V. SAFETY ISSUES AND RECOMMENDATIONS

As the Committee reviewed and analyzed the information regarding aspects of the Fukushima Daiichi accident, we, the members, raised a series of questions regarding safety issues, i.e., emergency power, long-term cooling, containment performance, SFPs, emergency response, plant siting, and design-basis events. In this section we provide a summary of our safety-related recommendations that evolved from the discussion of these questions. The complete set of our questions and answers can be found at the ANS Web site (http://fukushima.ans.org/).

We want to emphasize that these recommendations are consistent with most of the regulatory issues that have been raised by national and international bodies. However, our emphasis is not to directly suggest what regulatory rules or process changes are needed; rather, we focus on the key technical issues that would be the basis for any specific set of regulatory actions.

There is no aspect of the Fukushima Daiichi accident that a priori indicates that the level of safety of NPPs in the United States is unacceptable. The Committee agrees with the U.S. Nuclear Regulatory Commission (NRC) Near-Term Task Force (NTTF) that the current level of safety provides adequate protection to the health and safety of the U.S. public. However, from a public confidence viewpoint, it is unacceptable to have an accident of the visibility and societal consequences of the Fukushima accident occurring somewhere in the world every 25 to 30 years.

There are some major lessons to be learned from the accident that relate to observed vulnerabilities in the design and operation of the Fukushima Daiichi NPPs and to weaknesses in the ability of the NPPs to respond to such an extreme event. We need to examine each of these observed vulnerabilities to see how they relate to U.S. NPPs and address those issues, as necessary.

The following recommendations are consistent with our general conclusion. These recommendations are strictly motivated by our understanding of the Fukushima Daiichi accident and technical shortcomings observed. These recommendations are largely embodied within the suggested regulatory actions proposed by the NTTF.

V.A. Risk-Informed Regulation

The scope of reactor safety design and regulation should be reviewed to consider the adequacy of design bases for natural-phenomenon hazards and the need for extension of the design basis in a graded manner, using risk information, into what have previously been considered beyond-design-basis accidents (BDBAs). A key NTTF recommendation was that such a “risk-informed” approach to safety be installed as the basis for regulation, and we concur.

Historically, nuclear reactor regulations have focused on providing high assurance that events within the design basis of the NPP would not result in severe fuel damage or in a substantial off-site release of radioactive material. Since the release of the NRC’s “Reactor Safety Study” in 1975 (WASH-1400), it has been recognized that reactor risk for the current generation of NPPs is dominated by BDBAs involving substantial fuel melting and failure of the reactor containment. The TMI-2 accident largely confirmed the recognition of the risk dominance of these BDBAs. Some requirements have been imposed on licensees related to beyond-design-basis conditions, such as hydrogen mitigation devices in some NPP designs. In general, though, the insights from risk information and safety assessments have been used to reduce design vulnerabilities that would lead to beyond-design-basis events rather than the mitigation of the consequences of those events.

We are quite aware that a risk-informed approach is a long-term effort and is technically complex. It may lead to a change in the scope of regulatory requirements for beyond-design-basis events, including the development of deterministic acceptance criteria for risk-dominant accident sequences and end states. This could impact both existing and future NPPs. Thus, specific regulatory changes motivated by the Fukushima Daiichi accident should be carefully evaluated from a risk perspective, with input from all stakeholders, including the public, existing NPP owner/operators, and NPP designers.

V.B. Hazards from Extreme Natural Phenomena

The tsunami design bases for the Fukushima NPPs were not consistent with the level of protection required for NPPs. If the return period for a tsunami of the magnitude experienced in Japan is as short as reported (once every 1000 years), a risk-informed regulatory approach would have identified the existing design bases as inadequate.

It has long been recognized that external events, particularly seismic and external flooding events, could be substantial contributors to risk because of the potential for multiple common-cause failures. The Fukushima Daiichi accident raises the issue of whether past risk assessments have underestimated the relative importance of natural-phenomenon hazards to NPP risk. There is little question that the methods of analysis used for analyzing internal event risk are more developed and have smaller associated uncertainties than those used to assess the risk of low-frequency natural-phenomenon hazards.

