nuclear safety or risky nuclear?
DESCRIPTION
Presented to: The Georgia Triangle Lifelong Learning Institute, January 21, 2011 Lecture 2 – Nuclear Energy and Technology Dan Meneley, PhD, PEng Revised and presented to the Ottawa Branch of CNS, April 21, 2011. Nuclear Safety or Risky Nuclear?. Why should we study nuclear reactor safety? - PowerPoint PPT PresentationTRANSCRIPT
Presented to:The Georgia Triangle Lifelong Learning Institute, January 21, 2011Lecture 2 – Nuclear Energy and TechnologyDan Meneley, PhD, PEng
Revised and presented to the Ottawa Branch of CNS, April 21, 2011
1
Why should we study nuclear reactor safety? THE NEED FOR ENERGY
Some useful definitions WHAT ARE WE TALKING ABOUT?
Risk and safety UP FRONT ISSUES -- FROM THE COURSE OUTLINE
A bit of techie talk THE NATURE OF THE BEAST
Experience and lessons from the past PAST PERFORMANCE – INCLUDING THE DAIICHI
DISASTER The Present and Future
GUIDING PRINCIPLES
2
For the past 150 years we have lived on oil. First oil well in North America was drilled in Ontario
Today we burn ≈ 1,000 barrels each second. By 2100 CE we must have other energy sources in place If we can wait 100 million years, there will be new oil formed
Coal can do the job for several centuries But its environmental effects may be unmanageable
Uranium can do the job forever
3
THE NEED FOR ENERGY - 1
The potential energy in heavy elements is immense: 1 kg (U) in CANDU produces about 180 MWh(th) = 60 MWh(e).
Typical 4 - person household’s electricity use: 1,000 kilowatt hours per month = 12 megawatt hours per year So, a mere 200 grams of uranium - 6 to 8 pellets - serves one
household for an entire year. If the same energy were obtained from fossil fuel
The fuel would be 30,000 times heavier For example, about 6,000 kg of coal would be used Carbon dioxide and massive quantities of ash would be produced
Yet we use less than 1% of uranium’s potential energy
New technology is available that can use the remainder
4ΔE = ΔmC2
THE NEED FOR ENERGY - 2
Changes in lifestyle First, the poor people get poorer Then, the rich people get poorer Chaos, health degradation, and starvation follow
Energy wars? We may already be involved in one of them
General collapse of modern civilization Extreme, but possible
5
THE NEED FOR ENERGY - 3
Two sides of the story: The technical, “hard science & engineering”
side The social, human understanding side
6
7
8
At the same time, I might feel perfectly safe and you might feel terribly threatened
Years ago, my brother was a military helicopter pilot. He could terrify me with maneuvers that were routine to him
Nuclear safety discussions take place at the border between technology and psychology
Risk is my topic today Notionally, it is the inverse of safety Objective risk is easier to discuss because it is usually
expressed as the product of probability and consequence Subjective risk is not often recognized, but is vitally
important
9
The insurer (we) is the society at large You are the insured
“We” will compensate you for loss, should it occur
at a price What price will we charge for this assurance?
a price calculated so that we show a profit, on average How will we calculate the price?
by the average sum over all policy holders of the probability of loss times the promised compensation
Will you decide to pay the price? that depends on what you expect to receive from us as the
beneficiary, in both objective and subjective terms
10
You are the beneficiary – today You also pay the premiums Your risk of loss continues over the life of the power plants
We (society) promise you electricity for an eon
High reliability and reasonable cost, at low risk Is this credible?
Your risk of loss is said to be insignificant We also are members of this society We think we know whereof we speak Why should you believe us?
11
Energy, delivered reliably for many generations
The objective value of ample, economical energy Avoided consequences of not having enough energy Available alternatives – can you get a better deal??
12
13
14
Past performance Trust the trustworthy Engineering is a statutory profession – with personal liability
Trust, but verify Watchdogs are useful, even if they’re skilled professionals The Canadian Nuclear Safety Commission is your watchdog
Who else has a deep interest in safety (low risk)?
