Nuclear reactors: How safe is safe?
It was supposed to be a routine power shutdown; but, for 14 tension-filled minutes last June, the fission process boiling away in the nuclear reactor at Browns Ferry, Ala., failed to respond to the systems designed to bring it under control. It was apparently the first such failure in this country's nuclear power history and, according to one industry expert, "could have been a very messy situation, indeed."
Engineers at Browns Ferry had already killed 70 percent of the reactor's power by reducing the water flow that controls the nuclear reaction. The next step in defusing the remaining 30 percent was to hit the "scram" buttons at the heart of the massive control room console. When they did so, however, it quickly became apparent that something was wrong in one of the reactor's most important fail-safe mechanisms.
"Scram" is nuclear industry jargon for the system that plunges boron- or cadmium-filled rods into the reactor's core (boron and cadmium absorb the flying neutrons that sustain a nuclear chain reaction), thus suddenly aborting the nuclear fission process. At Browns Ferry, almost half these rods failed to enter the core because of water accumulated in the hydraulic scram system. Engineers had to pump some of the water and try scramming again several times before all the rods entered the core. This is the only recorded instance of scram failure in the United States.
Scramming the reactor is a regular occurrence at places like Browns Ferry, but that doesn't lessen the importance of those two red scram buttons. Every man and woman in the technology-crammed control room -- filled as it is with hotline phones, safety equipment, and public evacuation plans -- knows that those buttons are among the most important safety features of the plant. They are the operator's brakes, the final trump card, the last major defense against disaster.
At Browns Ferry it took 14 minutes to put on those brakes, and in the middle of a nuclear incident, 14 minutes can be an eternity. Had Browns Ferry been at full power when the scram failure occurred, or had the reactor been experiencing certain kinds of mechanical malfunctions, the threat to public safety could have been considerable.
"It was fortunate that they were 30 percent power already," explains Carlyle Michelson, head of the Nuclear Regulatory Commission (NRC) unit that studies nuclear power plant incidents with potential safety significance. "Fourteen minutes certainly would not have been enough time if you had been in real trouble."
Enough time for what? In what kind of "real trouble"?
These questions are at the heart of a decade-old debate between NRC staffers and the nuclear industry itself, a debate that promises to become even more strident in coming weeks as the commission considers imposing tough new safety requirements designed to prevent similar scram failures, especially while a nuclear reactor is undergoing an unplanned but predictable breakdown, known as an "anticipated transient."
Anticipated transients happen on the average of one per reactor each year. If allowed to continue unchecked, they could lead to substantive safety failures within the complex maze of systems in the reactor. Almost the only way out of these critical junctures is to hit the scram buttons. Failure of the scram system in such situations is commonly referred to as Anticipated Transient Without Scram (ATWS).
There has never been an ATWS in a nuclear power plant, but NRC staffers are afraid that one could happen.
"It's a judgment call, and a tough one," says Dr. Roger Mattson, a former director of systems safety at NRC, who worked on ATWS questions there until recently. But scram has to work "every time there is a challenge to the reactor, and since you get a transient event on the order of once every reactor year, the potential for an ATWS is considerable."
The proposed NRC rule would add two levels of safety systems to preclude an ATWS from becoming a public calamity. First, they would force plant owners to build another start-up mechanism for the scram system. Second, they would require the development of ways to mitigate the consequences of the ATWS, should both scram systems fail.
NRC staff members expect a protracted battle from the nuclear industry over the new ATWS requirements; and they will get one.
"As far as we are concerned, these ATWS precautions are window dressing," argues Dave Rossin, research director of Chicago's Commonwealth Edison, "because the probabilities of an ATWS are so vanishingly small. The ATWS rule only adds another level of redundancy. . . . We've got to put a stop to this bureaucratic interference someplace. And ATWS is where we are drawing the line."
NRC officials argue that, not only is the new rule necessary to prevent a possible ATWS, but it will also prevent major public dangers arising from simple scram failures, such as the one that occurred at Browns Ferry, which they say could have jeopardized the public even without an ATWS.
