NUCLEAR POWER is on its way out in the United States. Our utilities stopped ordering nuclear plants in the mid-'70s and no resumption is in prospect. In fact, except for facilities now under construction, there has been essentially no addition of any kind to the nation's electrical generating capacity in the last decade.

So far, this hiatus has been relatively painless, thanks to conservation, slow load growth and small privately-owned power sources. But that will change soon: Present excess capacity is being eroded by increased power demand; and many aging plants will soon be retired. Even with relatively conservative load-growth predictions, additions equivalent to about 10-15 "average" nuclear plants will have to be put in place each year by American utilities beginning about 1995.

Barring a revolutionary change in attitude, those new plants will not be nuclear. Planners at U.S. utilities state unequivocally, albeit privately, that growth will be delayed as long as possible and then achieved primarily by advanced coal-fired plants. This will put the United States at a competitive disadvantage even as fossil fuels place severe burdens on the environment.

Yet nuclear energy -- which now supplies 20 percent of America's electricity -- has the potential to be the most economical, least environmentally damaging source of large-scale power available. Moreover, that potential can be realized with existing technology: An acceptably safe form of easily disposable nuclear fuel is available now and a reactor based on its use has been in operation since 1966.

The "modular gas-cooled reactor" {see illustration} has three desirable characteristics: 1) Its fuel supply can operate safely at much higher temperatures than the traditional fuel rods used in water-cooled reactors. 2) Its modest size makes many conventional multiple-redundant safety systems unnecessary. 3) Its fuel-unit design and physical structure maximize dissipation of heat. Taken together, these factors give the MGR a paramount advantage: It can survive a worst-case breakdown in an actual on-site test.

How Safe is Safe?

Nuclear energy will be accepted again in the United States only if both the public and the utilities are convinced that it carries demonstrably smaller financial and environmental risks than other potential power sources. It is no longer sufficient to hear that designers have computed the probability of an accident and found it "vanishingly small." The public has, with good reason, lost all faith in such pronouncements.

The safety of nuclear plants varies according to the design principles each uses. There are four general levels:

Level 0: No hazardous materials or confined energy sources.

Level 1: No need for active systems in event of subsystem failure. Immune to major structural failure and operator error.

Level 2: No need for active systems in event of subsystem failure. No immunity to major structural failure or operator error.

Level 3: Positive response required to subsystem malfunction or operator error. Defense-in-depth. No immunity to major structural failure.

No nuclear system can ever achieve Level 0. Atomic fission {see box} necessarily involves hazardous materials and generates hundreds of different byproducts. Some are radioactive, some toxic, some volatile; some are all three. Nuclear fission results in the instantaneous generation of heat as well as the delayed release of "afterheat" as various waste products decay.

Reactor designers must ensure that radioactive wastes are never released to the environment and that the delayed heat release does not damage the reactor in the event that cooling is compromised. Depending on engineering choices, the resulting design will achieve one of the three possible safety levels.

All existing reactors in the United States are Level 3 designs, and all but one are variations on the "light water-cooled reactor" (LWR). They use uranium-oxide fuel arranged in thin water-cooled rods. Approximately 18 months' worth of fuel are loaded at one time; and as the uranium breaks down, the control rods are withdrawn to maintain a consistent energy level.

The fuel must operate at very high centerline temperatures in order to transfer sufficient heat to the rod surface where it can be carried away by the water. If all coolant is lost, there is sufficient energy in the rod -- even if all nuclear reactions are instantly terminated -- to damage the rod in only 5 seconds and destroy its integrity totally in 20. (The zirconium-alloy casing begins to fail at about 950 C.) Thus a 5-second lapse in cooling due to pump failure or a mistaken valve action can cause trouble.

Designers respond by providing redundant water supplies as well as external cooling and containment systems. This reliance on multiple independent safety systems -- known as "defense-in-depth" -- is the cornerstone of the Nuclear Regulatory Commission's regulatory philosophy. It was exemplified at Three Mile Island where the outer reactor containment vessel itself provided the last (and necessary) barrier to radioactive release.

Even if the short-term problem of instantaneous heat release is solved, however, the problem of "afterheat" remains. Although afterheat (generated by radioactive waste-product decay) is much less intense than that generated during normal operation, it constitutes a major concern. Afterheat intensity depends on both the operating power density and the total heat released by the fuel element since its installation. Economic forces drive the reactor designer to get as much heat as possible from each fuel element and to use it as long as possible. The resulting afterheat is sufficient to raise the temperature of uncooled fuel to the failure point long after the reactor is turned off -- and, in fact, long after the fuel is removed from the reactor. For this reason, spent nuclear fuel must be stored in pools of water for months or even years.

Proponents of the status quo argue that Level 3 reactors are "safe enough." But that is impossible to prove -- and very hard to maintain. The complexity required by "defense in depth" has made nuclear reactors far more costly than than U.S. utilities had expected; and because the cost of the safety system can only be justified if the reactor generates a substantial amount of power, nuclear power plants are very much bigger than conventional fossil-fuel plants. Utilities have become increasingly reluctant to gamble on the successful operation of such very large plants.

Staying Cool Under Pressure

The integrity of the fuel is a reactor's first line of defense. If it can be maintained without corrective operator action or active equipment response, then no radiation release can take place no matter what else happens. Level 2 safety can be achieved relatively easily by modification of existing reactors.

Fuel integrity is ensured if: a) the power density is low enough that the mere presence of coolant, without forced flow, is sufficient to cool the fuel during normal operation; b) design features of the core are such that the nuclear reaction is terminated in the event of deviation from normal operation; and c) there is some provision to ensure that low-level afterheat can be carried off without active cooling.

