WHAT'S ALL THE FUSS ABOUT?

Introduction

Update

1. "WORST CASE" LOSS OF COOLANT ACCIDENTS (LOCA)

2. THE EMERGENCY CORE COOLING SYSTEM (ECCS)

3. INADEQUACY OF THE CANDU ECCS

4. WEAKNESSES IN THE CONTAINMENT SYSTEM

5. EMERGENCY LIMITS OF PUBLIC RADIATION EXPOSURE

6. REWRITING THE PUBLIC HEALTH STANDARDS

7. REWRITING THE CANDU SAFETY PHILOSOPHY

8. WHAT ABOUT CATASTROPHIC ACCIDENTS IN CANDU?

9. THE NEED FOR OPENNESS AND INDEPENDENT REVIEW

FOOTNOTES

Glossary

Recommendations : Select Committee on Ontario Hydro Affairs

---





INTRODUCTION

Under normal operation, a nuclear reactor is relatively safe. However, under emergency conditions, a reactor can release enormous quantities of radioactive substances into the environment.

People who lack scientific training often feel that the issues surrounding the subject of nuclear safety are too complex for a lay person to understand. This is not true. Most of the important scientific facts are relatively easy to understand, and are not matters of dispute between those who favour nuclear power and those who do not. Disagreement arises mainly over three questions:

1. What is the likelihood of a major nuclear accident?

2. How does one decide on what is an acceptable risk?

3. Are existing standards adequate to provide a reasonable degree of public protection?

The accompanying text is intended to serve as a brief introduction to the subject of nuclear safety in Canada as it relates to five internal safety documents which were leaked to the CCNR in May 1978.

Also included are excerpts from a letter to Dr. Arthur Porter, Chairman of the Royal Commission on Electric Power Planning (June 7, 1978.) and copies of the five internal safety documents, with explanatory notes.

---

UPDATE

Since the nuclear accident at Three Mile Island, the Ontario Legislature's Select Committee on Ontario Hydro Affairs has held extensive hearings on the safety of CANDU reactors and has issued an Interim Report on the subject (December 1979). The transcripts of these hearings and the text of the Interim Report are available in the Legislative Libraries of every province of Canada. A few of the Committee's recommendations are reproduced as an appendix.

---

NUCLEAR SAFETY IN A CANADIAN SETTING:

WHAT'S THE FUSS ALL ABOUT?


1. "WORST CASE" LOSS OF COOLANT ACCIDENTS (LOCA)

If the core of a reactor is not cooled, the intense radioactivity of the irradiated fuel will cause overheating, leading to the rupturing of the fuel "cladding" (or "sheath"), and eventually resulting in the melting of the fuel at about 5000 ^o F. [1] This sequence of events would happen, even if the reactor had been shut down for several hours or even a day or more beforehand. [2]

If all of the fuel in a reactor were to melt, U.S. studies have indicated that the resulting mass of molten fuel would melt through the floor of the reactor building into the ground. [3] The amount of radioactive material that could be released this way is very large -- several billion curies -- and the radioactive gases and volatile substances alone are capable of killing a tremendous number of people. [4] That is why the Royal Commission on Electric Power Planning has suggested that serious consideration be given to building such reactors in underground caverns. [5]

2. THE EMERGENCY CORE COOLING SYSTEM (ECCS)

Because of the above dangers, every reactor has an emergency core cooling system which will supply cooling water to the core in case the primary cooling system is incapacitated through a pipe break. [6] All nuclear reactors presently operating in Canada were originally licensed on the explicit understanding that the ECCS (emergency core cooling system) would prevent "fuel failures" (i.e. rupturing of the cladding) in the event of a LOCA (loss-of-coolant accident) caused by a pipe break. [7]

If the fuel cladding ruptures as a result of inadequate cooling, then dangerous quantities of radioactive gases and volatiles will escape from the fuel into the piping system. [8] These gases will go out the same hole that the water escaped from during the LOCA. This creates a dangerous situation inside the reactor building, and also raises a question as to how much of this radioactive material will escape into the atmosphere outside the plant, thereby endangering the surrounding population. The original design criterion for the CANDU ECCS was that it should guarantee "no significant fuel failures" (abbreviated NSFF). [9]

3. INADEQUACY OF THE CANDU ECCS

In the last two years, it has been discovered by Canadian nuclear authorities that the CANDU ECCS cannot meet the NSFF criterion in any of the nuclear reactors presently operating in Ontario. [10] Even at the small NPD reactor (which is only 20 megawatts), careful analysis has shown that any size of pipe break in any location on the "inlet" side of the reactor (where the coolant enters the core) will cause at least half of the fuel to fail (i.e. the cladding will rupture), and may, in some circumstances, cause all of the fuel to fail. [11] This is in direct contradiction to statements made in the original licensing documents for NPD, which asserted categorically that ECCS would always prevent fuel failures in the event of a LOCA. [12]

At Douglas Point, 200 MW, the power rating has been reduced for safety reasons because ECCS is now known to be relatively ineffective in preventing fuel failures. [13] At Pickering and Bruce, it is acknowledged that ECCS cannot prevent fuel failures in all cases of LOCA, and so it is assumed that as many as one million curies of radioactive iodine may be released from the piping system following a LOCA. [14] This is about 1000 times higher than the maximum permissible atmospheric release of radioactive iodine under the worst accident conditions as postulated by the Atomic Energy Control Board (AECB) in their licensing documents. [15]

4. WEAKNESSES IN THE CONTAINMENT SYSTEM

The containment system of a commercial reactor is designed to contain virtually all of the radioactive steam and gases that would be released from the piping system following a LOCA. However, the containment system can be impaired in a number of ways. At Pickering, personnel airlock doors have been left open on many occasions over a number of years. [16] In one of the Pickering units, a leak in the wall of the reactor building went undetected for 18 months. [17] The operating record at Pickering proves that impairments of containment have occurred with a very much higher frequency than the theoretical target probabilities would indicate. [18]

It is also acknowledged that ventilator dampers could jam open in the event of a LOCA, thereby establishing a path to the atmosphere. [19] Besides, not all CANDU reactors have the very best in containment systems. The NPD reactor has no adequate containment system at all, the Douglas Point reactor has one of doubtful effectiveness, and the standard CANDU-600 reactor (versions of which are being built in Argentina, New Brunswick, Quebec and South Korea), has no vacuum building to "suck up" the radioactive steam and gases that are produced in quantity during a LOCA. [20]

5. EMERGENCY LIMITS OF PUBLIC RADIATION EXPOSURE

In the interests of public health and safety, the AECB will not license a nuclear reactor unless the owner can "prove" that very little radiation will escape into the atmosphere even if there is a "dual failure" -- that is, a LOCA accompanied by an impairment of containment. [21] Specifically, no member of the public shall be exposed to more than 25 rems of whole body radiation or more than 250 rems to the thyroid gland (where the radioactive iodine will automatically concentrate). [22]

