> In January of 1974, after 60 person-years of effort, the Chair of the AEC reported to Congress that the odds of a significant meltdown were less than one in a million.
...Per what time frame? 1 in a million per year? 1 in a million per lifetime of the power plant? Something else? This number on its own is meaningless.
It's also not clear what counts as a "significant" meltdown. But the figure shows a one in a million chance of an event causing 1000 deaths across a group of 100 nuclear plants.
This line presumably refers to the Reactory Safety Study, WASH-1400, published in 1975. But I can't find the source of the 1 in a million number anywhere. The executive summary (which was later retracted) said the chances of a core melt accident were 1 in 20,000 per plant per year, which is comparable to current risk estimates for US plants (maybe a bit lower).
The chronology in this one is kind of spastic. We start in 1985, then jump to "the 70's and 80's", then '74, then 2011, then "the second event" in '77 which is eight years before the first event. I've basically lost track of where we are at any point in history.
On the other hand, cats are cute and rice is tasty. Thumbs up. How many I don't know; probably depends on what year it is.
The biggest risk factor is Human Error. Any model that hopes humans will not make errors at every opportunity will give excessively optimistic risk assessments.
TMI involved controllers making a long series of wrong choices until they finally made the right one, averting a disaster. In all probability, we just got lucky.
"Human Error" is a bad stopping point for attributing failure or understanding risk. It's the famous story of Alphonse Chapanis and the B-17s. You need to dig deeper.
https://www.goodreads.com/en/book/show/840 Have a look if you can find the book! Don Norman is the father of modern human-computer interaction (which birthed the fields of UI/UX design, and influenced pretty much all modern design). The quote is obviously meant to be hyperbolic, but the idea is that the designer should never blame the user for 'human error', but take into account how people normally do things and *predict* human error - and prevent it from happening.
If you want to be literal, the goal of good design is to *minimise* human error.
Not sure if there's a commonly understood. distinction. In my mind, a flawed design may perform well under normal conditions but fail under abnormal conditions. A bad design would fail under normal conditions.
"Seems right", though, is subject to an evaluation mechanism that strongly discounts future dangers. (Well, it also discounts future rewards.)
I think that evaluation function should count as part of "human error", even though there are logical grounds for it. (I.e., the future is full of unknowns, and predictions about it are always uncertain.)
PRA models can throw a probability on various possible human errors. Making those probabilities accurate is tricky, though, and every few years somebody comes up with a new methodology to cover more possible factors that influence it. For example this one is supposed to apply even in external hazards like earthquakes and tsunamis:
> I am not convinced that a bonus that pays out in as many as 100 years, if it pays out at all, is much of an effective incentive.
If there's a secondary market, short-term-focused people can still get more by selling the incentive to patient investors. (You probably want them to not be able to sell more than ~half of it, to keep incentive compatibility in the face of info differences.)
The problem of keeping a hideously complex system like a nuclear reactor from failing catastrophically, killing lots of people, seems to me, a naïve observer, conceptually very similar to the problem of keeping a hideously complex system like an airliner from failing catastrophically, killing lots of people. A comparison of the two industries' approaches to safety--both theoretical and practical--might be useful. Are their methodologies similar? Is there anything the two industries could learn from each other? Are there major differences that necessitate different methods for each?
Interestingly, it seems that both industries have done very well overall at maintaining extremely high standards of safety and reliability--yet one has a commensurately stellar reputation, while the other has to deal with persistent, chronic public suspicion. What's the source of this difference? Is it a matter of a fundamental, ineradicable difference in public attitudes, or is there something about the air transport world's approach to public fear that the nuclear industry could learn from?
One difference between nuclear energy and airlines is that the realistic upper bound damage from an airliner accident is all the people on board (several hundreds, maybe 500 for an A380 or a Boeing 747) and some smaller number of folks on the ground. The fear for nuclear disasters is that the number lost in one accident can be much higher.
It isn't terribly rational to figure that 10,000 people lost in one go every 20 years is worse than three people lost every day for the same 20 years, but that is how (normal) people think of this.
True, but it's still bounded. There's no building a plane could be crashed into that would kill a million people, or render a major metropolitan region uninhabitable for generations. (Unless of course said building was a poorly designed nuclear facility?)
That said, political overreactions to perceived, salient risks can be far more damaging than the risks themselves. A hundred Chernobyls wouldn't put a dent in the conclusion that replacing all the world's coal with even 1960s-tech-level nuclear plants would be a massive improvement in health and safety (this is true even if you look only at radioactivity, and exclude all the other pollutants). No one seems to remember that the Three Mile Island meltdown released radioactive material beyond the containment facility, but didn't actually contaminate the environment. We just made it near-impossible to build new nuclear plants in the US after that, anyway, ensuring a much harder, longer, and more expensive road to cleaning up pollution and stopping GHG emissions.
The cascade started by 9/11 did kill at least hundreds of thousands, counting the various wars it triggered....
I totally agree with your second paragraph. The cost of overreactions to nuclear has historically been much greater than the direct costs of accidents.
On the other hand, reactors (at least those used for power generation) do not fly, and they operate in a usually predictable environment (tsunamis and earthquakes notwithstanding)
The flip side of this is that airliners have a lot more crashes than nuclear reactors have meltdowns. Enough crashes that you can pretty reasonably see the probability just by counting up the crashes and dividing by the number of flights. With a reactor, you have to rely on models of probability (since there have only been 3-ish meltdowns, two of which were a long time ago, and power plants in different locations and time periods have different levels of risk). You also have to rely on models of the consequences. This review is suggesting that the worst case consequences are much higher than the nuclear industry would like to admit, although I don't think the claim is well supported.
Also, as a member of the public, you can choose not to fly. You have much less choice about whether a nuclear power plant is operating within 50 miles of your home. Together, I think these factors (uncertainty about the level of risk, and having it foisted on you without your permission) make it fairly unsurprising that people get scared and angry.
I think the "worst case" scenarios considered in the review are extremely reasonable, though possibly low probability. But I really doubt that they are the actual worst cases possible.
Both nuclear power and airlines are considered High Reliability Organizations, because of their low tolerance of failure. There is a lot of literature on the best practices for HROs. Interestingly enough, hospitals are currently trying to become HROs, something I cynically worry is doomed to fail because of the complexities of the human body, not to mention is likely to lead to ballooning costs.
It's an even bigger contrast than you state: the commercial aviation industry has grown several times larger in the past three decades, while maintaining or improving overall safety, with a lot of new regulations and regulatory scrutiny. It weathered its own 'Chernobyl' (9/11, and more recently the 737 Max scandal). Yet people don't complain about over-regulation limiting the airline industry. Instead we enjoy cheap and safe flights. Meanwhile, growth of nuclear power has stagnated since 1990, and new plants have become prohibitively expensive to build. What gives?
If nuclear power was as necessary for energy production as flying is to (efficient and cheap) traveling, I guess the public would not be hostile to nuclear power plants. But this may change. Already even greens are warming up to nuclear if the only viable alternative is fireing more coal plants.
FWIW, I consider myself rather green, and I favor nuclear plants over natural gas plants, not just coal plants. But I still prefer solar by a wide margin. Lots of different reasons, not just a few. But building safe nuclear plants takes too long, and running them safely requires that the management wants to do so, so I'm rather skeptical of their long term safety. Possibly some of the new designs get around that problem, though. I've heard that molten salt reactors have a really limited "worst case", which would strongly change my position. (Then it would shift to be more based on speed of construction, individual ownership, and costs.) But don't build the plants (current designs) in places where they can't handle the environment. (E.g., don't build them in a canyon with steep walls.)
I am all for development of renewables, but I do not believe they are sufficient for our civilisation, and we still need additional energy sources. All sources of energy have downsides, and may have bad impact on environment. In case of nuclear we have a well understood, and clean technology. Of course it is clean only if it works properly. But that is the real choice: between tech which poisons us a significantly always (like coal), or poisons us and enables dictators (like gas or oil) or the one which is clean if it works properly, and in fact has an excellent record of working properly and is feared because of what if scenarios which are increasingly unlikely with contemporary constructions, and because of past disasters which were grossly exaggerated (nuclear). And public hostility to nuclear prevents building newer, and far safer power plants to replace existing ones. And you are right: I believe (well I am not a specialist) the new (and even not so new) reactors cannot melt even if all the systems fail, because they are built to be self stabilizing. And of course people which design nuclear power plants are not stupid, and they do not place them where they shouldn't: Well, mostly. In case of Fukushima they knew about tsunami which floded the plant place in the IX'th century. They just did not thought it would happen again so soon... However, from the reports it seems that Japan is somewhat unusual in how their nuclear industry supervision is dependent (instead of independent) from the political part of goverment, and it seems such a situation would be impossible in, say, US.
All the existing plants, and most of the new plants that might be built in the next 10-15 years, are water cooled reactors and are capable of melting down if all the systems fail. The designs are supposed to have enough redundancy that they will not all fail at once; usually this is true, but in very unusual situations (like the tsunami at fukushima) you can have common cause failures among components that are normally independent.
My error, yes, I was thinking about the fact that water is used as moderator, so no water, no fission, but this does not take into account radioactive products of fission which can stilll cause some meltdown if cooling is completely taken down. And of course I was thinking about various passive safety features, like emergency cooling based on gravity rather than pumps, but these can indeed still fail
The problem seems to me, a not very naive observer, very different than the problem of keeping an airliner from failing catastrophically and killing lots of people. For the fundamental reason that airliners by definition have lots of people inside them during normal operation, and nuclear reactors generally have zero people inside them during normal operation.
In the case of airliners, you can't separate the people from the catastrophe. In the case of nuclear reactors, you can put as much water and steel and reinforced concrete and distance as you feel is necessary between the potential catastrophe and any potential innocent bystanders. You can also try to avoid the catastrophe in the first place, but you can hedge your bets by arranging for all plausible catastrophes to be not really catastrophic after all. Well, except to the insurance company that has to pay for a new power plant.
A hideously complex Rube Goldberg machine for disassembling and disarming live hand grenades might seem insanely dangerous, but if it works by remote control inside a bank vault, who cares?
Except that in current reactors, decay products have enough power to make a major mess unless actively cooled down.
But cooling down nuclear fuel should be a much easier problem than having an airplane land in an airport. Much less moving parts that are operating near material limits or exposed to the outdoors.
As noted elsewhere, the decay products should only be able to make a major mess *inside* the containment vessel. And it's troublesome to have a billion-plus dollar power plant turned into a giant concrete monument to someone's incompetence, but I'd still rather have that than a thousand or so people dying from air pollution in the normal operation of an equivalent natural-gas plant (never mind coal). But the thousand deaths don't all occur in one time and place and they don't come attached to a scary newspaper headline, so apparently they don't count.
I think there have been less than 10 meltdowns in the history of western nuclear commercial power plants (so not counting early research reactors). Out of these, in 2 cases (Three Mile Island and Fukushima), *some* radioactive mess had escaped outside.
I am quite sure that this is less bad than what comes off a coal plant’s smokestack, but other people are less convinced.
Airlines give the general public something they can't get any other way: fast long-distance travel. Nuclear energy doesn't appear to do that, merely substituting existing coal and gas.
Nuclear energy does actually give something nothing else can: earlier relief from global warming and air pollution, but diffuse gains are hard to appreciate.
The source of the difference is that nuclear safety conversations never address the 8 million people killed by fossil fuel air pollution alone, each and every year, as the status quo against which the safety record of nuclear power should be compared.
This is a strange review, because "Safe Enough?" naturally invites the rejoinder "Compared to What?" which the review never addresses. The standard narrative of nuclear power is that hysteria over nuclear risk was allowed to strangle the industry, creating more risk in society overall, from fossil fuels. I don't necessarily buy that narrative, but it's disappointing that we get nothing about the tradeoffs involved. Is that because the book doesn't discuss them, or because it's not interesting to the reviewer?
As someone who _very_ much does buy the "fossil fuels were far worse" narrative, that lack of "compared to what" completely destroys this review in my mind.
If you're interested in some extracurricular reading, the fossil fuels industry do use a lot of similar risk management processes, and have a much higher failure rate (possibly because of the regulatory or financial landscape?).
If you want to read an example of a risk methodology failing horribly in a natural gas context, I submitted the review Nightmare Pipeline Failures into the contesf which didn't make the finals but is available in the Google doc. FWIW the failure modes aren't specific to gas - they're management issues that can plague a number of different industries.
I work in a highly regulated, highly safety-conscious industry where failure causes death and huge economic loss, so I have a professional interest in this kind of risk management. But this is because our services are (normally!) so reliable that people trust them with life-and-death use-cases, not because we're doing anything particularly dangerous. I don't mind admitting a level of envy!
Of course the reviewer is supposed to do research beyond the four corners of the book, otherwise how can they contextualise and challenge its claims?
But on an even more basic level, the reviewer is supposed to review the book. If someone wrote a biography of Louis XVI and didn't mention the French Revolution, I'd expect a reviewer to comment on that omission.
One cannot write a biography of Louis XVI and don't mention the French Revolution because he was toppled and killed by the revolutionaries so it's a big part of the subject. But you can write a biography of Louis XVI without comparing him with George III of Britain.
Sure, and writing a book about whether nuclear power is safe enough, without considering whether we are trying to make it too safe, is more like the former than the latter.
I think that under those circumstances, the review should say "this book completely fails to bring up cost/benefit tradeoffs compared to other forms of fuel, and this is a major problem with it".
Well, they did mention that "The total cost to clean Chernobyl and Fukushima may exceed a trillion dollars, but even consideration of this 'tax' would add only a penny or two per kWh to all the energy the industry has created in its history. The health and environmental damage from coal is easily ten times this."
Yes, this was a good point. I personally recently estimated that a trillion dollar disaster per the current total reactor hours world wide adds $500 million per GW in potential costs to nuclear
Interestingly, since LCOE figures end at 40 years for nuclear plants there is a comparable uncounted benefit. If a nuclear plant is extended for 40 more years at negligible costs, and its running cost of $30/MWh are $50 below that of the relevant alternative such as wind and solar with extensive backup, then the total uncounted value per GW is about $15 billion dollars
I reduce this to about $10 billion net present value at the time of first extension with a 2% discount rate which is low but seems reasonable since it's essentially a gift. Then if you work back to the time of completion of the plant at a 5% rate you get about $1 billion per GW rounding down. Again, a low rate, but it's like a free investment that is secure unless something even better than $30/MWh of baseload comes along
I think this stands up to the trillion dollar cost of historic accidents pretty well, particularly if you assume that the experience of Fukushima will make future accidents less likely. It's a harder call with the theoretical $10 trillion dollar cost but another of the lessons of Fukushima was that the evacuation caused almost all of the human costs. The price of living with the radiation to some degree would be much less than a Fukushima style cleanup
This does make a strong case for no meltdown designs even if they are a fair bit more expensive while the case for nuclear becomes incredibly strong at low prices of construction. If you can build for $3 billion per GW as I believe China does your uncounted benefits vs costs reduce the apparent price by 25% or more
I think it's an open question whether "living with the radiation" is even possible.
-The USSR sort of tried to do that by covering up the fact that an accident even occurred, but people found out anyway and they had to reverse course.
-At Three Mile Island, there wasn't even any radiation worth mentioning, there was no mandatory evacuation (though eventually there was a recommendation for young children and pregnant women to leave), and people still fled the area en masse. The human costs are hard to quantify, but they were certainly much higher than the physical damage.
-At Fukushima, many have argued that the evacuation orders were too aggressive and cost more lives than they saved. That's probably true, and many of those deaths were among very sick patients forced to evacuate from hospitals. But much of the healthy population of the area would likely have chosen to leave anyway (just as many have chosen not to return after the evacuation orders for their homes were lifted). The communities still would have been hollowed out, the land values decimated, the fish and agricultural products unmarketable... you can calculate that the costs of ignoring radiation are lower than the costs of fearing it, but you can't make people actually ignore it.
Much of that fear is misguided, but in a way that's difficult to pin down and even harder to correct. If someone's afraid of dogs, they can see whether there's a dog present, how big it is, whether it's on a leash, etc. And they can certainly tell if they've *been attacked* by a dog. Even as an engineer it's not easy for me to intuitively grasp how dangerous different levels of radiation are. How much am I harmed by the radiation from a chest x-ray versus a plane flight versus living for a year in Futaba? Is that worse than being bitten by a dog?
You can look up the numbers, of course, but most people won't. And if you lived in Harrisburg, Pennsylvania while Three Mile Island was melting down, you couldn't look up anything. Even the experts wouldn't have a good idea what was happening until afterward. Some sort of generic assurances from the government that "it's better to ignore the radiation" would not be very reassuring.
The review also doesn’t explain (maybe outside its scope) that the cascading catastrophe idea can also apply to other things like global warming (positive feedback loops), political issues surrounding fossil fuels leading to wars, fracking (catastrophic poisoning of groundwater seems theoretically possible).
I would say that the safe enough is compared to everything else in life that might kill you. Although that must be wrong since nuclear power kills so many fewer people than even the unlikely things that no one thinks about. Periodically you read that a building spontaneously collapses. Why all the effort focus on nuclear safety and not building safety. What about railroads, how many people are killed from train derailments, either directly or when they release deadly chemicals. Every so often there is an explosion at some factory killing one or more people, nuclear generation plants are much safer than say fertilizer manufacturing. Thats the way I would answer safe enough. That whole isolated demand for rigor thing.
My impression here is that mathematical "tradeoff" calculations are meaningless because they require so many totally unfounded assumptions that your conclusions will be necessarily garbage. Actually, worse than garbage, because they'll APPEAR mathematically precise.
excellent review of safe enough: phase change possibility after a cascading event is an important insight ; erosion of culture is more imp than erosion of material, another powerful insight --learned a lot from a very well written book review, compliments to the author
>Had this incident been taken seriously, disaster at Three Mile Island would have been averted
In what sense does the actual outcome of Three Mile Island, with zero deaths, zero injuries and negligible environmental damage, *not* count as "averting disaster"?
> As a reminder, there are over 20,000 parts in a utility-scale plant
As someone who works in manufacturing drawing management, I can assure you with a high degree of confidence that this estimate is laughably low even for a 60s era plant. It might be an accurate estimate of "how many assemblies is the plant prepared to diagnose a problem down to"; presumably your nuclear techs don't disassemble sump pumps to diagnose which float switch or capacitor failed. But there are many, many more parts in your iphone, much less something at the scale of a nuclear plant.
I will never forget the time our radar system stopped working because someone changed out a battery and forgot to replace a washer for one of the bolts they'd undone to reach it.
a) probabilistic risk management is easy to understand
b) i'm really smart
c) this review is better-written in terms of per-word information conveyed than most things I read
d) some combination or other factors
Under (d) perhaps I'm just in some mood where everything seems meaningful and profound. And perhaps also the core points (probabilistic risk management) are very well suited to this substack's audience. But if it's not me, goddamn this is a well-written (effectively-written) review. I read several sections of it aloud to other people.
Presumably actually implementing the method with all the technicalities included and getting it all correct enough to prevent actual disasters is difficult, but that doesn't mean understanding the basic idea of what the method is has to be difficult too.
I agree, the basic idea is really just "calculate the probability of system failure based on estimates of all the component failures", and the hard part is dealing with the huge number of systems and how they all interact (plus operator errors, natural disasters, figuring out how much radioactive material is released and where it goes, accounting for evacuations, and so on).
No, it isn't easy to understand. Not in application. Toy examples can be pretty simple. This is the modern version of "For want of a nail, the (horse)shoe was lost...", only iterated recursively over all the possible failure modes. (You did figure them ALL, didn't you?)
I appreciate both of these responses and in reading them have realized something about a common failure mode I'm sure Yudkowsky has written about this since I observe him triggering it in other people. I observe that people I talk to about risk management have a really hard time understanding the probabilistic aspect. People imagine some specific problem and create a solution for it and then say, well, I don't see how else it could go wrong. And when I point out all the ways in which it very well could go wrong, I get responses implying that I am just being inventive and unrealistic. Never once in my entire adult life have I intended my hypothetical counter examples to be all encompassing or all inclusive but instead merely to be examples of cascades where various different components could fail in some way. For instance, someone driving off the road while attempting to retrieve the last piece of candy that fell from a bag on the other side of the passenger seat seems like something that a person would just decide not to do and also like something that wouldn't specifically be enough to cause an accident all by itself. And yet, I know someone who happened to be doing exactly the one and caused exactly the other due to a convergence of also unhelpful circumstances. Yet if someone beforehand had laid out for him all of these converging problems, he would have insisted that he would never be so hungry or food motivated in the first place and also all of this sounds really unlikely.
And on the other side, of course, people who suffer from anxiety have not the opposite of this problem, but a painful permutation of it, where by attempting to imagine all the specific ways in which I think it could go wrong, they exhaust and torture themselves without necessarily, and in fact, usually while not improving overall systems that would make them safer or more successful.
Yeah. I liked this review for several reasons. I like the topic, though I'm more pro-nuclear than the author. But mostly because it was tight,. I finished it with my cup of coffee in the morning. And totally enjoyed all of it.
> Rasmussen delivered. In January of 1974, after 60 person-years of effort, the Chair of the AEC reported to Congress that the odds of a significant meltdown were less than one in a million. Congress and the public could rest assured that nuclear energy was far safer than comparable electrical generation methods such as coal, or a hydroelectric dam. The risks were astonishingly small, akin to getting hit by a meteor falling from the sky. Commissioner Ramey had nothing to worry about. The academics showed that nuclear energy was plenty safe enough.
Thing is, they were right. In the years since then, there have been exactly zero people killed by nuclear power plant accidents in America. For all the press attention it got, the Three Mile Island incident was incredibly minor; the radiation released into the environment was somewhere around half of what a typical coal power plant exposes people nearby to in one year... and that was it. The worst ever nuclear disaster in American history did no detectable harm to anybody.
My grandpa lectured on radiation safety at Harvard, and he mentioned to me once that the additional radiation from Three Mile Island carried a total risk of 0.7 deaths. (I'm not sure exactly what model he used to derive that number, though.)
Almost certainly that would be good old linear no threshold. It's easy to show experimentally that model is false by zapping fruit flies with a burst of radiation all at once or spread out over a month. But it only has one parameter so it's tractable to use with the limited data on radiation in humans that we have.
A small note on this is that due to the total distribution of probability centering on 0.7 the amount of probability that one person would die according to that model of risk is quite small
> The plant managers at the time opted to avoid publicly visible upgrades, ironically because they feared that new safety measures would relay the unwanted message that nuclear power was untrustworthy.
I realize this is not much of a substantial comment, but... I really fricking hate that people keep doing this.
Based on other comments elsewhere I'm rather sure that avoiding the financial cost of the upgrades figured into the decision, if not into what they were willing to publicly admit.
Hm, I'm surprised to read this and not find anything about the use of passive safety systems (https://en.wikipedia.org/wiki/Passive_nuclear_safety). My understanding is that these could have prevented basically all the big nuclear disasters, had they been around when the plants were built!
Looking it up, it seems like annoyingly passive nuclear safety systems are recent enough that (due to the giant slowdown in building nuclear reactors) few actual commercial reactors have been built with them. Annoying. If enough were built, they could maybe just replace the older less safe ones...
Yeah, this seems like a big missing component at the time of the book. Looks like new plants like the Vogtle plant that just opened in Georgia do use passive safety, which in hindsight seems like a no-brainer.
Oh, I didn't consider when the book was written. But it looks like it's from 2021? Do I have that right? In which case it seems like it should have discused it...
IIRC, the "swimming pool reactor" from the 1950's is supposed to have had a passive safety. (I.e., if the water drained out of the pool, moderation stopped, and the reactor shut down.) I presume that there must have been some problems with it that I just never read about, though.
That's really true of all reactors in the US, they can only maintain the chain reaction using what are known as thermal neutrons, which are ones that have slowed down through interactions with the water. Take away the water and almost all of the fissions stop, and the reactor is shutdown.
To clarify, I'm using the word moderator to mean something that slows down neutrons. Water is, in US light water reactors, the moderator. The control rods adsorb neutrons and are grouped into the term "poisons". I'm unfamiliar with describing the control rods as a moderator.
The power plants still most certainly use control rods to shut down the reactor by adsorbing enough neutrons very quickly when needed, though for routine temperature adjustments its common to use boron as a chemical poison and leave the control rods fully withdrawn.
Do you have a different understanding? Are we using the same term to mean different things?
We're using the same term to mean SLIGHTLY different things. To me a moderator is something that changes the way the neutrons act within the pile. Slowing them counts, but so does absorbing them. (I'm no nuclear technician, so I use the meaning I learned in high school.)
Cadmium is a neutron absorber, which is pretty much the *opposite* of a moderator. It does not slow down neutrons appreciably - it takes light elements for that. It does absorb neutrons very well.
A nuclear reactor wants lots of slow-moving neutrons, because those are more likely to react with the nuclear fuel. Some reactors can work with just fast neutrons, but those sorts aren't generally used for power generation. So, adding a moderator (e.g. water) leads to more reactions occurring because more of the neutrons are the slow-moving sort. Taking the moderator away, makes the reaction slow down or stop altogether. So if you use water as the moderator, then anything that makes the reactor seriously overheat will boil away the water and stops the reaction.
Cadmium, absorbs neutrons, particularly the slow ones a reactor needs. Adding cadmium means fewer neutrons and less reaction, with enough cadmium no reaction at all. So one common technique for controlling (or shutting down) a nuclear reactor is to include cadmium rods that can be inserted into or withdrawn from the reactor core.
Two completely different things, working in the opposite direction. To stop a nuclear reaction you don't want any more, either add cadmium or remove water,
Crucially, shutting down the reactor is not sufficient for passive safety. A shut down reactor still produces decay heat, initially about 6% of full power and less over time, which must be removed to keep the reactor from melting. So true passive safety requires a "passive", e.g. gravity fed, water source to cover the core and a passive way to dispose of the steam produced as that water boils off. It's further complicated by the fact that the whole system is at high pressure, so you can't just dump water in from above.
Research reactors are often pool type, and safety is not much of a concern, but you can't do that with a power plant.
