Introduction of an Additional Safety Barrier for Nuclear Power Reactors

In the present paper a proposal is formulated to improve the safety of existing and future nuclear reactors. The idea is based upon the introduction of a new safety barrier against the release of radioactivity generated by the fission chain process. The proposal aims at fixing bases for possible strengthening of current Nuclear Reactor Safety by combining the logical frameworks associated with the concepts As-Low-As-Reasonably-Achievable (ALARA), Best-Estimate-Plus-Uncertainty (BEPU), Extended-Safety-Margin (E-SM), Independent-Assessment (IA) and Emergency-Rescue-Team (ERT). The expected impact of the new barrier upon selected nuclear accidents is outlined. The cost for the implementation of the additional barrier is expected to be affordable from a financial viewpoint and to contribute to restoring the public confidence towards nuclear technology.


Introduction
Nuclear Reactor Safety (NRS) constitutes a well-established technology at the time of writing this paper. About five-hundred Nuclear Power Plant (NPP) units have been operated since the demonstration of the capability to control the fission reaction in 1942 and the connection of nuclear fission driven electricity generator to the electrical grid in 1954, e.g. see [1]. A much larger number of reactors (a few thousands) have been constructed and successfully operated for purposes different from electricity production including research and production reactors as well as reactors used for marine propulsion. However, a) the number of NPP built and operated is far below the number envisaged by nuclear pioneers in the 50's and far below a number consistent with the industrial growth, and b) accidents occurred, including a few catastrophic ones which severely impacted the exploitation of the technology.
Two paradoxical situations can be identified for NRS nowadays: first, maturity (this is meant either design-and-operation-capabilities, or reliability-of-safety evaluations) and in terms of was achieved at a time when the number of NPP units commissioned-constructed per year sharply dropped mainly as a consequence of the accidents in Three Mile Island (TMI-2) and in Chernobyl; second, interest from industry in implementing research findings and new ideas after those events declined leading to a sort of misalignment between technological capabilities and implementation status. Furthermore, concepts and principles in NRS were proposed by those who developed the nuclear technology in the middle of the past century and since then are embedded into any step of the process leading to electricity production. Those concepts and principles were adopted by other technologies later on and, still today, appear unsurpassed. The implementation of those concepts and principles shall follow and did follow the progress in understanding and the development of new techniques.
The Defense-in-Depth (DiD) which connects the principle of radioprotection with the design, the construction and the operational features of the nuclear reactors, can be taken as the imaginary skyline which drives the development of NRS. On the one hand, the Design Basis Accidents (DBA) have been introduced to demonstrate the robustness of DiD. On the other hand, safety functions, barriers and (even) calculated safety margins resulting from computational analyses, e.g. [2], constitute perceptible outcomes and provide a measure of the safety of current reactors, see ref. [3].
The established technological picture has been rusted (a) by the nuclear tragedies involving [now] conceivable accidents outside the DBA envelope, like Three Mile Island Unit 2, 1979, Chernobyl Unit 4, 1986 and Fukushima Units 1-4, 2011, and (b) in an elusive way by the evidence, collected in the last two or three decades, of the weakness of what is still considered the safety barrier constituted by the clad of nuclear fuel rods.
Thus, an ambitious proposal is outlined to overcome the occurrence of conceivable accidents and the expected failure of the fuel clad barrier following DBA: the description of an additional safety barrier constitutes the content and the target for the present paper. Methodologies and findings from researches are gathered to form the basis for the design of the additional barrier.
As a preliminary disclaim, two topics which are marginally or not considered hereafter are: human factors as key part of NRS and global political and economic strategies in the world which have an inevitable impact upon the exploitation of nuclear technology, [4].

