A nuclear meltdown is an informal term for a severe nuclear reactor accident that results in core damage from overheating. The term is not officially defined by the International Atomic Energy Agency[1] or by the U.S. Nuclear Regulatory Commission.[2] However, it has been defined to mean the accidental melting of the core of a nuclear reactor,[3] and is in common usage a reference to the core's either complete or partial collapse. "Core melt accident" and "partial core melt"[4] are the analogous technical terms.
A core melt accident occurs when the heat generated by a nuclear reactor exceeds the heat removed by the cooling systems to the point where at least one nuclear fuel element exceeds its melting point. This differs from a fuel element failure, which is not caused by high temperatures. A meltdown may be caused by a loss of coolant, loss of coolant pressure, or low coolant flow rate or be the result of a criticality excursion in which the reactor is operated at a power level that exceeds its design limits. A meltdown is considered a serious event because of the potential for release of radioactive material into the environment.
Causes
Nuclear power plants generate electricity by heating fluid via a nuclear reaction to run a generator. If the heat from that reaction is not removed adequately, the fuel assemblies in a reactor core can melt. A core damage incident can occur even after a reactor is shut down because the fuel continues to produce decay heat. This decay heat dissipates with time.
A core damage accident is caused by the loss of sufficient cooling for the nuclear fuel within the reactor core. The reason may be one of several factors, including a loss-of-pressure-control accident, a loss-of-coolant accident (LOCA), an uncontrolled power excursion or, in some types, a fire within the reactor core. Failures in control systems may cause a series of events resulting in loss of cooling. Contemporary safety principles of defense in depth ensure that multiple layers of safety systems are always present to make such accidents unlikely.
The containment building is intended to prevent the release of radioactivity to the environment. This is due to the reactor being contained within a 1.2-to-2.4-metre (3.9 to 7.9 ft) thick pre-stressed, steel-reinforced, air-tight concrete dome.
In a loss-of-coolant accident, either the physical loss of coolant (which is typically deionized water, an inert gas, NaK, or liquid sodium) or the loss of a method to ensure a sufficient flow rate of the coolant occurs. A loss-of-coolant accident and a loss-of-pressure-control accident are closely related in some reactors. In a pressurized water reactor, a loss-of-coolant accident can also cause a steam 'bubble' to form in the core due to excessive heating of stalled coolant or by the subsequent loss-of-pressure-control accident caused by a rapid loss of coolant. In a loss-of-forced-circulation accident, a gas cooled reactor's circulators (generally motor or steam driven turbines) fail to circulate the gas coolant within the core, and heat transfer is impeded by this loss of forced circulation, though natural circulation through convection will keep the fuel cool as long as the reactor is not depressurized.[5]
In a loss-of-pressure-control accident, the pressure of the confined coolant falls below specification without the means to restore it. In some cases this may reduce the heat transfer efficiency (when using an inert gas as a coolant) and in others may form an insulating 'bubble' of steam surrounding the fuel assemblies (for pressurized water reactors). In the latter case, due to localized heating of the steam 'bubble' due to decay heat, the pressure required to collapse the steam 'bubble' may exceed reactor design specifications until the reactor has had time to cool down. (This event is less likely to occur in boiling water reactors, where the core may be deliberately depressurized so that the Emergency Core Cooling System may be turned on). In a depressurization fault, a gas-cooled reactor loses gas pressure within the core, reducing heat transfer efficiency and posing a challenge to the cooling of fuel; however, as long as at least one gas circulator is available, the fuel will be kept cool.[5]
In an uncontrolled power excursion accident, a sudden power spike in the reactor exceeds reactor design specifications due to a sudden increase in reactor reactivity. An uncontrolled power excursion occurs due to significantly altering a parameter that affects the neutron multiplication rate of a chain reaction (examples include ejecting a control rod or significantly altering the nuclear characteristics of the moderator, such as by rapid cooling). In extreme cases the reactor may proceed to a condition known as prompt critical. This is especially a problem in reactors that have a positive void coefficient of reactivity, a positive temperature coefficient, are under moderated, or can trap excess quantities of deleterious fission products within their fuel or moderators. Many of these characteristics are present in the RBMK design, and the Chernobyl disaster was caused by such deficiencies as well as by severe operator negligence. Western light water reactors are not subject to very large uncontrolled power excursions because loss of coolant decreases, rather than increases, core reactivity (a negative void coefficient of reactivity); "transients," as the minor power fluctuations within Western light water reactors are called, are limited to momentary increases in reactivity that will rapidly decrease with time (approximately 200% - 250% of maximum neutronic power for a few seconds in the event of a complete rapid shutdown failure combined with a transient).
