Exploratory what-if analysis of some debated canister failure modes in the review of a licence application for the construction and operation of a spent nuclear fuel repository in Sweden

Regulatory review of the licence application for construction and operation of a spent fuel repository at the Forsmark site in Sweden involves detailed assessment of both expected and hypothetical failure modes of the copper canister. The copper canister, which is supported by the bentonite buffer and the surrounding crystalline rock in the KBS-3 concept, is expected to provide complete containment of radioactive elements for very long timescales. Detailed assessment shows that there is a small probability on such timescales of canister failure due to corrosion following loss of buffer as well as mechanical failure due to large earthquakes. During the regulatory review process, it was proposed that canisters might also fail due to: (i) corrosion in anoxic oxygen gas free water, (ii) pitting corrosion, (iii) stress corrosion cracking, (iv) creep brittle failure, (v) hydrogen embrittlement. We here provisionally accept a number of alternative assumptions related to these processes as a basis for what-if analysis of their implications. The focus is not to determine the merit or to estimate probability of these cases, but rather to explore their potential significance in the context of the available knowledge about the repository environment. Simplified estimates are made of the consequences in terms of number and timing of canister failures as well as radiological impact. It is judged that poor creep ductility of copper would have larger potential consequences compared to localised corrosion phenomena. Potential corrosion failures are expected to be associated with the small fraction of deposition holes that are most extensively exposed to corrodants.


Introduction
The purpose of geological disposal of spent nuclear fuel and other radioactive wastes is to ensure long-term protection of people and the environment from the hazards such wastes represent. Risks for future generations living in close proximity to a sealed disposal facility should be very small. These objectives are achieved by selecting a site with favorable rock conditions, by using an effective engineered barrier system, and by constructing and operating the repository facility in ways that facilitate long-term safety. The role of a national regulatory body such as the Swedish Radiation Safety Authority (SSM) is to ensure that these objectives are met through thorough independent review and analysis, and by assessing compliance with applicable regulatory criteria. In 2011, the Swedish Nuclear Fuel and Waste Management Company (SKB) submitted a licence application for construction and operation of a spent fuel repository at the Forsmark site in Sweden. The application is based on the KBS-3 concept consisting of three primary barriers; the copper canister, the bentonite buffer and the crystalline bedrock at about 500 m depth.
The applicant's safety assessment (SKB, 2011) addresses the long-term safety of a geological disposal facility at the Forsmark site is based on two key barrier functions, namely complete containment of the spent nuclear fuel in extremely long-lived copper canisters, and retardation of radioactive components in the engineered barriers and the bedrock should canister failure occur. Of key importance is also the long-term evolution of the repository environment and its surroundings as well as the behavior of released radioelements in the biosphere. SSM's review of SR-Site was structured around these main subjects (SSM, 2018). In this paper, we address the failure modes of the copper canister, and in particular assessment of alternative failure modes that have been proposed as causes for "early" failures (e.g. Pettersson, 2012;Szakálos and Seetharaman, 2012). This includes adoption of alternative process assumptions in order to improve understanding of the sensitivity of the overall canister isolation system to such mechanisms, as well as some simplified consequence estimates. The work reported here is based on a selection of results from a series of working meetings and simple elicitation exercises conducted by SSM's internal review group as part of the licensing review.

