Nuclear meltdown

A nuclear meltdown is a severe nuclear reactor incident that results in core damage and is classified as anywhere from Level 4 to Level 7 of the INES.^[1] This can occur when a severe, compounded failure of a nuclear power plant system or components causes the reactor coreto cease being properly cooled to the extent that the sealed nuclear fuel assemblies – which contain the uranium or plutonium and radioactive fission products – begin to overheat and melt. All Western civil nuclear reactors (including those located in the United States) are located within containment buildings; a containment building is a structure, 1.2 to 2.4 meters thick, made of steel-reinforced, pre-stressed, airtight concrete that surrounds the nuclear reactor. A meltdown is considered very serious because of the possibility that thereactor containment could be defeated, thus releasing the core's radioactive and toxic elements into the atmosphere and environment.

From an engineering perspective, a meltdown is referred to as a core damage incident and may result in serious damage to the reactor.

Civil nuclear power has only seen 2 partial meltdowns outside of the former Warsaw Pact and the former Soviet Union. One incident saw a meltdown that required the reactor be repaired; the other led to the permanent shutdown of the reactor in question.

Within the former Soviet Union, and the former Warsaw Pact, several nuclear meltdowns of differing severity have occurred, from localized core damage to complete destruction of the reactor core. This includes the Chernobyl disaster, which was a power excursion that caused a steam explosion, and resulted in core damage. There was subsequently fuel melt, though the main hazard was the scattered fuel fragments. It lead to deaths of persons and resulted in the indefinite civilian evacuation of a large area.

By design, the geometry and composition of the reactor core do not permit the extraordinary conditions necessary for explosively prompt criticality. However, conditions that can cause a meltdown can also cause a steam explosion, which can cause the core to be thrown over a wide area if the reactor is not within a containment building. All Western nuclear reactors are within containment buildings. Each containment building consists of 1.2 to 2.4 meters of steel-reinforced, pre-stressed, airtight concrete, capable of withstanding tornadoes of OF6 scale (320+ mph winds) and seismic accelerations of at least 2 m/s.

Contents [hide] 1 Causes 2 Sequence of Events in Western Light Water Reactors 2.1 If the RPV is breached: Standard failure modes 2.2 If the RPV is breached: speculative failure modes 2.3 If the containment is breached 3 Other Reactor Types 3.1 The case of CANDU reactors 3.2 The case of gas-cooled reactors 3.3 The case of liquid fluoride thermal reactors 3.4 The case of advanced liquid metal reactors 4 Prevention, Suppression, and Containment of Core Damage Events in Former Soviet Reactors 4.1 Former Soviet (and CIS) RBMKs 4.2 Former Soviet (present Russian & ROW) VVERs 4.3 Failure modes analysis 4.3.1 The Chernobyl incident 4.4 Comparability analysis 5 Effects 6 Reactor design 7 Other theoretical consequences of a nuclear meltdown 8 Meltdowns that have occurred 9 See also 10 References 11 External links

[edit]Causes

In some reactor types, the fuel assemblies in the core can melt (a melting incident - colloquially called a "meltdown" is part of a superset of incidents involving nuclear fuel referred to as core damage incidents) due to the result of heat not being removed from the core. A nuclear reactor does not have to remain critical for a core damage incident to occur because decay heat continues to heat the reactor fuel assemblies after the reactor has shut down, though it decreases significantly with time to the point where natural convection within the coolant combined with heat radiation from the RPV (and reradiation of heat from the RPV to the containment) will be sufficient to keep the core in a permanently steady state. This occurs after a period of days to weeks after control rods are reinserted into the reactor.

Core damage, as this is called, is an incident that may result from several factors, including a loss of pressure control accident, a loss of coolant accident (LOCA), an uncontrolled power excursion (not applicable to light water reactors), or a fire within the reactor core (not applicable to light water reactors). Failures in instrumentation and process control systems may amplify or even cause a series of events resulting in loss of cooling, though contemporary improvements in this area, and the philosophy of extreme conservatism in Western reactor design (known as the precautionary principle, or defense in depth) make this scenario not a credible threat any longer.

Except in certain types of former Soviet reactors, such as the RBMK, which was the type of reactor involved in the Chernobyl incident, and was built without any containment building, a core damage incident will not, by itself, result in the release of radioactivity to the environment due to the core being contained by 1.2 - 2.4 m (4 ft - 8 ft) of pre-stressed, steel-reinforced concrete, assuring minimal radioactive release in nearly any conceivable circumstance.

• In a loss of pressure control accident, the pressure of the confined coolant falls below specification without the means to restore it. In some cases this may reduce the heat transfer efficiency (when using an inert gas as a coolant) and in others may form an insulating 'bubble' of steam surrounding the fuel assemblies (for pressurized water reactors). In the latter case, due to localized heating of the steam 'bubble' due to decay heat, the pressure required to collapse the steam 'bubble' may exceed reactor design specifications until the reactor has had time to cool down. (This event is less likely to occur in boiling water reactors, where the core may be deliberately depressurized so that theEmergency Core Cooling System may be turned on).