Core-based fires endanger the core and can cause the fuel assemblies to melt. A fire may be caused by air entering a graphite moderated reactor, or a liquid-sodium cooled reactor. Graphite is also subject to accumulation of Wigner energy, which can overheat the graphite, as happened at the Windscale fire). Light water reactors do not have flammable cores or moderators and are not subject to core fires. Gas-cooled civil reactors, such as the Magnox, UNGG, and AGCR type reactors, keep their cores blanketed with non reactive carbon dioxide gas, which cannot support a fire. Modern gas-cooled civil reactors use helium, which cannot burn, and have fuel that can withstand high temperatures without melting (such as the High Temperature Gas Cooled Reactor and the Pebble Bed Modular Reactor).
Byzantine faults and cascading failures within instrumentation and control systems may cause severe problems in reactor operation, potentially leading to core damage if not mitigated. For example, the Browns Ferry fire damaged control cables and required the plant operators to manually activate cooling systems. The Three Mile Island accident was caused by a stuck-open pilot-operated pressure relief valve combined with a deceptive water level gauge that misled reactor operators, which resulted in core damage.
Light water reactors
Before the core of a light water nuclear reactor can be damaged, two precursor events must have already occurred:
A limiting fault (or a set of compounded emergency conditions) that leads to the failure of heat removal within the core (the loss of cooling). Low water level uncovers the core, allowing it to heat up.
Failure of the Emergency Core Cooling System (ECCS). The ECCS is designed to rapidly cool the core and make it safe in the event of the maximum fault (the design basis accident) that nuclear regulators and plant engineers could imagine. There are at least two copies of the ECCS built for every reactor. Each division (copy) of the ECCS is capable, by itself, of responding to the design basis accident. The latest reactors have as many as four divisions of the ECCS. This is the principle of redundancy, or duplication. As long as at least one ECCS division functions, no core damage can occur. Each of the several divisions of the ECCS has several internal "trains" of components. Thus the ECCS divisions themselves have internal redundancy - and can withstand failures of components within them.
The Three Mile Island accident was a compounded group of emergencies that led to core damage. What led to this was an erroneous decision by operators to shut down the ECCS during an emergency condition due to gauge readings that were either incorrect or misinterpreted; this caused another emergency condition that, several hours after the fact, led to core uncovery and a core damage incident. If the ECCS had been allowed to function, it would have prevented both uncovery and core damage.