Motivation
Focus is given hereafter to two technological motivations for the present study, i.e. in addition to the public un-trust toward nuclear technology and the policies of government which also affect the worldwide energy market.
The former motivation is quite obvious: severe accidents like those occurred in Three Mile Island, Chernobyl and Fukushima are not tolerable. It is clear that zero-risk owing to the operation of NPP is impossible to attain, as well as zero-probability per year of core melt. However, an attempt shall be made to bring the probability of core melt to the value which corresponds to the probability of fall of a disruptive meteorite on the site or in the region of the NPP. Corresponding risk, involving the impact of radiation upon the hit region and the survived population shall be accepted. The following statements by concerned scientists, [5], may be taken as backing the present study:  "In such a dangerous world, a high priority must be placed on efforts aimed at upgrading and enhancing nuclear safety regulatory system. With effective nuclear regulatory system nuclear accident like the Fukushima can be prevented".  "Upgrading and strengthening a nuclear regulatory system is not optional but imperative to prevent the next core meltdown".  "A credible nuclear watchdog must be an independent agency …" [current situation not satisfactory].
The latter motivation derives from an overview of current understanding of nuclear fuel performance during nominal operation and following accidents part of DBA. The condition High-Burnup (HBU) and Beginning of Life (BOL) fuel shall be distinguished, although any distinction is fragile also because of the industry (NPP owner) tendency to attain HBU from any BOL situation. Let's start the overview from the United States Nuclear Regulatory Commission (US NRC) 'preliminary-draft' Regulatory Guide (RG), [6] The weakness of the barrier constituted by the clad is emphasized from recent (experimental and calculational evidence as discussed in [7], [8], [9] and [10].

The Elements of the Additional Barrier
A summary interpretation of the NRS safety barriers, at the light of the discussion in the section above, can be derived from Fig. 1. More details are provided below. the center of the picture; the barrier sometimes associated with the pellet is neglected here), the following barriers are identified (red labels B1 to B5 in the figure):  The B1 deals with fuel and clad (basically clad, according to the assumption above) and is the barrier in relation to which the weakness is discussed in section 1.  The B2 is constituted by the pressure boundary for the primary circuit: this exists in all water-cooled reactors.  The B3, not usually recognized as a barrier in NRS technology: it is designed according to different philosophies and exists in all water-cooled reactors. This is constituted by the installed Engineered Safety Features (ESF) and, noticeably, includes the Emergency Core Cooling Systems (ECCS).  The B4 is constituted by the containment and, including the 'confinement' installed in majority of VVER-440 and the common pressure building installed in one Canadian Deuterium Uranium (CANDU) NPP, exists in all water-cooled reactors.  The B5 is the additional 'risk-informedtechnological' barrier which constitutes the topic of the proposal in the present paper.  Furthermore, the following notes apply:  The B1 and the B2 (clear blue in Fig. 1) are introduced according to design needs of reactors.  The B3, the B4 and the B5 (when available) are designed according to NRS needs.  The B5 is expected to substitute the B1 once B1 weakness is (formally) recognized.  In relation to each barrier, further characterization is provided in Fig. 1 (upper right), e.g. including the attributes 'mechanical', 'concrete', 'electronic', etc.
The additional barrier B5 is constituted by a combination of the following elements, which have a heterogeneous nature and role: the As Low As Reasonably Achievable (ALARA) principle, the Independent Assessment (IA) requirement, the Best Estimate Plus Uncertainty (BEPU) approach, the Extended Safety Margin (E-SM) concept and the Emergency Rescue Team (ERT), now a virtual reality. ALARA, IA, BEPU and E-SM are discussed in [11] with more details given in [2], [12] and [13] and ERT is introduced in [14]. The elements are shortly discussed in sections 3.1 and 3.2, distinguishing between 'software' and 'hardware' and their combined role is outlined in section 3.3.

The 'Software' Elements
ALARA, BEPU and IA constitute the software elements of B5.
Namely, the correspondence between ALARA and BEPU has been identified at first [11], by noting that the best use of computational tools according with current understanding is consistent (or even a direct consequence) of the early established principle imposing the minimizing of the radiation impact upon the environment and the population.
BEPU constitutes an approach which originally drove the application of thermal-hydraulics system codes into the licensing process of water-cooled reactors, e.g. [2] and [12]. Suitable procedures for Verification and Validation, for addressing the scaling issue, for demonstration of quality and calculation of uncertainty in code predictions and for suitable coupling of codes (e.g. neutron physics and thermal-hydraulics) are among the pillars of BEPU.
The IA requirement, although established since the early developments of nuclear technology, later on became of difficult application owing to the increasing sophistication of NPP which implies (more) proprietary data needed for safety demonstration [13].

