On the 20th anniversary of the Chernobyl disaster, I wanted to share some thoughts about it. As a professional nuclear engineer who works with the IAEA's Chernobyl monitoring team, the Chernobyl disaster hits me awfully close to home. Aaron linked to an excellent photo essay on Chernobyl and I was inclined to comment on it as a response to his post. The length of this response has rapidly exceeded the maximum post length for his blog scripts, so I am posting it here for everyone to read [Thanks for inspiring this, Aaron]. The presentation he linked to is excellent, but it leaves one critical element out—that the real cause of the accident lies in the design of the reactor facility itself.
There were certainly a lot of mistakes made by the operators that evening, some bad judgement, and a bizarre series of unfortunate coincidences. However, the reason these factors were able to lead ultimately to a catastrophic failure of the core containment was simply that the safety system relied on "administrative" controls rather than "engineering" controls.
An engineering control is a system that physically prevents an unwanted event from taking place. Interlocks exist to make it physically impossible to perform some action unless a defined series of prerequisite conditions exist. A simple example of an engineering control is the outward-opening hatch on a submarine—it is physically impossible for a human to open the hatch while the submarine is submerged because the force of the water outside keeps the hatch closed.
An administrative control is a procedure that must be followed (e.g. "ensure that switch A is off before turning switch B on") in order to stay within proper operating parameters. Following the procedure, obeying the rules, etc. will guarantee that a reactor system stays within the state space you want it to be in. However, it requires both voluntary compliance on the part of everyone involved and a lack of mistakes or accidents that put the system outside of the anticipated state space. To put it simply, administrative controls are not robust to human error and force the designer of the system to think of every possible mistake that might be made. In the case of Chernobyl, there were simply too many "off-nominal" constraints placed on the reactor system simultaneously and the human controllers were not able to compensate for the unfamiliar consequences of their actions quickly enough.
It's not that the Soviet reactor designers were unfamiliar with engineering controls; but there were bypass switches on a bunch of them. And as soon as a human can make the choice to cut an engineering control out of the system, it becomes only an administrative control.
I don't see the fault of the disaster lying with the operators on duty that night or even with the people who planned the backup system test which caused so many off-nominal circumstances to come into play. The reason the engineering control overrides existed comes from the unconventional design of the reactor. When the Chernobyl reactors were designed (there are two of them of identical design, one of which continued to operate well into the 1990s), the Soviet military-industrial apparatus dictated that the reactors would have a dual role. On the one hand, they would provide power for the city of Chernobyl and the surrounding region. On the other hand, they would produce plutonium for use in nuclear weapons. Unfortunately, these two requirements do not play well together. A power reactor needs to be on and running pretty much all of the time (we call this the "availability" of the power from the reactor, and in general you shoot for a 90%+ availability). To harvest plutonium from waste fuel, you have to remove the fuel assemblies from the core, which generally requires shutting down the core operation.
To reconcile these two conflicting requirements, the designers attempted a novel idea, which was to have independent coolant systems for each core fuel assembly. This allows you to shut down a single fuel element and remove it from the system while keeping the others operating and generating power.
The problem with this idea is that it requires a vast array of small coolant pipes coming into and out of the core, packed very closely. Because they are so densely packed, there simply isn't room to make them as thick as you would like. The rule of thumb in reactor design is to have an enormous safety margin for things like material strength, shielding, etc. This in itself is a sort of engineering control; the pipe cannot burst because it is so thick that the pressure required to do so simply couldn't be achieved by flash-boiling all of the water in the system. In Chernobyl's case, these sorts of failsafes were compromised in the interest of meeting the unrealistic design requirements that came down from management.
The thin-walled coolant manifolds were ultimately what led to the demise of the reactor. When the reactor power spiked due to the lack of moderating rods, the coolant couldn't handle the increased heat and boiled, creating an over-pressure situation in the feed manifolds. One of them burst, sending metal shrapnel into the forest of densely-packed thin-walled coolant pipes. More or less instantly, the entire system of coolant piping failed and released the steam load into the core containment vessel, which was woefully under-sized to handle this release. Again, shortcuts had been taken to allow for the fuel harvesting equipment above the core, which reduced the baffle capacity of the containment vessel. The vessel itself over-pressured and blew the roof off the building. Mind you, this was a 15' thick steel-reinforced concrete roof, so we're talking about a lot of pressure. The containment roof panel was found hundreds of meters away.
The Chernobyl reactor design wasn't just "bad," it was unquestionably irresponsible. The designers cut into safety margins on numerous critical systems, removed engineering controls, and in general reduced the safe operating margins of the reactor in order to accommodate the design requirements. They knew they were doing it, and in doing so were vastly increasing the possibility of a tragedy. But in essence they had no choice; had they taken the moral high ground and refused to go forward with the design, they would have been replaced by someone who would. The design made the reactor failure inevitable, but the system in which they worked prevented the designers from doing much about it. So, on behalf of a contaminated world, I'd like to thank the Soviet bureaucracy which set us on the path to this disaster.
----
We've come a long way since 1986 and we've learned some tough lessons. Although the American public is still afraid of nuclear power (and has been ever since TMI), the rest of the world is progressing nicely with cleaner, safer, and more fault-tolerant reactor designs. Failsafes are now incorporated at all levels of the design. International oversight and regulation is commonplace. A modern reactor is a tightly-constrained device that is basically a hugely-redundant pile of engineering controls that allows only normal operation to continue. Furthermore, failure of any major system (even catastrophic, unrealistic, instant failure) leads to a smooth shutdown of the reactor. One example of this is designs where the only thing keeping the moderating rods out of the core is the coolant pressure. So even if you were to turn off the coolant pumps (or even instantaneously drain the entire coolant loop), the moderating rods would fall into place and shut down the core—and there's nothing anyone could do to prevent this from happening. It's a failsafe. Another example is the pebble-bed design, where there are no rods at all and the coolant fluid acts as part of the reaction catalyst—again draining or venting the coolant causes the reactor to die off gracefully. Toshiba recently released a reactor design that was so safe and automated that it didn't require any human presence at all other than oversight for our peace of mind.
The existence of extremely safe, peer-reviewed, regulated reactor designs is very important for the future of a power-hungry humanity. One of the reasons we are constantly agreeing to build reactors for other countries is to ensure that they use a design we feel comfortable with them operating (we did it for North Korea, Russia did it for Iran).
Unfortunately, after living through TMI and Chernobyl, it is very difficult to convince anyone that nuclear power can be done safely. It literally takes an advanced degree in reactor engineering to understand the complexity of these systems, where the risks lie, and how they can be mitigated. Even though I have a Ph.D. in Nuclear Science & Engineering, I did not concentrate on reactor design and thus I am still ignorant of the finest details. But I have learned enough to say the following with authority: reactor designs exist that eliminate the possibility for a repeat of TMI or Chernobyl. Human error on a modern reactor can only lead to the unintentional shutdown of the system. I wish I knew a way to convince people of that who didn't have the time or interest to learn about safety margins, reactor design, and nuclear physics.


Thank you for the great response. Your explanation of what happened is literally the best one that I've read in terms of talking about the specifics of what happened and why at Chernobyl. It also explains a lot of the reasoning as to why I feel that nuclear power is still the most viable source for creation of large amounts of power that the world needs.
That said, the one response I _always_ get when discussing nuclear power with people is "what do you do with the waste?" It's a question that I still don't have a good answer for. What can be done with the high-level stuff other than burying it (or shooting it into the sun, egads)?
Yes, the "what about the waste?" question is big. The issue there is that the current reactors in the US are vastly inefficient in that there is no reprocessing. I'm obviously not an expert at all, but from what I understand, spent fuel still has like 95% usable fuel in it that can be reprocessed. If we reprocessed we'd have about 95% less waste, though it would be just as radioactive I believe.
The amount of waste from these reactors is incredibly small even without reprocessing. I went on a hard hat tour of two reactors near my home when I was in college (doing a research paper). We went and stood over the pool with the spent fuel rods in them. The pool was about 75% full, about as big as an olympic size pool. What was amazing to me was that the pool contained all of the spent fuel the reactor put out since it opened! They hadn't even gotten to dry casking anything yet.
BTW, the inside of these plants is the most amazing thing I think I've seen. Just the engineering involved is crazy.
Well that's an excellent question. It's really the only question. Discussing that question in any sort of definitive way is beyond my capability, but I'll give you some of what I know and my opinion.
First, a brief lesson in reactor physics. Reactor fuel is what is referred to as "fissile," meaning that it can sustain a nuclear chain reaction. In a chain reaction, an atomic nucleus "fissions," which means that it splits apart and tends to spray some neutrons around, and these neutrons induce other nuclei to fission. The rate of this cascade is a function of the geometry of the system, the likelihood of interaction between the neutrons and the nuclei, the average number of neutrons given off per fission, the energy spectrum of neutrons given off per fission, the material density, etc. i.e. it's complicated. There are several long-lived isotopes that are fissile. The two most famous are Uranium 235 and Plutonium 239, though there are others. By themselves, these materials are not particularly dangerous. The half-lives are so long that the activity is exceedingly low. I've held both uranium and plutonium in my hand; the radiation from these elements is not dangerous (in fact, the real hazard of plutonium, aside from proliferation, is the fact that it is hugely poisonous).
The trouble is that when these isotopes fission, you are left with two smaller nuclei which are (almost always) also radioactive and have a much shorter half-life (and thus higher activities). However, despite the higher activity, the daughter products don't actually contribute much to the total radioactivity of a piece of fissile material since they don't last very long. Uranium is so slow in decaying that the daughter products aren't produced frequently enough to actually generate radioactive decay at the rate they would if it were a pure sample of the daughter product. It's a condition known as "secular equilibrium." Now, when you set up a nuclear chain reaction, you start fissioning fissile material much more quickly than its spontaneous fission rate. Thus, you can rapidly build up a supply of nasty daughter products and be left with a very "hot" waste product. This is what makes "nuclear waste" such a pain—a high concentration of high-activity fission daughter products.
The key points I want to deliver with this are the following:
1) Unburned fuel for reactors has the really long half-lives that you've probably heard about (tens of thousands to billions of years).
2) The radiation hazard from spent fuel comes from the daughter products, which have considerably shorter half-lives (microseconds to years).
Bearing this in mind, what do we do with spent fuel?
As Brent alluded to, the first thing we need to do is reprocessing. This is analogous to separating the unburned fuel from the waste products. There are numerous ways to do this and modern techniques are getting very good at it. The Japanese use reprocessing to obtain very high total process efficiencies for their nuclear fuel cycle. We basically don't do it at all here, because... it's nuclear and we're afraid of that. Seriously; there is no good reason for why we don't do it other than we can't get funding for it because it's a political death knell in this country to propose it.
But let's pretend that we're France or Japan and we have a healthy reprocessing system in place. Now we've reduced the problem somewhat. We don't have the ridiculous long half-lives to worry about, though we still have basically all of the radioactivity to deal with.
Option A: Shoot it into the sun. Definitely the best end-result... but getting it there is neither cheap nor safe. Infeasible.
Option B: Bury it in a subduction zone. This means bury it in the Earth, really deep, at a point where a tectonic plate is sinking into the mantle of the Earth. In this way, over the millennia, the material will be dragged into the core of the planet, melted, and diluted. This is an attractive solution as well, but I just don't know how cheap or feasible it is. It does lack the "exploding rocket" danger that exists in Option A, but the time required to get tectonic action to do its thing is really longer than we need to worry about storage anyway (see below).
Option C: In-situ storage. This is what we're doing right now. Every reactor has a storage pool, where we keep the spent fuel rods in water. The basic idea is that we'll keep the waste on site until we figure something better out, which is the weakest exit strategy imaginable. I'm embarrassed.
Option D: Centralized burial, a.k.a. Yucca Mountain. A perfectly acceptable solution in my eyes except no one wants it in their back yard. The transport risks from reprocessing facilities to centralized storage are minimal, the cost is reasonably low, and sites can be chosen with hundreds of thousands of years of anticipated geologic stability. Remember that we're not dealing with egregious half-lives any longer, so this will actually mean that most of the radiological danger of the material will be gone. Furthermore, sites like Yucca Mountain are end-points for groundwater; they are in basins that don't drain. Water there doesn't end up in the oceans (or your drinking water); it just evaporates. This means that colloidal transport shouldn't be too much of a health concern. Finally, with regards to the "not in my back yard" issue... Yucca Mountain is on the Nevada Test Site—an area off limits to pretty much everyone which has already been decimated and contaminated by years of nuclear weapons testing. Even for people living in nearby Las Vegas, the effect of having high-level waste stored at Yucca would basically be nothing. The fear people have of living within a few hundred miles of it is really just more of the same nuclear paranoia that keeps us away from new power plants and reprocessing.
Now I've made Yucca Mountain sound like a pretty appealing option, but I'm misrepresenting it a bit. Because we don't have reprocessing, they're talking about sending "mixed waste" there, which would include some of the ultra-long half-life material. And I'm not convinced that Yucca Mountain is appropriate for storage on that timescale.
In fact, for raw un-reprocessed spent fuel like we have in America, I think the best option is in-situ storage... because we can keep it there until we get our head out of our collective asses and agree to reprocess our spent fuel. This will probably happen in the long run anyway, since the world's supply of Uranium is actually quite limited. I've heard estimates that at current consumption rates we've only got enough for about 300 years. And in the meantime, more and more countries are turning to nuclear power to ameliorate their energy crises. This will only reduce the 300 year figure. So in less than that time we'll either have to start reprocessing our fuel or start using breeder reactors, which create new fuel during the course of the burnup (it's a complicated and long story). It would be a shame to bury our mixed waste at Yucca Mountain, only to decide 150 years from now that we desperately need that spent fuel for reprocessing.
Regarding the quantity of waste from a reactor, consider the following:
An average nuclear reactor generates about 30 tons of radioactive waste during its lifetime of several decades. All of that waste stays in the facility.
An average coal-burning power plant releases about a ton of waste per year into the atmosphere, a significant portion of which is radioactive sulphur. This is in addition to the thousands of tons of waste per year that are produced in the form of a slag pile of burnt anthracite.
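The secular-equilibrium point from Mouser's reactor-physics lesson above (a long-lived parent caps how active its short-lived daughters can get, while a driven chain reaction makes them at a rate the parent's own decay never approaches), carried through as an added Python example that is not part of the original thread. It assumes the standard two-member Bateman solution, 200 MeV released per fission, and uses U-235 as parent with a 30-year fission product (Cs-137's half-life and roughly 6% cumulative yield) as an illustrative pairing; the 1 kg sample and 3 GW thermal power are constructed values.

```python
import math

AVOGADRO = 6.02214076e23                       # atoms per mole
SECONDS_PER_YEAR = 3.15576e7                   # Julian year
JOULES_PER_FISSION = 200e6 * 1.602176634e-19   # ~200 MeV per fission (assumption)


def decay_constant(half_life):
    """lambda = ln2 / T_half, in the same time unit as half_life."""
    return math.log(2) / half_life


def specific_activity_bq(mass_g, molar_mass, half_life_years):
    """Spontaneous activity A = lambda * N of a pure sample, in becquerels."""
    atoms = mass_g / molar_mass * AVOGADRO
    lam_per_s = decay_constant(half_life_years * SECONDS_PER_YEAR)
    return lam_per_s * atoms


def daughter_to_parent_ratio(lam_p, lam_d, t):
    """Bateman solution, two-member chain, no daughter present at t = 0:
    A_d/A_p = lam_d/(lam_d - lam_p) * (1 - exp(-(lam_d - lam_p) * t)).
    For lam_p << lam_d the ratio tends to 1: secular equilibrium, so the
    daughter's activity can never exceed the (tiny) activity of its parent."""
    return lam_d / (lam_d - lam_p) * (1.0 - math.exp(-(lam_d - lam_p) * t))


def fission_rate(thermal_power_w):
    """Fissions per second needed to sustain a given thermal power."""
    return thermal_power_w / JOULES_PER_FISSION


def driven_daughter_activity(production_rate, lam_d, t):
    """Activity of a fission product produced at constant rate P while the
    reactor runs: A_d(t) = P * (1 - exp(-lam_d * t)), saturating at P."""
    return production_rate * (1.0 - math.exp(-lam_d * t))


if __name__ == "__main__":
    lam_u235 = decay_constant(7.04e8)      # per year, U-235 half-life
    lam_cs137 = decay_constant(30.17)      # per year, Cs-137 half-life
    # Left alone, the daughter climbs toward (but not above) the parent's activity.
    print("daughter/parent activity after 300 y:",
          round(daughter_to_parent_ratio(lam_u235, lam_cs137, 300.0), 4))
    a_u = specific_activity_bq(1000.0, 235.04, 7.04e8)   # constructed 1 kg sample
    print(f"spontaneous activity of 1 kg U-235: {a_u:.2e} Bq")
    # Same daughter made by a constructed 3 GW(th) reactor at ~6% yield per fission.
    production = 0.06 * fission_rate(3.0e9)
    lam_cs137_s = lam_cs137 / SECONDS_PER_YEAR
    sat = driven_daughter_activity(production, lam_cs137_s, 300.0 * SECONDS_PER_YEAR)
    print(f"daughter activity after 300 y of operation: {sat:.2e} Bq")
    print(f"ratio driven / spontaneous ceiling: {sat / a_u:.1e}")
```

The ratio printed last is on the order of 10^11, which is the gap between "uranium you can hold in your hand" and "hot waste".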
Mouser: this is a great post. I'm pretty interested in this issue, and I crave authoritative facts, and your presentation is excellent. Clearly you haven't had any Ambien in the past hour.
If this gets as many comments and questions as I'd like to think it will, would you consider turning it into a document/FAQ/something? I imagine a fair amount of the info is available on wikipedia, but what I haven't seen is a FAQ that directly and briefly addresses common objections and questions -- possibly by referring to specific online/wiki references.
PECCADILLO: Option A, blast it into the sun, is sort of misguided. It's about twice as easy to blast something straight out into the Oort cloud as it is to drop it into the sun. Furthermore, it's more failsafe, in that if you somehow miss, you're much less likely to end up with a load of crap in a nasty eccentric orbit.
QUESTION: I've previously heard and been impressed by the coal vs. nuclear waste comparison. However, I don't know how to compare nuclear-waste radioactives to the radioactive byproducts of coal. Can you tell me how many curies we're talking about in each case here?
I think it's also significant to note that the coal plant is merely redistributing existing radioisotopes, whereas the nuclear plant is increasing the world supply of radioactivity [1].
[1] Uber-technically, I think it's just speeding up the rate at which that radioactivity is released, since the U-235 would have decayed _eventually_, but since it speeds it up by a factor of 10^6 or so, this caveat seems largely irrelevant to me.
Robin: I will consider it, though I can't believe that a better resource for what you're looking for isn't out there. Also, the facts regarding Chernobyl that I've given here are what I remember from reading a detailed report on it during graduate school. I've already found one error:
The lid of the containment vessel did get blown off, but it fell right back down onto the core, though on its side. It was the roof of the actual building that was shattered into pieces and found as far away as several hundred meters.
What is the mechanics that makes it "easier" to escape the Sun's grav field versus flying right into it? My intuition tells me that it's much more energetically favorable (== cheap) to fly into the sun vs. 00t into the 000rt cl00ud, but maybe that's not what you meant.
Radiation from burning coal: Have a read through this. Here's the statistics:
2.6 kCuries. That's a HUGE amount of radioactivity. And that's a per-year estimate, and only for plants in the United States. They go on to estimate that the total radiation given off by global coal burning by the year 2040 will be 2.7 MEGACURIES. That is roughly three times the activity released during Chernobyl.
And finally, just to drive the point home:
So you're looking at two orders of magnitude greater dose as a result of having a coal plant versus a nuclear plant. Suck on that, Green Party.
To your final point, Robin, it is even more important to realize that a significant portion of the radioactive effluent from a coal plant is airborne, and thus can make it into your lungs—where it is incredibly more damaging to your health. The radioactive emissions from a nuclear plant are basically undetectable when compared against background levels.
Having said all of this, and while the fact that you get more radioactive dose from a coal plant than a nuclear plant is morosely humorous, I think the real damage from coal burning is the CO2 and acid rain (and not to mention the land-scarring mining used to retrieve the enormous volume of coal burned each year). The health risk from released radioisotopes pales in comparison.
Great analysis. Thanks!
The mechanics of dropping waste into the sun vs. chucking it out of the solar system has to do with angular momentum. You can't drop something into the sun -- if you "drop" it, it keeps orbiting with the Earth. You gotta cancel the Earth's orbital velocity, which is 29.8 km/s. On the other hand, escape velocity from the Sun (at the orbit of Earth) is 43.6 km/s. You've already got 29.8 of it, so you have to get an extra 13.8 relative to the Earth.
So, hitting the sun requires DeltaV of 30, whereas hitting Alpha Centauri requires DeltaV of 13.8. About a factor of 5 in energy.
The weird thing is that it would be even harder to hit the sun from Venus, or from Mercury, since they have higher orbital velocities.
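The angular-momentum argument in the comment above, carried through as an added Python example (not part of the original thread) and extended to the Venus and Mercury remark. It assumes single impulsive burns from a circular heliocentric orbit, takes solar escape speed as sqrt(2) times the circular speed, and ignores Earth's own gravity well, gravity assists, and the cheaper trick of first raising the orbit before dropping in.

```python
import math

GM_SUN = 1.32712440018e20  # m^3/s^2, solar gravitational parameter
AU = 1.495978707e11        # m
# Mean orbital radii in AU (assumption: treat the orbits as circular).
PLANETS = {"Mercury": 0.387, "Venus": 0.723, "Earth": 1.000}


def circular_speed(gm, r):
    """Speed of a circular orbit of radius r about a body with parameter gm."""
    return math.sqrt(gm / r)


def dv_to_hit_sun(v_circ):
    """Cancel the whole orbital speed so the payload falls radially inward."""
    return v_circ


def dv_to_escape(v_circ):
    """Escape speed from a circular orbit is sqrt(2)*v_circ; supply the difference."""
    return (math.sqrt(2.0) - 1.0) * v_circ


def energy_ratio(v_circ):
    """Burn energy scales with dv**2, so compare (dv_sun / dv_escape)**2.
    Independent of the planet: (1/(sqrt2 - 1))**2 = 3 + 2*sqrt2, about 5.83."""
    return (dv_to_hit_sun(v_circ) / dv_to_escape(v_circ)) ** 2


def compare(planet):
    """Both burns, in km/s, for a payload starting in the named planet's orbit."""
    v = circular_speed(GM_SUN, PLANETS[planet] * AU) / 1000.0
    return {"v_circ": v, "dv_sun": dv_to_hit_sun(v),
            "dv_escape": dv_to_escape(v), "energy_ratio": energy_ratio(v)}


if __name__ == "__main__":
    # Closer to the Sun the circular speed is higher, so both burns cost more;
    # the energy ratio between them stays fixed.
    for name in PLANETS:
        r = compare(name)
        print(f"{name:8s} v_circ={r['v_circ']:5.1f} km/s  dv_sun={r['dv_sun']:5.1f}"
              f"  dv_escape={r['dv_escape']:5.1f}  energy ratio={r['energy_ratio']:.2f}")
```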