The NRC is requiring that the design bases for all U.S. NPPs be reviewed for natural-phenomenon hazards to assure that they are consistent with the existing regulations. The NRC should also undertake a review of regulations for each of the natural-phenomenon hazards to determine whether they are appropriately risk-informed. For example, the current regulatory approach in the United States for establishing a design basis for floods is deterministic, based on the concept of the maximum possible rainfall. This type of concept, even though inconsistent with nature, may work effectively when dealing with common engineering concerns like assurance of a low frequency of dam failures or bridge failures. However, the criteria that we have established for NPPs are much more stringent. Although it is very difficult to deal with low-probability events, this is the perspective needed for a risk-informed treatment of natural-phenomenon hazards. Such an approach to regulating hazards from extreme natural phenomena should be undertaken.

As part of this approach, the NRC should periodically reanalyze and potentially redefine the design and licensing basis for severe natural events (earthquakes, floods, tsunamis, hurricanes, tornadoes, and fires) using the latest, accepted, best-estimate methodologies with quantified uncertainties and data available that are well vetted and have a strong consensus of technical experts. All risks to NPPs from severe natural events should be periodically (e.g., every decade) reassessed using the same methodologies and data. Based on the outcome of the assessment, the NRC may mandate improvements based on cost-benefit analyses.

V.C. Multiple-Unit-Site Considerations

Recognizing that the high cost and lengthy schedule to obtain site approval are powerful incentives for multiple-unit sites, we recommend that a multiple-unit risk assessment be performed whenever a unit is added to a site. Such a risk analysis should include sensitivities to determine the extent to which multiple-unit considerations increase or decrease the risk. Factors to consider include (1) the extent of system inter-ties between units; (2) reduction of common-cause vulnerabilities (e.g., enhance diversity of locations for EDGs to defeat floods, fires, and plane crashes; enhance physical separation of units to prevent unit-to-unit spreading of problems caused by external as well as internal events such as turbine blade missiles); (3) availability of staff and resources to address a severe accident impacting multiple units simultaneously; (4) effect of potential source terms (e.g., consideration of reactor size, i.e., small modular reactors versus large monolithic NPPs); (5) high degree of standardization among units (i.e., shared learning); (6) shared equipment (e.g., shared EDGs and venting pipes), which has implications for both economics and safety; and (7) impact of multiple-unit cooling.

V.D. Accident Diagnostics Tool

Provide the operators with information regarding the accident progression (e.g., estimates of time to fuel uncovery, time to reach suppression pool saturation, and time to reach containment design pressure), which can then allow them to identify the most effective strategy to manage a prolonged SBO or another BDBA sequence. This information might be provided in the form of pre-prepared charts or generated for the actual conditions of the NPP by a faster-than-real-time simulator that can predict the gross behavior of the essential NPP subsystems (i.e., RPV, suppression pool, and containment) under beyond-design-basis conditions, especially before substantial core damage occurs, so that core damage can actually be prevented.

V.E. NPP Hardware Design Modifications

Analysis of the Fukushima Daiichi accident has identified a series of hardware-related modifications, which may be addressed by near-term regulation. Their relevance and applicability are plant specific; i.e., these changes simply may not be needed in many NPPs, or an alternative approach may be implemented to achieve the intended safety improvements. Ultimately, some type of cost-benefit analysis would determine which improvements make sense for each NPP. Furthermore, if taken one at a time, resolution of these hardware issues may lead to unintended systems-interaction effects. For example, early venting to permit continued RCIC system operation has the potential for conflict with the desire to delay containment venting as long as possible to minimize the release of radioisotopes. Another example is the desire to depressurize the RPV in order to permit low head alternate pumps to be able to add water, which can conflict with the need to have sufficient RPV pressure to run the RCIC/HPCI systems. Therefore, an overall systems-interaction study needs to be undertaken when looking at the combined effect of these recommendations to be certain that substantial safety benefits are actually realized.

We recommend the following:

  1. Reviews of current flooding protection for DC batteries should be made and additional protection provided, or independent connectable DC power should be provided. Direct-current power, especially for instrumentation, is critical for operators to know the current state of the reactor and containment and therefore be in a position to execute emergency procedures accurately. In addition, the power supplies needed for critical instrumentation and critical valve operation (including valves that actuate passive safety systems) or control functions [e.g., steam-driven auxiliary feedwater systems (AFSs)] should be sufficient for the full coping time, currently 4 to 8 hours in the United States, which is likely to be increased to the 24- to 72-hour range by the NRC and industry.

