Substandard Submarines

Document Sample
Substandard Submarines Powered By Docstoc
					Substandard Submarines

On 26 November 2009 the Defence Board in the Ministry of Defence (MOD) considered
the Successor Submarine Project - the programme to develop a new nuclear-armed
submarine to replace the Vanguard Class. The Defence Nuclear Safety Regulator
(DNSR) presented a paper, DNSR/22/11/2, with advice on the selection of the reactor
for the new vessel. A heavily redacted copy of this document was released to Scottish
CND under the Freedom of Information Act (FOIA).

Following a request from Angus Robertson MP, a further copy was placed on the House
of Commons website on 5 April 2011. This second copy was not redacted properly.
Blacked-out sections could be read by simply copying and pasting the text. The full
version was also available as an html document on the Google search engine. The Daily
Star reported this blunder on 17 April 2011, exaggerating the security implications of the

PWR1 reactor pressure vessel                       Extract from DNSR/22/11/2

The primary reason for sections being blacked out was not national security but a desire
to allow the regulator free space in which he could advise the Government. The full
document, which has been published widely on the internet, does not give away detailed
secrets of submarine operations.

In the redacted version of the paper, DNSR was seen to argue that “current UK practice
falls significantly short of benchmarked relevant good practice”.1 The blacked-out
sections explain why this is the case.

Comparison of British and American submarine reactor designs

DNSR identified two areas where UK submarine design was below good practice - a “Loss
of Coolant Accident” and “control of submarine depth”. In both cases, British practice
compared poorly with the standards of the US Navy and the civil nuclear industry.

 Safety regulators’ advice on the selection of the propulsion plant in support of the future
deterrent review note. DNSR/22/11/2, 4 November 2009, para 13
Loss of Coolant Accident (LOCA)

The ongoing accident at Fukushima is a Loss of Coolant Accident. Systems to reduce the
likelihood of a Loss of Coolant Accident on a submarine include:

Direct Head Injection

The most important design feature which can be introduced to reduce the likelihood of a
LOCA is to have an emergency system which can inject coolant directly into core through
the head of the reactor pressure vessel – “for the dominant fault sequence of a LOCA,
the ability to protect against reasonably foreseeable leaks can only be achieved by
injection of emergency core cooling through the reactor pressure vessel (RPV) head
directly into the core (direct head injection)”.2

US – American submarine reactors have systems for direct head injection of coolant.3

UK – British submarine reactors do not have systems for direct head injection of coolant
– “the current PWR2 emergency core cooling system does not inject coolant to the
reactor pressure vessel head”.4 A diagram of the PWR1 reactor shows that the same
applies to that earlier design.5 In a reply on 5 April 2011, the Defence Minister Peter
Luff deliberately misled Parliament when he was asked whether British submarines have
this vital safety feature. Asked if submarines have “systems for the safety injection of
coolant into the reactor pressure vessel head”, he replied - “All submarines in service
have ... the ability to add coolant into the reactor pressure vessel if necessary”.6

Automatic emergency cooling system

The Safety Assessment Principles for nuclear safety say that automatic safety measures
are preferable to ones that require on manual intervention. 7

US – This issue is not specified.

UK – The PWR2 emergency core cooling system “is highly dependent on manual
procedural control”.8 A diagram of the PWR1 reactor shows that the reactor operator
must close two valves, and open several others, in order to operate the emergency
cooling system.9

Passive cooling system

The Safety Assessment Principles for nuclear safety say that passive features in the
reactor design are preferable to active engineering measures.10 Reactors with passive

  DNSR/22/11/2 para 17
  DNSR/22/11/2 para 13
  DNSR/22/11/2 para 13
  Illustration of the fault on HMS Tireless in 2000, based on a Navy manual
  Hansard 5 April 2011 Col 761W
  DNSR/22/11/2 para 11
  DNSR/22/11/2 para 13
  Illustration of the fault on HMS Tireless in 2000, based on a Navy manual
   DNSR/22/11/2 para 11
cooling systems are designed to operate without cooling pumps. If a reactor requires
cooling pumps then safety depends on the availability of a back-up power supply to run
the pumps if the reactor shuts down.

