Can the Zaporizhzhia Nuclear Plant Avoid a Major Disaster?

August 26, 2022 | 1:14 pm
Google Earth
Ed Lyman
Director, Nuclear Power Safety

As the possibility of an all-out military conflict engulfing the Zaporizhzhia nuclear plant in Ukraine becomes even more likely, the situation there is growing increasingly dire. It has been reported that on August 25, the plant temporarily lost all of its off-site electrical power from the grid, which is essential for its safe operation, forcing it to rely on on-site backup power. Despite continued shelling, it does not appear that its safety systems have suffered significant damage. But that could change quickly if the conflict escalates—and that could spell disaster if emergency measures fail. Depending on the nature and extent of the damage, the plant could experience one or more core meltdowns or spent nuclear fuel pool fires, which could trigger a radiological release rivaling that of the 2011 Fukushima Daiichi accident or even the larger release from the 1986 Chernobyl accident.

Fortunately, a long-overdue International Atomic Energy Agency (IAEA) mission to Zaporizhzhia may soon become possible. While the IAEA has limited authority over nuclear safety even in peacetime, there are practical steps it could take to help the plant cope with any damage that would disrupt the systems that keep its highly radioactive reactor cores and spent nuclear fuel cool.

To identify the actions that would be most helpful to reduce the risk of a large radiological release, it’s important to understand the main vulnerabilities of the six Soviet-era 950-megawatt-electric VVER-1000/V-320 (V-320) Zaporizhzhia reactors. As many news reports have noted, the V-320 is a light-water reactor with more in common with Western-designed pressurized-water reactors (PWRs) than Chernobyl’s RBMK. A major difference is that unlike the Chernobyl reactor, the V-320 has a pressure-resisting, low-leakage, reinforced concrete containment structure. Nevertheless, the V-320 lacks certain safety features that are standard in Western-designed light-water reactors, and there have long been concerns that the V-320 containment could be breached or bypassed in a severe accident more easily than the containments at most Western-designed PWRs.

One concern is the relatively high likelihood that a damaged core could quickly melt through the elevated containment floor into a compartment below that is not leak-tight. While this would not necessarily lead to a large, rapid release of radioactivity into the environment, it could result in a situation similar to that of Fukushima today, where damaged cores in the basements of the containment buildings continue to release radiation into the groundwater. Moreover, although the containment provides some protection against external impacts, such as an airplane crash, such an impact could cause “heavy concrete fragments … and other debris [to] impinge upon the operating floor above the primary coolant system,” according to the US Department of Energy.

A station blackout, where all alternating-current (AC) electrical power is lost, is one of the most severe events that could affect a light-water reactor. Such an event could be triggered by widespread fires and explosions resulting from a sustained military engagement at Zaporizhzhia that damages the plant’s switchyard and other electrical equipment. If the plant lost all off-site power, the reactors will shut down, and the site would be dependent solely on backup sources.

The first line of defense is the set of 20 emergency diesel generators at the site—three at each reactor unit and two common units in a separate building supporting reactors 5 and 6. Scenarios in which all diesel generators fail are improbable, but they do exist. For example, the tsunami at Fukushima Daiichi flooded and disabled all but one of the plant’s emergency diesel generators, as well as the electrical distribution systems—what is called a common-cause failure. Other common-cause failures could affect Zaporizhzhia’s diesel generators, such as the failure of the dam at a nearby hydroelectric plant. That could lead to loss of the cooling ponds, which are needed to cool the plant’s diesel generators, enabling them to function.

Other backup power sources may be available at Zaporizhzhia in the event of a common-cause diesel generator failure, such as a fossil fuel plant near the site. But if they are unavailable, the site’s only recourse would be to implement the emergency measures that Ukraine established in response to the Fukushima accident. These measures involve the use of portable diesel generators and diesel-powered pumps to provide emergency cooling when all else fails. However, the likelihood of success is uncertain, given that both the equipment and the personnel needed to carry out these tasks are highly vulnerable given the current situation. And the reliability of such equipment depends on how well it has been tested and maintained since the Russian occupation in March—a big question mark. At US nuclear plants, such equipment has occasionally been found to be non-functional because of lax maintenance requirements.

A station blackout at Zaporizhzhia

If an operating reactor at the Zaporizhzhia plant loses all AC power, its electricity-generating steam turbine would shut down, and both the primary coolant pumps that circulate water through the reactor core and the feedwater pumps that circulate water through the steam generators would stop working. In this scenario, unless operators undertake emergency actions to restore core cooling, the water level would drop in the reactor vessel and the fuel assemblies would heat up rapidly and begin to degrade. Eventually, the molten fuel would drop to the floor of the reactor vessel and melt through it onto the containment floor, where it would react with the concrete. After that, the extent to which radiation escapes from the containment into the environment would depend on the specific nature of the accident progression.

