ECCS Integrity Questioned
Prior to the end of the 1960s, the Atomic Energy Commission (AEC) viewed the containment building as the final independent line of defense against the release of radiation. It was generally accepted that even during a severe accident, the consequences would only be felt within the containment. In 1967 a special task force commissioned by the AEC to look into the problem of core melting (China Syndrome) presented their findings that showed that under certain severe accident conditions the integrity of the containment could be breached. This finding forever changed the U.S. government's approach to nuclear power plant regulations. Regulatory focus began to shift from containment design to preventing accidents severe enough to threaten containment. This was the job of a properly designed and functioning ECCS.
The problem facing the AEC regulatory staff was that experimental work and experience with emergency cooling was very limited. Finding a way to test and to provide empirical support for the reliability of emergency cooling became the central concern of the AEC's safety research program. Plans had been underway since the early 1960s to build an experimental reactor, known as the Loss-of-Fluid-Tests (LOFT) facility, at the AEC's reactor testing station in Idaho. Its purpose was to provide data about the effects of a loss of coolant accident. For a variety of reasons, including weak management of the test program, a change of design, and reduced funding, progress on the LOFT reactor and the preliminary tests that were essential for its success were chronically delayed. Despite the complaints of the ACRS and the regulatory staff, the AEC diverted money from LOFT and other safety research projects on existing light-water reactor designs to work in the development of fast-breeder reactors.
In early 1971, some tests in the Semi-Scale Facility at the Idaho National Reactor Testing Station suggested that design of Westinghouse's PWR ECCS was deficient. The experiments were run by heating a simulated, nine-inch core electrically, allowing the cooling water to escape, and then injecting the emergency coolant. To the surprise of the investigators, the high steam pressure that was created in the vessel by the loss of coolant blocked the flow of water from the ECCS. Without even reaching the core, about 90 percent of the emergency coolant bypassed the core and went out the simulated pipe break.
While the Semiscale experiments were arguably not accurate simulations of designs or conditions in power reactors, the outcome of the tests introduced a new element of uncertainty into assessing the performance of ECCS. The AEC's dual role of prompting nuclear power and regulating the industry made addressing this issue difficult. For these reasons, the AEC sought to resolve the ECCS issue as promptly and quietly as possible. It wanted to settle the uncertainties about safety without arousing a public debate that could place hurdles in the way of the bandwagon market.
To address the safety issue the Commission decided to publish the "interim acceptance criteria" for emergency cooling systems that licensees would have to meet. It imposed a series of requirements that it believed would ensure that the ECCS in a plant would prevent a core melt after a loss of coolant accident. The AEC did not prescribe methods of meeting the interim criteria, but in effect, it mandated that manufacturers and utilities set an upper limit on the amount of heat generated by reactors. In some cases, this would force utilities to reduce the power rating of their plants.
When the implications of the Semiscale experiments reached the public, complaints about the AEC's handling of the issue ranged from polite criticism to calls for a licensing moratorium and a shutdown of the eleven plants then operating. Activists from the Union of Concerned Scientists (UCS) sharply criticized the adequacy of the interim criteria. Scientists at the AEC's national laboratories, without endorsing the alarmist language that the UCS used, shared some of the same reservations. This influenced the Atomic Safety and Licensing Board to announced that in light of the uncertainties about ECCS and the interim criteria, it lacked sufficient information to approve new license applications. This opened the way for intervenors in other proceedings to challenge the adequacy of ECCS regulations, and within a short time, led the AEC to convene hearings on the ECCS issue.
Unfortunately, instead of acknowledging the potential significance of the ECCS problem and taking time to fully evaluate the technical uncertainties, the AEC acted hastily to prevent the issue from undermining public confidence in reactor safety or causing licensing delays. This gave credence to the allegations of its critics that it was so determined to promote nuclear power and develop the breeder reactor that it was inattentive to safety concerns. In light of the objections to the interim acceptance criteria for ECCS that the AEC had published in June 1971, the agency decided to hold a rulemaking hearing on the issue that would apply to all licensing cases. The ECCS hearings got underway in early 1972 and stretched 135 days over a period of a year and a half. When they ended, the transcripts of the proceedings filled more than 22,000 pages. The ECCS hearings lead to a final rule that made some small but important revisions in the interim criteria. They also produced acrimonious testimony and front-page headlines that often reflected unfavorably on the AEC's safety programs and that further damaged its credibility.
