Disaster by Design/Safety by Intent #2
Disaster by Design
The March 1975 near-miss at the Browns Ferry nuclear plant in Alabama involved a fire in the cable spreading room. This room is located directly below the control room for the Unit 1 and Unit 2 reactors. Electrical cables from switches, gauges, and alarms on the control panels are routed through the floor into the cable spreading room where they radiate out to equipment throughout the plant. The fire burned for over six hours, destroying thousands of electrical cables. All of the emergency core cooling systems were disabled for the Unit 1 reactor and the majority of those safety systems were disabled for the Unit 2 reactor. Only heroic actions by workers prevented core meltdowns that fateful day.
Fire is a major hazard at nuclear power plants because it can, as it did at Browns Ferry, disable primary safety systems and their backups. While no fire has come closer to disaster than the Browns Ferry fire, there have been numerous fire and precursors that suggest the fire hazard still lurks about. The NRC has a webpage devoted to fire events and issues periodic updates. In the most recent update, the NRC included this chart of fire events (Fig. 1) at U.S. nuclear power plants annually between 1987 and 2011.
The box in the upper right corner indicates the source of information about the fire events. LER stands for Licensee Event Report and EN stands for Event Notifications, both required notifications by plant owners to the NRC. NPRD/EPIX is a database maintained by the Institute for Nuclear Power Operations for sharing information among plant owners. And NEIL provides insurance protection for the nuclear plants. This data show 3 to 14 fires occurring each year at the fleet of U.S. nuclear power plants.
The NRC also tabulated the locations and causes of the fires between 1987 and 2011 (Fig. 2). (Nuclear workers are advised not to perform other work at the other place—that would seem to invite spontaneous combustion.) The data show numerous fires in critical locations like control rooms, switchgear rooms, and diesel generator buildings.
Fig. 3 shows how the fires between 1987 and 2011 in the locations were discovered. It seems unusual that fire detection devices, mandated by NRC’s regulations, identify so few fires. Because that’s their sole purpose, the data suggest fire detectors may not be fulfilling their expected roles in fire protection.
Most of the fires at nuclear power plants between 1987 and 2011 were extinguished within 15 minutes (Fig. 4). Few fires burned for over an hour, and those lasting that long tended to be in less critical locations like the turbine building and switchyard. Fires in these locations pose less risk of fuel damage than fires in the switchgear rooms, control rooms, or cable spreading rooms.
Fig. 5 shows how fires between 1987 and 2011 were put out. That more fires put themselves out than were extinguished by fire suppression systems seems a strong indictment of the latter. Fire suppression systems required by safety regulations would put out more fires than doing nothing and waiting for a fire to burn itself out, yet doing nothing seems to be winning this competition.
The following summaries describe just a few of the many fires at U.S. nuclear power plants.
Browns Ferry Unit 1 (Alabama): Fission Stories #195 recounted the stubborn fire that burned for many days after the reactor restarted from a routine refueling outage in November 2014. During startup, the operators observed rising temperatures inside one of six charcoal absorber vessels. Each vessel is filled with tons of charcoal. Boiling water reactors like Browns Ferry continuously release gas to the atmosphere during operation. The gas flows through the charcoal beds to reduce the amount of radioactivity going out the exhaust stack. Workers suspected that a buildup of hydrogen gas within the system detonated and started the charcoal on fire in one of the six vessels. On November 8, workers manipulated valves to have the gas flow bypass the charcoal absorber vessels and to supply nitrogen gas to the vessels to extinguish the apparent charcoal fire. On November 14, workers stopped the nitrogen purge and restored the gas flow through the charcoal absorber vessels. When the temperatures began rising, workers once again had the gas flow bypass the vessels and restarted the nitrogen purge flow. Workers tried returning to the normal flow paths on November 22, but rising temperatures forced them back to the bypass and purge alignment on November 25.
Callaway (Missouri): Fission Stories #160 described the July 26, 2013, fire caused when workers swapped out the isophase bus duct cooling fans for a transformer. The main generator produced three phases of alternating current electricity. The electrical current was conducted along three parallel buses made from solid metal plates to the transformer. Each bus is encased in a cylinder. Fans blew air through the cylinders to remove heat emanating from the metal plates heated by the electrical current passing through them. Unbeknownst to the workers, metal blades of a bus duct damper (like the thin louvers in a floor or ceiling grating) had broken loose. The new fan blew a metal blade onto the energized bus, causing an electrical short. Soon, the flammable oil used to cool the transformer was ignited. The ensuing loss of the main transformer caused the automatic shut down of the generator which in turn caused the automatic shut down of the reactor.
Fort Calhoun (Nebraska): Fission Stories #110 explained how the failure of an electrical breaker on June 7, 2011, started a fire. The smoke and soot from the fire allowed electricity to arc across an opened breaker to cause voltage fluctuations on electrical circuits. The electrical problems rippled through the plant until power to both spent fuel pool cooling pumps was lost. (At the time, the reactor was shut down with all its fuel offloaded into the spent fuel pool.) It took 90 minutes for workers to restore the spent fuel pool cooling system.
Fort St. Vrain (Colorado): Fission Stories #39 described how the plant received its operating license in 1973 with no natural gas pipelines in the vicinity. But that soon changed as natural gas wells were drilled nearby (one well within 1,524 feet of the reactor building) and natural gas pipelines were installed (one within 500 feet of the electrical switchyard). The NRC wrote a scathing report (by NRC standards) in 1991 criticizing the plant’s owner for not properly evaluating the potential for these external hazards to adversely affect the safe operation of the facility. Right or wrong, the NRC’s “actions” were too late—the plant was permanently shut down in August 1989.