General description of canister failure assessment
In the applicant's safety assessment (SKB, 2011), three fundamentally different reasons for why canisters might fail to fulfil their prescribed containment function have been explored in detail. These are: (i) isostatic loading of canisters, (ii) canister corrosion failure in deposition holes where the buffer has been eroded, and (iii) excessive shear loading of canisters in deposition holes affected by large earthquakes. The first case is regarded by SKB as a hypothetical example, since canisters are designed and will be manufactured with significant margins to withstand even the most pessimistic external loading conditions. However, for the second and third cases, a low likelihood of canister failures could not be excluded. These two cases are therefore propagated to SKB's risk analysis. Since more rapid general sulphide corrosion of copper following buffer erosion is connected to dilute groundwater conditions at repository depth, this failure mode is conditional on dilution of the present saline groundwater conditions by glacial meltwater intrusion, a situation that is not expected to happen until post-glacial conditions far into the future. The annual probability of a large earthquake in immediate vicinity of the repository site is very low, but it must be recognised that the cumulative probability for such an event having taken place become significant due to the extended time scales involved. In both cases, the principal concern is the small fraction of deposition holes that are intersected either by large features in the rock capable of hosting a significant rock movement, or by the most water-conductive fractures in the near-field rock. SSM recommended additional measures to further strengthen confidence in the robustness of the concept against those types of canister failure modes (SSM, 2018), but nevertheless agrees in broad terms with SKB's handling of the above mentioned cases.
Responses submitted as part of a national consultation, as well as two of SSM's external experts, proposed that canisters may fail much earlier due to other failure modes than those addressed in detail in the SR-Site safety assessment. The failure modes were originally described in different ways, both as a "thought experiment" (Pettersson, 2012), and as a postulation that canisters would fail during the first 1000 years of the post-closure phase (Szakalos and Seethamaran, 2012). The proposed "other" failure modes of the canister have other things in common beyond that they may occur at an earlier stage. For example, they assume that a long period of unsaturated conditions would be of significance, and that canister failure could occur in deposition positions without any coupling to large structures in the bedrock or to water-conducting fractures.
In this paper, we address the following postulated failure modes of the copper canister, by examining the potential implications of alternative assumptions: (i) corrosion caused by anoxic (oxygen gas free) water, (ii) pitting corrosion, (iii) stress corrosion cracking, (iv) creep brittle failure, and (v) hydrogen embrittlement. SKB has provided justifications for why none of these mechanisms is considered a potential cause for canister failure, as part of the original application or as supplementary information. Nevertheless, they remained an essential review topic in SSM's regulatory review of the licence application.

Method
Regulatory assessment of canister failure modes proposed by third parties necessarily requires a thorough analysis of scientific evidence and plausibility that there could be a significant safety impact of these modes during the post-closure period. Such an analysis is outlined in SSM's main review report (SSM, 2018). In this paper, however, we are concerned with an exploration of the sensitivity of overall disposal system performance to the proposed canister failure modes in the context of available knowledge about the repository environment. This is achieved by provisionally accepting a number of alternative assumptions to those on which the applicant's current safety assessment is based, as what may appropriately be called a "thought-experiment" (Pettersson, 2012), without making any detailed analysis of whether these assumptions may be regarded as having merit, or even being completely implausible. By alternative assumptions and alternative failure modes, we in this context mean that they are speculative and not thoroughly justified, or must at present be regarded as improbable. This is clearly only one stage of several in the overall regulatory process, but the outcome is considered to provide useful insight to guide other types of review efforts.
This outlined method is similar to use of "what-if" scenarios and barrier failure schemes that have long since been implemented in safety assessment methodology. For instance in SR-Site, a consequence assessment calculation was included for several purely hypothetical cases, such as the assumed failure of one or more canisters, and/or that all buffers fail, without any specification of a reason for failure (SKB, 2010b(SKB, , updated 2015. Here we have used a step-wise approach to what-if analysis, which involves assessment of the potential extent and timing of canister failures associated with a spe-cific failure mode linked to the assumption of a given degradation process, as well as rough estimate of radiological impact associated with such a case. While acknowledging that this analysis is based on a very approximate approach, we have also for reference purposes compared the what-if outcomes with a simplified but more systematic consequence analysis based on the purely hypothetical assumption that all canisters fail in an evenly-distributed pattern over the different time frames that are relevant for the postulated "early" canister failure modes. The coarse methods implemented in this scoping analysis involve estimating time of canister failure and radionuclide release based on, for example, a constant conservative rate of general corrosion. Detailed structural integrity analysis and its implications for the radiological source term used in the consequence evaluation was beyond the scope of the simplified sensitivity assessment reported here. Assumed rates of degradation are, in turn, dependent on assumptions related to evolution of the near-field environment of the canisters. These are based on interpolation and extrapolation of modelling results from the SR-Site safety assessment (SKB, 2011) combined with judgements made by the SSM review team, taking into account variability in expected conditions for the whole ensemble of deposition holes. For a given parameter, the analysis was sometimes based on selecting a very pessimistic single value or alternatively an approximate parameter distribution derived from SKB's field measurements or literature data. It should be recognized that the estimated numbers of canister failures based on these simplified methods are intentionally speculative, and that a what-if prediction of a large number of early canister failures does not necessarily imply any contradiction with the applicant's safety case, in which very few and only late projected canister failures are derived from much more detailed best estimate considerations.

