Abstract
Nuclear proponents cite new, safer reactor designs to assuage fears about accidents. Yet safety features may lose out to economics, and new plants could be little safer than the current fleet.
No U.S. utility has ordered a new nuclear reactor for 30 years, but this may be about to change in a big way. Spurred by growing concerns about greenhouse gas emissions and flush with the prospect of tens of billions of dollars in public subsidies, nine utilities have applied to the Nuclear Regulatory Commission (NRC) to build and operate 15 new nuclear reactors, and at least a dozen more applications are planned.
Even with subsidies provided by Congress, $5 billion-$9 billion for each new nuclear plant is still a staggeringly expensive proposition. Utilities will be under tremendous pressure to cut costs wherever they can. Unfortunately, in the past the industry has tried to save money all too often by cutting corners on safety. Can a nuclear expansion be carried out without either breaking the bank or exposing the public to unacceptable risk?
Because there hasn't been a serious core-melt accident in the United States since Three Mile Island in 1979, some nuclear power advocates assert that safety concerns are overblown. Although such accidents are unlikely, they are far from impossible. According to NRC estimates, the annual average chance that one of the 104 nuclear reactors in the country will experience a core melt while operating at full power is about 1 in 500 due to internal events such as pipe breaks. Taking into account the risks of external events such as earthquakes and floods and the risks during shutdowns (which are high because the fuel remains hot but some emergency cooling systems may be down for maintenance), this chance rises to almost 1 in 100 per year. In addition, today's reactors are vulnerable to sabotage from the ground or the air in ways that cannot be eliminated by simply increasing the numbers of guns, guards, and gates.
U.S. nuclear power promoters argue that a massive release of radioactive material, comparable to the 1986 Chernobyl disaster in the Soviet Union, can't happen here because U.S. reactors, unlike Chernobyl-type reactors, have robust containment structures. Yet not all U.S. containments could survive the most severe events that can occur, such as a hydrogen explosion. For some containment types, in certain accident scenarios the chance of containment rupture or bypass is nearly 100 percent. A core-melt accident could occur when a reactor is being refueled and the containment hatch is open. Terrorists armed with explosives and seeking to inflict maximum harm would encounter little difficulty breaching a containment structure.
A 9/11-style attack on a nuclear plant could pose a serious threat of breaching any containment structure that is not designed to withstand the deliberate impact of a large passenger jet. Although the NRC has proposed requiring all new plant designs to be evaluated with regard to their vulnerability to aircraft attacks, the rule would not require designers to make changes to their designs to fix deficiencies they may find. Plant designs that have already received NRC certification, such as the AP1000, would be exempt (although Toshiba-Westinghouse has committed to doing the assessment on a voluntary basis).
The consequences of such events at a U.S. nuclear plant could be grave. About 5 million Americans–more than 1 percent of the population–live within 10 miles of a nuclear plant. A 2004 study by this author for the Union of Concerned Scientists and Hudson Riverkeeper found that an event leading to a core melt and containment breach at the Indian Point nuclear plant 25 miles from New York City could be far worse than the 9/11 attacks. It could cause tens of thousands of deaths within weeks from acute radiation syndrome and hundreds of thousands of deaths within decades from cancer. Children could receive high exposures to radioactive iodine as far as hundreds of miles downwind of the plant. Such an event would have a chilling effect on prospects for a U.S. nuclear plant revival.
Unless new nuclear reactors are designed to be significantly safer and more secure against accidents and attacks than the current fleet, a large U.S. nuclear expansion could make the risk of a Chernobyl-scale release of radioactivity uncomfortably high. But the NRC and the nuclear industry are squandering the opportunity to lock in major safety and security improvements for the next generation of nuclear plants. According to a 1986 policy statement, the NRC “expects” new nuclear plants to be safer than current plants but does not require them to be safer. In fact, the NRC sets the bar for acceptable risk of core damage in new plants so low that most operating plants would meet it. Apparently the NRC fears that requiring new plants to be safer than current plants would imply that current plants are not safe enough. But this timid policy has discouraged reactor vendors from designing new plants that are clearly safer than current ones. Consequently, the next generation of plants likely to be built in the United States–which will operate for 60 years or longer–will not provide the major advances in safety and security that are needed.
The current generation of nuclear plants comprises a hodgepodge of different designs. New plants were adjusted to meet evolving regulatory requirements, and older ones were retrofitted to address problems not anticipated when the plants were built. For instance, the concrete and steel containment buildings at U.S. nuclear reactors were not designed to withstand the explosions that could result from the buildup of hydrogen gas during an uncontrolled core melt (generated from the reaction of coolant water and the metal cladding around the nuclear fuel rods). When such an explosion occurred during the Three Mile Island accident, the containment happened to survive because it was bigger and stronger than the regulations required. But if a similar explosion had happened at a reactor with smaller and weaker “pressure suppression” containment, a far larger release of radiation could have occurred. To address this risk, the NRC required that the 13 U.S. reactors with ice-condenser or Mark III pressure-suppression containments be retrofitted with spark plug-like igniters to burn off hydrogen in a controlled manner.
Such retrofits, however, don't completely eliminate the risk. The igniters require alternating current (AC) power to operate. So in the event of a total loss of power, plants such as Duke Energy's Catawba nuclear plant in South Carolina or Entergy's Grand Gulf nuclear plant in Mississippi would be highly vulnerable to containment failure. Although the NRC identified this problem a decade ago, plant owners successfully blocked the commission's attempts to require backup power supplies for the igniters and instead proposed weaker voluntary measures that have yet to be implemented.