• In a loss of coolant accident, either the physical loss of coolant (which is typically deionized water, an inert gas, or liquid sodium) or the loss of a method to ensure a sufficient flow rate of the coolant occurs. A loss of coolant accident and a loss of pressure control accident are closely related in some reactors. In a pressurized water reactor, a loss of coolant accident can also cause a steam 'bubble' to form in the core due to excessive heating of stalled coolant or by the subsequent loss of pressure control accident caused by a rapid loss of coolant.

• In an uncontrolled power excursion accident (not applicable to light water reactors), a sudden power spike in the reactor exceeds reactor design specifications due to a sudden increase in reactorreactivity. An uncontrolled power excursion occurs due to significantly altering a parameter that affects the exponential rate of a nuclear chain reaction (examples include ejecting a control rod or significantly altering the nuclear characteristics of the moderator, such as by rapid cooling). In extreme cases the reactor may proceed to a condition known as prompt critical. This is especially a problem in reactors that have a positive void coefficient of reactivity, such as former Soviet RBMKs, a positive temperature coefficient, or can trap certain deleterious fission products within their fuel or moderators, such as former Soviet RBMKs; the Chernobyl disaster was caused by this condition. Western light water reactors are not subject to uncontrolled power excursions because loss of coolant decreases, rather than increases, core reactivity; "transients," as power fluctuations are called, are limited in LWRs to linear increases in reactivity that will rapidly decrease with time (approximately 125% - 150% of maximum thermal power for a few milliseconds in worst-case scenarios).

• Core-based fires (not applicable to light water reactors) may also severely endanger the core and potentially cause the fuel assemblies to melt. A fire inside a reactor may be caused by an air addition to certain non-naval military or non-Western nuclear reactors (as it is possible for graphite to ignite inside the reactor core given oxygen) resulting in the uncontrolled heating of the coolant or moderator of the reactor. Without taking proper precautions Wigner energy may accumulate which will greatly increase the severity of the fire (for example, during the UK military's Windscale fire). Western light water reactors, by design, do not have flammable cores or moderators and are not subject to core fires.

• Byzantine faults and cascading failures within instrumentation and control systems may cause severe problems in reactor operation, potentially leading to core damage. For example, a failure of an instrument to report liquid levels correctly may logarithmically amplify a minor problem, like a stuck-open relief valve; another example would be a fire within a cable-tray that so severely deranges the control pathways to essential machinery that the reactor is unable to be cooled using normal channels. This has been the route that the two emergencies within civil nuclear power in the West occurred. The Browns Ferry fire saw a fire start within a cable spreading room below the reactor control room. The cables were damaged, and reactor remote control was lost for several hours; however, the core was not damaged because plant personnel manually activated cooling systems. (Modifications including backup cable pathways and a secondary control room for safe shutdown have been installed in all Western plants since that time.) The Three Mile Island accident was caused by a stuck-open power operated pressure relief valve combined with a deceptive water level gauge that caused reactor operators to respond in a technically correct but practically wrong fashion to the contingency, which resulted in core damage. (Modifications to respond to this have included enhanced training for reactor operators, better instrumentation design, and redundant instrumentation pathways.)

[edit]Sequence of Events in Western Light Water Reactors

TMI-2 Core End-State Configuration

Within the design of Western reactors, a great deal of work goes into the prevention of a core damage event. Before the core of a nuclear reactor can suffer damage, an extensive number of systems must already completely failed.
For core damage to occur in a Western LWR, there are two required precursors:

1. A limiting fault (or a set of compounded derangements) that leads to the failure of heat removal within the core (the loss of cooling). This can lead to core "uncovery", or the loss of water cooling the core, leading the core to heat up.
2. Full failure of the ECCS. The ECCS (Emergency Core Cooling System) is a system located within every Western LWR that is designed to rapidly cool the core and make it safe in the event of the maximally contingent limiting fault (the design basis accident) that nuclear regulators and plant engineers could imagine.
   

Over 50 years of operating experience over several hundred reactors has provided every Western LWR with comprehensive measures to prevent limiting faults and ECCS failures.

1. In the more than fifty years of Western LWR operating experience, of a fleet of several hundred reactors, no limiting fault has ever occurred. The most severe incident was a compounded group of derangements.
2. There are at least two copies of the ECCS built for every reactor. Each division (copy) of the ECCS is capable, by itself, of responding to the maximally contingent limiting fault (the DBA). The latest reactors have as many as four divisions of the ECCS. This is the principle of redundancy, or duplication. As long as at least 1 ECCS division functions, no core damage event can occur to the reactor.
   1. Each of the several divisions of the ECCS has several internal "trains" of components. Thus the ECCS divisions themselves have internal redundancy - and can withstand failures of components within them.
   2. Although no limiting fault has ever occurred in a Western LWR (the most severe incident being a compounded group of derangements), the ECCS has been called on to perform a low number of times in the more than fifty years of Western LWR operating experience within a handful of the hundreds of Western LWRs in operation. All times that the ECCS has ever been called upon to perform, it has performed at or beyond expectations. As the highly-trained staff of each plant keeps the ECCS in peak condition at all times, that being the staff's first duty - to protect the core, and with the core, the plant, and with the plant, the public - failures of the ECCS proper when called upon to function have not occurred.
      1. The Three Mile Island accident was a compounded group of derangements that led to core damage. What lead to this was an erroneous decision by operators to shut down the ECCS during a derangement due to gauge readings that were either incorrect or misinterpreted; this caused another derangement, that several hours after the fact, led to core uncovery and a core damage incident. If the ECCS had been allowed to function, it would have prevented both uncovery and core damage.