If these conditions are met, then all that is required to achieve Level 2 is that the reactor core be immersed in a large amount of coolant. The most widely known of such designs is the Process Inherent Ultimate Safety (PIUS) reactor, developed in Sweden on the basis of the LWR. Its small, low-power-density core is placed in a pool of water large enough to cool the afterheat for a week -- by which time, if necessary, some means could be arranged to refill the pool.

The PIUS employs an ingenious emergency shutdown scheme. The water in the pool is actually composed of two different parts. The one which circulates through the reactor core during normal operation is similar to that in any light water reactor. The largest volume of water, however, has a very high boric acid content. The two bodies of water are kept separate only by natural pressure and buoyancy forces, like layers in a parfait. In the event of a system upset, this delicate "float" balance is destroyed and pool water mixes with coolant water in the core. The pool water's boron -- the same element used in control rods -- instantly shuts down the reaction.

Most observers are convinced that PIUS will shut itself down very quickly in the event of a problem; they are less convinced that the reactor can be kept operating for long periods of time because it is so sensitive to the normal perturbations that any plant undergoes. Additionally, when PIUS does shut down, it takes a very long time to remove the borated water from the core.

Perhaps the most advanced Level 2 system is the PRISM reactor designed by General Electric. It has a metallic uranium core suspended in a large pool of sodium in much the same way that PIUS' uranium-oxide core is suspended in a large pool of water. The afterheat is carried away by air which circulates over the outer surface of the reactor vessel via continuous venting. The vessel is double-walled to prevent air-sodium contact in the event of rupture. If the control rods fail to achieve shutdown, the reactor will, by a natural feedback process inherent in the core design, shut itself down to a low power level. The shutdown temperatures would be substantially higher than normal operating temperature but low enough to avoid fuel damage.

The key safety criterion for Level 2 designs is that the coolant fluid must remain in place and the gross structure containing it intact. This seems reasonably assured in the cast of PIUS; but there are valid questions regarding the double metallic vessel in PRISM. (Sodium fires are a particularly worrisome possibility.) However, it will probably never be necessary to decide if PIUS or PRISM designs are "safe-enough" because they are simply not "cheap enough": Complexities in each system make construction expenses too high to be economically feasible.

Kernels, Pebbles and Gas

The key to Level 1 safety is the use of fuel that can survive the total absence of coolant, even at densities required for full-power operation.

The only Level 1 reactor now in use does just that. It employs an extraordinary fuel: tiny (0.4 mm) uranium oxide kernels encapsulated within multiple nested spheres of low-density graphite, pyrolytic carbon and silicon carbide. The total capsule diameter is only 1 mm, about 1/40 inch. For ease of handling, 10,000 to 20,000 of these spheres are embedded in the interior of 6-cm graphite "pebbles" about the size of a billiard ball. Intensive testing shows that the encapsulated fuel spheres are virtually perfect confinement vessels up to temperature of 1800 C. At that temperature, the spheres begin to leak; but they do not begin to fail until in excess of 2000 C. (Compared to 950

for traditional LWR fuel.) And unlike LWR reactors, MGR systems can be continuously refueled every few days by removing exhausted pebbles and adding several more -- but only enough to maintain a minimum critical mass.

A cluster of these pebbles (or cylinders, in a DOE design) constitutes a critical mass and provides sufficient surface area for removal of the generated heat. Helium, flowing around the pebbles at high pressure, serves this purpose ideally. A reactor of this type, with the German acronym AVR, has been operating in West Germany since 1966. AVR generates approximately 50 megawatts of thermal power -- too small for commercial interest, but a useful model for Level 1 commercial reactors.

The worst possible accident for a reactor is the withdrawal of all control rods with the simultaneous total loss of all coolant. A reactor can be classified Level 1 only if the natural processes of heat conduction and radiation are sufficient, in this worst possible case, to hold the temperature of the hottest point in the reactor to less than the fuel failure temperature.

An MGR design can easily achieve this goal. The trick is to ensure that the hottest region in the core never gets hot enough to cause fuel failure. The reactor can be designed so that the fission process is automatically shut down by high temperatures, even if the control rods are not used. The problem is the afterheat; the solution is to provide an easy way for the afterheat to escape from the reactor core.

An MGR, installed in an underground silo, can do this because its core is limited to a 3-meter diameter. Heat travels from the reactor center to the outer edge of the pressure vessel, then to the silo, then to the surrounding earth. If the reactor diameter is much greater than 3 meters, the center of the reactor gets too hot; that size restriction limits the total power output to 200 megawatts. Because that output is small by conventional U.S. standards, a number of identical reactor units (modules) would necessarily be used as independent heat sources in such power plants. Thus the term "modular."

Light-water reactors typically put out 3000 MW or more in an attempt to take advantage of supposed economies of scale. But the MGR, despite its much smaller size, can be economically competitive; and it can be produced in quantity in central factories. A further advantage: The MGR's encapsulated fuel is, in effect, already packaged for disposal. There is no need for reprocessing, with its associated costs.

The MGR designs now on the drawing board, ready for construction if funding becomes available, promise to be so free of hazard that there will be no need to consider public evacuation even under the most stringent existing regulations. The essential difference is that Level 1 reactors will be capable of (and required to) prove this extraordinary assertion by actual test. Level 1 systems could thus be licensed in much the same fashion as commercial aircraft: The final design must demonstrate practical airworthiness before being "type certified." Such full-scale proof testing of the actual system seems the only way to convince a skeptical public that reactors are "safe enough" and to show once-burned utilities that reactors are "cheap enough."