You can, and some do, use gravity to remove decay heat. Interestingly, Fukushima Daiichi unit one had an isolation condenser, which uses the idea that hot water weighs less than cold water, you if you use a heat exchanger (HX), you can use a somewhat passive cooling for decay heat removal. Unfortunately, it worked too well, and for an uncomplicated reactor trip it would cool down too fast, so the procedures directed turning it off then on as necessary. When the tsunami arrived, sometime after the earthquake (that automatically shutdown the reactor), they had mostly closed the motor operated valve for this HX. Also unfortunately, they didn't write down when they positioned it. of course, they sent an operator to check, and they saw steam coming out of the vent on the non-reactor side, but this doesn't get used... well, ever, and there was much less steam than there would have been if it were under full load, so it got reported as working.
The new AP1000 units take a different approach, fully vent the reactor coolant system, then since it is depressurized, use gravity to add more water.
Yeah, I've tried to investigate the IC at unit 1, because turning it off prior to the tsunami seemed like it might have been the failure that set off the cascade of core melts. But best I can tell, the condenser cooling tank only holds enough water for about 3 hours of decay heat removal. I'm not sure that would have been enough time to make a difference.
I do like the isolation condenser concept (incidentally, GE is bringing it back for the completely passive BWRX-300 SMR). I guess the problem is that it has to be physically above the reactor vessel, pretty high off the ground, and that limits the size. But because it's at atmospheric pressure, it should be much easier to refill during a station blackout than the vessel itself.
I don't have any experience with an IC, so I really don't know the size or capacity. The detailed report I read, going off memory here. said they were running fire hoses and almost ready to start adding water to the torus in units 2, 3, and 4 when the explosion in unit 1 threw that is disarray, not only messing up the hoses, but also slowing everything down since they needed respirators and anticontamination clothing to work in that area.
The height difference doesn't have to be huge, but less height means larger diameter pipes for the same heat removal. The US Navy has submarines that normally operate with natural circulation and space is tight in submarines, and the AP1000 has a Passive Residual Heat Removal system but that's located in the containment building, big pipes, but not a huge height difference.
Yes, in fact one of the annoyances about Fukushima is how it was *supposed* to be shut down (I don't remember whether it was really soon, or recently extended ?) because of the design was deemed to be too old to be safe ?
But then even passive safety can only go so far against the threat of deliberate sabotage, as we are experiencing one right now :
Interestingly recent hype about CANDU heavy water reactor refurbishments and operation records has led me to look into the safety features of it and it appears very likely they would have had little problem with Fukushima. It seems to be so safe that it should be considered a worthy competitor to walkaway safe modular designs if they don't deliver on costs
The book actually covers passive safety in the first chapter; passive safety systems were considered superior and necessary until industry lobbying in the 60s & 70s convinced the AEC to allow active shutdown systems as the main line of defense.
I enjoyed this review a lot. However, like other people mentioned, the lack of a true comparison to alternatives leaves me feeling unsatisfied. Based on a quick web search, it looks like particulate air pollution costs us about 7 million premature deaths per year. There are lots of variables, but consider that order of magnitude compared to what looks like 32 deaths from nuclear power, ever. Sure, there's the "evacuate Tokyo" style long tail, but eventually you have to try to convert that into an expected value, and I bet it's pretty low.
The description of Probabilistic Risk Assessment is fascinating, but ultimately it doesn't sound very... probabilistic? If every scenario is intended to have a probability of zero, you end up spending approximately an infinite amount of money, which is part of the reason why I still suspect that nuclear is more expensive than it needs to be.
He admitted it as an error, but perhaps he shouldn't have. "Premature deaths" doesn't say how premature, and IIUC particulate air pollution is supposed to have shaved years off of almost everyone's expected lifespan.
In that vein I am reposting this thought experiment: a variant of Earth called "Meltdown World". In meltdown world,
1. Political sentiment in the 1960s and 1970s went against coal/oil power instead of nuclear power, and stayed that way ever after. Solar/wind were unaffordable at the time, so most of the world switched to nuclear plants and global warming was cut in half (oil is still used for heating and transport, because cars weren't politicized).
2. People treat radiation releases from nuclear plants the same way we treat fly ash from coal plants - as just a normal thing that we breathe in as a Fact Of Life. If there's an total unmitigated meltdown, people might evacuate for a week or two, but then everybody just takes their iodine pills and returns home.
3. Every reactor in the entire world shares the Fate of Fukushima: it runs fine for 40 years and then has a big unmitigated meltdown and radiation release. After 40 years, thousands of tons of salt water magically appear throughout the plant, destroying all emergency generators, and it never occurs to anyone to use passive safety systems instead or to shut off reactors after 39 years, and every plant is like Fukushima's rather than Onagawa's[1], and safety regulations never improve, and no one builds Molten Salt Reactors, etc. All these meltdowns are expensive to clean up, but since the world builds so many nuclear plants and deals with so many meltdowns, the costs decrease according to a learning curve (akin to Swanson's law of solar panels and Moore's law of silicon chips).
_Question:_ how does a coal plant compare with a nuclear plant in Meltdown World? Which one ends more lives? Does it make a difference if the coal plant is Chinese-style with high pollution? As reported by NASA, nuclear power saved over 1.8 million lives between 1971-2009 (39 years)[2]. Presumably, many millions more could have been saved if more coal plants had been replaced with nuclear plants. Does this remain true in meltdown world, or does it become false?
To answer this we need to know: (1) how deadly is coal (per TWh) - this is widely published[3], (2) how deadly would Fukushima have been (per TWh) if there had been a temporary evacuation but no relocation, and (3) how should the numbers be adjusted for other locations, e.g. do areas around other nuclear plants tend to be more populated or less populated than Fukushima?
Finding information about radiation risks isn't easy, as the media rarely publishes info about this. When I first published this thought experiment on Reddit, I looked around for awhile and the most relevant bit of scientific info I found was this "meta-analysis of leukaemia risk from protracted exposure to low-dose gamma radiation"[4] which concluded, based on 23 other studies, that the excess relative risk (ERR) of non-CLL leukemia from 100 mGy of radiation is roughly 19% (it is unclear to me if 100 mGy is different from 100 mSv). Based on a typical non-CLL leukemia rate of 1 case per 1,000 people per year, ERR=0.19 would increase this by roughly 1.9 cases per year (1 in 53,000 people). The risk presumably varies as a function of time since exposure, but this particular study seemed to completely ignore the issue. To estimate the total risk, I tried assuming that ERR=0.19 every year for 25 years after exposure. "25 years" is just a guess, but it probably can't be more than 40 years because the "average person" is middle-aged and only has 40 years left anyway.
This works out, very roughly, to a 0.05% chance of getting non-CLL leukemia within 25 years. I heard this is the main type of cancer typically associated with radiation, at least if you've been a good boy and took your iodine pill. Eventually I found a second source of information from NASA[5]. Based on this it seems that for the "average adult", 100 mSv of gamma radiation gives an estimated risk of 0.4% for eventual cancer, with large error bars―about ten times higher, but still less scary than most people seem to think. And btw radiation is considered riskier for women and younger people.
Of course we'd need to know what kind of dose people around Fukushima would have received if they did not relocate. I found figures for radiation averted at Fukushima in the first year of relocation (Table C11, page 190, UNSCEAR report[6]) but there are no figures for subsequent years, nor are population sizes provided. It looks like a majority of evacuees avoided 20 mSv of radiation or less in the first year by relocating. For comparison, I recently had a cardiac function test involving 10 to 30 mSv of gamma radiation depending on the sensing equipment (more radiation is needed for older equipment) and I tested negative but thanks for your concern.
I don't know how to get the power output statistics for Fukushima in particular, but eyeballing this report[7] it looks like the capacity factor at a typical nuclear plant is about 83%, and Fukushima units 1-3, the ones that melted down, had a capacity of 439+760+760=1959MW which is about (439+760+760)*0.83*24*365.24 = 14252863 MWh per year = 570 TWh over a 40-year period.
Let's say I pull the number 2000 straight out of my ass for the number of cancer deaths that would have eventually occurred due to the Fukushima meltdown sans relocations (I think I saw an article in Forbes claiming that this number was 160, but the article didn't cite a source and I can't find it anyway). 2000 deaths would be less than 4 deaths per TWh, compared to 25 for an average coal plant. Another source[8] separates USA from China coal, giving 15 and 90 deaths per TWh respectively. (Nuclear, of course, is 0.04 deaths per TWh)
P.S. Meltdown world is based on Fukushima and not Chernobyl because Chernobyl-style RBMK reactors would never have been legal in the United States[9] due to issues such as the lack of containment building and the substantial positive void coefficient of reactivity when coolant boils, and I assume that regulations in most of the world have always been closer to the US than the USSR. In real life, U.S. regulations were strengthened due to political pressure and TMI, so ... we're doing kinda better than Meltdown world here.
Mostly responding to this because i found it very interesting and I'm hoping more people engage with it.
My first impression reading this was that assuming everything is as bad as Fukushima sounds pessimistic but doesn't capture the even more extreme and unlikely long tail risks.
Apparently the world used 23,921 TWh in 2019. If we made all of that via Fukushima clones and each Fukushima produces ~14 TWh per year then we would need ~1600 Fukushimas. If the white swan of Meltdown world is 2000 deaths what is the black swan.
For all their problems coal powered stations have relatively linear risks. The deadliest failure when you have 100 plants looks similar to the deadliest failure when you have 1000 or 100000 (I assume). The deadliest failure when you have as many nuclear plants as we do now(440) is Chernobyl but the deadliest failure when we have 1600 or 6400 might be an entire continent becoming uninhabitable.
I really don't know the worst case scenario, and it's an interesting question. I'm skeptical of the uninhabitable continent scenario. From what I can gather from some quick searches, Chernobyl actually released a significant quantity of fuel. I've seen an estimate of 4,000 deaths expected over time from that event. I could imagine a worse release resulting in 10-20x that number, which is terrible but not really unbounded. After the initial release, I get the impression that having some more radioactive material spread over a broad area actually doesn't have incredibly high mortality impacts.
I know I'm essentially pulling this stuff out of my ass, so I'm curious if anyone has a more informed perspective on the actual worst, worst case scenario for a nuclear plant.
I would expect that the danger posed by nuclear devices that are designed to be dangerous (i.e. bombs) would be an upper bound on the danger of a device that failed to be safe, and the worst nukes are a lot less dangerous than that. I guess a salted bomb that affected continent-scale areas would be less militarily useful because it's harder to target only enemies, but the incidental fallout from an ordinary nuke seems like it would be more like that of a meltdown anyway. (The different timescales do lead to different distributions of product isotopes. I'm assuming that nuclear reactor products are probably not a whole lot more dangerous than bomb products.)
No. Bombs are designed to intensely affect a rather small area. You get a worse disaster by affecting a larger area less intensely over a longer period of time. But if the intensity of the damage is reduced too much, people will just ignore it. So it's a trade-off, but bombs aren't the worse, just the most dramatic. People were living in Nagasaki 50 or 60 years ago, without too much trouble.
A bomb involves a lot less uranium/plutonium than is in a power plant, so even though there's a huge amount of immediate radiation when the bomb goes off, the quantity of radioactive fission products that remain in the environment afterward is relatively small. They can be dangerous for a fairly short time in a moderate size area. A reactor meltdown is more able to contaminate large amounts of land for decades.
I think you're overestimating the "worst case" of a Fukushima sized plant self-destructing. It would probably take out less than the area of Iowa. The more you spread the fallout, the less significant it is as a hazard. Also, the more radioactive it is, the shorter its half-life. Note that dogs have been living essentially IN the Chernobyl plant ever since the area was evacuated. And they've survived rather well. (IIUC, their DNA is currently being studied to see if there have been ANY significant changes.)
A high background radiation level increases the risk of cancer, but so does inhaling fumes from coal/petrochemical oxidation. There's got to be a tradeoff point, but I don't know what it is.
P.S.: My "extrapolated worst case destruction" was sort of vaguely modeled on "grind up all the hot stuff and spread it evenly in a circle around the plant. But I didn't run any numbers. However I don't think that kind of worst case" could plausibly contaminate an entire continent. I just picked Iowa because it's compact in shape and about the right size (though a bit larger than my intuitive estimate of "worst").
P.P.S.: I don't consider nuclear plants safe, because they're too complex, have too many failure modes, and you need to consider management to be trustworthy over multiple decades of time. Also past history shows companies managing them cleverly going bankrupt just before they had to pay to decommission the plant. But this doesn't inherently make them worse than fossil fuel plants.
I don't really know what the worst case is but I'm not sure how much I'd trust someone's idea of an upper bound. I'm sure people have been confidently wrong before about how big a problem a black Swan might be.
OK. That was based on reports from Britain. But it still speaks to the nature and intent of the management, even if there are reasons they can't get away with it...they'll try to come up with some other way to cut costs and shun responsibility for the results.
Agreed. Anecdotally, the sense I've gotten from people who worked in the US nuclear industry is that there used to be a lot more of that, and after the regulatory crackdown post-TMI, the utilities mostly really do put safety first. But there will always be exceptions.
Chernobyl is the deadliest failure of an atom bomb factory, which happened to be collocated with a power plant. It should not be part of the reference data set for "how bad can nuclear power (but not atom bombs) be?"
More precisely, the RBMK-1000 reactor used at Chernobyl was explicitly designed as a dual-purpose device to generate power and simultaneously produce weapons-grade plutonium. The severity of the Chernobyl accident was entirely due to design features mandated by need to produce lots of weapons-grade plutonium; absent those, it would probably have been another Three Mile Island.
Fukushima is as bad as we've ever experienced in sixty years of nuclear power generation. And the net effect was to make the Sendai earthquake about 0.01% more deadly than it otherwise would have been.
What if all the extra nuclear material needed for all the new plants makes it more likely that some falls into the wrong hands and they detonate a dirty bomb in a major city centre
I would refer you to the dirty bomb fact sheet from Department of Homeland Security:[1]
> It is very difficult to design an RDD that would deliver radiation doses high enough to cause immediate health effects or fatalities in a large number of people. Therefore, experts generally agree that an RDD would most likely be used to:
> • Contaminate facilities or places where people live and work, disrupting lives and livelihoods.
> • Cause anxiety in those who think they are being, or have been, exposed
IOW, dirty bombs typically make people move but don't tend to cause many casualties over and above conventional explosives. The interesting part of this is the anxiety element―terrorists know people will freak the hell out about a dirty bomb even if it doesn't kill anyone at all. So a terrorist would be most interested in a dirty bomb if they want to scare people more than kill people. I don't think Bin Laden or ISIS would've gone for that.
If you spend half a century teaching the ignorant to be very, very afraid of Invisible Deadly Radiation, then yes, some people may use that as a way to spread fear and panic with a not-very-deadly thing. But it would take great chutzpa to set up all that propaganda and then say "because people would be afraid, we mustn't do that thing even if it's less deadly than the alternatives."
My thought experiment, my rules. But if you want to actually vary the severity of each incident according to what a magical-earthquake+tsunami-from-nowhere would actually do in each plant, you would have to also take into account that in most cases the entire electric grid wouldn't be wiped out, that some plants don't need electricity to avoid meltdown, that not every plant stores every emergency generator in the basement, most plants probably have better-trained personnel and safety culture than TEPCO, some plants have passive autocatalytic recombiners to avoid hydrogen explosions and minimize radiation releases, etc. So along with this "black swan" you should also have a lot of nothingburgers, where a magic earthquake + tsunami causes no meltdowns and just makes the plant unusable.
And as I said, RBMK is a specifically USSR thing; you simply cannot get the same runaway reaction rate in western reactors. Simply put, Chernobyl-type reactors were unstable by design, and the only thing stopping them from exploding was the competence of the operators. This design seems intentional: it made the reactor cheap! They used graphite moderator (cheap), light water coolant (cheap), minimally enriched uranium (cheap), a welded pressure vessel (cheap) and no containment structure (free). Western reactors typically use a more expensive arrangement with a single-piece pressure vessel (expensive), a containment structure with nuclear-grade concrete (expensive), and uranium enriched to 5% (expensive) to avoid the need for graphite. This last part is the most important; by using more enriched uranium, graphite moderator can be replaced with light water moderator, which negates the void coefficient of reactivity. This doesn't prevent meltdowns outright, but it does prevent rapid runaway heating that could cause an explosion.
The Fukushima reactors had multiple design flaws, but compared to Chernobyl, the explosions that occurred at Fukushima were almost harmless since they occurred outside the containment structure. The Fukushima situation was perilous though, and illustrates the value of newer reactor designs that avoid depending on electric power for safety. The best designs go a step further by avoiding the need for high pressure and water cooling. At Fukushima, fire trucks could not inject water prior to the meltdowns because the pressure inside the reactors was much too high. Water could come out of the reactors, but it was impossible to put water in. It doesn't have to be this way, though.
In fact, the very first reactor built at Fukushima had a passive safety feature to prevent meltdown in case of total blackout, but my understanding is that this system automatically turns itself off in case of total blackout ― this makes no sense so I've been hoping someone would come along to explain why it was built this way, but no luck yet. Moreover, TEPCO employees were unaware that the reactor worked this way and therefore shifted their focus to reactor 2, which (also bizarrely) had a theoretically (and actually) less reliable active safety system than reactor 1 even though it was built afterward. Again, I've been hoping to see someone explain how this "de-evolution" of design occurred but no luck yet.
Sadly mass media doesn't treat nuclear safety anything like airline safety. If it did, we would have lots of TV shows that explain what went wrong moment-by-moment and then explain (i) how many other reactors are vulnerable to the same problems, (ii) the recommendations that were made to ensure this does not happen in the future, and (iii) whether the recommendations are being implemented. TV shows about airline safety are like this; I have NEVER seen a show about nuclear disaster that covered (ii), let alone (i) or (iii). But to be fair, I've ALSO been waiting years for someone to explain why the MCAS system on 737 MAX planes only received input from one of the two AOA sensors, given that literally every fan of aviation disaster shows knows you're not supposed to do that. Do aviation engineers not watch these shows? WTF?! This is disaster avoidance 101!
"the very first reactor built at Fukushima had a passive safety feature to prevent meltdown in case of total blackout, but my understanding is that this system automatically turns itself off in case of total blackout"
This sounds like you're referring to the Isolation Condenser (IC) which is a passive heat removal system that circulates steam through a heat exchanger in a cooling pool above the reactor. It is indeed very reliable, and it did not automatically turn itself off, it was turned on and off repeatedly by the operators because it was cooling the reactor too fast. Unfortunately it seems to have been off at the moment they lost power to the controls. I have asked some experienced operators whether they could instead have throttled it partially open to get the right cooling rate continuously, and the answer was that they probably could have theoretically, but nobody thought they would lose DC power, so it wouldn't have occurred to them to bother. Even if it had been on, though, once power was lost they had no way to refill the cooling pool, so it likely would only have bought them a few hours.
"reactor 2, which (also bizarrely) had a theoretically (and actually) less reliable active safety system than reactor 1 even though it was built afterward. Again, I've been hoping to see someone explain how this "de-evolution" of design occurred but no luck yet."
Yes, in the later versions of the BWR, the IC was replaced with a pair of turbine driven pumps, a small one called RCIC and a larger one called HPCI. These are also generally very reliable, and do not require AC power since they are powered by the steam bottled up in the reactor. One advantage they have is that instead of just removing heat, they actually add water to the reactor, in order to help keep the core covered. The IC is good for a station blackout, but not much help if you get a leak in the piping or a stuck open valve that lets the coolant bleed out. In addition, the RCIC and HPCI pumps pull water from extremely large reservoirs that don't need to be refilled. In fact, at Fukushima, the RCIC and HPCI pumps at units 2 and 3 kept them cooled for a couple of days, eventually failing because (like the IC) there was no reliable DC power to the controls, so the operators couldn't adjust the flow rate, start or stop them when needed, or tell if they were working.
Your point about TV shows is a good one. I've watched the first few episodes of The Days, a new Netflix dramatization of the Fukushima disaster that is pretty factually accurate. But the technical aspects are handwaved a little bit because they're likely too complicated for a general audience to enjoy.
I remember seeing a show about this that said specifically that the operators believed the cooling system on Reactor 1 was working and therefore shifted their focus to reactor 2 which they considered higher-risk. They were confident enough about it that no one checked (e.g. no one looked for exhaust steam that should've been emitted outside the building). Thanks for the info on design tradeoffs between IC/RCIC+HPCI.
Chernobyl was actually close to as bad as it can possibly get - the core was literally blasted open to the air and on fire for days, and a large chunk of what could possibly leak leaked. It's within an order of magnitude of the worst possible accident for that size of reactor, AIUI.
(You could theoretically get a lot worse if you could disintegrate the entire core rather than just leaking the volatiles, but at that point the "failure mechanism" starts looking like "someone took a nuclear bomb into the reactor building and detonated it" rather than anything endogenous to the reactor, and at that point I think it's safe to call that "not an accident".)
The short of it is that if every nuclear plant ended up exploding after 40 years we wouldn't be better off replacing coal plants with nuclear, but the numbers are closer than you'd think.
Oh I'll just give the punchline. Including things like deaths due to disruption of medical care during the evacuation the Fukushima disaster killed about 600 people or 6 per gigawatt-year of electricity generated. Coal in the EU averages 2 deaths per gigawatter year, or three times lower. Coal power in China is closer to 100 though.
Ahh, interesting. Your conclusion was that "it killed 1.8 people for each Gigawatt-Year". There are 8.766 TWh in a GW-year, so that's 0.2 deaths per TWh, over 100 times lower than coal's 25 deaths per TWh. Except, you *also* say that you have seen data that coal kills vastly fewer people than Our World In Data says it does. How odd! Any idea what's going on?
Anyway, your scenario is different from Meltdown World in that you keep the relocations. I say if meltdowns happen constantly you can't realistically have big exclusion zones everywhere; you have to let most people return home and estimate whatever excess deaths that would imply. Even here in our world, there is a paper that concludes that the population should not have been relocated, but this paper doesn't estimate how many excess deaths would've happened, it just estimates days of life lost.[1] This makes it harder to compare with other energy sources. However Fukushima reportedly killed over a thousand people due to the "trauma" of relocation, and my calculations indicate that the number of additional cancer deaths that would've occurred without relocation is less than this, so it doesn't take a genius to see that people should've been evacuated only, not forcibly relocated. For all I know, voluntary evacuation + distribution of iodine pills might've been enough.
Meanwhile, I've been expanding the above comment to a Medium post in which I do a more complete set of back-of-envelope calculations to re-estimate how bad Meltdown World is, and I came up with 14 deaths per TWh. This estimate is mostly pulled from my ass, and it looks like the paper your post is based on has a much lower estimate for deaths outside the exclusion zone than I was using, so I should have a closer look at that paper before publishing.
Great review and a nice accessible primer on risk management in safety critical industries.
I do wish one point was driven in a little more boldly - probabilistic risk management is only as good as the team administering it. If your team is working with bad data, if your team isn't competent, or if management incentives distort the priority of maintenance work/budget - these are all failure modes that undermine the effectiveness of the methodology. I'm surprised that this wasn't covered in the Fukushima part!
I'm also curious about the regulatory landscape - what's binding the plant management to conduct the assessments and ensure that competent people are doing them? Who's reviewing your LOPAs (Layers of Protection Analysis) or mandating that you need to do them at all (or do the follow-up maintenance / improvement works)? Again, the methodology isn't cheap (monitoring and fixing every component is pretty pricey). If there is no license to operate tied to compliance, the management is basically free to ignore it. Not necessarily in the scope of the review but an interesting question nevertheless.
"Probabilistic risk management is only as good as the team administering it" - I agree with this, but I think the author of the review drew a very different conclusion. Based on the last line, he seems to believe that probabilistic risk management is doomed to fail eventually (because of unknown unknowns) no matter what team administers it.
Well, of course. So will every other way of foreseeing the future. But that doesn't say whether it's "good enough". And the more common problem is poor administration and perverse incentives.
I think the problem with probabilistic risk management goes deeper than imperfect execution. PRA has no scientific backing as far as I'm aware (there's no evidence that PRA creates safer designs that alternative methods). Every institution that does PRA will have incidents in which something which should only happen once in a million years according to PRA stubbornly happened twice the same week in reality anyway. They will also have incidents where harm or serious risk of harm happened in ways that wasn't even considered in the PRA and in ways that are intrinsically hard to capture in a PRA, such as software failures, design mistakes, re-use of old subsystems that were safe in the old context but becomes unsafe in the new context etc., and a good argument can be made that most serious harm is caused by these kind of issues. Nancy Leveson is the person to read to get perspective on the criticism of PRA.
Thanks for the suggestion, I found this paper by Nancy Leveson: https://dspace.mit.edu/handle/1721.1/108601. Section 2.2 was particularly helpful for explaining some of the flaws in PRA.
What do you mean by ‘alternative methods’? One alternative method is ‘pay no attention to safety whatsoever and do everything as cheaply as possible’. I’m sure it does better than that.
What you describe is obviously not a method for safety engineering.
Alternative methods to PRA would be qualitative methods. There are plenty of qualitative methods for risk assessment and risk management described in the literature. See the paper linked above (https://dspace.mit.edu/handle/1721.1/108601) for an example and a discussion:
>There is very little scientific data validating probabilistic risk assessment or evaluating the methods for calculating it, particularly for complex engineered systems that include software and humans [32,33,34].
The reactor plant design engineering company does the analysis for a new plant, all of the data and models are given to the NRC who reviews them, challenges them and asks for additional information if anything is missing. After the plant is being operated the utility has to submit all the same information if they want to change anything and it goes through the same review.
That process is for meeting the deterministic regulations. PRA is done a bit less formally because it's intended mostly to "risk-inform" the safety efforts and shouldn't be necessary for ensuring "adequate" safety. The plant operator does the PRA analysis and gets it peer reviewed by outside experts to see how well it fits the ASME standard. The NRC looks over the PRA results and the peer review, and also makes it's own PRA model (largely based on the plant operator's data), and as long as they match reasonably well, it's considered good enough.
