Clean Energy Prof: The Fermi Chronicles - Part 21: Nuclear Events

For the nuclear industry, this was the big kahuna that put the kibosh on nuclear power in the U.S., even though no one was injured or killed. It appears that it is now turning around after nearly 2 generations. Three Mile Island had two nuclear reactors, both PWRs. On March 28, 1979, the feedwater pumps on the TMI-2 reactor stopped working. Emergency backup feedwater pumps didn't deliver water to the steam generators due to valves being manually closed for maintenance and testing (against procedure and NRC regulations by the way). Without water feeding the generators, there was no way to remove the thermal energy from the core. The reactor coolant started to increase in temperature.

If you recall from my prior post on reactor types (part 13 below). the PWRs maintain the high pressure in the reactor loop via a pressurizer tank. That pressurizer tank has a volume of gas that cushions the primary loop and regulates the pressure. If the pressure gets too low, more gas makes it up. If too high, then some gas can be vented through a pilot-operated relief valve, or PORV, into storage. At Three Mile Island, once the temperature of the reactor coolant started to increase, the liquid expanded (the density decreased). That forced the PORV to open to maintain a constant pressure. Pressure, however, continued to rise and the reactor was SCRAMmed (now called 'tripped').

Now when a reactor is tripped, it shuts down the nuclear fission, but the fuel rods remain hot for some time as radioactive decay of fission products continues. This is called decay heat. Thing was, that PORV that opened to lower the pressure never closed gain. It was stuck open. In this case, pressure continued to decrease. In a PWR, the very worst thing that can happen is bubble formation in the core as it is designed to be cooled by only liquid. What keeps the water from boiling is exactly the high pressure in the system. The higher the pressure, the higher the boiling point (think what a pressure cooker is for). In any case, the PORV was the problem here. Unfortunately, there was no indication that it was stuck open. In fact, in an engineering blunder of gigantic proportion, a lamp in the control room that would have indicated the true position of the PORV was never installed to save time on construction. Bad move. Instead, there was a single indicator light in the control that indicated when power was being applied to open the valve, but did not indicate the true position of the valve itself. The pressure continued to decrease through what was in effect an unknown leak. A Wikepedia entry has more detail on the PORV fault:

The design of the PORV indicator light was fundamentally flawed, because it implied that the PORV was shut when it went dark. When everything was operating correctly this was true, and the operators became habituated to rely on it. However, when things went wrong and the main relief valve stuck open, the dark lamp was actually misleading the operators by implying that the valve was shut. This caused the operators considerable confusion, because the pressure, temperature and levels in the primary circuit, so far as they could observe them via their instruments, were not behaving as they would have done if the PORV was shut — which they were convinced it was. This mental confusion contributed to the severity of the accident: because the operators were unable to break out of a cycle of assumptions which conflicted with what their instruments were telling them, it was not until a fresh shift came in who did not have the mind-set of the first set of operators that the problem was correctly diagnosed. But by then, major damage had been done.

The operators had not been trained to understand the ambiguous nature of the PORV indicator and look for alternative confirmation that the main relief valve was closed. There was in fact a temperature indicator downstream of the PORV in the tail pipe between the PORV and the pressurizer that could have told them the valve was stuck open, by showing that the temperature in the tail pipe remained high after the PORV should have, and was assumed to have, shut. But this temperature indicator was not part of the "safety grade" suite of indicators designed to be used after an incident, and the operators had not been trained to use it. Its location on the back of the desk also meant that it was effectively out of sight of the operators.

Another engineering blunder here was that there was no instrument at all that directly measured the water level in the reactor core.

This level was instead determined from the water level in the pressurizer - an indirect measurement. The operators thus assumed the core was covered since the water level in the pressurizer remained high. Because of this, the operators also halted the use of high-pressure safety injection (HPSI) pumps that could have overpressurized the system. Unbeknownst to the operators, boiling was occurring in the core as the pressure continued to decrease. The boiling forced water out of the pressurizer through the PORV as steam displaced water. The top of the core was now exposed to gas which by its nature is simply incapable of cooling the hot fuel rods. A meltdown thus ensued. The water pouring out of the PORV filled a sump in the containment building and triggered another alarm (more than 100 alarms went off during this time and it was impossible for operators to discern which were the most important). Also, the pressure in the containment building was increasing as steam was being discharged also through the PORV. These were clear indications that the PORV was stuck open, but it was simply not recognized by the overwhelmed operators.