Expected environmental conditions
Judgements of the significance of canister processes cannot be solely based on experimental investigations, since conditions during experimental work often deviate significantly from the expected repository environment. It is important to recognize the significant amount of information relating to conditions at the proposed repository depth as well as the completed modelling work devoted to explore the long-term evolution of those conditions on safety assessment timescales (SKB, 2011). Without fully accounting for this information, it is easy to draw misleading conclusions about alternative canister degradation processes.
The following factors are considered to be particularly relevant for addressing postulated alternative failure modes (SKB, 2011): -The slow resaturation of the buffer, which varies extensively from a few decades for some deposition holes up to potentially several thousand years for deposition holes without connection to major water conducting features in the bedrock.
-The thermal evolution of canister surfaces, the temperature of which reaches a peak value of just below 100 • C and then decreases to around 40 • C after 1000 years.
-The initial relatively high gamma radiation field which penetrates the canister and gradually diminishes to near background levels during the next few hundred years.
-The evolution of redox conditions near the canister, with a transition from initially oxidising conditions to chemically reducing conditions.
-Other evolutionary aspects of groundwater chemical conditions, such as the timing and effect on the buffer of expected reductions in salinity as well as expected reductions of concentrations of sulphide and organic materials in the vicinity of the canister.
An often-discussed issue related to environmental conditions is the expected significant proportion of deposition holes with very long resaturation times for the buffer. Although predictions regarding such resaturation times are available (Sellin, 2013), these are associated with considerable uncertainty since there is little information about how much water may be extracted from the intact bedrock. The predominantly "dry rock" condition is a distinctive feature of the Forsmark site with the sparseness of fracturing at repository depth clearly demonstrated in the completed site investigations (SKB, 2011). A direct influence of long resaturation times on the engineered barriers was judged to be the very slow loading of a significant fraction of the canisters caused by swelling of the buffer, which mainly affects the plastic deformation of the copper shell. In addition, unsaturated conditions are associated with gas phase transport of potentially corroding species and substrates for microbial processes, such as hydrogen sulphide and methane.

Expected corrosion failures based on current safety assessment
The simplest form of canister failure would be due to general corrosion giving rise to a more or less uniform thinning of the 50 mm thick copper canister shell until it collapses. The basic chemical processes responsible for such corrosion are expected to be the oxidation of pure copper by molecular oxygen and sulphide: 2Cu The initial, relatively small amounts of molecular oxygen within the system would be depleted early on and are expected to result in no more than 1 mm of corrosion (King et al., 2010). Corrosion with sulphide can be distributed between sulphide originating from surrounding groundwater and sulphide that may be generated by microbial sulphate reduction (MSB) utilizing organic components present in the groundwater, buffer and backfill clay barriers. Sulphate is generally available in much higher concentrations than sulphide. MSB is here exemplified with consumption of methane: Corrosion due to sulphide in groundwater reaching the canister surface can be estimated by mass-transfer considerations focussing on the measured distribution of sulphide concentration in groundwater, diffusion of sulphide through the compacted buffer and the distribution of groundwater flows intersecting deposition holes with different hydraulic characteristics. The estimated maximum corrosion rate for intact buffer conditions is in the range of a few nanometres per year (SKB, 2010a(SKB, , updated 2012. During the unsaturated phase sulphide could be supplied to the canister surface in gaseous form (H 2 S(g)) from the backfill. This transport pathway is considerably more rapid compared with the aqueous phase owing to the several orders of magnitude higher diffusion coefficients. Simple scoping calculations suggest a maximum corrosion rate of 400 nm yr −1 as long as the unsaturated conditions prevail and as long as the backfill is capable of providing additional hydrogen sulphide (Lilja et al., 2013). According to information regarding limits to sulphide and organic matter content in the buffer and backfill, SKB estimates that a few mm of general corrosion could take place for those canisters exposed to the longest duration of the unsaturated phase. In any case, based on massbalance considerations, no canister failure could occur due to general corrosion caused by this type of sulphide supply.
