Fifty years ago, on 25 March 1957, the EURATOM Treaty was signed. Article 1 stipulates that «it shall be the task of the Community to contribute to the raising of the standard of living in the Member States and to the development of relations with the other countries by creating the conditions necessary for the speedy establishment and growth of nuclear industries». Half a year later, on 10 October 1957, the fire at a Windscale reactor in the United Kingdom released massive amounts of radioactivity with, as a direct consequence and for the first time in Europe, very large quantities of contaminated milk and vegetables having to be destroyed.
(656.5805) Residual Risk Project Team - Nevertheless, the October 1957 Windscale accident had surprisingly little effect on public opinion Europe wide. In the UK the then fledgling civil nuclear industry pressed on with its designs for the first nuclear power stations, Magnox, which like Windscale had no secondary containment whatsoever and the UK government maintained its military imperative of plutonium production, seemingly ignoring the risk of a second radioactive release with its continued operation of the second identical Windscale reactor.
By the mid 1960s nuclear power was firmly established in Europe and its expansion continued apace. However, in March 1979 with a total worldwide experience of more than 1,000 years reactor operation, the pressurized water reactor (PWR) at Three Mile Island (TMI) in the United States sustained a severe fuel core melt and the potential for a very significant release of radioactivity to the environment. Such was the impact of TMI and although the nuclear industry implemented substantial upgrading programs in reactors and reactor designs thereafter, no nuclear plant has been ordered in the United States since and over one hundred projects have been completely abandoned. In Europe the majority of nuclear power plants that had been ordered and/or were under construction at the time of TMI were continued with, in account of design modification delays and construction times, installed capacity continuing to rise until by the end of 1985 a total of 155 power reactors were installed and in operation in the European Union.
In fact by 1986 the European nuclear industry was generally quite buoyant because it had, after all, ridden out the TMI storm albeit having to implement some significant backfitted and expensive safety measures. But then Chernobyl occurred, the worst nuclear power plant accident to date, resulting in a massive and hitherto unimaginable radioactive release that spread contamination widely throughout Europe, with its food and agricultural bans preying on the collective conscious of the general public.
The inexplicable nature and very severity of Chernobyl necessitated significant re-examination of nuclear safety, public explanations were demanded from the industry and its regulators; it practically stopped construction of new nuclear power plants. In the 27 current Member States of the European Union a peak of 177 power reactors was reached within two years of the Chernobyl accident. Thereafter and although a number of pre-Chernobyl ordered reactors had been completed and commissioned, plant closures outweighed new commissionings and resulted in a steady decline of operational reactors in Europe down to the level of 145 units of today.
The lessons learned from TMI had not been sufficient to prevent the Chernobyl accident. At first the worldwide nuclear industry response to the Chernobyl disaster was defensive: it arose because of defective Soviet technology, demoralized operatives, lack of secondary containment, and so on, so much so that Chernobyl was a peculiarly Soviet accident 'just waiting to happen' and that 'it could never happen here'. Away from public scrutiny, however, the nuclear regulatory authorities in the European Union and elsewhere have been implementing revised regulatory regimes. These have required the operators to incorporate numerous improvements in human factor and management procedural aspects of plant operation, enhanced training programs and, where practicable, backfitting modifications and revisions to existing plants.
Significantly, for new nuclear builds the regulatory philosophy has nudged the plant designers to increase the role of passive systems to hold or return the plant and its nuclear processes to a stable, safe state; the outcome of abnormal incidents is now more firmly related to the radiological consequence and individual risk of health detriment; incidents and projected radioactive releases have now to be quantified so that an effective off-site emergency response might be prepared in advance; and, perhaps, most of all, the nuclear industry had to be 'transparent' and demonstrate that for continuing operation of its nuclear plants the 'risks were acceptable and the consequences tolerable'.