It should be noted that 25 rems is not an insignificant dose of radiation. Under normal conditions, the legal limit to which members of the public may be exposed over the course of an entire year is only half a rem, and the AECB guideline is 1/100^th of that. [23] At Hiroshima and Nagasaki, pregnant women exposed to less than 25 rem gave birth to children with shrunken heads and mental retardation. [24]

It should also be noted that these Canadian limits for public exposure are much higher than those proposed by the British Medical Research Council for "Emergency Reference Levels of Radiation Dose" in the event of a nuclear accident. The BMRC recommends a limit of 10 rems of whole body radiation exposure, and/or 30 rems exposure to the thyroid. [25] (25 rems is about 1/10 of what is called the "LD50" or "lethal dose 50". If a group of humans is each exposed to 250 rems whole body radiation, it is anticipated that 50 percent of them will die of "radiation sickness" within 30 days. [26])

6. REWRITING THE PUBLIC HEALTH STANDARDS

When NPD and Pickering and Douglas Point were licensed, it was firmly believed and categorically asserted that the ECCS would prevent fuel failures. [27] On that basis, AECB had no compunctions about issuing licenses -- for, if no gases are released from the piping, none will enter the atmosphere, and so no member of the public could possibly be exposed to more than 25 rems. However, it is now known that the ECCS cannot always prevent fuel failures. That changes the picture considerably. In the event of a LOCA, there could be a great deal of radioactive material in a releasable form. [28]

In response to the present situation, the Inter-Organizational Working Group -- set up by the AECB to review unresolved safety issues -- has just recently recommended (in AECB-1149) that the permissible limits for public exposure under emergency conditions be raised by a factor of four, to 100 rems (and possibly by an additional factor of 10 -- to 1000 rems -- in unusual circumstances; [29] 1000 rem is 100 percent fatal to all those who are exposed to it.)

7. REWRITING THE CANDU SAFETY PHILOSOPHY

Even more startling is that the Inter Organizational Working Group is recommending a complete change in the CANDU safety philosophy. The existing philosophy would protect the public in the event of any "dual failure", in which two systems fail simultaneously (for example, the cooling system and the containment system). [30] The new philosophy proposed by the IOWG would base the degree of public protection on the calculated probability of the accident; the more improbable the accident, the larger the permissible dose, and if the accident is calculated to be too improbable, then no consideration need be given it at all. [31]

Unfortunately, calculated probabilities are notoriously subject to dispute, and notoriously poor indicators of performance. [32] The Royal Commission on Electric Power Planning in Ontario has concluded that the industry's probability figures are very likely in error. [33] The danger here is that by basing public safety on calculations which cannot be checked or monitored, we may be providing only the illusion of security. [34]

Indeed, there are strong indications that some "dual failure" accidents could lead to a complete core meltdown, despite reassurances to the contrary. [35] The RCEPP has concluded that, under the most pessimistic assumptions, with 100 reactors operating in Canada at some future date, the probability of a core meltdown could be as high as once every forty years. [36] If such safety problems exist, they should be frankly acknowledged and seriously addressed -- not swept under the carpet because the "calculated probability" is reassuringly low. [37]

8. WHAT ABOUT CATASTROPHIC ACCIDENTS IN CANDU?

The accidents described in points 2 to 7 above are serious but not catastrophic. Catastrophic nuclear accidents have never been studied in detail in Canada. [38] In the United States, however, a major safety study conducted under the auspices of the Nuclear Regulatory Commission concluded that the probability of a complete core meltdown in a nuclear reactor could be realistically estimated at 1 in 20,000 per reactor per year, which could be off by a factor of five either way. [39]

For information on the possibilities and probabilities for core meltdowns in CANDU reactors, ask for publication CCNR-78-6, entitled "CANDU SAFETY", from the Canadian Coalition for Nuclear Responsibility, Box 236, Station Snowdon, Montreal, Quebec. [40]

9. THE NEED FOR OPENNESS AND INDEPENDENT REVIEW

The most disturbing aspect of CANDU safety is the lack of openness and candor on the part of Ontario Hydro and the other nuclear agencies involved. [41] These nuclear authorities have all given repeated public assurances that the CANDU safety systems are fully adequate to carry out their assigned tasks. [42] The authorities have vigorously upheld the existing regulatory limits for public exposure to radiation under emergency conditions as more than adequate to cope with any conceivable "dual failure". [43] At the same time, Ontario Hydro and the other agencies have repeatedly and explicitly refused to make the pertinent safety calculations available for scrutiny and criticism by members of the independent scientific community. [44]

In view of the seriousness of this safety issue, and the important bearing which safety considerations could have on policy decisions related to the siting of nuclear plants and the rate of nuclear expansion in Canada, such secrecy is politically unjustified. [45] It is especially disturbing when we now know that some of the industry's public assurances of safety are not as well founded as we had been led to believe. [46] The withholding of relevant safety information from the public and from decision makers should not be allowed to continue. In addition, CCNR believes than an independent technical review of CANDU safety (standards and philosophy) is urgently needed so that the most important safety questions may be clarified and hopefully resolved before the industry is allowed to expand significantly. [47]

---

FOOTNOTES
1. "By definition, a major reactor accident would lead to the severe overheating, and subsequent melting of the nuclear fuel, which would give rise to a substantial quantity of radioactive material escaping, after breaching several formidable barriers, into the environment. Clearly, if a major release of this accumulated radioactivity occurred, the consequences would be extremely serious and could involve several thousand immediate fatalities and many more delayed fatalities."

   A Race Against Time,
   Interim Report on Nuclear Power,
   Ontario Royal Commission on Electric Power Planning,
   pp 73,76 (September 1978)

   The fuel sheath is a very thin metal "sleeve" containing the uranium fuel pellets. In the event of an accident, this envelope may rupture at temperatures below 1000 ^o C because of the rapid build-up of internal pressure. When the sheath bursts, all of the radioactive gases in the fuel are liberated, along with about 2 percent of the radioactive iodine. By the time fuel melting occurs, dozens of other radioactive substances, far more dangerous than those initially released, are given off in a gaseous form, along with the remaining 98 percent of the radioactive iodine.

   "It is generally agreed that the greatest threat to health in the event of a major accident is the considerable quantity of iodine-131 which would be released to the atmosphere."

   A Race Against Time, p 73

2. In other words, it is not possible to safeguard against a major reactor accident just by shutting the reactor down:
   "Right after shutdown the heating rate of the reactor is about 7 percent of the full power rate, and then as the radioactivity decays away it decreases; in a few hours it's less than one percent [of full power heat] and it keeps going down. . . . Even one percent is a lot of heat, and if you don't remove that heat it's surely enough to overheat the fuel and melt it; and therein lies the problem that the reactor safety analyst must face -- to assure himself that the heat produced by these decaying fission products is reduced, is removed for periods of weeks or months."

