Nuclear Safety

By Gianni Petrangeli

The second edition of Nuclear Safety provides the most up to date methods and data needed to evaluate the safety of nuclear facilities and related processes using risk-informed safety analysis, and provides readers with new techniques to assess the consequences of radioactive releases. Gianni Petrangeli provides applies his wealth of experience to expertly guide the reader through an analysis of nuclear safety aspects, and applications of various well-known cases. Since the first edition was published in 2006, the Fukishima 2011 inundation and accident has brought a big change in nuclear safety experience and perception. This new edition addresses lessons learned from the 2011 Fukishima accident, provides further examples of nuclear safety application and includes consideration of the most recent operational events and data.

This thoroughly updated resource will be particularly valuable to industry technical managers and operators and the experts involved in plant safety evaluation and controls. This book will satisfy generalists with an ample spectrum of competences, specialists within the nuclear industry, and all those seeking for simple plant modelling and evaluation methods.

New to this edition:

• Up to date analysis on recent events within the field, particularly events at Fukushima
• Further examples of application on safety analysis
• New ways to use the book through calculated examples

• Covers all plant components and potential sources of risk, including human, technical and natural factors
• Brings together, in a single source, information on nuclear safety normally only found in many different sources
• Provides up-to date international design and safety criteria and an overview of regulatory regimes

• Language: English
• Publisher: Elsevier Science
• Release date: Nov 16, 2019
• ISBN: 9780128183274

Gianni Petrangeli

Dr. Gianni Petrangeli is Consultant to the IAEA (International Atomic Energy Association) for the preparation of nuclear safety guidelines and participation in safety evaluation missions. He is a researcher for nuclear safety for the European Commission and a member of the Faculty Council for the Doctorate in Nuclear and Industrial Safety, University of Pisa, Italy. Dr. Petrangeli spent time as a Professor of Nuclear & Industrial Safety and Environment at the University of Roma, and at the University of Pisa where he received his Doctorate in Nuclear and Industrial Safety and was also a Professor on Complex Safety Systems.

