Just what is considered to be a serious accident depends on one's point of view - where one stands on an issue depends on where one sits. Those who fear radiation regard any accident, however minor, as serious. A utility would regard as very serious, from a financial standpoint, any accident that damaged the reactor enough to put it out of service, even if no radioactive material were released. The potential financial penalty serves as a powerful incentive for the utility to maintain safety. As far as the public as a whole is concerned, an accident that releases enough radioactive material to require evacuation of communities around the plant would be regarded as serious; and that is the definition used here. "Severe accident" is the term used to describe those that are not sufficiently serious to require an evacuation but which are still of major safety significance.
For most people nuclear safety, or danger in their minds, is not so much a question of the day-to-day operation of plants as the fear of a serious accident. As already mentioned, Slovic and his associates showed the existence of a vast gulf in the perception of the risk of a serious accident between the public and professional risk analysts. More than one in four members of the public polled expected 100,000 or more fatalities in a disastrous year. The professionals estimated many fewer fatalities even in the event of a serious accident, but most of the difference was due to the professionals allowing for the very low probability of the event in assessing the risk. In contrast, the public focussed on the worst possible consequences, the fatalities, and almost entirely ignored the estimates of low probability. They exhibited scepticism, consciously or unconsciously, correctly or incorrectly, of predictions by "experts".
A regulator, such as the CNSC, must base its regulations and licence requirements on the best professional estimates available to it. However, it cannot disregard public opinion if it is to gain and retain support. Similarly the nuclear industry must recognize the public's concerns: too often in the past professional risk analysts have insisted that their estimates are the "correct" ones and that all that is needed is to "educate" the public. To understand the gulf in perception, let us examine what underlies their beliefs, first for the professionals, then the public.
In Canada, the basic principle for CANDU reactors, set in the late 1950s, was that the risk from nuclear electricity should be less than that from other means of electricity generation, notably the coal-fired plants which would be replaced. From this were derived the reliability requirements for the normal operating system and the safety systems. The normal operating system had to be designed so that a major failure would occur no more frequently than once in three years; and all systems had to be designed so that the coincidental failure of the normal operating system and one of the safety systems would occur no more frequently than once in three thousand years. The resulting hypothetical serious accident was estimated to cause fatal levels of radiation to anyone at the plant boundary, assuming worst weather conditions and no emergency measures, such as evacuation. These design criteria, since incorporated in regulatory requirements, represent the earliest professional estimates in Canada.
In the U.S. professional estimates for light-water reactors can be traced back to "The Brookhaven Report" ("Theoretical Possibilities and Consequences of Major Accidents in Large Nuclear Power Plants", WASH-740) published by the U.S. Atomic Energy Commission (USAEC) in 1957. The conclusions of this study estimated the possible effects of a "maximum credible accident" as being 3400 deaths, 43,000 injuries and property damage of $7 billion. The results were widely quoted, especially by nuclear opponents, but usually without any mention of the unrealistic assumptions underlying the results, e.g., the worst meteorological conditions and that half the reactor core is released without any examination of how this might occur. The estimate of probability, or rather improbability, of one in a hundred thousand to one in a billion per reactor-year was also widely ignored.
Partly to counter the unfounded fears caused by the 1957 report the USAEC commissioned a much more rigorous and realistic analysis of the probability and consequences of a serious accident in one of its light water reactors. The resulting "Rasmussen Report" ("The Safety of Nuclear Power Reactors and Related Facilities", WASH-1400), published in 1975, estimated that almost all the serious accidents that could be imagined would have much less severe consequences; and that an accident with the consequences of the 1957 study would have a probability of only one in a billion reactor-years. This new study was still not applicable in detail to CANDU reactors but was considered to be generally relevant in that several of the key factors are common to both designs, e.g., containment behaviour and atmospheric dispersion.
In conducting the Ontario Nuclear Safety Review, the Commissioner, F. Kenneth Hare, required Ontario Hydro (now Ontario Power Generation) to analyze the consequences of a severe accident in a CANDU reactor. For this purpose it was simply assumed, without examining how, that the largest pipe carrying coolant to the reactor core suffered an instantaneous failure resulting in a loss-of-coolant accident for the fuel: and coincidentally that both independent shut-down systems failed to shut down the reactor, again without examining how this might happen. The combination of these failures is almost unimaginable. Despite the popular belief that the consequences would be catastrophic, exhaustive calculations indicated that most probably any radioactive material released from the damaged reactor would be retained within the containment building: at worst, a pressure pulse within the containment building could cause cracks in its walls, through which small amounts of radioactive material would be released briefly, before the cracks closed. Such small releases would not require evacuation of surrounding communities, i.e., it would not be a "serious accident" as defined here.