   Dr. Norman Rasmussen, testifying to the
   Cluff Lake Board of Inquiry on
   Uranium Mining in Saskatchewan,
   Transcript Vol. 85, p. 8686
   (Also available from RCEPP as R1061)

   Dr. Rasmussen is the Head of the Nuclear Engineering Dept. at M.I.T. (Massachusetts Institute of Technology). He is the author of the most comprehensive study of reactor accidents to date, known as the "Reactor Safety Study" or the "Rasmussen Report" (WASH-1400), published by the U.S. Nuclear Regulatory Agency (NRA). The study took four years and cost $3 million.

3. "Although the containment building would be expected to remain intact for some time following a core melt, eventually the molten mass would be expected to eat its way through the concrete floor into the ground below."

   Rasmussen Report (WASH-1400)
   Executive Summary, p 7

   "Every core melt in our study is assumed to melt its way through the bottom of the reactor."

   Norman Rasmussen, testifying to the
   Cluff Lake Board of Inquiry into
   Uranium Mining in Saskatchewan,
   Transcript Vol. 85, p 8687, September 1977
   (Also RCEPP-R1061 )

4. "The major health and environmental threat would be due to the escape of fission products to the atmosphere the radioactivity would collect in a "cloud" and would be carried down wind. At distances of two or three kilometres, depending on wind velocity, the cloud would begin to disperse (the dispersal zone could extend to distances of several hundred kilometres) and radioactive materials would be deposited on the ground."

   A Race Against Time, p 73.

   "The worst possible accident at a site like Pickering (assuming none of the safety devices work and using the most pessimistic assumptions regarding behaviour of the reactor core, transport of fission products, meteorological diffusion and wind direction) might result in several thousand deaths, tens of thousands of injuries, and billions of dollars in property damage. In short, a disaster."

   John Beare, Chief,
   Reactor Licensing Division,
   Atomic Energy Control Board,
   "Nuclear Reactor safety and All That",
   AECB-1090, April 6, 1976

   According to the Rasmussen Report, under the worst conditions, a major nuclear accident could result in:

   • about 45,000 cases of radiation sickness requiring hospitalization, of which about 3300 would die;

   • about 45,000 fatal radiation-induced cancers in the thirty-year period following the accident;

   • about 250,000 non-fatal radiation-induced cancers in the thirty-year period following the accident, :

   • about 170 genetically defective children born each year to the population surviving the accident;

   • about $14 billion dollars (1974 dollars) in property damage, mainly due to radioactive contamination of food, water, land, and buildings.

   According to the Burns Report from New Zealand,

   "It is clear that in the worst possible circumstances, in which a major reactor accident as defined occurred when the wind was blowing gently on-shore towards a major population centre and highly productive farmland, the personal, social, and economic consequences for New Zealand could be disastrous to a degree unparalleled in our history "

   Report to the New Zealand Government
   Fact Finding Group on Nuclear Power,
   Government Printing Office,
   Wellington, N.Z., March 1977

5. "Although underground siting would not improve the safety of nuclear stations in an absolute sense, the risk of injury and damage in the event of a major accident would be reduced. However, the additional cost of constructing a nuclear power station would be in the order of 20 percent (and 20 percent of $3 or $4 billion is not inappreciable). Nevertheless, we believe that serious consideration should be given to the proposal."

   A Race Against Time, p 83.

   Dr. Edward Teller, who was the Chairman of the first Reactor Safety Advisory committee in the U.S., has been advocating the construction of nuclear reactors underground for many years. Dr. Alvin Weinberg, who was Director of the Oak Ridge National Laboratory for many years, has been advocating the construction of nuclear reactors in large dedicated "nuclear parks", far removed from population centres, for safety reasons. This latter proposal is also endorsed by the RCEPP as deserving serious consideration (immediately following the above quotation).

6. ECCS designs vary considerably from one reactor to another. For U.S. reactors, there is both a high-pressure and low-pressure emergency cooling system, while for CANDU reactors, there is only a low-pressure system. Unfortunately, the unavailability of the one-and-only ECCS at Pickering has been unexpectedly high, so that in the event of an accident, there might be no emergency cooling available at all (see note 32).

   It is also possible that the accident itself will incapacitate the ECCS. For example, if an earthquake were to cause major pipe breaks on both sides of a CANDU reactor core, then there might be no emergency cooling at all, and a core melt accident might not be humanly preventable. The reason for this is that emergency coolant will not traverse the core of a CANDU reactor unless there is a pressure differential from one end to the other. Thus, if pipes are broken at both ends of the core, the emergency cooling water may just run out through the broken pipes onto the floor without cooling the overheated fuel. These points have been confirmed in private conversations with Canadian nuclear safety experts.

7. The criterion of "no significant fuel failures" (NSFF) was officially assumed -- by all the nuclear authorities -- to have been met by the CANDU ECCS. This assumption was dutifully enshrined as an unqualified assertion in the Official Safety Reports for each and every operating reactor in Canada. These reports play a vital and central role in the licensing process for Canadian CANDU reactors. It has come as somewhat of a shock, therefore, to learn that the original NSFF assumption about the effectiveness of ECCS, which has been taken for granted for so long, was wrong from the outset.

8. At Pickering, for example (according to the Pickering LOCA Report described in Note 9), about one million curies of iodine-131 could be released almost immediately from the piping system following a LOCA, as a result of massive fuel failures; the radioactive iodine will simply go out the same hole in the piping system that caused the LOCA in the first place. Under present AECB requirements, this amount of iodine -- one million curies -- is a thousand times larger than the maximum permissible release of iodine-131 to the atmosphere under the worst credible accident conditions.

   When inhaled or ingested, radioactive iodine concentrates in the human thyroid gland. The Rasmussen Report concluded that up to 250,000 cases of thyroid cancer could result from iodine-131 released from a reactor under the worst credible circumstances, if massive fuel melting occurred. An independent review of the Rasmussen Report, commissioned by the U.S. Nuclear Regulatory Commission, has recently warned that Rasmussen's risk estimates could be unduly optimistic (the Lewis Report, NUREG/CR-0400, published by the US NRC, Sept. 1978 -- see Note 39)

9. The Pickering Loss-of-Coolant Accident (LOCA) Report -- an Ontario Hydro document -- deals with this exact situation. It discusses what would happen if half the fuel in the entire reactor failed, as a result of a LOCA, releasing large quantities of radioactive gases and iodine into the reactor building atmosphere. The Hydro report reaches the reassuring conclusion that, even if all the doors were left open and all the ventilator dampers were open too, thereby establishing several direct paths to the outer atmosphere, virtually none of the radioactive iodine, krypton, or xenon, would escape from the containment system. Unfortunately, the LOCA Report devotes only two paragraphs to this rather amazing conclusion, and provides no information whatsoever as to the assumptions or the calculations that led to this conclusion, except for a single graph. Since the report cost $500,000 to prepare, and since the containment calculations are crucial to public safety, one might have expected more. (See note 44).

