Nuclear Safety or Risky Nuclear?
NUCLEAR SAFETY OR RISKY NUCLEAR?
Presented to:
The Georgia Triangle Lifelong Learning Institute, January 21, 2011
Lecture 2 – Nuclear Energy and Technology
Dan Meneley, PhD, PEng
Revised and presented to the Ottawa Branch of CNS, April 21, 2011
OUTLINE OF THIS LECTURE
Why should we study nuclear reactor safety?
Some useful definitions
THE NATURE OF THE BEAST
Experience and lessons from the past
UP FRONT ISSUES -- FROM THE COURSE OUTLINE
A bit of techie talk
WHAT ARE WE TALKING ABOUT?
Risk and safety
THE NEED FOR ENERGY
PAST PERFORMANCE – INCLUDING THE DAIICHI DISASTER
The Present and Future
GUIDING PRINCIPLES
ENERGY DELIVERY
For the past 150 years we have lived on oil.
First oil well in North America was drilled in Ontario
Today we burn ≈ 1,000 barrels each second.
By 2100 CE we must have other energy sources in place
If we can wait 100 million years, there will be new oil formed
Coal can do the job for several centuries
But its environmental effects may be unmanageable
Uranium can do the job forever
THE NEED FOR ENERGY - 1
WHY THE BIG INTEREST IN THIS TOPIC?
The potential energy in heavy elements is immense:
1 kg (U) in CANDU produces about 180 MWh(th) = 60 MWh(e).
Typical 4-person household’s electricity use:
1,000 kilowatt hours per month = 12 megawatt hours per year
So, a mere 200 grams of uranium – 6 to 8 pellets – serves one household for an entire year.
If the same energy were obtained from fossil fuel
The fuel would be 30,000 times heavier
For example, about 6,000 kg of coal would be used
Carbon dioxide and massive quantities of ash would be produced
Yet we use less than 1% of uranium’s potential energy
New technology is available that can use the remainder
THE NEED FOR ENERGY - 2
CONSEQUENCES OF ENERGY DEFICIENCY
Changes in lifestyle
First, the poor people get poorer
Then, the rich people get poorer
Chaos, health degradation, and starvation follow
Energy wars?
We may already be involved in one of them
General collapse of modern civilization
Extreme, but possible
THE NEED FOR ENERGY - 3
WHAT’S TO TALK ABOUT?
Two sides of the story:
The technical, “hard science & engineering” side
The social, human understanding side
WHAT’S TO TALK ABOUT?
All energy sources are important
But nuclear energy is uniquely capable of “scaling up”
WHAT’S TO TALK ABOUT?
We (all of humanity) are in a fix
We are addicted to petroleum – a limited resource
There are too many of us to sustain a low energy existence
SAFETY IS A STATE OF MIND
At the same time, I might feel perfectly safe and you might feel terribly threatened
Years ago, my brother was a military helicopter pilot. He could terrify me with maneuvers that were routine to him
Nuclear safety discussions take place at the border between technology and psychology
Risk is my topic today
Notionally, it is the inverse of safety
Objective risk is easier to discuss because it is usually expressed as the product of probability and consequence
Subjective risk is not often recognized, but is vitally important
LET’S TALK LIKE INSURANCE BROKERS
The insurer (we) is the society at large
You are the insured
“We” will compensate you for loss, should it occur
at a price
What price will we charge for this assurance?
a price calculated so that we show a profit, on average
How will we calculate the price?
by the average sum over all policy holders of the probability of loss times the promised compensation
Will you decide to pay the price?
that depends on what you expect to receive from us as the beneficiary, in both objective and subjective terms
NUCLEAR RISK VS LIFE INSURANCE
You are the beneficiary – today
You also pay the premiums
Your risk of loss continues over the life of the power plants
We (society) promise you electricity for an eon
High reliability and reasonable cost, at low risk
Is this credible?