How rapidly could this sequence of events begin? One simulation of a station blackout at a V-320 operating at full power shows that the steam generators would dry out after 1.2 hours, the core would begin to heat up after 2.6 hours, fission product releases would begin soon thereafter, and the lower head of the reactor vessel would fail after 4.3 hours. Given this very short timeline, Zaporizhzhia operators would have to react very quickly in the event of a station blackout to carry out emergency measures to prevent core damage.

(While such rapidly evolving accidents are possible at US PWRs, they are equipped with auxiliary feedwater pumps powered by a steam turbine and therefore do not need AC power to operate. If a station blackout occurred and motor-driven emergency feedwater pumps were unavailable, these turbine-driven pumps could delay the time to core heat-up, providing more time for power to be restored before core melt occurs. The proper functioning of these pumps depends in part on the availability of direct-current power from batteries, which is needed for operators to control the turbine speed and valves. Thus this system provides additional coping time depending on the battery life, which is 4 to 8 hours for most US plants. However, the V-320 does not have such a system.)

According to studies by the Ukrainian nuclear regulator of Zaporizhzhia Unit 5, if operators carried out emergency procedures before the steam generators dried out, they could extend the period before the steam generators dried out to 8 hours after the blackout began, and other emergency measures could delay core damage for another 10 hours. Every minute that core damage is delayed would provide time for operators to reestablish more reliable power supplies at the site.

This demonstrates the importance of prompt operator actions in the event of a station blackout to delay core damage, and also why reports that Ukrainian plant personnel are working under extreme duress (and may have even been tortured by their Russian military overseers) are of such great concern. If plant personnel cannot respond rapidly and appropriately, with a clear line of command and freedom of movement, then the likelihood that they could carry out these complex, difficult actions successfully would decrease substantially. Their level of training to handle these potential scenarios is also a factor. Besides that, their response would depend on having enough fuel for the emergency diesel generators and other emergency equipment on site, not to mention the state of the equipment and how well it is protected from further military assault. The equipment would be of no use if it cannot function whenever and however long it is needed.

For shutdown reactors, the available time window for emergency response increases as the fuel cools down. For example, one analysis of a station blackout at a shutdown PWR found that at 33 hours after the reactor is scrammed, the time to core heat-up and damage would be more than 6.6 hours, assuming the vessel remains filled with water. Thus, there is some additional safety margin as long as the reactors remain shut down. Even so, the fuel in the cores and the spent fuel in the pools adjacent to the reactor vessels would remain dangerously hot and continue to require active cooling to prevent overheating and damage, although the rate of cooling needed would decrease.

What about the spent fuel?

Unlike Western PWRs, whose spent fuel pools are outside of the containment building in less robust, auxiliary buildings, the spent fuel pools at V-320 reactors are within the containment building. Although this reduces their vulnerability to military strikes and may inhibit radioactive releases in the event of spent fuel damage, it introduces additional complications. Because the reactor cores and spent fuel pools are more closely coupled, accidents affecting one may be more likely to also involve the other. And the containment, as discussed earlier, does not provide complete protection. One study found that spent fuel pool accidents at these types of reactors could lead to fairly severe radioactive contamination at least 30 kilometers (18.6 miles) away due to leaks from pipes that penetrate the containment. 

The Zaporizhzhia plant has a dry cask storage facility for spent fuel. Although it is outside of any containment, it presents a lower risk of a large radiological release. The casks are fairly robust reinforced concrete structures. For a large release from a cask to occur, there would need to be not only a large breach of a cask, but also sustained heating of the spent fuel within the cask that would damage the fuel and provide a driving force for it. This might be possible, for instance, if there were a hot, long-duration fire engulfing the casks, but probably not from strikes from a few artillery shells.

What can be done?

The most practical steps the IAEA and plant operators could take to strengthen the Zaporizhzhia nuclear plant’s resilience in the event of a prolonged offsite power loss or other types of damage include:

  • Ensuring that adequate supplies of fuel for the emergency diesel generators and other diesel-powered emergency equipment at the site can be efficiently replenished when needed;
  • Ensuring sufficient reserves of high-quality water can be reliably delivered to supply emergency pumps;
  • Inspecting and maintaining the diesel generators and other emergency equipment to insure they are operating reliably; and
  • Reviewing the plant’s emergency response procedures and conducting drills to instill confidence that they are workable and the staff can implement them in an emergency.

Of course, an international mission can only accomplish these steps if Russia cooperates. And it should. Hopefully, all parties will recognize that it is in their best interest to ensure that the plant remains operational and does not risk a large-scale contamination incident. Unlike Fukushima, which was at the mercy of an uncontrollable natural disaster, an accident at Zaporizhzhia as a result of a wartime attack is entirely preventable.