"Had they been at full power," speculates Mr. Michelson (who correctly forecast part of the accident sequence at Three Mile Island in a memo widely ignored by nuclear officials both within the industry and the regulatory agencies), "and the rods went in about the way they did, then the power would have dropped to about 20 percent. That's something you can't contend with for very long. Maybe 15 to 20 minutes. It wouldn't be like 20 seconds, but it would be a very finite length of time. And the problem is that the emergency systems are simply not designed [to cope with such a situation]. Fifteen to 20 minutes of uncontrolled boiling would eventually have to blow the containment out."
Does this mean the reactor would leak radioactive material into the surrounding atmosphere?
"I'm afraid so."
What would the composition of this material be?
"Well, it would certainly not be very clean. It would be pretty radioactive. It's not the kind of thing you would want to spread around the countryside. From there, the scenarios can be drawn in every direction."
Unsettling as such scenarios might seem to the average citizen, they are not the kind of thing that nuclear power plant employees like Mark Budej lose much sleep over.
Mr. Budej is an electrical engineer at the Oyster Creek nuclear power plant in Lacey Township, N.J., which is owned by General Public Utilities, the holding company for Three Mile Island. Youngish, articulate, technically knowledgeable, he is newly responsible for media relations at his plant. He still retains his regular duties as a shift technical adviser, and sleeps at the plant two nights a month to be on call in case of an emergency. While he is there, he sleeps like a baby, knowing that scram has always worked in his plant, and confident that it always will.
He still recalls the first time he witnessed a scram sequence -- "all those lights flashing and the alarms going off, it sure gets your heart pounding" -- but he is quick to point out that it has become pretty routine with him.
"I have witnessed at least a half dozen scrams on this reactor, and I've never doubted that they were going to work," he says with calm conviction. "I'll be honest with you, I can put together a number of scenarios [involving scram failure] that could get us into a lot of trouble. But the sequences of things that would have to go wrong are too numerous to count. They are within the realm of possibility, but they are almost completely improbable."
To prove his point, he leads me through a tour of the plant, from security frisks at the front door to futuristic backlot transformers to the slightly rusted hydraulic pipes that look like World War II battleship equipment into the reactor control room, with its electronic components and constants, expert staffing, past the four-foot-thick outer wall of the reactor to the unenclosed spent-fuel pool, where, in 30 feet of water, used nuclear fuel rods start decades of gradually giving off accumulated radioactivity.
As we walk, he points out the levels of backup systems in the plant, reminding me each step of the way that, not only has the scram never failed here, but that there never has been an ATWS in any nuclear power plant, anywhere.
While there's never been an ATWS in the history of nuclear power plants, both halves of the event -- the anticipated transient, and the scram failure -- have occurred independently of each other.
By its very "anticipated" nature, a transient is a frequent thing. And there are numerous occasions on record where turbines have tripped, pipes have burst, electrical systems have shorted out, fuel failures have occurred, reactor low-water-level situations have arisen -- all requiring scrams.
Speculating about the consequences of scram failures at such critical junctures has become a favorite pastime of antinuclear activists and authors eager to capitalize on the current wave of anxiety about nuclear power plant safety.
In his recent novel, "The Dorset Disaster," Alexander Sidar III presents an account of an ATWS at a fictitious power plant in Connecticut. The book, which reads like your average disaster movie (and was conceived with a movie version in mind), gets high technical marks from experts at the NRC for the massive documentation and technical detail it contains, even if it is considered by most to be poor fiction.
Poor fiction or not, the narrative pulls you relentlessly through an elaborately conceived chain of events.
Operators at the fictitious Dorset power plant in Connecticut are following routine procedures when the reactor experiences an anticipated transient known as "a turbine trip," a failure of reactor power to drive the turbine generator. This calls for an immediate reactor scram. But, when the operator punches the two scram buttons, the rods fail to insert, and the steam bottled up in the reactor continues to boil at dangerously high temperatures. In desperation, the operators attempt to shut off the pumps that swirl water through the core, trying to at least slow down the nuclear reaction. But these also fail.
Then the unthinkable happens. Pressure builds up in the primary containment system and the head of the reactor explodes through the wall of the reactor building. Within seconds, a huge plume of radioactive steam erupts into the cold night air.
To this "worst case" mechanical scenario Sidar adds the most unfavorable atmospheric and meteorological conditions, which sweep the radioactive cloud across Connecticut and out to sea, barely missing New York City in the process. The path of radiation causes far more deaths than any estimates of the toll of Hiroshima. (A nuclear reactor is much more radioactively "dirty" than most nuclear bombs because of its much larger supply of radioactive material.)