US – American submarines reactors have passive core cooling systems.11

UK – British submarine reactors do not have passive core cooling systems, in the way
the term is normally used. In a statement to the Defence Committee Steve Ludham of
Rolls Royce said that passive cooling was a new feature that they would like to introduce
in a new PWR3 reactor for the Vanguard replacement – “a new design of reactor would
be quite important to make it what we might call a ‘passive’ plant.”12 The Emergency
Core Cooling system on PWR1 and PWR2 may have some features of a passive system,
but it is a back-up system with limited capability which requires manual intervention to
bring into operation.13 Peter Luff’s reply to Parliament on 5 April 2011 - “All submarines
in service with the Royal Navy have passive core cooling capability” - was misleading.14

Simple design with suitable materials

US – By implication, American submarine reactor designs are simpler, with fewer welds
and use suitable materials.

UK – A structural failure equivalent to a 15 mm diameter hole is more likely on a British
submarine “due to the materials used, the complexity of systems and the number of

As a result of the poor design features in PWR1 and PWR2 there are consequences in
terms of the severity and likelihood of an accident on a British submarine:

Ability to tolerate a crack in the primary circuit

US – By implication, American submarine reactors can tolerate a structural failure which
is greater than equivalent to a 15 mm diameter hole.

UK – British submarine reactors have “the ability to tolerate only a structural failure
equivalent to a 15 mm diameter hole”.16

Likelihood of a structural failing which would lead to a LOCA

US/US – “the initiating structural failure causing a LOCA is twice as likely to occur as in
equivalent civil and submarine reactor good practice” – ie twice as likely on a British
submarine as on an American submarine.17

   DNSR/22/11/2 para 13
   The Future of the UK’s Strategic Nuclear Deterrent: the Manufacturing and Skills Base, House of
Commons Defence Committee, HC 59, 12 December 2006. Evidence page 8.
   The Emergency Core Cooling System loop on PWR1 is cooled by sea water.
   Hansard 5 April 2011 Col 761W
   DNSR/22/11/2 para 13
   DNSR/22/11/2 para 13
   DNSR/22/11/2 para 13
Conceptual diagram of the PWR1 reactor showing the Emergency Core Cooling System

Control of submarine depth

Modern nuclear submarines use two methods to adjust their depth. The first is by
changing the amount of ballast (water) they carry. The second method is by powering
forward and altering the angle of the bow and stern hydroplanes. Once submerged to
their operating depth, they use the second method. The hydroplanes act as “wings for
the submarines ... They drive the submarine up and down through the water depths”.19
The submarine is “flown” underwater.20

These hydroplanes only work if the submarine is moving forward. This means that depth
control is dependent on the availability of power. If the reactor shuts down and there is
no propulsion then control of depth can be lost. If the vessel is operating at close to its
maximum depth this can result in it sinking to a depth at which the hull is ruptured and
the vessel and crew are lost.

On 10 April 1963 the American nuclear submarine USS Thresher sank, with all hands, in
2,600 metres of water East of Cape Cod. A Court of Inquiry concluded that the reactor
had probably shut down, resulting in a loss of propulsion, and that the ballast system
had also failed, possibly as a result of freezing temperatures.21

   Comment by Australian submarine officer
   BAe Systems; There are diagrams
explaining how submarine depth is controlled at
   Navy News 26 October 1993
  MacTaggart Scott retractabl            Upper Rudder of USS Thresher on the seabed22
 Emergency Propulsion System23

In July 1998 the crew of HMS Vanguard were terrified when the reactor shut down while
submerged between Lands End and Ireland. There was a delay before sufficient back-up
power was established.24

There are a number of ways of reducing the risk of loss of depth control:

Reliable main propulsion system

The best protection against loss of depth control is a “high reliability main propulsion
system”. 25

US – “US established practice is to provide a high reliability of propulsion, from the main
propulsion system, even under reactor fault conditions”.26 This suggests that US
submarines have reliable nuclear reactors which will continue to function even when
there are defects in the primary circuit.

UK – “UK practice in current class submarines is to accept a much lower reliability from
main propulsion system”.27 PWR1 and PWR2 reactors are not, on their own, sufficiently
reliable to provide adequate protection against a loss of control over depth.

Back-up propulsion system

Some submarines are fitted with a retractable propeller. This can have its own power
supply. The additional propeller is used for manoeuvring while docking and can serve as
an emergency back-up.

US - By implication, modern American submarines do not need an emergency propulsion
system, but it may still be fitted.

