Passive safety systems
Hi, Dr. Z – I keep hearing about “passive safety systems” on new nuclear reactors that say they’re designed to be “inherently safe.” How can a safety system be passive? And can we trust something that’s passive to keep a reactor from melting down?
The first time I came across a passive safety system was in the Navy – I was in Nuclear Power School and the instructor mentioned that a particular valve “failed shut.” What that meant was that the valve was opened by electrical current flowing through a coil of wire wrapped around the valve stem – the coil was called a sol enoid. When electricity flowed through the coil it produced a magnetic field that pulled the valve stem upwards, opening the valve and compressing a spring. For this particular valve, it was safer to be closed if we lost electrical power, so “failing shut” on loss of electrical power was better than “failing open,” so if the valve lost electrical power the magnetic field went away and the spring and gravity pulled the valve down, shutting the valve. This is one example of a passive safety system – technology (the solenoid) is used to open the valve and keep it open; if the technology fails then simple physics shuts it again.
A similar principle was used to scram the reactor – an electrical motor was used to pull control rods out of the core, compressing a spring as the rods were pulled. The motor drove a mechanism that clamped onto the control rods to pull them out; if electrical power to the drive motor was lost the clamp opened up and the scram springs (plus gravity) drove the rods back into the reactor core, shutting it down. Here, too, technology started up the reactor but, in an emergency, physics alone shut it down.
Valves failing open or shut doesn’t really sound very complicated, and maybe not like a very big deal. And, honestly, the mechanism is pretty simple – I could build one myself and I’m not much of a tinkerer. The scram system was not much more complex. But that’s the point – the more complex a system is, the more parts it has, the more opportunities for something to go wrong. That’s why the most important safety features tend to have the fewest moving parts.
According to the International Atomic Energy Agency (IAEA), passive safety systems can be categorized according what features the system lacks:
- No moving working fluids
- No moving mechanical parts
- No signal inputs of “intelligence”
- No external power input or forces
The IAEA categorization scheme, depending on how many of these features are present:
| Category | Feature(s) | Example |
| A | 1, 2, 3, 4 | Reactor fuel cladding (contains fuel and fission products) |
| B | 2, 3, 4 | Reactor emergency cooling via natural circulation |
| C | 3, 4 | Pressure relief (“safety”) valves |
| D | 4 | Reactor scram |
Of these, I’m willing to bet that you’re thinking about the Category B example, which has been getting the most press lately.
- In pebble-bed reactors, rising reactor power heats the fuel “pebbles” and, as their temperature rises, the physics of nuclear fission cause more neutrons to be captured by U-238 (which does not fission easily) and fewer to be available to cause fission in U-235 atoms. As a result, reactor power levels off and begins to drop, keeping the reactor fuel from melting down.
- Some fast breeder reactors are cooled by liquid metal. As reactor power increases the metal heats up and expands; when this happens more neutrons escape from the reactor core, resulting in fewer fissions and reducing reactor power.
- In some molten salt reactors the atoms of the fuel are attached to the coolant, which is a fluoride salt. If the reactors develop a leak and begins to lose coolant it will also lose fuel, shutting down the reactor.
- Many reactor designs (including the reactor on my submarine) make use of natural circulation to remove heat from the reactor core if the reactor cooling pumps lose power. Since hot water rises, hot water from the reactor will rise, passing through a heat exchanger where it’s cooled by water from the sea, a lake, river, or cooling ponds. The cooler water sinks back into the reactor core where it removes more heat and rises again into the heat exchanger.
- Other reactor designs place large water-filled tanks above the reactor core, holding the water in place with valves that, on loss of electrical power (or hydraulic pressure or air pressure) fail open, letting gravity pull the cooling water into the reactor core.
There are other examples – the containment dome surrounding most reactors is an example of a passive safety system; the pipes and reactor vessel that contain the reactor coolant and keep it from escaping are another, and there are more as well.
What all of these – and other – passive safety systems have in common is that all they need in order to operate is for something to be lost – electrical power, air pressure, hydraulic pressure – and for the laws of nature to work as they have for billions of years. But lest we grow complacent, we must also keep in mind that nothing is perfect, as the IAEA points out in their report on the subject:
… passivity is not synonymous with reliability or availability, even less with assured adequacy of the safety feature, though several factors potentially adverse to performance can be more easily counteracted through passive design (public perception). On the other hand active designs employing variable controls permit much more precise accomplishment of safety functions; this may be particularly desirable under accident management conditions.
This is why nuclear reactors have multiple layers of protection – both active and passive, all overseen by human operators.
References:
- File: Solenoid Valve Open.png, by Joey Corbett:
https://commons.wikimedia.org/w/index.php?title=User:Sparpo&action=edit&redlink=1
https://commons.wikimedia.org/wiki/File:Solenoid_Valve_Open.png