Dispelling a certain mythology
25 July 2014
Despite a few important errors and omissions, a new book about nuclear accidents is important and well-written.
By David Mosey
In one episode of the American animated television series 'The Simpsons', the NRC comes knocking at the door of the Springfield nuclear power station. Woken from his nap, the plant owner, the egregiously evil Mr Burns, responds via the intercom, "there must be some mistake... We, er, we make cookies here: Mr Burns' Olde-Fashioned Good-Time Extra-Chewy--" The NRC team leader forthrightly responds, "get the axe."
James Mahaffey is equally forthright in his account of nuclear events, mishaps, accidents and disasters. His aims are to dispel "a certain mythology" in public and professional perceptions of nuclear accidents, to demonstrate the vast number of ways in which humankind can make a complete pig's breakfast of a perfectly fine concept and, in the final analysis, to show that despite the seemingly long list of pigs' breakfasts, the development of nuclear energy has exacted a remarkably low price in blood (if not treasure). Additionally he argues that an ideal nuclear energy future should not be based on gigawatt-sized reactors, "bloated" versions of the original naval reactor design, but smaller, modular units, ideally incorporating passive safety features.
Mahaffey's catalogue of atomic accidents begins with the early applications of radium and the cavalier approach to its use, first in quack medicines and subsequently in more respectable (if no less risky) applications such as luminous paints for watches and aircraft instruments. He describes the basics of ionising radiation (and its effects) with admirable clarity and neutrality, but he does make clear the importance of trying to get to grips with the concept of probability -- not an easy task. He notes wryly that if everyone had a thorough understanding of probability, then no-one would ever buy a lottery ticket and the entire gambling industry would disappear.
One of the most refreshing aspects of Mahaffey's approach is the way in which he deals with the military imperatives which have driven nuclear development. Traditionally, the nuclear industry emphasises its distance from the military, instead dwelling upon good-time extra chewy cookies in the form of clean, safe, economical energy production ("it's just another way of boiling water"). In fact it would be difficult to identify a nuclear energy development programme anywhere that was not informed or supported to some extent by military imperatives.
Mahaffey devotes a chapter to the wartime development of nuclear weapons in the US and post-war weapons tests, providing clear and simple descriptions of both types of bombs used in the attacks on Japan, and one of the most elegant and accessible expositions of criticality issues that I've ever come across. He also covers the Daghlian and Slotin fatalities (the notorious "tickling the dragon's tail" events at Los Alamos) as well as a number of criticality events involving fissile materials in solution. These are particularly compelling reminders of the subtlety and lethality of this kind of accident, and of the rapidity with which any reactivity transient can develop. Indeed, such events are salutary reminders that it should not be radiation that is regarded as nuclear energy's unprecedented hazard, but the immense amount of energy in the fuel and the inhuman speed with which it can be released.
The familiar reactor accidents (at least, familiar to accident aficionados) are described, including the NRX power transient, the NRU uranium fire, Windscale, SL-1, Fermi 1, Browns Ferry, Three Mile Island, Chernobyl and Fukushima. But Lucens is omitted, which is rather a pity since I should like to hear what Mahaffey would make of this heavy-water moderated, Magnox-fuelled, carbon dioxide-cooled reactor.
There are a few errors and omissions too, especially in his treatment of non-American reactors. For example, Mahaffey is a little confused about the NRX shutdown system design and operation and he does not acknowledge the important lessons of shutdown system design and shutdown trip parameter selection learned from the NRX reactivity accident. He should also be aware that NRX and NRU were both specifically designed to (inter alia) produce plutonium for nuclear weapons. In both reactors air-cooled uranium metal rods were irradiated in the annular space between the reactor vessel and graphite reflector, known as the J-rod annulus, so-called because at the time security considerations dictated that plutonium be referred to as "J metal". (Uranium was "X metal" and heavy water was "polymer".) A significant factor in the Canadian government's decision to go ahead with the construction of the NRU reactor was the fact that it would produce 60 kg of plutonium a year, valued at $12 million (in 1950 dollars). The plutonium was sold to the US.
