Nuclear Meltdown

A nuclear meltdown is a term for a severe nuclear reactor accident. This can occur when a nuclear power plant system or component failure causes the reactor core to cease being properly controlled and cooled to the extent that the sealed nuclear fuel assemblies � which contain the uranium or plutonium and highly radioactive fission products� begin to overheat and melt. A meltdown is considered very serious because of the possibility that the reactor containment will be defeated, thus releasing the core’s highly radioactive and toxic elements into the atmosphere and environment. From an engineering perspective, a meltdown is likely to cause serious damage to the reactor, and possibly total destruction.
Several nuclear meltdowns of differing severity have occurred, from localized core damage to complete destruction of the reactor core. In some cases this has required extensive repairs or decommissioning of a nuclear reactor. In the most extreme cases, such as the Chernobyl disaster, deaths have resulted and the near-permanent civilian evacuation of a large area was required.
A nuclear explosion does not result from a nuclear meltdown because, by design, the geometry and composition of the reactor core do not permit the special conditions necessary for a nuclear explosion. However, the conditions that cause a meltdown may cause a non-nuclear explosion. For example, several power excursion accidents have caused coolant to rapidly over pressurize, resulting in a steam explosion.


In some reactor types, the fuel assemblies in the core can melt as a result of a loss of pressure control accident, a loss of coolant accident (LOCA), an uncontrolled power excursion, or any other event that might start a fire around the fuel assemblies.
* In a loss of pressure control accident, the pressure of the confined coolant falls below specification without the means to restore it. In some cases this may reduce the heat transfer efficiency and in others may form an insulating ‘bubble’ of steam surrounding the fuel assemblies . In the latter case, due to localized heating of the steam ‘bubble’ due to decay heat, the pressure required to collapse the steam ‘bubble’ may exceed reactor design specifications until the reactor has had time to cool down.
* In a loss of coolant accident, either the physical loss of coolant (which is typically deionized water, an inert gas, or liquid sodium) or the loss of a method to ensure a sufficient flow rate of the coolant occurs. A loss of coolant accident and a loss of pressure control accident are closely related in some reactors. In a pressurized water reactor, a loss of coolant accident can also cause a steam ‘bubble’ to form in the core due to excessive heating of stalled coolant or by the subsequent loss of pressure control accident caused by a rapid loss of coolant.
* In an uncontrolled power excursion accident, a sudden power spike in the reactor exceeds reactor design specifications due to a sudden increase in reactor reactivity. An uncontrolled power excursion occurs due to significantly altering a parameter that affects the exponential rate of a nuclear chain reaction (examples include ejecting a control rod or significantly altering the nuclear characteristics of the moderator, such as by rapid cooling). In extreme cases the reactor may proceed to a condition known as prompt critical.
* Structural and core-based fires may also severely endanger the core and potentially cause the fuel assemblies to melt. A structural fire may directly heat the fuel assemblies (such as during a fire on lagging of piping near the core) or in other cases it may damage control electronics or wiring preventing operators from quickly responding to other failures . In certain reactor designs it is possible for hydrogen or graphite to ignite inside the reactor core. A fire inside the reactor may be caused by failure to carefully control the amount of hydrogen in the coolant, an air addition to certain types of nuclear reactors, the uncontrolled heating of the coolant or moderator of the reactor by the types of reactor accidents listed above, or by an external source. Fires can be a much more severe casualty for nuclear reactors that are moderated with graphite because without taking proper precautions Wigner energy may accumulate which will greatly increase the severity of the fire (for example, during the Windscale fire).
A nuclear reactor does not have to remain critical for a nuclear meltdown to occur because fires or decay heat can continue to heat the reactor fuel assemblies long after the reactor has shut down.


If the reactor core becomes too hot, it might melt through the reactor vessel (although this has not happened to date) and the floor of the reactor chamber and descend until it becomes diluted by surrounding material and cooled enough to no longer melt through the material underneath, or until it hits groundwater. This type of nuclear meltdown is known as a China Syndrome. Note that a nuclear explosion does not happen in a nuclear meltdown due to the low fissility of the radioactive components. However, a steam explosion may occur if it hits water.
The geometry and presence of the coolant has a twin role, and both cools the reactor as well as slowing down emitted neutrons. The latter role is crucial to maintaining the chain-reaction, and so even without coolant the molten core is designed to be unable to form an uncontrolled critical mass (a recriticality). However, the molten reactor core will continue generating enough heat through unmoderated radioactive decay (‘decay heat’) to maintain or even increase its temperature.


If the reactor core becomes too hot, it might melt through the reactor vessel (although this has not happened to date) and the floor of the reactor chamber and descend until it becomes diluted by surrounding material and cooled enough to no longer melt through the material underneath, or until it hits groundwater. This type of nuclear meltdown is known as a China Syndrome. Note that a nuclear explosion does not happen in a nuclear meltdown due to the low fissility of the radioactive components. However, a steam explosion may occur if it hits water.
The geometry and presence of the coolant has a twin role, and both cools the reactor as well as slowing down emitted neutrons. The latter role is crucial to maintaining the chain-reaction, and so even without coolant the molten core is designed to be unable to form an uncontrolled critical mass (a recriticality). However, the molten reactor core will continue generating enough heat through unmoderated radioactive decay (‘decay heat’) to maintain or even increase its temperature.


* Russian Nuclear Submarines

A number of Russian nuclear submarines have experienced nuclear meltdowns. The only known large scale nuclear meltdowns at civilian nuclear power plants were in the Chernobyl disaster at Chernobyl Nuclear Power Plant, Ukraine, in 1986, and the Three Mile Island accident at Three Mile Island, Pennsylvania, USA, in 1979, although there have been partial core meltdowns at:

Submarine Nuclear-Reactor-Meltdown

* NRX, Ontario, Canada, in 1952

NRX was an experimental heavy water moderated nuclear reactor at the Canadaian Chalk River Laboratory which experienced a partial core meltdown accident on 12 December 1952. The reactor began operation on 22 July 1947.

A heavy water moderated reactor is governed by two main processes. First, the water slows down (moderates) the neutrons which are produced by a nuclear reaction, allowing the high energy neutrons to cause further reactions. No water moderator and the reacton stops. Second, control rods absorb neutrons and adjust the power level or shut down the reactor in the course of normal operation. Either inserting the control rods or removing the heavy water moderator can stop the reaction. A nuclear explosion isn’t possible because the rapid heat release from the accelerating reaction turns the moderating water to steam and removes the water and its moderating effect, as demonstrated in the US boiling water reactor Borax experiments and SL-1 accident.

The NRX reactor design was an early version of the CANDU reactor, with a sealed vertical aluminium calandria with a diameter of 8m and height of 3m. The calandria held about 175 6cm diameter vertical tubes in a hexagonal lattice, 14,000 litres of heavy water and helium gas. The level of water in the reactor could be adjusted to help set the power level. Sitting in the calandria tube and surrounded by air were fuel elements or experimental items.

NRU cutaway diagram

The fuel elements contained fuel rods 3.1m long, 3.1cm in diameter and weighing 55kg, containing uranium fuel and sheathed in aluminium. Surrounding the fuel element was an aluminium coolant tube with up to 250 litres per second of cooling water from the Ottawa river flowing through it.

Twelve of the calandria tubes contained control rods made of boron powder inside steel tubes. These could be raised and lowered to control the reaction, with seven inserted being enough to absorb so many neutrons that no chain reaction could happen. The rods were held up by electromagnets, so that a power failure would cause them to fall into the tubes and terminate the reaction. An air pneumatic system could use air pressure from above to quickly force them into the reactor core or from below to slowly raise them from it. Four of these were called the safeguard bank while the other eight were controlled in an automatic sequence. Two pushbuttons on the main panel in the control room activated magnets to seal the rods to the pneumatic system and the pushbutton to cause the pneumatic blowdown of the rods into the core was located a few feet away.


* EBR-I, Idaho, USA, in 1955
Experimental Breeder Reactor I (EBR-I) is a decommissioned research reactor and U.S. National Historic Landmark located in the desert about 18 miles (29 km) southeast of Arco, Idaho. At 1:50 pm on December 20, 1951 it became the world’s first electricity-generating nuclear power plant when it produced sufficient electricity to illuminate four 200-watt light bulbs.[3][4] It subsequently generated sufficient electricity to power its building, and continued to be used for experimental purposes until it was decommissioned in 1964.

As part of the National Reactor Testing Station (now known as the Idaho National Laboratory), EBR-I’s construction started in late 1949. The reactor itself was designed by a team led by Walter Zinn at the Argonne National Laboratory. In its early stages, the reactor plant was referred to as Chicago Pile 4 (CP-4) and Zinn’s Infernal Pile.[5] Installation of the reactor at EBR-I took place in early 1951 (the first reactor in Idaho) and it began power operation on August 24, 1951. On December 20 of that year, atomic energy was successfully harvested for the first time. The following day the reactor produced enough power to light the whole building. The power plant produced 200kW of electricity out of 1.4MW of heat generated by the reactor.[6]

The design purpose of EBR-I was not to produce electricity but instead to validate nuclear physics theory which suggested that a breeder reactor should be possible. In 1953, experiments revealed the reactor was producing additional fuel during fission, thus confirming the hypothesis. However, on November 29, 1955, the reactor at EBR-I suffered a partial meltdown during a coolant flow test. The flow test was trying to determine the cause of unexpected reactor responses to changes in coolant flow. It was subsequently repaired for further experiments, which determined that thermal expansion of the fuel rods and the thick plates supporting the fuel rods was the cause of the unexpected reactor response.[7]

Although EBR-I produced the first electricity available in-house, a nearby reactor plant called BORAX-III was connected to external loads, powering the nearby city of Arco, Idaho in 1955, the first time a city had been powered solely by nuclear power.

Besides generating the world’s first electricity from atomic energy, EBR-I was also the world’s first breeder reactor and the first to use plutonium fuel to generate electricity (see also the Clementine nuclear reactor). EBR-1’s initial purpose was to prove Enrico Fermi’sfuel breeding principle, a principle that showed a nuclear reactor producing more fuel atoms than consumed. Along with generating electricity, EBR-1 would also prove this principle.

Decommission and legacy

EBR-I was deactivated in 1964 and replaced with a new reactor, EBR-II. Landmark status for EBR-I was granted by President Lyndon Johnson and Glenn T. Seaborg on August 25, 1966.