If such a limiting fault were to occur, and a complete failure of all ECCS divisions were to occur, three different physical processes will provide additional time to the plant operators between the start of the limiting fault (the loss of cooling) and the potential escape of molten corium into the containment (a so-called "full meltdown"):

1. The time required for the water to boil away (coolant, moderator). In the event of a limiting fault, LWRs and CANDUs are designed to automatically SCRAM (a SCRAM being the immediate and full insertion of all control rods) and spin up the ECCS. This greatly reduces reactor thermal power (but does not remove it completely); this delays core "uncovery", which is defined as the point when the fuel rods are no longer covered by coolant and can begin to heat up.
2. The time required for the fuel to form corium. After the water has boiled, then the time required for the fuel to reach its melting point will be dictated by the heat input due to decay of fission products, the heat capacity of the fuel and the melting point of the fuel. If the ECCS is activated before the point of fuel failure, core damage will be prevented.
   1. The time for the fuel to reach the critical temperature. In the most contingent scenarios involving Generation II LWRs, between 5 and 30 minutes are required for the fuel to heat beyond the critical fuel surface temperature, 1100^oC or 2200^oF. This critical temperature is conservative - but is the point beyond which certain types of chemical reactions can threaten the structural integrity of the Zircalloy sheathing. Assuming the ECCS can be activated within the 5 to 30 minutes prior to the excession of this temperature limit, the reactor will return to stability without core damage. The ECCS automatically spins up upon SCRAM, so maximally contingent scenarios predict approximately 40 seconds from event initiation to ECCS activation if at least part of the ECCS is functional. As the ECCS has multiple, redundant backup systems, it is highly unlikely that it will completely fail. No ECCS has ever failed when called upon to function in the history of Western nuclear power.
   2. The time between the reaching of the critical temperature and fuel failure. However, if the ECCS cannot be fully or partially activated, then events continue - and the next event, after these 5 to 30 minutes are up, is fuel failure. Fuel failure occurs an indeterminate amount of time after the fuel reaches the critical temperature. Due to this high temperature and certain types of chemical reactions, the Zircalloy fuel sheathing of the fuel rods loses integrity and releases fission products. This will be detected by a rise in radioactivity within the RPV and the primary coolant piping due to the release of fission products. If the coolant loop is breached, as in a LOCA, radiation levels will rise to excess levels within the primary containment as fission products are released into the containment.
   3. The time between fuel failure and corium formation. Once again, if the ECCS can be fully or partially activated before the accident progresses, the chain of events may be stopped. But otherwise, events will progress. Some time will pass between fuel failure and corium formation; design conservatism, however, puts the moment of corium formation as beginning at the point of fuel failure. Once the core melts, it will almost certainly destroy the fuel bundles and internal structures of the reactor vessel (although it may not penetrate the reactor vessel). (Note that nearly half of the core at Three Mile Island melted but the molten debris [called "corium"] still stayed within the reactor vessel.)
3. The time required for the corium to breach the primary pressure boundary. This consists of the time required for the molten metal of the core (the corium) to breach the primary pressure boundary (in light water reactors this is the pressure vessel; in CANDU reactors this is the calandria). What happens when reactor fuel melts in a Western reactor is the subject of actual experience and considerable speculation. This will depend on temperatures and boundary materials. Whether or not the fuel remains critical in the conditions inside the damaged core or beyond will play a significant role. Time estimates indicate in a maximally contingent Western LWR limiting fault with complete loss of the ECCS, there remains between at least 30 and 150 minutes from corium formation prior to RPV breach, if RPV breach occurs. Even partial ECCS activation can delay this significantly, and provide time for the remainder of the ECCS to be brought back online. It's highly unlikely that the staff of a Western LWR will be completely unable to restore at least part of the ECCS prior to the RPV being breached. It must be noted that RPV breach is not inevitable in the event of corium formation. The Three Mile Island incident proved this - instead, corium is likely to dilute itself with steel and the control rods and form a layer of shielding on the bottom of the RPV, limiting most of the damage to the reactor itself. TheAmerican Nuclear Society has said "despite melting of about one-third of the fuel, the reactor vessel itself maintained its integrity and contained the damaged fuel".^[2] However the Three Mile Island example, though illustrative of the comprehensive approach of defense in depth against all contingencies, also illustrates the difficulty in predicting such behavior: the reactor vessel was not built for, and not expected to remain intact with, the temperatures it experienced when it the core melted, but possibly because some of the melted material collected at the bottom of the vessel and cooled early on in the accident, it created a resistant shell against further pressure and heat. Such a possibility was not predicted by the engineers who designed the reactor and would not necessarily occur under duplicate conditions, but was largely seen as instrumental in the preservation of the reactor vessel's integrity. (However, it should be noted that the reactor vessel was inside a containment building, as in all non-Soviet nuclear plants, so a failure of the reactor vessel would not automatically mean that radioactive material would be released into the environment.)