Your risk of loss is said to be insignificant
We also are members of this society
We think we know whereof we speak
Why should you believe us?
WHAT IS AT STAKE HERE?
Energy, delivered reliably for many generations
The objective value of ample, economical energy
Avoided consequences of not having enough energy
Available alternatives – can you get a better deal??
WHAT IS AT STAKE HERE?
Objective and subjective risk
The real risk of personal harm – NOT the average, but YOURS
The perception of being safe or unsafe, day by day
WHAT IS AT STAKE HERE?
The key measure – TRUST
How can you know? Whom can you trust?
Past performance, future expectations
Trust but verify – as in international disarmament negotiations
Distrust, but value – as we do all of our important institutions
TRUST – BUT WHO SHOULD YOU TRUST?
Past performance
Trust the trustworthy
Engineering is a statutory profession – with personal liability
Trust, but verify
Watchdogs are useful, even if they’re skilled professionals
The Canadian Nuclear Safety Commission is your watchdog
Who else has a deep interest in safety (low risk)?
Plant owners want to protect their investment
Customers want to avoid any radiation accidents
In our case, these are the same people
TRUST – BUT WHO SHOULD YOU TRUST (2)
Past performance
People working in many institutions are less than perfect
The frequency of institutional failure is seen to be large
Distrust, but value – ref. Hugh Heclo, “On Thinking Institutionally”
We cannot live without institutions in many forms
We need to watch them carefully, but respect them nonetheless
ALTERNATIVES – A BETTER DEAL?
It’s a matter of scale
On a small scale, with few people, the job is quite easy
On a massive scale, with billions of people, the job is harder
We ask for solutions to serve billions of people for hundreds of years
A child now in diapers might find a brand new solution
Until then, nuclear fission energy is the only feasible answer.
Is this a credible statement?
RISK OF PERSONAL HARM - ACTUAL
This can be calculated, albeit with uncertainty
Only the average risk can be quantified
Too many variables – individual risk has a wide range of possibilities
Make conservative assumptions
Assume the most sensitive individual
For example, an infant
Assume maximum consequences
Ignore beneficial effects of low dose radiation, for example
Assume extreme failure conditions
Several unlikely events in sequence, conservative assumptions
BUT ARE YOU STILL FEELING UNSAFE?
Remember, you live in one of the richest, safest, best protected societies in all of history.
Canadian life expectancy at birth today is more than twice as long (>80) as the poorest – in Swaziland (<40)
Swaziland’s life expectancy at birth today is about the same as was the US life expectancy at birth in 1850.
BUT ARE YOU STILL FEELING UNSAFE?
Subjective risk is high for large events
Aircraft crash – Actual: less than 1 in 9 million per flight
Subjective risk is low for small events
Fatal car crash – Actual: about 1 in 5 thousand per year
Paul Slovic & Elke U. Weber, “Perception of Risk Posed by Extreme Events”, Proc. Conf. “Risk Management Strategies in an Uncertain World”, Apr. 2002
IS NUCLEAR ENERGY DANGEROUS?
Of course it is!!
A large amount of potential energy wrapped in a small package
Potential energy must be extracted at a controlled rate
The reaction products (the “ashes” of fission) must be managed
Dangerous, but manageable
We’ve learned a lot over the past five decades
We know how to do this job
Are we perfect? No, but the residual risk is small
Less risky in the future
The technology is mature
Operational training and skill needs are clear
Worldwide institutional arrangements are in order
WHAT ARE THE RISKS?
The usual industrial risks
Mainly heavy objects, live steam, high voltage
Radiological risks
Digging uranium out of the ground and stimulating it to fission at a very high rate is a hazardous business
Under strict control, as we will see
Need to protect the plant, operating staff, and public
Sabotage risks
Hostile attack
Diversion of nuclear materials
WHAT IS BEING DONE TO REDUCE RISK?
Who is actually at risk?