10. Apparently, the discovery was first made in connection with the licensing of the Bruce "A" nuclear generating station back in 1976. Analysis showed that the Bruce ECCS would not necessarily prevent massive fuel failure following a LOCA (as revealed in INTERNAL SAFETY DOCUMENT #1). But all Safety Reports submitted to the AECB prior to 1976 had assumed and asserted that the CANDU ECCS would unquestionably prevent any large-scale fuel failures! Following this embarassing discovery, in July 1976, AECB asked the operators at all commercial CANDU reactors to reassess the effectiveness of ECCS in each individual case.

    By late 1977, the answer was clear: None of the CANDU ECCS systems at any of the operating reactors could be counted on to meet the original NSFF design criterion ("no significant fuel failures"), despite explicit assurances to the contrary which had been given to the AECB during the licensing of these same reactors.

    CANDU designers are currently speculating about the feasibility of installing a high-pressure emergency cooling system in all new CANDU reactors, since it is acknowledged that no modification to the existing low-pressure system will allow it to meet the NSFF criterion. (See INTERNAL SAFETY DOCUMENT #1 for details.)

    Both the Pickering and Bruce nuclear generating stations are provided with huge "vacuum buildings" to suck up the vast quantities of radioactive steam which would be released from the piping system following a LOCA. It is hoped that this device will prevent most of the radioactive steam from escaping into the atmosphere surrounding the nuclear plant in the event of an accident. (See Note 13, however.)

11. See INTERNAL SAFETY DOCUMENT #4: [ REPORT OF THE REACTOR AND ACCELERATOR LICENSING DIVISION ON EMERGENCY COOLING AT NPD ] , especially the chart on p.8, which shows very plainly that an inlet header rupture of any size, in any location, will lead to at least half of the fuel (i.e. the fuel in Type A channels) not rewetting -- which means that the sheath would rupture and radioactive gases and vapours would escape. The inlet header is the largest pipe on the "inlet" side of the core, where the cooling water enters the fuel channels.

12. As pointed out in INTERNAL SAFETY DOCUMENT #3: [ LETTER from Chandra to RSAC re: Emergency Cooling at NPD ] , the findings of the RALD Report mentioned in the previous note, flatly contradict statements made in the Final Hazards Report, upon which the licensing of the NPD reactor was based. It seems clear that NPD is presently operating in violation of its license, and in fact some AECB employees have admitted privately that if the NPD reactor were located near Toronto it would probably be shut down. The modifications proposed for the NPD ECCS are of dubious value, since they will not bring the system into compliance with the NSFF criterion either.

13. The Douglas Point reactor does not have a vacuum building, and so it is now operating (under AECB orders) at only 70 percent of full power because of the inadequacy of its ECCS. The CANDU reactors currently under construction in New Brunswick, Argentina, Quebec and South Korea do not have vacuum buildings either. Neither does the NPD reactor. In the event of massive fuel failures with impaired containments, it is difficult to see how the radioactive gases could be effectively contained for very long.

14. The figure of one million curies of iodine-131 is cited in the Pickering LOCA Report mentioned in Note 9, in which it is assumed that the Pickering ECCS is fully available and is not impaired in any way. At Bruce, the figure would be more than twice as large, since a LOCA would affect the entire core rather than half the core as at Pickering. In INTERNAL SAFETY DOCUMENT #1 [ "Minutes of RSAC (Reactor Safety Advisory Committee) Meeting re Bruce "A" Operating License" ] , it is pointed out that the Bruce "A" reactors would have to operate at about 65 percent of capacity before the ECCS could meet the NSFF criterion.

    In the same document, Bill Morison of Ontario Hydro observes that such a derating would cost Ontario Hydro about $35 million per year.

15. In the event of the worst credible "dual mode" accident, which is considered to be a LOCA accompanied by a failure of the containment system, the AECB requires the owner of a nuclear plant to prove that no more than 1100 curies of I-131 will escape to the atmosphere. (This limit of 1100 curies is derived from a dose limitation of 250 rems to the thyroid gland for a member of the public in the event of such an accident.)

    Each little fuel bundle in an operating CANDU reactor contains about 2,500 curies of I-131 in an immediately releasable form, and about 70,000 curies of I-131 that could be released subsequently. There are three or four hundred fuel channels in a commercial size CANDU reactor, each channel containing from eight to twelve fuel bundles.

    In the event of certain kinds of LOCAs, massive fuel failures would not be preventable by any means, and so millions of curies of radioiodine could be released from the piping system. If the containment is simultaneously impaired, the situation is not good --especially if the vacuum building is unavailable for any reason.

16. Here are two examples:

    "Losses of containment occurred four times in the quarter as a result of airlock door seal failures. . . . Misoperation of the airlocks, particularly during maintenance, has been a continuing problem."

    Pickering GS Quarterly Technical Report,
    Fourth Quarter, 1973 (Ontario Hydro)

    "During a routine airlock check on March 9, the outer door seals of the pressure relief duct personnel airlock were found deflated . . . thus establishing a 15 square inch path to atmosphere. . . . The probable duration of the fault was 3 days, as it was last used on March 6. . . . A check of the pressure relief duct equipment airlock; on March 16 [ just 10 days later ] revealed that the lower seal was deflated. . . . All airlocks are being modified . . . [ and ] a more formal approach to airlock inspection has been arranged."

    Pickering GS Quarterly Technical Report,
    First Quarter, 1976 (Ontario Hydro).

17. "A leak was discovered in the wall of the Unit Two Reactor Building at Pickering on June 29, 1974, "that would have reduced the ability of the containment system to limit radioactivity release after any Unit 2 accident since the beginning of 1973" (a period of 18 months!)

    Pickering GS Quarterly Technical Report,
    Second Quarter, 1974 (Ontario Hydro).

    This incident is described on p. 79 of the RCEPP Interim Report on Nuclear Power, A Race Against Time.

18. According to AECB licensing documents, the containment system of a CANDU reactor is supposed to be fully available, in an unimpaired-state, 99.9 percent of the time. To meet this target, the containment system cannot be impaired more than 8 and a half hours per year.

    Thus the three-day loss-of-containment in March of 1976 (described in note 16) would require almost 8 and a half years of continuous operation with no impairment of containment whatsoever in order to meet the 99.9 percent criterion! But this, in itself, is longer than any of the Pickering units have so far been in service!

    Correspondingly, the 18-month loss-of-containment discovered in June of 1974 (also described in Note 16) would require about l500 years of continuous operation with absolutely perfect containment in order to meet the 99.9 percent availability target. In other words; there is no possibility that Pickering will ever achieve its target of 99.9 percent availability of containment, no matter how long it operates.