Nuclear plant designers say that the new generation is significantly safer than previous designs, pointing to studies showing that the risk of a core melt is at least 100 times lower than the average for today's plants. Those estimates, however, are as notable for what they leave out as for what they consider. They do not take into account the large uncertainties associated with novel safety features that have yet to be demonstrated through operating experience; nor do they include potential damage from earthquakes, which are site-specific and can be one of the biggest risk factors. They also take credit for safety systems that are not highly reliable.
Some of the new plant designs are different from the current generation because they utilize so-called passive safety systems. Passive systems rely on natural forces such as gravity to provide emergency water in the event of a loss of coolant, instead of on active equipment such as motor-driven pumps. The concept sounds good in theory–passive safety systems can work without AC electric power or operator intervention. They are not as simple, however, as they first appear. One problem is that gravity provides a much weaker driving force for coolant flow than the suction provided by pumps. This means that it is harder to predict whether passive systems will work as well as active systems under the full range of potential scenarios.
To cope with uncertainties, reactor designers traditionally employ a “defense-in-depth” strategy, adding redundant and diverse safety systems to compensate in case the first line of protection fails. To cut costs, however, designers of new plants have used the low risk of core melt that they calculate to justify reducing defense-in-depth measures, such as robust containment buildings or power-operated backup systems. The ultimate defense-in-depth system is the containment building, which helps to prevent large releases of radiation into the environment in the event of an uncontrolled core melt. But reinforced concrete and steel containments are major components of the cost of new reactors, and some of the new designs, such as the Toshiba-Westinghouse AP1000, have containments that are not as robust as those of many of today's reactors. For instance, the ratio of containment volume to the thermal power of the AP1000–a measure of the containment's capacity to withstand accidents–is about 600 cubic feet per kilowatt-thermal, 20 percent lower than the average for current U.S. pressurized water reactors, excluding the much weaker ice-condenser plants.
NEW REACTOR COMPARISONS
Containment buildings should be large enough and strong enough to remain leak-tight even in the event of significant internal explosions or external impacts, such as a 9/11-type passenger jet attack. In addition to the reactor core, other vulnerable systems, such as those contained in auxiliary buildings, should also be protected by containment. It may be necessary for reactors to be built underground to meet this criterion.
Reactors with passive safety systems may ultimately prove to have significant safety advantages over current reactors, but the uncertainties are still too large to be able to conclude this today. The first generation of passively safe reactors should be equipped with active, nuclear safety-grade backup systems that can be depended on as the last line of defense in case of unexpected failures of the passive systems.
New reactors should be designed with sufficient wet storage capacity to accommodate recently discharged spent fuel until it has cooled enough to be transferred to dry storage, and ample dry storage should be included in the initial design. The density of spent fuel in the pool should be low enough so that in the event of a rapid loss of cooling water from the pool, natural convection would be adequate to keep the fuel cool. Both wet and dry storage should be secured against terrorist attack: Pools should be below grade and located within the containment building.
None of the reactor designs most likely to be deployed in the United States during the next decade is likely to incorporate all of these features.
EDWIN S. LYMAN
Another possible defense-in-depth measure for plants with passive safety features would be to install active backup systems to compensate for uncertainties in passive system performance. However, while the passive designs do incorporate certain active backup systems, they are not required to be “safety-grade”–that is, they do not have to meet the same rigorous reliability standards set by the NRC for primary safety systems. This cuts costs (by a factor of 10 for some equipment) but increases the chance that backup systems will not work when they are needed. This is a problem because some passive plant designs may actually violate the NRC's safety specifications if these backup systems are taken out of the equation.
It is also misleading to call these reactors “passively safe” because operator intervention is sometimes needed. For instance, the NRC's draft safety evaluation report for GE-Hitachi's Economic and Simplified Boiling Water Reactor (ESBWR) points out that “during shutdown, the plant relies on operator actions for accident mitigation more than it does during power operation. Several systems … rely on operators to initiate.”
Some of the reactor designs that U.S. utilities are considering do not take a passive safety approach but instead have enhanced active safety systems. This approach is exemplified by AREVA's Evolutionary Power Reactor (EPR), formerly known as the European Power Reactor. The EPR was designed to meet European safety standards that mandate increased protection against accidents and attacks relative to current plants; as a result the design has a number of features that exceed NRC requirements. It has four redundant sets of emergency cooling systems, while the NRC requires only two. The spent fuel pool is located within a building with a concrete shield to protect against external impacts, whereas at U.S. reactors the pool is far more vulnerable. But perhaps most notable is the EPR's “core catcher” feature. If a core-melt event occurs at a current generation reactor, the molten core will eventually melt through the reactor vessel and drop onto the floor of the containment building, at which point the accident will be virtually impossible to control. The EPR design includes a core catcher, which is a special chamber below the reactor vessel intended to capture and cool the molten core (although it has not been fully demonstrated).
The EPR appears to be a safer design than those plants specifically designed to meet NRC requirements. It's unclear, however, whether the safer design will be able to compete economically against the passively safe plants that have drastically cut their concrete and steel requirements, make greater use of cheaper off-the-shelf components, and don't have costly additional features such as core catchers. Cost estimates for the EPR relative to reactors such as the AP1000 do not show a clear cost disadvantage. But one can expect that extra features will generally add to the cost. If the NRC doesn't raise the safety bar, the cheaper and less robust designs will most likely prevail, and the U.S. public will face unnecessarily high risks of a serious accident or terrorist attack at a nuclear plant for the rest of this century.
