THIRD WORLD RESURGENCE

Nuclear power and public safety

Ashwin Kumar and MV Ramana warn against accepting bland assurances that nuclear power is safe and clean. Drawing lessons from the experience of India which has set up an ambitious nuclear power industry, they conclude that any developing country with nuclear aspirations should consider the risk of a catastrophic accident as a major negative attribute of this technology.

OF all electricity generation technologies, nuclear power is the only one that is capable of catastrophic accidents whose effects may reach across space and time. The risk of a catastrophic accident has been known ever since the beginning of the nuclear age. Chernobyl, the best-known instance of such a disaster, will not only result in an estimated 34,000 deaths, but has also contaminated several thousand square kilometres of land with radioactive elements like Cesium-137, which will stay hazardous for decades if not centuries.

It is often stated that safety issues have been adequately addressed after the Chernobyl accident. Nuclear advocates repeatedly point to the absence of catastrophic accidents since 1986. But this cannot be cited as evidence of safety or, more precisely, as evidence of absence of risk of catastrophic accidents. To put it baldly, just because it had not experienced any accidents, can one say that the Chernobyl reactor was safe before 23 April 1986?

There are at least two reasons for discounting the non-occurrence of catastrophic accidents since 1986. First, as the 2007 report entitled 'Residual Risk' published by the European Free Alliance in the European Parliament pointed out, 'many nuclear safety related events occur year after year, all over the world, in all types of nuclear plants and in all reactor designs and there are very serious events that go either entirely unnoticed by the broader public or remain significantly under-evaluated when it comes to their potential risk'. There have also been many accidents that did not escalate purely out of chance, often involving the intervention of human operators rather than any technical safety feature. Such interventions cannot be taken for granted.

Second, at a deeper level, all nuclear power plants share some common structural features, though to different extents. The different systems of a nuclear reactor interact in complex ways, making it possible that multiple failures could interact in unexpected ways. A second factor is the presence of tightly prescribed steps and unchangeable sequences in operation that must be adhered to. Therefore accidents can escalate quickly, with few alternate pathways to diffuse them. Safety interventions, whether by humans or automatic safety equipment, must occur quickly, and be adequately planned for. Both these factors pose challenges to safety and its demonstration. They also make it more difficult to infer safe operation from past record; a system could have relatively minor accidents, but many such failures could combine unexpectedly in the future, leading to a much larger accident.

Aspects of safety

Notions of safety differ, but what they all have in common are usually claims about the future. In making the connection between the past record of anomalies and future prospects for safety, it is necessary to look beyond the frequency of past accidents and study the different factors during operations that contribute to safety.

One such factor is reliable operation of the different parts of the nuclear plant. This is made possible by incorporating backup systems for the contingency when the main systems fail. As a final resort, physical barriers are meant to protect the public from leakage of radioactive material. Backup devices and physical barriers together constitute 'redundancy', a term that refers to the duplication of functional components aimed at increasing the reliability of the system.

The problem with relying on redundancy alone is that the complexity of nuclear power plants makes it difficult to know in advance all that could go wrong to cause an accident.  A classic example is the Three Mile Island accident, in which operators did not know the state of the reactor at the time and performed actions that actually worsened it. Redundancy could also sometimes be part of the problem. For example, in the Fermi fast breeder reactor in the United States, a safety device meant to catch the core in case it melted actually initiated a near-meltdown when a part of it broke away and blocked the flow of coolant.

Still, nuclear plants around the world differ widely in how reliably they operate. Scholars of organisations have studied what nuclear power plants operating with high levels of reliability have in common, and during in-depth field studies in these plants they have found common features. The presence of these factors in any particular facility does not imply that safety has been achieved. In their absence, however, claims of safe operations are unlikely to be true.

In the high-reliability organisations studied by these scholars, political elites and organisation leaders place a high priority on safety in design and operations and operators have confidence in this fact. Furthermore, there is an atmosphere of openness and responsibility in which all individuals feel responsible for every detail of operations that they can observe, and feel free to point out their observations without fear. There are reliable backups in technical operations and in management of personnel, and this often prevents failures from escalating. At the same time, there is always a belief that present levels of safety are not enough, so that the guard is never let down. This means that such organisations are always exploring what could go wrong, and learning not only from their mistakes but also from others'.