Book preview

Nuclear Safety

Second Edition

Gianni Petrangeli

Consultant, Formerly ENEA, Italy

Formerly University of Pisa, Italy

Table of Contents

Cover image

Title page

Copyright

Preface

Chapter 1. Introduction

Abstract

1.1 Objectives

1.2 A Short History of Nuclear Safety Technology

Endnotes

References

Further Reading

Chapter 2. Inventory and Localization of Radioactive Products in the Plant

Abstract

References

Chapter 3. Safety Systems and Their Functions

Abstract

3.1 Plant Systems

3.2 Safety Systems and Accidents

3.3 Future Safety Systems and Plant Concepts

Endnotes

References

Further Reading

Chapter 4. The Classification of Accidents and a Discussion of Some Examples

Abstract

4.1 Classification

4.2 Design Basis Accidents

4.3 Beyond Design Basis Accidents

4.4 External Accidents of Natural Origin

Endnote

References

Further Reading

Chapter 5. Severe Accidents

Abstract

5.1 Existing Plants

5.2 Future Plants: Extreme and Practicable Solutions

5.3 Severe Accident Management: The Present State of Studies and Implementations

5.4 Data on Severe Accidents

5.5 Descriptions of Some Typical Accident Sequences

5.6 Source Terms for Severe Accidents

References

Further Reading

Chapter 6. The Dispersion of Radioactivity Releases

Abstract

6.1 The Most Interesting Releases for Safety Evaluations

6.2 Dispersion of Releases: Phenomena

6.3 Release Dispersion: Simple Evaluation Techniques

6.4 Formulae and Diagrams for the Evaluation of Atmospheric Dispersion

6.5 Calculation of Atmospheric Dispersion by Computer Fluid Dynamics Codes

Endnotes

References

Chapter 7. Health Consequences of Releases

Abstract

7.1 The Principles of Health Protection and Safety

7.2 Some Quantities, Terms, and Units of Measure of Health Physics

7.3 Types of Effects of Radiation Doses and Limits

7.4 Evaluation of the Health Consequences of Releases

References

Chapter 8. The General Approach to the Safety of the Plant–Site Complex

Abstract

8.1 Introduction

8.2 The Definition of the Safety Objectives of a Plant on a Site

8.3 Some Plant Characteristics for the Prevention and Mitigation of Accidents

8.4 Radiation Protection Characteristics

8.5 Site Characteristics

Chapter 9. Defence in Depth

Abstract

9.1 Definition, Objectives, Levels, and Barriers

9.2 Additional Considerations on the Levels of Defence in Depth

References

Chapter 10. Quality Assurance

Abstract

10.1 General Remarks and Requirements

10.2 Aspects to Be Underlined

References

Further Reading

Chapter 11. Safety Analysis

Abstract

11.1 Introduction

11.2 Deterministic Safety Analysis

11.3 Probabilistic Safety Analysis

Endnote

References

Chapter 12. Safety Analysis Review

Abstract

12.1 Introduction

12.2 The Reference Points

12.3 Foreseeing Possible Issues for Discussion

12.4 Control Is Not Disrespectful

12.5 Clarification Is Not Disrespectful

12.6 Designer Report

12.7 Discussion

Endnote

References

Chapter 13. Classification of Plant Components

Abstract

References

Chapter 14. Notes on Some Plant Components

Abstract

14.1 Reactor Pressure Vessel

14.2 Piping

14.3 Valves

14.4 Containment Systems

References

Chapter 15. Earthquake Resistance

Abstract

15.1 General Aspects, Criteria, and Starting Data

15.2 Reference Ground Motion

15.3 Structural Verifications

References

Further Reading

Chapter 16. Tornado Resistance

Abstract

16.1 The Physical Phenomenon

16.2 Scale of Severity of the Phenomenon

16.3 Design Input Data

References

Chapter 17. Resistance to External Impact

Abstract

17.1 Introduction

17.2 Aircraft Crash Impact

17.3 Pressure Wave

17.4 Other Impacts

References

Chapter 18. Nuclear Safety Criteria

Abstract

18.1 General Characteristics

18.2 The US General Design Criteria

18.3 IAEA Criteria

18.4 EUR Criteria

18.5 Other General Criteria Compilations

18.6 Possible Future Developments of Safety Methods and Criteria (Gianni )

References

Further Reading

Chapter 19. Nuclear Safety Research

Abstract

Reference

Chapter 20. Operating Experience

Abstract

20.1 Introduction

20.2 Principal Sources

20.3 Some Significant Events

20.4 The International Nuclear Event Scale

References

Chapter 21. Underground Location of Nuclear Power Plants

Abstract

References

Chapter 22. The Effects of Nuclear Explosions

Abstract

22.1 Introduction

22.2 Types of Nuclear Bomb

22.3 The Consequences of a Nuclear Explosion

22.4 Initial Nuclear Radiation

22.5 Shock Wave

22.6 Initial Thermal Radiation

22.7 Initial Radioactive Contamination (Fallout)

22.8 Underground Nuclear Tests

References

Chapter 23. Radioactive Waste

Abstract

23.1 Types and Indicative Amounts of Radioactive Waste

23.2 Principles

References

Further Reading

Chapter 24. Fusion Safety

Abstract

References

Further Reading

Chapter 25. Safety of Specific Plants and of Other Activities

Abstract

25.1 Boiling Water Reactors

25.2 Pressure Tube Reactors

25.3 Gas Reactors

25.4 Research Reactors

25.5 Sodium-Cooled Fast Reactors

25.6 Generation III/III+ Reactors

25.7 Generation IV Reactors

25.8 Fuel Plants

25.9 Nuclear Seawater Desalination Plants

25.10 VVER Plants

25.11 Ship Propulsion Reactors

25.12 Safe Transport of Radioactive Substances

25.13 Safety of Radioactive Sources and of Radiation-Generating Machines

References

Further Reading

Chapter 26. Nuclear Facilities on Satellites

Abstract

26.1 Types of Plant

26.2 Possible Accidents and Their Consequences

Reference

Further Reading

Chapter 27. Erroneous Beliefs About Nuclear Safety

Abstract

References

Chapter 28. When Can We Say That a Particular Plant Is Safe?

Abstract

Chapter 29. The Limits of Nuclear Safety: The Residual Risk

Abstract

29.1 Risk in General

29.2 Risk Concepts and Evaluations in Nuclear Installation Safety

29.3 Residual Risk: The Concept of Loss-of-Life Expectancy

29.4 Risk From Various Energy Sources

29.5 Risk to Various Human Activities

29.6 Are the Risk Analyses of Nuclear Power Plants Credible?

29.7 Proliferation and Terrorism

References

Additional References

IAEA References

MISC, Other References

Appendix 1. The Chernobyl Accident

A1.1 Introduction

A1.2 The Reactor

A1.3 The Event

Further Reading

Appendix 2. Calculation of the Accident Pressure in a Containment

A2.1 Introduction

A2.2 Initial Overpressure

A2.3 Containment Pressure Versus Time

Appendix 3. Table of Safety Criteria

Appendix 4. Dose Calculations

A4.1 Introduction

A4.2 Virtual Population Dose in a Severe Accident

A4.3 Explorative Evaluation of the Radiological Consequences of a Mechanical Impact on a Surface Storage Facility for Category 2 Waste

A4.4 Explorative Evaluation of the Radiological Consequences of a Mechanical Impact on a Transport/Storage Cask Containing Spent Fuel

Appendix 5. Simplified Thermal Analysis of an Insufficiently Refrigerated Core

A5.1 Analysis of the Core Without Refrigeration

A5.2 Other Formulae and Useful Data for the Indicative Study of the Cooling of a Core After an Accident

Appendix 6. European Requirements Revision E, 2016

A6.1 General Overview

A6.2 Sample of Notable Concepts Adopted in Revision E

A6.3 Extracts from EUR Criteria Revision E (2016) (Pressurized Water Reactors)

Appendix 7. Notes on Fracture Mechanics

A7.1 Introduction

A7.2 Current Practice

Appendix 8. US General Design Criteria

A8.1 Introduction

A8.2 Definitions and Explanations

A8.3 Criteria

Appendix 9. IAEA Criteria

Appendix 10. Primary Depressurization Systems

A10.1 Initial Studies

A10.2 Depressurization Systems for Modern Design Reactors

Appendix 11. Thermal-Hydraulic Transients of the Primary System

A11.1 General Remarks

A11.2 General Program Characteristics

A11.3 Program Description

A11.4 Using the program

A11.5 Other Formulae for the Expanded Use of the Program

Appendix 12. The Atmospheric Dispersion of Releases

Appendix 13. Regulatory Framework and Safety Documents

A13.1 Regulatory Framework

A13.2 Safety Documents

Appendix 14. USNRC Regulatory Guides and Standard Review Plan

A14.1 Extracts From a Regulatory Guide

A14.2 List of Contents and Extracts From a Sample Chapter of the Standard Review Plan

A14.3 Sample Chapter

Appendix 15. Safety Cage

A15.1 General Remarks

A15.2 Available Energy

A15.3 Mechanical Energy Which Can be Released

A15.4 Overall Sizing of a Structural Cage Around the Pressure Vessel

A15.5 Experimental Tests on Steel Cages for the Containment of Vessel Explosions

Appendix 16. Criteria for the Site Chart (Italy)

A16.1 Population and Land Use

A16.2 Geology, Seismology and Soil Mechanics

A16.3 Engineering Requirements

A16.4 Extreme Events from Human Activities

A16.5 Extreme Natural Events

Appendix 17. The Three Mile Island Accident

A17.1 Summary Description of the Three Mile Island No. 2 Plant

A17.2 The Accident

A17.3 The Consequences of the Accident on the Outside Environment

A17.4 The Actions Initiated After the Accident

Appendix 18. Other Examples of Practical Use of This Book

A18.1 Quick Review of the Preliminary Safety Analysis Report of a Generation III Pressurized Water Reactor

A18.2 Thermal-Hydraulic Study of a Pressurized Water Reactor

A18.3 Effect of an Earthquake (Friuli 1976) on a Real Building

Websites

Index

Copyright

Butterworth-Heinemann is an imprint of Elsevier

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1GB, United Kingdom

50 Hampshire Street, 5th Floor, Cambridge, MA 02139, United States

Copyright © 2020 Elsevier Ltd. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-818326-7

For Information on all Butterworth-Heinemann publications visit our website at https://www.elsevier.com/books-and-journals

Publisher: Brian Romer

Acquisition Editor: Maria Convey

Editorial Project Manager: Joanna Collett

Production Project Manager: Sruthi Satheesh

Cover Designer: Greg Harris

Typeset by MPS Limited, Chennai, India

Preface

I have written this book because of my firm belief that it is necessary to try to gather and to preserve in written form, and from one perspective, the accumulated memory and experience in the field of nuclear safety and radiation protection. This is particularly important for countries where nuclear energy exploitation has been stopped, but where it might have to be resumed in future. The main accent of this book is on Nuclear Safety.

