The British Royal Academy of Engineering, an institution whose membership is nominated and elected only, is conducting a study on the engineering and societal impacts of space weather and has issued a call for evidence. I sent the following note on Sunday 25th March to policyAT[theRoyalAcademyOfEngineering] with a copy to the Office of Nuclear Regulation.
Dear Sirs and Mesdames,You are performing a study of the effects of solar storms on UK infrastructure and asked for evidence to be submitted to this e-mail address by mid-April. I am hereby responding to that call.
Many nuclear power plants are dependent upon continuing supplies of electricity to support not only normal but emergency operations. Cooling systems, including emergency cooling systems, in most plants are dependent on continual (and continually reliable) supplies of electricity for control, and in some cases also operation.
The station blackout at the Fukushima Daiichi plant a year ago focused some attention (ours as well) on the vulnerability of such plants to design and operational assumptions which, in my view, a thorough hazard analysis of the modern variety would and should have made apparent.
Electricity supply to essential functions at nuclear power plants is provided “in depth”, that is, by redundant systems. The BWRs with Mark 1 containment at Fukushima Daiichi obtained power first self-generated, then from external grid supply, then from on-site diesel generators, finally from batteries. The self-generated power was lost upon shutdown, a response to the Tohoku earthquake, which also took out the external grid supply. Nearly an hour later, the diesel generators were flooded by the tsunami and the only electricity supply available became the batteries, which were scoped to supply for 8 hours. The physical requirement in that situation, though, was for far longer than that and the result (of that as well as other damage) was meltdown. I observe that, until recently, the requirement for battery power supply in “station blackout” conditions in some US power stations was only 4 hours. The US Nuclear Regulatory Commission has recently reconsidered that requirement.
One salient engineering phenomenon is that the satisfactory operation of many of these systems was predicated on independent failure of systems. For example severe ground movement and flooding seem to have been taken as independent events by the designers and builders, as far as we know. Whereas at Fukushima Daiichi those events had a common cause, namely the Tohoku earthquake. We see this phenomenon, an assumption of independence vitiated by common-cause events, time and again in engineering.
I understand that a recent solar storm in 1989 took out the grid power supply in Quebec for about nine hours http://en.wikipedia.org/wiki/March_1989_geomagnetic_storm . So it is possible for the consequences of a solar storm to exceed the “design basis” requirement for emergency-system operation at at many nuclear power plants of the BWR design (I understand well that the UK has no plants of similar design; I use this simply as an example of how design assumptions and physical reality may not always connect well).
However, I know of no current public study of the effect of a solar storm (coronal mass ejection, CME) on US nuclear power plants, although recent articles in the New York Times by journalist Matthew Wald have detailed some current thinking and practical exercises to install emergency power generators: http://green.blogs.nytimes.com/2012/03/19/a-speed-record-on-the-power-grid/
A Fellow of your institution, Martyn Thomas, has given talks recently on the possible consequences of solar storms on some engineered systems. I am in regular contact with Martyn. He gave a talk at the Workshop I organised last August on the Fukushima Daiichi accident, and has recently given a talk at the Safety-Critical Systems Symposium in Bristol in February 2012, which was filmed by the IET at http://scpro.streamuk.com/uk/player/Default.aspx?wid=12667&ptid=32&t=0 When Martyn asked during his talk who explicitly considered Carrington-type events in their hazard analyses, I was apparently the only person to respond positively. (I chair a standardisation committee in Germany which is performing a hazard analysis of charging electric road vehicles; we explicitly consider solar storms.) That suggests to me that awareness of the consequences of severe solar storms on UK infrastructure is not very high amongst even safety engineers. I would hope that your study could help remedy that.
The issues with hazard analysis and mitigation concerning complex safety-critical systems such as nuclear power plants are not trivial, and this is not the place to list them. But the most salient characteristic which came to light in our work is that the assumptions about what can happen which constitute what the US calls the “design basis” for these plants can be obscure, sometimes outmoded, and, as at Fukushima Daiichi, inappropriate. (It is particularly noteworthy that the vulnerability of the diesel emergency generation to flooding had been pointed out explicitly, most notably by the sociologist Charles Perrow in his 2007 book “The Next Catastrophe”. The possibility of station blackout of BWR designs due to flooding was not exactly an obscure phenomenon. How did the engineers miss that? We don’t know yet, although we have some hints. The answer will be given in my view by sociologists, not by the engineers themselves.)
I looked in the material on the WWW site of the Office of Nuclear Regulation for mention and consideration of solar storms, and found just one document from the Cabot Institute at Bristol University: http://www.hse.gov.uk/nuclear/fukushima/submissions/226920.pdf So the ONR is aware of the potential for such storms, but consequences of such storms are not considered at all in the vulnerability analysis which ONR performed at the request of the government in 2011: http://www.hse.gov.uk/nuclear/fukushima/final-report.pdf
I do think it essential that a careful analysis of the effect of severe solar storms on the safety and emergency infrastructure of nuclear power plants be performed. I think special attention should be paid to the general engineering problem of considering the issue of common-cause failures of kit whose design assumptions include independent failure.
I am moderately sure that you (and the ONR) will be aware of many of these issues already. I hope you understand, though, my desire to ensure that they are considered and hence this note.
Sincerely,
PBL
For those interested in analyses of the Fukushima Daiichi accident, I have a paper on it with clickable links (unlike the version in the Proceedings). I gratefully acknowledge the agreement of the Proceedings publisher, Springer-Verlag, for me to include the paper on our WWW site and note that the final publication from Springer is available at www.springerlink.com in the book Achieving Systems Safety, edited by Chris Dale and Tom Anderson. A video of the accompanying talk is also on IET.tv