[ pour la version française ]
Excerpts from :
- A Race Against Time
1978 Report on Nuclear Power in Ontario by the
Royal Commission on Electric Power Planning
- AECB Submission to the Treasury Board
1989 admission of unresolved safety issues
by the Atomic Energy Control Board
- Nuclear Policy Review: Background Papers
1982 briefs prepared by Canadian nuclear experts
for the Dept of Energy Mines and Resources
- The Safety of Ontario's Nuclear Reactors
1980 Report -- one of three -- by the
Select Committee on Ontario Hydro Affairs
(an all-party committee of the Ontario Legislature)
A Race Against Time
Interim Report on Nuclear Power
~ commonly known as the
Porter Commission Report ~
and Safety Concerns
Ontario Royal Commission on Electric Power Planning
Chairman: Arthur Porter
Toronto, September 1978
from A Race Against Time, pp. 73 - 76:
All operating nuclear reactors accumulate in their cores, as we have indicated, a large quantity of radioactive material. For the most part this is made up of fission products, many of which are short lived and usually very radioactive, and the actinides (e.g. plutonium-239) which are very long lived and highly toxic substances.
By definition, a major reactor accident would lead to the severe overheating, and subsequent melting, of the nuclear fuel, which would give rise to a substantial quantity of radioactive material escaping, after breaching several formidable barriers, into the environment.
The major health and environmental threat would be due to the escape of the fission products to the atmosphere. The most important of these are caesium, ruthenium, tellurium and the fission gases, iodine, krypton and xenon.
Although no such major accident has ever occurred anywhere on earth, it is assumed that if a substantial quantity of radioactivity were to be released to the atmosphere, the radioactivity would collect in a "cloud" and would be carried down wind.
The closer to the reactor building (or within the building), the greater the probability of an individual's being exposed to intense radiation. At distances of two or three kilometres, depending on wind velocity, the cloud would begin to disperse (the dispersal zone could extend to distances of several hundred kilometres) and radioactive materials would be deposited on the ground. In consequence, both prompt and latent cancers would be produced.
It is generally agreed that the greatest threat to health in the event of a major reactor accident is the considerable quantity of the radio-isotope iodine-131 (with a specific activity of 120,000 curies/gram, and a half-life of 8.2 days) which would be released to the atmosphere.
It is well known also that iodine-131, after ingestion or inhalation, concentrates in the thyroid gland and may cause, after a latency period, thyroid cancer. The threat to children in such circumstances is particularly serious because the iodine-131 could be ingested in the form of contaminated milk. A measure which has been proposed to minimize the effect of iodine-131 is the administration of an appropriate dose of potassium iodate within an hour of the ingestion of the radioactive isotope.
Because of its half-life of about 8 days, iodine-131 remains highly radioactive for a few weeks. Subsequently, the major contributor to the radiation field is caesium-134 with a half-life of two years. The radioactivity arising from this isotope would persist for many years.
Apart from the direct radiation to which individuals might be exposed in consequence of the released radioactivity, there would also be a threat to the public in the immediate vicinity of the affected nuclear power station, from radioactively contaminated food and water.
The emergency measures which would be necessary in the event of such a major accident would vary with the circumstances. Immediate evacuation of people living in the vicinity, and down wind, of the station might be necessary. Furthermore, the long term hazards, mentioned previously, would necessitate the isolation of contaminated food and water, and local decontamination procedures and the evacuation of people from heavily contaminated areas might be essential. The existing contingency plans are discussed in a later section.
When we talk about the safety of a nuclear reactor, we are referring essentially to how effectively the fantastic amount of radioactivity contained in the reactor core can be prevented from escaping into the ground and atmosphere in the event of major malfunctions.
Clearly, if a major release of this accumulated radioactivity occurred, as discussed in the previous section, the consequences would be extremely serious and could involve several thousand immediate fatalities and many more delayed fatalities.
from A Race Against Time, pp. 78 - 79
During normal operation, not only is a great deal of radioactivity created in the reactor core but also a great deal of thermal energy [heat]. If the shutdown system fails to operate in response to a fuel temperature rise, caused by a major rupture in the primary coolant circuit, a rapid escalation of heat and temperature would occur. The purpose of the ECCS [EMERGENCY CORE COOLING SYSTEM] is to remove the heat from the core as rapidly as possible.