From another point of view, many areas developed in nuclear safety studies are of interest in the safety of process plants too and, therefore, it is worthwhile writing about them. Given this perspective, I have tried to collect the ideas, the data, and the methods which, in many decades of professional work in several countries, in my opinion are the most useful for evaluation of integrated system of the plant safety.

I have emphasized the complete site–plant system more than single details, so the data and the methods discussed are not those applied in the many specialized disciplines devoted to the in-depth study of safety but are those required for overall, first approximation, assessments. In my opinion, such assessments are the most useful ones for the detection of many safety-related problems in a plant and for the drafting of a complete picture of them. The more accurate and precise the methods are, the more essential it is in the optimization phase of plant design and of its operational parameters. Specialists in reactor engineering, thermal hydraulics, radiation protection, and structural response issues may, therefore, be surprised to read that simple methods and shortcuts suggested here are very useful, as my experience and that of other generalists suggestions.

In addition, this book aims to cover some general and some unusual topics, such as the overall conditions to be complied with by a safe plant, the transboundary consequences of accidents to plants or to specific activities, the consequences of terrorist acts, and so on.

On some crucial issues the views of the world’s nuclear specialists are not the same, for example, the views in Western countries compared with those in former soviet-bloc countries on the pre-Chernobyl approach to nuclear safety in Eastern Europe: the West considered the soviet approach to be a relatively lenient one, while the soviets thought that they concentrated on prevention of accidents rather than on the mitigation of them. In these cases the text tries to be objective and to quote the Eastern view besides the Western one, leaving future engineers and technical developments to decide on this issue.

Except where explicitly indicated, the text refers to the pressurized water reactor. Extrapolation to other kinds of plants is, however, possible.

The text complies with internationally recognized safety standards, and in particular with International Atomic Energy Agency (IAEA) requirements.

On occasions I have digressed, in notes, from the main thrust of the text. I have done this for several reasons: many notes relate facts that qualify or justify what is written in a preceding paragraph; some of them are numerical examples added for clarification, while others are simple comments and personal reflections on the subject. These notes are set at the end of each chapter.

I have provided a list of references at the end of each chapter; however a chapter (Additional references) lists some organizations that offer institutional references [IAEA, Organization for Economic Cooperation and Development (OECD), and United States Nuclear Regulatory Commission (USNRC) that is one of the richest sources of publications among the regulatory bodies]. Many of these references can be consulted and even downloaded from the websites listed in the Web sites chapter.

Calculation sheets mentioned in the text may be downloaded from the publisher’s website (http://dx.doi.org/10.17632/4hc54vnzx6.2); the way to use them is described in the text.

Finally, I wish to underline that all my experience suggests to me, after many positive and negative lessons learned, that today’s nuclear plants can be completely safe and that significant accidents can be avoided. This is, however, only true on the condition that safety objectives are carefully pursued by the organizations involved in the plants; in this arena, as it will be shown, even organizations apparently very far from any specific plant must be, up to a certain extent, included (e.g., the bodies responsible for the general energy strategy of a country and the media).

This situation does not exclude that future nuclear plants should be cheaper and safer than today’s nuclear plants. The organization WENRA (see Section 1.2.4) has very courageously put an accent on the need that future plants be safer than present ones by design: a long-awaited statement by many professionals interested in nuclear safety. I personally, among others, asked the participants to a closed meeting of a top European Organizations to think over the overwhelming benefit of a statement like this in the 1980s, even taking into account the possible wrong use of it by some sectors of public opinion and press. It must be remembered, indeed, that existing safe plants benefit from the accumulated operational experience and ensuing modifications to plant features and their operation: this is an added safety value which, for future different types of plants, must be overcompensated by an increase of safety through design.

I also stress the need that future plants be cheaper than present ones: from the safety point of view, this feature will make plant surveillance and safety-useful modifications easier to accept by investors (see Chapter 18: Nuclear Safety Criteria).

I am confident that from the list of Generation IV reactors presently under study (Section 1.2.4), one plant with the above-listed characteristics will emerge. Very recently, some facts (see Nuclear News, 2019 for Canada) seem to indicate the start of an investor’s interest in Generation IV reactors (MOLTEN SALT REACTOR and HTGR) beyond the research activities going on in many organizations worldwide.

In general terms, cheaper and safer nuclear reactors should have the following good fundamentals or basic characteristics:

• Reduced internal pressure of components

• Reduced presence of highly corrosive fluids

• Reduced presence of flammable materials

• Self-shutdown in the case of dangerous disturbances

• Intrinsically safe siting (reduced danger of destructive earthquakes, inundations, and slides)

The choice of a future, cheaper and safer, reactor type, moreover, should not be influenced (as it might be) by the intertwined relation between peaceful uses of nuclear energy and military uses of it (Uekoetter, 2012; McPhee, 1974). In particular, Thorium-fuelled reactors should not be penalized.

This issue is not dealt with in this book for the lack of reliable and public numerical data. However, in the light of past experience and choices, this issue is important.

I will be very grateful to my readers for any suggestion concerning any improvements to the text and also corrections to the mistakes which are certainly present in it. I am fully aware, in particular, of the subjective nature of the choice of the material: the subject of nuclear safety, as does that concerning the safety of process plants in general, has become, over time, a discipline comprising many specific rather autonomous subsections. It is not easy, therefore, to choose the material to be included in a general text like this one; in this, practical experience of what is necessary while doing assessment work of plants has been my guide.

References

1. McPhee J., 1974. The Curve of Binding Energy (Chapters 19–22).

2. Nuclear News, ANS (American Nuclear Society), issue April 2019, International, page 33.

3. Uekoetter F. Fukushima and the lessons of history: remarks on the past and future of nuclear power. Source: RCC Perspectives, No 1, Europe After Fukushima: German Perspectives on the Future Nuclear Power Rachel Carson Center 2012;9–32.