[edit]If the RPV is breached: Standard failure modes

If the RPV is penetrated by the corium through the means of melting, which has never before happened in a Western nuclear power plant, there are both scientific theories and various speculations that exist as to what may or may not occur in such an incident.

Fortunately, at least in Western plants, there is an airtight containment building consisting of pre-stressed, steel-reinforced concrete 1.2 - 2.4 meters thick (4 to 8 feet thick) that stands between the molten corium and the outside world. Though radiation would be at a high level within the primary containment, doses outside of it would be insignificant. Further, modern containments are designed - or have been retrofitted - to allow for the orderly release of pressurized gasses that may be generated in an event without releasing radionuclides. (This is done by piping a pressure release valve to a series of activated carbon and HEPA filters that are designed to trap any radionuclides in the event that pressure release from the containment becomes necessary.) Hydrogen/oxygen recombiners also are installed within the containment to prevent any combination of gasses from building up within that could deflagrate and threaten containment integrity.

In a melting event, the RPV is highly unlikely to fail all at once as metal under heat stress but not extensive linear or shear stress normally fails slowly. As such, one spot or area on the RPV will become hotter than other areas, and will eventually come to the melting point. When it melts, corium will pour in a slow stream into the cavity under the reactor. Though the cavity is designed to remain dry, the presence of water there will cause steam to be evolved, and the containment will become pressurized from this steam. Automatically, water sprays on the top and the sides of the containment will pump large quantities of water into the steamy environment to keep the pressure down and protect containment integrity. If hydrogen is evolved and oxygen is present, catalytic recombiners will rapidly convert the hydrogen and oxygen back into water, and route the evolved water to the containment spray tank to be used to cool steam. One positive effect of the corium falling into water is that it is comprehensively cooled and returned to a solid state.

Extensive water spray systems within the containment along with the ECCS, when it is reactivated, will allow operators to spray water within the containment to cool the core on the floor and reduce it to a low temperature.

This assures that even with a molten core cooling within the containment building, there is almost no possibility of any offsite dose of significance to local citizens; for example, in the Three Mile Island event in 1979, a theoretical person standing at the plant property line during the entire event would have received a dose of approximately 2 millisieverts (200 millirem), between a chest X-ray's and a CT scan's worth of radiation. This was due to outgassing by an uncontrolled system that, today, would have been backfitted with activated carbon and HEPA filters to prevent radionuclide release.

Cooling will take quite a while, until the natural decay heat of the corium reduces to the point where natural convection and conduction of heat to the containment walls and re-radiation of heat from the containment allows for water spray systems to be shut down and the reactor put into safe storage. Thus, if all else fails, the containment can be sealed and abandoned in place with release of extremely limited offsite radioactivity. Pressure management will have to be observed carefully, at least in the near term and responded to as indicated. After a number of years for fission products to decay - probably around a decade - the containment can be reopened for decontamination and demolition.

Still, even though the secondary containment consists of pre-stressed, steel-reinforced concrete between 1.2 - 2.4 meters thick, there is a possibility, however remote, that the containment could be breached after the core damage event occurred. This might take place if:

1. An earthquake capable of producing accelerations of plant equipment to more than .2 g (2 m/s²) occurred - with the plant at the precise epicenter;
2. A tornado of Old Fujitsa Scale 6 with 320+ mph winds hit it (no tornado of scale OF6 has ever occurred; by definition, it is an impossible tornado).
3. It was struck by an asteroid.

[edit]If the RPV is breached: speculative failure modes

Though modern science and engineering indicates that though a core damage event is a dramatic incident, it is of limited public concern, as public safety is unlikely to be threatened by a core damage event. However, some have used creativity and their imaginations to speculate as to failure modes for Western nuclear reactors.

One highly speculative scenario consists of the Reactor Pressure Vessel failing all at once - essentially - the bottom falling out of the RPV - solid steel 6 inches thick failing all at the same time. In this extraordinarily speculative scenario, the entire mass of corium could drop into a pool of water (for example, coolant or moderator) and cause an extremely rapid evolution of steam called a Fuel-Coolant Interaction (FCI). The high rate of pressure rise within the containment could theoretically threaten integrity if rupture disks leading to filtered outgas trains were not available to ensure that the public was protected from radioactive release in such a scenario. Also, if air is available any exposed flammable substances will probably burn fiercely. Since there are few, if any, flammable substances within the containment, this is a trivial concern.

