Disaster by Design: Safety by Intent #12
Disaster by Design
What do the Browns Ferry nuclear plant in Alabama and the Fukushima Dai-Ichi nuclear plant in Japan have in common?
Yes, they are both mentioned in the question.
Yes, they are both boiling water reactors.
Yes, they were both constructed in the 1970s.
But the common trait they shared for the purpose of this commentary is that both experienced a challenge greater than they were designed to handle. At Fukushima, tsunami water flooded and disabled the onsite emergency power supplies after an earthquake had knocked out the offsite power supplies. The plant was designed to use batteries for up to eight hours while an onsite or offsite power supply was recovered. But recovery took nine days, during which time three reactor cores were damaged by overheating despite sustained, valiant efforts by workers to rig up interim cooling methods.
On March 22, 1975, a fire broke out in the room directly below the Unit 1 and Unit 2 control rooms at Browns Ferry. Electrical cables connecting switches in the control room with safety equipment throughout the plant, as well as gauges, recorders, and computers in the control room with sensors in the plant, passed down through the floor and radiated out from the room below. The fire burned the insulation off the cables, causing the exposed wires to short out. The fire blazed for nearly six and a half hours, disabling all of the emergency core cooling systems for the Unit 1 reactor and most of those systems for the Unit 2 reactor. The water level dropped to within an estimated 18 inches above the reactor core (the normal water level is about 15 feet above the core). But workers were able to regain just enough control to use some non-safety pumps to get makeup water into the reactor vessels and avert disaster that day.
Before the Browns Ferry fire, NRC inspectors and managers (although working for the Atomic Energy Commission at the time—the NRC was formed on January 1, 1975) documented their concern that electrical cable installations at the plant “did not meet the intent of their FSAR’s [Final Safety Analysis Reports] nor what would be considered as good industry practices” (Fig. 1).
The sub-standard configuration at Browns Ferry was not corrected and was exploited a year and a day later.
Origin of the 1980 fire regulations
The NRC responded to the Browns Ferry’s near-miss by revising 10 CFR 50.48 and adding Appendix R to its regulations in 1980 to better manage the fire risk. Upgraded fire detection and suppression capabilities were mandated to lessen the chances of a single fire disabling primary safety systems and their backups. Owners had to show that for a postulated fire in each room or area of the plant, at least one system would survive that would adequately cool the reactor core.
Cable separation played a key role in meeting the NRC’s fire protection regulations. Cables for a primary system could be routed far enough away from the cables for backup systems that one fire could not damage them all. Alternatively, cables for primary and backup systems could be routed closer together provided that at least one set of cables was wrapped in fire-resistant material rated to last longer than the fire.
In the mid to late 1990s, the NRC’s inspectors found that many nuclear plants did not comply with the fire protection regulations. Efforts had been undertaken to comply, but those efforts had not always been successful. Perhaps the primary reason for non-compliance involved the fire-resistant materials wrapping electrical cables. These wraps had one-hour or three-hour ratings depending on factors like availability of fire detectors and automatic suppression systems. In the late 1980s and early 1990s, tests showed that many wraps failed before their rated durations. A test of one fire wrap with a one-hour rating showed that it failed in less than ten minutes. Rather than remove and replace the faulty wraps or relocate cables, many owners decided to let a fire damage both sets of cables and dispatch workers to manually operate safety equipment that would have been used with undamaged cables.
The NRC’s 1980 regulations permitted such manual actions, but only when they had been formally reviewed and approved by the NRC.
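The separation-or-wrap criterion described above can be checked mechanically for a plant layout. The Python below is an added example, not code from the post or from the NRC; the fire areas, trains, the one-hour postulated fire and the wrap-failure factor are constructed assumptions.

```python
# Added example, not from the original post: a small model of the Appendix R
# criterion that for a postulated fire in any one area at least one safety
# train must survive. All layouts, areas and ratings here are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Cable:
    train: str               # safety train the cable serves ("A" = primary, "B" = backup)
    area: str                # fire area the cable runs through
    wrap_hours: float = 0.0  # fire-wrap rating in hours; 0.0 means unwrapped


def surviving_trains(cables, fire_area, fire_hours, wrap_factor=1.0):
    """Trains whose cables all survive a fire of fire_hours in fire_area.

    A cable in the burning area is lost unless its wrap outlasts the fire.
    wrap_factor scales the nominal rating to model test results showing wraps
    failing early (0.15 approximates a one-hour wrap that failed in ~9 minutes).
    """
    all_trains = {c.train for c in cables}
    damaged = {
        c.train for c in cables
        if c.area == fire_area and c.wrap_hours * wrap_factor < fire_hours
    }
    return all_trains - damaged


def check_separation(cables, fire_hours, wrap_factor=1.0):
    """Map each fire area to True if at least one train survives a fire there."""
    return {
        area: bool(surviving_trains(cables, area, fire_hours, wrap_factor))
        for area in {c.area for c in cables}
    }


# Constructed layouts: physical separation versus co-routing with a wrapped backup.
SEPARATED = [Cable("A", "cable_room_1"), Cable("B", "cable_room_2")]
CO_ROUTED = [Cable("A", "spreading_room"), Cable("B", "spreading_room", wrap_hours=1.0)]

if __name__ == "__main__":
    postulated_fire = 1.0  # hours; assumes detection and automatic suppression present
    print("separated:", check_separation(SEPARATED, postulated_fire))
    print("co-routed, wrap as rated:", check_separation(CO_ROUTED, postulated_fire))
    print("co-routed, wrap failing at 15% of rating:",
          check_separation(CO_ROUTED, postulated_fire, wrap_factor=0.15))
```

The co-routed layout passes on paper with the wrap performing as rated and fails once the wrap's real endurance is substituted, which is the gap the inspectors found.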
Origin of the 2004 fire regulations
The nuclear industry threatened to fire off a flurry of requests for NRC’s approval of all the then-illegal manual actions. The NRC averted the resource-black-hole of having to read and then evaluate all those requests (one plant reportedly relied on nearly 300 unapproved manual actions) by adopting an alternative set of fire protection regulations in 2004. Called the NFPA 805 option for the National Fire Protection Association standard it endorses, the alternate regulations permit manual actions without prior NRC express authorization as long as criteria established in the new regulation are met.
Owners now have the option of either complying with the 1980 Appendix R regulations or the 2004 NFPA 805 regulations.
Unfortunately, owners also have the option of not complying with either set of fire protection regulations.
Continuing non-compliance
About a third of the nation’s operating nuclear power reactors still do not comply with either the 1980 or the 2004 regulations—including the three reactors at Browns Ferry.
On October 28, 2015, the NRC approved the plans for Browns Ferry transitioning from non-compliance with all the fire protection regulations to compliance with the 2004 regulations. It’s going to take several more years before Browns Ferry actually complies with fire protection regulations that its near-miss caused. In its approval, the NRC directed the owner “…to complete the transition to full compliance with 10 CFR 50.48(c) no later than the end of the second refueling outage (for each unit) following issuance of the license amendment.” Refueling outages at Browns Ferry are typically conducted every two years, but have lasted for six, ten, and even twenty-two years. So, it seems at least possible that Browns Ferry will operate in compliance with fire protection regulations later this century. Or, perhaps by sometime early in the 22nd century.
Safety by Intent
Safety by Intent involves establishing and enforcing regulations that manage risks to an acceptable low level.
Safety by Luck involves not enforcing regulations established to manage risks to acceptably low levels and hoping the vulnerabilities are never exploited.
More than four decades after a fire nearly caused two reactors to melt down, thirty-five years after fire protection regulations were adopted, and a decade after alternative fire protection regulations were adopted, Browns Ferry remains protected from a fire—unless a fire occurs.
We must do better. As AEC manager C. E. Murphy wrote more than forty years ago, “We have not yet achieved our goals.”
An agency giving more than lip service to safety would have achieved the goals long before now.
—–
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.