2.0 Defense in Depth
In 1964, Ralph Nader had no reason to question that nuclear power was a clean, safe, cost-efficient technology. Then he attended a conference at the Oak Ridge National Laboratory. Over lunch, Nader began asking nuclear engineers some penetrating questions. "They couldn't answer them, or the answers weren't satisfactory," Nader recalls. "'What could happen if a system goes wrong?' I asked. They avoided any such descriptions or said, 'we've got defense in depth' -- and other jargon." - David Bollier (Citizen Action and Other Big Ideas)
The concept of defense in depth is fundamental to nuclear safety. The defense in depth approach applies not only to reactor design but also to safety management. Defense in depth assumes that human judgment is flawed, designs are imperfect, constructors can fail to follow plans, and that things can go wrong in numerous ways. Thus a defense in depth approach assumes that things can go wrong with the reactor, and that there must be backup systems if things go wrong. But things can go wrong with the backup systems too, and they must also have backup plans.
Defense in depth assumes that the potential causes of nuclear accidents are in many instances controllable. One object of nuclear safety research would be the identification of potential causes of accidents, and the design of systems to control those causes. The most fundamental causes of nuclear accidents are hidden in reactor design. Western reactor scientists knew immediately the cause of the Chernobyl accident. It was a fundamental design flaw in the RBMK reactor design. The problem was what is called a large positive void coefficient, which leads to positive reactor feedback in response to increased heat.
What does this mean? It means that the cooling water in the RBMK reactor acts as a brake on the chain reaction. If the cooling water is removed from the reactor, the chain reaction will start to run away. Furthermore, water can be removed from the reactor by heat. If the cooling water inside the reactor gets hot enough, it starts to boil. As the cooling water boils, the steam forces water out of the reactor, thus removing the nuclear brake and increasing reactor heat, which in turn boils more water, and so on. So the basic design of the RBMK is flawed and dangerous. Alvin Weinberg, who was an expert on reactor safety, noted that when reactors similar to the RBMK were designed in the United States during World War II, American scientists were aware of this safety flaw.
Therefore it must be understood that nuclear safety must begin with the recognition that not all reactor designs are equally safe. Some reactor designs are much safer than others, and some reactor designs are inherently safer and perhaps can even be made inherently safe. Other reactors have potentially unsafe design features that can be worked around.
Thus reactor safety is the primary level of nuclear safety, and the defenses against accidents in a reactor may feature both redundancy and a many-leveled safety defense system. The current generation of Light Water Reactors have high levels of safety built into their designs. Nuclear safety engineers have calculated that the General Electric Evolutionary Simple Boiling Water Reactor is so safe that it would experience a core meltdown once every 29 million years. In contrast, the Yellowstone supervolcano, which is capable of killing millions of people with an eruption, erupts every 600,000 to 800,000 years. It has been 640,000 years since the last eruption of the Yellowstone supervolcano. The likelihood of a major reactor accident, and its consequences, ought to be placed in the context of far more likely natural disasters.
Steps that can be taken to prevent reactor accidents include:
A. Good design based on an up-to-date understanding of reactor safety.
B. An exhaustive follow-through of all safety-related reactor features in the procurement of manufacturing materials and replacement parts, the actual manufacture and maintenance of the reactor, and reactor operations.
C. Systematic detection of faults in procurement, manufacture and operations, with a prompt and complete follow-up.
D. Redundant or fall back systems in the event of the failure of a reactor system.
E. Automatic system responses that rely on the laws of nature rather than operator intervention.
F. Reactor siting consistent with reactor safety issues, with experimental reactors placed in remote locations.
G. Reactor staff should be both well trained and highly motivated to follow all safety guidelines.
unit placed in safe state by well-trained staff using
The second level of nuclear safety is accident mitigation. This would include those elements of reactor design that tend to diminish the effects of a nuclear accident on the public. Mitigation would include both internal reactor design features and design features of the reactor facility that tend to mitigate the effects of a major nuclear accident. Mitigation defenses can be in depth. Hence, in the event of a core meltdown in a light water reactor, the reactor pressure vessel would pose a significant defense against the escape of solid fission products. The reactor containment dome would form another layer of defense against fission product release, while the isolation of the reactor would lead to the dissipation of radioactive gases and the precipitation of solid radioactive particles escaping the reactor containment facility before they reach human communities.
