published by Greenpeace, November 2001

Danger to German nuclear power plants from crashes by passenger aircraft

Greenpeace e.V. Hamburg

Dr. Helmut Hirsch

Hannover, November 2001

Tabel of contents

  1. Introduction
  2. Nuclear power plant buildings and installations
  3. Standards of protection for nuclear power plant buildings
  4. Stresses and strains in the event of a passenger plane crash
  5. Effects of a crash
  6. Countermeasures - protection by shutting down
  7. Other countermeasures

 

 

1 Introduction

Before 11 September a passenger plane crashing into a nuclear power plant was an almost non-existent risk factor in the minds of those responsible for such plants. Not only power plant operators, but also those speaking for organisations with authority and expertise, had filed away such an event under "extremely unlikely".

"At all events the fact is, however, that with other planes, that is, giant aircraft and the like, the order of probability of a crash is many times lower [than with warplanes]..." - Certainly hardly anyone would have contested this statement by a representative of an important authority made almost two years ago1. Since the probability of a crash with a military aircraft had been put at one in a million to ten million per year for any nuclear power plant site, it follows that the probability of a crash by a big passenger aircraft in a year would have to have been around one in 1,000,000,000,000, a minute figure tantamount to zero.

Now the question of what can in fact happen if a passenger plane crashes into a nuclear power plant - be it accidentally or brought about on purpose - is now all at once topical.

In an initial attempt at an answer, after making an inventory of the buildings and installations which belong to a nuclear power plant, and of their safety standards in Germany, an investigation will be made into what problems can arise in the event of a crash by a big or medium sized plane, and what can then happen as a result. Finally it will be discussed what countermeasures would be conceivable, particularly measures which can be taken in a relatively short time and do not make special requirements in technical terms.

The German Federal Republic was for a long time a country in the front line in the Cold War. Its airspace had a high density of military planes. This is reflected in the safety standards required in guarding against plane crashes. These are only applied in relation to military planes; but these standards are in all events relatively high in western European terms.

However, as can be seen, in Germany too there are great shortcomings in protection against crashes by passenger aircraft - even at the most modern and most relatively well protected facilities. It is to be feared that this assessment applies with even greater force to other EU countries and countries in central and eastern Europe which operate nuclear power plants.

 

2 Nuclear power plant buildings and installations

The premises of a nuclear power plant occupy several hundreds of thousands of square feet. At the heart of the constructions in this area is the reactor building which, as the name says, includes the reactor, highly radioactive nuclear fuel, and important cooling and safety facilities.

Alongside these are other buildings and installations of varying importance as regards safety. Where the reactor is a modern pressurised water reactor2 the most important are:

Facilities with boiling water reactors are similar. They do not have an emergency feedwater system building, however, because they have only one cooling circuit and so no steam generator.

The reactor building contains very large amounts of radioactive substances - there will typically be about a hundred tonnes of nuclear fuel in the reactor and up to several hundred tonnes in a storage pool for spent fuel. Where a plane crash is concerned it is therefore by far the most critical area, and that most needful of protection.

As for the other buildings, it has to date by and large been assumed that only one installation important to safety would be destroyed in the event of a plane crash, since there would only be an impact at one point. Such an event would be controlled in line with the particular design of the facilities.

If, for example, the plant's own electricity supply failed, an emergency supply from the diesel generators would be made via an appropriate transformer. If the control room with the important controlling facilities were destroyed the facilities in the emergency feedwater system building should be able to ensure the operation of the minimum functions needed for safety (i.e. the conduction of heat from the reactor).

With modern boiling water reactors it is assumed that in the event of the switchgear failing emergency control points within the reactor building will ensure that the minimum necessary functions are maintained.

3 Standards of protection for nuclear power plant buildings

Reactor building

The standards of reactor buildings, and consequently of the protection of the radioactive inven-tory, vary greatly at German nuclear power plants.

The oldest plants were not required to make any special provisions protecting them against plane crashes. Their walls consist of reinforced concrete about two feet thick. This is in all events enough to withstand a crash by a light plane flying slowly (e.g. a sporting plane, maximum mass 10 tonnes, speed under 185 mph).

