Passive nuclear safety is a design approach for safety features, implemented in a nuclear reactor, that does not require any active intervention on the part of the operator or electrical/electronic feedback in order to bring the reactor to a safe shutdown state, in the event of a particular type of emergency (usually overheating resulting from a loss of coolant or loss of coolant flow). Such design features tend to rely on the engineering of components such that their predicted behaviour would slow down, rather than accelerate the deterioration of the reactor state; they typically take advantage of natural forces or phenomena such as gravity, buoyancy, pressure differences, conduction or natural heat convection to accomplish safety functions without requiring an active power source. Many older common reactor designs use passive safety systems to a limited extent, rather, relying on active safety systems such as diesel powered motors. Some newer reactor designs feature more passive systems; the motivation being that they are highly reliable and reduce the cost associated with the installation and maintenance of systems that would otherwise require multiple trains of equipment and redundant safety class power supplies in order the achieve the same level of reliability. However, weak driving forces that power many passive safety features can pose significant challenges to effectiveness of a passive system, particularly in the short term following an accident.
Terminology
'Passive safety' describes any safety mechanisms the engagement of which requires little or no outside power or human control. Modern reactor designs have focused on increasing the number of passive systems to mitigate risk of compounding human error.
Despite the increased safety associated with greater coverage by passive systems, all current large-scale nuclear reactors require both external (active) and internal (passive) systems. There are no 'passively safe' reactors, only systems and components. Safety systems are used to maintain control of the plant if it goes outside normal conditions in case of anticipated operational occurrences or accidents, while the control systems are used to operate the plant under normal conditions. Sometimes a system combines both features. Passive safety refers to safety system components, whereas inherent safety refers to control system process regardless of the presence or absence of safety specific subsystems.
An example of a safety system with passive safety components is the containment vessel of a nuclear reactor. The concrete walls and the steel liner of the vessel exhibit passive safety, but require active systems (valves, feedback loops, external instrumentation, control circuits, etc.) which require external power and human operation to function.
The International Atomic Energy Agency (IAEA) classifies the degree of "passive safety" of components from category A to D depending on what the system does not make use of:
- no moving working fluid
- no moving mechanical part
- no signal inputs of 'intelligence'
- no external power input or forces
In category A (1+2+3+4) is the fuel cladding, the protective and nonreactive outer layer of the fuel pellet, which uses none of the above features: It is always closed and keeps the fuel and the fission products inside and is not open before arriving at the reprocessing plant. In category B (2+3+4) is the surge line, which connects the hot leg with the pressurizer and helps to control the pressure in the primary loop of a PWR and uses a moving working fluid when fulfilling its mission. In category C (3+4) is the accumulator, which does not need signal input of 'intelligence' or external power. Once the pressure in the primary circuit drops below the set point of the spring-loaded accumulator valves, the valves open and water is injected into the primary circuit by compressed nitrogen. In category D (4 only) is the SCRAM which utilizes moving working fluids, moving mechanical parts and signal inputs of 'intelligence' but not external power or forces: the control rods drop driven by gravity once they have been released from their magnetic clamp. But nuclear safety engineering is never that simple: Once released the rod may not fulfil its mission: It may get stuck due to earthquake conditions or due to deformed core structures. This shows that though it is a passively safe system and has been properly actuated, it may not fulfil its mission. Nuclear engineers have taken this into consideration: Typically only a part of the rods dropped are necessary to shut down the reactor. Samples of safety systems with passive safety components can be found in almost all nuclear power stations: the containment, hydro-accumulators in PWRs or pressure suppression systems in BWRs.
In most texts on 'passively safe' components in next generation reactors, the key issue is that no pumps are needed to fulfil the mission of a safety system and that all active components (generally I&C and valves) of the systems work with the electric power from batteries.
IAEA explicitly uses the following caveat:
... passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.
Nuclear reactor response properties such as Temperature coefficient of reactivity and Void coefficient of reactivity usually refer to the thermodynamic and phase-change response of the neutron moderator heat transfer process respectively. Reactors whose heat transfer process has the operational property of a negative void coefficient of reactivity are said to possess an inherent safety process feature. An operational failure mode could potentially alter the process to render such a reactor unsafe.
Reactors could be fitted with a hydraulic safety system component that increases the inflow pressure of coolant (esp. water) in response to increased outflow pressure of the moderator and coolant without control system intervention. Such reactors would be described as fitted with such a passive safety component that could – if so designed – render in a reactor a negative void coefficient of reactivity, regardless of the operational property of the reactor in which it is fitted. The feature would only work if it responded faster than an emerging (steam) void and the reactor components could sustain the increased coolant pressure. A reactor fitted with both safety features – if designed to constructively interact – is an example of a safety interlock. Rarer operational failure modes could render both such safety features useless and detract from the overall relative safety of the reactor.
