
Nuclear meltdown

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 24.159.226.154 (talk) at 22:28, 9 May 2010 (→‎If the containment is breached: Grammar.). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Three Mile Island Nuclear Generating Station consisted of two pressurized water reactors manufactured by Babcock & Wilcox each inside its own containment building and connected cooling towers. TMI-2, which suffered a partial meltdown causing severe fuel damage, is in the background.

A nuclear meltdown is an informal term for a severe nuclear reactor accident that results in core damage from overheating. The term is not recognized by the International Atomic Energy Agency[1] nor by the U.S. Nuclear Regulatory Commission.[2]

A meltdown can occur when a severe, compounded failure of a nuclear power plant system or components causes the reactor core to cease being properly cooled to the extent that the sealed nuclear fuel assemblies – which contain the uranium or plutonium and radioactive fission products – begin to overheat and melt. All Western civil nuclear reactors are located within containment buildings; a containment building is a structure, 1.2 to 2.4 metres (3.9 to 7.9 ft) thick, made of pre-stressed, steel-reinforced, air-tight concrete that surrounds the nuclear reactor. A meltdown is considered very serious because of the possibility that the reactor containment could be defeated, thus releasing the core's radioactive and toxic elements into the atmosphere and environment.

Civil nuclear power has only seen two partial meltdowns outside of the former Warsaw Pact and the former Soviet Union. One incident saw a meltdown that required the reactor be repaired; the other led to the permanent shutdown of the reactor in question.

Within the former Soviet Union, and the former Warsaw Pact, several nuclear meltdowns of differing severity have occurred, from localized core damage to complete destruction of the reactor core. In the most serious example, the Chernobyl disaster, a sudden, massive spike in the heat output of the reactor instantly vaporized the light water coolant, causing a steam explosion that blew the lid off the reactor and shattered the core, igniting the graphite moderator and scattering pieces of the core for miles. Subsequently, the remaining fuel rods (left in the remains of the reactor without coolant) did in fact undergo a partial meltdown, flowing through a drainage pipe into the basement of the reactor building in a fluidized mass later dubbed corium, though the much greater human hazard was the scattered fuel fragments and radioactive smoke plume. The disaster led to the immediate deaths of 56 persons and the indefinite civilian evacuation of a large area.

By design, the geometry and composition of the reactor core do not permit the extraordinary conditions necessary for explosively prompt criticality (i.e., a nuclear detonation of the type caused by nuclear weapons). However, conditions that can cause a meltdown can also cause a steam explosion, as at Chernobyl, which can cause the core to be thrown over a wide area if the reactor is not within a containment building. All Western nuclear reactors are within containment buildings. Each containment building consists of 1.2 to 2.4 metres (3.9 to 7.9 ft) thick pre-stressed, steel-reinforced, air-tight concrete, capable of withstanding tornadoes of OF6 scale (320+ mph winds) and seismic accelerations of at least 2 m/s^2.

Causes

In some reactor types, the fuel assemblies in the core can melt as a result of heat not being removed from the core. A nuclear reactor does not have to remain critical for a core damage incident to occur, because decay heat continues to heat the reactor fuel assemblies after the reactor has shut down. Decay heat decreases significantly with time, to the point where natural convection within the coolant combined with heat radiation from the Reactor Pressure Vessel (and reradiation of heat from the RPV to the containment) will be sufficient to keep the core in a permanently steady state. This occurs after a period of days to weeks after control rods are reinserted into the reactor.

Core damage, as this is called, is an incident whose proximate cause is always the loss of sufficient cooling for the nuclear fuel within the reactor core, but whose root cause may result from several factors, including a loss of pressure control accident, a loss of coolant accident (LOCA), an uncontrolled power excursion (not applicable to light water reactors), or a fire within the reactor core (not applicable to light water reactors). Failures in instrumentation and process control systems may amplify or even cause a series of events resulting in loss of cooling, though contemporary improvements in this area, and the philosophy of design conservatism in Western nuclear engineering (known as the precautionary principle, or defense in depth), mean that this scenario is no longer a major credible threat.

Except in certain types of former Soviet reactors, such as the RBMK involved in the Chernobyl incident, which was designed without any containment building, a core damage incident will not by itself result in the release of radioactivity to the environment. This is due to the reactor being contained by 1.2 to 2.4 metres (3.9 to 7.9 ft) thick pre-stressed, steel-reinforced, air-tight concrete, assuring minimal radioactive release in nearly any conceivable circumstance.

