Some Aspects of Nuclear Accidents and Their Mitigation

4.1 REACTOR ACCIDENT CLASSIFICATION BY PROBABILITIES

The robustness of an engineering system is limited by economic factors in the sense that expenditure is only justified in making the plant adequate for its intended purpose. Failure to recognize this principle results in the equipment losing its market or not being built, through either excessive price, or on the other hand lack of reliability and performance. Where a catastrophic failure in components could be the precursor to loss of life, and a nuclear power station is not unique in this respect,¹ reliability and performance necessarily include the safety of the plant’s operators and of the general public. Under these circumstances, the statistical risks to life and to the environment must be quantified, provided with ranges of uncertainty, and compared with other risks present in everyday life. Such an unambiguous scientific approach orients designers toward definite goals, identifies “weak links” in a proposed system, and most importantly establishes quantitative criteria for a decision-making process [156].

1 Refer to Section 1.3 regarding failure of the Banqiao Dam.

Nuclear Electric Power: Safety, Operation, and Control Aspects, First Edition. J. Brian Knowles.

© 2014 John Wiley & Sons, Inc. Published 2014 by John Wiley & Sons, Inc.

The various fault conditions of a nuclear power station may be broadly classified in terms of the probabilities of their occurrence [59,65]. Historically, the distinction has been drawn between

DESIGN BASE ACCIDENTS with a typical aggregate probability < 3 × 10⁻⁴ per operating year

SEVERE OR OUTSIDE DESIGN BASE ACCIDENTS with a typical aggregate probability < 10⁻⁷ per operating year

Because of the considerable operating experience with conventional plant items like feedpumps, turbines and electrical distribution systems, the probabilities for many design base accidents can be specified with relatively small uncertainties. From a mathematical or philosophical view, data exist from which a relative-frequency estimate of a failure probability can be made in an a posteriori sense. On the other hand, Severe Accidents can involve events outside direct experience (e.g., fuel-coolant interactions involving tonne quantities). In this case, failure probabilities must be assessed a priori, with relatively larger uncertainties, by an informed judgment of the available indirect evidence. These two probabilities are patently quite different in concept, and in fact form the basis of the frequentist (Venn) and Bayesian philosophies [159,160]. However, by regarding the experience of plant component failures and current scientific knowledge about the underlying physical processes in a Severe Accident as information that allows judgments to be refined, it is possible to pursue a unified conceptual approach [176]. Thus all probabilities in nuclear power plant risk assessments may be considered as Bayesian in concept and as having the familiar combinatorial properties.²

Design Base Accidents (DBA) usually originate from the failure of a single comparatively inexpensive component. On the other hand, Severe Accidents, which were described as hypothetical before Three Mile Island, have relatively low probabilities because they generally³ originate from multiple failures of massive static structures and/or plant protection systems whose reliability is deliberately enhanced by redundancy. With these observations in mind, typical design goals may be related to the probability of a fault’s occurrence [59,65]. Thus normal operational fault transients with a probability of greater than 3 × 10⁻⁴ per year are required neither to prejudice the design life of a plant nor to progress beyond the failed item. Restricted progression of damage is permissible for less probable faults within the Design Basis, but there must be only a minimal release of fission products. From these more serious design base faults designers select, by past experience, certain so-called “limiting events”⁴ for which the adequacy of safety systems is confirmed by experiments and digital simulations. All other events within the design basis are then argued to have less serious consequences (e.g., lower fuel temperatures, higher coolant flows, etc.) than the limiting events, thereby establishing the safety of the plant for Design Base Accidents. Section 3.4 illustrates the ad hoc methodology behind the design of DBA control strategies.
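The following Python is an added worked example, not from the book, that puts the two preceding paragraphs into one computation: a Gamma prior on a fault rate stands in for the a priori judgment from indirect evidence, operating experience refines it through the conjugate Gamma-Poisson update (the unified Bayesian treatment described above), and the resulting per-year probabilities are aggregated within each class and compared with the 3 × 10⁻⁴ and 10⁻⁷ goals. Every fault name, prior and operating-experience figure below is a constructed assumption for illustration, not plant data from the text.

```python
"""Bayesian refinement of fault probabilities and a check of the aggregate
design goals (3e-4 and 1e-7 per operating year).

Added example: all fault names, priors and operating-experience figures are
constructed assumptions, not data from the book.
"""
from dataclasses import dataclass
from math import prod, sqrt

# Design goals as stated in the text, per operating year.
DBA_AGGREGATE_LIMIT = 3e-4      # all design base accidents together
SEVERE_AGGREGATE_LIMIT = 1e-7   # all severe (outside design base) accidents together


@dataclass
class FaultEstimate:
    """Fault rate lambda (events per operating year) with a Gamma(shape, rate) prior.

    The prior encodes the a priori judgment from indirect evidence; operating
    experience (events seen over exposure_years) refines it through the
    Gamma-Poisson conjugate update, so both kinds of estimate share one form.
    """
    name: str
    prior_shape: float
    prior_rate: float
    events: int = 0
    exposure_years: float = 0.0

    def posterior(self) -> tuple[float, float]:
        # Gamma(a, b) prior + k Poisson events in T years -> Gamma(a + k, b + T).
        return self.prior_shape + self.events, self.prior_rate + self.exposure_years

    def rate_mean(self) -> float:
        a, b = self.posterior()
        return a / b

    def relative_uncertainty(self) -> float:
        # Coefficient of variation of a Gamma(a, b) variable is 1/sqrt(a):
        # many observed events -> small uncertainty; pure judgment -> large.
        a, _ = self.posterior()
        return 1.0 / sqrt(a)

    def annual_probability(self) -> float:
        # Posterior predictive P(at least one event in one operating year).
        # Integrating 1 - exp(-lambda) over Gamma(a, b) gives 1 - (b / (b + 1))**a,
        # which carries the remaining uncertainty in lambda into the probability.
        a, b = self.posterior()
        return 1.0 - (b / (b + 1.0)) ** a


def classify_by_frequency(p: float) -> str:
    """Faults more frequent than the DBA limit are operational transients,
    which must not damage anything beyond the failed item."""
    return "operational transient" if p > DBA_AGGREGATE_LIMIT else "design base fault"


def aggregate_probability(probabilities) -> float:
    """P(at least one of several independent faults occurs in a year)."""
    return 1.0 - prod(1.0 - p for p in probabilities)


def check_design_goals(design_base, severe) -> dict:
    """Aggregate each accident class and compare it with its goal."""
    dba_agg = aggregate_probability(f.annual_probability() for f in design_base)
    sev_agg = aggregate_probability(f.annual_probability() for f in severe)
    return {
        "dba_aggregate": dba_agg,
        "dba_goal_met": dba_agg < DBA_AGGREGATE_LIMIT,
        "severe_aggregate": sev_agg,
        "severe_goal_met": sev_agg < SEVERE_AGGREGATE_LIMIT,
    }


# Constructed sample data (assumptions for illustration only).
# Conventional items: weak prior, substantial operating experience.
FEEDPUMP_TRIP = FaultEstimate("feedpump trip", 0.5, 1.0, events=120, exposure_years=400.0)
STEAM_LINE_BREAK = FaultEstimate("main steam line break", 0.5, 1.0, events=0, exposure_years=3000.0)
FEED_LINE_BREAK = FaultEstimate("feedwater line break", 0.5, 1.0, events=0, exposure_years=6000.0)
# Severe accidents: informed judgment only (mean 1e-7/yr, 100% relative uncertainty).
FCI_LARGE = FaultEstimate("large-scale fuel-coolant interaction", 1.0, 1e7)
VESSEL_FAILURE = FaultEstimate("pressure vessel rupture", 1.0, 1e7)


def demo() -> dict:
    goals = check_design_goals([STEAM_LINE_BREAK, FEED_LINE_BREAK], [FCI_LARGE, VESSEL_FAILURE])
    goals["feedpump_class"] = classify_by_frequency(FEEDPUMP_TRIP.annual_probability())
    return goals


if __name__ == "__main__":
    for f in (FEEDPUMP_TRIP, STEAM_LINE_BREAK, FEED_LINE_BREAK):
        p = f.annual_probability()
        print(f"{f.name:36s} lambda={f.rate_mean():.3e}/yr  cv={f.relative_uncertainty():.2f}  "
              f"P(year)={p:.3e}  {classify_by_frequency(p)}")
    for f in (FCI_LARGE, VESSEL_FAILURE):
        print(f"{f.name:36s} lambda={f.rate_mean():.3e}/yr  cv={f.relative_uncertainty():.2f}  "
              f"P(year)={f.annual_probability():.3e}  severe (a priori)")
    print(demo())
```

With these assumed inputs the feedpump trip (120 events in 400 reactor-years) comes out as an operational transient with a coefficient of variation below 10%, the two pipe breaks with zero observed events stay within the design basis and aggregate to about 2.5 × 10⁻⁴ per year, while two severe sequences judged at 10⁻⁷ each already exceed the 10⁻⁷ aggregate goal, which is the point of stating the goal on the aggregate rather than per event.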

Severe Accidents in nuclear power plants are characterized by the melting of a significant part of their fuel inventory. Some 98% of a plant’s radionuclides are locked away in the fuel’s crystal lattice [65], and the actual amounts increase with operational life (burn-up). Melting releases and accumulates them for a potentially large atmospheric release (> 1 kCi), and to protect the locality licensing regulations after Three Mile Island typically stipulate [59,65,91,108]

1. The aggregate probability of all Severe Accidents must be no greater than 10⁻⁷ per operating year.

2. The most exposed individual is subject to a quantified, not unreasonable hazard. At Three Mile Island this person received less than 20% more than the natural background [66] dose⁵ of 2–3 mSv.

3. The number of additional cancers expected is demonstrably very much less than the normal incidence [157].

4. The obligatory preparation of a well-conceived evacuation plan for plant staff and public. Fatalities at Three Mile Island were caused by road accidents in the panic exodus.

5. The mandatory simulator training of plant staff and a designated hierarchy of responsibility based on professional skills and experience.

Measures to achieve these objectives will be outlined below. The dangers posed by some reactor fission products will be addressed next.