Lot of that "working with bad data" seems like it could be traced back to not having enough data points - that is, the way to make nuclear reactors safer is to build more of them, refine designs through iterative testing.
The problem I have with this entire area is that it is populated by rogues on all sides.
Radiation is the bugbear used by the anti-nuclear people:
Ignore the radiation from riding on planes, from nuclear testing, from mining, from burning and/or releasing fossil fuels, from natural gamma ray emissions on earth and from space etc etc. Ignore the deaths from nuclear as compared to literally all other energy sources. Ignore the carbon emissions (or lack thereof) from nuclear. It can release radiation! Boo!
It is perfectly fair to say that dismissing all radiation emission concerns/accident concerns is also ridiculous.
But ultimately, the true issue is being ignored. All sources of energy have tradeoffs vs. each other.
These tradeoffs are not being discussed even secondarily - carbon emissions or radiation vs. what any given society considers a priority.
Japan used a lot of nuclear because they literally have to import all their energy. They have no coal, no oil, no minerals to speak of, no natural gas, etc etc. The shutdown of all Japan's nuclear plants literally led to the return of oil burning electricity generation in Japan. Is that a win?
Massive installations of alternative energy electricity generation in Japan have not fixed their energy import problem; it has actually made it worse in conjunction with the nuclear shutdown. World Bank data shows Japan up to 2015 (its latest data) importing more energy than literally ever before as an overall percentage. EIA shows alternative energy providing all of 6% of Japan's energy supply even as the step up jumps in oil, natural gas and coal imports - pre 2011 vs. post 2011 still persist.
So is extremely expensive and carbon intensive Japanese imported energy worth the "safety"of nuclear plant shutdowns? That issue is not even in the discussion.
If you ask the question on Google about victims of Fukushima nuclear disaster it lists over 19.000 deaths, but if you go to the quoted article it turns out those are mostly victims of tsunami (I remember that at the time seeing press coverage of nuclear disaster it was almost possible to forget there was tsunami in Japan). According to wiki, none died directly from radiaton and "at least six workers have exceeded lifetime legal limits for radiation and more than 175 (0.7%) have received significant radiation doses. Workers involved in mitigating the effects of the accident do face minimally higher risks for some cancers." Also, "Predicted future cancer deaths due to accumulated radiation exposures in the population living near Fukushima have ranged in the academic literature from none to hundreds." There are also deaths attributed to evacuation, especially among elderly and infirm. This is all tragic, but considering that Fukushima power plant was not exactly brand new, and there was a powerful tsunami and earthquake it could be also interpreted as fairly successful stress test of nuclear safety of places which are not exactly up to modern standards. Also contrary to claim I seem to have seen in the review it was all probably completely preventable and predictable:
There's no agreement about what danger (or maybe even benefit) present low levels of radiation exposure.
Partly because we just lack data.
Partly because most of those that we have (and works based on it) can't be trusted because those that produced it are hopelessly biased either for or against fission power.
(My rule of thumb would be to look at what the recently retired from the nuclear industry people are saying, sounds like the author of this book is one ?)
This makes it particularly ridiculous to try to compare deaths from wind/solar and nuclear. At least with coal we can try to compare the radioactivity released too, though even here : it's not like there's a single kind of radioactivity, even when talking about inhaled/ingested dust...
Sure, we don't understand the health effects of low dose radiation very well, but the linear no threshold hypothesis provides a reasonable upper bound, and allows us to know pretty definitively that there will not be thousands of cancer deaths as a result of fukushima. As Bartosz said above, the number could eventually be in the hundreds, or it could be lower.
Also, looking at the 2011 WHO report reminded me that looking at deaths only is perhaps too simplistic, there's also the much harder to quantify general misery that can happen due to sickness and other causes, including caused by the evacuation itself, which can be worse than radiation.
But coming back to this review, the problem with this is that the uncertainty is much larger for the events that haven't happened yet, like the example given how we narrowly (?) escaped a catastrophe several (how many?) orders of magnitude larger in Fukushima (and this *still* is a past event !).
Upper bound, yes. Reasonable? Hahahahahaha. No, it's not reasonable at all!
For low doses, LNT overestimates harm by multiple orders of magnitudes. It completely ignores the difference between acute and chronic doses. And at high acute doses, LNT massively underestimates the harm. LNT is dangerous nonsense.
Yes, LNT does not take dose rate into account. We know that a higher dose rate increases the damage, but we do not currently have a good model of that relationship. Jack Devanney imagines a specific nonlinear function from dose to cancer fatalities , and for all I know he could be right - but he has no data to distinguish it from a hundred other possibilities. We do know, from the Million Person Study on low dose chronic radiation effects (especially nuclear power plant workers and industrial radiologists) that there is a dose response relationship for certain cancers that looks vaguely linear down to about 25-50 mSv total dose. Below that, there's too much noise in the data to be able to tell.
And although Devanney (at least in the article you linked) ignores this data and looks at just atomic bomb survivors, above about 50 mSv his sigmoid is pretty similar to LNT. So yes, LNT is *reasonable as an upper bound*. And the public fear of radiation that he is so upset by is just about as ridiculous under LNT as under the sigmoid model. Coming up with something provably better than LNT is difficult, and you shouldn't have to do it before you fix the way society treats radiation risk.
The article I linked is indeed very abbreviated. A more comprehensive look is available in his book available free online at https://gordianknotbook.com/. Specifically, section 4.6 discusses occupational exposures which covers most of the data from the presentation you linked above. It's not that long and I highly recommend reading at least that section (the entire book is worth reading).
Additionally, the slides you linked above get literally all their data from studies by the same people performed in the last few years. Devanney documents quite the sordid tale of bias in their work in favor of the LNT model despite very little support from the underlying data.
Over what time span? You've got to include that for the questions to have any meaning.
I'm rather sure that the answer would be "pretty low". More significant is probably "How many people lost their homes and livelihoods?", and I'd wager that would be a LOT higher.
Well written but lost me early. "Nuclear energy is perhaps unique as a technology, in that no amount of experience seems to change society’s comfort with it. The topic is forever radioactive."
If it said: "society's discomfort", it would be not less true. (plus "no change" kinda contradicts the next sentence: "Wellock sets out to tell this history, how the US public went from nuclear-lovers in the 1960s to suspicious in the early 1970s, hostile in the 80s, and ambivalent today..")
Only at the end it is mentioned that all other energy-sources are killing people, and all kill more by kw/h produced. I assume, it is clear, that not having electricity would kill billions, soon and ugly.
While the deaths by nuclear energy turned out to be in the same ballpark as meteors, one digit per year on average.
2. Worse: I did not really learn anything about "Probabilistic Risk Assessment". Except that the author seem to argue we should instead imagine the worst possible "dragon king" and (without probability?) see how we feel about it? - "What if we assume the maximum cost of a nuclear event is not $1 trillion for the Fukushima we lived, but $10 trillion for the Fukushima we escaped?" - well, what if we assumed the 1 trillion is a hundred times overblown? The deadliest thing about it was the forced evacuation of elderly, resulting in premature deaths.
3 Cat on fire? Kidding? Hell there are a thousand more likely ways to have a fire in a furniture shop. The sane way is to install alarms. fire-fighting equipment and fast exits. Plus a competent fire department not too far. All that is done in real life. One lesson of Fukushima was: Have rescue measures ready. But there was no radiation proof robot/remote vehicle to get inside, let alone do something.
Massive forest fires are dangerous, therefore any sufficiently large forest is not safe enough and needs to be split into several small forests instead?
You could ask Canada what the preferred approach is. Reports are they aren't expecting their current forest fire to be contained until the rainy season. And you could ask the people in New York whether that is good enough.
This review is vague in places, there is a kind of “hint, hint“ quality to it at times. For example, in the beginning it says that the nuclear industry was faced with a “crisis,” which apparently was caused by the lack of accidents at nuclear facilities, something vague about the civil rights movement, and something (what?) people would discover thanks to the freedom of information act. So what was the crisis exactly?
This book is probably harder to review than some of the others because it seems quite technical. I can’t tell whether the vagueness in the review is caused by the difficulty caused by this technical nature or by the reviewer’s own opinions, which he or she suggests at but doesn’t bring out into the open.
Or take this passage: “"Safe Enough?" was not written as a defense of the Nuclear Regulatory Commission's regimented style. But as an outsider reading about the math for the first time, it became clear to me that once the NRC chose to implement Probabilistic Risk Assessment, an intrusive bureaucracy became its destiny.”
Any regulatory agency or commission is, by definition, an intrusive bureaucracy. That is literally the whole point. So what does “an intrusive bureaucracy became its destiny“ mean?
If I was to sum up this review it would be “analysts can make models that calculate the probability of nuclear accidents, but that isn’t sufficient because maybe we should always be thinking about the worse case scenarios”. The problem with that is that if global warming is as bad as we are expected to believe, we don’t have the luxury of thinking about very unlikely nuclear accidents.
As far as I am aware, by the way, at least part of public wariness about nuclear power is based on the inaccurate idea that a nuclear power plant can blow up like a nuclear bomb.
A regulatory agency or commission need not be "an intrusive bureaucracy". Sure, by definition, regulation "intrudes", but it need not be full of rules and reporting requirements. Of course, human nature being what it is ...
Is the timing of this related to the ongoing rumors that Russia have physically implemented a plan to sabotage the biggest European fission power plant (specifically by blowing up its cooling pond) ?
And blowing up the cooling pond is still probably one of the least damaging ways to sabotage it ?
That someone (with nation-state levels of means, not talking about small fringe groups) would be willing to do that is likely to radically shift the public opinion against fission power !
I'm really angry at this point that Macron has *still* not done an emergency press-conference, Johnson-style, about how the reaction to this kind of sabotage would be the same as for the use of nuclear weapons.
(And think of the opportunity to show yourself as a defender of Mediterranean (and Black Sea) countries in general, and Turkey in particular ! But I guess it's like when he ignored both of the nuclear issues in early 2022, despite their centrality in the UKR-RUS conflict... I guess this is what happens when you basically decide to get rid of your diplomatic corps to the profit of a small, inexperienced team that you have full control over ?)
Oh, and I forgot to point out that in less than 3 decades we went from the collapse of the URSS being unthinkable (and "brother nations" like UKR and RUS even more so) to... this.
Kind of. It's basically a Schelling point, smallest tactical nukes are less destructive in some ways than some conventional munitions, but a bright-line consensus against using them prevented this so far. Sabotaging a nuclear plant is much more of a gray area, where it's not clear that there's a consensus about it, so it isn't in France's interest to unilaterally commit to escalation.
This review isn't clear enough to me on how that first report treated uncertainty : is the fact that it doesn't show up on the graph because :
- that was a propaganda operation deliberately misleading the public
- the scientists were incompetent
- and/or my assumption is wrong that if you would try to properly calculate uncertainty ranges across "cascade events" like these you are going to end up with ridiculously wide ranges for them ?
Another minor annoyance of mine is the improper use of units :
"triple the GDP of" should be instead "three years worth of (time interval X-Y) GDP".
(Also GDP hasn't been a good indicator of "wealth" for like half a century, but that's another issue...)
I was a licensed reactor operator in the late 70’s. What I remember was the NRC analysis saying that the “maximum credible accident” would cause 0.1 % fuel rod damage. At Three Mile Island the fuel rod damage was an order of magnitude higher. So much for “science”.
Clearly the industries and its apologist were full of shit. Unfortunately we still need energy and fossil fuels are a suicide pact. Thank goodness that solar and wind seem to the answer. (Oh, and in 20 years in the future there will be fusion of course)
I REALLY, REALLY, REALLY want controlled fusion, but I'm quite dubious about it's utility down here on Earth. What I want it for is mobile space habitats, and for that "20 years from now" is fine.
As for Probabilistic Risk Assessment, the method is fine, but it's so complex in application that it can't really be applied. Only estimated. and your "NRC analysis" is saying that the estimates were made using perverse incentives. I prefer to think of it as "Probabilistic Risk Containment", i.e. when you get an number, you know the risk will be at least that high. You don't know the maximum, because there are always things nobody thought of or considered important.
This would have been prior to any wide application of PRA. People just kind of decided on the Maximum Credible Accident based on engineering judgment, which I guess is not technically the same as "vibes".
Will there be fusion? What reason is there to say there will be fusion in 20 years that there wasn’t to say ”there will be fusion in 40 years” in 1980? I do not know anything about it myself, but have heard some scientist say that the problems with fusion are enormous and there hasn’t been much progress there.
There are lots of companies with plausible sounding designs and plans to build prototypes in the next 10-15 years. There are definitely still technical challenges, like reprocessing of lithium blankets to recover helium 3, but there have also been big advances. I think some of the movement is due to stronger magnets permitted by better high temperature superconductors.
There was a great ACX book review last year about the various fusion prospects.
Sounds like you might be referring to the emergency core cooling system (ECCS) criteria, and it would have been true, except the crew at TMI turned it off over a misplaced fear of filling the pressurizer solid.
I seriously doubt that in a worst case Fukushima event evacuation of Tokyo would have been NECESSARY (i.e. a significant portion of the inhabitants would have experienced severe radiation sickness or death if left in place).
I think we would merely have CHOSEN to evacuate based on current exposure limits which is the problem in the first place. Btw. this same attitude also killed a bunch of people in the real Fukushima event as the evacuation proved way more lethal than the radiation.
Does anyone know the actual predicted does rate in Tokyo this claim is based on?
I think the dichotomy between necessary and chosen is mostly false. A nontrivial exposure to radiation (e.g. at least on the same order of magnitude as the yearly natural background radiation) will likely lower the expected number of quality adjusted life years by some fraction. Depending on the expected amount of QALYs lost per inhabitant, it might be preferable to evacuate them or not, that is a mostly political question where both extremes ("Evacuate Tokyo to save a single radiation victim" and "let half of the population die of radiation poisoning and another quarter of cancer within a decade") are very silly but in between them there would be some room for debate. Of course the exact amount of radiation exposure expected is not known beforehand. And also, we are not on dath ilan, so in practice the correlation between the danger to the population and the response might be rather small.
The point is, I am pretty sure that there is no plausible scenario where Tokyo could have gotten enough fallout to make an evacuation even close to worthwhile by any reasonable metric, be it QUALY, DALY, cost or whatever. This is unfortunately mostly based on intuition and extrapolation from Chernobyl, so I am interested in the actual predicted radiation doses to confirm or refute this. What is clear is that the evacuation that really did happen was nowhere close to reasonable and very close to what you describe above as "very silly"
One important factor in understanding the switch to probabilistic risk assessment is that back when it was introduced US power was run as a series of regulated monopolies allowed to set their rates to profit at a cost-plus basis. In circumstances like that there's always a temptation to increase one's costs as much as possible, since a 10% profit on $10 billion in costs is more than a 10% profit on $1 billion. So the regulators always have to be looking at the proposed safety schemes the utlities are coming up with and saying "nice try" when PG&E comes to them with a plan to bury all their power lines or something.
But with nuclear the power companies saw a chance to get laws enacted which would drastically raise their cost structure, allowing them to legally raise their rates and profit more. So you had a sort of bootleggers and baptists coalition in favor of applying unprecedented safely regulations to nuclear power, aiming not just to reach a certain level of safety but to make it as safe as possible.
I remember reading some article, where cost-efficiency of safety in some industry was highly unfavorably compared to that of nuclear-powered aircraft carriers, "staffed by lightly-trained 18-year olds". Nuclear power usage by the military does seem to be unusually competent, despite presumably being pretty challenging, and rarely ever does anybody pay attention to it.
A melted reactor doesn't work anymore. It would be really difficult to keep it a secret if an aircraft carrier or even a submarine were suddenly removed from service. You are correct that you don't ever hear about the stuff that does go wrong where a commercial nuclear site would have to tell everyone, but really there aren't a lot of serious problems in the nuclear navy.
"The Tokyo metro area has a GDP roughly twice the Paris metro area, so a $10 trillion estimate is not nuts, though truthfully the people of Japan might simply decide to just live with the fallout rather than pay that figure."
So the figure actually is NOT $10 trillion but just a small readjustment in life expectancy.
Based on radiation effects I've heard of that readjustment might even be net positive. But people would be very stressed which might negate that even in terms of life expectancy. It sounds like stress is the number one negative factor for Chernobyl survivors, beginning with the fact that they are classified as survivors
Great review. This raises a question for me. Does anyone know if hurricanes are cascades? I.e., is there any theoretical reason that a hurricane couldn't have winds of 500 or 1000 mph?
As an order of magnitude check, I just looked up the wind speeds in the Great Red Spot on Jupiter: 400 mph.
So high speeds in cyclonic storms don't seem to be ruled out a priori, but I would guess there's something like an exponential negative feedback mechanism that in practice keeps things a bit more in check.
There's a theoretical upper bound on hurricane intensity, a function of sea surface temperature, tropopause temperature, and atmospheric relative humidity. The very strongest storms seem to reach this limit.
OTOH, a related issue is the maximum amount of rain that could possibly fall at a given location in, say, a 24-hour period. Standard hydro engineering assumes there's a limit, and that it can be estimated from historical events with useful accuracy, but there's no theory that provides it and nobody knows for sure.
The problem with traditional designs like the LWR and BWR is that they don't fail safe if the cooling system fails. After shutdown, you end up with too much excess heat that can't be dissipated without an ACTIVE cooling system that needs to run for a few hours, or maybe a day or two for the biggest plants.
That's it -- that's the engineering problem that needs to be solved.
You can't fix this with layers of bureaucracy, complex mathematical modelling, or lots and lots of redundancy. That's the lesson of Fukushima and Three Mile Island.
And that you need to make your active cooling system capable of standing up to a tsunami, and don't skimp on safety measures just because 'that seems excessive and will make the public worry about how safe this plant is'.
Ah, yes, but you expect (or should do) tsunamis in places where there are tsunamis. Building a tsunami-proof design where there *aren't* tsunamis is the tricky bit.
I do think part of the problem with the 50-70s reactors was that we just didn't have the materials/tech to solve the problems. *Today* we know the problems, due to the past, and know How Not To Do It Like That, but when you're in the days of "foam rubber sealant" well things aren't that able to stand up to the demands of "it'll never happen/oh crikey it just did".
Japan seems like a particularly problematic place to have nuclear reactors.
I hope they also have better safety culture. I was struck by the incident described where some people thought it was a good idea to have a live flame at the plant (to test the air flow).
They had multiple levels of backups: batteries; diesel generators, even a gravity-fed cooling system that could operate without power. If you're really interested there's a writeup here: https://spectrum.ieee.org/24-hours-at-fukushima
There were a lot of things they could have done better, but I think the lesson is that a system that requires active cooling for a long time after shutdown simply isn't safe. You're basically saying if the power ever goes out, everyone's dead.
Molten salt reactors don't require active cooling after shutdown. But to get them we'd have to give money to engineers rather than bureaurats, which I guess is impossible these days.
In fairness, some startups are building scaled-down LWR/BWR designs that don't have the "requires active cooling after shutdown" problem -- but only because they're small.
LWR is a great design for a small submarine power plant, which is the actual original use-case it was designed for.
The AP1000 is passive too, so it can be done in a large LWR. The main reason everyone wants to develop scaled down designs is to reduce construction costs through mass production/learning curves. It remains to be seen if this will work.
"the lesson is that a system that requires active cooling for a long time after shutdown simply isn't safe. You're basically saying if the power ever goes out, everyone's dead."
You might as well say an airplane that requires working engines to stay aloft isn't safe. It's a safety concern that requires an engineering solution, and whether the system is safe depends on how well it's implemented.
The point I was making is that there are designs which don't require active cooling for a long time after shutdown, like molten salt. We should invest in them.
Also, airplanes aren't perfectly safe, and flying craft that can't glide after losing engine power (like helicopters) are much more unsafe. So your own analogy supports my point.
The active cooling systems is necessary to prevent the reactor core from melting itself to slag. A reactor core melted to slag is a billion-dollar loss to whoever insures or owns the reactor, because they needed a nuclear reactor and now they don't have one and a replacement will cost a billion or so dollars.
But the molten slag that used to be a reactor core is inside a structure of steel and reinforced concrete that is designed to contain a melted-to-slag reactor core without letting any of the slag out. So long as that part of the design is sound, and assuming you aren't personally involved in the nuclear-power insurance industry, why do you care?
It is possible that the design of the containment vessel is unsound, but that *is* the sort of problem you can fix with layers of bureaucracy, complex mathematical modelling, or lots and lots of redundancy.
Hydrogen gas can be vented; pressure relief valves are a known and highly reliable technology. And so long as you're dealing with a light-water reactor, there shouldn't be an unacceptably dangerous level of radiation in the hydrogen (or steam, or air).
And so long as you're dealing with low-enrichment nuclear fuel, there is no geometry that allows nuclear reactions without a moderator. If the only moderator you have in your containment vessel is water, then either the corium slag is mixed with water (in which case the temperature can't be above the boiling point of water), or there's no nuclear reactions occurring.
Almost all nuclear power plants use low-enrichment uranium and light-water moderator. Plutonium breeder reactors designed for use in nuclear weapons programs are a different matter, which is why we got Chernobyl (and, for that matter, Windscale)
The main approach to safety with current reactors is indeed to prevent core damage in the first place, or stop it quickly after it starts like they did at Three Mile Island.
Once the core has melted, as we saw at Fukushima, it is quite difficult to contain the steam pressure that tends to build up in the containment vessel (even if hydrogen is controlled successfully). If you have AC power, you should be able to spray in water to cool and condense some of the steam--but this also increases the risk of explosion, because it raises the effective hydrogen and oxygen concentrations. Otherwise, you can try to vent, as they tried to do at Fukushima, but the containment vessels were not really designed to vent in an emergency, because that releases a bunch of fission products into the atmosphere.
Assuming you manage to prevent containment failure from overpressure or combustion, there is still a risk that the core will melt through the basemat and contaminate the groundwater, which is less of a problem for the local population than releasing to the atmosphere, but still not great. All in all, it's estimated that about half of core damage accidents will eventually result in some form of containment failure.
Preventing the core from melting is definitely plan A. But Three Mile Island had about half the core melt down, and the only thing that escaped was some mostly-harmless gas vented to relieve the pressure. And that is definitely something reactors are designed to do in an emergency, because it's better than the alternative. Though I believe they typically vent through a pool of water to condense and capture any steam or low-volatility products that might get caught in the gas flow.
Fukushima was a bit worse than that, because the tsunami wrecked so much of the external safety equipment (including I believe some of the purely passive stuff). But we already knew that a 9.0 earthquake off a populated coastal area was going to break things and kill people; if having a nuclear power plant in the way increases the lethality by 0.01%, your response should not be "OMG, no nuclear power ever!" but "Why are we building cities right next to major fault lines again?"
In the US, most of the BWRs were required to install hardened vents after Fukushima (hardened meaning they should still work when everything is covered in radioactive steam), but they successfully argued against the filter-through-a-pool-of-water thing on the basis that it wouldn't pass a cost benefit analysis. In some other countries, filtered vents are standard. The PWRs are not required to have venting capability because their containment vessels are larger and don't overpressurize as quickly.
I agree it's important to keep the risks from nuclear power in perspective. Accidents can be very costly but generally not very deadly. Incidentally, we are all involved in the nuclear insurance business via the Price-Anderson Act that limits the industry's liability to $13 billion and makes taxpayers the insurers of last resort.
BWR is typically an acronym for Boiling Water Reactor, the other type is a PWR or Pressurized Water Reactor. Both of these are LWRs which stands for Light Water Reactor since they use water as the coolant and moderator, and the light part means regular water as opposed to the heavy water reactors which use lower enriched or even unenriched uranium but use deuterium (heavy water) as the coolant and moderator.
The problem isn't excess heat, that would be easy, the real problem is decay heat, and it is significant. Decay heat is the heat generated by the decay of fission products. While operating at power approximately 7% of the heat is generated by the decay of fission products. An easy thumb rule is that decay heat drops in half for every time unit change, 3% after 1 second, 1% after 1 minute, 0.5% after an hour, etc. The large units are still producing more decay heat after being shut down for a month than a nuclear submarine at 100% power.
Yeah, the engineers will get real accurate numbers when needed for things like estimating time to boil in the spent fuel pool after a core offload, but for operators that just need a rough guess it works surprisingly well. Always good to have a very rough estimate so when someone gives you a number, you can make sure it's in the ballpark for what you expect or not.
The curve in the Rasmussen Report suggesting that the dangers of nuclear power are on par with meteor strikes seems like bullshit to me. If your model says that the death due to nuclear power per year are effectively nil, then it might be a good idea to consider how confident you are that your model captures reality correctly in the relevant parts. If you allow even a modest 1% chance that non-modeled conditions cause a big accident, then that part will simply dominate your estimates. [0]
---
> There are about 40,000 generations of neutrons every second.
That is 25us, which is less than a thermal neutron would need to diffuse from the moderator to the fuel. The number is correct (for light water reactors) because a significant fraction of fission events are caused by not-quite thermalized neutrons. [1]
> The known speed of these feedback loops is probably a source some of the public’s hesitation around nuclear energy - one of the public’s Bayesian priors, if you like to frame it in terms of logic.
That is utterly wrong. I don't think we could implement a control rod reacting within 25us. The reason why we can control nuclear reactions at all is that there are two groups of neutrons:
* prompt neutrons are emitted when the fission happens, and make up more than 98% of the neutrons
* delayed neutrons are emitted some time after the fission, the emission half-life is on the order of 0.2-60s.
A situation in which the prompt neutrons alone can further the chain reaction is called prompt criticality. Anyone who runs a reactor into prompt criticality is going to have a bad day. In general, nuclear reactors make rather poor nuclear bombs (where the neutron generation time is much shorter, likely less than a nanosecond), but depending on the particulars of your reactor (void coefficient) you may generate enough energy to blow up containment before something decreases your reactivity.
The correct way to run a reactor is to avoid prompt criticality. Instead, you rely on the ~1-2% delayed neutrons to get to neutron multiplication factor of one per generation. The delayed neutrons react on a time scale which is long enough that you can compensate with your control rods during normal operation.