     Sunday Mail 19 July 1998 tp://
     DNSR/22/11/2 para 17
     DNSR/22/11/2 para 13
     DNSR/22/11/2 para 13
UK – Because of the lower reliability of the main propulsion system, this is backed up
with a “very low power (but high reliability) emergency propulsion system”.28 However,
this back-up “will not provide sufficient dynamic lift”.29 An effective back-up
motor would require “much higher power” than the current system and a “high energy
submarine battery”.30 The low power of the back-up propulsion system on USS Thresher
may have contributed to the loss of the submarine. If the Royal Navy did introduce an
improved back-up motor this would still not, on its own, be sufficient. It would have to
be supplemented with a rapid deballasting system.31

Procedural limits

US – By implication, the restrictions described below do not apply to US submarines.

UK – Because the emergency propulsion system does not provide enough power, there
are “procedural controls constraining the combinations of speed and depth”.32 This
probably refers to limits on the maximum or minimum speed when the submarine is
operating close to its maximum design depth. These procedures are “backed up by the
use of ballast systems”.33 But this does not provide comprehensive safety cover – “this
may not be effective under all circumstances”.34


Submarines can adjust depth and trim by increasing or reducing the amount of ballast,
in the form of water, they carry. The ease with which the Main Ballast Tanks can be
filled with air varies with depth. At maximum depth it is more difficult because of the
higher pressure of the water.

US – By implication, a rapid deballasting system is not required.

UK – Current submarines do not have a rapid deballasting system, but a future
submarine design can only comply with good practice if it has either a new highly-
reliable reactor, or a more powerful back-up propulsion motor combined with a rapid
deballasting system.35 By implication, the current ballast system does not operate
quickly enough to enable the vessel to recover control over depth in some scenarios
when there is no power from the main propulsion system.

Keeping risks As Low As Reasonably Practical

DNSR/22/11/2 explains that the MOD has a legal obligation, under the Health and Safety
at Work Act, to reduce risks to As Low As Reasonably Practical (ALARP). With regard to
a successor submarine, it argues that – “without improvement PWR2 is not an ALARP

The paper makes a distinction between the application of the ALARP principle to a new
submarine and to existing vessels. It says – “For current classes of submarine, including

     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   17
     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   13
     DNSR/22/11/2   para   17
     DNSR/22/11/2   para   16
the ASTUTE Class under construction, there is a limit to what improvements are
reasonably practical to implement”.37

However, the MOD may not have properly applied its own safety principles. The
Regulation of the Naval Nuclear Propulsion Programme, JSP 518, states – “Existing plant
and processes should still be compared with modern standards and any shortfalls then
considered against the ALARP principle”.38

DNSR/22/11/2 suggests that the comparison with modern standards was only started as
part of the programme for the successor submarine –

“For the last 50 years UK submarine design and operation has developed its own
‘relevant good practice’ largely in isolation from peers. In recent years the opportunity
for greater technology interchange with the US and greater benchmarking with the UK
civil nuclear power generation industry has allowed more comparison.”39

The idea that the UK could develop its own best practice in isolation from peers is not
consistent with JSP 518 or with the application of ALARP to nuclear submarine safety.
The equivalent standards in the civil industry have long been in the public domain.
While details of US submarine reactor design may not have been available, British
designers should have been aware of the basic differences between British and American
approaches to submarine safety that are highlighted in DNSR/22/11/2. For example, the
use of passive cooling designs in US military reactors has been in the public domain for
many years.

One option in the report is PWR2b, a modified version of the current reactor. The MOD
has clearly been slow to explore the feasibility of adjusting this design. One of the main
recommendations of DNSR/22/11/2 was that “there must be a formal presentation of the
safety analysis and arguments for PWR2b”. Carrying out this investigation has probably
been one reason for the extension of the Concept Phase of the successor submarine
programme, and the postponement of the Initial Gate. Had the MOD been complying
with their own requirement to apply ALARP to existing plant then this study would have
been carried out years ago.