19. According to Mr. Liberty Pease, the man in charge of safety analysis at AECL's Power Projects Laboratory, the worst loss-of-containment accident accompanying a LOCA is considered to be the failure of a ventilation damper to close. (RCEPP Transcript, Vol. 1, pp. l7374)

20. Vacuum buildings are expensive. They are not considered to be economically justified unless four or more nuclear reactors can be built together in one location, all connected to a single vacuum building. Reactors without vacuum buildings have a "dousing system" which is designed to condense the large quantities of steam that are produced during a LOCA, thereby relieving the internal pressure that would tend to push radioactive gases out into the atmosphere.

21. According to AECB licensing documents, the "design base" accident for containment of radioactivity is a hypothetical LOCA (caused by a large pipe break on the "inlet" side of the reactor core) accompanied by a partial loss-of-containment (caused by a ventilation damper refusing to close). The maximum permissible radioactive releases to the atmosphere in such a case are 700,000 curies of radioactive noble gases and 1100 curies of iodine-131. Since iodine is much more reactive, both chemically and biologically, than the noble gases, the iodine limitation is of greatest significance in terms of public health.

22. Whole body radiation is mainly due to external exposure from the radioactive cloud passing overhead; thyroid exposure comes about as a result of inhaling and ingesting the radioactive iodine, which also contributes to the whole body dose because of the penetrating gamma radiation that it emits.

23. For purposes of comparison, the maximum permissible dose of radiation for atomic workers is only 5 rems per year. Many researchers believe that this 5-rem limit is too high, especially in view of recent epidemiological studies which have shown substantial increases in cancer rates among atomic workers in the U.S. For further information, see the articles by Karl Morgan and Joseph Rotblat in the September 1978 issue of the Bulletin of the Atomic Scientists.

    In Canada, members of the general public living near nuclear power plants can be legally exposed to 1/2 rem per year. This is twenty times larger than the corresponding dose limitation in the United States; however, the AECB has established an official guideline of 1/200th of a rem per year as a target for public exposure from a nearby nuclear power plant under normal operating conditions.

    In the event of a "dual mode" accident, however, members of the public can be legally exposed to 25 rems of whole body radiation -- 5,000 times larger than the official AECB guideline for limiting routine public exposure to radiation !

24. This effect, known as microcephaly, is due to in utero exposure of the foetus. It is described in the 1972 BEIR ("Biological Effects of Ionizing Radiation") Report, published by the U.S. National Academy of Sciences. It is well known that foetuses are much more susceptible to radiation damage than adults are. Back in the 1950s, Dr. Alice Stewart showed that a single diagnostic X-ray to the abdomen of a pregnant woman during the first six weeks of pregnancy could cause a 50 percent increase in the incidence of childhood cancer and leukemia. Such diagnostic X-rays may deliver as little as 1 rem of radiation. See John W. Gofman, "The Cancer and Leukemia Consequences of Medical X-rays", Osteopathic Annals, November 1975.

25. British Medical Research Council, Criteria for Controlling Radiation Doses to the Public After Accidental Escape of Radioactive Material, HMSO, London, 1975.

26. For the LD-50, see p. 23 of the Flowers Report, entitled Nuclear Power and the Environment, Sixth Report of the. Royal Commission on Environmental Pollution, HMSO, September 1977.

27. These assertions are contained in the official Safety Reports submitted to the AECB for the licensing of the various reactors. In the case of the NPD reactor, the Final Safety Report is referred to as the Final Hazards Report. (Since then, it seems that the nuclear industry has decided to avoid using words such as "hazards" in official documents.)

28. See Notes 8, 14 and 15.

29. The IOWG is a small group, set up by the President of the AECB in September 1977, with representation from AECB, AECL, Ontario Hydro, Hydro-Quebec, and the New Brunswick Power Corporation. The Chairman is Wladimir Paskievici of the Ecole Polytechnique in Montreal.

    On November 18, 1978, the AECB released the Final Report of the IOWG as AECB-1149. The IOWG Report recommends major changes in the safety requirements and public health standards associated with accidents at Canadian nuclear power plants. The announced deadline for public comment on these proposed changes is January 31, 1979; however, the deadline has since been extended by two months to allow for the preparation of a major commentary by CCNR.

    The changes of greatest significance are the following:

    • emergency limits of radiation exposure for members of the general public would be increased by a factor of four (from 25 rem to 100 rem), with an additional factor of ten increase possible if it proves uneconomlc for the designers or operators to meet the new, increased limit. (See Notes 23 and 31.)

    • standards of public protection would depend entirely upon the calculated probability of an accident, despite the fact that such probabilities have been shown to be unreliable (see RCEPP Interim Report, pp. 78-79) and the existing criterion, which does not depend on probabilities, has been in effect for more than ten years. (See Note 32.)

    • if the calculated probability of an accident is sufficiently low, there would be no regulatory limit to the radiation exposure that members of the general public could receive, even in cases where the present standards would limit such public exposure to less than 25 rems;

    • all regulatory limits for the population exposure (which is proportional to the expected number of excess cancers and genetic defects following irradiation of a population) in the event of a nuclear accident would be abolished.

    The Atomic Energy Control Board denies that there is any connection between the admitted inadequacies of the Emergency Core Cooling System and the proposed relaxations in safety standards. However, they have not provided a justification for the proposed changes, which seems contradictory to the "ALARA" concept (that radiation exposure should be kept As Low As Reasonably Achievable) -- unless the present limit of 25 rems is not reasonably achievable.

    During the Nuclear Hearings of the RCEPP, when asked why there was no public participation on the IOWG, the President of the AECB replied that "it is none of the public's business".

30. According to current AECB licensing criteria, which have been in existence for more than ten years, no member of the public shall be exposed to more than 25 rems of whole body radiation or more than 250 rems to the thyroid in the event of any "dual mode" failure (i.e. a failure of two independent systems simultaneously). Traditionally, the dual mode failure of most concern has been a LOCA accompanied by a loss of containment, since this creates a path to the atmosphere for radioactive materials to escape. However, it is possible that other types of dual mode accidents, not now considered in much detail, could be far more dangerous than this one.

    In their Summary Argument to the RCEPP, Gordon Edwards and Ralph Torrie discussed several types of dual mode accidents which could lead to a complete core meltdown. These include

    1. loss of regular coolant plus loss of emergency coolant,
    2. loss of regular coolant plus failure to shutdown, and
    3. loss of regulation plus failure to shutdown.
    In cases (2) and (3), there would be a power surge which could cause overheating and disassembly of the core, probably leading to a core meltdown.

    The dual mode accidents discussed in the previous paragraph have not been considered to be of major public significance by the AECB, because the containment system is assumed to be intact. However, since a complete core meltdown will inevitably breach the containment (see Note 3), this assumption is unwarranted. In addition to melting through at the bottom of the reactor, a core meltdown can create a direct path to the atmosphere by overpressure damage caused by the generation of large volumes of non-condensable gases, or by projectiles hurled through the containment by the steam explosions and/or the chemical explosions which would accompany such a meltdown. These details are confirmed by the Rasmussen Report.