If such a limiting fault were to occur, and a complete failure of all ECCS divisions were to occur, both Kuan, et al and Haskin, et al describe six stages between the start of the limiting fault (the loss of cooling) and the potential escape of molten corium into the containment (a so-called "full meltdown"):[6][7]
1.Core uncovery. In the event of a transient, upset, emergency, or limiting fault, LWRs are designed to automatically SCRAM (a SCRAM being the immediate and full insertion of all control rods) and spin up the ECCS. This greatly reduces reactor thermal power (but does not remove it completely); this delays core "uncovery", which is defined as the point when the fuel rods are no longer covered by coolant and can begin to heat up. As Kuan states: "In a small-break LOCA with no emergency core coolant injection, core uncovery generally begins approximately an hour after the initiation of the break. If the reactor coolant pumps are not running, the upper part of the core will be exposed to a steam environment and heatup of the core will begin. However, if the coolant pumps are running, the core will be cooled by a two-phase mixture of steam and water, and heatup of the fuel rods will be delayed until almost all of the water in the two-phase mixture is vaporized. The TMI-2 accident showed that operation of reactor coolant pumps may be sustained for up to approximately two hours to deliver a two phase mixture that can prevent core heatup."[6]
2.Pre-damage heat up. "In the absence of a two-phase mixture going through the core or of water addition to the core to compensate water boiloff, the fuel rods in a steam environment will heat up at a rate between 0.3 °C/s (0.5 °F/s) and 1 °C/s (1.8 °F/s) (3)."[6]
3.Fuel ballooning and bursting. "In less than half an hour, the peak core temperature would reach 1,100 K (1,520 °F). At this temperature, the zircaloy cladding of the fuel rods may balloon and burst. This is the first stage of core damage. Cladding ballooning may block a substantial portion of the flow area of the core and restrict the flow of coolant. However complete blockage of the core is unlikely because not all fuel rods balloon at the same axial location. In this case, sufficient water addition can cool the core and stop core damage progression."[6]
4.Rapid oxidation. "The next stage of core damage, beginning at approximately 1,500 K (2,240 °F), is the rapid oxidation of the Zircaloy by steam. In the oxidation process, hydrogen is produced and a large amount of heat is released. Above 1,500 K (2,240 °F), the power from oxidation exceeds that from decay heat (4,5) unless the oxidation rate is limited by the supply of either zircaloy or steam."[6]
5.Debris bed formation. "When the temperature in the core reaches about 1,700 K (2,600 °F), molten control materials [1,6] will flow to and solidify in the space between the lower parts of the fuel rods where the temperature is comparatively low. Above 1,700 K (2,600 °F), the core temperature may escalate in a few minutes to the melting point of zircaloy [2,150 K (3,410 °F)] due to increased oxidation rate. When the oxidized cladding breaks, the molten zircaloy, along with dissolved UO2 [1,7] would flow downward and freeze in the cooler, lower region of the core. Together with solidified control materials from earlier down-flows, the relocated zircaloy and UO2 would form the lower crust of a developing cohesive debris bed."[6]
6.(Corium) Relocation to the lower plenum. "In scenarios of small-break LOCAs, there is generally a pool of water in the lower plenum of the vessel at the time of core relocation. Release of molten core materials into water always generates large amounts of steam. If the molten stream of core materials breaks up rapidly in water, there is also a possibility of a steam explosion. During relocation, any unoxidized zirconium in the molten material may also be oxidized by steam, and in the process hydrogen is produced. Recriticality also may be a concern if the control materials are left behind in the core and the relocated material breaks up in unborated water in the lower plenum."[6]
At the point at which the corium relocates to the lower plenum, Haskin, et al relate that the possibility exists for an incident called a fuel-coolant interaction (FCI) to substantially stress or breach the primary pressure boundary when the corium relocates to the lower plenum of the reactor pressure vessel ("RPV").[8] This is because the lower plenum of the RPV may have a substantial quantity of water - the reactor coolant - in it, and, assuming the primary system has not been depressurized, the water will likely be in the liquid phase, and consequently dense, and at a vastly lower temperature than the corium. Since corium is a liquid metal-ceramic eutectic at temperatures of 2,200 to 3,200 K (3,500 to 5,300 °F), its fall into liquid water at 550 to 600 K (530 to 620 °F) may cause an extremely rapid evolution of steam that could cause a sudden extreme overpressure and consequent gross structural failure of the primary system or RPV.[8] Though most modern studies hold that it is physically infeasible, or at least extraordinarily unlikely, Haskin, et al state that that there exists a remote possibility of an extremely violent FCI leading to something referred to as an alpha-mode failure, or the gross failure of the RPV itself, and subsequent ejection of the upper plenum of the RPV as a missile against the inside of the containment, which would likely lead to the failure of the containment and release of the fission products of the core to the outside environment without any substantial decay having taken place.[9]
The American Nuclear Society has said "despite melting of about one-third of the fuel, the reactor vessel itself maintained its integrity and contained the damaged fuel".[10]
Standard failure modes
If the melted core penetrates the pressure vessel, there are theories and speculations as to what may then occur.
