Unit-4

SAFETY AND RISK:

 Safety was defined as the risk that is known and judged as acceptable. But, risk is a potential that something unwanted and harmful may occur. It is the result of an unsafe situation, sometimes unanticipated, during its use.

Probability of safety = 1 – Probability of risk

 Risk = Probability of occurrence × Consequence in magnitude

Different methods are available to determine the risk (testing for safety)

1. Testing on the functions of the safety-system components.

2. Destructive testing: In this approach, testing is done till the component fails. It is too expensive, but very realistic and useful.

3. Prototype testing: In this approach, the testing is done on a proportional scale model with all vital components fixed in the system. Dimensional analysis could be used to project the results at the actual conditions.

4. Simulation testing: With the help of computer, the simulations are done. The safe boundary may be obtained. The effects of some controlled input variables on the outcomes can be predicted in a better way.

RISK-BENEFIT ANALYSIS

 The major reasons for the analysis of the risk benefit are:

1 To know risks and benefits and weigh them each

2 To decide on designs, advisability of product/project

3 To suggest and modify the design so that the risks are eliminated or reduced

There are some limitations that exist in the risk-benefit analysis. The economic and ethical limitations are presented as follows:

1. Primarily the benefits may go to one group and risks may go to another group. Is it ethically correct?

2. Is an individual or government empowered to impose a risk on someone else on behalf of supposed benefit to somebody else? Sometimes, people who are exposed to maximum risks may get only the minimum benefits. In such cases, there is even violation of rights.

3. The units for comparison are not the same, e.g., commissioning the express highways may add a few highway deaths versus faster and comfortable travel for several commuters. The benefits may be in terms of fuel, money and time saved, but lives of human being sacrificed. How do we then compare properly?

4. Both risks and benefits lie in the future. The quantitative estimation of the future benefits, using the discounted present value (which may fluctuate), may not be correct and sometime misleading.

Voluntary Risk

Voluntary risk is the involvement of people in risky actions, although they know that these actions are unsafe. The people take these actions for thrill, amusement or fun. They also believe that they have full control over their actions (including the outcomes!) and equipment’s or animals handled, e.g., people participate in car racing and risky stunts.

 Testing becomes inappropriate when the products are

1 Tested destructively

2 When the test duration is long, and

3 When the components failing by tests are very costly. Alternate methods such as design of experiments, accelerated testing and computer-simulated tests are adopted in these circumstances.

SAFETY LESSONS FROM ‘THE CHALLENGER’

The safety lessons one can learn in the Challenger case are as follows:

1. Negligence in design efforts. The booster rocket casing recovered from earlier flights indicated the failure of filed-joint seals. No design changes were incorporated. Instead of two O-rings, three rings should have been fixed. But there was no time for testing with three rings. At least three rings could have been tried while launching.

2. Tests on O-rings should have been conducted down to the expected ambient temperature i.e., to 20 of. No normalization of deviances should have been allowed.

3. NASA was not willing to wait for the weather to improve. The weather was not favourable on the day of launch. A strong wind shear might have caused the rupture of the weakened O-rings.

4. The final decision making of launch or no-launch should have been with the engineers and not on the managers. Engineers insisted on ‘safety’ but the managers went ahead with the ‘schedule’.

5. Informed consent: The mission was full of dangers. The astronauts should have been informed of the probable failure of the O-rings (field joints). No informed consent was obtained, when the engineers had expressed that the specific launch was unsafe.

 6. Conflict of interest (Risk vs. Cost): There were 700 criticality-1 items, which included the field joints. A failure in any one of them would have cause the tragedy. No back-up or standby had been provided for these criticality-1 components.

7. Escape mechanism or ‘safe exit’ should have been incorporated in the craft. McDonnell

The Three Mile Island and Chernobyl case

The Three Mile Island Unit 2 (TMI-2) reactor, near Middletown, Pa., partially melted down on March 28, 1979. This was the most serious accident in U.S. commercial nuclear power plant operating history, although its small radioactive releases had no detectable health effects on plant workers or the public. Its aftermath brought about sweeping changes involving emergency response planning, reactor operator training, human factors engineering, radiation protection, and many other areas of nuclear power plant operations. It also caused the NRC to tighten and heighten its regulatory oversight. All of these changes significantly enhanced U.S. reactor safety.