The only case in which sulphide from groundwater is judged capable of ultimately causing canister failure due to general corrosion is when the buffer's function as a barrier to advective flow has failed because of exposure to dilute groundwater. In such a situation, the mass transfer of dissolved sulphide would be much more rapid without the presence of an intact buffer. In a deposition hole where the highest estimated flow rate coincides with the highest estimated sulphide levels in groundwater, the corrosion rate may be as high as around 700 nm yr −1 (SKB, 2010a, updated 2012). We do not consider this case any further, since the expected more rapid corrosion is associated with buffer erosion conditions due to glacial meltwater intrusion and is therefore completely unrelated to the potential "early" failure modes addressed here.
These conclusions are based on the applicant's safety case (SKB, 2011) and the processes and mechanisms described are not controversial as such. It is nevertheless unavoidable that the extent of general corrosion caused by these processes is associated with a degree of uncertainty with regard to the repository environment and its long-term evolution, which has to be accounted for, either by probabilistic or deterministic methods. The above-mentioned basic chemical processes are also relevant to consideration of potential localized corrosion phenomena (see below).

Proposed additional failure modes
A key alternative and much-debated corrosion process is the corrosion of copper in pure water free of oxygen gas, which can be written as: Based on some experimental observations, it has been proposed that this reaction will contribute to a slow corrosion of the canister, approaching equilibrium at a hydrogen partial pressure of about 1 mbar (Szakálos et al., 2007;Hultquist et al., 2013). This is the first of the postulated alternative canister degradation mechanisms considered by SSM in its exploratory sensitivity analysis, potentially providing additional general corrosion in relation that caused by sulphide. Thermodynamic data for all well-known solid copper phases suggest the equilibrium hydrogen pressure would in fact be six orders of magnitude lower than that indicated above, which would render the process insignificantly small.
The extent of reaction in the repository environment is calculated based on reported experimental corrosion rates derived from measured hydrogen production in the published studies. It would also have been possible to determine the extent of reaction through mass transfer rates of hydrogen away from the canister surface (on the basis of the local equilibrium assumption), but the kinetic corrosion rate method was regarded as the simplest and most conservative approach. With the selected approach, annual corrosion rates would be in the range 10-100 nm (Hultquist et al., 2015), with higher values being associated with the most elevated temperature immediately after deposition of canister, and lower values with subsequent lower temperatures. No canister failures are considered to be feasible due to this type of corrosion, even if one also considers that contributions from the more established oxygen and sulphide corrosion reactions described above are additive. The integrity of the canister in the context of general corrosion, with or without the postulated alternative process, is achieved through using a substantial corrosion barrier thickness of 50 mm.
The second alternative corrosion failure mechanism considered here is pitting corrosion of copper. The applicant rules out these types of corrosion attack on the basis that a passivating layer of corrosion products would not form on the copper surfaces in the repository environment, neither under the initial oxidising conditions nor in chemically reducing conditions in the presence of sulphide (King et al., 2010). Formation of a stable passivating layer due to general corrosion is generally considered a necessary condition for initiation of pitting corrosion (Frankel, 1998). The specific corroding species are otherwise consumed by general corrosion. The passivating layer may then be disturbed at specific sites, thereby initiating the formation of localised corrosion pits. The basic chemical processes are in principle the same as those described under general corrosion.