Because of the continuous discharge of coolant through the PORV, a quench tank relief diaphragm gave out and ruptured and the contaminated coolant water now began to seep into the containment building. The event began at 4:00am. By 7:00am, a Site Area Emergency was declared and upgraded to a General Emergency by 7:24am. By this time, half the core was exposed to steam rather than water. A meltdown of the core was already occurring. It wasn't until 7 hours after the event that new water was pumped into the core. The primary loop pumps finally started pumping coolant through the reactor almost 16 hours after the event and it wasn't until then that the core temperature started to decrease. However, those pumps cavitated because of the steam still present and had to be shut down to to excess vibration. Too bad they didn't have the Holiday Inn guy when the PORV got stuck:

The event itself was magnified several times over by the interaction of several officials form the power company, the NRC and the local, state and federal government, many of which contradicted each other. For instance, and probably worst of all, were the statements regarding the possibility of off-site radioactive release. Some officials said not at all, others said yes, yet others said it was minor. In fact, very little radiation was released, giving an average dose of 1 mrem, a fraction of what is received during an x-ray at a hospital. In any case, it led to much confusion and distrust in the public. The Governor suggested that pregnant women and small children evacuate the area (radiation affects you more the younger you are - all the way back to the moment of conception - as it is dependent upon cell division). The Governor didn't do this based on what had happened at TMI-2, but rather what he and other thought might happen. The politics of fear had taken over. 140,000 people left the area in an exodus rather than an evacuation.

The media frenzy ensued. Anti-nuclear protests were launched. Worst yet was the event at Three Mile Island Occurred less than 2 weeks after the movie The China Syndrome was released. All these things together made nuclear a dirty word in the mind of the public. That has persisted for 2 generation. Since the TMI event, no new nuclear power plants were licensed to operate. That is hopefully now changing. Finally.

After the event at TMI-2, TMI-1 was shut down, but restarted in 1985. TMI-1 is still running today, more than 30 years after the TMI-2 event, and is licensed to do so by the NRC until 2014. An application for an extension until 2034 is pending. It remains one of the best performing reactors in America. As for TMI-2, the NRC notes that today, the TMI‑2 reactor is permanently shut down and defueled, with the reactor coolant system drained, the radioactive water decontaminated and evaporated, radioactive waste shipped off‑site to an appropriate disposal site, reactor fuel and core debris shipped off‑site to a Department of Energy facility, and the remainder of the site being monitored.

Probably the biggest lesson learned from Three Mile Island is that the entire nuclear industry is in this together, and that one major event affects the entire fleet of nuclear plants. INPO was formed (see my former post in the nuclear business - part 15 below). Information is now shared continuously between plants on any event no matter how insignificant. Also, several times every year there are drills for the testing of emergency response plans. Operators here at Fermi 2 have an identical control room that is a simulator (it's pretty darned cool) where shutdown, start-up and any scenario imaginable can be (and likely is) produced.

In addition, proper training is a huge aspect of the nuclear industry. Here at Fermi 2, they built an entire building that does nothing but training. Employees here are trained all the time, with some classes being refreshers for recertification, while other are extensive to the point of being several months long. Education is the key to everyone understanding what this plant is all about.
On the technical side, all nuclear reactor cores must have direct instrumentation that monitor the reactor core under the worst possible conditions imaginable. Risk assessment is a big part of the industry now, with statistics gurus planning for every scenario. The NRC also has this list of changes that took place after TMI:

Upgrading and strengthening of plant design and equipment requirements. This includes fire protection, piping systems, auxiliary feedwater systems, containment building isolation, reliability of individual components (pressure relief valves and electrical circuit breakers), and the ability of plants to shut down automatically;
Identifying human performance as a critical part of plant safety, revamping operator training and staffing requirements, followed by improved instrumentation and controls for operating the plant, and establishment of fitness-for-duty programs for plant workers to guard against alcohol or drug abuse;
Improved instruction to avoid the confusing signals that plagued operations during the accident;
Enhancement of emergency preparedness to include immediate NRC notification requirements for plant events and an NRC operations center which is now staffed 24 hours a day. Drills and response plans are now tested by licensees several times a year, and state and local agencies participate in drills with the Federal Emergency Management Agency and NRC;
Establishment of a program to integrate NRC observations, findings, and conclusions about licensee performance and management effectiveness into a periodic, public report;
Regular analysis of plant performance by senior NRC managers who identify those plants needing additional regulatory attention;
Expansion of NRC's resident inspector program – first authorized in 1977 – whereby at least two inspectors live nearby and work exclusively at each plant in the U.S. to provide daily surveillance of licensee adherence to NRC regulations;
Expansion of performance‑oriented as well as safety‑oriented inspections, and the use of risk assessment to identify vulnerabilities of any plant to severe accidents;
Strengthening and reorganization of enforcement as a separate office within the NRC;
The establishment of the Institute of Nuclear Power Operations (INPO), the industry's own "policing" group, and formation of what is now the Nuclear Energy Institute to provide a unified industry approach to generic nuclear regulatory issues, and interaction with NRC and other government agencies;
The installing of additional equipment by licensees to mitigate accident conditions, and monitor radiation levels and plant status;
Employment of major initiatives by licensees in early identification of important safety‑related problems, and in collecting and assessing relevant data so lessons of experience can be shared and quickly acted upon;
Expansion of NRC's international activities to share enhanced knowledge of nuclear safety with other countries in a number of important technical areas.

Here's Part 1 of the PBS documentary on 3-mile island (take it with a grain of salt):

Clean Energy Prof

Friday, July 3, 2009

The Fermi Chronicles - Part 21: Nuclear Events - Three Mile Island, 1979

No comments:

Post a Comment

My Other Blogs

Blog Archive