Though events threatening containment integrity are presently considered essentially incredible in modern 'large-dry' containments, another extremely speculative and generally disregarded theory called an 'alpha mode' failure - the term popularized in anti-nuclear circles by the extremely speculative 1975 Rasmussen (WASH-1400) study - could see containment integrity threatened by a fuel-coolant interaction within the RPV, leading to extremely rapid steam evolution, leading to an overpressure event within the RPV, leading to a failure of its structural integrity, and the consequent ejection of the top part of the RPV (called the "head") at the inside of the containment as a flying object. Due to the weight of the RPV head, as this is called, the containment could be threatened if the RPV head collided with it. (The WASH-1400 report was replaced by better-based newer studies, and now the Nuclear Regulatory Commission has disavowed them all and is preparing the over-arching State-of-the-Art Reactor Consequence Analyses [SOARCA] study - see the Disclaimer in NUREG-1150.)

Another highly speculative scenario sees a buildup of hydrogen within the containment. If hydrogen were allowed to build up within the containment, it could lead to an deflagration event. The numerous catalytic hydrogen recombiners located within the reactor core and containment will prevent this from occurring; however, prior to the installation of these recombiners in the 1980s, the Three Mile Island containment (in 1979) suffered a massive hydrogen explosion event in the accident there. However, the containment easily withstood this event and no radioactivity was released by the hydrogen explosion, clearly demonstrating the level of punishment that containments can take, and validating the industry's approach of defense in depth against all contingencies.

It has not been determined to what extent a molten mass can melt through a structure (although that was tested in the Loss-of-Fluid-Test Reactor described in Test Area North's fact sheet^[3]). The Three Mile Island accident saw an "impromptu test" of this question, with an actual molten core within an actual structure; the molten corium failed to melt through even the relatively thin Reactor Pressure Vessel after over six hours of exposure, due to dilution of the melt by the control rods and other reactor internals, comprehensively validating the industry's insistence on defense in depth against core damage incidents. Though this has never happened - some in the anti-nuclear movement speculate that a molten reactor core could actually penetrate the reactor pressure vessel and the four to eight feet of pre-stressed, steel-reinforced, air-tight concrete of the reactor containment structure and burn down (via a melt-concrete interaction) to groundwater.

[edit]If the containment is breached

The longer the reactor operators were able to retain the fission products within the core will reduce the size of the radioactive release. This is because the most highly radioactive isotopes in a fission product mixture are short lived. For example if all the iodine in a core was released one week after criticality was terminated by a SCRAM then the thyroid dose suffered by the population would be lower than if theiodine had escaped the plant one hour after the reactor was scrammed. Thyroid dose can be minimized, in any event, by the consumption of potassium iodide.

[edit]Other Reactor Types

There are other types of reactors within the non-Soviet world that have different capabilities and safety profiles than the LWR does. Advanced varieties of several of these reactors have the potential to be inherently safe, which would make them not vulnerable to operating transients, derangements, and/or limiting faults that in other reactor types might lead to core damage.

[edit]The case of CANDU reactors

CANDU reactors present a special case. They are designed with at least one, and generally two, large low-temperature and low-pressure water reservoirs around its fuel/coolant channels. The first is the bulk heavy-water moderator (a separate system from the coolant), and the second is the light-water-filled shield tank. It has been shown that even under severe loss-of-coolant conditions these backup heat sinks are sufficient to prevent either the fuel meltdown in the first place (using the moderator heat sink), or the breaching of the core vessel should the moderator eventually boil off (using the shield tank heat sink). [Allen et al.] Other, less destructive failure modes aside from fuel melt will probably occur in a CANDU rather than a meltdown, such as deformation of the calandria into a non-critical configuration. All CANDU reactors are located within standard Western containments as well.

[edit]The case of gas-cooled reactors

One type of Western reactor, known as the advanced gas-cooled reactor (or AGCR), built by the United Kingdom, is not very vulnerable to loss of cooling accidents or to core damage except in the most extreme of circumstances. By virtue of the relatively inert coolant (carbon dioxide), the large volume and high pressure of the coolant, and the relatively high heat transfer efficiency of the reactor, the timeframe for core damage in the event of a limiting fault is measured in days. Restoration of some means of coolant flow will prevent core damage from occurring.

Some highly advanced gas cooled reactors, such as the United States' High Temperature Gas Cooled Reactor, have a high level of passive safety against such incidents, with an emergency core cooling system consisting of regular atmospheric airflow passing through a heat exchanger and rising into the atmosphere due to convection, achieving full residual heat removal. The HTGR is scheduled to prototyped and tested at Idaho National Laboratory within the next decade (as of 2009) as the design selected for the Next Generation Nuclear Plant by the US Department of Energy. This reactor will use prismatic blocks of carbon infused with TRISO pellets of uranium or thorium, be buried underground, and use a gas as a coolant, which can then be used for process heat (such as in hydrogen production) or for the driving of gas turbines and the generation of electricity.

