The Areva EPR, the Toshiba-Westinghouse AP1000 PWR and Fukushima

The Fukushima incident

Although some features of the BWR contributed to the problems at Fukushima, the fundamental problem was the automatic tripping of the four operating reactors on detection of the earthquake, together with the shutdown condition of the other two reactors. Combined with the presumed loss of the grid connection, this meant that the sole means of control and of residual core fission and heat removal was the standby diesel generator system.
Assuming that the control rods were fully lifted (in the BWR they come up from under the reactor), and had there been a means of residual heat removal, there might have been no severe consequences of the earthquake and tsunami. Under normal circumstances there would have been no need for the standby generators, as there would always have been at least one operating reactor able to maintain supplies to the others that were shut down and to maintain a filtered, cooled circulation of the spent fuel ponds. There may have been only one standby generation system for the entire complex.
The loss of station power and of the standby diesel generation backup, not just during an emergency shutdown but also during a routine fuel change, must therefore be a concern for the UK new build. But the main concern is the release of hydrogen, and the consequent explosions, when the reactor vessels were vented because of a rising and dangerous build-up of pressure.

Consideration of the consequences of the incident at Fukushima in respect of the designs of the EPR and the AP1000, the sole candidate reactors for the UK, currently under HSE/NII-EA GDA assessment, follows.

Areva EPR

In the case of the EPR there are two separate diesel generator facilities, sited at opposite sides of the reactor.

The EPR is provided with four standby diesel generator systems, so that in the event of a reactor trip coinciding with a loss of external power the normal shutdown procedure can be maintained provided at least one system operates. There are also two additional generators to deal with a station black-out.

The Emergency Core Cooling System (ECCS) is a comprehensive Safety Injection/Residual Heat Removal system with four independent “trains” deploying pumps, accumulators and heat exchangers to deal with a range of coolant problems.

However, the following statement appears in the process description:-

“A dedicated set of valves for depressurising the primary circuit is installed on the pressuriser, in addition to the usual relief and safety valves, to prevent the risk of a high pressure core melt accident”

The depressurising of the coolant circuit needs to keep in step with the reduction in saturation temperature in order to avoid the coolant flashing to steam, which reduces the heat transfer, raises the can cladding temperature and leads to the ion exchange between the zirconium and the steam and the production of hydrogen.

It is not clear in what circumstances the depressurising valves would come into operation. It may be that the safety injection system pressure is unable to match the decaying pressure in the cooling circuit in circumstances where there is a small but significant loss of coolant, and that the depressurisation is then activated. Such an activation could develop unnecessarily into a situation similar to the one that led to a hydrogen explosion at Fukushima.

The EPR has an "active" emergency system, which is quite different from the "passive" AP1000 emergency system, as it is devised to cool a melted core in the corium "catcher" under the reactor vessel, assuming that melt-avoidance methods have failed.

The containment is designed to take a hydrogen deflagration pressure of 5.5 bar. The system arranges to spray the containment internally. There are also hydrogen "recombiners" in the containment to keep its concentration below 10% (explosive limits by volume are 18.3% to 59%). Presumably this measure is to avoid a hydrogen detonation, which the containment might not hold.
The route of a release from the reactor vessel pressure relief valve is not shown, and the valve may vent into the containment. It would be advisable to vent the release externally, as it could contain hydrogen. At Fukushima the overpressure was vented into the buildings, and considerable damage to the buildings and the spent fuel ponds was caused.
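The following is an added worked example, not part of the article and not taken from any Areva or Westinghouse document. It turns a mass of oxidised zirconium into a uniform hydrogen concentration in a containment and places that concentration against the thresholds the article gives (the 10% recombiner target and the 18.3% to 59% explosive band), using the zirconium-steam reaction Zr + 2 H2O = ZrO2 + 2 H2 that the article later quotes from Wikipedia. The containment free volume, its pressure and temperature, and the zirconium masses are constructed illustration values, not plant data; uniform mixing of the hydrogen into the atmosphere is an assumption.

```python
"""Hydrogen from zirconium oxidation versus the containment thresholds quoted in the article.

Added illustration; not from the article or from any vendor document.
Reaction (as quoted from Wikipedia in the article): Zr + 2 H2O -> ZrO2 + 2 H2.
Thresholds (as stated in the article): recombiners hold H2 below 10 %;
explosive limits by volume 18.3 % to 59 %.
Containment volume, pressure, temperature and zirconium masses used below are
constructed illustration values, not plant data.
"""

ZR_MOLAR_MASS_G_PER_MOL = 91.224     # zirconium
R_J_PER_MOL_K = 8.314462618          # universal gas constant

RECOMBINER_TARGET = 0.10             # article: keep concentration below 10 %
EXPLOSIVE_LOWER = 0.183              # article: explosive limits 18.3 % ...
EXPLOSIVE_UPPER = 0.59               # ... to 59 % by volume


def hydrogen_moles_from_zirconium(zr_mass_kg):
    """Moles of H2 released by complete oxidation of zr_mass_kg of zirconium.

    Zr + 2 H2O -> ZrO2 + 2 H2 gives two moles of H2 per mole of Zr.
    """
    moles_zr = zr_mass_kg * 1000.0 / ZR_MOLAR_MASS_G_PER_MOL
    return 2.0 * moles_zr


def gas_moles(volume_m3, pressure_pa, temperature_k):
    """Moles of gas filling a volume, ideal-gas approximation (pV = nRT)."""
    return pressure_pa * volume_m3 / (R_J_PER_MOL_K * temperature_k)


def hydrogen_volume_fraction(zr_mass_kg, free_volume_m3, pressure_pa, temperature_k):
    """H2 volume fraction after the released gas mixes uniformly with the
    containment atmosphere (assumption: no stratification; ideal gases, so
    volume fraction equals mole fraction)."""
    n_h2 = hydrogen_moles_from_zirconium(zr_mass_kg)
    n_atmosphere = gas_moles(free_volume_m3, pressure_pa, temperature_k)
    return n_h2 / (n_atmosphere + n_h2)


def classify_concentration(fraction):
    """Place a uniform H2 fraction against the limits stated in the article."""
    if fraction < RECOMBINER_TARGET:
        return "below recombiner target"
    if fraction < EXPLOSIVE_LOWER:
        return "above recombiner target, below explosive band"
    if fraction <= EXPLOSIVE_UPPER:
        return "inside explosive band"
    return "above upper explosive limit"


def zirconium_mass_for_fraction(target_fraction, free_volume_m3, pressure_pa, temperature_k):
    """Zirconium mass whose complete oxidation reaches target_fraction.

    Inverts f = n_h2 / (n_atm + n_h2)  ->  n_h2 = f * n_atm / (1 - f).
    """
    n_atm = gas_moles(free_volume_m3, pressure_pa, temperature_k)
    n_h2 = target_fraction * n_atm / (1.0 - target_fraction)
    return (n_h2 / 2.0) * ZR_MOLAR_MASS_G_PER_MOL / 1000.0


if __name__ == "__main__":
    # Constructed illustration values, not plant data.
    free_volume_m3, pressure_pa, temperature_k = 80_000.0, 101_325.0, 320.0
    for zr_kg in (1_000.0, 5_000.0, 20_000.0):
        f = hydrogen_volume_fraction(zr_kg, free_volume_m3, pressure_pa, temperature_k)
        print(f"{zr_kg:8.0f} kg Zr oxidised -> H2 {100 * f:5.2f} %  ({classify_concentration(f)})")
    m_target = zirconium_mass_for_fraction(RECOMBINER_TARGET, free_volume_m3, pressure_pa, temperature_k)
    print(f"Zirconium needed to reach the 10 % target in this volume: {m_target:.0f} kg")
```

The inverse function is the useful one for a design check: for a given free volume and atmosphere it gives the zirconium inventory whose oxidation alone would bring the whole containment to the recombiner target, which is a first indication of how much of the cladding may react before the recombiners are the only thing keeping the atmosphere out of the explosive band.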

The design philosophy therefore seems to be in need of scrutiny. Rather than preventing a core melt, it could cause it.


Toshiba-Westinghouse AP1000

The key reference document is the AP1000 Plant Description.


Westinghouse claims that the automatic operation of the AP1000 passive core cooling system (PCCS) needs no standby generation. There are standby generators, but they are not provided with the redundancy normally assumed to be necessary.

From the Westinghouse Plant Description:-

“Off-site power has no safety-related function due to the passive safety features incorporated in the AP1000 design. Therefore, redundant off-site power supplies are not required. The design provides a reliable offsite power system that minimises challenges to the passive safety system.”

The APEX-1000 test facility

As part of the AP1000 pressurised water reactor design certification program, a series of integral systems tests of the nuclear steam supply system was performed at the APEX-1000 test facility at Oregon State University. The APEX-1000 facility is a 1/4-scale pressure and 1/4-scale height simulation of the AP1000 nuclear steam supply system and passive safety features.


The heat in the core was represented by an electrical heater, but otherwise the plant items were similar and appropriately sized to the smaller scale.

The operation of the passive core cooling system following a loss of coolant is described in the APEX test facility report as follows:-

“The break opens at time zero, and the pressuriser pressure begins to fall as mass is lost through the break. The depressurisation rate is largely determined by critical two-phase flow through the break.

When the pressuriser pressure falls below the safety signal set point, a safety systems actuation signal is issued, which causes the reactor to trip. The signal also causes the opening of the core makeup tanks and the passive residual heat removal heat exchanger isolation valves. Once the residual fissions decrease, core power is defined by the decay heat model.

The reactor coolant pumps trip after a short delay, and the rapid coast down expected from the AP1000 canned motor reactor coolant pumps is simulated.

After the pumps coast down, the primary reactor coolant system is cooled by natural circulation, with energy removed from the primary system by heat up of the steam generators, recirculation flow to the core makeup tanks, and fluid loss through the break. Stored energy from the metal in the primary system is transferred to the coolant.

The liquid in the upper plenum and upper head may flash, and as the primary system pressure continues to fall, the upper head will begin to drain.”

The initial leak is described as "critical two-phase flow", which is presumably a mixture of water and steam. Once the reactor trips, i.e., the control rods drop, there will be some residual heat that needs to be removed. (In the actual AP1000 there will also be residual fission as well as residual heat.) The reactor coolant pumps trip after a short delay and then "coast down", presumably powered by the flywheel energy. The energy is removed from the primary system by heat-up of the steam generators by pumped circulation.

The APEX test facility report then assumes that liquid in the reactor vessel upper plenum and upper head may flash, and in doing so assumes that the flash steam appears at the surface of the water. This is incorrect. As the pressure of hot water under pressure falls, bubbles of steam appear throughout the water. This phenomenon is confirmed by the release of the "two-phase flow".

This means that at the surface of the cans the heat transfer rate will rapidly deteriorate and the surface temperature will rise. It is this phenomenon that splits the steam into hydrogen and water by ion exchange of oxygen from the water to the zirconium cans.


See Wikipedia:-

“Zirconium ... reacts with steam at high temperature. Oxidation by water is accompanied by release of hydrogen gas. This oxidation is accelerated at high temperatures, e.g. inside a reactor core if the fuel assemblies are no longer completely covered by liquid water and insufficiently cooled. Metallic zirconium is then oxidized by the protons of water to form hydrogen gas according to the following redox reaction: Zr + 2 H2O = ZrO2 + 2 H2”

There does not appear to be any monitoring of the heater surface temperatures in the APEX test facility simulation, and the report does not state when the power to the heater is switched off. It may be that the electric heater does not adequately simulate the residual fission and heat in a reactor core after the control rods have been inserted. It could have been arranged for the power to the heater to be initially reduced to 7% of full power, simulating the residual heat. Moreover, the heater elements may well have been clad in Inconel rather than zirconium.
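As an added example, not from the article or the APEX report, the following computes how the residual heat falls after a trip using the Way-Wigner decay heat approximation, P(t)/P0 = 0.0622 [t^-0.2 - (t + T_op)^-0.2], a standard textbook correlation. It gives roughly 6% to 7% of full power in the first second after shutdown, falling below 1% after about an hour, which is the sort of profile a heater standing in for residual heat would have to follow rather than a fixed setting. The full thermal power P0 and the operating time T_op are assumed values chosen for illustration.

```python
"""Residual (decay) heat after a reactor trip: Way-Wigner approximation.

Added illustration; not from the article or the APEX test report.
Way-Wigner (standard textbook correlation):
    P(t) / P0 = 0.0622 * ( t**-0.2 - (t + T_op)**-0.2 )
t = seconds since shutdown, T_op = seconds at full power before shutdown.
P0 (full thermal power) and T_op used below are assumed illustration values.
"""
import math

WAY_WIGNER_COEFFICIENT = 0.0622
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def decay_heat_fraction(t_s, t_op_s):
    """Fraction of full thermal power still being generated t_s after shutdown."""
    if t_s <= 0.0:
        raise ValueError("t_s must be positive; the correlation is singular at t = 0")
    return WAY_WIGNER_COEFFICIENT * (t_s ** -0.2 - (t_s + t_op_s) ** -0.2)


def decay_heat_mw(t_s, p0_mw, t_op_s):
    """Residual thermal power in MW for a plant of full power p0_mw."""
    return p0_mw * decay_heat_fraction(t_s, t_op_s)


def time_to_reach_fraction(target_fraction, t_op_s, t_lo_s=1.0, t_hi_s=1e9):
    """Seconds after shutdown at which the decay heat first falls to target_fraction.

    Bisection on log(t); the fraction decreases monotonically with t.
    """
    if not decay_heat_fraction(t_hi_s, t_op_s) < target_fraction < decay_heat_fraction(t_lo_s, t_op_s):
        raise ValueError("target outside the bracketed range")
    lo, hi = math.log(t_lo_s), math.log(t_hi_s)
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if decay_heat_fraction(math.exp(mid), t_op_s) > target_fraction:
            lo = mid          # still too hot: the crossing lies later
        else:
            hi = mid          # already below target: the crossing lies earlier
    return math.exp(0.5 * (lo + hi))


def integrated_decay_energy_mwh(p0_mw, t_op_s, t_start_s=1.0, t_end_s=24 * 3600.0, steps=4000):
    """Heat (MWh) released between t_start_s and t_end_s; trapezoid rule on a
    log-spaced grid because the curve is steep early and flat later."""
    ratio = (t_end_s / t_start_s) ** (1.0 / steps)
    total_mj = 0.0
    t_prev = t_start_s
    f_prev = decay_heat_mw(t_prev, p0_mw, t_op_s)
    for _ in range(steps):
        t_next = t_prev * ratio
        f_next = decay_heat_mw(t_next, p0_mw, t_op_s)
        total_mj += 0.5 * (f_prev + f_next) * (t_next - t_prev)   # MW * s = MJ
        t_prev, f_prev = t_next, f_next
    return total_mj / 3600.0


if __name__ == "__main__":
    P0_MW = 4500.0                 # assumed full thermal power (illustration only)
    T_OP = SECONDS_PER_YEAR        # assumed one year at power before the trip
    for t in (1.0, 10.0, 60.0, 600.0, 3600.0, 24 * 3600.0):
        print(f"t = {t:8.0f} s : {100 * decay_heat_fraction(t, T_OP):5.2f} % of full power "
              f"= {decay_heat_mw(t, P0_MW, T_OP):7.1f} MW")
    print(f"falls below 1 % after {time_to_reach_fraction(0.01, T_OP) / 60:.0f} min")
    print(f"heat to remove in the first 24 h: {integrated_decay_energy_mwh(P0_MW, T_OP):.0f} MWh")
```

The integrated figure is the quantity a residual heat removal system has to carry away over the 24 hour cool-down the article describes later; the time-to-fraction function answers the practical question of how long a heater (or a core) stays above any chosen power level.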

Normal re-fuelling shutdown

In a normal PWR shutdown the coolant pumps and steam generators take off the first tranche of heat as steam, which is passed to the turbine bypass condenser, followed by the residual heat removal cooling circuits. The residual heat removal system is not brought into operation until the temperature has dropped to 180°C and the reactor vessel pressure to 3 MPa. 180°C is well below the saturation temperature of 234°C at that pressure, so there is no potential for flash steam production in the coolant circuit.

The turbine bypass can then be closed and the reactor coolant pumps progressively stopped. It then takes up to 24 hours for the residual heat removal system to reduce the water temperature to 60°C. Throughout this shutdown process it is essential to maintain the reactor vessel pressure above that corresponding to the saturation temperature, to avoid the production of flash steam and the consequent production of hydrogen. For a normal shutdown, standby power of at least 25 MW is required; the four coolant pumps each take 6000 kW.
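An added worked example, not from the article or from either vendor's documents, of the check the two preceding paragraphs describe: that the coolant pressure stays above the saturation pressure for the coolant temperature as the plant is taken down (the same condition as in the earlier discussion of the EPR depressurising valves). Saturation temperature is computed from the Antoine equation for water with the published coefficients for the range from about 99°C up to the critical point (A = 8.14019, B = 1810.94, C = 244.485, pressure in mmHg), which reproduces the article's pairing of 3 MPa with 234°C. The two trajectories are constructed for illustration, not measured plant data.

```python
"""Saturation temperature tracking during a PWR depressurisation.

Added illustration; not from the article or either vendor's documents.
Saturation pressure of water from the Antoine equation with the published
coefficients for roughly 99 C up to the critical point:
    log10(P_mmHg) = A - B / (C + T_C),  A = 8.14019, B = 1810.94, C = 244.485
This reproduces the article's pairing of 3 MPa with about 234 C.
The two trajectories below are constructed for illustration, not plant data.
"""
import math

ANTOINE_A, ANTOINE_B, ANTOINE_C = 8.14019, 1810.94, 244.485
PA_PER_MMHG = 133.322


def saturation_pressure_mpa(t_c):
    """Saturation (boiling) pressure in MPa at coolant temperature t_c (Celsius)."""
    p_mmhg = 10.0 ** (ANTOINE_A - ANTOINE_B / (ANTOINE_C + t_c))
    return p_mmhg * PA_PER_MMHG / 1.0e6


def saturation_temperature_c(p_mpa):
    """Saturation temperature in Celsius at pressure p_mpa (Antoine inverted)."""
    p_mmhg = p_mpa * 1.0e6 / PA_PER_MMHG
    return ANTOINE_B / (ANTOINE_A - math.log10(p_mmhg)) - ANTOINE_C


def subcooling_margin_c(p_mpa, t_coolant_c):
    """Degrees by which the coolant is below saturation; negative means it flashes."""
    return saturation_temperature_c(p_mpa) - t_coolant_c


def minimum_pressure_mpa(t_coolant_c, margin_c=0.0):
    """Lowest pressure that keeps coolant at t_coolant_c subcooled by margin_c."""
    return saturation_pressure_mpa(t_coolant_c + margin_c)


def assess_trajectory(points):
    """points: (pressure MPa, coolant temperature C) pairs in time order.

    Returns one dict per point with the saturation temperature, the subcooling
    margin and whether the coolant would flash to steam at that point.
    """
    rows = []
    for p_mpa, t_c in points:
        margin = subcooling_margin_c(p_mpa, t_c)
        rows.append({"p_mpa": p_mpa, "t_c": t_c,
                     "t_sat_c": t_c + margin, "margin_c": margin,
                     "flashes": margin < 0.0})
    return rows


def first_flash_index(points):
    """Index of the first point at which the coolant flashes, or None."""
    for i, row in enumerate(assess_trajectory(points)):
        if row["flashes"]:
            return i
    return None


# Constructed trajectories (MPa, C): a staged cool-down that keeps the margin
# positive down to the article's 3 MPa / 180 C hand-over point, and a fast
# depressurisation in which the temperature lags the falling pressure.
NORMAL_SHUTDOWN = [(15.5, 300.0), (12.0, 280.0), (8.0, 240.0), (3.0, 180.0), (3.0, 120.0)]
RAPID_DEPRESSURISATION = [(15.5, 320.0), (10.0, 315.0), (5.0, 305.0), (3.0, 290.0)]

if __name__ == "__main__":
    for name, traj in (("normal shutdown", NORMAL_SHUTDOWN),
                       ("rapid depressurisation", RAPID_DEPRESSURISATION)):
        print(name)
        for row in assess_trajectory(traj):
            state = "FLASHES" if row["flashes"] else "subcooled"
            print(f"  {row['p_mpa']:5.1f} MPa  T={row['t_c']:5.1f} C  "
                  f"Tsat={row['t_sat_c']:5.1f} C  margin={row['margin_c']:+6.1f} C  {state}")
    print(f"minimum pressure for 290 C with a 10 C margin: "
          f"{minimum_pressure_mpa(290.0, 10.0):.2f} MPa")
```

The second trajectory is the failure mode the article is concerned with: pressure relieved to a third or less of the working pressure while the coolant is still near its operating temperature, so the margin goes negative and the circuit contents flash. The Antoine fit is only an approximation to the steam tables (within a couple of degrees over this range), which is adequate for a screening check but not for a plant procedure.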

The AP1000 Passive Core Cooling System (PCCS)

For an animated diagram of the PCCS see:-


Westinghouse claims that the AP1000 passive core cooling system will maintain core cooling and containment integrity for an indefinite period of time following design basis events assuming the most limiting single failure, no operator action and no onsite and offsite ac power sources.

The plant description does not specifically state that the PCCS is powered by the dc batteries, but “no … ac power sources” implies a resort to dc sources. Some functions could be operated by the prevailing pressures and temperatures, but not, for example, the explosive squib valves. The control of the PCCS was assumed to be a programmable logic controller with an inverter-fed uninterruptible ac supply from the batteries, or dc directly from the batteries, both of which appear in the plant description.

However, Westinghouse UK (by email) denied that any power supply, ac or dc, is necessary for the PCCS operation as follows:-

“For an event involving a complete loss of ac power without a LOCA such as what occurred at Fukushima, dc power is not required for operation of the AP1000 PCCS. There are three flow paths from the PCCS water storage tank to provide cooling of the containment in the event of an accident. Two flow paths are isolated by air operated valves and one flow path is isolated by a motor operated valve. On a loss of all ac power, the air operated valves fail open and PCCS cooling is initiated. The batteries provide the power to open the redundant flow path isolated by the motor operated valve; however, one flow path is sufficient to provide cooling. … also note for response to abnormal or accident conditions, the AP1000 does not rely on operation of either the (turbine bypass) condensers or main feedwater pumps.”

It appears from the plant description that in an event causing a reactor trip coinciding with a loss of external power, as happened at Fukushima, the standby power would be insufficient to power a normal shutdown and the PCCS would be applied. However, the AP1000 control rod mechanisms are designed to drop the rods by gravity on a loss of power. (This offers an advantage over the GE ESBWR, which requires a hydraulic “scram” system to lift the rods from under the reactor vessel in a claimed 1.1 seconds.)

The report of the APEX simulation includes a dimensionless plot of an “AP1000 Typical SBLOCA Pressure Transient” (SBLOCA = small break loss of coolant accident).

This shows (self-evidently) that before the gravity or compressed-gas water injection can enter the reactor vessel or coolant circuit, the initial pressure has to be relieved to a third or so of its former working pressure. This means that the contents of the circuit will flash to a mixture of water and steam. Whether or not the reactor has tripped, as was shown at Fukushima, the fission or residual fission heat and the concomitant poor heat transfer mean that the zirconium can surface temperature will rapidly rise and produce hydrogen from the steam. This means that the “two-phase flow” venting from the “small break” will carry hydrogen, and if it is above its auto-ignition temperature it will explode.

The PCCS is therefore of little use for a “small break”. It would be better to ensure that the reactor trips and that its residual heat is reduced by allowing the pressure in the circuit to be relieved through the “small break”, which may allow the reduction in pressure to match the equivalent saturation temperature and avoid too much flash steam arising. It would also be advisable for sufficient standby power to be made available to operate the turbine bypass condenser and its coolant, as there may still be sufficient pressure and temperature in the vessel to make use of the steam generators and the “coasting down” coolant pumps.

In the event of a “large break” at full reactor power the PCCS may be of use, because the pressure in the coolant circuit would have reduced drastically, the core would be beginning to melt, and the gravity and pressure injection would be essential.

It may well be that had the standby generators been operable at Fukushima and the control rods properly tripped, there would have been few consequences from the earthquake. So, post-Fukushima, the lack of full AP1000 standby generation appears to be a mistaken design philosophy. The application of the PCCS when there is no leak is inadvisable, as with sufficient standby power a normal shutdown procedure could be followed. An unwarranted PCCS operation would create an incident, and a possible hydrogen explosion, when none would otherwise have occurred.

The light water reactor (LWR)

The PWR and the BWR are both of the generic LWR type and both rely on the maintenance of the coolant pressure to avoid the formation of flash steam and the consequent reduction in the heat transfer from the fuel cans. 

The construction of the reactor pressure vessels is appropriately massive in regard to the vessel walls, especially in the case of the PWR, which works at a higher pressure than the BWR. However, in both cases the vessels have "penetrations" to accommodate the control rod drive mechanisms (CRDMs). In the PWR they are in the vessel head, in the BWR on the underside of the vessel. On the EPR head there are penetrations (branches) for 89 CRDMs, while on the AP1000 head there are penetrations for 69 CRDMs. In comparison with wall thicknesses of 200 mm, the branch walls are but 15 mm thick. The complexity and multiplicity of the attachments on the top of the head, and the consequent inaccessibility for inspection under the insulated cover needed to keep the mechanisms cool, represent the most sensitive points for a loss of coolant.

The most likely “small break” would be from a circumferential crack occurring in a control rod drive mechanism penetration, as nearly happened with a PWR reactor vessel head at Davis-Besse, Ohio, in 2002. (The crack in that penetration was fortunately not circumferential, but it allowed boric acid to leak and attack the ferritic shell.) If this happened, the severed control rod housing would fly off and the violent pressure release could damage neighbouring control rod mechanisms. It could well blast the vessel head cover off and stop some of the rods dropping. It could mean that none, or not all, of the control rods would drop, and the core would certainly then melt.

A similar severance of a control rod penetration under a BWR reactor vessel could also be catastrophic as it might prevent rods from lifting while initiating a loss of coolant.

A “big break” would mean an instant loss of pressure and immediate flash steam production, and with the concomitant hydrogen production could result in an explosion and core meltdown. In this case, if not damaged by the explosion, an ECCS would offer some remedy, as the circuit pressure would be relieved and the gravity and compressed-gas water injection would meet little resistance; but this scenario is not described in the APEX test report.

The UKAEA scientists had at one time considered that the security of the LWR containment could not be guaranteed. It was this aspect that led to the adoption of the advanced gas-cooled reactor (AGR) in the UK, which it was considered could cope better with a loss of coolant, because the heat transfer rate from metal to gas is intrinsically lower and the cooling circuit is designed accordingly.


To avoid a hydrogen explosion it is necessary in an emergency to follow the normal shutdown procedure as nearly as possible, so as to avoid the formation of flash steam. This means that in the event of simultaneously losing the external power supply an adequate standby power system is instantaneously required. This cannot be guaranteed.

The Fukushima incident showed that venting before the residual core heat has been reduced causes hydrogen to be produced, and it is likely to be above its auto-ignition temperature and explode. Because of the propensity for this to lead to a core meltdown, the generic light water reactor should no longer be adopted for the UK’s power generation.

It also appears that the AP1000’s passive core cooling system (PCCS) offers no real security. The APEX-1000 simulation tests show a rapid depressurisation, which should in all circumstances be avoided.

Spent fuel ponds

The automatic tripping of the four operating reactors on detection of the earthquake and the shutdown condition of the other two reactors, together with the presumed loss of the grid connection, meant that the means of control and of residual core heat management was lost with the failure of the standby diesel generator system.
The loss of the standby diesel generation must therefore be the principal concern for the UK new build. It is noted that in the case of the EPR there are two separate diesel generator facilities, sited at opposite sides of the reactor. It is claimed that the AP1000 passive core cooling safety system is independent of ac standby supplies and dc batteries for its operation, a claim taken up as an issue above. But external supplies or standby generators would be needed for the spent fuel pond cooling.
However, what is of concern in regard to any type of reactor in the new build is the situation at the end of the claimed operational life of 60 years. Assuming that some of the new build is commissioned in 2020, then 60 years takes the start of decommissioning to 2080. Thereafter residual heat removal will be needed, but the main problem will be the maintenance of cooling and filtering of the contents of the spent fuel ponds for a further 10 to 20 years. Depending on how long it takes for the last spent fuel to be cool enough to be transferred to dry casks, an alternative electricity supply or standby generation could be required until the turn of the century in 2100.

The review of the Fukushima event and its consequences for the UK’s new build should consider carefully the situation in 2080, or before then, because (as is already a huge problem in the US) there will be a number of filled or in-transition spent fuel ponds requiring a secure electricity supply with no associated nuclear generator. There will also be a need for electricity for cranage to place the spent fuel in the dry casks. Continuity of supply will also be needed for the Sizewell B spent fuel pond until perhaps 2050.
BP's Statistical Review of 2011 recorded a global "plateau" in "all-oils" production from 2008 to 2010, while the normal "swing" producer, Saudi Arabia, experienced its national peak in 2005, so the availability of diesel fuel in the near future, let alone in 2080, must be a cause for concern. Since, as at Fukushima, all the normal supplies were lost, the fuelling of the standby generators needs consideration.
An analysis of the uranium market shows that its supply may not match the demands of the current new build, let alone enable the retiring new build fleets to be replaced in 2080. The diesel stored in tanks on the station sites for the next 80 years or so may be subject to degradation, and as it will be very expensive throughout the period it could be the subject of theft. Coal is anticipated to last a little longer than oil and natural gas, but it may be impossible to maintain a heap of coal and an associated coal-fired generator on the site, or a suitable biomass alternative, because of general fuel shortages of every sort at the turn of the century.
The situation prevailing at the time of the closure of the new build cannot be determined. Ageing may not allow operation to endure for the claimed 60 years without substantial component renewal, but even if only the current 40-year lifespan is attained, it is still over-optimistic to expect to determine the situation in 2060.
In short, the inability to determine the fate of the new build from 2060 to 2080 and beyond is reason enough for the new build to be abandoned. The insecurity of the LWR coolant containment and the potential for a hydrogen explosion and core meltdown add another, more compelling, reason for its abandonment.

John Busby 6 April 2011 (Revised 13 August 2011)