Plant owners want to protect their investment Customers want to avoid any radiation accidents In our case, these are the same people
15
Past performance People working in many institutions are less than
perfect The frequency of institutional failure is seen to be
large
Distrust, but value – ref. Hugh Heclo ‘On Thinking Institutionally”
We cannot live without institutions in many forms We need to watch them carefully, but respect
them nonetheless
16
It’s a matter of scale On a small scale, with few people, the job is quite easy On a massive scale, with billions of people, the job is
harder
We ask for solutions to serve billions of people for hundreds of years A child now in diapers might find a brand new solution Until then, nuclear fission energy is the only feasible
answer. Is this a credible statement?
17
This can be calculated, albeit with uncertainty Only the average risk can be quantified
Too many variables – individual risk has a wide range of possibilities
Make conservative assumptions Assume the most sensitive individual
For example, an infant
Assume maximum consequences Ignore beneficial effects of low dose radiation, for example
Assume extreme failure conditions Several unlikely events in sequence, conservative assumptions
18
Remember, you live in one of the richest, safest, best protected societies in all of history.
Canadian life expectancy at birth today is more than twice as long (>80) as the poorest – in Swaziland (<40)
Swaziland’s life expectancy at birth today is about the same as was the US life expectancy at birth in 1850.
19
20
Paul Slovic & Elke U. Weber, “Perception of Risk Posed by Extreme Events”, Proc. Conf. ‘Risk Management Strategies in an Uncertain World’, Apr. 2002
Of course it is!! A large amount of potential energy wrapped in a small
package Potential energy must be extracted at a controlled rate The reaction products (the “ashes” of fission) must be
managed
Dangerous, but manageable We’ve learned a lot over the past five decades We know how to do this job Are we perfect? No, but the residual risk is small
Less risky in the future The technology is mature Operational training and skill needs are clear Worldwide institutional arrangements are in order
21
The usual industrial risks Mainly heavy objects, live steam, high voltage
Radiological risks Digging uranium out of the ground and
stimulating it to fission at a very high rate is a hazardous business
Under strict control, as we will see Need to protect the plant, operating staff, and public
Sabotage risks Hostile attack
Diversion of nuclear materials22
Who is actually at risk? The plant owner, in financial terms Senior management, in terms of their careers The plant operating staff, in physical terms The local population, in lesser physical terms The rest of us, almost entirely in financial terms
Who is doing what, to reduce risk? The plant owners are training, testing, and retraining
staff The Canadian Nuclear Safety Commission is auditing
operations Atomic Energy of Canada is evolving new plant designs Everyone is studying past operations for improvement
ideas23
First, can a reactor blow up like a nuclear bomb?
Absolutely not. (Too weak, too wet, too slow)
Terrorists – who are they? They are actually saboteurs -- why are we so afraid? Are they working for a foreign government, or on their own?
Can they do it on their own? Not unless we let them
Can they make a bomb from nuclear waste? They can make an ordinary bomb a little more dangerous, but
this is very difficult and dangerous – mostly to themselves
24
Diversion of nuclear material to hostile uses This starts, most likely, as a financial transaction and may
then become a tool for sabotage This is a problem to be solved by cooperation between
nations, not by nuclear plant designers Attack on a nuclear facility by an armed group
To be a real threat, the group must have the active support of a national government – and a powerful arsenal
Detection/detention is a job for the national police force Crash of an aircraft into a nuclear station
Almost surely, the crash will cause shutdown of the reactor A shut-down reactor is a pussy cat, not a tiger (Daiichi??) Most of the people killed will have been passengers on the plane
25
The nature of the beast: Compare a coal plant and a nuclear plant . . .