In modern Russian plants, there is a "core catching device" in the bottom of the containment building, the melted core is supposed to hit a thick layer of a "suffering metal" which would melt, dilute the core and increase the heat conductivity, and finally the diluted core can be cooled down by water circulating in the floor - however there has never been any full-scale testing of said device.[11]
In Western plants, there is an airtight containment building. Though radiation would be at a high level within the primary containment, doses outside of it would be lower. Containment buildings are designed for the orderly release of pressure without releasing radionuclides, through a pressure release valve and filters. Hydrogen/oxygen recombiners also are installed within the containment to prevent gas explosions.
In a melting event, one spot or area on the RPV will become hotter than other areas, and will eventually melt. When it melts, corium will pour into the cavity under the reactor. Though the cavity is designed to remain dry, several NUREG-class documents advise operators to flood the cavity in the event of a fuel melt incident. This water will become steam and pressurize the containment. Automatic water sprays will pump large quantities of water into the steamy environment to keep the pressure down. Catalytic recombiners will rapidly convert the hydrogen and oxygen back into water. One positive effect of the corium falling into water is that it is cooled and returns to a solid state.
Extensive water spray systems within the containment along with the ECCS, when it is reactivated, will allow operators to spray water within the containment to cool the core on the floor and reduce it to a low temperature.
These procedures are intended to prevent release of radiation. In the Three Mile Island event in 1979, a theoretical person standing at the plant property line during the entire event would have received a dose of approximately 2 millisieverts (200 millirem), between a chest X-ray's and a CT scan's worth of radiation. This was due to out gassing by an uncontrolled system that, today, would have been backfitted with activated carbon and HEPA filters to prevent radionuclide release.
Cooling will take quite a while, until the natural decay heat of the corium reduces to the point where natural convection and conduction of heat to the containment walls and re-radiation of heat from the containment allows for water spray systems to be shut down and the reactor put into safe storage. The containment can be sealed with release of extremely limited offsite radioactivity and release of pressure within the containment. After a number of years for fission products to decay - probably around a decade - the containment can be reopened for decontamination and demolition.
Speculative failure modes
One scenario consists of the reactor pressure vessel failing all at once, with the entire mass of corium dropping into a pool of water (for example, coolant or moderator) and causing extremely rapid generation of steam. The pressure rise within the containment could threaten integrity if rupture disks could not relieve the stress. Exposed flammable substances could burn, but there are few, if any, flammable substances within the containment.
Another theory called an 'alpha mode' failure by the 1975 Rasmussen (WASH-1400) study asserted steam could produce enough pressure to blow the head off the reactor pressure vessel (RPV). The containment could be threatened if the RPV head collided with it. (The WASH-1400 report was replaced by better-based[original research?] newer studies, and now the Nuclear Regulatory Commission has disavowed them all and is preparing the over-arching State-of-the-Art Reactor Consequence Analyses [SOARCA] study - see the Disclaimer in NUREG-1150.)
Another scenario sees a buildup of hydrogen within the containment, which could lead to a detonation event. Catalytic hydrogen recombiners located within the reactor core and containment are designed to prevent this from occurring; however, prior to the installation of these recombiners in the 1980s, the Three Mile Island containment (in 1979) suffered a massive hydrogen explosion event in the accident there. The containment withstood the pressure and no radioactivity was released. However, some still consider a hydrogen detonation event a possible cause of future containment breaches.
It has not been determined to what extent a molten mass can melt through a structure (although that was tested in the Loss-of-Fluid-Test Reactor described in Test Area North's fact sheet[12]). The Three Mile Island accident provided some real-life experience, with an actual molten core within an actual structure; the molten corium failed to melt through the Reactor Pressure Vessel after over six hours of exposure, due to dilution of the melt by the control rods and other reactor internals, validating the emphasis on defense in depth against core damage incidents. Some believe a molten reactor core could actually penetrate the reactor pressure vessel and containment structure and burn downwards into the earth beneath, to the level of the groundwater.