To understand why these professional estimates are so different from the average person's fears of a serious nuclear accident, we have to imagine a slow-motion visualization of this hypothetical accident. The first effect of the loss of coolant is to allow steam bubbles to form around the fuel. This results in a rapid increase in reactor power. The two independent shutdown systems are there to arrest this increase but, under the assumed conditions, these are unavailable. However, as heavy-water moderator is ejected, by steam formation within it, this lack of moderating material (even if not in the "moderator") serves to stop the chain reaction, i.e., to shut down the reactor. All this occurs in the first four seconds. Even though the reactor is shut down, the fission products in the fuel are still generating large amounts of decay heat. However, emergency core coolant is provided for this function. And in addition, there is a shutdown cooling system to remove decay heat.
For other unlikely combinations of failures, the large volume of cool water in the moderator, unique to the CANDU reactors, provides a means of absorbing heat from the fuel to prevent severe damage to the reactor core. Beyond the moderator vessel (the calandria), there is enough water in the surrounding shield tank to cool the calandria, and hence prevent it failing, for at least 24 hours. This would allow time to introduce alternative means of cooling. These examples of the defence-in-depth approach help to explain why CANDU reactors have been described as being of "a safe and robust design"; and help people to understand why many fears of a reactor accident are grossly exaggerated.
The vastly different perception of a serious reactor accident by members of the public stems, in the first place, from simple and subconscious word associations: atomic bombs and atomic energy in the early days, and nuclear weapons and nuclear energy now. Many people are still unaware that nuclear reactors simply cannot explode like nuclear weapons. These associations are reinforced by the media which, either deliberately or out of ignorance of the science involved, illustrate features on nuclear energy with images of mushroom clouds; and they are shamelessly exploited by critics of nuclear energy. For instance, they compare the amount of radioactive material in a reactor with the amounts produced at Hiroshima and Nagasaki, concealing the fact that the vast majority of the bomb deaths were due to blast and fire, not radiation, and that the number of deaths was comparable to those in conventional fire-bomb raids on Tokyo. Some technologies are common to weapons and the peaceful applications but several are unique to the weapons. Chapter 12 explains how even the common technologies, far from encouraging weapons proliferation, are being used to control it.
With this subconscious association, novels, films and even academic studies about the aftermath of an all-out nuclear war provide people's images of what to expect from a serious reactor accident. Films such as "The China Syndrome", based on the premise of a serious reactor accident, make the images more vivid. (The term "China Syndrome" was derived from a tongue-in-cheek suggestion that in a serious accident the reactor core could melt, then continue melting its way through the earth's core to arrive at China. Stated explicitly, the title is obviously nonsense, but viewers are unaware of technical aspects of the film that are misleading. Hollywood produces scary science-fiction films such as "The China Syndrome" and "Jurassic Park" to entertain, not to educate.) "The China Syndrome" did for nuclear energy what "Jaws" did for sharks' image.
In March of 1979 at the Three Mile Island light-water reactor near Harrisburg, Pennsylvania, an accident occurred. It was the most severe to that time but whether it was "serious" by the present definition is debatable. There was a huge, panic-driven, voluntary evacuation of the surrounding area, but the actual release of radioactive material was so little that the authorities did not call for an official evacuation. Financially, the accident was serious for the utility since the reactor could not be restored and the clean-up was extremely expensive. And there is no question that it was very serious psychologically in affecting the public's attitude to nuclear energy.
A simple interpretation of the cause of the accident is that it was initiated by an equipment failure, a valve that failed to close, compounded by several operator errors. Following the accident, a twelve-member Presidential Commission (the "Kemeny Commission", named after the chairman) was established to inquire into the circumstances and causes. Its report shows that the situation was much more complex. Altogether 18 faults or errors were identified as being part of the initiating sequence or of being primary, exacerbating, contributing and underlying causes. The equipment failure was attributable to a manufacturing error, indicating a weakness in the manufacturer's quality assurance (QA) program. There were five design errors, two errors by the regulator and eleven operating errors. A deeper analysis showed that the individual operators were being unfairly blamed for operating errors where the institution to which they belonged had put them in situations where committing errors was almost inevitable. At Three Mile Island these institutional failings included:
Following the accident all nuclear utilities reviewed their own reactor designs and operations to determine what changes should be undertaken in the light of the experience. These changes were largely at the detailed level and less attention was paid to addressing the problem of institutional failings, despite the stress that the Kemeny Report placed on this aspect.
Whether or not the accident was a "serious" one, it was a disaster as far as the various authorities' communication with the public was concerned. Too many authorities were involved in issuing uncoordinated communiqués and interpretations. In a vacuum of reliable, authoritative information thousands of media representatives flooded the area, competing to secure stories, the scarier the better, and interviewing any "expert" ready to express an opinion.