It was declared a National Historic Landmark in 1965.[2][8]

The site has been open to the public since 1976, but is only open between Memorial Day and Labor Day. Also on display at the site are two prototype reactors from the Aircraft Nuclear Propulsion Project of the 1950s.

There is also a separate facility called Experimental Breeder Reactor II.


* Windscale, Sellafield, England, in 1957 (see Windscale fire)

The Windscale Piles

The reactors were built in a short time near the tiny village of Seascale, Cumberland, and were known as Windscale Pile 1 and Windscale Pile 2, housed in large, concrete buildings a few hundred feet from one another. The reactors weregraphite-moderated and air-cooled. Because nuclear fission produces large amounts of heat, it was necessary to cool the reactor cores by blowing cold air through channels in the graphite. Hot air was then exhausted out of the back of the core and up the chimney. Filters were added late into construction at the insistence of Sir John Cockcroft and these were housed in galleries at the very top of the discharge stacks. They were deemed unnecessary, a waste of money and time and presented something of an engineering headache, being added very late in construction in large concrete houses at the top of the 400-ft (120 m) chimneys. Due to this, they were known as “Cockcroft’s Folly” by workers and engineers. As it was, “Cockcroft’s Folly” probably prevented a disaster from becoming a catastrophe.

Core design

The reactors themselves were built of a solid graphite core, with horizontal channels through which cans of uranium and isotope cartridges could be passed, to expose the isotope cartridges to neutron radiation from the uranium and produce plutonium and radioisotopes, respectively. Fuel and isotopes were fed into the channels in the front of the reactor, the “charge face”, and spent fuel was then pushed all the way through the core and out of the back—the “discharge face”—into a water duct for initial cooling prior to retrieval and processing to extract the plutonium.


Unenriched uranium metal in aluminium cans with fins to improve cooling was used for the production of plutonium. As this plutonium was intended for weapons purposes, the burn-up of the fuel would have been kept low to reduce production of the heavier plutonium isotopes (240Pu, 241Pu etc.).



* Santa Susana Field Laboratory, Simi Hills, California, in 1959
LA’s secret nuclear meltdown

Photo by Michael Helleman

The world’s first nuclear meltdown happened 30 miles from downtown Los Angeles, and released hundreds of times as much radiation as Three Mile Island. And I’m betting you’ve never heard of it.

I was at the SMMTC board meeting on Thursday night, and two of the parks representatives were arguing about whether Runkle Canyon was owned by the National Park Service or another agency. I pulled out my iPhone to check it out on Google, but was surprised to see that most of the links mentioned a nuclear disaster. I’ve lived in Simi Valley for 5 years, Runkle Canyon is only a few miles from my house, and that was news to me.

Digging in deeper, I discovered that the world’s first commercial nuclear reactorwas opened at Rocketdyne’s Santa Susana Laboratory in 1957, powering 1100 homes in nearby Moorpark. As an experimental facility, it had no concrete containment shell, and it was using the highly reactive element sodium as a cooling agent, rather than water. In 1959, the cooling system failed, 13 out of 43 fuel rods melted, and a large amount of radioactive gas was leaked into the air. No measurements were taken at the time, but the Santa Susana Field Laboratory Advisory Panel report estimates that the total radiation released could have been up to 500 times that of Three Mile Island.

For 20 years the accident was kept secret, with a small report stating that only one fuel rod had melted and no radiation was released. In 1979 a UCLA professor uncovered documents showing the true extent of the accident, and since then there’s been a struggle to reconstruct exactly how much contamination there was, and how to clean it up. Home developers were recently been pushing to buy the site from Boeing and build a residential housing development! Luckily there was a recent agreement to keep the area as open space as a new state park.

I’m still happy here in Simi Valley, but now I’ll be keeping a careful count to catch any newly sprouted fingers or toes. For more information on the accident itself, check out this History Channel excerpt:

* SL-1, Idaho, USA in 1961. (US military)

SL-1 reactor excursion, 1961

compiled by Wm. Robert Johnston
last modified 17 October 2007

Date: 3 January 1961

Location: SL-1 reactor, National Reactor Testing Station, Idaho, USA

Type of event: criticality excursion in research reactor

The SL-1 Reactor Plant at the National Reactor Testing Station near Idaho Falls, Idaho before the 1961 accident.


The SL-1 reactor was a prototype of a reactor intended for easy assembly at remote facilities such as DEW line stations in the Arctic. It used 15 kg of uranium fuel (enriched to 91% U-235), was water moderated, and had a thermal power capacity of 3 MWt. Five aluminum-clad cadmium control rods provided reactor control. The SL-1 had operated 2 years, with an 11-day shutdown for maintenance being completed at the time of the incident.

Three workers were reassembling the control rod drives on 3 January in preparation for startup the following day. At about 9:01 PM the three workers were on top of the reactor when one manually removed the center control rod as rapidly as possible, over a 0.5-second period. The reactor became supercritical, with a total energy release of 1.3 x 108 joules (comparable to 30 kg of TNT), producing a steam explosion. The worker who extracted the rod was killed instantly, impaled on the building’s ceiling by a control rod. The other two men were burned and thrown by the steam explosion, one dying instantly from impact with a shielding block and the other sustaining head injuries of which he died 2 hours later (maximum dose sustained was possibly 350 rad). The release of radioactive material was largely contained to the building.

The SL-1 Reactor Accident site today.

Emergency responders were alerted by an automated alarm and arrived at the site at 9:10 PM. High radiation readings were measured in the reactor building, delaying entry. At 10:50 PM several responders and contractor personnel removed one man alive, who died shortly afterwards. One body was removed from the reactor building on 4 January and the other on 9 January. Of personnel/responders involved, 22 received doses of 3-27 rads from entering the building and/or handling the casualties.

The reason that the control rod was withdrawn is unknown, since none of the workers survived and the facility did not have appropriate data recording systems. The control rods in SL-1 had some tendency to stick, sometimes causing difficulty during manual extraction. One hypothesis is that the worker accidentally withdrew the control rod too far in an effort to overcome a stuck condition. The amount of withdrawal involved was about 50 cm, possibly difficult to achieve accidentally, and the particular control rod involved had not been sticking for the past six months. Another hypothesis is that the rod was intentionally withdrawn in an act of murder-suicide; this was the conclusion of the investigation of the incident.

Consequences: 3 fatalities, all from mechanical/thermal effects of the explosion.

The SL-1 reactor being removed from the reactor building after the 1961 accident.

* Enrico Fermi Nuclear Generating Station, Michigan, USA, in 1966

Enrico Fermi Nuclear Generating Station

The Enrico Fermi Nuclear Generating Station is a nuclear power plant on the shore of Lake Erie near Monroe in Frenchtown Charter Township, Michigan. It is approximately halfway between Detroit, Michigan and Toledo, Ohio. Two units have been constructed on this site. The first unit’s construction started in 1963, and the second unit reached criticality in 1988.

The plant is named after the Italian nuclear physicist Enrico Fermi, most noted for his work on the development of the first nuclear reactor as well as many other major contributions to nuclear physics. Fermi won the 1938 Nobel Prize in Physics for his work on induced radioactivity.

On October 5, 1966 Fermi 1 suffered a partial fuel meltdown, although no radioactive material was released.

On August 8, 2008, John McCain conducted a 45-minute tour of the plant, becoming the first actively campaigning presidential candidate to visit a nuclear plant

Located on Lake Erie between two population centers — Detroit, Michigan, and Toledo, Ohio — the Enrico Fermi plant has two reactors, though only one is operating currently. Fermi 1 suffered a partial meltdown in 1966, though no radioactivity was released. It operated for a further nine years before being deactivated. The event inspired a best-selling book and at least one protest song.
The site’s second reactor, Fermi 2, continues to operate and, coincidentally, has the same make and model number of the reactors at the Fukushima plant in Japan.
In 2003, a power outage forced the Fermi 2 reactor offline for six hours, and the unit’s backup generators failed to perform as planned. Though the site is not located in a seismically active region, the area does suffer from tornadoes and flooding. Last June, the plant suffered a near miss when a tornado passed directly through its two cooling towers.


* Chapelcross, Dumfries and Galloway, Scotland, in 1967

Chapelcross Nuclear Power Station

Nuclear power station, 2006
Nuclear power station
© John Holmes

The site of the former Chapelcross Nuclear Power Station lies near Annan in Dumfries and Galloway. The site was originally home to part of RAF Annan, a World War II airfield and Tactical Exercise Unit (TEU), and the power station was built on part of the old airfield.

Built between 1955 and 1960 by Merz and McLellan, as consultant engineers, and LJ Cowes and partners, as associate architects, the station became operational in February 1959, notable as being both the first nuclear power station in Scotland, and one of the oldest in Britain.

The station was equipped with four 50 MWe Magnox reactors, had its own processing plant nearby (the adjacent Chapelcross Processing Plant, operated by the MoD), and was designed to perform two functions: the production of weapons grade plutonium for the military, and electricity production for the civilian market.

In 1967 there was a partial meltdown in reactor No 2, and the reactor was closed for two years, then successfully restarted in 1969. The true extent of the 1967 accident was not revealed for many years, and the press were told that no radioactivity had been released. The meltdown appears to have begun with breakage of a fuel rod, which then caught fire.

In 1987, reports claimed high instances of leukaemia in the area, but later studies have challenged their veracity.

In 1996, the station’s operational license was extended to 2006, but in 1998, the discovery of a forty year old hairline crack in one of the four heat exchangers resulted in a six month shutdown.

In 2001, a basket of spent fuel elements was dropped and lay undetected for several days, however an investigation found that apart from the delay in detecting this occurrence, there was no hazard to either plant operators or the public.

In 2003, an RAF Hercules aircraft breached the No-Fly Zone around Chapelcross. Subsequent investigation revealed that the MoD had logged five similar breaches in the preceding three years: Torness in East Lothian; Dungeness in Kent; and Berkeley in Gloucestershire, where three breaches were recorded. As the plants were not designed specifically to withstand aircraft crashes, following the events of September 11, 2001, the British Government doubled the No-Fly zone to two nautical miles.

Power production at the plant ended in 2004, to be followed by the defuelling phase, with fuel being progressively removed from the reactors and sent to Sellafield for treatment, and marking the start of the decommissioning process. The premature closure of the station was brought about by a combination of operational problems and a fall in energy prices, as the plant was dependent on the export of electricity to England.

