Nuclear reactors contain large amounts of radioactive material; this health hazard makes safety in nuclear facilities especially important. An examination of the safety record in India's nuclear facilities reveals poor practices and routine accidents, ranging from leaks of oil to complete loss of power in a reactor causing all safety systems to be disabled. Although as yet in India, there has not been a severe accident leading to core meltdown or large radiation exposures to the public, on measures of occupational exposure to workers, India's nuclear facilities perform poorly. For example in the 1980s, for which data is available, radiation exposures to power plant workers were ten times the world average for each unit of electricity and twice the world average for each monitored worker. As recently as 2003, there have been accidents involving high radiation exposures to workers.
Despite this record, claims about safe operation are sometimes made by the nuclear establishment in India. Sometimes, claims for safety are based on the technical features of the facilities, which suggest a bright future. The following excerpt from the Nuclear Power Corporation of India (NPC), administered by the Department of Atomic Energy (DAE), is illustrative: "NPC engineers have shared their expertise internationally by participating in safety reviews and inspection of reactors in other countries conducted by the World Association of Nuclear Operators (WANO) and the International Atomic Energy Agency (IAEA). We are continuously updating our safety systems and procedures even at the cost of short-term economic benefit. Besides, all our plants are designed, constructed, commissioned, operated and maintained under the strict supervision of the AERB."
Notions of safety differ, but what they all have in common are usually claims about the future. In making the connection between the past record of anomalies and future prospects for safety, one must go beyond the mere presence or absence of accidents to study the factors present.
The 'engineering' approach to safety
To engineers, a safe reactor is usually one which is reliable, meaning that things can be expected to perform correctly most of the time. Safety is improved by incorporating backup systems to make overall operation more reliable, and protection systems to prevent the escalation of accidents. Ultimately, physical barriers protect the public from leakage of radioactive material. Backup devices and physical barriers together constitute "redundancy", so called because they are, in the engineers' judgement, not likely to be needed when the reactor is functioning properly but could become important as independent safety measures when something goes wrong.
Often, backup equipment has been part of the design but unavailable during operation. For example, backup pumps for coolant circulation have on many occasions been unavailable when the operating pumps have been disabled by external factors such as fluctuations in the grid. Sometimes, even the minimum requirement of pumps has been unavailable, causing the reactors to be operated at reduced power. In an engineering approach, this record illustrates poor reliability of backup systems, suggesting that safety is also not as good as it could be. The above information about inoperative backup equipment is obtained from International Atomic Energy Agency reports of operating experience; the DAE is required to internationally report events which involve shutdown of the reactor. Secrecy in the nuclear programme means that problems surface only when an accident has occurred or the reactor has to be shut down. Therefore, the public record is only a weak test for reliability.
Are physical barriers good enough?
Ultimately, reactor designers rely on physical barriers to prevent harm to the public. In most reactors, there is a primary vessel that contains the fuel, radioactivity, and heat produced in the reaction. Outside there is a secondary containment building, meant as a physical barrier to prevent leakage of radioactive gases and material to the environment. Integrity of these barriers is often demonstrated through mathematical models up to a certain limit of pressure and temperature; during normal operation and under most accidents, these limits must be met.
Reliability in design and operations is necessary for safety, but it might not be enough. One problem with nuclear reactors is that components and subsystems often interact in unanticipated ways to cause accidents ('interactive complexity'). A classic example is the Three Mile Island accident, in which operators did not know the state of the reactor at the time and performed actions that actually worsened it. Redundancy could sometimes be part of the problem. For example in the Fermi fast breeder reactor in the United States, a safety device meant to catch the core in case it melted actually initiated a near meltdown when a part of it broke away and blocked the flow of coolant.
While such problems can often be fixed once they are identified, all such interactions might not be identified before they actually occur. There is plenty of evidence elsewhere of nuclear plant operators being surprised by unexpected interactions during accidents. While in some cases, accidents could have still been prevented if warning signs had been heeded, that is no consolation to the operators who are trying to fix the reactor as the accident is happening or the designers who are trying to build safe systems but cannot understand how things might go wrong.
What makes an accident?
Multiple failures must occur at the same time for a severe accident to happen. This has happened in the past, for example in the Narora reactor in Uttar Pradesh in 1993. The accident happened when a fire spread through the cables and shut down all the safety systems and operators had to intervene manually to shut down the reactor. This might appear quite unusual, but the operating records reveal how the conditions leading up to the accident were always present.
The fire started when a poorly designed turbine experienced large vibrations and its blades broke away. Large vibrations in Indian turbines have happened before, but this was the first time that the blades broke and ruptured a pipe containing hydrogen, which then leaked and caught fire. Around the same time, oil was leaking in the turbine building. Oil leaks too are common in DAE's reactors, but this time the oil also caught fire. Fire spread through the power carrying cables and disabled them. Backup cables were present but had been placed in close proximity without being encased in fire retardant sheaths, in violation of international design guidelines. Therefore, they did not function effectively as backups. The accident was preventable, and the DAE had not learnt from best practices in cabling design, nor did it heed warnings from the turbine manufacturer about blade fatigue problems, especially significant in Indian reactors where excessive shaking of the turbines has occurred many times.
Nuclear reactors are tightly coupled, which means that there are few alternate pathways to diffuse accidents, which can often progress very quickly. To ensure safety, the appropriate interventions - whether by humans or automatic safety equipment - must occur quickly and be adequately planned for. This also requires a culture of reliability throughout the organisation.