Perhaps the major reason that the accident had such a profound psychological effect was the duration of the threat: for nearly a week there was widespread belief that a devastating release of radioactive material could occur at any moment. The matter of the "hydrogen bubble" epitomized the dread, its cause and the mishandling of the information. Two days into the emergency the Nuclear Regulatory Commission (NRC) speculated on the possibility of enough hydrogen to result in a major explosion collecting at the top of the reactor vessel. Eventually it was admitted that the speculation had been based on faulty science. The Presidential Commission's report stated:
"The great concern about a potential hydrogen explosion inside the TMI-2 reactor came with the weekend. That it was a groundless fear, an unfortunate error, never penetrated the public consciousness afterward, partly because the NRC made no effort to inform the public it had erred. ... the NRC could have determined from the information available at that time that no excess oxygen was being generated and there was no real danger of explosion."
In contrast to the great psychological harm caused by the prolonged accident, especially to the surrounding community, any physical effects due to radiation were extremely small. Some radioactive material was released from the plant but so little that estimates assuming the validity of the linear non-threshold hypothesis (Chapter 7) predict less than one cancer death for the public within a 50-mile radius of the plant. However, this did not prevent the widespread propagation of myths. Allegations of excess infant deaths and hypothyroidism were examined and officially rejected with cause, but the myths continued unabated. Some of the more fanciful myths that were similarly debunked are:
In circumstances such as those that existed at Three Mile Island there is a natural tendency to blame every adverse occurrence on the accident.
Just as the international nuclear industry was recovering its reputation for safety, damaged by the Three Mile Island accident, a really serious reactor accident occurred at Chernobyl in the Ukrainian Republic of the former U.S.S.R. in April 1986. If communications with the public at Three Mile Island suffered from the presence of too much media the reverse was true for Chernobyl. The world's first awareness of the accident came from Swedish reports of unusually high levels of radioactivity in the atmosphere. For many months afterwards information about the accident was filtered through the U.S.S.R. authorities, raising suspicions that unpleasant facts were being suppressed.
More than a decade later, with increasing openness in the former U.S.S.R. and as a result of international studies and conferences largely organized by the IAEA, the facts are now well established. This does not, however, stop the continuing repetition of many myths.
The reactor concerned was one of a four-reactor plant. Its fuel was quite similar to that used in other power reactors internationally, and it was water-cooled. The big difference was in its moderator, graphite, operated at elevated temperatures. At the time of the accident, the reactor was being shut down for scheduled maintenance, and it was already at low power. In this nearly unstable condition, and under pressure to maintain production to satisfy the electrical demand of Kiev, the operating utility decided to test whether there was enough mechanical energy in the rotating generator to supply emergency power for nearly a minute after the steam supply was cut off. This test had not been performed during commissioning and had not been properly reviewed for safety before local approval. Several operator errors, some involving serious violations of existing procedures but some understandable given the condition of the reactor, resulted in a power surge beyond the capacity of the normal control system. This invoked the emergency shutdown system but, due to a subtle design weakness, this reaction initially increased the power. As a result the coolant water vaporized and burst the surrounding tubes; and the steam reacted with the hot graphite to cause an explosion. This was a conventional steam explosion, possibly a hydrogen-oxygen chemical explosion, but not a nuclear explosion. The building housing the reactor, not a containment building such as is mandatory in Canada and most other countries, was destroyed. Many fires were started and the graphite moderator ignited. The fires, the explosion and the decay heat from the fission products all contributed to releasing these products and other radioactive material to the environment. It took the U.S.S.R. authorities about ten days to control the situation sufficiently to terminate the major release of radioactive materials; and several months to enclose the remaining ruins in a new outer structure (the "sarcophagus").
Twenty-nine of the plant workers died during or shortly after the accident, most as a consequence of fighting the fires; and about 200 of them suffered acute radiation syndrome. There was widespread radioactive contamination, causing evacuation of the surrounding area. The contamination was significant in parts of Europe and could even be detected later in North America, albeit at a level insignificant to health. A 1996 conference of 845 scientists, organized by two UN agencies and other organizations provided an authoritative account of the actual effects of the accident. Perhaps the most frequently asked question about Chernobyl is: "Can it happen here?". An answer is to list six significant causes of the Chernobyl accident that could not occur in Canadian reactors.
The most severe accidents to have occurred to power reactors in Canada have been ruptures of single pressure tubes in Ontario Hydro's Pickering reactors in 1974 and 1983. In each case the damage was confined to a single channel; coolant escaped from the primary circuit but was recovered in sumps designed for the purpose; there was no release of radioactive material from the containment building; and there was no harm to workers or the public. The operators shut down the reactors by normal, routine means: the automatic shutdown systems were not called upon. The causes of the failures were human error during construction of the reactors and inadequate quality assurance, compounded by a design weakness, not caught by the design audit.