A similar highly advanced gas cooled reactor designed by South Africa is known as the Pebble Bed Modular Reactor and brings nuclear safety to a new level. It is an inherently safe design, meaning that core damage is physically impossible, due to the design of the fuel (spherical graphite "pebbles" piled in a heap within an RPV with flecks of uranium, plutonium, or thorium embedded within). A prototype of this type of reactor has been built by the Chinese and has been proven quite effective in the tests that Chinese researchers have done with it. It is quite possible that China, rather than the Western nations, may be the first large-scale implementer of this leading edge nuclear technology due to their high level of respect for science and engineering and comparatively small and highly efficient regulatory agencies.

[edit]The case of liquid fluoride thermal reactors

Liquid fluoride thermal reactors are designed to naturally have their core in a molten state, as a eutectic mix of thorium and fluorine salts. As such, a molten core is reflective of the normal and safe state of operation of this reactor type. In the event the core overheats, a metal plug will melt, and the molten salt core will drain into tanks where it will cool in a non-critical configuration.

[edit]The case of advanced liquid metal reactors

Advanced liquid metal reactors, such as the Integral Fast Reactor have a coolant with very high heat capacity, sodium metal. As such, they can withstand a loss of cooling without SCRAM and a loss of heat sink without SCRAM, qualifying them as inherently safe.

[edit]Prevention, Suppression, and Containment of Core Damage Events in Former Soviet Reactors

The former Soviet Union and presently the Russians build specialized types of nuclear reactors distinctive in their independent origin from those in the West as well as in their designs and safety systems which reflect that different national origin. Their two major reactor designs and the safety systems thereof - both those of the the VVER, a type of pressurized water reactor, and the RBMK, a type of graphite moderated, light water cooled reactor, are discussed below.

[edit]Former Soviet (and CIS) RBMKs

^{[weasel words]}

Former Soviet RBMKs, however, found only in Russia and the CIS, do not have containment buildings, are naturally unstable (tending to dangerous power fluctuations), and also have ECCS systems that are considered grossly inadequate by Western safety standards.

Unity of purpose and effort within the Soviet nuclear power program was also hindered by the non-propulsion-related military uses to which RBMKs were put, while being used as nuclear power plants. These military uses proved a dangerous distraction from the peaceful use of nuclear energy.

• RBMK ECCS systems:
  • Only have one division and have less than sufficient redundancy within that division.
  • Though the large core size of the RBMK makes it less energy-dense than the Western LWR core, it makes it harder to cool.
• The RBMK is moderated by graphite.
  • In oxygen, and at high temperatures, graphite is flammable.
  • Graphite accumulates Wigner energy which must be removed - a nontrivial operation.
• The RBMK tends towards dangerous power fluctuations:
  • Control rods used to be tipped with graphite, a material that slows neutrons and thus speeds up the chain reaction.
  • Water is used as a coolant, but not a moderator. If the water boils, cooling is lost, but moderation is not lost. This is termed a positive void coefficient of reactivity. Western reactors have negative void coefficients, with the exception of CANDU reactors. CANDU reactors have a low positive void coefficient, and also have two separate, rapidly acting shutdown systems that will automatically trip and make the reactor safe within a trivial timeframe if reactor period goes below a certain point.
  • Control rods can become stuck if the reactor suddenly heats up and they are moving.
  • Xenon 135, a neutron absorbent fission product, has a tendency to build up in the core and burn off unpredictably in the event of low power operation. This can lead to inaccurate neutronic and thermal power ratings.
• The RBMK does not have any containment above the core.
  • The only substantial solid barrier above the fuel is the upper part of the core, called the upper biological shield, which is a piece of concrete interpenetrated with control rods and with access holes for refueling while online.
  • Other parts of the RBMK were shielded better than the core itself.
• Rapid shutdown (SCRAM) takes 10 to 15 seconds. Western reactors take 1 - 2.5 seconds.

Western aid has been given to provide certain real-time safety monitoring capacities to the human staff. Whether this extends to automatic initiation of emergency cooling is not known. Training has been provide in safety assessment from Western sources, and Russian reactors have evolved in result to the weaknesses that were in the RBMK. However, numerous RBMKs still operate.

It is safe to say that it might be possible to stop a loss of coolant event prior to core damage occurring, but that any core damage incidents will probably assure massive release of radioactive materials. Further, dangerous power fluctuations are natural to the design.

Lithuania joined the EU recently, and upon acceding, it has been required to shut the two RBMKs that it has at Ignalina NPP, as such reactors are totally incompatible with the nuclear safety standards of Europe (and the US, Japan, China, Canada, India, etc.). It will be replacing them some safer form of reactor.

[edit]Former Soviet (present Russian & ROW) VVERs

The VVER is a former Soviet-origin pressurized light water reactor that is far more inherently stable and inherently safe than the former Soviet RBMK. This is because it uses light water as a moderator (rather than graphite), has well understood operating characteristics, and has a negative void coefficient of reactivity. In addition, some have been built with more than marginal containments, some have quality ECCS systems, and some have been upgraded to international standards of control and instrumentation. Present generations of VVERs (the VVER-1000) are built to Western-equivalent levels of instrumentation, control, and containment systems.

