down or decay heat removal systems fail, additional safety systems prevent the escape of fission products to the atmosphere.

Rapid interruption of the nuclear chain reaction is accomplished by inserting control rods which contain neutron-absorbing boron into the core. The control system is designed to shut down the reactor automatically in the event that abnormal conditions develop in the core or primary coolant system. Even after the chain reaction is interrupted, however, the coolant must continue to circulate to remove decay heat. If the coolant pressure drops in a BWR or PWR-indicating that some of the coolant has been lost from the primary system-the core is automatically flooded by an emergency core cooling system (ECCS). If the secondary cooling system fails in a PWR, an auxiliary feedwater system is designed to take over. Other backup cooling systems in these plants include high- and low-pressure injection pumps and spray systems. These safety systems are designed to operate automatically, with no requirement for action by the plant operators.

They are dependent on human action only insofar as they must be designed, constructed, and maintained to function correctly.

The final step in the design for the safety of a nuclear powerplant is to incorporate features that prevent the release of fission products in the event of a fuel-melting accident. This is done using the concept of "defense in depth," that is, providing successive barriers that radioactive materials must breach before endangering the public. The barriers in LWRs are the fuel cladding, the heavy steel of the reactor pressure vessel, and the thick concrete of the containment building that encloses the pressure vessel and other components in the coolant system.

These examples necessarily oversimplify the complex designs and interactions of safety systems. Many safety systems play a role in the routine operation of the plant as well. This sampling serves as background for the subsequent discussions of safety features of LWRS and of alternative designs.

Overview of U.S. Reactors

Of the 84 nuclear reactors with operating licenses in the United States today, about twothirds are pressurized water reactors. They are offered by three companies-Babcock & Wilcox Co., Combustion Engineering, Inc., and Westinghouse Electric Corp. The remaining reactors (with the exception of one HTGR) are boiling water reactors, sold by General Electric Co. These four companies all supply the nuclear steam supply system (NSSS), or the nuclear-related components of the reactor. The balance of the plant consists of such items as the turbine-generator, the auxiliary feedwater system, the control room, and the containment building. The balance of plant design typically is supplied by an architect-engineering (AE) firm, any one of which might team up with a vendor to provide a reactor plant that meets the needs of a particular utility at a specific site. So far, no completely standardized plant design has emerged, although some convergence has occurred among the designs of each nuclear steam system vendor. There is still a great deal of difference among the designs of similar components (e.g., steam generators) and system configurations. This is not surprising considering the various combinations of vendors and AE firms that have been involved in powerplant design. Furthermore, the utilities themselves may customize a reactor design to meet specific site require

ments.

Even without the benefits of a standardized design, the LWRs that have operated in the United States for more than 20 years have had good safety and reliability records. There never has been an accident involving a major release of radioactivity to the environment, and the operating performance, while not spectacular, has been comparable to that of coal-fired powerplants. Still, doubts linger about both the safety and reliability of these LWRs. This section examines the reasons for such concerns, including particular features of these reactors that contribute to concern.

Safety Concerns

The occurrence of several widely publicized accidents such as those at Three Mile Island and Browns Ferry nuclear plants have underscored the potential for a catastrophic accident. These accidents shook some of the confidence in our understanding of nuclear reactors. For example, the scenario that unfolded at Three Mile Island had not been stressed prior to the accident: it involved the loss of coolant through a small leak in a pressure relief valve, whereas safety analysis had previously concentrated on large loss-of-coolant accidents. Most studies of these serious accidents have faulted the plant operators more than the reactor hardware (10), which indicates that LWR designs are not as forgiving of human error as they might be.