---
Footnotes
[0] Also, I think using impact events as a baseline for "least threatening" is kind of rich. Impacts may kill much less individuals than tsunamis, but they can take out species. If I was one of the 75% of species wiped out in the KT impact, I would not not just be sad at the lives lost directly, but also at the glorious Cretaceous being cut short, preventing many generations of my species from existing.
I've been on a CANDU reactor kick and one of the interesting things is that they have a reputation of being something that would have weathered Fukushima yet they do have a slight positive void coefficient. It's claimed that spring assisted electromagnet damping rods and a chemical neutron poison combine with the sideways geometry that kills reactivity as soon as the channels start to bend from overheating makes this fine but I wonder what your opinion on it is?
I really don't know a whole lot about CANDU, I work with someone who worked on one, and the very little I know, they sound great. I really don't see how they would fair better in a complete loss of power scenario though. The reactors at Fukushima shut down just fine, immediately after the earthquake, about an hour before the tsunami. This wasn't a reactivity or reactor power problem. The problem was that Fukushima lost all AC power and most DC power too. Decay heat needs to be removed, without cooling, after some time, the fuel will melt. I don't know of anything different about the CANDU reactors.
I will say, the size of a generator needed to establish and maintain decay heat removal really aren't that big. Fukushima was unfortunately such a large area of destruction from the tsunami they couldn't get a generator helicoptered to them in time.
Fukushima Daini plant survived because they had one AC power line available that the drug cables to provided enough power to remove decay heat.
The theory I'd heard before is that the large calandria around the CANDU pressure tubes would handle a lot of heat, giving the extra margin to avoid a release
However apparently because the tubes are small they can be passively cooled indefinitely if you can get water into the boilers and a CANDU plant actually has survived a Fukushima equivalent situation without damage in a tight situation - https://www.reddit.com/r/nuclear/comments/14osj9u/comment/jqf7jo9/
I really don't know anything about the CANDU reactors, nothing. That reddit post sounds no different than most of the Pressurized Light Water Reactors both Navy and commercial. Very familiar plan for a loss of power. what they call boilers is what we call Steam Generators, just a difference in terminology. PWRs (light water) would do the same thing, vent the Steam Generators and try to add water in any way possible. Typically, there is a stem driven auxiliary feedwater pump. so instead of just venting the steam generators to atmosphere immediately, you use the steam to run a turbine driven feed pump to add water back, the steam after it leaves the little turbine is vented to the atmosphere. This can work for a while as long as you don't run out of water or steam (BWRs have a similar thing but can't just vent the steam). I'm guessing that this is what the CANDU poster was talking about, using the steam driven turbine pump to add lake water after they ran out of purified water, but I'm not positive.
Apparently, they had some form of power as the backup to the backup, you never hand carry water in buckets, but a smaller generator can be used, one of the changes after Fukushima was that every site in the US built a hardened dome with smaller trailer mounted diesel generators and trailer mounted pumps, and all the cables and fittings needed to connect them.
Fukushima Daini could have ended up just like Fukushima Daiichi, but they still had one high voltage line survive, they managed to drag the big cables around, use equipment for moving water that wasn't designed to be used and use alternate sources of water. Story I read was that the person in charge there had been an operator since the initial construction and knew where a pond was that they had used during the construction flushing and used that water for cooling.
Fukushima Daiichi and a lot of other boiling water reactors have a lot of water in the torus, the doughnut shaped part around the drywell. They also have an auxiliary feedwater pump, turbine driven that both takes a suction on that water and uses it to condense the steam from the turbine. The people I knew that understood BWRs were intensely focused on the TEPCO reports that had drywell temperature because that was the limiting factor. Once it got too hot, they needed to add more water and vent the torus, or the pumps would lose suction (can't pump steam). Units 2, 3, and 4 had that system and survived approximately three days.
Fukushima Daiichi unit 1 was different, it had an isolation condenser, a heat exchanger where the primary water went through tubes in an outside tank with just regular outside water that could steam to atmosphere and have any kind of water added. Unfortunately, it worked too well, and they turned it mostly off after the earthquake (it was cooling the plant too fast) but before the tsunami and didn't turn it back on or add more water. When unit 1 exploded, it undid everything they had been working on to add water to units 2, 3, and 4, and made the conditions for working much worse and they never recovered. Tragic.
Anyway, I can't stress enough that I know nothing about CANDU, extremely little about BWRs, and precious little about traditional PWRs. That said, I know more about those topics than I do about fashion, finance, medicine, or relationships, otherwise I would do my normal lurk without commenting.
"Uncontrolled prompt criticalities should obviously be avoided. However, with specially designed fuel like in the TRIGA reactors they are initiated deliberately in pulsing the reactor."
( If I understand correctly, this is possible because of a very large and very fast negative
temperature coefficient of reactivity from zirconium hydride intimately mixed with the
A good review, which explains why caution around nuclear power isn't just ecohippy nonsense, and why it is a good resource if we are careful how we operate it.
I think it’s popular to take a stance (which I also endorse to some extent) that abbreviates to “the environmentalist movement did more harm than good by not embracing nuclear”.
I think there are some potential flaws in this position though. As a statement at Simulacrum Level 1 (objective claims about the world [1]) it’s true as far as I can tell.
However it seems perhaps naive considering Simulacrum Level 3 (honest statements about political/social coalitions). I suspect there was not a stable political coalition that could have formed in the 50s-70s around “environmentalism + nuclear”. One could hypothesize a “homo rationalis” that just evaluates the evidence and decides it’s good policy to invest in both renewable energy and nuclear as a transition off fossil fuels. But in practice what actually builds a movement/community is uniting around a common cause, and I’m not convinced that there was actually a story to weave those two communities together; nuclear power post-war seems to have been a techno-futurist high-modernist optimistic movement, and environmentalism more of a doomer anti-technology/development vibe (not trying to strawman / deprecate here, meaning these in neutral sense). So given that I struggle to see a path to a stable, strong, cohesive “pro nuclear environmentalist” movement actually forming at the same level of engagement as our current environmentalist movement.
I am aware there are pro-nuclear environmentalists it just seems a somewhat niche/nuanced position to take, and not something you can fit on a bumper sticker, which suggests to me it’s not memetically viable in the same way as our current environmentalism.
Another point in defense of the environmentalists - their “no nuclear / all renewable” vision was in fact cohesive and sufficient to solve the problem of climate change. If we had actually ended the massive government subsidies for fossil fuels and instead pushed them into renewables, we’d have reached our present point on the technology learning curve many years ago.
My opinion is that nuclear built 10-20 years ago would have been the optimal path, but from where we are now solar and wind look so cheap that I struggle to find nuclear worth the indigestion. There was a lot of doubt that a mostly-renewable energy mix wouldn’t work, batteries/storage too expensive, etc., and it now seems that all-renewable is more viable than we previously forecasted [2],[3]. Given our inability to do any major construction projects in the US on time and on budget, large scale nuclear just doesn’t realistically synergies with our current capabilities.
Some environmentalists have been pointing out for a long time that nature/biodiversity itself isn’t affected significantly by moderately elevated radioactivity. It doesn’t destroy habitats. Animals don’t know they have an elevated cancer risk, most of them die of other causes before that becomes relevant and natural selection takes care of the bad mutations.
One thing I notice about the all-renewable forecast you linked to is that the majority of the power is from wind, and (for the year they show the data) wind never had a week where it was below 50% of its average capacity factor. It's not surprising that solar would be more reliable in Australia than it is most places, but I'm surprised that's also the case for wind. In general, I would want to see a detailed critique of this simulation's assumptions and applicability before I treat it as much evidence about the grid mix we'll need. That said, I don't see anything obviously wrong from the summary, so that's promising.
Yeah the environmental movement is just absolutely rife with people who are fundamentally Luddite’s. Hate society, hate technology, and only want solutions which are granola.
Peak oil this and that. I was once working on an environmental campaign were we were against hydro and nuclear. Fucking idiots.
Is it deeply difficult to design a plant that turns itself off by default unless active measures are maintained by workers to keep it on? I know that molten salt designs use an actively cooled ice plug that automatically drains the reactor if there are failures. Do Gen 4 water reactors still have these problems?
I think most new reactors are built so that there's passive circulation, you can have no power to the plant and water will circulate by the decay heat in the core. The BWRX-300 should be a-ok for 7 days and even at that point all you have to do is get water into its reservoir
Russian, Chinese and Korean modern plants don't have comparable features but it sounds like the Indian heavy water reactors are almost as safe as ones with fully passive cooling. You still have the potential of something causing loss of coolant but the likelihood of some force of nature causing that seems to be on a level where the additional nuclear damage would be incidental to the event
Molten salt automatic fuel drain should by rights revolutionize safety regulations since it just seems literally impossible for an event to happen with consequences beyond the plant. Routine corrosion causing in plant radiation leaks could be an endless headache though. If I understand the heavy water reactors well enough it seems like they could end up as the dark horse in the long run as they can actually run thorium which is why India is going forward with them, and the safety seems to slot in between large light water and Gen 4 fully passive SMRs and alternative reactors. Then their better proven costs could win out over the additional safety
Think of it this way, it's incredibly hard to get a self-sustaining nuclear reaction. It really is. Any number of things will fail, and the reactor will not be able to maintain a self-sustaining nuclear chain reaction. The most basic summary of training is that reactor power follows steam demand (from the steam generators on the secondary side). If steam demand goes down, more fission heat than is removed from the turbine demand, temperature in the reactor coolant goes up. higher temperature means more distance between parts of water, means more neutrons leave without causing another fission. Reactor power goes down without any operator actions.
Interestingly, it's the opposite for boiling water reactors: instead of reactor power following steam demand, steam supply follows reactor power. If you try to get more electrical power by opening the steam valves wider, without first raising reactor power, you reduce the pressure, which causes more of the water to boil, and the increased void in the reactor reduces power. Then that causes the pressure to fall even faster. Conversely, if electrical demand goes down and you try to throttle the steam valves, reactor power will go up. This positive pressure coefficient of reactivity creates positive feedback, which is compensated only by a fast-acting pressure control system. In practice I don't think it's much of a danger, but it sure sounds precarious.
Yeah, I've never learned much about the BWRs, I learned to say Startup Rate, and they say Reactor period. There is so much I don't know. If I wasn't too old to learn new tricks, I might make an effort to work at one, just to learn something new. The BWRs do seem to have much higher generator output and the in the PWR world, we really don't like anything beyond nucleate boiling, but apparently, the upper portions of their fuel are in nothing but steam, saturated steam (wet steam) to be sure, but since day one as a PWR sailor I was taught that even wet steam was seconds from disaster territory. Every day I learn more about how much I don't know!
The problem isn't stopping the fission; that's easy to make failsafe and everyone does it. The problem is that a substantial chunk of the power from a nuclear reactor comes from radioactive decay of fission products, and you can't turn off radioactive decay - all the fission products in the reactor core when you turn it off *will* continue to decay (although no new ones will be added, of course), and that means the reactor core will continue to generate power for weeks. If you can't get that power out of the core, well, the core will melt. It is possible to design a reactor such that the power can get out of the core fast enough to avoid a meltdown without active effort on your part, but it is not possible to take a reactor to near-zero power in any kind of rapid timeframe.
Spitballing here since I’m out of my depth, but a simpler solution for the first kind of errors (not those caused by tsunamis), is to keep organizing small incidents in your nuclear power plant every year instead of probabilistic risk assessment which is killing the industry by miring it in bureaucracy. In software, you regularly manually switch off servers, kill connections to stress test your system and check if the engineers are prepared to handle these issues. I suppose something similar can be done for nuclear power, start a fire randomly through the year to ensure engineers are prepared and ready to do what’s needed. I know the navy does similar drills.
>"I suppose something similar can be done for nuclear power, start a fire randomly through the year to ensure engineers are prepared and ready to do what’s needed. I know the navy does similar drills. "
With nuclear power plants, it's preferred to do this stuff in simulation, both for safety reasons and because it's so expensive to shut the reactor down (the navy doesn't mind doing a reactor trip for practice now and then).
>"instead of probabilistic risk assessment which is killing the industry by miring it in bureaucracy"
To a large extent, PRA is implemented as an attempt to reduce the burden of regulation. If plants can show that the level of risk is low enough, then they can make certain changes without a license amendment, leave failed emergency systems out of service until there's a good opportunity for maintenance, and that sort of thing. It saves them a lot of operational expense, at the cost of doing some extra analysis.
Interesting review. I completed my doctorate in nuclear engineering, focused on the safety aspects of one particular reactor design, and yet this is the first I've read about when PRA became king.
That being said, I think this review gives too much credit to both the cost of PRA and the competence of the NRC. While I'm sure that PRA greatly increases the design and cert costs of new reactors, I don't believe it's responsible for us choosing to build reactors with the QC requirements - and thus cost - of space ships. Nor is it responsible for the NRC requiring that the PRA analysis must report that the reactor will kill negative one people - as opposed to perhaps 10 or 20 - over its lifetime.
And speaking of the NRC, right now they are going to universities and asking for help to determine whether the NRC itself has the competence and tools to even evaluate a new reactor design.
>I completed my doctorate in nuclear engineering, focused on the safety aspects of one particular reactor design
Do you mind if I ask which one?
>While I'm sure that PRA greatly increases the design and cert costs of new reactors, I don't believe it's responsible for us choosing to build reactors with the QC requirements - and thus cost - of space ships.
If that's how it came across then there's a problem with the way this review is written. The quality assurance requirements long predate the use of PRA, as do most of the other deterministic requirements. PRA has relatively little effect on the design and licensing costs, as far as I've been able to tell (but I would love to hear from people who have gone through this process).
>the NRC requiring that the PRA analysis must report that the reactor will kill negative one people
HTGR, MGHTR type reactors in particular. Experimental work on what certain design basis accidents might do to the graphite. In short: nothing really, nuclear grade graphite is really really good. Although soft and very messy.
As for the negative one deaths requirement, that's always been my description of the NRC's requirement that every reactor design be more safe than the last, despite US commercial reactors killing zero people. Zero deaths is simply isn't good enough, they must kill -1 people.
I wish there was a dislike button. It's a great pity to see this blog associated with the misinformation in this post, though I appreciate the open book review contest format and freedom of speech, etc. Perhaps Scott should add disclaimers highlighting any dangerously misleading claims made in book reviews?
To address this specific case, there is no possible world where the Fukushima accident could have led to Tokyo needing evacuation. It's the kind of claim that is great for making Neflix 'documentaries' more exciting but doesn't really deserve much attention in the real world.
A quick google seems to confirm that there was a risk of needing to evacuate Tokyo? NYT has an article on it, going through a report from an independent investigation in 2012, and saying that "The report seems to confirm the suspicions of nuclear experts in the United States — inside and outside the government — that the Japanese government was not being forthcoming about the full dangers posed by the stricken Fukushima plant", "The report quotes the chief cabinet secretary at the time, Yukio Edano, as having warned that such a “demonic chain reaction” of plant meltdowns could result in the evacuation of Tokyo, 150 miles to the south". (Not linking because NYT, but it's easy to find.) Wikipedia mentions the risk and potential evacuation, and quotes the then-PM saying "If things had reached that level, not only would the public have had to face hardships but Japan's very existence would have been in peril." ( https://en.wikipedia.org/wiki/Japanese_reaction_to_Fukushima_Daiichi_nuclear_disaster#Evacuations )
I found the article in question and it's very typical of a lot of the very bad reporting that followed the accident. I'm tempted to add a snide remark about the NYT but maybe that would be pandering too much to this blog's long term readers. :)
The headline makes it sound like the Japanese government seriously considered evacuating Tokyo. However, if you read the article (and between the lines of the deliberately misleading word choices) it becomes clear that in reality some very poorly-informed politicians allowed their imaginations to run away in the midst of an understandably chaotic and panicked situation, and briefly 'discussed' evacuation of Tokyo. The idea that this could ever actually have been necessary is, as I said, dangerous misinformation.
This concept of a "demonic chain reaction" that the article mentions, which seems somehow to infect other power plants, is utterly bizarre to me. If you can shed any light on how it is supposed to work I'd be curious. Perhaps if it involves demons it is simply beyond the ken of modern physics?
It works where journalists looking for scary articles of questionable veracity and environmental luddites who hate nuclear power align with credulous public and pandering scared politicians to craft nonsense.
In comparison to the efforts to make nuclear energy safe, how many man-hours are spent making sure viral research labs don't have a "cat on fire" incident?
If the bio labs are safe enough, and given the risk-reward comparison between them and nuclear power, I don't see any reason why Homer Simpson shouldn't be a nuclear engineer.
"We've done dumber things" doesn't seem like a terribly convincing argument. Maybe we could, as a society decide on a sensible and proportionate approach to nuclear safety and then use it as an example for how to treat other high(er) risk industries.
Nah, it varies. Gregory Jaczko, who was chair of the NRC when Fukushima happened, was very anti-nuclear. These days the political winds have shifted, and the regulatory errors mostly happen for more nuanced reasons. You hear a lot of things along the lines of "we need to ensure a level of safety where no core damage accident will ever occur again, because the damage an accident would do to the public image of nuclear power would be fatal to the nuclear industry". I don't think it's a great argument, but it's not an anti-nuclear argument.
I hate this one. Extremely irritating the way it tries to anticipate or manipulate my emotional reaction to a fact, and completely fuck it up every time.
"A coarsely cynical reader might thus expect Wellock to sidestep damning details of nuclear risk at the behest of his employer."
No, why would I think that? What bureaucrat has ever tried to sidestep the details of the thing that keeps him employed?
It's funny the way pro-nuclear and anti-nuclear people both think the NRC is on the other side. This reviewer is anti-nuclear and thinks the regulators are shills for the industry, you seem to think the NRC is deliberately killing the industry.
The position of Historian for a federal agency is an interesting one because they have a lot of independence to criticize their employers, and indeed the author of Safe Enough, NRC Historian Tom Wellock, does not pull his punches in describing past failures of the NRC. But, in my opinion, he does not have much of an ideological agenda one way or the other.
Can they not be on both sides, in effect? Nuclear power must exist in some form, for the NRC to have their jobs, but it need not exist in a form that remotely realizes its potential.
Well historically the NRC hires more people when there's more nuclear being built, like during the "nuclear renaissance" of the early 2000s. After it fizzled they were on a hiring freeze for years (which also means not many promotions for the people already there). But maybe it's sort of an invest/exploit tradeoff, where if you regulate with a light touch more people will be hired in 5 years, but you're more likely to get a promotion right now if you make a big fuss over a minor potential safety issue.
I think the real missing piece of a discussion of nuclear power plant regulation is why the extremely high level of safety prioritisation isn't applied more universally - Prioritising safety may be rational, but if so it would be rational to do it much more uniformly, and one doesn't see anything like this culture applied to dams or to coal power plants or to heavy industries, despite almost all of those being statistically more dangerous than nuclear power.
This review so utterly failed the ideological Turing test that I couldn't read it through.
The last sentence I read was: “There are about 40,000 generations of neutrons every second” : there is no unit of time, no unit of weight, nothing to compare this data to. The only thing that I can do with this number is to be scared.
TL;DR: the first lie is that a nuclear release can't happen. That's obviously false. The second is that such a release would be catastrophic. This too is false (read the linked article to find out why).
All these silly anecdotes about reactor plant operators rushing about are entirely irrelevant. The fact is that nuclear meltdowns despite the scary names tend to be rather benign events when compared to the range of industrial disasters that people regularly put up with. And for a good reason: the benefits far outweigh the (possible) harms.
"Excessive concern about low levels of radiation led to a regulatory standard known as ALARA: As Low As Reasonably Achievable. What defines “reasonable”? It is an ever-tightening standard. As long as the costs of nuclear plant construction and operation are in the ballpark of other modes of power, then they are reasonable.
This might seem like a sensible approach, until you realize that it eliminates, by definition, any chance for nuclear power to be cheaper than its competition. Nuclear can‘t even innovate its way out of this predicament: under ALARA, any technology, any operational improvement, anything that reduces costs, simply gives the regulator more room and more excuse to push for more stringent safety requirements, until the cost once again rises to make nuclear just a bit more expensive than everything else. Actually, it‘s worse than that: it essentially says that if nuclear becomes cheap, then the regulators have not done their job."
"A plot from the Rasmussen Report estimating the likelihood of deaths from nuclear power as orders of magnitude less probable than dying from common natural disasters, closer to being killed by a meteor. There have been no known meteor deaths since this curve was published in 1974, though there is historical evidence that this is not impossible!"
Then, disappointingly, no discussion of deaths from nuclear power generation radiation since 1974.
I'm pretty surprised this review made the finalists. The author has a couple of sentences that mention the safety of other energy generation but the comparative safety of nuclear vs. other is clearly the main determinant of whether nuclear is "safe enough." Every analysis I've seen indicates nuclear is far safer than any other major energy generation technology and that it has been obviously safer than any competing technology for decades now.
Battery fires are a fairly common problem and the reasons are often different, but mostly it is a short circuit. By the way, if you personally often have problems with equipment, you should think about the place MJM Engines reviews https://www.pissedconsumer.com/mjm-engines/RT-F.html where you will buy new equipment with a guarantee, so as not to waste money.
> In January of 1974, after 60 person-years of effort, the Chair of the AEC reported to Congress that the odds of a significant meltdown were less than one in a million.
...Per what time frame? 1 in a million per year? 1 in a million per lifetime of the power plant? Something else? This number on its own is meaningless.
It's also not clear what counts as a "significant" meltdown. But the figure shows a one in a million chance of an event causing 1000 deaths across a group of 100 nuclear plants.
This line presumably refers to the Reactory Safety Study, WASH-1400, published in 1975. But I can't find the source of the 1 in a million number anywhere. The executive summary (which was later retracted) said the chances of a core melt accident were 1 in 20,000 per plant per year, which is comparable to current risk estimates for US plants (maybe a bit lower).
https://en.wikipedia.org/wiki/WASH-1400
> A neutron colliding with an unstable nuclear generates more neutrons
Typo, "nuclear" should be "nucleus".
The chronology in this one is kind of spastic. We start in 1985, then jump to "the 70's and 80's", then '74, then 2011, then "the second event" in '77 which is eight years before the first event. I've basically lost track of where we are at any point in history.
On the other hand, cats are cute and rice is tasty. Thumbs up. How many I don't know; probably depends on what year it is.
The biggest risk factor is Human Error. Any model that hopes humans will not make errors at every opportunity will give excessively optimistic risk assessments.
TMI involved controllers making a long series of wrong choices until they finally made the right one, averting a disaster. In all probability, we just got lucky.
"Human Error" is a bad stopping point for attributing failure or understanding risk. It's the famous story of Alphonse Chapanis and the B-17s. You need to dig deeper.
As Don Norman said, there is no such thing as human error, only bad design.
That’s a misleading interpretation. Human error is common; so common that a system that expects it not to happen has a flawed design.
https://www.goodreads.com/en/book/show/840 Have a look if you can find the book! Don Norman is the father of modern human-computer interaction (which birthed the fields of UI/UX design, and influenced pretty much all modern design). The quote is obviously meant to be hyperbolic, but the idea is that the designer should never blame the user for 'human error', but take into account how people normally do things and *predict* human error - and prevent it from happening.
If you want to be literal, the goal of good design is to *minimise* human error.
This is the idea behind poka-yoke or mistake proofing: https://www.mistakeproofing.com/index.html
If the only thing standing between your design and catastrophic failure is one or two user errors, then it's a bad design.
What's the difference between "flawed design" and "bad design"?
Not sure if there's a commonly understood. distinction. In my mind, a flawed design may perform well under normal conditions but fail under abnormal conditions. A bad design would fail under normal conditions.
"Human Error" is rare. People typically do things that seem right to them given their training and the available options.
Doing what “seems right” during an emergency at a nuclear power plant is a great way to inadvertently make things worse.
"Seems right", though, is subject to an evaluation mechanism that strongly discounts future dangers. (Well, it also discounts future rewards.)
I think that evaluation function should count as part of "human error", even though there are logical grounds for it. (I.e., the future is full of unknowns, and predictions about it are always uncertain.)
PRA models can throw a probability on various possible human errors. Making those probabilities accurate is tricky, though, and every few years somebody comes up with a new methodology to cover more possible factors that influence it. For example this one is supposed to apply even in external hazards like earthquakes and tsunamis:
https://www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr2256/index.html
Some of the newer designs don't require much in the way of human actions, which seems like the safest approach if you can pull it off.
Was it not taughtthat you should not pay the people responsible for nuclear power plant safety a bonus based on financial performance?
This is the winning review in my book. Tense opening. Strong narrative. Important message.
Lol
Actually, that's a very reasonable thing to do, but it should only be paid after the plant has been decommissioned.
I am not convinced that a bonus that pays out in as many as 100 years, if it pays out at all, is much of an effective incentive.
Not to mention the lawsuits among heirs ("the Springfield Plant was working fine when grandpa handed it off!") would be epic.
> I am not convinced that a bonus that pays out in as many as 100 years, if it pays out at all, is much of an effective incentive.
If there's a secondary market, short-term-focused people can still get more by selling the incentive to patient investors. (You probably want them to not be able to sell more than ~half of it, to keep incentive compatibility in the face of info differences.)
That assumes many things.
BTW, are you also a cat?
The problem of keeping a hideously complex system like a nuclear reactor from failing catastrophically, killing lots of people, seems to me, a naïve observer, conceptually very similar to the problem of keeping a hideously complex system like an airliner from failing catastrophically, killing lots of people. A comparison of the two industries' approaches to safety--both theoretical and practical--might be useful. Are their methodologies similar? Is there anything the two industries could learn from each other? Are there major differences that necessitate different methods for each?
Interestingly, it seems that both industries have done very well overall at maintaining extremely high standards of safety and reliability--yet one has a commensurately stellar reputation, while the other has to deal with persistent, chronic public suspicion. What's the source of this difference? Is it a matter of a fundamental, ineradicable difference in public attitudes, or is there something about the air transport world's approach to public fear that the nuclear industry could learn from?