  • In a loss of coolant accident, either the physical loss of coolant (which is typically deionized water, an inert gas, or liquid sodium) or the loss of a method to ensure a sufficient flow rate of the coolant occurs. A loss of coolant accident and a loss of pressure control accident are closely related in some reactors. In a pressurized water reactor, a loss of coolant accident can also cause a steam 'bubble' to form in the core due to excessive heating of stalled coolant or by the subsequent loss of pressure control accident caused by a rapid loss of coolant.
  • In a loss of pressure control accident, the pressure of the confined coolant falls below specification without the means to restore it. In some cases this may reduce the heat transfer efficiency (when using an inert gas as a coolant) and in others may form an insulating 'bubble' of steam surrounding the fuel assemblies (for pressurized water reactors). In the latter case, due to localized heating of the steam 'bubble' due to decay heat, the pressure required to collapse the steam 'bubble' may exceed reactor design specifications until the reactor has had time to cool down. (This event is less likely to occur in boiling water reactors, where the core may be deliberately depressurized so that the Emergency Core Cooling System may be turned on).
  • In an uncontrolled power excursion accident (not applicable to light water reactors), a sudden power spike in the reactor exceeds reactor design specifications due to a sudden increase in reactor reactivity. An uncontrolled power excursion occurs due to significantly altering a parameter that affects the neutron multiplication rate of a chain reaction (examples include ejecting a control rod or significantly altering the nuclear characteristics of the moderator, such as by rapid cooling). In extreme cases the reactor may proceed to a condition known as prompt critical. This is especially a problem in reactors that have a positive void coefficient of reactivity, a positive temperature coefficient, are undermoderated, or can trap certain deleterious fission products within their fuel or moderators. Many of these characteristics are present in the RBMK design, and the Chernobyl disaster was caused by such deficiencies. Western light water reactors are not subject to uncontrolled power excursions because loss of coolant decreases, rather than increases, core reactivity; "transients," as the minor power fluctuations within Western light water reactors are called, are limited in LWRs to linear increases in reactivity that will rapidly decrease with time (approximately 200% - 250% of maximum neutronic power for a few seconds in the event of a complete rapid shutdown failure combined with a transient).
  • Core-based fires may also severely endanger the core and potentially cause the fuel assemblies to melt. A fire inside a reactor may be caused by an air addition to certain non-naval military or non-Western nuclear reactors (as it is possible for low-grade graphite to ignite inside the reactor core given oxygen) resulting in the uncontrolled heating of the coolant or moderator of the reactor. It was the exposure of the Chernobyl reactor's extremely hot graphite core to the air that caused the fire that spread the majority of the radioactivity via radioactive smoke after the initial steam explosion breached the reactor shell. Without taking proper precautions Wigner energy may also accumulate within the graphite which will greatly increase the severity of the fire (for example, during the UK military's Windscale fire). Western light water reactors, by design, do not have flammable cores or moderators and are not subject to core fires.
  • Byzantine faults and cascading failures within instrumentation and control systems may cause severe problems in reactor operation, potentially leading to core damage. For example, a failure of an instrument to report liquid levels correctly may logarithmically amplify a minor problem, like a stuck-open relief valve; another example would be a fire within a cable-tray that so severely upsets the control pathways to essential machinery that the reactor is unable to be cooled using normal channels. This has been the route by which the two emergencies within civil nuclear power in the West occurred. The Browns Ferry fire saw a fire start within a cable spreading room below the reactor control room. The cables were damaged, and reactor remote control was lost for several hours; however, the core was not damaged because plant personnel manually activated cooling systems. (Modifications including backup cable pathways and a secondary control room for safe shutdown have been installed in all Western plants since that time.) The Three Mile Island accident was caused by a stuck-open pilot-operated pressure relief valve combined with a deceptive water level gauge that caused reactor operators to respond in a technically correct but practically wrong fashion to the emergency, which resulted in core damage. (Modifications to respond to this have included enhanced training for reactor operators, better instrumentation design, and redundant instrumentation pathways.)

Sequence of Events in Western Light Water Reactors

TMI-2 Core End-State Configuration

Within the design of Western reactors, a great deal of work goes into the prevention of a core damage event. Before the core of a nuclear reactor can suffer damage, an extensive number of systems must already have completely failed. For core damage to occur in a Western LWR, there are two required precursors:

  1. A limiting fault (or a set of compounded emergency conditions) that leads to the failure of heat removal within the core (the loss of cooling). This can lead to core "uncovery", or the loss of water cooling the core, leading the core to heat up.
  2. Full failure of the engineered safeguard system. The engineered safeguard system, commonly known as the ECCS (Emergency Core Cooling System) in light water reactors, is a system located within every Western LWR that is designed to rapidly cool the core and make it safe in the event of the maximally contingent limiting fault (the design basis accident) that nuclear regulators and plant engineers could imagine.

Over 50 years of operating experience across several hundred reactors has provided every Western LWR with comprehensive measures to prevent limiting faults and ECCS failures.

  1. In the more than fifty years of Western LWR operating experience, of a fleet of several hundred reactors, no limiting fault has ever occurred. The most severe accident was a compounded group of emergency conditions.
  2. There are at least two copies of the ECCS built for every reactor. Each division (copy) of the ECCS is capable, by itself, of responding to the maximally contingent limiting fault (the design basis accident). The latest reactors have as many as four divisions of the ECCS. This is the principle of redundancy, or duplication. As long as at least 1 ECCS division functions, no core damage event can occur to the reactor.
    1. Each of the several divisions of the ECCS has several internal "trains" of components. Thus the ECCS divisions themselves have internal redundancy - and can withstand failures of components within them.
    2. Although no limiting fault has ever occurred in a Western LWR (the most severe incident being a compounded group of emergency conditions), the ECCS has been called on to perform a low number of times in the more than fifty years of Western LWR operating experience within a handful of the hundreds of Western LWRs in operation. As the highly-trained staff of each plant keeps the ECCS in peak condition at all times, that being the staff's first duty - to protect the core, and with the core, the plant, and with the plant, the public - complete failures of the ECCS proper when called upon to function have not occurred.
      1. The Three Mile Island accident was a compounded group of emergencies that led to core damage. What led to this was an erroneous decision by operators to shut down the ECCS during an emergency condition due to gauge readings that were either incorrect or misinterpreted; this caused another emergency condition, that several hours after the fact, led to core uncovery and a core damage incident. If the ECCS had been allowed to function, it would have prevented both uncovery and core damage.

If such a limiting fault were to occur, and a complete failure of all ECCS divisions were to occur, three different physical processes will provide additional time to the plant operators between the start of the limiting fault (the loss of cooling) and the potential escape of molten corium into the containment (a so-called "full meltdown"):