However, even with these positive developments, certain older VVER models raise a high level of concern, especially the VVER-440 V230. ^[4]

The VVER-440 V230:

• Has no containment building. Has a structure capable of confining steam surrounding the RPV. This is a volume of thin steel, perhaps an inch or two in thickness, grossly insufficient by Western standards.
• Has no ECCS. Can survive at most one 4 inch pipe break (there are many pipes greater than 4 inches within the design).
• Has six steam generator loops, adding unnecessary complexity.
  • However, apparently steam generator loops can be isolated, in the event that a break occurs in one of these loops. The plant can remain operating with one isolated loop - a feature found in few Western reactors.
• Interior of RPV is plain alloy steel, exposed to water. There is no layer of Inconel 600 or evenstainless steel. This can lead to rust, if the reactor is exposed to water. Since the VVER is a pressurized water reactor, it is foreseeable that VVER RPVs can rust.
  • One point of distinction in which the VVER surpasses the West is the reactor water cleanup facility - built, no doubt, to deal with the enormous volume of rust within the primary coolant loop - the product of the slow corrosion of the RPV.
• This model is viewed as having inadequate process control systems.

During the 1970s, Finland built 2 VVER-440 V230 models, however, the Finns built them to Western standards with a full containment, world-class instrumentation and control standards, presumably RPVs that were manufactured using stainless steel or Inconel, and the addition of an ECCS. The Bulgarians also had a bunch of VVER-440 V230 models, but they opted to shut them down upon joining the EU rather than backfit them, and are instead building new VVER-1000 models. Many non-EU states maintain V230 models, including Russia and the CIS. Many of these states - rather than abandoning the reactors entirely - have opted to install an ECCS, develop standard procedures, and install proper instrumentation and control systems. Though confinements cannot be transformed into containments, the risk of a limiting fault resulting in core damage can be greatly reduced.

The VVER-440 V213 model was built to the first set of Soviet nuclear safety standards. It possesses a modest containment building, and the ECCS systems, though not completely to Western standards, are reasonably comprehensive. Many VVER-440 V213 models possessed by former Soviet bloc countries have been upgraded to fully automated Western-style instrumentation and control systems, improving safety to Western levels for accident prevention - but not for accident containment, which is of a modest level compared to Western plants. These reactors are regarded as "safe enough" by Western standards to continue operation without major modifications, though most owners have performed major modifications to bring them up to generally equivalent levels of nuclear safety.

The VVER-1000 type has a definitely adequate Western-style containment, the ECCS is sufficient by Western standards, and instrumentation and control has been markedly improved to Western 1970s-era levels.

[edit]Failure modes analysis

In the Chernobyl accident, the fuel became non-critical when it melted and flowed away from the graphite moderator - however, it took considerable time to cool. If hot uranium dioxide is combined with iron(II) oxide a eutectic is formed which may cause the fuel to become more mobile than it would otherwise be.^[5]

It should be noted that the molten core of Chernobyl (that part that didn't vaporize in the fire) flowed in a channel created by the structure of its reactor building (e.g., walls and stairways) and froze in place before a core-concrete interaction could happen. In the basement of the reactor at Chernobyl, a large "elephant's foot" of congealed core material was found. Furthermore, the time delay and the lack of a direct path to the atmosphere (such as a containment building is designed to provide) would work to significantly ameliorate the radiological release. Any steam-explosions/FCI which occurred would probably work mainly to increase cooling of the core-debris. However, if the basement of the reactor building were penetrated the groundwater itself would likely be severely contaminated, and its flow could carry the contamination far afield.

[edit]The Chernobyl incident

Even while the Chernobyl accident had dire^[quantify] off-site effects, much of the radioactivity remained within the building. If the building were to fail and dust was to be released into the environment then the release of a given mass of fission products which have aged for twenty years would have a smaller effect than the release of the same mass of fission products (in the same chemical and physical form) which had only undergone a short cooling time (such as one hour) after the nuclear reaction has been terminated. However if a nuclear reaction was to occur again within the Chernobyl plant (for instance if rainwater was to collect and act as a moderator) then the new fission products would have a higher specific activity and thus pose a greater threat if they were released. N.B. to prevent a post accident nuclear reaction steps have been taken (such as adding neutron poisons to key parts of the basement).

[edit]Comparability analysis

It may safely be assumed that with RBMKs of any type, any limiting fault followed by partial or total ECCS failure or failure to SCRAM when indicated will result in core damage and radioactive release to the environment.

