Why bad numbers are bad for our safety

As a recent article in the Globe and Mail has made clear, there are serious unanswered questions about the vulnerability of the critically important pressure tube systems in aging CANDU reactors. Instead of relentlessly pursuing answers to questions about a huge discrepancy between operator predictions and actual performance when it comes to factors that could cause pressure tubes to fail, the Canadian Nuclear Safety Commission (CNSC) has resorted to hunting for ways to justify allowing reactors that are in absolute violation of its own safety rules to continue operating. This culminated in a startling claim from CNSC staff that it was acceptable to rely on reactor safety systems if the cause of the problem could not be found, even if a pressure tube ruptured. This from a supposedly independent safety authority that claims that it always puts the safety of people before industry profits.

Here is an explanation from nuclear expert Dr. Gordon Edwards on why the CNSC’s desire to turn a blind eye to growing problems in aging reactors is a recipe for disaster:

When industry predictions based on mathematical models are shown to be unreliable, there is no longer the necessary degree of control to ensure confidence in safety. The proper thing to do is to either shut the reactors down until the problem is fully resolved or at the very least to “derate” the reactors significantly (make them operate at a significantly lower percentage of full power) so as to ease the pressure on the affected components (the degraded pressure tubes) and to provide a greater margin of error in the event of an accident.

In the late 1990s, two very small reactors, MAPLE-1 and MAPLE-2, each generating only 10 megawatts of heat, were “written off” by Atomic Energy of Canada Ltd. (AECL) and never put into operation because the reactor behaved in a manner inconsistent with the predictions that had been made based on mathematical models. Other laboratories in Canada and the USA were asked to help AECL to determine the “root cause” of the discrepancy. Eight factors were explored as possible reasons for the behaviour, but the experts were unable to pin down the root cause. Those reactors were simply scrapped for safety reasons. (That decision was made by AECL, not by CNSC.)

The two most serious types of reactor accidents that can jeopardize workers, the public, and the environment are Loss of Coolant Accidents (LOCAs) and Loss of Regulation Accidents (LORAs).

As the 1979 Three Mile Island Accident and the 2011 Fukushima accident illustrate, loss of coolant can, in the worst case, lead to fuel melting and offsite releases of radioactivity. Similarly, as shown by the NRX partial meltdown of 1952 and the 1986 Chernobyl accident, Loss of Regulation can result in a “runaway” power surge that severely damages the core of the reactor, including the fuel.

Both types of events compromise safety.

In the case of the CANDU reactor design, a loss of coolant automatically causes a surge in power. This is called the “positive void coefficient of reactivity” and that power surge has to be counteracted very quickly. Otherwise you will have a Loss of Regulation accident simultaneously with a Loss of Coolant Accident — a “double whammy”.

In the case of a large loss-of-coolant, CANDU reactor shutdown has to be accomplished within 2 seconds to prevent core damage. This is the main reason why the CANDU reactor is the only commercial power reactor design that requires not one, but two independent fast shutdown systems. It is absolutely essential to be able to shut a CANDU reactor down very fast when a LOCA happens to prevent severe core damage.

So, in any CANDU reactor, there is a constant threat that a LOCA will also trigger a LORA – two emergencies for the price of one. This is an undesirable feature that was also a characteristic of the Chernobyl reactor that melted down in 1986, the NRX reactor that self-destructed in 1952, and the Lucens reactor in Switzerland that blew itself to pieces in 1969.

In CANDU reactors, weakening of the pipes (pressure tubes) that carry the coolant makes it more likely such a pipe may crack, break, or even burst. This is especially true during a LOCA because the superheated coolant is lost and the sudden injection of cold emergency coolant water causes a thermal shock that can cause embrittled metal to shatter (as happens to a very hot glass jar when cold water is poured in).

Meanwhile, hundreds of pressure tubes, inside the core of the reactor, have been subjected to deterioration caused by the intrusion of hydrogen gas into the metal wall of the pipe. This “embrittles” the metal, making the pressure tube more likely to crack, break or burst. The condition is age-related.

In the case of the four Pickering B reactors, they have not been retubed even though they have far exceeded the time that would normally trigger a refurbishment. There is no other CANDU in the world that has operated for such a long time without replacing the pressure tubes. Given the present disconnect between prediction and performance, the reactors should be shut down so as not to compromise safety.

Moreover, the two Pickering A reactors now operating are the only CANDU reactors in the world that do not have the two independent safety systems that all other CANDU reactors are required to have.

Given the location of these plants and the large population density of the GTA, these two reactors should be either retired immediately or shut down to have a second independent shutdown system installed.

Relying on safety systems another bad idea

Dr. Frank Greening has also supplied some context for the CNSC’s claim that it is acceptable to rely on reactor safety systems even if the CNSC, Bruce Power and OPG have no real idea what is causing the excessive hydrogen buildup in pressure tubes, which has led to real-world levels well beyond what the companies’ models say should be there and what the CNSC previously considered safe:

The CNSC suggests that a single pressure tube failure is not a big deal and basically no worse than getting a flat tire on your car while driving down the highway. In reality, a single pressure tube failure is a very serious event.

On Aug. 1, 1983, a pressure tube ruptured in Pickering Unit 2 while the Unit was at full power. It turned out that pressure tube G16 had formed a small crack near its outlet end which grew in a matter of seconds into a 2-meter-long gash. This size of crack led to a significant loss of coolant and major collateral damage to the Unit. The tube failure was so disruptive to the reactor core that several fuel bundles disintegrated, leaving fuel debris lodged in the pressure tube crack. It took well over an hour to stabilize and safely shut down the damaged Unit 2 reactor while thousands of liters of highly radioactive D2O poured out of the reactor core and collected in the vault.

In addition, the Unit’s fueling machine was severely damaged so that it was not possible to begin defueling channel G16 until Sept. 1, 1983 after the fueling machine had been repaired. Eventually, the decision was made to replace all the pressure tubes in Pickering Units 1 and 2 – a very complex and costly undertaking, which was eventually completed in mid-1986 and mid-1987 respectively, meaning that the P2G16 pressure tube failure ultimately caused a major loss of electricity production from Pickering Units 1 and 2 and cost OPG well over $100 million to fix.

Interestingly, the final accident report issued by OPG in 1984 noted:

“Measurements of the deuterium content at the outlet end of pressure tube G16 were about 100 mg/kg equivalent hydrogen. Forecasts of about 30 mg/kg equivalent hydrogen had been made during plant design for this time of reactor life. Deuterium Ingress mechanisms and rates are now being reviewed.”

Recommendations

  • The Bruce B reactors should be shut down or de-rated to no more than 70% of full power as a precautionary measure.

  • The four Pickering B reactors should be shut down as they have never been retubed and are past the age when they should have undergone a complete refurbishment.

  • The two operational Pickering A reactors should be shut down until or unless a second fast shutdown system is added to them – they are the only CANDU reactors operating in the world with only one fast shutdown system.