In May 2007, the most public part of this process took place as the four 300 foot cooling towers were demolished in ten seconds by controlled explosion.[1]

In July 2008, formal permission was given for the start of the defuelling process of the four reactors, which will take some 3.5 years.[2]

In February 2009, the start of operations to remove the spent uranium fuel rods from the reactors was announced.[3]

In April 2009, the first flasks carrying spent nuclear fuel from the reactors left Chapelhall, en route to the reprocessing facility at Sellafield in Cumbria. Over the next three years some 300 similar journeys will be completed, transporting 38,000 spent rods in total.[4]

The plant was operated by government owned British Nuclear Fuels Ltd (BNFL), but transferred to the Nuclear Decommissioning Authority when decommissioning began, and had employed over 400 staff. Apart from new employment opportunities arising from the decommissioning operation (a 100 year process), there is a proposal for a wood burning power station to be constructed in the area. Fuelled by fast-growing, coppiced willow trees, and estimated to cost some £30 million, provide hundreds of jobs during the construction phase, and seventy full-time jobs on completion.


Chernobyl – Russia

* A1 plant at Jaslovské Bohunice, Czechoslovakia in 1977. 25% of the fuel elements in a heavy water moderated carbon dioxide cooled 100 MW(e) power reactor were damaged due to operator error. The operators failed to remove silica gel packs from a new fuel element. The silica gel was used to keep the unused fuel dry during storage and transport. The silica gel packs blocked the flow of the coolant resulting in overheating of the fuel and the pressure channel holding it. As a result of overheating the heavy water leaked into the part of the reactor where the fuel elements are accommodated, the cladding was subject to corrosion and a considerable amount of radioactivity leaked into the primary cooling circuit. Through leaks in the steam boilers (similar basic design to a MAGNOX or AGR plant) some parts of the secondary circuit became contaminated. Not all of these were caused by a loss of coolant and in several cases (the Chernobyl disaster and the Windscale fire, for example) the meltdown was not the most severe problem.
Chernobyl – Russia

The Chernobyl disaster was a nuclear accident that occurred on 26 April 1986 at the Chernobyl Nuclear Power Plant in the Ukrainian SSR (now Ukraine). It is considered the worst nuclear power plant accident in history, and it is the only one classified as a level 7 event on the International Nuclear Event Scale.

The disaster began during a systems test on 26 April 1986 at reactor number four of the Chernobyl plant, which is near the town of Pripyat. There was a sudden power output surge, and when an emergency shutdown was attempted, a more extreme spike in power output occurred, which led to a reactor vessel rupture and a series of explosions. This event exposed the graphite control rods of the reactor to air, causing them to ignite. The resulting fire sent a plume of highly radioactive smoke fallout into the atmosphere and over an extensive geographical area, including Pripyat. The plume drifted over large parts of the western Soviet Union, Eastern Europe, Western Europe, and Northern Europe. Large areas in Ukraine, Belarus, and Russia were evacuated, and over 336,000 people were resettled. According to official post-Soviet data,[1][2] about 60% of the fallout landed in Belarus.

The accident raised concerns about the safety of the Soviet nuclear power industry, as well as nuclear power in general, slowing its expansion for a number of years and forcing the Soviet government to become less secretive about its procedures.[3][notes 1]

Russia, Ukraine, and Belarus have been burdened with the continuing and substantial decontamination and health care costs of the Chernobyl accident. More than fifty deaths are directly attributed to the accident, all among the reactor staff and emergency workers. Estimates of the number of deaths potentially resulting from the accident vary enormously; the World Health Organization suggest it could reach 4,000 while a Greenpeace report puts this figure at 200,000 or more.



Three Mile Island


The Three Mile Island accident was a partial core nuclear meltdown in Unit 2 (a pressurized water reactor manufactured by Babcock & Wilcox) of the Three Mile Island Nuclear Generating Station in Dauphin County, Pennsylvania near Harrisburg, United States in 1979.

The power plant was owned and operated by General Public Utilities and Metropolitan Edison (Met Ed). It was the most significant accident in the history of the USA commercial nuclear power generating industry, resulting in the release of up to 481 PBq(13 million curies) of radioactive gases, and less than 740 GBq (20 curies) of the particularly dangerous iodine-131.[1]

The accident began at 4 a.m. on Wednesday, March 28, 1979, with failures in the non-nuclear secondary system, followed by a stuck-open pilot-operated relief valve (PORV) in the primary system, which allowed large amounts of nuclear reactor coolant to escape. The mechanical failures were compounded by the initial failure of plant operators to recognize the situation as a loss-of-coolant accident due to inadequate training and human factors, such as human-computer interaction design oversights relating to ambiguous control room indicators in the power plant’s user interface. In particular, a hidden indicator light led to an operator manually overriding the automatic emergency cooling system of the reactor because the operator mistakenly believed that there was too much coolant water present in the reactor and causing the steam pressure release.[2] The scope and complexity of the accident became clear over the course of five days, as employees of Met Ed, Pennsylvania state officials, and members of the U.S. Nuclear Regulatory Commission (NRC) tried to understand the problem, communicate the situation to the press and local community, decide whether the accident required an emergency evacuation, and ultimately end the crisis. The NRC’s authorization of the release of 40,000 gallons of radioactive waste water directly in the Susquehanna River led to a loss of credibility with the press and community.[2]

File:Carter leaving Three Mile Island.gif

In the end, the reactor was brought under control, although full details of the accident were not discovered until much later, following extensive investigations by both a presidential commission and the NRC. The Kemeny Commission Report concluded that “there will either be no case of cancer or the number of cases will be so small that it will never be possible to detect them. The same conclusion applies to the other possible health effects”.[3] Several epidemiological studies in the years since the accident have supported the conclusion that radiation releases from the accident had no perceptible effect on cancer incidence in residents near the plant, though these findings are contested by one team of researchers.[4]

Public reaction to the event was probably influenced by The China Syndrome, a movie which had recently been released and which depicts an accident at a nuclear reactor.[5] Communications from officials during the initial phases of the accident were felt to be confusing.[6] The accident crystallized anti-nuclear safety concerns among activists and the general public, resulted in new regulations for the nuclear industry, and has been cited as a contributor to the decline of new reactor construction that was already underway in the 1970s.

The incident was rated a five on the seven-point International Nuclear Event Scale: Accident With Wider Consequences.



Japan’s Fukushima Daiichi



Summarised daily events

 Timeline of the Fukushima nuclear accidents

  • 11 March: 14:46 JST (05:46 UTC): Tōhoku earthquake and tsunami. The Japanese government declared a nuclear power emergency due to the failure of the reactor cooling systems in reactors of Fukushima I and evacuated thousands of residents living with 2 km of the reactor.[16][17]
  • 12 March: while evidence of partial meltdown of the fuel rods in unit 1 was growing, a hydrogen explosion destroyed the roof of its reactor building. The explosion injured four workers, but the reactor containment inside remained intact.[18][19] Hydrogen and steam had been vented from the reactor to reduce pressure within the containment vessel and built up within the building.[20][21] Operators of the plant began using sea water for emergency cooling, which would permanently damage the reactor.[22] The evacuation zone was extended to 20 km, affecting 170,000–200,000 people, and the government advised residents within a further 10 km to stay indoors.[23][24] The release of fission products from the damaged reactor core, notably radioactive iodine-131, led Japanese officials to distribute prophylactic iodine to people living around Fukushima I and Fukushima II.[25] One worker was confirmed to be ill.
  • 13 March: a partial meltdown was reported to be possible at unit 3. As of 13:00 JST, both reactors 1 and 3 were being vented to release overpressure and re-filled with water and boric acid for cooling and inhibition of further nuclear reactions.[26] Unit 2 was possibly suffering lower than normal water level but was thought to be stable, although pressure inside the containment vessel was high.[26] The Japan Atomic Energy Agency announced that it was rating the situation at unit 1 as level 4 (accident with local consequences) on the International Nuclear and Radiological Event Scale.[27][28]
  • 14 March: the reactor building for unit 3 exploded[29] injuring eleven people. There was no release of radioactive material beyond that already being vented but blast damage affected water supply to unit 2.[30] The president of the French nuclear safety authority, Autorité de sûreté nucléaire (ASN), said that the accident should be rated as a 5 (accident with wider consequences) or even a 6 (serious accident) on INES.[31]
  • 15 March: damage to temporary cooling systems on unit 2 by the explosion in unit 3 plus problems with its venting system meant that water could not be added, to the extent that unit 2 was in the most severe condition of the three reactors.[32] An explosion in the “pressure suppression room” caused some damage to unit 2’s containment system.[32][33] A fire broke out at unit 4 involving spent fuel rods from the reactor, which are normally kept in the water-filled spent fuel pool to prevent overheating. Radiation levels at the plant rose significantly but subsequently fell back.[34] Radiation equivalent dose rates at one location in the vicinity of unit 3 recorded 400 millisieverts per hour (400 mSv/h).[27][35][36]
  • 16 March: At approximately 14:30 on 16 March, TEPCO announced its belief that the fuel rod storage pool of unit 4—which is located outside the containment area[37]-may have begun boiling, raising the possibility that exposed rods could reach criticality.[38] By midday, NHK TV was reporting white smoke rising from the Fukushima I plant, which officials suggested was likely coming from reactor 3. Shortly afterwards, all but a small group[39] of remaining workers at the plant had been placed on standby because of the dangerously rising levels of radioactivity up to 1,000 mSv/h.[8][40] TEPCO had temporarily suspended operations at the facility due to radiation spikes and had pulled all their employees out.[41] A TEPCO press release stated that workers had been withdrawn at 06:00 JST because of abnormal noises coming from one of the reactor pressure suppression chambers.[42] Late in the evening, Reuters reported that water was being poured into reactors 5 and 6.[43]
  • 17 March: During the morning, Self-Defense Force helicopters four times dropped water on the spent fuel pools of units 3 and 4.[44] In the afternoon it was reported that the unit 4 spent fuel pool was full with water and none of the fuel rods was exposed.[45] Construction work was started to supply a working external electrical power source to all six units of Fukushima I.[46] Starting at 7 pm, police and fire water trucks with high pressure hoses attempted to spray water into the unit 3 reactor.[47] Japanese authorities informed the IAEA that engineers were laying an external grid power line cable to unit 2.[27]

A Tokyo Fire Department water tower; other TFD water towers have been deployed to Fukushima.

