Abstract
The events at Fukushima Daiichi have sharply renewed public attention to the safety of the existing fleet of nuclear reactors, especially since many US reactors share the same fundamental design, and the same safety systems, as the affected Japanese units. The authors explore the proposition that a transition to increasingly passive safety features in new advanced reactor designs, supplementing and in some cases superseding the existing approach of depending on active "defense-in-depth" safety systems, could significantly reduce reactor safety risks. Such passive safety features are highly developed in the new small modular reactor designs now under detailed study; based on a factory-built approach, these designs may also markedly improve the economic case for nuclear power. They offer the possibility that US-based manufacturers could regain a significant share of the international nuclear reactor market.
For months, and perhaps years, lessons will be learned from the events at the Fukushima Daiichi nuclear power plant in Japan, which will serve as both a laboratory and a classroom. As the sequence of events unfolded, from the initiating event through the accident response, at least one point became clear: in operating reactors, defense-in-depth (the technical concept of multiple layers of safety backup systems) rests on a series of active backup systems, meaning systems that need powered equipment or human intervention to function, all of which must remain operable to forestall a single-point catastrophic failure. Defense-in-depth can be vitiated by failures such as the loss of the vital diesel generators during a complete loss of off-site power, undermining the very essence of the concept, including the necessary features of multiple, diverse, and redundant safety systems. This naturally raises the question of whether substantial improvements are in the offing. The short answer is yes, with a crucial caveat: the risk of single-point catastrophic failure is reduced significantly only if reliance on active safety systems, no matter how superbly engineered, is minimized, that is, if the safety measures are largely passive in nature. Unlike active safety features, passive safety features require neither operator intervention nor active controls; they rely instead on fundamental physical principles, such as natural thermal convection in the presence of gravity, to limit the effects of unexpected events.
But not every system is wholly active or wholly passive. The International Atomic Energy Agency definition applies to components and systems, but not structures, that perform safety functions when taking the plant from normal operation to a safe shutdown (IAEA, 1991). For a system or component to be deemed passive, three functions must be performed reliably without external input: the "intelligence" that detects the need to act, such as a signal or the change of a physical parameter; the automatic initiation of the motive power (natural agents such as water, steam or wind that move the machinery, motor or mover); and the means of driving the plant toward, and holding it in, a shutdown condition without operator intervention.
The tragedy at Fukushima has increased public concern about nuclear reactor safety. Consequently, there is growing interest in designing safety systems for new reactors that are passive in nature and are not vulnerable to the kinds of planning and operational failures that seem to have led to the disaster in Japan. Passive design features are increasingly seen as an essential component of next-generation reactors and are already on the market. But the game-changer may well be a new standard for licensable designs: a design maximally dependent on passive safety features and minimally dependent (if at all) on active safety backup systems. Such redesigns by US manufacturers could secure them a lead in advanced reactor manufacturing and regain a significant place in the international marketplace for nuclear reactors.
Types of reactor systems
The 104 nuclear power plants currently operating in the United States all belong to a single generation of nuclear power system, Generation II. The first systems, designed in the 1950s, are known as Generation I reactors; today only one of these plants remains in operation anywhere in the world, in Wales, and it is scheduled to close in 2012. Most of today's reactor systems are Generation II, the majority of which are boiling water reactors (BWRs) and pressurized water reactors (PWRs). Generation III and Generation III+ designs, essentially Generation II reactors with state-of-the-art design improvements, are the gigawatt-scale reactors now offered by nuclear vendors. 1
Some of the safety features developed for the first nuclear reactors are still used in the most contemporary reactors today. These features depend both on active sensor systems and, usually, on active operations by skilled plant staff, as well as on other common safety provisions such as highly robust primary containment structures designed to withstand both substantial internal stresses (including events such as hydrogen explosions) and external insult (such as aircraft impact). The details of these safety systems depend on the specific type of reactor, whether boiling water or pressurized water. 2 The general principles, namely robust construction designed to withstand stresses beyond expectation in the most extreme circumstances (seismic or otherwise) and multiple layers of backup safety systems (to guard against power failures and loss of reactor cooling), apply to both reactor types as licensed by the US Nuclear Regulatory Commission (NRC).
The technical improvements found in Generation III reactors lie in fuel technology, thermal efficiency, modularized construction, safety systems (especially the use of passive rather than active systems), and standardized design. 3 The goals of these advances are to increase reactor safety and security margins and to support a longer operational life, typically 60 years (and potentially well beyond 60 years) before complete overhaul and reactor pressure vessel replacement. 4 The design improvements show up in the core damage frequencies estimated for Generation III and Generation III+ reactors, which are reported to be significantly lower 5 than those for Generation II reactors.
The principles of passive safety
Reactor safety systems have three goals: to prevent serious consequences resulting from an accident (for instance, preventing the melting of reactor fuel if reactor cooling fails catastrophically); to mitigate damage by allowing timely, economical restoration to normal operation (like the backup cooling system in the Westinghouse AP-1000 design); and to delay potentially serious impacts by giving advance indication that severe transients and pre-accident conditions could shortly ensue (sufficient warning time for the plant operator to prevent eventual serious consequences). 6
The push toward passive safety is fundamentally motivated by a pessimistic view of the man-machine interface. Simply stated: reliance on safety mechanisms grounded in fundamental laws of nature, with very limited dependence on active sensing or intervention by safety systems (no matter how redundant), is invariably preferable to even the most redundant active safety systems. This view assumes, of course, that such passive systems can be realized, and that assumption is not always valid. Electrical and mechanical safety controls leave room for operator error or misinterpretation, room that passive safety designs are specifically aimed to minimize, mitigate or, best of all, eliminate entirely.
When considering the issues surrounding safety, it is useful to understand how relevant passive systems are to nuclear reactors. Consider the worst that could happen in a light water reactor: for whatever reason, the reactor needs to be shut down, but the control rods cannot be inserted and the other normal means of controlling the reactor's criticality state are likewise unavailable, so the chain reaction cannot be actively terminated. 7 If the circulation pumps have also failed, extremely serious damage ensues, because the core continues to operate at full power with no means of removing the heat. This will certainly lead to melting of the reactor fuel and much of the fuel assembly, with a variety of other catastrophic consequences, including a potential breach of the reactor pressure vessel. The most obvious remedy is to insert a neutron-absorbing material, such as boron, into the coolant. This procedure, often called reactor poisoning, was one of the routes taken at Fukushima; and, as the Fukushima experience illustrates, it requires human (active) intervention.
So how can this sort of damage be prevented passively? One solution relies on the familiar property of many materials to expand when heated. Under normal operating conditions, the geometry of the fuel assembly in a reactor core is designed so that the core can become critical. If the fuel assembly is built so that its fuel elements move apart as the core temperature rises above the nominal design operating temperature, a critical reactor can be driven subcritical, provided the expansion is large enough. In other words, if cooling fails and the control rods cannot be inserted, such a reactor will nevertheless shut itself down as the core temperature rises above nominal operating conditions. No intervention by active safety systems is required, and no external or auxiliary power is needed: the chain reaction is terminated purely passively.
At Fukushima Daiichi the problem was not a failure to shut down: the reactor protection systems functioned correctly and brought the reactors to a subcritical state. But the eventual failure of the cooling systems meant that the considerable heat still released by decaying fission products (a few percent of the reactor's full operating power immediately after shutdown) could not be dissipated, leading to at least partial melting of fuel and fuel assemblies, pressure build-up inside the reactor pressure vessel, and so on.
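To put the "a few percent" figure on a scale, the following is an added illustration, not code from the article or its authors. It evaluates the Way-Wigner approximation for fission-product decay heat, which is an assumed textbook fit rather than anything the article states; the 3,000 MW thermal rating, the one-year operating history and the latent-heat constant are constructed round numbers, not data from Fukushima Daiichi. It shows how quickly the decay heat falls after shutdown, and how much water a cooling system must nevertheless be able to boil away in the first day if every other heat sink is lost.

```python
"""Way-Wigner estimate of fission-product decay heat after shutdown.

Added illustration, not code from the article or its authors. The
Way-Wigner fit below is an assumed textbook approximation for a
uranium-fuelled core; the 3,000 MW thermal rating and one-year operating
history used in __main__ are constructed round numbers, not data from
Fukushima Daiichi.
"""

SECONDS_PER_DAY = 86_400.0
SECONDS_PER_YEAR = 365.0 * SECONDS_PER_DAY
# Latent heat of vaporization of water at 1 atm, MJ per kg (assumed constant).
LATENT_HEAT_MJ_PER_KG = 2.257


def decay_heat_fraction(t_after_shutdown_s: float,
                        operating_time_s: float = SECONDS_PER_YEAR) -> float:
    """Fission-product decay power as a fraction of pre-shutdown full power.

    Way-Wigner approximation (assumed, see module docstring):
        P(t)/P0 = 0.0622 * [ t^-0.2 - (t + T)^-0.2 ]
    with t = seconds since shutdown and T = seconds of prior full-power
    operation. The fit is only meaningful for t of order 1 s or more.
    """
    if t_after_shutdown_s < 1.0:
        raise ValueError("fit not valid for t < 1 s after shutdown")
    t, T = t_after_shutdown_s, operating_time_s
    return 0.0622 * (t ** -0.2 - (t + T) ** -0.2)


def decay_heat_mw(rated_thermal_mw: float, t_after_shutdown_s: float,
                  operating_time_s: float = SECONDS_PER_YEAR) -> float:
    """Absolute decay heat (MW thermal) the cooling system must still remove."""
    return rated_thermal_mw * decay_heat_fraction(t_after_shutdown_s,
                                                  operating_time_s)


def integrated_decay_energy_mj(rated_thermal_mw: float, t_end_s: float,
                               operating_time_s: float = SECONDS_PER_YEAR) -> float:
    """Thermal energy (MJ) released from 1 s after shutdown until t_end_s.

    Closed-form integral of the Way-Wigner expression:
        int 0.0622 [t^-0.2 - (t+T)^-0.2] dt
          = (0.0622 / 0.8) * [ t^0.8 - (t + T)^0.8 ] + const
    evaluated between t = 1 s and t = t_end_s; MW * s = MJ.
    """
    if t_end_s < 1.0:
        raise ValueError("t_end_s must be >= 1 s")
    T = operating_time_s

    def antiderivative(t: float) -> float:
        return (0.0622 / 0.8) * (t ** 0.8 - (t + T) ** 0.8)

    return rated_thermal_mw * (antiderivative(t_end_s) - antiderivative(1.0))


def water_boiled_kg(rated_thermal_mw: float, t_end_s: float,
                    operating_time_s: float = SECONDS_PER_YEAR) -> float:
    """Mass of saturated water (kg) that the decay energy could boil away.

    A lower bound on the make-up water needed if all decay heat goes into
    boiling; ignores sensible heating and heat lost through structures.
    """
    return (integrated_decay_energy_mj(rated_thermal_mw, t_end_s,
                                       operating_time_s)
            / LATENT_HEAT_MJ_PER_KG)


if __name__ == "__main__":
    RATED_MW = 3000.0  # constructed round number for a large light water reactor
    print(f"Decay heat after shutdown, {RATED_MW:.0f} MWt core, 1 year at power")
    for label, t in [("1 s", 1.0), ("1 min", 60.0), ("1 h", 3600.0),
                     ("1 day", SECONDS_PER_DAY), ("1 week", 7 * SECONDS_PER_DAY)]:
        frac = decay_heat_fraction(t)
        print(f"  {label:>6}: {100 * frac:5.2f} %  = {decay_heat_mw(RATED_MW, t):7.1f} MW")
    day_mj = integrated_decay_energy_mj(RATED_MW, SECONDS_PER_DAY)
    print(f"Energy released in first 24 h: {day_mj / 1e6:.2f} TJ, enough to boil "
          f"about {water_boiled_kg(RATED_MW, SECONDS_PER_DAY) / 1000:.0f} t of water")
```

With these assumed inputs the decay heat is roughly 6 percent of full power one second after shutdown, about 1 percent after an hour, and about half a percent after a day; the cumulative energy over the first day is of the order of a terajoule, which is why "a few percent" is not a small problem once the pumps stop and the heat sink is lost, and why the passive decay-heat removal discussed below matters.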
Could this type of problem be handled passively? Again, yes. Here the answer relies on another fundamental property of matter: fluids usually expand when heated and thereby become buoyant. The fluids used as reactor coolant can therefore convect; fluid heated from below rises and, when cooled at the top, descends again. This circulation is known as natural (thermal) convection. It has been demonstrated that reactor cores can be designed so that natural convection removes not only the residual decay heat from the fuel assembly but also the full heat load produced by a critical operating core. Here, too, no active system need intervene: one relies on buoyancy, which operates as long as fluids expand when heated and gravity is present, two conditions that are always satisfied.
There are many other approaches to passive safety in nuclear reactor design, all aimed at exploiting elementary physical principles to improve safety performance. Some physical principles can serve both safety and security passively. The most prominent and obvious example exploits the fact that liquids flow down, not up: this is the principle at work when a reactor is placed entirely below grade. In the event of an accidental breach of the pressure vessel, the plant is designed so that the loss of coolant from a light water reactor is governed by the thickness of the concrete and reinforced steel barriers and by the permeability of the soil surrounding the buried reactor vessel and containment structure. Such a design slows any release, in effect providing a warning period and more time for emergency response. From the plant's point of view, burial also offers a security advantage by minimizing the profile exposed to potential attack.
Examples of concrete implementation of passive safety in advanced reactor designs
Most of the new Generation III and Generation III+ reactor systems, including the current class of small modular reactor designs, incorporate passive safety features. These designs take advantage of fundamental physical principles to achieve passive safety; two examples are pebble bed reactors and the B&W mPower small modular reactor (see Table 1).
Pebble bed reactors
Originally conceived in the 1950s, high-temperature, gas- or liquid-salt-cooled pebble bed reactors are built so that when the temperature of the fuel pebbles rises above the nominal operating temperature (for example because of a cooling failure), the graphite shell surrounding the fissile material at each pebble's core expands. The result is an increased spacing between the fissile pebble cores, and the pebble bed goes subcritical. No human intervention is required; the chain reaction is terminated by relying entirely on the thermal expansion of the graphite shell material.
B&W mPower small modular reactor
This design includes a number of technological enhancements intended to preclude the need for active safety features: large in-containment water storage tanks that provide long-term passive decay heat removal from the reactor cooling system; automatic depressurization of the primary loop in a loss-of-coolant accident, so as to allow long-term coolant injection; a long-term reactor water flooding capability; and soluble boron injection from pressurized tanks, requiring no electrically driven pumps.
Looking forward
Improvements in nuclear reactor design have produced advanced reactor concepts that meet head-on the concerns about the safe operation of nuclear power plants. Some of these designs reflect a rather fundamental rethinking of reactor safety. Rather than merely adding layers to a defense-in-depth strategy, the approach is to start from the worst event that could possibly occur, no matter how unlikely, and ask whether its consequences could be mitigated passively, without relying on human or other active intervention.
Although such reactor designs, like the pebble bed, have existed for some time, they have typically not been produced commercially because the R&D investment needed to carry them from design to commercial practicality has not yet been made. For this reason, the advent of alternative designs with significant safety improvements, at a construction price point that could make them economically competitive, is a potentially transformative development. It is all the more promising given the heightened public concern over nuclear reactor safety, because it focuses on reactor designs that are not vulnerable to the same planning and operational failures that appear to have led to the Fukushima Daiichi disaster. For the US nuclear industry, passive design also carries a potential competitive advantage: with small modular reactors, US manufacturers could regain their once-dominant international position in reactor manufacturing.
Table 1. Principal new reactor designs with passive safety features
Editor’s note
The views and opinions expressed in this article do not necessarily state or reflect those of the United States government or any agency thereof, Argonne National Laboratory, or the University of Chicago.
Footnotes
1. It is notable that there are no Generation III plants in the United States at a time when such reactors are (and were) being installed elsewhere. Examples of Generation III reactors on the market include the Westinghouse AP-1000 and the GE Hitachi Advanced Boiling Water Reactor (ABWR). Roughly contemporaneously with the Generation III designs, European and Canadian designers made further advances, leading for example to the EPR (formerly known as the European Pressurized Reactor) and the Advanced CANDU Reactor (ACR-1000), usually labeled Generation III+ designs. These focused still more attention on passive safety features and operational efficiency.
2. The family of nuclear reactors known collectively as light water reactors (LWRs) are cooled and moderated using water composed of the dominant ("ordinary") isotopes of hydrogen and oxygen; "heavy" water, in which the hydrogen is deuterium, is about 11 percent denser. The first PWRs were developed in the 1950s as part of a United States Navy program started immediately after the end of World War II and led by Captain Hyman Rickover. BWRs were, in contrast, developed largely within the civilian nuclear reactor program managed by Argonne National Laboratory and led by researcher Samuel Untermyer II at the Argonne-West facilities (today part of Idaho National Laboratory).
3. In the United States, Generation III reactors, unlike the existing fleet, are licensed under NRC regulations based on 10 CFR Part 52.
4. Confirmatory research into nuclear plant aging beyond 60 years is needed before these reactors can be allowed to operate over such extended lifetimes.
5. The core damage frequencies for these reactors are reported to be several orders of magnitude lower than for Generation II reactors.
6. This article focuses on the prevention of consequences. It should be noted, however, that passive safety systems aimed at delaying or anticipating serious consequences have been designed and are being deployed.
7. This type of incident is extremely implausible for modern reactor designs, but the point of raising it here is to illustrate that even the worst type of incident, no matter how implausible, can be dealt with passively.