  2. Reviews of the current capability to defend against floods should be done and changes made, if necessary, to ensure that adequate dike height and a minimal set of on-site AC power sources are available. This could include adequate protection of EDGs and/or diversity in power and water sources and location for an alternate AC power source as defined in 10 CFR 50 [14]. NPP equipment added to meet either aircraft crash impact (10 CFR 50.150 [15]) or loss of large area (Interim Compensatory Measures Order EA-02-026, Sec. B.5.b, now 10 CFR 50.54(hh)(2) [16]) could also address this recommendation.

  3. Improve the robustness of the RCIC system in BWRs. Currently, RCIC system longevity in an SBO is limited by a number of factors:

a. High suppression pool temperatures can lead to pump cavitation (net positive suction head problems) or problems in cooling the shaft bearings.

b. High containment pressures may cause the turbine to trip.

c. An inadequate DC power reserve may lead to loss of the ability to control the RCIC system.

d. A high room temperature may make access for manual operation difficult.

e. Current emergency procedure guidelines require emergency RPV depressurization when the suppression pool temperature becomes high.

We note here that there is new hardware available that is capable of operating indefinitely even without AC or DC power or operator intervention, if there is the ability to vent the containment to maintain suppression pool temperatures at <120°C (248°F). The same technology is used for steam-driven AFSs in PWRs, so PWRs could also benefit from the adoption of improved steam turbine–driven pumps.

  4. Improve primary coolant pump seal leakage for SBO scenarios in PWRs. With no seal cooling, significant pump seal leakage may occur. Hardware fixes are known to exist for a few pump models, but coverage of the PWR fleet does not exist at this time.

  5. Improve the reliability of the ability to depressurize the RPV and maintain it depressurized in SBO conditions. The isolation condenser system or the RCIC system (HPCI system) should not be the single line of defense for fuel safety in an SBO in BWRs. Since the most likely alternate emergency pumps are low pressure, the ability to use them requires reliable depressurization. An additional consideration for NPPs that use direct-acting SRVs is the assurance that these valves can be opened and remain open with high containment back pressure. In PWRs, reviews should be made of the ability to reduce primary- and secondary-system pressures to allow alternate low-pressure makeup under extended SBO conditions, in case of failure of the AFS.

  6. Improve the reliability of the containment hard-piped vents, and extend the application to all Mark I, II, and III BWR containments. In SBO or any other emergency in which the ability to remove heat from the containment is lost, these containments must be vented in <1 day to avoid containment overpressure failure.

a. The current configurations should be reviewed for valve type, failure mode upon loss of power, or compressed nitrogen.

b. If rupture disks are used, it should be possible to bypass them (or to burst them) in order to permit venting at low containment pressure and when the core is safe to support long-term RCIC system operation by limiting the peak suppression pool temperature.

c. Vent exhaust should be to a dedicated release point, not to a common header that could allow backflow to other NPPs or buildings.

  7. Review the current NPP instrumentation with a view of providing the operator with more knowledge about the course of a degraded core accident, for example,

a. thermocouples in the RPV, including the lower head, that can read temperatures up to 1000°C (~1800°F)

b. hydrogen concentrations and gross gamma radiation measurements at key locations in the reactor building in BWRs.

  8. Review key instrumentation in BWR containments as well as penetrations or other seals for operability and accuracy during an extended SBO, considering that under some circumstances portions of the drywell, wetwell, and/or suppression pool may exceed the qualification temperature that has historically been based on design-basis loss-of-coolant-accident considerations.

  9. As a defense-in-depth measure, system studies should be made of the efficacy of providing hydrogen mitigation in the reactor building that surrounds BWR containments. The type of technology (e.g., fail-open louvers, igniters, passive autocatalytic recombiners, or active hydrogen recombiners), number and location of devices, and expected rates of local accumulations if containment leaks occur should all be inputs to the study.

  10. As a defense-in-depth measure, previous studies of the use of filters on containment vents in both PWRs and BWRs should be updated to include the effects of extended SBOs. The efficacy—considering potentially high steam/gas temperatures being processed—impact on residual risk to the local environment, etc., should be included in order to determine the benefits compared to the costs of any implementation. European experience and testing should also be included.