The following assumptions may be made about the VVER reactors:

• VVER-440 V230 models WITHOUT substantial upgrades: Assume that limiting fault (LBLOCA) will result in core damage if ECCS suffers any degredation in performance, delayed activation, or failures. Assume that radioactive release to environment is assured if RPV is breached.
• VVER-440 V230 models WITH substantial upgrades: Assume that limiting fault (LBLOCA) is less likely to result in core damage than unmodified V230; in particular, ECCS will have sufficient capacity to respond to limiting faults with some redundancy. Confinement strengthening may prevent radioactive release in some core damage scenarios.
• VVER-440 V230 Finnish models: Assume will perform at level of Generation II Western PWR.
• VVER-440 V213: Assume that limiting fault (LBLOCA) will successfully be responded to by ECCS, and that reserve capacity does exist for ECCS; this will prevent core damage in most circumstances. If core damage does occur, assume that - depending on severity - radioactive release to the environment could take place with stock containment.
• VVER-1000: Make assumptions based on "newer" (post-1975) Generation II reactors.

[edit]Effects

The effects of a nuclear meltdown depend on the safety features designed into a reactor. A modern reactor is designed both to make a meltdown highly unlikely, and to contain one should it occur. In the future passively safe or inherently safe designs will make the possibility exceedingly unlikely.

In a modern reactor, a nuclear meltdown, whether partial or total, should be contained inside the reactor's containment structure. Thus (assuming that no other major disasters occur) while the meltdown will severely damage the reactor itself, possibly contaminating the whole structure with highly radioactive material, a meltdown alone will generally not lead to significant radiation release or danger to the public. The effects are therefore primarily economic^[6].

In practice, however, a nuclear meltdown is often part of a larger chain of disasters (although there have been so few meltdowns in the history of nuclear power that there is not a large pool of statistical information from which to draw a credible conclusion as to what "often" happens in such circumstances). For example, in the Chernobyl accident, by the time the core melted, there had already been a large steam explosion and graphite fire and major release of radioactive contamination (as with almost allSoviet reactors, there was no containment structure at Chernobyl).

[edit]Reactor design

Although pressurized water reactors are more susceptible to nuclear meltdown in the absence of active safety measures, this is not a universal feature of civilian nuclear reactors. Much of the research in civilian nuclear reactors is for designs with passive safety features that would be much less susceptible to meltdown, even if all emergency systems failed. For example, pebble bed reactors are designed so that complete loss of coolant for an indefinite period does not result in the reactor overheating. TheGeneral Electric ESBWR and Westinghouse AP1000 have passively-activated safety systems. TheCANDU reactor has two low-temperature and low-pressure water systems surrounding the fuel (i.e. moderator and shield tank) that act as back-up heat sinks and preclude meltdowns and core-breaching scenarios [Allen et al.].

Fast breeder reactors are more susceptible to meltdown than other reactor types, due to the larger quantity of fissile material and the higher neutron flux inside the reactor core, which makes it more difficult to control the reaction.

Accidental fires are widely acknowledged to be risk factors that can contribute to a nuclear meltdown. It is for this reason that circuit integrity measures are used for the electrical wiring that runs between control rooms and reactors. Ideally, a reactor is equipped with two "shutdown trains" or two sets of wires so that if one should fail, the other can be used to shut down the reactor. This common procedure became the subject of controversy during the Thermo-Lag scandal, when whistleblower Gerald W. Brown notified the NRC that the fire testing used to qualify Thermo-Lag was inadequate, meaning the fire-resistance rating thought to exist was in fact much lower, which meant that the majority of NRC licensees did not have operable protection of its safe shutdown wiring. Similar criticisms were leveled by US Congressman Ed Markey at the use of combustible silicone foam as firestops. The problem did not occur in German plants as operators must follow not just the directives of their federal regulators but are also required to follow the local building code, which makes product certification mandatory. Bounding in US and Canadian plants is not based on product certification. The Canadian disclosures by Gerald W. Brown revealed that Canadian plants also used unbounded silicone foam and Elastaseal based on indefensible test reports. The safe shutdown trains, typically consisting of wiring inside of cable traysused single-sided "fireproofing", consisting of sheet metal and proprietary intumescent sheets, for three dimensional cable trays. The disclosures were made public by the Canadian Broadcasting Corporation's "The National" program, which caused the proceedings of the Select Committee on Ontario Hydro Nuclear Affairs to take place. Still, to this date, neither the NRC, nor the Canadian Nuclear Safety Commission require product certification, which is mandatory for civilian construction.

[edit]Other theoretical consequences of a nuclear meltdown

If the reactor core becomes too hot, it might melt through the reactor vessel (although this has not happened to date) and the floor of the reactor chamber and descend until it becomes diluted by surrounding material and cooled enough to no longer melt through the material underneath, or until it hitsgroundwater. This type of nuclear meltdown is known as a China Syndrome. Note that a nuclear explosion does not happen in a nuclear meltdown due to the low fissility of the radioactive components. However, a steam explosion may occur if it hits water.

The geometry and presence of the coolant has a twin role, and both cools the reactor as well as slowing down emitted neutrons. The latter role is crucial to maintaining the chain-reaction, and so even without coolant the molten core is designed to be unable to form an uncontrolled critical mass (a recriticality). However, the molten reactor core will continue generating enough heat through unmoderated radioactive decay ('decay heat') to maintain or even increase its temperature.