Chapter 1

Introduction

Abstract

The objectives of nuclear safety consist in ensuring the siting and the plant conditions need to comply with adequate principles, such as the internationally accepted health, safety, and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable [the ALARA (as low as reasonably achievable) Principle] in all operational conditions and in case of accidents.

Keywords

Nuclear safety; plant site; operational conditions; health; radiation; accidents

1.1 Objectives

The objectives of nuclear safety consist in ensuring the siting and the plant conditions need to comply with adequate principles, such as the internationally accepted health, safety, and radioprotection principles. In particular, the plant at the chosen site shall guarantee that the health of the population and of the workers does not suffer adverse radiation consequences more severe than the established limits and that such effects be the lowest reasonably obtainable [the ALARA (as low as reasonably achievable) Principle] in all operational conditions and in case of accidents.

These objectives are frequently subdivided into a general objective, a radiation protection objective, and a technical objective, for example, in the International Atomic Energy Agency (IAEA) criteria (see www.iaea.org).

The general nuclear safety objective (IAEA Fundamental Safety Principles SF-1, 2006) is to protect individuals, society, and the environment from harm by establishing and maintaining effective defences against radiological hazards in nuclear installations.

The radiation protection objective is to ensure that in all operational states radiation exposure within the installation or due to any planned release of radioactive material from the installation is kept below prescribed limits and ALARA, and to ensure mitigation of the radiological consequences of any accidents.

The technical safety objective is to take all reasonably practicable measures to prevent accidents in nuclear installations and to mitigate their consequences should they occur; to ensure with a high level of confidence that, for all possible accidents taken into account in the design of the installation, including those of very low probability, any radiological consequences would be minor and below prescribed limits; and to ensure that the likelihood of accidents with serious radiological consequences is extremely low.

The target for existing power plants consistent with the technical safety objective has been defined by the International Nuclear Safety Advisory Group (advisor to the IAEA Director General) as a likelihood of occurrence of severe core damage that is below about 10−4 events per plant operating year. Implementation of all safety principles at future plants should lead to the achievement of an improved goal of not more than about l0−5 such events per plant operating year. Severe accident management and mitigation measures should reduce the probability of large offsite releases requiring short-term offsite response by a factor of at least 10.

It has to be observed that these principles, while indicating the need for strict control of radiation sources, do not preclude the external release of limited amounts of radioactive products nor the limited exposure of people to radiation. Similarly, the objectives require to decrease the likelihood and the severity of accidents, but they recognize that some accidents can happen. Measures have to be taken for the mitigation of their consequences. Such measures include onsite accident management systems (procedures, equipment, operators) and offsite intervention measures. The greater the potential hazard of a release, the lower must be its likelihood.

The chapters of this book, except the few of them not concerned with the safety of nuclear installations, deal with the ways for practically achieving these objectives.

1.2 A Short History of Nuclear Safety Technology

1.2.1 The Early Years

The first reactor, the Fermi pile CP1 (or Chicago Pile 1, built in 1942) was provided with rudimentary safety systems in line with the sense of confidence inspired by the charismatic figure of Enrico Fermi and his opinion concerning the absence of any danger from unforeseen phenomena. The safety systems (Fig. 1.1) are as follows:

• Gravity-driven fast shutdown rods (one was operated by cutting a retaining rope with an axe).

• A secondary shutdown system made of buckets containing a cadmium sulfate solution, which is a good neutron absorber. The buckets were located at the top of the pile and could be emptied onto it should the need arise.

Figure 1.1 Drawing of the CP1 pile. Scram—this term means fast shutdown of a reactor: various explanations have been proposed for its origin. The most credited one assumes that it derives from the abbreviated name of the CP1 safety rod which could be actuated by an axe. In the original design sketches of the pile, the position of the operator of the axe was indicated by SCRAM, the abbreviation of Safety Control Rod Ax Man. The designated operator was the physicist Norman Hilberry, subsequently Director of the Argonne Laboratory. His colleagues used the name Mister Scram. Courtesy Prof. Raymond Murray.

Figure 1.2 Sketch for a discussion on a break in a pressure tube reactor.

Compared with the set of safety systems subsequently considered essential, an emergency cooling system was missing as decay heat was practically absent after shut down, and there was no containment system (except for a curtain!) provided as the amount of fission products was not significant.

Other reactors were soon built, for both military and civil purposes, and since they were constructed on remote sites (e.g., Hanford, Washington); they did not need containment systems.

In the light of subsequent approaches used in reactor safety, probably, in this first period, not all the necessary precautions were taken; however, it is necessary to consider the specific time and circumstances present (a world war in progress or just finished, status of radiation protection knowledge not yet sufficiently advanced, etc.).¹

In the 1980s and 1990s, a revision of the simplified approach used for these first reactors (mainly devoted to plutonium production) was made. They were, as a consequence, either shut down or modified. In particular, the following characteristics or problems were removed or solved:

• the open cycle cooling of the reactors and nonpressure-resistant containments;

• the disposal of radioactive waste using unreliable methods, such as the location of radioactive liquids in simple underground metallic tanks which were subject to the risk of corrosion and of consequent leaks; and

• the storage of spent fuel elements in leaking pools of water.

1.2.2 From the Late 1950s to the Three Mile Island Accident

Since the early 1960s and even before, in the West, the criterion of locating power reactors in a leakproof and pressure-resistant containment vessel was established and consolidated. In those cases where a significant release of radioactive products could be possible, the design pressure of the containment was chosen on the assumption that all the primary (and part of the secondary) hot water (for a water reactor) was released from the cooling systems.

Indeed, since the 1950s, the US Reactor Safeguards Committee, set up by the Atomic Energy Commission (AEC) with the task of defining the guidelines for nuclear safety, had indicated that for a noncontained reactor, a low population zone should be provided. This distance, R, had to be equal, at least to that given by Eq. (1.1).

(1.1)

where Pth is the thermal power of the reactor in kilowatts.

For a 3000 MW reactor (the usual size today), this exclusion distance is equal to approximately 30 km, which is equal to the distance evacuated after the Chernobyl accident (Bourgeois et al., 1996). Evidently, the reference doses for the short-term evacuation were roughly the same for the two cases. An exclusion distance of this magnitude poses excessive problems to siting, even in a country endowed with abundant land such as the United States; therefore the decision of adopting a containment is practically a compulsory one.

