Safety of Nuclear Power Plant at Koodankulam: A Dangerous Illusion

Prof. T. Shivaji Rao

In the light of the major nuclear reactor explosions at Three Mile Island (TMI) in the USA (1979), Chernobyl in Russia (1986) and Fukushima in Japan (2011), intelligent people ask why we ever started building nuclear power plants in the first instance. Why did people fail to realize how dangerous nuclear power was? Why did we fail to think about the health risks to people living in the neighbourhood of nuclear plants? Why did people fail to estimate the most damaging consequences of generating so much nuclear waste? Even today most people refuse to think about these life-and-death issues, perhaps due to ignorance, apathy and a lack of social responsibility.


But during the Second World War the defeat of enemy countries like Nazi Germany and aggressive Japan was a major issue for Western countries like the USA, which dropped killer atom bombs over Hiroshima and Nagasaki to make Japan surrender. Subsequently a cold war developed between Russia and America, and the US wanted to produce nuclear weapons to show its superior military strength to the world; for this purpose nuclear plants for civil purposes like electricity production began to be built with the ulterior motive of producing enriched uranium and plutonium as byproducts to be used for making nuclear weapons. People were not informed about the health risks of living around a nuclear plant. Risk was treated as a technical issue and was left in the hands of the engineering experts. Under the Atomic Energy Act, the Atomic Energy Commission in the USA was directed to promote nuclear power, and in the process the safety of nuclear power had to be ensured on public demand. If more money were to be spent on nuclear plant development, the experts had to cut costs and compromise on nuclear safety; conversely, if safety were to be promoted, it would slow down nuclear plant development activities. Thus a contradiction developed between nuclear development and nuclear safety, and the latter was given a very low priority.


In the beginning, the safety of nuclear plants was ensured by the simple rule of locating the reactors far away from human habitations. In 1950 a rule of thumb was used to link the power of the reactor with an exclusion zone where people could not live, so that in case of a reactor explosion people in the off-site area were not expected to be exposed to a fatal dose of radioactivity. For small research reactors the exclusion zone was one or two miles in radius, and for larger plants that supply electricity to cities the exclusion zone would be 10 times larger. But the cost of land acquisition proved to be very high. To overcome this problem the designers came up with the idea of putting the reactor inside a large steel shell, a containment building that would keep radioactive pollutants from escaping to the outside environment in case of an accident.


As the number of nuclear reactors began to increase in the 1960s, questions were raised about the safety of the reactors if the pressure vessel were to burst. The designers, who knew the capabilities of normal steel, became uncomfortable because neutron bombardment of the pressure vessel can make conventional steel brittle and liable to break, although under normal conditions it would be quite strong. The Atomic Energy Commission assumed that during a loss of coolant accident, even if the coolant stopped and the reactor core melted, the containment building would still stop the radioactive gases from escaping into the atmosphere. But in 1966 it was realized that in a 1000 MW reactor the fuel gets so hot after a loss of coolant accident that it might burn through the concrete and flow into the earth, the so-called China syndrome. Such an accident would breach the containment and release poisonous radioactivity into the environment by generating enough gas pressure to blow a hole in the containment. Consequently, to ensure that the core would not melt, the engineers designed more and more sophisticated systems and added new backup systems to the existing backup systems, without knowing whether they would work in the real field as planned in their imaginary world.


The forces generated in a reactor by a loss of coolant accident, with sudden heating and then a flood of cold water from the emergency core cooling system, would be violent and unpredictable. Nobody knows what happens to the fuel rods when they are heated and cooled so brutally, and a great deal of testing and research must be done to find out the real facts. One nuclear expert argued that nobody can ensure absolute safety in case of a nuclear accident, and nobody can say that no radiation would escape into the environment to threaten public health. During an emergency, if the core cooling system fails there is a chance that the containment could be breached and radioactive materials get into the atmosphere. The experts began to admit that a severe accident was possible but that its probability would be so small that reactors could be regarded as safe; in other words, reactor safety became “probabilistic” and not “deterministic”.

Subsequently probabilistic risk assessment came into being. It evaluated risk by taking into account both the probability of a certain accident occurring and the consequences of that accident. If an accident occurs once in a million years of reactor operation and kills a thousand people, it is treated as equivalent to an accident that occurs once in 1000 years with only one death expected. This was accepted by the engineers, who established a numerical target for reactor safety by expecting one death from a radiation accident for every 1000 years of reactor operation, and they set out to reach that goal. Moreover, to pronounce a reactor safe the engineers need not guarantee that certain accidents could never happen, but only that they were unlikely. This approach admits that major accidents were indeed possible, although such an accident might be a one-in-a-million shot, and an attempt was made to calculate the likelihood of a major nuclear accident by Prof. Rasmussen (a nuclear engineering professor at MIT) in 1974. By visualizing the various ways in which an accident can occur, he considered the loss of coolant accident. His report showed a core meltdown once in every million years of reactor operation and a major accident once in a billion years of reactor operation. It means that a person is as likely to die from a nuclear accident as from being hit by a meteor.


But the TMI accident, a reactor meltdown, occurred in 1979. Such an accident was expected to occur once in every 17000 reactor years, and not once in every million reactor years as propagated by the US Atomic Energy Commission. The occurrence of the TMI accident shocked the nuclear experts. Before the TMI accident in 1979 most of the safety efforts made by the nuclear authorities aimed at improving the equipment. By making sure that everything was designed, built and maintained properly, it was thought that safety was bound to follow automatically. A piece of malfunctioning equipment did play a key role in the TMI reactor accident in 1979, but the Kemeny enquiry report on this accident concluded that the problems with the equipment were only a small part of it. More worrisome was the performance of the operators who were running the reactor. They had been poorly trained and poorly prepared for an emergency of the type that caused the TMI accident. Not only did they fail to take the corrective steps to solve the problem, but their actions made it worse.

The Kemeny commission felt that the errors committed by the nuclear operators were only a part of a more general failing of the nuclear plant and its management, for several reasons, and emphasized that reactor operation demands different kinds of management and organizational capacities than those needed for operating a coal-based thermal power plant. Such plants run at full power until some component breaks; after the broken part is fixed the plant is started again, and there is no serious concern about safety, preventive maintenance or preventive actions for safety. Such plants are simple and do not endanger life systems even when they break down. Many industries developed these attitudes and carried them over to running nuclear plants, and hence such attitudes did not work. The operation of a nuclear plant requires an entirely different institutional culture than that adopted for a thermal plant. On examining the TMI nuclear accident, experts realized that major accidents like nuclear explosions can be caused by little things. But thinking on nuclear safety had been focused on responding to major failures such as a large pipe break. By interlinking the chain of events that caused the TMI accident one can show that many minor mistakes during operation can cause a major disaster.

For more reliability either two or four steam generators and the required main coolant pumps are used. Hot water at 2200 psia (150 bar) is pumped into the pressure vessel containing the reactor core to cool the very hot fuel elements; inside the core the water is distributed by a nozzle system. Reactor coolant pumps transport the hot coolant to the steam generators, where steam is produced and fed to the turbine. The steam leaving the turbine is fed to a condenser, and the condensate is fed by feed water pumps back to the steam generators, while the condenser cooling water is returned to the cooling pond, river or ocean, or to the cooling towers, which work as heat sinks.

The TMI accident began at 4 AM when the pumps that transport water to the steam generators failed, due to human errors and equipment malfunctions, as can be seen from diagrams of a pressurized water reactor. There are two water loops. The primary loop carries hot water from the reactor to the steam generator and back to the reactor. The secondary loop sends water into the steam generator, where it is converted into steam that drives the turbine; in the process the steam is condensed back into water, which is pumped back to the steam generator. It was this secondary loop that stopped functioning when the pumps shut down. As the secondary loop had failed, the primary reactor cooling system could no longer transport the heat to the steam generator, so the primary loop began to overheat and expand, and the pressure in the reactor increased. Immediately the control rods dropped into the reactor core to absorb neutrons and kill the chain reaction; simultaneously the automatic relief valve opened and relieved the pressure in the reactor vessel, as anticipated. But after releasing enough pressure the relief valve should have closed again, and it did not. An indicator in the control room showed only that a signal had been sent to close the valve; for unknown reasons the valve did not close, and the control room operators did not know that crucial fact.

For two hours first steam and then a mixture of water and steam escaped through the open valve, which caused the pressure in the primary cooling system to drop; after a few minutes of falling pressure this triggered the startup of the high pressure injection pumps, which sprayed water into the system. Since the operators misunderstood what was happening in the reactor, they shut down one pump and cut back on the other to the point where it could not make up for the water that was being lost as steam through the open relief valve. The operators thought they were doing what they had been trained to do, and they never understood that they were making matters much worse and opening the way to disaster. Consequently the coolant in the primary reactor system turned into a very turbulent mixture of water and steam.

After one and a half hours the operators decided to shut down the pumps that circulated coolant through the reactor to the steam generators and back. Once again the operators failed to understand what was happening inside the reactor; they believed they were merely following the standard procedures, and they never understood that cutting off the reactor pumps only added fuel to the fire, because the removal of this last bit of cooling action in the core became the cause of the disaster. Soon after, 50% of the core was uncovered and the core temperature shot up, melting some of the fuel and releasing highly radioactive poisonous pollutants; radioactive gases escaped from the containment building into the atmosphere, but fortunately they did not cause much damage. Two and a half hours into the accident the operators found that the pressure relief valve had never shut, and they closed it off. After another 12 hours the operators succeeded in re-establishing cooling to the reactor core and started to bring the reactor system back to normal temperatures. In spite of the restoration of the reactor, the accident resulted in the evacuation of more than 2 lakh people within a radius of 32 km from the reactor; it caused huge financial losses to the government, and the people suffered heavily.

The TMI accident shows that the chain of events that occurred during the accident was such that no expert performing a probabilistic risk assessment could have imagined it ahead of time. The chain of events makes it easy for anybody to blame the reactor operators. They certainly overlooked the open pressure relief valve and they shut down the cooling water injection pumps, so plenty of blame can be attributed to the operators. But the designers also failed to incorporate any warning system in the control room to show whether the pressure relief valve had actually closed; the only indication was that a signal had been sent to close the pressure relief valve. Surprisingly, the American Nuclear Regulatory Commission already knew that in a similar incident earlier at another reactor a relief valve had stuck open and created a problem, but this information was not sent to other nuclear plants to warn them that the valve might create a similar problem at some time or other. The management operated the nuclear reactor without correcting such little problems, and such a work culture created a sloppiness that contributed to this accident. Even earlier there had been a steady leak of reactor coolant from a faulty valve, and during the accident the operators who noted abnormal readings indicating that the pressure relief valve had not closed attributed them to that leak instead of to a stuck-open relief valve. Such small faults often lead to a big disaster in a nuclear reactor.

COMPLEXITY OF REACTOR SYSTEM AS A MAJOR CULPRIT FOR REACTOR EXPLOSIONS:    But more than these innumerable small faults in reactor operation, the major culprit behind the accident is the complexity of the system. The complexity of the system provides an opportunity for innumerable minor faults to interact and produce a major nuclear disaster, and it makes it next to impossible for the operators to comprehend what is really going on in a reactor until it is too late. According to the political scientist Aaron Wildavsky, because of the complexity and the interactions in a nuclear plant, the mere addition of engineered safety devices such as defence in depth and other procedures will at some point actually decrease the safety of a nuclear power plant. The TMI accident is an example of how this phenomenon works. For instance, the control room of the TMI plant had 600 alarm lights, each of which considered by itself promotes safety, as it indicates when something is going wrong. But the total effect in a serious accident was total confusion, as so many alarms went off that the mind could not easily grasp what was happening.

Charles Perrow, another expert, argues that such complex and tightly interconnected technologies as nuclear reactors are by their very nature highly unsafe. Since so many components interact with each other, there are many different ways in which an accident can happen, so that accidents are an inevitable characteristic of the technology; such accidents are called “normal reactor accidents”. Moreover, such complex technologies cannot be made safe by constantly adding extra safety systems, because that only increases complexity and creates more ways in which something could go wrong. The requirements for successful control of some complex technologies are accompanied by inherent contradictions. What happens in one section of a nuclear plant can drastically influence events in other sections, so some sort of central control is necessary to ensure that actions in one section do not cause unanticipated and hazardous consequences in another. Such control can be implemented by a central management that approves all actions, or exercised in the form of a rigid set of rules and regulations governing all actions throughout the plant. But since the technology is so complex and unpredictable, the operators of the reactor also need the freedom to respond quickly and imaginatively to special circumstances as and when they arise. Hence both rigid central authority and local discretion are highly desirable, and unfortunately it is impossible to have both. A nuclear reactor is therefore always vulnerable to one type of accident or another: either one caused by failure to adapt quickly to an unanticipated problem, or one created by not coordinating all the relevant actions throughout the plant.

Perrow argues that many technologies besides nuclear power, such as chemical plants, genetic engineering, aircraft and nuclear weapons, experience the same inherently contradictory demands. For such complex technologies accidents should be considered not as anomalies but as a normal part of the process. The frequency of accidents can be reduced by improved design, better training of personnel and efficient maintenance, but they will always be with us. Society must weigh the cost of these normal accidents against the benefits of the technology. For chemical plants like sugar mills the costs of accidents are small and are borne by the companies, while the cost of shutting them down would be high, as there is nothing to replace them. But in the case of nuclear accidents the costs of damage would be unbearable, and there are several other ways of generating electricity: not only nuclear plants but also plants based on fossil fuels and renewable energy sources like solar, wind, bio-energy and geothermal plants.

In modern times nobody believes any longer that it is possible to engineer a nuclear reactor for complete safety, to determine the maximum credible accident and then assure that the reactor does not threaten anyone. The best that can be done in the nuclear field is to attempt to make disastrous accidents very unlikely. Moreover, the complexity of nuclear technology can amplify the risk to people and the environment: the more complex the technology, the more ways something can go wrong. In the tightly coupled system of a nuclear reactor the number of ways that something can go wrong increases exponentially with the number of components in the system. Such complexity also makes the nuclear reactor system more vulnerable to errors, both man-made and natural. Even a small mistake may cause the system to behave in many unpredictable ways, making it difficult for the reactor operators to understand what is happening and to restore the system to normal, and it is likely that the operators will make further mistakes that may result in a disaster.

According to some experts the fuel gets yellow-hot at its core, attaining a temperature of 4100°F (2250°C), while the metal casing around the fuel is kept at 650°F (350°C) by the cooling water. If due to an accident the coolant water is interrupted for just a few seconds, the fuel temperature rises rapidly; the zirconium casing begins to break at 1800°F (1000°C) and melts at 3350°F (1850°C). The actual danger comes when the hot fuel begins to lump together in a molten mass that can explode the containment or seep into the ground, a process known as the “China syndrome”, and release massive quantities of radioactivity into the air, water and soil.

If the main pipe in the primary cooling circuit breaks, the control rods immediately stop the nuclear fission process, halting the chain reaction. But the radioactive decay of the fission products already formed cannot be arrested. In a 650 MW plant, the heat generated by this radioactive decay amounts to roughly 200 MW three seconds after the reactor is switched off, 100 MW after one minute, 30 MW after one hour and 12 MW after 24 hours.


(Diminishing heat and sequence of failures due to loss of coolant after the reactor is stopped.)

Time after stop    Heat formation          Event
---------------    ----------------------  -----------------------------------
0                  650 MW (full power)     Reactor stopped by control rods
3 seconds          200 MW
15 seconds                                 Fuel casing begins to fail
30 seconds                                 Boiling layer of emergency coolant
45 seconds                                 Reactor core melts
60 seconds         100 MW                  Reactor core collapses
1 hour             30 MW
24 hours           12 MW

(Heat formation diminishes with time after the stop.)

The above table shows that if the operators cannot stop reactor core melt conditions within 45 seconds, a nuclear explosion is bound to occur. Can we find such a strict work culture among Indian nuclear plant operators? Hence nuclear safety is purely a myth, because accidents are bound to occur and ruin public health.
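As an added example (not part of the original article), the following Python script interpolates the decay-heat figures tabulated above in log-log space to estimate the heat at the 15, 30 and 45 second marks, for which the table gives events but no figure, and integrates the curve to show how much boiling water the heat released between 3 seconds and one hour would turn into steam. The power-law interpolation between the tabulated points and the 2.26 MJ/kg latent heat of water are assumptions, not figures from the page.

```python
import math

# Decay-heat figures for the 650 MW plant as tabulated on the page:
# (seconds after the reactor is stopped, heat formation in MW).
DECAY_HEAT_TABLE = [(3, 200.0), (60, 100.0), (3600, 30.0), (86400, 12.0)]

# Assumption (not from the page): latent heat of vaporisation of water at
# its boiling point, in MJ per kg. Heating the water up to boiling is ignored.
LATENT_HEAT_MJ_PER_KG = 2.26


def _exponent(t_i, p_i, t_j, p_j):
    """Power-law exponent b such that P(t) = p_i * (t / t_i) ** -b passes through both knots."""
    return math.log(p_i / p_j) / math.log(t_j / t_i)


def _check_range(t):
    first, last = DECAY_HEAT_TABLE[0][0], DECAY_HEAT_TABLE[-1][0]
    if not first <= t <= last:
        raise ValueError(f"{t} s lies outside the tabulated range {first}..{last} s")


def decay_heat_mw(t):
    """Decay heat in MW at t seconds after shutdown, by log-log interpolation
    between the tabulated points (an assumed model, not the page's own)."""
    _check_range(t)
    for (t_i, p_i), (t_j, p_j) in zip(DECAY_HEAT_TABLE, DECAY_HEAT_TABLE[1:]):
        if t_i <= t <= t_j:
            return p_i * (t / t_i) ** -_exponent(t_i, p_i, t_j, p_j)
    raise AssertionError("unreachable: range already checked")


def decay_energy_mj(t_start, t_end):
    """Energy (MW*s = MJ) released between t_start and t_end, integrating each
    power-law segment in closed form rather than numerically."""
    _check_range(t_start)
    _check_range(t_end)
    if t_start >= t_end:
        raise ValueError("t_start must be earlier than t_end")
    total = 0.0
    for (t_i, p_i), (t_j, p_j) in zip(DECAY_HEAT_TABLE, DECAY_HEAT_TABLE[1:]):
        lo, hi = max(t_start, t_i), min(t_end, t_j)
        if lo >= hi:
            continue  # this segment lies outside the requested window
        b = _exponent(t_i, p_i, t_j, p_j)
        # integral of p_i*(t/t_i)^-b dt = p_i*t_i/(1-b) * (t/t_i)^(1-b), evaluated lo..hi
        total += p_i * t_i / (1.0 - b) * ((hi / t_i) ** (1.0 - b) - (lo / t_i) ** (1.0 - b))
    return total


def water_boiled_kg(t_start, t_end):
    """Mass of water already at its boiling point that this decay energy would turn to steam."""
    return decay_energy_mj(t_start, t_end) / LATENT_HEAT_MJ_PER_KG


if __name__ == "__main__":
    # Heat at the moments the table lists with an event but no figure.
    for t in (15, 30, 45):
        print(f"{t:>3} s: about {decay_heat_mw(t):.0f} MW")
    gj = decay_energy_mj(3, 3600) / 1000
    tonnes = water_boiled_kg(3, 3600) / 1000
    print(f"3 s to 1 h: {gj:.0f} GJ, enough to boil about {tonnes:.0f} t of water")
```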