  1. The time required for the water to boil away (coolant, moderator). In the event of a transient, upset, emergency, or limiting fault, LWRs are designed to automatically SCRAM (a SCRAM being the immediate and full insertion of all control rods) and spin up the ECCS. This greatly reduces reactor thermal power (but does not remove it completely); this delays core "uncovery", which is defined as the point when the fuel rods are no longer covered by coolant and can begin to heat up.
  2. The time required for the fuel to form corium. After the water has boiled, then the time required for the fuel to reach its melting point will be dictated by the heat input due to decay of fission products, the heat capacity of the fuel and the melting point of the fuel. If the ECCS is activated before the point of fuel failure, core damage will be prevented.
    1. The time for the fuel to reach the critical temperature. In the most contingent scenarios involving Generation II LWRs, between 5 and 30 minutes are required for the fuel to heat beyond the critical fuel surface temperature, 2,200 °F (1,200 °C). This critical temperature is conservative - but is the point beyond which certain types of chemical reactions can threaten the structural integrity of the Zircaloy sheathing. Assuming the ECCS can be activated within the 5 to 30 minutes before this temperature limit is exceeded, the reactor will return to stability without core damage. The ECCS automatically spins up upon SCRAM, so maximally contingent scenarios predict approximately 40 seconds from event initiation to ECCS activation if at least part of the ECCS is functional. As the ECCS has multiple, redundant backup systems, it is highly unlikely that it will completely fail. No ECCS has ever totally failed when called upon to function in the history of Western nuclear power.
    2. The time between the reaching of the critical temperature and fuel failure. However, if the ECCS cannot be fully or partially activated, then events continue - and the next event, after these 5 to 30 minutes are up, is fuel failure. Fuel failure occurs an indeterminate amount of time after the fuel reaches the critical temperature. Due to this high temperature and certain types of chemical reactions, the Zircaloy fuel sheathing of the fuel rods loses integrity and releases fission products. This will be detected by a rise in ionizing flux within the RPV and the primary coolant piping due to the release of fission products. If the coolant loop is breached, as in a LOCA, ionizing flux levels will rise to excess levels within the primary containment as fission products are released into the containment.
    3. The time between fuel failure and corium formation. Once again, if the ECCS can be fully or partially activated before the accident progresses, the chain of events may be stopped. But otherwise, events will progress. The most heat flux will be at the point in the horizontal and vertical center of the core, and this is where severe fuel failure and debris bed formation begins. The first step beyond simple fuel failure is Zircaloy spallation; due to certain chemical reactions, the Zircaloy sheathing of the fuel rods will begin to spall off of the fuel rods at the point of maximum heat flux; most fuel debris will be caught in between fuel rods, control rods, and core structural elements and not fall to the bottom of the core. A debris bed will begin to form in a semi-spherical plane in the center of the core cylinder, which will expand outwards with time. As heat rises, there will be an upwards bias in the area of fuel failure, and the sphere of fuel failure will begin to move upwards from the center of the core; spalled fuel debris from fuel above the point of maximal heat flux in the center of the core will fall by gravity into the debris bed; as the upwards bias of the fuel debris region becomes more pronounced with time, eventually, all fuel above the central debris bed except for a small outer shell of fuel will spall into the central debris bed. The debris bed will expand horizontally at a slower, but definite rate, though it is highly unlikely that the outer cylinder of unmelted fuel will melt. Eventually, within the debris bed, the cladding debris and/or the control rods will come to the melting point, and will melt, beginning the process of debris bed consolidation. The uranium dioxide, however, has a much higher melting point, and will not melt for some time.
As the melting process progresses, the liquid pool of core debris will begin to move downwards, and eventually, when melting has become substantial, it is likely that some of the liquid will flow to the bottom of the RPV. This liquid will probably not initially contain uranium, as the melting point of uranium dioxide is far above that of Zircaloy and the control rods. Eventually, the fuel itself will melt and combine itself with the pool of corium, which is still moving downwards. Once the melt pool has reached the bottom of active fuel, the pool of corium is likely to fall into the bottom of the RPV along with any unmelted core debris. (Note that nearly half of the core at Three Mile Island melted but the molten debris [called "corium" or "melt"] still stayed within the reactor vessel.)
  3. The time required for the corium to breach the primary pressure boundary. This consists of the time required for the molten mixture of the core (the corium or melt) to breach the primary pressure boundary (in light water reactors, this is the reactor pressure vessel). What happens when the corium reaches the bottom of the reactor pressure vessel in a Western light water reactor is the subject of actual experience and considerable speculation, and depends on temperatures, the age of the fuel, the amount of activity the fuel has been exposed to, as well as the physical composition of the RPV, the dimensions of the RPV, and numerous other considerations. (It is physically infeasible for the fuel to remain critical in the bottom of the RPV unless reactor trip failure occurred, due to the melt of the control rods and the consequent boration of the uranium-zirconium alloy, in the event boron carbide control rods are used, or if metallic control rods are used, the addition of an additional neutron absorptive metal to the alloy, such as cadmium.) If the worst case is assumed, at least 30 to 150 minutes remains before RPV breach in a maximally contingent Western LWR limiting fault with complete loss of the ECCS, if RPV breach occurs. Even partial ECCS activation can delay this significantly, and provide time for the remainder of the ECCS to be brought back online; it is highly unlikely that the staff of a Western LWR will be completely unable to restore at least part of the ECCS prior to the RPV being breached. Further, it must be noted that RPV breach is not inevitable in the event of corium formation. The Three Mile Island accident proved this - instead, corium is likely to dilute itself with steel and the control rods and form a layer of shielding on the bottom of the RPV, limiting most of the damage to the reactor itself.
The American Nuclear Society has said "despite melting of about one-third of the fuel, the reactor vessel itself maintained its integrity and contained the damaged fuel".[3] However, the Three Mile Island example, though illustrative of the comprehensive approach of defense in depth against all contingencies, also illustrates the difficulty in predicting such behavior: the reactor vessel was not built for, and not expected to remain intact with, the temperatures it experienced when the core melted, but possibly because some of the melted material collected at the bottom of the vessel and cooled early on in the accident, it created a resistant shell against further pressure and heat. Such a possibility was not predicted by the engineers who designed the reactor and would not necessarily occur under duplicate conditions, but was largely seen as instrumental in the preservation of the reactor vessel's integrity. (However, it should be noted that the reactor vessel was inside a containment building, as in all non-Soviet nuclear plants, so a failure of the reactor vessel would not automatically mean that radioactive material would be released into the environment.)

If the RPV is not substantially breached by corium, the accident is described as a "partial meltdown", and the chain of events stops when satisfactory cooling of the remaining fuel, corium, and the RPV is restored. A partial meltdown is an INES Level 4 or 5 accident, depending on the degree of damage. If the RPV is substantially breached by corium, the accident is described as a "full meltdown", which is an INES Level 5 accident and can escalate to INES Level 6 if events progress in a highly prejudicial fashion.

If the RPV is breached: Standard failure modes

If the RPV is penetrated by the corium through the means of melting, which has never before happened in a Western light water reactor nuclear power plant, there are both scientific theories and various speculations that exist as to what may or may not occur in such an incident.