Other reactor types
Other types of reactors have different capabilities and safety profiles than the LWR does. Advanced varieties of several of these reactors have the potential to be inherently safe.
CANDU reactors
CANDU reactors, Canadian-invented deuterium-uranium design, are designed with at least one, and generally two, large low-temperature and low-pressure water reservoirs around their fuel/coolant channels. The first is the bulk heavy-water moderator (a separate system from the coolant), and the second is the light-water-filled shield tank. These backup heat sinks are sufficient to prevent either the fuel meltdown in the first place (using the moderator heat sink), or the breaching of the core vessel should the moderator eventually boil off (using the shield tank heat sink).[13] Other failure modes aside from fuel melt will probably occur in a CANDU rather than a meltdown, such as deformation of the calandria into a non-critical configuration. All CANDU reactors are located within standard Western containments as well.
Gas-cooled reactors
One type of Western reactor, known as the advanced gas-cooled reactor (or AGCR), built by the United Kingdom, is not very vulnerable to loss-of-cooling accidents or to core damage except in the most extreme of circumstances. By virtue of the relatively inert coolant (carbon dioxide), the large volume and high pressure of the coolant, and the relatively high heat transfer efficiency of the reactor, the time frame for core damage in the event of a limiting fault is measured in days. Restoration of some means of coolant flow will prevent core damage from occurring.
Other types of highly advanced gas cooled reactors, generally known as high-temperature gas-cooled reactors (HTGRs) such as the Japanese High Temperature Test Reactor and the United States' Very High Temperature Reactor, are inherently safe, meaning that meltdown or other forms of core damage are physically impossible, due to the structure of the core, which consists of hexagonal prismatic blocks of silicon carbide reinforced graphite infused with TRISO or QUADRISO pellets of uranium, thorium, or mixed oxide buried underground in a helium-filled steel pressure vessel within a concrete containment. Though this type of reactor is not susceptible to meltdown, additional capabilities of heat removal are provided by using regular atmospheric airflow as a means of backup heat removal, by having it pass through a heat exchanger and rising into the atmosphere due to convection, achieving full residual heat removal. The VHTR is scheduled to be prototyped and tested at Idaho National Laboratory within the next decade (as of 2009) as the design selected for the Next Generation Nuclear Plant by the US Department of Energy. This reactor will use a gas as a coolant, which can then be used for process heat (such as in hydrogen production) or for the driving of gas turbines and the generation of electricity.
A similar highly-advanced gas cooled reactor originally designed by West Germany (the AVR reactor) and now developed by South Africa is known as the Pebble Bed Modular Reactor. It is an inherently safe design, meaning that core damage is physically impossible, due to the design of the fuel (spherical graphite "pebbles" arranged in a bed within an metal RPV and filled with TRISO (or QUADRISO) pellets of uranium, thorium, or mixed oxide within). A prototype of a very similar type of reactor has been built by the Chinese, HTR-10, and has worked beyond researchers' expectations, leading the Chinese to announce plans to build a pair of follow-on, full-scale 250 MWe, inherently safe, power production reactors based on the same concept.
Experimental or conceptual designs
Some design concepts for nuclear reactors emphasize resistance to meltdown and operating safety.
The PIUS (process inherent ultimate safety) designs, originally engineered by the Swedes in the late 1970s and early 1980s, are LWRs that by virtue of their design are resistant to core damage. No units have ever been built.
Power reactors, including the Deployable Electrical Energy Reactor, a larger-scale mobile version of the TRIGA for power generation in disaster areas and on military missions, and the TRIGA Power System, a small power plant and heat source for small and remote community use, have been put forward by interested engineers, and share the safety characteristics of the TRIGA due to the uranium zirconium hydride fuel used.
The Hydrogen Moderated Self-regulating Nuclear Power Module, a reactor that uses uranium hydride as a moderator and fuel, similar in chemistry and safety to the TRIGA, also possesses these extreme safety and stability characteristics, and has attracted a good deal of interest in recent times.