In his discussion of the Windscale fire, Mahaffey is a little unfair to William Penney. It is true that in his report (declassified under the 30-year rule at the end of 1987) Penney says that the accident was initiated by a second nuclear heating that was too soon and too rapidly applied by the pile physicist (that is, operator error). However he is at pains to point out that not only did the positioning of the in-core instrumentation give a misleading picture of fuel temperatures, but the only guidance the pile physicist had in applying the nuclear heating was a 92-word memorandum (about half of which Mahaffey quotes at the opening of his chapter on Windscale).
Penney points out that Windscale reactor operations were generally starved of technical support (mainly due to work on the Calder Hall reactors) and there were significant organisational deficiencies, especially in the area of technical support and operational oversight. In other words the operator was set up to make errors by a combination of design and organisational deficiencies. It is most probable that UK prime minister Harold Macmillan suppressed publication of the Penney Report because it showed up serious weaknesses in the UKAEA's management. Macmillan had just returned from America after negotiating a commitment to end the restrictive provisions of the 1946 Atomic Energy Act and most likely felt that the unvarnished Penney report would not have given the Americans confidence in the technical or managerial competence of those charged with running Britain's nuclear programme.
Mahaffey's description of the RBMK reactor's design, especially its control and shutdown system, is a little confused and incomplete. For example, he states "At the bottom of each control rod is a rounded tip made of pure graphite, designed to act as a lubricant to ensure smooth running of the rod in its metal tube.... If a control rod is withdrawn all the way, then the first thing that enters the core during an emergency shutdown is a big chunk of graphite." This is not quite right. In fact the 211 control and safety shutdown rods in the RBMK design run in water-filled tubes (this is a factor in their modest 400 mm/s insertion rate). In order to augment their reactivity worth, the rods have graphite followers suspended beneath them to displace the water as the absorber rod is withdrawn. However these followers are shorter (by about 2.5m) than the core depth, and the suspension link between a rod and its follower is 1.25m long. This means that when the absorber rod is fully withdrawn there will be water spaces 1.25m long above and below the graphite follower. As the rod is inserted from its fully-withdrawn position, the initial negative reactivity insertion at the top of the core is minimised (absorber replacing water) and there is a significant positive reactivity insertion at the bottom of the core (water displaced by graphite). This is not a desirable feature in a shutdown system.
A central argument in Atomic Accidents is that, notwithstanding what seems to be a dauntingly long list of accidents and incidents, the cost in human life worldwide has been modest in comparison with virtually every other developed or developing technology.
Nowhere is the force of this argument more clearly apparent than in Mahaffey's account of mishaps involving nuclear weapons. He notes that there are 65 documented incidents in which US-owned nuclear weapons have been lost, destroyed or damaged over a 44-year period (1945-1989), yet there is not one single case of a weapon detonating accidentally. And an accidental nuclear detonation could not be concealed -- it is the sort of thing one would be bound to notice. This suggests that weapons designers around the world have got a pretty good handle on how to ensure that a nuclear warhead or bomb will only go off when you really mean it.
Of course having a nuclear weapon land in your back garden can be a thoroughly disagreeable experience (and has been so) but it will only be a disagreeable experience to those in the immediate vicinity. Mahaffey also makes the point that an important lesson drawn from these accidents by the US military was that it was not an entirely desirable policy to have bombers carrying nuclear weapons flying about the place, awaiting a possible order to attack. Much better, as any pilot could have told them, to keep them on the ground until you're really sure about launching an attack.
One of the greatest strengths of Atomic Accidents is the author's consistently vivid and energetic narrative style; this is a book that is very difficult to put down. Mahaffey keeps a tight focus on the people on the front line -- in the control room, the reactor hall, the reprocessing plant or the cable-spreader room -- and their interaction with the equipment and each other. This focus is heightened by the fact that he names the people involved.
The only drawback is that this level of immediacy and intimacy can overshadow external, more distant factors which may have helped create conditions which made an accident more likely. The coverage of SL-1 is a good example. Mahaffey provides the most convincing (in my view, the only convincing) rationale for the fatal initiating event: the manual withdrawal of the reactor's central control rod. He pinpoints SL-1's principal design flaw: the fact that withdrawal of the central control rod was sufficient to make the reactor supercritical. It is a sobering thought that by the time the operator had withdrawn the control rod 20in, the nuclear portion of the accident was long past; it only took two milliseconds for the reactor to reach about 5000 times full power.