  • 18 March: Tokyo Fire Department dispatched thirty fire engines with 139 fire-fighters and a trained rescue team at approximately 03:00 JST. These include a fire truck with a 22 m water tower[48] For the second consecutive day, high radiation levels had been detected in an area 30 kilometers (18.6 miles) northwest of the damaged Fukushima I nuclear plant. The reading was 150 microsieverts per hour.[49] Japanese authorities upgraded INES ratings for cooling loss and core damage at unit 1 to level 5 and issued the same rating for units 2 and 3.[27] The loss of fuel pool cooling water at unit 4 was classified as level 3.[27] In a 24-hour period ending at 11 am local time, radiation levels near the plant had declined from 351.4 to 265 μSv/hour, but it was unclear if the water spraying efforts were the cause of the decrease.[50]
  • 19 March: A second group of 100 Tokyo firefighters replaced the previous team. They used a vehicle that can project water from a height of 22 meters for cooling spent nuclear fuel storage pool inside the reactor of Unit 3.[51] Water was sprayed into the reactor for a total of 7 hours during the day. TEPCO reported afterward that the water had been effective in lowering the temperature around the spent fuel rods to below 100 °C.[52][verification needed]
  • 20 March: External power was reconnected to unit 2 but work continued to make equipment operational. Repaired diesel generators at unit 6 provided power to restart cooling on units 5 and 6 which were returned to cold shutdown and their fuel cooling ponds returned to normal operating temperatures. [53][54][55] TEPCO announced that pressure in reactor 3’s containment vessel was rising, and that it might be necessary to vent air containing radioactive particles to relieve pressure, Japanese broadcaster NHK reported at 1:06.[53][56][dead link] The operation was later aborted as TEPCO deemed it unnecessary.[53] While joining in a generally positive assessment of progress toward overall control, chief cabinet secretary Edano “confirmed for the first time that the nuclear complex — with heavy damage to reactors and buildings and with radioactive contamination throughout — would be closed once the crisis was over.”[4]
  • 21 March: Ongoing repair work was interrupted by a recurrence of grey smoke from the south east side of unit 3 (the general area of the spent fuel pool) seen at 15:55 and dying down by 17:55. Employees were evacuated from unit 3 but no changes in radiation measurements or reactor status were seen. No work was going on at the time (such as restoring power) which might have accounted for the fire. White smoke, probably steam, was also seen coming from unit 2 at 18:22 JST, but this was accompanied by a temporary rise in radiation levels. A new power line was laid to unit 4 and unit 5 was transferred to its own external power from transmission line instead of sharing the unit 6 diesel generators.[57][58]
  • 22 March: Smoke was still rising from units 2 and 3 but was less visible and was put down to steam following operations to spray water onto the buildings. Repair work resumed after having been halted because of concerns over the smoke, but no significant changes in radiation levels occurred so it was felt safe to resume work. Work continued to restore electricity and a supply cable was connected to unit 4. Injection of sea water into units 1-3 continued.


The Fukushima I nuclear accidents (福島第一原子力発電所事故 fukushima daiichi genshiryoku hatsudensho jiko?) are a series of ongoing equipment failures and releases of radioactive materials at the Fukushima I Nuclear Power Plant, following the 2011 Tōhoku earthquake and tsunami on 11 March 2011. The plant comprises six separate boiling water reactors maintained by the Tokyo Electric Power Company (TEPCO). Reactors 4, 5 and 6 had been shut down prior to the earthquake for planned maintenance.[3]The remaining reactors were shut down automatically after the earthquake, but the subsequent tsunami flooded the plant, knocking out emergency generators needed to run pumps which cool and control the reactors. The flooding and earthquake damage prevented assistance being brought from elsewhere. On 20 March, The New York Times reported that Yukio Edano, the government’s chief cabinet secretary, “confirmed for the first time … that the nuclear complex would be closed once the crisis was over.”[4]

From 11 March on, there was evidence of partial core meltdown in reactors 1, 2, and 3; hydrogen explosions destroyed the upper cladding of the buildings housing reactors 1, 3, and 4; an explosion damaged the containment inside reactor 2; and multiple fires broke out at reactor 4. In addition, spent fuel rods stored in spent fuel pools of units 1-4 began to overheat as water levels in the pools dropped. Fears of radiation leaks led to a 20 km (12 mile) radius evacuation around the plant.

TEPCO employees and workers from other companies not involved in essential work were temporarily evacuated after an explosion was heard in the suppression chamber of reactor building 2.[5] Employees returned after it was confirmed that there had not been a containment breach but evacuated again on 16 March following a spike in radiation.[6][7][8] On 18 March, Japanese officials designated the magnitude of the danger at reactors 1, 2 and 3 at level 5 on the 7 point International Nuclear Event Scale (INES).[9]

Many international leaders have expressed concerns about the accidents. Leaks of radioactive material beyond the plant’s boundaries have not been high enough to constitute any significant danger to the public, but the Japanese Government and TEPCO have been criticized for poor communications over the incident.[10][11]

Power was restored to parts of the plant on 20 March after a kilometer long grid power cable had been laid to new switch gear, although it was unclear what condition the various pumps and machinery were in after the floods, fires and explosions.[12] On 19 March, Japan banned the sale of food raised in the Fukushima area up to 100 km (65 miles) from the damaged facility due to contamination above safe limits.[13] Traces of radioactive iodine were found in drinking water in Tokyo, 210 km (135 miles) from the reactors, but were not deemed harmful to health.




Nuclear meltdown

From Wikipedia, the free encyclopedia

Three Mile Island Nuclear Generating Station consisted of two pressurized water reactors manufactured byBabcock & Wilcox, each inside its own containment building and connected cooling towers. Unit 2, which suffered a partial meltdown causing severe fuel damage, is in the background.

A nuclear meltdown is an informal term for a severe nuclear reactor accident that results in core damage from overheating. The term is not officially defined by the International Atomic Energy Agency[1] or by the U.S. Nuclear Regulatory Commission.[2]However, it has been defined to mean the accidental melting of the core of a nuclear reactor,[3] and is in common usage a reference to the core’s either complete or partial collapse. “Core melt accident” and “partial core melt”[4] are the analogous technical terms. For a technical overview, see the behavior of nuclear fuel during a reactor accident.

A core melt accident occurs when the heat generated by a nuclear reactor exceeds the heat removed by the cooling systems to the point where at least one nuclear fuel element exceeds its melting point. This differs from a fuel element failure, which is not caused by high temperatures. A meltdown may be caused by a loss of coolant, loss of coolant pressure, or low coolant flow rate or be the result of a criticality excursion in which the reactor is operated at a power level that exceeds its design limits. A meltdown is considered a serious event because of the potential for release of radioactive material into the environment.


Nuclear power plants generate electricity by heating fluid via a nuclear reaction to run a generator. If the heat from that reaction is not removed adequately, the fuel assemblies in a reactor core can melt. A core damage incident can occur even after a reactor is shut down because the fuel continues to producedecay heat. This decay heat dissipates with time.

A core damage accident is caused by the loss of sufficient cooling for the nuclear fuel within the reactor core. The reason may be one of several factors, including a loss-of-pressure-control accident, a loss-of-coolant accident (LOCA), an uncontrolled power excursion or, in some types, a fire within the reactor core. Failures in control systems may cause a series of events resulting in loss of cooling. Contemporary safety principles of defense in depth ensure that multiple layers of safety systems are always present to make such accidents unlikely.

The containment building is intended to prevent the release of radioactivity to the environment. This is due to the reactor being contained within a 1.2-to-2.4-metre (3.9 to 7.9 ft) thick pre-stressed, steel-reinforced, air-tight concrete dome.

  • In a loss-of-coolant accident, either the physical loss of coolant (which is typically deionized water, an inert gas, NaK, or liquid sodium) or the loss of a method to ensure a sufficient flow rate of the coolant occurs. A loss-of-coolant accident and a loss-of-pressure-control accident are closely related in some reactors. In a pressurized water reactor, a loss-of-coolant accident can also cause a steam ‘bubble’ to form in the core due to excessive heating of stalled coolant or by the subsequent loss-of-pressure-control accident caused by a rapid loss of coolant. In a loss-of-forced-circulation accident, a gas cooled reactor’s circulators (generally motor or steam driven turbines) fail to circulate the gas coolant within the core, and heat transfer is impeded by this loss of forced circulation, though natural circulation through convection will keep the fuel cool as long as the reactor is not depressurized.[5]
  • In a loss-of-pressure-control accident, the pressure of the confined coolant falls below specification without the means to restore it. In some cases this may reduce the heat transfer efficiency (when using an inert gas as a coolant) and in others may form an insulating ‘bubble’ of steam surrounding the fuel assemblies (for pressurized water reactors). In the latter case, due to localized heating of the steam ‘bubble’ due to decay heat, the pressure required to collapse the steam ‘bubble’ may exceed reactor design specifications until the reactor has had time to cool down. (This event is less likely to occur in boiling water reactors, where the core may be deliberately depressurized so that the Emergency Core Cooling System may be turned on). In a depressurization fault, a gas-cooled reactor loses gas pressure within the core, reducing heat transfer efficiency and posing a challenge to the cooling of fuel; however, as long as at least one gas circulator is available, the fuel will be kept cool.[5]
  • In an uncontrolled power excursion accident, a sudden power spike in the reactor exceeds reactor design specifications due to a sudden increase in reactor reactivity. An uncontrolled power excursion occurs due to significantly altering a parameter that affects the neutron multiplication rate of a chain reaction (examples include ejecting a control rod or significantly altering the nuclear characteristics of the moderator, such as by rapid cooling). In extreme cases the reactor may proceed to a condition known as prompt critical. This is especially a problem in reactors that have a positive void coefficient of reactivity, a positive temperature coefficient, are under moderated, or can trap excess quantities of deleterious fission products within their fuel or moderators. Many of these characteristics are present in the RBMK design, and the Chernobyl disaster was caused by such deficiencies as well as by severe operator negligence. Western light water reactors are not subject to very large uncontrolled power excursions because loss of coolant decreases, rather than increases, core reactivity (a negative void coefficient of reactivity); “transients,” as the minor power fluctuations within Western light water reactors are called, are limited to momentary increases in reactivity that will rapidly decrease with time (approximately 200% – 250% of maximum neutronic power for a few seconds in the event of a complete rapid shutdown failure combined with a transient).
  • Core-based fires endanger the core and can cause the fuel assemblies to melt. A fire may be caused by air entering a graphite moderated reactor, or a liquid-sodium cooled reactor. Graphite is also subject to accumulation of Wigner energy, which can overheat the graphite, as happened at the Windscale fire). Light water reactors do not have flammable cores or moderators and are not subject to core fires. Gas-cooled civil reactors, such as the Magnox, UNGG, and AGCR type reactors, keep their cores blanketed with non reactive carbon dioxide gas, which cannot support a fire. Modern gas-cooled civil reactors use helium, which cannot burn, and have fuel that can withstand high temperatures without melting (such as the High Temperature Gas Cooled Reactor and the Pebble Bed Modular Reactor).
  • Byzantine faults and cascading failures within instrumentation and control systems may cause severe problems in reactor operation, potentially leading to core damage if not mitigated. For example, the Browns Ferry fire damaged control cables and required the plant operators to manually activate cooling systems. The Three Mile Island accident was caused by a stuck-open pilot-operated pressure relief valve combined with a deceptive water level gauge that misled reactor operators, which resulted in core damage.

