Reviewing the Safety of Nuclear Power Plants — Part 2: Resuming nuclear power generation is a highly dangerous choice that may cause another Fukushima-scale disaster
By Goto Masashi, Doctor of Engineering, Former Nuclear Plant Engineer, Member of Citizens’ Commission on Nuclear Energy
2. Reviewing the safety of nuclear power plants
The first nuclear power plants restarted after the Fukushima disaster were PWRs. However, in the early autumn of 2024, BWRs were restarted. To review the safety of nuclear power plants, I would like to discuss the problems of these light-water reactors, and then review the particular problems of PWRs and BWRs.
2-1 Defining safety
The international basic safety standard, ISO/IEC GUIDE 51:2014, defines safety as a state in which no impermissible risks exist. A risk is generally expressed as the product of the degree of damage and its probability (frequency); this multiplication is not the only method, but I would prefer not to examine the issue further here. Risk theory traditionally regarded minor damage of high probability as equivalent to major damage of low probability; since the Fukushima disaster, however, this basic philosophy has been changing (or so it seems to me, at least). More specifically, for minor or frequently seen accidents the two types of damage can be regarded as equivalent, but a nuclear power plant accident should be regarded as impermissible if the damage is major and deemed intolerable, even if its probability is very small. Even if the probability of an accident is very low, immense damage cannot be tolerated once it occurs. Such risks should therefore be avoided. I would like to take airliner accidents as a typical case. Airliner accidents are extremely rare (irrespective of the causes) but do occur: on January 2, 2024, there was an airliner crash at Haneda airport, and on December 29 of the same year, an airliner failed to land correctly in Korea. The death tolls of the two accidents were very different, but considering the nature of airliner accidents, both might have resulted in more victims. In the Haneda accident in particular, all those on board the Japan Air Lines plane survived, but this should be regarded as very fortunate.
One thing we should remember when thinking about risks is that those who create a risk and those who are affected by it are different people. In addition, those who create a risk should have a social justification for doing so. As a precondition, the act of creating a risk should be communicated to all those concerned, especially those affected by it, and these people should have access to the information and be able to discuss it as equals at the planning stage.
An airliner accident may result in a high death toll. However, the use of airliners is regarded as unavoidable. This may look the same as nuclear power plants, but airliner accidents and the existence of airliners are socially accepted. Many people take out life insurance when boarding an airliner, which shows that there is a social consensus on the damage an airliner accident can cause. In particular, deciding whether or not to fly is up to each person. The damage from a nuclear power plant accident, however, is limitless, and however convenient nuclear power plants may be, they cannot be run without the approval of the people living nearby.
2-2 High reliability does not mean high safety
When products are produced in a factory, reliability, expressed as how many products out of the total production are unacceptable (defective), is an important indicator. Reliability can be increased by improving the accuracy of the machines and thereby reducing the number of defective products. However, no matter how high the reliability may be, and even if unacceptable products decrease in number, some defective products are still produced. Safety depends on how serious a product failure may be and whether it is acceptable in terms of human harm. For example, if a person is injured and the injury is curable, it may be acceptable, but if the injury is irreversible, such as the loss of a hand or of vision, or if it is fatal, it cannot be acceptable under any circumstances.
If product reliability is improved and the number of defective products is reduced, that is good for the economy. Safety, however, is totally different. If a failure may bring about an unrecoverable result such as a human death, the product cannot be called safe even if such a failure is extremely rare, no matter how high the reliability may be.
Thus, in the case of machinery, high reliability means fewer failures. But if a failure may produce impermissible damage, the machine cannot be called safe. Conversely, a machine that breaks down frequently and has low reliability is safe if its failures cannot cause a human death or irrecoverable injury.
2-3 Difference between probabilistic safety and deterministic safety
— Difference in engineering philosophy —
Taking as an example the braking system that stops the wheels of rolling stock or a similar vehicle, I would like to introduce two different types of mechanism from the viewpoint of safety.

Figure 1. Probabilistic Safety and Deterministic Safety (Source: Chapter 6, Special Report 6, Citizens’ Commission on Nuclear Energy.)
In Figure 1, a), “Braking system with probabilistic construction,” the brake is off while the button (switch) is off. When the button is pressed, the power supply is turned on, energizing the electromagnet and applying the brake. In this case, if any component in the circuit, including the switch, battery, wiring, or electromagnet, fails, the brake will not operate. The brake therefore fails according to the failure probability (the complement of reliability) of its components, and the more components there are, the higher the probability of failure: with 100 components, the probability of failure is roughly 100 times higher. If any component breaks down, no current flows around the circuit and the brake does not work. In other words, if any component has already failed when the button is pressed to apply the brake in an emergency, the brake does not act and a collision may occur. The more components, the higher the probability of a component failure, and the more accidents. This is called a probabilistic configuration, and the resulting safety is called probabilistic safety.
In the braking system of a deterministic configuration shown in Figure 1, b), current is always flowing, and the brake is held off by an electromagnet that works against a heavy weight (gravity), pulling the brake clear. If the button (switch) is released, the power is cut off, the electromagnet is de-energized, and the brake is applied by gravity. In this configuration, too, the more components there are, the more frequently a failure may occur. When a failure occurs, however, the brake is applied automatically and, in principle, no accident will occur. More components may cause more failures, but even when a failure occurs, the brake, as the safety system, works without fail. If such a system is used for the safety of important machinery, accidents will be extremely rare, and such a safety system is called deterministic safety. Any equipment associated with safety should be configured according to this approach. Probabilistic safety is useful as an economic indicator, namely, for evaluating the reliability of a plant, but as a safety measure to protect human lives, it is basically insufficient.
However, even if such a “deterministic” configuration is used, “absolute safety” is not necessarily achieved. The mechanism that applies the brake is deterministically safe, but it relies on prerequisites: that the shoe (the component that actually produces the braking force) is not worn, that the brake drive mechanism has not broken down, and that the wheels and axle are not broken in some way. This discussion of mechanisms is a conceptual design philosophy, and the integrity of the peripheral components must be checked separately; nevertheless, whether the mechanism is in a “probabilistic configuration” or a “deterministic configuration” is the decisive point for its safety as a safety device. To prevent failure of the brake drive mechanism and wear of the brake shoe, a design with sufficient margins and a proper maintenance control system are required.
Nuclear power partially includes this kind of “deterministic configuration,” for example in the control rod drive system and the reactor protection system, but a major part of nuclear power does not use “deterministic configurations”: the cooling system and the primary containment vessel system, for example, do not. Those promoting nuclear power say, “Although safety is not perfect, multiple layers of protection and defense in depth should be able to realize sufficient safety” (author’s comments italicized); nevertheless, relying on such a principle as the basic philosophy of safety is questionable.
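The two circuits of Figure 1 can be modelled to make the argument of 2-3 concrete. The following is an added example, not code from the article or from the Citizens’ Commission; it assumes that every component in the circuit fails independently with the same probability `p_fail`, that a failed component breaks the circuit so that no current flows, and that a worn brake shoe (the caveat raised above) defeats either wiring. The configuration names, the `shoe_worn` flag and the numbers are constructed for illustration. For a security engineer this is the familiar fail-closed versus fail-open distinction: in the deterministic wiring a component failure can only produce a spurious stop, never a missing one.

```python
"""Added example (not part of the article): a model of the two brake circuits
in Figure 1.  Assumptions: every component fails independently with the same
probability p_fail, a failed component breaks the circuit so no current flows,
and a worn shoe defeats either wiring.  Names and numbers are constructed."""


def p_circuit_broken(n_components: int, p_fail: float) -> float:
    """Probability that at least one of n series-connected components has failed.

    The article's rule of thumb "100 components -> 100 times the failure
    probability" is the first-order approximation n * p_fail; the exact value
    is slightly lower because two components may fail at the same time."""
    return 1.0 - (1.0 - p_fail) ** n_components


def brake_engaged(config: str, stop_requested: bool, circuit_broken: bool,
                  shoe_worn: bool = False) -> bool:
    """Whether the brake actually acts, for one wiring configuration.

    'probabilistic' (Figure 1 a): pressing the button closes the circuit and
        the electromagnet pulls the brake on.  A broken circuit means no brake.
    'deterministic' (Figure 1 b): current flows while the button is held and
        the electromagnet holds the brake OFF against a weight.  Releasing the
        button, or any broken component, cuts the current and gravity applies
        the brake.
    shoe_worn models the caveat in 2-3: no wiring helps if the brake shoe
    itself is gone; that has to be covered by maintenance, not by the circuit."""
    if shoe_worn:
        return False
    if config == "probabilistic":
        return stop_requested and not circuit_broken
    if config == "deterministic":
        return stop_requested or circuit_broken
    raise ValueError(f"unknown configuration: {config}")


def _outcome_probability(config: str, n_components: int, p_fail: float,
                         stop_requested: bool, brake_on: bool,
                         shoe_worn: bool = False) -> float:
    """Probability that the brake ends in state `brake_on` for a given stop
    request, summing over the two possible circuit states."""
    broken = p_circuit_broken(n_components, p_fail)
    total = 0.0
    for circuit_broken, weight in ((True, broken), (False, 1.0 - broken)):
        if brake_engaged(config, stop_requested, circuit_broken, shoe_worn) == brake_on:
            total += weight
    return total


def collision_probability(config: str, n_components: int, p_fail: float,
                          shoe_worn: bool = False) -> float:
    """Dangerous failure: an emergency stop is requested but the brake does not act."""
    return _outcome_probability(config, n_components, p_fail, True, False, shoe_worn)


def spurious_stop_probability(config: str, n_components: int, p_fail: float) -> float:
    """Nuisance failure: no stop requested but the brake acts anyway (safe, but costly)."""
    return _outcome_probability(config, n_components, p_fail, False, True)


def compare(n_components: int = 100, p_fail: float = 0.001) -> dict:
    """Summarise both configurations for the same component count."""
    return {
        config: {
            "circuit_broken": p_circuit_broken(n_components, p_fail),
            "collision": collision_probability(config, n_components, p_fail),
            "spurious_stop": spurious_stop_probability(config, n_components, p_fail),
        }
        for config in ("probabilistic", "deterministic")
    }


if __name__ == "__main__":
    for config, result in compare().items():
        print(config, {k: round(v, 4) for k, v in result.items()})
```

With 100 components at 0.1% each, the circuit is broken about 9.5% of the time in both configurations; the probabilistic wiring turns all of that into a missing brake when a stop is requested, while the deterministic wiring turns all of it into an unrequested stop and never into a collision. Setting `shoe_worn=True` gives a collision probability of 1 for both, which is the point of the caveat: the wiring decides how the circuit fails, and maintenance has to cover the rest.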
2-4 Characteristics of nuclear power generation technology
(1) Generation of radioactive substances and the impacts of exposure to radiation
Unlike ordinary chemical reactions, nuclear reactions change the nucleus itself: various radioactive substances are produced, with different half-lives (the period over which a substance’s radioactivity falls by half as it emits radiation), including some with short half-lives, some with very long half-lives of over tens of thousands of years, and even some that do not exist in the natural environment. Accordingly, the radioactive waste left by nuclear fission after power generation contains a variety of radioactive substances, and tens of thousands of years are required before its radioactive impact on the environment ceases. Radiation damages human cells and requires strict dose control. The organizations that promote nuclear power have historically attempted to ignore or hide the long-term impact of radioactivity in the investigation and research on the radiation damage suffered by Hiroshima atomic bomb victims. The impact of radioactivity from nuclear power generation (especially low-dose exposure) has been underestimated or ignored, and unscientific arguments have been disseminated.
Radiation is not visible, and there is no lower threshold below which radiation is harmless, which means that exposure should be avoided as far as possible. Radioactive substances taken into the body with food or inhaled air expose the body from within (internal exposure). A person may therefore be exposed to radiation without noticing. The exposure caused by highly radioactive plumes immediately after the Fukushima disaster has not been properly examined. Unless radioactivity is controlled properly, people may suffer exposure.
It is known that, in some applications, radioactivity is useful for human activities, such as medical radiation and nondestructive inspection using radioactive sources. In terms of energy supply, however, there are other promising sources. It must be remembered that choosing to use nuclear energy places irrevocable burdens on the future of humanity, carries the possibility of causing disasters, and requires control for hundreds of years once it is started.
(2) Uncontrollable energy level
A nuclear accident occurs when an “external event (such as a natural phenomenon, airliner crash, or terrorism),” “internal event (failure of a device, piping, etc.),” and/or human error occurs alone or in combination (Figure 2).
The background to an accident involves various environmental factors, such as economic and social factors, regulations and standards, the nature of organizations, their culture, and so on. A problem peculiar to natural phenomena is that the largest possible scale is unknown. For example, if an earthquake is caused by an active fault or faults, it is not always possible to know all the subterranean conditions. Several earthquakes may occur at the same time, producing an unexpectedly large earthquake. As for tsunami, although this was a special case, the biggest tsunami ever recorded occurred in 1958 at Lituya Bay in Alaska, U.S.: a tsunami 524 meters in wave height was produced when an earthquake of magnitude 7.7 triggered a large-scale hillside collapse. Such a gigantic tsunami can occur only under very limited conditions, but over the long term, tsunamis of tens of meters can occur in the seas close to Japan. In fact, a tsunami of tens of meters in height occurred near Indonesia after a volcanic eruption. A nuclear power plant accident occurs rarely, but safety can only be secured when the largest possible scale of physical phenomena is assumed. This is one of the lessons learned from the Fukushima disaster.
If a nuclear accident occurs, the energy level rises over time. A nuclear plant is therefore designed with multiple safety mechanisms to suppress the energy level. However, if the multi-layer protection fails to suppress the energy, the energy level rises rapidly and far exceeds the limits of the strength of the protective materials. With other technologies, the energy level subsides naturally if an accident is left to run its course, but nuclear energy may reach a destructive level beyond the limits of the materials. When energy suppression fails, both pressure and temperature will immediately exceed their limits. Controlling a nuclear accident is a struggle against time (Figure 3).
(3) How to handle the gray zone
Suppose there is a safe situation and a dangerous situation; there will also be a gray zone in which it is unknown whether the situation is safe or dangerous (Figure 4).
If the “danger detection approach” is used, in which operations cease only when a danger (or a symptom of one) is detected, operation continues while the situation is in the gray zone. This is because, in the danger detection approach, a situation in the gray zone is treated as safe as long as danger cannot be confirmed.
On the other hand, when the “safety confirmation approach” is used, operation is given the green light only when safety has been confirmed, so that if the situation is in the gray zone, safety cannot be confirmed and operation is suspended (lower part B in Figure 4).
One problem with the danger detection approach concerns nondestructive inspection, which detects defects in metal materials and is common in nuclear power plants. However carefully ultrasonic nondestructive inspection is performed, detecting defects is difficult in some areas, such as welds. The nondestructive inspection of critical components should be carried out carefully, and accident countermeasures are required on the assumption that defects may be overlooked. Nondestructive inspection is a technique of the danger detection approach and must be conducted carefully from the standpoint of human error, such as missed detections, and from the viewpoint of safety. When the integrity of the coating of the steel materials of large structures such as the primary containment vessel of aged nuclear power plants more than 40 years old is inspected under the name of “special inspection,” or nondestructive inspection is conducted to find fatigue cracking, the inspectors should be aware of the weaknesses of the danger detection approach.
At the Roppongi Hills complex in Tokyo, a child was caught in a large revolving door and killed. The operator of the complex said that the door was safe because the infrared sensor would detect any child and stop the door. In reality, the infrared sensor failed to operate, resulting in an irrevocable accident. This shows the limits of the danger detection approach. Some people say that danger detection techniques are justifiable safety measures even though “the measures cannot confirm safety when a sensor fails.” The public believes such arguments and is duped, and this leads to irrevocable accidents. The Fukushima disaster teaches us that nuclear power plant accidents occur in exactly the same way. In the next part of this series, I would like to discuss accidents and technological safety.
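The difference between the two approaches in 2-4 (3), and the way a failed sensor is handled, can be shown by running both policies over the same readings. The following is an added example, not code from the article or from the Citizens’ Commission; the hazard indicator, its two thresholds, the three-zone classification and the “no reading” state standing in for a failed sensor are all constructed for illustration. The same distinction appears in access control as default-allow versus default-deny: a danger detection policy treats a sensor that reports nothing as “no danger seen”, which is exactly the revolving-door failure, while a safety confirmation policy stops because nothing has been confirmed.

```python
"""Added example (not part of the article): the 'danger detection' and
'safety confirmation' policies of 2-4 (3) run against a hazard sensor,
including the case where the sensor returns no reading at all (as in the
revolving-door accident).  Readings, thresholds and the zone model are
constructed for illustration."""
from enum import Enum
from typing import Optional


class Zone(Enum):
    SAFE = "safe"
    GRAY = "gray"
    DANGER = "danger"


def classify(reading: Optional[float], safe_below: float = 0.3,
             danger_above: float = 0.7) -> Zone:
    """Map a hazard indicator in [0, 1] to the three regions of Figure 4.

    A missing reading (None) is not evidence of safety: it lands in the gray
    zone, because nothing has been confirmed either way."""
    if reading is None:
        return Zone.GRAY
    if reading < safe_below:
        return Zone.SAFE
    if reading > danger_above:
        return Zone.DANGER
    return Zone.GRAY


def danger_detection_allows(zone: Zone) -> bool:
    """Danger detection approach: keep operating unless danger is positively
    detected.  The gray zone, including a silent sensor, is treated as safe."""
    return zone is not Zone.DANGER


def safety_confirmation_allows(zone: Zone) -> bool:
    """Safety confirmation approach (Figure 4, lower part B): operate only
    when safety is positively confirmed.  The gray zone stops operation."""
    return zone is Zone.SAFE


def evaluate(readings) -> list:
    """Return, per reading, the zone and what each policy decides."""
    rows = []
    for reading in readings:
        zone = classify(reading)
        rows.append({
            "reading": reading,
            "zone": zone.value,
            "danger_detection": "run" if danger_detection_allows(zone) else "stop",
            "safety_confirmation": "run" if safety_confirmation_allows(zone) else "stop",
        })
    return rows


def policies_disagree(readings) -> list:
    """Readings on which the two policies reach different decisions."""
    return [row["reading"] for row in evaluate(readings)
            if row["danger_detection"] != row["safety_confirmation"]]


# Constructed sample: clearly safe, ambiguous, clearly dangerous, and a sensor
# that returned nothing (failed or disconnected).
SAMPLE_READINGS = [0.1, 0.5, 0.9, None]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_READINGS):
        print(row)
```

The two policies agree whenever the sensor gives a clear answer; they part company only in the gray zone and on the silent sensor, which is where the accidents described above happened. Note that `classify` has to be written so that a missing reading falls into the gray zone rather than silently defaulting to “safe”; if the sensor’s failure mode were to report a low value instead of nothing, even the safety confirmation policy would be fooled, which is the point about checking the integrity of the peripheral components separately.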