The 'Hardware' Elements
E-SM and ERT constitute the hardware elements of B5. Safety Margins (SM) are well known words in NRS: suitable safety margins must be demonstrated and are part of design, construction and operation of existing reactors. The acronym E-SM, [12], implies a substantial increase in the number of parameters which shall be at the origin of one independent SM, the combination of two or several SM to create a sort of macroscopic SM and an about two orders of magnitude increase of signals from any operating reactors. The last feature suggested to include E-SM among the new hardware needed to implement B5.
The ERT consists of a group of highly trained and specialized rescuers, [14], who owns suitable machinery and equipment (helicopters, Diesel Generators, DG, etc.) and the access to each nuclear reactor installed within an assigned geographic region. Here, 'access' means: (a) availability of plugs to connect DG feed-pump delivery sides to primary and secondary circuits of reactor and to ensure cooling of even damaged core; ERT team should arrive at the concerned site within one-hour (i.e. a time span lower than the time needed for massive core melt), based on E-SM signals; (b) possibility to induce scram of the reactor from remote location (this capability is already available in some Countries in special Nuclear Center under the control of a Government regulatory Institution).

A sketch for the Barrier
The summary sketch of the elements which constitute B5 is given in Fig. 2: the B5 is proposed here in order 'to substitute' B1 which is found to be unsuited or weak according to recent studies.
Let's first substantiate the terms adopted for defining the B5 in Fig. 1: a risk-informed technological barrier, needing electronic / computational system, ERT supported. The words 'risk-informed' requires full consideration of Probabilistic Safety Assessment (PSA) techniques as well as integration of those techniques into the Integrated Risk Informed Decision Making (IRIDM) framework [15]. The word 'technological' reflects the need of consistency between the elements of the barrier and the technology growth including the database of knowledge (e.g. a new magnitude of earthquake in an assigned geographical region): the B5 shall be constantly upgraded. The word 'electronic' gives the proper emphasis to: a) the consideration of Instrumentation and Control (I & C) into the safety analysis; b) the design, the installations and the operation of (an order of magnitude) 10 4 detectors for fulfilling the E-SM element needs. The word 'computational' stresses the importance of analyses which are qualified and independent from the designer-owner of the reactor. The words 'ERT supported' emphasized the need for ERT: E-SM continuously monitors the NPP, the environment and the workers actions and solicit the intervention of ERT. The B5 safety barrier is a dynamic system tailored to each reactor, although design philosophy as well as procedures and databases are in common to all reactors.
The concerned NPP Unit is the starting point for the design of B5 (top left in the diagram): the information database dealing with design, construction and operation of the reactor is relevant. The regulatory framework at the basis of the licensing of the Unit (i.e., the item 'NRS requirements at the top of the diagram) shall form the second database needed to start the process for constituting the B5. ALARA is a driving principle in this connection.
The role of Final Safety Analysis Report (FSAR), including any licensing document issued in relation to the NPP Unit is clarified as follows. A 'standard' FSAR, according to regulations is available for any existing Unit or is expected to be issued for new (future) built reactors. This is part of the second database mentioned in the previous paragraph. A new FSAR, independent of the first one and basically including the same information is expected to be created and to form a cross-cutting element for the B5: the new FSAR is called BEPU-FSAR, central element in the diagram; its cross-cutting nature is visualized by the dotted bounded ellipse on the central-left of the diagram.
The BEPU techniques and/or approach (central element in the diagram), originally derived from nuclear thermal-hydraulics and applied for accident analysis, [11], are extended to cover any analytic parts of the (new) FSAR, [16], leading to the so called BEPU-FSAR (i.e. the 'new' FSAR).
IA, left of the diagram, constitutes a requirement for the 'new' FSAR. Independent assessors should have access to the NPP Unit design and licensing information (first and second database above mentioned) and develop the 'new' FSAR, [13]. Because of the proprietary nature of information in the databases, although independent assessors are not in competition with industry (either designer or owner of the NPP), the IA is expected as the critical element for the overall process.
The E-SM set of safety margins and corresponding transducers on the field (central bottom of the diagram) can be determined by a specific procedure, [12], supported by the outcomes of BEPU-FSAR analyses.
The ERT operation (bottom right of the diagram) is expected to be informed by the E-SM, i.e. horizontal arrow in the diagram.
The combination of BEPU application (noticeably leading to BEPU-FSAR) and E-SM, driven by IA and under the umbrella of ALARA, with the support of ERT, forms the additional dynamic safety barrier (bottom of diagram).