For oxidising conditions, the details of this corrosion type are less relevant since the period of oxidising conditions is most probably too short for any serious pitting corrosion to occur regardless of whether a passivating layer may be established. The same argument cannot be used for the effectively indefinite period of reducing conditions with corrosion caused by available sulphide. To assess potential sensitivity to this second "alternative" canister degradation process, it is assumed that a passivating sulphide layer is formed, followed by the formation and propagation of corrosion pits during the entire safety assessment period. The maximum potential extent of pitting corrosion is then simplistically determined by implementing the above-mentioned general corrosion rates for sulphide and accounting for the full range of experimental and recorded pitting factors (PF) from the literature, which are in the range 5-25 (King et al., 2010). "Early" canister failure would require that the highest PF coincides with the highest availability of sulphide, which is mainly suppled to the canister surface by gaseous diffusion. Thus, for example, a PF of 25 combined with a general corrosion rate of 400 nm yr −1 from gas-phase transport of sulphide under unsaturated conditions (see above) would give rise to a localised corrosion of 1 mm per 100 years, or 50 mm in 5000 years.
With such a substantial pitting corrosion, canister failure might therefore be anticipated for the most exposed deposition holes in terms of availability of sulphide under prolonged unsaturated conditions. Considering the use of the upper range of pitting factors alongside a very conservative approach for determining sulphide availability, however, early failure due to pitting corrosion would seem unlikely, even if it is postulated that conditions for pitting corrosion (including formation of a passivating layer) are fulfilled. Sulphide supply would diminish even with a partial resaturation of the buffer and backfill system, as would the fraction of the most degradable organic matter in the backfill. Once the unsaturated phase is completed, the lower corrosion rate caused by diffusion in the aqueous phase would still occur, but would provide much less driving force for potential continued pitting corrosion. Moreover, experimental investigations suggest that pitting factors may decrease as a function of time (Mao et al., 2014).
The third alternative canister degradation process covered in this analysis is stress corrosion cracking (SCC) of the copper shell. Stress corrosion cracking has some resemblance to pitting corrosion in so far as it is a localised process that requires formation of a passivating sulphide layer. Again, it is postulated that a passivating sulphide layer would form, but that it would be disturbed locally by the mechanical loading conditions and resulting tensile stresses (King et al., 2010), rather than by chemical conditions. The canister is for the most part exposed to compressive stress resulting from buffer swelling and hydrostatic pressure, but tensile stress would potentially occur in a small part of the canister around the weld, lid and base corner regions. As with pitting corrosion, the process would be relevant only for deposition holes with a relatively high availability of sulphide distributed over a significant time period in order both to build up a passivating layer and to continue to supply sulphide for progression of localised corrosion until canister failure. This effectively rules out deposition holes with a relatively short period of unsaturated conditions. Tensile stresses in the canister are expected to build up as a consequence of buffer swelling and resaturation, but they will also eventually be relaxed following corresponding deformation of the copper shell onto the cast iron insert. SCC failure of canisters that survive a long period with buffer swelling pressure and canister shell deformation can probably be regarded as very unlikely, even it is assumed that a passivating sulphide layer is formed, since the passivating layer coverage would have to coincide with a region with persistent tensile stresses. The number of affected deposition holes is conservatively assumed to be similar to that adopted in the case of pitting corrosion. The progression of SCC once a protective layer has formed would however probably require smaller quantities of dissolved sulphide compared with the progression of pitting corrosion and postulated failures are therefore assumed to take place more rapidly.