Today, 21 years since Chernobyl with 8,000 reactor-years experience accumulated worldwide this post-Chernobyl period has passed without major accident, large-scale contamination and severe radiological consequences - is this an achievement or just simply luck?
To answer this question we have scrutinized the safety records of nuclear power plants in selected countries since Chernobyl, noting that large numbers of abnormal events continue to occur. We endeavor to analyze in depth a selection of these events although there are significant obstacles to a systematic and comparative analysis, including:
- Comparing severe events affecting different types of nuclear power plants worldwide is difficult because, first, there are many terms and definitions describing what could be called a nuclear incident and, second, there is no objective, internationally agreed and recognized definition for particularly severe events, both internal and external, that bear the potential for severe radiological consequences.
- Systems evaluating such nuclear events and their potential are not harmonized and are varying markedly from country to country. The quantification or indices determined do not provide a comparable indication of either safety levels or safety achievement.
- Even in case of the International Atomic Energy Agency's INES ( International Nuclear Event Scale) the values attributed to the events are those reported by the operators of the affected plants or of the national regulatory authorities. There is no system of independent evaluation to make comparisons meaningful and, moreover, in some states the nuclear safety regulator may not be entirely free of political persuasion.
- The INES definitions also exclude a large number of events from technically appropriate rating only because they do not involve any immediate radiological effect. On the whole, there seems to be a tendency towards underestimating the importance of events. Although the IAEA developed the INES from the basis of the former French national event scale, it is the national nuclear authorities of the IAEA member states that determine the final index of the event potential, particularly in that the IAEA gives no direction on how 'cliff edge' situations are to be evaluated in the INES.
- No reporting system has been devised that can unambiguously classify the events and accidents rooted in a huge variety of possible causes. For example was the Davis-Besse reactor pressure vessel head hole a (i) materials defect, (ii) management failure which arose from an inadequate, plant-wide safety culture, (iii) a cascade of human errors linking inspection and surveillance, and/or a (iv) quality assurance program failure, or yet some other cause?
- In general a caution approach is adopted when the possible progression of a pulled-up (arrested) event is postulated. Analysis is tending to be based on those remaining downstream safety systems and countermeasures coming into play promptly and effectively, qui in contrast to the fact that a number of upstream safety systems had already failed, which is portraying an optimistic view of what could have resulted into a much more serious event.
- Whilst reactor shutdowns are generally publicly known, the events that cause them are not always publicized. The international nuclear event database maintained by the IAEA is confidential to its members (the IAEA did not respond to repeated information requests by the coordinator of the present study), and some countries tend to keep details of nuclear event reporting as privileged information that is not subject to public disclosure. Furthermore, post 9/11 much more information relating to plant performance under abnormal operation situations is being held back.
The IAEA does not impose nor require that much discipline for signatory countries when evaluating and reporting incidents. In other words, since there are no clearly established internationally agreed benchmarks to describe, categorize and risk assess events from one country to another, it is not clear how useful statistics could be arrived at. Thus, any one country that reports a large number of events could be revealing a severe safety problem in that country or, on the other hand, it could also be the honest characterization of a specific reporting system with unusual openness in communicating events.
This opportunity for anomaly is revealed by comparing just three countries, France, Germany and the United States.
In recent years the French nuclear power plant operator, EDF, has reported annually between 600 and 800 'significant incidents' (increasing tendency) to the nuclear safety authorities. Of over 10,000 events that were reported between 1986 and 2006, most were considered below the INES scale or Level 0 while 1,615 incidents were rated INES Level 1 and 59 Level 2. One event has been given a Level 3 rating2. In comparison, since the implementation of INES in 1991 Germany reported over 2,200 events as Level 0 or below, while 72 events were rated Level 1 or higher. On its part, the US Nuclear Regulatory Commission, over the same time period, has only reported 22 events to the IAEA and rated them on the INES scale, of which 6 below scale, 7 Level 0, 3 Level 1, 5 Level 2 and 1 Level 3.