In India, the Department of Atomic Energy (DAE)'s operations do not meet these characteristics. We illustrate the hazards associated with nuclear power through this short history of safety problems at the nuclear facilities in India. These are operated by the DAE directly or by one of the many organisations allied with the DAE.

High radiation doses to workers

We start by discussing a few events that led to workers being exposed to high levels of radioactivity. More broadly, discontent on the part of workers seems to be commonplace. There is a history of poor relations between management and workers, and a recurring problem seems to be the absence of workers' control over practices bearing on their health and safety at the workplace and outside. For example, in 1997, workers at the Madras Atomic Power Station (MAPS) went on strike for 25 days after the management suspended five radiation workers who refused to work in areas with a high radiation level. In 2005, employees at the Indira Gandhi Centre for Atomic Research, which manages the country's fast breeder reactor programme, had threatened to go on strike on account of a number of unmet demands. Among them was that the road from the plant to the housing area be broadened so that the workers would not get stuck in a traffic jam in the event of an emergency.

Madras Atomic Power Station, 1999

In March 1999, some workers at the second unit of MAPS were testing a device designed to inspect the reactor's coolant tubes, which had been routinely plagued by cracks and vibrations. Suddenly a plug that sealed one of the coolant channels slipped away and a large quantity of heavy water leaked out. It was subsequently reported in the press that 42 workers were involved in mopping up the leak and recovering the heavy water. The heavy water had been exposed to neutrons inside the reactor and had accumulated radioactive tritium.  Because the radioactive heavy water would vaporise, employees working in that environment would be exposed to radioactivity with every breath, and would have received a radiation dose in excess of the prescribed annual limit in only five hours.

Some weeks after the event, workers union representatives revealed to the press that seven of the workers who helped clean up were placed in the 'removal category' and would not be allowed to work in any radioactive areas in the future. This suggests that they did indeed have radiation doses in excess of their annual quotas.

Kalpakkam Atomic Reprocessing Plant, 2003

In 2003, there was an accident in the Kalpakkam Atomic Reprocessing Plant that caused extremely high radiation exposures (280-420 mSv) to workers. The cause is said to be a valve failure, due to which highly radioactive waste entered a tank containing waste of lower radioactivity. At the time of the accident, about five years after the plant was commissioned, no monitors had been installed to check for radiation levels in that area. Nor were there any mechanisms to detect the valve failure. Therefore workers had no way of knowing that the sample they went in to collect was actually emitting high levels of radiation. The accident was recognised only after a sample collected was taken to a different room and processed.

Despite a safety committee's recommendation that the plant be shut down, the management decided to continue operating the plant. The Employees Association wrote to the director setting forth 10 safety-related demands, including the appointment of a full-time safety officer. The letter also recounted two previous incidents where workers were exposed to high levels of radiation in the past two years, and how officials had always cited the existence of an 'emergency situation' as a reason for the health physics department's failure to follow safety procedures. Once again there was no response from management. In desperation, some months later the union resorted to a strike. The management's response was to transfer some of the key workers involved in the agitation and threaten others with similar consequences; two days later, all striking workers returned to work. The management's public interpretation was that if the place had not been safe, the workers would not have returned. Finally, the union leaked information about the radiation exposure to the press.

Once the news became public, management grudgingly admitted that this was the 'worst accident in radiation exposure in the history of nuclear India'. But it claimed the 'incident' resulted from 'over-enthusiasm and error of judgment' on the part of the workers, blaming them for a situation over which they had no control. Management also tried to blame the workers for not wearing their thermoluminescent dosimeter badges, but this had little relevance to the accident, since these badges measure total exposure during a period of time, and would not have warned the workers about radiation levels until they were analysed by the health physics department.

Organisation theorists point out that highly reliable operations are highly demanding and the necessary conditions are sometimes not fulfilled because of the competing priorities and the difficulty of justifying efforts on safety whose direct outcomes are often unclear. But there is little effort on the part of those managing India's nuclear facilities, and there is low priority given to safety at the highest levels. Workers do not have control over their immediate environments, and problems cannot be raised openly.