Some old plants have walls which are three to three and a half feet thick and so are somewhat better protected. They should be able to withstand the crash of a Starfighter warplane3 having a mass of approximately 10 tonnes and a low-flying speed of 400 mph.

According to a German Reactor Safety Commission guideline4 which came into force in 1981 the ten newest nuclear power plants in Germany are designed to withstand the crash of a military plane which weighs 20 tonnes and has attained a low-flying speed of 480 mph. This is equivalent to the crash of a Phantom fighter jet5.

The flight of the debris and effect of a possible fire with the fuel of the plane are taken into account as well as the direct impact.

In detail the following picture emerges6:

NPP

type

output (net)

construction began

operation began

design category

Obrigheim

PWR

340 MWe

1965

1968

sporting plane

Stade

PWR

640 MWe

1967

1972

sporting plane

Biblis A

PWR

1,167 MWe

1970

1974

sporting plane

Brunsbüttel

BWR

771 MWe

1970

1976

sporting plane

Philippsburg-1

BWR

890 MWe

1970

1979

sporting plane

Biblis-B

PWR

1,240 MWe

1972

1976

Starfighter

Neckar-1

PWR

785 MWe

1972

1976

Starfighter

Unterweser

PWR

1,345 MWe

1972

1978

Starfighter

Isar-1

BWR

878 MWe

1972

1977

Starfighter

Grafenrheinfeld

PWR

1,275 MWe

1974

1981

Phantom

Krümmel

BWR

1,260 MWe

1974

1983

Phantom

Brokdorf

PWR

1,370 MWe

1976

1986

Phantom

Grohnde

PWR

1,360 MWe

1976

1984

Phantom

Gundremmingen B

BWR

1,284 MWe

1976

1984

Phantom

Gundremmingen C

BWR

1,288 MWe

1976

1984

Phantom

Philippsburg-2

PWR

1,392 MWe

1977

1984

Phantom

Emsland

PWR

1,329 MWe

1982

1988

Phantom

Isar-2

PWR

1,400 MWe

1982

1988

Phantom

Neckar-2

PWR

1,269 MWe

1982

1989

Phantom

PWR pressurised water reactor
BWR boiling water reactor
MWe megawatt (electrical)

Other buildings

The emergency feedwater system buildings in newer pressurised water reactors are designed to withstand the crash of a Phantom fighter plane in the way the reactor buildings are. In other words, simply being separated in space from the reactor control room is not regarded as providing enough protection. The pipelines which connect the emergency feedwater building with the reactor building are likewise designed on these lines.

Almost all older plants have been retrofitted with emergency systems which in the event of the control room being destroyed perform the same function as the systems in the emergency feedwater system building (or, in the case of boiling water reactors, the emergency systems are supposed to ensure direct feeding into the cooling circuit).

These emergency systems are generally not fully designed to withstand a Phantom crash because they are physically separate from the reactor control room and it is assumed that both cannot be simultaneously destroyed. The emergency system in Stade can for example only withstand the flight debris produced by such a crash, and not a direct impact.

The only exception to this are the reactors at Biblis, where there is no emergency system. In the event of a plane crash on one reactor its functions are supposed to be safeguarded from the reactor building of the other - although both reactors are only protected against plane crashes to a limited extent, and a link of this kind involving functions which are very important to safety must be regarded as extremely problematic.

All other buildings, including those in modern plants, are at best partially protected against plane crashes.

4 Stresses and strains in the event of a passenger plane crash

Even the best protected German plants may in the event of a plane crash face stresses and strains far beyond those they have been designed to cope with.

The impact of a fighter plane crashing can be even greater than that of a Phantom jet. In terms of mass and speed a Phantom is certainly comparable to modern fighters like the Eurofighter and MIG-297. The Tornado multi-purpose fighter plane8 is however somewhat heavier.

In all events the live weapons a fighter plane could have on board (bombs, missiles, munitions) are not taken into account in designing protection against a crash by one. As need hardly be explained, these may greatly aggravate the effects involved.

In comparing passenger airplanes to jet fighters, it can be seen that the masses and amounts of fuel carried are on an entirely different scale.