One difference between nuclear energy and airlines is that the realistic upper bound damage from an airliner accident is all the people on board (several hundreds, maybe 500 for an A380 or a Boeing 747) and some smaller number of folks on the ground. The fear for nuclear disasters is that the number lost in one accident can be much higher.
It isn't terribly rational to figure that 10,000 people lost in one go every 20 years is worse than three people lost every day for the same 20 years, but that is how (normal) people think of this.
9/11 ultimately killed a lot more people than the passengers.
I think 9/11 is generally considered more than an airplane "accident".
While true, it's the kind of thing PRC has to include in its estimates. A terrorist blowing up a nuclear plant is one plausible failure mechanism.
True, but it's still bounded. There's no building a plane could be crashed into that would kill a million people, or render a major metropolitan region uninhabitable for generations. (Unless of course said building was a poorly designed nuclear facility?)
That said, political overreactions to perceived, salient risks can be far more damaging than the risks themselves. A hundred Chernobyls wouldn't put a dent in the conclusion that replacing all the world's coal with even 1960s-tech-level nuclear plants would be a massive improvement in health and safety (this is true even if you look only at radioactivity, and exclude all the other pollutants). No one seems to remember that the Three Mile Island meltdown released radioactive material beyond the containment facility, but didn't actually contaminate the environment. We just made it near-impossible to build new nuclear plants in the US after that, anyway, ensuring a much harder, longer, and more expensive road to cleaning up pollution and stopping GHG emissions.
The cascade started by 9/11 did kill at least hundreds of thousands, counting the various wars it triggered....
I totally agree with your second paragraph. The cost of overreactions to nuclear has historically been much greater than the direct costs of accidents.
On the other hand, reactors (at least those used for power generation) do not fly, and they operate in a usually predictable environment (tsunamis and earthquakes notwithstanding)
The flip side of this is that airliners have a lot more crashes than nuclear reactors have meltdowns. Enough crashes that you can pretty reasonably see the probability just by counting up the crashes and dividing by the number of flights. With a reactor, you have to rely on models of probability (since there have only been 3-ish meltdowns, two of which were a long time ago, and power plants in different locations and time periods have different levels of risk). You also have to rely on models of the consequences. This review is suggesting that the worst case consequences are much higher than the nuclear industry would like to admit, although I don't think the claim is well supported.
Also, as a member of the public, you can choose not to fly. You have much less choice about whether a nuclear power plant is operating within 50 miles of your home. Together, I think these factors (uncertainty about the level of risk, and having it foisted on you without your permission) make it fairly unsurprising that people get scared and angry.
I think the "worst case" scenarios considered in the review are extremely reasonable, though possibly low probability. But I really doubt that they are the actual worst cases possible.
Both nuclear power and airlines are considered High Reliability Organizations, because of their low tolerance of failure. There is a lot of literature on the best practices for HROs. Interestingly enough, hospitals are currently trying to become HROs, something I cynically worry is doomed to fail because of the complexities of the human body, not to mention is likely to lead to ballooning costs.
It's an even bigger contrast than you state: the commercial aviation industry has grown several times larger in the past three decades, while maintaining or improving overall safety, with a lot of new regulations and regulatory scrutiny. It weathered its own 'Chernobyl' (9/11, and more recently the 737 Max scandal). Yet people don't complain about over-regulation limiting the airline industry. Instead we enjoy cheap and safe flights. Meanwhile, growth of nuclear power has stagnated since 1990, and new plants have become prohibitively expensive to build. What gives?
If nuclear power was as necessary for energy production as flying is to (efficient and cheap) traveling, I guess the public would not be hostile to nuclear power plants. But this may change. Already even greens are warming up to nuclear if the only viable alternative is fireing more coal plants.
FWIW, I consider myself rather green, and I favor nuclear plants over natural gas plants, not just coal plants. But I still prefer solar by a wide margin. Lots of different reasons, not just a few. But building safe nuclear plants takes too long, and running them safely requires that the management wants to do so, so I'm rather skeptical of their long term safety. Possibly some of the new designs get around that problem, though. I've heard that molten salt reactors have a really limited "worst case", which would strongly change my position. (Then it would shift to be more based on speed of construction, individual ownership, and costs.) But don't build the plants (current designs) in places where they can't handle the environment. (E.g., don't build them in a canyon with steep walls.)
I am all for development of renewables, but I do not believe they are sufficient for our civilisation, and we still need additional energy sources. All sources of energy have downsides, and may have bad impact on environment. In case of nuclear we have a well understood, and clean technology. Of course it is clean only if it works properly. But that is the real choice: between tech which poisons us a significantly always (like coal), or poisons us and enables dictators (like gas or oil) or the one which is clean if it works properly, and in fact has an excellent record of working properly and is feared because of what if scenarios which are increasingly unlikely with contemporary constructions, and because of past disasters which were grossly exaggerated (nuclear). And public hostility to nuclear prevents building newer, and far safer power plants to replace existing ones. And you are right: I believe (well I am not a specialist) the new (and even not so new) reactors cannot melt even if all the systems fail, because they are built to be self stabilizing. And of course people which design nuclear power plants are not stupid, and they do not place them where they shouldn't: Well, mostly. In case of Fukushima they knew about tsunami which floded the plant place in the IX'th century. They just did not thought it would happen again so soon... However, from the reports it seems that Japan is somewhat unusual in how their nuclear industry supervision is dependent (instead of independent) from the political part of goverment, and it seems such a situation would be impossible in, say, US.
All the existing plants, and most of the new plants that might be built in the next 10-15 years, are water cooled reactors and are capable of melting down if all the systems fail. The designs are supposed to have enough redundancy that they will not all fail at once; usually this is true, but in very unusual situations (like the tsunami at fukushima) you can have common cause failures among components that are normally independent.
My error, yes, I was thinking about the fact that water is used as moderator, so no water, no fission, but this does not take into account radioactive products of fission which can stilll cause some meltdown if cooling is completely taken down. And of course I was thinking about various passive safety features, like emergency cooling based on gravity rather than pumps, but these can indeed still fail
Why build more reactors from scratch when we've already got a perfectly good fusion pile we're barely using?
The problem seems to me, a not very naive observer, very different than the problem of keeping an airliner from failing catastrophically and killing lots of people. For the fundamental reason that airliners by definition have lots of people inside them during normal operation, and nuclear reactors generally have zero people inside them during normal operation.
In the case of airliners, you can't separate the people from the catastrophe. In the case of nuclear reactors, you can put as much water and steel and reinforced concrete and distance as you feel is necessary between the potential catastrophe and any potential innocent bystanders. You can also try to avoid the catastrophe in the first place, but you can hedge your bets by arranging for all plausible catastrophes to be not really catastrophic after all. Well, except to the insurance company that has to pay for a new power plant.
A hideously complex Rube Goldberg machine for disassembling and disarming live hand grenades might seem insanely dangerous, but if it works by remote control inside a bank vault, who cares?
Except that in current reactors, decay products have enough power to make a major mess unless actively cooled down.
But cooling down nuclear fuel should be a much easier problem than having an airplane land in an airport. Much less moving parts that are operating near material limits or exposed to the outdoors.
As noted elsewhere, the decay products should only be able to make a major mess *inside* the containment vessel. And it's troublesome to have a billion-plus dollar power plant turned into a giant concrete monument to someone's incompetence, but I'd still rather have that than a thousand or so people dying from air pollution in the normal operation of an equivalent natural-gas plant (never mind coal). But the thousand deaths don't all occur in one time and place and they don't come attached to a scary newspaper headline, so apparently they don't count.
https://www.statista.com/statistics/494425/death-rate-worldwide-by-energy-source/
I think there have been less than 10 meltdowns in the history of western nuclear commercial power plants (so not counting early research reactors). Out of these, in 2 cases (Three Mile Island and Fukushima), *some* radioactive mess had escaped outside.
I am quite sure that this is less bad than what comes off a coal plant’s smokestack, but other people are less convinced.
9/11 -> war in ME, ~0.5M causalities, millions displaced. Multi trillion Western expense, multi trillion local economic damage
Airlines give the general public something they can't get any other way: fast long-distance travel. Nuclear energy doesn't appear to do that, merely substituting existing coal and gas.
Nuclear energy does actually give something nothing else can: earlier relief from global warming and air pollution, but diffuse gains are hard to appreciate.
The source of the difference is that nuclear safety conversations never address the 8 million people killed by fossil fuel air pollution alone, each and every year, as the status quo against which the safety record of nuclear power should be compared.
This is a strange review, because "Safe Enough?" naturally invites the rejoinder "Compared to What?" which the review never addresses. The standard narrative of nuclear power is that hysteria over nuclear risk was allowed to strangle the industry, creating more risk in society overall, from fossil fuels. I don't necessarily buy that narrative, but it's disappointing that we get nothing about the tradeoffs involved. Is that because the book doesn't discuss them, or because it's not interesting to the reviewer?
As someone who _very_ much does buy the "fossil fuels were far worse" narrative, that lack of "compared to what" completely destroys this review in my mind.
If you're interested in some extracurricular reading, the fossil fuels industry do use a lot of similar risk management processes, and have a much higher failure rate (possibly because of the regulatory or financial landscape?).
If you want to read an example of a risk methodology failing horribly in a natural gas context, I submitted the review Nightmare Pipeline Failures into the contesf which didn't make the finals but is available in the Google doc. FWIW the failure modes aren't specific to gas - they're management issues that can plague a number of different industries.
Yes, I read that, extremely interesting.
I work in a highly regulated, highly safety-conscious industry where failure causes death and huge economic loss, so I have a professional interest in this kind of risk management. But this is because our services are (normally!) so reliable that people trust them with life-and-death use-cases, not because we're doing anything particularly dangerous. I don't mind admitting a level of envy!
I enjoyed reading the reviews that didn't make the finals from previous rounds - which post contains the Google doc for this round of the contest?
Maybe the book doesn't address "Compared to What?". Should the reviewer do his own research if the book doesn't cover the rejoinder?
Of course the reviewer is supposed to do research beyond the four corners of the book, otherwise how can they contextualise and challenge its claims?
But on an even more basic level, the reviewer is supposed to review the book. If someone wrote a biography of Louis XVI and didn't mention the French Revolution, I'd expect a reviewer to comment on that omission.
One cannot write a biography of Louis XVI and don't mention the French Revolution because he was toppled and killed by the revolutionaries so it's a big part of the subject. But you can write a biography of Louis XVI without comparing him with George III of Britain.
Sure, and writing a book about whether nuclear power is safe enough, without considering whether we are trying to make it too safe, is more like the former than the latter.
I think that under those circumstances, the review should say "this book completely fails to bring up cost/benefit tradeoffs compared to other forms of fuel, and this is a major problem with it".
Whether or not you believe it's proper for a book review, it has certainly been the case for many well-performing book reviews in these ACX contests.
Well, they did mention that "The total cost to clean Chernobyl and Fukushima may exceed a trillion dollars, but even consideration of this 'tax' would add only a penny or two per kWh to all the energy the industry has created in its history. The health and environmental damage from coal is easily ten times this."
Yes, this was a good point. I personally recently estimated that a trillion dollar disaster per the current total reactor hours world wide adds $500 million per GW in potential costs to nuclear
Interestingly, since LCOE figures end at 40 years for nuclear plants there is a comparable uncounted benefit. If a nuclear plant is extended for 40 more years at negligible costs, and its running cost of $30/MWh are $50 below that of the relevant alternative such as wind and solar with extensive backup, then the total uncounted value per GW is about $15 billion dollars
I reduce this to about $10 billion net present value at the time of first extension with a 2% discount rate which is low but seems reasonable since it's essentially a gift. Then if you work back to the time of completion of the plant at a 5% rate you get about $1 billion per GW rounding down. Again, a low rate, but it's like a free investment that is secure unless something even better than $30/MWh of baseload comes along
I think this stands up to the trillion dollar cost of historic accidents pretty well, particularly if you assume that the experience of Fukushima will make future accidents less likely. It's a harder call with the theoretical $10 trillion dollar cost but another of the lessons of Fukushima was that the evacuation caused almost all of the human costs. The price of living with the radiation to some degree would be much less than a Fukushima style cleanup
This does make a strong case for no meltdown designs even if they are a fair bit more expensive while the case for nuclear becomes incredibly strong at low prices of construction. If you can build for $3 billion per GW as I believe China does your uncounted benefits vs costs reduce the apparent price by 25% or more
I think it's an open question whether "living with the radiation" is even possible.
-The USSR sort of tried to do that by covering up the fact that an accident even occurred, but people found out anyway and they had to reverse course.
-At Three Mile Island, there wasn't even any radiation worth mentioning, there was no mandatory evacuation (though eventually there was a recommendation for young children and pregnant women to leave), and people still fled the area en masse. The human costs are hard to quantify, but they were certainly much higher than the physical damage.
-At Fukushima, many have argued that the evacuation orders were too aggressive and cost more lives than they saved. That's probably true, and many of those deaths were among very sick patients forced to evacuate from hospitals. But much of the healthy population of the area would likely have chosen to leave anyway (just as many have chosen not to return after the evacuation orders for their homes were lifted). The communities still would have been hollowed out, the land values decimated, the fish and agricultural products unmarketable... you can calculate that the costs of ignoring radiation are lower than the costs of fearing it, but you can't make people actually ignore it.
Much of that fear is misguided, but in a way that's difficult to pin down and even harder to correct. If someone's afraid of dogs, they can see whether there's a dog present, how big it is, whether it's on a leash, etc. And they can certainly tell if they've *been attacked* by a dog. Even as an engineer it's not easy for me to intuitively grasp how dangerous different levels of radiation are. How much am I harmed by the radiation from a chest x-ray versus a plane flight versus living for a year in Futaba? Is that worse than being bitten by a dog?
(https://www.cnn.com/2022/08/30/asia/futaba-fukushima-nuclear-evacuation-order-intl-hnk/index.html)
You can look up the numbers, of course, but most people won't. And if you lived in Harrisburg, Pennsylvania while Three Mile Island was melting down, you couldn't look up anything. Even the experts wouldn't have a good idea what was happening until afterward. Some sort of generic assurances from the government that "it's better to ignore the radiation" would not be very reassuring.
The review also doesn’t explain (maybe outside its scope) that the cascading catastrophe idea can also apply to other things like global warming (positive feedback loops), political issues surrounding fossil fuels leading to wars, fracking (catastrophic poisoning of groundwater seems theoretically possible).
I would say that the safe enough is compared to everything else in life that might kill you. Although that must be wrong since nuclear power kills so many fewer people than even the unlikely things that no one thinks about. Periodically you read that a building spontaneously collapses. Why all the effort focus on nuclear safety and not building safety. What about railroads, how many people are killed from train derailments, either directly or when they release deadly chemicals. Every so often there is an explosion at some factory killing one or more people, nuclear generation plants are much safer than say fertilizer manufacturing. Thats the way I would answer safe enough. That whole isolated demand for rigor thing.
My impression here is that mathematical "tradeoff" calculations are meaningless because they require so many totally unfounded assumptions that your conclusions will be necessarily garbage. Actually, worse than garbage, because they'll APPEAR mathematically precise.
excellent review of safe enough: phase change possibility after a cascading event is an important insight ; erosion of culture is more imp than erosion of material, another powerful insight --learned a lot from a very well written book review, compliments to the author
>Had this incident been taken seriously, disaster at Three Mile Island would have been averted
In what sense does the actual outcome of Three Mile Island, with zero deaths, zero injuries and negligible environmental damage, *not* count as "averting disaster"?
Losing a nuclear plant is a disaster, Three Mile Island unit 1 continued operating for another 40 years. That is a lot of lost electricity generation.
> As a reminder, there are over 20,000 parts in a utility-scale plant
As someone who works in manufacturing drawing management, I can assure you with a high degree of confidence that this estimate is laughably low even for a 60s era plant. It might be an accurate estimate of "how many assemblies is the plant prepared to diagnose a problem down to"; presumably your nuclear techs don't disassemble sump pumps to diagnose which float switch or capacitor failed. But there are many, many more parts in your iphone, much less something at the scale of a nuclear plant.
I will never forget the time our radar system stopped working because someone changed out a battery and forgot to replace a washer for one of the bolts they'd undone to reach it.
I'm left wondering if
a) probabilistic risk management is easy to understand
b) i'm really smart
c) this review is better-written in terms of per-word information conveyed than most things I read
d) some combination or other factors
Under (d) perhaps I'm just in some mood where everything seems meaningful and profound. And perhaps also the core points (probabilistic risk management) are very well suited to this substack's audience. But if it's not me, goddamn this is a well-written (effectively-written) review. I read several sections of it aloud to other people.
Presumably actually implementing the method with all the technicalities included and getting it all correct enough to prevent actual disasters is difficult, but that doesn't mean understanding the basic idea of what the method is has to be difficult too.
I agree, the basic idea is really just "calculate the probability of system failure based on estimates of all the component failures", and the hard part is dealing with the huge number of systems and how they all interact (plus operator errors, natural disasters, figuring out how much radioactive material is released and where it goes, accounting for evacuations, and so on).
No, it isn't easy to understand. Not in application. Toy examples can be pretty simple. This is the modern version of "For want of a nail, the (horse)shoe was lost...", only iterated recursively over all the possible failure modes. (You did figure them ALL, didn't you?)
I appreciate both of these responses and in reading them have realized something about a common failure mode I'm sure Yudkowsky has written about this since I observe him triggering it in other people. I observe that people I talk to about risk management have a really hard time understanding the probabilistic aspect. People imagine some specific problem and create a solution for it and then say, well, I don't see how else it could go wrong. And when I point out all the ways in which it very well could go wrong, I get responses implying that I am just being inventive and unrealistic. Never once in my entire adult life have I intended my hypothetical counter examples to be all encompassing or all inclusive but instead merely to be examples of cascades where various different components could fail in some way. For instance, someone driving off the road while attempting to retrieve the last piece of candy that fell from a bag on the other side of the passenger seat seems like something that a person would just decide not to do and also like something that wouldn't specifically be enough to cause an accident all by itself. And yet, I know someone who happened to be doing exactly the one and caused exactly the other due to a convergence of also unhelpful circumstances. Yet if someone beforehand had laid out for him all of these converging problems, he would have insisted that he would never be so hungry or food motivated in the first place and also all of this sounds really unlikely.
And on the other side, of course, people who suffer from anxiety have not the opposite of this problem, but a painful permutation of it, where by attempting to imagine all the specific ways in which I think it could go wrong, they exhaust and torture themselves without necessarily, and in fact, usually while not improving overall systems that would make them safer or more successful.
Yeah. I liked this review for several reasons. I like the topic, though I'm more pro-nuclear than the author. But mostly because it was tight,. I finished it with my cup of coffee in the morning. And totally enjoyed all of it.
> Rasmussen delivered. In January of 1974, after 60 person-years of effort, the Chair of the AEC reported to Congress that the odds of a significant meltdown were less than one in a million. Congress and the public could rest assured that nuclear energy was far safer than comparable electrical generation methods such as coal, or a hydroelectric dam. The risks were astonishingly small, akin to getting hit by a meteor falling from the sky. Commissioner Ramey had nothing to worry about. The academics showed that nuclear energy was plenty safe enough.
Thing is, they were right. In the years since then, there have been exactly zero people killed by nuclear power plant accidents in America. For all the press attention it got, the Three Mile Island incident was incredibly minor; the radiation released into the environment was somewhere around half of what a typical coal power plant exposes people nearby to in one year... and that was it. The worst ever nuclear disaster in American history did no detectable harm to anybody.
My grandpa lectured on radiation safety at Harvard, and he mentioned to me once that the additional radiation from Three Mile Island carried a total risk of 0.7 deaths. (I'm not sure exactly what model he used to derive that number, though.)
Almost certainly that would be good old linear no threshold. It's easy to show experimentally that model is false by zapping fruit flies with a burst of radiation all at once or spread out over a month. But it only has one parameter so it's tractable to use with the limited data on radiation in humans that we have.
A small note on this is that due to the total distribution of probability centering on 0.7 the amount of probability that one person would die according to that model of risk is quite small
Not sure what the book is about but I know the reviewer is a typical nuclear power hater.
> The plant managers at the time opted to avoid publicly visible upgrades, ironically because they feared that new safety measures would relay the unwanted message that nuclear power was untrustworthy.
I realize this is not much of a substantial comment, but... I really fricking hate that people keep doing this.
Based on other comments elsewhere I'm rather sure that avoiding the financial cost of the upgrades figured into the decision, if not into what they were willing to publicly admit.
Hm, I'm surprised to read this and not find anything about the use of passive safety systems (https://en.wikipedia.org/wiki/Passive_nuclear_safety). My understanding is that these could have prevented basically all the big nuclear disasters, had they been around when the plants were built!
Looking it up, it seems like annoyingly passive nuclear safety systems are recent enough that (due to the giant slowdown in building nuclear reactors) few actual commercial reactors have been built with them. Annoying. If enough were built, they could maybe just replace the older less safe ones...
Yeah, this seems like a big missing component at the time of the book. Looks like new plants like the Vogtle plant that just opened in Georgia do use passive safety, which in hindsight seems like a no-brainer.
Oh, I didn't consider when the book was written. But it looks like it's from 2021? Do I have that right? In which case it seems like it should have discused it...
IIRC, the "swimming pool reactor" from the 1950's is supposed to have had a passive safety. (I.e., if the water drained out of the pool, moderation stopped, and the reactor shut down.) I presume that there must have been some problems with it that I just never read about, though.
That's really true of all reactors in the US, they can only maintain the chain reaction using what are known as thermal neutrons, which are ones that have slowed down through interactions with the water. Take away the water and almost all of the fissions stop, and the reactor is shutdown.
So they've stopped using things like cadmium rods as moderators? If that's true, it sure hasn't been well publicized.
To clarify, I'm using the word moderator to mean something that slows down neutrons. Water is, in US light water reactors, the moderator. The control rods adsorb neutrons and are grouped into the term "poisons". I'm unfamiliar with describing the control rods as a moderator.
The power plants still most certainly use control rods to shut down the reactor by adsorbing enough neutrons very quickly when needed, though for routine temperature adjustments its common to use boron as a chemical poison and leave the control rods fully withdrawn.
Do you have a different understanding? Are we using the same term to mean different things?
We're using the same term to mean SLIGHTLY different things. To me a moderator is something that changes the way the neutrons act within the pile. Slowing them counts, but so does absorbing them. (I'm no nuclear technician, so I use the meaning I learned in high school.)
Cadmium is a neutron absorber, which is pretty much the *opposite* of a moderator. It does not slow down neutrons appreciably - it takes light elements for that. It does absorb neutrons very well.
A nuclear reactor wants lots of slow-moving neutrons, because those are more likely to react with the nuclear fuel. Some reactors can work with just fast neutrons, but those sorts aren't generally used for power generation. So, adding a moderator (e.g. water) leads to more reactions occurring because more of the neutrons are the slow-moving sort. Taking the moderator away, makes the reaction slow down or stop altogether. So if you use water as the moderator, then anything that makes the reactor seriously overheat will boil away the water and stops the reaction.
Cadmium, absorbs neutrons, particularly the slow ones a reactor needs. Adding cadmium means fewer neutrons and less reaction, with enough cadmium no reaction at all. So one common technique for controlling (or shutting down) a nuclear reactor is to include cadmium rods that can be inserted into or withdrawn from the reactor core.
Two completely different things, working in the opposite direction. To stop a nuclear reaction you don't want any more, either add cadmium or remove water,
Crucially, shutting down the reactor is not sufficient for passive safety. A shut down reactor still produces decay heat, initially about 6% of full power and less over time, which must be removed to keep the reactor from melting. So true passive safety requires a "passive", e.g. gravity fed, water source to cover the core and a passive way to dispose of the steam produced as that water boils off. It's further complicated by the fact that the whole system is at high pressure, so you can't just dump water in from above.
Research reactors are often pool type, and safety is not much of a concern, but you can't do that with a power plant.
You can, and some do, use gravity to remove decay heat. Interestingly, Fukushima Daiichi unit one had an isolation condenser, which uses the idea that hot water weighs less than cold water, you if you use a heat exchanger (HX), you can use a somewhat passive cooling for decay heat removal. Unfortunately, it worked too well, and for an uncomplicated reactor trip it would cool down too fast, so the procedures directed turning it off then on as necessary. When the tsunami arrived, sometime after the earthquake (that automatically shutdown the reactor), they had mostly closed the motor operated valve for this HX. Also unfortunately, they didn't write down when they positioned it. of course, they sent an operator to check, and they saw steam coming out of the vent on the non-reactor side, but this doesn't get used... well, ever, and there was much less steam than there would have been if it were under full load, so it got reported as working.
The new AP1000 units take a different approach, fully vent the reactor coolant system, then since it is depressurized, use gravity to add more water.
Yeah, I've tried to investigate the IC at unit 1, because turning it off prior to the tsunami seemed like it might have been the failure that set off the cascade of core melts. But best I can tell, the condenser cooling tank only holds enough water for about 3 hours of decay heat removal. I'm not sure that would have been enough time to make a difference.
I do like the isolation condenser concept (incidentally, GE is bringing it back for the completely passive BWRX-300 SMR). I guess the problem is that it has to be physically above the reactor vessel, pretty high off the ground, and that limits the size. But because it's at atmospheric pressure, it should be much easier to refill during a station blackout than the vessel itself.
I don't have any experience with an IC, so I really don't know the size or capacity. The detailed report I read, going off memory here. said they were running fire hoses and almost ready to start adding water to the torus in units 2, 3, and 4 when the explosion in unit 1 threw that is disarray, not only messing up the hoses, but also slowing everything down since they needed respirators and anticontamination clothing to work in that area.
The height difference doesn't have to be huge, but less height means larger diameter pipes for the same heat removal. The US Navy has submarines that normally operate with natural circulation and space is tight in submarines, and the AP1000 has a Passive Residual Heat Removal system but that's located in the containment building, big pipes, but not a huge height difference.
Yes, in fact one of the annoyances about Fukushima is how it was *supposed* to be shut down (I don't remember whether it was really soon, or recently extended ?) because of the design was deemed to be too old to be safe ?