The plant owner, in financial terms
Senior management, in terms of their careers
The plant operating staff, in physical terms
The local population, in lesser physical terms
The rest of us, almost entirely in financial terms
Who is doing what, to reduce risk?
The plant owners are training, testing, and retraining staff
The Canadian Nuclear Safety Commission is auditing operations
Atomic Energy of Canada is evolving new plant designs
Everyone is studying past operations for improvement ideas
CAN TERRORISTS MAKE NUCLEAR BOMBS?
First, can a reactor blow up like a nuclear bomb?
Absolutely not. (Too weak, too wet, too slow)
Terrorists – who are they?
They are actually saboteurs -- why are we so afraid?
Are they working for a foreign government, or on their own?
Can they do it on their own?
Not unless we let them
Can they make a bomb from nuclear waste?
They can make an ordinary bomb a little more dangerous, but this is very difficult and dangerous – mostly to themselves
TERRORISTS, CONTINUED
Diversion of nuclear material to hostile uses
This starts, most likely, as a financial transaction and may then become a tool for sabotage
This is a problem to be solved by cooperation between nations, not by nuclear plant designers
Attack on a nuclear facility by an armed group
To be a real threat, the group must have the active support of a national government – and a powerful arsenal
Detection/detention is a job for the national police force
Crash of an aircraft into a nuclear station
Almost surely, the crash will cause shutdown of the reactor
A shut-down reactor is a pussy cat, not a tiger (Daiichi??)
Most of the people killed will have been passengers on the plane
SOME SPECIFICS OF NUCLEAR RISK
The nature of the beast:
Old reactor accidents
Chernobyl unit 4
World’s 2nd largest power plant accident . . .
Louis Slotin, NRX, NRU, SL1, Windscale
World’s largest power plant accident . . .
Compare a coal plant and a nuclear plant . . .
Three Mile Island unit 2
An accident that didn’t happen
Davis Besse pressurized water reactor
THE NATURE OF THE BEAST - 1
IS NUCLEAR SAFETY DIFFERENT? -- YES
[Figure: coal plant (COAL, AIR, CONTROL; HEAT ENERGY, FLY ASH, CARBON DIOXIDE, BOTTOM ASH) compared with nuclear plant (URANIUM, NEUTRONS, CONTROL; HEAT ENERGY, USED FUEL)]
THE NATURE OF THE BEAST - 2
The Neutron Chain Reaction
• When the number of slow neutrons is constant, the system is critical.
• Delayed neutrons appear after ~ 10 seconds.
• Fast neutrons slow down in about one thousandth of a second.
• Some neutrons are captured in U238 and produce a useful fuel – Pu239
[Figure: the neutron cycle. Labels: U235 Fission; Heat; “Ashes” (Fission Products); Prompt Neutrons from Fission; Delayed Neutrons from Fission; Neutrons Slowing Down; Neutrons Diffusing; Slow Neutrons; Captured Neutrons; Leaked Neutrons; “Control this to control heat production”]
THE NATURE OF THE BEAST - 3
HEAT BALANCE – THE KEY TO CONTROL
A power reactor produces a lot of heat energy
A steam turbine uses almost all of this heat
The amount of heat added must equal the amount removed, at all times
If too much heat is added (or not enough heat is taken away), material temperatures rise & water pressures increase
This is a dangerous combination
THE NATURE OF THE BEAST - 4
HOW FAST CAN HEAT BE RELEASED?