The table below brings together data on a number of typical-type passenger planes compared to data on the Phantom fighter9:

Type of plane

Max. take-off weight

Max. fuel reserves

F-4E Phantom II

26,309 kg

6,000 l +)

Boeing 737-600

65,090 kg

26,035 l

Boeing 747-400

396,890 kg

216,840 l

Boeing 767-400 ER

204,120 kg

90,770 l

Airbus A-320

77,000 kg

29,660 l

Airbus A-340-600

365,000 kg

194,880 l

Airbus A-380-F ++)

590,000 kg

310,000 l

+) estimated; only internal tanks
++) The Airbus A-380 is expected to begin commercial use in 2006. All other types of plane are already in use.

The following points should be looked at when discussing the effects of a crash by a big passenger plane:

The impact of a crash depends on the mass and speed of the plane causing the impact, and on the area impacted and the extent to which concrete structures are broken down (the smaller the area, the more concentrated and so greater the effect).

The greater mass of a passenger plane spreads the effect of its impact over a larger area. At the same time, the engines are compact "missiles", which can have a mass of several tonnes. Depending on the guidelines assumed (250 or 480 mph), the speed of impact will probably be lower in the event of an accidental crash than with a Phantom plane, since accidental crashes are first and foremost thought of as happening at take-off and landing. In the event of a deliberately engineered crash, which can mean a steep dive from a great height, greater speeds have to be assumed - in the case of a passenger plane too (this however assuming the requisite skills on the part of the pilot).

In general it can, given the current state of knowledge, be assumed that even in an accidental crash by a big passenger plane the reactor building will probably be broken into - if a "direct hit" occurs - even if the facility involved is protected against the impact of a Phantom jet fighter. This possibility cannot be ruled out even with a medium sized passenger plane (e.g. the Airbus A-320). The probability is greater still in the case of a deliberately aimed crash at higher speeds.

No reliable investigations aligned on the safety standard prescribed by the German Nuclear Energy Law have yet been made in the course of licensing and monitoring procedures. When the Reaktorsicherheitskommission [Reactor Safety Commission] expresses its expectation that a modern nuclear power plant can withstand the physical stress and strain resulting from the accidental crash of a medium-sized aircraft, it is making a purely speculative statement.10

It is obvious that the effects of flying debris and fires with fuel would be far greater in the crash of a medium-sized or big passenger plane than those assumed for a Phantom jet, and major damage on a site is to be expected with both older and newer facilities.

 

5 Effects of a crash

A distinction should be made between two cases of a crash by a passenger plane:

The deliberations made here are with regard to a crash on a reactor in operation.

Major damage to reactor building:

The reactor building contains the reactor, the primary cooling circuit and steam generators (with pressurised water reactors; in boiling water reactors, part of the cooling circuit which goes to the turbine), and the most important safety systems, most notably the emergency and secondary cooling systems and (in boiling water reactors) the core flooding system.

If the outer reinforced concrete structure of the building is destroyed by a plane crash, the inner containment cannot stand firm either. The containment is designed to withstand effects from within (the build-up of pressure as a result of a pipeline bursting) and does not have any great ability to resist impacts from without.

It has to be assumed that the reactor's cooling circuit will be damaged and that safety systems will also suffer major damage. If the pipelines of the cooling system, or the reactor pressure vessel itself, incur great destruction, it would be immaterial if the emergency cooling system still functioned, since it would no longer be able to be effectively fed in.

Such a case would thus in a short time - inside an hour - lead to the meltdown of the reactor core. Radioactive substances will be released from the melted fuel and, since the containment and concrete shell will have been destroyed, they can get into the open with practically no delay or retention inside the building. In all studies on risks such a scenario - a core meltdown with open containment - is regarded as the worst conceivable kind. It leads to especially large and especially swift releases of radioactivity. The time available for taking protective measures against the disaster is very short.

The amounts of radioactive substances released may attain and indeed exceed those stated for the disaster with the reactor at Chernobyl. The consequence would be a national catastrophe. Areas on the scale of a hundred thousand square miles could be contaminated in the long term in such a way that people would have to be resettled.

