Nuclear Safety

Hazard
A very large inventory of radioactive fission products
some with long half-life (>years)
Radionuclide content of representative LWR spent fuel at discharge and 180
days of representative LMFBR fuel at discharge and 30 days

Activity, Ci/t metal

LWR fuel LMFBR fuel

Half-life
Nuclide Radiations Discharge 180 d Discharge 30 d
T1/2

3 12.3 5.744 x 5.587 x 1.648 x 1.640 x

H y10.73
85
Kr 10 2 x
1.108 10 2 x
1.074 10 3 x
1.473 10 3 x
1.466
y50.5
89
Sr 10 4 x
1.058 10 4 x
9.603 10 4 x
1.333 10 4 x
8.939
d
20.9 6 4 6 5
90
Sr 10
8.425 x 10
8.323 x 10
9.591 x 10
9.572 x
y64.0 4 4 4 4
90
Y 10
8.850 x 10
8.325 x 10
1.214 x 10
9.572 x
h
91
Y 59.0 10 4 x
1.263 10 4 x
1.525 10 5 x
1.794 10 4 x
1.269
d
95
Zr 64.0 10 6 x
1.637 10 5 x
2.437 10 6 x
3.215 10 6 x
2.340
d
3.50 6 5 6 6
95
Nb 10
1.557 x 10
4.689 x 10
3.149 x 10
2.954 x
d
99
Mo 66.0 10 6 x
1.875 10 5 x
3.780 10 6 x
4.040 10 6 x
2.108
h h
99m
Tc 6.0 10 6 x
1.618 10 -14 x
3.589 10 6 x
3.487 10 3 x
2.002
6 -14 6 3
99
Tc 2.1 x 10 5 10
1.435 x 10
1.442 x 10
3.278 x 10
3.293 x
y 10 1 10 1 10 1 10 1
Overarching Objective of Nuclear Safety
Protect staff, public and environment

Prevent uncontrolled release of radioactivity from plant

Implementation
- Heat removal
- Defense-in-depth:
• Physical barriers
• Design, construction and operation
 Heat Removal
98% of all fission products are retained in the fuel pellet
unless the fuel melts
It is important to keep the fuel “cool” under all modes of
normal operation:
1) Power mode (steady-state): fission energy generates
steam which releases energy in turbine and condenser
2) Shutdown mode (turbine not available): decay heat
generates steam, which is dumped directly into
condenser (PWR and BWR) or atmosphere (only PWR)
3) Refueling mode: fuel is kept under water and decay heat
is removed by residual heat removal system (RHRS)
 Defense-in-Depth (physical barriers)
There exist multiple physical barriers between the source of
radioactivity (the fission products) and the environment/
public. The most important barriers are:
1) Fuel pellet: it retains most solid fission products.
2) Cladding: it retains all fission products (gaseous included).
3) Reactor coolant system: robust high-pressure system of
pipes + vessel. Most fission products are soluble in
coolant and/or deposit on cold surfaces of pipes.
4) Containment: seal tight system is the ultimate barrier to
radioactivity release, even if all previous barriers have
failed.
Defense-in-Depth (design, construction and operation)
The concept of defense-of-depth extends to nuclear plant
design, construction and operation.
Emphasis is on prevention, protection and mitigation.
1) Prevention. Minimize causes of failures/accidents before
they occur:
- Design reactor with inherent safety features (e.g. negative
moderator, coolant and fuel
reac
tivity coefficients) and
margins to failure (e.g. MDNBR>1.3)
- Use of chemically compatible materials (e.g. no graphite and
water in core)
- Quality assurance in component manufacturing and
construction (“N-stamp”)
- Thorough training of operators + conservative operation
Defense-in-Depth (design, construction and operation) (2)
2) Protection. Reactor protection system:
- Monitors plant conditions (e.g. measures temperature,
pressure, flow, power, radiation levels)
- Recognizes precursors to transients/accidents