Fortunately, at least in Western plants, there is an airtight containment building consisting of pre-stressed, steel-reinforced, air-tight concrete 1.2 to 2.4 metres (3.9 to 7.9 ft) thick that stands between the molten corium and the outside world. Though radiation would be at a high level within the primary containment, doses outside of it would be insignificant. Further, modern containments are designed - or have been retrofitted - to allow for the orderly release of pressurized gasses that may be generated in an event without releasing radionuclides. (This is done by piping a pressure release valve to a series of activated carbon and HEPA filters that are designed to trap any radionuclides in the event that pressure release from the containment becomes necessary.) Hydrogen/oxygen recombiners also are installed within the containment to prevent any combination of gasses from building up within that could deflagrate and threaten containment integrity.

In a melting event, the RPV is highly unlikely to fail all at once as metal under heat stress but not extensive linear or shear stress normally fails slowly. As such, one spot or area on the RPV will become hotter than other areas, and will eventually come to the melting point. When it melts, corium will pour in a slow stream into the cavity under the reactor. Though the cavity is designed to remain dry, several NUREG-class documents advise operators to flood the cavity in the event of a fuel melt incident, and the presence of water there will cause steam to be evolved, and the containment will become pressurized from this steam. Automatically, water sprays on the top and the sides of the containment will pump large quantities of water into the steamy environment to keep the pressure down and protect containment integrity. If hydrogen is evolved and oxygen is present, catalytic recombiners will rapidly convert the hydrogen and oxygen back into water, and route the evolved water to the containment spray tank to be used to cool steam. One positive effect of the corium falling into water is that it is comprehensively cooled and returned to a solid state.

Extensive water spray systems within the containment along with the ECCS, when it is reactivated, will allow operators to spray water within the containment to cool the core on the floor and reduce it to a low temperature.

This assures that even with a molten core cooling within the containment building, there is almost no possibility of any offsite dose of significance to local citizens; for example, in the Three Mile Island event in 1979, a theoretical person standing at the plant property line during the entire event would have received a dose of approximately 2 millisieverts (200 millirem), between a chest X-ray's and a CT scan's worth of radiation. This was due to outgassing by an uncontrolled system that, today, would have been backfitted with activated carbon and HEPA filters to prevent radionuclide release.

Cooling will take quite a while, until the natural decay heat of the corium reduces to the point where natural convection and conduction of heat to the containment walls and re-radiation of heat from the containment allows for water spray systems to be shut down and the reactor put into safe storage. Thus, if all else fails, the containment can be sealed and abandoned in place with release of extremely limited offsite radioactivity. Pressure management will have to be observed carefully, at least in the near term and responded to as indicated. After a number of years for fission products to decay - probably around a decade - the containment can be reopened for decontamination and demolition.

Still, even though the secondary containment consists of pre-stressed, steel-reinforced, air-tight concrete between 1.2 to 2.4 metres (3.9 to 7.9 ft) thick, there is a possibility, however remote, that the containment could be breached after the core damage event occurred. This might take place if:

  1. An earthquake capable of producing accelerations of plant equipment to more than 0.2 g (2 m/s^2) occurred - with the plant at the precise epicenter;
  2. A tornado of Old Fujita Scale 6 with 320+ mph winds hit it (no tornado of scale OF6 has ever occurred; by definition, it is an impossible tornado);
  3. It was struck by a meteorite.

If the RPV is breached: speculative failure modes

Modern science and engineering indicate that though a core damage event is a dramatic incident, it is of limited public concern, as public safety is unlikely to be threatened by a core damage event. However, some have used creativity and their imaginations to speculate as to failure modes for Western nuclear reactors.

One highly speculative scenario consists of the Reactor Pressure Vessel failing all at once - essentially - the bottom falling out of the RPV - solid steel 6 inches thick failing all at the same time. In this extraordinarily speculative scenario, the entire mass of corium could drop into a pool of water (for example, coolant or moderator) and cause an extremely rapid evolution of steam called a Fuel-Coolant Interaction (FCI). The high rate of pressure rise within the containment could theoretically threaten integrity if rupture disks leading to filtered outgas trains were not available to ensure that the public was protected from radioactive release in such a scenario. Also, if air is available any exposed flammable substances will probably burn fiercely. Since there are few, if any, flammable substances within the containment, this is not a major concern.

Though events threatening containment integrity are presently considered essentially incredible in modern 'large-dry' containments, another extremely speculative and generally disregarded theory called an 'alpha mode' failure - the term popularized in anti-nuclear circles by the somewhat speculative 1975 Rasmussen (WASH-1400) study - could see containment integrity threatened by a fuel-coolant interaction within the RPV, leading to extremely rapid steam evolution, leading to an overpressure event within the RPV, leading to a failure of its structural integrity, and the consequent ejection of the top part of the RPV (called the "head") at the inside of the containment as a flying object. Due to the weight of the RPV head, as this is called, the containment could be threatened if the RPV head collided with it. (The WASH-1400 report was replaced by better-based newer studies, and now the Nuclear Regulatory Commission has disavowed them all and is preparing the over-arching State-of-the-Art Reactor Consequence Analyses [SOARCA] study - see the Disclaimer in NUREG-1150.)

Another speculative scenario sees a buildup of hydrogen within the containment. If hydrogen were allowed to build up within the containment, it could lead to a deflagration event. The numerous catalytic hydrogen recombiners located within the reactor core and containment will prevent this from occurring; however, prior to the installation of these recombiners in the 1980s, the Three Mile Island containment (in 1979) suffered a massive hydrogen explosion event in the accident there. The containment withstood this event and no radioactivity was released by the hydrogen explosion, clearly demonstrating the level of punishment that containments can take, and validating the industry's approach of defense in depth against all contingencies. Some, however, do not accept the Three Mile Island incident as sufficient proof that a hydrogen deflagration event will not result in containment breach.