The political fallout from the public scrutiny of the AEC resulted in a changes in top level personnel. AEC Chairman Seaborg was replaced by Schlesinger in 1971 and then halfway through the ECCS hearings Schlesinger was replaced by Dixy Lee Ray. Management of the LWR safety research under Milton Shaw, the Director of the Division of Reactor Development and Technology, was the focus of considerable scrutiny. A series of articles appeared in Science magazine that presented serious allegations of inpropriety by that division. These included the allegation that money was bootlegged from the water reactor safety research to accelerate the breeder program and that the division had shown considerable indifference toward needs of the regulatory branch for technical help and forbade direct contact between safety researchers and the AEC regulatory staff.
In 1973, Dixy Lee Ray moved control of the LWR safety program to a new Division Director and pushed for a major expansion in the funding for LWR safety. While Dixy Lee Ray's skills were less nuclear and more as a communicator, this action spurred a huge level of research, particularly in the area of Emergency Core Cooling Systems.
Unfortunately, the changes made at the AEC came to late to save that institution. Political pressure and public scrutiny remained at a high level. Possibly the straw that broke the camels back came in September of 1974 with a very public resignation of a respected technical leader at the Idaho National Engineering Laboratory. His letter of resignation was published on the front page of the New York Times and specified serious allegation against the AEC. The final fallout from the ECCS controversy was the breakup of the AEC. The Energy Reorganization Act of 1974 split the AEC into the Nuclear Regulatory Commission (NRC) and the Energy Research and Development Agency (ERDA). ERDA survived for just a couple of years and was then reorganized into the Department of Energy.
The new emphasis on LWR safety following the ECCS hearings was heavily focused on the Loss-of-Fluid-Test Facility in Idaho.
The Loss-of-Fluid Test Program - Large Break LOCA Studies
The LOFT Program, as initially conceived in 1963, was to investigate the consequences of a large-break LOCA in a commercial PWR due to the rupture of a primary coolant pipe. The entire experimental program was to be limited to a few nonnuclear (with a core simulator) experiments simulating ruptures in reactor primary coolant pipes and one nuclear experiment simulating a rupture in a reactor primary coolant pipe that would result in meltdown of the reactor core. The original goal was to provide quantitative information which would assist in more accurately defining the hazards that might be associated with a large break LOCA.
As the AEC began to recognize the possibility of loss of containment integrity, the LOFT Program was modified to study large-break LOCA phenomena in more detail to remove the uncertainty that clouded this event. This effort was coupled with the need to verify the capability of analytical methods to predict the LOCA response of large power reactors, the performance of engineered safety systems, and the margins of safety inherent in their performance.
A final design change was made in 1969 as the ECCS controversy began to heat up. The LOFT facility would included advanced engineered safeguards with an emphasis on the ECCS. The test program would also be heavily focused on test examining the interaction of ECCS with the coolant system during a LOCA.
The LOFT integral experiment facility was designed to be a scale model of a commercial PWR. In general, coolant volumes and flow areas in LOFT were scaled using the ratio of the LOFT core power (50 MWt) to a commercial PWR core power (3000 MWt). The figure below shows the general layout of components in the test. While the project had been underway since 1963, it wasn't until 1971 that the containment vessel construction was completed. It would be another four years until the remaining construction would be completed. Nonnuclear testing began in 1976 and the first test series - the nonnuclear loss-of-coolant experiment (LOCE) - was completed in April 1978. The first nuclear large break LOCE was performed in December 1978. New issues of relevance arose following the Three Mile Island Accident near Harrisburg, Pennsylvania. By the end of 1982, a diverse set of 43 nonnuclear and nuclear test were perform in the LOFT facility. These included a spectrum of small to large breaks, anticipated transients without scram, station blackout, and loss of feedwater.