Other damage

If the reactor building remains by and large intact, there is a high probability that destruction on the site and tremors caused by the crash inside the reactor building itself could nonetheless lead to a core meltdown.

If damage were confined to a single one of the installations of importance where safety is involved, a situation with an enhanced risk would be created, but one which could probably be controlled. If the facility's own electricity supply failed the emergency generator would take its place; if the controls no longer functioned it should in most cases be possible to make the reactor safe via the emergency feedwater system building (with pressurised water reactors).

While it might seem more or less plausible that only limited damage would occur in the event of a small fighter plane crashing, this cannot be assumed if a passenger plane crashes. More widespread destruction must be feared from the impacts of wreckage and fires. It can no longer be guaranteed that the cooling of the reactor would function, even if the integrity of the cooling system had not been impaired.

If, for example, the electricity supply from the grid or the facility's own transformer and emergency supply system fail at the same time, no coolant pumps will be available. Upon the simultaneous destruction of the control room and the emergency feedwater system building, a situation can arise in which the systems required would still be in a state in which they could be used, but could no longer be regulated and controlled. Destruction over a large area on the site can furthermore have the effect that personnel are no longer able to gain access and so intervene to make possible repairs, at least not within the necessary timeframe of only a few hours.

In these cases a core meltdown will occur. Compared to the first scenario, the consequences are somewhat less severe. If the meltdown is coupled with explosions, the containment will fail within about ten hours; otherwise it will fail as a result of excessive pressure in a matter of days. (With some old plants it can be expected to melt down in a few hours.) The radioactivity released is to some extent reduced because radionuclides condense inside the building. There is somewhat more time in which to take protective measures against the disaster.

In this second scenario, too, however, the radioactivity released is comparable to that at Chernobyl, with disastrous consequences over a large area.

Both accident scenarios are also possible in the event of a crash by a passenger plane on the most modern and most relatively well protected nuclear power plants in Germany.

 

6 Countermeasures - protection by shutting down

The basic problem in reactor safety is that while the chain reaction can certainly be interrupted by swiftly shutting down a reactor, the development of heat caused by the intensive radioactivity of the fuel ("decay heat") cannot. During operation this radioactivity makes a contribution of about seven per cent to the reactor's total output. It is responsible for the core melting within a short time if the cooling fails. After a reactor is shut down it subsides, at first very quickly.

Short-term countermeasures aim at reducing the decay heat by shutting down the reactor in good time and so slowing down the processes leading to core meltdown.

Specific measures currently under discussion which do not require technical refitting and which could therefore be taken at plants as they are now are:

It takes about a day before a reactor can go from being in operation to being in a "cold and pressure-less" state.

These measures are however not very effective - or their effect is almost impossible to predict - if there is major destruction of the reactor building with damage to the reactor pressure vessel or storage pool and rapid loss of the entire coolant.

In this case it is questionable whether clearance work which would enable countermeasures to cool the core to be taken could itself be undertaken all that quickly in a heavily irradiated environment, even if days were available for the purpose.

It must nonetheless be said that the chances of countermeasures being successful are in all events greater if the reactor has been shut down, and increase the longer the reactor has already been shut down. Radioactive releases may also be lower if radionuclides with a short life (e.g. iodine-131) have already by and large decayed.

More precise statements can be made for a case in which the cooling systems fail but the cooling circuit for the most part remains intact. Then it is basically possible for water still to be fed in. This means that destruction in the reactor building would be kept within limits or that the building would not be directly affected.

What is crucial in this case is when the coolant around the fuel rods (at a temperature of approx. 40-50 ° C) begins to boil on account of the decay heat, and how rapidly it evaporates. This will set a time frame within which measures can be improvised. It will of course be determined by the output of decay heat.

The table below shows how this heat output develops in the first year after shutdown, expressed as a percentage of the thermal output of the reactors during operation (with a reactor having an electrical output of 1,300 MW this is approx. 4,050 MW)11:

immediately after shutdown

7 %

after 1 hour

1.5 %

after 24 hour

0.65 %

after 10 days

0.3 %

after 100 days

0.1 %

after 1 year

0.03 %

When the reactor is in a cold, pressure-less state, the primary cooling circuit in a modern pressurised water reactor with 1,300 MW of electrical output contains about 400 tonnes of water. If the fuel rods have remained in the reactor pressure vessel and the cooling circuit has not been substantially damaged, this amount will then be available for cooling purposes.