The first reactor with leakproof and pressure-resistant containment was the SR1 reactor (West Milton, New York, built in the 1950s). Built to perform tests for the development of reactors for military ship propulsion; this reactor was cooled by sodium and the containment was designed for the pressure corresponding to the combustion of the sodium escaping from a hypothetical leak in the cooling circuit.

In Western countries, moreover, it was required that the whole refrigeration primary circuit should be located completely inside the containment, so that, even in the case of a complete rupture of the largest primary system pipe, all the escaped fluid would be confined in the containment envelope. The design pressure of the containment for water reactors (starting with the Shippingport, Pa, reactor, moderated and cooled by pressurized water) was derived on the basis of the assumption of the complete release of the primary water.

In Eastern Europe, these criteria were applied to a lesser degree, as it was accepted that the pressure vessel alone would be located within the containment (the rupture of large pipes was considered sufficiently unlikely to justify this assumption) and that the leakproof containment characteristic need not be very stringent. Thus at the second Atoms for Peace conference in Geneva in 1964, the Western visitors were impressed but surprised by the model of the Novovoronezh reactor, which showed only one small containment enclosure around the reactor pressure vessel and was located in a building that from the outside resembled a big public office building. Still many years afterward, the Russian reactors of the VVER 230 series, although provided with complete Western-style containment, had a leakage rate from the containment of the order of 25% each day (to be compared with figures of the order of 0.2% each day from typical Western containments).²

Apart from differences of approach between world regions, in this period of time and in all the countries with nuclear reactors, the systems installed in the plants according to the requirements of the safety bodies and having the sole purpose of accident mitigation, were frequently the subject of heated debates; in particular, the emergency core cooling systems and the containment systems were often discussed.

More precisely, the opinions on the accident assumptions evolved in the West were divided. The reference situations for the reasonably conceivable accidents were chosen by the judgment of expert committees. These situations included the worst credible events (such as the complete severance of the largest primary pipe). The assumptions concerning the initiating event were accompanied by simultaneous conservative assumptions concerning malfunctions in safety systems, such as a single failure consisting in the failure, simultaneous with the initiating event (pipe failure and so on), of one active component of one of the safety systems devoted to emergency safety functions during the accident (water injection system, reactor shutdown system, and so on).³

On one side, the more cautious experts, generally members of public safety control bodies, many scholars and members of nongovernmental organizations for the defence of public rights, supported the need for keeping these conservative assumptions; on the other side, more optimistic people (members of manufacturing industries and of electric utilities) maintained that the above-mentioned accident assumptions entailed a true waste of resources (those necessary to provide nuclear plants with huge containment buildings and powerful safety systems). It has to be noted that the optimists were by no means imprudent or reckless: a sincere conviction existed in the industry that the current accident assumptions were not well founded.⁴

The contrast between the optimists and the pessimists was exacerbated by the foreseeable circumstance that not all of the logical consequences of the initially adopted accident assumptions were from the start clear to technical people. As an example, as far as the effectiveness of emergency core cooling systems is concerned, it was not understood from the start that Zircaloy fuel cladding (stainless steel behaves in a similar way) could react with water in an autocatalytic way at relatively low temperatures and could release large quantities of hydrogen. Neither was it understood from the start that the same cladding could swell before rupturing and could occupy the space between fuel rods, preventing the flow of cooling water. The existence of these phenomena was demonstrated by studies and by tests performed by the AEC on the Semiscale facility at the US National Laboratory of Idaho Falls toward the end of the 1960s, when many US reactors had already been ordered and were being designed or built.

Similarly, at the beginning of the 1970s, the possibility was demonstrated that the break of a pipe could damage other nearby pipes or other plant components, starting a chain of ruptures (known as the pipe whip effect).

All of these discoveries, made late in the design and procurement phases of US reactors, persuaded the control bodies to stipulate that the inherent safety systems be improved in order to take them into account. Other requests for improvement concerned the resistance of the plants to natural phenomena or to man-made events, in order to reach a balanced defence spectrum against all of the realistically possible accidents; in such a way the defence against new phenomena became analogs to the defence against the already considered phenomena having a comparable or lower probability. These requests for improvement (backfitting) extended the construction times of the plants, together with their costs.

It can be understood that the industry, which already considered the initially adopted accident assumptions to be excessive, strongly opposed these aggravating requests. As previously said, up to the Three Mile Island (TMI) accident, not all nuclear technical experts believed in the reasonableness of the current accident assumptions and in the need to pursue them with logical rigor and, in the light of the up-to-date scientific knowledge, up to their extreme consequences.⁵

The increase in costs as a consequence of the continuous requests for plant improvements was strongly in contrast with the initial industrial expectations, which were concisely summarized by the then chairman of the AEC, Lewis Strauss, who famously stated that nuclear energy would become too cheap to meter. In this period, the expression ratcheting was created to describe the action of the control bodies in the field of the improvement of the plants concurrently with the indications of the progressing studies and research.

This continuous process of improvement produced, where it was performed, very safe but also very costly and rather complicated plants. Indeed, the plants were subject to a series of safety feature additions to a substantially unchanged basic design.

In this period a diverse approach to plant siting developed and was consolidated in the United States and in Western Europe. In the United States, the plant siting criteria, as far as demographic aspects were concerned, were substantially decoupled from the design features of the plant. On the contrary, in Europe, criteria for the site–plant complex were adopted. The US site criteria (except for seismic problems and for other external natural or man-made events) can be summarized as follows:

• The existence of an exclusion zone around the plant, where no dwellings or productive settlements exist, with access under the complete control of the plant management.

• The existence of a low population zone around the plant, which could be quickly evacuated (within hours) in case of accident to the plant.

• The radioactive products release from the core to the plant containment conventionally established as a function of the plant power only: the Technical Information Document 14844 (TID) release (Di Nunno et al., 1962).

• A dose limit of 250 mSV (25 rem) total body and of 3 Sv (300 rem) for the thyroid (children) within 2 hours after the accident at the border of the exclusion zone.⁶

• Dose limits equal to the preceding ones for the whole accident duration at the external border of the low population zone.

The exclusion zone was established at a radius of 800–1000 m around the plant and the low population zone at roughly 5 km from the plant (US Code of Federal Regulations, 2004a).