This apparent disharmony arises because there are simply no common criteria established to compare frequency and severity of nuclear events from country to country. In this respect, any reliance upon the present collage of INES rated events statistics to establish an international safety evaluation would be grossly misleading.
The first conclusion of this study is that many nuclear safety related events occur year after year, all over the world, in all types of nuclear plants and in all reactor designs and that there are very serious events that go either entirely unnoticed by the broader public or remain significantly under-evaluated when it comes to their potential risk.
A recent joint IAEA/NEA (Nuclear Energy Agency of the OECD) Report on "Nuclear Power Plant Operating Experiences" covering the years 2002-2005 concluded:
"Almost all of the [200] events reported during that period have already occurred earlier in one form or another. It shows that despite the existing exchange mechanisms in place at both national and international levels, corrective measures, which are generally well-known, may not reach all end-users, or are not always rigorously or timely applied."
The widespread belief that nuclear safety will be actually enhanced because of a lessons-learned process turns out ill-conceived. It is an open question whether the actual discussions within the nuclear expert community can lead to an improvement of nuclear safety in the reality of nuclear power plant operation.
Abnormal events are triggered by a variety of reasons: some are directly a result of design errors, sometimes fundamental or sometimes apparently trivial; other events can be traced back to latent construction, manufacturing and materials faults and/or deficiencies that have remained hidden in the plant; and there are unforeseen and unprepared for external events that unexpectedly challenge the plants and their safety systems; and finally there is the human dimension, including simple slip ups, omissions and misunderstandings, or more complex and deeply rooted institutional errors and, of increasing concern following 9/11, the possibility of organized malicious acts against nuclear plants.
Some of these events and incidents that have occurred could have evolved into serious accidents, had the defects, malfunctions, etc. not been discovered in time (near-misses); other incidents might be taken as early warnings or as precursors of serious accidents; and there are the so-called recurring events whereby a pattern of failures is repeated time after time at different plants. Sometimes, there develops an element of self-congratulation by the nuclear industry when an incident is brought to a 'successful' close, so much so that this overrides the various serious concerns that the incident should not have been triggered in the first place.
Not that those who lead the worldwide nuclear industry are complacent over these issues. During a biennial general meeting of the World Association of Nuclear Operators (WANO General Meeting, Berlin, October 2003), Chairman Hajimu Maeda warned of a creeping lethargy that begins with "loss of motivation to learn from others... overconfidence... (and) negligence in cultivating a safety culture due to severe pressure to reduce costs following the deregulation of the power market." Those troubles, if ignored, "are like a terrible disease that originates within the organization" and can, if not detected, lead to "a major accident" that will "destroy the whole organization".
Nuclear plants are complex, hazardous facilities. It follows that this very complexity spawns a multifaceted array of potential failure mechanisms and routes, so many in fact that it is seemingly impossible to marshal these into any semblance of order.
The second conclusion is that no great reliance should be placed on the International Nuclear Event Scale (INES), either for determining the absolute severity of one abnormal event from another nor, indeed, for determining the absolute safety achievements of any one country. However, in one respect the INES can be quite revealing: as three countries operating much the same type of nuclear power plant, under much the same regulatory and management systems in place, should not produce such disparencies in their respective nuclear safety achievements, the summarized data above are solely an indicator of their openness and/or reporting practices within INES.
The third conclusion of this research is that because the INES reporting system serves very little purpose there is need for its overhaul and modification - if at all possible - to provide a comprehensive reporting system that identifies not just the severity and potential impact of abnormal incidents, which the present INES barely achieves, but which sets out unifying rules of post-accident analysis and categorization so that existing trends may be monitored and emerging cause of failure identified. Such a revised INES reporting system should include facility to analyze and categorize human actions, including terrorist acts.
A selection of significant events that might assist in the framework development of a new INES reporting and analyzing system is annexed to this summary. These events illustrate the major categories of cause of failure in plants over the past 20 years but, that said, given the complexity of engineered systems and the ingenuity of mankind there are other causes of accidents that have yet to be discovered.