Ten days after shutdown the water in the primary loop begins to boil after about two hours; after a hundred days it does this within about six hours, and after a year it boils after roughly a day.

It will take about ten times as long for the water to then completely evaporate.12

In the difficult conditions prevailing after a big passenger plane has crashed onto the site, something like a day will be needed for countermeasures such as laying pipes for feeding in water, or moving up emergency power units and other equipment, to be carried out.

An appropriate demand to make here would be for there to be at least one day of grace before the situation in the reactor becomes critical. More specifically, it would be that boiling should not be allowed to occur until after a day (since, once it has begun, boiling can be expected to create further problems for the countermeasures, and these should be avoided). If a significant gain in safety is to be achieved by shutting down, this would mean necessary standstill times of about one year. If it were accepted that measures could be carried out after boiling had begun too, without that of course evaporating more than a small part of the total coolant, this would mean the periods the reactor would need to stay at a standstill would be of the order of a quarter of a year.

With a pressurised water reactor, heating of the primary cooling loop can be slowed down by having heat go to the steam generators through a natural circuit and be conducted away via the secondary circuit. On a rough estimate this can mean a gain of a factor of two13. But it would be problematic to set store by this gain in time because in a real accident or terrorist attack it cannot be foreseen to what extent the secondary cooling circuit would remain intact.

If the fuel rods from the reactor are stored in the storage pool the periods of grace for taking countermeasures will be much longer (on account of the storage pool's greater coolant inventory the periods of time will be three to four times as long as with what has remained in the reactor).

But this will be bought at the cost of a number of drawbacks:

  • It takes several days for the fuel rods to be transferred, and the nuclear power plant is particularly vulnerable during this time.
  • In certain circumstances the cooling systems of the fuel rod storage pools can be low on reserves for safety purposes. In accidents in which cooling systems still function at all, or at least partially, it is better the fuel remains in the reactor.
  • In boiling water reactors the storage pools are above the reactor itself, and are relatively high up in the reactor building. This means they are particularly vulnerable to interference from outside.
  • Storage pools are usually already charged with large amounts of spent fuel. The development of heat there is relatively low. But in having a charge of several hundred tonnes this heat is equivalent to the residual decay heat after a year, as stated above, and thus is of consequence if long periods of time have gone by since the reactor was shut down.

Storage pools are basically a further source of releases in the event of a serious plane crash. The older fuel there can also melt down. The periods of grace before this happens are however several days.

7 Other countermeasures

The options for increasing safety protection against crashes by medium to large passenger aircraft by technical retrofitting are extremely limited. While details can no doubt be improved, the risks to the plant will not be substantially reduced.

Stationing military units at nuclear power plants for the purpose of air defence14, a measure currently being discussed in France and already implemented in the Czech Republic, must be regarded as extremely problematic. Apart from the obvious danger of shooting down aircraft which have no interest in the plants - planes whose radio and navigation systems have failed, for example - new risks are created as a result.

Ground-to-air missiles which miss their target could by mistake hit the power plant and cause damage. The air defence posts could themselves become the target of terrorist attacks. Terrorists could try to take them over so as to shoot at the nuclear plant. For this to be avoided the posts would have to be permanently protected by ground troops - which would be a big step towards militarisation of the whole electricity supply system, something which cannot in any way be regarded as desirable.

The most effective countermeasure is to shut down all nuclear plants as early as possible. As has been shown, the risk only decreases slowly in this case too. A certain gain in security could be attained by storing spent fuel in containers which are then stored in bunkered sheds.

The approach to interim storage currently being pursued does not meet the requirement of adequate protection against outside interference (quite apart from the fact that the technology for "Castor" flasks is also not fully developed).

A crash by a big passenger aircraft onto the interim repository at Ahaus, Gorleben, or one of the decentralised interim stores planned at nuclear power plant sites, could result in disastrous releases of radioactivity, especially if there is a hot, long-lasting fire from its fuel. It is therefore necessary that new approaches to storage be devised. It would take years before stores providing the necessary safeguards could be made available.