[Figure: reactivity (dimensionless, .00007 to .07) plotted against the time (T) taken to double the reactor power (0.001 to 10000 seconds), with curves for prompt neutron lifetime = 1 millisecond and = 0.01 millisecond; marked regions: Prompt Critical, Normal Control Range]
Power (t) ≈ Power (0) exp [t/(T × 1.36)]
THE NATURE OF THE BEAST - 5
SAFE OPERATING DOMAIN
[Figure: safe operating domain. Labels: Design Center, Operating Trajectory, Operating Domain, Operating Limit, Operating Margin, Trip Limit, Safety Margin, Safety Limit]
THE NATURE OF THE BEAST - 6
OLD ACCIDENTS
Louis Slotin (1945)
Re-Enactment of Slotin Experiment
National Research Experimental -- NRX
First Startup July 22, 1947
Accident 12 Dec 1952
Last Shutdown April 8, 1993
NRX HUMAN ERRORS (1)
1. Control rod changes were made with the heavy water at a level that permitted the pile to go critical. It would have only required a short time to dump the heavy water to a safe level. This was a mistake in judgment as no instructions had ever been issued against such an operation.
2. It was realized by both the supervisor and the pile physicist that the operator in the basement was not thoroughly familiar with the pipes and valves. In such a critical hazardous experiment he should have been replaced. (Error in judgment).
3. Instructions were given over the telephone to change valve settings in a hazardous operation. Contrary to instructions – all such valve changes were to be made on written instruction only.
4. The physicist had been instructed not to take charge of the control console. This instruction had come from his superintendent and in this case he did not take charge on the request of a supervisor. If he had been fully knowledgeable of the operation of the reactor he would not have made the mistake in buttons even though his instructions were wrong.
NRX HUMAN ERRORS (2)
5. “Free fall tests” of the safety rods had never been practiced in the reactor. If this had been done it would have been found that the percentage of rod failures due to sticking was high. The clearance in these rods is so small that a bit of dust could cause them to hang up. Also there was some residual magnetism in the headgears that aided the rods in staying up. The reactor had always been operated under the assumption that the rods would fall in without the assistance of the accelerating air. This was never thoroughly tested and, in fact, was not true. (Error in judgment and design.)
6. The lights indicating the rods in the down position had not been functioning properly. As a result they were generally ignored. An error in design and judgment. It is interesting to note that these lights were being altered as time permitted with the intent that when alterations were complete the operation of the lights would be a requirement for reactor operation.
Windscale Production Reactors - UK
Built in the 1940s for Pu production. Loss of control & fire on Oct 11, 1957
NATIONAL RESEARCH UNIVERSAL - NRU
First startup Nov 11, 1957. Failure in experimental channel May 24, 1958
SL-1: Stationary low power reactor #1
Major accident on Jan 3, 1961. Three operators killed
US Army developed this concept for electricity and heating at remote sites.
SL-1 LESSONS LEARNED – PROF. T.J. THOMPSON
(1) As far as possible, design, construction and operation should be the responsibility of a single organization.
(2) Responsibility for safety and all facets of reactor operation should be unequivocally defined -- ("a line organization should be used, not a committee").
(3) Safety review should be carried out by a single competent group external to the operating organization - reviews repeated by competing safety groups can "unduly harass the operating group and thereby reduce safety."
(4) The ultimate responsibility for operational safety must ultimately rest on the immediate operating team at the reactor - "in the final analysis the reactor shift supervisor and, in turn, the operator at the control console should have the authority to shut down the reactor if either believes it to be unsafe."