The present report should be seen as a precursor investigation into what should be a longer-term extensive study into the identification, notification, systematic analysis and evaluation, risk assessment, classification and lessons-learned action implementation of safety relevant events in all nuclear facilities in all countries.
So long as nuclear plants and facilities continue to operate there will remain a residual risk. Precursive events cannot be eliminated, the possibility of a future severe accident cannot be entirely excluded and it is unwise to dismiss the possibility of any undesirable incident occurring on the grounds of its remote probability alone. Finally, it is folly indeed to assume that all initiating events might be reasonably foreseen - after all, who foresaw the nature and mode of operandi of the 9/11 attacks?
Sixteen Selected Significant Events in Nuclear Power Plants in Nine Countries Since the Chernobyl Accident in 1986
The Residual Risk Project Team has selected 16 events from nine countries that illustrate that nuclear reactor safety remains far from perfect. This is not a ranking of the most significant events but rather a selection of known significant events that also reflect the specific knowledge and experience of the members of the Residual Risk Project Team. They were classified into nine categories
Advanced Material Degradation (before break)
3 April 1991 Shearon Harris (USA)
On 3 April 1991 workers at the Shearon Harris pressurized water reactor in New Hill, North Carolina discovered damaged piping and valves within the alternate minimum flow system provided for the pumps in the emergency core cooling system. The piping and valve damage was serious, had an accident occurred the water needed to cool the reactor core would have instead poured out onto the floor through the ends of broken components. The NRC calculated the severe core damage risk from this event to be 6 x 10-3 or 0.6% per reactor year. The event was not rated on the IAEA INES scale.
6 March 2002 Davis Besse (USA)
On 6 March 2002, workers discovered a pineapple-sized hole in the carbon steel reactor vessel head at the Davis-Besse pressurized water reactor in Oak Harbor, Ohio. The boric acid of the primary coolant had completely eaten through the 6-inch (15 cm) thick carbon steel wall to expose the 5 mm thin stainless steel liner. A government study estimated that the hole would have widened to the point where the liner ruptured in another 2 to 11 months of operation. Because Davis-Besse ran 18 months between refueling outages, had the damage been missed during the 2002 outage, it seems likely that a loss of coolant accident would have occurred. The NRC calculated the severe core damage risk from this event to be 6 x 10-3 or 0.6% per reactor year and rated it INES level 3.
Significant Primary Coolant Leaks
18 June 1988, Tihange-1 (Belgium)
On 18 June 1988, while the pressurized water reactor was operating, a sudden leak occurred in a short, unisolable section of emergency core cooling system (ECCS) piping. The leak rate was in the order of 1,300 liters per hour. The source of leakage was a crack - 9 cm long on the inside surface of the pipe and 4.5 cm long on the outside surface - extending through the wall of the piping. The risk of a pipe rupture in the emergency core cooling system is considerable if the emergency safety injection system is activated as large quantities of cooling water are injected in case of a loss of coolant accident in an already degraded safety situation.
12 May 1998, Civaux-1 (France)
The Civaux-1 pressurized water reactor was shut down for five days, when, during start-up tests, a 25 cm diameter pipe of the main residual heat removal system cracked open and a large leak (30,000 liters per hour) occurred in the primary cooling circuit. The reactor core needs to be cooled permanently, even when it is shut down, in order to evacuate the significant amount of residual heat of the fuel. It took nine hours to isolate the leak and reach a stable situation. An 18 cm long crack on a weld was identified and 300 m3 of primary coolant had leaked into the reactor building. The unit had been operating for only six months at 50% power level maximum prior to the event. The operator, EDF, suggested rating this event at level 1 on the INES scale, but the safety authorities decided on level 2.
