Annals of Nuclear Science and Engineering, Vol. 1, pp. 203 to 207. Pergamon Press 1974. Printed in Northern Ireland
REACTOR SAFETY AND SITING

P. TANGUY
Département de Sûreté Nucléaire, CEA, France

INTRODUCTION

First of all I should like to define the scope of this paper, which deals with a vast subject, abundantly discussed and highly controversial. For some years, problems related to the safety and siting of nuclear installations in general, and of nuclear reactors in particular, have been the object of a dispute between the promoters of nuclear energy and environmentalists, and this has already produced a considerable literature that grows every day. At the same time, nuclear specialists organise many symposia and publish extensively on the subject, and to summarize all the available material would be a huge task (IAEA Symposium, Feb. 1973; WASH 1250, 1973). Some people believe that the emphasis currently placed on safety matters is out of proportion to its real significance: for them, the hazards involved in the use of nuclear energy, the reality of which they do not contest, are no more important than the risks associated with some other industrial activities, and therefore do not justify the huge expenses dedicated to them; a correct cost-benefit analysis ought to show that these expenses could be better used elsewhere (IAEA Symposium, May 1973; Congress Foratom, 1973). Some psychologists think that the whole of the present nuclear controversy ought to be placed in a psycho-analytic perspective; the violent collective reactions against nuclear power plants could represent a projection of generally unconscious phantasms about nuclear weapons, and in that case would be just "a come-back of unconscious repressions and a confusion of fears" (Guedeney and Mandel, 1973). It is out of the question for me to deal with so complex a subject, on which my competence is limited. I shall therefore intentionally omit the "nuclear controversy" aspect of the subject, although this does not mean, of course, that I underestimate its importance.
Besides, its consequences for the technical aspects of the problem cannot be ignored: as a matter of fact, some safety studies are directly related to concerns expressed by opponents of nuclear energy. So I shall restrict myself in this paper to technical matters, without the ambition of covering the whole field, but attempting to outline some particularly important points.

METHODOLOGY

The definition of nuclear safety is relatively easy, because the concept itself exists in a similar form in other industrial areas. The object of safety is to define the nature and magnitude of the risks associated with the operation of nuclear energy, and to propose measures apt to minimize the hazards, for the plant workers as well as for the environment and the public. I shall not deal extensively with the legal and regulatory aspects, which differ from country to country but which are nevertheless an essential dimension of safety: nuclear power plants, like other nuclear installations, must be authorized by public authorities; authorizations are issued according to regulatory texts, and their enforcement is checked by inspectors. I shall now examine in more detail the technical safety assessment necessary for an authorization to be delivered.

As a general rule, a safety analysis must be done at each step of the design, construction and operation of the reactor: for the choice of a site, at the beginning of construction, during commercial operation (especially in the case of modifications or incidents), and finally when the installation is definitively shut down and possibly dismantled. In agreement with Bourgeois (1973), I think it is necessary to outline several points:

(1) It is the responsibility of the manufacturer and the operator to demonstrate that the installation they intend to build and operate does not present unacceptable risks for workers and for the environment, and it is important that this demonstration be provided in written documents, prepared by technical staff well aware of the problems. These documents should be examined by competent experts with no connections with manufacturers and operators. The experts are not to dictate the measures to be taken to ensure safety, but only to give an opinion on the proposed provisions. No faultless analysis can be guaranteed, but the gathering of well-argued documents is the one thing apt to give the necessary assurances, in particular to the public authorities.

(2) The manufacturers may have to make some modifications to the installation following the advice formulated during the safety analysis. It is essential that discussions take place as early as possible during construction, so that any modifications can be fitted into the schedule in the best way. Conversely, the manufacturer, and his sub-contractors, ought to know from the beginning the safety requirements and criteria which will be considered during the analysis.

(3) The information gained from safety research and from operating experience must be included in the safety analysis. Safety rules and criteria necessarily have a provisional character. Nuclear technology is presently developing rapidly, and components, as well as performance, are in permanent evolution. It therefore seems an illusion to hope, at least for the moment, that a safety analysis could be only an examination of compliance with immutable criteria.

Beyond these general aspects, several different approaches can be considered in view of the result to be achieved: to ensure a safety level sufficient for the public authorities to issue an authorization. Presently a certain number of concepts seem to emerge on which all safety organizations, with some slight differences, agree as a basis for their analyses.

At a first level, public protection against the accidental release of radioactive products relies upon the existence of several successive "barriers", and the safety analysis should consist in checking the validity of each barrier and its correct operation in normal and abnormal operating conditions.

At a second level are examined the "safety functions", which are generally associated directly or indirectly with the behaviour of the barriers, and the corresponding actions which should maintain the integrity of the barriers under all circumstances.
At a third level are studied the consequences of hypothetical accidental sequences resulting from transgressions of the operating instructions or from defects or failures of components: this is the concept of "defence in depth".

Lastly, the safety level obtained is evaluated, at least qualitatively, by associating notions of probability with the various evaluations of the consequences of accidents. Later, I shall deal in more detail with the probabilistic aspect of safety reviews.

Before leaving the question of methodology, I want to state that the approach briefly described above, in which accident prevention appears as the prime aspect of the safety analysis, gives safety a more positive character than an approach reduced to the study of accidents only. If it is possible in some cases to question the somewhat conventional character of the accidental sequences, or "reference accidents", on which safety would be based, one cannot dispute the soundness of accident prevention. From this point of view, safety is certainly bound to become involved in many technical aspects of reactors, but its approach is often parallel to that of the operators, who attempt from their side to ensure the maximum availability of their plants.

USE OF PROBABILISTIC NOTIONS

Since a safety review has for its object the evaluation of the consequences of various accidental sequences following operating errors or design or construction mistakes, one can achieve a correct estimation of the hazards only in so far as the probability of occurrence of these accidents can be evaluated. It is therefore natural to introduce probability notions into safety analyses, and an increasing trend toward this can be noticed in many countries since the first ideas were given by Farmer (1967). The techniques used in reliability work (failure or decision trees, logical diagrams) are by now an extremely useful tool, in particular in the examination of barriers and their associated functions. Thus when, for a given barrier, the accidental transients able to attack its integrity are surveyed, probability techniques allow one to check that no dangerous "critical path" has been overlooked; they bring to light the weak points of the systems on which the global reliability depends, and to which it may appear necessary to add redundancy or diversity; and they give the only objective criteria for choosing between the various safety actions possible in the case of an incident.
There are nevertheless a number of problems still not entirely solved in the use of these reliability techniques to give absolute numerical results. As far as computational means are concerned, the complexity of the systems to be analysed requires the development of rather heavy and costly computer codes. But the main difficulty probably lies in the present lack of numerical data to be fed into the codes: statistical experience is generally limited and deals mostly with an obsolescent technology; for some components of importance for safety, the probabilities of failure must reach very low levels, difficult to prove experimentally; finally, when redundant systems are involved, extreme care must be taken over the possibility of "common mode failures", which can make reliability evaluations meaningless. A great effort is currently being made on all these problems, and interesting results have already been obtained by numerous organizations; I shall mention only the work of the SRS (System Reliability Service) in the United Kingdom and that of the USAEC (Prof. Rasmussen's group) in the United States. I think it worthwhile, as an example, to take from a recent CEA report (Blin, 1973) the table in the Appendix, which shows how, from a limited experience on French nuclear power plants, it has been found possible to deduce ranges for the reliability of certain equipment of importance for safety. I must add that this work was done using information not initially designed to provide reliability data.

Beyond this use of reliability techniques in safety reviews, an alternative approach has also been suggested, which would take as its starting point a maximum figure for the probability of an accident of great magnitude, a value judged acceptable by regulatory staffs, from which the acceptable failure probabilities of the various reactor components and sub-assemblies would be deduced. A figure of 10^-6 per reactor per year has even been proposed as the limiting probability for a hypothetical accident giving a marked release of fission products outside the plant (AIF/ANS, 1972). This idea is theoretically attractive, but its practical use could in my opinion raise some difficulties: on the one hand, it seems difficult to deduce from the global accident probability a failure probability at the component level, for the reasons already mentioned, and the available operating experience is obviously meaningless for probabilities so low; on the other hand, it is to be feared that a general consensus on a global criterion of this type would not be easy to reach. The proposed figure could always be questioned, and it cannot be seen how this would effectively improve the safety of installations. For my part, while I am in favour of a progressive introduction of notions of equipment reliability and incident probabilities into safety reviews, I wish the introduction to be conservative, and that numerous international contacts should ensure a good harmonization of the points of view of the different countries.
REACTOR OPERATING EXPERIENCE

It seems necessary to go back to reactor operating experience; the results of this experience must be taken into account in the technical safety assessments of new plants. Emphasis is often placed on the particularly satisfying record of nuclear energy in general, and of nuclear reactors in particular, from the point of view of safety, since the number of serious incidents has so far remained extremely small, and since there have never been consequences for the public. Few industries can present a similar record, and this shows well the importance given to safety concerns by the promoters of nuclear energy. Nevertheless, reactors presently in operation have unquestionably experienced a number of incidents of various origins which "could have" resulted in more serious consequences "if" a combination of particular conditions had occurred: for instance, the coincidence of the event with an operating error or another failure, or with exceptional operating conditions. When it is wanted to use the experience derived from the operation, over a limited number of years, of a limited number of reactors in order to extrapolate to very large programmes over a great number of years, it seems necessary to attempt by all means to obtain a thorough analysis of each incident. As a matter of fact, all regulatory provisions in force in the various countries require the reporting and systematic analysis of all abnormal occurrences during operation. Yet it is to be feared that some incidents will lack the wide diffusion which would in my opinion be necessary, either because the utilities are not aware of the interest of this diffusion, or because the diffusion is inhibited by commercial considerations or by national susceptibilities. We all know instances where quicker and more complete information on an incident on a reactor in one country could have prevented or limited a further incident on a reactor in another country.

Recently, an anonymous letter was even used to make known to the safety authorities that an incident had occurred in an installation, an incident which had had strictly no consequences but which could be most useful for further safety surveys (Nucleonics Week, 1973). I think that all people involved in nuclear safety should attempt to promote a better exchange of information at the international level, considering possibly special procedures to protect all susceptibilities. In some cases, such as for aircraft accidents, the anonymity of the reports has allowed this kind of difficulty to be resolved.

RESEARCH PROGRAMMES

If it appears normal that advanced nuclear techniques, such as fast neutron reactors, are the object of safety research programmes, some people wonder why research work of a similar extent has to be carried out for proven reactors such as light water reactors, when many units of these types are presently in operation or under construction all over the world. They see a contradiction between the authorization to operate a nuclear reactor without undue risk to the public and the appropriation of large amounts of money to solve technical problems related to the safety of installations of the same type. Actually, there is no contradiction. Nuclear safety always results from a compromise based on available knowledge and should adapt itself to the evolution of this knowledge. In a safety assessment, one cannot but take a conservative position, i.e. take what could be considered as excessive margins, to be given up only in view of indisputable experimental results. The main purpose of research is then to define the actual meaning of these margins. Simultaneously, research should allow one to establish that no important parameter has been underestimated, and contribute to the present trend towards a decrease of risk probabilities.

An accurate definition of safety research is difficult, since in many fields the boundary between safety and design is partly arbitrary. This is the case for the reliability studies I mentioned above; it is still more the case for studies relating to fuels, the behaviour of which is essential for design economics as well as for safety. Nevertheless, two main orientations of research can be distinguished: that related to accident prevention, in which class I shall mention the considerable work carried out on non-destructive testing and on the in-service inspection of pressure vessels; and that which refers to the concept of defence in depth, by improving the analysis of the course of hypothetical accidental sequences, of which the studies relating to the ECCS for light water reactors are a particularly significant example.
Presently, all nuclear research organizations all over the world devote a marked part of their activity to safety studies. I believe that this trend ought to last for several years ahead, if only because of the predictable evolution of the techniques. In a great number of cases, the research work is performed within the framework of agreements for international cooperation. As a matter of fact, it seems desirable that the safety organizations of the different countries should be able to base their safety assessments on common results, in order to avoid discrepancies which would be hardly justifiable to the public and could slacken the international development of nuclear energy.

SITING

The problems related to the siting of nuclear reactors are essentially quite similar, but they present some specific aspects that are to be outlined. In the study of the interactions between the site and the installation, the first point to be considered is that of the radioactive consequences of reactor operation for the environment, leaving aside thermal, climatic, aesthetic or other aspects. Radiological consequences should be examined from two angles:

- discharges in so-called normal operation; this covers all predictable operating incidents, for which very accurate national and international standards exist, and with which I shall not deal further;

- accidental discharges; their importance and eventual consequences should be evaluated within the concept of defence in depth already mentioned.

The corresponding studies refer, on the one hand, to the physical data of the various sites (meteorology and atmospheric diffusion, which govern the external exposure, often predominant, and hydrogeology, for the hazards of contamination of ground water) and, on the other hand, to biological results depending upon the environment, since the "critical path" may vary widely from one site to another. In both fields, physical and biological, it is difficult to fix a priori a limit to the extent of the studies, which can be developed almost indefinitely if more and more details are wanted. My personal opinion is that, in the present state of the matter, the main efforts ought to be made on physical studies, atmospheric in particular, in order to be able to make a thorough safety analysis of a given site. But a second point is to be considered, and the answer is far from easy: the possible aggressions of the site against the plant itself.
The seismic problems are obviously the first to come to mind in this field; in spite of the advances already achieved, our knowledge is still too inaccurate and, as a result, wide safety margins are necessary as soon as the slightest doubt arises over the possibility of an earthquake, and the implementation of probabilistic evaluations seems particularly delicate in that matter. Aside from earthquakes, other types of aggression ought to be studied, among others aircraft crashes, and also those that could be due to other industrial plants in the vicinity, in particular the oil industry. It seems likely that the wish of the public to concentrate what can be regarded as a nuisance will lead to the consideration of a geographical concentration of nuclear and other plants. Great care must be given to the possible interactions (missiles, fires, explosions, etc.). Lastly, I should like to say a word on the matter of urban siting. Several approaches are possible, including the requirement of additional safety measures when the population density around the reactor increases. I think that the problem is not yet mature, and a clear answer will possibly be given only when more accurate data are available on the quantitative importance of the hazards resulting from reactors.

CONCLUSIONS

As a conclusion, I should like to bring up again the international aspect of nuclear safety. No country can disregard the possibility of accidents occurring in foreign countries, but furthermore a progressive harmonization of safety policies between the various countries is obviously full of advantages. Yet the difficulties resulting from such an undertaking must be well kept in mind, and the approach ought to be very conservative. The multiplication of contacts, which could often be more efficient if established in a flexible and rather informal manner, and an extension of information exchanges on operating experience as well as on the results of research programmes, would appear to me as preambles allowing all interested parties to start from a common understanding of the technical problems governing installation safety.

REFERENCES
AIF/ANS (1972) International Conference on Nuclear Solutions to World Energy Problems, Washington, 13-17 November 1972.
Blin A. (1973) DSN-SETS Internal Report.
Bourgeois J. (1973) L'analyse de sûreté des réacteurs de puissance en France: principes généraux et applications pratiques. Paper presented at the SEE Congress on the Production of Nuclear Electricity, Vittel.
Congrès FORATOM (1973) Centrales nucléaires en Europe: hier, aujourd'hui, demain. Florence, 15-17 October 1973.
Farmer F. (1967) Siting criteria: a new approach. In IAEA Symposium on Containment and Siting of Nuclear Power Plants, Vienna, 3-7 April 1967.
Guedeney C. and Mandel C. (1973) L'Angoisse Atomique et les Centrales Nucléaires. Payot.
IAEA Symposium on Principles and Standards of Reactor Safety, Jülich, 5-9 February 1973.
IAEA Symposium on Environmental Behaviour of Radionuclides Released in the Nuclear Industry, Aix-en-Provence, 14-18 May 1973.
Nucleonics Week, 14 (40) (1973).
WASH 1250 (1973) The Safety of Nuclear Power Reactors (Light Water Cooled) and Related Facilities.
APPENDIX

Table 1. Reliability data deduced from reactor experience (excerpt from Blin, 1973)

Type of component                        Cumulated time   Number of   Mean failure rate λ   90 per cent two-sided confidence interval
                                         (× 10^6 hr)      failures    (× 10^-6/hr)          λmin (× 10^-6/hr)   λmax (× 10^-6/hr)
Channel gas outlet thermocouples         9.6              4           0.4                   0.14                0.92
Ionization chambers                      9.6              0           0.1*                  0                   0.31
Computer relays, input and test output   391.3            59          0.15                  0.12                0.19
Relays used in protection systems        45.9             11          0.24                  0.13                0.38
(component name missing in source)       80.6             13          0.16                  0.09                0.26
All type relays                          858.3            180         0.21                  0.18                0.23

Type of component                        Cumulated time   Number of   Mean failure rate     M.T.B.F.
                                         (hr)             failures
Charge machine                           2367             20          8.5 × 10^-3/hr        118 hr
Blowers                                  31,676           89          2.8 × 10^-3/hr        356 hr

* When no failure has been recorded, a conventional mean failure rate is evaluated from a confidence limit of 60 per cent.
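The figures in Table 1, and the argument in the section on probabilistic notions that very low failure probabilities cannot be proven from limited operating experience, can be reproduced with a short calculation. The following Python script is an added example; it is not part of the paper or of the CEA report it cites. It assumes that the table's intervals are the exact Poisson (chi-square) intervals for a constant failure rate, which the paper does not state, and the rows it embeds are copied from Table 1 as constructed sample input.

```python
import math

# Added example (not from the paper or from the CEA report it cites): how a
# failure rate and its confidence interval are obtained from cumulated
# operating time and an observed number of failures, as in Table 1.
# ASSUMPTION: the table's intervals are exact Poisson (chi-square) intervals
# for a constant failure rate; the paper gives the figures but not the method.


def poisson_cdf(k, mu):
    """P(X <= k) for X ~ Poisson(mu); each term is built in log space so that
    large k (hundreds of failures) does not overflow factorials."""
    if k < 0:
        return 0.0
    if mu <= 0.0:
        return 1.0
    return sum(math.exp(i * math.log(mu) - mu - math.lgamma(i + 1))
               for i in range(k + 1))


def _solve_mu(k, target, hi):
    """Return mu with poisson_cdf(k, mu) == target, by bisection on [0, hi].
    The CDF is strictly decreasing in mu, so the search is well defined."""
    lo = 0.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if poisson_cdf(k, mid) > target:
            lo = mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def rate_bounds(failures, hours, confidence=0.90):
    """Two-sided interval (lambda_min, lambda_max) in failures per hour.

    With n failures in T hours the lower bound solves P(X <= n-1 | mu) = 1 - a/2
    and the upper bound solves P(X <= n | mu) = a/2, lambda = mu / T. This is
    the exact Poisson interval, i.e. chi2(a/2, 2n)/2T and chi2(1-a/2, 2n+2)/2T.
    With zero failures the lower bound is 0: no point estimate is defensible.
    """
    alpha = 1.0 - confidence
    hi = 2.0 * failures + 50.0          # comfortably above any quantile needed
    mu_upper = _solve_mu(failures, alpha / 2.0, hi)
    mu_lower = 0.0 if failures == 0 else _solve_mu(failures - 1, 1.0 - alpha / 2.0, hi)
    return mu_lower / hours, mu_upper / hours


def point_rate(failures, hours):
    """Mean failure rate n/T (the table's 'mean failure rate' column)."""
    return failures / hours


def mtbf(failures, hours):
    """Mean time between failures T/n (the charge machine and blower rows)."""
    return hours / failures


def conventional_rate(hours, confidence=0.60):
    """Zero-failure case: one-sided upper limit -ln(1-c)/T. Table 1's footnote
    uses c = 0.60 to put a 'conventional' figure in the mean-rate column."""
    return -math.log(1.0 - confidence) / hours


def exposure_to_demonstrate(target_rate, confidence=0.90):
    """Exposure (hours, or reactor-years if the rate is per reactor-year)
    needed, with no failure observed, to show the true rate is below
    target_rate at the given confidence: -ln(1-c)/target_rate."""
    return -math.log(1.0 - confidence) / target_rate


# Constructed sample input: rows copied from Table 1 (times in hours).
TABLE_ROWS = [
    ("Channel gas outlet thermocouples", 9.6e6, 4),
    ("Ionization chambers", 9.6e6, 0),
    ("Relays used in protection systems", 45.9e6, 11),
    ("All type relays", 858.3e6, 180),
]


def main():
    for name, hours, n in TABLE_ROWS:
        lo, hi = rate_bounds(n, hours)
        rate = conventional_rate(hours) if n == 0 else point_rate(n, hours)
        print(f"{name:36s} {rate * 1e6:5.2f}  [{lo * 1e6:4.2f}, {hi * 1e6:4.2f}] x 10^-6/hr")
    print(f"Charge machine: {point_rate(20, 2367):.1e}/hr, MTBF {mtbf(20, 2367):.0f} hr")
    # The 10^-6 per reactor-year figure discussed in the paper: reactor-years
    # of accident-free operation needed to demonstrate it at 90 per cent.
    print(f"Reactor-years to demonstrate 1e-6/yr: {exposure_to_demonstrate(1e-6):.3g}")


if __name__ == "__main__":
    main()
```

Run as given, the script prints each row's mean rate and interval; the bounds agree with Table 1 to within a few hundredths of 10^-6/hr, which is the level at which the report rounded them. The zero-failure row shows why the footnote's "conventional" rate needs a stated confidence: with no failures the point estimate is zero and only an upper limit can be defended. The last line shows that demonstrating a rate of 10^-6 per reactor-year with no observed accident would take about 2.3 million reactor-years of operation at 90 per cent confidence, which is the quantitative content of the paper's remark that operating experience is meaningless for probabilities so low.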