When discussing nuclear safety we are often told by the nuclear industry that they have ‘fail-safes’, ‘built-in redundancy’, etc. that make their reactors ‘safe’. In this post I shall explore some of these claims. It will, hopefully, not bring up any surprises for people involved in nuclear safety, but it may be useful to others.
The Failure of Fail-safe
A fail-safe design is one in which, if a component fails, it does so in a way that minimises the harm done. However, what this often means in practice is that it fails ‘safe’ for the failure scenario the designers believe is most probable. At Fukushima Daiichi 1 a component called the ‘isolation condenser’ shut down because the most probable scenario was thought to be a pipe break¹; this was the ‘fail-safe’ action. However, during the accident at the plant this effectively left the reactor with no cooling. The fail-safe action therefore resulted in fail-extremely-unsafe. If it had been designed to ‘fail-safe’ by not shutting down, it would have failed dangerously if there had been a pipe break. For something to be truly ‘fail-safe’ it must fail to a safe condition in all circumstances, not just the one the designers expected. This problem with fail-safe has also been discussed elsewhere².
Redundancy
I will use a rather simple model to explain the problems with ‘redundancy’. The basic idea of redundancy is that you have more than one component able to do the same task. Let us say you have a valve that controls the flow of water into or out of the reactor. We also assume that there is no ‘fail-safe’ position, as discussed above. Sometimes we need the water to flow and at other times we need the water to stop flowing.
The valve is not 100% reliable and could fail. So what we could do is have two valves in series: if the first fails to shut, we can use the second to stop the flow.
However, we have now created a new problem. What happens if we want the water to flow but one of the valves has failed shut? In fact, since we now have two valves that could fail, we have (to a first approximation) doubled the probability that one of them will fail shut and block the flow.
We could get round this by adding a completely separate pipe with its own pair of valves.
So now, if we cannot get water through the first pipe because a valve is stuck shut, we can get it through the second pipe.
However, we have now increased the number of valves to four and the number of pipes to two. Valves can leak, so we now have roughly four times the probability of a valve leak that we had with one valve. We have also doubled the probability of a broken pipe.
Worse still, if the blue box on the right is some important engineering feature such as a reactor pressure vessel, we have now doubled the number of holes in it for the pipes to go through. Such penetrations of the reactor pressure vessel greatly increase the probability of a leak or failure of the reactor pressure vessel.
Although redundancy can be a valuable safety feature, it always comes at the cost of additional complexity and more components that can fail. Redundancy against one failure mode (a valve stuck open) is bought with increased exposure to others (valves stuck shut, leaks, pipe breaks, vessel penetrations). At some point adding yet more redundancy actually decreases safety rather than increasing it.
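The valve-and-pipe model above can be written down as a small reliability calculation. The following Python is an added worked example, not part of the original post: it takes assumed, illustrative per-component failure probabilities (not data from any plant) and computes the system-level probability of each failure mode for the three arrangements discussed (one valve; two valves in series; two parallel pipes each with two valves). It is written for any number of pipes and valves per pipe, so it goes slightly beyond the three cases in the text. Independent failures are assumed throughout; the post's "doubled" and "four times" are the small-probability approximations of the exact values 1 − (1 − p)² and 1 − (1 − p)⁴ that the code returns.

```python
"""Reliability model for the redundancy discussion above (added example).

All probabilities below are assumed for illustration only; they are not
measured values for any real valve, pipe or plant.
"""

# Assumed per-component failure probabilities (illustrative, constructed).
P_STUCK_OPEN = 0.01    # valve fails to shut when commanded to shut
P_STUCK_SHUT = 0.01    # valve fails to open when commanded to open
P_VALVE_LEAK = 0.005   # valve leaks
P_PIPE_BREAK = 0.002   # pipe breaks


def p_any(probs):
    """Probability that at least one of several independent events occurs."""
    p_none = 1.0
    for p in probs:
        p_none *= (1.0 - p)
    return 1.0 - p_none


def p_all(probs):
    """Probability that every one of several independent events occurs."""
    prod = 1.0
    for p in probs:
        prod *= p
    return prod


def failure_modes(n_pipes, valves_per_pipe,
                  p_open=P_STUCK_OPEN, p_shut=P_STUCK_SHUT,
                  p_leak=P_VALVE_LEAK, p_pipe=P_PIPE_BREAK):
    """System-level failure probabilities for n_pipes parallel pipes,
    each carrying valves_per_pipe valves in series (independent failures)."""
    # A single pipe keeps flowing when told to stop only if EVERY valve
    # on it is stuck open (series valves: any one shutting is enough).
    pipe_cannot_stop = p_all([p_open] * valves_per_pipe)
    # A single pipe is blocked when told to flow if ANY valve on it is
    # stuck shut.
    pipe_blocked = p_any([p_shut] * valves_per_pipe)
    n_valves = n_pipes * valves_per_pipe
    return {
        # Flow cannot be stopped if any one of the parallel pipes
        # cannot be stopped.
        "cannot_stop_flow": p_any([pipe_cannot_stop] * n_pipes),
        # Flow cannot be started only if every parallel pipe is blocked.
        "cannot_start_flow": p_all([pipe_blocked] * n_pipes),
        # More valves and pipes: more things that can leak or break.
        "valve_leak": p_any([p_leak] * n_valves),
        "pipe_break": p_any([p_pipe] * n_pipes),
        # Each pipe is one penetration of the vessel wall.
        "vessel_penetrations": n_pipes,
    }


# The three arrangements discussed in the post.
ARRANGEMENTS = {
    "one pipe, one valve": (1, 1),
    "one pipe, two valves in series": (1, 2),
    "two pipes, two valves each": (2, 2),
}


def compare_arrangements():
    """Failure-mode table for the three arrangements, keyed by name."""
    return {name: failure_modes(*cfg) for name, cfg in ARRANGEMENTS.items()}


if __name__ == "__main__":
    for name, modes in compare_arrangements().items():
        print(name)
        for mode, value in modes.items():
            print(f"  {mode:20s} {value:.6f}" if isinstance(value, float)
                  else f"  {mode:20s} {value}")
```

Running it shows the trade-off the post describes in numbers: going from one valve to two in series drives `cannot_stop_flow` down by a factor of 100 (0.01 → 0.0001) but roughly doubles `cannot_start_flow` (0.01 → 0.0199); adding the second pipe brings `cannot_start_flow` back down (0.0199 → 0.000396) at the price of roughly four times the valve-leak probability (0.005 → 0.01985), twice the pipe-break probability and a second vessel penetration. The numbers change with the assumed inputs; the shape of the trade-off does not.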
¹ Lessons Learned from the Fukushima Nuclear Accident for Improving Safety of U.S. Nuclear Plants, The National Academies (http://www.nap.edu/catalog.php?record_id=18294)
² Passive safety: staying on track, Nuclear Engineering International, 25 September 2014 (http://www.neimagazine.com/features/featurepassive-safety-staying-on-track-4385660/)