Light water reactors

TMI-2 Core End-State Configuration

Before the core of a light water nuclear reactor can be damaged, two precursor events must have already occurred:

  • A limiting fault (or a set of compounded emergency conditions) that leads to the failure of heat removal within the core (the loss of cooling). Low water level uncovers the core, allowing it to heat up.
  • Failure of the Emergency Core Cooling System (ECCS). The ECCS is designed to rapidly cool the core and make it safe in the event of the maximum fault (the design basis accident) that nuclear regulators and plant engineers could imagine. There are at least two copies of the ECCS built for every reactor. Each division (copy) of the ECCS is capable, by itself, of responding to the design basis accident. The latest reactors have as many as four divisions of the ECCS. This is the principle of redundancy, or duplication. As long as at least one ECCS division functions, no core damage can occur. Each of the several divisions of the ECCS has several internal “trains” of components. Thus the ECCS divisions themselves have internal redundancy – and can withstand failures of components within them. Although no limiting fault has ever occurred in a Western LWR, ECCS systems have been called on to perform a limited number of times. The staff of each plant keeps the ECCS in peak condition at all times. No complete failures of the ECCS had occurred prior to the 2011 Tōhoku earthquake and tsunami.

The Three Mile Island accident was a compounded group of emergencies that led to core damage. What led to this was an erroneous decision by operators to shut down the ECCS during an emergency condition due to gauge readings that were either incorrect or misinterpreted; this caused another emergency condition that, several hours after the fact, led to core uncovery and a core damage incident. If the ECCS had been allowed to function, it would have prevented both uncovery and core damage.

If such a limiting fault were to occur, and a complete failure of all ECCS divisions were to occur, both Kuan, et al and Haskin, et al describe six stages between the start of the limiting fault (the loss of cooling) and the potential escape of molten corium into the containment (a so-called “full meltdown”):[6][7]

  1. Core uncovery. In the event of a transient, upset, emergency, or limiting fault, LWRs are designed to automatically SCRAM (a SCRAM being the immediate and full insertion of all control rods) and spin up the ECCS. This greatly reduces reactor thermal power (but does not remove it completely); this delays core “uncovery”, which is defined as the point when the fuel rods are no longer covered by coolant and can begin to heat up. As Kuan states: “In a small-break LOCA with no emergency core coolant injection, core uncovery generally begins approximately an hour after the initiation of the break. If the reactor coolant pumps are not running, the upper part of the core will be exposed to a steam environment and heatup of the core will begin. However, if the coolant pumps are running, the core will be cooled by a two-phase mixture of steam and water, and heatup of the fuel rods will be delayed until almost all of the water in the two-phase mixture is vaporized. The TMI-2 accident showed that operation of reactor coolant pumps may be sustained for up to approximately two hours to deliver a two phase mixture that can prevent core heatup.”[6]
  2. Pre-damage heat up. “In the absence of a two-phase mixture going through the core or of water addition to the core to compensate water boiloff, the fuel rods in a steam environment will heat up at a rate between 0.3 °C/s (0.5 °F/s) and 1 °C/s (1.8 °F/s) (3).”[6]
  3. Fuel ballooning and bursting. “In less than half an hour, the peak core temperature would reach 1,100 K (1,520 °F). At this temperature, the zircaloy cladding of the fuel rods may balloon and burst. This is the first stage of core damage. Cladding ballooning may block a substantial portion of the flow area of the core and restrict the flow of coolant. However complete blockage of the core is unlikely because not all fuel rods balloon at the same axial location. In this case, sufficient water addition can cool the core and stop core damage progression.”[6]
  4. Rapid oxidation. “The next stage of core damage, beginning at approximately 1,500 K (2,240 °F), is the rapid oxidation of the Zircaloy by steam. In the oxidation process, hydrogen is produced and a large amount of heat is released. Above 1,500 K (2,240 °F), the power from oxidation exceeds that from decay heat (4,5) unless the oxidation rate is limited by the supply of either zircaloy or steam.”[6]
  5. Debris bed formation. “When the temperature in the core reaches about 1,700 K (2,600 °F), molten control materials [1,6] will flow to and solidify in the space between the lower parts of the fuel rods where the temperature is comparatively low. Above 1,700 K (2,600 °F), the core temperature may escalate in a few minutes to the melting point of zircaloy [2,150 K (3,410 °F)] due to increased oxidation rate. When the oxidized cladding breaks, the molten zircaloy, along with dissolved UO2 [1,7] would flow downward and freeze in the cooler, lower region of the core. Together with solidified control materials from earlier down-flows, the relocated zircaloy and UO2 would form the lower crust of a developing cohesive debris bed.”[6]
  6. (Corium) Relocation to the lower plenum. “In scenarios of small-break LOCAs, there is generally a pool of water in the lower plenum of the vessel at the time of core relocation. Release of molten core materials into water always generates large amounts of steam. If the molten stream of core materials breaks up rapidly in water, there is also a possibility of a steam explosion. During relocation, any unoxidized zirconium in the molten material may also be oxidized by steam, and in the process hydrogen is produced. Recriticality also may be a concern if the control materials are left behind in the core and the relocated material breaks up in unborated water in the lower plenum.”[6]

At the point at which the corium relocates to the lower plenum, Haskin, et al relate that the possibility exists for an incident called a fuel-coolant interaction (FCI) to substantially stress or breach the primary pressure boundary when the corium relocates to the lower plenum of the reactor pressure vessel(“RPV”).[8] This is because the lower plenum of the RPV may have a substantial quantity of water – the reactor coolant – in it, and, assuming the primary system has not been depressurized, the water will likely be in the liquid phase, and consequently dense, and at a vastly lower temperature than the corium. Since corium is a liquid metal-ceramic eutectic at temperatures of 2,200 to 3,200 K (3,500 to 5,300 °F), its fall into liquid water at 550 to 600 K (530 to 620 °F) may cause an extremely rapid evolution of steam that could cause a sudden extreme overpressure and consequent gross structural failure of the primary system or RPV.[8] Though most modern studies hold that it is physically infeasible, or at least extraordinarily unlikely, Haskin, et al state that that there exists a remote possibility of an extremely violent FCI leading to something referred to as an alpha-mode failure, or the gross failure of the RPV itself, and subsequent ejection of the upper plenum of the RPV as a missile against the inside of the containment, which would likely lead to the failure of the containment and release of the fission products of the core to the outside environment without any substantial decay having taken place.[9]

However, it is likely, as in the Three Mile Island accident, that any FCI that occurs will not substantially breach the primary pressure boundary, or lead to the gross structural failure of the primary system or RPV, and the corium will reach the lower plenum with the lower plenum remaining intact.

Following corium relocation to the lower plenum, the potential exists for corium to breach the primary pressure boundary (in light water reactors, this is the reactor pressure vessel). What happens when the corium reaches the bottom of the reactor pressure vessel in a Western light water reactor is the subject of actual experience and considerable speculation, and depends on temperatures, the age of the fuel, the amount of activity the fuel has been exposed to, as well as the physical composition of the RPV, the dimensions of the RPV, the pressure of the primary coolant system (whether or not pressurized) and numerous other considerations. It is not likely for the corium to remain critical in the bottom of the RPV unless – first – the corium is quenched by a large excess of coolant water and turned back into solid phase, allowing the interposition of a water moderator and the formation of a critical geometry – second – after the quench of the corium, there remains sufficient unborated water in the lower plenum to moderate the reaction and support criticality – third – the corium remains unadulterated with a neutron-absorptive alloy or substance from the melt of the control rods, such as boron carbide or cadmium.

If the worst case is assumed, there remains at least some tens of minutes to a number of hours from corium relocation to the lower plenum to RPV breach in a maximally contingent Western LWR limiting fault with complete loss of the ECCS. Even partial ECCS activation can delay this significantly, and provide time for the remainder of the ECCS to be brought back online; it is highly unlikely that the staff of a Western LWR will be completely unable to restore at least part of the ECCS prior to the RPV being breached. ECCS activation may not be as useful as might be thought, however, if the corium has intense decay heat and is in a non-coolable geometry (for instance, the core is at end of cycle and the corium has formed a deep pool); in these circumstances, the ECCS may not remove sufficient decay heat and breach may be inevitable. Further, quench of the corium induced by ECCS activation may result in hydrogen production and evolution of large volumes of steam.

Rapid RPV breach is not inevitable in the event of corium relocation to the lower plenum, and corium relocation may be recoverable from without RPV breach. The Three Mile Island accident proved this – in that accident, solid corium quenched by coolant left in the lower plenum of the RPV formed a layer of shielding on the lower plenum of the RPV, limiting most of the damage to the reactor itself, and providing time for the ECCS to be returned to functioning. The American Nuclear Society has said “despite melting of about one-third of the fuel, the reactor vessel itself maintained its integrity and contained the damaged fuel”.[10] However the Three Mile Island example, though illustrative of the comprehensive approach of defense in depth against all contingencies, also illustrates the difficulty in predicting such behavior: the reactor vessel was not built for, and not expected to remain intact with, the temperatures it experienced when the core melted, but possibly because some of the melted material collected at the bottom of the vessel and cooled early on in the accident, it created a resistant shell against further pressure and heat. Such a possibility was not predicted by the engineers who designed the reactor and would not necessarily occur under duplicate conditions, but was largely seen as instrumental in the preservation of the reactor vessel’s integrity. (However, the reactor vessel was inside a containment building, as in all non-Soviet nuclear plants, so a failure of the reactor vessel would not automatically mean that radioactive material would be released into the environment.)

