Safety of CANDU Nuclear Power Stations

by V.G. Snell

Dr. Snell heads a section within the Safety Branch of the Reactor Performance Engineering Group, Engineering Company, AECL, Sheridan Park, Ontario. A high energy physicist by training, Dr. Snell has had several years' experience in safety analysis of nuclear power systems.

November 1978 AECL-6329


A nuclear plant contains a large amount of radioactive material which could be a potential threat to public health. The plant is therefore designed, built and operated so that the risk to the public is low. Careful design of the normal reactor systems is the first line of defense. These systems are highly resistant to an accident happening in the first place, and can also be effective in stopping it if it does happen.

We back up the normal systems with special independent and redundant safety systems. Their sole purpose is to minimize the effects of an accident, or to stop it completely. They include shutdown systems, emergency core cooling systems, and containment systems. We also show that massive impairment of any one safety system, together with an accident, can be tolerated. This "defense in depth" approach recognizes that men and machines are imperfect and that the unexpected happens. The nuclear power plant need not be perfect to be safe. To allow meaningful judgments, we must know how safe the plant is. The Atomic Energy Control Board guidelines give one such measure, but there are several reasons why these may over-estimate the true risk. We interpret the guidelines as an upper limit to the total risk, and trace their evolution.

Résumé (French abstract):

A nuclear power station contains a large quantity of radioactive materials that could threaten public health. Consequently, the station is designed, built and operated in such a way that the danger incurred by the public is small.

Careful design of the normal reactor systems is the first line of defense. In the first place, these systems strongly resist an accident, and are moreover capable of stopping it if the accident occurs.

The normal systems are reinforced by special, independent and redundant safety systems. Their sole purpose is to reduce the effects of an accident to a minimum or to stop it completely. They include shutdown, emergency core cooling and containment systems.

The report also indicates that the massive failure of one of the safety systems, coinciding with an accident, can be tolerated.

This "defense in depth" recognizes that man and his machines are not perfect and that the unexpected can happen. But the nuclear station need not be perfect to be safe.

In order to make good decisions, the degree of safety of the station must be known. The guidelines of the Atomic Energy Control Board give a certain measure of it, but there are several reasons to believe that the true danger may have been overestimated. The report interprets these guidelines as an upper limit on the total danger and traces their evolution.


NATURE OF RISK

• No activity is without some measure of risk.

• Most industrial activity involves some public risk. Some of this risk is chronic, such as the continuous release of toxic chemicals by trucks, foundries and coal-burning power plants, and the continuous release of small amounts of radioactivity by nuclear power plants. Society limits the amounts of these releases to various degrees. For nuclear plants, the Atomic Energy Control Board sets limits which minimize the risk to public health [1].

Some risk is acute (accidents), e.g. large releases of toxic chemicals, explosions, dam failures, collapse of structures. The only difference between these postulated accidents and a postulated accident in a nuclear plant is that the public risk from the latter is radiological rather than chemical or physical. A nuclear plant has no large inventories of toxic, easily-dispersed chemicals, and simply cannot explode like an atomic bomb. Only accidents which can potentially release large amounts of radioactivity pose a risk to public safety.

The words "measure of risk" are important, and we shall devote the second half of this paper to attaching numbers to the risk. The first half will describe where the risks come from, and what we do (in a qualitative sense) to limit them.

SOURCES OF RADIOACTIVITY — BARRIERS TO RELEASE

Figure 1 shows the basic pieces of a CANDU* power plant. Fissioning uranium fuel in the nuclear reactor produces heat. This heat is carried to boilers by a "heavy water" coolant under pressure, which is then pumped back to the reactor core; the entire circuit is called the primary heat transport system. In the boilers the heavy water gives up the heat to ordinary water, which is turned into steam. The steam runs turbines, which power electrical generators.

As uranium fissions or "burns", it produces radioactive fission products. These fission product "ashes" contain over 99% of the radioactivity in a nuclear power plant, and are located both in the nuclear reactor itself, and in the bay where spent fuel is stored. In each location, several physical barriers lie between the radioactivity and the public, and prevent its escape.

In the reactor most of the fission products are locked inside the solid uranium dioxide fuel. They cannot escape unless the fuel becomes very hot. The fuel and the remaining fission products are sealed in metal sheaths. Figure 2 shows an assembly of sheaths, called a fuel bundle. All the fuel bundles lie inside a closed heat transport system, and the entire reactor is surrounded by a massive containment building. Finally, no member of the public may live within an exclusion zone extending for 1 km around the reactor (Fig. 3).

* CANDU: Canada Deuterium Uranium.

Figure 1 CANDU pressurized heavy water nuclear power process (labels: heat produced by fissioning uranium fuel in reactor; "heavy water" coolant transfers heat from fuel to boiler where ordinary water is turned into steam; 3. steam pressure turns turbine; 4. turbine shaft turns generator rotor to generate electricity; power lines take electric power to communities; 6. lake or river water cools used steam to condense it to water; 7. water pumped back to the boiler)

Figure 2 CANDU fuel bundle (labels: Zircaloy end cap, Zircaloy structural end plate, graphite coating, Zircaloy bearing pads, Zircaloy spacers, Zircaloy fuel sheath, uranium dioxide pellets). Over 90% of the radioactive fission products are in the solid fuel; less than 10% of the radioactive fission products are in the fuel sheath gap.

So before any radioactivity from the fuel could escape in an accident, the barriers formed by the fuel, the sheath, the heat transport system, and the containment would have to be perforated. Beyond that, the exclusion zone allows dilution of any release before it could reach a member of the public.

In the spent fuel bay, the first two barriers are again the solid fuel and the fuel sheath. The fuel bundles lie in large tanks of water. The tanks [2] are of double-walled reinforced concrete construction with an interspace between the walls. The interspace is monitored to detect and collect any leakage of water out of the bay. The bay water is also monitored to measure its temperature and to detect any leakage of radioactivity from the stored fuel (Fig. 4). The exclusion zone again allows dilution of any release.

Figure 3 Barriers to release of radioactivity (Reactor) (labels recoverable from the figure: massive concrete building; heat transport system)

Figure 4 Barriers to release of radioactivity (Spent fuel bay) (labels: outer wall, inner wall, water shielding and cooling, fuel sheath, solid fuel, air gap, leakage collection and monitoring, exclusion zone; not to scale)

ACCIDENTS — POTENTIAL CAUSES OF RELEASE

Like most metals, fuel sheaths weaken at high temperatures. Sheath integrity is therefore at risk if the cooling of the fuel is reduced relative to the power it produces.

One can imagine the following accidents causing such a mismatch:

1. The cooling remains normal, but the power rises (loss of power control).

2. The power is initially controlled, but the cooling deteriorates. This can happen:
— if there is a break in the piping of the primary heat transport circuit (loss of coolant).
— if the coolant flow over the fuel or the steam removal from the boilers is reduced (loss of cooling).

The sheath can withstand a range of abnormal temperatures and loads, and even sheath failure by itself does not imply a release of radioactivity to the public, because of other barriers which remain. We aim, where possible, to restore the appropriate power-cooling balance. How we achieve this is discussed in the next section.

Sheaths may also fail from mechanical damage, e.g. dropping a fuel bundle, during transfer from the reactor to the spent fuel bay. This can only happen to a few bundles at a time. Containment and the exclusion zone give retention and dilution for such events.

In the spent fuel bay, the power in a fuel bundle is hundreds of times lower than what it was in the reactor. It comes only from the radioactive decay of the fission products formed while the fuel was in the reactor, and cannot increase. In fact, each bundle power is continuously decreasing with time. Loss of cooling of these fuel bundles could occur by:

1. failure of bay water cooling systems, or

2. loss of bay water itself through leaks in the bay walls*.

The station operator would be alerted to the event by the monitoring systems described in Sources of Radioactivity — Barriers to Release. Because the decay power is so low, both the loss of cooling and any deterioration of the sheaths would proceed very slowly [3] (days to weeks), allowing ample time for the operator to correct the situation.

PROTECTION - DEFENSE IN DEPTH

In an earlier section, we described the barriers to release of radioactivity. In practice, good design ensures that an accident is unlikely to occur in the first place. This is coupled with strict quality control during manufacture and installation, and with periodic inspection of the major components during the lifetime of the plant [4]. Public safety is not the only motivation: an accident which takes a plant out of service costs money for replacement electricity. So there are also sound economic incentives for accident prevention, particularly for potentially frequent accidents.

* Catastrophic failure of the bay appears highly unlikely. For example, it is designed to stay intact during any earthquake likely to occur in the plant lifetime. Further, large objects, such as fuel transfer flasks which may be moved over the bay, have "cushions" provided, designed to absorb the impact energy and prevent damage should they be accidentally dropped into the bay.

Figure 5 CANDU reactor flow diagram (labels: light water steam, light water condensate, heavy water coolant, heavy water moderator, moderator heat exchanger)

Even if an accident occurs, the reactor process systems (the normal systems which are used to keep the plant running) can often stop its course or mitigate its effects. Backing these up are separate safety systems. These have one purpose: to handle accidents. They are independent of the process systems and of each other both logically and physically, and are not used in the day-to-day operation of the plant. They can, if needed, shut down the reactor (shutdown systems), refill the reactor core with coolant and remove residual or "decay" heat from the fuel (emergency core cooling system) and prevent release to the environment of radioactivity which may escape from the reactor (containment systems).

This safety approach — accident prevention, accident mitigation, and accident accommodation — is called defense in depth. It is characteristic of the design of the entire plant [5].

Figure 6 Separation of coolant and moderator (labels: coolant (heavy water), gas gap, heavy water moderator)

The approach recognizes that failures occur, and that systems and human beings are not perfect. The plant design tolerates such failures and imperfections. It need not be perfect to be safe.

We digress briefly with a thumbnail description of the reactor core. The fuel and its heavy-water coolant are contained in hundreds of horizontal zirconium alloy tubes called pressure tubes, arranged in a lattice. A horizontal, cylindrical vessel (the calandria) surrounds the pressure tube array, and contains the moderator (Fig. 5). A calandria tube, and a gas gap, insulate each pressure tube from the moderator (Fig. 6). The moderator and coolant systems are therefore separate. This is different from most other reactor types — for example, in U.S. light water reactors, one water circuit does both moderation and cooling.

The reactor control and shutdown devices are located in the moderator, but do not cross the coolant pressure boundary. They run between columns or rows of calandria tubes (Fig. 7).

With this background, we return to the three levels of defense for the classes of accidents we imagined in Accidents — Potential Causes of Release [6].

LOSS OF POWER CONTROL

Care is taken in designing the actual devices which control reactor power (e.g. light-water-filled zone compartments; absorber, adjuster and booster rods) (Fig. 7). Since they are not within the coolant pressure boundary, they cannot be expelled by coolant pressure loads. Further, they are inherently slow devices, so that maximum possible rates of power rise are modest.

Redundancy in the control system is the key to preventing an uncontrolled power rise. All important sensing instruments are duplicated, for assurance against wrong measurements. The main control computers are also duplicated. Either can, by itself, operate the plant. A continual and sophisticated system of self-checking looks for computer faults, transferring control to the standby computer if one computer fails, and shutting down the reactor if both computers fail.

Further diversity in preventing loss of power control is obtained by subsystems of the power control system, largely independent from the rest of it, whose only function is to reduce power under abnormal circumstances.

They are backed up by the shutdown systems, which are entirely independent of the power control system. They are an additional and decisive way of shutting down the reactor.

LOSS OF COOLANT

Rupture of a pipe without warning is an uncommon event in any industry. We expect that nuclear piping, with its higher standards for fabrication and inspection, will be better than average [7]. If there is a defect in a pipe, we would expect warning of pipe failure before it occurred; our tests on deliberately predefected tubes show that they leak before they break [8]. Such leaks would be detected by instruments which sense moisture in the atmosphere of the reactor vault and in the gap between the pressure tube and the calandria tube, radioactivity in the steam flow to the turbine, and water on the vault floors. So in most cases appropriate defensive measures would be taken to prevent or minimize the effect of pipe rupture.

In our safety analysis, however, we assess the response of the reactor to the instantaneous failure (at any location) of any pipe, from the largest to the smallest.


The reactor systems must do two things in such an accident:

1. Stop the power rise that is caused by coolant escaping from the fuel channels, and shut down the reactor (see Safety Systems). The power increases because the coolant affects the energy of the neutrons so as to make them slightly less effective in causing fission.

2. Assure a supply of cooling water over the fuel.

For rather small breaks, the normal process systems can do both: the power control system shuts down the reactor, and coolant makeup systems maintain cooling. Naturally they are backed up by the safety systems.

For large breaks, the power rise and the loss of coolant are such that the safety systems are needed. Shutdown systems stop the power rise and shut down the reactor, and an emergency core cooling system restores fuel cooling. Containment is a backup, in case any fuel sheaths should fail and release radioactivity. (Heat can also be rejected by an independent route — to the bulk moderator. Fuel damage could be severe, if this were the only way of removing heat from the core, but the containment barrier would remain. Such a backup cooling route is unique to the CANDU design, because the moderator is at low temperature, and unaffected by a loss of coolant.)

LOSS OF COOLING (Intact Primary Circuit)

A loss of cooling in an intact primary circuit is inherently less severe than a loss of coolant due to a pipe break, since the heat transport system piping remains an effective barrier to radioactivity release. An example is loss of the electrical power which drives the main pumps.

Reactor power reduction is effected by the power control system, backed up by the shutdown systems. Heat is rejected by the auxiliary cooling systems (such as the shutdown cooling system) and/or by natural convection to the boilers.

SAFETY SYSTEMS

In this section, we describe the safety systems and their capabilities [9, 10].

Shutdown Systems

CANDU reactors have used three types of shutdown mechanisms. Moderator dump (draining the moderator out of the calandria) shuts down the chain reaction by removing the fluid which slows down the neutrons (Fig. 8). For the recent larger cores, we used solid shutoff rods (falling in from the top under the action of gravity, and sometimes assisted by springs) and injection of liquid "poison" through tubes directly into the moderator water (Fig. 9). The rods and poison stop the chain reaction by absorbing the neutrons.

Figure 8 Shutdown systems: moderator dump (labels: moderator, calandria, dump tank)

How quickly the shutdown systems must act, and how strong their neutron absorbing power must be, come from these requirements:

1. They must be able to overtake accidental power rises. This requirement largely sets the instrumentation delay that can be allowed and the speed of shutdown actions needed.

2. They must reduce post-shutdown power to decay levels consistent with available cooling. This requirement determines the amount of neutron absorption or "reactivity depth" needed.

As noted earlier, malfunction of the reactor power control system can produce only slow power rises. Its total reactivity range (which determines the amount of neutron absorption needed to stop the accident) is also modest — because CANDU reactors use natural uranium, long-term reactivity control is by on-power refuelling, not by reactivity devices. Control system malfunctions do not, therefore, set the requirements for the shutdown system speed or depth.

The power increase caused by a loss-of-coolant is the only type which would be assisted by the coolant pressure. A large pipe break causes the fastest power rise, but even this cannot be developed instantly since the coolant takes time to escape. In technical terms, the break could typically develop a "reactivity"* of 8 milli-k per second. The rate of power rise is further reduced by the relatively slow rate at which neutrons multiply in heavy water reactors. The multiplication rate in the U.S. light water reactor is about ten times faster than in CANDU's. Thus, even for large breaks, a delay of about half-a-second for the shutdown system to react to a signal, a shutdown system capable of reducing reactivity by 50 milli-k, and at a rate of about 30 milli-k per second are adequate. This performance is readily achievable.

Figure 9 Shutdown systems: shutoff rods and liquid "poison" injection (labels: shutoff rod guide tube, shutoff rod (typical), liquid poison nozzle, liquid poison pipe (typical), moderator, calandria)

The shutdown systems penetrate the moderator but not the coolant pressure boundary. Since all large coolant pipes are outside the core, the shutdown systems would not be subject to the hydraulic forces due to a large pipe break, so giving confidence in their performance for such events.

Within the reactor core, where the pressure tubes are the pressure boundary, the maximum break size is small, and the consequences are limited. We would not expect any significant damage to other in-core components such as shutdown systems or other pressure tubes [11]. Also the pressure tubes are arranged to give maximum reactivity (a consequence of using natural uranium fuel) so that almost any accident which damages the core would tend by itself to shut the reactor down.

The shutdown system characteristics are therefore set by the large pipe breaks.

* Reactivity measures the driving force behind a chain reaction. A reactor holds a steady power at zero net reactivity, increases in power if the reactivity is positive, and decreases if the reactivity is negative.
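The two shutdown requirements above (overtake the power rise; provide enough reactivity depth) can be worked through with the figures the paper quotes for a large break: an 8 milli-k/s reactivity ramp, a half-second delay before the shutdown system acts, and 50 milli-k of negative reactivity inserted at 30 milli-k/s. The following is an added example, not code from the paper or from AECL; it treats the break ramp as linear and unbounded over the few seconds analysed, which is an assumption of this toy model (the paper gives no saturation value), and it ignores the neutron multiplication dynamics that further slow the power rise.

```python
"""Added example (not from the paper): net-reactivity timeline for a shutdown
system racing the reactivity ramp from a large pipe break.

Figures from the paper: break ramp about 8 milli-k/s; about 0.5 s for the
shutdown system to react; 50 milli-k of depth inserted at about 30 milli-k/s.
Assumption of this toy model: the ramp stays linear over the window analysed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ShutdownSpec:
    delay_s: float     # time from trip signal to the start of insertion
    rate_mk_s: float   # negative reactivity insertion rate, milli-k per second
    depth_mk: float    # total negative reactivity available, milli-k


PAPER_SPEC = ShutdownSpec(delay_s=0.5, rate_mk_s=30.0, depth_mk=50.0)
BREAK_RAMP_MK_S = 8.0


def shutdown_worth(spec: ShutdownSpec, t: float) -> float:
    """Negative reactivity inserted by time t, returned as positive milli-k."""
    if t <= spec.delay_s:
        return 0.0
    return min(spec.rate_mk_s * (t - spec.delay_s), spec.depth_mk)


def net_reactivity(spec: ShutdownSpec, ramp_mk_s: float, t: float) -> float:
    """Break ramp minus shutdown worth at time t (positive: power still rising)."""
    return ramp_mk_s * t - shutdown_worth(spec, t)


def analyse(spec: ShutdownSpec, ramp_mk_s: float) -> Dict[str, object]:
    """Closed-form summary of the race between the ramp and the shutdown system."""
    full_insertion_s = spec.delay_s + spec.depth_mk / spec.rate_mk_s
    # The ramp runs unopposed until the delay ends, so that is the peak.
    peak_mk = ramp_mk_s * spec.delay_s
    # Requirement 1: to overtake the rise, insertion must be faster than the ramp.
    rate_exceeds_ramp = spec.rate_mk_s > ramp_mk_s
    zero_crossing_s: Optional[float] = None
    if rate_exceeds_ramp:
        # ramp*t == rate*(t - delay)  =>  t = rate*delay / (rate - ramp)
        t0 = spec.rate_mk_s * spec.delay_s / (spec.rate_mk_s - ramp_mk_s)
        # If the depth is exhausted before the crossing, the ramp is never caught.
        if t0 <= full_insertion_s:
            zero_crossing_s = t0
    return {
        "peak_mk": peak_mk,
        "rate_exceeds_ramp": rate_exceeds_ramp,
        "zero_crossing_s": zero_crossing_s,
        "full_insertion_s": full_insertion_s,
        "net_at_full_insertion_mk": net_reactivity(spec, ramp_mk_s, full_insertion_s),
    }


def timeline(spec: ShutdownSpec, ramp_mk_s: float,
             t_end_s: float = 2.5, dt_s: float = 0.25) -> List[Tuple[float, float]]:
    """Sampled net reactivity, for eyeballing the margin over the window."""
    n = int(round(t_end_s / dt_s))
    return [(i * dt_s, net_reactivity(spec, ramp_mk_s, i * dt_s)) for i in range(n + 1)]


if __name__ == "__main__":
    for key, value in analyse(PAPER_SPEC, BREAK_RAMP_MK_S).items():
        print(f"{key:>26}: {value}")
    for t, rho in timeline(PAPER_SPEC, BREAK_RAMP_MK_S):
        print(f"t={t:4.2f} s  net reactivity={rho:7.2f} mk")
```

With the paper's numbers the net reactivity peaks at 4 milli-k when the shutdown system starts to act, is back to zero about 0.68 s after the break, and stands at roughly -32.7 milli-k once the full 50 milli-k is in at about 2.17 s. Re-running `analyse` with a slower system (for instance an insertion rate below 8 milli-k/s) shows the first requirement failing: the ramp is never overtaken.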

Canadian regulatory practice requires the analysis of accidents assuming the impairment of any safety system. In particular, one must assume that an entire shutdown system is unavailable. This analysis of power rises for which shutdown is not credited is difficult but has been done in the past. More recently, a second independent shutdown system has been added to the design, and is now in fact a regulatory requirement [12]. At this level of protection, there is no practical purpose in analyzing reactor power rises without shutdown, nor is it required.

Emergency Core Cooling System

The emergency core cooling system (ECCS) would re-establish fuel cooling following a loss-of-coolant accident.

For very small breaks in the primary circuit (around 6 cm², or 0.2% of maximum) the normal coolant makeup system can prevent net loss of fluid from the circuit. The ECCS serves only as a backup supply. For slightly larger breaks (up to a percent or so), safety valves on the boilers are opened; the heat absorbed, as the ordinary water boils and escapes through these valves, cools and depressurizes the primary coolant system down to ECCS pressure before very much primary coolant has escaped from the break. The ECCS serves here as a coolant makeup system. For large breaks (up to the maximum of about 0.5 m²) the ECCS provides enough flow to reflood the core, regardless of break location.

Figure 10b Multi-unit containment (labels: reactor buildings, vacuum building, relief duct)

The major features of the ECCS are the water supply, injection points, pressure and heat removal pathways.

The ECCS water supply comes from either the heavy water moderator or, in recent plants, an ordinary water storage tank.

The injection points are at the reactor headers. These headers are large pipes to which every fuel channel is connected. They are at either end of the core, and above all the fuel channels (Fig. 5).

The injection system has a relatively low pressure supply, driven by pumps or gravity. We are also considering adding a higher pressure supply, driven by pumps or pressurized gas accumulators. This source could, among other things, reduce the risk of expensive cleanups for small breaks.

Decay heat would be removed by the boilers, special coolers for water which is recovered from the floor and re-injected into the core, air coolers in the containment building, and condensation on the containment walls; the dominant heat removal path would depend on break size.

Generally speaking, a loss-of-coolant accident could damage fuel sheaths. The damage would be minimal at the small end of the break spectrum, somewhat larger at the large end, and larger in between. We are not granted foreknowledge of break size or location, so we design ECCS systems which give a good overall response across the break range. For breaks where fuel damage would occur, containment and the exclusion zone would be effective in limiting radioactivity releases to the public.

In addition to the ECCS, we noted earlier that the cool, low-pressure moderator is available as a backup means of heat removal, since a heat transfer path exists from the fuel, through the pressure tube and its surrounding calandria tube to the moderator fluid and the moderator heat exchangers (which can remove the reactor decay power) (Fig. 5).

Containment

The functions of the containment system (following a pipe break) are to:

— cool the escaping coolant and thereby suppress any pressure surge

— contain the activity release, if any, for the duration of the pressure surge

— provide a means of long-term control of radioactivity release using coolers and filters.

In a single unit plant, the reactor has its own independent containment building which includes both an initial means of pressure suppression (water dousing from overhead sprays) and a long-term means of pressure suppression (air coolers and a filtration system). Its leak rate is typically 0.1% of its volume per day at its design pressure (Fig. 10a).

In multi-unit containment [13], each reactor vault is connected by a duct through banks of self-actuating valves to a common dousing system (Fig. 10b). This is inside a separate building kept at reduced pressure (the vacuum building). Such an approach is economic on multi-unit plants and is very effective in pressure suppression. Consequently, the tolerable leak rate is larger (1% of its volume per hour at design pressure).

MEASURE OF RISK

This section describes the amount of risk implied by the operation of a nuclear power plant [14].

Before we protect against particular accidents, we must decide how safe we want the plant to be. Nothing can be made absolutely safe, and the "safer" we try to make the plant, the more it costs in terms of safety devices and reduced output. Indeed, beyond some point the improvements in "real" safety may be illusory.

Without numbers for risk, it is as hard to compare the safety of competing energy technologies as it would be to compare their economics without knowing their cost. Sometimes such quantitative studies give surprises. It is hard to see much risk in solar power, and perhaps easier to see risk in nuclear power. Yet Inhaber [15], who studied both in an exploratory analysis, claimed the reverse: he claimed that the public risk of death and of man-days lost is higher for solar power than nuclear. The main reason is the enormous amount of materials needed for the "benign" technology — these must be manufactured and transported and that is where most of the risk lies. This type of analysis is still in its infancy, but the exercise is instructive.

Usually, risk is defined as the probability or frequency of an event multiplied by its consequences. The measure of frequency is usually "number of times per year". The measure of consequence for nuclear safety is usually "radiation dose received by the public". This measure can be put in terms of public health effects, or of radiation released from the station. Nuclear energy is one of the few industries which has had during its development and deployment an extensive risk assessment. Perhaps as a consequence, we can take pride in lower risks than for most other industries. Modern commercial power reactors have an excellent safety record. There have been accidents, as in any industrial operation, but the consequences have been minor; in particular there have been no radiation injuries.

The risk numbers can also be used within a single technology to ensure that the design efforts are used most effectively. They can put into perspective numerous "what if" questions, most of which arbitrarily assume multiple failures. What is important here is not only the consequences (which may be spectacular) but also how often such failures may be expected. If the answer is "very infrequently", as is usually the case for nuclear safety, the actual risk is probably small.

In short: we cannot make a human activity absolutely safe. We can improve its safety. This requires social resources. At some point society must judge when the level of safety is good enough, so it can use these resources elsewhere.

As an example, for a long time, the people of Ontario by and large accepted the risk of driving cars without wearing seatbelts. This risk gradually came to be considered unacceptable, so car manufacturers were required to install seatbelts in every car and people were required to wear them. (Seatbelts are a good example of a safety system.) Wearing a seatbelt reduces the consequences (but not the probability) of an accident and therefore the total risk. Reducing risk by reducing the probability of an accident ever occurring is another route to the same goal. We could accomplish this, if we wished, by better road design and improved driver training. Using both seatbelts, highway improvements and driver education would be an example of "defense-in-depth".

In safety analysis, we are at liberty to hypothesize any arbitrary accident. To be useful, these hypotheses should strike some balance between the probability of an accident and its consequences. For a given reactor design, our emphasis on preventing an accident, or on building systems to stop it, is set both by how likely the accident is, and how severe its effects could be if unterminated. This approach is followed in setting numerical risk targets by those countries which have pioneered nuclear energy.

The United Kingdom assesses its designs with the Farmer [16] risk criterion. (The licensing authority accepts analysis based on this criterion, but judges on a case-by-case basis.) Farmer used "curies of iodine-131 released" as his measure of consequences. His risk criterion is a continuous curve of maximum release versus frequency of occurrence (Fig. 11).

Figure 11 The Farmer risk criterion (logarithmic plot; horizontal axis: iodine-131 release (curies), 10 to 10^7; the curve separates a region labelled "acceptable risk" from one labelled "unacceptable risk")

United States designers used a stepped risk target. Events (including normal operation) are put in one of four categories, depending on their expected frequency. In each category, a limit is set for the amount of fuel damage or the release of radioactivity. The regulatory authority states in great detail how to calculate the damage, but again licenses on a case-by-case basis.

In Canada the Atomic Energy Control Board (AECB) is empowered [17], among other things, with the licensing of nuclear power plants. The AECB sets numerical guidelines for the frequency and consequences of accidents, but also licenses on a case-by-case basis. Events are postulated to fall into one of two classes [18]:

1. Single failures, where a normal reactor system (process system) is assumed to fail completely.

2. Dual failures, where a process system is assumed to fail simultaneously with the unavailability of any one safety system.

This classification grew from the design principle of logical and physical separation of control and safety systems, and of each safety system from any other.

The AECB limits the frequencies to once in 3 years for single failures and once in 3000 years for dual failures (Table 1). Consequences are interpreted as radiation dose to the public and are listed in Table 1.

This gives a stepped approach to public risk, roughly consistent numerically with the risk in Farmer's continuous approach. The AECB does not, however, prescribe how the analysis is to be done [18]. So it avoids sitting in judgement on its own methods, and leaves the design responsibility with the designers, where it properly belongs.
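The two-class scheme just described, together with the definition of risk as frequency multiplied by consequence given in Measure of Risk, can be turned into a small screening tool: classify each postulated event as a single or dual failure, compare its estimated frequency and doses with the Table 1 limits, and compute the collective-dose risk ceiling each class implies. The following is an added example, not code from the paper and not the AECB's own method (the paper is explicit that the AECB does not prescribe how the analysis is done). The events, frequencies and doses in it are constructed for illustration; the limits are those of Table 1.

```python
"""Added example (not from the paper, not the AECB's method): screening
postulated events against the AECB accident guidelines of Table 1 and
deriving the frequency-times-consequence risk ceiling of each class.
All sample events below are constructed, not plant data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Guideline:
    max_freq_per_year: float
    indiv_whole_body_rem: float
    indiv_thyroid_rem: float
    pop_whole_body_man_rem: float
    pop_thyroid_rem: float


# Table 1 of the paper: single failure and dual failure limits.
GUIDELINES: Dict[str, Guideline] = {
    "single": Guideline(1 / 3, 0.5, 3.0, 1e4, 1e4),
    "dual": Guideline(1 / 3000, 25.0, 250.0, 1e6, 1e6),
}


@dataclass(frozen=True)
class Event:
    name: str
    failed_process_system: str
    unavailable_safety_system: Optional[str]  # None means all safety systems work
    freq_per_year: float           # analyst's estimated frequency
    indiv_whole_body_rem: float    # dose to the most exposed individual
    indiv_thyroid_rem: float
    pop_whole_body_man_rem: float  # collective doses to the population
    pop_thyroid_rem: float


def classify(ev: Event) -> str:
    """Single failure: a process system fails, all safety systems available.
    Dual failure: the same, coincident with one safety system unavailable."""
    return "dual" if ev.unavailable_safety_system else "single"


def violations(ev: Event) -> List[str]:
    """Names of the guideline limits the event exceeds (empty if within all)."""
    g = GUIDELINES[classify(ev)]
    checks = {
        "frequency": ev.freq_per_year <= g.max_freq_per_year,
        "indiv_whole_body": ev.indiv_whole_body_rem <= g.indiv_whole_body_rem,
        "indiv_thyroid": ev.indiv_thyroid_rem <= g.indiv_thyroid_rem,
        "pop_whole_body": ev.pop_whole_body_man_rem <= g.pop_whole_body_man_rem,
        "pop_thyroid": ev.pop_thyroid_rem <= g.pop_thyroid_rem,
    }
    return [name for name, ok in checks.items() if not ok]


def risk_ceiling_man_rem_per_year(cls: str) -> float:
    """Risk = frequency x consequence evaluated at the class limits: the
    largest collective whole-body dose rate the guideline would tolerate."""
    g = GUIDELINES[cls]
    return g.max_freq_per_year * g.pop_whole_body_man_rem


def event_risk_man_rem_per_year(ev: Event) -> float:
    """The same product for one postulated event."""
    return ev.freq_per_year * ev.pop_whole_body_man_rem


def screen(events: List[Event]) -> Dict[str, List[str]]:
    """Map each event name to the list of limits it violates."""
    return {ev.name: violations(ev) for ev in events}


# Constructed sample events (illustrative values only).
SAMPLE_EVENTS = [
    Event("small pipe break, safety systems available", "heat transport piping",
          None, 1 / 20, 0.01, 0.05, 50.0, 80.0),
    Event("large pipe break, one shutdown system unavailable",
          "heat transport piping", "shutdown system 1", 1 / 5000, 2.0, 20.0,
          2e4, 3e4),
    Event("large pipe break, ECCS unavailable, assessed too frequent",
          "heat transport piping", "emergency core cooling", 1 / 2000, 10.0,
          300.0, 5e5, 8e5),
]

if __name__ == "__main__":
    for name, bad in screen(SAMPLE_EVENTS).items():
        verdict = "within guidelines" if not bad else "exceeds " + ", ".join(bad)
        print(f"{name}: {verdict}")
    for cls in GUIDELINES:
        print(f"{cls} failure risk ceiling: "
              f"{risk_ceiling_man_rem_per_year(cls):.0f} man-rem/year")
```

A point the numbers make visible: because the dual-failure frequency limit is a thousand times stricter while its population dose limit is only a hundred times larger, the risk ceiling for dual failures (about 333 man-rem/year) is a tenth of that for single failures (about 3333 man-rem/year). The third constructed event fails on both frequency and thyroid dose, which is how such a screen flags an analysis that needs either a lower justified frequency or a design change.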

Table 1  AECB Guidelines for Accident Conditions

Situation        Maximum Frequency    Individual Dose Limit                  Total Population Dose Limit
Single failure   1 per 3 years        0.5 rem* whole body, 3 rem thyroid     10^4 man-rem whole body, 10^4 thyroid rem
Dual failure     1 per 3000 years     25 rem whole body, 250 rem thyroid     10^6 man-rem whole body, 10^6 thyroid rem

* A rem is a measure of the effect radiation has on the human body.

The AECB also sets exposure limits for normal operation(18). These are essentially the same as those recommended by the International Commission on Radiological Protection(20), namely:

Individual dose limit — 0.5 rem/year whole body, 3 rem/year thyroid

Population dose limit — 10^4 man-rem/year whole body, 10^4 thyroid rem/year

In practice, these dose limits are translated into radioactivity emissions limits (Derived Release Limits or DRL). The DRLs are based on the most critical pathway for exposure of an individual due to radioactivity released from the station. In fact, the plants are designed to achieve an emissions target of 1% of the DRL for the radioactive elements generally emitted, and this target is usually met(9)(21).

In gaining an appreciation of what risk AECB guidelines actually imply, it must be realized first of all that reactors do not operate at the guidelines. Indeed, neither frequency nor consequence guidelines are approached in practice. For example, a large loss-of-coolant accident every ten years, while perhaps not too frequent to jeopardize public safety, would be an economic disaster for the plant owner. So the "allowed" frequencies for the more severe failures are never approached in actuality. The consequence guidelines too are usually upper bounds. Whereas they "allow", for example, all loss-of-coolant accidents to cause the specified public doses, in practice the only ones which come near are large breaks in a particular location, whose size is a particular fraction of the pipe area. Most of the breaks would cause small or zero radioactive releases from the plant. The failures (single or dual) which can release significant radioactivity are therefore a very small fraction of the total number of failures.

In addition, the dose calculations intentionally involve very pessimistic assumptions, which increase the predicted consequences. For the pipe break, it is assumed that:

— the effect of coolant void on reactivity is larger than it really is; and that the shutdown systems are slower and less effective than in reality, i.e., the power rise that would occur is overestimated;

— none of the process systems helps out, although they may be able to; it is assumed that only the safety systems do anything to mitigate the accident;

— the weather is that which maximizes population dose (atmospheric inversion with a light wind blowing in the direction of highest population density), even though such inversion occurs less than 10% of the time;

— the dose calculated is that for the most susceptible individual, e.g., a six-month old baby at the plant boundary for iodine-131.

These assumptions impose large margins. For example, just using the most likely weather at the Bruce 'A' nuclear power plant, rather than the worst occurring 10% of the time, reduces the individual dose due to iodine-131 by a factor of six, and using an average adult at the nearest populated site combined with average weather gives a factor of around fifty.

There are, of course, accident scenarios which do not fit neatly into single- or dual-failure pigeonholes. For these, a risk analysis may be done outside the guideline framework for consideration by the AECB. There are also other accidents which can be postulated, but which are of such low probability that higher releases than the guidelines allow may be tolerated. By and large, the guidelines are used, but judgment both inside and outside their framework is sometimes necessary, and licensing is always done on a case-by-case basis. In short, the guidelines are an upper limit to the total overall risk, as described below.

For single failures, recall that the consequence guidelines for whole body doses (similar analyses apply to thyroid doses) are 0.5 rem for an individual, and 10^4 man-rem for the population. The frequency guideline is one event per three years. Doses as low as 0.5 rem have no detectable early effects, though a slight increase in the risk of delayed cancer (less than one in ten thousand) may result. The 10^4 man-rem would on average produce 1½ cases of fatal cancer over the entire exposed population, plus one case of curable cancer(1). (It could also cause perhaps three cases of hereditary disease, within a factor of five either way.) The total risk from the collective whole-body doses to the population would thus be in the vicinity of 2½ cases per three years per reactor, or roughly one case a year at the guideline value. If, for example, a 1000 MW(e) reactor serves a population of 10^6 people (1 kWe per capita) the 1½ cancer deaths per three years may be compared with some 4500 cancer deaths from other causes per three years in the same population.

For dual failures, recall that the frequency guideline is once per 3000 years. Whole-body dose guidelines are 25 rem for an individual and 10^6 man-rem for the population. The individual dose would be associated with a risk of cancer death 50 times that for the 0.5 rem, i.e., about 0.5%. With the linear dose hypothesis(1), the population exposed to 10^6 man-rem could experience 250 cases of cancer (150 fatal) and 300 hereditary diseases, within a factor of five either way. When allowance is made for the infrequency of a dual failure, the average annual risk becomes 1/10 of a case for cancer and hereditary disease, at the guideline value. These are one tenth the values for single failures.

This calculation does not imply that these time-averaged risks are acceptable, simply because they are low. That is a social and political decision. Other factors also intervene. For example, people are less tolerant of single large accidents than many smaller ones, even if the average annual consequences are equal(22). We do not attempt to include such a weighting in our numbers.

How do we know Safety Targets are met?

Our confidence that we can achieve low target risks is based on several factors. First, for frequency:

— In about 50 reactor-years of Canadian operating experience with power reactors, no member of the public has ever been killed or injured, and no worker in the plants has suffered a radiation injury. There have been no dual failures, and few single failures, all of which were in fact terminated without harmful radioactive release. That is enough data to establish that the target frequencies of single failures are being achieved. All data available internationally for civilian power reactors above 30 megawatts give fifteen hundred reactor-years without a large activity release*. There have been accidents in research reactors, and such mishaps have occurred regardless of reactor type. Trying to apply such experience to modern power reactors is misleading. Research reactors are used to gain information: both their design and their mode of operation are different from those of power reactors. In any case, most accidents in research reactors happened over ten years ago and none caused any major consequences to public health. The NRX accident in Canada was no exception(23)(24).

* International Atomic Energy Agency Annual Report, 1977.

— No dual failure has ever occurred, so we can only estimate the expected frequency. This can be done without having to wait until the systems are called upon in an accident. In-service testing of individual components and systems gives us a measure of availability in as little as a year of operation. The expected dual failure frequency can then be estimated by multiplying the observed single failure frequency by the safety system unavailability demonstrated by tests. The targets, inferred from AECB guidelines, are that the safety systems should be available at least 999 times out of a thousand tries; in other words, for all but 6 hours a year*. If the targets are not met in practice, the utility takes the appropriate corrective action to improve the availability to the target level. In multiplying the single failure frequency by the safety system unavailability it is assumed that the risk contribution of common mode failures (one event causing several failures) is small; later on, we justify this assumption.
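The estimation procedure just described, worked through as an added example (this is not AECL's code, and the test records are constructed, not plant data): each safety system's unavailability is taken as the fraction of in-service test demands on which it failed to respond, compared with the 1-in-1000 target, and multiplied by the guideline single-failure frequency to give the expected dual-failure frequency. The system names and the `assess` function are the example's own assumptions. The independence assumption is the one the text makes, that common-mode failures contribute little.

```python
"""Safety-system unavailability from in-service tests, and the expected
dual-failure frequency derived from it.

Added example, not code or data from the report: the test log below is
constructed, and the system names are hypothetical."""

TARGET_UNAVAILABILITY = 1e-3       # available at least 999 times in 1000 demands
SINGLE_FAILURE_FREQUENCY = 1 / 3   # AECB guideline: one process-system failure per 3 years

# Constructed test log: one boolean per test demand (True = responded as designed).
TEST_LOG = {
    "shutdown_system_1": [True] * 1200 + [False] + [True] * 799,         # 2000 demands, 1 failure
    "shutdown_system_2": [True] * 1500,                                  # 1500 demands, 0 failures
    "emergency_core_cooling": [True] * 400 + [False] * 2 + [True] * 98,  # 500 demands, 2 failures
}


def unavailability(results):
    """Fraction of test demands on which the system failed to respond."""
    demands = len(results)
    if demands == 0:
        raise ValueError("no test demands recorded")
    failures = sum(1 for ok in results if not ok)
    return failures / demands


def expected_dual_failure_frequency(single_failure_frequency, system_unavailability):
    """Process-failure frequency times safety-system unavailability (per year).

    This is the product used in the text; it assumes the two are independent,
    i.e. that the common-mode contribution is small."""
    return single_failure_frequency * system_unavailability


def assess(test_log, target=TARGET_UNAVAILABILITY, single_freq=SINGLE_FAILURE_FREQUENCY):
    """Per-system unavailability, target comparison and dual-failure frequency."""
    report = {}
    for name, results in test_log.items():
        demands = len(results)
        q = unavailability(results)
        f_dual = expected_dual_failure_frequency(single_freq, q)
        report[name] = {
            "demands": demands,
            "unavailability": q,
            "meets_target": q <= target,
            # A target of 1 in 1000 cannot be demonstrated with fewer than
            # 1000 demands: zero failures in a short record proves little.
            "enough_tests_to_demonstrate": demands >= 1 / target,
            "dual_failure_per_year": f_dual,
            "mean_years_between_dual_failures": float("inf") if f_dual == 0 else 1 / f_dual,
        }
    return report


if __name__ == "__main__":
    for name, r in assess(TEST_LOG).items():
        print(f"{name}: q={r['unavailability']:.2e} over {r['demands']} demands, "
              f"target {'met' if r['meets_target'] else 'NOT met'}, "
              f"dual failure about 1 per {r['mean_years_between_dual_failures']:.0f} years")
```

With the constructed log, the first shutdown system shows an unavailability of 5 × 10^-4 and an expected dual-failure frequency of 1 in 6000 years, within the guideline; the emergency core cooling system fails the target at 4 × 10^-3 and, in the text's terms, would call for corrective action. The `enough_tests_to_demonstrate` flag is the practical caveat: a year of operation must supply at least a thousand demands before a 10^-3 unavailability can be shown rather than assumed.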

— Fault-tree analysis can combine logically the individual failure rates of various components to calculate failure rates for the whole system. This is useful in assessing the design process and provides further evidence that the design can meet reliability targets.

On the consequence side, past history will not indicate whether the dose guidelines for serious accidents are in fact achievable, since there have not been any in power reactors whose designs are being licensed. So we must calculate. These calculations use mathematical descriptions of components and their physical behaviour. Methods of individually verifying the "models" include:

— heating and pressurizing fuel sheaths to verify our model of deformation;

— making intentional breaks in circuits ranging from single pipes to complex loops to verify our hydraulic models;

— bursting predefected pressure tubes to verify the leak-before-break principle;

— studying the behaviour of fuel under severe conditions.

A comprehensive technical review(25) of this subject is available.

Event-tree analysis identifies the various possible accident sequences following a given event. When combined with fault-tree analysis, population-density distributions and frequency of weather types, it can give a good estimate of the actual risk, as opposed to the upper limit of risk, to the public of a nuclear power plant. To do a thorough job of this requires considerable resources of skilled professional manpower; the United States Reactor Safety Study (RSS) took 70 man-years of effort.

* This depends somewhat on the reactor — see Evolution of Canadian Safety Philosophy.

For licensing calculations, such a comprehensive analysis is unnecessary. The separation of the plant into process systems and independent protective systems allows the use of pessimistic assumptions to compute in detail the consequences of fewer, but more stylized, accident sequences. As a result, the estimated values set upper limits to the actual risk.

Sequences which cannot be quantified a priori — for example, common mode failures — inherently occur very rarely. In Canada it has long been believed that such events make a relatively small contribution to public risk when care is taken in the design and operation of the plant. To avoid common-mode failures, as noted, we separate the safety systems and the process systems from one another both logically and physically. In current designs this goes as far as building two control areas, from either of which different systems can shut down the reactor and remove decay heat. Where possible, the two safety systems employ totally different principles — for example, the first shutdown system uses solid absorber rods falling vertically into the core, the second uses liquid absorber injected into the moderator through horizontal pipes. Also, where possible they are designed to be "failsafe" — loss of power to the shutoff rod clutches, for example, lets the rods drop into the reactor, shutting it down.

The general approach was spelled out and practised in the early days of CANDU technology.

Laurence in 1962(26) said: "Simultaneous damage in the process equipment, the protective devices, and the containment provisions by one common cause must also be considered. Unlike the independent faults, the probable frequency of this happening is much too small to determine from past experience. We can do no more at present than reduce the probability of the three-fold damage from a common cause by careful design and cautious operation so that we have confidence that this risk is acceptably small. We are unable to support this confidence by direct evidence. That fact does not detract from the importance of establishing by the methods described that the risk of a bad accident resulting from the causally independent failures is also acceptably small."

The frequency of a common-mode failure can never be greater than the frequency of the initiating event. By itself this can sometimes give acceptably low bounding risks. For example, suppose a large loss-of-coolant always caused a loss of injection of emergency core coolant. A realistic frequency for the first event alone is perhaps 10^-4 to 10^-5 events per year(27), which would be below AECB guidelines for the frequency of a dual failure.

The same belief was expressed by Laurence in 1973(28): " . . . the Reactor Safety Advisory Committee set very low limits for the frequency of faults in the process equipment, and for unreliability in the protective devices and the containment provisions, and has insisted that the three parts of the plant be functionally independent so that there is little chance that faults in the process equipment can damage the protective devices and the containment provisions also."

We referred earlier to the United States RSS. Their estimates for the risks of early fatalities and illnesses (Tables 2a and 2b) showed that the public risk from US reactors is low(29). This study is not used in the licensing process in Canada (or in the US). We note, however, that:

— a large portion of the risk assessment in the RSS depends on population distributions and weather conditions which are independent of reactor design;

— all water-cooled reactors have a high pressure heat transport system and the frequency and consequences of failures in this system should be comparable;

— most water-cooled reactors use ceramic (uranium dioxide) fuel, in zirconium-alloy sheaths, so the causes and effects of fuel damage are comparable.

We therefore believe that the results of the RSS are very roughly applicable to most water-cooled reactors (including CANDU reactors), and in this sense confirm the judgment that the risks defined by the regulatory authority are pessimistic.

[Tables 2a and 2b: Reactor Safety Study estimates of the average individual risk of early fatality and illness in the U.S. population from various accident causes (motor vehicles among them), compared with the estimated risk from nuclear reactors. The table entries are not legible in this transcript.]

EVOLUTION OF CANADIAN SAFETY PHILOSOPHY

The Atomic Energy Control Board and Atomic Energy of Canada Limited were set up as administratively and financially independent organizations reporting to the Minister of what is now called Energy, Mines and Resources. They have retained this separation through the years. Safety analyses for specific license applications have always been prepared by the designer (or owner). They are subsequently examined by the AECB, which has the necessary expertise to determine whether the technical issues are adequately treated. The underlying philosophy has been evolving in public for the last twenty years, with contributions from both AECL and the AECB.

We summarize the key publications:

As early as 1954, Siddall(30) studied predictions of failure rates in the NRU reactor and described a basis for in-service testing. In 1959(31) he extended this in an early attempt to quantify the risk from nuclear power and to compare it with other industrial operations. He assumed a priori that nuclear plants could be five times safer than coal-fired plants, and derived the required reliabilities of the nuclear plant's control and safety systems.

Laurence(32) arrived at similar numbers by requiring that large releases of radioactivity (from what we would now call a triple failure) have a frequency less than 10^-5 per year. He believed this risk was both less than other industrial risks and achievable in practice. His target implied the separation of reactor systems into three types, each with a target failure rate which could be demonstrated:

— process systems (10^-1 failures per year)
— protective systems (1 failure per 100 demands)
— containment systems (1 failure per 100 demands)

He refined these somewhat a year later to 0.3 per year for process failures, and 3 × 10^-3 for protective and containment system unavailabilities.

Dose guidelines for what we now call a dual failure (of the process and protective systems) were noted in a paper in 1964 by Laurence et al.(33). They suggested the exclusion zone should be large enough to limit the dose to a member of the public to 25 rem whole-body and 250 rads to the thyroid except under extremely infrequent weather conditions.

Boyd(34) added single failures in 1967. He accepted Laurence's 1962 frequency guidelines. For dose guidelines he proposed, for normal operation, values in line with ICRP recommendations; and for accidents:

— single failure of a process system:
  — to an individual, 0.5 rem whole-body, 3 rem thyroid
  — to the population, 10^4 man-rem whole-body, 10^4 rem thyroid

— dual failure of a process and protective or containment system:
  — to an individual, 25 rem whole-body, 250 rem thyroid
  — to the population, 10^6 man-rem whole-body, 10^6 rem thyroid.

In calculating accidental doses, the worst weather conditions occurring 10% of the time were to be used.

In 1972, Hurst and Boyd(18) removed the separate classification of containment as opposed to other safety systems. Any process system failure would now be analyzed with any safety system failure as part of the dual-failure matrix. A second shutdown system could be considered a separate entry in this matrix if it was independent, in design and operation, of both process and safety systems and if it was capable of accommodating any serious process failure. At the same time, because of larger fission product inventories of later reactors and the large accident matrix, the unavailability targets for the safety systems were reduced to 10^-3, and the process system failure frequency of 1 in 3 years was interpreted as a total, combined failure rate of all such systems. This is close to where we are now. Of course, the details will continue to change, but the basic approach has remained notably consistent.

The evolution of safety requirements poses an interesting question: what about reactors which were satisfactorily licensed under then-current guidelines, but which do not necessarily meet newer ones? Are they unsafe? Not really — the risk per reactor has always been small, and what is important is the total risk from all reactors. Guidelines which become more stringent with time reflect more the larger number of reactors than a judgment as to the adequacy of any particular one.

Of course, older reactors may be reassessed if significant new information or better analytical techniques become available. A judgment is then made as to whether the original estimate of public risk is still valid. Such a judgement relies on both the results of the accident analysis and on the probability of the initiating event. The latter often dominates, so that the total risk is not too sensitive to changes in the details and scope of the accident analysis. An AECB view on this question has been presented by Beare and Duncan(35).

Similarly, the designer (even in a constant regulatory climate) may on his own improve the design in a manner that decreases public risk. This does not imply that he feels the older designs have become unsafe, although such criticisms have been levelled. As noted by Pease(36), to counter such a criticism decisively the designer would have to refuse to change his design beyond the first licensed reactor — hardly a constructive position.

Large Consequence Events

There is considerable public preoccupation with large consequence events. In fact, catering to specific "disasters" is unlikely to change public risk by a significant amount. This may seem surprising at first sight, but it follows from the very low frequency of such events.

It has already been noted that the average public risk under the AECB guidelines is less for dual failures than for the milder single failures, because of the lower frequency. Going beyond the guidelines, one can infer a maximum triple failure frequency of (1 process failure per 3 years) × (1 safety system failure per 1000 demands)^2, or 1 in 3 million years.

To estimate the consequences approximately, we can take those for the less frequent one-in-ten-million-year event of the RSS, which has 110 early and (at most) 18,000 delayed deaths. This approximation yields an average of 18,110/(3 × 10^6) or 0.006 deaths per year. (Even assuming the consequences of the one-in-a-thousand-million-year event occur in a triple failure, the consequences are only 0.02 deaths per year on average.) This calculation, admittedly crude, suggests the average risk decreases with increasing accident severity. There is no law of nature that says this must be so. However, it parallels human experience in other fields.
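The frequency-times-consequence arithmetic used here for the triple failure, earlier for the single- and dual-failure guideline values, and for Laurence's 1961 three-division targets, carried through as one added example (this is not AECL's code). The frequencies, unavailabilities and case counts are the figures the text quotes; the function names are the example's own, and the independence assumption (common-mode failures neglected) is the same one the text makes. The example generalizes the text's products to any chain of an initiating failure plus n unavailable safety systems.

```python
"""Average annual public risk at the guideline values, as frequency times
consequence, for single, dual and triple failures.

Added example, not the report's own code. The frequencies, unavailabilities
and case counts are the figures quoted in the text; the independence
assumption (common-mode failures neglected) is the text's as well."""

PROCESS_FAILURE_FREQUENCY = 1 / 3      # AECB guideline: 1 process failure per 3 years
SAFETY_SYSTEM_UNAVAILABILITY = 1e-3    # AECB target: 1 failure per 1000 demands

# Consequences the text associates with each class at the guideline dose
# (cases per event, linear dose hypothesis).
CONSEQUENCES = {
    "single": 1.5 + 1,        # 10^4 man-rem: 1.5 fatal + 1 curable cancer
    "dual": 250 + 300,        # 10^6 man-rem: 250 cancers + 300 hereditary diseases
    "triple": 110 + 18000,    # RSS one-in-10^7-year event: 110 early + 18,000 delayed deaths
}


def chain_frequency(initiating_frequency, unavailabilities):
    """Frequency (per year) of an initiating failure coinciding with the
    unavailability of each listed safety system, assuming independence."""
    f = initiating_frequency
    for q in unavailabilities:
        f *= q
    return f


def average_annual_cases(frequency_per_year, cases_per_event):
    """Time-averaged cases per year: frequency times consequence."""
    return frequency_per_year * cases_per_event


def guideline_risk_table(process_freq=PROCESS_FAILURE_FREQUENCY,
                         q=SAFETY_SYSTEM_UNAVAILABILITY,
                         consequences=CONSEQUENCES):
    """Frequency, mean years between events and average annual cases for
    single (0 safety systems lost), dual (1) and triple (2) failures."""
    table = {}
    for n_lost, name in enumerate(("single", "dual", "triple")):
        f = chain_frequency(process_freq, [q] * n_lost)
        table[name] = {
            "frequency_per_year": f,
            "mean_years_between": 1 / f,
            "cases_per_year": average_annual_cases(f, consequences[name]),
        }
    return table


def risk_falls_with_severity(table):
    """True if average annual cases decrease from single to dual to triple."""
    cases = [table[k]["cases_per_year"] for k in ("single", "dual", "triple")]
    return all(a > b for a, b in zip(cases, cases[1:]))


if __name__ == "__main__":
    for name, row in guideline_risk_table().items():
        print(f"{name:6s}: 1 in {row['mean_years_between']:.3g} years, "
              f"{row['cases_per_year']:.3g} cases/year")
    # Laurence's 1961 targets: 10^-1/yr process, 10^-2 protective, 10^-2 containment
    print("Laurence 1961 triple-failure target:",
          f"{chain_frequency(0.1, [0.01, 0.01]):.0e} per year")
```

Running it reproduces the text's bounds: the dual failure comes out at 1 in 3000 years and the triple at 1 in 3 million years, with 0.006 deaths per year for the triple, and the average annual cases fall from about 0.8 (single) through about 0.18 (dual, which the text rounds to 1/10) to 0.006 (triple). The same `chain_frequency` applied to Laurence's 1961 divisions gives his 10^-5 per year large-release target.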

Laurence and Boyd(37) have put it well. Defending the Canadian regulatory practice to an international audience, they said: "The misleading use of hackneyed phrases is deplored; for example, the expression "maximum credible accident" may lead to oversight of some bad accidents that are not a negligible risk for very large nuclear power stations in very densely populated areas." At that time Canada was almost alone in the world in requiring analysis of failure of any safety system. Indeed, in 1961, when first setting up reliability targets for the three plant divisions (process, protective and containment systems), Laurence(32) said: "Emphasis on the worst credible accident has distracted interest from the less serious accidents which may be a more important risk because they are more probable. The usefulness of the concept is limited also by the vagueness of the word 'credible' to describe the probability of an occurrence in the life of the plant. It does not lead, therefore, to a recognizable standard for safety approval. A standard of acceptance that is expressed in more quantitative terms is needed to guide the designer."

CONCLUSION

The past safety record of CANDU reactors is impressive. Continuing care in design and operation, in this highly safety conscious industry, should keep it so.


REFERENCES


(1) H. B. Newcombe, Nuclear Power: The Canadian Issues, a submission from Atomic Energy of Canada Limited to the Royal Commission on Electric Power Planning. Atomic Energy of Canada Limited, Report AECL-5800, "Public Health Aspects of Radiation", Chap. 3 (April 1977).

(2) Generation - Nuclear, a submission from Ontario Hydro to the Royal Commission on Electric Power Planning, 1977 Final Hearings (June 1977).

(3) Reactor Safety Study. An Assessment of Accident Risks in US Commercial Nuclear Power Plants, United States Nuclear Regulatory Commission, Report WASH-1400, Appendix 1, Sect. 5 (October 1975).

(4) CSA Standards N285.4, "Periodic Inspection of CANDU Nuclear Power Plant Components" (February 1975).

(5) G. A. Pon, Nuclear Power Reactor Safety, Atomic Energy of Canada Limited, Report AECL-5694 (October 1976).

(6) V. G. Snell, Nuclear Power: The Canadian Issues, Atomic Energy of Canada Limited, Report AECL-5800, "Safety of CANDU Reactors", Chap. 2 (April 1977).

(7) W. S. Gibbons and B. Hackney, Survey of Piping Failures for the Reactor Primary Coolant Pipe Rupture Study, GEAP-4574 (May 1964).

(8) P. A. Ross-Ross et al., Experience with Zirconium Alloy Pressure Tubes, Atomic Energy of Canada Limited, Report AECL-4262 (August 1972).

(9) L. Pease and R. Wilson, Pressurized Heavy-Water Reactor Safety. A paper presented at the Session on Heavy-Water Reactors, Canadian Nuclear Association 16th Annual Meeting, Toronto, Ontario, 13-16 June 1976. Atomic Energy of Canada Limited, Report AECL-5520 (September 1977).

(10) L. Pease and V. G. Snell, Safety of Heavy-Water Reactors. Paper IAEA-CN-36/181 presented at the IAEA International Conference on Nuclear Power and its Fuel Cycle, Salzburg, Austria, 2-13 May 1977. Atomic Energy of Canada Limited, Report AECL-5709 (May 1977).

(11) P. A. Ross-Ross, Experiments on the Consequences of Bursting Pressure Tubes in a Simulated NPD Reactor Arrangement, Atomic Energy of Canada Limited, Report AECL-1736 (February 1963).

(12) Atomic Energy Control Board Licensing Document 13, "The Use of Two Shutdown Systems in Reactors" (January 1977).

(13) E. W. Fee and G. E. Shaw, Vacuum Containment Systems for Multi-Unit Nuclear Power Stations, Société Française de la Radioprotection, VIIme Congrès International sur le Confinement de la Radioactivité dans l'Utilisation de l'Energie Nucléaire, Versailles (May 1974).

(14) J. A. L. Robertson, AECL's Final Argument Relating to Nuclear Energy Before the RCEPP, Atomic Energy of Canada Limited, Report AECL-6200 (March 1978).

(15) H. Inhaber, Risk of Energy Production, Atomic Energy Control Board, Report AECB-1119 (March 1978).

(16) F. R. Farmer, Siting Criteria - A New Approach. Proceedings of IAEA Symposium on the Containment and Siting of Nuclear Power Plants, Vienna, pp. 303-329 (April 1967).

(17) Atomic Energy Control Act, 1946, Chap. 37, Sect. 1, as amended in Chap. 47 (1953-1954).

(18) D. G. Hurst and F. C. Boyd, Reactor Licensing and Safety Requirements, Paper 72-CNA-102. Presented at the 12th Annual Conference of the Canadian Nuclear Association, Ottawa (June 11-14, 1972).

(19) G. Hake, P. J. Barry and F. C. Boyd, Canada Judges Power Reactor Safety on Component Quality and Reliable System Performance, A paper presented at the 4th United Nations International Conference on the Peaceful Uses of Atomic Energy, Geneva, 6-16 September 1971. Atomic Energy of Canada Limited, Report AECL-3974 (September 1971).

(20) Recommendations of the International Commission on Radiological Protection, ICRP Publications 9 (1966) and 26 (1977).

(21) Generation - Environmental, Submission from Ontario Hydro to the Royal Commission on Electric Power Planning with respect to the Public Information Hearings (March 1976).

(22) Reactor Safety Study. An Assessment of Accident Risks in US Commercial Nuclear Power Plants, United States Nuclear Regulatory Commission, Report WASH-1400, Appendix 1, Sect. 2.2 (October 1975).

(23) W. B. Lewis, The Accident to the NRX Reactor on December 12, 1952, Atomic Energy of Canada Limited, Report AECL-232 (July 1953).

(24) D. G. Hurst, The Accident to the NRX Reactor, Part II, Atomic Energy of Canada Limited, Report AECL-233 (October 1953).

(25) L. Pease and S. Sawaf, Heavy-Water Moderated Pressure Tube Reactor Safety. Presented to the International Conference on World Nuclear Power; American Nuclear Society/European Nuclear Society, Washington, November 1976. Atomic Energy of Canada Limited, Report AECL-5856 (August 1977).

(26) G. C. Laurence, Operating Nuclear Reactors Safely. Proceedings of Symposium on Reactor Safety and Hazards Evaluation Techniques I, Vienna (1962).

(27) S. H. Bush, Reliability of Piping in Light Water Reactors, International Symposium on Application of Reliability Technology to Nuclear Power Plants, International Atomic Energy Agency, Vienna (October 1977).

(28) G. C. Laurence, Nuclear Power Safety in Canada. Presented to the Meeting of the Niagara-Finger Lakes Section of the A.N.S. (January 26, 1972).

(29) Reactor Safety Study. An Assessment of Accident Risks in US Commercial Nuclear Power Plants, United States Nuclear Regulatory Commission, Report WASH-1400, Main Report pages 112-113 (October 1975).

(30) E. Siddall, A Study of the Serviceability and Safety in the Control System of the NRU Reactor. Atomic Energy of Canada Limited, Report AECL-399 (1954).

(31) E. Siddall, Statistical Analysis of Reactor Safety Standards. Nucleonics Week, Vol. 17, pp. 64-69. Atomic Energy of Canada Limited, Report AECL-498 (1959).

(32) G. C. Laurence, Required Safety in Nuclear Reactors. Atomic Energy of Canada Limited, Report AECL-1923 (1961).

(33) G. C. Laurence, F. C. Boyd, J. H. Jennekens, J. B. Sutherland and P. E. Hamel, Reactor Safety Practice and Experience in Canada. Presented to the Third International United Nations Conference on the Peaceful Use of Atomic Energy, Geneva 1964, Session 3.6, p. 318. Atomic Energy of Canada Limited, Report AECL-2028.

(34) F. C. Boyd, Containment and Siting Requirements in Canada. Proceedings of IAEA Symposium on the Containment and Siting of Nuclear Power Plants, Vienna, April 1967. Atomic Energy Control Board, Report AECB-1018.

(35) J. W. Beare and R. M. Duncan, Siting - The Means by Which Nuclear Facilities are Integrated into a Canadian Community. Presented to the IAEA-NEA Symposium on the Siting of Nuclear Facilities, Vienna, December 9-13, 1974. Atomic Energy Control Board, Report AECB-1079.

(36) L. Pease, Transcripts of the Royal Commission on Electric Power Planning, Debate Stage Hearings, Toronto, Ontario. Vol. 174, p. 25,597 (November 22, 1977).

(37) G. C. Laurence and F. C. Boyd, Trends in Reactor Safety - A Canadian View. Presented to the International Nuclear Industries Fair, Basel (October 6-11, 1969).

Note: The report cited in Reference (29) should be read in the context of a recently published review (U.S. Nuclear Regulatory Report — NUREG/CR-0400) by an ad hoc review group, H. W. Lewis, Chairman (September 8, 1978).


Atomic Energy of Canada Limited / L'Energie Atomique du Canada, Limitée

AECL-6329, November 1978

This publication is also available in French.