In an article published in the online magazine Spectrum, Eliza Strickland has charted the first 24 hours at Fukushima. It is a sobering description of the difficulty of the task facing the operators in the wake of the tsunami.
Her article identified a number of specific lessons about nuclear plant design, so in this post I thought I’d look at whether more general lessons for high consequence system design could be inferred in turn from her list.
Lesson 1. Emergency generators should be installed at high elevations or in watertight chambers.
More generally, common cause events will tend to dominate risk for high consequence systems. Diverse redundancy is therefore essential when developing high consequence systems.
Lesson 2. If a cooling system is intended to operate without power, make sure all of its parts can be manipulated without power.
More generally, safety systems should be de-coupled from and independent of the normal service systems in their operation. This independence also needs to be formally demonstrated. Ideally such systems should rely purely upon fundamental physical principles (passive safety).
Because we cannot anticipate all emergency scenarios, allow for operator intervention and management of safety system responses. In the most extreme case a ‘battle short’ capability may be needed to provide a ‘use until destruction’ capability for vital equipment.
Lesson 3. Keep power trucks on or very close to the power plant site.
More generally, any disaster large enough to cause a major plant emergency is large enough to cause disruption outside the plant boundary as well. Plan for and expect a ‘broken back’ phase in any response. Design systems with redundancy and damage tolerance to provide a refractory period while a response is marshalled.
Lesson 4. Install independent and secure battery systems to power crucial instruments during emergencies.
More generally, and as per lesson one, critical service subsystems (those with one-to-many relationships to the systems they serve) must be designed with diverse redundancy in mind. For example, consider the use of solar or wind power to back up battery power for a bootstrap minimum set of instrumentation.
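To put some numbers behind lessons 1 and 4, here is an illustration of my own (not from Strickland’s article, and not the original post’s content) using the standard beta-factor model of common-cause failure, with constructed demand-failure probabilities: a fraction beta of each channel’s failure probability is assumed to be a shared cause that takes out every identical channel at once, so stacking more identical channels can never get below that common-cause floor, whereas diverse channels (assumed here to share no common cause) can.

```python
# Added example, not from the original post. Beta-factor common-cause failure
# model (rare-event approximation), with constructed probabilities.

def p_identical_redundant_fails(n_channels: int, p_channel: float, beta: float) -> float:
    """Probability that all n identical redundant channels fail on demand.

    beta * p_channel is the common-cause share (all channels fail together);
    the remaining (1 - beta) * p_channel fails independently in each channel.
    """
    common_cause = beta * p_channel
    independent = (1.0 - beta) * p_channel
    return common_cause + independent ** n_channels


def common_cause_floor(p_channel: float, beta: float) -> float:
    """The value identical redundancy converges to as n grows: no better than this."""
    return beta * p_channel


def p_diverse_redundant_fails(p_channels: list[float]) -> float:
    """Probability that all diverse channels fail, assuming (an assumption of this
    example) that diversity removes the shared failure cause, so channels are
    independent and the failure probabilities simply multiply."""
    total = 1.0
    for p in p_channels:
        total *= p
    return total


if __name__ == "__main__":
    # Constructed figures: each identical channel fails on demand 1 time in 100,
    # and 10% of that is a shared cause (e.g. the same flood reaching every one).
    p, beta = 0.01, 0.10
    print(f"common-cause floor for identical channels: {common_cause_floor(p, beta):.3e}")
    for n in (1, 2, 4):
        print(f"  {n} identical channel(s): {p_identical_redundant_fails(n, p, beta):.3e}")
    # Two diverse channels, the second deliberately rated worse than the first.
    print(f"2 diverse channels (0.01, 0.02): {p_diverse_redundant_fails([0.01, 0.02]):.3e}")
```

Four identical channels are still stuck just above the 1e-3 floor, while two diverse channels, one of them twice as unreliable, reach 2e-4.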
Lesson 5. Ensure that catalytic hydrogen recombiners (power-free devices that turn dangerous hydrogen gas back into steam) are positioned at the tops of reactor buildings where gas would most likely collect (1).
As Trevor Kletz once remarked, once you have an explosive atmosphere, a spark is bound to turn up sooner or later. More generally, eliminate hazards as a priority. If you cannot eliminate the hazard (remove the hydrogen gas), then design critical systems for graceful degradation and damage limitation.
1. The Three Mile Island reactor vessel also suffered a hydrogen explosion, so the ability to detect and safely deal with hydrogen build-up would seem to be a recurring safety system requirement.