Disaster by Design/Safety by Intent #47
UCS launched this blog series about a year ago. Until now, the series focused on Disaster by Design by describing steps taken along the path to disaster, including a few times that journey was completed. Beginning with this commentary, the focus will flip to Safety by Intent by describing times when measures undertaken by the nuclear industry and/or the Nuclear Regulatory Commission (NRC) enhanced nuclear safety. The measures could prevent even embarking down the path to disaster, or hasten a halt to that journey if started, or build in more steps between the start and end of the journey to make it less likely all steps ever get taken.
The initial commentary for this refocused series describes commendable measures undertaken by the NRC and the nuclear industry to better manage the risk from gas accumulating within plant systems and equipment to cause harm.
(My apologies to nuclear industry readers, when they revive from their fainting spells. With relatively cheap natural gas causing big headaches for nuclear power plants across the country, mentioning “gas” to an unsuspecting nuclear plant worker can make them apoplectic. Rest assured—this commentary is not about natural gas but about unnatural gas.)
Safety by Intent
The NRC issued Generic Letter 2008-01, “Managing Gas Accumulation in Emergency Core Cooling, Decay Heat Removal, and Containment Spray Systems,” to the owners of operating nuclear power reactors on January 11, 2008. The NRC informed the owners about problems experienced with gas accumulating in pipes and components that had the potential to prevent safety functions from being performed.
The NRC included a listing of 27 advisories it had sent owners between 1988 and 2006 about gas accumulation problems. The NRC listed the applicable regulatory requirements intended to protect against harmful gas accumulations. The NRC then mandated that the owners evaluate their plants to ensure that designs, operating procedures, and testing regimes adequately protected safety-related systems from impairment due to gas accumulation. The NRC followed up on the owners using Temporary Instruction 2515/177. After receiving training on the issue and this procedure, NRC inspectors examined how each owner responded to Generic Letter 2008-01.
The NRC observed that gas accumulation was occurring in the nuclear power industry. While none of the occurrences caused or contributed to a reactor accident, the potential existed for them to do so. Rather than wait for that potential to be realized, the NRC proactively took steps to remind owners about regulatory requirements intended to manage the risk from gas accumulation. The NRC then followed up to verify that owners had heeded the reminder. And the NRC took this action of its own volition, not in reaction to an accident or to pressure from Congress or to critical media coverage. The NRC intervened at an early stage and did not wait for the problem to grow to epidemic proportions.
The nuclear industry did considerably more than simply not contesting or resisting the NRC’s efforts. The measures mandated by the NRC in Generic Letter 2008-01 applied to safety-related systems and components, its regulatory purview. The nuclear industry voluntarily went beyond the NRC’s scope and expanded its evaluations to include non-safety-related systems and components potentially susceptible to gas accumulation problems. Granted, that expansion paid dividends in the form of increased reliability of systems used to generate electricity (and therefore revenue), but it still demonstrated the willingness to do the right thing instead of merely making the least possible effort needed to satisfy the NRC.
NRC and Industry in Action
Perhaps the most commendable aspect of the gas accumulation story (GAS) is that it reflected the NRC and nuclear industry in action rather than inaction. After the generic letter was issued, opportunities arose for NRC and the industry to pause. For example, the NRC was developing regulatory guidance on what efforts by industry it would find acceptable as well as the inspection procedure used to determine acceptability (or not). At the same time, literally, the industry was assessing the susceptibility of components to gas accumulation and methods to guard against it. Pursuing these activities in parallel entailed some risk on the part of both the NRC and the industry. If the NRC issued acceptance criteria different than anticipated by industry, the industry might have to re-do some of their work. Similarly, if the industry developed a testing method not expected by the NRC, the NRC might have to re-do some of its work. Good communications throughout the efforts minimized the surprise factor and the time required for adjustments caused by the surprises.
In the end, the schedule extensions due to “at-risk” work in parallel were considerably shorter than the time it would have taken to perform the tasks in series. In other words, there was very little downtime by either the NRC or industry that could otherwise have hastened resolution of the matter.
The NRC developed a checklist for use by its inspectors in “grading” progress by owners toward resolving the gas accumulation problem. The checklist established the areas the NRC would evaluate; other regulatory guidance informed the industry of the NRC’s expectations in each area.
Generic Letter 2008-01 required owners to submit reports to the NRC on their progress towards resolving the gas accumulation problem. The NRC’s report cards at the nine-month point revealed the problem was nearly resolved at some plants while still a work in progress at others. What mattered more than who put their pencils down first while taking the test was that the NRC ensured that everyone successfully passed the test.
NRC and Industry: Safety by Intent
Generic Letter 2008-01 demonstrated the safety achievable when the NRC and nuclear industry cooperate towards a timely resolution of a problem. It is not an isolated or unique example. It was chosen to lead off the series of commentaries focused on Safety by Intent because it is relatively easy to show the cause and effect and because both the NRC and nuclear industry contributed to the successful outcome.
Disaster by Design
Air, nitrogen, or hydrogen can get into nuclear plant systems and components and cause problems. For example, workers may drain water from the pipe in an emergency core cooling system in order to conduct a test or perform an inspection. Air replaces the water. After putting the system back together, workers open valves to refill the pipe. If workers do not also open a valve at a high point in the pipe run to vent the air during refilling, the air can be trapped inside the pipe. When the emergency pump starts, its pushing water down a pipe partially filled with air can cause what is called a “water hammer.” It’s like a garden hose “dancing” for a moment after the spigot is opened.
Nitrogen and hydrogen gas have routine uses in nuclear plants. Some water storage tanks have their air replaced with nitrogen to reduce the rate at which metal tank and pipe walls rust. If that nitrogen gas gets entrained in the water drawn from the tank, it can wind up in places it should not be.
Gas accumulation poses a real challenge for many safety-related pumps. Many pumps have fan-blade shaped impellers. The spinning pump impeller pushes water down the pipe. The low pressure created as the impeller pushes water away pulls in water from the upstream pipe. If the incoming water has a small gas bubble, the impeller will likely not even notice as the bubble rushes past with the moving water. But if the incoming water contains a large gas bubble, the gas can cause the impeller to freewheel. Water stops flowing through the pipe. The gas bubble prevents water in the downstream pipe from flowing back into the pump and also blocks the incoming flow from the upstream pipe.
Gas accumulation can also “trick” some of the instruments in the plant. A standard way of determining the water level inside a metal tank is to measure its density. To handle changes in density as water heats up and cools down, it is common to compare the density of water inside a tank to a reference column of water at a known temperature (and density). Such level monitoring instruments are calibrated for water inside the tanks. If gas accumulates inside the tank or in the water-filled tubes to the density monitoring instruments, the indicated level can differ significantly from the actual level. In one of the examples described by the NRC in Generic Letter 2008-01, a storage tank completely emptied of water while the gas-fooled instruments showed the level to still be in the acceptable range.
Gas accumulation represents a common failure mode for safety-related systems and components. A faulty motor can disable its emergency pump, leaving redundant pumps available to save the day. But gas accumulation inside the piping of that system can disable multiple or even all emergency pumps of that system. And gas accumulation can adversely affect all emergency pumps in all emergency systems drawing water from that tank.
The NRC’s issuance of Generic Letter 2008-01 and the measures undertaken by the nuclear industry in response lessen the likelihood that gas accumulation causes significant safety impairments.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.