Old reactor accidents Louis Slotin, NRX, NRU, SL1, Windscale
World’s largest power plant accident . . . Chernobyl unit 4
World’s 2nd largest power plant accident . . . Three Mile Island unit 2
An accident that that didn’t happen Davis Besse pressurized water reactor
25
THE NATURE OF THE BEAST - 1
26
FLY ASH CARBON DIOXIDE
BOTTOM ASHCOAL
AIR
HEAT ENERGY
CONTROL
URANIUM
HEAT ENERGY
USED FUEL
NEUTRONS
CONTROL
THE NATURE OF THE BEAST - 2
27
Neutrons Slowing Down
• When the number of slow neutrons isconstant, the system is critical.
• Delayed Neutrons appear after ~ 10 seconds.
• FAST NEUTRONS SLOW DOWN IN ABOUT ONE THOUSANDTH OF A SECOND
Leaked Neutrons
Delayed Neutrons from Fission
NeutronsDiffusing Leaked Neutrons
Captured Neutrons
CONTROL THIS TO CONTROL HEAT PRODUCTION
HEAT
Slow Neutrons
U235FISSION
PromptNeutrons
from Fission
• Some neutrons are captured in U238 and produce a useful fuel – Pu239
"ASHES”(FissionProducts)
THE NATURE OF THE BEAST - 3
A power reactor produces a lot of heat energy
A steam turbine uses almost all of this heat The amount of heat added must equal the
amount removed, at all times If too much heat is added (or not enough
heat is taken away), material temperatures rise & water pressures increase
This is a dangerous combination
29THE NATURE OF THE BEAST - 4
29
Power (t) ≈ Power (0) exp [t/(T x 1.36)]
React
ivit
y (
Dim
en
sionle
ss)
Prompt Neutron Lifetime = 1 millisecond
Prompt Neutron Lifetime = 0.01 millisecond
1 0.1 0.01 0.00110100100010000
Time (T) Taken to Double the Reactor Power (Seconds)
.007
.07
.0007
.00007
NormalControlRange
PromptCritical
THE NATURE OF THE BEAST - 5
30
Operating Trajectory
Design Center
Operating Limit
Trip LimitSafety Limit Safety Margin
Operating Margin
Operating Domain
THE NATURE OF THE BEAST - 6
Louis Slotin (1945) Re-Enactment of Slotin Experiment
32
33
First Startup July 22, 1947 Accident 12 Dec 1952 Last Shutdown April 8, 1993
34
1.
Control rod changes were made with the heavy water at a level that permitted the pile to go critical. It would have only required a short time to dump the heavy water to a safe level. This was a mistake in judgment as no instructions had ever been issued against such an operation.
2.
It was realized by both the supervisor and the pile physicist that the operator in the basement was not thoroughly familiar with the pipes and valves. In such a critical hazardous experiment he should have been replaced. (Error in judgment).
3.
Instructions were given over the telephone to change valve settings in a hazardous operation. Contrary to instructions – all such valve changes were to be made on written instruction only.
4.
The physicist had been instructed not to take charge of the control console. This instruction had come from his superintendent and in this case he did not take charge on the request of a supervisor. If he had been fully knowledgeable of the operation of the reactor he would not have made the mistake in buttons even though his instructions were wrong.
35
5.
“Free fall tests” of the safety rods had never been practiced in the reactor. If this had been done it would have been found that the percentage of rod failures due to sticking was high. The clearance in these rods is so small that a bit of dust could cause them to hang up. Also there was some residual magnetism in the headgears that aided the rods in staying up. The reactor had always been operated under the assumption that the rods would fall in without the assistance of the accelerating air. This was never thoroughly tested and, in fact, was not true. (Error in judgment and design.)
6.
The lights indicating the rods in the down position had not been functioning properly. As a result they were generally ignored. An error in design and judgment. It is interesting to note that these lights were being altered as time permitted with the intent that when alterations were complete the operation of the lights would be a requirement for reactor operation.
36
Built in the 1940s for Pu production. Loss of control & fire on Oct 11, 1957
37
First startup Nov 11, 1957. Failure in experimental channel May 24, 1958
38
Operator
US Army developed this conceptfor electricity and heating at remote sites.