But then even passive safety can only go so far against the threat of deliberate sabotage, as we are experiencing one right now :
https://astralcodexten.substack.com/p/your-book-review-safe-enough/comment/17982621
Interestingly recent hype about CANDU heavy water reactor refurbishments and operation records has led me to look into the safety features of it and it appears very likely they would have had little problem with Fukushima. It seems to be so safe that it should be considered a worthy competitor to walkaway safe modular designs if they don't deliver on costs
The book actually covers passive safety in the first chapter; passive safety systems were considered superior and necessary until industry lobbying in the 60s & 70s convinced the AEC to allow active shutdown systems as the main line of defense.
I enjoyed this review a lot. However, like other people mentioned, the lack of a true comparison to alternatives leaves me feeling unsatisfied. Based on a quick web search, it looks like particulate air pollution costs us about 7 million premature deaths per year. There are lots of variables, but consider that order of magnitude compared to what looks like 32 deaths from nuclear power, ever. Sure, there's the "evacuate Tokyo" style long tail, but eventually you have to try to convert that into an expected value, and I bet it's pretty low.
The description of Probabilistic Risk Assessment is fascinating, but ultimately it doesn't sound very... probabilistic? If every scenario is intended to have a probability of zero, you end up spending approximately an infinite amount of money, which is part of the reason why I still suspect that nuclear is more expensive than it needs to be.
7 billion premature deaths is almost the entire global population. I think you meant 7 million?
Whoops, you're right. I edited it.
He admitted it as an error, but perhaps he shouldn't have. "Premature deaths" doesn't say how premature, and IIUC particulate air pollution is supposed to have shaved years off of almost everyone's expected lifespan.
In that vein I am reposting this thought experiment: a variant of Earth called "Meltdown World". In meltdown world,
1. Political sentiment in the 1960s and 1970s went against coal/oil power instead of nuclear power, and stayed that way ever after. Solar/wind were unaffordable at the time, so most of the world switched to nuclear plants and global warming was cut in half (oil is still used for heating and transport, because cars weren't politicized).
2. People treat radiation releases from nuclear plants the same way we treat fly ash from coal plants - as just a normal thing that we breathe in as a Fact Of Life. If there's an total unmitigated meltdown, people might evacuate for a week or two, but then everybody just takes their iodine pills and returns home.
3. Every reactor in the entire world shares the Fate of Fukushima: it runs fine for 40 years and then has a big unmitigated meltdown and radiation release. After 40 years, thousands of tons of salt water magically appear throughout the plant, destroying all emergency generators, and it never occurs to anyone to use passive safety systems instead or to shut off reactors after 39 years, and every plant is like Fukushima's rather than Onagawa's[1], and safety regulations never improve, and no one builds Molten Salt Reactors, etc. All these meltdowns are expensive to clean up, but since the world builds so many nuclear plants and deals with so many meltdowns, the costs decrease according to a learning curve (akin to Swanson's law of solar panels and Moore's law of silicon chips).
_Question:_ how does a coal plant compare with a nuclear plant in Meltdown World? Which one ends more lives? Does it make a difference if the coal plant is Chinese-style with high pollution? As reported by NASA, nuclear power saved over 1.8 million lives between 1971-2009 (39 years)[2]. Presumably, many millions more could have been saved if more coal plants had been replaced with nuclear plants. Does this remain true in meltdown world, or does it become false?
To answer this we need to know: (1) how deadly is coal (per TWh) - this is widely published[3], (2) how deadly would Fukushima have been (per TWh) if there had been a temporary evacuation but no relocation, and (3) how should the numbers be adjusted for other locations, e.g. do areas around other nuclear plants tend to be more populated or less populated than Fukushima?
Finding information about radiation risks isn't easy, as the media rarely publishes info about this. When I first published this thought experiment on Reddit, I looked around for awhile and the most relevant bit of scientific info I found was this "meta-analysis of leukaemia risk from protracted exposure to low-dose gamma radiation"[4] which concluded, based on 23 other studies, that the excess relative risk (ERR) of non-CLL leukemia from 100 mGy of radiation is roughly 19% (it is unclear to me if 100 mGy is different from 100 mSv). Based on a typical non-CLL leukemia rate of 1 case per 1,000 people per year, ERR=0.19 would increase this by roughly 1.9 cases per year (1 in 53,000 people). The risk presumably varies as a function of time since exposure, but this particular study seemed to completely ignore the issue. To estimate the total risk, I tried assuming that ERR=0.19 every year for 25 years after exposure. "25 years" is just a guess, but it probably can't be more than 40 years because the "average person" is middle-aged and only has 40 years left anyway.
This works out, very roughly, to a 0.05% chance of getting non-CLL leukemia within 25 years. I heard this is the main type of cancer typically associated with radiation, at least if you've been a good boy and took your iodine pill. Eventually I found a second source of information from NASA[5]. Based on this it seems that for the "average adult", 100 mSv of gamma radiation gives an estimated risk of 0.4% for eventual cancer, with large error bars―about ten times higher, but still less scary than most people seem to think. And btw radiation is considered riskier for women and younger people.
Of course we'd need to know what kind of dose people around Fukushima would have received if they did not relocate. I found figures for radiation averted at Fukushima in the first year of relocation (Table C11, page 190, UNSCEAR report[6]) but there are no figures for subsequent years, nor are population sizes provided. It looks like a majority of evacuees avoided 20 mSv of radiation or less in the first year by relocating. For comparison, I recently had a cardiac function test involving 10 to 30 mSv of gamma radiation depending on the sensing equipment (more radiation is needed for older equipment) and I tested negative but thanks for your concern.
I don't know how to get the power output statistics for Fukushima in particular, but eyeballing this report[7] it looks like the capacity factor at a typical nuclear plant is about 83%, and Fukushima units 1-3, the ones that melted down, had a capacity of 439+760+760=1959MW which is about (439+760+760)*0.83*24*365.24 = 14252863 MWh per year = 570 TWh over a 40-year period.
Let's say I pull the number 2000 straight out of my ass for the number of cancer deaths that would have eventually occurred due to the Fukushima meltdown sans relocations (I think I saw an article in Forbes claiming that this number was 160, but the article didn't cite a source and I can't find it anyway). 2000 deaths would be less than 4 deaths per TWh, compared to 25 for an average coal plant. Another source[8] separates USA from China coal, giving 15 and 90 deaths per TWh respectively. (Nuclear, of course, is 0.04 deaths per TWh)
P.S. Meltdown world is based on Fukushima and not Chernobyl because Chernobyl-style RBMK reactors would never have been legal in the United States[9] due to issues such as the lack of containment building and the substantial positive void coefficient of reactivity when coolant boils, and I assume that regulations in most of the world have always been closer to the US than the USSR. In real life, U.S. regulations were strengthened due to political pressure and TMI, so ... we're doing kinda better than Meltdown world here.
[1] https://thebulletin.org/2014/03/onagawa-the-japanese-nuclear-power-plant-that-didnt-melt-down-on-3-11/
[2] https://www.giss.nasa.gov/research/briefs/2013_kharecha_02/
[3] https://ourworldindata.org/safest-sources-of-energy
[4] https://oem.bmj.com/content/oemed/early/2010/10/08/oem.2009.054684.full.pdf
[5] https://twitter.com/DPiepgrass/status/1569508398202515458
[6] https://www.unscear.org/docs/reports/2013/13-85418_Report_2013_Annex_A.pdf
[7] https://www.world-nuclear.org/getattachment/Our-Association/Publications/Global-trends-reports/World-Nuclear-Performance-Report/world-nuclear-performance-report-2018.pdf.aspx
[8] https://www.nextbigfuture.com/2011/03/deaths-per-twh-by-energy-source.html
[9] http://www.phyast.pitt.edu/~blc/book/chapter7.html
Mostly responding to this because i found it very interesting and I'm hoping more people engage with it.
My first impression reading this was that assuming everything is as bad as Fukushima sounds pessimistic but doesn't capture the even more extreme and unlikely long tail risks.
Apparently the world used 23,921 TWh in 2019. If we made all of that via Fukushima clones and each Fukushima produces ~14 TWh per year then we would need ~1600 Fukushimas. If the white swan of Meltdown world is 2000 deaths what is the black swan.
For all their problems coal powered stations have relatively linear risks. The deadliest failure when you have 100 plants looks similar to the deadliest failure when you have 1000 or 100000 (I assume). The deadliest failure when you have as many nuclear plants as we do now(440) is Chernobyl but the deadliest failure when we have 1600 or 6400 might be an entire continent becoming uninhabitable.
I really don't know the worst case scenario, and it's an interesting question. I'm skeptical of the uninhabitable continent scenario. From what I can gather from some quick searches, Chernobyl actually released a significant quantity of fuel. I've seen an estimate of 4,000 deaths expected over time from that event. I could imagine a worse release resulting in 10-20x that number, which is terrible but not really unbounded. After the initial release, I get the impression that having some more radioactive material spread over a broad area actually doesn't have incredibly high mortality impacts.
I know I'm essentially pulling this stuff out of my ass, so I'm curious if anyone has a more informed perspective on the actual worst, worst case scenario for a nuclear plant.
I will try to find some helpful numbers (commenting now so I don't forget)
I would expect that the danger posed by nuclear devices that are designed to be dangerous (i.e. bombs) would be an upper bound on the danger of a device that failed to be safe, and the worst nukes are a lot less dangerous than that. I guess a salted bomb that affected continent-scale areas would be less militarily useful because it's harder to target only enemies, but the incidental fallout from an ordinary nuke seems like it would be more like that of a meltdown anyway. (The different timescales do lead to different distributions of product isotopes. I'm assuming that nuclear reactor products are probably not a whole lot more dangerous than bomb products.)
No. Bombs are designed to intensely affect a rather small area. You get a worse disaster by affecting a larger area less intensely over a longer period of time. But if the intensity of the damage is reduced too much, people will just ignore it. So it's a trade-off, but bombs aren't the worse, just the most dramatic. People were living in Nagasaki 50 or 60 years ago, without too much trouble.
A bomb involves a lot less uranium/plutonium than is in a power plant, so even though there's a huge amount of immediate radiation when the bomb goes off, the quantity of radioactive fission products that remain in the environment afterward is relatively small. They can be dangerous for a fairly short time in a moderate size area. A reactor meltdown is more able to contaminate large amounts of land for decades.
I think you're overestimating the "worst case" of a Fukushima sized plant self-destructing. It would probably take out less than the area of Iowa. The more you spread the fallout, the less significant it is as a hazard. Also, the more radioactive it is, the shorter its half-life. Note that dogs have been living essentially IN the Chernobyl plant ever since the area was evacuated. And they've survived rather well. (IIUC, their DNA is currently being studied to see if there have been ANY significant changes.)
A high background radiation level increases the risk of cancer, but so does inhaling fumes from coal/petrochemical oxidation. There's got to be a tradeoff point, but I don't know what it is.
P.S.: My "extrapolated worst case destruction" was sort of vaguely modeled on "grind up all the hot stuff and spread it evenly in a circle around the plant. But I didn't run any numbers. However I don't think that kind of worst case" could plausibly contaminate an entire continent. I just picked Iowa because it's compact in shape and about the right size (though a bit larger than my intuitive estimate of "worst").
P.P.S.: I don't consider nuclear plants safe, because they're too complex, have too many failure modes, and you need to consider management to be trustworthy over multiple decades of time. Also past history shows companies managing them cleverly going bankrupt just before they had to pay to decommission the plant. But this doesn't inherently make them worse than fossil fuel plants.
I don't really know what the worst case is but I'm not sure how much I'd trust someone's idea of an upper bound. I'm sure people have been confidently wrong before about how big a problem a black Swan might be.
FWIW, in the US the operators pay decommissioning costs into a trust fund ahead of time so that they can't get away with this last bit.
OK. That was based on reports from Britain. But it still speaks to the nature and intent of the management, even if there are reasons they can't get away with it...they'll try to come up with some other way to cut costs and shun responsibility for the results.
Agreed. Anecdotally, the sense I've gotten from people who worked in the US nuclear industry is that there used to be a lot more of that, and after the regulatory crackdown post-TMI, the utilities mostly really do put safety first. But there will always be exceptions.
Chernobyl is the deadliest failure of an atom bomb factory, which happened to be collocated with a power plant. It should not be part of the reference data set for "how bad can nuclear power (but not atom bombs) be?"
More precisely, the RBMK-1000 reactor used at Chernobyl was explicitly designed as a dual-purpose device to generate power and simultaneously produce weapons-grade plutonium. The severity of the Chernobyl accident was entirely due to design features mandated by need to produce lots of weapons-grade plutonium; absent those, it would probably have been another Three Mile Island.
Fukushima is as bad as we've ever experienced in sixty years of nuclear power generation. And the net effect was to make the Sendai earthquake about 0.01% more deadly than it otherwise would have been.
What if all the extra nuclear material needed for all the new plants makes it more likely that some falls into the wrong hands and they detonate a dirty bomb in a major city centre
I would refer you to the dirty bomb fact sheet from Department of Homeland Security:[1]
> It is very difficult to design an RDD that would deliver radiation doses high enough to cause immediate health effects or fatalities in a large number of people. Therefore, experts generally agree that an RDD would most likely be used to:
> • Contaminate facilities or places where people live and work, disrupting lives and livelihoods.
> • Cause anxiety in those who think they are being, or have been, exposed
IOW, dirty bombs typically make people move but don't tend to cause many casualties over and above conventional explosives. The interesting part of this is the anxiety element―terrorists know people will freak the hell out about a dirty bomb even if it doesn't kill anyone at all. So a terrorist would be most interested in a dirty bomb if they want to scare people more than kill people. I don't think Bin Laden or ISIS would've gone for that.
[1] https://www.dhs.gov/xlibrary/assets/prep_radiological_fact_sheet.pdf
What David P says, and if you don't trust government sources, here's the media: https://apnews.com/article/dirty-bomb-explained-6f2f3068620b83d57a72a52e7aaf1d53
If you spend half a century teaching the ignorant to be very, very afraid of Invisible Deadly Radiation, then yes, some people may use that as a way to spread fear and panic with a not-very-deadly thing. But it would take great chutzpa to set up all that propaganda and then say "because people would be afraid, we mustn't do that thing even if it's less deadly than the alternatives."
Maybe you missed the part where we were one lucky break from making the largest city on earth uninhabitable.
My thought experiment, my rules. But if you want to actually vary the severity of each incident according to what a magical-earthquake+tsunami-from-nowhere would actually do in each plant, you would have to also take into account that in most cases the entire electric grid wouldn't be wiped out, that some plants don't need electricity to avoid meltdown, that not every plant stores every emergency generator in the basement, most plants probably have better-trained personnel and safety culture than TEPCO, some plants have passive autocatalytic recombiners to avoid hydrogen explosions and minimize radiation releases, etc. So along with this "black swan" you should also have a lot of nothingburgers, where a magic earthquake + tsunami causes no meltdowns and just makes the plant unusable.
And as I said, RBMK is a specifically USSR thing; you simply cannot get the same runaway reaction rate in western reactors. Simply put, Chernobyl-type reactors were unstable by design, and the only thing stopping them from exploding was the competence of the operators. This design seems intentional: it made the reactor cheap! They used graphite moderator (cheap), light water coolant (cheap), minimally enriched uranium (cheap), a welded pressure vessel (cheap) and no containment structure (free). Western reactors typically use a more expensive arrangement with a single-piece pressure vessel (expensive), a containment structure with nuclear-grade concrete (expensive), and uranium enriched to 5% (expensive) to avoid the need for graphite. This last part is the most important; by using more enriched uranium, graphite moderator can be replaced with light water moderator, which negates the void coefficient of reactivity. This doesn't prevent meltdowns outright, but it does prevent rapid runaway heating that could cause an explosion.
The Fukushima reactors had multiple design flaws, but compared to Chernobyl, the explosions that occurred at Fukushima were almost harmless since they occurred outside the containment structure. The Fukushima situation was perilous though, and illustrates the value of newer reactor designs that avoid depending on electric power for safety. The best designs go a step further by avoiding the need for high pressure and water cooling. At Fukushima, fire trucks could not inject water prior to the meltdowns because the pressure inside the reactors was much too high. Water could come out of the reactors, but it was impossible to put water in. It doesn't have to be this way, though.
In fact, the very first reactor built at Fukushima had a passive safety feature to prevent meltdown in case of total blackout, but my understanding is that this system automatically turns itself off in case of total blackout ― this makes no sense so I've been hoping someone would come along to explain why it was built this way, but no luck yet. Moreover, TEPCO employees were unaware that the reactor worked this way and therefore shifted their focus to reactor 2, which (also bizarrely) had a theoretically (and actually) less reliable active safety system than reactor 1 even though it was built afterward. Again, I've been hoping to see someone explain how this "de-evolution" of design occurred but no luck yet.
Sadly mass media doesn't treat nuclear safety anything like airline safety. If it did, we would have lots of TV shows that explain what went wrong moment-by-moment and then explain (i) how many other reactors are vulnerable to the same problems, (ii) the recommendations that were made to ensure this does not happen in the future, and (iii) whether the recommendations are being implemented. TV shows about airline safety are like this; I have NEVER seen a show about nuclear disaster that covered (ii), let alone (i) or (iii). But to be fair, I've ALSO been waiting years for someone to explain why the MCAS system on 737 MAX planes only received input from one of the two AOA sensors, given that literally every fan of aviation disaster shows knows you're not supposed to do that. Do aviation engineers not watch these shows? WTF?! This is disaster avoidance 101!
"the very first reactor built at Fukushima had a passive safety feature to prevent meltdown in case of total blackout, but my understanding is that this system automatically turns itself off in case of total blackout"
This sounds like you're referring to the Isolation Condenser (IC) which is a passive heat removal system that circulates steam through a heat exchanger in a cooling pool above the reactor. It is indeed very reliable, and it did not automatically turn itself off, it was turned on and off repeatedly by the operators because it was cooling the reactor too fast. Unfortunately it seems to have been off at the moment they lost power to the controls. I have asked some experienced operators whether they could instead have throttled it partially open to get the right cooling rate continuously, and the answer was that they probably could have theoretically, but nobody thought they would lose DC power, so it wouldn't have occurred to them to bother. Even if it had been on, though, once power was lost they had no way to refill the cooling pool, so it likely would only have bought them a few hours.
"reactor 2, which (also bizarrely) had a theoretically (and actually) less reliable active safety system than reactor 1 even though it was built afterward. Again, I've been hoping to see someone explain how this "de-evolution" of design occurred but no luck yet."
Yes, in the later versions of the BWR, the IC was replaced with a pair of turbine driven pumps, a small one called RCIC and a larger one called HPCI. These are also generally very reliable, and do not require AC power since they are powered by the steam bottled up in the reactor. One advantage they have is that instead of just removing heat, they actually add water to the reactor, in order to help keep the core covered. The IC is good for a station blackout, but not much help if you get a leak in the piping or a stuck open valve that lets the coolant bleed out. In addition, the RCIC and HPCI pumps pull water from extremely large reservoirs that don't need to be refilled. In fact, at Fukushima, the RCIC and HPCI pumps at units 2 and 3 kept them cooled for a couple of days, eventually failing because (like the IC) there was no reliable DC power to the controls, so the operators couldn't adjust the flow rate, start or stop them when needed, or tell if they were working.
Your point about TV shows is a good one. I've watched the first few episodes of The Days, a new Netflix dramatization of the Fukushima disaster that is pretty factually accurate. But the technical aspects are handwaved a little bit because they're likely too complicated for a general audience to enjoy.
I remember seeing a show about this that said specifically that the operators believed the cooling system on Reactor 1 was working and therefore shifted their focus to reactor 2 which they considered higher-risk. They were confident enough about it that no one checked (e.g. no one looked for exhaust steam that should've been emitted outside the building). Thanks for the info on design tradeoffs between IC/RCIC+HPCI.
Chernobyl was actually close to as bad as it can possibly get - the core was literally blasted open to the air and on fire for days, and a large chunk of what could possibly leak leaked. It's within an order of magnitude of the worst possible accident for that size of reactor, AIUI.
(You could theoretically get a lot worse if you could disintegrate the entire core rather than just leaking the volatiles, but at that point the "failure mechanism" starts looking like "someone took a nuclear bomb into the reactor building and detonated it" rather than anything endogenous to the reactor, and at that point I think it's safe to call that "not an accident".)
I wrote a whole thing on this back in 2013. http://hopefullyintersting.blogspot.com/2013/12/fukushima-vs-coal.html
The short of it is that if every nuclear plant ended up exploding after 40 years we wouldn't be better off replacing coal plants with nuclear, but the numbers are closer than you'd think.
Oh I'll just give the punchline. Including things like deaths due to disruption of medical care during the evacuation the Fukushima disaster killed about 600 people or 6 per gigawatt-year of electricity generated. Coal in the EU averages 2 deaths per gigawatter year, or three times lower. Coal power in China is closer to 100 though.
Ahh, interesting. Your conclusion was that "it killed 1.8 people for each Gigawatt-Year". There are 8.766 TWh in a GW-year, so that's 0.2 deaths per TWh, over 100 times lower than coal's 25 deaths per TWh. Except, you *also* say that you have seen data that coal kills vastly fewer people than Our World In Data says it does. How odd! Any idea what's going on?
Anyway, your scenario is different from Meltdown World in that you keep the relocations. I say if meltdowns happen constantly you can't realistically have big exclusion zones everywhere; you have to let most people return home and estimate whatever excess deaths that would imply. Even here in our world, there is a paper that concludes that the population should not have been relocated, but this paper doesn't estimate how many excess deaths would've happened, it just estimates days of life lost.[1] This makes it harder to compare with other energy sources. However Fukushima reportedly killed over a thousand people due to the "trauma" of relocation, and my calculations indicate that the number of additional cancer deaths that would've occurred without relocation is less than this, so it doesn't take a genius to see that people should've been evacuated only, not forcibly relocated. For all I know, voluntary evacuation + distribution of iodine pills might've been enough.
Meanwhile, I've been expanding the above comment to a Medium post in which I do a more complete set of back-of-envelope calculations to re-estimate how bad Meltdown World is, and I came up with 14 deaths per TWh. This estimate is mostly pulled from my ass, and it looks like the paper your post is based on has a much lower estimate for deaths outside the exclusion zone than I was using, so I should have a closer look at that paper before publishing.
[1] https://www.sciencedirect.com/science/article/pii/S0957582017300782
An estimate made a fair while ago, and therefore perhaps a lower bound, is that nuclear has saved 2 million lives from air particulate pollution
Great review and a nice accessible primer on risk management in safety critical industries.
I do wish one point was driven in a little more boldly - probabilistic risk management is only as good as the team administering it. If your team is working with bad data, if your team isn't competent, or if management incentives distort the priority of maintenance work/budget - these are all failure modes that undermine the effectiveness of the methodology. I'm surprised that this wasn't covered in the Fukushima part!
I'm also curious about the regulatory landscape - what's binding the plant management to conduct the assessments and ensure that competent people are doing them? Who's reviewing your LOPAs (Layers of Protection Analysis) or mandating that you need to do them at all (or do the follow-up maintenance / improvement works)? Again, the methodology isn't cheap (monitoring and fixing every component is pretty pricey). If there is no license to operate tied to compliance, the management is basically free to ignore it. Not necessarily in the scope of the review but an interesting question nevertheless.
Might go read the book now, too!
"Probabilistic risk management is only as good as the team administering it" - I agree with this, but I think the author of the review drew a very different conclusion. Based on the last line, he seems to believe that probabilistic risk management is doomed to fail eventually (because of unknown unknowns) no matter what team administers it.
Well, of course. So will every other way of foreseeing the future. But that doesn't say whether it's "good enough". And the more common problem is poor administration and perverse incentives.
I think the problem with probabilistic risk management goes deeper than imperfect execution. PRA has no scientific backing as far as I'm aware (there's no evidence that PRA creates safer designs that alternative methods). Every institution that does PRA will have incidents in which something which should only happen once in a million years according to PRA stubbornly happened twice the same week in reality anyway. They will also have incidents where harm or serious risk of harm happened in ways that wasn't even considered in the PRA and in ways that are intrinsically hard to capture in a PRA, such as software failures, design mistakes, re-use of old subsystems that were safe in the old context but becomes unsafe in the new context etc., and a good argument can be made that most serious harm is caused by these kind of issues. Nancy Leveson is the person to read to get perspective on the criticism of PRA.
Thanks for the suggestion, I found this paper by Nancy Leveson: https://dspace.mit.edu/handle/1721.1/108601. Section 2.2 was particularly helpful for explaining some of the flaws in PRA.
What do you mean by ‘alternative methods’? One alternative method is ‘pay no attention to safety whatsoever and do everything as cheaply as possible’. I’m sure it does better than that.
What you describe is obviously not a method for safety engineering.
Alternative methods to PRA would be qualitative methods. There are plenty of qualitative methods for risk assessment and risk management described in the literature. See the paper linked above (https://dspace.mit.edu/handle/1721.1/108601) for an example and a discussion:
>There is very little scientific data validating probabilistic risk assessment or evaluating the methods for calculating it, particularly for complex engineered systems that include software and humans [32,33,34].
Thanks.
The reactor plant design engineering company does the analysis for a new plant, all of the data and models are given to the NRC who reviews them, challenges them and asks for additional information if anything is missing. After the plant is being operated the utility has to submit all the same information if they want to change anything and it goes through the same review.
That process is for meeting the deterministic regulations. PRA is done a bit less formally because it's intended mostly to "risk-inform" the safety efforts and shouldn't be necessary for ensuring "adequate" safety. The plant operator does the PRA analysis and gets it peer reviewed by outside experts to see how well it fits the ASME standard. The NRC looks over the PRA results and the peer review, and also makes it's own PRA model (largely based on the plant operator's data), and as long as they match reasonably well, it's considered good enough.
Lot of that "working with bad data" seems like it could be traced back to not having enough data points - that is, the way to make nuclear reactors safer is to build more of them, refine designs through iterative testing.
The problem I have with this entire area is that it is populated by rogues on all sides.
