Fire Safety–or Not?

January 7, 2014
Dave Lochbaum
Former contributor

Nuclear Energy Activist Toolkit #21

By NRC’s regulations, safety systems for the nation’s nuclear plants are designed to perform their intended functions despite the worst-case postulated single failure. “Single failure” is defined in the regulations:

A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.

“Multiple failures resulting from a single occurrence” include things like all components supplied from an emergency diesel generator stopping when that emergency diesel generator fails.

This single failure criterion leads to redundancy—when safety studies rely on one pump to perform some essential role, two or more are installed. Redundancy assures that the role gets performed even if a pump fails.

In boiling water reactors, the High Pressure Coolant Injection (HPCI) system is installed to provide makeup cooling water to the reactor if a small pipe ruptures and drains away cooling water. The HPCI system has only one pump that is very reliable, but not immune to failure. So, the Automatic Depressurization System (ADS) was added to boiling water reactor designs to satisfy the single failure criterion. If the HPCI system fails, the ADS will automatically reduce the pressure inside the reactor vessel to allow an array of low pressure makeup systems to supply cooling water to the reactor vessel.

But fires at nuclear power plants are treated differently within NRC’s regulations:

Shutdown systems installed to ensure post-fire shutdown capability need not be designed to meet seismic Category I criteria, single failure criteria, or other design basis accident criteria, except where required for other reasons, e.g., because of interface with or impact on existing safety systems, or because of adverse valve actions due to fire damage.

In other words, when developing protective measures against nuclear plant fires, designers did not have to postulate equipment failures except for damage directly caused by the fire itself. When fire studies rely on one pump to handle the fire, only one pump need be installed.
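The contrast between the single failure criterion (quoted above, with the HPCI/ADS illustration) and the fire-protection exemption can be made mechanical. The following is an added illustration written for this post, not code from UCS, the NRC, or any plant; the component names, dependency topologies and success paths are constructed and deliberately simplified. It postulates each component's failure one at a time, cascades the loss to everything that depends on it (the "multiple failures resulting from a single occurrence" case, e.g. every load on a failed emergency diesel generator), and reports every single failure that leaves no way to perform the function. A design that relies on one pump, as the fire rule permits, shows up immediately.

```python
"""Single-failure-criterion checker (constructed, illustrative example).

A safety function is modelled as a list of "success paths": alternative
component sets, any one of which performs the function.  Components may
depend on shared supports such as an emergency diesel generator (EDG).
All topologies below are simplified constructions for illustration, not
descriptions of any real plant.
"""


def propagate(depends_on, initial):
    """Return the set of components lost when `initial` fails.

    depends_on maps component -> tuple of components it needs to operate.
    Loss cascades to a fixed point: a component is lost if any support is lost,
    so one occurrence (an EDG failure) can take out several loads at once.
    """
    lost = {initial}
    changed = True
    while changed:
        changed = False
        for comp, supports in depends_on.items():
            if comp not in lost and any(s in lost for s in supports):
                lost.add(comp)
                changed = True
    return lost


def function_available(success_paths, lost):
    """True if at least one success path has none of its components lost."""
    return any(all(c not in lost for c in path) for path in success_paths)


def single_failure_check(depends_on, success_paths):
    """List every single component failure that defeats the safety function.

    An empty list means the design meets the single failure criterion as the
    regulation quoted above defines it: one postulated failure at a time, with
    its cascaded losses counted as part of the same occurrence.
    """
    return [
        comp
        for comp in depends_on
        if not function_available(success_paths, propagate(depends_on, comp))
    ]


# Constructed BWR makeup-water topology: the HPCI pump is one path; ADS plus
# either of two low-pressure pumps, each fed by its own EDG, is the other.
BWR_MAKEUP = {
    "edg_a": (),
    "edg_b": (),
    "hpci_pump": (),
    "ads": (),
    "lp_pump_a": ("edg_a",),
    "lp_pump_b": ("edg_b",),
}
BWR_MAKEUP_PATHS = [
    ("hpci_pump",),
    ("ads", "lp_pump_a"),
    ("ads", "lp_pump_b"),
]

# Constructed post-fire shutdown topology: one pump on one EDG, the
# arrangement the fire-protection rule allows.
FIRE_SHUTDOWN = {
    "edg_a": (),
    "fire_shutdown_pump": ("edg_a",),
}
FIRE_SHUTDOWN_PATHS = [("fire_shutdown_pump",)]

# Constructed common-cause variant: two pumps are installed, but both hang
# off the same EDG, so a single EDG failure removes both.
SHARED_EDG = {
    "edg_shared": (),
    "pump_a": ("edg_shared",),
    "pump_b": ("edg_shared",),
}
SHARED_EDG_PATHS = [("pump_a",), ("pump_b",)]


if __name__ == "__main__":
    cases = [
        ("BWR makeup (HPCI + ADS/low-pressure)", BWR_MAKEUP, BWR_MAKEUP_PATHS),
        ("Post-fire shutdown (single pump)", FIRE_SHUTDOWN, FIRE_SHUTDOWN_PATHS),
        ("Two pumps on one EDG", SHARED_EDG, SHARED_EDG_PATHS),
    ]
    for label, dep, paths in cases:
        defeating = single_failure_check(dep, paths)
        verdict = "meets" if not defeating else "fails"
        print(f"{label}: {verdict} single failure criterion; "
              f"defeating failures: {defeating}")
```

Run stand-alone, the BWR topology reports no defeating failure, the single-pump fire-shutdown topology is defeated by either its pump or its diesel, and the shared-EDG variant shows why counting pumps is not enough: redundancy only satisfies the criterion when the redundant trains do not share a support whose loss removes them together.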

Bottom Line

[NEAT 21 Figure 1]

The first step in procedures used by operators responding to an accident at a nuclear power plant should be to start a fire (or to start a barbeque at the plants in the southeast). Doing so would prevent any and all worker errors or equipment malfunctions from making the consequences worse. At least on paper it would.

For some reason, equipment that must be assumed to fail during an accident is assumed to function flawlessly during a fire.

And if owners installed an eternal flame at their nuclear power plants, they’d have immunity from equipment failures. They wouldn’t need a second emergency diesel generator or Automatic Depressurization System—they’d have a fire which is even better than the multitude of backup safety components.

At least on paper. Burn the paper, protect a reactor.


The UCS Nuclear Energy Activist Toolkit (NEAT) is a series of posts intended to help citizens understand nuclear technology and the Nuclear Regulatory Commission’s processes for overseeing nuclear plant safety.