Examples of passive safety in operation
Traditional reactor safety systems are active in the sense that they involve electrical or mechanical operation on command systems (e.g., high-pressure water pumps). But some engineered reactor systems operate entirely passively, e.g., using pressure relief valves to manage overpressure. Parallel redundant systems are still required. Combined inherent and passive safety depends only on physical phenomena such as pressure differentials, convection, gravity or the natural response of materials to high temperatures to slow or shut down the reaction, not on the functioning of engineered components such as high-pressure water pumps.
Current pressurized water reactors and boiling water reactors are systems that have been designed with one kind of passive safety feature. In the event of an excessive-power condition, as the water in the nuclear reactor core boils, pockets of steam are formed. These steam voids moderate fewer neutrons, causing the power level inside the reactor to lower. The BORAX experiments and the SL-1 meltdown accident proved this principle.
A reactor design whose inherently safe process directly provides a passive safety component during a specific failure condition in all operational modes is typically described as relatively fail-safe to that failure condition. However most current water-cooled and -moderated reactors, when scrammed, can not remove residual production and decay heat without either process heat transfer or the active cooling system. In other words, whilst the inherently safe heat transfer process provides a passive safety component preventing excessive heat while the reactor is operating, the same inherently safe heat transfer process does not provide a passive safety component if the reactor is shut down (SCRAMed). The Three Mile Island accident exposed this design deficiency: the reactor and steam generator were shut down but with loss of coolant it still suffered a partial meltdown.
Third generation designs improve on early designs by incorporating passive or inherent safety features which require no active controls or (human) operational intervention to avoid accidents in the event of malfunction, and may rely on pressure differentials, gravity, natural convection, or the natural response of materials to high temperatures.
In some designs the core of a fast breeder reactor is immersed into a pool of liquid metal. If the reactor overheats, thermal expansion of the metallic fuel and cladding causes more neutrons to escape the core, and the nuclear chain reaction can no longer be sustained. The large mass of liquid metal also acts as a heatsink capable of absorbing the decay heat from the core, even if the normal cooling systems would fail.
The pebble bed reactor is an example of a reactor exhibiting an inherently safe process that is also capable of providing a passive safety component for all operational modes. As the temperature of the fuel rises, Doppler broadening increases the probability that neutrons are captured by U-238 atoms. This reduces the chance that the neutrons are captured by U-235 atoms and initiate fission, thus reducing the reactor's power output and placing an inherent upper limit on the temperature of the fuel. The geometry and design of the fuel pebbles provides an important passive safety component.
Single fluid fluoride molten salt reactors feature fissile, fertile and actinide radioisotopes in molecular bonds with the fluoride coolant. The molecular bonds provide a passive safety feature in that a loss-of-coolant event corresponds with a loss-of-fuel event. The molten fluoride fuel can not itself reach criticality but only reaches criticality by the addition of a neutron reflector such as pyrolytic graphite. The higher density of the fuel along with additional lower density FLiBe fluoride coolant without fuel provides a flotation layer passive safety component in which lower density graphite that breaks off control rods or an immersion matrix during mechanical failure does not induce criticality. Gravity driven drainage of reactor liquids provides a passive safety component.
Low power swimming pool reactors such as the SLOWPOKE and TRIGA have been licensed for unattended operation in research environments because as the temperature of the low-enriched (19.75% U-235) uranium alloy hydride fuel rises, the molecular bound hydrogen in the fuel cause the heat to be transferred to the fission neutrons as they are ejected. This Doppler shifting or spectrum hardening dissipates heat from the fuel more rapidly throughout the pool the higher the fuel temperature increases ensuring rapid cooling of fuel whilst maintaining a much lower water temperature than the fuel. Prompt, self-dispersing, high efficiency hydrogen-neutron heat transfer rather than inefficient radionuclide-water heat transfer ensures the fuel cannot melt through accident alone. In uranium-zirconium alloy hydride variants, the fuel itself is also chemically corrosion resistant ensuring a sustainable safety performance of the fuel molecules throughout their lifetime. A large expanse of water and the concrete surround provided by the pool for high energy neutrons to penetrate ensures the process has a high degree of intrinsic safety. The core is visible through the pool and verification measurements can be made directly on the core fuel elements facilitating total surveillance and providing nuclear non-proliferation safety. Both the fuel molecules themselves and the open expanse of the pool are passive safety components. Quality implementations of these designs are arguably the safest nuclear reactors.
