Disaster by Design/Safety by Intent #16
Disaster by Design
The Davis-Besse nuclear plant near Oak Harbor, Ohio is probably best known for a small leak of borated water from the reactor vessel between 1996 and 2002 that corroded through six inches of the vessel's head, exposing its stainless steel liner. That quarter-inch thick liner was all that kept the plant from experiencing a very serious loss of coolant accident.
Had the exposed liner burst open, or had a pipe connected to the reactor vessel broken, the high pressure inside the vessel (over 2,000 pounds per square inch) would have rapidly pushed water through the opening. Davis-Besse's design called for an initial response from the emergency core cooling systems in what is called the "injection phase." An array of standby pumps would have automatically started and transferred water from a large storage tank into the reactor vessel to cool the nuclear core. The water jetting from the opening would have drained into a large concrete pit called the containment sump in the basement of the containment building (see red regions in Fig. 1).
As the accident progressed (and the storage tank emptied), the emergency core cooling systems would have transitioned into the “recirculation phase.” Some valves would have closed while others would have opened so the pumps could draw water from the containment sump instead of the storage tank. The pumps would have supplied the water to the reactor vessel where it cooled the nuclear core before flowing through the opening onto the containment floor again.
Recirculation Phase Glitch
The high pressure injection (HPI) pumps at Davis-Besse (labeled high pressure safety injection (HPSI) and circled in Fig. 1) had a design glitch. The two HPI pumps feature hydrostatic bearings with water injected into the small space between the pump’s rotating shaft and its outer casing. The water keeps the shaft centered to minimize wear and tear from contact with non-moving parts of the pump. The water injected into the hydrostatic bearing is process water—meaning it is the same water drawn from either the storage tank or the containment sump.
The water in the storage tank is not potable, but it is relatively “clean” from a chemical and debris perspective. The water from the containment sump, on the other hand, is another story. The high velocity water jetting from the ends of a broken pipe can scour coatings off equipment, insulation off piping, and even paint off walls. The water can then carry the debris down into the containment sump, along with any dirt and material on the containment’s floor. The pipes between the containment sump and the emergency pumps, like the HPI pumps, are equipped with metal mesh screens to prevent large debris from fouling the pump impellers.
The original injection ports for the hydrostatic bearings on the HPI pumps at Davis-Besse were smaller than the mesh size of the protection screens. Consequently, debris passing through the protective mesh screen could clog the injection ports and disable the HPI pump(s).
Davis-Besse was the only nuclear plant operating in the United States with this type of pump. But it was not the only nuclear plant in the world using it. Nuclear plants in France used the same pump. The French recognized this design flaw in the early 1980s and conducted an extensive test program in 1980 and 1981 to identify a solution that corrected it.
Safety by Intent
France and Ohio are in different time zones. Usually, the difference is a few hours. In this nuclear safety case, the time difference was nearly two decades.
The nuclear plants in France using the HPI pumps with the design flaw found and fixed it by 1982.
The nuclear plant in Ohio using the same HPI pumps with the same design flaw did not find it until October 22, 2002, and did not fix it until the next year (using essentially the same fix used in France).
It should not take two decades for a nuclear safety fix implemented in France to find its way into nuclear plants in Ohio.
Had the design glitch disabled both of the HPI pumps at Davis-Besse during a loss of coolant accident, their incapacity would not have caused a reactor meltdown. Other emergency core cooling system pumps, like the low pressure injection pumps, would also have had to fail for a meltdown to occur.
But a nuclear plant operating for two decades with a defective safety system—especially a defect with a known solution—is intolerable. Defense-in-depth shrinks unacceptably when known problems are not corrected.
Is fixing known problems in a timely manner good for nuclear safety? Oui.
—–
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.