Radiation is the bugbear used by the anti-nuclear people:
Ignore the radiation from riding on planes, from nuclear testing, from mining, from burning and/or releasing fossil fuels, from natural gamma ray emissions on earth and from space etc etc. Ignore the deaths from nuclear as compared to literally all other energy sources. Ignore the carbon emissions (or lack thereof) from nuclear. It can release radiation! Boo!
It is perfectly fair to say that dismissing all radiation emission concerns/accident concerns is also ridiculous.
But ultimately, the true issue is being ignored. All sources of energy have tradeoffs vs. each other.
These tradeoffs are not being discussed even secondarily - carbon emissions or radiation vs. what any given society considers a priority.
Japan used a lot of nuclear because they literally have to import all their energy. They have no coal, no oil, no minerals to speak of, no natural gas, etc etc. The shutdown of all Japan's nuclear plants literally led to the return of oil burning electricity generation in Japan. Is that a win?
Massive installations of alternative energy electricity generation in Japan have not fixed their energy import problem; it has actually made it worse in conjunction with the nuclear shutdown. World Bank data shows Japan up to 2015 (its latest data) importing more energy than literally ever before as an overall percentage. EIA shows alternative energy providing all of 6% of Japan's energy supply even as the step up jumps in oil, natural gas and coal imports - pre 2011 vs. post 2011 still persist.
So is extremely expensive and carbon intensive Japanese imported energy worth the "safety"of nuclear plant shutdowns? That issue is not even in the discussion.
Who is making fun of anyone?
How many people died of radiation poisoning from 3 Mile Island?
How many people died of radiation poisoning from Fukushima?
These are very important numbers to compare to number of deaths from coal-based power plants.
If you ask the question on Google about victims of Fukushima nuclear disaster it lists over 19.000 deaths, but if you go to the quoted article it turns out those are mostly victims of tsunami (I remember that at the time seeing press coverage of nuclear disaster it was almost possible to forget there was tsunami in Japan). According to wiki, none died directly from radiaton and "at least six workers have exceeded lifetime legal limits for radiation and more than 175 (0.7%) have received significant radiation doses. Workers involved in mitigating the effects of the accident do face minimally higher risks for some cancers." Also, "Predicted future cancer deaths due to accumulated radiation exposures in the population living near Fukushima have ranged in the academic literature from none to hundreds." There are also deaths attributed to evacuation, especially among elderly and infirm. This is all tragic, but considering that Fukushima power plant was not exactly brand new, and there was a powerful tsunami and earthquake it could be also interpreted as fairly successful stress test of nuclear safety of places which are not exactly up to modern standards. Also contrary to claim I seem to have seen in the review it was all probably completely preventable and predictable:
https://carnegieendowment.org/2012/03/06/was-fukushima-accident-preventable-pub-47411#:~:text=Contrary%20to%20initial%20assessments%20that,accident%20was%20foreseeable%20and%20preventable.
We don't know.
There's no agreement about what danger (or maybe even benefit) present low levels of radiation exposure.
Partly because we just lack data.
Partly because most of those that we have (and works based on it) can't be trusted because those that produced it are hopelessly biased either for or against fission power.
(My rule of thumb would be to look at what the recently retired from the nuclear industry people are saying, sounds like the author of this book is one ?)
This makes it particularly ridiculous to try to compare deaths from wind/solar and nuclear. At least with coal we can try to compare the radioactivity released too, though even here : it's not like there's a single kind of radioactivity, even when talking about inhaled/ingested dust...
Sure, we don't understand the health effects of low dose radiation very well, but the linear no threshold hypothesis provides a reasonable upper bound, and allows us to know pretty definitively that there will not be thousands of cancer deaths as a result of fukushima. As Bartosz said above, the number could eventually be in the hundreds, or it could be lower.
Ok, that's fair enough.
Also, looking at the 2011 WHO report reminded me that looking at deaths only is perhaps too simplistic, there's also the much harder to quantify general misery that can happen due to sickness and other causes, including caused by the evacuation itself, which can be worse than radiation.
But coming back to this review, the problem with this is that the uncertainty is much larger for the events that haven't happened yet, like the example given how we narrowly (?) escaped a catastrophe several (how many?) orders of magnitude larger in Fukushima (and this *still* is a past event !).
Upper bound, yes. Reasonable? Hahahahahaha. No, it's not reasonable at all!
For low doses, LNT overestimates harm by multiple orders of magnitudes. It completely ignores the difference between acute and chronic doses. And at high acute doses, LNT massively underestimates the harm. LNT is dangerous nonsense.
For more details: https://jackdevanney.substack.com/p/lnt-is-nonsense
And what a sane radiation risk model would look like: https://jackdevanney.substack.com/p/a-sigmoid-no-threshold-primer.
Yes, LNT does not take dose rate into account. We know that a higher dose rate increases the damage, but we do not currently have a good model of that relationship. Jack Devanney imagines a specific nonlinear function from dose to cancer fatalities , and for all I know he could be right - but he has no data to distinguish it from a hundred other possibilities. We do know, from the Million Person Study on low dose chronic radiation effects (especially nuclear power plant workers and industrial radiologists) that there is a dose response relationship for certain cancers that looks vaguely linear down to about 25-50 mSv total dose. Below that, there's too much noise in the data to be able to tell.
https://ric.nrc.gov/docs/abstracts/daurerl-hv-w14.pdf
And although Devanney (at least in the article you linked) ignores this data and looks at just atomic bomb survivors, above about 50 mSv his sigmoid is pretty similar to LNT. So yes, LNT is *reasonable as an upper bound*. And the public fear of radiation that he is so upset by is just about as ridiculous under LNT as under the sigmoid model. Coming up with something provably better than LNT is difficult, and you shouldn't have to do it before you fix the way society treats radiation risk.
The article I linked is indeed very abbreviated. A more comprehensive look is available in his book available free online at https://gordianknotbook.com/. Specifically, section 4.6 discusses occupational exposures which covers most of the data from the presentation you linked above. It's not that long and I highly recommend reading at least that section (the entire book is worth reading).
Additionally, the slides you linked above get literally all their data from studies by the same people performed in the last few years. Devanney documents quite the sordid tale of bias in their work in favor of the LNT model despite very little support from the underlying data.
Over what time span? You've got to include that for the questions to have any meaning.
I'm rather sure that the answer would be "pretty low". More significant is probably "How many people lost their homes and livelihoods?", and I'd wager that would be a LOT higher.
Well written but lost me early. "Nuclear energy is perhaps unique as a technology, in that no amount of experience seems to change society’s comfort with it. The topic is forever radioactive."
If it said: "society's discomfort", it would be not less true. (plus "no change" kinda contradicts the next sentence: "Wellock sets out to tell this history, how the US public went from nuclear-lovers in the 1960s to suspicious in the early 1970s, hostile in the 80s, and ambivalent today..")
Only at the end it is mentioned that all other energy-sources are killing people, and all kill more by kw/h produced. I assume, it is clear, that not having electricity would kill billions, soon and ugly.
While the deaths by nuclear energy turned out to be in the same ballpark as meteors, one digit per year on average.
2. Worse: I did not really learn anything about "Probabilistic Risk Assessment". Except that the author seem to argue we should instead imagine the worst possible "dragon king" and (without probability?) see how we feel about it? - "What if we assume the maximum cost of a nuclear event is not $1 trillion for the Fukushima we lived, but $10 trillion for the Fukushima we escaped?" - well, what if we assumed the 1 trillion is a hundred times overblown? The deadliest thing about it was the forced evacuation of elderly, resulting in premature deaths.
3 Cat on fire? Kidding? Hell there are a thousand more likely ways to have a fire in a furniture shop. The sane way is to install alarms. fire-fighting equipment and fast exits. Plus a competent fire department not too far. All that is done in real life. One lesson of Fukushima was: Have rescue measures ready. But there was no radiation proof robot/remote vehicle to get inside, let alone do something.
Not sure what I should take away from this.
Massive forest fires are dangerous, therefore any sufficiently large forest is not safe enough and needs to be split into several small forests instead?
You could ask Canada what the preferred approach is. Reports are they aren't expecting their current forest fire to be contained until the rainy season. And you could ask the people in New York whether that is good enough.
This review is vague in places, there is a kind of “hint, hint“ quality to it at times. For example, in the beginning it says that the nuclear industry was faced with a “crisis,” which apparently was caused by the lack of accidents at nuclear facilities, something vague about the civil rights movement, and something (what?) people would discover thanks to the freedom of information act. So what was the crisis exactly?
This book is probably harder to review than some of the others because it seems quite technical. I can’t tell whether the vagueness in the review is caused by the difficulty caused by this technical nature or by the reviewer’s own opinions, which he or she suggests at but doesn’t bring out into the open.
Or take this passage: “"Safe Enough?" was not written as a defense of the Nuclear Regulatory Commission's regimented style. But as an outsider reading about the math for the first time, it became clear to me that once the NRC chose to implement Probabilistic Risk Assessment, an intrusive bureaucracy became its destiny.”
Any regulatory agency or commission is, by definition, an intrusive bureaucracy. That is literally the whole point. So what does “an intrusive bureaucracy became its destiny“ mean?
If I was to sum up this review it would be “analysts can make models that calculate the probability of nuclear accidents, but that isn’t sufficient because maybe we should always be thinking about the worse case scenarios”. The problem with that is that if global warming is as bad as we are expected to believe, we don’t have the luxury of thinking about very unlikely nuclear accidents.
As far as I am aware, by the way, at least part of public wariness about nuclear power is based on the inaccurate idea that a nuclear power plant can blow up like a nuclear bomb.
A regulatory agency or commission need not be "an intrusive bureaucracy". Sure, by definition, regulation "intrudes", but it need not be full of rules and reporting requirements. Of course, human nature being what it is ...
Is the timing of this related to the ongoing rumors that Russia have physically implemented a plan to sabotage the biggest European fission power plant (specifically by blowing up its cooling pond) ?
https://apnews.com/article/ukraine-russia-zaporizhzhia-nuclear-drill-856d616b63c7d3b48645fc55ad3b0853
https://www.thedrive.com/the-war-zone/russia-plotting-to-assassinate-prigozhin-ukraines-spy-boss-tells-us (<= part of the interview)
And blowing up the cooling pond is still probably one of the least damaging ways to sabotage it ?
That someone (with nation-state levels of means, not talking about small fringe groups) would be willing to do that is likely to radically shift the public opinion against fission power !
I'm really angry at this point that Macron has *still* not done an emergency press-conference, Johnson-style, about how the reaction to this kind of sabotage would be the same as for the use of nuclear weapons.
(And think of the opportunity to show yourself as a defender of Mediterranean (and Black Sea) countries in general, and Turkey in particular ! But I guess it's like when he ignored both of the nuclear issues in early 2022, despite their centrality in the UKR-RUS conflict... I guess this is what happens when you basically decide to get rid of your diplomatic corps to the profit of a small, inexperienced team that you have full control over ?)
Oh, and I forgot to point out that in less than 3 decades we went from the collapse of the URSS being unthinkable (and "brother nations" like UKR and RUS even more so) to... this.
It doesn't really matter what Macron thinks about this, unless he's prepared to nuke Russia in response. Xi and Modi would be another matter.
Why wouldn't he be prepared to nuke Russia in response ?
France has potentially more to lose here (the Mediterranean) than Britain did.
Because then Russia would nuke France? Can't imagine that any Mediterranean-related non-WW3 alternative is worse than this.
But then you could say the same thing about the use of nuclear weapons against a country that doesn't have any (or allied, like NATO's Article 5) ?
Kind of. It's basically a Schelling point, smallest tactical nukes are less destructive in some ways than some conventional munitions, but a bright-line consensus against using them prevented this so far. Sabotaging a nuclear plant is much more of a gray area, where it's not clear that there's a consensus about it, so it isn't in France's interest to unilaterally commit to escalation.
This review isn't clear enough to me on how that first report treated uncertainty : is the fact that it doesn't show up on the graph because :
- that was a propaganda operation deliberately misleading the public
- the scientists were incompetent
- and/or my assumption is wrong that if you would try to properly calculate uncertainty ranges across "cascade events" like these you are going to end up with ridiculously wide ranges for them ?
Another minor annoyance of mine is the improper use of units :
"triple the GDP of" should be instead "three years worth of (time interval X-Y) GDP".
(Also GDP hasn't been a good indicator of "wealth" for like half a century, but that's another issue...)
I was a licensed reactor operator in the late 70’s. What I remember was the NRC analysis saying that the “maximum credible accident” would cause 0.1 % fuel rod damage. At Three Mile Island the fuel rod damage was an order of magnitude higher. So much for “science”.
Clearly the industries and its apologist were full of shit. Unfortunately we still need energy and fossil fuels are a suicide pact. Thank goodness that solar and wind seem to the answer. (Oh, and in 20 years in the future there will be fusion of course)
I REALLY, REALLY, REALLY want controlled fusion, but I'm quite dubious about it's utility down here on Earth. What I want it for is mobile space habitats, and for that "20 years from now" is fine.
As for Probabilistic Risk Assessment, the method is fine, but it's so complex in application that it can't really be applied. Only estimated. and your "NRC analysis" is saying that the estimates were made using perverse incentives. I prefer to think of it as "Probabilistic Risk Containment", i.e. when you get an number, you know the risk will be at least that high. You don't know the maximum, because there are always things nobody thought of or considered important.
Why would fusion be easier to achieve in a mobile space habitat than on earth?
Fusion that is cost effective relative to the other options would be a lot easier to achieve, with only fission for competition
OK. I was really thinking of mining the cometary belt (and beyond) for fuel, and uranium is scarce compared to hydrogen.
This would have been prior to any wide application of PRA. People just kind of decided on the Maximum Credible Accident based on engineering judgment, which I guess is not technically the same as "vibes".
Will there be fusion? What reason is there to say there will be fusion in 20 years that there wasn’t to say ”there will be fusion in 40 years” in 1980? I do not know anything about it myself, but have heard some scientist say that the problems with fusion are enormous and there hasn’t been much progress there.
There are lots of companies with plausible sounding designs and plans to build prototypes in the next 10-15 years. There are definitely still technical challenges, like reprocessing of lithium blankets to recover helium 3, but there have also been big advances. I think some of the movement is due to stronger magnets permitted by better high temperature superconductors.
There was a great ACX book review last year about the various fusion prospects.
There will be fusion. There will not be economically useful fusion for a long while it looks like.
Sounds like you might be referring to the emergency core cooling system (ECCS) criteria, and it would have been true, except the crew at TMI turned it off over a misplaced fear of filling the pressurizer solid.
I seriously doubt that in a worst case Fukushima event evacuation of Tokyo would have been NECESSARY (i.e. a significant portion of the inhabitants would have experienced severe radiation sickness or death if left in place).
I think we would merely have CHOSEN to evacuate based on current exposure limits which is the problem in the first place. Btw. this same attitude also killed a bunch of people in the real Fukushima event as the evacuation proved way more lethal than the radiation.
Does anyone know the actual predicted does rate in Tokyo this claim is based on?
I think the dichotomy between necessary and chosen is mostly false. A nontrivial exposure to radiation (e.g. at least on the same order of magnitude as the yearly natural background radiation) will likely lower the expected number of quality adjusted life years by some fraction. Depending on the expected amount of QALYs lost per inhabitant, it might be preferable to evacuate them or not, that is a mostly political question where both extremes ("Evacuate Tokyo to save a single radiation victim" and "let half of the population die of radiation poisoning and another quarter of cancer within a decade") are very silly but in between them there would be some room for debate. Of course the exact amount of radiation exposure expected is not known beforehand. And also, we are not on dath ilan, so in practice the correlation between the danger to the population and the response might be rather small.
The point is, I am pretty sure that there is no plausible scenario where Tokyo could have gotten enough fallout to make an evacuation even close to worthwhile by any reasonable metric, be it QUALY, DALY, cost or whatever. This is unfortunately mostly based on intuition and extrapolation from Chernobyl, so I am interested in the actual predicted radiation doses to confirm or refute this. What is clear is that the evacuation that really did happen was nowhere close to reasonable and very close to what you describe above as "very silly"
Had the same doubt while reading.
Indeed.
One important factor in understanding the switch to probabilistic risk assessment is that back when it was introduced US power was run as a series of regulated monopolies allowed to set their rates to profit at a cost-plus basis. In circumstances like that there's always a temptation to increase one's costs as much as possible, since a 10% profit on $10 billion in costs is more than a 10% profit on $1 billion. So the regulators always have to be looking at the proposed safety schemes the utlities are coming up with and saying "nice try" when PG&E comes to them with a plan to bury all their power lines or something.
But with nuclear the power companies saw a chance to get laws enacted which would drastically raise their cost structure, allowing them to legally raise their rates and profit more. So you had a sort of bootleggers and baptists coalition in favor of applying unprecedented safely regulations to nuclear power, aiming not just to reach a certain level of safety but to make it as safe as possible.
Aren't more than half the states in the US still cost-plus?
I remember reading some article, where cost-efficiency of safety in some industry was highly unfavorably compared to that of nuclear-powered aircraft carriers, "staffed by lightly-trained 18-year olds". Nuclear power usage by the military does seem to be unusually competent, despite presumably being pretty challenging, and rarely ever does anybody pay attention to it.
Secrecy (plus leaking into the ocean, rather than on land) could explain this.
A melted reactor doesn't work anymore. It would be really difficult to keep it a secret if an aircraft carrier or even a submarine were suddenly removed from service. You are correct that you don't ever hear about the stuff that does go wrong where a commercial nuclear site would have to tell everyone, but really there aren't a lot of serious problems in the nuclear navy.
"The Tokyo metro area has a GDP roughly twice the Paris metro area, so a $10 trillion estimate is not nuts, though truthfully the people of Japan might simply decide to just live with the fallout rather than pay that figure."
So the figure actually is NOT $10 trillion but just a small readjustment in life expectancy.
Based on radiation effects I've heard of that readjustment might even be net positive. But people would be very stressed which might negate that even in terms of life expectancy. It sounds like stress is the number one negative factor for Chernobyl survivors, beginning with the fact that they are classified as survivors
Great review. This raises a question for me. Does anyone know if hurricanes are cascades? I.e., is there any theoretical reason that a hurricane couldn't have winds of 500 or 1000 mph?
As an order of magnitude check, I just looked up the wind speeds in the Great Red Spot on Jupiter: 400 mph.
So high speeds in cyclonic storms don't seem to be ruled out a priori, but I would guess there's something like an exponential negative feedback mechanism that in practice keeps things a bit more in check.
There's a theoretical upper bound on hurricane intensity, a function of sea surface temperature, tropopause temperature, and atmospheric relative humidity. The very strongest storms seem to reach this limit.
OTOH, a related issue is the maximum amount of rain that could possibly fall at a given location in, say, a 24-hour period. Standard hydro engineering assumes there's a limit, and that it can be estimated from historical events with useful accuracy, but there's no theory that provides it and nobody knows for sure.
The problem with traditional designs like the LWR and BWR is that they don't fail safe if the cooling system fails. After shutdown, you end up with too much excess heat that can't be dissipated without an ACTIVE cooling system that needs to run for a few hours, or maybe a day or two for the biggest plants.
That's it -- that's the engineering problem that needs to be solved.
You can't fix this with layers of bureaucracy, complex mathematical modelling, or lots and lots of redundancy. That's the lesson of Fukushima and Three Mile Island.
And that you need to make your active cooling system capable of standing up to a tsunami, and don't skimp on safety measures just because 'that seems excessive and will make the public worry about how safe this plant is'.
That's another lesson of Fukushima.
Well, in places where there are tsunamis.
Ah, yes, but you expect (or should do) tsunamis in places where there are tsunamis. Building a tsunami-proof design where there *aren't* tsunamis is the tricky bit.
I do think part of the problem with the 50-70s reactors was that we just didn't have the materials/tech to solve the problems. *Today* we know the problems, due to the past, and know How Not To Do It Like That, but when you're in the days of "foam rubber sealant" well things aren't that able to stand up to the demands of "it'll never happen/oh crikey it just did".
Japan seems like a particularly problematic place to have nuclear reactors.
I hope they also have better safety culture. I was struck by the incident described where some people thought it was a good idea to have a live flame at the plant (to test the air flow).
They had multiple levels of backups: batteries; diesel generators, even a gravity-fed cooling system that could operate without power. If you're really interested there's a writeup here: https://spectrum.ieee.org/24-hours-at-fukushima
Thanks, nice article. (By “they” I didn’t mean the Japanese specifically, I just meant in general nowadays, the candle was at the Brown Ferry plant)
There were a lot of things they could have done better, but I think the lesson is that a system that requires active cooling for a long time after shutdown simply isn't safe. You're basically saying if the power ever goes out, everyone's dead.
Molten salt reactors don't require active cooling after shutdown. But to get them we'd have to give money to engineers rather than bureaurats, which I guess is impossible these days.
In fairness, some startups are building scaled-down LWR/BWR designs that don't have the "requires active cooling after shutdown" problem -- but only because they're small.
LWR is a great design for a small submarine power plant, which is the actual original use-case it was designed for.
The AP1000 is passive too, so it can be done in a large LWR. The main reason everyone wants to develop scaled down designs is to reduce construction costs through mass production/learning curves. It remains to be seen if this will work.
"the lesson is that a system that requires active cooling for a long time after shutdown simply isn't safe. You're basically saying if the power ever goes out, everyone's dead."
You might as well say an airplane that requires working engines to stay aloft isn't safe. It's a safety concern that requires an engineering solution, and whether the system is safe depends on how well it's implemented.
The point I was making is that there are designs which don't require active cooling for a long time after shutdown, like molten salt. We should invest in them.
Also, airplanes aren't perfectly safe, and flying craft that can't glide after losing engine power (like helicopters) are much more unsafe. So your own analogy supports my point.
Safe for whom?
The active cooling systems is necessary to prevent the reactor core from melting itself to slag. A reactor core melted to slag is a billion-dollar loss to whoever insures or owns the reactor, because they needed a nuclear reactor and now they don't have one and a replacement will cost a billion or so dollars.
But the molten slag that used to be a reactor core is inside a structure of steel and reinforced concrete that is designed to contain a melted-to-slag reactor core without letting any of the slag out. So long as that part of the design is sound, and assuming you aren't personally involved in the nuclear-power insurance industry, why do you care?
It is possible that the design of the containment vessel is unsound, but that *is* the sort of problem you can fix with layers of bureaucracy, complex mathematical modelling, or lots and lots of redundancy.
That's not how it worked at either Fukushima or Chernobyl.
There are at least two reasons why it can't work that way:
* The residual radiation releases hydrogen gas from the water, and hydrogen gas + constanly increasing core temperature = dirty bomb
* If the fuel rods melt into slag, the result may be an unfavorable geometry that leads to further nuclear reactions
Hydrogen gas can be vented; pressure relief valves are a known and highly reliable technology. And so long as you're dealing with a light-water reactor, there shouldn't be an unacceptably dangerous level of radiation in the hydrogen (or steam, or air).
And so long as you're dealing with low-enrichment nuclear fuel, there is no geometry that allows nuclear reactions without a moderator. If the only moderator you have in your containment vessel is water, then either the corium slag is mixed with water (in which case the temperature can't be above the boiling point of water), or there's no nuclear reactions occurring.
Almost all nuclear power plants use low-enrichment uranium and light-water moderator. Plutonium breeder reactors designed for use in nuclear weapons programs are a different matter, which is why we got Chernobyl (and, for that matter, Windscale)
I agree that the Chernobyl and Windscale designs were much worse than the Fukushima designs.
Ultimately, though, the hydrogen gas at Fukushima wasn't vented soon enough, and it did explode, spreading radioactivity.
The main approach to safety with current reactors is indeed to prevent core damage in the first place, or stop it quickly after it starts like they did at Three Mile Island.
Once the core has melted, as we saw at Fukushima, it is quite difficult to contain the steam pressure that tends to build up in the containment vessel (even if hydrogen is controlled successfully). If you have AC power, you should be able to spray in water to cool and condense some of the steam--but this also increases the risk of explosion, because it raises the effective hydrogen and oxygen concentrations. Otherwise, you can try to vent, as they tried to do at Fukushima, but the containment vessels were not really designed to vent in an emergency, because that releases a bunch of fission products into the atmosphere.
Assuming you manage to prevent containment failure from overpressure or combustion, there is still a risk that the core will melt through the basemat and contaminate the groundwater, which is less of a problem for the local population than releasing to the atmosphere, but still not great. All in all, it's estimated that about half of core damage accidents will eventually result in some form of containment failure.
Preventing the core from melting is definitely plan A. But Three Mile Island had about half the core melt down, and the only thing that escaped was some mostly-harmless gas vented to relieve the pressure. And that is definitely something reactors are designed to do in an emergency, because it's better than the alternative. Though I believe they typically vent through a pool of water to condense and capture any steam or low-volatility products that might get caught in the gas flow.
Fukushima was a bit worse than that, because the tsunami wrecked so much of the external safety equipment (including I believe some of the purely passive stuff). But we already knew that a 9.0 earthquake off a populated coastal area was going to break things and kill people; if having a nuclear power plant in the way increases the lethality by 0.01%, your response should not be "OMG, no nuclear power ever!" but "Why are we building cities right next to major fault lines again?"
In the US, most of the BWRs were required to install hardened vents after Fukushima (hardened meaning they should still work when everything is covered in radioactive steam), but they successfully argued against the filter-through-a-pool-of-water thing on the basis that it wouldn't pass a cost benefit analysis. In some other countries, filtered vents are standard. The PWRs are not required to have venting capability because their containment vessels are larger and don't overpressurize as quickly.
I agree it's important to keep the risks from nuclear power in perspective. Accidents can be very costly but generally not very deadly. Incidentally, we are all involved in the nuclear insurance business via the Price-Anderson Act that limits the industry's liability to $13 billion and makes taxpayers the insurers of last resort.
BWR is typically an acronym for Boiling Water Reactor, the other type is a PWR or Pressurized Water Reactor. Both of these are LWRs which stands for Light Water Reactor since they use water as the coolant and moderator, and the light part means regular water as opposed to the heavy water reactors which use lower enriched or even unenriched uranium but use deuterium (heavy water) as the coolant and moderator.