The Liquid fluoride thermal reactor is designed to naturally have its core in a molten state, as a eutectic mix of thorium and fluorine salts. As such, a molten core is reflective of the normal and safe state of operation of this reactor type. In the event the core overheats, a metal plug will melt, and the molten salt core will drain into tanks where it will cool in a non-critical configuration. Since the core is liquid, and already melted, it cannot be damaged.
Advanced liquid metal reactors, such as the U.S. Integral Fast Reactor and the Russian BN-350, BN-600, and BN-800, all have a coolant with very high heat capacity, sodium metal. As such, they can withstand a loss of cooling without SCRAM and a loss of heat sink without SCRAM, qualifying them as inherently safe.
Soviet Union-designed reactors
RBMKsSoviet designed RBMKs, found only in Russia and the CIS and now shut down everywhere except Russia, do not have containment buildings, are naturally unstable (tending to dangerous power fluctuations), and also have ECCS systems that are considered grossly inadequate by Western safety standards.
RBMK ECCS systems only have one division and have less than sufficient redundancy within that division. Though the large core size of the RBMK makes it less energy-dense than the Western LWR core, it makes it harder to cool. The RBMK is moderated by graphite. In the presence of both steam and oxygen, at high temperatures, graphite forms synthesis gas and with the water gas shift reaction the resultant hydrogen burns explosively. If oxygen contacts hot graphite, it will burn. The RBMK tends towards dangerous power fluctuations. Control rods used to be tipped with graphite, a material that slows neutrons and thus speeds up the chain reaction. Water is used as a coolant, but not a moderator. If the water boils, cooling is lost, but moderation is not lost. This is termed a positive void coefficient of reactivity.
Control rods can become stuck if the reactor suddenly heats up and they are moving. Xenon 135, a neutron absorbent fission product, has a tendency to build up in the core and burn off unpredictably in the event of low power operation. This can lead to inaccurate neutronic and thermal power ratings.
The RBMK does not have any containment above the core. The only substantial solid barrier above the fuel is the upper part of the core, called the upper biological shield, which is a piece of concrete interpenetrated with control rods and with access holes for refueling while online. Other parts of the RBMK were shielded better than the core itself. Rapid shutdown (SCRAM) takes 10 to 15 seconds. Western reactors take 1 - 2.5 seconds.
Western aid has been given to provide certain real-time safety monitoring capacities to the human staff. Whether this extends to automatic initiation of emergency cooling is not known. Training has been provided in safety assessment from Western sources, and Russian reactors have evolved in result to the weaknesses that were in the RBMK. However, numerous RBMKs still operate.
It is safe to say that it might be possible to stop a loss-of-coolant event prior to core damage occurring, but that any core damage incidents will probably assure massive release of radioactive materials. Further, dangerous power fluctuations are natural to the design.
Lithuania joined the EU recently, and upon acceding, it has been required to shut the two RBMKs that it has at Ignalina NPP, as such reactors are totally incompatible with the nuclear safety standards of Europe. It will be replacing them with some safer form of reactor.
MKER
The MKER is a modern Russian-engineered channel type reactor that is a distant descendant of the RBMK. It approaches the concept from a different and superior direction, optimizing the benefits, and fixing the flaws of the original RBMK design.
There are several unique features of the MKER's design that make it a credible and interesting option: One unique benefit of the MKER's design is that in the event of a challenge to cooling within the core - a pipe break of a channel, the channel can be isolated from the plenums supplying water, decreasing the potential for common-mode failures.
The lower power density of the core greatly enhances thermal regulation. Graphite moderation enhances neutronic characteristics beyond light water ranges. The passive emergency cooling system provides a high level of protection by using natural phenomena to cool the core rather than depending on motor-driven pumps. The containment structure is modern and designed to withstand a very high level of punishment.