It has not been determined to what extent a molten mass can melt through a structure (although that was tested in the Loss-of-Fluid-Test Reactor described in Test Area North's fact sheet[4]). The Three Mile Island accident saw an "impromptu test" of this question, with an actual molten core within an actual structure; the molten corium failed to melt through even the relatively thin Reactor Pressure Vessel after over six hours of exposure, due to dilution of the melt by the control rods and other reactor internals, comprehensively validating the industry's insistence on defense in depth against core damage incidents. Though this has never happened, some in the anti-nuclear movement speculate that a molten reactor core could actually penetrate the reactor pressure vessel and the 1.2 to 2.4 metres (3.9 to 7.9 ft) of pre-stressed, steel-reinforced, air-tight concrete of the reactor containment structure, and burn down (via a melt-concrete interaction) to groundwater.

If the containment is breached

The longer the reactor operators are able to retain the fission products within the core, the smaller the radioactive release will be. This is because the most highly radioactive isotopes in a fission product mixture are short-lived. For example, if all the iodine in a core were released one week after criticality was terminated by a SCRAM, then the thyroid dose suffered by the population would be lower than if the iodine had escaped the plant one hour after the reactor was scrammed. Thyroid dose can be minimized, in any event, by the consumption of potassium iodide.

Other Reactor Types

There are other types of reactors within the non-Soviet world that have different capabilities and safety profiles than the LWR does. Advanced varieties of several of these reactors have the potential to be inherently safe, which would make them not vulnerable to operating transients, derangements, and/or limiting faults that in other reactor types might lead to core damage.

The case of CANDU reactors

CANDU reactors present a special case. They are designed with at least one, and generally two, large low-temperature and low-pressure water reservoirs around their fuel/coolant channels. The first is the bulk heavy-water moderator (a separate system from the coolant), and the second is the light-water-filled shield tank. It has been shown that even under severe loss-of-coolant conditions these backup heat sinks are sufficient to prevent either the fuel meltdown in the first place (using the moderator heat sink), or the breaching of the core vessel should the moderator eventually boil off (using the shield tank heat sink). [Allen et al.] Other, less destructive failure modes aside from fuel melt will probably occur in a CANDU rather than a meltdown, such as deformation of the calandria into a non-critical configuration. All CANDU reactors are located within standard Western containments as well.

The case of PIUS LWRs

The PIUS (process inherent ultimate safety) LWR designs, originally engineered by the Swedes in the late 1970s and early 1980s, are LWRs that by virtue of their design are not vulnerable to core damage. They are Generation IV designs that must be tested prior to deployment, but provide a path to future inherently safe LWR technology.

The case of uranium hydride moderated reactors (TRIGA and others)

The TRIGA-type reactor, designed and built by U.S. firm General Atomics and used for research at universities and medical facilities, is very well known for being inherently safe and completely invulnerable to core damage. The design is so safe that "uncontrolled power excursions" are not a safety hazard but a feature of the design and can be deliberately induced by reactor operations personnel, so as to "pulse" the reactor to produce a burst of neutrons during routine operations; the reactor automatically and naturally returns to a normal neutronic state after being "pulsed" due to the physical composition of the fuel. Core damage is physically impossible: if the reactor gets too hot, it shuts down on a molecular level and heat generation ceases.

Power reactors, including the Deployable Electrical Energy Reactor, a larger-scale mobile version of the TRIGA for power generation in disaster areas and on military missions, and the TRIGA Power System, a small power plant and heat source for small and remote community use, have been put forward by interested engineers, and share the safety characteristics of the TRIGA due to the uranium zirconium hydride fuel used.

The Hyperion Power Module, a reactor that uses uranium hydride as a moderator and fuel, similar in chemistry and safety to the TRIGA, also possesses these extreme safety and stability characteristics, and has attracted a good deal of interest in recent times.

The case of gas-cooled reactors

One type of Western reactor, known as the advanced gas-cooled reactor (or AGCR), built by the United Kingdom, is not very vulnerable to loss of cooling accidents or to core damage except in the most extreme of circumstances. By virtue of the relatively inert coolant (carbon dioxide), the large volume and high pressure of the coolant, and the relatively high heat transfer efficiency of the reactor, the timeframe for core damage in the event of a limiting fault is measured in days. Restoration of some means of coolant flow will prevent core damage from occurring.

Other types of highly advanced gas cooled reactors, generally known as high-temperature gas-cooled reactors (HTGRs) such as the Japanese High Temperature Test Reactor and the United States' Very High Temperature Reactor, are inherently safe, meaning that meltdown or other forms of core damage are physically impossible, due to the structure of the core, which consists of hexagonal prismatic blocks of silicon carbide reinforced graphite infused with TRISO or QUADRISO pellets of uranium, thorium, or mixed oxide buried underground in a helium-filled steel pressure vessel within a concrete containment. Though this type of reactor is not susceptible to meltdown, additional capabilities of heat removal are provided by using regular atmospheric airflow as a means of backup heat removal, by having it pass through a heat exchanger and rise into the atmosphere due to convection, achieving full residual heat removal. The VHTR is scheduled to be prototyped and tested at Idaho National Laboratory within the next decade (as of 2009) as the design selected for the Next Generation Nuclear Plant by the US Department of Energy. This reactor will use a gas as a coolant, which can then be used for process heat (such as in hydrogen production) or for the driving of gas turbines and the generation of electricity.

A similar highly-advanced gas cooled reactor originally designed by West Germany (the AVR reactor) and now developed by South Africa is known as the Pebble Bed Modular Reactor. It is an inherently safe design, meaning that core damage is physically impossible, due to the design of the fuel (spherical graphite "pebbles" arranged in a bed within a metal RPV and filled with TRISO (or QUADRISO) pellets of uranium, thorium, or mixed oxide). A prototype of a very similar type of reactor has been built by the Chinese, HTR-10, and has worked beyond researchers' expectations, leading the Chinese to announce plans to build a pair of follow-on, full-scale 250 MWe, inherently safe, power production reactors based on the same concept. (See Nuclear power in the People's Republic of China for more information.)