If, however, both primary coolant and emergency coolant fail there would probably be partial or complete melting of the reactor core. An uncontained complete core meltdown would almost certainly give rise to a large release of radioactivity, the consequences of which were discussed previously.
This would only occur, however, in the very unlikely event of the containment system -- both reactor building and vacuum building -- being breached. [Note that, in the case of a dual mode (or triple mode) failure accident, leading to core meltdown, the vacuum building relieves pressure buildup -- steam is condensed by water sprays -- and also helps to contain the radioactivity.] This could happen, for example, if the melted fuel were to fall to the reactor floor, melt through the floor, escape into the earth and contaminate a large area.
But both Ontario Hydro and AECL have stressed that, in their opinion, even in the highly improbable event of a core meltdown, the containment system would hold. The main reason for this high degree of confidence is the fact that the melted fuel would first fall into the large volume of cool heavy water moderator (about 400,000 litres). This would act as a heat sink -- approximately four hours would be required to evaporate the water, during which period the decay heat of the fuel would be about 1 per cent of that at full power.
Furthermore, the designers contend that the cooling system embedded in the reactor floor combined with an external water source, which could be hooked up manually, would be able to cope with the residual heat.
Assuming absolute independence of the process and safety systems, the probability of a core meltdown per reactor at Pickering is said to be in the order of 1 in 1,000,000 years [once in a million years] . At Bruce, because there are two independent shutdown systems (i.e. shutdown rods and "poison" injection), the theoretical probability per reactor might be considerably lower, perhaps in the order of 1 in 1,000,000,000 years [once in a billion years] .
However, two well-informed nuclear critics who participated in the hearings, Dr. Gordon Edwards and Ralph Torrie, have argued that the probability of a dual failure could be about 100 times higher than the theoretical levels. This estimate is based on failure rates in the high pressure piping of the primary heat transport system being 10 times higher than has been assumed, and also on the fact that the availability of the Pickering ECCS [EMERGENCY CORE COOLING SYSTEM] has been demonstrated to be 10 times lower than postulated by the designers. We believe that the Edwards/Torrie estimate [ of 1 in 10,000 ] is more realistic than the theoretical probability, not least because the Rasmussen Report has concluded that the probability of an uncontained meltdown in a light water (U.S.) reactor is 1 in 20,000 per reactor per year (it has been suggested, moreover, that this figure could be out by a factor of "5 either way").
Assuming, for the sake of argument, that within the next forty years Canada will have 100 operating reactors, the probability of a core meltdown might be in the order of 1 in 40 years, if the most pessimistic estimate of probability is assumed.
Evidence to support the Edwards/Torrie position, which is available in the Pickering Safety Reports, indicates that there were in fact (if the commissioning period is included) six loss of regulation accidents within four years. This compares very unfavourably with the design target of one in 100 years. However, as a result of a major study, involving Ontario Hydro and AECL, several improvements have been incorporated, and there has not been a loss of regulation accident since April, 1975.
We have noted also that the emergency core cooling system has not met the design targets although there is evidence that the reliability of the system is improving.
Of more serious concern is the fact that a leak was discovered in the wall of the Pickering unit 2 reactor building in June, 1974, and may have existed for 1 and 1/2 years -- this leak "would have reduced the ability of the containment system to limit radioactive release after any unit 2 accident since the beginning of 1973".
Measures which have been taken subsequently have resulted in design target levels being achieved. But the concern nevertheless persists because, as Ralph Torrie has pointed out, the "Pickering unit 2 containment would have to operate within target levels for 500 years before the average annual availability would be back within the bounds of the annual regulatory limit".
In assessing the legitimacy of the above limits it should be stressed that no study similar to the Rasmussen study has been undertaken in Canada to assess the reliability of the reactor system as a whole and the consequences of major CANDU reactor accidents.