To help the public and the media understand nuclear events, and to prevent them reporting every incident as a major disaster, the IAEA published the International Nuclear Event Scale for the prompt communication of news having safety significance. This seven-level scale can be compared with the Richter Scale by which people can tell the severity of an earthquake. The lowest level on the nuclear scale, 1, described as an anomaly, would typically cover equipment failure, human error and procedural inadequacies beyond authorized limits but without safety significance. The highest level, 7, described as a major accident, would involve the external release of a large fraction of the radioactive material in a large facility, e.g., a power reactor. The Chernobyl accident is the only example of a level 7 event; the accident at Three Mile Island was a level 5 event, described as an accident with off-site risk; and the events at Pickering would have been rated as level 2 "incidents". A 1998 report by the Paul Scherrer Institute in Switzerland presented an Energy-related Severe Accident Database for the frequency of events causing fatalities for a variety of energy chains. It defines the threshold of what it terms a "severe accident" as 5 fatalities, 10 injured, 200 evacuees, 10,000 tons of hydrocarbons released, 25 square kilometres of land requiring cleanup and US$5M of economic costs. Chernobyl is the only nuclear reactor accident that would meet this criterion. A more recent Swiss study showed that for severe accidents that might occur nuclear energy would cause fewer deaths and injuries than any other large-scale energy source.
The IAEA scale may help to assuage public fears in the long term. However, our opinions, once formed, are hard to change. Psychologists find that people presented with new information accept or reject it depending on whether it reinforces or attacks their pre-existing opinions. Thus, those who already dreaded a reactor accident believed that TMI and Chernobyl demonstrated how dangerous nuclear energy is. Those already comfortable with nuclear energy pointed to TMI as showing how even a severe accident, resulting in a total destruction of the reactor core, need not cause detectable health effects; while Chernobyl showed that just about the most serious reactor accident imaginable had health consequences less than many conventional industrial accidents, and much less than the annual toll on highways.
In view of repeated warnings against complacency, we should consider where improvements are desirable:
When all the risks associated with generating nuclear electricity are assessed the total must be compared with the total from other potential means of generating electricity if policy decisions are to be made responsibly. For this purpose it is important to include all associated risks from construction of the plant through production of the fuel, e.g., mining and transport of coal or uranium, and disposal of the wastes, as well as the obvious operation of the plant. This has been done in several studies that show similar results. A Canadian one, by the CNSC's independent Advisory Committee on Nuclear Safety, estimates that of the available options for generating large-scale electricity in Canada, nuclear electricity poses less risk than coal-fired electricity to both the public and workers, while it poses slightly greater risk than hydroelectricity to the public but about the same risk to workers.
In April of 2003 seven people died in a natural-gas explosion in a strip mall in Toronto. On one day in 1998, October 18, hundreds of people died from accidents involving fossil fuels: 700 in a fire following the burst of a gasoline pipeline in Nigeria and 45 in the explosion of an oil pipeline in Colombia. Each year about fifty Canadians are electrocuted, i.e., they die from using electricity. If any of these accidents had happened at a nuclear plant there would have been an immediate demand to shut down all such plants. There have been no fatal accidents in Canadian nuclear generating stations in 40 years of operation, while annual fatalities resulting from other energy sources are accepted as inevitable.
Can nuclear energy be too safe? Conventional wisdom is that however safe current nuclear plants are, they should be made safer if this is possible. After all, we have nothing to lose by making them safer, do we? The answer is that we do: if we devote any of our limited resources to making safer an activity that is already safer than the average, then these resources are not available to improve the safety of the less safe activities. Thus the good intention results in the overall safety being less than it might be. A 1991 study by the U.S. Office of Management and Budget found that the cost of measures to comply with the Environmental Protection Agency's regulations, in U.S. dollars per potential premature death, varied from about $200,000, for drinking water standards for chloroform, to about $6 trillion, for the disposal of wood-preserving chemicals as hazardous waste.
For those who read carefully, the realization that safety should not be demanded at any cost is in the CNSC's statement of its mission as:
"... to ensure that the use of nuclear energy in Canada does not pose undue risk to health, safety, security and the environment"
- note the qualification "undue". Elsewhere, it has suggested that:
"... expenditures in excess of $100,000 to reduce a collective dose by 1 person-Sv are not justified".
The regulatory agencies of several countries have considered this question of safe-enough versus too-safe. The conclusions of the U.K.'s Health and Safety Executive are reasonably representative: an individual risk of death under one in a million per year is generally regarded as negligible, while over one in a hundred thousand per year is intolerable. This is broadly consistent with the basis for regulating power reactors in Canada.