If the primary pressure boundary is not substantially breached by corium, the accident is described as a “partial meltdown”, and the chain of events stops when satisfactory cooling of the remaining fuel, corium, and the RPV is restored. A partial meltdown is an INES Level 4 or 5 accident, depending on the degree of damage. If the primary pressure boundary is substantially breached by corium, the accident is described as a “full meltdown”, which is an INES Level 5 accident and can escalate to INES Level 6 if events progress in a highly prejudicial fashion. The longer the reactor operators are able to retain the fission products within the containment, the less radioactive material will be released. The most highly radioactive isotopes in a fission product mixture are short lived. For example if all the iodine in a core was released one week after shutdown, then the thyroid dose suffered by the population would be lower than if the radioiodine had escaped the plant one hour after the reactor was stopped.

Standard failure modes

If the melted core penetrates the pressure vessel, there are theories and speculations as to what may then occur.

In Western plants, there is an airtight containment building. Though radiation would be at a high level within the primary containment, doses outside of it would be lower. Containment buildings are designed for the orderly release of pressure without releasing radionuclides, through a pressure release valve and filters. Hydrogen/oxygen recombiners also are installed within the containment to prevent gas explosions.

In a melting event, one spot or area on the RPV will become hotter than other areas, and will eventually melt. When it melts, corium will pour into the cavity under the reactor. Though the cavity is designed to remain dry, several NUREG-class documents advise operators to flood the cavity in the event of a fuel melt incident. This water will become steam and pressurize the containment. Automatic water sprays will pump large quantities of water into the steamy environment to keep the pressure down. Catalytic recombiners will rapidly convert the hydrogen and oxygen back into water. One positive effect of the corium falling into water is that it is cooled and returns to a solid state.

Extensive water spray systems within the containment along with the ECCS, when it is reactivated, will allow operators to spray water within the containment to cool the core on the floor and reduce it to a low temperature.

These procedures are intended to prevent release of radiation. In the Three Mile Island event in 1979, a theoretical person standing at the plant property line during the entire event would have received a dose of approximately 2 millisieverts (200 millirem), between a chest X-ray’s and a CT scan’s worth of radiation. This was due to out gassing by an uncontrolled system that, today, would have been backfitted with activated carbon and HEPA filters to prevent radionuclide release.

Cooling will take quite a while, until the natural decay heat of the corium reduces to the point where natural convection and conduction of heat to the containment walls and re-radiation of heat from the containment allows for water spray systems to be shut down and the reactor put into safe storage. The containment can be sealed with release of extremely limited offsite radioactivity and release of pressure within the containment. After a number of years for fission products to decay – probably around a decade – the containment can be reopened for decontamination and demolition.

There is a possibility that the containment could be breached after the core damage event occurred.[citation needed] This might take place if:

  1. An earthquake capable of producing accelerations of plant equipment to more than .2 g (2 m/s2) occurred;
  2. A tornado of Old Fujita Scale 6 with 320+ mph winds hit it.[citation needed]
  3. A tsunami with plants in an exposed (coastal) area such as when the 2011 Tōhoku earthquake and tsunami struck the Fukushima I Nuclear Power Plant.[citation needed]
  4. It is struck by a large object, such as a meteorite or airplane
  5. The containment structure is damaged by an explosive
Speculative failure modes

One scenario consists of the reactor pressure vessel failing all at once, with the entire mass of corium dropping into a pool of water (for example, coolant or moderator) and causing extremely rapid generation of steam. The pressure rise within the containment could threaten integrity if rupture disks could not relieve the stress. Exposed flammable substances could burn, but there are few, if any, flammable substances within the containment.

Another theory called an ‘alpha mode’ failure by the 1975 Rasmussen (WASH-1400) study asserted steam could produce enough pressure to blow the head off the reactor pressure vessel (RPV). The containment could be threatened if the RPV head collided with it. (The WASH-1400 report was replaced by better-based[original research?] newer studies, and now the Nuclear Regulatory Commission has disavowed them all and is preparing the over-arching State-of-the-Art Reactor Consequence Analyses [SOARCA] study – see the Disclaimer in NUREG-1150.)

Another scenario sees a buildup of hydrogen within the containment, which could lead to a detonation event. Catalytic hydrogen recombiners located within the reactor core and containment are designed to prevent this from occurring; however, prior to the installation of these recombiners in the 1980s, the Three Mile Island containment (in 1979) suffered a massive hydrogen explosion event in the accident there. The containment withstood the pressure and no radioactivity was released. However, some still consider a hydrogen detonation event a possible cause of future containment breaches.

It has not been determined to what extent a molten mass can melt through a structure (although that was tested in the Loss-of-Fluid-Test Reactor described in Test Area North‘s fact sheet[11]). The Three Mile Island accident provided some real-life experience, with an actual molten core within an actual structure; the molten corium failed to melt through the Reactor Pressure Vessel after over six hours of exposure, due to dilution of the melt by the control rods and other reactor internals, validating the emphasis on defense in depth against core damage incidents. Some believe a molten reactor core could actually penetrate the reactor pressure vessel and containment structure and burn downwards into the earth beneath, to the level of the groundwater.

Other reactor types

Other types of reactors have different capabilities and safety profiles than the LWR does. Advanced varieties of several of these reactors have the potential to be inherently safe.

CANDU reactors

CANDU reactors, Canadian-invented deuterium-uranium design, are designed with at least one, and generally two, large low-temperature and low-pressure water reservoirs around their fuel/coolant channels. The first is the bulk heavy-water moderator (a separate system from the coolant), and the second is the light-water-filled shield tank. These backup heat sinks are sufficient to prevent either the fuel meltdown in the first place (using the moderator heat sink), or the breaching of the core vessel should the moderator eventually boil off (using the shield tank heat sink).[12] Other failure modes aside from fuel melt will probably occur in a CANDU rather than a meltdown, such as deformation of the calandria into a non-critical configuration. All CANDU reactors are located within standard Western containments as well.

Gas-cooled reactors

One type of Western reactor, known as the advanced gas-cooled reactor (or AGCR), built by the United Kingdom, is not very vulnerable to loss-of-cooling accidents or to core damage except in the most extreme of circumstances. By virtue of the relatively inert coolant (carbon dioxide), the large volume and high pressure of the coolant, and the relatively high heat transfer efficiency of the reactor, the time frame for core damage in the event of a limiting fault is measured in days. Restoration of some means of coolant flow will prevent core damage from occurring.

Other types of highly advanced gas cooled reactors, generally known as high-temperature gas-cooled reactors (HTGRs) such as the Japanese High Temperature Test Reactor and the United States’ Very High Temperature Reactor, are inherently safe, meaning that meltdown or other forms of core damage are physically impossible, due to the structure of the core, which consists of hexagonal prismatic blocks of silicon carbide reinforced graphite infused with TRISO or QUADRISO pellets of uranium, thorium, or mixed oxide buried underground in a helium-filled steel pressure vessel within a concrete containment. Though this type of reactor is not susceptible to meltdown, additional capabilities of heat removal are provided by using regular atmospheric airflow as a means of backup heat removal, by having it pass through a heat exchanger and rising into the atmosphere due to convection, achieving full residual heat removal. The VHTR is scheduled to be prototyped and tested at Idaho National Laboratory within the next decade (as of 2009) as the design selected for the Next Generation Nuclear Plant by the US Department of Energy. This reactor will use a gas as a coolant, which can then be used for process heat (such as in hydrogen production) or for the driving of gas turbines and the generation of electricity.

A similar highly-advanced gas cooled reactor originally designed by West Germany (the AVR reactor) and now developed by South Africa is known as the Pebble Bed Modular Reactor. It is an inherently safe design, meaning that core damage is physically impossible, due to the design of the fuel (spherical graphite “pebbles” arranged in a bed within an metal RPV and filled with TRISO (or QUADRISO) pellets of uranium, thorium, or mixed oxide within). A prototype of a very similar type of reactor has been built by the Chinese, HTR-10, and has worked beyond researchers’ expectations, leading the Chinese to announce plans to build a pair of follow-on, full-scale 250 MWe, inherently safe, power production reactors based on the same concept. (See Nuclear power in the People’s Republic of China for more information.)

Experimental or conceptual designs

Some design concepts for nuclear reactors emphasize resistance to meltdown and operating safety.

The PIUS (process inherent ultimate safety) designs, originally engineered by the Swedes in the late 1970s and early 1980s, are LWRs that by virtue of their design are resistant to core damage. No units have ever been built.

The TRIGA-type reactor, designed and built by U.S. firm General Atomics, and used for research at universities and medical facilities is very well known for being inherently safe and completely invulnerable to core damage. The design is so safe that “uncontrolled power excursions” are not a safety hazard but a feature of the design and can be deliberately induced by reactor operations personnel, so as to “pulse” the reactor to produce a burst of neutrons during routine operations, the reactor automatically and naturally returning to a normal neutronic state after being “pulsed” due to the physical composition of the fuel. Core damage is physically impossible, as if the reactor gets too hot, it shuts down on a molecular level and heat generation ceases.[citation needed]

Power reactors, including the Deployable Electrical Energy Reactor, a larger-scale mobile version of the TRIGA for power generation in disaster areas and on military missions, and the TRIGA Power System, a small power plant and heat source for small and remote community use, have been put forward by interested engineers, and share the safety characteristics of the TRIGA due to the uranium zirconium hydride fuel used.

The Hydrogen Moderated Self-regulating Nuclear Power Module, a reactor that uses uranium hydride as a moderator and fuel, similar in chemistry and safety to the TRIGA, also possesses these extreme safety and stability characteristics, and has attracted a good deal of interest in recent times.

The Liquid fluoride thermal reactor is designed to naturally have its core in a molten state, as a eutectic mix of thorium and fluorine salts. As such, a molten core is reflective of the normal and safe state of operation of this reactor type. In the event the core overheats, a metal plug will melt, and the molten salt core will drain into tanks where it will cool in a non-critical configuration. Since the core is liquid, and already melted, it cannot be damaged.

Advanced liquid metal reactors, such as the U.S. Integral Fast Reactor and the Russian BN-350, BN-600, and BN-800, all have a coolant with very high heat capacity, sodium metal. As such, they can withstand a loss of cooling without SCRAM and a loss of heat sink without SCRAM, qualifying them as inherently safe.