Atomic Energy Control Board
Ottawa, October 16, 1989.
from AECB Submission to the Treasury Board of Canada
- This submission addresses the question of whether the resources of the AECB should be increased to provide more effective, thorough and timely regulation of the nuclear industry and hence to ensure that industry adequately protects health, safety, security and the environment, and whether to make this regulation more visible to the public.
- An outline of the deficiencies that exist in the regulation of nuclear reactors, radioisotopes, and several other specific areas is presented. Comparisons are made with other countries, and the recommendations of the Standing Committee on Energy, Mines and Resources and other independent observers are outlined.
- The conclusion of this analysis is that the Atomic Energy Control Board (AECB), the federal agency responsible for nuclear regulation since 1946 under the Atomic Energy Control Act, does not have the resources to regulate major sections of the nuclear industry with the thoroughness and effectiveness that is needed to ensure industry is meeting its safety obligations, and that the Canadian public would expect.
- Over the last 37 years, the federal government has spent about $4 billion in nuclear energy research and development, leading to the development of an industry which is estimated to contribute $4 billion annually to the Canadian economy and 30,000 direct jobs, many in high-tech fields.[ A detailed analysis of federal subsidies to nuclear energy research and development shows that the actual figure is about 4 times larger than that given here. ]
By 1993, two thirds of Ontario's electrical power will be generated by nuclear energy. Clearly, nuclear energy has been and can continue to be the source of substantial benefits to Canadians.
If sufficient care is taken by designers, operators and users, nuclear energy can be used safely. Effective regulation is essential to ensure such care is taken so that the clear benefits of nuclear power can be realized. Ineffective regulation can be an underlying cause of a severe accident, as it was at Chernobyl.
- Many Canadians are not prepared to accept assurances of safety that are not demonstrable and transparent. The government announced, through its Regulatory Reform Strategy, that the Minister of Energy, Mines and Resources is to consider ways to increase the transparency and openness of the AECB, the composition of the Board, and the desirability of expanding the number of members to include representatives of industry, labour and the public. If implemented, these measures should contribute to public confidence. This submission addresses in part, the response to that strategy.
Nuclear Power Plants
- When modern nuclear power plants were being designed in Canada two decades ago, their complexity and potential for catastrophic consequences were recognized. The plants were designed to high standards, and special safety systems were incorporated to prevent or reduce the consequences of malfunctions. Reactor designers and owners adopted a relatively simple process for evaluating plant safety. "Worst credible" accident scenarios were investigated to ensure that their consequences would be acceptably low. It was then assumed that the consequences of less severe but more likely accidents would be acceptable.
Since that time, experience in Canada and the rest of the world has demonstrated that this approach to safety is too simplistic. It is recognized now that, through the combination of a series of comparatively common failures which, on their own, are of little consequence, accidents can develop in a myriad of ways (as demonstrated most vividly at Three Mile Island and Chernobyl). This makes the calculation of consequences of potential accidents very difficult, research to simulate accident consequences is often incomplete, and, perhaps most significant, human errors are an unquantifiable element.
As a result, there is a legacy of unresolved safety issues that should be addressed further. This issue is particularly important as twelve of Canada's largest reactors are close to Toronto.
- AECB's review of safety has also been too simplistic. Spot checks of a fairly small number of the key areas were thought to be sufficient. These spot checks have uncovered enough safety problems to demonstrate that more thorough review is essential, since the risk posed by nuclear power plants may be higher than once believed.
- The size and complexity of the task of ensuring and demonstrating the safety of nuclear power plants has not increased suddenly -- it has been building up for the last decade. It has led reactor designers, operators and regulators around the world to demand far more thorough analyses which are far more complex, and a far more detailed understanding of how a plant can malfunction, than was required in the past.
The task is overwhelming the AECB. It does not have the resources to analyze and understand this increased level of knowledge and information. Three examples will illustrate the problem.
- The licensing of Darlington nuclear power plant may be delayed significantly (at a cost of about $20 million per month) because the AECB did not have the staff to verify that the Darlington shutdown system met adequate standards.
