Examples of reactors using passive safety features

Three Mile Island Unit 2 was unable to contain about 480 PBq of radioactive noble gases from release into the environment and around 120 kL of radioactive contaminated cooling water from release beyond the containment into a neighbouring building. The pilot-operated relief valve at TMI-2 was designed to shut automatically after relieving excessive pressure inside the reactor into a quench tank. However the valve mechanically failed causing the PORV quench tank to fill, and the relief diaphragm to eventually rupture into the containment building. The containment building sump pumps automatically pumped the contaminated water outside the containment building. Both a working PORV with quench tank and separately the containment building with sump provided two layers of passive safety. An unreliable PORV negated its designed passive safety. The plant design featured only a single open/close indicator for the PORV rather than separate open and close indicators. This rendered the mechanical reliability of the PORV indeterminate directly, and therefore its passive safety status indeterminate. The automatic sump pumps and/or insufficient containment sump capacity negated the containment building designed passive safety.

The notorious RBMK graphite moderated, water cooled reactors of Chernobyl Power Plant disaster were designed with a positive void coefficient with boron control rods on electromagnetic grapples for reaction speed control. To the degree that the control systems were reliable, this design did have a corresponding degree of active inherent safety. The reactor was unsafe at low power levels because erroneous control rod movement would have a counter-intuitively magnified effect. Chernobyl Reactor 4 was built instead with manual crane driven boron control rods that were tipped with the moderator substance, graphite, a neutron reflector. It was designed with an Emergency Core Cooling System (ECCS) that depended on either grid power or the backup Diesel generator to be operating. The ECCS safety component was decidedly not passive. The design featured a partial containment consisting of a concrete slab above and below the reactor - with pipes and rods penetrating, an inert gas filled metal vessel to keep oxygen away from the water cooled hot graphite, a fire-proof roof, and the pipes below the vessel sealed in secondary water filled boxes. The roof, metal vessel, concrete slabs and water boxes are examples of passive safety components. The roof in the Chernobyl Power Plant complex was made of bitumen - against design - rendering it ignitable. Unlike the Three Mile Island accident, neither the concrete slabs nor the metal vessel could contain a steam, graphite and oxygen driven hydrogen explosion. The water boxes could not sustain high pressure failure of the pipes. The passive safety components as designed were inadequate to fulfil the safety requirements of the system.

The General Electric Company ESBWR (Economic Simplified Boiling Water Reactor, a BWR) is a design reported to use passive safety components. In the event of coolant loss, no operator action is required for three days.

The Westinghouse Electric Company AP-1000 ("AP" standing for "Advanced Passive") is a design reported to use passive safety components. In the event of an accident, no operator action is required for 72 hours.

The integral fast reactor was a fast breeder reactor run by the Argonne National Laboratory. It was a sodium cooled reactor capable of withstanding a loss of (coolant) flow without SCRAM and loss of heatsink without SCRAM. This was demonstrated throughout a series of safety tests in which the reactor successfully shut down without operator intervention. The project was canceled due to proliferation concerns before it could be copied elsewhere.

The Molten-Salt Reactor Experiment was a molten salt reactor run by the Oak Ridge National Laboratory. It was a fluoride salt cooled reactor in which the fuel molecules function also as a molten fluoride salt coolant. It featured thermochemical freeze valves in which the molten salt was actively cooled to freezing point by air in flattened sections of the Hastelloy-N salt piping to block flow. If the reactor vessel developed excessive heat or if electric power was lost to the air cooling, then the fuel and coolant could thermochemically penetrate the valve into drain tanks away from the neutron reflector becoming sub-critical enroute for passive or active water cooling. During testing, it was observed that about 6–10% of the calculated 54 Ci/day (2.0 TBq/day) production of tritium diffused out of the fuel system into the containment cell atmosphere and another 6–10% reached the air through the heat removal system. Inhalation of 70 GBq of tritium is equivalent to an adult human dose of 3 Sv in which 50% of cases would be expected to die within 30 days. The fluoride salt molecular bond passive safety component failed to prevent tritium production from fission thus presenting a proliferation risk. The fluoride salt molecular bonds did not prevent tritium from leaking into the containment.

The fleet of BWRs and PWRs operating within the last 10 years in the United States have reported on 42 occasions a quarterly average daily tritium emission level of more than 22 mCi/day (70 GBq/day) from a power plant. During the first quarter of 2001 Palo Verde Unit 1 released on average 9 Ci/day (333 GBq/day) tritium gas. The passive safety component of water as neutron moderator failed to prevent excessive tritium gas (hydrogen with 2 neutrons) from being released from the plant as gas for dilution with air rather than water diluted tritiated water. Inhalation of tritium is absorbed at almost twice the rate as ingested tritium.