Major accident on Jan 3, 1961. Three operators killed
(1) As far as possible, design, construction and operation should be the responsibility of a single organization.
(2) Responsibility for safety and all facets of reactor operation should be unequivocally defined -- ("a line organization should be used, not a committee").
(3) Safety review should be carried out by a single competent group external to the operating organization - reviews repeated by competing safety groups can "unduly harass the operating group and thereby reduce safety."
(4) The ultimate responsibility for operational safety must ultimately rest on the immediate operating team at the reactor - "in the final analysis the reactor shift supervisor and, in turn, the operator at the control console should have the authority to shut down the reactor if either believes it to be unsafe."
39
40
March 28, 1979
Good design
No overpower pulse
Poor operation
Bad procedures
Effective containment
41
April 26, 1986
The plant designer won a Lenin prize Safety cautions from Kurchatov Inst. were
ignored Test procedure was mandated from Moscow Effective command of the plant operation was
turned over to the test team – they were ignorant
Safety protective systems were disabled Operation at low power continued in spite of ban Test was continued in spite of serious operator
errors
42
43
Circa March 2002
An accident that did not happen
During the 1990s: Ontario “fell out of love” with nuclear energy An open “retirement package” was offered to staff
More than 10,000 employees took the package and retired About 4,000 skilled nuclear operations staff left the
company Nuclear Operations was placed under extreme stress
In 1997: Seven large nuclear units were shut down,
voluntarily Morale in the nuclear fleet hit rock bottom Due to strong leadership within middle management
No serious consequences ensued
44
Design basis – 5.2 to 5.7 metres Measured wave – 14 metres (TEPCO update) Consequent multi-unit station blackout Human errors
Insufficient grid protection from earthquake (地震 ) jishin
Fossil units shut down, so the offsite grid collapsed Insufficient protection of emergency power supply
Diesels in basement, fuel tanks at grade Inter- unit electrical connections?
Failure to review promptly following Kobe event (1995)
45
Human error dominated in all of these events
Machines are much too stupid to make mistakes Humans also perform spectacular “saves”
Pickering pressure tube failure Dislocation of OH nuclear operations in 1997 and
beyond Hudson River airline pilot landing in Hudson River Chilean coal mine rescue
Studying others’ accidents is educational It helps to avoid having to study one’s own accidents The practice builds care, caution – and humility
46
47
A thing of the Future
0
RISK LEVEL
UNCERTAINTY
48
Environ-ment & Public
MitigationEmergency Response
Dilution
Shutdown Fuel Cooling
Containment Exclusion Zone
SDS1 & SDS2
ECCS & Moderator
Building & Spray Dousing
Sheltering, Evacuation
Safety Systems
PreventionDisciplined Operation
Management Procedures
Automatic Control
Regulating Systems
Detection & Correction of Faults
Automatic Response to Faults
Maintenance, UER Procedures
Setback, Stepback
Process Systems
Radio- active
Material
Quality Design and
Construction
Disciplined Engineering
Also known as Defence in Depth
Revie
wMaint
ainUpgra
de
Defence in Time
49
The human cycle of Performance
⌃
InstitutionalFactors?
Caution
Safety
Danger
ConfidenceNeglect
Doubt
Complaisance
Decay
Failure
Increasing risk
Decreasing risk
Uniquely
50
SCIENTIFIC- TECHNICAL COMMUNITY
SAFETY STANDARDS AUTHORITY
PEOPLE AND
GOVERNMENT
OPERATING ORGANIZATION
DESIGNER- MANUFACTURER-
CONSTRUCTOR
PUBLIC RESPONSIBILITY
SAFETY PERFORMANCE REGULATOR
REGULATORYRESPONSIBILITY
INDUSTRY RESPONSIBILITY
Reactivity rises
Loss of control?
Safety shutdown fails?