Safety concerns also arise because nuclear powerplants have encountered hardware malfunctions in virtually every system, including control rods, steam generators, coolant pumps, and fuel rods. The majority of these hardware problems have been resolved by retrofits, changes in methods of operation, and redesign. Some problems are expected as a new reactor matures, but many of the LWR problems have persisted. Others continue to surface, some because of the intense scrutiny of plants following the Three Mile Island accident and others because of the aging of the earlier reactors. Most of the difficulties probably have technically feasible solutions, but it is not always clear that they would be cost effective to implement. Meanwhile, the discovery of new problems and the slow resolution of old ones continues to erode confidence in the safety of LWRs.

Confidence in LWRS might be enhanced if there was an objective standard for judging the safety of these plants. As a step in this direction, the Nuclear Regulatory Commission (NRC) has proposed a set of qualitative and quantitative safety goals for nuclear powerplants on a 2-year trial basis (4). These safety goals will provide a means

for answering the question, "How safe is safe enough?"

There is a fundamental problem with specifying standards for safety: there is no technique for quantifying the safety of a nuclear powerplant in an objective and unambiguous way. One attempt to define nuclear safety is probabilistic risk assessment (PRA), which outlines sequences of events that could lead to accidents and then assigns probabilities to each basic event (12). PRA is becoming a useful tool for such tasks as comparing certain design options in terms of their safety impact. However, the technique is still in its infancy and the results vary widely from one practitioner to the next. The variations occur because the users of PRA must put in their own assumptions about factors contributing to accidents and their probabilities of occurrence. More research is required to establish reasonable and standard assumptions and to refine the process of assessing risk.

Another important component of safety analysis is the consequence of an accident. This depends on the amount of radioactive material that can be released to the environment following a nuclear reactor accident, otherwise known as the nuclear source term. Recent findings indicate that the source terms now used in regulation and risk analysis may overestimate the magnitude of potential fission product releases (5). Only further analysis can tell whether reductions in the source terms can be fully justified, and, if so, the magnitude of the appropriate reduction for each fission product and for each accident scenario. Modeling and analysis programs are now being conducted by NRC and by the Electric Power Research Institute (EPRI), the American Nuclear Society, and by the Industry Degraded Core Rulemaking Program. These studies should eventually produce realistic estimates of fission product releases, but the task is complex and likely to be lengthy.

Reliability Concerns

Reliability and safety concerns are closely related, since the same factors that create concern about the safety of LWRs also raise questions about their reliability. If a safety system

malfunctions or threatens to do so, the plant must be shut down for a lengthy and often expensive period of maintenance. On the other hand, chronic reliability problems are likely to indicate or contribute to fundamental difficulties that could reduce safety.

The reliability of LWRS is easily quantifiable, in contrast to the difficulties in defining safety. Detailed data on reactor performance have been collected since the beginning of the nuclear era, and they can be analyzed to determine trends. Two measures of performance are commonly used-availability and capacity factor. The availability is defined as the percentage of a time period during which the reactor was available for operation (whether or not it was actually in service). The capacity factor is the ratio of the actual amount of electric generation to the total theoretical output of the plant during the same time period. Each of these quantities has some drawbacks as a measure of plant reliability: the capacity factor is affected by the demand for electricity and the plant availability is insensitive to the capability of the plant to operate at full power. Since nuclear powerplants usually are baseloaded, the capacity factor is generally a better measure of reliability. Both capacity and availability are shown in figure 21 as a function of time for all years from 1971 through 1980 (17). To provide a basis for comparison, reliability records are also shown for coal-fired plants larger than 400 megawatts electrical (MWe). It can be seen that the average availability for the two types of plants has been nearly identical at about 69 percent. The average capacity factor for nuclear plants over the same time period was 60 percent, which was 3 percentage points better than for coal. Thus, nuclear plants operate reliably enough compared with their closest counterparts, even though the average performance has not been as outstanding as anticipated by the original nuclear powerplant designers.

It is instructive to reexamine performance data for groups of reactors as well as the industry as a whole. Capacity factors are shown for each reactor type and vendor in table 13 (27). When comparing the data on a lifetime or cumulative basis, it can be seen that there are only slight differences among reactor vendors or types. It also

Percent

71 72

74 75 76 Year of operation

77 78 79

121

74 75 76 77 78 79 80

Year of operation

are as low as 40 percent while those of the best are as high as 80 percent.