  11. The possibility of an earthquake that damages the SFP wall and liner, causing spent-fuel containment of the water to be lost, should be evaluated. Because the SFPs are outside the reactor containment, to mitigate the consequences of such an accident, a hardened means (e.g., a strong pipe) should be provided that would allow the continued provision of water to the SFPs from the outside, without resorting to improvised approaches such as a helicopter water drop or concrete fire pump. Note that most NPPs in the United States already have hardened makeup-water paths for SFPs, as a result of the NRC-mandated post-9/11 safety and security enhancement efforts. A wide range of water-level measurements and temperature measurements for SFPs should also be made available to the operators in the control room.

V.F. Severe Accident Management Guidelines

Immediately following the Fukushima Daiichi accident, the NRC surveyed U.S. NPPs to determine how effectively severe accident management guidelines (SAMGs), a voluntary initiative of the industry, had been implemented in U.S. NPPs. The results of that review indicated inconsistencies and deficiencies, particularly with regard to the training of personnel. The approaches taken by the different owners’ groups toward the development of SAMGs were found to be substantially different. The NRC needs to develop a consensus with industry regarding the intent and scope of SAMGs, including the manner in which they interface with emergency operating procedures. Then, the SAMGs need to be revised at NPPs according to the new criteria. To the extent that the SAMGs require information regarding the status of NPP parameters, additional instrumentation (appropriately qualified) may need to be installed into operating NPPs.

Examples of additional considerations include the following:

common-mode failures at multiple-unit sites, e.g., loss of common heat sink

proximity effects from multiple units, i.e., problems at one reactor cascading into problems at adjacent units

specific consideration of the use of seawater, where appropriate

shutdown accidents (e.g., SFP inventory, RPV draining, dropped fuel bundle)

potential need for additional backups (Plan B), including managing reactor pressure while depressurizing to permit continued RCIC/HPCI system operation

early containment venting, if no fuel failure, to support extended operation of the RCIC/HPCI systems.

V.G. Command and Control During a Reactor Accident

One serious issue that arose from the Fukushima Daiichi accident was an unclear chain of command when the site emergency was declared. The Committee recommends that the predefined command-and-control system currently employed in the United States for emergency situations at NPPs be reviewed to ensure that necessary accident management decisions can be taken promptly at the proper operational level. It is important to have a chain of command that can react swiftly to an accident and thereby minimize the overall consequences for society, i.e., where responsibility and competence are properly matched.

V.H. Emergency Planning

The need for a clear approach to emergency planning in case of a serious accident is recognized in the United States. In the case of the Fukushima Daiichi accident, the Japanese government issued notices for mandatory evacuation of residents within 12 miles of the site and voluntary evacuation within 18 miles of the site immediately following the declaration of a site emergency. Subsequently, the NRC in collaboration with other federal agencies issued an evacuation alert for U.S. citizens within 50 miles of the site. At the time, the NRC justified the alert on the basis of a loss of water inventory in the SFP of Unit 4 and the subsequent possible release of radioactive materials outside of containment. The NRC News Release [17] that provided the technical basis for the evacuation decision was puzzling, since it was based on technical calculations from a simplified computer model for upper-bound radioactive material releases from severe reactor accidents, not for the spent fuel.

Although this concern of SFP overheating and fuel damage was found to be incorrect, the technical basis for this decision was never clarified. The Committee feels that the technical basis should be clarified to better understand the source of the uncertainties. Also, a more risk-informed approach to emergency planning should be developed for U.S. NPPs. The DOE has expertise in this area, and the NRC should work together with the DOE to improve emergency planning activities.

V.I. Health Physics

The Committee collected information that has been published in the open literature for radiation exposure, release and deposition of radioactive materials, and contamination of water and food sources. It is important to note that data collection and analyses continue as this report is being written. It is too early to make any firm conclusions regarding these data and the definitive health impacts to workers or to members of the public. While these data do suggest that off-site health consequences may be minimal, it will take much longer to confirm the health impacts. 

V.J. Societal Risk Comparison

We recommend that a quantitative assessment of the societal benefits and risks relating to all energy sources be performed. The assessment should take into account the following aspects: (1) risk from accidents; (2) risks from normal operation such as release of effluents; (3) reliability/continuity of supply (e.g., intermittency of renewables); (4) indirect costs to secure the fuel supply (i.e., military efforts dedicated to ensuring stable oil flow to the United States); and (5) the cost of the energy technology, including both internal costs and externalities. The Committee is aware of the ExternE project (1995) [18] by the European Commission as an example of past work that could be used as a starting point for a future study.