The primary application of LOFT research results has been to verify the capability of the Nuclear Regulatory Commission's best-estimate thermal-hydraulic computer codes such as RELAP and TRAC and to assess the conservatisms of the "Evaluation Model" Methodology that commercial power plants must performed as part of their plant safety analysis. To establish improved or "best-estimate" understanding of reactor phenomena, a methodology was established for comparing calculational differences between computer code results from models of LOFT and a commercial PWR. An iterative effort was carried out during the LOFT project and afterwards that involved an extensive study of calculational uncertainties to understand the root cause of calculation differences between LOFT and commercial PWR modeled events. The results from the 43 test provided a large database of information that was used to improve human understanding of phenomena occurring during a LOCA event.
Probably the most interesting finding from the LOFT large break LOCA test was the assessment of the conservatisms of the "Evaluation Model" used for nuclear power plant safety analysis calculations of large break LOCAs. The "Evaluation Model" was one of the major results from the ECC Hearings in the early 1970s. The procedures and requirements for nuclear power plant, large-break LOCA modeling are described in Appendix K of 10CFR50 (Code of Federal Regulations). "Appendix K", as it is normally referred as, provides a conservative approach to defining safety limits for thermal-hydraulic phenomena. This was necessary in light of the phenomenological uncertainties of the LOCA event in the early 1970s. During the LOFT large break LOCA experiments, a number of realities came to light that quantified the degree of conservatism of the Appendix K approach. The relative conservatism of Appendix K was specifically addressed in the areas of
The LOFT experimental program examined a full range of possible nuclear power plant upset events. Most of these were examined during the early part of 1980s. The LOFT program, as originally conceived, was primarily designed for large break LOCA studies; but events, such as the Three Mile Island accident, introduced new opportunities to expand the scope of the active experimental program.
Probabilistic Risk Assessment
Prior to the breakup of the AEC, the AEC commissioned the "Reactor Safety Study" report, also known as the Rasmussen report or by its document number WASH-1400. The purpose of the study was to estimate the probability of a severe reactor accident, an issue that the AEC had never found a satisfactory means of addressing. To direct the study the AEC had recruited by Norm Rasmussen, a professor of nuclear engineering at MIT. Rasmussen, assisted by AEC staff members, applied new methodologies and sophisticated "fault-tree" analyses to project the likelihood of a serious nuclear accident.
The Rasmussen report, while hailed as a pioneering effort that enlightened a complex subject, also drew criticism from both inside and outside the NRC. Some authorities suggested that the study failed to account for the many paths that could lead to major accidents. Others complained that the data in the report did not support its executive summary's conclusions about the relative risks of nuclear power. After considering the arguments on both sides of the issue, the Commission in January 1979 issued a policy statement that withdrew its full endorsement of the study's executive summary.
This luke warm support would soon haunt the NRC as they would received much of the blame for creating the conditions that would exasperate the accident at Three Mile Island. Nevertheless, after the accident at Three Mile Island (TMI), which was economically disastrous but not injurious to public health, the contributions that PRA studies could make to reactor safety were recognized. PRA studies of existing plants are now conducted to (1) determine areas that are significant contributors to the probability of a severe accident and (2) evaluate the effect of proposed design or operating changes on severe accident probability and consequences. A PRA assessment of the ability of new plant designs to reduce the probability of severe accidents is one of the ways such designs are now evaluated. Since thermal-hydraulic design changes are likely to be partially evaluated through a PRA study, an acquaintance with general approach is required.
The Accident at the Three Mile Island Power Plant
Much has been written to account the events that happen on March 28, 1979. While no lives were lost and relatively little radiation released offsite, the accident resulted in a total loss of the three month old plant; thus, costing the utility billions in its investment, cleanup and, eventually, the complete decontamination and decommissioning. At this high cost much was learned about the safety of light-water-reactor nuclear power plants. There was some good news - the containment performed as was hoped - and there was a lot of bad news. Nonetheless, the accident at TMI spurred a lot of safety research that to some extent continues today.
The accident at TMI-2 didn't have to happen. In fact, a very similar accident occurred at a sister plant 18 months earlier. The primary difference in the earlier accident was that the plant was operating at a very low power. Following an investigation of that accident, safety engineers for the plant designer, Babcock and Wilcox, realized that improper operator response to this accident could cause a serious accident. Bert Dunn, manager of the safety analysis division, drafted a memorandum for distribution to owners of all Babcock and Wilcox plants that underscored the potential dangers of this situation and advised specific operator guidance that would've likely prevented the total loss of the TMI-2 plant. Unfortunately, this message was never received by the personel responsible for operating the Babcock and Wilcox designed plants.