Temporary workers

The workers discussed above had recourse through their union to resort to strikes. The situation of the many temporary workers is worse. The employment of such workers, especially for cleaning tasks, in many nuclear facilities has been reported by many others. The DAE claims that temporary workers have an even lower dose limit, but such claims appear to be contradicted by many grassroots and independent accounts of poor working conditions at nuclear facilities.

For example, here is an extract from a newspaper report on what happened after a major radioactive leak from pipelines in the vicinity of the CIRUS and Dhruva reactors in 1991. The management, reportedly, 'set six contract labourers on the task of digging a pit, to reach the burst pipeline, eight feet below the surface. These workers wore no protective gear or radiation monitoring badges. The contract labourers who had worked for almost eight hours inside the pit on 13 and 14 December 1991, were thereafter hastily pulled out, given a bath, new sets of clothing and packed off home. There is no evidence of the labourers having been subject to radiation monitoring tests'.

High radiation doses to temporary workers seem to have been especially common at the Tarapur reactors. Journalist Praful Bidwai reported in the late 1970s that there were areas 'so radioactive that it is impossible for maintenance jobs to be performed without the maintenance personnel exceeding the fortnightly dose ... in a matter of minutes'. Because of the numerous high-radiation areas which had to be serviced, Tarapur Atomic Power Station (TAPS) personnel were 'not capable of handling the larger-than-anticipated volume of maintenance jobs, especially in areas with a large number of hot spots', and so 'outsiders ... have to be brought in so as not to overexpose the already highly exposed TAPS personnel to radiation'. Many of these 'workers do not have adequate knowledge or understanding of radiation hazards' nor are they 'entirely familiar either with the layout of TAPS or the precise nature of the job they are ordered to perform'. Although outsiders do not have access to health records of DAE workers, there is anecdotal evidence along these lines of poor safety practices that frequently cause ill health to workers.

Lessons from operations in India's nuclear facilities

As mentioned above, one of the lessons from field studies of relatively well-performing nuclear power plants around the world is that they possess reliable backups in technical operations and in management of personnel, and this often prevents failures from escalating. In addition, the employees and management never let down their guard, and the organisations continuously explore what could go wrong, learning from their mistakes and also from others'. In this section, we describe repeated failures at DAE facilities, some of which have led to accidents.

Narora, 1993

In March 1993, a fire started in the turbine building in the first unit of the Narora power station after two blades of the turbine broke off. These two blades then sliced through 16 other blades, making it vibrate violently. This caused pipes carrying hydrogen gas cooling the turbine to rupture, releasing the gas which soon caught fire. Around the same time, lubricant oil had also leaked. The fire spread to the oil and then through the entire turbine building. Following this, the backup cooling systems were made inoperable when fire burnt through their cables. There were four different cabling systems, all of which lost supply as part of a general blackout in the plant.

The operators responded to the accident promptly by manually initiating the primary shutdown system. In addition, some operators climbed the top of the reactor building aided by battery-operated portable lighting and manually opened valves that released liquid boron into the core to slow down the reaction. Operators also started up diesel-driven fire pumps and used water meant for fire control to operate the coolant system. During the accident operators had no indications of the condition of the reactor and were, in the words of analysts from the US Nuclear Regulatory Commission, 'flying blind'. Operators were forced to leave the main control room because of smoke at about 10 minutes after the blade failure and could not re-enter it for close to 13 hours.

Large vibrations in Indian turbines had happened before, but this was the first time that the blades broke and ruptured a pipe containing hydrogen, which then leaked and caught fire. Around the same time, oil was leaking in the turbine building. Oil leaks too are common in the DAE's reactors, but this time the oil also caught fire. Fire spread through the power-carrying cables and disabled them. Backup cables were present but had been placed in close proximity without being encased in fire-retardant sheaths, in violation of international design guidelines. Therefore, they did not function effectively as backups. The accident was preventable, and the DAE had not learnt from best practices in cabling design, nor did it heed warnings from the turbine manufacturer about blade fatigue problems, especially significant in Indian reactors where excessive shaking of the turbines has occurred many times.

