Wednesday, July 27, 2011

DISASTER SCENARIO FOR NUCLEAR SPENT FUEL STORAGE TANK ACCIDENTS


Emergency Planning: The ever-present nuclear threat
Introduction
This year, the government made local authorities that host nuclear power stations formally responsible for devising plans that detail how our emergency services and local councils will respond to a radiological emergency. The plans centre on the area immediately around each power station, called the Detailed Emergency Planning Zone (DEPZ). In this zone, the local authorities have to design countermeasures that are triggered by different levels of radiation being released.
Beyond this tiny zone – the largest is just 3.3km/2 miles away from the relevant power station – the public will have to rely upon the local authorities to miraculously “extend” the zones, with little extra money or resources. The rest of us are left more or less completely exposed.
At a time when the government is sending out mixed messages about the terrorist threat we all face, Greenpeace have commissioned a report that explores how effective our current nuclear emergency plans would be if the unthinkable ever became a reality.
They include scenarios that indicate that our present emergency plans would be overwhelmed alarmingly quickly, putting the safety of all of us in jeopardy. One such scenario is explained in detail below.
Accidents at British nuclear plants are not uncommon, but so far, apart from Windscale, the accidents have been relatively minor and have not required any of the emergency plans to be fully tested. This is the result of luck more than judgement, however, as our scenarios show. Our investigations indicate that when it comes to nuclear safety we have nothing to be complacent about.
Nuclear Power Stations: A Constant Threat
Each power station has storage space for holding the tonnes of fuel that are waiting to be used and fuel that has already been used. When fuel is spent (used up), it is extremely hot and needs to be stored in water for some months to allow it to cool and lose some of its high-level radioactivity. The spent fuel is made up of a combination of uranium and plutonium, a by-product of the reactor process, and is extremely radioactive.
If just one tonne of this spent fuel was involved in an accident or terrorist incident that caused a fuel storage tank to break open, then the current emergency plan would be rendered ineffective. Such a scenario could result in dangerous levels of high-level radiation spreading up to 60 km/36 miles in 7 hours and 100 km/60 miles in a day. If a release of this kind were to take place at somewhere like Hartlepool power station, just 6 miles from the 89,000 people who live in Hartlepool, then the current plans, which account for an area of just 0.6 miles around the plant, would surely be overwhelmed.
The type of radiation that might escape from a power station would be even more dangerous than the waste inside a nuclear transport because it would not have had the chance to complete the cooling process and lose some of the radiation that is normally very fragile and short lived. If it is released without having any time to cool, then this volatile radiation still exists and is particularly prone to being absorbed by people through the thyroid gland, potentially causing cancer in the future.
Zone Explanations
Zone 1: 1 – 3 km/0 – 2 miles
This is the area immediately around a power station, known as the Detailed Emergency Planning Zone (DEPZ), where local councils are required to draw up plans that will protect the residents living within that area. The plans involve providing one or all of three options. The first is to provide information to the residents on what has occurred and what they should do. The second is to distribute potassium iodate tablets that if taken early can prevent certain types of cancer that are caused by the intake of damaging radiation. If the levels are too dangerous to allow continued exposure to residents, then the local authority must arrange for evacuation for all residents within the DEPZ.
Zone 2: 3 – 10km/2 – 6 miles
This zone contains those people who are most at risk in the event of a nuclear emergency. There is no detailed plan in place to protect them from becoming contaminated. The best on offer is the option of the DEPZ being “extended” to take into account the surrounding area. Exactly how this would be done is not clear at all. To suddenly “extend” this zone up to 10 km/6 miles away from the source of the release would firstly involve the local authority being able to assess the situation, which they would have to do without specialist training and equipment, and also be able to offer the same level of protection to thousands more people. Some councils rely on the operators of the nuclear power stations or groups like the National Radiological Protection Board to carry out this assessment for them, but it is highly likely that this might not be possible, either because communications are down or perhaps the NRPB cannot get to the area quickly enough for their assessment to be effective. In such a circumstance, the councils would be obliged to carry out the assessment themselves.
If an accident were to occur at Hartlepool power station, then this could easily contaminate a 10 km/6 mile area around the source of the release. This would then cover the town of Hartlepool itself, a town with a population of 89,000, which would stretch even the most well equipped emergency plan, never mind a plan that only has a DEPZ of 1 km/0.6 miles, inside which the only human dwellings are two small businesses.
Zone 3: 10 – 100km/60 miles
Studies commissioned by Greenpeace have revealed that deadly radiation released during a nuclear accident could spread up to 100 km/60 miles away from the site in just 1 day. Exactly how dangerous the radiation would be would depend upon the atmospheric conditions and wind direction at the time of the release, but it is worth remembering that parts of England and Wales are still under government restrictions as a result of the Chernobyl accident in the Ukraine 16 years ago. In this zone you receive no actual assistance in protecting yourself, the most likely advice from your local authorities being to stay inside with the doors and windows closed.
100km/60 miles and beyond
If you live outside any of the zones above, unfortunately you are still not safe. The two scenarios we have described deal with the possibility of a very small release. To put our 1 tonne of radioactive material into context, the accident that took place at Chernobyl involved between 100 and 130 tonnes of material. The consequences of a comparable release occurring in the UK are impossible to calculate. At best, it would mean massively escalating rates of cancer, the contamination of foodstuffs such as dairy produce, which would therefore have to be avoided, and would cause a mass evacuation from the area surrounding the source of the release. At worst, no one knows.
If the Government decides to go ahead with its recommendation to build more nuclear power stations, the risk of accidents will increase as the number of power stations increases. Nuclear power - and the deadly waste it produces - poses a constant threat to the health and safety of all of us. The best emergency plan is to remove the risk in the first place by phasing out nuclear power for good.

Tuesday, July 19, 2011

UNSAFE PASSIVE SAFETY REACTORS:

Passive nuclear safety is a safety feature of a nuclear reactor that does not require operator actions or electronic feedback in order to shut down safely in the event of a particular type of emergency (usually overheating resulting from a loss of coolant or loss of coolant flow). Such reactors tend to rely more on the engineering of components such that their predicted behaviour according to known laws of physics would slow, rather than accelerate, the nuclear reaction in such circumstances. This is in contrast to some older reactor designs, where the natural tendency for the reaction was to accelerate rapidly from increased temperatures, such that either electronic feedback or operator triggered intervention was necessary to prevent damage to the reactor.
Terming a reactor 'passively safe' is more a description of the strategy used in maintaining a degree of safety, than it is a description of the level of safety. Whether a reactor employing passive safety systems is to be considered safe or dangerous will depend on the criteria used to evaluate the safety level. This said, modern reactor designs have focused on increasing the amount of passive safety, and thus most passively-safe designs incorporate both active and passive safety systems, making them substantially safer than older installations. They can be said to be "relatively safe" compared to previous designs.
Reactor vendors like to call their new generation reactors 'passively safe' but this term is sometimes confused with 'inherently safe' in the public perception. It is very important to understand that there are no 'passively safe' reactors or 'passively safe' systems, only 'passively safe' components of safety systems exist. Safety systems are used to maintain control of the plant if it goes outside normal conditions in case of anticipated operational occurrences or accidents, while the control systems are used to operate the plant under normal conditions. Sometimes a system combines both features. Passive safety refers to safety system components, whereas inherent safety refers to control system process regardless of the presence or absence of safety specific subsystems.
As an example of a safety system with 'passively safe' components, let us consider the containment of a nuclear reactor. 'Passively safe' components are the concrete walls and the steel liner, but in order to fulfil its mission active systems have to operate, e.g. valves to ensure the closure of the piping leading outside the containment, feedback of reactor status to external instrumentation and control (I&C) both of which may require external power to function.
The International Atomic Energy Agency (IAEA) classifies the degree of "passive safety" of components from category A to D depending on what the system does not make use of[1]:
1. no moving working fluid
2. no moving mechanical part
3. no signal inputs of 'intelligence'
4. no external power input or forces
In category A (1+2+3+4) is the fuel cladding using none of these: It is always closed and keeps the fuel and the fission products inside and is not open before arriving at the reprocessing plant. In category B (2+3+4) is the surge line, which connects the hot leg with the pressurizer and helps to control the pressure in the primary loop of a PWR and uses a moving working fluid when fulfilling its mission. In category C (3+4) is the accumulator, which does not need signal input of 'intelligence' or external power. Once the pressure in the primary circuit drops below the set point of the spring loaded accumulator valves, the valves open and water is injected into the primary circuit by compressed nitrogen. In category D (4 only) is the SCRAM which utilizes moving working fluids, moving mechanical parts and signal inputs of 'intelligence' but not external power or forces: the control rods drop driven by gravity once they have been released from their magnetic clamp. But nuclear safety engineering is never that simple: Once released the rod may not fulfil its mission: It may get stuck due to earthquake conditions or due to deformed core structures. This shows that though it is a passively safe system and has been properly actuated, it may not fulfil its mission. Nuclear engineers have taken this into consideration: Typically only a part of the rods dropped are necessary to shut down the reactor. Samples of safety systems with passive safety components can be found in almost all nuclear power stations: the containment, hydro-accumulators in PWRs or pressure suppression systems in BWRs.
In most texts on 'passively safe' components in next generation reactors, the key issue is that no pumps are needed to fulfil the mission of a safety system and that all active components (generally I&C and valves) of the systems work with the electric power from batteries.
IAEA explicitly uses the following caveat[1]:
... passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.
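The grading scheme above, and the caveat that passivity is not reliability, as an added worked example (not code from the page or from the IAEA). It assumes that a component is graded by the most active dependency it relies on, which is consistent with the page's four examples, and it uses constructed component lists and a constructed stuck-rod probability to show why a SCRAM that needs only part of its rods is more reliable than one that needs all of them.

```python
"""Grade safety components by the four IAEA dependencies and check a SCRAM's reliability.

Added example, not from the page or the IAEA. Assumption: a component is placed in
the category of the most active dependency it uses (cladding -> A, surge line -> B,
accumulator -> C, SCRAM -> D, anything needing external power -> not passive).
"""
from math import comb

# Dependencies ordered from least to most active. A component using none is category A.
DEPENDENCIES = ("moving_fluid", "moving_part", "signal_input", "external_power")

# Rank used to find the least passive component of a system.
RANK = {"A": 0, "B": 1, "C": 2, "D": 3, "active": 4}


def iaea_category(uses):
    """Return 'A'..'D' for a passive component, or 'active' if it needs external power."""
    unknown = set(uses) - set(DEPENDENCIES)
    if unknown:
        raise ValueError(f"unknown dependency: {sorted(unknown)}")
    if "external_power" in uses:
        return "active"   # needs power or external force: no passive category
    if "signal_input" in uses:
        return "D"        # e.g. SCRAM: rods released on a signal, then fall by gravity
    if "moving_part" in uses:
        return "C"        # e.g. accumulator: spring-loaded valve, nitrogen drives the water
    if "moving_fluid" in uses:
        return "B"        # e.g. surge line: only the working fluid moves
    return "A"            # e.g. fuel cladding: nothing moves, no signal, no power


def system_category(components):
    """A safety system is only as passive as its least passive component.

    components maps a component name to the tuple of dependencies it uses.
    """
    return max((iaea_category(uses) for uses in components.values()),
               key=RANK.__getitem__)


def scram_success_probability(n_rods, k_needed, p_stick):
    """Probability that at least k_needed of n_rods drop.

    Each rod is assumed to stick independently with probability p_stick
    (a constructed figure, not a real-plant value). Passivity says nothing
    about this number: a category D SCRAM can still fail its mission.
    """
    if not 0 <= p_stick <= 1 or not 0 < k_needed <= n_rods:
        raise ValueError("invalid rod count or stick probability")
    p_drop = 1.0 - p_stick
    return sum(comb(n_rods, j) * p_drop ** j * p_stick ** (n_rods - j)
               for j in range(k_needed, n_rods + 1))


# Constructed model of the page's containment example: the concrete walls and
# steel liner are category A, but the isolation valves and I&C feedback that the
# containment needs to fulfil its mission rely on signals and external power.
CONTAINMENT = {
    "concrete walls": (),
    "steel liner": (),
    "isolation valves": ("moving_part", "signal_input", "external_power"),
    "I&C feedback": ("signal_input", "external_power"),
}

if __name__ == "__main__":
    for name, uses in CONTAINMENT.items():
        print(f"{name:18s} -> category {iaea_category(uses)}")
    print("containment as a system ->", system_category(CONTAINMENT))
    # Constructed: 4 rods, each sticking with probability 0.1.
    print("SCRAM needing all 4 rods:", scram_success_probability(4, 4, 0.1))
    print("SCRAM needing any 2 of 4:", scram_success_probability(4, 2, 0.1))
```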
Nuclear reactor response properties such as Temperature coefficient of reactivity and Void coefficient of reactivity usually refer to the thermodynamic and phase-change response of the neutron moderator heat transfer process respectively. Reactors whose heat transfer process has the operational property of a negative void coefficient of reactivity are said to possess an inherent safety process feature. An operational failure mode could potentially alter the process to render such a reactor unsafe.
Reactors could be fitted with a hydraulic safety system component that increases the inflow pressure of coolant (esp. water) in response to increased outflow pressure of the moderator and coolant without control system intervention. Such reactors would be described as fitted with such a passive safety component that could - if so designed - render in a reactor a negative void coefficient of reactivity, regardless of the operational property of the reactor in which it is fitted. The feature would only work if it responded faster than an emerging (steam) void and the reactor components could sustain the increased coolant pressure. A reactor fitted with both safety features - if designed to constructively interact - is an example of a safety interlock. Rarer operational failure modes could render both such safety features useless and detract from the overall relative safety of the reactor.
Examples of passive safety in operation
Traditional reactor safety systems are active in the sense that they involve electrical or mechanical operation on command systems (e.g., high-pressure water pumps). But some engineered reactor systems operate entirely passively, e.g., using pressure relief valves to manage overpressure. Parallel redundant systems are still required. Combined inherent and passive safety depends only on physical phenomena such as pressure differentials, convection, gravity or the natural response of materials to high temperatures to slow or shut down the reaction, not on the functioning of engineered components such as high-pressure water pumps.
Current pressurized water reactors and boiling water reactors are systems that have been designed with one kind of passive safety feature. In the event of an excessive-power condition, as the water in the nuclear reactor core boils pockets of steam are formed. These steam voids moderate fewer neutrons, causing the power level inside the reactor to lower. The BORAX experiments and the SL-1 meltdown accident proved this principle.
A reactor design whose inherently safe process directly provides a passive safety component during a specific failure condition in all operational modes is typically described as relatively fail-safe to that failure condition.[1] However most current water cooled and moderated reactors, when scrammed, can not remove residual production and decay heat without either process heat transfer or the active cooling system. In other words, whilst the inherently safe heat transfer process provides a passive safety component preventing excessive heat in operational mode "On", the same inherently safe heat transfer process does not provide a passive safety component in operational mode "Off (SCRAM)". The Three Mile Island accident exposed this design deficiency: the reactor and steam generator were "Off" but with loss of coolant it still suffered a partial meltdown.[2]
Third generation designs improve on early designs by incorporating passive or inherent safety features [3] which require no active controls or (human) operational intervention to avoid accidents in the event of malfunction, and may rely on pressure differentials, gravity, natural convection, or the natural response of materials to high temperatures.
In some designs the core of a fast breeder reactor is immersed into a pool of liquid metal. If the reactor overheats, thermal expansion of the metallic fuel and cladding causes more neutrons to escape the core, and the nuclear chain reaction can no longer be sustained. The large mass of liquid metal also acts as a heatsink capable of absorbing the decay heat from the core, even if the normal cooling systems would fail.
The pebble bed reactor is an example of a reactor exhibiting an inherently safe process that is also capable of providing a passive safety component for all operational modes. As the temperature of the fuel rises, Doppler broadening increases the probability that neutrons are captured by U-238 atoms. This reduces the chance that the neutrons are captured by U-235 atoms and initiate fission, thus reducing the reactor's power output and placing an inherent upper limit on the temperature of the fuel. The geometry and design of the fuel pebbles provides an important passive safety component.
Single fluid fluoride molten salt reactors feature fissile, fertile and actinide radioisotopes in molecular bonds with the fluoride coolant. The molecular bonds provide a passive safety feature in that a loss-of-coolant event corresponds with a loss-of-fuel event. The molten fluoride fuel can not itself reach criticality but only reaches criticality by the addition of a neutron reflector such as pyrolytic graphite. The higher density of the fuel[4] along with additional lower density FLiBe fluoride coolant without fuel provides a flotation layer passive safety component in which lower density graphite that breaks off control rods or an immersion matrix during mechanical failure does not induce criticality. Gravity driven drainage of reactor liquids provides a passive safety component.
Some reactors such as the liquid metal and molten salt variants use Thorium-232 fuel which is more abundant in nature than Uranium isotopes and requires no enrichment. The difficulty of enrichment in the Uranium fuel cycle provides a passive safety component against nuclear proliferation. Neutron capture of Thorium-232 breeds both the fissile Uranium-233 and trace amounts of Uranium-232 by neutron knock-off. Neutron cross-section and decay products of Uranium-232 complicate designs and damage electronics if built into nuclear weapons, although Operation Teapot demonstrated its plausibility. Isolation of Uranium-233 from Uranium-232 is not currently believed possible providing a partial passive safety component against nuclear proliferation.
Low power pool-type reactors such as the SLOWPOKE and TRIGA have been licensed for unattended operation in research environments because as the temperature of the low-enriched (19.75% U-235) uranium alloy hydride fuel rises, the molecularly bound hydrogen in the fuel causes the heat to be transferred to the fission neutrons as they are ejected.[5] This Doppler shifting or spectrum hardening[6] dissipates heat from the fuel throughout the pool more rapidly the higher the fuel temperature rises, ensuring rapid cooling of the fuel whilst maintaining a much lower water temperature than the fuel. Prompt, self-dispersing, high efficiency hydrogen-neutron heat transfer rather than inefficient radionuclide-water heat transfer ensures the fuel cannot melt through accident alone. In uranium-zirconium alloy hydride variants, the fuel itself is also chemically corrosion resistant, ensuring a sustainable safety performance of the fuel molecules throughout their lifetime. A large expanse of water and the concrete surround provided by the pool for high energy neutrons to penetrate ensures the process has a high degree of intrinsic safety. The core is visible through the pool and verification measurements can be made directly on the core fuel elements, facilitating total surveillance and providing nuclear non-proliferation safety. Both the fuel molecules themselves and the open expanse of the pool are passive safety components. Quality implementations of these designs are arguably the safest nuclear reactors.
Examples of reactors using passive safety features
Three Mile Island Unit 2 was unable to contain about 480 PBq of radioactive noble gases from release into the environment and around 120 kL of radioactive contaminated cooling water from release beyond the containment into a neighbouring building. The pilot-operated relief valve at TMI-2 was designed to shut automatically after relieving excessive pressure inside the reactor into a quench tank. However the valve mechanically failed causing the PORV quench tank to fill, and the relief diaphragm to eventually rupture into the containment building.[7] The containment building sump pumps automatically pumped the contaminated water outside the containment building.[8] Both a working PORV with quench tank and separately the containment building with sump provided two layers of passive safety. An unreliable PORV negated its designed passive safety. The plant design featured only a single open/close indicator for the PORV rather than separate open and close indicators.[9] This rendered the mechanical reliability of the PORV indeterminate directly, and therefore its passive safety status indeterminate. The automatic sump pumps and/or insufficient containment sump capacity negated the containment building designed passive safety.
The notorious RBMK graphite moderated, water cooled reactors of Chernobyl Power Plant disaster were designed with a positive void coefficient with boron control rods on electromagnetic grapples for reaction speed control. To the degree that the control systems were reliable, this design did have a corresponding degree of active inherent safety. The reactor was unsafe at low power levels because erroneous control rod movement would have a counter-intuitively magnified effect. Chernobyl Reactor 4 was built instead with manual crane driven boron control rods that were tipped with the moderator substance, graphite, a neutron reflector. It was designed with an Emergency Core Cooling System (ECCS) that depended on either grid power or the backup Diesel generator to be operating. The ECCS safety component was decidedly not passive. The design featured a partial containment consisting of a concrete slab above and below the reactor - with pipes and rods penetrating, an inert gas filled metal vessel to keep oxygen away from the water cooled hot graphite, a fire-proof roof, and the pipes below the vessel sealed in secondary water filled boxes. The roof, metal vessel, concrete slabs and water boxes are examples of passive safety components. The roof in the Chernobyl Power Plant complex was made of bitumen - against design - rendering it ignitable. Unlike the Three Mile Island accident, neither the concrete slabs nor the metal vessel could contain a steam, graphite and oxygen driven hydrogen explosion. The water boxes could not sustain high pressure failure of the pipes. The passive safety components as designed were inadequate to fulfil the safety requirements of the system.
The General Electric Company ESBWR (Economic Simplified Boiling Water Reactor, a BWR) is a design reported to use passive safety components. In the event of coolant loss, no operator action is required for three days.[10]
The Westinghouse Electric Company AP-1000 ("AP" standing for "Advanced Passive") is a design reported to use passive safety components. In the event of an accident, no operator action is required for 72 hours.[11]
The integral fast reactor was a fast breeder reactor run by the Argonne National Laboratory. It was a sodium cooled reactor capable of withstanding a loss of (coolant) flow without SCRAM and loss of heatsink without SCRAM. This was demonstrated throughout a series of safety tests in which the reactor successfully shut down without operator intervention. The project was canceled due to proliferation concerns before it could be copied elsewhere.
The Molten-Salt Reactor Experiment was a molten salt reactor run by the Oak Ridge National Laboratory. It was a fluoride salt cooled reactor in which the fuel molecules function also as a molten fluoride salt coolant. It featured thermochemical freeze valves in which the molten salt was actively cooled to freezing point by air in flattened sections of the Hastelloy-N salt piping to block flow. If the reactor vessel developed excessive heat or if electric power was lost to the air cooling, then the fuel and coolant could thermochemically penetrate the valve into drain tanks away from the neutron reflector, becoming sub-critical en route for passive or active water cooling.[12] During testing, it was observed that about 6–10% of the calculated 54 Ci/day (2.0 TBq/day) production of tritium diffused out of the fuel system into the containment cell atmosphere and another 6–10% reached the air through the heat removal system.[13] Inhalation of 70 GBq of tritium is equivalent to an adult human dose of 3 Sv,[14] at which 50% of cases would be expected to die within 30 days. The fluoride salt molecular bond passive safety component failed to prevent tritium production from fission, thus presenting a proliferation risk. The fluoride salt molecular bonds did not prevent tritium from leaking into the containment.
The fleet of BWRs and PWRs operating within the last 10 years in the United States have reported on 42 occasions a quarterly average daily tritium emission level of more than 22 mCi/day (70 GBq/day) from a power plant.[15] During the first quarter of 2001 Palo Verde Unit 1 released on average 9 Ci/day (333 GBq/day) tritium gas.[15] The passive safety component of water as neutron moderator failed to prevent excessive tritium gas (hydrogen with 2 neutrons) from being released from the plant as gas for dilution with air rather than water diluted tritiated water. Inhalation of tritium is absorbed at almost twice the rate as ingested tritium.[14]
see web pages for Figures:   http://me1065.wikidot.com/ap1000
http://www.scientificamerican.com/article.cfm?id=new-nuclear-designs-balance-safety-and-cost&print=true
Next generation of reactors in U.S., up for review by the Nuclear Regulatory Commission, are meant to provide cooling even in the absence of power.
The first new nuclear reactor ordered in the U.S. in roughly three decades is beginning to take shape near Augusta, Ga. Southern Company and its partners have dug 27.5 meters down to reach bedrock and are now refilling the hole to provide a stable, anchored foundation for what is likely to be the first of a new generation of reactors in the U.S.: two new AP1000 models at the Vogtle Electric Generating Plant that stand next to two older pressurized water reactors, which came online in the 1980s—the first of some 14 AP1000s and 20 new reactors in total that may be built in the U.S. in the next 15 years.

"The nuclear revival is underway in Georgia," said Jim Miller, chief executive of Southern Nuclear Operating Co., the subsidiary charged with administering the corporation's nuclear power plants, in February. "It will provide safe, clean, reliable, low-cost electric energy to our customers for generations to come."

Of course, that was before the accident at Fukushima nuclear power plant in Japan, following the 9.0-magnitude earthquake and subsequent tsunami. That power plant boasted six boiling-water reactors built in the 1970s by General Electric, Toshiba and Hitachi, and capable of pumping out more than 4 gigawatts of electricity. It also proved incapable of withstanding the twin perils of an earthquake that disconnected it from the electrical grid and a tsunami that wiped out back-up diesel generators and flooded electrical equipment.

"First you rely on the grid," explains Scott Burnell, a spokesman for the U.S. Nuclear Regulatory Commission, which oversees safety at the 23 such boiling water reactors in operation in this country. "If the grid is no longer available, you use diesel generators. If there is an issue with the diesels, you have a battery backup. And the batteries usually last long enough for you to get the diesels going." That did not prove to be the case at Fukushima Daiichi. But new reactor designs, including the Economic Simplified Boiling Water Reactor from GE-Hitachi that passed its safety rating from the NRC on March 9, two days before the quake, are meant to provide cooling even in the absence of power.

For example, the AP1000s being built in Georgia boast "passive" safety features—safety technology that kicks in with or without human intervention or electricity. In the case of the Westinghouse AP1000 design that means cooling water sits above the reactor core and, in the event of a potential meltdown like at Fukushima Daiichi or Three Mile Island in Pa., will, with the opening of a heat-sensitive valve, simply flow water into the reactor, dousing the meltdown. "Never has so much money been spent to prove that water runs downhill," Westinghouse spokesman Vaughn Gilbert told Scientific American in 2009.

Further, although the thick steel vessel containing the nuclear reactor is encased in a further shell of 1.2-meter-thick concrete, that shell is surrounded by a building that is open to the sky. Should the concrete containment vessel begin to heat up during a meltdown, natural convection would pull in cooling air.

But that open-air building was initially rejected by NRC for a lack of structural strength. The U.S. regulator argued that it would not withstand a severe shock such as an earthquake or airplane impact, because it was initially planned to be built from pre-fabricated concrete and steel modules in order to save money.

The modified design now under review by the NRC employs more steel reinforcement as well as improved venting (maintaining such venting has proved critical at Fukushima Daiichi).
But some critics, such as engineer Arnie Gundersen of Fairewinds Associates, have further concerns. For instance, if the containment building housing the reactor core were to spring a leak, as appears to have happened at Fukushima Daiichi, radioactive material would be wafted up and out of the AP1000 thanks to that same natural convection.

In the end, all nuclear power plants suffer from a balancing act between absolute safety and acceptable cost. "With earthquakes, there are limits to what you can do," says nuclear engineer Michael Golay of the Massachusetts Institute of Technology. "What risk are you willing to tolerate?”

Monday, July 18, 2011

Mirage of Fail Safe Engineering

As I have said many times, all of our energy options require trade-offs. I can’t think of any that don’t have some negative consequences and risks associated with their production and/or use. One job of the engineer is to minimize those risks down to an acceptable level. Often times, public expectation mistakenly assumes that “acceptable” means that accidents should never occur, but there are many reasons why that metric will never be achieved.
We sometimes find out — as we did with the Deepwater spill — that even seemingly basic safety measures have been overlooked. While an accident like that is a black eye for the offshore oil industry, the industry will learn some valuable lessons and the risk of a similar future accident should be lessened. But beyond the human and environmental toll, there is a real financial toll for the industry and thus strong economic incentive to do a thorough job of engineering safe systems.
The Deepwater incident certainly stalled momentum for offshore drilling in the U.S. by reminding us that the consequences of our drive to access energy can be severe indeed. A nuclear accident has the same potential for stalling momentum in the nuclear field. Since Deepwater, I have wondered many times whether the nuclear industry has a Deepwater that is simply awaiting a series of unlikely events before a major accident occurs.
Don't get me wrong, I support nuclear power and believe it is going to become an ever-more-important source of energy as fossil fuel supplies decline. Japan is the third largest user of nuclear power in the world, with 52 reactors providing almost 34.5% of its electricity. I am sure Japan would much rather produce all of its electricity with wind and solar power, but the very scale of energy usage in developed countries, combined with Japan's lack of fossil fuel resources, is why I foresee continued strong growth in the nuclear industry.
Risks, Probability, Economics, and the Price of Failure
But there really isn’t such a thing as “fail safe engineering.” That is simply because we can’t guard against every possible outcome. The nuclear plant in Japan that seems to have been destroyed in the wake of last week’s devastating tsunami was engineered to protect against numerous possible scenarios. Earthquakes? Without a doubt. Earthquake followed by a tsunami? Almost certainly. Earthquake plus a tsunami plus random occurrences X and Y? That’s where you get into very low probability events that can’t always be engineered against in an economical way.
For example, in a chemical plant there is a real probability that (1) lightning will strike a storage tank and (2) a meteorite will strike a storage tank. However, only one of those probabilities is high enough to justify spending money to prevent it. There are things we can do to mitigate both outcomes, but the cost of mitigating a meteorite strike, combined with the very low probability of a tank being struck by one, means that we live with that possibility.
While the previous is a somewhat absurd example, it is one that entered my thoughts many times over the years as we attempted to engineer safe processes. It is a simple way to show why you can't economically engineer against all possible outcomes. If a failure has a 1% chance of occurring in any 20-year period, the worst possible outcome is a broken fingernail, and it will cost a million dollars to prevent, we call that an acceptable risk and move on. If the chance is the same and the possible outcome is death, we modify the design.
But as you can probably guess, there is a tremendous amount of gray area. The 1% chance of a broken fingernail in 20 years may become a much worse outcome if a couple of other low-probability events happen as well. If Events A, B, and C each have a 1 in 1000 chance of happening at any particular time, and they are independent of one another, the combination has a (1/1000)*(1/1000)*(1/1000) chance of happening together, which is a probability of 1 in a billion. A very common reason accidents occur is that we either didn't consider that A, B, and C could all happen at the same time, or we underestimated the probability of them doing so, usually because the events were not as independent as we assumed. I have been involved in many incident investigations where I heard "Who could have imagined that those events would all line up as they did?"
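To make the arithmetic above concrete, here is a short Python illustration, added here and not part of the original essay, that computes the joint probability of three 1-in-1000 events two ways: assuming they are independent, and assuming they share a common trigger. The 1-in-1000 figures are the essay's; the trigger probability and the conditional probabilities after the trigger are assumed values chosen to show the effect, not figures for any real plant.

```python
"""Joint probability of several rare events: independence vs. a common cause.

Added illustration, not from the original essay. The 1-in-1000 baseline
rates are the essay's; the shared-trigger probabilities used in the demo
are assumptions chosen to show the effect, not data about any real plant.
"""
from math import prod


def independent_joint(probs):
    """P(all events occur) when the events are mutually independent."""
    return prod(probs)


def common_cause_joint(p_trigger, p_given_trigger, p_baseline):
    """P(all events occur) under a two-state (common-cause) model.

    With probability p_trigger a shared cause occurs (an earthquake, a
    site-wide loss of grid power), after which event i happens with
    probability p_given_trigger[i]; otherwise event i happens at its
    baseline rate p_baseline[i]. Events are independent *given* the state,
    so the joint probability is a mixture of the two conditional products.
    """
    if len(p_given_trigger) != len(p_baseline):
        raise ValueError("need one conditional probability per event")
    with_cause = p_trigger * prod(p_given_trigger)
    without_cause = (1.0 - p_trigger) * prod(p_baseline)
    return with_cause + without_cause


def underestimation_factor(p_trigger, p_given_trigger, p_baseline):
    """How many times too optimistic the independence assumption is."""
    return (common_cause_joint(p_trigger, p_given_trigger, p_baseline)
            / independent_joint(p_baseline))


if __name__ == "__main__":
    base = [1e-3, 1e-3, 1e-3]          # A, B, C each 1 in 1000 (essay's figures)
    print(f"independent:  {independent_joint(base):.3e}")
    # Assumed: the shared trigger is itself a 1-in-1000 event, but once it
    # occurs each of A, B and C is 90% likely (all three depend on the same
    # grid feed, say). The baseline rates are unchanged.
    given = [0.9, 0.9, 0.9]
    print(f"common cause: {common_cause_joint(1e-3, given, base):.3e}")
    print(f"factor:       {underestimation_factor(1e-3, given, base):.0f}x")
```

Under independence the three events line up once in a billion. If all three are driven by one 1-in-1000 trigger, the joint probability is about 7.3 in 10,000, roughly 700,000 times higher. That gap is the "who could have imagined" in the incident investigation: the events were never independent, and the dependency was never modelled.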
Conclusion
It is far too early to speculate on the sequence of events that led to the current situation at the Fukushima Daiichi nuclear plant. Of course we know that the earthquake/tsunami was involved, but in the end it won’t surprise me if some other low probability events were involved. Plants often operate at non-optimal conditions for a variety of reasons (maintenance, for instance), and it could be that the design for earthquake/tsunami was fine, but random Event C — deemed a low probability at the same time of an earthquake/tsunami — contributed.
The purpose of this essay is to communicate why it is practically impossible to design systems incapable of failure. The best we can do is to design systems so that if they do fail, they fail in a safe way. For instance, if a valve in a pipeline fails, we can design it to fail closed (if, for instance, it had the potential to feed fuel to a fire) or open (if it was preventing pressure build-up in a system).
These are the sorts of lessons that are learned when accidents take place, which have made our energy production and delivery infrastructure much safer over time. But it will always involve some element of risk, and at times very difficult trade-offs.
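As an added illustration of the fail-closed/fail-open point (not the essay's own code), the following Python sketch models a supervisory interlock: each actuator declares the state it should rest in when control is lost, and any command whose heartbeat has gone stale, or that arrives with an impossible timestamp, is replaced by that state. The actuator names, the signal layout and the five-second timeout are assumptions made for the illustration.

```python
"""Fail-safe actuator logic: the safe resting state is a property of the hazard.

Added example, not from the original essay. Actuator names, signal format
and the heartbeat timeout are assumptions for the illustration.
"""
from dataclasses import dataclass, field

OPEN, CLOSED = "open", "closed"


@dataclass(frozen=True)
class Actuator:
    name: str
    safe_state: str   # state to adopt whenever no trustworthy command exists
    hazard: str       # why that state, and not the other, is the safe one


@dataclass
class ControlSignal:
    command: str      # last commanded state
    last_seen: float  # time the last valid heartbeat for this command arrived


@dataclass
class Interlock:
    """Resolves each actuator's position; falls to the safe state on stale control."""
    actuators: dict            # name -> Actuator
    heartbeat_timeout: float   # seconds of silence before a command is distrusted
    signals: dict = field(default_factory=dict)

    def command(self, name, state, now):
        """Accept a command only for a known actuator and a valid state."""
        if name not in self.actuators:
            raise KeyError(f"unknown actuator {name!r}")
        if state not in (OPEN, CLOSED):
            raise ValueError(f"invalid state {state!r}")
        self.signals[name] = ControlSignal(state, now)

    def resolve(self, name, now):
        """Position the actuator should hold at time `now`."""
        act = self.actuators[name]
        sig = self.signals.get(name)
        if sig is None:
            return act.safe_state            # never commanded: rest in safe state
        age = now - sig.last_seen
        if age < 0 or age > self.heartbeat_timeout:
            return act.safe_state            # stale (or future-dated) control: fail safe
        return sig.command

    def resolve_all(self, now):
        return {n: self.resolve(n, now) for n in self.actuators}


def build_demo():
    """Two actuators whose safe states are opposite, as in the essay's example."""
    acts = {
        # assumed names; the hazard decides the direction of failure
        "fuel_feed": Actuator("fuel_feed", CLOSED, "open valve could feed fuel to a fire"),
        "pressure_relief": Actuator("pressure_relief", OPEN, "closed valve lets pressure build"),
    }
    return Interlock(acts, heartbeat_timeout=5.0)


if __name__ == "__main__":
    il = build_demo()
    il.command("fuel_feed", OPEN, now=0.0)          # normal operation: feeding fuel
    il.command("pressure_relief", CLOSED, now=0.0)  # normal operation: holding pressure
    print("t=1  ", il.resolve_all(1.0))    # commands still fresh
    print("t=10 ", il.resolve_all(10.0))   # control lost: each goes to its safe state
```

The point of the two declarations is that "fail safe" is not the same as "fail closed": the direction is chosen per hazard, and the default applies to any loss of control, not only to the failure modes the designer happened to enumerate.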

Passive Safe Reactors

Passively safe reactors rely on nature to keep them cool
by David Baurac
Imagine a nuclear power plant so safe that even the worst emergencies would not damage the core or release radioactivity. And imagine that this is achieved not with specially engineered emergency systems, but through the laws of nature and behavior inherent in the reactor's materials and design. This goal, known in the nuclear industry as "passive safety," is pursued and even claimed by a number of reactor concepts.
Argonne's advanced fast reactor (AFR) has demonstrated its passive safety conclusively on a working prototype. "Back in 1986, we actually gave a small prototype advanced fast reactor a couple of chances to melt down," says Argonne nuclear engineer Pete Planchon, who led the 1986 tests. "It politely refused both times."
He's joking, but only partly.
The reactor was Experimental Breeder Reactor-II (EBR-II), located at Argonne-West in Idaho. EBR-II was a small experimental facility, an AFR prototype with a 20-megawatt electrical output. Under Planchon's guidance, a series of experiments were conducted at EBR-II, starting at extremely low power and culminating in two landmark tests at full power that convincingly demonstrated the passive safety advantages of the AFR concept.
"We subjected the reactor," Planchon says, "to what are considered two of the most serious accident initiators for liquid-metal reactors: a loss of pumped coolant flow through the core and a loss of heat removal from the primary system. Both tests were performed at full reactor power with the automatic shutdown features intentionally disabled.
"Before the tests," he adds, "we had installed special systems to let us stop the reactor at any time. But they weren't needed, because the reactor performed exactly as we predicted."
In the first test, with the normal safety systems intentionally disabled and the reactor operating at full power, Planchon's team cut all electricity to the pumps that drive coolant through the core, the heart of the reactor where the nuclear chain reaction takes place. In the second test, they cut the power to the secondary coolant pump, so no heat was removed from the primary system.
"In both tests," Planchon says, "the temperature went up briefly, then the passive safety mechanisms kicked in, and it began to cool naturally. Within ten minutes, the temperature had stabilized near normal operating levels, and the reactor had shut itself down without intervention by human operators or emergency safety systems."
The reactor was shut down permanently in 1994, having completed its research mission. But for 30 years, it operated safely and reliably while providing all the electricity for Argonne-West, the 900-acre site Argonne operates near Idaho Falls, Idaho. The reactor was a prototype AFR and demonstrated once and for all the technology's passive safety.
The basic purpose of reactor safety is to protect the public and plant workers from harmful radiation exposure.
Walt Deitrich, Argonne reactor safety expert, explains how modern reactor design approaches that task: "The goal of modern safety design is to provide this protection by relying on the laws of nature, rather than on engineered systems that require power to operate, equipment to function properly and operators to take correct actions in stressful emergency situations. We call this approach, which relies on the laws of nature, 'passive safety.'
"To achieve this," he continues, "you have to provide for passive performance of three basic safety functions: You have to maintain a proper balance between heat generation and heat removal, you have to remove decay heat, and you have to contain radioactive materials, primarily fuel and fission products." Decay heat comes from radioactive materials in the core, even when the reactor is shut off.
The AFR's passive safety is based on three key aspects of its materials and design: its liquid sodium coolant, its pool-type cooling system and its metal alloy fuel.

Cooling with a sodium pool: The sodium coolant is a highly efficient heat-transfer material and has the additional advantage of operating at normal atmospheric pressure. In the typical commercial reactor, the water coolant must be pressurized at 100-150 times normal to keep it from boiling away. But sodium can cool the core at normal pressure, because its boiling point is 300-400 degrees Celsius (575-750 degrees Fahrenheit) higher than the core's operating temperature.

"Basically," says Deitrich, "the sodium pool eliminates the possibility of the coolant boiling away during an accident and leaving the core uncovered, which is one of the more serious potential trouble spots in a light-water reactor. By submerging the core in thousands of gallons of liquid sodium, you provide the reactor with an immense heat sink that adds greatly to its safety. If the reactor starts to overheat, the pool can absorb vast amounts of heat and never approach its boiling point." And the pool design, he adds, passively removes decay heat if the normal heat-removal systems fail. "When a reactor shuts down," he explains, "it continues to produce heat, because the core contains a large inventory of radioactive material that releases energy as it decays. But in our AFR concept, natural convection in the sodium pool can transport the decay heat to downstream systems. All of this can be done passively, without need for active systems or components."

Other benefits of sodium cooling: Sodium also increases the reliability and long life of components, partly because it does not corrode common structural materials, such as stainless steel. "Our experience in decommissioning EBR-II," says John Sackett, Argonne's deputy associate laboratory director for Argonne-West, "shows that materials and components in the core can operate in liquid sodium without significant damage or corrosion. We removed components from the sodium pool after 30 years and found them just as shiny as the day they went in. We saw original marks that welders and other craftsmen had made 30 years earlier when they created the component."

Other sodium properties also enhance reactor safety and reliability. For example, sodium is chemically compatible with the metal fuel. This makes small failures in the cladding, the stainless-steel tubes that encase the fuel, far less likely to grow. In addition, sodium tends to bind chemically with several important radioactive fission products, which reduces radioactive releases if fuel fails. Although sodium can be dangerous if allowed direct contact with air or water, with appropriate care, it makes a nearly ideal coolant. "Properly handled, as we did for 30 years at EBR-II, sodium offers significant advantages over water as a coolant," says Deitrich.

Advantages of metallic fuel: The third leg of AFR safety is its metallic fuel, an alloy of uranium and other metals. Metal fuel provides inherent "reactivity feedback" mechanisms that alter a reactor's power when its core temperature changes.

The primary feedback in a metal-fuel reactor comes from thermal expansion of fuel, sodium and steel around the core. Simply put, when the core temperature increases, the fuel, sodium and the stainless steel components in the core expand, and that tends to shut down the reactor.
"When the fuel expands," Deitrich explains, "the distances between the fissile nuclei increase. This slows the chain reaction, because the neutrons necessary to drive it strike fewer fissile nuclei." Radial expansion of the core also limits reactor power. "Normally," he says, "the sodium and steel around the core reflect neutrons back into the core to help maintain the chain reaction. But when sodium and steel expand, more neutrons escape from the core and are unavailable to drive the reaction."
The safety bottom line for the AFR is that all these natural feedback mechanisms tend to maintain coolant temperature near its normal 500 degrees C (930 degrees F) operating value, well below sodium's 900 C (1,650 F) boiling point, even when the reactor loses its engineered cooling systems. If an AFR started to overheat, the natural properties inherent in its materials and design would step in to shut it down without the intervention of human operators or specially engineered safety systems. "When you put all these things together," Deitrich concludes, "you have a high level of passive safety. We've demonstrated all these effects in a working reactor. Each individual effect is predictable and so is their combination. Together, they provide a natural and reliable safety response based on features inherent in the advanced fast reactor concept."
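The following toy model is an added illustration, not Argonne's analysis or data, of why a negative temperature feedback bounds the temperature excursion after a loss of heat removal. Only the 500 C operating temperature and the 900 C sodium boiling point come from the article; the normalised power, heat-sink temperature, thermal capacity, feedback coefficient (1% of full power lost per degree of heating) and the 20% of heat removal that natural convection is assumed to retain are all made-up values chosen to keep the arithmetic visible. With power P(T) = P0(1 + a(T - T0)) and heat removal h(T - Ts), the steady state is T* = (P0 + h Ts - P0 a T0) / (h - P0 a); for a < 0 the denominator grows, so T* stays bounded, while for a = 0 it is simply Ts + P0/h.

```python
"""Toy lumped-parameter model of negative reactivity feedback.

Added illustration; not Argonne's model or data. T_OPER and T_BOIL are
from the article, every other constant is an assumed, normalised value.
"""

T_OPER = 500.0   # C, normal coolant temperature (article)
T_BOIL = 900.0   # C, sodium boiling point (article)
T_SINK = 350.0   # C, assumed temperature of the ultimate heat sink
P_FULL = 1.0     # assumed normalised full power
# heat-removal coefficient that exactly balances full power at T_OPER
H_NORMAL = P_FULL / (T_OPER - T_SINK)
HEAT_CAP = 5.0   # assumed thermal capacity, power-units * s per C


def power(temp, alpha):
    """Reactor power with a linear temperature feedback coefficient alpha
    (per C). alpha < 0 is the thermal-expansion effect the article describes:
    power falls as the core heats. Clamped at zero; power cannot go negative."""
    return max(0.0, P_FULL * (1.0 + alpha * (temp - T_OPER)))


def equilibrium_temp(h, alpha):
    """Analytic steady state of dT/dt = (power(T) - h*(T - T_SINK)) / HEAT_CAP,
    valid while the clamp in power() is inactive."""
    return (P_FULL + h * T_SINK - P_FULL * alpha * T_OPER) / (h - P_FULL * alpha)


def simulate(h, alpha, seconds, dt=1.0):
    """Explicit-Euler march from normal operation after heat removal drops to h.
    Returns (final temperature, final power)."""
    temp = T_OPER
    for _ in range(int(seconds / dt)):
        dtemp = (power(temp, alpha) - h * (temp - T_SINK)) / HEAT_CAP
        temp += dtemp * dt
    return temp, power(temp, alpha)


if __name__ == "__main__":
    # assumed: after loss of the secondary pump, natural convection keeps
    # 20% of the normal heat removal
    h_loss = 0.2 * H_NORMAL
    t_fb, p_fb = simulate(h_loss, alpha=-0.01, seconds=4 * 3600)
    t_none, _ = simulate(h_loss, alpha=0.0, seconds=4 * 3600)
    print(f"with feedback:    T={t_fb:6.1f} C  P={p_fb:.2f}  (analytic {equilibrium_temp(h_loss, -0.01):.1f} C)")
    print(f"without feedback: T={t_none:6.1f} C  (boiling point {T_BOIL:.0f} C)")
```

With the assumed numbers the feedback case settles near 571 C at about 29% power, well under the 900 C boiling point, whereas the same transient with no feedback heads for 1100 C and passes the boiling point within a few hours. The linear toy settles at a finite power rather than shutting down completely, which is where it parts company with the EBR-II tests described above; the shape of the result, a bounded excursion instead of a runaway, is the point.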
What is a fast reactor?
Nuclear reactors produce energy by a process called fission. Fission occurs when an atom of fissile material is struck by a neutron, becomes unstable and splits, producing fission fragments and high-energy neutrons. In an operating reactor, one of these neutrons will strike another fissile atom to maintain a steady chain reaction. Fission also releases heat, which is used to produce steam to spin an electrical generator.
Reactors can be classified according to the energy of the neutrons that cause fission. Present day commercial power reactors are called "thermal" reactors because the neutrons have been slowed to thermal energy using a "moderator" — usually water. By contrast, a "fast" reactor uses neutrons of much higher energy to cause fission. A fast reactor does not have a moderator.
The only fissile material found in nature is uranium-235, which makes up less than 1 percent of natural uranium. While some fissile plutonium is produced in a thermal reactor, it is not enough to replace the uranium-235 used. In a fast reactor, however, enough plutonium can be produced to more than make up for the uranium-235 used. In addition, many of the long-lived actinides that cannot be fissioned in a thermal reactor can be burned in a fast reactor, so the fast reactor is capable of destroying the major source of long-lived radiotoxicity in spent fuel. Thus, the fast reactor can create new fuel and destroy long-lived nuclear waste while it produces electricity.