- Actuates scram and safety systems

3) Mitigation. When accidents do occur, mitigate

consequences using:
- Engineered safety systems
- Emergency plan/evacuation
 Design-Basis Accident
Classification
Undercooling: decrease in secondary-side heat
removal (e.g. loss of condenser cooling water)
Overcooling: increase in secondary-side heat
removal (e.g. loss of feedwater heating) Overfilling:
increase in reactor coolant inventory
(e.g. mismatch between feedwater and steam flow
in BWR)
Loss of flow: decrease in core flow rate (e.g. trip of
reactor pumps)
Loss of coolant: decrease of reactor coolant
inventory (e.g. break of primary system pipe)
Design-Basis Accident Classification (2)

• Reactivity insertion: uncontrolled insertion of positive

reactivity (e.g. rod drop in BWR)
• Anticipated Transients Without Scram (ATWS): a
relatively frequent abnormal event (transient)
with simultaneous failure to scram (e.g. loss of
feedwater without scram)
• Spent fuel accidents: occurring while handling and
storing spent fuel assemblies (e.g. drop a fuel
assembly, or critical configuration in fuel storage pool)
• External events: an event initiating outside the plant
(e.g. earthquake, hurricane, airplane crash)
 Engineered Safety Systems
Functions
• Shut-down reactor (i.e. stop the chain reaction) and
keep reactor subcritical
•Remove decay heat
•Relieve pressure
•Maintain (or replenish) reactor coolant inventory
Requirements
• Redundancy
• Diversity
• Physical separation
Engineered Safety Systems (2)
Shut-down reactor:
1) Scram control rods (fast acting: <2 sec)
2) Stand-by boron injection (slower acting, never used)

Remove decay heat:

1) Residual Heat Removal System (RHRS) in PWRs
and BWRs, or Isolation Condenser (IC) only in BWRs

BWR example
Engineered Safety Systems (3)
Remove decay heat (cont.):
2) Emergency Feedwater System (EFWS) in PWRs and BWRs

CST = Condensate storage

tank
SG = Steam Generator
----- = Main feedwater system

Note redundancy, diversity and physical separation

M. Gavrilas et al., Safety features of Operating LWRs of Western Design, CRC Press, 1995
Engineered Safety Systems (4)
Relieve pressure
1) BWR: Safety/Relief Valves (SRVs) located on main steam lines
2) PWR: Safety Valves and Power Operated Relief Valve (PORV)
l
ocated on top of pressurizer
SRVs and PORV discharge steam into water pools located inside the
containment

Courtesy of GE Hitachi Nuclear Systems. Used with

permission.

Maintain (or replenish) reactor coolant inventory

The Emergency Core Cooling System (ECCS) comprises:
• High Pressure Coolant Injection (HPCI) kicks in at high P (e.g. <12.5
MPa in PWR)
•Accumulators kick in at intermediate P (e.g. <4-5 MPa in PWR)
•Low Pressure Coolant Injection (LPCI) kicks in at low P (i.e. 0.1 MPa)
 Engineered Safety Systems (5)
Note:
- All ECCS water is highly borated
- HPCI and LPCI are typically active (based on pumps
powered by emergency diesel generators) in some
advanced LWRs they can be passive (no pumps or diesels
needed)
 Large-Break LOCA
Double-guillotine rupture of the largest pipe in primary
system, i.e., cold leg between pump and vessel.
Never happened. It is the worst design-basis accident for
LWRs. Historically, treated as a “bounding” event.

Sequence:
1) System depressurizes (blowdown) and empties very
quickly (<20 sec). Can do nothing about this because it’s
so rapid. Note that the reactor becomes subcritical even if
CRs are not inserted, why?
At this point the core is uncovered. If nothing is done, it
would melt, why?
15
 Large-Break LOCA (2)
2) ECCS (LPCI) kicks in to refill the vessel and reflood the
core. Refill and reflood take a few minutes.

If ECCS fails duringrefill and reflood, one has a severe

accident (partial or complete melting of the core).
However, ECCS is
designed to be redundant and diverse.
Some advanced LWRs have passive ECCS. All existing
LWRs in U.S. have active ECCS, i.e., refill and reflood is
done with pumps.
Note that ECCS water is heavily borated.