Hatch Unit 2 (Georgia): Fission Stories #22 described how hydrogen gas being injected into the water pipes of the condensate system to retard corrosion leaked into the turbine building. A hydrogen concentration of 14 percent—well above the four percent concentration needed for explosion—was indicated before the problem was corrected.
HB Robinson (South Carolina): Fission Stories #22 described how workers conducting a test of the main electrical generator mistakenly connected the hydrogen supply to the instrument and service air system piping. Hydrogen was pumped into several buildings at the plant, with hydrogen concentrations of six percent measured in the containment, auxiliary building, and turbine building.
Millstone Unit 1 (Connecticut): Fission Stories #66 recounted the two hydrogen explosions that rocked the plant site on December 13, 1977. The first one occurred at 9:30 a.m. within the offgas system’s piping. The offgas system in this boiling water reactor (BWR) pulls non-condensibles (e.g., air and other gases) along with some steam from the main condenser. Steam produced when water passes through the BWR core flows through the turbine to the main condenser. That flow also includes oxygen and hydrogen gases created by disassociation when water molecules pass through the core. The hydrogen concentration in the offgas system piping rose above the 4% level and detonated. This first explosion broke a glass face on a pressure gauge, failed a rupture disk, and blew out the water from several loop seals in the offgas system’s drain lines. The water-filled loop seals are like the S’s in commode drains that prevent sewer line odors from wafting into homes. The emptied loop seals allowed hydrogen gas to flow into a two-level building at the base of the tall stack used to exhaust flow from the offgas system to the atmosphere. At 1:00 p.m., the hydrogen gas inside this building blew its door 200 feet away, dislodged the 2-ton floor plugs, and cracked the concrete stack.
Quad Cities Unit 2 (Illinois): Fission Stories #178 described problems encountered during the April 2, 2014, attempted restart of the reactor. With the reactor at about 8% power during the startup, alarms in the control room indicated there was a fire in the turbine building. The leader of fire brigade dispatched to the scene reported back to the control room that no smoke or fire was found, but there seemed to be steam leaking into the building. The operators shut down the reactor and closed isolation valve to stop the steam flow into the turbine building and the steam leak inside it. About 40 minutes after the initial fire alarms, workers reported thick black smoke in the turbine building. The fire brigade was sent back to the scene, but were unable to find any fire. About an hour after the initial fire alarm, heat melted fusible links to automatically actuate the fire sprinkler system and extinguish the elusive fire. The subsequent investigation found that the insulation on a 42-year-old electrical cable split open when it was bent around a tight corner. Humidity from the steam leak and the failed cable insulation allowed electricity to flow and contact metal conduit and cable trays, igniting the fire. The steam leak was attributed to an expansion joint that had been installed backwards decades earlier during construction of the plant and finally broke.
Trojan (Oregon): Fission Stories #40 explained the NRC’s reaction upon discovering in April 1989 that the storage tank for highly flammable hydrogen gas was located on the roof of the control room. The NRC estimated that detonation of this tank would be the equivalent to exploding 217 pounds of TNT on the control room’s (former) roof. Deepening their dismay was the fact that the relief valves on the hydrogen storage tank were positioned near the intakes for the control room’s ventilation system.
Vermont Yankee (Vermont): Fission Stories #68 described the June 18, 2004, fire at the main transformer. Workers routinely inspected the metal plates comprising the bus bar conducting electricity from the generator to the main transformer for wear and tear, but did not look at the flexible connectors linking the bus bar to the transformer. Pieces from a degraded flexible connector broke off and grounded one of the three phase buses. This electrical short ignited oil used to normally cool the transformer (or barbeque it when ignited).
Waterford (Louisiana): Fission Stories #17 described the June 10, 1995, event where an offsite power grid disturbance caused the reactor to automatically shut down. Detectors in the plant sensed a fire had started and triggered alarms in the control room. But the operators did not notice these fire alarms amidst all the other alarms triggered by the grid disturbance and reactor shut down. A worker called the control room to report flames near the electrical switchgear which distributes electricity from offsite and onsite sources to emergency equipment. The plant’s fire brigade tried unsuccessfully to put the fire out using portable extinguishers. The local fire department was called in. The plant’s fire brigade leader did not allow the firefighters to spray water onto the fire, fearing it would short out electrical equipment in the area. (A major lesson from the Browns Ferry fire had been to use water before the fire damages more things than water might damage.) Finally, the fire brigade leader allowed the professional firefighters to use water and they had the fire out within four minutes. The fire had burned for nearly an hour.
Waterford (Louisiana): Fission Stories #124 recounted the discovery by security officers of a box labeled “Explosives” within a building at the plant. No one fessed up to owning the box and it was speculated that the explosives may have been used to test an explosives detector at the entrance to the protected area.
Safety by Intent
Given the large inventory of high voltage equipment, flammable fluids, and combustible materials at nuclear power plants, fires are going to happen. Because of this reality, safety dictates that fires be detected as soon as possible and extinguished before inflicting extensive damage. The data strongly suggest that the design of fire detection and fire suppression systems should be reviewed. These safety measures seem to be falling short of expectations.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how addressing pre-existing problems can lead to a more effective defense-in-depth protection.