    For more details on potentially catastrophic dual mode failures, see the Edwards/Torrie Summary Argument to the RCEPP, available from CCNR.

31. Specifically, the IOWG proposals are to set limits of radiation exposure for members of the public according to the following scheme:

    IOWG PROPOSALS	Calculated Probability of Nuclear Accident	Permissible Radiation	Dose of (in rems)
    		Whole Body	Thyroid
    mostly single-mode failures	1 in 10 1 in 100 1 in 1000	0.05 0.50 5.00	0.50 5.00 50.00
    mostly dual-mode failures	1 in 10,000 1 in 100,000 1 in 1,000,000	10 100 1000	100 300 1000

    These limits are considerably more lax than the existing limits of 25 rem to the whole body and 250 rems to the thyroid for any dual-mode failure.

    The IOWG also recommends in a famous "loophole clause", that the above limits of radiation exposure may be increased by a factor of 10 if it proves uneconomic for the designers or the operators of a nuclear plant to stay within the above limits. For a discussion of the loophole clause, see INTERNAL SAFETY DOCUMENT #5: [ Letter from T.J. Molloy to RSAC and Report to the President of AECB. ] (See Note 46.)

    Any accident with a calculated probability of less than 1 in 10 000 000 need not be considered at all in the regulatory process, according to the IOWG. In other words, there is no limit to how much radiation members of the public may be exposed to in such circumstances. In this connection, see Notes 30 and 32.

32. At Pickering, there are a number of engineered systems which are of principle importance in safeguarding against accidental releases of radiation. Very few of these systems have been able to meet their availability targets, despite the fact that these targets are used in calculating the probabilities of hypothetical accidents.

    Containment

    The containment system is a case in point. In every official accident analysis, it is assumed that the containment is unimpaired 99.9 percent of the time. This is very far removed from the actual operating experience at Pickering (see Note 16).

    Emergency Cooling

    Similarly, the ECCS is assumed to be available 99.9 percent of the time in official accident scenarios, but it has not been available as often as it should at Pickering. Consider the following quotations, taken from the same two reports as those cited in Note 16:

    "The expected unreliability of the emergency core cooling system remains unacceptably high. . . . One shutdown cooling isolating valve . . . failed to open on routine testing on October 19. It had last been tested successfully on October 12. The valve was then opened manually and left open until November 12 when it was repaired during an outage." [ unavailability of ECCS = about13 times the target]

    Pickering GS. Quarterly Technical Report,
    Fourth Quarter, 1973 (Ontario Hydro).

    "A fault occurred on each of units 1, 2 and 4, which caused actual past unavailability [ of ECCS; emphasis in original ] . . . . Unit 1 -- On January 30, during routine testing of the shutdown cooling isolation valves, the motor. . . burnt out while re-closing, leaving the valve jammed in the closed position. [ unavailability of ECCS = about 4 hours, almost twice as high as the target unavailability of 1 in 1000 ]. Unit 2 -- On March 26, the dump tank outlet valve . . . could only be partially re-closed during a routine test [ unavailability of ECCS = about 102.5 hours; more than 47 times higher than the unavailability target ]. Unit 4 -- . . . on March 19, the emergency test isolating valve . . . was left closed for a period of 66 minutes. . . . [ unavailability of ECCS = about half of the unavailability target ].

    Pickering GS. Quarterly Technical Report,
    Fourth Quarter, 1973 (Ontario Hydro).

    Loss-of Regulation

    Loss-of-regulation accidents (resulting in an uncontrolled power surge) have also occurred much more frequently than the theoretical reliability target would indicate. As the RCEPP notes, "there were in fact (if the commissioning period is included) six loss of regulation accidents within four years. This compares very unfavourably with the design target of 1 in 100 years." (A Race Against Time, p.79)

    In a loss-of-regulation accident, "operation at excessive fuel power levels could lead to melting of the UO2 fuel and/or failure of the fuel sheaths and/or overpressure rupture of the heat transport system [ i.e. a LOCA ] if not promptly terminated. In such an event, "the containment might not be able to cope with the energy release", and it is suggested that even scramming the reactor might not prevent consequences from occurring. (scram = fast shutdown) (Source: AECL Publication pp. 32, 1977.)

    Pipe Breaks

    The probability of a large pipe break causing a LOCA is officially estimated at about 1 in 1000 reactor years of operation. With 100 reactors operating in Canada at some future date, therefore, we might expect a major LOCA about once every ten years. However, there is reason to believe that the actual frequency of large pipe breaks could be considerably higher than the theoretical figure.

    As the Lewis Committee (set up by the U.S. Nuclear Regulatory Commission to review the Rasmussen Report) points out, the "estimate of failure probability distribution of pipes . . . spans several orders of magnitude," so that any probability estimate for a pipe break could be out by a very large margin. Moreover, the probability estimates for pipe breaks in a nuclear plant are based on past experiences in non-nuclear industries, which, the Lewis Committee observes, "could be different from cases in which high pressure and high radiation flux occur simultaneously. . . the estimates are no longer 'objective' according to our use of the term, and all of the value judgments must then be made visible and the scope of the uncertainties discussed and estimated." (See also Note 39)

    Lewis Committee Report, NUREG/ CR.-0400,
    U.S. Nuclear Regulatory Commission,
    September 1978.

33. A Race Against Time, pp. 78-79.

34. The danger, of course, is twofold: one, that we are dead wrong in our probability assumptions; and two, that accidents will happen which nobody ever even thought about -- like the Brown's Ferry fire in Alabama in 1975, started by a workman with a candle, which managed to incapacitate seven independent systems, including the regular cooling, the low-pressure emergency cooling, and the high-pressure emergency cooling of the 1100 MW reactor. Only chance and determination prevented a meltdown, as the operators, in a smoke-filled control room, with an inoperative internal communication system, rigged up spare pumps (never designed to perform a safety function) to keep the core from boiling away its vessel-full of water. The man who designed the safety systems at Brown's Ferry, and later resigned in concert with two of his colleagues to dramatize the safety issue, was General Electric Nuclear Engineer Gregory Minor, whose testimony to the Cluff Lake Board of Inquiry can be found in the Cluff Lake Transcript.

35. See Note 30.

36. A Race Against Time, p.79. This is taken straight from the Rasmussen report, which estimates the probability of a core melt as 1 in 20,000 per reactor per year. The estimate is presented by Dr. Rasmussen as "realistic" rather than "conservative", with the caveat that it could be out by a factor of five either way. Thus the probability could be as high as 1 in 4000 or as low as 1 in 100,000. With 100 reactors operating, therefore, one might have to expect a meltdown about once every forty years.