Examples of passive safety in operation

Traditional reactor safety systems are active in the sense that they involve electrical or mechanical operation on command systems (e.g., high-pressure water pumps). But some engineered reactor systems operate entirely passively, e.g., using pressure relief valves to manage overpressure. Parallel redundant systems are still required. Combined inherent and passive safety depends only on physical phenomena such as pressure differentials, convection, gravity or the natural response of materials to high temperatures to slow or shut down the reaction, not on the functioning of engineered components such as high-pressure water pumps.

Current pressurized water reactors and boiling water reactors are systems that have been designed with one kind of passive safety feature. In the event of an excessive-power condition, as the water in the nuclear reactor core boils pockets of steam are formed. These steam voids moderate fewer neutrons, causing the power level inside the reactor to lower. The BORAX experiments and the SL-1 meltdown accident proved this principle.

A reactor design whose inherently safe process directly provides a passive safety component during a specific failure condition in all operational modes is typically described as relatively fail-safe to that failure condition. However most current water cooled and moderated reactors, when scrammed, can not remove residual production and decay heat without either process heat transfer or the active cooling system. In other words, whilst the inherently safe heat transfer process provides a passive safety component preventing excessive heat in operational mode "On", the same inherently safe heat transfer process does not provide a passive safety component in operational mode "Off (SCRAM)". The Three Mile Island accident exposed this design deficiency: the reactor and steam generator were "Off" but with loss of coolant it still suffered a partial meltdown.

Third generation designs improve on early designs by incorporating passive or inherent safety features which require no active controls or (human) operational intervention to avoid accidents in the event of malfunction, and may rely on pressure differentials, gravity, natural convection, or the natural response of materials to high temperatures.

In some designs the core of a fast breeder reactor is immersed into a pool of liquid metal. If the reactor overheats, thermal expansion of the metallic fuel and cladding causes more neutrons to escape the core, and the nuclear chain reaction can no longer be sustained. The large mass of liquid metal also acts as a heatsink capable of absorbing the decay heat from the core, even if the normal cooling systems would fail.

The pebble bed reactor is an example of a reactor exhibiting an inherently safe process that is also capable of providing a passive safety component for all operational modes. As the temperature of the fuel rises, Doppler broadening increases the probability that neutrons are captured by U-238 atoms. This reduces the chance that the neutrons are captured by U-235 atoms and initiate fission, thus reducing the reactor's power output and placing an inherent upper limit on the temperature of the fuel. The geometry and design of the fuel pebbles provides an important passive safety component.

Single fluid fluoride molten salt reactors feature fissile, fertile and actinide radioisotopes in molecular bonds with the fluoride coolant. The molecular bonds provide a passive safety feature in that a loss-of-coolant event corresponds with a loss-of-fuel event. The molten fluoride fuel can not itself reach criticality but only reaches criticality by the addition of a neutron reflector such as pyrolytic graphite. The higher density of the fuel along with additional lower density FLiBe fluoride coolant without fuel provides a flotation layer passive safety component in which lower density graphite that breaks off control rods or an immersion matrix during mechanical failure does not induce criticality. Gravity driven drainage of reactor liquids provides a passive safety component.

Some reactors such as the liquid metal and molten salt variants use Thorium-232 fuel which is more abundant in nature than Uranium isotopes and requires no enrichment. The difficulty of enrichment in the Uranium fuel cycle provides a passive safety component against nuclear proliferation. Neutron capture of Thorium-232 breeds both the fissile Uranium-233 and trace amounts of Uranium-232 by neutron knock-off. Neutron cross-section and decay products of Uranium-232 complicate designs and damage electronics if built into nuclear weapons, although Operation Teapot demonstrated its plausibility. Isolation of Uranium-233 from Uranium-232 is not currently believed possible providing a partial passive safety component against nuclear proliferation.

Low power pool-type reactors such as the SLOWPOKE and TRIGA have been licensed for unattended operation in research environments because as the temperature of the low-enriched (19.75% U-235) uranium alloy hydride fuel rises, the molecular bound hydrogen in the fuel cause the heat to be transferred to the fission neutrons as they are ejected. This Doppler shifting or spectrum hardening dissipates heat from the fuel more rapidly throughout the pool the higher the fuel temperature increases ensuring rapid cooling of fuel whilst maintaining a much lower water temperature than the fuel. Prompt, self-dispersing, high efficiency hydrogen-neutron heat transfer rather than inefficient radionuclide-water heat transfer ensures the fuel cannot melt through accident alone. In uranium-zirconium alloy hydride variants, the fuel itself is also chemically corrosion resistant ensuring a sustainable safety performance of the fuel molecules throughout their lifetime. A large expanse of water and the concrete surround provided by the pool for high energy neutrons to penetrate ensures the process has a high degree of intrinsic safety. The core is visible through the pool and verification measurements can be made directly on the core fuel elements facilitating total surveillance and providing nuclear non-proliferation safety. Both the fuel molecules themselves and the open expanse of the pool are passive safety components. Quality implementations of these designs are arguably the safest nuclear reactors.

