Monday, June 30, 2008

A Primer on Nuclear Safety: 1.4 Complexity

1.4 Complexity

If reactors are able to operate in unsafe conditions, there is an open invitation for an accident to happen. Light water reactors are complex systems. The one-billion-watt (electric) reactors so beloved by the civilian nuclear industry from the 1970s onward are large and very complex systems. Things can go wrong with them, and go badly wrong, because of seemingly minor design features in secondary systems.

Reactors ought to be built so that safety features prevent the operation of the reactor if safety systems are not functioning, and operators should not have the power to block a shutdown initiated for safety reasons. People make mistakes. If you give people the power to make mistakes, you ought to assume they will. To take away from people the power to operate a reactor under conditions in which it is unsafe to do so is to “fool-proof” the reactor.

Unfortunately it is quite possible to engineer reactors with deeply flawed safety systems. Sometimes the flaws are simple, but some very dangerous flaws are complex. Imagine multiple minor design flaws in different systems, none of which is sufficient by itself to create a major problem, but which in combination can trigger a serious accident.

Safety requires backup systems, for example. Let us consider some design features of the Pressurized Water Reactor. Coolant water flows through the reactor and picks up heat produced by nuclear fission. The coolant then flows away from the reactor, carrying the heat with it. Water in a reactor is like water in a pot: enough heat will make it boil. We saw that when water entered the Oklo natural reactors, the moderating effect of the water triggered a chain reaction, and the heat from the chain reaction made the water boil. In a pressurized water reactor the water is kept under pressure. This allows the water to get hotter than its normal boiling point. The higher temperature allows the reactor to produce power more efficiently, but the gain in efficiency comes at a cost. Both the complexity and the safety problems of reactor systems are magnified by pressurizing hot water inside the reactor.

In a Pressurized Water Reactor, coolant water flows through the reactor and then out of the reactor into a heat exchanger that serves as the steam generator. The heat exchanger does two things. It removes heat from the highly pressurized water of the reactor’s primary coolant system. Secondly, it causes the secondary coolant water to boil and turn into steam. The hot steam flows into a steam turbine, where the pressure of the steam turns the turbine.

In order to keep the reactor safe, it must be continuously cooled both during and after a chain reaction. I will presently explain why the “after” is important. To keep the reactor cooled, water must be kept flowing through the primary and secondary coolant systems. If something goes wrong with either the primary or the secondary coolant system, then a third coolant system, the emergency coolant system, needs to begin operating immediately.

What can go wrong with the coolant systems? All sorts of things. Valves in the systems can get stuck. Pumps can break. Water under high temperature and pressure can leak. The heat exchanger between the primary and secondary coolant systems can leak. One system can be taken off line for servicing. A second system is brought on line to provide water, but for some reason it fails. Then a third system, kept in reserve for backup, is brought on line, and the unexpected happens: it fails too. Suddenly a system which is vital for the reactor’s safety, and which had triple redundancy, has failed.

A widespread power outage can trip a reactor’s safety shutdown system. For the reactor cooling system to keep operating, its pumps have to be kept running. Even when the reactor is not operating, heat from the radioactive decay of fission products has to be removed. There are diesel backup generators, but they won’t start. The warranties on the starter batteries were up, but the request for a purchase order got tied up when an administrator took his family on vacation, and no one realized that the request was parked on his unattended desk.

The increasing decay heat from the reactor trips an automatic start-up of the emergency coolant system, but the system cannot operate. The emergency coolant system requires electricity from one of the four emergency diesel generators, whose starter batteries have all failed. The electricity is needed to pump emergency coolant water into the reactor’s core. Suddenly a minor administrative glitch, the failure to obtain a signature on a purchase order request, is turning a minor problem into a major accident.
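The cascade in the last few paragraphs, redundant loops lost one at a time and then all four diesel generators knocked out together by one stalled purchase order, has exactly the shape that fault-tree analysis is meant to expose. The block below is an added example, not from the original post and not data from any plant: a small Python fault-tree evaluator with constructed event names and probabilities. It computes the top-event probability exactly and lists the minimal cut sets, so the shared basic event shows up as a two-event cut set next to the five-event cut sets that the redundancy was supposed to make rare.

```python
"""Fault tree for the loss-of-cooling cascade described in the post.

Added example, not from the original post. Event names and probabilities
are constructed for illustration and are not data from any plant.

  core_loses_cooling            (AND)
    normal_cooling_lost         (OR)  primary_loop_fails | secondary_loop_fails
    emergency_cooling_fails     (AND) every one of four diesel generators fails
      dg<i>_fails               (OR)  dg<i>_mechanical_fault | dg<i>_battery_dead
        dg<i>_battery_dead      (OR)  dg<i>_battery_defect | purchase_order_stalled

"purchase_order_stalled" is one shared basic event feeding all four
generators: the common cause that turns quadruple redundancy into a single
point of failure.
"""
from functools import reduce
from itertools import product
from operator import mul


class Basic:
    """A basic event: one component fails, with its own (constructed) probability."""

    def __init__(self, name, prob):
        self.name, self.prob = name, prob

    def occurs(self, state):
        return state[self.name]


class Gate:
    """AND: every child must fail. OR: any one failing child is enough."""

    def __init__(self, kind, children):
        assert kind in ("AND", "OR")
        self.kind, self.children = kind, children

    def occurs(self, state):
        results = (child.occurs(state) for child in self.children)
        return all(results) if self.kind == "AND" else any(results)


def basics_of(node):
    """Distinct basic events under node; a shared event appears once."""
    if isinstance(node, Basic):
        return {node.name: node}
    found = {}
    for child in node.children:
        found.update(basics_of(child))
    return found


def build_tree(with_common_cause):
    """Top event: the core loses cooling (normal cooling lost AND emergency cooling fails)."""
    normal_lost = Gate("OR", [Basic("primary_loop_fails", 0.01),
                              Basic("secondary_loop_fails", 0.01)])
    # One purchase order covered every starter battery, so one stalled
    # signature leaves all four batteries past their life at the same time.
    po_stalled = Basic("purchase_order_stalled", 0.01)
    diesels = []
    for i in range(1, 5):
        battery = Basic(f"dg{i}_battery_defect", 0.01)
        if with_common_cause:
            battery = Gate("OR", [battery, po_stalled])
        diesels.append(Gate("OR", [Basic(f"dg{i}_mechanical_fault", 0.02), battery]))
    emergency_fails = Gate("AND", diesels)  # the emergency pumps need any one generator
    return Gate("AND", [normal_lost, emergency_fails])


def top_probability(top):
    """Exact top-event probability by enumerating every failed/working assignment
    of the basic events (each basic independent; sharing lives in the tree shape).
    Exponential in the number of basics, fine for the dozen used here."""
    basics = basics_of(top)
    names = list(basics)
    total = 0.0
    for failed in product((False, True), repeat=len(names)):
        state = dict(zip(names, failed))
        if top.occurs(state):
            total += reduce(mul, (basics[n].prob if f else 1.0 - basics[n].prob
                                  for n, f in state.items()), 1.0)
    return total


def minimal_cut_sets(top):
    """Minimal sets of basic failures that by themselves cause the top event,
    smallest first; a short cut set is a dependency that redundancy never covered."""
    names = list(basics_of(top))
    cuts = []
    for failed in product((False, True), repeat=len(names)):
        state = dict(zip(names, failed))
        if top.occurs(state):
            cuts.append(frozenset(n for n, f in state.items() if f))
    minimal = []
    for cut in sorted(cuts, key=len):
        if not any(m <= cut for m in minimal):
            minimal.append(cut)
    minimal.sort(key=lambda c: (len(c), sorted(c)))
    return minimal


if __name__ == "__main__":
    for label, flag in (("independent batteries", False), ("shared purchase order", True)):
        tree = build_tree(flag)
        smallest = minimal_cut_sets(tree)[0]
        print(f"{label}: P(core loses cooling) = {top_probability(tree):.2e}; "
              f"smallest cut set ({len(smallest)} events): {sorted(smallest)}")
```

Run it and compare the two cases: with independent batteries, loss of core cooling is roughly four orders of magnitude rarer than with the shared purchase order, and no cut set is shorter than five events; with the shared event, a two-event cut set appears. The structural lesson is the one the post draws: before trusting a redundancy count, look for anything the "independent" backups have in common, here a single procurement path.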

Now if I were writing the plot to an old Hollywood movie, the reactor overheats until it explodes in a huge fireball, followed by a mushroom shaped cloud. Radiation falls on a tiny creature, which immediately undergoes a mutation and begins to grow and learn how to speak Japanese. The creature grins as it contemplates its quest to find Jane Fonda in order to purchase an exercise tape.

Let us take a brief detour into reality. Nuclear safety is about understanding the things that can go wrong in complex systems and preventing them from happening, in so far as that is possible. In so far as it is not possible, nuclear safety is about minimizing damage. Our detour will eventually take us to Three Mile Island, where our lessons on nuclear safety will be brought into sharper focus.


Anonymous said...

The warranties on the starter batteries were up, but the request for a purchase order got tied up when an administrator took his family on vacation, and no one realized that the request was parked on his unattended desk.

Errmmhh, no. There are many modes of failure in a PWR, but out-of-warranty batteries is not among them. If a piece of primary safety equipment in an NPP falls out of compliance, the reactor is closed right away by the NRC. And the administrator doesn't come back from vacation. He's been fired. Same goes for his boss and his boss's boss and so on.

Charles Barton said...

Anon, I am trying to explain how a series of improbable events can lead to a major reactor accident. If you would pay attention to my discussion of the history of reactor safety, you will find that I point to a time when the predecessor of the NRC, the AEC, and especially Milton Shaw, fought bitterly against this concept. There was for a time a continuation of the AEC's legacy at the NRC. I wonder if the Three Mile Island accident reflected that the attitudes of the AEC during the early 1970s were not completely dead at the NRC in 1979.

There have been cases in which diesel backups in other countries failed to start. So the case of the executive who takes his family on vacation the day before the purchase order lands on his desk could have happened outside the NRC's jurisdiction, and even if it happened inside the US, I am sure that the NRC would investigate before it fixes blame.

Anonymous said...


I understand your point of view however there is another perspective.

If a jumbo jet was designed in such a way that it could dive into the ground at 500 miles per hour without hurting anybody, then aircraft accidents would only have an economic cost. That is not possible with airliners, but next generation reactors are designed to contain a full meltdown without hurting anybody. Under these conditions the level of effort expended in preventing accidents can be based on an economic analysis rather than an emotional analysis in which human life is a factor. Spending $100 billion to save a $5 billion investment once in 500 years makes no sense.

By making logical, unemotional decisions about the level of protection required, nuclear power can produce cheaper kilowatt hours than fossil fuel power plants. By making nuclear power economically attractive, it can replace fossil plants much faster and thereby save far more lives, by reducing the emissions from fossil plants and by making energy cheap, clean and abundant.

Perhaps you are leading up to this point in future posts.


Charles Barton said...

Bill, the impulse behind the nuclear safety issue is not entirely rational. Nevertheless, the importance of the safety issue for the public was recognized during the Manhattan Project by scientists like Fermi. Scientists like Fermi, Teller and Weinberg all viewed safety as the major stumbling block to public acceptance of nuclear power.

The Soviet example demonstrated that ignoring reactor safety issues would lead to unacceptable consequences. There are safety issues with the light water reactor that cannot be denied. While it is possible to make LWRs quite safe, it is also expensive to do so. The potential safety advantages of PBRs and LFTRs are undoubtedly among the keys to lowering nuclear cost.

