Preventing Nuclear Accidents by Automation


To date there have been only two “level 7” nuclear power plant accidents, one at Chernobyl and the other at Fukushima (even Three Mile Island was only level 5). Prior to the accident, 54 nuclear power plants generated 30% of Japan’s electricity. In the USA, 104 plants generate 18% of America’s electricity.


At Fukushima the cooling water pumps stopped at around 4 PM on March 11, 2011. At that time the cooling water level in the No. 1 reactor was 4 meters above the top of the fuel rods. By 9 PM it had dropped 8 meters, fully uncovering the fuel rods. During that same period the core temperature increased from about 300 ˚C to nearly 3,000 ˚C, and by the morning of March 12 the reactor core melted, dropped to the bottom of the reactor’s containment vessel and probably burned a hole through its wall. The window of opportunity to prevent the meltdown lasted about 5 hours, a period that would have been sufficient to prevent it (Figure 1).



Figure 1: The sequence of events at Fukushima (Tokyo Power Co. May 15, 2011)


Reactors #1 and #2 at Fukushima were 40-year-old GE units. Several American BWR nuclear power plants are of similar age or older, and their designs are similar to the Fukushima ones. They are accidents waiting to happen. On the other hand, if their outdated sensors are replaced and their safety systems are automated, this need not happen; but if they are kept under manual control, if accident response remains a function of the judgment of hesitant or panicked operators, the Fukushima events will be repeated.


In this article I will concentrate on the automatic safety controls and will not discuss the details of design errors, such as the false assumptions that (1) simultaneous grid and backup failure could not occur, (2) that an 8-hour battery backup is sufficient (to my knowledge, of the 104 American reactors, 93 are provided with only four hours of battery backup), (3) that elevated water storage, providing cooling by gravity flow, is not required, (4) that nitrogen purging capability of the primary containment is not required, (5) that power supply backup equipment need not be located at elevations that are safe from flooding, (6) that fresh water ponds are not required if sea water is available, or (7) that it is not necessary to have installed piping that makes it easy to pump cooling water from the outside directly into the reactors by fire trucks.


In addition to the above design errors, at the Fukushima plant some 10,000 spent fuel rods were kept in the temporary storage pools (ten times the original design), requiring continuous cooling to protect against their meltdown. Similar conditions exist today at many American plants.


In this article I will show that in spite of the above design errors, the meltdown could have been prevented if the plant had been provided with properly automated safety controls. I will point both to the specific control system errors and to the unsafe nature of depending on manual operator response to unsafe conditions. In the case of Fukushima these included: (1) the delayed start of injecting fresh water (March 12 at 5:50 AM) and later sea water (March 12 at 8 PM), when the cooling water pumps had stopped some 14 hours earlier, at around 4 PM on March 11. This delay, caused by the hesitation of the operators, would not have occurred under automatic control. (2) The 4-week delay (March 11 to April 7) in starting the nitrogen purging of the primary containment vessel. (3) Similarly, the delay in relieving the excessive hydrogen and steam pressure to outside the building, after filtering out radioactive solids (Figure 5). In the case of Fukushima, relief was initiated manually and only after a delay of 7 hours.


Naturally, it is essential that the operators trust the various sensors and alarms. Therefore, they must be redundant and reliable. This was not the case at Fukushima. In the reactor, water levels were not reliably measured, but were only assumed by the operators. The false readings suggested that the levels were several meters above the actual, and in the primary containment vessels they were not even measured. In a properly designed plant, detectors that monitor critical variables should not only be accurate, but should be triple redundant, configured in a voting arrangement, so that if one sensor disagrees with the “majority”, its reading is immediately disregarded and its recalibration is automatically requested.
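The voting arrangement described above, as an added example in Python (not code from the original article or from any plant): a two-out-of-three voter takes three redundant readings, disregards the one that disagrees with the majority and returns its index so that a recalibration request can be raised. The agreement tolerance, the treatment of a dead sensor (None or NaN) as an automatic disagreement, and the status names are my assumptions.

```python
"""Two-out-of-three (2oo3) voting for a safety-critical measurement.
Added example; the tolerance and status names are assumptions, not the
article's or any plant's actual configuration."""
import math
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional, Sequence


@dataclass
class VoteResult:
    value: Optional[float]          # voted measurement, None when there is no majority
    status: str                     # "ok", "degraded" (one sensor excluded) or "no_majority"
    recalibrate: List[int] = field(default_factory=list)  # sensor indices to flag for recalibration


def _is_valid(x) -> bool:
    """A missing (None) or NaN reading is treated as a failed sensor."""
    return x is not None and not (isinstance(x, float) and math.isnan(x))


def vote_2oo3(readings: Sequence[Optional[float]], tolerance: float) -> VoteResult:
    """Vote three redundant readings. At least two readings must agree (lie within
    `tolerance` of the median of the valid ones) for a value to be accepted;
    failed and disagreeing sensors are returned for recalibration."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    valid = [(i, x) for i, x in enumerate(readings) if _is_valid(x)]
    failed = [i for i in range(3) if i not in {j for j, _ in valid}]
    if len(valid) < 2:
        return VoteResult(None, "no_majority", [0, 1, 2])
    if len(valid) == 2:
        (_, a), (_, b) = valid
        if abs(a - b) > tolerance:
            # the two survivors disagree with each other: no majority can be formed
            return VoteResult(None, "no_majority", [0, 1, 2])
        return VoteResult((a + b) / 2, "degraded", failed)
    med = median(x for _, x in valid)
    agree = [(i, x) for i, x in valid if abs(x - med) <= tolerance]
    if len(agree) < 2:
        return VoteResult(None, "no_majority", [0, 1, 2])
    disagree = [i for i, x in valid if abs(x - med) > tolerance]
    value = sum(x for _, x in agree) / len(agree)
    suspects = sorted(failed + disagree)
    return VoteResult(value, "ok" if not suspects else "degraded", suspects)


if __name__ == "__main__":
    # constructed readings: metres of water above the top of the fuel
    for sample in ([4.02, 3.98, 4.00], [4.00, 3.98, 9.50], [4.0, 7.0, 10.0], [None, 4.00, 4.05]):
        print(sample, "->", vote_2oo3(sample, tolerance=0.1))
```

The voted value is the mean of the agreeing sensors, so a single drifting transmitter neither moves the indicated level nor silences the alarm; it only appears in the recalibration list.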


Unreliable Cooling Water Level Measurement

Operators must know whether the fuel rods are covered with water or not, and safe plant operation requires automatic response if this level drops too low. This requires reliable level measurement! Today we know that at Fukushima the operators assumed the level to be much higher than it really was. It was only two months later (in May), when the water level gauge for the reactor was calibrated, that the actual level was found to be much below the indicated one.


Similarly, the operators did not know the steam/water ratios, nor the degree of meltdown in their reactors (nor in their spent fuel rod storage ponds). This resulted in the operators guessing at the level of cooling water, and because they guessed wrong, they drastically delayed the start of emergency cooling. If reliable sensors had been used and water injection had been started automatically, the meltdown would have been prevented. In this article I will describe the sensors that American plants should install in order to provide reliable information during both normal and emergency operation of BWR plants.

The BWR reactors are designed so that the core is surrounded by a shroud. The cooling water enters into this “jacket-like” space between the shroud and the wall of the reactor (Figure 2) and water travels down on the outside of the core and then rises up inside it. As it rises, the fuel rods heat the water until it starts to boil. As steam bubbles form, the water “swells” (its steam-to-water ratio rises).

The goal of the level control system is to keep the fuel rods always covered in order to protect against their overheating and melting. In many BWR reactors, the water level and the steam/water ratios (STR) are measured only “ex-core”, between the shroud and the reactor wall (Figure 2). Under emergency conditions (when the “ex-core” level drops below the suction of the jet pump diffuser, because the cooling water pumps stopped) this measurement no longer reflects the water level inside the core, because there no longer is a reliable relationship between the in-core and ex-core levels. Consequently, the ex-core level measurement can be useless during emergencies caused by loss of cooling.


Figure 2: Unreliable cooling water level measurement used in many existing BWR reactors


In most nuclear power plants (Figure 2), the level outside the shroud is measured over two ranges, a narrow (LT-N) one and a wide (LT-W) one. The narrow span transmitter (LT-N) is more sensitive and is a better indicator of the level of the boiling water surface, while the wide range transmitter (LT-W) detects the total hydrostatic head in the reactor (the collapsed level). Almost without exception, both are hydrostatic d/p type designs, installed with condensate pots, which provide water-filled reference legs (“wet legs”) to the high pressure sides of the d/p cells. In order to cool and condense the steam, the condensate pots are usually un-insulated, and the condensate drains back into the reactor through a sloping connecting pipe from the side of the pot.


The level transmitters shown in Figure 2 are inverse-acting (the reference leg is connected to their high-pressure side), and therefore a maximum level produces a zero differential reading, while a zero level causes a maximum output signal. The measurement also depends on the assumption that the wet leg is full of condensate at ambient temperature. During an accident, neither of these assumptions is necessarily correct. In fact, they are likely to be wrong, because once the level in the reactor drops below the low-pressure tap of LT-N, its pressure difference reading drops to zero and therefore the level is no longer known.

Also, because the water in the reactor is boiling, these d/p cells detect the hydrostatic head (mass of water) and not the level of the boiling surface. Swelling occurs when the steam pressure drops (the steaming rate increases), and shrinking occurs when the steaming rate is reduced (the steam pressure rises) and bubbles collapse. The more bubbles form (swelling), the higher the boiling level rises, but the lower the density and therefore the lower the indicated level (the hydrostatic head). Inversely, as the steaming rate drops (shrink phase), the density increases and the level drops, while the level measurement increases. In other words, when the surface of the boiling water rises (swell condition) the level reading drops, and when the boiling rate is reduced and therefore the level drops, the measurement rises.

Therefore, the d/p cell outputs can indicate the surface level only if the measurement is corrected for density, which was not the case at Fukushima and is not the case in many American plants, where this correction is inaccurate or nonexistent. Therefore, these level measurements are unreliable or useless. Because of this, the level control loop cannot be closed (the level cannot be controlled automatically) and is therefore often left under manual control, which is unacceptable. The correction and the properly designed automatic control loop are shown on the right of Figure 4.

In the case of Fukushima (and of a few old American plants), the design is even worse, because no transmitters are used at all, only d/p indicators, and even those are located far away, usually in the control room (Figure 3). What makes this design even worse is that the level gauge (LI) is connected to the reactor by long lead lines, which serve as the high pressure reference and are supposed to be filled with cold condensate from the condensate pot. This design is no longer in use, because the condensate in these long lead lines can be lost through leaks, the line can be plugged or blocked by air, or the water can oscillate in it; but 40 years ago such lines were still in use in some less sophisticated plants. At Fukushima, the condensate pot temperature probably reached the boiling point, the condensate in it evaporated, and once the lead line was no longer full, the d/p indicator drastically (by several meters) “over-reported” the water level in the reactor. Therefore, the operators assumed that they had more water than they really did, and this explains why they did not start water injection for some 14 hours, by which time the window of opportunity to prevent the meltdown was gone.
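To make the two failure modes just described concrete, here is an added Python example (not from the article) that models an inverse-acting wet-leg d/p level cell: the high side sees the reference leg, the low side sees the vessel tap, and the gauge is calibrated for a full reference leg and a fixed water density. It shows that during swell the gauge does not move although the surface has risen, and that a boiled-down reference leg drives the gauge to full scale while the real level is far lower. The densities (740 kg/m³ for saturated water without voids, 520 kg/m³ for a swelled bubbly column, 1000 kg/m³ for the condensate leg), the 6 m reference leg and the scenario levels are constructed assumptions.

```python
"""Inverse-acting wet-leg d/p level cell: hydrostatic head versus actual level.
Added example with constructed numbers; the densities and dimensions are assumptions."""

G = 9.80665  # m/s^2

# Constructed plant assumptions for the scenarios below
H_REF = 6.0        # m, height of the reference (wet) leg above the low-pressure tap
RHO_REF = 1000.0   # kg/m^3, condensate in the reference leg (assumed near ambient temperature)
RHO_CAL = 740.0    # kg/m^3, vessel water density the gauge was calibrated for (saturated, no voids)


def dp_cell_pa(h_leg_m, rho_ref, head_m, rho_mix, g=G):
    """Differential pressure at the cell: high side = reference leg filled to h_leg_m with
    condensate of density rho_ref; low side = vessel tap under a column head_m high of
    water/steam mixture with mean density rho_mix. Steam pressure acts on both sides and cancels."""
    return g * (rho_ref * h_leg_m - rho_mix * head_m)


def indicated_level_m(dp_pa, h_ref_m=H_REF, rho_ref=RHO_REF, rho_cal=RHO_CAL, g=G):
    """What the gauge shows: it assumes the leg is full (h_ref_m) and the vessel density is
    rho_cal, and clamps to its span. Maximum level gives zero dP, zero level maximum dP."""
    level = (rho_ref * h_ref_m - dp_pa / g) / rho_cal
    return max(0.0, min(h_ref_m, level))


def corrected_level_m(dp_pa, h_leg_m, rho_ref, rho_mix, g=G):
    """Surface level recovered from the same dP when the actual reference-leg fill and the
    actual mixture density are known, i.e. the density correction the article calls for."""
    return (rho_ref * h_leg_m - dp_pa / g) / rho_mix


def scenarios():
    """Three constructed cases, returning (indicated, corrected, actual) levels in metres."""
    out = {}
    # 1. Normal operation: full leg, unvoided water 4 m above the tap. The gauge is right.
    dp = dp_cell_pa(H_REF, RHO_REF, 4.0, 740.0)
    out["normal"] = (indicated_level_m(dp), corrected_level_m(dp, H_REF, RHO_REF, 740.0), 4.0)
    # 2. Swell: same mass of water, but bubbles lower the mean density to 520 kg/m^3, so the
    #    surface rises to 740*4/520 m. dP is unchanged, so the uncorrected gauge still reads 4 m.
    actual = 740.0 * 4.0 / 520.0
    dp = dp_cell_pa(H_REF, RHO_REF, actual, 520.0)
    out["swell"] = (indicated_level_m(dp), corrected_level_m(dp, H_REF, RHO_REF, 520.0), actual)
    # 3. Reference leg boiled down to 2 m (condensate pot overheated) while the vessel level is
    #    still 4 m: dP collapses and the gauge pegs at full scale, over-reporting by 2 m.
    dp = dp_cell_pa(2.0, RHO_REF, 4.0, 740.0)
    out["leg_lost"] = (indicated_level_m(dp), corrected_level_m(dp, 2.0, RHO_REF, 740.0), 4.0)
    return out


if __name__ == "__main__":
    for name, (ind, corr, actual) in scenarios().items():
        print(f"{name:9s} gauge={ind:5.2f} m  corrected={corr:5.2f} m  actual={actual:5.2f} m")
```

The corrected value needs two inputs the gauge does not have on its own: the actual fill of the reference leg and the mixture density in the vessel. That is exactly why the article asks for the density correction and for sensors that do not depend on a single condensate-filled leg.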



Figure 3: The level at Fukushima was measured by remote gauges, instead of transmitters



Correctly Detecting the Water Level in the Reactor


If the Fukushima operators had known the correct level, they could have started water injection as soon as the pumps stopped, while the fuel rods were still covered, and the meltdown could have been prevented.

Accurate level measurement outside the core (“ex-core”) indicates the “in-core” level only until the level drops to the suction of the jet pump diffuser. Therefore, under emergency conditions direct “in-core” measurement is also needed. In Figure 4, the red arrows show the flow direction of the steam and the blue arrows that of the water. The readings of the pressure transmitters P1, P2, etc. to PX can be used to measure the “ex-core” level and steam/water ratio. These pressure sensors should be installed at an equal vertical distance (A) from each other. The smaller the distance “A”, the higher the precision of the measurement. If in Figure 4 the difference between two readings is zero (P2 – P1 = 0), this indicates that only steam is present at that elevation. If the ΔP is above zero (P3 – P2 > 0), that is an indication that some water is also present at that elevation.


Figure 4: Sensors required to correctly measure the “ex-core” water levels


By this method, the boiling surface (Ls) can be estimated as lying between the first two detectors whose ΔP is above zero. Under normal operation, the resulting Ls reading will be about the same as the one detected by LT-N in Figure 2 or LI in Figure 3. In addition, the various combinations of these pressure and differential pressure measurements (knowing the steam pressure (Ps) and the specific gravity (SG) of water at the operating temperature) can be used to obtain the following information:

  • Steam/water ratio (S/W) at any elevation: S/W = ΔP/(A·SG).
  • Collapsed total water level in the reactor: Lc = (PX – P1)/((distance between top and bottom sensors)·SG).
  • Steam/water ratio of the boiling column of water in the reactor: S/Ws = (PX – Ps)/(Ls·SG).

The “ex-core” sensor will reflect the “in-core” levels as long as the fuel rods are covered with water. Under emergency conditions, this is not the case, yet the accurate measurement of the in-core level is still needed. At Fukushima (and in many American BWR reactors), the level inside the core was not measured at all. This resulted in the uncertainty concerning the degree of meltdown and the start of hydrogen generation.


As to the method of detecting the in-core water level, one method would be to measure the temperature (or thermal conductivity) at the different elevations in the core (green probes shown in Figure 4). These measurements reflect the steam/water ratio at different elevations, because the thermal conductivity of water is higher than that of steam.

One method of doing this was designed by David Nyce for the Knolls Atomic Power Plant. He used a metal probe with ceramic insulation and a reference thermocouple at its tip and located heated thermocouples periodically along the probe length. Because the thermal conductivity of water is much higher than that of steam, the amount of cooling of the heated thermocouples dropped (relative to the reference) as their elevation increased, because the steam/water ratio increased with elevation. Above the surface of the boiling water, the amount of cooling reached a minimum because the heated thermocouple at that elevation was surrounded only by steam. This way, by measuring the temperature elevation of the submerged thermocouples at the different elevations (relative to the reference temperature), both the level and the steam/water ratio at the different elevations in the core can be measured.
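The two sensor arrays discussed above, the vertical pressure taps of Figure 4 with the three formulas listed after it and the heated-thermocouple probe just described, share one evaluation: turn each reading into a water fraction per elevation, then find the highest element that still sees water. The following added Python example (not the article's or the Knolls design's code) implements the article's S/W, Lc and S/Ws formulas for the pressure array and the same surface search for the thermocouple probe. All readings are constructed; the 0.5 m spacing, SG = 0.74, the 7000 kPa steam pressure, the 5 K/40 K thermocouple calibration, the 2% detection threshold, the use of the top tap as Ps and the midpoint of the bracket as the point estimate of Ls are assumptions.

```python
"""Level and steam/water profile from a vertical sensor array.
Added example; it implements the article's formulas for the pressure array of Figure 4
and the same surface search for a heated-thermocouple probe. All readings below are
constructed, and the spacing, SG, calibration values and thresholds are assumptions."""
from typing import List, Optional, Sequence, Tuple

G_KPA_PER_M = 9.80665  # kPa of hydrostatic head per metre of water at SG = 1.0


def water_fractions_from_pressures(p_kpa: Sequence[float], spacing_m: float, sg: float) -> List[float]:
    """Article's S/W = dP/(A*SG) for each interval, top to bottom, with dP converted from kPa to
    metres of water: 1.0 means the interval is full of water, 0.0 steam only, in between boiling."""
    full = spacing_m * sg * G_KPA_PER_M
    return [(lower - upper) / full for upper, lower in zip(p_kpa, p_kpa[1:])]


def water_fractions_from_thermocouples(dt_k: Sequence[float], dt_water: float, dt_steam: float) -> List[float]:
    """Heated-thermocouple probe: the temperature rise above the reference junction is lowest in
    water (best cooled) and highest in steam. Linear interpolation between the two calibration
    values (an assumption) gives a water fraction per thermocouple, top to bottom."""
    span = dt_steam - dt_water
    return [min(1.0, max(0.0, (dt_steam - d) / span)) for d in dt_k]


def locate_surface(fractions: Sequence[float], spacing_m: float, threshold: float = 0.02) -> Optional[Tuple[float, float]]:
    """The boiling surface Ls lies between the first (highest) element showing water and the one
    above it. Elements are ordered top to bottom, spaced `spacing_m`, the last one at elevation 0.
    Returns (z_low, z_high) in metres above the bottom sensor, or None when no element sees water
    (level below the whole array, which a single LT-N tap would only report as zero dP)."""
    n = len(fractions)
    for i, f in enumerate(fractions):
        if f > threshold:
            z_high = (n - i) * spacing_m
            return (z_high - spacing_m, z_high)
    return None


def collapsed_level_m(p_kpa: Sequence[float], spacing_m: float, sg: float) -> float:
    """Article's Lc = (PX - P1)/(span*SG), returned in metres of water above the bottom sensor."""
    span = (len(p_kpa) - 1) * spacing_m
    fraction = (p_kpa[-1] - p_kpa[0]) / (span * sg * G_KPA_PER_M)
    return fraction * span


def column_water_fraction(p_kpa: Sequence[float], ls_m: float, sg: float) -> float:
    """Article's S/Ws = (PX - Ps)/(Ls*SG), using the top sensor as the steam-space pressure Ps
    (assumption: the top sensor is always above the boiling surface)."""
    return (p_kpa[-1] - p_kpa[0]) / (ls_m * sg * G_KPA_PER_M)


# Constructed readings: nine pressure taps 0.5 m apart, top to bottom, steam space at 7000 kPa,
# boiling surface 2.75 m above the bottom tap, mean water fraction 0.70 below the surface, SG 0.74.
SPACING_M = 0.5
SG = 0.74
SAMPLE_PRESSURES_KPA = [7000.00, 7000.00, 7000.00, 7001.27, 7003.81, 7006.35, 7008.89, 7011.43, 7013.97]
# Constructed heated-thermocouple readings (K above reference), eight junctions 0.5 m apart,
# calibrated to 5 K in water and 40 K in steam.
SAMPLE_DT_K = [40.0, 40.0, 39.5, 18.0, 17.0, 16.0, 15.0, 15.0]
DT_WATER_K, DT_STEAM_K = 5.0, 40.0


if __name__ == "__main__":
    fr = water_fractions_from_pressures(SAMPLE_PRESSURES_KPA, SPACING_M, SG)
    bracket = locate_surface(fr, SPACING_M)
    ls = sum(bracket) / 2  # midpoint of the bracket as the point estimate (assumption)
    print("ex-core water fraction per interval:", [round(f, 2) for f in fr])
    print("boiling surface between", bracket, "-> Ls ~", ls, "m")
    print("collapsed level Lc:", round(collapsed_level_m(SAMPLE_PRESSURES_KPA, SPACING_M, SG), 2), "m")
    print("column water fraction S/Ws:", round(column_water_fraction(SAMPLE_PRESSURES_KPA, ls, SG), 2))
    tf = water_fractions_from_thermocouples(SAMPLE_DT_K, DT_WATER_K, DT_STEAM_K)
    print("in-core surface bracket from probe:", locate_surface(tf, SPACING_M))
```

With the constructed data the pressure array brackets the surface between 2.5 m and 3.0 m, the collapsed level comes out at about 1.93 m and the column water fraction at about 0.70, i.e. the collapsed level is the boiling level multiplied by the water fraction, which is the swell effect of the previous section expressed in the article's own quantities. The probe brackets the in-core surface between 2.0 m and 2.5 m, independently of any pressure tap.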


Yet another method to consider for the detection of “in-core” level is to correlate the gamma radiation distribution inside and outside the reactor pressure vessel with the water level. The vertical gamma radiation distribution is related to the water level, but because it is also a function of the neutron flux and the coolant recirculation pump speed, special algorithms are needed to interpret the level based on these radiation measurements.

To obtain fully reliable measurements, it is also desirable to provide battery backup and wireless output for all the transmitters, so that if either the regular power supply fails, or the regular output signal wires are damaged, the level information will still be available and can be read not only in the control room, but also outside the building.

Preventing Hydrogen Explosions


Once the “window of opportunity” to keep the fuel rods covered was missed (Figure 1) and the melting of the fuel rods started, the safety goal should have been to prevent the explosion of the hydrogen generated. During an emergency shutdown, if cooling is lost, the fuel rod temperatures will rise, the zirconium cladding (the material that covers the fuel rod) melts (at around 1200 °C) and reacts with the water in the reactor, generating hydrogen:

Zr + 2H₂O → ZrO₂ + 2H₂

If the generated hydrogen comes in contact with an ignition source (such as a melting fuel rod) and if oxygen is present, it can explode. This is what occurred in the Fukushima plant. The hydrogen accumulated in the primary and later in the secondary containments, and because they contained air (not inert gas), it exploded (Figure 5).


Figure 5: At Fukushima, as the pressure increased, the radioactive steam containing hydrogen was relieved by the PSV into the wet well, but due to loss of cooling, the steam did not condense. Therefore the pressure built up until (7 hours later) the operators finally relieved it by manually opening the vent valve (SS). The hydrogen accumulated inside the building, mixed with oxygen in the air and exploded.

As an explosion requires a fuel, an ignition source and oxygen, relieving the hydrogen inside the building made the explosion unavoidable. Yet a properly designed automatic safety control system would have prevented the explosion, because:

As soon as hydrogen was detected in the torus, the backup cooling system would have been automatically actuated, and if the pressure continued to rise, a pressure relief system (Figure 6) would have automatically opened to relieve the steam-hydrogen mixture outside the building (after it had been filtered to remove any radioactive solids). In addition, nitrogen purging of the primary containment would have started automatically and immediately. (Fukushima operators did not inert the primary containment until two months later, in May 2011.)


Figure 6: A properly designed pressure relief system would have automatically relieved the steam and hydrogen to outside the building, where it would have quickly risen.


Because hydrogen was allowed to accumulate inside the building, its explosion destroyed the building, and radioactive particles were discharged with it, because it was not filtered as in Figure 6. Another important feature of the design in Figure 6 is that as soon as the excess pressure is released, the pressure safety valve recloses. In the case of Fukushima (or any other plant where the vent valve is manually opened), the operator can forget to reclose the valve and thereby unnecessarily release additional radioactive gases and solids. It is also important that full backup be provided for the automatic pressure relief system, so that the burst rupture disk can be replaced while the backup relief valve protects the building. The main reason the design in Figure 6 is safe is that it is automatic. Therefore, no operator judgment is involved (there is no seven-hour hesitation): whenever the pressure reaches about 75% of the design pressure, it is relieved automatically.
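The automatic logic described in the last three paragraphs, as an added Python example (not the article's or any vendor's safety-system code): hydrogen detected in the torus latches on the backup cooling and the nitrogen purge, the filtered relief path opens when containment pressure reaches 75% of design and recloses on its own once the pressure has fallen, so nothing depends on an operator remembering to act or to reclose a valve. The design pressure, the hydrogen trip point, the reseat point (which gives the valve a hysteresis band) and the sample time series are constructed assumptions.

```python
"""Automatic containment safety interlocks with a self-reclosing relief path.
Added example; every set point and the sample time series are constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

DESIGN_PRESSURE_KPA = 430.0                     # assumed primary-containment design pressure
RELIEF_OPEN_KPA = 0.75 * DESIGN_PRESSURE_KPA    # article: relieve at about 75% of design pressure
RELIEF_RESEAT_KPA = 0.65 * DESIGN_PRESSURE_KPA  # assumed reseat point; the gap prevents valve chatter
H2_TRIP_PCT = 1.0                               # assumed hydrogen volume-% in the torus that trips the logic


@dataclass
class SafetyState:
    backup_cooling_on: bool = False
    nitrogen_purge_on: bool = False
    relief_open: bool = False
    log: List[Tuple[float, str]] = field(default_factory=list)  # (minutes, action) for the record


def evaluate(state: SafetyState, t_min: float, torus_pressure_kpa: float, torus_h2_pct: float) -> List[str]:
    """One scan of the interlock logic. Cooling and N2 purge latch on the first hydrogen detection
    (this logic never switches them off); the relief path opens at the trip pressure and
    recloses at the reseat pressure. Returns the actions taken during this scan."""
    taken = []
    if torus_h2_pct >= H2_TRIP_PCT:
        if not state.backup_cooling_on:
            state.backup_cooling_on = True
            taken.append("start backup cooling")
        if not state.nitrogen_purge_on:
            state.nitrogen_purge_on = True
            taken.append("start nitrogen purge")
    if not state.relief_open and torus_pressure_kpa >= RELIEF_OPEN_KPA:
        state.relief_open = True
        taken.append("open filtered relief")
    elif state.relief_open and torus_pressure_kpa <= RELIEF_RESEAT_KPA:
        state.relief_open = False
        taken.append("reclose relief")
    state.log.extend((t_min, a) for a in taken)
    return taken


def run(samples: Sequence[Tuple[float, float, float]]) -> SafetyState:
    """Run the logic over (minutes, torus pressure kPa, torus H2 vol-%) samples in order."""
    state = SafetyState()
    for t, p, h2 in samples:
        evaluate(state, t, p, h2)
    return state


# Constructed trend: pressure climbs after loss of cooling, hydrogen appears, relief cycles twice.
SAMPLE_TREND = [
    (0, 100.0, 0.0), (30, 180.0, 0.0), (60, 250.0, 0.6), (90, 300.0, 1.4), (120, 330.0, 2.0),
    (150, 345.0, 2.5), (180, 300.0, 2.0), (210, 270.0, 1.5), (240, 330.0, 1.8), (270, 260.0, 1.2),
]

if __name__ == "__main__":
    for t, action in run(SAMPLE_TREND).log:
        print(f"t={t:4.0f} min: {action}")
```

The hysteresis band is what lets the valve reclose "as soon as the excess pressure is released" without chattering around a single set point; the action log is the audit trail a plant would keep to show when each automatic step fired.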


If automatic, state-of-the-art safety controls had been used at Fukushima, both the meltdown and the hydrogen explosions could have been prevented.

Béla Lipták, PE
President of Béla Lipták Associates, PC
Automation and Safety Consultants
84 Old N. Stamford Rd, Stamford CT. 06905
T/F: 203-357-7614, E:




ABOUT THE AUTHOR: Béla Lipták was born in 1936 in Hungary. As a Technical University student, he participated in the revolution against the Soviet occupation, escaped and entered the United States as a refugee in 1956. In 1959 he received an engineering degree from Stevens Institute of Technology, in 1962 a master’s degree from CCNY, and later did graduate work at Pratt Institute. In 1960 he became the Chief Instrument Engineer of Crawford and Russell, where he led the automation of dozens of industrial plants for more than a decade. In 1969 he published the multi-volume Instrument and Automation Engineers’ Handbook, which today is in its 5th edition. In 1975 he received his professional engineering license and founded his consulting firm, Béla Lipták Associates PC, which provides design and consulting services in the fields of automation and industrial safety. Over the years he has lectured on automation at many universities around the world, including Yale University, where he taught automation as an adjunct professor in 1987. His inventions include the transportation and storage of solar energy and the design of safe nuclear reactors. His more than 50 years of professional experience include the automation of several dozen industrial plants and the publication of over 300 technical articles and over 20 books, all dealing with the various aspects of automation, safety and energy technology. In 1973 he was elected an ISA (International Society of Automation) Fellow, in 1995 he received the Technical Achievement Award from ISA and in 2001 the “Control Hall of Fame” award. He was the keynote speaker at the 2002 and 2011 ISA conventions and in 2012 received the “Lifetime Achievement Award” from the International Society of Automation.