- Retraining of reactor operators has never been reviewed by the AECB, despite finding many shortcomings in their initial training. A recent review of operational safety by a team from the International Atomic Energy Agency (IAEA) has confirmed that retraining is not up to the same standards as initial training, and that the AECB should establish requirements in this area.
- The first analysis by a licensee that attempts to identify realistic causes of accidents at a Canadian nuclear plant has still not been reviewed by the AECB, a year and a half after receiving it.
- Atomic Energy of Canada Limited (AECL) has requested a regulatory review of its new CANDU-3 design. The AECB cannot meet AECL's request as it cannot responsibly devote resources to an uncommitted project when it cannot even address the issues relating to operating reactors. As a result, the marketability of the CANDU-3 may be prejudiced as it relies on "up front" licensing to reduce its capital costs to make it competitive. New Brunswick, Saskatchewan, Ontario and most recently, Quebec, are all considering CANDU-3 , as are some foreign countries.
- Reports of significant events that have occurred in Canadian reactors show that human error plays a part in more than 50 percent of all such events. Both the nature and the probability of human error is difficult to quantify, and hence the probability of serious accidents which are a combination of system failure and incorrect human response is difficult to predict. To understand the contributions of human error to accidents, and ensure they are factored into plant design and operators' training so that accidents like Three Mile Island can be avoided, cannot be done with current resources.
- The consequences of a severe accident can be very high. The accident at Chernobyl has cost the Soviet economy about $ 16 billion including replacement power costs. The accident has generated anti-nuclear sentiment in the USSR and throughout the world. Three Mile Island has cost the USA $ 4.8 billion even though the Three Mile Island accident had essentially no radiation impact on the public. The accident was a major contributor to the public distrust of nuclear power in the USA.
- The years of successful accident-free operation which are a hallmark of the Canadian nuclear program are not, by themselves, proof of adequate safety. Canada has amassed about 170 years of operation of large reactors, compared with 480 years in the US and 270 years in the USSR at the time of Three Mile Island (1979) and Chernobyl (1986) respectively. The likelihood of serious accidents cannot be judged from statistics such as these, and CANDU plants cannot be said to be either more or less safe than other types.
- Each year there are a variety of significant events at Canadian nuclear power plants with safety implications. There is a significant backlog of required maintenance, operating documentation is out of date, inspections are incomplete and deficiencies in operating plants may require design modifications.
The AECB has concluded that operation of the Bruce A station during 1987 was only marginally satisfactory and that significant improvements were necessary. Ontario Hydro has accepted this conclusion and is now increasing operating and maintenance staff levels at all of its plants.
These observations clearly indicate that a strong regulatory agency is essential to ensure industry meets its obligations to operate safely.
- Despite the problems discussed in this document the AECB still concludes that nuclear power plants are acceptably safe. However "safe" does not mean "risk-free". It means that, on balance, the benefits of generating electricity with nuclear power plants outweigh the risks. This is a judgment by the AECB based on its technical evaluations and inspections.
Given the potential consequences of severe accidents everything possible should be done in order to increase the confidence in the AECB's judgment by improving the depth and breadth of its technical evaluations and inspections. The AECB considers that the scope and depth of the reviews on which it makes its judgments currently is insufficient. The resources needed to ensure that licensees are taking all possible measures to prevent accidents and for the AECB to take enforcement action when they do not are also currently insufficient.
- As with most other countries, including the USA, Canada's regulatory philosophy has been that the licensee -- the owner and operator of a nuclear facility -- has the primary responsibility for the safety of both workers and the public. The task of the regulatory body is to ensure that responsibility has been properly discharged.
The philosophy must not change. What must change, even though licensees such as Ontario Hydro are highly competent, is the depth and rigour of the regulatory audit. The regulator must be as competent and up to date as the licensee to ensure deficiencies are both identified and corrected.
- Although no formal consultation with the nuclear industry has taken place, discussions with Ontario Hydro and AECL show that they support an increase in the Board's resources to ensure it is a strong, publicly visible regulatory body, that can respond in a timely and competent manner to their requests for licensing review, and agree that in certain areas an increase in the depth of regulatory audit may be justified. They would not support an increase which would result in unnecessary questions, and would strongly oppose an increase that would imply any switch of the primary responsibility for safety from them to the AECB. The AECB believes the resources it seeks is consistent with these views.