Passive Nuclear Safety

Passive nuclear safety is a safety feature of a nuclear reactor that does not require operator actions or electronic feedback in order to shut down safely in the event of a particular type of emergency (usually overheating resulting from a loss of coolant or loss of coolant flow). Such reactors tend to rely more on the engineering of components such that their predicted behaviour according to known laws of physics would slow, rather than accelerate, the nuclear reaction in such circumstances. This is in contrast to some older reactor designs, where the natural tendency for the reaction was to accelerate rapidly from increased temperatures, such that either electronic feedback or operator triggered intervention was necessary to prevent damage to the reactor.

Terming a reactor 'passively safe' is more a description of the strategy used in maintaining a degree of safety, than it is a description of the level of safety. Whether a reactor employing passive safety systems is to be considered safe or dangerous will depend on the criteria used to evaluate the safety level. This said, modern reactor designs have focused on increasing the amount of passive safety, and thus most passively-safe designs incorporate both active and passive safety systems, making them substantially safer than older installations. They can be said to be "relatively safe" compared to previous designs.

Reactor vendors like to call their new generation reactors 'passively safe' but this term is sometimes confused with 'inherently safe' in the public perception. It is very important to understand that there are no 'passively safe' reactors or 'passively safe' systems, only 'passively safe' components of safety systems exist. Safety systems are used to maintain control of the plant if it goes outside normal conditions in case of anticipated operational occurrences or accidents, while the control systems are used to operate the plant under normal conditions. Sometimes a system combines both features. Passive safety refers to safety system components, whereas inherent safety refers to control system process regardless of the presence or absence of safety specific subsystems.

As an example of a safety system with 'passively safe' components, let us consider the containment of a nuclear reactor. 'Passively safe' components are the concrete walls and the steel liner, but in order to fulfil its mission active systems have to operate, e.g. valves to ensure the closure of the piping leading outside the containment, feedback of reactor status to external instrumentation and control (I&C) both of which may require external power to function.

The International Atomic Energy Agency (IAEA) classifies the degree of "passive safety" of components from category A to D depending on what the system does not make use of:

  1. no moving working fluid
  2. no moving mechanical part
  3. no signal inputs of 'intelligence'
  4. no external power input or forces

In category A (1+2+3+4) is the fuel cladding using none of these: It is always closed and keeps the fuel and the fission products inside and is not open before arriving at the reprocessing plant. In category B (2+3+4) is the surge line, which connects the hot leg with the pressurizer and helps to control the pressure in the primary loop of a PWR and uses a moving working fluid when fulfilling its mission. In category C (3+4) is the accumulator, which does not need signal input of 'intelligence' or external power. Once the pressure in the primary circuit drops below the set point of the spring loaded accumulator valves, the valves open and water is injected into the primary circuit by compressed nitrogen. In category D (4 only) is the SCRAM which utilizes moving working fluids, moving mechanical parts and signal inputs of 'intelligence' but not external power or forces: the control rods drop driven by gravity once they have been released from their magnetic clamp. But nuclear safety engineering is never that simple: Once released the rod may not fulfil its mission: It may get stuck due to earthquake conditions or due to deformed core structures. This shows that though it is a passively safe system and has been properly actuated, it may not fulfil its mission. Nuclear engineers have taken this into consideration: Typically only a part of the rods dropped are necessary to shut down the reactor. Samples of safety systems with passive safety components can be found in almost all nuclear power stations: the containment, hydro-accumulators in PWRs or pressure suppression systems in BWRs.

In most texts on 'passively safe' components in next generation reactors, the key issue is that no pumps are needed to fulfil the mission of a safety system and that all active components (generally I&C and valves) of the systems work with the electric power from batteries.

IAEA explicitly uses the following caveat:

... passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.

Nuclear reactor response properties such as Temperature coefficient of reactivity and Void coefficient of reactivity usually refer to the thermodynamic and phase-change response of the neutron moderator heat transfer process respectively. Reactors whose heat transfer process has the operational property of a negative void coefficient of reactivity are said to possess an inherent safety process feature. An operational failure mode could potentially alter the process to render such a reactor unsafe.

Reactors could be fitted with a hydraulic safety system component that increases the inflow pressure of coolant (esp. water) in response to increased outflow pressure of the moderator and coolant without control system intervention. Such reactors would be described as fitted with such a passive safety component that could - if so designed - render in a reactor a negative void coefficient of reactivity, regardless of the operational property of the reactor in which it is fitted. The feature would only work if it responded faster than an emerging (steam) void and the reactor components could sustain the increased coolant pressure. A reactor fitted with both safety features - if designed to constructively interact - is an example of a safety interlock. Rarer operational failure modes could render both such safety features useless and detract from the overall relative safety of the reactor.