Disaster by Design/Safety by Intent

, former director, Nuclear Safety Project | October 1, 2015, 6:00 am EDT

Nuclear power reactor designs feature multiple, diverse safety components intended to prevent a fuel meltdown and, should a meltdown occur anyway, to prevent the release of radiation. This approach is called defense-in-depth: all of the barriers would have to fail for radiation to be released. If any individual barrier were 100% reliable, the remaining barriers would not be necessary. But because neither any individual barrier nor all the barriers collectively guarantee protection, each barrier must be kept as effective as possible if the inherent risks are to be minimized.

The protection afforded by multiple diverse safety measures will be weakened if problems with individual safety components are tolerated rather than corrected, making it more likely that an extreme event can overwhelm all the barriers to cause disaster.
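To make the two preceding points concrete, here is a small added model (not code from UCS or the original post, and using constructed numbers rather than data from any real plant). It assumes that a disaster requires every barrier to fail, that barriers fail independently once a hazard scenario is fixed, and that a severe scenario such as a station blackout raises the failure probability of several barriers at once, which is the "extreme event overwhelms all the barriers" case. The barrier names, failure probabilities, scenario frequencies and multipliers are all hypothetical.

```python
"""Toy defense-in-depth model: disaster only when every barrier fails.

All barrier names, probabilities and scenario frequencies below are
constructed for illustration; they are not data from any plant.
"""
from math import prod

# Hypothetical barriers with per-demand failure probabilities under a
# routine upset (constructed values).
BASELINE = {
    "reactor trip": 1e-3,
    "emergency core cooling": 1e-2,
    "containment": 1e-2,
}

# Hypothetical hazard scenarios: annual frequency plus a per-barrier
# multiplier on the baseline failure probability. A severe event degrades
# several barriers together, so their failures are no longer independent
# overall even though they are independent within a scenario.
SCENARIOS = {
    "routine upset": (1.0, {}),
    "station blackout": (1e-2, {"emergency core cooling": 10, "containment": 5}),
}


def p_all_fail(probs):
    """Probability that every barrier fails, assuming independence."""
    return prod(probs.values())


def scenario_barrier_probs(baseline, multipliers):
    """Failure probability of each barrier conditioned on one scenario."""
    return {name: min(1.0, p * multipliers.get(name, 1)) for name, p in baseline.items()}


def annual_disaster_frequency(baseline, scenarios):
    """Sum over scenarios of P(scenario) * P(all barriers fail | scenario)."""
    total = 0.0
    for freq, multipliers in scenarios.values():
        total += freq * p_all_fail(scenario_barrier_probs(baseline, multipliers))
    return total


def degrade(baseline, name, new_p):
    """Model a known defect in one barrier that is tolerated, not fixed."""
    degraded = dict(baseline)
    degraded[name] = new_p
    return degraded


def risk_ratio(baseline, degraded, scenarios):
    """How many times more likely a disaster becomes with the defect tolerated."""
    return annual_disaster_frequency(degraded, scenarios) / annual_disaster_frequency(baseline, scenarios)


if __name__ == "__main__":
    # A hypothetical unresolved containment leak path raises that barrier's
    # per-demand failure probability from 1% to 20%.
    weakened = degrade(BASELINE, "containment", 0.2)
    print("baseline  :", annual_disaster_frequency(BASELINE, SCENARIOS))
    print("tolerated :", annual_disaster_frequency(weakened, SCENARIOS))
    print("risk ratio:", risk_ratio(BASELINE, weakened, SCENARIOS))
    # A perfectly reliable barrier would make the others redundant.
    print("perfect containment:", annual_disaster_frequency(degrade(BASELINE, "containment", 0.0), SCENARIOS))
```

With these constructed numbers, tolerating the one degraded barrier multiplies the annual disaster frequency by twenty, and in the blackout scenario the degraded containment reaches certain failure, so the remaining protection rests entirely on the other two barriers. Setting any barrier's failure probability to zero drives the total to zero, which is the post's point that the other barriers exist precisely because no single one can be made perfect.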

In a new series of blog posts—Disaster by Design/Safety by Intent—UCS will explore how defense-in-depth can be eroded, and how it can be enhanced.

The New Series of Posts

NRC inspector (Source: NRC)

The series will discuss times when the designs of plants, their equipment, and their operating and maintenance procedures were found to be deficient. The series will also describe events—such as turbine failures, transformer faults, and heavy rainfall—that undermined safety. And the series will discuss times when human failures—inadequate maintenance, unresolved safety problems, miscommunications, and ineffective preparations—reduced the effectiveness of the protective barriers. Tolerating such flaws and failures is tantamount to designing for disaster.

The series will also discuss the other side of the ledger: times when the path to disaster was effectively blocked by existing barriers, when deficient barriers were proactively fixed, and when additional barriers were installed. Such measures make a disaster less likely and lessen its consequences should one occur.

The goal of this series is for the Nuclear Regulatory Commission (NRC) and the nuclear industry to reduce the number of unresolved safety problems and to implement additional safety measures, thereby strengthening the barriers that guard against nuclear disaster.

Posted in: Disaster by Design, Nuclear Power Safety


  • Bob Doyle

    I have become aware of an ‘old’ nuclear reactor that was totally overlooked by the government in the 1960’s and 1970’s even though it was designed at Oak Ridge National Labs. It is a liquid or molten salt reactor that used thorium. The design, because it used liquid fuel instead of solid fuel, allows the reactor to run at atmospheric pressure and is walk-away safe. It runs at a higher temperature than the light water reactors, which is more efficient, and the reaction can extract 99% of the energy from the fuel. This is in contrast to an efficiency of 0.5% for the light water reactors. We need to build these reactors and get rid of all the water-cooled pressurized inefficient light water reactors. Please seek this technology out – Google “thorium”

    • Thanks for your comment. UCS did some initial exploring on the thorium proposals and had this to say: http://www.ucsusa.org/sites/default/files/legacy/assets/documents/nuclear_power/thorium-reactors-statement.pdf

    • dinkydave

      Good try, Bob. True, a molten thorium salt reactor did operate, as a test, for 5 years. There were challenges, but nothing bad happened. If this idea is so good, why nothing since? Why has private money not been invested? One problem is that some of the Th222 becomes, not the desired U233 but U232. In the decay chain of the U232 isotope is a powerful gamma emitter, so this is a problem for thousands of years.

      Another problem I can see with high temp molten salt at room pressure–this heat has to be turned into high pressure steam to turn a turbine to generate electricity. Now, an eventual leak of 1200psi steam into your molten salt? Wet HF in your system? If, as you wish, the whole world goes this way, events like this will occur. What then?

  • steamshovel2002

    I hope you discuss the problems with Pilgrim’s meteorological tower. I discovered them and notified the NRC at the beginning of 2013. I made a complaint about the met tower in my 2013 2.206 petition concerning the safety relief valves. It would have been much more effective and efficient if all the big special inspections had occurred as a result of the 2013 storm Nemo trip and LOOP. I discovered it in the storm Nemo trip and LOOP. Just an entry in the NRC’s timeline of the accident with no further elaboration. I was shocked at seeing this. Basically the towers were obsolete and they were thinking of replacing them…so why do maintenance on them. It is disgusting; how many bites of the apple does it take to get these guys to fix it? I went on a fragment of information…I felt the agency was blocking me from gaining more information on this. This attitude was what dragged this on for so long. I get the idea the agency blocks information on an event until the components are adequately fixed. They wouldn’t allow outsiders to watch in real time a licensee and agency struggle to bring a component back into licensing, bungling it over and over. All we get is the prettified version of events. If they allowed us to see everything, I don’t believe Pilgrim would have had such a deep decline.

    My blog written as it occurred:


    The pathetic new inspection report:


  • steamshovel2002

    Actually, you get what is going on. If they gave me real time information on an ongoing violation or event contrary to licensing that I discovered, effectively they’d lose control of the facility and give that power to me.

    Effectively limiting disclosures and information across the board…it puts the control of the facility 100% in the hands of the licensee and NRC, especially when a facility is run contrary to agency rules and plant licensing. This thing is all about control!