A combination of equipment malfunctions, design-related problems and worker errors led to TMI-2's partial meltdown and very small off-site releases of radioactivity.

The accident began about 4 a.m. on Wednesday, March 28, 1979, when the plant experienced a failure in the secondary, non-nuclear section of the plant (one of two reactors on the site). Either a mechanical or electrical failure prevented the main feed water pumps from sending water to the steam generators that remove heat from the reactor core. This caused the plant's turbine-generator and then the reactor itself to automatically shut down. Immediately, the pressure in the primary system (the nuclear portion of the plant) began to increase. In order to control that pressure, the pilot-operated relief valve (a valve located at the top of the pressurizer) opened. The valve should have closed when the pressure fell to proper levels, but it became stuck open. Instruments in the control room, however, indicated to the plant staff that the valve was closed. As a result, the plant staff was unaware that cooling water was pouring out of the stuck-open valve.

As coolant flowed from the primary system through the valve, other instruments available to reactor operators provided inadequate information. There was no instrument that showed how much water covered the core. As a result, plant staff assumed that as long as the pressurizer water level was high, the core was properly covered with water. As alarms rang and warning lights flashed, the operators did not realize that the plant was experiencing a loss-of-coolant accident. They took a series of actions that made conditions worse. The water escaping through the stuck valve reduced primary system pressure so much that the reactor coolant pumps had to be turned off to prevent dangerous vibrations. To prevent the pressurizer from filling up completely, the staff reduced how much emergency cooling water was being pumped in to the primary system. These actions starved the reactor core of coolant, causing it to overheat.

Without the proper water flow, the nuclear fuel overheated to the point at which the zirconium cladding (the long metal tubes that hold the nuclear fuel pellets) ruptured and the fuel pellets began to melt. It was later found that about half of the core melted during the early stages of the accident. Although TMI-2 suffered a severe core meltdown, the most dangerous kind of nuclear power accident, consequences outside the plant were minimal. Unlike the Chernobyl and Fukushima accidents, TMI-2's containment building remained intact and held almost all of the accident's radioactive material.

Federal and state authorities were initially concerned about the small releases of radioactive gases that were measured off-site by the late morning of March 28 and even more concerned about the potential threat that the reactor posed to the surrounding population. They did not know that the core had melted, but they immediately took steps to try to gain control of the reactor and ensure adequate cooling to the core. The NRC's regional office in King of Prussia, Pa., was notified at 7:45 a.m. on March 28. By 8 a.m., NRC Headquarters in Washington, D.C., was alerted and the NRC Operations Center in Bethesda, Md., was activated. The regional office promptly dispatched the first team of inspectors to the site and other agencies, such as the Department of Energy and the Environmental Protection Agency, also mobilized their response teams. Helicopters hired by TMI's owner, General Public Utilities Nuclear, and the Department of Energy were sampling radioactivity in the atmosphere above the plant by midday. A team from the Brookhaven National Laboratory was also sent to assist in radiation monitoring. At 9:15 a.m., the White House was notified and at 11 a.m., all non-essential personnel were ordered off the plant's premises.

By the evening of March 28, the core appeared to be adequately cooled and the reactor appeared to be stable. But new concerns arose by the morning of Friday, March 30. A significant release of radiation from the plant's auxiliary building, performed to relieve pressure on the primary system and avoid curtailing the flow of coolant to the core, caused a great deal of confusion and consternation. In an atmosphere of growing uncertainty about the condition of the plant, the governor of Pennsylvania, Richard L. Thornburgh, consulted with the NRC about evacuating the population near the plant. Eventually, he and NRC Chairman Joseph Hendrie agreed that it would be prudent for those members of society most vulnerable to radiation to evacuate the area. Thornburgh announced that he was advising pregnant women and pre-school-age children within a five-mile radius of the plant to leave the area.