The TMI-2 reactor was a standard Babcock and Wilcox PWR. This reactor consists of a reactor vessel, a pressurizer, four coolant pumps, and two once-through steam generators. Hot-leg piping carries heated coolant from the two reactor outlet nozzles to the inlets of the steam generators. Two cold-leg pipe runs from each steam generator provide paths for coolant to be pumped to the reactor inlet nozzles. Typical engineered safety system features include the control rods, high-pressure injection (from the emergency core cooling system), borated water storage tank, and the building sump (for ECCS recirculation water supply).
Even with the establishment of stable cooling in the TMI-2 core, the effects of the accident were far from over. The utilities, Metropolitan Edison and General Public Utilities, faced the task of recover use of the TMI-2 facility and modifying the similar TMI-1 unit to allow resumption of service. The nuclear industry began taking steps to reduce the likelihood of further accidents in reactors of the same and different designs. In addition, a wide range of government investigations, including that of the President's Commission on the Accident at Three Mile Island (also called the Kemeny Commission), were begun.
The commissions final report was released to the public on October 31, 1979. Its findings and recommendations took to task the reactor operators, the utility, the nuclear industry, and especially, the U.S. Nuclear Regulatory Commission. The recommendations section of the report is extensive. It called for sweeping changes in the operation and regulation of nuclear reactors. Its seven parts include the following important observations and recommendations:
1. The Nuclear Regulatory Commission - has "a number of inadequacies" such the Kemeny Commission "proposes a restructuring" that concentrates the agency's responsibilities more on reactor safety.
If there was one area to find fault with that mostly influenced the consequences of the TMI-2 accident, it would likely be traced to the human error resulting from inadequate presentation of plant data in the control room. The plant itself performed as expected and even the Kemeny Report agree that the event validated some aspects of the engineered safeguards. Despite the substantial degree of core melting that occurred, containment was not breached. From all indications, the amount of radioactivity released into the environment as a result of the accident was very low. With TMI the human error would become part of a new focus for the industry with regard to safety research at the end of the 1970s and into the 1980s.
2. The Utility and Its Suppliers - "must dramatically change its attitudes toward safety and regulations" and "must also set and police its own standards of excellence to ensure the effective management and safe operation of nuclear power plants."
3. Training of Operating Personnel - need the "establishment of agency-accredited training institutions for operators and immediate supervisors of operators" with utility and NRC responsibility for adequate reactor-specific training.
4. Technical Assessment - improve the person-machine interface, probably using computers, perform risk assessment with emphasis on small-break LOCAs including multiple failures and special attention to human failure, and research LOCA-scenario areas where data is insufficent.
5. Worker and Public Health and Safety - research low-level and other effects and assure that the utilities conduct advance planning for emergency radiation response.
6. Emergency Planning and Response - "must detail clearly and consistently the actions public officials and utilities should take in the event of off-site radiation doses resulting from release of radioactivity" and should educate the public about nuclear power, radiation, and protective actions.
7. The Public Right to Information - federal and state agencies as well as the utilities "should make adequate preparations for a systematic public information program so that in time of a radiation-related emergency, they can provide timely and accurate information to the news media and the public in a form that is understandable.
1) R. A. Knief, Nuclear Energy Technology, Hemisphere Publishing Company, New York, 1981.
2) NRC SHORT HISTORY, http://www.nrc.gov/who-we-are/short-history.html.
2a) "Containing the Atom: Nuclear Regulation in a Changing Environment, 1963-1971, University of California Press, 1992.
3) D. Okrent, Nuclear Reactor Safety: On the History of the Regulatory Process, University of Wisconsin Press, 1981.
4) Parris Emery, "America's Atomic Sweetheart: Dixy Lee Ray, A Biography of Washington's Maverick Governor," 1982.
5) L. S. Tong and J. Weisman, Thermal Analysis of Pressurized Water Reactors, American Nuclear Society, La Grange Park, Illinois, 1996.