There is some experimental evidence of a SCC mechanism for copper in sulphide environments (Taniguchi and Kawasaki, 2008), in addition to the better known SCC mechanisms that can occur in the presence of nitrite, ammonia and acetate under oxidising conditions (King et al., 2010). However, the variants under oxidising conditions should be much less viable on the basis that sufficient tensile stress in the shell is not expected to be developed during the brief initial oxidising period following closure of a deposition tunnel.
The next potential alternative canister degradation mechanism is mechanical in nature and completely unrelated to corrosion. For manufacturing reasons there is a small gap of at 72 B. Strömberg et al.: Exploratory what-if analysis of some debated canister failure modes most a few milimeters between the copper shell and the cast iron insert of the canister. Since the insert is the load-bearing component, the shell has to deform plastically until the gap is closed, which is an expected evolution in response to development of the buffer swelling pressure and the restoration of the hydrostatic pressure at repository depth. The required level of deformation of the shell is in general quite small but the deformation of the corner regions is larger (SKB, 2013) and therefore more critical in this context. The challenge posed by this mechanical loading is the potential for creep embrittlement of the copper to occur during this period of slow deformation.
The applicant has conducted a range of experiments demonstrating that phosphorus-doped OFP copper will with a considerable margin have sufficient creep ductility to accommodate the required range of deformation (creep ductility requirement is set to at least 15 %). If the buffer in deposition holes becomes resaturated on a timescale of decades, the rate of deformation can be expected to be similar from a mechanistic point of view to that observed in long-term creep experiments. The deformation process will also be facilitated by the higher canister temperatures from spent fuel residual heat during this period. However, in deposition holes with extremely slow buffer resaturation times the canister would be considerably cooler during the deformation stage and both loading and deformation would take place much more slowly. Predictions of creep behaviour for such a very long-term slow deformation would be much more confident based on a fundamental creep model rather than experimental results. However, it has been argued that SKB's existing creep model (Sandström, 2014), which accounts for the beneficial role of phosphorus for copper creep ductility, is in doubt (Pettersson, 2012). Some experiments suggest that grain boundary sliding, which may induce formation of intergranular cracks under creep conditions, is in fact not appreciably impeded by phosphorous, which is a mechanism that has been proposed to explain its beneficial role (Sandström and Wu, 2013). In particular, a similar level of grain boundary sliding in phosphorus-doped copper (OFP-copper) and in pure oxygen-free copper (OF-copper) has been observed (Pettersson, 2010). There appears also to be no firm evidence of accumulation of phosphorus in grain boundary areas, which has been proposed in the model for creep behaviour.
The postulated "alternative" assumption adopted in SSM's exploratory analysis is that the creep ductility may be as low as 1 % for OFP-copper under conditions of very slow canister deformation, consistent with some experimental data from creep experiments with pure oxygen-free (OF) copper (Pettersson, 2012). Numerical simulations of canister loading convincingly demonstrate that creep ductility in this range is most probably not sufficient to accommodate the predicted strains in the weld root area (SKB, 2013). It is difficult to translate this alternative assumption into a specific number of failed canisters, however, partly because there is no clear basis to define a limit between rapid ductile deformation and the hypothetical very slow brittle deformation based on existing information, and partly because the distribution of deposition holes subject to rapid and slow resaturation is uncertain. Nevertheless, it would most probably be a considerably larger fraction of the total number of disposed canisters compared to the hypothetical corrosion failures discussed above. Furthermore, as the postulated failure is related to the development of tensile stresses on the canisters, and unrelated to variability in chemical conditions, the only differentiating factors are the timescale on which loading takes place (varying according to resaturation times for the deposition holes) and possible manufacturing variation in material properties and canister geometries between canisters.
The final alternative degradation mechanism considered in SSM's exploratory analysis is hydrogen embrittlement of copper. The hydrogen content of the metal originates in part from canister manufacturing, and it has been shown that gamma radiation may increase hydrogen uptake as a result of radiolysis of the surrounding water. Even hydrogen that is generated from corrosion of copper under reducing conditions may also be partially incorporated into the metal. The most apparent influence of hydrogen is the so-called "hydrogen sickness" phenomenon, which is caused by reaction with copper oxides and the resulting formation of water molecules in grain boundaries. This is postulated to be a potential cause of failure at the grain boundaries and subsequent canister rupture.
