What is ‘acceptable risk’ when planning a nuclear power plant?

It’s better to plan for disaster than have to plan a clean up after one. IAEA Imagebank

Modern safety engineering follows the aphorism, “there is no such thing as zero risk, only acceptable risk”. However, calculating chances and risk is a finicky process, especially when played out against factors of cost, time and complexity. Major accidents such as at Fukushima Dai-ichi – still unfolding as it approaches its third anniversary – demonstrate how essential it is to correctly assess risks and safeguards.

Risk is expectation of loss, and is dependent on the chance of a loss-event occurring combined with its magnitude. The chance can be tiny, but the loss huge, and the risk therefore considerable. Analyses of the possibility that the universe would collapse when operating the Large Hadron Collider (LHC) were undertaken, despite the infinitesimal chance.

Calculating risk is now de rigueur in big engineering projects, but it wasn’t always so. Built in the late 1940s, the Windscale piles, Britain’s first two nuclear reactors, used air blown over the core and up a chimney as their cooling. Exhaust filters were added to the chimneys only as an afterthought, insisted on by designer Sir John Cockcroft at some expense – the so-called “Cockcroft’s Follies”.

During a procedure to release pent-up energy in the graphite core in 1957, there was a fuel meltdown, and radioactive material escaped up the chimney into the environment. This was handled to all intents by brave, indeed heroic, people doing what they could. But the events were kept as concealed from the surrounding civilians as possible. This was, after all, a facility for producing plutonium for nuclear weapons.

Planning for disaster

Nowadays it would be unthinkable, indeed illegal, for any organisation including the government to keep information of such a release of poison from its possible victims. English case law already contained a legal judgement (Lord Asquith, Edwards vs National Coal Board) that required industrial risks to be reduced “as low as reasonably practicable”. But there is no indication in Windscale’s final design or operation that a meltdown risk was objectively assessed, nor of any efforts to mitigate that risk – we can be grateful in retrospect for Cockcroft’s Follies, which afterwards appeared a good investment.

Lessons were learnt. Containment would have been desirable. The Boiling Water Reactor Mark 1 (BWR) is a US design that contained its core entirely inside a pressure vessel, with a removable cap to insert and remove fuel rods. The pressure vessel contained water and steam, forming part of a closed-circuit heat-exchange mechanism. The pressure vessel itself is fully enclosed within a steel-and-concrete bulb known as “primary containment”. And the primary containment itself is enclosed within a building, which constitutes “secondary containment”. BWR Mark 1 designs were commissioned from the 1970s – the first was at Fukushima Dai-ichi in Japan in 1971, 14 years after Windscale.

Calculating the risk

The chances and extent of things going wrong must nowadays be calculated. The theoretically possible accidents and their precursors (“hazards”) must be listed and the concomitant risk assessed. Methods for this such as Fault Tree Analysis (FTA) have evolved over more than 60 years.

What were the chances of a core melt at Fukushima? Cooling requires electricity, generated either by the plant, from the electricity grid, or from emergency generators or last-resort batteries: four different systems, providing “defence in depth” as required. Except that the electrics and emergency systems, all in the basement, are susceptible to simultaneous failure from flooding. This had been known since the 1990s, and was widely published in a book by organisational sociologist Charles Perrow, The Next Catastrophe, in 2007.

There’s still lots to do at Fukushima, three years later. IAEA Imagebank

With Fukushima Dai-ichi’s six reactors (and another four at Fukushima Dai-ni further down the coast) sitting low on the coast, Japanese experts had pointed out the risk from exceptional tsunamis to Fukushima Dai-ichi’s operator Tepco and the nuclear regulator prior to the earthquake. It seems they had begun to react, but the changes required cost lots of money. Another engineering aphorism says “if you think safety is expensive, wait till you have to pay for an accident”.

While Fukushima had 40 years of uninterrupted successful operation, in a highly industrialised country where engineers are technical perfectionists, with regulatory regimes in place and a risk-averse government, situations can quickly change. Quite suddenly, heroics were required, again. And again as at Windscale, and Chernobyl in 1986, they were available.

How did the engineers and planners get their numbers so wrong? Calculations are only ever as good as the assumptions, for example that flooding was not going to be a problem. And not everything that is known feeds accurately into the calculations.
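The fault-tree point made above, that four supplies modelled as independent look far safer than the same four with a shared basement, as an added illustration that is not part of the article. The tree structure, the event names and all probabilities are constructed for the example and are not Tepco’s or any regulator’s figures; the analysis is standard Fault Tree Analysis (AND/OR gates, exact top-event probability, minimal cut sets).

```python
from itertools import product

# A fault tree is nested tuples ("AND", [...]) / ("OR", [...]); leaves are basic-event names.
def evaluate(node, failed):
    """True if event `node` occurs given the set of basic events that have failed."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [evaluate(c, failed) for c in children]
    return all(results) if gate == "AND" else any(results)

def basic_events(node):
    if isinstance(node, str):
        return {node}
    return set().union(*(basic_events(c) for c in node[1]))

def top_event_probability(tree, p):
    """Exact probability, summed over every combination of basic-event states, so it
    stays right when one event (the flood) appears in more than one branch."""
    events = sorted(basic_events(tree))
    total = 0.0
    for states in product([False, True], repeat=len(events)):
        failed = {e for e, s in zip(events, states) if s}
        weight = 1.0
        for e, s in zip(events, states):
            weight *= p[e] if s else 1 - p[e]
        if evaluate(tree, failed):
            total += weight
    return total

def minimal_cut_sets(tree):
    """Smallest sets of basic events whose joint failure alone triggers the top event."""
    cuts = []
    events = sorted(basic_events(tree))
    for states in product([False, True], repeat=len(events)):
        s = frozenset(e for e, f in zip(events, states) if f)
        if s and evaluate(tree, s) and not any(c < s for c in cuts):
            cuts = [c for c in cuts if not s < c] + [s]
    return sorted(cuts, key=lambda c: (len(c), sorted(c)))

# Constructed annual probabilities for illustration only; not Tepco's or any regulator's figures.
P = {"plant_trips": 0.2, "grid_lost": 0.05, "diesels_fail": 0.01,
     "batteries_fail": 0.01, "flood": 0.001}

# Defence in depth as usually modelled: cooling is lost only if all four supplies fail.
INDEPENDENT = ("AND", ["plant_trips", "grid_lost", "diesels_fail", "batteries_fail"])

# Same tree once the shared basement is admitted: one flood takes out diesels and batteries.
WITH_FLOOD = ("AND", ["plant_trips", "grid_lost",
                      ("OR", ["diesels_fail", "flood"]),
                      ("OR", ["batteries_fail", "flood"])])
```

With these constructed numbers the independent model gives about 1e-6 per year, while admitting the common-cause flood raises it roughly elevenfold and adds a three-event cut set (plant trip, grid loss, flood) that the original tree never contained.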

Some years ago, a common commercial aircraft type started suffering a series of critical failures. The chance of them occurring had been painstakingly evaluated as orders of magnitude less than once in the present or future history of the universe. The cause was fortunately discovered and remedied before the plane was grounded. Big numbers usually tell you that you have a problem. But small numbers are not so good at saying that you don’t.

Pitting one risk against another

So, do we build nuclear plants to avoid fossil fuel pollution? Even with the best people and organisations, can we avoid accidents and disasters that lead to major contamination? The best guess is: maybe, and maybe not.

Some, such as Lee Clarke in his book Worst Cases, argue that the worst case scenario should be considered without an estimated chance of its happening. The LHC analysts performed worst-case analysis. Mitigating worst cases, though, is often expensive.

One bad accident every 25 years appears sufficient to make nuclear power amongst the costliest in terms of reparations according to some calculations. And in a sense we’ve been lucky, as Windscale, Three Mile Island, and Fukushima could all have been much worse – perhaps as bad as Chernobyl. For example, what if the process of unloading spent fuel assemblies from the damaged reactor pool taking place at Fukushima Dai-ichi goes wrong, and all that radioactive material burns off into the atmosphere? Are we content with weighing numbers representing risk, or do we need to go beyond – even far beyond – someone’s idea of “reasonably practical” to ensure that such events cannot happen?

The LHC commissioners took the worst case very seriously. By their own admission, the Fukushima regulator and operator did not. There is likely no single “right” approach. Whatever we decide, the outcome may not be as relatively benign next time.