    However, Canadian nuclear proponents have argued that the probability of a meltdown in a CANDU reactor (caused by a loss of both regular and emergency cooling) would be less than one in a million. They reach this conclusion by the following "sophisticated" analysis:

    Probability of a Pipe Break:	1 in 1000
    Probability of no ECCS:	1 in 1000
    Probability of meltdown:	1 in (1000 x 1000) = 1 in 1,000,000

    In their Summary Argument to the RCEPP, Gordon Edwards and Ralph Torrie argued that the probability of a small pipe break was at least ten times larger than the probability of a large pipe break, because there is so much more small piping in the CANDU reactor. They also demonstrated, using the operating record of Pickering, that the unavailability of ECCS was closer to 1 in 100 than to 1 in 1000. See Note 32 for more detail. This leads us to a revised probability estimate for meltdown as (1 in 100) x (1 in100) = 1 in 10,000. The RCEPP has accepted this estimate as "more realistic" than the industry's estimate (A Race Against Time, p.78). With 100 reactors operating at some future time, if this figure too could be out by a factor of five either way, we might expect a meltdown as often as once every twenty years.

    In view of the dispute between the Canadian nuclear proponents and their critics over the probability of a meltdown, the following reflection by Norman Rasmussen at the Cluff Lake Board or Inquiry may be of interest:

    "That probability of 1 in 20,000 was substantially higher, in fact, than people in the nuclear industry had at least felt it was prior to the time we did this study. I think if you would have interviewed people in the nuclear industry, they would have estimated it would be 1 in a million to melt the core. In fact, I myself, had made such an estimate prior to doing this study, and those who say I went in with a preconceived idea -- I may well have, but I found out it was wrong by about a factor of 50, by our best estimate after careful study."

    One of the reasons for the high probability obtained by Rasmussen is the much greater frequency of small pipe breaks compared with large pipe breaks.

    Aa for the CANDU reactor, Dr. Rasmussen had this to say:

    "I spent a day, three or four years ago, at Ontario Hydro, discussing American light water reactors and CANDU reactors, and I have read some literature on the CANDU so I have some understanding of what they are and what safety problems the have. And my conclusion is, although the Canadian design philosophy differs in some of its approaches as to how one determines what is a safe reactor, that it achieves in my judgment, about the same safety level so far as I can tell."

    Norman Rasmussen, testifying at the
    Cluff Lake Board of Inquiry,
    RCEPP-R1061, p. 8629.

    It is clear from the context that Rasmussen is thinking about complete core meltdowns in making this statement.

37. A representative of Ontario Hydro, under cross-examination at the Royal Commission on Electric Power Planning, went so far as to say that the probability of a meltdown in a CANDU reactor is less than 1 in 10,000,000, although he admits that he knows of no study which reaches this conclusion. He also believes, without the benefit of proof, that a certain piping system in the concrete floor of the Pickering reactor building can cool overheated nuclear fuel sufficiently to prevent a melt-through. This possibility was outright rejected by Norman Rasmussen's study team (see Note 3). According to the Rasmussen Report, once a meltdown progresses to a certain point, nothing can stop it. You may cool the outside of the molten mass, but the intense heat generated from within will still devour any structural materials in its way. Rasmussen figures that melt-through would occur in less than an hour, and that no effective preventative measures can be taken at that stage.

38. This came as quite a surprise to me. I thought that Canadian nuclear proponents had based their conviction that nuclear power is safe on the fact that the possibility of catastrophic accidents had been carefully studied and shown to be of no real concern. The truth of the matter is that scientists in the Canadian nuclear establishment have not even thought about potentially catastrophic accidents, except in the vaguest of ways. Such an attitude is not very reassuring.

39. This, of course, is WASH-140O, the Rasmussen Report (also known as the Reactor Safety Study), published by the U.S. Nuclear Regulatory Commission. The Lewis Committee (mentioned at the end of Note 32) has concluded that the error bands in Rasmussen's probability estimate are certainly understated, and that the health risks from reactor accidents were so badly misrepresented in the Executive Summary as to be seriously misleading. Just recently, the U.S. Nuclear Regulatory Commission withdrew most of its support for the Rasmussen study, saying that it "does not regard as reliable the Reactor Safety Study's numerical estimate of the overall risk of a reactor accident. . . . The Commission withdraws any explicit or implicit past endorsement of the Executive Summary [ of the Safety Study, because the summary ] is a poor description of the contents of the report, should not be portrayed as such, and has lent itself to misuse in the discussion of reactor risks."

    It is sobering to realize that all of the risk estimates from reactor accidents submitted to the Royal Commission on Electric Power Planning by Atomic Energy of Canada Limited, Ontario Hydro, and the Atomic Energy Control Board were based on the Executive Summary of the Rasmussen Report.

    The Inhaber Report, published by the Atomic Energy Control Board, also bases its estimate of public risk from nuclear accidents on the Executive Summary of the Rasmussen Report. The Inhaber Report concludes that nuclear power is safer than almost any other form of energy, including solar space heating for homes! It is much more open to criticism than the Rasmussen Report -- CCNR hopes to prepare a critique of the Inhaber Report later this year.

40. See also Notes 30 and 36.

41. I recently had an experience with an "available" safety document that was worthy of Franz Kafka. Having been informed by telephone that the controversial "Pickering Loss-of-Coolant Accident Report" had finally been made publicly available by Ontario Hydro (after eighteen months of wrangling), I asked that a copy be sent down to me here in Montreal. Instead, they sent a man down by plane, who took a taxi from Dorval Airport to Vanier College with the document in his briefcase, allowed me about two hours to look at it, would not allow me to photocopy a single page, a single table, or a single chart, and then flew off again!

42. See, for example, the Ontario Hydro Memorandum to the RCEPP entitled Generation, Nuclear: ". . . The consequences of possible failure in the high quality routine operating systems would be mitigated by reliable safety systems which are designed to limit radiation exposure of members of the public to values less than those set by the regulatory agency in Canada. . . . [ The safety systems include ] an emergency coolant injection system [ ECCS ] to provide water for adequate cooling of the reactor fuel should all other means of cooling the fuel be unavailable." (pp. 17-19)

    See also the AECL submissions to the RCEPP on reactor safety.

43. See, for example, the Ontario Hydro Memorandum to the RCEPP entitled, Generation: Technical : ". . . The AECB establishes radiation doses to the public during normal and abnormal nuclear station conditions. . . . The AECB issues licenses [when they] are convinced that adequate safety will be provided. . . . The stations contain engineered safety systems which act to limit the consequences of any unlikely event [ and to ] prevent the release of radioactive material in excess of regulatory limits under the most severe postulated conditions." (pp. 2.1-40,41 -- see also Note 30)

44. When Bill Morison of Ontario Hydro was asked under cross-examination at the RCEPP if he would make relevant safety calculations available for scrutiny, he replied that he would not. When John Sainsbury was asked if AECL would supply the detailed calculations showing that very little radioactivity would escape into the atmosphere even if one million curies of iodine-131 were released from the piping system and, simultaneously, there was a hole in the containment system (see Note 9), Mr. Sainsbury replied that the information is classified "and is therefore not available". (Letter dated January 25, 1979.) Mr. Sainsbury is Manager of the Licensing Branch of Reactor Performance Engineering for AECL.

