From Sand Buckets to Passive Safety
ORNL research supports reactor safety in a new age
Two buckets filled with sand once stood next to the control rod drive system at the Oak Ridge Graphite Reactor, the world's first continually operated nuclear reactor. Each bucket provided a weight on a plunger that could be released if a loss of power occurred—pressurizing a hydraulic drive system and pushing control rods into the reactor to shut it down.

Nuclear safety has always been based on multiple layers of protection. These sand tanks were part of a gravity-powered backup system for shutting down ORNL's historic Graphite Reactor.
Although crude, this Rube Goldberg–like contraption was part of the original 1943 reactor design, which included not one but three different shutdown mechanisms, providing multiple layers of protection in the event of a runaway reaction. While sand buckets are no longer considered useful safety tools, the philosophy behind them continues to influence the design of modern reactor safety systems.
Defense in depth
"The U.S. nuclear design philosophy is built on a defense-in-depth basis," says George Flanagan, a research scientist in ORNL's Reactor and Nuclear Systems Division. "It means we have system behind system behind system. Defense in depth is a concept that Oak Ridge was involved in from the very beginning."
Today, ORNL researchers continue to support improvements in reactor safety, beginning with the first line of defense—fuel cladding. This layer of protection is found in the reactor core, where fuel pellets are assembled into long fuel rods. Each rod is made of a zirconium alloy, which acts as a wrapper to keep radioactive gases and solids from being released from the fuel. However, under extreme conditions, such as a loss of coolant in the reactor core, the zirconium alloy cladding can react with water at high temperatures to produce hydrogen gas. This sort of reaction is suspected to be the cause of explosions at the tsunami- and earthquake-damaged Fukushima Daiichi reactor complex in Japan earlier this year.
"We are looking at improving the fuel cladding for the current type of light-water reactors," Flanagan says. "This new cladding is made of a ceramic instead of metal, and we are testing it at ORNL's High Flux Isotope Reactor. If it's successful, and we can license it for use in the current fleet of reactors, the improved cladding will reduce the likelihood of hydrogen production in the event of an accident."
Two more physical barriers, the thick-walled reactor vessel and the containment structure that houses the entire reactor, form the next stages of defense-in-depth protection. In addition to these physical barriers, there are a number of other safeguards, including multiple shutdown systems and independent cooling systems, to provide adequate cooling if the normal cooling system fails.
The instrumentation and control components that monitor the reactor operations and provide feedback to the operator are critical to the performance of these safety systems. As the current fleet of reactors transitions from analog to digital instrumentation, ORNL is helping the nuclear industry and regulators make a safe crossover. "There is concern that when facilities upgrade to digital control systems, there might be cross-talk between safety and nonsafety systems or that signals might be subject to interference," Flanagan says. "ORNL's role is to confirm that the digital instrumentation and controls are as good as the analog ones. We play a major role in helping the Nuclear Regulatory Commission make those kinds of decisions."
Passive safety systems
In addition to improving safety measures for existing light-water reactors, ORNL researchers are also involved in analyzing next-generation reactor designs that include new approaches to safety. The current generation of reactors relies on "active" cooling systems composed of pumps, valves and other moving parts. Because each of these active components could fail, designers looking to the next generation of reactors are rethinking the active approach to safety and are considering passive cooling systems, which do not depend as much on moving parts.
These so-called passive reactors are designed to harness water's natural ability to absorb large amounts of heat and include tanks containing millions of gallons of water above the reactor core. If emergency cooling is required, the reactor can be depressurized, allowing the water to drain into the core powered only by gravity. A subsequent cycle of steam production and condensation would substantially cool the reactor without operator intervention or the need for battery power, diesel generators or moving parts. "The idea is to use basic physics—such things as gravity and condensing steam—to cool the reactor," Flanagan says. "These phenomena occur naturally and don't rely on pumps and valves."
The shift toward a passive safety approach, among other new ideas in reactor design, also requires a rethinking of the traditional license review process. For example, ORNL is helping the NRC prepare to license a small modular reactor for the first time. "The review process that the NRC uses, called a Standard Review Plan, is tailored entirely to large light-water reactors," Flanagan says. "The NRC has decided that they probably can't use that process for this new type of reactor, so we are rewriting the entire review manual for small modular reactors."
Widening the margin
Despite the trend from active to passive cooling systems, Flanagan emphasizes that newer designs still contain the independence, diversity and redundancy that characterize traditional reactor safety plans. "Nobody is considering throwing away the defense-in-depth concept," he says. Passive reactor designs, however, are expected to widen the safety margin by improving upon traditional approaches.
"Calculations show that passive safety systems might be an order of magnitude safer than active systems. It doesn't mean the active systems aren't safe, but there is a margin you gain by going passive," Flanagan says.
This safety margin, in large part due to the defense-in-depth design philosophy, is unique to the nuclear industry. "No other industry has this kind of safety margin built in," Flanagan says. "When a large industrial plant has an accident, there's nothing between the plant and the public other than the site boundary fence. Nobody puts a containment building around these kinds of plants, but the nuclear power industry provides such protection around their reactors and has done so from the very beginning."
—Morgan McCorkle
