Disaster by Design/Safety by Intent #34
Disaster by Design
“Reactor containment” to most people conjures up images of thick concrete walls. That’s probably because all operating U.S. nuclear power plants have thick concrete walls around the reactor pressure vessels (Fig. 1).
The walls of reactor containments are made from reinforced concrete up to five feet thick (Fig. 2). The robustness keeps the containment intact should a pipe connected to the reactor vessel rupture. The fluid jetting from the broken pipe ends would quickly pressurize the containment and cause it to fail, unless the structure was strong enough to withstand that challenge.
A dime. Years ago, it could purchase a cup of coffee. It can still buy a cup of coffee—if accompanied by enough of its currency colleagues.
A dime also represents the thickness of a containment barrier in about two-thirds of the nuclear reactors operating in the U.S. today.
The containment walls surrounding these nuclear reactors may be up to five feet thick, but they have pipes nearly two feet in diameter passing through the walls to carry the flow from the steam generators to the main turbine. Thousands of tubes—each with metal walls about the thickness of a dime—are all that prevents radioactive water from leaking, flashing to steam, and escaping from containment through the steam pipes—each as big around as a very large tree—to the environment.
It’s not a question of whether a thin metal tube inside a steam generator can break. The question is when and where the next steam generator tube failure will happen.
In January 2013, a steam generator tube leak forced operators to shut down the Unit 3 reactor at the San Onofre nuclear plant in California. Degraded steam generator tubes prevented this reactor from ever restarting and caused the permanent shutdown of San Onofre Unit 2 as well.
A broken steam generator tube poses a dual threat. First, it allows reactor cooling water to leak out. Second, it allows that leaked reactor water to get past the containment wall. The former can lead to reactor core damage if the emergency systems fail to respond; the latter can lead to large releases of radioactivity to the environment.
Workers must take steps to mitigate broken steam generator tubes to prevent them from leading to bad outcomes. Pressurized water reactors have two to four steam generators. Workers must determine which of the steam generators has the broken tube(s). Their training and response procedures direct them to isolate the “bad” steam generator. The workers do not simply isolate all the steam generators because continued cooling of the reactor core is enhanced when the steam generators with unbroken tubes remain available to transfer the core’s heat away.
Workers isolate a steam generator by closing valves that admit makeup water to the steam generator and, when possible, closing valves that carry steam to the main turbine. When valve closure is not an option (not all pressurized water reactors have valves installed in the steam pipes between the steam generators and the main turbine), workers must mitigate the broken tube(s) the hard way—by equalizing the pressure inside the tubes with the outside pressure. They must match the pressure of the water flowing through the reactor vessel with the pressure in the steam generators, and they must maintain that balance. When the pressures are matched, the amount of reactor cooling water (and radioactivity) passing through the broken tube(s) is minimized.
Safety by Intent
Thick concrete walls or metal the width of a dime. Both serve as containment barriers in pressurized water reactors. Both can faithfully fulfill this function IF….
Thick or thin, these barriers illustrate both the strength and the weakness of the defense-in-depth approach to nuclear safety. Defense-in-depth seeks to minimize the chances of the reactor core becoming damaged through a diverse array of reliable emergency cooling and makeup systems.
But these emergency systems, while highly reliable, are not foolproof.
So, the reactor vessel is surrounded by thick concrete walls intended to prevent the large release of radioactivity to the environment from a damaged reactor core.
But this containment barrier, while highly reliable, is not foolproof.
So, as the next Disaster by Design/Safety by Intent posts will describe, emergency plans are required with the objective of getting people out of harm’s way before the radioactive cloud emitted through a defective containment barrier from a damaged reactor core passes by.
But the emergency plans, while highly reliable, are not foolproof.
So, the key to defense-in-depth is having as many barriers as possible and ensuring each barrier is as reliable as achievable.
Anything less is just foolish.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.