The problem isn't excess heat, that would be easy, the real problem is decay heat, and it is significant. Decay heat is the heat generated by the decay of fission products. While operating at power approximately 7% of the heat is generated by the decay of fission products. An easy thumb rule is that decay heat drops in half for every time unit change, 3% after 1 second, 1% after 1 minute, 0.5% after an hour, etc. The large units are still producing more decay heat after being shut down for a month than a nuclear submarine at 100% power.
Ooh I like that rule of thumb, I've never heard that before.
Yeah, the engineers will get real accurate numbers when needed for things like estimating time to boil in the spent fuel pool after a core offload, but for operators that just need a rough guess it works surprisingly well. Always good to have a very rough estimate so when someone gives you a number, you can make sure it's in the ballpark for what you expect or not.
The curve in the Rasmussen Report suggesting that the dangers of nuclear power are on par with meteor strikes seems like bullshit to me. If your model says that the death due to nuclear power per year are effectively nil, then it might be a good idea to consider how confident you are that your model captures reality correctly in the relevant parts. If you allow even a modest 1% chance that non-modeled conditions cause a big accident, then that part will simply dominate your estimates. [0]
---
> There are about 40,000 generations of neutrons every second.
That is 25us, which is less than a thermal neutron would need to diffuse from the moderator to the fuel. The number is correct (for light water reactors) because a significant fraction of fission events are caused by not-quite thermalized neutrons. [1]
> The known speed of these feedback loops is probably a source some of the public’s hesitation around nuclear energy - one of the public’s Bayesian priors, if you like to frame it in terms of logic.
That is utterly wrong. I don't think we could implement a control rod reacting within 25us. The reason why we can control nuclear reactions at all is that there are two groups of neutrons:
* prompt neutrons are emitted when the fission happens, and make up more than 98% of the neutrons
* delayed neutrons are emitted some time after the fission, the emission half-life is on the order of 0.2-60s.
A situation in which the prompt neutrons alone can further the chain reaction is called prompt criticality. Anyone who runs a reactor into prompt criticality is going to have a bad day. In general, nuclear reactors make rather poor nuclear bombs (where the neutron generation time is much shorter, likely less than a nanosecond), but depending on the particulars of your reactor (void coefficient) you may generate enough energy to blow up containment before something decreases your reactivity.
The correct way to run a reactor is to avoid prompt criticality. Instead, you rely on the ~1-2% delayed neutrons to get to neutron multiplication factor of one per generation. The delayed neutrons react on a time scale which is long enough that you can compensate with your control rods during normal operation.
---
Footnotes
[0] Also, I think using impact events as a baseline for "least threatening" is kind of rich. Impacts may kill much less individuals than tsunamis, but they can take out species. If I was one of the 75% of species wiped out in the KT impact, I would not not just be sad at the lives lost directly, but also at the glorious Cretaceous being cut short, preventing many generations of my species from existing.
[1] https://www.nuclear-power.com/nuclear-power/fission/prompt-neutrons/prompt-generation-time-mean-generation-time/
Thank you. Well done. Technically accurate but explained in a way most people could understand.
I've been on a CANDU reactor kick and one of the interesting things is that they have a reputation of being something that would have weathered Fukushima yet they do have a slight positive void coefficient. It's claimed that spring assisted electromagnet damping rods and a chemical neutron poison combine with the sideways geometry that kills reactivity as soon as the channels start to bend from overheating makes this fine but I wonder what your opinion on it is?
I really don't know a whole lot about CANDU, I work with someone who worked on one, and the very little I know, they sound great. I really don't see how they would fair better in a complete loss of power scenario though. The reactors at Fukushima shut down just fine, immediately after the earthquake, about an hour before the tsunami. This wasn't a reactivity or reactor power problem. The problem was that Fukushima lost all AC power and most DC power too. Decay heat needs to be removed, without cooling, after some time, the fuel will melt. I don't know of anything different about the CANDU reactors.
I will say, the size of a generator needed to establish and maintain decay heat removal really aren't that big. Fukushima was unfortunately such a large area of destruction from the tsunami they couldn't get a generator helicoptered to them in time.
Fukushima Daini plant survived because they had one AC power line available that the drug cables to provided enough power to remove decay heat.
The theory I'd heard before is that the large calandria around the CANDU pressure tubes would handle a lot of heat, giving the extra margin to avoid a release
However apparently because the tubes are small they can be passively cooled indefinitely if you can get water into the boilers and a CANDU plant actually has survived a Fukushima equivalent situation without damage in a tight situation - https://www.reddit.com/r/nuclear/comments/14osj9u/comment/jqf7jo9/
I really don't know anything about the CANDU reactors, nothing. That reddit post sounds no different than most of the Pressurized Light Water Reactors both Navy and commercial. Very familiar plan for a loss of power. what they call boilers is what we call Steam Generators, just a difference in terminology. PWRs (light water) would do the same thing, vent the Steam Generators and try to add water in any way possible. Typically, there is a stem driven auxiliary feedwater pump. so instead of just venting the steam generators to atmosphere immediately, you use the steam to run a turbine driven feed pump to add water back, the steam after it leaves the little turbine is vented to the atmosphere. This can work for a while as long as you don't run out of water or steam (BWRs have a similar thing but can't just vent the steam). I'm guessing that this is what the CANDU poster was talking about, using the steam driven turbine pump to add lake water after they ran out of purified water, but I'm not positive.
Apparently, they had some form of power as the backup to the backup, you never hand carry water in buckets, but a smaller generator can be used, one of the changes after Fukushima was that every site in the US built a hardened dome with smaller trailer mounted diesel generators and trailer mounted pumps, and all the cables and fittings needed to connect them.
Fukushima Daini could have ended up just like Fukushima Daiichi, but they still had one high voltage line survive, they managed to drag the big cables around, use equipment for moving water that wasn't designed to be used and use alternate sources of water. Story I read was that the person in charge there had been an operator since the initial construction and knew where a pond was that they had used during the construction flushing and used that water for cooling.
Fukushima Daiichi and a lot of other boiling water reactors have a lot of water in the torus, the doughnut shaped part around the drywell. They also have an auxiliary feedwater pump, turbine driven that both takes a suction on that water and uses it to condense the steam from the turbine. The people I knew that understood BWRs were intensely focused on the TEPCO reports that had drywell temperature because that was the limiting factor. Once it got too hot, they needed to add more water and vent the torus, or the pumps would lose suction (can't pump steam). Units 2, 3, and 4 had that system and survived approximately three days.
Fukushima Daiichi unit 1 was different, it had an isolation condenser, a heat exchanger where the primary water went through tubes in an outside tank with just regular outside water that could steam to atmosphere and have any kind of water added. Unfortunately, it worked too well, and they turned it mostly off after the earthquake (it was cooling the plant too fast) but before the tsunami and didn't turn it back on or add more water. When unit 1 exploded, it undid everything they had been working on to add water to units 2, 3, and 4, and made the conditions for working much worse and they never recovered. Tragic.
Anyway, I can't stress enough that I know nothing about CANDU, extremely little about BWRs, and precious little about traditional PWRs. That said, I know more about those topics than I do about fashion, finance, medicine, or relationships, otherwise I would do my normal lurk without commenting.
I'm not smart enough to edit, second sentence should have been: both Navy and commercial, not but Navy and commercial. Apologies.
I second Neutron Herder's accolade. Well done!
One special exception to:
"Anyone who runs a reactor into prompt criticality is going to have a bad day."
From https://ansn.iaea.org/Common/documents/Training/TRIGA%20Reactors%20(Safety%20and%20Technology)/chapter2/physics22.htm
"Uncontrolled prompt criticalities should obviously be avoided. However, with specially designed fuel like in the TRIGA reactors they are initiated deliberately in pulsing the reactor."
( If I understand correctly, this is possible because of a very large and very fast negative
temperature coefficient of reactivity from zirconium hydride intimately mixed with the
uranium fuel. )
"Anyone who runs a reactor into prompt criticality is going to have a bad day."
This is pretty much what happened at Chernobyl. Harder to do with the reactor types we have in the US, fortunately.
SL-1 went prompt-critical, but that was a long time ago.
Yeah, and that experiment is the reason nobody after that built reactors with just a single control rod
A good review, which explains why caution around nuclear power isn't just ecohippy nonsense, and why it is a good resource if we are careful how we operate it.
How do you figure that second part?
I think it’s popular to take a stance (which I also endorse to some extent) that abbreviates to “the environmentalist movement did more harm than good by not embracing nuclear”.
I think there are some potential flaws in this position though. As a statement at Simulacrum Level 1 (objective claims about the world [1]) it’s true as far as I can tell.
However it seems perhaps naive considering Simulacrum Level 3 (honest statements about political/social coalitions). I suspect there was not a stable political coalition that could have formed in the 50s-70s around “environmentalism + nuclear”. One could hypothesize a “homo rationalis” that just evaluates the evidence and decides it’s good policy to invest in both renewable energy and nuclear as a transition off fossil fuels. But in practice what actually builds a movement/community is uniting around a common cause, and I’m not convinced that there was actually a story to weave those two communities together; nuclear power post-war seems to have been a techno-futurist high-modernist optimistic movement, and environmentalism more of a doomer anti-technology/development vibe (not trying to strawman / deprecate here, meaning these in neutral sense). So given that I struggle to see a path to a stable, strong, cohesive “pro nuclear environmentalist” movement actually forming at the same level of engagement as our current environmentalist movement.
I am aware there are pro-nuclear environmentalists it just seems a somewhat niche/nuanced position to take, and not something you can fit on a bumper sticker, which suggests to me it’s not memetically viable in the same way as our current environmentalism.
Another point in defense of the environmentalists - their “no nuclear / all renewable” vision was in fact cohesive and sufficient to solve the problem of climate change. If we had actually ended the massive government subsidies for fossil fuels and instead pushed them into renewables, we’d have reached our present point on the technology learning curve many years ago.
My opinion is that nuclear built 10-20 years ago would have been the optimal path, but from where we are now solar and wind look so cheap that I struggle to find nuclear worth the indigestion. There was a lot of doubt that a mostly-renewable energy mix wouldn’t work, batteries/storage too expensive, etc., and it now seems that all-renewable is more viable than we previously forecasted [2],[3]. Given our inability to do any major construction projects in the US on time and on budget, large scale nuclear just doesn’t realistically synergies with our current capabilities.
1: https://www.lesswrong.com/posts/qDmnyEMtJkE9Wrpau/simulacra-levels-and-their-interactions
2: https://reneweconomy.com.au/a-near-100-per-cent-renewables-grid-is-well-within-reach-and-with-little-storage/
3: https://emp.lbl.gov/utility-scale-solar/
Some environmentalists have been pointing out for a long time that nature/biodiversity itself isn’t affected significantly by moderately elevated radioactivity. It doesn’t destroy habitats. Animals don’t know they have an elevated cancer risk, most of them die of other causes before that becomes relevant and natural selection takes care of the bad mutations.
One thing I notice about the all-renewable forecast you linked to is that the majority of the power is from wind, and (for the year they show the data) wind never had a week where it was below 50% of its average capacity factor. It's not surprising that solar would be more reliable in Australia than it is most places, but I'm surprised that's also the case for wind. In general, I would want to see a detailed critique of this simulation's assumptions and applicability before I treat it as much evidence about the grid mix we'll need. That said, I don't see anything obviously wrong from the summary, so that's promising.
Yeah the environmental movement is just absolutely rife with people who are fundamentally Luddite’s. Hate society, hate technology, and only want solutions which are granola.
Peak oil this and that. I was once working on an environmental campaign were we were against hydro and nuclear. Fucking idiots.
Is it deeply difficult to design a plant that turns itself off by default unless active measures are maintained by workers to keep it on? I know that molten salt designs use an actively cooled ice plug that automatically drains the reactor if there are failures. Do Gen 4 water reactors still have these problems?
I think most new reactors are built so that there's passive circulation, you can have no power to the plant and water will circulate by the decay heat in the core. The BWRX-300 should be a-ok for 7 days and even at that point all you have to do is get water into its reservoir
Russian, Chinese and Korean modern plants don't have comparable features but it sounds like the Indian heavy water reactors are almost as safe as ones with fully passive cooling. You still have the potential of something causing loss of coolant but the likelihood of some force of nature causing that seems to be on a level where the additional nuclear damage would be incidental to the event
Molten salt automatic fuel drain should by rights revolutionize safety regulations since it just seems literally impossible for an event to happen with consequences beyond the plant. Routine corrosion causing in plant radiation leaks could be an endless headache though. If I understand the heavy water reactors well enough it seems like they could end up as the dark horse in the long run as they can actually run thorium which is why India is going forward with them, and the safety seems to slot in between large light water and Gen 4 fully passive SMRs and alternative reactors. Then their better proven costs could win out over the additional safety
Think of it this way, it's incredibly hard to get a self-sustaining nuclear reaction. It really is. Any number of things will fail, and the reactor will not be able to maintain a self-sustaining nuclear chain reaction. The most basic summary of training is that reactor power follows steam demand (from the steam generators on the secondary side). If steam demand goes down, more fission heat than is removed from the turbine demand, temperature in the reactor coolant goes up. higher temperature means more distance between parts of water, means more neutrons leave without causing another fission. Reactor power goes down without any operator actions.
Interestingly, it's the opposite for boiling water reactors: instead of reactor power following steam demand, steam supply follows reactor power. If you try to get more electrical power by opening the steam valves wider, without first raising reactor power, you reduce the pressure, which causes more of the water to boil, and the increased void in the reactor reduces power. Then that causes the pressure to fall even faster. Conversely, if electrical demand goes down and you try to throttle the steam valves, reactor power will go up. This positive pressure coefficient of reactivity creates positive feedback, which is compensated only by a fast-acting pressure control system. In practice I don't think it's much of a danger, but it sure sounds precarious.
Yeah, I've never learned much about the BWRs, I learned to say Startup Rate, and they say Reactor period. There is so much I don't know. If I wasn't too old to learn new tricks, I might make an effort to work at one, just to learn something new. The BWRs do seem to have much higher generator output and the in the PWR world, we really don't like anything beyond nucleate boiling, but apparently, the upper portions of their fuel are in nothing but steam, saturated steam (wet steam) to be sure, but since day one as a PWR sailor I was taught that even wet steam was seconds from disaster territory. Every day I learn more about how much I don't know!
The problem isn't stopping the fission; that's easy to make failsafe and everyone does it. The problem is that a substantial chunk of the power from a nuclear reactor comes from radioactive decay of fission products, and you can't turn off radioactive decay - all the fission products in the reactor core when you turn it off *will* continue to decay (although no new ones will be added, of course), and that means the reactor core will continue to generate power for weeks. If you can't get that power out of the core, well, the core will melt. It is possible to design a reactor such that the power can get out of the core fast enough to avoid a meltdown without active effort on your part, but it is not possible to take a reactor to near-zero power in any kind of rapid timeframe.
Spitballing here since I’m out of my depth, but a simpler solution for the first kind of errors (not those caused by tsunamis), is to keep organizing small incidents in your nuclear power plant every year instead of probabilistic risk assessment which is killing the industry by miring it in bureaucracy. In software, you regularly manually switch off servers, kill connections to stress test your system and check if the engineers are prepared to handle these issues. I suppose something similar can be done for nuclear power, start a fire randomly through the year to ensure engineers are prepared and ready to do what’s needed. I know the navy does similar drills.
>"I suppose something similar can be done for nuclear power, start a fire randomly through the year to ensure engineers are prepared and ready to do what’s needed. I know the navy does similar drills. "
With nuclear power plants, it's preferred to do this stuff in simulation, both for safety reasons and because it's so expensive to shut the reactor down (the navy doesn't mind doing a reactor trip for practice now and then).
>"instead of probabilistic risk assessment which is killing the industry by miring it in bureaucracy"
To a large extent, PRA is implemented as an attempt to reduce the burden of regulation. If plants can show that the level of risk is low enough, then they can make certain changes without a license amendment, leave failed emergency systems out of service until there's a good opportunity for maintenance, and that sort of thing. It saves them a lot of operational expense, at the cost of doing some extra analysis.
> Is nuclear still safe enough then?
You just said the cost would have been pennies per kWh, so if the cost is 10x, it's now dimes per kWh, right?
Interesting review. I completed my doctorate in nuclear engineering, focused on the safety aspects of one particular reactor design, and yet this is the first I've read about when PRA became king.
That being said, I think this review gives too much credit to both the cost of PRA and the competence of the NRC. While I'm sure that PRA greatly increases the design and cert costs of new reactors, I don't believe it's responsible for us choosing to build reactors with the QC requirements - and thus cost - of space ships. Nor is it responsible for the NRC requiring that the PRA analysis must report that the reactor will kill negative one people - as opposed to perhaps 10 or 20 - over its lifetime.
And speaking of the NRC, right now they are going to universities and asking for help to determine whether the NRC itself has the competence and tools to even evaluate a new reactor design.
>I completed my doctorate in nuclear engineering, focused on the safety aspects of one particular reactor design
Do you mind if I ask which one?
>While I'm sure that PRA greatly increases the design and cert costs of new reactors, I don't believe it's responsible for us choosing to build reactors with the QC requirements - and thus cost - of space ships.
If that's how it came across then there's a problem with the way this review is written. The quality assurance requirements long predate the use of PRA, as do most of the other deterministic requirements. PRA has relatively little effect on the design and licensing costs, as far as I've been able to tell (but I would love to hear from people who have gone through this process).
>the NRC requiring that the PRA analysis must report that the reactor will kill negative one people
I don't know what this could mean?
HTGR, MGHTR type reactors in particular. Experimental work on what certain design basis accidents might do to the graphite. In short: nothing really, nuclear grade graphite is really really good. Although soft and very messy.
As for the negative one deaths requirement, that's always been my description of the NRC's requirement that every reactor design be more safe than the last, despite US commercial reactors killing zero people. Zero deaths is simply isn't good enough, they must kill -1 people.
I wish there was a dislike button. It's a great pity to see this blog associated with the misinformation in this post, though I appreciate the open book review contest format and freedom of speech, etc. Perhaps Scott should add disclaimers highlighting any dangerously misleading claims made in book reviews?
To address this specific case, there is no possible world where the Fukushima accident could have led to Tokyo needing evacuation. It's the kind of claim that is great for making Neflix 'documentaries' more exciting but doesn't really deserve much attention in the real world.
A quick google seems to confirm that there was a risk of needing to evacuate Tokyo? NYT has an article on it, going through a report from an independent investigation in 2012, and saying that "The report seems to confirm the suspicions of nuclear experts in the United States — inside and outside the government — that the Japanese government was not being forthcoming about the full dangers posed by the stricken Fukushima plant", "The report quotes the chief cabinet secretary at the time, Yukio Edano, as having warned that such a “demonic chain reaction” of plant meltdowns could result in the evacuation of Tokyo, 150 miles to the south". (Not linking because NYT, but it's easy to find.) Wikipedia mentions the risk and potential evacuation, and quotes the then-PM saying "If things had reached that level, not only would the public have had to face hardships but Japan's very existence would have been in peril." ( https://en.wikipedia.org/wiki/Japanese_reaction_to_Fukushima_Daiichi_nuclear_disaster#Evacuations )
I found the article in question and it's very typical of a lot of the very bad reporting that followed the accident. I'm tempted to add a snide remark about the NYT but maybe that would be pandering too much to this blog's long term readers. :)
The headline makes it sound like the Japanese government seriously considered evacuating Tokyo. However, if you read the article (and between the lines of the deliberately misleading word choices) it becomes clear that in reality some very poorly-informed politicians allowed their imaginations to run away in the midst of an understandably chaotic and panicked situation, and briefly 'discussed' evacuation of Tokyo. The idea that this could ever actually have been necessary is, as I said, dangerous misinformation.
Bear in mind that even the evacuations that did take place were mostly a huge over-reaction to the actual radiation risk to the public. The evacuation itself arguably caused quite a large number of deaths, while the number of deaths due to radiation was probably zero. (https://en.wikipedia.org/wiki/Radiation_effects_from_the_Fukushima_Daiichi_nuclear_disaster#Health_effects)
This concept of a "demonic chain reaction" that the article mentions, which seems somehow to infect other power plants, is utterly bizarre to me. If you can shed any light on how it is supposed to work I'd be curious. Perhaps if it involves demons it is simply beyond the ken of modern physics?
It works where journalists looking for scary articles of questionable veracity and environmental luddites who hate nuclear power align with credulous public and pandering scared politicians to craft nonsense.
In comparison to the efforts to make nuclear energy safe, how many man-hours are spent making sure viral research labs don't have a "cat on fire" incident?
If the bio labs are safe enough, and given the risk-reward comparison between them and nuclear power, I don't see any reason why Homer Simpson shouldn't be a nuclear engineer.
"We've done dumber things" doesn't seem like a terribly convincing argument. Maybe we could, as a society decide on a sensible and proportionate approach to nuclear safety and then use it as an example for how to treat other high(er) risk industries.
The NRC has always had an antinuclear agenda.
Nah, it varies. Gregory Jaczko, who was chair of the NRC when Fukushima happened, was very anti-nuclear. These days the political winds have shifted, and the regulatory errors mostly happen for more nuanced reasons. You hear a lot of things along the lines of "we need to ensure a level of safety where no core damage accident will ever occur again, because the damage an accident would do to the public image of nuclear power would be fatal to the nuclear industry". I don't think it's a great argument, but it's not an anti-nuclear argument.
Ahh interesting!
I hate this one. Extremely irritating the way it tries to anticipate or manipulate my emotional reaction to a fact, and completely fuck it up every time.
"A coarsely cynical reader might thus expect Wellock to sidestep damning details of nuclear risk at the behest of his employer."
No, why would I think that? What bureaucrat has ever tried to sidestep the details of the thing that keeps him employed?
It's funny the way pro-nuclear and anti-nuclear people both think the NRC is on the other side. This reviewer is anti-nuclear and thinks the regulators are shills for the industry, you seem to think the NRC is deliberately killing the industry.
The position of Historian for a federal agency is an interesting one because they have a lot of independence to criticize their employers, and indeed the author of Safe Enough, NRC Historian Tom Wellock, does not pull his punches in describing past failures of the NRC. But, in my opinion, he does not have much of an ideological agenda one way or the other.
Can they not be on both sides, in effect? Nuclear power must exist in some form, for the NRC to have their jobs, but it need not exist in a form that remotely realizes its potential.
Well historically the NRC hires more people when there's more nuclear being built, like during the "nuclear renaissance" of the early 2000s. After it fizzled they were on a hiring freeze for years (which also means not many promotions for the people already there). But maybe it's sort of an invest/exploit tradeoff, where if you regulate with a light touch more people will be hired in 5 years, but you're more likely to get a promotion right now if you make a big fuss over a minor potential safety issue.
I think the real missing piece of a discussion of nuclear power plant regulation is why the extremely high level of safety prioritisation isn't applied more universally - Prioritising safety may be rational, but if so it would be rational to do it much more uniformly, and one doesn't see anything like this culture applied to dams or to coal power plants or to heavy industries, despite almost all of those being statistically more dangerous than nuclear power.
This review so utterly failed the ideological Turing test that I couldn't read it through.
The last sentence I read was: “There are about 40,000 generations of neutrons every second” : there is no unit of time, no unit of weight, nothing to compare this data to. The only thing that I can do with this number is to be scared.
“The very existence of the nation of Japan was at stake. “
This seems false.
This entire review feels like a rehash of the two lies: https://jackdevanney.substack.com/p/the-two-lies-that-killed-nuclear.
TL;DR: the first lie is that a nuclear release can't happen. That's obviously false. The second is that such a release would be catastrophic. This too is false (read the linked article to find out why).
All these silly anecdotes about reactor plant operators rushing about are entirely irrelevant. The fact is that nuclear meltdowns despite the scary names tend to be rather benign events when compared to the range of industrial disasters that people regularly put up with. And for a good reason: the benefits far outweigh the (possible) harms.
I was expecting a discussion of ALARA:
"Excessive concern about low levels of radiation led to a regulatory standard known as ALARA: As Low As Reasonably Achievable. What defines “reasonable”? It is an ever-tightening standard. As long as the costs of nuclear plant construction and operation are in the ballpark of other modes of power, then they are reasonable.
This might seem like a sensible approach, until you realize that it eliminates, by definition, any chance for nuclear power to be cheaper than its competition. Nuclear can‘t even innovate its way out of this predicament: under ALARA, any technology, any operational improvement, anything that reduces costs, simply gives the regulator more room and more excuse to push for more stringent safety requirements, until the cost once again rises to make nuclear just a bit more expensive than everything else. Actually, it‘s worse than that: it essentially says that if nuclear becomes cheap, then the regulators have not done their job."
https://rootsofprogress.org/devanney-on-the-nuclear-flop
"A plot from the Rasmussen Report estimating the likelihood of deaths from nuclear power as orders of magnitude less probable than dying from common natural disasters, closer to being killed by a meteor. There have been no known meteor deaths since this curve was published in 1974, though there is historical evidence that this is not impossible!"
Then, disappointingly, no discussion of deaths from nuclear power generation radiation since 1974.
[Wikipedia](https://en.wikipedia.org/wiki/List_of_nuclear_and_radiation_accidents_by_death_toll) seems to think there are around one hundred up to a few thousand depending on how you count. Seems safe enough, probably pretty similar to other power generation modalities.
I'm pretty surprised this review made the finalists. The author has a couple of sentences that mention the safety of other energy generation but the comparative safety of nuclear vs. other is clearly the main determinant of whether nuclear is "safe enough." Every analysis I've seen indicates nuclear is far safer than any other major energy generation technology and that it has been obviously safer than any competing technology for decades now.
Battery fires are a fairly common problem and the reasons are often different, but mostly it is a short circuit. By the way, if you personally often have problems with equipment, you should think about the place MJM Engines reviews https://www.pissedconsumer.com/mjm-engines/RT-F.html where you will buy new equipment with a guarantee, so as not to waste money.