9 February 1991 Mihama-2 (Japan)
A steam generator tube rupture occurred at Mihama-2 pressurized water reactor. This was the first such incident in Japan where the emergency core cooling system was actuated. The utility investigated the rupture and found that it was a complete circumferential tube failure. The utility found that the failure due to high cycle fatigue caused by vibration. By design, all tubes in specific locations in the steam generator are supposed to be supported by anti-vibration bars. However, the subject tube was found not to be supported appropriately because of a reported "incorrect insertion" of the adjacent anti-vibration bars.
Reactivity Risks
12 August 2001, Philippsburg (Germany)
A deviation from the specified boron concentration - a neutron absorber needed to slow down or stop the nuclear reaction - in several flooding storage tanks during the restart of the plant was reported to the authorities. In addition, the liquid level had not reached the required value fixed in the operational instructions for the start-up and was only implemented with a delay. The emergency core cooling system will only work effectively if it is operated according to the design basis conditions. Subsequent investigations revealed that significant deviations from start-up requirements and violations from related instructions seemed to be common probably for several years and took place in other German nuclear plants.
1 March 2005 Kozloduy-5 (Bulgaria)
In the process of power reduction at the Russian designed pressurized water reactor (WWER) the operators identified that three control rod assemblies remained in the upper end position. The follow-up movement tests of the remaining control rod assemblies identified that 22 out of 61 could not be moved with the driving mechanisms. The exact number of control rod assemblies unable to scram (to drop due to the gravity only) remains unknown but it is thought to be between 22 and 55. The WWER-1000 scram system is designed to put the reactor in safe shutdown if one control rod assembly at the most is jammed in the upper position. The operator had originally rated the incident INES level 0, but the safety authorities finally admitted to a level 2 rating.
Fuel Degradation (outside reactor core)
Paks (Hungary) 2003
Design deficiencies of a chemical system built to clean 30 partially irradiated fuel assemblies from magnetic deposits in a special tank (outside of the vessel of the pressurized water reactor) caused insufficient cooling of all assemblies, which were heavily damaged. A subsequent IAEA investigation identified eight separate design errors. The system was developed, manufactured and delivered by Areva NP. During the accident radioactive releases were about four times the noble gases and almost 200 times the Iodine-131 and aerosols released by all 58 French pressurized water reactors during the whole of 2003. The event was reclassified as Level 3 on the INES scale after an initial Level 2 rating.
Fires and Explosions
14 December 2001, Brunsbüttel (Germany)
A hydrogen explosion caused a high degree of damage to the spray system piping of the boiling water reactor. The head spray line is used for cooling the inner surface of the reactor pressure vessel head and the flange area upon plant shutdown. Some parts of the 5.6 mm diameter pipes were ruptured. An approximately 2.7 m long piping section had burst and was completely destroyed. Some sections of the piping were missing. Prior to this event the possibility of severe explosions caused by radiolysis gas during normal operation was nearly excluded.
Station Blackout
18 March 2001 Maanshan (Taiwan)
The pressurized water reactor was affected by a total loss of external and internal power supply. Power supply is crucial to evacuate residual heat from the reactor core. The plant is situated near the sea. Salt deposit on insulators due to foggy weather caused instability of the high voltage grid. During a switch to the grid a short circuit in a power switch of the emergency power line occurred and caused a cable fire. A breaker and switchgear was totally destroyed by the fire and the diesel generators could not be started up manually because of heavy smoke. It took about two hours to restore power supply.
25 July 2006, Forsmark, Sweden
A short circuit in an outdoor switching station of the grid nearby the boiling water reactors caused the emergency shutdown (scram) of unit 1 and, in a complex scenario, led to a number of subsequent failures at the plant. Due to a design error, the disconnection of the plant from the grid and the switch to house load operation - where the power plant uses its own power to operate essential auxiliaries - did not function as planned. An inappropriate converter adjustment led to the failure of the attempt to connect safety related equipment to the emergency power supply. The start up of two of the four emergency diesel generators was aborted, which lead to a partial blackout even in the main control room. Due to the lack of information about the important parameters for a period of time the exact state of the plant and the consequences of potential actions to perform were unclear. The shift team decided nevertheless to try to reconnect the plant to the grid, which was performed successfully.