Big energy release
High temperature
Steam Explosion
No Fuel Cooling?
Containment Rupture? Fuel Ejection Out of Reactor?
Widespread Distribution of Radioactive Fission Products?
51
Prompt Neutron Lifetime = 1 millisecond
Prompt Neutron Lifetime = 0.01 millisecond
1 0.1 0.01 0.00110100100010000
.007
.07
.0007
.00007
The important overall conclusions are as follows:
The discharge of steam from a failed calandria vessel must consider the available physical heat transfer mechanisms and compartment volumes. This becomes the dominant discharge into containment volumes over and above the discharge from the initiating LOCA pipe rupture and determines the extent of over-pressurization of the containment envelope. Thus, containment integrity margins can be expected to be larger than in Pickering A for designs which have water filled reactor (calandria) vaults (Pickering B, CANDU-6) or shield tanks (Bruce A & B, Darlington) which will further condense steam discharged from a failed calandria vessel, or for plants which have large multi-unit shared containment volumes (Bruce A & B, Darlington). Since Pickering A has an acceptable margin it may be inferred that the margins for other CANDU plant will also be acceptable.
The original 1987 analysis was considered at the time by some, and to this date by others, to be speculative. This reassessment has demonstrated that the analysis was in fact robust and the conclusions remain significantly conservative and essentially unchanged by knowledge gained and discoveries made in the intervening years.
CANDU plants are capable of withstanding extremely unlikely events causing early core disruption without significant risk to the public.
Long term fuel cooling is required by all power reactors – they must have an ultimate heat sink
Continuing electrical power supply is required by most water reactors 52
Prof. J.C. Luxat
This reactor was vulnerable Weak design Poor operation Bad management
After this accident: Design improved Operating procedures changed Better control systems installed Management was changed IAEA and WANO plant
inspections were initiated
53
5454
Core Uncovered Fuel Overheating Fuel melting - Core Damaged
Core Damaged but retained in vessel
Some portions of core melt into lower
RPV head
Containment pressurizes.
Leakage possible at drywell head
Releases of hydrogen into
secondary containment
Info. From Duane Arnold(BWR Mark 1)
55
Daiichi did not produce such large health consequences
Concentrated fuel mass, small amount of hot, high pressure water around fuel
Poor maintenance practice
Operator misunderstanding
Management laxity
Poor procedures based on bad regulatory demands
Lucky outcome56
57
•Water is added when Tcore exit> 650 C•Steam is vented to containment•Ultimate heat sink --- conduction + convection to atmosphere
DepressurizeSimilar to BWR Mark I Primary Containment Concept
58
Much more cool, low pressure water than either PWR or BWRFiltered containment vent, passive hydrogen-oxygen recombiners
CANDU 6 Dousing system
Power setback and stepback capability Unit continues to run on its own power supply
Duplicate service transformers – unit & station Auto-transfer on loss of UST
Emergency supplies on site Multi-unit sites – (China, Korea, Romania,
Ontario) Inter-unit transfer bus
Grid feed-in logic – (Ontario) System recognizes station as potential power customer
Future modifications? Ultimate heat sink?
59
60
Log
Fre
qu
en
cy
Log Consequence
Trends with increasingexperience, knowledge, and realistic consequence assessment
DisasterRange
DirectExperience
Range
RiskAssessment
Range
Regulatory RiskAcceptance Curve
Realistic accident modelingand consequence assessment
“Smart” components and systems
Utility economics & performance requirements
What will tomorrow bring? We don’t know – just wait, and the future will come Oil and gas supplies will wane The population of the earth will rise Climate will change, in one way or the other
Nuclear fission energy will be available for all Yes, someone might invent a better way, someday
But just in case they do not: There is plenty of uranium for many thousands of years There is enough uranium available to supply ALL human
energy needs for as long as we live on this earth This technology can be safely managed, in the past
Will people reject the nuclear energy solution?
Doubtful– but buildup might be delayed until time runs out
61