This issue became relevant when entrapped oxide particles were found in friction stir welds in copper specimens (Savolainen et al., 2008). In order to avoid these type of defects, welding in the presence of an inert shielding gas has been developed and proven to be effective in the mitigation of oxide formation (Björck et al., 2017). The "alternative" assumption in this case is to postulate that the gas shielding would not be fully effective during the sealing of all canisters, owing to faults occurring during operation of the encapsulation facility, and that this could eventually cause canister failures by hydrogen embrittlement. The failure mode can probably be entirely avoided given sufficient attention. The number of associated canister failures would in any case be very small.
6 Results from consequence analysis Table 1 shows the estimated canister failures and radiological consequences associated with the alternative canister degradation assumptions and related hypothetical failure modes described in the previous section. It is important to note that the results presented in Table 1, regardless of the apparent precision that arises as an artefact of the simplified assessment method, should be regarded as rough, order of magnitude estimates. Nevertheless, pitting corrosion failures are few and distributed over a long period leading to compara- Although a similar number of canisters are affected, based on assumptions relating to deposition hole resaturation time and the availability of gaseous sulphide, the failures are assumed to occur earlier and over a more limited period. No failures are associated with alternative models for general corrosion. The most significant consequences arising from the crude sensitivity analysis for alternative canister degradation processes occur for the creep embrittlement case, because the potential number of relevant deposition holes is considerably larger when the creep ductility is postulated to be as low as 1 %. Hydrogen embrittlement is associated with a small number of canister failures, equivalent to that for stress corrosion cracking. Conditional dose levels, assuming that the postulated failure mechanisms are indeed capable of occurring, clearly exceed the regulatory target (approximately 16 µSv yr −1 ) only for the creep case. The absolute number of canister failures shown in the table provide an indication of the sensitivity to, and relative importance of, the alternative process assumptions discussed above, but otherwise have little relevance. These numbers are derived to be consistent with the adopted process assumptions and arguments as well as with some quantifiable entities such as assumed resaturation rates for deposition holes, selected corrosion rates and concentration of corroding species, but significant discretion had to be used for failure modes associated with mechanical conditions. As such, and because the postulated canister failure modes are hypothetical and speculative in nature, these numbers have no relevance to a compliance assessment. They are clearly far from being bestestimate cases. Nevertheless, in SSM's review process it was generally felt that the use of a quantitative framework, even if simplistic in nature, contributed to a higher degree of clarity of understanding as well as consistency when judging the relative importance of different process arguments. This ultimately led to an improved understanding of system sensitivity within the review team compared with previous attempts based solely on a qualitative and descriptive approach.
Results from the isostatic loading case in the SR-Site safety assessment (SKB, 2011) were used as a basis for calculating dose consequences associated with the defined cases discussed in this paper (Table 1). Since the timing and extent of canister failure are quite different for different cases, a degree of interpolation and extrapolation had to be undertaken in order to arrive at the figures in Table 1. This, in turn, introduced an additional level of uncertainty. Understanding of the potential significance of such uncertainty was subsequently addressed by comparisons with more rigorous calculations carried out by SSM's external experts. Figure 1 shows the results of a set of calculation cases based on the assumption that all 6000 canisters in the repository fail in an evenly-distributed fashion over a specific time interval after closure: 100, 300, 1000, 6000 and 100 000 years (Pensado, 2017). These cases are unrelated to any specific canister failure mechanism and are different from any of the cases proposed by the applicant, since they utilise artificially imposed distributions for canister failure times. It can be seen that the most severe consequences are quite similar for both sets of calculations (Table 1 and Fig. 1) taking into account the assumed number of failed canisters and results showing annual individual doses in the range 0.3-1 mSv. The average dose per failed canister is, however, somewhat lower than that derived from the applicant's compliance demonstration. This is because canister failures in SSM's external expert analysis are associated with intact buffer conditions, and not specifically linked to preferential flow paths in the rock. By contrast, in the SR-Site safety demonstration, preferential flow paths are assumed to be either a contributing factor for canister failure (in the case of general corrosion), or to be formed at the time of canister failure (in the case of failure due to a large earthquake) (SKB, 2011). The postulated, hypothetical failures discussed in this paper would on the contrary be associated preferentially with intact rock conditions, since deposition hole intersection with preferential flow paths promote rapid buffer resaturation.