Refueling is accomplished while online, ensuring that outages are for maintenance only and are very few and far between. 97-99% uptime is a definite possibility. Lower enrichment fuels can be used, and high burnup can be achieved due to the moderator design. Neutronics characteristics have been revamped to optimize for purely civil fuel fertilization and recycling.
Due to the enhanced quality control of parts, advanced computer controls, comprehensive passive emergency core cooling system, and very strong containment structure, along with a negative void coefficient and a fast acting rapid shutdown system, the MKER's safety can generally be regarded as being in the range of the Western Generation III reactors, and the unique benefits of the design may enhance its competitiveness in countries considering full fuel-cycle options for nuclear development.
VVER
The VVER is a pressurized light water reactor that is far more stable and safe than the RBMK. This is because it uses light water as a moderator (rather than graphite), has well understood operating characteristics, and has a negative void coefficient of reactivity. In addition, some have been built with more than marginal containments, some have quality ECCS systems, and some have been upgraded to international standards of control and instrumentation. Present generations of VVERs (the VVER-1000) are built to Western-equivalent levels of instrumentation, control, and containment systems.
However, even with these positive developments, certain older VVER models raise a high level of concern, especially the VVER-440 V230.[14]
The VVER-440 V230 has no containment building, but only has a structure capable of confining steam surrounding the RPV. This is a volume of thin steel, perhaps an inch or two in thickness, grossly insufficient by Western standards.
Has no ECCS. Can survive at most one 4 inch pipe break (there are many pipes greater than 4 inches within the design).
Has six steam generator loops, adding unnecessary complexity.
However, apparently steam generator loops can be isolated, in the event that a break occurs in one of these loops. The plant can remain operating with one isolated loop - a feature found in few Western reactors.
The interior of the pressure vessel is plain alloy steel, exposed to water. This can lead to rust, if the reactor is exposed to water. One point of distinction in which the VVER surpasses the West is the reactor water cleanup facility - built, no doubt, to deal with the enormous volume of rust within the primary coolant loop - the product of the slow corrosion of the RPV. This model is viewed as having inadequate process control systems.
Bulgaria had a number of VVER-440 V230 models, but they opted to shut them down upon joining the EU rather than backfit them, and are instead building new VVER-1000 models. Many non-EU states maintain V230 models, including Russia and the CIS. Many of these states - rather than abandoning the reactors entirely - have opted to install an ECCS, develop standard procedures, and install proper instrumentation and control systems. Though confinements cannot be transformed into containments, the risk of a limiting fault resulting in core damage can be greatly reduced.
The VVER-440 V213 model was built to the first set of Soviet nuclear safety standards. It possesses a modest containment building, and the ECCS systems, though not completely to Western standards, are reasonably comprehensive. Many VVER-440 V213 models possessed by former Soviet bloc countries have been upgraded to fully automated Western-style instrumentation and control systems, improving safety to Western levels for accident prevention - but not for accident containment, which is of a modest level compared to Western plants. These reactors are regarded as "safe enough" by Western standards to continue operation without major modifications, though most owners have performed major modifications to bring them up to generally equivalent levels of nuclear safety.
During the 1970s, Finland built two VVER-440 V213 models to Western standards with a large-volume full containment and world-class instrumentation, control standards and an ECCS with multiply redundant and diversified components. In addition, passive safety features such as 900-tonne ice condensers have been installed, making these two units safety-wise the most advanced VVER-440's in the world.
The VVER-1000 type has a definitely adequate Western-style containment, the ECCS is sufficient by Western standards, and instrumentation and control has been markedly improved to Western 1970s-era levels.
Chernobyl disaster
In the Chernobyl disaster the fuel became non-critical when it melted and flowed away from the graphite moderator - however, it took considerable time to cool. The molten core of Chernobyl (that part that did not vaporize in the fire) flowed in a channel created by the structure of its reactor building and froze in place before a core-concrete interaction could happen. In the basement of the reactor at Chernobyl, a large "elephant's foot" of congealed core material was found. Time delay, and prevention of direct emission to the atmosphere, would have reduced the radiological release. If the basement of the reactor building had been penetrated, the groundwater would be severely contaminated, and its flow could carry the contamination far afield.
