Inherently safer design
1 January 2002
The chemical industry is learning from accidents such as Bhopal, but the nuclear establishment has - until recently - not shown much interest in inherently safer designs. By Trevor Kletz
If we wish to improve the safety of a plant we should, whenever possible, remove the hazard (the inherently safer solution) rather than keep it under control by adding protective features or procedures. For example, where possible we should replace flammable or toxic materials by safer ones, or reduce the inventory of hazardous material so that a leak of the entire contents hardly matters. If we cannot do this, the next best choice is to control the hazard with added-on passive protective equipment, such as fire insulation. Passive protection is not inherently safe, since the insulation might fall off, or be removed for inspection and not replaced, but it does not have to be commissioned or switched on to do its job. The third choice is active protective equipment, for example a water spray turned on automatically; unfortunately, the equipment may fail or be neglected. Our last resort is reliance on procedures, for example a water spray turned on by an operator. Unfortunately, some companies work through these options in the wrong order. It is cheaper and easier to write additional instructions than to add on protective equipment, and it is cheaper and easier to add on protective equipment than to make major changes to an existing plant or process.
Inherently safer design
The experience of the chemical industry shows what can be done by inherently safer design. The worst accident in the industry's history occurred at Bhopal in India in 1984, when a leak of a toxic chemical, methyl isocyanate (MIC), killed over 2000 people. The triggering event may have been sabotage, but the results would have been much less serious if the protective equipment on the plant had been in working order. However, most commentators missed the most important lesson: MIC was an intermediate, not a product or raw material, and while it was convenient to store it, it was not essential to do so. It could have been used as it was made and, instead of 100 tonnes in a tank, there would have been only a few kilogrammes in a pipeline. What you don't have, can't leak. After Bhopal many companies reduced or eliminated their stocks of hazardous intermediates and made their processes cheaper as well as safer.
An old method for the manufacture of nitroglycerine required the reaction to take place in large stirred pots containing about a tonne of material. The operators had to watch the temperature closely and, to make sure they did not fall asleep, they sat on one-legged stools. Nevertheless the temperature sometimes rose and was followed by an explosion. If asked to make this process safer, the default action of most engineers would be to add on to the reactor instruments for measuring temperature, pressure, flow, rate of temperature rise and so on. They would use these measurements to operate valves which stopped flows, increased cooling, opened vents and drains and so on. By the time they had finished, the reactor would hardly be visible beneath the added-on protective equipment. They would have removed their dependence on the operators but would instead be dependent on the people who design, manufacture, install, test and maintain the protective equipment. These people also make errors.
The nitroglycerine engineers realised this and, when they were asked to improve the process, they asked why the reactor had to contain so much material. The obvious answer was that the reaction is slow. But the chemical reaction is not slow: once the molecules come together they react quickly. It is the mixing that is slow. Once the engineers realised this they designed a small, well-mixed reactor, holding only about a kilogramme of material, which achieves about the same output as the batch reactor. The new reactor resembles a laboratory water-jet pump (an aspirator). The rapid flow of acid through it creates a partial vacuum that sucks in the glycerine through a side-arm. Very rapid mixing occurs and by the time the mixture leaves the reactor the reaction is complete. The residence time in the reactor was reduced from 120 minutes to 2 minutes, and the operator could then be protected by a blast wall of reasonable size. Note that the safety does not depend on protective equipment that might fail or might be neglected but on the laws of physics. The process is inherently safer (safer rather than safe, as we cannot remove every hazard). The control system is also inherent: if the flow of acid falls or stops, the flow of glycerine also falls or stops, not because there is a flow ratio controller which might fail but as a result of the laws of physics.
Inherent safety in the nuclear industry
Nuclear reactors are highly dependent on active protective equipment, several layers of it, and on the procedures for its testing and maintenance, even though new designs contain more passive features, such as convective cooling, than in the past. The calculated probability of coincident failure of all the layers is negligible, but many accidents have occurred in industry because protective equipment was neglected or was not tested as often as the designers assumed it would be. Is the nuclear industry better than the rest of industry? In the West I think it is. I am not worried about a meltdown in any of our nuclear reactors. But developing countries may lack the knowledge, skills, resources and commitment necessary to maintain complex added-on protective equipment, and may lack the culture and organisation needed for an effective system of enforcement. If we sell them nuclear power stations they should be inherently safer ones. We cannot deny the Third World access to the electricity we take for granted. I am not convinced that global warming is due to carbon dioxide, but its effects are uncertain and a large increase in coal and oil burning would produce other forms of pollution. Nuclear power is the only practicable alternative.