Three Mile Island-2 Final Reactor Configuration
March 28, 1979
Good design
No overpower pulse
Poor operation
Bad procedures
Effective containment
CHERNOBYL UNIT 4
April 26, 1986
CHERNOBYL – SOME CONTRIBUTING FACTORS
The plant designer won a Lenin prize
Safety cautions from Kurchatov Inst. were ignored
Test procedure was mandated from Moscow
Effective command of the plant operation was turned over to the test team – they were ignorant
Safety protective systems were disabled
Operation at low power continued in spite of ban
Test was continued in spite of serious operator errors
Davis-Besse Vessel Head Corrosion
Circa March 2002
An accident that did not happen
ANOTHER ACCIDENT THAT DIDN’T HAPPEN
During the 1990s:
Ontario “fell out of love” with nuclear energy
An open “retirement package” was offered to staff
More than 10,000 employees took the package and retired
About 4,000 skilled nuclear operations staff left the company
Nuclear Operations was placed under extreme stress
In 1997:
Seven large nuclear units were shut down, voluntarily
Morale in the nuclear fleet hit rock bottom
Due to strong leadership within middle management
No serious consequences ensued
AND ONE THAT DID HAPPEN – TSUNAMI (津波)
Design basis – 5.2 to 5.7 metres
Measured wave – 14 metres (TEPCO update)
Consequent multi-unit station blackout
Human errors
Insufficient grid protection from earthquake (地震, jishin)
Fossil units shut down, so the offsite grid collapsed
Insufficient protection of emergency power supply
Diesels in basement, fuel tanks at grade
Inter-unit electrical connections?
Failure to review promptly following Kobe event (1995)
LESSONS LEARNED?
Human error dominated in all of these events
Machines are much too stupid to make mistakes
Humans also perform spectacular “saves”
Pickering pressure tube failure
Dislocation of OH nuclear operations in 1997 and beyond
Hudson River airline pilot landing in Hudson River
Chilean coal mine rescue
Studying others’ accidents is educational
It helps to avoid having to study one’s own accidents
The practice builds care, caution – and humility
What is Risk?
A thing of the Future
[Figure: axes labelled RISK LEVEL and UNCERTAINTY]
Systems Design for Risk Reduction
Also known as Defence in Depth
[Figure: defence-in-depth barriers between Radioactive Material and Environment & Public. Prevention: Quality Design and Construction; Disciplined Operation; Automatic Control; Detection & Correction of Faults; Automatic Response to Faults. Mitigation: Shutdown; Fuel Cooling; Containment; Exclusion Zone; Emergency Response. Other labels: Disciplined Engineering; Management Procedures; Regulating Systems; Maintenance, UER Procedures; Setback, Stepback; Process Systems; SDS1 & SDS2; Defence in Time; ECCS & Moderator; Building & Spray Dousing; Dilution; Sheltering, Evacuation; Safety Systems]
Risk and People -- To Err is Human
[Figure: the human cycle of performance. Labels: Safety, Confidence, Complaisance, Neglect, Decay, Danger, Failure, Doubt, Caution; Decreasing risk; Increasing risk; Institutional Factors?]
A RISK MANAGEMENT SYSTEM
[Figure: a risk management system. Labels: PUBLIC RESPONSIBILITY; PEOPLE AND GOVERNMENT; SAFETY STANDARDS AUTHORITY; SCIENTIFIC-TECHNICAL COMMUNITY; OPERATING ORGANIZATION; DESIGNER-MANUFACTURER-CONSTRUCTOR; INDUSTRY RESPONSIBILITY; SAFETY PERFORMANCE; REGULATOR; REGULATORY RESPONSIBILITY]
BUT WHAT IF EVERYTHING GOES WRONG?
Reactivity rises
Loss of control?
Safety shutdown fails?
Big energy release
High temperature
Steam Explosion
No Fuel Cooling?
Containment Rupture? Fuel Ejection Out of Reactor?
Widespread Distribution of Radioactive Fission Products?
[Figure: plot with reactivity values .00007 to .07, time values 0.001 to 10000, and curves labelled Prompt Neutron Lifetime = 1 millisecond and = 0.01 millisecond]
CONCLUSION - PICKERING “A” WORST ACCIDENT
Prof. J.C. Luxat
The important overall conclusions are as follows:
The discharge of steam from a failed calandria vessel must consider the available physical heat transfer mechanisms and compartment volumes. This becomes the dominant discharge into containment volumes over and above the discharge from the initiating LOCA pipe rupture and determines the extent of over-pressurization of the containment envelope. Thus, containment integrity margins can be expected to be larger than in Pickering A for designs which have water filled reactor (calandria) vaults (Pickering B, CANDU-6) or shield tanks (Bruce A & B, Darlington) which will further condense steam discharged from a failed calandria vessel, or for plants which have large multi-unit shared containment volumes (Bruce A & B, Darlington). Since Pickering A has an acceptable margin it may be inferred that the margins for other CANDU plant will also be acceptable.