The case of liquid fluoride thermal reactors

The liquid fluoride thermal reactor (LFTR) is designed to naturally have its core in a molten state, as a eutectic mix of thorium and fluorine salts. As such, a molten core is reflective of the normal and safe state of operation of this reactor type. In the event the core overheats, a metal plug will melt, and the molten salt core will drain into tanks where it will cool in a non-critical configuration. Since the core is liquid, and already melted, it cannot be damaged.

The case of advanced liquid metal reactors

Advanced liquid metal reactors, such as the U.S. Integral Fast Reactor and the Russian BN-350, BN-600, and BN-800, all have a coolant with very high heat capacity, sodium metal. As such, they can withstand a loss of cooling without SCRAM and a loss of heat sink without SCRAM, qualifying them as inherently safe.

Prevention, Suppression, and Containment of Core Damage Events in Former Soviet Reactors

The former Soviet Union, and presently Russia, built specialized types of nuclear reactors that are distinctive in their independent origin from those in the West, as well as in their designs and safety systems, which reflect that different national origin. Their two major reactor designs and the safety systems thereof - those of the VVER, a type of pressurized water reactor, and the RBMK, a type of graphite moderated, light water cooled reactor - are discussed below.

Former Soviet (and CIS) RBMKs

Former Soviet RBMKs, however, found only in Russia and the CIS, do not have containment buildings, are naturally unstable (tending to dangerous power fluctuations), and also have ECCS systems that are considered grossly inadequate by Western safety standards.

Unity of purpose and effort within the Soviet nuclear power program was also hindered by the non-propulsion-related military uses to which RBMKs were put, while being used as nuclear power plants. These military uses proved a dangerous distraction from the peaceful use of nuclear energy.

  • RBMK ECCS systems:
    • Only have one division and have less than sufficient redundancy within that division.
    • Though the large core size of the RBMK makes it less energy-dense than the Western LWR core, it makes it harder to cool.
  • The RBMK is moderated by graphite:
    • In the presence of both steam and molecular oxygen, at high temperatures, graphite forms synthesis gas and with the water gas shift reaction the resultant hydrogen burns explosively.
    • In the presence of sufficient oxygen pressure, at fluctuating temperatures corresponding to fluctuating power output, graphite may burn directly.
  • The RBMK tends towards dangerous power fluctuations:
    • Control rods used to be tipped with graphite, a material that slows neutrons and thus speeds up the chain reaction.
    • Water is used as a coolant, but not a moderator. If the water boils, cooling is lost, but moderation is not lost. This is termed a positive void coefficient of reactivity. Western reactors have negative void coefficients, with the exception of CANDU reactors. CANDU reactors have a low positive void coefficient, and also have two separate, rapidly acting shutdown systems that will automatically trip and make the reactor safe within a trivial timeframe if reactor period goes below a certain point.
    • Control rods can become stuck if the reactor suddenly heats up and they are moving.
    • Xenon 135, a neutron absorbent fission product, has a tendency to build up in the core and burn off unpredictably in the event of low power operation. This can lead to inaccurate neutronic and thermal power ratings.
  • The RBMK does not have any containment above the core.
    • The only substantial solid barrier above the fuel is the upper part of the core, called the upper biological shield, which is a piece of concrete interpenetrated with control rods and with access holes for refueling while online.
    • Other parts of the RBMK were shielded better than the core itself.
  • Rapid shutdown (SCRAM) takes 10 to 15 seconds. Western reactors take 1 - 2.5 seconds.

Western aid has been given to provide certain real-time safety monitoring capacities to the human staff. Whether this extends to automatic initiation of emergency cooling is not known. Training has been provided in safety assessment from Western sources, and Russian reactors have evolved in response to the weaknesses that were in the RBMK. However, numerous RBMKs still operate.

It is safe to say that it might be possible to stop a loss of coolant event prior to core damage occurring, but that any core damage incidents will probably assure massive release of radioactive materials. Further, dangerous power fluctuations are natural to the design.

Lithuania joined the EU recently, and upon acceding, it has been required to shut the two RBMKs that it has at Ignalina NPP, as such reactors are totally incompatible with the nuclear safety standards of Europe (and the US, Japan, China, Canada, India, etc.). It will be replacing them with some safer form of reactor.

The MKER - a modernized graphite moderated channel type reactor

The MKER is a modern Russian-engineered channel type reactor that is a very distant descendant of the RBMK and approaches the concept of graphite moderated channel type reactor from a different and superior direction, optimizing the benefits, and fixing the flaws of the original RBMK design.

There are several unique features of the MKER's design that make it a credible and interesting option:

  • One unique benefit of the MKER's design is that in the event of a challenge to cooling within the core (a pipe break of a channel), the channel can be isolated from the plenums supplying water, decreasing the potential for common-mode failures.
  • The lower power density of the core greatly enhances coolability, while graphite moderation enhances neutronic characteristics beyond light water ranges.
  • The passive emergency cooling system provides a high level of protection by using natural phenomena to cool the core rather than depending on motor-driven pumps.
  • The containment structure is modern and designed to withstand a very high level of punishment.
  • Refueling is accomplished while online, ensuring that outages are for maintenance only and are very few and far between. 97-99% uptime is a definite possibility.
  • Lower enrichment fuels can be used, and high burnup can be achieved due to the moderator design.
  • Neutronics characteristics have been revamped to optimize for purely civil fuel fertilization and recycling.

Due to the enhanced quality control of parts, advanced computer controls, comprehensive passive emergency core cooling system, and very strong containment structure, along with a negative void coefficient and a fast acting rapid shutdown system, the MKER's safety can generally be regarded as being in the range of the Western Generation III reactors, and the unique benefits of the design may enhance its competitiveness in countries considering full fuel-cycle options for nuclear development.

Former Soviet (present Russian & ROW) VVERs

The VVER is a former Soviet-origin pressurized light water reactor that is far more inherently stable and inherently safe than the former Soviet RBMK. This is because it uses light water as a moderator (rather than graphite), has well understood operating characteristics, and has a negative void coefficient of reactivity. In addition, some have been built with more than marginal containments, some have quality ECCS systems, and some have been upgraded to international standards of control and instrumentation. Present generations of VVERs (the VVER-1000) are built to Western-equivalent levels of instrumentation, control, and containment systems.

