A look at the nuclear crisis in Japan and the safety of nuclear power plants. This article describes the inherent danger and the defenses against it, and calls for a different approach to the design of new plants.
By Jim McInvale
Published: 3/21/2011
One day last week I stood in a hospital lobby with my friend Joe looking up at a monitor showing video of a smoking Japanese reactor building. The rolling banner at the bottom included the words: "explosion", "nuclear", and "meltdown". He turned to me and asked, "So on a scale of one to five, five being the worst, how bad is this?"
He asked me knowing that I’d spent 30 years in the commercial nuclear industry as both an operator and engineer. I thought for a moment, answered, "Four", and looked back to the screen. I then added, "High four". Nuclear safety in this business means keeping the public safe from highly radioactive fission products. When several reactor cores are in rubble, the spent fuel is uncovered and possibly on fire, and everyone within miles of the plant is forced to flee their homes, the game has been lost. The plant owner, TEPCO, was now just trying to keep the score from getting too far out of hand.
My friend’s question was a good question because, given the tsunami of bad news and bad information, it is hard to get a clear perspective, even for those of us familiar with nuclear power plant design. In order to gain perspective, one must understand both the danger and the defenses.
The danger, as I mentioned, is an inventory of highly radioactive fission products. The basic source of energy in all operating power reactors is the "explosion", or fission, of a uranium or plutonium atom, an event prompted by its absorption of a meandering neutron. When fuel atoms fission, they break apart into several smaller radioactive atoms with a large release of energy and a few high-speed neutrons. Most of these neutrons wander off and get lost in the wilderness or die an early death by poisoning (absorption by a non-fuel atom). Even if one avoids these fates, it will, like many of us, suffer a lifetime of collisions and grow old and lethargic until it eventually encounters another fuel atom. Then, being too listless to escape, it meets with a violent end. Its life was not in vain, however, for in its demise it continues the nuclear cycle of life - the chain reaction. Millions of trillions of such tiny dramas happen every second in a power reactor and produce a large inventory of radioactive fission products. "Radioactive" means that the nuclei of these atoms emit high-energy particles and waves that wreak paths of ionizing destruction when they pass through organic matter - like Aunt Clara.
The defenses against the danger are fission product barriers. Three are employed at most reactors and they are, from inside out: the fuel cladding, the reactor coolant system pressure boundary, and the containment structure. Fuel is usually fabricated in the form of small ceramic pellets which are stacked into pencil-thin tubes about 12 feet long and seal welded closed. The tubes are referred to as cladding and represent the first barrier. When a reactor is at power, the fuel pellets produce tremendous amounts of heat that must be removed in order to keep the cladding (a zirconium alloy) from overheating, for at temperatures around 1800 degrees F the cladding starts to burn in water and produces explosive hydrogen gas as an oxidation product.
Fuel rods are bundled into assemblies, and a collection of assemblies forms the reactor core. The reactor vessel holds the core and, along with the connecting piping, pumps and components, forms the pressure-tight reactor coolant system (RCS) - the second barrier. The RCS not only serves as the second barrier, but also provides the cooling that protects the first - the clad. RCS components are made from inches-thick high-strength metal, and are designed for the high pressures of both normal operation and transient conditions (thousands of pounds per square inch, or psi).
The final barrier is containment, typically a steel reinforced concrete structure with a steel liner. Containment structures are designed, built, and tested to remain leak tight and intact for pressures usually in the range of 50 to 100 psi so that for all accident conditions, even when the other barriers fail, fission products will not reach the environment. Chernobyl had no containment structure, and that is the main reason it became the worst disaster in the history of commercial atomic power - a clear five on my friend’s scale.
The three fission product barriers must remain intact during normal operation and postulated accident conditions. A nuclear reactor continues to produce significant energy (decay, or residual, heat) long after it is shut down, and there is nothing anyone can do to stop it. For that reason, safety systems must keep removing decay heat in order to protect the integrity of the fission product barriers long after the accident occurs. It is also noteworthy that the barriers are not completely independent of each other - failure of one can compromise the others. For instance, cladding failure that produces hydrogen gas creates the risk of explosions that can challenge both the RCS and containment.
The highly radioactive spent fuel discharged from reactors is stored (for several years at least) in deep pools to provide cooling and shielding, but not within a high pressure system and not inside of a containment structure. The thinking is that the spent fuel cannot create enough energy to initiate accidents that would threaten the cladding integrity, and if cooling should be lost, there would be ample time to recover. We now see the flaw in that reasoning - freshly discharged fuel needs more protection.
All reactors currently in operation are actively safe, and though these words may sound reassuring, we should be anything but reassured. Active safety means that when an accident happens, instrumentation systems must detect and initiate automatic signals to start pumps, stroke valves, and fire up emergency power generators. Of course redundancy is designed into safety systems so that any single failure will not defeat a safety function, but the greater the number of components that must perform, the higher the chances that more than one will fail when needed.
Additionally, plant operators must take the proper actions (or at least not take improper ones) to protect safety. The worst nuclear accident in the US was the 1979 event at Three Mile Island - an event that would not have happened were it not for well-intentioned but improper operator action. Only the containment kept fission products from reaching the environment.
There are two fundamental problems with the concept of active safety. First, all of those safety systems need power to operate. The calamity at Fukushima Daiichi resulted directly from a loss of all AC power when the tsunami swept away offsite power to the facility and rendered the on-site emergency diesel generators inoperable. The loss of all AC power is known as a station blackout, and it is the Achilles heel of reactor designs based on active safety systems.
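The two points made above about active safety - that every extra component that must perform is one more thing that can fail, and that a single shared dependency such as AC power can defeat all the redundancy at once - can be made concrete with a small reliability calculation. The following is an added example written for this page, not the author's own analysis or any plant's safety data: the component failure probabilities, the train counts, and the probability of losing AC power are constructed numbers chosen only to show the shape of the argument, and the two-branch fault tree (function fails if power is lost OR, with power available, too few redundant trains work) is a deliberately simplified model.

```python
from math import comb, prod

# Constructed illustration: per-demand failure probabilities for the pieces
# one safety "train" must get right (sense the accident, start the pump,
# stroke the valve, fire up the diesel). These values are assumptions made
# up for this example, not data from any real plant.
TRAIN_COMPONENTS = {
    "sensor/logic": 0.01,
    "pump": 0.02,
    "valve": 0.02,
    "diesel generator": 0.05,
}


def p_train_fails(component_failure_probs):
    """A train works only if every component in it works (series logic),
    so adding components to the chain can only raise its failure probability."""
    p_all_work = prod(1.0 - p for p in component_failure_probs)
    return 1.0 - p_all_work


def p_redundant_trains_fail(p_train, n_trains, need=1):
    """Probability that fewer than `need` of `n_trains` INDEPENDENT trains work.
    Sum over k = number of working trains, k < need (binomial distribution)."""
    p_work = 1.0 - p_train
    return sum(
        comb(n_trains, k) * p_work ** k * p_train ** (n_trains - k)
        for k in range(need)
    )


def p_safety_function_fails(p_train, n_trains, p_ac_lost, need=1):
    """Top event of an assumed two-branch fault tree. AC power is a common
    dependency of every train, so the safety function fails if power is lost,
    OR if power is available and the redundant trains still fail."""
    return p_ac_lost + (1.0 - p_ac_lost) * p_redundant_trains_fail(p_train, n_trains, need)


def compare(p_train, p_ac_lost, max_trains=4):
    """Map n_trains -> (failure prob. with independent trains only,
    failure prob. with the shared AC dependency added)."""
    return {
        n: (
            p_redundant_trains_fail(p_train, n),
            p_safety_function_fails(p_train, n, p_ac_lost),
        )
        for n in range(1, max_trains + 1)
    }


if __name__ == "__main__":
    p_train = p_train_fails(TRAIN_COMPONENTS.values())
    print(f"one train fails on demand: {p_train:.4f}")
    # Assumed probability of a station blackout on demand; constructed value.
    for n, (indep, shared) in compare(p_train, p_ac_lost=1e-3).items():
        print(f"{n} train(s): independent only {indep:.2e}, "
              f"with shared AC dependency {shared:.2e}")
```

Run stand-alone, the first column drops by roughly a factor of ten with each added independent train, which is the reassuring half of the story. The second column stops improving at the station-blackout probability no matter how many trains are added, because every train sits beneath the same AC-power node in the tree; that floor is the "Achilles heel" described above. The `need` argument shows the other side of the coin: a two-out-of-three voting arrangement, which is more resistant to spurious actuation, is also more likely to have too few trains working than a one-out-of-three arrangement.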
The concept of active safety presumes that the worst case scenarios can be anticipated and that systems can be designed to prevent and mitigate them. That presumption is the second problem. In his book, The Black Swan, Nassim Nicholas Taleb demonstrates the flaw in that logic. For most of human history, he points out, all swans were known to be white, and when the first black swans were observed a long history of intelligence was swept away in an instant. We will always be shocked at the impact of the improbable and unanticipated, yet it is in our nature to believe that we can anticipate and prevent the next catastrophe.
There are reactors designed to remain safe without active safety systems, and with little or no intervention necessary. In these designs, post accident energy and decay heat are removed by methods of natural convection, both within the RCS and within the containment. Fission product barriers are protected without reliance upon AC power, and the passively safe design protects us from events that we cannot even imagine. None of these have been constructed, though some are planned. Unfortunately, they must be built on smaller scales than some of the very large designs that are more economically attractive to plant owners and operators.
Shell-shocked is the best term to describe the look that I and many of my colleagues wore to work this week. For years we’ve told family and friends, in all sincerity, that nuclear power was safe. Our faith has been shaken by the events in Japan and now, when they turn their looks of skepticism upon us, we can only chagrin and bear it. I still believe that nuclear power is safe, but not as safe as it could and should be.
Joe and I were in the hospital lobby that day awaiting the arrival of our new grandson. He and the people of his time will inherit the world that we leave them. The new nuclear plants that we build today will be theirs one day, and they deserve something better than the contaminated, smoldering ruins in northeastern Japan.