The original 1987 analysis was considered at the time by some, and to this date by others, to be speculative. This reassessment has demonstrated that the analysis was in fact robust and the conclusions remain significantly conservative and essentially unchanged by knowledge gained and discoveries made in the intervening years.
CANDU plants are capable of withstanding extremely unlikely events causing early core disruption without significant risk to the public.
Long term fuel cooling is required by all power reactors – they must have an ultimate heat sink
Continuing electrical power supply is required by most water reactors
RESULT – ANOTHER EXAMPLE
This reactor was vulnerable
Weak design
Poor operation
Bad management
After this accident:
Design improved
Operating procedures changed
Better control systems installed
Management was changed
IAEA and WANO plant inspections were initiated
YET ANOTHER EXAMPLE
Core Uncovered
Fuel Overheating
Fuel melting - Core Damaged
Core Damaged but retained in vessel
Some portions of core melt into lower RPV head
Containment pressurizes. Leakage possible at drywell head
Releases of hydrogen into secondary containment
Info. From Duane Arnold (BWR Mark 1)
HIROSHIMA, THEN AND NOW
Daiichi did not produce such large health consequences
MELTDOWN IN A PWR
Concentrated fuel mass, small amount of hot, high pressure water around fuel
Poor maintenance practice
Operator misunderstanding
Management laxity
Poor procedures based on bad regulatory demands
Lucky outcome
THE SOLUTION – Westinghouse AP 1000
Similar to BWR Mark I Primary Containment Concept
Depressurize
• Water is added when Tcore exit > 650 C
• Steam is vented to containment
• Ultimate heat sink --- conduction + convection to atmosphere
ANOTHER SOLUTION - COOLING IN CANDU
Much more cool, low pressure water than either PWR or BWR
Filtered containment vent, passive hydrogen-oxygen recombiners
[Figure labels: Calandria Vessel, Fuel Channels, Debris spreading & cooling area, CANDU 6 Dousing system]
Shield Tank: Can remove 0.4% decay power. Takes >20 hours to heat up and boil off with no heat removal
Moderator: Can remove 4.4% decay power. Takes >5 hours to heat up and boil off with no heat removal
CANDU POWER SUPPLY RELIABILITY
Power setback and stepback capability
Unit continues to run on its own power supply
Duplicate service transformers – unit & station
Auto-transfer on loss of UST
Emergency supplies on site
Multi-unit sites – (China, Korea, Romania, Ontario)
Inter-unit transfer bus
Grid feed-in logic – (Ontario)
System recognizes station as potential power customer
Future modifications?
Ultimate heat sink?
Notional Risk Curves, and Trends
[Figure: notional risk curves, Log Frequency versus Log Consequence. Regions: Direct Experience Range, Risk Assessment Range, Disaster Range. Curve: Regulatory Risk Acceptance Curve. Annotations: Utility economics & performance requirements; “Smart” components and systems; Realistic accident modeling and consequence assessment; Trends with increasing experience, knowledge, and realistic consequence assessment]
TODAY’S CONCLUSIONS
What will tomorrow bring?
We don’t know – just wait, and the future will come
Oil and gas supplies will wane
The population of the earth will rise
Climate will change, in one way or the other
Nuclear fission energy will be available for all
Yes, someone might invent a better way, someday
But just in case they do not:
There is plenty of uranium for many thousands of years
There is enough uranium available to supply ALL human energy needs for as long as we live on this earth
This technology can be safely managed, in the past
Will people reject the nuclear energy solution?
Doubtful – but buildup might be delayed until time runs out