16
 Large-Break LOCA (3)
Legal limits for LB-LOCAs
Plant must satisfy the following requirements during a LB-
LOCA:
• No fuel melting
• Peak Cladding Temperature (PCT) below 1204 C (2200 F),
to prevent runaway Zr-steam reaction
Zr+2 H2O 2 ZrO2+2 H2+6500 kJ/kgZr
• Max oxidation of cladding <17% of original thickness, to
prevent cladding failure
• Less than 1% cladding oxidation average, to prevent
excessive hydrogen production
• No fuel “ballooning”, to maintain coolable geometry in
core
 The Containment
It encapsulates the “nuclear island” + performs
three functions
1. Public and Environment Protection
 Retention of radioactivity
 Retention of missiles
2. Protection of Plant Systems from
 Natural elements (flood and storms)
 Human actions (crashes and explosions, acts of sabotage)
 Fires
3. Structural Support of Systems
 Routine service loads
 Seismic loads
 Internal loads during accidents
 The Containment (2)
- It is a reinforced-concrete building to perform functions
2 (protection from external events) and 3 (structural
support)
- It has a steel liner to perform function 1 (retention of
radioactivity)

Seismic
reinforcement
h6
Shear
tie
h2 h5

h3 h4

h1

Axial Hoop
reinforcement reinforcement

Image by MIT OpenCourseWare.

System 80+™ Tech Papers, ANS Mtg., ABB-CE,

1992.
 The Containment (3)
The most serious design-basis
challenge to the containment
is pressurization following a
LB-LOCA

Energy “sources”:
- Primary system inventory
- Decay heat
- Chemical reactions (Zr-H2O,
H2 detonation)
- Stored energy in hot structures
 The Containment (4)

• Two basic types of containment:

1) Pressure containment. Designed large enough to accommodate all
mass/energy without exceeding pressure limit during initial spike
2) Pressure-suppression containment. To mitigate the initial pressure
spike, it uses:
• - Suppression pools or
• - Ice condensers
• Long-term (beyond initial pressure spike) all containments need:
- Sprays (keep pressure low + scrub containment atmosphere)
- H2/O2 recombiners or N2 inertization (prevent H2 detonation)
- Dedicated heat exchangers (keep containment cool)
- Venting through filters made of gravel, sand, water, etc.
(done in Sweden, France, Germany, not US)
 The Containment (5)
Pressure Pressure suppression containment
containment (ice condensers)
(large and dry)

B&W, “Steam, Its Generation & Use,” 1972. Sequoyah nuclear power
plant
© Babcock & Wilcox. All rights reserved. This content is excluded from our © source unknown. All rights reserved. This content is excluded from our
Creative Commons license. For more information, see http://ocw.
Creative Commons license. For more information, see http://ocw.mit.edu/
mit.edu/fairuse. fairuse.
 The Containment (6)
Pressure suppression Pressure suppression containment
containment (“doughnut” suppression pool)
(suppression pool)

Image by MIT OpenCourseWare.

A.V. Nero, Jr., A Guidebook to Nuclear Reactors,
1979.
© University of CA press. All rights reserved. This content is excluded from our Creative Commons
license. For more information, see http://ocw.mit.edu/fairuse.
Source: Nero, Anthony V. A Guidebook to Nuclear Reactors.
Berkeley, CA: University of CA Pr, 1979. ISBN: 9780520036611.
 The Containment (7)
Typical design parameters for US containments
Total
Design Allowable Leak Capability
Plant/ Containme
Pressur Rate Pressure
Type nt Free
e (kPa) (vol%/day) (kPa)
(m3)
Volume
Limerick/BWR Mark-II 480 11,600 0.5 1066
Grand Gulf/BWR Mark-III 204 47,300 0.4 515
Sequoyah/PWR Ice Condenser 184 34,000 0.25 446
Peach Bottom/BWR Mark-I 528 8,000 0.5 908
Zion/PWR Large Dry 425 73,600 0.1 1024
Surry/PWR Subatmospheric 411 51,000 0.1 921
Image by MIT OpenCourseWare.
Beyond-Design-Basis (“Severe”) Accidents
Cause of severe accidents is inadequate fuel
cooling, resulting in fuel melting
Can occur only with simultaneous failure of
engineered safety systems
Sequence:
- LB-LOCA with failure of ECCS
- Fuel cladding damage and ballooning
- Coolant flow restriction due to deformed cladding
- Fuel damage and fission product release