Within a short time, chemical reactions in the melting fuel created a large hydrogen bubble in the dome of the pressure vessel, the container that holds the reactor core. NRC officials worried the hydrogen bubble might burn or even explode and rupture the pressure vessel. In that event, the core would fall into the containment building and perhaps cause a breach of containment. The hydrogen bubble was a source of intense scrutiny and great anxiety, both among government authorities and the population, throughout the day on Saturday, March 31. The crisis ended when experts determined on Sunday, April 1, that the bubble could not burn or explode because of the absence of oxygen in the pressure vessel. Further, by that time, the utility had succeeded in greatly reducing the size of the bubble.

The NRC conducted detailed studies of the accident's radiological consequences, as did the Environmental Protection Agency, the Department of Health, Education and Welfare (now Health and Human Services), the Department of Energy, and the Commonwealth of Pennsylvania. Several independent groups also conducted studies. The approximately 2 million people around TMI-2 during the accident are estimated to have received an average radiation dose of only about 1 millirem above the usual background dose. To put this into context, exposure from a chest X-ray is about 6 millirem and the area's natural radioactive background dose is about 100-125 millirem per year for the area. The accident's maximum dose to a person at the site boundary would have been less than 100 millirem above background.

In the months following the accident, although questions were raised about possible adverse effects from radiation on human, animal, and plant life in the TMI area, none could be directly correlated to the accident. Thousands of environmental samples of air, water, milk, vegetation, soil, and foodstuffs were collected by various government agencies monitoring the area. Very low levels of radionuclides could be attributed to releases from the accident. However, comprehensive investigations and assessments by several well respected organizations, such as Columbia University and the University of Pittsburgh, have concluded that in spite of serious damage to the reactor, the actual release had negligible effects on the physical health of individuals or the environment.

A combination of personnel error, design deficiencies, and component failures caused the Three Mile Island accident, which permanently changed both the nuclear industry and the NRC. Public fear and distrust increased, NRC's regulations and oversight became broader and more robust, and management of the plants was scrutinized more carefully. Careful analysis of the accident's events identified problems and led to permanent and sweeping changes in how NRC regulates its licensees – which, in turn, has reduced the risk to public health and safety.

Here are some of the major changes that have occurred since the accident:

 • Upgrading and strengthening of plant design and equipment requirements. This includes fire protection, piping systems, auxiliary feed water systems, containment building isolation, reliability of individual components (pressure relief valves and electrical circuit breakers), and the ability of plants to shut down automatically;

• Identifying the critical role of human performance in plant safety led to revamping operator training and staffing requirements, followed by improved instrumentation and controls for operating the plant, and establishment of fitness-for-duty programs for plant workers to guard against alcohol or drug abuse;

• Enhancing emergency preparedness, including requirements for plants to immediately notify NRC of significant events and an NRC Operations Centre staffed 24 hours a day. Drills and response plans are now tested by licensees several times a year, and state and local agencies participate in drills with the Federal Emergency Management Agency and NRC;

• Integrating NRC observations, findings, and conclusions about licensee performance and management effectiveness into a periodic, public report;

• Having senior NRC managers regularly analyze plant performance for those plants needing significant additional regulatory attention;

• Expanding NRC's resident inspector program – first authorized in 1977 – to have at least two inspectors live nearby and work exclusively at each plant in the U.S. to provide daily surveillance of licensee adherence to NRC regulations;

• Expanding performance-oriented as well as safety-oriented inspections, and the use of risk assessment to identify vulnerabilities of any plant to severe accidents;

• Strengthening and reorganizing enforcement staff in a separate office within the NRC;

Establishing the Institute of Nuclear Power Operations, the industry's own "policing" group, and formation of what is now the Nuclear Energy Institute to provide a unified industry approach to generic nuclear regulatory issues, and interaction with NRC and other government agencies;

• Installing additional equipment by licensees to mitigate accident conditions, and monitor radiation levels and plant status;

• Enacting programs by licensees for early identification of important safety-related problems, and for collecting and assessing relevant data so operating experience can be shared and quickly acted upon; and

 • Expanding NRC's international activities to share enhanced knowledge of nuclear safety with other countries in a number of important technical areas.