The Chernobyl reactor was an RBMK type. The disaster was caused by a power excursion that led to a meltdown and extensive offsite consequences. Operator error and a faulty shutdown system led to a sudden, massive spike in the neutron multiplication rate, a sudden decrease in the neutron period, and a consequent increase in neutron population; thus, core heat flux very rapidly increased to unsafe levels. This caused the water coolant to flash to steam, causing a sudden overpressure within the reactor pressure vessel (RPV), leading to granulation of the upper portion of the core and the ejection of the upper plenum of said pressure vessel along with core debris from the reactor building in a widely dispersed pattern. The lower portion of the reactor remained somewhat intact; the graphite neutron moderator was exposed to oxygen containing air; heat from the power excursion in addition to residual heat flux from the remaining fuel rods left without coolant induced oxidation in the moderator; this in turn evolved more heat and contributed to the melting of the fuel rods and the outgassing of the fission products contained therein. The liquefied remains of the fuel rods flowed through a drainage pipe into the basement of the reactor building and solidified in a mass later dubbed corium, though the primary threat to the public safety was the dispersed core ejecta and the gasses evolved from the oxidation of the moderator.
Although the Chernobyl accident had dire off-site effects, much of the radioactivity remained within the building. If the building were to fail and dust was to be released into the environment then the release of a given mass of fission products which have aged for twenty years would have a smaller effect than the release of the same mass of fission products (in the same chemical and physical form) which had only undergone a short cooling time (such as one hour) after the nuclear reaction has been terminated. However if a nuclear reaction was to occur again within the Chernobyl plant (for instance if rainwater was to collect and act as a moderator) then the new fission products would have a higher specific activity and thus pose a greater threat if they were released. To prevent a post accident nuclear reaction steps have been taken (such as adding neutron poisons to key parts of the basement).
Effects
The effects of a nuclear meltdown depend on the safety features designed into a reactor. A modern reactor is designed both to make a meltdown unlikely, and to contain one should it occur.
In a modern reactor, a nuclear meltdown, whether partial or total, should be contained inside the reactor's containment structure. Thus (assuming that no other major disasters occur) while the meltdown will severely damage the reactor itself, possibly contaminating the whole structure with highly radioactive material, a meltdown alone should not lead to significant radiation release or danger to the public.[15]
In practice, however, a nuclear meltdown is often part of a larger chain of disasters (although there have been so few meltdowns in the history of nuclear power that there is not a large pool of statistical information from which to draw a credible conclusion as to what "often" happens in such circumstances). For example, in the Chernobyl accident, by the time the core melted, there had already been a large steam explosion and graphite fire and major release of radioactive contamination (as with almost all Soviet reactors, there was no containment structure at Chernobyl). Also, before a possible meltdown occurs, pressure can already be rising in the reactor, and to prevent a meltdown by restoring the cooling of the core, operators are allowed to reduce the pressure in the reactor by releasing (radioactive) steam into the environment. This enables them to inject additional cooling water into the reactor again.
Reactor design
Although pressurized water reactors are more susceptible to nuclear meltdown in the absence of active safety measures, this is not a universal feature of civilian nuclear reactors. Much of the research in civilian nuclear reactors is for designs with passive nuclear safety features that may be less susceptible to meltdown, even if all emergency systems failed. For example, pebble bed reactors are designed so that complete loss of coolant for an indefinite period does not result in the reactor overheating. The General Electric ESBWR and Westinghouse AP1000 have passively-activated safety systems. The CANDU reactor has two low-temperature and low-pressure water systems surrounding the fuel (i.e. moderator and shield tank) that act as back-up heat sinks and preclude meltdowns and core-breaching scenarios.[13]
Fast breeder reactors are more susceptible to meltdown than other reactor types, due to the larger quantity of fissile material and the higher neutron flux inside the reactor core, which makes it more difficult to control the reaction.
Accidental fires are widely acknowledged to be risk factors that can contribute to a nuclear meltdown.