45. "When an issue is, at once, as complex and as crucial as is the case with nuclear power, then a responsible dialogue and extensive, wide-ranging public participation are fundamentally important if wise and just decisions are to be made. . . . We have concluded that if an informed and reasonably sophisticated public involvement in the energy debate is to be achieved, then greater and freer public access to information is essential. . . . An aura of secrecy still shrouds the contemporary nuclear industry . . . [which] has often led to public suspicion that unfavourable data are withheld. . . . The nuclear industry must continue to become more open to public scrutiny."

    A Race Against Time, p.65.

46. The accompanying internal safety documents are replete with examples. In INTERNAL SAFETY DOCUMENT #1, "Committee members pointed out that maintenance of the sheath [ i.e. no fuel failures following a LOCA ] is very important to certain safety arguments made in public." (p.2) Again, in INTERNAL SAFETY DOCUMENT #5, "Some members were concerned about possible public reaction to publication of [ the IOWG Safety ] requirements containing such an escape clause [ referring to the additional factor of ten increase in radiation limits described in Note 31 ] . . . . One member felt that the Board, in writing regulations under the new act, should keep to itself such judgments, thus making it unnecessary to state that exceptions to the design criteria would be made." (p.2)

47. The U.S. Nuclear Regulatory Commission has set a precedent by establishing the Lewis Committee to independently assess the Rasmussen Report (see Notes 8, 32 and 39). In announcing their withdrawal of support for the Rasmussen study, the US NRC indicated that reactors which have been licensed in the U.S. on the basis of Rasmussen's calculations will have their licenses reviewed.

---

GLOSSARY

AECB:	The Atomic Energy Control Board is the Canadian Nuclear Regulatory Agency, responsible for licensing nuclear facilities in accordance with regulations which it sets, so as to protect the public from nuclear hazards. The AECB also sets permissible levels of radiation exposure for workers and for the public.
AECL:	Atomic Energy of Canada Limited, a Federal Crown Corporation charged with the task of conducting nuclear-related research and development and marketing its products, both here and abroad.
CCNR:	The Canadian Coalition for Nuclear Responsibility, a broadly based, loosely knit coalition of over 200 member groups across Canada. The Coalition has been asking for a national inquiry into nuclear power since its founding in 1975. It has called for a temporary moratorium on the licensing of new nuclear facilities until such an inquiry has been completed.
Cladding:	Synonymous with "sheath".
Core:	The central part of the reactor, which contains the uranium fuel, and which must be cooled at all times -- even after shutdown.
Curie:	Unit of measurement for radiation; one curie is equivalent to 37 billion radioactive disintegrations per second (it's a lot!). See also "rem".
Dual Failure:	A nuclear accident involving the simultaneous failure of one "process system" and one "safety system". "Process systems" include the primary cooling system and the power regulation system; "safety systems" include the containment system, the ECCS, and the emergency shutdown systems.
Dual-Mode Failure:	Synonymous with Dual Failure.
ECCS:	The emergency core cooling system, designed to supply emergency cooling to the core of a nuclear reactor in the event of a LOCA.
Fission Products:	The highly radioactive substances which are created inside the sheath during the nuclear fission process; literally, the fission products are "broken bits of uranium atoms".
Fuel Failure:	A rupture of the sheath of irradiated nuclear fuel, thereby releasing radioactive noble gases and iodine into the piping system of a reactor.
IOWG:	The Inter-Organizational Working Group, a small committee set up by the AECB in 1977, with representation from AECL, AECB, Ontario Hydro, Hydro-Quebec, and the New Brunswick Power Corporation, to review contentious safety issues.
Meltdown:	A nuclear accident in which the core of the reactor overheats and melts through the floor of the reactor building into the ground.
Noble Gases:	Gases which are chemically and biologically inactive, such as helium, argon, krypton and xenon. A number of radioactive noble gases are created inside the fuel sheath as fission products.
Non-Condensable Gases:	Gases which, unlike steam, cannot be condensed by a dousing system to relieve the pressure buildup caused by their generation.
NPD:	("Nuclear Power Demonstration"). The NPD reactor is a small experimental 20 MW power reactor, jointly owned by AECL and Ontario Hydro, which is used to train operators for Canadian nuclear power plants.
NSFF:	("No Significant Fuel Failures"). The original design criterion for the CANDU ECCS was that, in the event of a LOCA, there should be adequate emergency cooling to prevent fuel failures.
RALD:	The Reactor & Accelerator Licensing Division of AECB.
RCEPP:	The Royal Commission on Electric Power Planning for Ontario, which published an Interim Report on Nuclear Power in September, 1978, entitled A Race Against Time.
Reactor Core:	Synonymous with "core".
rem:	A unit of radiation exposure. Only large exposures will cause radiation sickness followed by "prompt fatality", but even small exposures may cause cancer, leukemia, or birth defects in subsequent generations. It is now generally acknowledged that the harmful effects of low-level radiation are much greater than was thought ten years ago.
RSAC:	The Reactor Safety Advisory Committees of the AECB (one in each province where there are operating reactors). These committees consist of unpaid volunteer scientists who study the Safety Reports and assist in the licensing deliberations for Canadian reactors.
Sheath:	A thin tube, made of a metal called "zircalloy", which contains the uranium fuel pellets and the dangerous fission products.
Unavailability:	A measure of the time during which a particular engineered system is incapable of performing the function for which it is designed in an unimpaired fashion, expressed as a fraction of the total time interval under consideration.
Volatiles:	Substances which are not gases at "normal" temperatures, but which can be rendered into a gaseous state by overheating.

A few recommendations from the

Ontario Legislature's .
Select Committee on Ontario Hydro Affairs

- December 1979 -

• The AECB should commission a study to analyze the likelihood and consequences of a catastrophic accident in a CANDU reactor. The study should be conducted by recognized experts outside the AECB, AECL and Ontario Hydro. It should be funded by a special grant from the Federal Government. If this study is not commissioned by July 1, 1980, the Province of Ontario should ensure that it is undertaken.

• The AECB should broaden its membership to include representation from the general public as well as the informed technical community.

• The AECB should make its proceedings of decisions more widely known. Its meetings should be open to the public unless there is a reason for keeping one closed.

• The rules under which the Board operates, including specific licensing criteria, should be the subject of public hearings when formulated or changed. The AECB should have general powers of interpretation and the power to grant exemptions. Interpretations and exemptions must, however, be publicly explained in a timely manner in the Board's reasons for a particular decision.

---

[ Reactor Accidents Sub-Directory ] [ COMPLETE DIRECTORY ]

ccnr@web.net


Since March 27th 1996, there have been over
100,000 outside visitors to the CCNR web site, plus

(counter reset July 2nd 1998 at midnight)