While most of the severe-accident-related vulnerabilities arising from the inherent 40-odd-year-old PHWR design are common with single-unit CANDU reactors, and a number are also shared with LWR designs of that vintage, an evaluation of a station blackout accident at a multi-unit CANDU station reveals significant challenges to accident management options and potentially unacceptable off-site radiological consequences. Opportunities for design improvements are abundant but unfortunately mostly ignored, with both accident progression and consequence assessments presented by the utilities in a distorted positive light, in defiance of engineered realities and public safety.
Overpressure protection systems in all relevant reactor systems (PHTS, Calandria, Shield Tank, and Containment) are inadequate for decay heat, let alone for other anticipated severe accident loads. Early passive heat removal by steam generators after a station blackout can be compromised by primary coolant removal into a large pressurizer located well below the pump bowl. There are no emergency means of high-pressure water addition to the steam generators or the heat transport system, which not only has inadequate steam relief capacity for overpressure protection, such that an early containment bypass by steam generator tube ruptures is a possibility, but also lacks a method of manual depressurization for early accident mitigation. In the absence of a retaining LWR-like pressure vessel, the reactor cores would release fission products without attenuation into the box-like containments, which, at a 48% per day leak rate at design pressure, are very leaky and, at less than 1 bar design pressure, structurally the weakest of all operating reactor containments. The reactor buildings around each individual reactor unit are inverted-cup-like traps for combustible gases. A large number of safety-significant components, like the steam generators, pumps and the reactivity control devices, are all outside the containment envelope. The production of combustible deuterium gas from over ten km of carbon steel piping and over 50 tons of Zircaloy can be extremely high, making the installed numbers and types of PARS not only inadequate but, as early ignition sources, also dangerous. Improvements after Fukushima are perfunctory, and the analytical methods in support of severe accident management guidelines are outdated and incomplete. A lax and uninformed regulatory regime blindly supporting an intransigent industry resisting basic design enhancements has further exacerbated, like it did in Japan, the severe-accident-related risk from continued operation of these reactors.
These conclusions are based on thirty years of working on severe-accident-related issues at CANDU reactors, conducting extensive design reviews and developing computer codes and analytical methods for accident progression and consequence assessments. It is hoped that open discussions by professional engineers would foster change in the name of public safety. It is also feared that nothing will change unless an accident occurs.