 Noble gases + volatile fission products (I, Br, Cs , Rb,Te ,

Se, Sr , Ba)
 Non-volatile fission products remain with the fuel
 Beyond-Design-Basis (“Severe”)

Accidents
(2)
Sequence (cont.):
- Fuel melts and relocates to bottom of reactor vessel
- Molten fuel breaches vessel
- Molten fuel spreads on containment floor and is cooled (solidified) by
water below vessel
- Concrete floor decomposition results in generation of large amounts
of CO2 which further pressurizes the containment

- H2 from cladding/water reaction further pressurizes the containment

- If pressure is very high, containment can develop cracks and some
fission products will escape into atmosphere
 Beyond-Design-Basis (“Severe”)

Accidents
(3)
Sequence (cont.):
- Fission products form a plume (cloud-shine) and can be transported
to ground by settling and rain-out (ground-shine)

- Population is irradiated
Plum
e
Cloud Fresh
shine produce

Rain Immediat
e Inhalation Fresh
ingestion milk
Plume
Skin
Shine from
contaminatio
ground
n
contamination
S
(ground shine)
Hot
Spot
Image by MIT OpenCourseWare.
 Emergency Plan/Evacuation
Last resort. In case of severe accidents, if significant radioactivity
release from the plant is expected, population within 10 miles
radiation exposure.

Seabrook
Station
 Quantification of Nuclear Risk
Risk (= frequency of an event its consequences) can be
quantified through the use of Probabilistic Risk
Assessment (PRA)
- A complex event (e.g. a nuclear accident) is broken into a sequence of
individual events (e.g. failure of a safety pump, failure of a valve, containment
bypass, etc), each with a given probability to occur
- The probability of the sequence is calculated using the formal rules of
probabilities (essentially AND/OR logic operators)
- The consequences of the event (e.g. human fatalities due to release of a
certain amount of radioactivity) are calculated and risk curves (frequency vs
consequences) can be constructed to compare the risk from various events, or
even various technologies.

PRA was pioneered by the nuclear industry, but its use is now
widespread, e.g. aviation and space industry, chemical industry,
economics, etc.
 Quantification of Nuclear Risk (2)
Average Loss in Life Expectancy Due to Various Causes

Cause Time (days)

Being unmarried-male Cigarette 3500
smoking-male Heart disease 2250
Being unmarried-female 2100
Being 30% overweight Being a coal 1600
miner Cancer 1300
Cigarette smoking-female 1100
Less than eighth-grade education Living 980
in unfavorable state 800
Serving in the U.S. army in Vietnam 850
Motor vehicle accidents 500
Using alcohol (U.S. average) Being 400
207
murdered (homicide)
Accidents for average job 130
Job with radiation exposure Accidents 90
for "safest" job 74
40
Natural background radiation (BEIR,
30
1972) Drinking coffee
8
Oral contraceptives
6
Drinking diet soft drinks
5
Reactor accidents (Kendall, 1975)
Reactor accidents (Wash-1400, 2
1975) Radiation from nuclear 2**
industry
0.02 **
PAP test
Smoke alarm in home Air bags in 0.02 **
car -4
-10
From WASH-1400, 1975 -50

These numbers include the risk from **Assumes that all U.S. power is
nuclear.

severe accidents! Image by MIT OpenCourseWare.

 Protect Public and Environment

Nuclear Safety
Heat Removal Effective Regulator (NRC)
• Steady-state Peer Oversight (INPO)
• Shutdown Defense in Depth
• Refueling

Physical Barriers Design, Construction and Operation

• Fuel pellet • Prevention (inherently stable design, QA,
• Cladding operator training, conservative operation, etc.)
• Coolant • Protection (reactor protection system)
system • Mitigation:
• Containment - engineered safety systems
- emergency plan/evacuation