The most promising of the inherently safer designs is the high temperature gas reactor now being considered for South Africa (see McGraw-Hill Handbook of Science and Technology, 2001, p281). It is not inherently safe; nothing is. It still produces spent fuel that has to be stored or recovered, but it is inherently safer. The high-temperature resistance of the fuel and the high surface-to-volume ratio of the core ensure that the after-heat (decay heat) is lost by radiation and conduction. Safety is based on the laws of physics rather than on active protective equipment. There are also other inherently safer designs, such as the Swedish PIUS (Process Inherent Ultimate Safety) reactor, a water-cooled reactor immersed in a solution of boric acid in water. If the cooling system fails the solution is drawn through the core by convection, stops the chain reaction and removes the residual heat. No make-up water is needed for a week. The publications of Charles Forsberg and co-workers describe many inherently safer and passive ways of improving the safety of nuclear reactors.
Although I have said that in the West we have all the skills and commitment needed for the safe operation of existing reactors, I have to admit that before Bhopal I would not have thought such an accident possible in Union Carbide, the company concerned. Also, consider the following incident reported by the US Department of Energy (Operating Experience Weekly Summary, No 2000-3):
During cold weather, a water line froze and ruptured inside a building. Damage was fortunately not very serious. Three years later the same line froze and ruptured again. The heating in the building was not operating and the water line was near the door. The basement was flooded and two 15 m³ tanks floated, reached the ceiling and pushed it up by 0.5 m. The incident occurred at a nuclear site, though not a reactor site.
Can we blame the public for doubting the nuclear industry's ability to prevent reactors overheating when it lets the same water line freeze and rupture twice? Is it not better to design reactors that cannot get dangerously hot, and which are not dependent on added-on protective systems and/or human intervention for their safety? (Remember that adding on protective equipment does not remove our dependence on people. It may remove our dependence on the operator, but we are now dependent on the people who design, build, install, test and maintain the automatic equipment. They also make errors.) Why then has there been so little interest in inherently safer designs by the nuclear establishment? I can suggest three possible reasons:
• A writer in the magazine Atom in August 1989 wrote: "Building on what is already proven could bring swifter results with greater confidence than launching into radically new methods that purport to offer inherent safety." This sounds convincing until we remember that George Stephenson could have been (and probably was) told, 180 years ago, that breeding better horses could bring swifter results than developing "iron horses".
• Some years ago, I was invited to take part in a proposed conference on inherently safer nuclear reactors, but the idea was later abandoned. The organiser told me that many of those approached as possible speakers felt that it had taken long enough to convince the government that they should support the Sizewell B design, and that if they started advocating a new design they would lose credibility.
• The time and effort needed to get regulatory approval for a new design may have discouraged innovation. Think of the repeated delays that BNFL have had commissioning their Sellafield MOX Plant, with a year or so's delay for further consultation before each stage of commissioning.
The explosion at Flixborough in the UK in 1974 first drew attention to the advantages of inherently safer designs. The explosion, which killed 28 people, was so large because the inventory in the plant was so large. Ten years later, Bhopal reinforced the message. The chemical industry has been slow to learn the advantages of these designs but is at last doing so. The nuclear industry, however, is still living in the equivalent of a pre-Flixborough and pre-Bhopal age, confident of its ability to keep hazards under control. There is no doubt that traditional designs can be managed safely. In the light of Flixborough and Bhopal, will they always be managed safely, everywhere, all the time?
The nuclear industry was at one time one of the most innovative, recruiting the brightest and best of the post-War generation of engineers. It has now become more conservative, not in producing innovative ideas but in getting them adopted. Can it ever again recapture the spirit of the 1950s?