All calculations that translate an assumed number and timing of canister failures into estimates of radiological consequence need to quantify the radionuclide release from spent nuclear fuel in contact with groundwater, radionuclide retardation and transport in the engineered barriers, near-field rock and the far-field rock, as well as exposure pathways in the biosphere. The calculations by SSM's external experts presented in Fig. 1 are based on similar conceptual models to those used by the applicant, but the modelling software, parameter values and detailed modelling assumptions differ somewhat. In general, however, results from direct attempts to reproduce the applicant's consequence assessment calculations are in agreement with those presented in SR-Site, with calculated doses at a similar level and general trends being in good agreement (Walke et al., 2015;Xu et al., 2015).

Discussion
The analysis of long-term safety for geological disposal of radioactive wastes is a significant challenge, mainly due to the very long timescales involved. Confidence in long-term safety can be gradually improved through a scientific research program, site characterisation efforts and refinement of engineered barrier manufacturing, testing and emplace-ment. Since it is difficult to draw definitive conclusions about the protective capability of single barriers in isolation, it has long been recognised that a multi-barrier system is needed, enabling a combination of several safety functions to be deployed. In this paper, we have described a simplistic approach to evaluate the relative potential significance of a number of postulated alternative assumptions related to the containment safety function of the copper canister in SKB's KBS-3 concept. The copper canister is one of three primary barriers in the KBS-3 concept, with the other two being the bentonite buffer and the surrounding crystalline rock. The alternative canister assumptions explored in this exploratory analysis are not part of the applicant's safety case, but have been proposed in various contexts as being worthy of consideration. The approach here does not include a thorough analysis of the merits and weaknesses of the alternative assumptions and their implications for canister degradation, which is done elsewhere (SSM, 2018). What is included is rather a simple sensitivity study of the implications of assuming that such mechanisms can occur in the context of available knowledge about the repository environment.
It should nevertheless be noted that some of the information about the repository environment assumed in the analysis is very conservative. This includes estimates of gaseous hydrogen sulphide diffusion to the canister surfaces, which is the essential driving force for potential localised corrosion phenomena related to sulphide. In general, limitation of sulphide supply is the key factor affecting the potential significance of the explored localised corrosion processes.
Poor material properties, such as creep ductility, are considered capable of having larger potential consequences than the existence of localised corrosion phenomena, such as stress corrosion cracking and pitting corrosion, related to the presence of sulphide. This is because the external driving force for hypothetical failures in the mechanical failure case, i.e. very slow development of tensile stresses from external forces imposed on the canister, can be expected to be relevant for a relatively large proportion of the deposition holes. This, in turn, is a consequence of the otherwise favourable characteristics of the intact rock at the Forsmark site. Potential corrosion failures, by comparison, are linked to a much smaller fraction of the deposition holes -those that are both very slow to resaturate and most extensively exposed to corrodants. Such exposure is conditional on the coincidence of two primary factors: sufficient and persistent access to gaseous pathways to the copper canister and a persistent microbial generation of sulphide in the backfill. The postulated canister deformation failure cases are also more dependent on detailed design constraints, as opposed to localised corrosion, which is related to the more fundamental question of material selection for the canister shell.
Data availability. No data sets were used in this article.