Examples of reactors using passive safety features
Three Mile Island Unit 2 was unable to contain about 480 PBq of radioactive noble gases from release into the environment and around 120 kL of radioactive contaminated cooling water from release beyond the containment into a neighbouring building. The pilot-operated relief valve at TMI-2 was designed to shut automatically after relieving excessive pressure inside the reactor into a quench tank. However the valve mechanically failed causing the PORV quench tank to fill, and the relief diaphragm to eventually rupture into the containment building. The containment building sump pumps automatically pumped the contaminated water outside the containment building. Both a working PORV with quench tank and separately the containment building with sump provided two layers of passive safety. An unreliable PORV negated its designed passive safety. The plant design featured only a single open/close indicator based on the status of its solenoid actuator, instead of a separate indicator of the PORV's actual position. This rendered the mechanical reliability of the PORV indeterminate directly, and therefore its passive safety status indeterminate. The automatic sump pumps and/or insufficient containment sump capacity negated the containment building designed passive safety.
The notorious RBMK graphite moderated, water-cooled reactors of Chernobyl Power Plant disaster were designed with a positive void coefficient with boron control rods on electromagnetic grapples for reaction speed control. To the degree that the control systems were reliable, this design did have a corresponding degree of active inherent safety. The reactor was unsafe at low power levels because erroneous control rod movement would have a counter-intuitively magnified effect. Chernobyl Reactor 4 was built instead with manual crane driven boron control rods that were tipped with the moderator substance, graphite, a neutron reflector. It was designed with an Emergency Core Cooling System (ECCS) that depended on either grid power or the backup Diesel generator to be operating. The ECCS safety component was decidedly not passive. The design featured a partial containment consisting of a concrete slab above and below the reactor – with pipes and rods penetrating, an inert gas filled metal vessel to keep oxygen away from the water-cooled hot graphite, a fire-proof roof, and the pipes below the vessel sealed in secondary water filled boxes. The roof, metal vessel, concrete slabs and water boxes are examples of passive safety components. The roof in the Chernobyl Power Plant complex was made of bitumen – against design – rendering it ignitable. Unlike the Three Mile Island accident, neither the concrete slabs nor the metal vessel could contain a steam, graphite and oxygen driven hydrogen explosion. The water boxes could not sustain high pressure failure of the pipes. The passive safety components as designed were inadequate to fulfill the safety requirements of the system.
The General Electric Company ESBWR (Economic Simplified Boiling Water Reactor, a BWR) is a design reported to use passive safety components. In the event of coolant loss, no operator action is required for three days.
The Westinghouse AP1000 ("AP" standing for "Advanced Passive") uses passive safety components. In the event of an accident, no operator action is required for 72 hours. Recent version of the Russian VVER have added a passive heat removal system to the existing active systems, utilising a cooling system and water tanks built on top of the containment dome.
The integral fast reactor was a fast breeder reactor run by the Argonne National Laboratory. It was a sodium cooled reactor capable of withstanding a loss of (coolant) flow without SCRAM and loss of heatsink without SCRAM. This was demonstrated throughout a series of safety tests in which the reactor successfully shut down without operator intervention. The project was canceled due to proliferation concerns before it could be copied elsewhere.
The Molten-Salt Reactor Experiment (MSRE) was a molten salt reactor run by the Oak Ridge National Laboratory. It was nuclear graphite moderated and the coolant salt used was FLiBe, which also carried the uranium-233 fluoride fuel dissolved in it. The MSRE had a negative temperature coefficient of reactivity: as the FLiBe temperature increased, it expanded, along with the uranium ions it carried; this decreased density resulted in a reduction of fissile material in the core, which decreased the rate of fission. With less heat input, the net result was that the reactor would cool. Extending from the bottom of the reactor core was a pipe that lead to passively cooled drain tanks. The pipe had a "freeze valve" along its length, in which the molten salt was actively cooled to a solid plug by a fan blowing air over the pipe. If the reactor vessel developed excessive heat or lost electric power to the air cooling, the plug would melt; the FLiBe would be pulled out of the reactor core by gravity into dump tanks, and criticality would cease as the salt lost contact with the graphite moderator.
The General Atomics HTGR design features a fully passive and inherently safe decay heat removal system, termed the Reactor Cavity Cooling System (RCCS). In this design, an array of steel ducts line the concrete containment (and hence surround the reactor pressure vessel) which provide a flow path for air driven natural circulation from chimneys positioned above grade. Derivatives of this RCCS concept (with either air or water as the working fluid) has also been featured in other gas-cooled reactor designs, including the Japanese High-temperature engineering test reactor, the Chinese HTR-10, the South African PBMR, and the Russian GT-MHR. While none of these designs have been commercialized for power generation research in these areas is active, specifically in support of the Generation IV initiative and NGNP programs, with experimental facilities at Argonne National Laboratory (home to the Natural convection Shutdown heat removal Test Facility, a 1/2 scale air-cooled RCCS) and the University of Wisconsin (home to separate 1/4 scale air and water-cooled RCCS).