The conventional release from the core was as follows:

• For iodine-131:50% of the core inventory, of which 50% only is available in the containment for external release (deposition and plate out in the primary circuit).

• The iodine available for external release is 91% elemental, 5% particulate, and 4% organic iodide (methyl iodide).

• Noble gases are totally released to the containment.

Independent criteria were then established for the design of the plant.

In this approach, the decision about the adequacy of a proposed site could be taken only on the basis of the plant power level and, possibly, on the specific characteristics of its fission product removal systems (to be evaluated and possibly validated on a case-by-case basis).

In contrast, in Europe, the site selection criteria usually consider the site–plant complex. Therefore for example, if a plant with the usual safety systems could not be located on a specific site because accident doses exceeded the reference limits, it was possible to make the plant acceptable for the same site by the improvement of the systems for fuel integrity protection in case of accidents.

The dose limits varied somewhat between various countries, but they were of the order of 5 mSv (500 mrem, effective dose) to the critical group of the population outside the exclusion zone for every credible accident (design basis accidents); some increase of this limit up to the level of tens of millisievert for single specific accidents could also be accepted. In order to evaluate the consequences of these accidents, then, no conventional figure for the releases is used (such as the TID figures). On the contrary, conservative but more realistic assumptions are adopted; typically, the iodine released in the containment is assumed equal to the inventory in the fuel–clad interface, equal to 1%–5% of the total core inventory, instead of the TID 50%.

In Europe, the need to take account of the specific plant features for the evaluation of the acceptability of the site arises from the much higher population density in Europe in comparison with that of the United States (approximately 200 inhabitants per square kilometer and 30 per square kilometer, respectively). It is therefore much more difficult to find low population sites in Europe.

The different population densities in Europe and the United States have also brought about differences in accident emergency plans: in the United States, the provision of a complete evacuation of the population within 16 km of the plant in a few hours is adopted, while in Europe the maximum comparable distance is equal to 10 km. It is indeed difficult to assure the evacuation of population centers with tens, hundreds, or thousands of inhabitants. Here too, the countries’ differences in demographic conditions have to be compensated by additional plant features (generally, the use of double containment provided with intermediate filtration systems and the use of elevated stacks).

The practice in the Far East (Japan, South Korea) is similar to the European one.

These differences in the fundamental approach to safety among various countries have always been thought by the general public to be a weakness of the nuclear industry, thereby affecting their acceptance of nuclear energy. These differences have always been a source of confusion in the mind of the public and, therefore, they aggravate the public distrust in the safety of this energy source. Many attempts have been made, in the international and community arenas where nuclear safety is discussed (IAEA, OECD, EU), to adopt unified criteria (see Chapter 18: Nuclear Safety Criteria). The aim of agreeing on common criteria has been reached only at the expense of unification at a higher logical level, therefore leaving untouched the differences previously described, for example, leaving to the freedom of each country the definition of acceptable distances or doses.

In this period up to the TMI accident, three other facts influenced nuclear safety technology: defence against nonnatural external events; the preparation of the Rasmussen report, WASH 1400; and the introduction of quality assurance (QA) in design, construction, and operation of plants.

The first of these, the defence against nonnatural external events, would not deserve specific mention and discussion, except that its motivation has changed with time. For example, the initial official incentive for the reinforcement of plant structures and components of many reactors consisted in the defence against the accidental fall of an aircraft, while, subsequently, it was provided to defend against sabotage performed by the use of aircraft, but also by explosives of various kinds. In effect, the strengthening of structures and components was initially made in Germany as a consequence of the high number of crashes of the Lockheed Starfighter fighter plane in the 1960s. Subsequently, with the onset of terrorist activity in the 1970s, the need arose to defend nuclear plants against hypothetical external attacks conducted with the use of projectiles and of explosives. At this point, it was discovered that the German protection against the plane crash could also envelope a sufficient number of sabotage events based on the use of explosives. Therefore as many people preferred not to mention these sabotage protections explicitly, the corresponding provisions were named in the official documents as protection against plane crash.

Plant protection against the various effects of the impact by a fighter aircraft (weighing about 20 t) was adopted at least in Germany, Belgium, Switzerland, and Italy, whereas in other countries the protection against the fall of a smaller sports aircraft was chosen, frequently only if justified by the proximity of an airport. No country explicitly adopted the protection against the impact of a wide-bodied airliner of the Jumbo Jet type (weighing about 350 t), which would be far more onerous (possibly requiring the underground location of plants). It was calculated that the protection against the fall of a fighter aircraft included the protection against the fall of a large airliner too if the impact takes place with less damaging characteristics (lower speed of impact, shallower angle of impact, and so on) than those which would cause the worst structural consequences (see Chapter 17, Resistance to External Impact, for more on aircraft impact.)

The second influence, the Rasmussen report, first published in 1975, was sponsored by the Nuclear Regulatory Commission (NRC—the successor to the AEC in control of peaceful applications of nuclear energy and the regulatory body on nuclear safety matters) with the aim of outlining an overall picture of all the conceivable accidents and of their probabilities, in order to identify the risk connected to a nuclear plant. It was the first time a study that included all conceivable accidents had been made. It included less probable scenarios too, such as the catastrophic explosion of a reactor pressure vessel and an estimate of the probability of each of them. It should be understood that the probability data concerning the most unlikely phenomena are scarce or even absent given the impossibility of studying these phenomena by experimental tests and the scarcity of applicable real-life data. In some ways, quantifying these events in a report was a bold decision, but, once the objective of the study was decided upon, nobody questioned the feasibility of it. Subsequently, once the report was published, criticism ensued: some people said that it was inscrutable, others criticized the completeness of the database, and others criticized the inconsistency of the executive summary with the main report. In the second, and final, edition some evident insufficiencies were corrected, but some of the criticisms remained unresolved. Whoever it was who started a risk study of the first cars, of the first railway trains or of the first airplanes, would have met the same difficulties. However, with the passing of time, the report has remained a fundamental reference for any safety and risk evaluation. Nobody could support the validity of the absolute quantitative risk evaluations contained in it, but, at the same time, the validity of this study and of the similar ones which followed is universally acknowledged as far as the relative probability estimates are concerned for detection of weak points in a specific design. In substance, the Rasmussen report and similar studies are possible judgment instruments in the nuclear safety field, although they cannot be used alone. Sound engineering evaluations, based on operating experience, even in different but similar fields, and on research results, are the necessary complement to the probabilistic evaluations.

