Safety Instrumented Systems / Flow / Systems Integration / Asset Management / Stuxnet

Why Nuclear Needs Process Automation

The Key to the Safety of Nuclear Power Plants Is to Maintain the Availability of Coolants, Even if All Electric Power Supplies Fail

By Bela Liptak

I spent the last year reviewing the Three Mile Island, Chernobyl and Fukushima accidents, and found that neither they, nor practically any of the 435 operating nuclear plants around the world, were designed to provide safe shutdown in case of simultaneous external and internal electricity failure. Similarly, few of them are protected against hydrogen explosions, and practically none can handle regular or cyber terrorist attacks.

Most are operated in a semi-manual mode. Many were designed for a useful life of 30 years, but have already reached 40 and are still getting extensions. In addition, neither permanent waste disposal, nor the decommissioning of the plants, is resolved. For example, Chernobyl occurred in 1986, yet the completion of its decommissioning is planned for 2015. Under these conditions, the question is not if, but when and where, the next accident will occur.

In the forthcoming new edition of my handbook, I devote a full chapter to improving the safety of nuclear plants through automation, and I show that the causes of the three best-known nuclear accidents were very similar, and that the use of state-of-the-art automation could have prevented all three of them. In this series of articles, I will give a brief summary of that chapter.


During the last 60 years, nuclear energy has become an important component in the energy mix of mankind. It supplies about 5% of the total global energy consumption, or about 13.5% of global electricity consumption. In the United States, nuclear energy is the source of about 8% of the total energy consumption, or about 20% of the total electricity used.

Figure 1 shows that after the accidents at Three Mile Island and Chernobyl, the building of new nuclear power plants slowed, and the percentage of global electricity consumption met by nuclear power dropped from 18% in the early 1990s to 13.5% by 2012. Some nations have decided to end the use of nuclear energy (Germany by 2020, Japan by 2040), yet as of today, 60 new plants are under construction and another 150 are contemplated because some argue that the consequences of their use is less dangerous than the continued burning of fossil fuels.

The Process

In fossil-fuel-burning power plants, the fuel is continuously charged from outside the boiler, while in nuclear power plants, the heat is obtained from fuel stored inside the boiler. Therefore, the fuel flow to fossil boilers is easy to shut off, while in the nuclear process, the fuel "leaks." Decay heat continues to be released after shutdown, and, therefore, the cooling of the fuel rods must continue. The key to the safety of nuclear power plants is to maintain the availability of coolants, even if all electric power supplies (external and internal) simultaneously fail for extended periods. 

The second key to safety is to make sure that, if cooling fails and the fuel rods melt, causing the molten zirconium in their cladding to react with the water and generate hydrogen, the generated hydrogen does not explode. This requires that it be safely released outside the containments of the reactor building. In order for hydrogen to explode, it needs oxygen and an ignition source. Therefore, these must be denied by the design, while the hydrogen is being routed to the outside.

Three Mile Island

At 4 a.m. on March 28, 1979, Unit 2 of the 900-MW reactor at Three Mile Island (TMI-2) in Pennsylvania experienced a partial core meltdown. Between 13 and 43 million curies of radioactive krypton gas were released, half the core melted, and 90% of the fuel-rod cladding was destroyed. The maximum offsite radiation reached 83 millirems, but the radiation dose received by the community was small.

The plant was designed by GE for a life of 30 years, began operation in 1978, and it is still in operation today. In fact, in 2009 it received approval to continue operation for another 20 years. Figure 2 (p. 18) shows approximately the main equipment and piping of the plant. At the time of the accident, the controls of the plant were mostly manual and mostly pneumatic. So what happened?

Operators working on a demineralizer at 4 a.m. accidentally admitted water into the instrument air supply to part of the control system. This caused the valve on the suction side of the secondary cooling water pump to fail closed, in spite of the fact that best practice for cooling service is to have valves fail open.

The operators did not realize what they had done because the control system did not include the required automatic safety alarms, nor was there an automatic interlock to shut down the reactor or to start up a backup cooling system when the secondary cooling water flow stopped.

The designers of the plant were also responsible because, for cooling service, they should have specified closed-failure positions, and should have provided automatic scram (shutdown) of the reactor and automatic starting of emergency cooling upon failure of the flow of cooling water.

In the next segments in this series of articles I will describe the events at Chernobyl and Fukushima and will show how those plants should have been automated to protect against the accidents that occurred.