However, even with these positive developments, certain older VVER models raise a high level of concern, especially the VVER-440 V230.[5]

The VVER-440 V230:

  • Has no containment building. Has a structure capable of confining steam surrounding the RPV. This is a volume of thin steel, perhaps an inch or two in thickness, grossly insufficient by Western standards.
  • Has no ECCS. Can survive at most one 4 inch pipe break (there are many pipes greater than 4 inches within the design).
  • Has six steam generator loops, adding unnecessary complexity.
    • However, apparently steam generator loops can be isolated, in the event that a break occurs in one of these loops. The plant can remain operating with one isolated loop - a feature found in few Western reactors.
  • Interior of RPV is plain alloy steel, exposed to water. There is no layer of Inconel 600 or even stainless steel. This can lead to rust, if the reactor is exposed to water. Since the VVER is a pressurized water reactor, it is foreseeable that VVER RPVs can rust.
    • One point of distinction in which the VVER surpasses the West is the reactor water cleanup facility - built, no doubt, to deal with the enormous volume of rust within the primary coolant loop - the product of the slow corrosion of the RPV.
  • This model is viewed as having inadequate process control systems.

The Bulgarians had a number of VVER-440 V230 models, but they opted to shut them down upon joining the EU rather than backfit them, and are instead building new VVER-1000 models. Many non-EU states maintain V230 models, including Russia and the CIS. Many of these states - rather than abandoning the reactors entirely - have opted to install an ECCS, develop standard procedures, and install proper instrumentation and control systems. Though confinements cannot be transformed into containments, the risk of a limiting fault resulting in core damage can be greatly reduced.

The VVER-440 V213 model was built to the first set of Soviet nuclear safety standards. It possesses a modest containment building, and the ECCS systems, though not completely to Western standards, are reasonably comprehensive. Many VVER-440 V213 models possessed by former Soviet bloc countries have been upgraded to fully automated Western-style instrumentation and control systems, improving safety to Western levels for accident prevention - but not for accident containment, which is of a modest level compared to Western plants. These reactors are regarded as "safe enough" by Western standards to continue operation without major modifications, though most owners have performed major modifications to bring them up to generally equivalent levels of nuclear safety.

During the 1970s, Finland built two VVER-440 V213 models to Western standards with a large-volume full containment and world-class instrumentation, control standards and an ECCS with multiply redundant and diversified components. In addition, passive safety features such as 900-tonne ice condensers have been installed, making these two units safety-wise the most advanced VVER-440's in the world.

The VVER-1000 type has a definitely adequate Western-style containment, the ECCS is sufficient by Western standards, and instrumentation and control has been markedly improved to Western 1970s-era levels.

Failure modes analysis

In the Chernobyl accident, the fuel became non-critical when it melted and flowed away from the graphite moderator - however, it took considerable time to cool. If hot uranium dioxide is combined with iron(II) oxide a eutectic is formed which may cause the fuel to become more mobile than it would otherwise be.[6]

It should be noted that the molten core of Chernobyl (that part that didn't vaporize in the fire) flowed in a channel created by the structure of its reactor building (e.g., walls and stairways) and froze in place before a core-concrete interaction could happen. In the basement of the reactor at Chernobyl, a large "elephant's foot" of congealed core material was found. Furthermore, the time delay and the lack of a direct path to the atmosphere (such as a containment building is designed to provide) would work to significantly ameliorate the radiological release. Any steam-explosions/FCI which occurred would probably work mainly to increase cooling of the core-debris. However, if the basement of the reactor building were penetrated the groundwater itself would likely be severely contaminated, and its flow could carry the contamination far afield.

The Chernobyl incident

Even though the Chernobyl accident had dire off-site effects, much of the radioactivity remained within the building. If the building were to fail and dust were to be released into the environment, then the release of a given mass of fission products which have aged for twenty years would have a smaller effect than the release of the same mass of fission products (in the same chemical and physical form) which had only undergone a short cooling time (such as one hour) after the nuclear reaction had been terminated. However, if a nuclear reaction were to occur again within the Chernobyl plant (for instance if rainwater were to collect and act as a moderator), then the new fission products would have a higher specific activity and thus pose a greater threat if they were released. To prevent a post-accident nuclear reaction, steps have been taken (such as adding neutron poisons to key parts of the basement).

Comparability analysis

It may safely be assumed that with RBMKs of any type, any limiting fault followed by partial or total ECCS failure or failure to SCRAM when indicated will result in core damage and radioactive release to the environment.

The following assumptions may be made about the VVER reactors:

  • VVER-440 V230 models WITHOUT substantial upgrades: Assume that limiting fault (LBLOCA) will result in core damage if ECCS suffers any degradation in performance, delayed activation, or failures. Assume that radioactive release to environment is assured if RPV is breached.
  • VVER-440 V230 models WITH substantial upgrades: Assume that limiting fault (LBLOCA) is less likely to result in core damage than unmodified V230; in particular, ECCS will have sufficient capacity to respond to limiting faults with some redundancy. Confinement strengthening may prevent radioactive release in some core damage scenarios.
  • VVER-440 V213: Assume that limiting fault (LBLOCA) will successfully be responded to by ECCS, and that reserve capacity does exist for ECCS; this will prevent core damage in most circumstances. If core damage does occur, assume that - depending on severity - radioactive release to the environment could take place with stock containment.
  • VVER-440 V213 Finnish installations: Assume will perform at level of "newer" (post-1975) Generation II Western PWR.
  • VVER-1000: Make assumptions based on "newer" (post-1975) Generation II reactors.

Effects

The effects of a nuclear meltdown depend on the safety features designed into a reactor. A modern reactor is designed both to make a meltdown highly unlikely, and to contain one should it occur. In the future passively safe or inherently safe designs will make the possibility exceedingly unlikely.

In a modern reactor, a nuclear meltdown, whether partial or total, should be contained inside the reactor's containment structure. Thus (assuming that no other major disasters occur) while the meltdown will severely damage the reactor itself, possibly contaminating the whole structure with highly radioactive material, a meltdown alone will generally not lead to significant radiation release or danger to the public. The effects are therefore primarily economic[7].