In the history of nuclear safety technology, the Rasmussen report did not solely represent a methodological advancement. Severe accidents (those accidents more serious than those up to then considered credible) were included, especially after the TMI accident, in the design considerations for nuclear plants.

Finally, the start of the application of QA in nuclear engineering has to be mentioned. According to this management system, the quality of a product is guaranteed by the control of the production processes, more than by the control of the products themselves. Certainly this represents remarkable progress toward the achievement of products better complying with their specifications; however, the implementation of this system requires a significant effort in the field of activity planning and of the management of the documentation, entailing a corresponding cost burden.

1.2.3 From the Three Mile Island Accident to the Chernobyl Accident

In March 1979, during a rather frequent plant transient, a valve on top of the pressurizer of the TMI plant (Pennsylvania, United States) remained stuck open, giving rise to a continuous loss of coolant. In an extremely concise way, an opening in that position (although this fact had not been sufficiently studied and publicized in the technical literature) generated over time a situation of a void reactor pressure vessel and of a full pressurizer.

This accident demonstrated that the attitude of many technical people toward nuclear safety was careless and optimistic. It could also be concluded that bad surprises caused by a nuclear plant could be avoided only at the expense of a strong change in their mindset toward safety itself.

These conclusions were shared by practically all technical people and all over the world. Some optimists still existed, however. They were convinced that all the blame for the accident had to be placed on the operators who had not correctly diagnosed the plant conditions in time, and that all the problems could be solved by the use of more stringently screened operators.

It can be said that this accident completely changed the attitude of the industry toward safety in all the OECD countries. The provision of features previously considered to be pointless by some (such as the presence of a leakproof, pressure resistant containment) was acknowledged as valid in the light of the possibility of unforeseeable events. Two organizations were created for the exchange of information on operational events at nuclear plants and for the promotion of excellence in the nuclear safety field: the Institute of Nuclear Power Operations in the United States and the World Association of Nuclear Operators (WANO) internationally. In the United States, within the NRC, a specific office was created (Analysis and Evaluation of Operational Data) for the analysis and the dissemination of operating experience. Long lists of lessons learned were prepared and a TMI Action Plan compiled which contained a large number of specific provisions against the possible repetition of similar accidents in the future. The implementation of these provisions cost each plant an amount of money ranging between several million dollars and several tens of millions of dollars. Above all, two concepts were underlined and reinforced: the concept of defence in depth and the concept of safety culture.

According to a number of experts, in particular from the former USSR, the attitude of the industry toward safety also changed in Eastern Europe after the TMI accident: already in early 1980s, Russian designers of VVER reactors proposed a number of measures for safety improvements.

The defence in depth initiative is a concept meaning that many, mutually independent, levels of defence against the initiation and the progression of accidents are created. The various levels include physical barriers, such as the fuel cladding, the primary system, and the containment. Five levels are defined: good plant design, control systems, emergency systems, accident management, and emergency plans.

The safety culture concept is defined as the set of convictions, knowledge, and behavior in which safety is placed at the highest level in the scale of values in every activity concerning the use of nuclear energy.⁷

The result of these initiatives, together with the Rasmussen report and the TMI accident convinced many countries to pay attention to severe accidents. Severe accident occurrence was introduced as a consideration in the design and operation of plants.

A severe accident is defined as one exceeding in severity the Design Basis Accidents, which are those against which plant safety systems are designed in such a way that:

• The core does not exceed the limits of irreversible damage of the fuel (e.g., 1200°C maximum temperature and 17% local oxidation of the claddings) (US Code of Federal Regulations, 2004b).

• The external releases do not exceed the maximum tolerable ones, according to the national criteria in force.

In many cases it is considered, as an accident progressively worsens, that the limit for which it becomes severe is the attainment of 1200°C in the fuel cladding since at about this temperature the progression of the water–cladding exothermic reaction becomes autocatalytic and proceeds at a high rate. The IAEA definition for severe accidents is accident conditions more severe than a design basis accident and involving significant core degradation (IAEA, Safety of Nuclear Plants: Design, SSR-2/1).

All the OECD countries (but also others) agreed on the advisability of studying and of implementing severe accident management techniques on their plants. These provide equipment and emergency procedures for severe accidents which, in the extreme case of reaching a situation close to a severe accident, prevent its occurrence or, at least, prevent it from worsening. Examples of typical equipment and procedures for severe accidents are the following:

• portable electric energy generators, transportable from the plant to another on the same site or on a different site;

• procedures to supply electric energy to the essential loads, in case of total loss of electric power; and

• procedures for the voluntary depressurization of the primary system in case of loss of the high pressure emergency injection systems, and so on.

By the 1980s, practically all the plants in the OECD area were equipped with Severe Accident Management Plans to various degrees of completeness. Some countries have progressed further than others, instigating real plant modifications as a means of implementing their Accident Management Plans. France, Germany, and Sweden (and others) have installed filtered containment venting systems designed to avoid the rupture of the containment in case of a severe accident entailing the slow overpressurization of the building beyond its strength limits (this situation could happen in every accident scenario without sufficient cooling of the core and of the containment). Other countries, such as the United States, concluded that these systems were not needed, on the basis of a cost–benefit analysis.

In Italy, a set of criteria were developed, the 95%–0.1% criterion, according to which, by the installation of appropriate systems (including a filtered venting system for at least one reactor), a release of iodine higher than 0.1% of the core inventory could be avoided with a probability higher than 95%, conditional upon core melt (defined as attainment of a cladding temperature higher than 1200°C). Obviously, no single events of very low probability were considered, such as a pressure vessel explosion due to a mechanical defect. A similar criterion was adopted in Sweden.

Among the proposals at this time was one that concerned a preventative system for the voluntary depressurization of the primary system in pressurized water reactors (PWRs) and for the passive injection of water into the primary system for about 10 hours. This core rescue system could decrease the core melt probability by a factor of at least 10. The system was proposed as a modification of the design chosen for the Italian Unified Nuclear Design, but was not considered necessary by the designers at that time. A few years later, the designers applied it, with modifications, to the passive reactor AP600. Another reactor design (this time German) has a similar system. The voluntary primary system depressurization has subsequently been adopted by all the more modern PWR designs, such as the European Pressurized Reactor (EPR) and the System 80.