Union-designed reactors


Soviet designed RBMKs, found only in Russia and the CIS and now shut down everywhere except Russia, do not have containment buildings, are naturally unstable (tending to dangerous power fluctuations), and also have ECCS systems that are considered grossly inadequate by Western safety standards.

RBMK ECCS systems only have one division and have less than sufficient redundancy within that division. Though the large core size of the RBMK makes it less energy-dense than the Western LWR core, it makes it harder to cool. The RBMK is moderated by graphite. In the presence of both steam and oxygen, at high temperatures, graphite forms synthesis gas and with the water gas shift reaction the resultant hydrogen burns explosively. If oxygen contacts hot graphite, it will burn. The RBMK tends towards dangerous power fluctuations. Control rods used to be tipped with graphite, a material that slows neutrons and thus speeds up the chain reaction. Water is used as a coolant, but not a moderator. If the water boils, cooling is lost, but moderation is not lost. This is termed a positive void coefficient of reactivity.

Control rods can become stuck if the reactor suddenly heats up and they are moving. Xenon 135, a neutron absorbent fission product, has a tendency to build up in the core and burn off unpredictably in the event of low power operation. This can lead to inaccurate neutronic and thermal power ratings.

The RBMK does not have any containment above the core. The only substantial solid barrier above the fuel is the upper part of the core, called the upper biological shield, which is a piece of concrete interpenetrated with control rods and with access holes for refueling while online. Other parts of the RBMK were shielded better than the core itself. Rapid shutdown (SCRAM) takes 10 to 15 seconds. Western reactors take 1 – 2.5 seconds.

Western aid has been given to provide certain real-time safety monitoring capacities to the human staff. Whether this extends to automatic initiation of emergency cooling is not known. Training has been provided in safety assessment from Western sources, and Russian reactors have evolved in result to the weaknesses that were in the RBMK. However, numerous RBMKs still operate.

It is safe to say that it might be possible to stop a loss-of-coolant event prior to core damage occurring, but that any core damage incidents will probably assure massive release of radioactive materials. Further, dangerous power fluctuations are natural to the design.

Lithuania joined the EU recently, and upon acceding, it has been required to shut the two RBMKs that it has at Ignalina NPP, as such reactors are totally incompatible with the nuclear safety standards of Europe. It will be replacing them with some safer form of reactor.


The MKER is a modern Russian-engineered channel type reactor that is a distant descendant of the RBMK. It approaches the concept from a different and superior direction, optimizing the benefits, and fixing the flaws of the original RBMK design.

There are several unique features of the MKER’s design that make it a credible and interesting option: One unique benefit of the MKER’s design is that in the event of a challenge to cooling within the core – a pipe break of a channel, the channel can be isolated from the plenums supplying water, decreasing the potential for common-mode failures.

The lower power density of the core greatly enhances thermal regulation. Graphite moderation enhances neutronic characteristics beyond light water ranges. The passive emergency cooling system provides a high level of protection by using natural phenomena to cool the core rather than depending on motor-driven pumps. The containment structure is modern and designed to withstand a very high level of punishment.

Refueling is accomplished while online, ensuring that outages are for maintenance only and are very few and far between. 97-99% uptime is a definite possibility. Lower enrichment fuels can be used, and high burnup can be achieved due to the moderator design. Neutronics characteristics have been revamped to optimize for purely civil fuel fertilization and recycling.

Due to the enhanced quality control of parts, advanced computer controls, comprehensive passive emergency core cooling system, and very strong containment structure, along with a negative void coefficient and a fast acting rapid shutdown system, the MKER’s safety can generally be regarded as being in the range of the Western Generation III reactors, and the unique benefits of the design may enhance its competitiveness in countries considering full fuel-cycle options for nuclear development.


The VVER is a pressurized light water reactor that is far more stable and safe than the RBMK. This is because it uses light water as a moderator (rather than graphite), has well understood operating characteristics, and has a negative void coefficient of reactivity. In addition, some have been built with more than marginal containments, some have quality ECCS systems, and some have been upgraded to international standards of control and instrumentation. Present generations of VVERs (the VVER-1000) are built to Western-equivalent levels of instrumentation, control, and containment systems.

However, even with these positive developments, certain older VVER models raise a high level of concern, especially the VVER-440 V230.[13]

The VVER-440 V230 has no containment building, but only has a structure capable of confining steam surrounding the RPV. This is a volume of thin steel, perhaps an inch or two in thickness, grossly insufficient by Western standards.

  • Has no ECCS. Can survive at most one 4 inch pipe break (there are many pipes greater than 4 inches within the design).
  • Has six steam generator loops, adding unnecessary complexity.
    • However, apparently steam generator loops can be isolated, in the event that a break occurs in one of these loops. The plant can remain operating with one isolated loop – a feature found in few Western reactors.

The interior of the pressure vessel is plain alloy steel, exposed to water. This can lead to rust, if the reactor is exposed to water. One point of distinction in which the VVER surpasses the West is the reactor water cleanup facility – built, no doubt, to deal with the enormous volume of rust within the primary coolant loop – the product of the slow corrosion of the RPV. This model is viewed as having inadequate process control systems.

Bulgaria had a number of VVER-440 V230 models, but they opted to shut them down upon joining the EU rather than backfit them, and are instead building new VVER-1000 models. Many non-EU states maintain V230 models, including Russia and the CIS. Many of these states – rather than abandoning the reactors entirely – have opted to install an ECCS, develop standard procedures, and install proper instrumentation and control systems. Though confinements cannot be transformed into containments, the risk of a limiting fault resulting in core damage can be greatly reduced.

The VVER-440 V213 model was built to the first set of Soviet nuclear safety standards. It possesses a modest containment building, and the ECCS systems, though not completely to Western standards, are reasonably comprehensive. Many VVER-440 V213 models possessed by former Soviet bloc countries have been upgraded to fully automated Western-style instrumentation and control systems, improving safety to Western levels for accident prevention – but not for accident containment, which is of a modest level compared to Western plants. These reactors are regarded as “safe enough” by Western standards to continue operation without major modifications, though most owners have performed major modifications to bring them up to generally equivalent levels of nuclear safety.

During the 1970s, Finland built two VVER-440 V213 models to Western standards with a large-volume full containment and world-class instrumentation, control standards and an ECCS with multiply redundant and diversified components. In addition, passive safety features such as 900-tonne ice condensers have been installed, making these two units safety-wise the most advanced VVER-440’s in the world.

The VVER-1000 type has a definitely adequate Western-style containment, the ECCS is sufficient by Western standards, and instrumentation and control has been markedly improved to Western 1970s-era levels.

Chernobyl disaster

Chernobyl reactor after disaster

In the Chernobyl disaster the fuel became non-critical when it melted and flowed away from the graphite moderator – however, it took considerable time to cool. The molten core of Chernobyl (that part that did not vaporize in the fire) flowed in a channel created by the structure of its reactor building and froze in place before a core-concrete interaction could happen. In the basement of the reactor at Chernobyl, a large “elephant’s foot” of congealed core material was found. Time delay, and prevention of direct emission to the atmosphere, would have reduced the radiological release. If the basement of the reactor building had been penetrated, the groundwater would be severely contaminated, and its flow could carry the contamination far afield.

The Chernobyl reactor was an RBMK type. The disaster was caused by a power excursion that led to a meltdown and extensive offsite consequences. Operator error and a faulty shutdown system led to a sudden, massive spike in the neutron multiplication rate, a sudden decrease in the neutron period, and a consequent increase in neutron population; thus, core heat flux very rapidly increased to unsafe levels. This caused the water coolant to flash to steam, causing a sudden overpressure within the reactor pressure vessel(RPV), leading to granulation of the upper portion of the core and the ejection of the upper plenum of said pressure vessel along with core debris from the reactor building in a widely dispersed pattern. The lower portion of the reactor remained somewhat intact; thegraphite neutron moderator was exposed to oxygen containing air; heat from the power excursion in addition to residual heat flux from the remaining fuel rods left without coolant induced oxidation in the moderator; this in turn evolved more heat and contributed to themelting of the fuel rods and the outgassing of the fission products contained therein. The liquefied remains of the fuel rods flowed through a drainage pipe into the basement of the reactor building and solidified in a mass later dubbed corium, though the primary threat to the public safety was the dispersed core ejecta and the gasses evolved from the oxidation of the moderator.

Although the Chernobyl accident had dire off-site effects, much of the radioactivity remained within the building. If the building were to fail and dust was to be released into the environment then the release of a given mass of fission products which have aged for twenty years would have a smaller effect than the release of the same mass of fission products (in the same chemical and physical form) which had only undergone a short cooling time (such as one hour) after the nuclear reaction has been terminated. However if a nuclear reaction was to occur again within the Chernobyl plant (for instance if rainwater was to collect and act as a moderator) then the new fission products would have a higher specific activity and thus pose a greater threat if they were released. To prevent a post accident nuclear reaction steps have been taken (such as adding neutron poisons to key parts of the basement).


The effects of a nuclear meltdown depend on the safety features designed into a reactor. A modern reactor is designed both to make a meltdown unlikely, and to contain one should it occur.

In a modern reactor, a nuclear meltdown, whether partial or total, should be contained inside the reactor’s containment structure. Thus (assuming that no other major disasters occur) while the meltdown will severely damage the reactor itself, possibly contaminating the whole structure with highly radioactive material, a meltdown alone should not lead to significant radiation release or danger to the public.[14]

In practice, however, a nuclear meltdown is often part of a larger chain of disasters (although there have been so few meltdowns in the history of nuclear power that there is not a large pool of statistical information from which to draw a credible conclusion as to what “often” happens in such circumstances). For example, in the Chernobyl accident, by the time the core melted, there had already been a large steam explosion and graphite fire and major release of radioactive contamination (as with almost all Soviet reactors, there was no containment structure at Chernobyl). Also, before a possible meltdown occurs, pressure can already be rising in the reactor, and to prevent a meltdown by restoring the cooling of the core, operators are allowed to reduce the pressure in the reactor by releasing (radioactive) steam into the environment. This enables them to inject additional cooling water into the reactor again.

