Fukushima simply worked and is still working. With 3 reactor buildings lying in ruins and a dry spent fuel pit, that may seem like a strange statement to make, but bear with me and I’ll back it up.
The media likes to refer to what happened at the plant as a disaster. To me it’s hard to have a large disaster when only one person was killed (the crane operator killed by the Unit 1 hydrogen explosion) and no one was injured. Further, no member of the public was injured or killed or even exposed to a harmful amount of radiation.
The earthquake was a disaster. The tsunami was a disaster. The plant destruction, while a financial disaster to TEPCO, is what I call an incident.
We’ve now had 4 core melt incidents (1 at TMI-2 and three at Fukushima) and the result has been the same in each case. Instead of the molten core melting through the building and heading for China (the China Syndrome) as the detractors of nuclear power would have you believe, the systems worked as designed, contained the aftermath and no member of the public was harmed. (Other than psychologically from the carryings-on of the irresponsible media and certain government officials.) In other words, the plants simply worked, even when faced with stresses far beyond what anyone could have anticipated.
There is a reason why they worked. The reason lies with the two bedrocks of nuclear power engineering: Engineered Safeguards and Defense in Depth.
“Engineered Safeguards” means that every component and structure in the plant that can affect safety is actively engineered to be safe. Many times over. “Defense in Depth” means that more than one safety system addresses each identified risk. To use the analogy of a soldier, he is not only provided with a bullet-resistant flak jacket but also enclosed in an armored personnel carrier and that carrier is located behind a strong wall or berm.
Every component that affects safety is duplicated at least twice. That means that there are two redundant indicators of reactor water level, for example. Two HPCI pumps when one will do the job. Two sets of batteries. Multiple diesel generator sets. For really critical things such as the containment of radioactive materials, there are several layers of protection, one inside the other (defense in depth). There’s the reactor building that is inside the primary containment vessel that is inside the secondary containment and so on.
The strength of these components and systems is based on “design basis” incidents. 500 year floods, 500 year earthquakes, loss of all off-site power, multiple simultaneous plant component failures and so on. These are known as “maximum credible events” (MCE). The engineers typically design the systems to withstand twice the MCE and then some.
It is anticipated that something beyond an MCE might happen, something that would overwhelm the plant’s systems. If that happens, the systems are designed to fail gracefully and with the least potential to harm civilians.
It is not possible to imagine every possible MCE beforehand so some learning has been involved. For example, before TMI-2, an almost total core melt was not considered a credible event. If a LOCA (loss of coolant accident) happened, the multiply redundant cooling systems were designed to minimize core damage. The engineers didn’t anticipate that an operator would turn off said systems as happened at TMI.
Thus the huge production of hydrogen as the fuel cladding reacted with the steam and remaining cooling water was not provided for. The hydrogen concentration built up in TMI-2’s containment building and eventually exploded. The PWR (pressurized water reactor) containment building is also the primary pressure boundary to the outside world and so was designed strong enough to contain this explosion. The net result was simply an ominous rumble.
Based on that experience, a “lesson learned” was that a total core failure was a credible event and that the resulting hydrogen production had to be provided for. In US plants, that consists of hydrogen recombiner systems (catalytic reactors that combine the hydrogen and oxygen back into water) and a containment hydrogen ignition system (glow-plug like things mounted in the top of the containment and designed to ignite the hydrogen before it reaches an explosive concentration).
There was a whole book’s worth of “lessons learned” that came out of TMI-2. They were published by the NRC as RegGuide 1.97. Every US plant had to make modifications to incorporate these lessons learned. There will be a similar book published from what is learned from Fukushima after the dust settles.
Before Fukushima, the total loss of off-site power AND the loss of the multiply redundant diesel generators was considered to be a non-credible event. It follows that a total station blackout was not considered credible. Fukushima has taught us that such a blackout is possible. Even as I type, US utilities are scrambling to procure semi-trailer-mounted “portable” generators and diesel-powered pumps and to locate them on high ground above any possible flooding event.
Back to Fukushima working. It was anticipated that excess pressure might build up in the containment vessel during an incident and so containment atmospheric vents were provided. These vents could discharge either into the reactor building or to the atmosphere. The operators chose to vent to the reactor building, not knowing about the hydrogen from the core damage (station blackout, no instruments, remember), and what followed were the hydrogen explosions.
Even when the relatively lightly constructed reactor building was destroyed by the hydrogen explosion, the reactor vessel was not harmed. It and the form-fitting containment structure are safely nestled in many feet of concrete. On top is a lid called the “missile shield” (many feet of steel-reinforced concrete) that is designed to protect against such events.
So even though the station suffered a total blackout AND the reactor lost all its cooling water AND the reactor building exploded, the reactor vessel and containment vessel did their jobs and contained the core debris. The tiny bit that did escape was harmless to anyone outside the plant site boundary, the ill-advised evacuation notwithstanding. In other words, the system worked.
No other industrial process provides for such a degree of protection to the public. The Bhopal, India chemical plant explosion demonstrated what a “simple” chemical explosion could do – thousands killed and many more injured.
Nuclear power is not only the safest and cleanest form of large-scale power production, it is probably the safest large-scale industrial process, period. To the engineers who designed these plants I say “Good Job!”