Nuclear Policy Review
Cat. No. M23-14/81-2E
Energy Mines and Resources
Government of Canada
from Nuclear Policy Review: Background Papers
LOSS OF COOLANT ACCIDENTS
[WITHOUT FUEL MELTING]
The major concerns in considering a LOCA [LOSS-OF-COOLANT ACCIDENT] are the radiation doses which would be received by an individual living near the plant boundary and the total radiation dose to all the people in the vicinity of the plant. The predicted consequences are subject to uncertainties in many areas. Three of the major areas of uncertainty are:
i) the quantity of radioactive gases and vapours which escape from the fuel and into the reactor containment building;
ii) the quantity of radioactive gases which escape containment;
iii) the weather conditions which prevail at the time of the accident.
The uncertainties in the quantity of radioactive gases and vapours which escape from the fuel include the uncertainties about the effectiveness of any ECCS [EMERGENCY CORE COOLING SYSTEM] .
Will the ECCS [EMERGENCY CORE COOLING SYSTEM] be successful in rewetting and cooling the fuel in the reactor as predicted on the basis of extrapolations from laboratory tests? Is it possible that the rewetting of some fuel channels will delay for an extended period of time the rewetting of others due to ''short-circuiting'' of the emergency coolant? Will fuel bundle and fuel channel distortions under accident conditions interfere with cooling by the ECCS [EMERGENCY CORE COOLING SYSTEM] to the point that additional gaseous fission products will be released from the uranium oxide fuel?
There are no simple answers to these and other questions and therefore an analysis of the consequences of a LOCA [LOSS OF COOLANT ACCIDENT] involves a process of conservative assumptions in some cases and best engineering judgment based on extrapolations from available experimental information in others.
The uncertainties in the quantity of radioactive materials which escape containment are associated with the deposition of fission products in containment, the efficiency of filters, the correctness of operator actions associated with venting of the containment, and the leak tightness of the containment.
Weather conditions can also be a significant variable. For a given release of radioactive material from the plant, the predicted radiation dose to an individual at the plant exclusion boundary could easily vary by a factor of ten or more depending on the assumptions that are made with respect to the prevailing weather conditions and therefore the dilution of radioactive materials in the atmosphere.
There is a fourth factor which would affect the radiation dose to people; protective actions such as evacuation of the affected populace or distribution of tablets of a stable iodine compound. Use of such tablets can greatly reduce the radiation dose resulting from inhalation of radioactive elements of iodine.
The assumption is made that there would not be any evacuation of people or distribution of tablets despite the fact that the release of radioactive materials are assumed to continue for many days.
from Nuclear Policy Review: Background Papers -- pp. 210-211:
Core meltdown accidents of the type to be described here have never occurred in any commercial power reactor, although the sequence of events at Three Mile Island went partway along the path. Nor has any study on core meltdown accidents been done for the CANDU reactor (although initial examination of possible sequences is being sponsored as part of the AECB's research program).
CORE MELTDOWN ACCIDENTS
In the absence of relevant Canadian information, the work done by N. C. Rasmussen, as described in the Reactor Safety Study (WASH-1400) issued in 1975 by the U.S. Nuclear Regulatory Commission is used. The following information borrows extensively from that document and although not strictly applicable to CANDU reactors, does give useful illustrative information on very serious potential accidents.
The differences in the design of CANDU and U.S.A. light water reactors can significantly alter the sequence of events, and can reduce or increase the probability and the consequences of an accident.
from Nuclear Policy Review: Background Papers -- pp. 210-211:
The Reactor Safety Study defined two broad types of situation that might potentially lead to melting of the reactor core: a LOCA [LOSS OF COOLANT ACCIDENT] , and transients.
[LOSS OF COOLANT ACCIDENT] , the normal cooling water would be lost from the main cooling system but core melting would normally be prevented by the action of the ECCS [EMERGENCY CORE COOLING SYSTEM] .