1.2.4 The Chernobyl Accident and After

In my opinion and the opinion of other experts, there were two primary causes of the Chernobyl tragedy. The first was that although the plant was certainly very good from a production point of view, it had been designed with excessive optimism as far as safety was concerned. Indeed, in some operating conditions (low power, low steam content in the pressure tubes) the reactor was very unstable, in the sense that an increase in power or a loss of coolant tended to increase its reactivity, increasing the power autocatalytically. In this way, the destruction of the reactor and of the plant could be initiated. Moreover, with completely extracted control rods (a situation forbidden by the operating procedures), the potential instability was more severe and, additionally, the use of the scram acted as an accelerator and not as a brake in the first moments of the rod movement (an inverted scram).

The second fatal circumstance was that the operators were working, on that night in April 1986, in a condition of frantic hurry for various reasons.

Although this reactor had been provided with leakproof and pressure resistant containment as a result of the prevailing changes in attitude already discussed, the containment did not include a significant portion of the reactor itself (a remarkable design decision). In particular, the fuel channel heads were directly put in a normal industrial building. A completely uncontained accident, therefore, happened. The reasons for the adverse design characteristics may have been financial (but expert opinion differs).

The general lesson to be learned is always the same: no weak points compromising, safety must be left in a plant. Human errors, as in the cases of TMI and Chernobyl, will succeed in finding them and will cause disasters and fatalities. I do not believe, as some antinuclear people maintain, that if an accident can happen, sooner or later it will happen; however, experience indicates that accident possibility must be seriously considered during all the phases of the life of a nuclear plant.⁸

However, for the sake of completeness, it has to be said that the Chernobyl-type reactors were not well known in the Western world. The pertinent information was kept somewhat confidential because this reactor could potentially be used for plutonium production and therefore it was interesting from a military point of view.⁹

A confidential safety analysis of an RBMK reactor, similar to the Chernobyl one, was performed some years before the accident by a European design company. It concluded that this reactor, in many respects, did not meet the safety standards in use in the Western world. Copies of this safety analysis were circulated among the experts after the Chernobyl accident.

The Chernobyl accident, with its consequences (both local and afar) had not much to teach the Western nuclear safety engineers as the reactor’s shortcomings were all accurately known and avoided in their designs.¹⁰

Obviously, it was not possible to convince the public that such an accident could only happen in that specific design of reactor. In Italy, for example, some political parties exploited the evident fear generated in the population and, substantially, led the country toward the immediate and sudden dismissal of the nuclear source of power, with understandably prohibitive costs.

In general, after Chernobyl and as a consequence of that accident, two ideas gained momentum:

1. Nuclear plant design, evolved by successive additions, had become too complicated and it was useful to think of simpler systems, based on concepts of passive rather than active safety.

2. Accidents, even the most severe ones, should have modest consequences beyond the exclusion zone of the plant and so should require smaller emergency plans, especially concerning the quick evacuation of the population.

The United States was frequently against any simplification of its emergency plans in order not to change their well-established system of siting decoupled from the characteristics of the plants. This system, after all, was well accepted by the technical bodies and by the population.

The concept of passive safety meant the use of systems based on simple physical laws more than on complex equipment. One example is represented by safety injection systems on water reactors which use gravity as a motive force and not pumps. This principle was, for example, adopted in the passive PWR AP600, certified by the NRC in 1999. It comprises a voluntary fast depressurization system of the primary circuit and the provision of a water reservoir in the containment located at an elevated position with respect to the reactor vessel. Passive cooling of the containment was also incorporated in the design. Evidently, however, neither of these new concepts nor the industrial weight of the NRC certification are sufficient to immediately convince the investors because, up to now (2005), no new AP600 has been ordered.

A weak point of this concept has always been the reduced power and its consequent bad scale economy. The 600 MWe rating was initially chosen on the basis of a poll among the US utilities on the basis that this was the preferred size of a power station (lower financial risk and correspondence with the dimension of the electric grids served by the single utilities). The designers thought that they could in any case be competitive because of the use of passive components (i.e., with a reduction of installed components) and because of a general simplification of the plant. It seems now that this objective can be more easily reached by the AP1000 design (namely with a power of 1000 MWe), whose design has been recently (2004) approved by the NRC.

A design where the passive safety has been adopted with a higher degree of caution but with a strong tendency toward the reduction of emergency plans is the French–German EPR of approximately 1400 MWe, where many precautions against severe accidents have been taken (e.g., molten core containment structures, core catchers, multiple devices for the quick recombination of hydrogen, and voluntary primary system depressurization).

In 2001 The Generation IV International Forum (DOE + other members) was created with the purpose to develop more economical and safer nuclear reactors for the future. It can be said that cheaper may also mean safer plants since some aversion from expenses in plant modifications required for safety reasons, might be attenuated.

The following reactors were identified:

• gas cooled fast reactor;

• lead cooled fast reactor;

• molten salt reactor (including the fast, thorium fueled breeder reactor, also studied by the SAMOFAR Consortium in Europe);

• sodium cooled fast reactor;

• supercritical water-cooled reactor; and

• very high temperature gas reactor.

To be noted, here, is the WENRA (Western National Regulators Association) statement in 2010:

New Nuclear Power Plants to be licensed across Europe in the next years will be safer than existing ones, especially through improvements in the design.

A statement like this one by an official international body was awaited by many safety specialists from years 1980s (after TMI accident). This delay was motivated by the possible negative reaction by the public concerning the safety of existing reactors (notwithstanding the favorable factor of the available operating experience).

1.2.5 Fukushima Accident and its Lessons

The Fukushima accident happened on March 11, 2011, as a consequence of a destructive tsunami following a Magnitude 9 earthquake offshore the East coast of Japan. A 15-m-high run-up wave hit the Fukushima six boiling water reactors (three of which in operation and all six to be considered vulnerable).

The inundation design height was 5.7 m above sea level; this subject was still under discussion on the basis of new evidence when the accident happened. All electric power was lost in Reactors 1, 2, and 3 and their core melted with development of an explosive cloud inside the containment, which eventually exploded. No early fatalities due to radiation were recorded, although estimates of future possible deaths (according to the still discussed linear dose-damage assumption) range in the hundreds of