This accident is unimaginably devastating by comparison with the potential mishap at Browns Ferry. It is a worst-case scenario. An antinuclear activist's nightmare. The "end of the world" type of ATWS.
Will it ever happen?
Technical experts at the NRC and in the industry contacted for this story say, "No."
Could it happen?
They almost all say, "Yes," an opinion that is evidently predominant throughout the industry.
"He did his homework," comments Bob Bernero, chief of the NRC division that does risk analysis on nuclear accidents. "He used an accident scenario that has been discussed for a long time. Browns Ferry experienced a part of the failure he described. He added another conceivable failure, an RCP trip circuit. It's an improbable combination of events . . . but it is conceivable."
Mr. Bernero is quick to add that "conceivable" means just that: something one could technically conceive of, not something one expects to happen, like "a jumbo jet crashing into Yankee Stadium and killing 20,000 people, the kind of thing we don't like to talk about as a society."
Nuclear scientists at General Electric, which builds the type of reactor described in "The Dorset Disaster," are quite willing to talk about such ATWS theories, and to say they are so much nonsense.
"The author of that book postulates a sequence of failures that we think is inconceivable," Hank Pfefferlen, a reactor licensing manager at General Electric, argues. "Even the total scram failure is a pretty big pill to swallow. But the subsequent failures are even more unimaginable. The head blowing off is just impossible. The bolts that hold it down would stretch and thereby relieve the pressure. And not even then would you get a leak into the atmosphere." A secondary containment shell would hold the radioactive material.
"We design for unexpected things like this."
People like Bob Pollard, a former NRC staffer who left to join the antinuclear Union of Concerned Scientists, don't think they design well enough.
"'The Dorset Disaster' mechanism is not only potential," he argues. "Once the rods fail to insert and the recirc pump sticks, it is a certainty. In my view, what happened in that book is clearly a probability. Whether the probability is great or not, you have to ask yourself, considering the possible consequences, if the risk is acceptable. The question this nation has to answer is: Are the benefits of nuclear power worth the choice?"
The choice he describes is one that Carl Michelson and his NRC colleagues think about every day of their lives. Discussing the Browns Ferry incident, as well as the chain of other minor and major mishaps in nuclear power plants, Mr. Michelson muses:
"Does it shake your confidence when things like this happen? Clearly, it must. What you do about it is a tough philosophical problem, though. You have to ask yourself, do I always have to react to these situations; or can I go around discovering the problems before they happen?
"The only reasonable alternative to shutting down every nuclear power plant is to watch everything that is happening. We try to learn from each experience. We think the Browns Ferry incident was a nice event, in that we learned an awful lot without costing a lot.
"It turned out to be a simple plumbing problem. Something a high school student could have fixed, if he had thought about it. The problem was we hadn't thought about it. We were surprised. We ought not to have been surprised. But we were."
Will some much more ugly "surprise" sneak up on the experts at the NRC and in the industry and make us all wish they had installed ATWS safety systems?
"It really is a difficult call," says Warren Minners, the NRC staff member who presented the proposed rule to the commissioners. "One day I'm sure that [scram backup] is absolutely necessary, and then the next I think it's not."
Mr. Minners is sure of one thing, however:
"There is going to be another major nuclear accident in this country. I don't think anybody is going to get killed. But there is a significant possibility that you're going to have to give up a whole bunch of landscape because of contamination. Maybe as much as a square mile."
NRC people like Mr. Minners believe that ATWS accidents are possible, and they are asking for new safety systems to prevent them. Antinuclear activists think they are inevitable and want nuclear plants shut down. Nuclear industry sources are arguing that the technology and expertise they have built into the plants make further protection against ATWS unnecessary and redundant.
Mark Budej is clearly a believer in the technology and expertise side of the argument.
"The challenge for this industry in the '80s is public acceptance, not more safety," he maintains, as he swings his car onto the dusty road leading away from the Oyster Creek nuclear power plant. Then, he glances back at the crisp, efficient-looking reactor building for a moment and says with steel-cord conviction:
"There's an awful lot of technology in there. And you gotta believe in it."