A New Look at Nuclear Safety Design Criteria
This is an attempt at an interdisciplinary look at safety, especially where it concerns progressive, complex failures. Electric motors have 'service factor' stamped onto each motor. The number that follows is a designation implying durability and toughness. Will it last a long time? Can it operate reliably in heat, dust, adverse conditions? Will you be replacing it soon?
I have studied many things, and been fascinated by many engineering feats and failures. There is no one field that this applies to, but I have a growing suspicion that if I can find the 'always' litmus test of when to shift the 'design mode' or 'criteria' to what I am beginning to call 'service factor', these failures may be averted. 'Service factor' is the concept of a rubber band that can stretch to encompass a problem: a final, most basic level of safety, or of the need to preserve life. A mountain climber falls, and that fall is arrested by his dynamic, stretchable safety line. I have absorbed many reports from many sources concerning the failures of Japan's reactors. To have sited the diesel backup generators at sea level, with electrical connections in a basement, behind an inadequate seawall... if these reports are accurate, is criminally stupid. But why? Or how were these decisions made? Why would someone put the diesel backup in a pit? I do understand the need for cooling, but not at the risk of non-functionality.
The premise is this: the plant was designed to a specific criterion, which I believe was survival of an 8.2 seismic event. These GE 1 reactors require cooling water at all times, and as with most if not all nuclear reactors or fuel storage pools, they ONLY survive with a steady diet of electricity to run the pumps. If there IS a catastrophic event, total destruction, of absolutely unanticipated strength... let us say a 10.0 event, a meteor struck nearby, the tsunami was 300 feet tall. That IS EXACTLY when and why you need the backup diesel generators. They exist for no other reason. They were required and installed specifically for when the grid is down and no help can reach. So to design them to the same 8.2 seismic criterion is just plain wrong. They need a different set of eyes. The diesel backup generators need to be designed to an entirely separate concept that I liken to a service factor, a robustness.
I found myself the other day reading about new bridge technologies, materials, engineering, processes. New technologies often, or even usually, result in failures. No computer or calculation will always give you all of the knowledge you need. Some of it must be gained the hard way in bridge building. There is a new bridge, one that may represent a real leap in bridge building, that is to be constructed and installed this summer in Detroit. It is one of 24 bridges to be replaced this summer... but this one is to use all carbon fiber reinforcement, zero steel. The cost of the carbon fiber yarns and braided lines is huge, adding a quarter of a million dollars to the material costs for that one bridge. It MAY, however, increase the life expectancy from 50 years to 100 years. It is much like silviculture, the growing of trees. What we plant, we shall never see harvested. And while that may seem a diversion from our discussion of 'service factor', I believe it is part of the discussion. Not only are we unlikely to see the result of our engineering daring or advances (future), but what was taught to us, what is being taught today to budding engineers, may be quite correct or quite wrong (past). The methods of material and process design carry a flaw: a flaw built in by a previous generation's teaching, teachings, or even teachers.
So back to our bridges. Galloping Gertie? The Tacoma Narrows bridge that so spectacularly failed in a wind-induced harmonic progressive failure. The foot bridge of creative design in London? The London Millennium Footbridge had a very disconcerting sway when first opened. The collapse of the Interstate 35 bridge in Minneapolis, Minnesota?
The failure of the deep water oil well in the Gulf of Mexico last summer.
The failure of levees and seawalls during and after Hurricane Katrina.
The flooding of a small house in Michigan caused by a river swollen by spring runoff.
All of these are failures, I believe, and if you will allow, because the actual conditions exceeded the design criteria. The house did not fail, the levees did not fail, the deep water drilling rig did not fail, the bridges did not fail. In each case, the design criteria were exceeded. The failure began in the 'how to design' segment of an engineering course. The one hundred year flood plain does not mean that the house will be dry for one hundred years. It means that in 10,000 years it is only going to happen about 100 times. It could happen 3 times in the next 10 years and STILL be the one hundred year flood plain. We design to a criterion. The rubber band of safety for the small house is that people have eyes and legs; they can run. The house may have needed a remodeling and all its electrical replaced anyway. But a nuclear reactor carries an extreme consequence if it fails. It needs a different rubber band.
Levees in Katrina were designed to a category 3 hurricane. Katrina was a 4, and still the system nearly made it. Once again, eyes, legs, and minds are the safety backups. The failure was not the dikes, it was the evacuation. The evacuation needed some feature of service factor, of redundancy. Once again, though, everything, all decisions, were built to a specific criterion. Perhaps the pumps of New Orleans should have been built with a service factor? (Backup diesel generator?)
Deep water drilling? Boy, there is one I am still working on. I don't know. I do know that the basal cause of the disaster last summer in the Gulf was a pressure few had experienced before.
It seemed to me that the earthquake and tsunami in Japan were VERY predictable. One seismic event of the same size had not been seen in 140 plus years; statistically, MAYBE that is a one in 500 year event. As discussed, even one in five hundred years ON AVERAGE means you can still have 3 such events in the next ten years. That it will happen IS a fact; it HAS happened. It statistically WILL, with some certainty, happen again. The backup diesel generators are ONLY installed, they are ONLY there, for the unthinkable eventuality of total destruction of the grid and of the roads. So to site your ultimate rubber band, the diesel backup generators, in a vulnerable position? To design them to the SAME 8.2 design criterion? Then if you do exceed an 8.2 event, you have lost all of your options except the 3 to 10 hours of battery backup. My thought is that it is something like sitting on your seat belt: the safety goggles are in the tool box, the hardhat is on the job site in the back of the pickup truck, the gloves are in your pocket. It angered me that the plant and ALL its features would be designed to withstand an 8.2 on the Richter Scale. 9.0 tremors do occur there; the last was 140 something years ago. They built it to a 100 year 'flood plain' mentality: an 8.2 shaking, or the tsunami that results from that, or the 100 year maximum LIKELY typhoon? You may design the plant to such a limitation, but the ultimate safety backup MUST survive. Must survive. Why else would you bother to install it?
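As an added illustration, not part of the original essay, here is the recurrence arithmetic behind the 'one hundred year flood plain' argument above, modelled as independent years with a fixed annual probability (a 40-year plant life is an assumed figure, not one the essay gives):

```python
from math import comb


def exceedance_probability(annual_p: float, years: int) -> float:
    """Probability that an event with annual probability ``annual_p``
    (1/100 for a '100 year' design basis, 1/500 for a '500 year' one)
    occurs at least once in ``years`` years, assuming independent years."""
    return 1.0 - (1.0 - annual_p) ** years


def at_least_k_events(k: int, years: int, annual_p: float) -> float:
    """Probability of k or more occurrences in ``years`` years (binomial):
    one minus the chance of seeing fewer than k."""
    below_k = sum(
        comb(years, i) * annual_p**i * (1.0 - annual_p) ** (years - i)
        for i in range(k)
    )
    return 1.0 - below_k


def design_basis_table(plant_life_years: int = 40) -> dict:
    """Chance the design basis is exceeded at least once during a plant life,
    for the '100 year' and '500 year' return periods the essay discusses.
    The 40-year default plant life is an assumption, not from the essay."""
    return {
        period: exceedance_probability(1.0 / period, plant_life_years)
        for period in (100, 500)
    }


if __name__ == "__main__":
    # The essay's 'three in the next ten years' case for a 100 year event.
    print(f"P(>=3 '100 year' events in 10 years) = {at_least_k_events(3, 10, 0.01):.2e}")
    for period, p in design_basis_table().items():
        print(f"'{period} year' event: P(at least once in 40 years) = {p:.1%}")
```

Three '100 year' events in ten years works out to roughly one chance in nine thousand, rare but not zero, while a '100 year' event has about a one in three chance of striking at least once in a 40-year plant life and a '500 year' event about one in thirteen.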
The nuclear plants in Japan, and all of the nuclear plants here in the US, are built to exacting design criteria for specific magnitudes of earthquake, height of tsunami wave, height of storm surge, and wind speed in a typhoon or tornado. Building codes here and in Japan specify the structure and method of every house. It IS a minimum specification, built to the very least that can withstand a given force or time. Floodplains are a ubiquitous part of any siting of a structure: 50 year flood plain, 100 year flood plain, 500 year flood plain. These are design criteria. Seismic events for a given locale are also routinely defined. Built to withstand, built to support. BUT...
Apples and oranges. Electric motors ALL have a 'service factor' designation. Less than 1.0, maybe a .85, will not last long. It is a lightweight designation for something either rarely run, or of little importance and easy to unbolt so it can be replaced. Service factors higher than 1.0 last for years. The service factor on one of my compressor motors is 2.25. It is a heavily built beast of a motor that can start under load, and has done so for decades.
If I want to hoist a ten ton load with a crane, do I use a wire rope with a breaking strength of 10 tons? No, I do not. Breaking strength and working load on ropes, lines, and cables differ by multiples. A 1/4 inch line may have a maximum working load of 150 pounds, and a breaking strength when new of 1,200 pounds. That ten ton load is going to be hoisted with a cable with a breaking strength of 100 tons. Seat belts are designed to withstand forces of 4 tons and 5 tons; gloves are a thicker 'skin' that I can change and throw away. These are designed to service factors.
If a nuclear plant NEEDS its backup diesel generator, then by its very definition something has occurred well beyond its design criteria. That extreme event is precisely why you have it there in the first place. It must start and run flawlessly.
But that is not what we do, what we teach, or what we inspect for. AT ALL.
Is there, here in the United States, or in Japan, or possibly anywhere in the world, any differential made in the design criteria (loads imposed by earthquake, typhoon, hurricane, tsunami, flood plain, or other potential catastrophe) between the basal design and construction criteria of a nuclear plant and the service factor design that should be applied to its backup diesel generator?
If not, then ALL nuclear power plants need to use Japan as a wake up call.
"What precipitated the problems at the reactors in Japan is so far in the extreme, it was beyond human imagination," said Gary Was, professor of nuclear engineering at the University of Michigan, which has the nation's top nuclear engineering program.
"It was apocalyptic," said John Lee, also a professor of nuclear engineering at U-M. (Quoted from the Detroit Free Press.)
I arrived at this small insight by listening to Dr. John Lee and Dr. Gary Was of the University of Michigan defend, or explain away, all of this failure as just a series, a chain, of improbable failures, possibly unavoidable in the face of this specific event. I heard similar things from the NRC, from the Japanese Nuclear Safety Commission, from MANY or even ALL of the top engineers. AND they are quite correct as well. The backup diesel generators WERE designed to the same extreme criterion of an 8.2, the '100 year flood plain'.
The diesel generators are, however, NOT, and SHOULD NEVER BE, designed to the same criterion. They need to be designed to a service factor. The Japanese generators should not have had their electrical connections under the buildings; those basements are now flooded, and you need a pump and a light to get the water out. Salt water can permanently disable a generator. These should never have been put behind an open top seawall, at or near sea level. They sit in a bath tub of salt water today. Useless.
They should have been placed high up on the hillside. They could have been placed high and dry above the reactors. They could have been in an armored enclosure with a snorkel to breathe through, an armored enclosure that could be opened after the water recedes. They should be run up and tested once a month. They should have randomized, surprise visits by inspectors with a stop watch saying, "Start your backup generator. You have 5 minutes. Go."
Nuclear power plants live and die by the availability of a constant and reliable source of electricity. It is even conceivable that a simple domino-type power failure, such as we have all experienced, could tip off a nuclear disaster. The first backup is the nuclear generator's own electrical output. The second backup is taking electricity from the grid. The third backup is the onsite diesel generator. The fourth backup is batteries that can give 3 to 10 hours of service. There are additional levels available in other designs: pumpless, passive cooling, either by siting a reservoir high enough, or by a piping system that utilizes waste heat, expansion and contraction, to circulate the water.
But I see no substitute for the independent diesel backup generator. And an independent one month supply of fuel.
Design to a criterion on all normal and extreme concerns. However, know when to design to a service factor for safety. A rubber band. A rubber band stretches to enclose a random set of disparate sizes: a robustness. If you must design to a criterion only, then 8.2 for the reactor, but 10.2 for the diesel backup generator.
A horseshoe nail may save a kingdom.