In fact SL-1 suffered from three main design problems: the aforementioned neutronics issue; the questionable performance of the aluminium-nickel alloy used for core construction and fuel cladding; and the design of the control rod drives, whose disassembly and re-assembly required manual raising of each control rod by about six inches. When Combustion Engineering Incorporated took over contractual responsibility for SL-1 in February 1959, in response to a request from the AEC they carried out an evaluation of SL-1 and made the following recommendations:
- Not enough was known about the long-term in-core performance of the Al-Ni alloy, but it looked rather dodgy so far; stainless steel was probably a preferable material
- A new SL-1 core should be designed and it should have an adequate shutdown margin with any one control rod removed
- The control rod drive mechanisms should be redesigned.
These recommendations were accepted by the AEC and arrangements were made for the procurement of a new core, to be available by spring 1961. Yet no changes appear to have been made to the existing SL-1's operating regime or maintenance procedures, despite the clear identification of design deficiencies. In the operating life of the reactor a number of deficiencies became apparent, yet did not prompt any substantive action. In a remarkably restrained display of hindsight, in the covering letter for the final report to the AEC on the SL-1 accident, USAEC General Manager C. A. Nelson did note, "It is known that certain undesirable conditions had developed with respect to the reactor and its operation, some having their origin in the design of the reactor and others in the cumulative effects of reactor operation." Quite.
Another example of where distant, external factors can set up operators for failure is Chernobyl 4.
The positive SCRAM effect of driving in absorber rods from their fully-withdrawn position was discovered in 1983 during start-up of Ignalina 1 (Lithuania). The commissioning teams proposed measures to eliminate this effect (including design changes to the absorber rods) but these were not implemented, nor were these undesirable features communicated to the operating community. Even worse, neither was the fact that maintaining a certain minimum number of absorbers in the core was absolutely necessary to protect against power transients. To have clearly informed the operators of this rather alarming feature would have been tacit admission that the RBMK design included major violations of the safety standards and regulations in force at the time.
Specific violations of the contemporary safety standards included:
- The strong positive void coefficient and the design of the emergency protection system
- No emergency or warning signals were provided for some of the most important reactor parameters
- The design of the RBMK Emergency Protection System would not quickly and reliably terminate the chain reaction when certain reactor parameters reached dangerous levels and would not provide a sufficiently rapid rate of power reduction under all emergency operating conditions.
It is worth noting that maintaining a safe control rod configuration required knowledge of the positions of all the 211 absorber rods. The computer and instrumentation used to provide this information were located 50m from the control console. The computer system took between 10 minutes and 25 minutes to provide the information. Under the most optimistic assumptions, the operators' knowledge of rod configuration would be ten minutes out of date. A lot can happen in ten minutes.
In fairness to Mahaffey, one must admit that any attempt to recount nuclear accidents and incidents without any errors or omissions would produce a book that would not only be unreadable but also would require a fork-lift truck to carry it about the place.
James Mahaffey is a fine writer. Engaging, lucid, informal and frequently (and satisfyingly) irreverent, at his best his style resembles the great satirist and mathematician Tom Lehrer's sardonic, technically-informed delivery. He also shares Lehrer's satisfaction in anatomising humankind's more fatuous missteps and his intellectual integrity. Atomic Accidents deserves the widest audience.
To this reviewer Mahaffey's most important achievement is to remind us that when things really go pear-shaped it is the people in the front line we depend upon. We depend upon their professionalism, dedication, resourcefulness, gallantry and self-sacrifice. As Atomic Accidents demonstrates, that dependency is well-founded.
About the author
David Mosey is the author of Reactor Accidents (2nd edition 2006, ISBN # 1-903-07745-1, from the publishers of Nuclear Engineering International, available to buy online via www.getthatmag.com/energy.html). He worked for 30 years in the Canadian nuclear industry, including 18 years in nuclear safety functions of Ontario Hydro and its successor companies.