The hardware problems discussed above have contributed to low availabilities in some plants. These and other hardware problems have been responsible for lengthy periods of downtime as discussed in detail in volume II. It is concluded there that most of the these problems have been or soon will be resolved (27).

Despite signs of progress, LWRs still are not operating trouble-free. The steam generators in several plants have degraded to the point that it has been necessary to replace them. This repair is estimated to cost between $60 million and $80 million in addition to the cost of purchasing replacement power. Other plants may have to un

dertake expensive retrofits or modify operation to mitigate concerns over pressurized thermal shock (26).

Another impediment to achieving high availability is the stream of retrofits that has followed the accident at Three Mile Island. The Three Mile Island action plan contains about 180 requirements for changes in operational plants; these changes, of course, could not be incorporated into the basic powerplant design, but had to be added to existing systems. This type of retrofitting is seen as a problem by both the nuclear industry as well as its critics since it introduces the possibility of adverse safety consequences. In fact, in some cases, new requirements might reduce rather than enhance safety. This could happen if unanticipated interactions arise or if there is an inadequate understanding of the system the requirement is intended to improve.

The revision in NRC requirements for seismic restraints on piping is often cited as an example of retrofit problems. The restraints in nuclear powerplants are designed to preserve the integrity of pipe by limiting vibrations even if an earthquake should occur. Many plant operators and designers complain that these restraints are expensive to install and that they hold the pipes too rigidly to allow for thermal expansion. Furthermore, some critics of the current seismic requirements feel that piping actually may be more prone to failure in an overconstrained system. These critics assert that today's requirements for seismic restraints result from an attempt to make it easier to analyze conditions in plants rather than from an identifiable need (1).

On the balance, retrofits probably have improved the safety of operating nuclear powerplants. In fact, one assessment of plants before and after the Three Mile Island retrofits concludes that the probability of an accident has been reduced by a factor of 6 in PWRs and by a factor of 3 in BWRs, with the core melt probability for PWRS now only slightly higher than for BWRs. These improvements are attributed primarily to higher reliability of feedwater systems and regulatory and inspection procedures that reduce the probability of human error (19).

Examples of Specific Concerns

Since 1978, NRC has been required by Congress to prepare a list of generic reactor problems. This list is revised annually to reflect new information and progress toward resolution. Each time a new safety issue is identified, NRC assesses the need for immediate action. In some cases, action such as derating (reducing the approved operating power) certain reactors, is taken to assure public health and safety. In other cases, an initial review does not identify any immediate threat to the public, and further research is conducted. Many generic safety issues have been resolved and removed from NRC's list of significant safety items (26).

Table 14 summarizes the 15 most important unresolved safety issues as determined by NRC in 1982. A few of the items on that list will be examined here as examples of the types of concerns that remain about LWRs and some of the factors preventing their resolution.

One of the most widely publicized safety problems is the potential in PWRS for fracture of the reactor vessel from pressurized thermal shock. Reactors are designed to be flooded with relatively cold water if a loss of coolant accident occurs. The sudden temperature differential causes surface strains, known as thermal shock, on the thick metal wall of the reactor vessel and imposes severe differential stress through the vessel wall. While plant designers have understood and accounted for this phenomenon for years, they have only recently discovered that two other factors may make the effect more acute than anticipated. One is that the emergency cooling system is likely to be actuated following a small-break accident (e.g., the one at Three Mile Island) when the reactor vessel is still highly pressurized. In such a situation, the stresses due to thermal shock would be added to those due to internal pressure. The second factor is that the weld and plate materials in some older reactor vessels are becoming brittle from neutron exposure faster than had been expected. Such embrittlement increases the vulnerability of the vessel to rupture following pressurized thermal shock. While the possibility