- In the event of a LOCA
However, if the ECCS [EMERGENCY CORE COOLING SYSTEM] failed to act, melting of metallic components of the core and eventually of the uranium oxide fuel itself would probably occur.
The term ''transient'' refers to those situations where there is an uncontrolled increase in reactor power or a loss of normal cooling flow, both of which require the reactor to be shut down. Following shutdown, the decay heat removal systems act to keep the core from overheating.
However, if the reactor fails to shut down or the decay heat removal systems fail, melting of the core would ensue.
The Rasmussen study conservatively assumed that if any melting occurred, then complete core melting would occur. It was then predicted that the molten core, consisting of a mixture of molten uranium oxide, stainless steel, zirconium, and other core structural materials, could melt through the bottom of the 20 cm thick steel reactor vessel and through the 3.69 metre thick concrete base slab of the containment structure.
The study estimated the time for going through the reactor vessel to be 1 to 1 and 1/2 hours and through the base slab to be an additional 13 to 28 hours. The molten mass was then predicted to sink into the ground an additional 3 to 15 metres before coming to rest.
(This sequence of events is often referred to as the ''China Syndrome'', because the molten core heads in the general direction of China.)
However, much of the core's radioactive material, which strictly speaking has escaped from containment, is prevented from reaching the environment because the ground acts as an effective filter. Further, considerable radioactive decay would have occurred by the time groundwater leaching could contribute to the spread of contamination. Thus, while this was considered the most likely sequence following a major core meltdown, it would not necessarily produce a dispersal of the bulk of the core's radioactive material into the environment.
Much larger consequences could be associated with core meltdowns which also cause failures in the containment structure above ground. If the containment sprays malfunction or are damaged by flying debris (generated by a LOCA [LOSS OF COOLANT ACCIDENT] or transient) the steam being released from the reactor core would not be condensed.
This steam, along with various vapours and noncondensible gases, could cause failure of the containment structure due to overpressurization.Hot zircaloy from the fuel sheaths and steel would also react with water to produce large volumes of hydrogen. Detonation of this hydrogen (reacting with oxygen) might damage the containment or, if not, the heat of combustion combined with high steam pressure would at least add to the pressure loads on the structure.
A further contributor to containment pressurization would be the large quantities of carbon dioxide generated as the molten core melts through the concrete base slabs. Another possibility is one in which the molten fuel falls into the pool of water in the bottom of the reactor vessel with the formation of flying debris which could, in turn, damage the containment structure. All post-meltdown occurrences which threaten todamage or breach the containment structure can result in the release of substantial amounts of radioactive material to the environment.
from Nuclear Policy Review: Background Papers -- pp. 210-211:
Consequences and Frequency
The Reactor Safety Study calculated the health effects and the probability of occurrence for many possible combinations of radioactive material release magnitude, weather conditions, and population exposure. In addition to these health effects, a nuclear accident may contaminate the surrounding area and require relocation of the populace.
The Safety of Ontario's
Select Committee on
Ontario Hydro Affairs
an all-party committee of
the Ontario Legislature
Toronto, June 1980.
fromThe Safety of Ontario's Nuclear Reactors -- pp. 9 - 10
It is not right to say that a catastrophic accident is impossible . . . . The worst possible accident . . . could involve the spread of radioactive poisons over large areas, killing thousands immediately, killing others through increasing susceptibility to cancer, risking genetic defects that could affect future generations, and possibly contaminating large land areas for future habitation or cultivation.
fromThe Safety of Ontario's Nuclear Reactors -- p. 37The AECB should commission a study to analyze the likelihood and consequences of a catastrophic accident in a CANDU reactor. The study should be directed by recognized experts outside the AECB, AECL and Ontario Hydro. It should be funded by a special grant from the federal government. If this study is not commissioned by July 31, 1980, the province of Ontario should ensure that it is undertaken.
[ N O T E :
SUCH A STUDY
HAS NOT YET
BEEN CARRIED OUT ]
[ Reactor Accidents Sub-Directory ] [ COMPLETE DIRECTORY ]
Since March 27th 1996, there have been over
100,000 outside visits to the CCNR web site, plus
(counter reset June 3rd 1998 at midnight)