Disaster by Design: Safety by Intent #10
Disaster by Design
The March 2011 disaster at Fukushima Dai-ichi was a costly reminder of a lesson learned decades ago—nuclear power reactors need electricity for safety reasons.
Nearly four decades before Fukushima, the staff of the Atomic Energy Commission (AEC)—the predecessor to today’s Nuclear Regulatory Commission (NRC) and Department of Energy (DOE)—recognized the vital role electrical power plays in nuclear safety. The AEC established regulations governing electric power systems. Specifically, General Design Criterion 17 in Appendix A to 10 CFR Part 50 required reactors to have safety systems powered from both the offsite grid and onsite power supplies, lessening the odds that the safety systems would lack the power they need (Fig. 1).
The AEC staff observed disturbing trends in the frequency and duration of offsite grid failures and in the failure rates of onsite power supplies. Collectively these trends increased the chances that someday a reactor would lose electricity from both the offsite grid and from the onsite power supplies.
The AEC staff sought to backstop General Design Criterion 17 by also requiring that reactors be able to prevent reactor core damage even if power from the offsite grid and the onsite power supplies are unavailable for up to two hours.
The nuclear industry—wait for it—disagreed with the AEC about the need for the safety backstop. If power from the offsite grid is likened to a belt and power from the onsite power supplies likened to suspenders, the industry viewed the additional measures being sought by the AEC staff as stapling trousers to the flesh to prevent a reactor from being caught with its pants down. The industry contended that failure rates for offsite grids and onsite power supplies were already acceptable such that no further action was necessary. The AEC failed to resolve its concerns.
Exit the AEC on December 31, 1974, and enter the NRC the following day (or the first working day after New Year’s Day.)
On July 17, 1988, the NRC revised its regulations to add 10 CFR 50.63, the Station Blackout (SBO) Rule.
It took the NRC over a decade to overcome the industry’s strenuous objections to the safety upgrades and issue the SBO Rule. Among the mountain of facts the NRC staff gathered to break through the industry’s stonewalling is my favorite—prior to the SBO Rule, only 11 of the 78 reactors operating at the time had formal reliability programs for their emergency diesel generators, their onsite power sources.
After the owners implemented all the hardware, procedure, and training upgrades necessary to achieve compliance with the SBO Rule, the NRC assessed the effectiveness of the rule. The NRC staff estimated the risk of reactor core damage (i.e., meltdown) for each reactor before the SBO Rule and afterward. The red columns show the number of reactors in each risk range before the rule, while the green columns show their risk ranges after all the safety upgrades.
The risk numbers range from less than 0.5×10⁻⁵ to greater than 10×10⁻⁵ per reactor-year. But that convention means nothing to anyone other than die-hard ciphering aficionados. For the rest of the population (including me), it might be easier to understand the chart knowing that moving from the column on the extreme right to the column on the extreme left means the risk of core damage drops by a factor of 10. Or, moving from the left-most column to the right-most column means the chance of meltdown due to station blackout is 10 times greater.
Tables B-1, B-2, and B-3 in the NRC’s assessment summarized the measures undertaken at each reactor to comply with the SBO rule as well as the risks of core damage from SBO and from all causes. The safety upgrades included adding two more emergency diesel generators at Calvert Cliffs (MD), installing two gas turbine generators at Palo Verde (AZ), adding two emergency diesel generators at Prairie Island (MN), adding two emergency diesel generators at Dresden (IL), replacing the battery chargers at Hatch (GA), and installing additional batteries at Nine Mile Point (NY).
Despite the safety upgrades undertaken to meet the SBO rule requirements, station blackout remains a hazard at many reactors. For example, station blackout constituted 58 percent of the total risk of core damage at Oyster Creek (NJ) and Millstone Unit 1 (CT). The design of these reactors is very similar to that of the Unit 1 reactor at Fukushima Dai-ichi. The March 2011 meltdown of this Fukushima reactor due to a station blackout event strongly suggests the station blackout risk math was more right than wrong.
The nuclear industry had opposed the station blackout rule on grounds that it was extremely unlikely that both the offsite electrical grid and the onsite power supplies could be lost concurrently. The NRC listened to but was not persuaded by the repeated arguments.
March 20, 1990, proved the NRC right and the industry wrong.
The Unit 1 reactor at the Vogtle nuclear plant in Georgia lost its connection to the offsite grid. Its onsite power supplies consisted of two emergency diesel generators. One emergency diesel generator was disassembled at the time. The second emergency diesel generator automatically started and began supplying electricity to the safety systems cooling the reactor core.
But that emergency diesel generator stopped running after 70 seconds due to a faulty temperature sensor in its cooling system. The sensor had failed 69 times in the prior five years, but had never been fixed or replaced.
The disconnection from the offsite grid and the failure of the onsite power supplies interrupted the cooling of the reactor core. Unit 1 had been in a refueling outage at the time, and the temperature of the reactor vessel water was 90°F when the event began. Decay heat from the reactor core began heating this water at a rate greater than 1°F per minute. At that rate, the water would reach the boiling point in about 95 minutes. Without cooling being restored or makeup water being provided, the water in the reactor vessel would boil away, uncover the reactor core, and cause a meltdown.
Workers reset the tripped condition on the failed emergency diesel generator, allowing it to automatically restart about 20 minutes into the station blackout. But the faulty temperature sensor once again caused the emergency diesel generator to shut down about a minute later.
About 15 minutes later, workers manually restarted the emergency diesel generator in emergency mode. (As unusual as it may sound for an emergency diesel generator to have a mode other than emergency, it’s true. In normal mode, abnormal conditions like high cooling water temperature cause the emergency diesel generator to shut down, protecting it from catastrophic damage. In emergency mode, all these protective measures are bypassed and the emergency diesel generator will run until it tears itself apart.)
With the emergency diesel generator running for more than 70 seconds at a time, the operators were able to restore cooling of the reactor vessel water. It had heated up to about 136°F in the meantime.
March 11, 2011, again proved the NRC right and the industry wrong.
A large earthquake disconnected the Fukushima Dai-ichi nuclear plant from its offsite grid. The onsite power supplies (emergency diesel generators) automatically started and enabled the safety systems to continue cooling the reactor cores.
About 45 minutes later, a series of tsunami waves spawned by the earthquake reached the coastal site. Waves overtopped the protective seawall and inundated the plant. Water flooded the emergency diesel generator rooms located in the basement of the turbine buildings. The emergency diesel generators were submerged and disabled.
Workers struggled to deploy temporary pumps using portable power supplies, but were unable to restore cooling in time to prevent meltdowns of three reactor cores.
Safety by Intent
The station blackout hazard identified by the AEC staff in the mid-1960s and addressed by regulations adopted by the NRC in the mid-1980s claimed three victims in the early 2010s.
On March 12, 2012, the NRC ordered owners of U.S. nuclear power reactors to implement measures to protect against the station blackout hazard identified nearly 45 years earlier.
It’s not a pretty picture from a nuclear safety standpoint.
The NRC could have issued its station blackout rule in 1988 without a formal regulatory analysis showing that the cost of the upgrades necessary to comply with the rule was justified by the tangible safety benefits they provided.
If the upgrades were required for safety, how can the AEC/NRC possibly justify the more than two decades it took to address this mid-1960s concern? Allowing dozens of reactors to operate for decades with a known safety concern seems irresponsible at best.
And the decades of delay did not even get it right—the NRC had to issue orders in 2012 to supplement the halfway measures it mandated in 1988.
Makes one wonder how a capable regulator would have handled this known safety deficiency threatening millions of Americans.
Clue: “knot this weigh”
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster, and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances that they team up.