Nor is easy to answer the question of where the optimum site for such security stores might be. If they were built at nuclear power plant sites it would mean that shipments on public transport routes would not be necessary - not, at least, for several decades.

On the other hand nuclear power plants are themselves a possible target for terrorist attacks, not only because these would seek to radioactively contaminate broad areas of land, but because this would hit electricity supplies! This can also have effects on the repository, which would for this reason have to be designed to particularly high standards.

If a central security repository were built, shipments would have to be made. The way Castor flasks are at present constructed makes them especially vulnerable to attack by armour-piercing weapons. Portable weapons using hollow charge grenades which can be fired by one or two people can destroy the wall of a Castor flask and cause a substantial amount of radioactivity to be released. Improving protection in this regard by improving the flasks will have its limits because it is in the nature of shipment flasks that they cannot be too heavy, and this limits how thick their walls can be.

The risks will therefore not be eliminated even if all nuclear power plants are shut down without delay. But they will be markedly reduced. One significant long-term aspect is that when a plant is closed down it stops producing highly active spent fuel. This is dangerous and costly to protect, and amounts of it will then at least not increase further - whereas continued operation in accordance with the "energy consensus" deal on nuclear power would mean amounts of it would double.

Notes
  1. Statement by Dr. Rinkleff, expert for the TÜV Hannover/Sachsen-Anhalt standards authority, at hearing for Lingen interim storage site, 17 Dec 1999 (according to record made by Bundesamt für Strahlenschutz, Salzgitter, 2000, ps. 3-49)
  2. All nineteen nuclear power plants in operation in Germany are light water reactors, i.e. reactors cooled and moderated by water. Thirteen of them are of the pressurised water reactor type (two cooling circuits between reactor and turbine connected by steam generator), and six are boiling water reactors (with one cooling loop between reactor and turbine).
  3. F-104, a fighter plane developed by Lockheed. Almost 1,000 Starfighters of various kinds were deployed in the Federal Republic of Germany in the 1960s and 1970s.
  4. RSK Commission guidelines for pressurised water reactors, 3rd edition, 14 October 1981, last amended / adjusted in 1996
  5. F-4E, a fighter plane developed by McDonnell Douglas, deployed in the Federal Republic of Germany since 1974.
  6. This table was drawn up from published documents and incorporates research at government authorities, NPP operators and other institutions.
  7. Eurofighter Typhoon (EJ2000), developed jointly by Germany, the UK, Italy and Spain, currently being delivered; Mikojan MIG-29, a Russian multi-purpose fighter plane, flown in East Germany in the 1980s and taken over by the federal German air force after reunification.
  8. Panavia Tornado IDS, developed jointly by Germany, the UK and Italy, first delivery in 1979.
  9. According to data from the USAF (www.af.mil), the Airbus consortium (www1.airbus.com) and Boeing (www.boeing.com)
  10. First statement by the Reaktorsicherheitskommission - Safety of German nuclear power plants in the event of a deliberate crash by a big passenger airplane with full fuel - adopted at meeting on 11 October 2001 (www.bmu.de)
  11. The data are approximations. Published figures on this can be found, for example, in Kernschmelzunfälle in deutschen Atomkraftwerken und ihre Auswirkungen auf Mensch und Umwelt, Bürgerinitiative Umweltschutz Hannover, 1998 [local environmental pressure group, Hanover]
  12. The periods for the beginning of boiling and evaporation have been determined by my own calculations. The results are compatible with comparable figures estimated for the Slovenian nuclear power plant at Krsko (Stritar, A. at al.: Some Aspects of Nuclear Power Plant Safety under War Conditions; Nuclear Technology Vol 101, Feb. 1993, 193-201).
  13. In a cold state the water contained on the secondary side of the four steam generators of a modern German pressurised water reactor amounts to approximately 300 tonnes
  14. See for example Nucleonics Week Vol. 42, No. 39, September 27, 2001, 11-12
- | -
-
    home > newsletter > search > about us > links > back to contents    
 -
- - -