Reactor design

Although pressurized water reactors are more susceptible to nuclear meltdown in the absence of active safety measures, this is not a universal feature of civilian nuclear reactors. Much of the research in civilian nuclear reactors is for designs with passive nuclear safety features that may be less susceptible to meltdown, even if all emergency systems failed. For example, pebble bed reactors are designed so that complete loss of coolant for an indefinite period does not result in the reactor overheating. The General Electric ESBWR and Westinghouse AP1000 have passively-activated safety systems. The CANDUreactor has two low-temperature and low-pressure water systems surrounding the fuel (i.e. moderator and shield tank) that act as back-up heat sinks and preclude meltdowns and core-breaching scenarios.[12]

Fast breeder reactors are more susceptible to meltdown than other reactor types, due to the larger quantity of fissile material and the higher neutron flux inside the reactor core, which makes it more difficult to control the reaction.

Accidental fires are widely acknowledged to be risk factors that can contribute to a nuclear meltdown.


The United States of America

There have been at least six meltdowns in the history of the United States. All are widely called “partial meltdowns.”

  1. The partial meltdown at the Fermi 1 experimental fast breeder reactor required the reactor to be repaired, though it never achieved full operation afterward.
  2. The Three Mile Island accident, referred to in the press as a “partial core melt,”[15] led to the permanent shutdown of that reactor.

    Image of the SL-1 core following criticality excursion.

  3. The reactor at EBR-I suffered a partial meltdown during a coolant flow test on November 29, 1955.
  4. The Sodium Reactor Experiment in Santa Susana Field Laboratory was an experimental nuclear reactor which operated from 1957 to 1964 and was the first commercial power plant in the world to experience a core meltdown in July 1959.
  5. Stationary Low-Power Reactor Number One (SL-1) was a United States Army experimental nuclear power reactor which underwent a criticality excursion, a steam explosion, and a meltdown on January 3, 1961, killing three operators.
  6. BORAX-I was a test reactor designed to explore criticality excursions. In the final destructive test of the reactor in 1954, a miscalculation led to the meltdown of a significant portion of the core and the release of nuclear fuel and fission products into the environment.[16]
The Soviet Union

Within the former Soviet Union, several nuclear meltdowns of differing severity have occurred.

In the most serious example, the Chernobyl disaster, design flaws and operator negligence led to a power excursion that subsequently caused a meltdown. According to a report released by the Chernobyl Forum (consisting of numerous United Nations agencies, including the International Atomic Energy Agency and the World Health Organization; the World Bank; and the Governments of Ukraine, Belarus, and Russia) the disaster killed twenty-eight people due to acute radiation syndrome,[17] could possibly result in up to four thousand fatal cancers at an unknown time in the future[18] and required the permanent evacuation of an exclusion zone around the reactor. The Chernobyl plant had containment buildings not constructed to a correct standard, allowing the concrete containment cap on the reactor to be ejected in the explosion.

Meltdowns that have occurred

The only large-scale nuclear meltdowns at civilian nuclear power plants

Other core meltdowns have occurred at:


How to make a nuclear reactor that can’t have a meltdown

How to make a nuclear reactor that can't have a meltdown

The word “meltdown” defines our worst fears about nuclear reactors, and with good reason: without complex and redundant cooling systems, reactors can run out of control, generating so much heat that they melt their own fuel, releasing massive amounts of radioactivity in the process. But a new generation of reactors promises to be much safer, even to the point where a meltdown is a physical impossibility.

Reactor Safety

Generally, nuclear power plants rely on redundant safety systems, both active and passive, to prevent a meltdown in case of an accident like an earthquake or tsunami. Japan’s stricken Fukushima Daiichi nuclear plant is what’s called a light water reactor, or specifically a boiling water reactor, because the heat generated in the core of the reactor is used to boil water into steam, powering a turbine to generate electricity.

Immediately after the earthquake, the reactor successfully shut down, meaning that control rods were inserted into the core to disrupt the nuclear reactions directly. However, there’s still a lot of heat contained in the core, which is still boiling water and making steam, which raises pressure in the reactor and makes things dangerous. To keep itself cool, the reactor depends on a continuous supply of water, and the problem is that the pumps to supply this water haven’t been functioning. This means that the reactor gets hotter, more water turns into steam, and the pressure inside increases (making it more difficult to pump water in), and eventually enough water gets turned into steam that the fuel rods themselves get exposed to air, which can cause them to melt. This may be what is currently happening at Fukushima Daiichi.

The root of the problem at Fukushima Daiichi is that the reactor relies heavily on active safety systems, meaning that the safety systems don’t work well (or at all) without things like pumps and generators, which themselves rely on external power. More modern reactors (Fukushima Daiichi was built in 1970) try to incorporate passive safety systems. For example, some reactors suspend their control rods over the core on electromagnets with giant springs behind them, ensuring that the rods will shut the core down the instant power is lost. Other reactors have backup cooling systems that are just giant tanks of water on towers, and explosive valves can be used to pump water into the core using gravity.

Even with passive safety systems, though, accidents can still cause reactors to overheat to the point of meltdown, especially in sustained disaster conditions like those in Japan. The next generation of nuclear reactors, called Gen IV reactors, promise to be significantly safer and more efficient while producing less hazardous waste than the current generation, and one design, called a pebble bed reactor, may even be incapable of having a meltdown at all.

The Pebble Bed


A pebble bed reactor (or PBR) doesn’t use long rods of fuel pellets like most reactors. Instead, it uses a bunch of fuel “pebbles,” which come in varying sizes, from slightly smaller than tennis balls down to marbles. The pebbles are made primarily of graphite, and contain up to nine grams of uranium dispersed in sand-size grains throughout the pebble. To start a reaction, all you have to do is pile a bunch of pebbles together in a container until you get a critical mass of them, and they begin heating up.


The core of a PBR contains about 380,000 pebbles, which cycle continuously in and out of the reactor. Every 30 seconds, a pebble drops out of the reactor and is inspected for damage and to make sure it’s still got enough fuel left inside. If so, it’s put back in the cycle, and if not, it’s pulled out and a fresh one is put in its place. On average, a single pebble will cycle through the reactor 10 or 15 times over a few years before being removed.


While a PBR is operating, helium is pumped through the spaces between the pebbles to carry away heat. The helium then flows through a turbine, and that’s where the electricity comes from. So far, a PBR isn’t that different from a conventional nuclear reactor: you put fuel in, it heats up, and you use that heat to produce electricity. What makes a PBR potentially unique, though, is that because of its design, it’s capable of passive, inherent safety that makes a meltdown physically impossible.


No Meltdowns

Let’s just skip directly to the worst-case scenario, like in Japan, where failure of the coolant system caused the reactor to overheat uncontrollably. In terms of what would happen to a pebble bed reactor, this means that there’d no more helium coolant. So, okay, as you might expect, the reactor would start to get really, really hot. As nuclear fuel heats up, the uranium atoms start to move faster, making it harder for them to absorb extra neutrons and split, reducing the reactor’s power. This is what’s called negative feedback, and while it takes place in all reactors, the low fuel density of the pebbles magnifies it in a PBR. As the PBR continues to heat up, the negative feedback gets stronger and stronger until at about 1600 degrees Celsius, the core stabilizes at an “idle” temperature. This temperature is a solid 400 degrees short of what it would take to cause any damage to the fuel spheres or reactor vessel, which are made of a special kind of super strong graphite.

The upshot of all this is that a pebble bed reactor can have the entirety of its supporting infrastructure power down, blow up, get flooded, get stolen, run out of gas, or otherwise fail, all while the entire staff is on vacation, and the only thing that happens is that the PBR will warm up to its idle temperature and… Stay warm. No meltdowns, no explosions, no radiation leaks. The reactor will just sit there and radiate the heat it produces until you cool it back down or take the fuel out. This scenario was tried once, in a prototype PBR in Germany: they shut off the coolant and removed the control rods and watched, and nothing bad happened. A later inspection of the reactor and fuel pebbles showed no damage.

Of course, it’s important to understand that PBRs aren’t completely safe, and come with their own risks, including the potential for radioactive dust from pebbles rubbing against each other in the core and the difficulty of managing the circulation of the pebbles themselves. And PBRs still produce radiation, which is always dangerous, along with waste materials, although it’s worth mentioning that the waste is already contained inside the pebbles, rendering it much safer, and it’s so hard to get outof the pebbles that it’s useless as a weapon. But the point is that PBRs seem to be safe in a lot of ways that conventional nuclear reactors definitely aren’t.


The first PBR was built in Germany in the mid 60s. As an experimental reactor, it had some design issues, but even so, people working there only received about 1/5 as much radiation as they would if they were working at conventional plant. A follow-up was constructed, but it had some additional design issues and a few minor incidents (mostly related to human error) led to its closure in 1989.


Nuclear Future

It’s definitely true that pebble bed reactors are, at this stage of their development, less familiar to the power industry than more conventional designs. They’re also more expensive to construct while having only about 1/30 the power density of other reactors. But China, at least, is optimistic about their potential, and already has one test PBR and is planning on building thirty more in the next ten years, and possibly hundreds more by 2050. Part of the reason that China likes PBRs (besides their safety) is that their high operating temperature can be used to efficiently crack steam into hydrogen, which can be piped off and used as an alternative fuel.

Really, the worst part of the disaster in Japan, as far as the industry goes, is that it’s going to make it that much harder to convince the public that nuclear power can be safe, clean, and efficient. To put it in perspective, in 2008 Next Big Future calculated how many people are killed per terawatt-hour of electricity generated. On average, there are 161 fatalities related to energy generation from coal for each one of those terawatt-hours, which comprise a quarter of the energy we use on Earth. 36 people die per TWh of oil energy, which is 40% of our energy use. Nuclear power has a deaths per TWh rate of only 0.04 while producing 6% of our energy, which makes it about ten times safer than solar power once you take into account how many people fall off roofs while installing it, and twice as safe as hydro power.

It’s certainly true that nuclear power comes with its own host of issues, from reactor safety all the way down the line to spent fuel storage. It’s also true that nuclear accidents are terrible, frightening things. But the fact is that nuclear power is a viable, and even a necessary, alternative to fossil fuels, especially as we start thinking about exploring and colonizing other planets. When we go to Mars for the first time, we’re not going to be relying on solar power. We’re going to have compact, safe, and clean nuclear power along with us, because that’s what makes sense. And it’s not just the future: by embracing new technology, we can have the safe and clean nuclear power of tomorrow, today.

There’s lots more info on pebble bed reactors from Wikipedia, and you can check your facts at MIT. There’s also a detailed discussion of modern PBR safety in a 2009 Nuclear Engineering International article, with links to some PBR criticism as well, and a story on the Chinese PBR from Wired.