Accident mitigation would include the automatic shutdown of a reactor after a partial system failure, and the automatic initiation of backup cooling and/or emergency cooling in the event of a primary cooling system failure. It would also include the design of reactor monitoring panels and system alerts that give clear and concise information about what is happening without creating an overwhelming flow of information; staff training in accident management; well-defined accident response procedures included in staff training; the management of initial recovery after an accident-related shutdown; and well-defined accident cleanup and recovery procedures.
A third level of defense would be the management of public consequences after a nuclear accident. This would include the notification of the NRC, as well as Federal, State and Local officials. Steps which might be taken to manage the consequences of a serious accident include evacuations, bans on the use of potentially contaminated food and/or water, provisions for safe sheltering of at-risk populations, the distribution of KI pills, and other pre-planned interventions by the federal, state and local governments.
Normal accounts of nuclear safety defense in depth stop at this point. There are, however, other levels of nuclear safety. A fourth level would be a well-informed public. Nuclear safety is a genuine matter for public concern. The public should demand the safest nuclear technology possible, support nuclear safety research, and support the monitoring of observance of safety rules and procedures by demanding that reactor operators comply with them and that the NRC vigorously enforce them.
One of the great flaws of the anti-nuclear movement has been to disempower the public on nuclear safety issues. Figures like Ralph Nader failed to avail themselves of opportunities to learn more about nuclear safety. Had Ralph Nader really wanted to understand the safety concerns that Alvin Weinberg discussed with Claire Nader and with Ralph himself, had Ralph Nader tried to understand what the ORNL nuclear safety engineer was telling him about defense in depth, the history of the first nuclear era might have ended differently. Had there been a public outcry for nuclear safety in the 1970's rather than an anti-nuclear movement, the owners of the Three Mile Island reactor would not have been allowed to get away with the safety errors they committed. Had there been a public outcry for safety research, staff safety training, and safe design of reactor control panels, there would have been no Three Mile Island accident. By convincing the public of the ill intentions of safety advocates within the nuclear community, and by convincing the public that nuclear safety was impossible and that it therefore had no stake in the development of nuclear safety improvements, the anti-nuclear movement disempowered the public on nuclear safety issues. It is up to the public to take its power back from the anti-nuclear movement and assert its right to demand the highest levels of nuclear safety possible. Such a public demand would be a fourth level of nuclear safety defense.
The fifth level of nuclear safety defense is nuclear safety research and safe reactor design, coupled with the actual replacement of reactors designed to current safety standards by reactors designed with even higher levels of safety. Nuclear safety is something that happens in time. Nuclear safety has a history. It has evolved during its history, and can be expected to continue to do so. It is perhaps unfortunate that the Light Water Reactor emerged early on as the predominant power reactor type. Light Water Reactors have inherent safety flaws. Those flaws can be largely worked around by engineering reactor modifications, but those modifications are expensive. Too much of the history of nuclear safety has been the history of increasingly expensive safety developments for the light water reactor.
Reactor scientists have known since the 1940's that it is possible to eliminate the very possibility of the most serious of reactor accidents, the core meltdown. Reactor designs developed over 50 years ago possess inherent safety features that far surpass those of light water reactors. Furthermore, one of those two advanced reactor designs, the Liquid Fluoride Thorium Reactor, relies on an abundant nuclear fuel, Thorium, which it uses so efficiently that it will provide sustainable nuclear power for millions of years to come. Because of its efficient use of the Thorium fuel cycle, the LFTR also virtually eliminates long-term nuclear waste. Developing and implementing the LFTR reactor designs would not be inordinately expensive, nor require an extensive period of time. The development cost for either reactor design would be less than the cost of two light water reactors, or less than the cost of the imported oil the United States consumes in one week. The manufacturing cost for the LFTR would also be lower than the current cost of building Light Water Reactors. Thus at a relatively small cost the United States could acquire a fifth level of nuclear defense, one which would make the most serious reactor accident impossible, and solve other problems related to the use of nuclear energy in the generation of electrical power.