Safety work on current designs has been slowed down because resources have been
directed towards developing PWR3, the proposed new reactor for the successor

Basis for the redaction of DNSR/22/11/2

Press coverage of the accidental release of DNSR/22/11/2 suggested that the document
contained secret information, the release of which would be damaging to national
security. The first report, in the Daily Star on 17 April 2011, said - “Bungling Ministry of
Defence workers have laid bare Britain’s nuclear submarine secrets to our enemies”.
The newspaper described the document as - “A classified government report into the
sub’s vulnerabilities”. It quoted Patrick Mercer MP describing the release of this
information as “potentially catastrophic”.41 In fact, the report was classified Restricted, a

     DNSR/22/11/2 para 14
     Regulation of the Naval Nuclear Propulsion Programme, JSP 518, Issue 2, MOD, April 2004
     DNSR/22/11/2 para 12
     Defence Nuclear Environment and Safety Board 2009 Assurance Report para 19
     Nuclear sub secrets revealed by MoD ‘schoolboy error’, Daily Star 17 April 2011.
much lower security grading than Secret. It was not a description of operational
vulnerabilities, but was safety advice from the MOD regulator.

On 8 January 2010 Scottish CND submitted a request to the MOD, under the Freedom of
Information Act (FOIA), for Defence Board report (09)62 on the Future Deterrent. On 5
March 2010 the MOD supplied parts of two pages from the report. The remaining
documents were withheld “as the information falls within the scope of section 35
(formulation of government policy) of the Freedom of Information Act”.42 The MOD
explained, in a covering letter, why this section had been applied. The letter made a
passing reference to other exemptions: “Beneath the over-arching qualified exemption of
section 35, material within the documentation falls within the scope of a number of other
qualified exemptions, which would also inhibit the release of that information. Namely,
section 26 (defence), section 27 (international relations) and section 43 (commercial
interests) apply to material within the documentation.” 43

Scottish CND requested an internal review of this decision. On 28 February 2011 Katie
de Bourcier, Head of Corporate Information at the MOD released redacted copies of the
Defence Board documents, including DNSR/22/11/2. The internal review had concluded
that “the application of the section 35 exemption, which provides for the withholding of
information relating to the formulation of government policy, was inappropriate.”44 This
was because the decision to produce a successor submarine had already been taken and
had been approved by Parliament. However, Ms de Bourcier then introduced section 36
of the FOIA, which had not initially been applied.45 Although mention was made of
sections 26,27 and 43, it is clear that the documents were initially withheld largely on
the basis of section 35, and then following the review they were primarily redacted
under section 36.

With regard to DNSR/22/11/2, Ms de Bourcier explained that information was withheld
under section 36(2)(b)(i) because its release “would be likely to inhibit the provision of
free and frank advice [from DNSR] to the Board”.46

The use of this section of the FOIA to withhold advice from DNSR has been successfully
challenged in another case.47 The MOD had applied section 36(2)(b)(i) to nuclear safety
reports requested by the journalist Rob Edwards. The Information Commissioner
supported the MOD’s decision. In March 2010 Mr Edwards appealed to the Information
Tribunal. Scottish CND, John Large (consultant engineer) and Fred Dawson (the former
head of the radiation protection policy team at the MOD) submitted detailed statements
supporting the appeal. They argued that withholding information in order to give DNSR
space to provide free and frank advice was in conflict with the basic principle of
transparency in nuclear regulation and was not consistent with practice in the civil
nuclear industry. They highlighted the lack of independence of DNSR. It was
established that section 36(2)(b)(i) was very rarely applied by the Health and Safety
Executive. The use of this exemption by the MOD was rare and had declined in recent
years. Prior to the hearing taking place, the MOD reversed their original decision. On 11

   Email from MOD FOIA unit to John Ainslie, Scottish CND, 5 March 2010
   D/CIO/3/18/1/412 from Katie de Bourcier, Head of Corporate Information, MOD to John
Ainslie,Scottish CND, 28 February 2011 para 5.
   D/CIO/3/18/1/412 para 6.
   D/CIO/3/18/1/412 para 9.
October 2010 Ms de Bourcier wrote to Mr Edwards saying that they would no longer
redact the documents under section 36(2)(b)(i). The reason given was that “MOD has
taken a further look at how more recent requests for similar information to that in scope
of your appeal have been handled and has considered the approach that would be taken
were a new request for the same information be made today.”

This earlier case would suggest that the redaction of material from DNSR/22/11/2 on the
grounds of section 36(2)(b)(i) is suspect. It would appear that MOD were looking for
reasons to withhold large parts of this report. Their late application of section 36 was,
like their initial use of section 35, inappropriate.

John Ainslie
Scottish Campaign for Nuclear Disarmament
24 April 2011