Generic Issues - Reactor Sump Plugging
28 July 1992, Barseback-2 (Sweden)
A leaking pilot valve in the boiling water reactor in Barsebäck initiated automatically safety functions like reactor scram, high-pressure safety injection, core spray and containment spray systems. The steam jet from an open safety valve was impinging on thermally insulated equipment. Insulating material was washed into the suppression pool and affected the emergency core cooling system, which is essential for heat removal in case of a leak the reactor coolant. Similar incidents occurred in several countries and the problem turned out to apply to many, if not most, of the light water reactors in the world.
Natural Events
27 December 1999, Blayais-2 (France)
The Blayais nuclear power plant site was flooded after heavy storms resulting in certain key safety equipments of the plant being under over 100,000 m3 of water, for example safety injection pumps and the containment spray systems of units 1 and 2. The electrical system was also affected. Power supply was interrupted. Flying objects and debris rendered any intervention dangerous. All four units on the site were shut down. For the first time, the national level of the internal emergency plan (PUI) was triggered. The event was given an INES Level 2 rating.
Security Events and Malicious Act
7 February 1993, Three Mile Island (USA)
An unauthorized vehicle entered the owner-controlled area (OCA) of the Three Mile Island (TMI) nuclear power plant. No physical barriers were present to delay access. The vehicle continued to the protected area (PA) of the nuclear plant, smashed one of the entry gates, before crashing through a corrugated metal door and entering the turbine building of the Unit 1 reactor, which was operating at full power. The vehicle stopped 19 meters inside the turbine building, striking and damaging the insulation on an auxiliary steam line. A Site Area Emergency, the second highest emergency classification level, was declared. This was the second time this had occurred at the TMI plant (the first being the TMI Unit 2 meltdown in 1979). The intruder was not apprehended until four hours after he entered the site.
July 2000, Farley (USA)
During an "Operational Safeguards Response Evaluation," or OSRE - war-game-type exercise to evaluate whether nuclear power plant security forces could effectively defend against an adversary team - the security force at Farley could not prevent the mock adversary team from simulating the destruction of entire target sets in two out of four exercises (and therefore simulating a core meltdown); and simulating the destruction of "significant plant equipment" in a third exercise.
29 August 2002, 17 TEPCO Reactors (Japan)
The Tokyo Electric Power Company (TEPCO) operates 17 boiling water reactors and was also one of the most respected large companies in Japan. On 29 August 2002 the Japanese Nuclear Industrial Safety Agency (NISA), shocked the nation with the public revelation of a massive data falsification scandal at TEPCO. At that point 29 cases of "malpractice" had been identified, including the falsification of the operator's self-imposed inspection records at its nuclear power plants over many years. In the follow-up, all of the 17 TEPCO units had to be shut down for inspection and repair. It was reported later that these practices had gone on for as long as 25 years and the total number of events is put at nearly 200 so far. However, revelations of cover-ups and malpractice have extended to all major nuclear operators in Japan and continue to date. In the latest case, in early April 2007 Hokuriku Electric has admitted to a criticality incident at its Shika-1 boiling water reactor. The incident had been covered up for almost eight years.
The report "Residual Risk: An Account of Events in Nuclear Power Plants Since the Chernobyl Accident in 1986" May 2007. Project co-ordinator Mycle Schneider.
Written by: Kastchiev, Kromp, Kurth, Lochbaum, Lyman, Sailer, Schneider.
The report can be downloaded at:
http://www.greens-efa.org/cms/topics/dokbin/181/181995.residual_risk@en.pdf
 |
 |
 |
 |
|
 |
 |
 |
 |