The Application of the Barrier
A trivial (rough and approximate) use of the barrier during the course of the 'historical' severe accidents which hit the nuclear technology and an (again rough and approximate) evaluation of the cost are at the origin of the notes in the following subsections.
A detailed thermal-hydraulic description of the Three Mile Island, Chernobyl and Fukushima events can be found in [17], till the time when an irreversible (i.e. a situation in relation to which current technological capabilities to prevent further excursion of the event are challenged) core damage occurred. The provided information (not reported here) is the background for the notes related to the expected performance of the B5 in those cases.

Three Mile Island Accident
In case of the TMI-2 accident, B5 would have stopped ERT was not needed.

Chernobyl Accident
The conditions which caused and/or are the roots for the explosion came into place at least 24 hours before the event. A number of mismatches between measured parameter values and allowed parameter values occurred different times in this period. The issue was that the operators decided to ignore and /or were demanded to ignore those mismatches. A critical human factors problem occurred.
ERT intervention became needed because of the repeated controversial actions by NPP operators. At first, a remote ERT controlled scram would have occurred. An ERT team, properly supported by Country Army should have intervened removing negligent operators. The Chernobyl accident would have not occurred.

Fukushima Accidents
Events in Fukushima Units 1 to 3 are considered here. The signal challenging the B5 in each of the three units would have been the earthquake: its magnitude above the design value would have caused scram (which actually happened during the event) and would have alerted ERT (clearly this did not happen).
ERT intervention needed because of the severity of the earthquake and of the consequent tsunami (possible satellite-based measurement of the tsunami wave height should have contributed to the alert of the ERT team). Proper ERT action would have prevented extended core damage.

Cost of the Additional Barrier
Dealing with (absolute) cost of B5 imposes three preliminary notes, where values are given in US$: (a) the cost of one NPP Unit, typically 1000 Mwe size is in the range 5-10 Billion; (b) the cost for recovering from a severe accident including damage to land and to population (cases of Chernobyl and Fukushima) is in the order of magnitude of 1 Trillion; (c) the selling value of electricity produced in two-months operation of one Unit, this means 1/300 time for the overall NPP life (assumed 60 years), is around 50 Million.
The rough estimation for the cost of the additional 'dynamic' barrier B5, design and operation gives: cost comparable with (c) value, around 1% of the (a) value; and around 0.005% of the (b) value.
One may further elaborate on the cost of B5 by noting that X% of the total cost can be shared by many NPP units (e.g. databases, computational tools, skill of analysts, etc.) and Y% is the cost which applies to each 'individual' Unit. Typical values for X and Y can be 70 and 30, respectively.

Conclusions
The decline of nuclear technology, appearing irreversible so far mostly in the Countries where it was developed, and the assembling of recent research findings brought to the proposal for a new safety barrier for existing and new nuclear reactors.
The unacceptability of severe accidents expected from the operation of NPP, the need to pursue in a rigorous way the independent assessment and the weaknesses, now evident, of the fuel clad as a barrier against the release of fission products, suggested the proposal for a resilient-dynamic additional safety barrier.
The BEPU methodological approach pursued by independent assessors plus an extended-detailed monitoring of the plant status, plus the support in extreme situations by a NPP external rescue team, contribute to form the additional barrier which is expected:


to reduce the probability of core melt down to values which correspond to the fall on the reactor of a site damaging meteorite,  to reduce the current risk of large radioactivity release for a factor in the range 10 -100,  to have the potential to contribute in restoring the public trust towards nuclear technology.
Although selected pieces of the overall spectrum of activities for the new barrier are established achievements for the current technology, thorough investigations shall be planned to confirm the feasibility of the barrier. Namely, this applies in relation to a) the identification of parameters to be monitored which constitute a suitable set of E-SM, b) the demonstration of reduction of the core melt probability, and c) the confirmation of the availability of financial resources and competences to design and operate the barrier. A suitable solution for the IA should also be attained, possibly considering the proposal in a referenced paper (i.e. [13]).
Finally, current safety culture including international institutions dealing with nuclear safety appears adequate and appropriate even for creating the framework for the present proposal. However, it shall be accepted that human factors in a broad sense, i.e. individuals initiating a war or planning a terroristic attack against a nuclear installation and the extreme natural event like the fall of a large meteorite on the site, put challenges to the release of fission products which cannot be confined or satisfactorily weakened by any safety barrier.