Passive safety: staying on track
25 September 2014
Joseph Somsel looks at the unintended consequences of passive safety systems for Casey Jones and the Cannonball Express. The industry should consider the lessons from this famous accident as it looks to adopt passive safety systems in new reactor designs.
Ask any school child in the US to name a famous engineer, and it is almost certain they will say 'Casey Jones!' John Luther 'Casey' Jones was not an engineer in the contemporary sense but the operator-in-charge of a large steam locomotive, a highly technical, responsible, and well-regarded position even today. His heroic actions undoubtedly saved the lives of the passengers on his train, the "Cannonball Express", when it collided with a stalled freight train at a station near Yazoo City, Mississippi in 1900. The root cause was the appropriate actuation of a passive safety system at an inappropriate moment.
The nuclear industry is by no means the first industrial enterprise to face intense public demands for high safety standards. A public relations disaster or other embarrassment is called a 'train wreck' even today. Early rail passenger service had its share of accidents and passenger safety was of great interest to the public, since most intercity transportation was by rail.
Early railroad safety
The biggest shortcoming in the safety of early railroading was brakes. While the engineer could directly control the brakes on the locomotive, brakes on the following cars required manual actuation from the top of the moving cars by a member of the crew called, appropriately enough, the 'brakeman.' The remedy adopted beginning about 1870 (and perfected by 1890) was the Westinghouse air brake, which used a pneumatic line, called the train pipe, that ran the length of the train, connecting each car's brakes to the air compressor and controls in the locomotive. The train pipe had to be kept pressurised to keep the brakes released and the train movable. Venting the train pipe allowed the brakes on every car to apply, slowing and stopping the train. Also, should one or more cars separate from the train, the air pressure would be released and the lost cars would stop on their own, without crew intervention.
If we call this fail-safe system an early example of a passive safety system, we can see the philosophical similarities with current schemes for passively safe nuclear power plants. The accident also highlighted many factors of railroad safety that can be likened to current nuclear safety thinking and practices.
The locomotive under the charge of Casey Jones that night was a huge machine and one of the more powerful of its day. Weighing 125,000 pounds, its length was mostly fire-tube boiler filled with several tons of saturated water at 180 psig. With six driving wheels six feet tall, it combined both a strong pull and high speeds, making it suitable for the express passenger train that it pulled that day.
The passenger market demanded ever shorter schedules and the railroads responded, especially for competitive routes. That meant higher speeds, and trains of the era were often appreciably faster than Amtrak's current speed limit of 79 mph (on most routes). Arrivals 'on the advertised' were the expectation of customers, management and workers. But given the primitive communications technology of the time (only the telegraph at best) and the preponderance of single-track mileage, coordinated operations were difficult.
The resulting conflict between production and safety was a real and very serious issue for the railroads. Schedule speed and consistency held the same position for the railroads as capacity factor does for today's nuclear fleets.
On the night of Casey's accident, he was asked to serve as a relief engineer for another man who was sick. An ambitious railroader, Casey took the assignment although he had just completed another full run and had only an hour to rest and prepare. (Note that he would have been precluded from taking the assignment under current worker fatigue regulations at a US nuclear plant.) His new train was already an hour behind schedule and Casey strove to make up the time in spite of fatigue, fog, and rain. By skilful driving and probably some risk-taking, his train was only five minutes behind schedule upon his approach to the train station in Vaughn, Mississippi, about 20 miles east of Yazoo City.
The station master in Vaughn was expecting Casey's train and had to work to clear the two freight trains there off the main through-tracks. Unfortunately, while manoeuvring one of the freights off the main line, a train pipe hose between cars decoupled. The passive air brake system worked as designed, immobilising four freight cars on the track ahead of Casey as he approached at 75 mph.
A blocked track was a common occurrence and the railroads had standard operating procedures for the event. These administrative controls involved sending a crew member down the line to warn oncoming traffic. Just beyond the emergency stopping distance, a 'torpedo' was placed on the track. This small explosive charge would provide an audible warning to the approaching engineer when his locomotive's wheels set it off. The crew member would then proceed even further down the line to a normal stopping distance and wave a red lantern at night or a red flag during the day.
Controversy persists to this day about whether or not these warning signals were really in place. The fireman (or stoker) riding with Casey, who survived by following Casey's direction to jump, claimed that neither the flagman nor the torpedo was there that night. Others have held that the responsible crew-member on the stranded train may have made the decision to help move the cars rather than provide the warnings. This was another production versus safety conflict that could have been an easy decision if the conservative decision-making ethos in today's nuclear industry had been followed.
The passively-safe air brake system, admirable as it is, had one problem that surfaced in this set of circumstances. When the train pipe opens, all the compressed air in the whole train vents. Making the train mobile again required first that the train pipe pressure boundary be restored and then that the air compressor on the locomotive re-pressurise the system. Alternatively, the brakeman had to go to each car and turn a handwheel to override the air brakes. Either takes time, especially for a long train. Until then, the cars sit.
When Casey finally realised that there was an obstruction ahead, by the red lights on the rear of the stalled train, he immediately applied his train's air brake system and ordered his fireman to jump since he had no further role to play. Casey had one additional means of slowing the train: the locomotive's separate, mechanical brake system. It could help slow down the train, but required continual hand pressure on the control.
Casey Jones is a hero today because he chose to put the safety of his passengers ahead of his own life (that, and one of his friends and a fellow union member wrote a catchy song about the event.) He rode his braking locomotive into the stalled train, having reduced its speed from its initial 75 mph, a speed certainly fatal to his passengers, to a more survivable 35 mph at the time of collision. Casey was the only fatality that night. He was the single remaining barrier to public safety. The lesson for the nuclear industry is: do not rely on a single point of protection.
So what does this accident tell us about the adaptation of passive safety features in nuclear power plants?
Passive, not perfect
First, not all passive systems and features are created equal, or perfect - the terminology remains ambiguous, and encompasses the terms 'inherent' and 'fail-safe.' Some of the best are based on physics and are on the inherent side of the scale. A negative Doppler fuel temperature coefficient is one of my favourites - when fuel gets too hot the fissile species stop absorbing neutrons and hence stop the fission process. Coolant void fraction coefficient in LWRs is another. The Chernobyl accident can be directly attributed to a positive coolant void coefficient inherent in the design - lose liquid coolant and power increases!

For current-generation plants, some original 'passive' or fail-safe systems might have caused more problems than they solved. The large accumulators used on PWRs to deal with a large-break loss of coolant accident (LOCA) proved to be dangerous in shutdown modes, as failure to depressurise and isolate them from the reactor pressure vessel prior to opening the vessel was a safety hazard to workers. Early containment spray designs sometimes used a 'de-energise to actuate' logic that meant someone flipping the wrong control power breaker could (and did) drench workers in containment, and all the equipment there, with dilute sodium hydroxide solution. The isolation condenser on early BWRs such as Fukushima Daiichi Unit 1 seems like a fool-proof system, yet it too failed to prevent core damage due to capacity limitations.
Importance of the big picture
There are several lessons to be absorbed by designers and regulators of the new batch of passively safe reactors. First, one has to explore ALL the logical situations (and some illogical) that the system will or could contribute to. A too-narrow view of the system is guaranteed to miss 'the big picture.' Plus, one can be sure that the designers of the system will be optimistic about its success while reality will be harsh in its demands.
Probabilistic risk assessment (PRA) and failure modes and effects analysis (FMEA) have proven invaluable tools for reactor designers and operators. PRA at its heart is a reduction exercise - take a big problem and break it down into little actions and events. But reductionism has its limits - such as seeing the big picture. For that, an integrative mind-set might provide some balance and insights; this is a difficult change of world-view for most analysts, and 'thinking outside the box' is always a challenge with no guarantee of success. Plus there will always be pressure to 'get real', bound the problem and 'focus', when the task is just the opposite. The Rumsfeldian notion of 'unknown unknowns' needs to be kept in mind.
The major remaining limitation of the PRA art is boundaries, where the analyst draws them and what lies beyond. My favourite example was a system-specific PRA of the residual heat removal system (RHR) in a PWR that I was asked to review and validate in the mid-1980s. The logic for suction valves from the reactor also had a fail-safe design where the motor-operated valves would auto-close on loss of control power to the system. The PRA analysis had set the availability of this control power at 100%, always on, and outside the scope of the analysis. I reminded my management that the reason we had invested in this expensive analysis in the first place was because we had destroyed an RHR pump when the control power was inadvertently secured. This analysis explicitly assumed (in the fine print) that would never be the case. The plant's historical reality was outside the bounds of the analysis.
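As an added illustration (not part of the article, and using constructed probabilities rather than plant data), here is a small fault-tree calculation of the RHR suction-valve case above. Setting the control-power event to zero reproduces the analyst's "always on, outside scope" boundary; giving it any realistic value shows that this single common-cause event, not the redundant valves, dominates the result.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class Basic:
    """Basic event with its probability over the mission time."""
    name: str
    p: float

@dataclass(frozen=True)
class Gate:
    """Logic gate: kind is "AND" or "OR"; inputs are Basic or Gate nodes."""
    kind: str
    inputs: tuple

Node = Union[Basic, Gate]

def prob(node: Node) -> float:
    """Top-event probability, exact for independent, non-repeated basic events."""
    if isinstance(node, Basic):
        return node.p
    ps = [prob(i) for i in node.inputs]
    if node.kind == "AND":              # all inputs must occur
        out = 1.0
        for p in ps:
            out *= p
        return out
    q = 1.0                             # OR: 1 - P(no input occurs)
    for p in ps:
        q *= 1.0 - p
    return 1.0 - q

def cut_sets(node: Node) -> list:
    """Cut sets (not minimised): event combinations that cause the top event."""
    if isinstance(node, Basic):
        return [frozenset([node.name])]
    parts = [cut_sets(i) for i in node.inputs]
    if node.kind == "OR":
        return [c for part in parts for c in part]
    acc = [frozenset()]
    for part in parts:
        acc = [a | c for a in acc for c in part]
    return acc

def rhr_tree(control_power_loss: float) -> Gate:
    """Top event: RHR suction path lost. All numbers are constructed (hypothetical)."""
    mov_a = Basic("MOV-A fails closed", 1e-3)   # independent valve faults
    mov_b = Basic("MOV-B fails closed", 1e-3)
    # Fail-safe logic closes BOTH valves on loss of control power: one event
    # that defeats the valve redundancy. 0.0 = "100% available, outside scope".
    cp = Basic("control power lost (inadvertently secured)", control_power_loss)
    return Gate("OR", (Gate("AND", (mov_a, mov_b)), cp))

def suction_unavailability(control_power_loss: float) -> float:
    return prob(rhr_tree(control_power_loss))
```

With the constructed values, the in-scope result is roughly 5e-3 against 1e-6 for the boundary assumption, and `cut_sets` lists the control-power event as a single-event cut set whatever probability it is given.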
Finally, even the soundest passively safe system will involve tradeoffs. Air brakes stop trains when you want them to, but they stop trains when you desperately need to move them too. A designer needs to uncover those tradeoffs and communicate them so that all parties understand the downside risks as well as the upside advantages. The alternative is waiting for a few train wrecks to learn from hard experience.
Had PRA analysis technology been available in Casey's day, how would the new air brakes have been treated? Drawing the analysis boundary just around the train, it would be recognised as a major innovation well worth the investment and rapid implementation (as it was). But railroads are more than just single trains; they include tracks too, and more significantly, they depend on the people that operate them, day and night, in weather fair and foul. Would a thorough analysis have included accounting for an eager-beaver engineer who was able to unexpectedly shave an hour off his expected arrival time delay? Would there have been standing orders and training for the brakeman on the stranded train as to his priorities - move the cars or provide the warning? I suspect that the experienced railroaders knew of the tradeoffs with air brakes but didn't let the best be the enemy of the good.
Today's railroads, in developed countries at least, now require sophisticated train control and communications systems. In the US, a controversial and technically challenging 'Positive Train Control' system (PTC) mandated by the US Congress is being implemented at present. The core mission of PTC is keeping a trailing train from approaching a preceding train closer than stopping distance. Ironically, even a fully-implemented and functional PTC might not have prevented Casey's accident. Its weakness is that the transmitter for the train position is located in the lead locomotive, with the (recognised) difficulty of making the system know where the end of the train is.
That problem should ring a bell in the minds of nuclear engineers. Every designer of nuclear power plants sets boundaries and boundary conditions - it's a necessity of any design process. How high will the flood waters rise, how long will off-site power be unavailable, how strong can the steel in the reactor pressure vessel be?
Current nuclear power plant safety considerations and scenarios are imposed by regulators based on decades of analysis, experiment and experience. In the US, the requirements are extensive, broad and detailed. But for the new reactors, the base concerns remain the same as for existing LWRs (codified in 10 CFR 50 and 52) - other designs like gas or liquid metal-cooled reactors will also use existing guidance, albeit less developed. One would expect more recent concerns like the tsunami at Fukushima and its extended station blackout to be explored.
Yet, looking at the new designs (as much as is publicly available), one sees a similarity of concept but remarkably different implementations compared to current LWRs. For example, NuScale's design has RHR heat exchangers that, unlike those of current LWRs, depend on natural circulation on both sides, primary and secondary. This is a passive feature for sure, but natural circulation regimes have failed numerous times in practice before. While natural circulation in a reactor core has been generally reliable, fluid flows in two directions, driven by two temperature deltas, get more complicated and hence less assured. Holtec's SMR design boasts of having vital equipment underground. That's great for tornadoes and aircraft impacts but might be a detriment during floods. Most or all of the designs forgo safety-related diesel generators and some even eliminate safety-related batteries.
The focus in most of them is, justifiably, an end state of the event that precludes release of radioactive material. Usually this involves losing decay heat to the atmosphere or to a huge, captive heat sink without pumps or active, 'intelligent' components or controls. Historically, nuclear regulation took something of a blind alley in the 1970s by focusing far too narrowly on large, double-ended guillotine pipe breaks in the primary coolant system, what we called the design basis loss of coolant accident, or DBA-LOCA: the thinking being that if you design for the end of the world, everything else would take care of itself. After decades of operating experience were accumulated (with no guillotine breaks) and the application of PRA techniques, we realised that big pipe breaks were not the risk we feared they were. In fact, the most risk-significant components in the plant other than the reactor vessel - small steam-driven standby water pumps in almost all LWRs - were often not even originally classified as safety-related.
The NRC and the industry realise that some new ground is being broken here. Designers and regulators will apply the lessons learned from the many thousands of reactor-years of safe operation (and the few, but spectacular, failures) in their work. New areas of interest have resulted in specific, active research and development programmes. Understanding which 'old' measures and regulations to apply will be important too, as there could be unnecessary economic burdens placed on the designs that could limit their share of the power generation market.
As we rely more and more on what we mean to be passively safe designs, let us stay humble about what we think we know and what remains unknown to us. In other words, let's resist the temptation to over-sell the new designs. They may not be the advancements that we intend them to be.
Joseph Somsel is a degreed nuclear engineer with a master's in business administration and experience at operating nuclear utilities, reactor vendors, and architect/engineers.