In practice, however, a nuclear meltdown is often part of a larger chain of disasters (although there have been so few meltdowns in the history of nuclear power that there is not a large pool of statistical information from which to draw a credible conclusion as to what "often" happens in such circumstances). For example, in the Chernobyl accident, by the time the core melted, there had already been a large steam explosion and graphite fire and major release of radioactive contamination (as with almost all Soviet reactors, there was no containment structure at Chernobyl).

Reactor design

Although pressurized water reactors are more susceptible to nuclear meltdown in the absence of active safety measures, this is not a universal feature of civilian nuclear reactors. Much of the research in civilian nuclear reactors is for designs with passive safety features that would be much less susceptible to meltdown, even if all emergency systems failed. For example, pebble bed reactors are designed so that complete loss of coolant for an indefinite period does not result in the reactor overheating. The General Electric ESBWR and Westinghouse AP1000 have passively-activated safety systems. The CANDU reactor has two low-temperature and low-pressure water systems surrounding the fuel (i.e. moderator and shield tank) that act as back-up heat sinks and preclude meltdowns and core-breaching scenarios [Allen et al.].

Fast breeder reactors are more susceptible to meltdown than other reactor types, due to the larger quantity of fissile material and the higher neutron flux inside the reactor core, which makes it more difficult to control the reaction.

Accidental fires are widely acknowledged to be risk factors that can contribute to a nuclear meltdown. It is for this reason that circuit integrity measures are used for the electrical wiring that runs between control rooms and reactors. Ideally, a reactor is equipped with two "shutdown trains" or two sets of wires so that if one should fail, the other can be used to shut down the reactor. This common procedure became the subject of controversy during the Thermo-Lag scandal, when whistleblower Gerald W. Brown notified the NRC that the fire testing used to qualify Thermo-Lag was inadequate, meaning the fire-resistance rating thought to exist was in fact much lower, which meant that the majority of NRC licensees did not have operable protection of their safe shutdown wiring. Similar criticisms were leveled by US Congressman Ed Markey at the use of combustible silicone foam as firestops. The problem did not occur in German plants, as operators must follow not just the directives of their federal regulators but are also required to follow the local building code, which makes product certification mandatory. Bounding in US and Canadian plants is not based on product certification. The Canadian disclosures by Gerald W. Brown revealed that Canadian plants also used unbounded silicone foam and Elastaseal based on indefensible test reports. The safe shutdown trains, typically consisting of wiring inside of cable trays, used single-sided "fireproofing", consisting of sheet metal and proprietary intumescent sheets, for three-dimensional cable trays. The disclosures were made public by the Canadian Broadcasting Corporation's "The National" program, which caused the proceedings of the Select Committee on Ontario Hydro Nuclear Affairs to take place. Still, to this date, neither the NRC nor the Canadian Nuclear Safety Commission requires product certification, which is mandatory for civilian construction.

Other theoretical consequences of a nuclear meltdown

If the reactor core becomes too hot, it might melt through the reactor vessel (although this has not happened to date) and the floor of the reactor chamber and descend until it becomes diluted by surrounding material and cooled enough to no longer melt through the material underneath, or until it hits groundwater. This type of nuclear meltdown is known as a China Syndrome. Note that a nuclear explosion does not happen in a nuclear meltdown due to the low fissility of the radioactive components. However, a steam explosion may occur if it hits water.

The geometry and presence of the coolant have a twin role: they both cool the reactor and slow down emitted neutrons. The latter role is crucial to maintaining the chain reaction, and so even without coolant the molten core is designed to be unable to form an uncontrolled critical mass (a recriticality). However, the molten reactor core will continue generating enough heat through unmoderated radioactive decay ('decay heat') to maintain or even increase its temperature.

Meltdowns that have occurred

A number of Russian nuclear submarines have experienced nuclear meltdowns. The only known large scale nuclear meltdowns at civilian nuclear power plants were in the Chernobyl disaster at Chernobyl Nuclear Power Plant, Ukraine, in 1986, and the Three Mile Island accident at Three Mile Island, Pennsylvania, USA, in 1979, although there have been partial core meltdowns at:

Not all of these were caused by a loss of coolant and in several cases (the Chernobyl disaster and the Windscale fire, for example) the meltdown was not the most severe problem.

References

  • Rasmussen N. (editor) (1975) Reactor Safety Study WASH-1400, USNRC
  • P.J. Allen, J.Q. Howieson, H.S. Shapiro, J.T. Rogers, P. Mostert and R.W. van Otterloo, "Summary of CANDU 6 Probabilistic Safety Assessment Study Results", Nuclear Safety, Vol 31 No 2 Ap-Jn 1990.
  1. International Atomic Energy Agency (IAEA) (2007). IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection (2007 ed.). Vienna, Austria: International Atomic Energy Agency. ISBN 9201007078. Retrieved 2009-08-17.
  2. United States Nuclear Regulatory Commission (USNRC) (2009-09-14). "Glossary". Website. Rockville, MD, USA: Federal Government of the United States. See Entries for Letter M and Entries for Letter N. Retrieved 2009-10-03.
  3. ANS : Public Information : Resources : Special Topics : History at Three Mile Island : What Happened and What Didn't in the TMI-2 Accident
  4. Test Area North
  5. INL VVER Sourcebook, http://www.insc.anl.gov/neisb/neisb4/NEISB_1.1.html
  6. S.V. Bechta, E.V. Krushinov, V.I. Almjashev, S.A. Vitol, L.P. Mezentseva, Yu.B. Petrov, D.B. Lopukh, V.B. Khabensky, M. Barrachin, S. Hellmann, K. Froment, M. Fisher, W. Tromm, D. Bottomley, F. Defoort and V.V. Gusarov, Journal of Nuclear Materials, 2007, 362, 46
  7. Partial Fuel Meltdown Events
  8. Page 300, Radioactivity, Ionizing Radiation and Nuclear Energy, Jiří Hála and James D. Navratil, Published by Konvoj (Brno) 2003, ISBN 807302053X