating the outside of the pipe while cooling the inside after the welding is completed. This last method is applicable without removing installed pipes. All of these methods are now being applied in operating plants. Moreover, researchers are developing methods for reducing the free oxygen content in the water, the principal chemical agent responsible for the corrosion. All three factors, chromium migration, mechanical stress, and a corrosive chemical agent, are necessary to cause the cracking, and all three of them have been reduced by these measures. An automated ultrasonic testing system has been developed to predict which welds are most likely to fail and to estimate their remaining service life. All this progress has put stress corrosion cracking of pipes well under control.

Steam Generator Tube Leaks30

Fig. 3 — Diagram (highly simplified) of pressurized water reactor power plant. Water is heated to 600°F by energy released in fission reactions in the reactor (it is prevented from boiling by maintaining high pressure), and pumped into the steam generator, where its heat is transferred to a secondary water system. The water in the latter is thereby boiled to make steam which drives the turbine. The steam is condensed in the condenser by cooling it with water brought in from some outside source — otherwise there would be no tendency for the steam to rush through the turbine and thereby cause it to turn. The water formed by condensation is pumped back into the steam generator to be reused.

A diagram of a pressurized water reactor (PWR) is shown in Fig. 3. The water in the reactor is kept under sufficiently high pressure that it does not boil and become steam. Rather it is pumped through the tubes of "steam generators" where it transfers its heat to the water from a separate "secondary" system, causing the latter to boil into steam. This has some advantage (and some disadvantages) over the simpler system of generating the steam by boiling the water in the reactor, as in the BWR. One of the advantages is that the water from the reactor, which contains radioactive contaminants, never gets into the other areas of the plant (turbine, condenser, etc.), so less attention to radioactivity control is needed in those areas.

However, leaks in steam generator tubes do allow radioactivity to reach those areas, and since they have minimal radioactivity control, it can easily escape from there into the environment. A large fraction of American PWRs have experienced problems with steam generator tube leaks. There are many thousands of these tubes in a steam generator; therefore leaking tubes can simply be plugged-up at both ends without affecting operation. However, when the number of plugged tubes exceeds about 20% of the total, as it has in some plants, the electrical generating capacity is significantly reduced. This represents a costly loss of revenue to the utility. In at least three cases, the utility has decided to replace their steam generators, a rather expensive alternative requiring many months of shutdown.

From the safety viewpoint, the worst accident worthy of consideration in this area is a sudden complete rupture of a few tubes. Such an accident might be expected once every several years. This is what happened at the Ginna plant near Rochester, New York, in January 1982. That accident generated a great deal of publicity, but the maximum exposure at any off-site point was 0.5 mrem,31 less than the average American receives from natural sources every day. Since there were no people staying all day at such points, no member of the public received even that much exposure. The total of the exposures to the whole population in the area was less than 100 mrem, which gives only 1 chance in 80,000 that there will ever be a single death resulting. On the other hand, it has been a costly problem for utilities, and a great deal of research has been devoted to solving it.

Eight separate classes of failures have been identified — denting, erosion-corrosion, fatigue, fretting, intergranular attack, pitting, stress corrosion cracking, and wastage. Researchers have developed a number of different methods for reducing these problems and for avoiding them in new plants. They have also developed new methods for detecting, locating, evaluating, and repairing leaks.

The NRC keeps a close watch on these problems to be certain that public safety is not compromised, in spite of the very small potential of steam generator leaks to cause radiation exposure to the public. It requires frequent testing for leaks, and has strict limits on the amount of leakage that can be tolerated before the reactor is shut down for repairs. It also maintains research programs to achieve improved understanding, evaluations, and predictability of future problems. The industry itself is also doing a great deal of research on the problem.

Chapter 6 Appendix

Probabilistic Risk Analysis

Probabilistic risk analysis, widely known as PRA, is the science of estimating the probability that some event will occur. The type of PRA used in analyzing reactor accidents, called "fault tree analysis," begins with identifying all "routes" leading to a meltdown. Each route consists of a succession of failures, like pipes cracking, pumps breaking down, valves sticking, operators pushing the wrong button, and so on. Since a given route will not lead to meltdown unless each of these failures occurs in turn, the probability of meltdown by that route is obtained by multiplying the probabilities for each individual failure. For example, if one particular route to meltdown consists of a pipe cracking badly — expected once in 1,000 years of operation — followed by a pump failing to operate — expected once in 100 trials — followed by a valve sticking closed — expected once in 200 attempts to open it, the chance that each of these three failures will occur successively in a given year is

$$\frac{1}{1{,}000} \times \frac{1}{100} \times \frac{1}{200} = \frac{1}{20{,}000{,}000}$$

There has been extensive experience in many industries with pipes cracking, pumps failing, and valves sticking, so the probabilities for these are known (they depend on the quality of the pipes, pumps, and valves). It is these probabilities, obtained from experience, that are used in the calculations.

Once the probabilities for each route to meltdown are calculated, the probabilities for all possible routes must be added up to obtain the total probability for a meltdown. This is the largest source of uncertainty, since there is no way to be certain that all possible routes have been included. However, with many dozens of independent researchers thinking about these questions for many years, it seems reasonable to believe that at least most of the important routes have been considered.
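The route calculation described above, written out as a small fault-tree evaluator. This is an added illustration, not from the book or any actual PRA: the pipe-pump-valve route uses the chapter's own figures (1 in 1,000, 1 in 100, 1 in 200); the "station blackout" route and its numbers are constructed purely to give the sum over routes a second term. It also shows the two things the text leaves implicit: that simply adding route probabilities is the rare-event approximation of the exact combination for independent routes, and how ranking routes by their share of the total identifies the dominant initiator.

```python
from fractions import Fraction

# A route is an ordered list of (failure, probability) pairs. The route leads
# to meltdown only if every failure in it occurs in turn (an AND gate).
Route = list  # list[tuple[str, Fraction]]

# The chapter's illustration: pipe cracks badly once in 1,000 years of
# operation, then the pump fails once in 100 demands, then the valve sticks
# closed once in 200 attempts to open it.
PIPE_PUMP_VALVE: Route = [
    ("pipe cracks badly", Fraction(1, 1000)),
    ("pump fails to operate", Fraction(1, 100)),
    ("valve sticks closed", Fraction(1, 200)),
]

# Constructed (hypothetical) second route so the sum over routes has more
# than one term. These numbers are not from the book or any real plant.
STATION_BLACKOUT: Route = [
    ("offsite power lost", Fraction(1, 10)),
    ("all diesel generators fail to start", Fraction(1, 10000)),
    ("power not restored in time", Fraction(1, 2)),
]

ROUTES = {
    "pipe-pump-valve LOCA": PIPE_PUMP_VALVE,
    "station blackout": STATION_BLACKOUT,
}


def route_probability(route: Route) -> Fraction:
    """AND gate: multiply the per-failure probabilities along one route."""
    p = Fraction(1)
    for _name, prob in route:
        p *= prob
    return p


def total_probability(routes: dict, exact: bool = False) -> Fraction:
    """OR gate over all routes to meltdown.

    The chapter adds the route probabilities; that is the rare-event
    approximation. For independent routes the exact value is
    1 - prod(1 - p_i); exact=True computes it so the two can be compared.
    """
    ps = [route_probability(r) for r in routes.values()]
    if not exact:
        return sum(ps, Fraction(0))
    no_meltdown = Fraction(1)
    for p in ps:
        no_meltdown *= 1 - p
    return 1 - no_meltdown


def rank_routes(routes: dict) -> list:
    """(name, share of total) pairs, most important route first.
    This is how a PRA identifies the dominant initiator."""
    total = total_probability(routes)
    shares = [(n, route_probability(r) / total) for n, r in routes.items()]
    return sorted(shares, key=lambda s: s[1], reverse=True)


if __name__ == "__main__":
    print("pipe-pump-valve route:", route_probability(PIPE_PUMP_VALVE))
    print("sum over routes      :", total_probability(ROUTES))
    print("exact (independent)  :", float(total_probability(ROUTES, exact=True)))
    for name, share in rank_routes(ROUTES):
        print(f"{name}: {float(share):.1%} of total")
```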

The Emergency Core Cooling System — Preventing Core Damage11

Following a reactor shutdown, as in an accident, radioactivity in the fuel continues to generate heat at a rate shown by the curve6 in Fig. 1. Ten seconds after shutdown, heat generation is at 5% of the full-power rate, and this drops to 3% after 3 minutes, 1% after 3 hours, and 0.3% after 5 days. If this heat is not carried away, the fuel will melt.

Under normal circumstances, the reactor fuel is submerged in rapidly flowing water, which picks up this heat and carries it to some other part of the plant where it is transferred to other systems. There are several things that can go wrong with this routine:

  1. The other system may fail and be unable to accept this heat. (Such a failure — the breakdown of a pump in combination with valves on backup pumps being left closed for reasons still not explained — initiated the Three Mile Island accident, although that problem was quickly corrected and would have caused no trouble if it were not for other problems.)
  2. The water flow may be blocked (as by a hydrogen bubble in the late stages of the Three Mile Island accident).
  3. The water may escape slowly through a small leak or open valve. (This was the most important failure in the Three Mile Island accident; a valve failed to close and the operators did not recognize that fact.)
  4. The system may burst open, releasing the pressure and thereby converting the water (which is at 600°F) into steam that would come shooting out through the opening — blowdown — leaving the reactor fuel with no water cooling.

In situations (1) and (2), the water will overheat and begin to boil, and the resulting steam will be released through pressure relief valves; these situations therefore also result in loss of water.

If the fuel is not covered with water, it will overheat and eventually melt; thus in all of these situations, it is important to inject more water into the reactor to replace that which is lost. In situations (1), (2), and (3), the reactor remains at high pressure (more than 100 times normal atmospheric pressure); it therefore requires special high-pressure pumps to inject water into it. There are typically three or four of these "high-pressure injection systems" (HPIS).4,7 They provide enough water to make up for boil-off caused by the amounts of heat shown by the horizontal lines labelled "HPIS" in Fig. 1. As an illustration of their meaning, if three HPIS are working, enough water is injected to match the heat evolving from the fuel after 6 minutes; after that time, therefore, the total water in the system begins to increase. Up to that time, a calculation shows, only 2% of the water has been boiled away.

If only one HPIS is providing water, the rate at which water is provided is not equal to the rate at which it boils off until after 5.5 hours, according to Fig. 1. By that time, nearly 40% of the water would be boiled away, but there would still be more than enough left to keep the fuel covered. Thus any one of three or four HPIS would normally provide enough water to prevent a meltdown, or even damage to the fuel due to overheating. (In the Three Mile Island accident, the HPIS were turned off by the operators because they misinterpreted the information available to them as indicating that there was too much water in the reactor.)

In situation (4), the water is lost by blowdown in a matter of seconds; it is therefore important to get a lot of water back into the system immediately. This would be accomplished by systems called "accumulators" — large tanks filled with water at about one third the pressure in the reactor. The water in these tanks is normally kept out of the reactor by a valve which is held shut by the higher pressure from the reactor side. But if the pressure in the reactor should fall below that in the accumulator tanks, the latter would push the valve open, rapidly dumping the water from those tanks into the reactor. Note that this is a failproof system, not requiring electric power or any human action. There is enough water in two accumulators to keep the fuel covered for about 15 minutes before boil-off would lower its level below the top of the fuel.

Another element of the emergency core cooling system for adding water following a blowdown is two low-pressure injection systems (LPIS), either of which would provide enough water to cover the fuel in about 3 minutes, and enough to more than compensate for water boil-off at all times.4,7 If either of these goes into operation by the time the water from the accumulator becomes insufficient, there can be no danger of damage to the fuel due to lack of water. But even if they fail, any one of the HPIS could provide sufficient water for this purpose. (They inject much more water when the reactor is at low pressure.)

Note that both the HPIS and the LPIS require electric power to drive pumps. If there should be an electric power failure following a blowdown, there would thus be about 15 minutes — the time during which water from the accumulators keeps the fuel covered — to restore electric power, as by starting up one of the diesel generators.

In summary, if even one of the three or four HPIS works, it is very difficult to imagine a situation in which insufficient water would be provided to prevent damage to the fuel. In the event of blowdown, either one of the LPIS or one of the HPIS would avert a meltdown.

The New PRAs17

In 1989, the Nuclear Regulatory Commission published a review of the state of the art PRAs on five U.S. nuclear power plants, three PWRs and two BWRs, including the two originally evaluated in the RSS and three relatively new plants with very different types of containment. Only two of the five plants, one PWR and one BWR, were analyzed for earthquakes and fires. We will base the following discussion on that review, but the results of PRAs on other plants are similar.

The core damage probabilities due to internal failures (i.e., causes other than earthquakes and fires), in chances per million in 1 year, are about 4 for the BWRs, 50 for two of the PWRs, and 340 for the other PWR. The reason for this last high risk is now recognized and is being corrected — this requires redesign of the reactor cooling water pump seal. For the two reactors where external events are included in the study, earthquakes add 40 chances per million for the BWR and 70 for the PWR, and fires add 20 for the BWR and 12 for the PWR. For both of the BWRs and one of the PWRs, the most important internal initiator is station blackout, although in one of the BWRs, the ATWS (anticipated transients without scram) accident is of nearly equal importance. In the two remaining PWRs, pipe-break LOCA is most important in one and pump seal failure LOCA is dominant in the other. For earthquakes, the most important initiator is loss of station power, but breaks in the high-pressure system are of nearly equal importance. For fires, station blackout is dominant in the BWR, and pump seal failure due to loss of its cooling water is most important in the PWR. Studies of earthquakes and fires in reactors other than the five considered here lead to similar conclusions.

The RSS studied two reactors, and both of them are also included here. For these, the core damage probability in the new studies, including earthquakes and fires which were not included in the RSS, is about the same as the meltdown probability in the RSS. For the internal failures it considered, the RSS was overconservative by a factor of 5 for the PWR and by a factor of 20 for the BWR, but its lack of consideration of earthquakes and fires makes up for this difference.

While the above figures give the impression that BWRs are much safer than PWRs, this is partly compensated by better containment performance for the latter. The probability for early containment failure and bypass, which are necessary conditions for appreciable health impacts, is 2% in the PWR with the high risk of core damage and 15% in the other two PWRs, versus about 50% in the BWRs. In core damage initiated by fire and earthquakes, these probabilities are about 3% and 10%, respectively, in the PWR versus 65% and 90% in the BWR.

The bottom line for these analyses is the number of deaths expected per year of operation. The number of deaths is the product of the probability for a core damage incident times the average number of deaths from such an accident. For internal initiators, the results are 0.015 deaths per year from the PWRs and 0.003 from the BWRs. The RSS gave about 0.04 for both. For fires, they are 0.0003 for the PWRs and 0.04 for the BWRs. No estimates were developed for earthquakes, because an earthquake that would cause core damage is one that would destroy dams, bridges, buildings, and roads, which would affect evacuation plans and sheltering from buildings. An alternative approach is to calculate by what percentage the nuclear plant releases would increase the total death rate from the earthquake. Best current estimates are 0.1%.

Nearly all of the above deaths would be from cancer many years later and could not be related to the accident. The average number of early deaths, within weeks following the accident, are 2, 25, and 70 millionths per year for the PWRs and 0.01 and 0.03 millionths per year for the BWRs. In the RSS they were 30 and 10 millionths per year for the PWR and BWR respectively.

Protections Against Containment Rupture11

In nearly all scenarios for serious reactor accidents, a great deal of water ends up in the containment building. When heat is added to water, the latter can be converted into steam, which increases the pressure inside. If this pressure exceeds the maximum that the containment can withstand, the containment will rupture, allowing the release of radioactive material into the environment. The integrity of the containment thus depends on keeping the net heat evolved within the containment below the maximum allowable quantity.

This allowable amount in the absence of containment cooling is shown in Fig. 2 by the curve labeled "no cooling"; it increases with time because some heat is diffusing into the concrete walls, where it does not contribute to increasing the steam pressure. The sources of heat are shown by the dashed lines in Fig. 2. The one source present in all cases is that generated by the radioactivity in the fuel. Its rate of evolution was shown in Fig. 1, and from that curve it is straightforward to calculate the total heat evolved up to any time; that is the dashed curve labeled "radioact" in Fig. 2. If blowdown occurs, the energy from it adds to the total, giving the dashed curve labeled "+ blowdown." If the emergency core cooling system fails to restore cooling, there will be a chemical reaction between the fuel-cladding material, zirconium, and steam, which releases additional heat, bringing the total up to that shown by "+Zr-Steam." That reaction generates hydrogen, and if this hydrogen burns, it contributes additional energy, bringing the total to the dashed curve labeled "+Hyd. Burn."

From Fig. 2 we see that the total energy released exceeds the allowable quantity with no cooling after 8 hours, even if only the radioactivity contributes, after 4 hours if there is a blowdown, and much sooner if the fuel overheats enough to allow the Zr-Steam reaction. Clearly, it is necessary to have systems for cooling the containment atmosphere.

There are two types of systems for doing this.4 One of these is the containment spray system (CSS), which sprays water into the air to condense the steam. There are typically three of these. They would exhaust their stored water supply after 1-2 hours, leaving the water on the containment floor. The system would then be switched to pick up water from the containment floor, pass it through pipes surrounded by cool water from a separate source outside the containment, and then spray it into the containment air to achieve cooling. If one of these three systems is operating, there can be no danger of breaking the containment due to excess pressure inside. This can be seen from the curve labeled "+1-CSS" in Fig. 2 which shows that the heat removed exceeds that provided by all sources combined by a large margin.

Another provision for containment cooling in some power plants is "containment fan coolers" (CFC), which blow air from the containment atmosphere over pipes carrying cooling water from a separate source outside the containment. There are typically five CFC, and the amount to which one or two of these increases the allowable amount of heat input is shown by the curves labeled "1-CFC" and "2-CFC" in Fig. 2. We see that if only one CFC is working, the cooling appears to be slightly insufficient to prevent containment rupture for the first 14 hours if all of the heat inputs contribute fully. However, if two of the five CFC are working, there is no problem with containment failure due to excess pressure.