Recurring patterns

The set of failures that led to the Narora accident have persisted in many reactors. In late 1993, high vibrations and temperature in both the Narora-2 and RAPS-1 turbine generator buildings led to reactor shutdowns. The problems in these reactors persisted into 1994, and the next year, even after repeated maintenance shutdowns supposedly meant to mitigate turbine problems, blades failed in the turbine of Narora-2. After being restarted following the accident in 1993, Narora-1 was shut down repeatedly in 1995 because of high vibrations of the turbine. RAPS-1 and Kaiga-2 also suffered from high turbine vibrations later that decade. Fires have also occurred repeatedly in many reactors, following the accident. There have also been numerous oil and hydrogen leaks.

Other examples of repeated failures are regular leaks and heavy-water spills. While these leaks are not themselves serious safety hazards, they could be the precursors to more serious accidents, for example involving coolant failure. As mentioned earlier, the tritium in the heavy water also poses a health risk to workers.

The limits of demonstrating safety

In the event of an accident, physical barriers are meant to prevent harm to the public if all else fails. In most reactors, there is a primary vessel that contains the fuel, radioactivity, and heat produced in the reaction. Outside there is a secondary containment building, meant as a physical barrier to prevent leakage of radioactive gases and material to the environment. Integrity of these barriers is often demonstrated through mathematical models up to a certain limit of pressure and temperature; during normal operation and under most accidents, these limits must be met.

In some reactor types, there might be accidents for which it is difficult if not impossible to demonstrate the adequacy of these barriers. For example, fast breeder reactors, due to the fact that their neutrons are not slowed down ('moderated'), are vulnerable to a reactivity increase that could lead to explosive breakup of the fuel, leading to a fast energy release in the reactor vessel. After the fuel becomes hot enough to melt, it is difficult to predict via mathematical models the magnitudes of what would happen next and the integrity of protective barriers cannot be assured, except by arbitrarily limiting the consideration of how severe the accidents can become. While the DAE, in making its case for safety of its Prototype Fast Breeder Reactor being constructed in Kalpakkam, has argued that its containment design accounts for the worst possible accident, an independent analysis has shown that the DAE's accident studies of this reactor contain several flaws that make them inadequately conservative. Moreover, in its design of the reactor, it has made choices based primarily on cost considerations that compromise its safety. 

Severe accidents apart, the effectiveness of these barriers also depends on their quality of design and construction. While the containment building was being constructed for the Kaiga reactor in Karnataka, its inner shell collapsed due to deficiencies in design. If this problem is widespread, it weakens the case for safety on the basis of 'defence-in-depth'. Unfortunately, unless the safety systems are tested to the point of being stressed to their limits, one might never know.

Conclusions

The examples described above are all from India. However, one can come up with examples of numerous accidents in many different countries. In many cases, these happened through routes that were not always anticipated. For instance, in July 2007, a strong earthquake with a magnitude of 6.6-6.8 struck Japan. Its epicentre was about 16 km north of Kashiwazaki-Kariwa nuclear power plant (KKNPP), the biggest in the world. The known results of the earthquake include a fire and a release of radioactive water; the latter was through a route that had not been predicted. The earthquake caused underground electric cables to be pulled down by ground subsidence, creating a large opening in the outer wall of the basement of the reactor - a so-called 'radiation-controlled area' that is to be completely shut off from the outside environment. In the words of a Tokyo Electric Power Company official: 'It was beyond our imagination that a space could be made in the hole on the outer wall for the electric cables.'

Poor safety culture is also evident in many countries. One example is the safety performance of Russia's breeder reactor programme. The largest reactor constructed so far, the BN-600, had experienced 27 sodium leaks between 1980 and 1997, 14 of which resulted in sodium fires. In most, if not all, cases, it appears that the reactor was not even shut down and continued operating as the fires were raging, indicating that inadequate priority is given to safety.

The risk of catastrophic accidents associated with nuclear power has two important implications. First, the pursuit of nuclear power, or any other hazardous technology, should be done democratically with the informed consent of the potentially affected populations. Second, this risk should be considered a major negative attribute of the technology and therefore, all else being equal, a technology that does not have this risk should be preferred. Bland assurances about nuclear power being safe and clean are unacceptable.      

Ashwin Kumar is at the Department of Engineering and Public Policy, Carnegie Mellon University, Pittsburgh, USA. MV Ramana is at the Program on Science and Global Security, Woodrow Wilson School of Public and International Affairs, Princeton University, Princeton, USA.

*Third World Resurgence No. 235, March 2010, pp 10-13

