Fission Stories #131: You Can’t Fix Stupid

February 26, 2013 | 6:00 am
Dave Lochbaum
Former Contributor

Standup comedian Ron White has a routine where he points out that people can get hair transplants for receding hairlines, Botox injections for emerging wrinkles, plastic surgery for face-lifts, tummy tucks, and butt lifts, laser surgery for near-sightedness, hip and knee replacements, and many other medical procedures to remedy perceived problems. White concludes that despite all these available remedies, one still cannot fix stupidity.

Segue to the nuclear industry.

(Click to enlarge)

In the early 1970s, Westinghouse sent a report to all its customers about a problem observed at the Beznau Unit 1 pressurized water reactor in Switzerland. Borated water had leaked through a seal weld on a control rod drive mechanism (CRDM). The borated water dripped onto the reactor vessel head. The water evaporated, leaving behind boric acid crystals. Boric acid is very corrosive to the metal of the reactor vessel head. After removing the boric acid, workers found a 2-inch long, 1-inch deep crescent-shaped indentation caused by boric acid corrosion. Westinghouse alerted its customers about this incident and cautioned them to eliminate any accumulation of boric acid on metal components of the reactor coolant system.

The reactor resides in the lower portion of the reactor vessel. The reactor vessel is made of carbon steel with walls six to seven inches thick. The inside surface of the reactor vessel is coated with a thin layer of stainless steel for protection against the corrosive borated water. Stainless steel is far more resistant to boric acid than carbon steel. The outside surface of the reactor vessel lacks such protection.

The systems used to regulate the power level of the reactor core include control rods. When fully inserted, the control rods prevent a nuclear chain reaction and the reactor remains shut down. Control rods are withdrawn from the reactor core to increase the nuclear chain reaction rate and increase the reactor’s power level. The motors that raise (withdraw) and lower (insert) control rods are located directly above the reactor vessel head. Metal poles connect each control rod to its motor. These poles pass through four-inch diameter holes, called nozzles, cut through the reactor vessel head. Just above the reactor vessel head, flanges (shown in the red circle in the figure) allow the nozzles to be connected to the motor units. For increased protection, these connections at Beznau were welded together in an attempt to prevent any leakage of borated water through the nozzle to the outside surface of the reactor vessel head. But it happened, anyway.

Westinghouse’s warning did not prevent more leaks and more damage. On St. Patrick’s Day in 1988, the NRC sent a more stern advisory to owners of U.S. pressurized water reactors. The NRC reported that borated water had leaked through a seal weld on a control rod drive mechanism at the Salem Unit 2 pressurized water reactor resulting in corrosion up to 0.36 inches deep in its reactor vessel head. This incident was very similar to the one in Westinghouse’s alert, except that the reactor was in New Jersey instead of Switzerland.

The NRC also described other problems at U.S. reactor from leaking borated water causing boric acid corrosion:

  • Boric acid corrosion up to a depth of 0.25 inches damaged three of the bolts holding the reactor vessel at the Turkey Point Unit 4 pressurized water reactor together.
  • Boric acid corrosion damaged a valve in a reactor cooling system at the San Onofre Unit 2 pressurized water reactor, allowing approximately 18,000 gallons of water to drain from the reactor vessel into the containment building.
  • Boric acid corroded the nozzle of the high pressure emergency makeup system at the Arkansas Nuclear One Unit 1 pressurized water reactor. The maximum corrosion depth was 0.5 inches in a pipe with walls only 0.75 inches thick.

The NRC required owners to develop and maintain boric acid corrosion control programs to specifically look for signs of borated water leaks and formally evaluate any boric acid residue found on vulnerable metal parts of the reactor coolant system.

The NRC had warned the owners about the boric acid corrosion hazard five separate times in the prior eight years (here, here, here, here, and here). These warnings had not effectively resolved this recurring problem, prompting the NRC to mandate specific boric acid corrosion control programs be instituted.

A few years later, a valve at the Davis-Besse pressurized water reactor began leaking borated water. Workers attempting to stop the leak noticed that two of the nuts for the eight bolts holding the valve together were missing. The original bolts and nuts were made of stainless steel – the workers replaced the nuts with ones made of carbon steel.

Boric acid corroded the nuts as boric acid as been known to do to carbon steel for three decades. In August 1999, the NRC considered imposing a $55,000 fine on Davis-Besse’s owner for this breakdown in its boric acid corrosion control program but waived it based on the company’s volunteering to upgrade its boric acid corrosion control program and train its workers on it.

In April 2000, an NRC inspector at Davis-Besse was handed the above photograph. It shows rivers of red rust and white boric acid crystals running down the outside surface of the carbon steel reactor vessel head from two inspection ports. The NRC inspector filed the photograph away without conducting any examinations or asking any questions of the plant’s owner.

(Click to enlarge)

In March 2002, workers were “shocked” to discover that boric acid had eaten entirely through the carbon steel reactor vessel. The only thing that kept the reactor cooling water inside the reactor vessel was the thin veneer of stainless steel (the silverfish area in the photograph) applied to the inside surface – and it was bulging outward and cracked under the pressure).

The control rod drive mechanisms had been leaking borated water for many years. Contrary to its boric acid corrosion control program, workers at Davis-Besse never removed all the boric acid residue and formally evaluated the carbon steel underneath for damage. Instead, they ignored warning after warning.

At the request of the NRC, researchers at the Oak Ridge National Laboratory answered the “what if” question – what if the damage had not been found during the refueling outage in 2002 and Davis-Besse restarted? The Oak Ridge scientists concluded that based on the rate borated water was leaking and the associated corrosion rate was enlargening the hole, the stainless steel layer would have burst in two to eleven more months of reactor operation. Davis-Besse operated 18 to 24 months between refueling outages – had it restarted with the leak unfixed, the reactor would likely have experienced a very serious loss of coolant accident when the hole in its head fully opened up. Coupled with other safety impairments that existed at the time (such as the high pressure injection pump), this accident would very likely have been worse than Three Mile Island but not as bad as Chernobyl.

Our Takeaway

Ron White is right – you can’t fix stupid.

But stupidity really isn’t to blame here, despite all the ignored or dismissed warnings.

Diane Vaughan defined a better cause in her 1997 book, The Challenger Launch Decision, about the explosion of the space shuttle Challenger. Flames from the burning fuel got past two o-rings in the external fuel tanks to ignite the tanks a few seconds after blast-off. O-ring damage had been experienced in past shuttle flights. Each o-ring was supposed to provide complete protection against burn-through, yet single o-ring failures had occurred several times. But since both o-rings had never failed – until Challenger – the situation was often observed but never corrected.

NASA’s workers literally include rocket scientists. They are not stupid. Instead, Vaughan described their behavior as the “normalization of deviance.”

The first time o-ring damaged was observed, it was abnormal. O-rings are not supposed to fail, but one did. With each succeeding o-ring failure, abnormal became normal. O-rings can be tolerated to fail, because the double o-ring design protects against single failures.

Until the cold weather conditions for the January 1986 launch of Challenger degraded both o-rings causing both to fail – and Challenger to be lost with all souls on board.

Decades ago, the NRC adopted regulations intended to protect against the “normalization of deviance.” Appendix B to 10 CFR Part 50 requires that plant owners find and fix safety problems in a timely and effective manner. The goal is to find safety problems at the first opportunity and to fix them right the first time.

The very near-miss at Davis-Besse happened because its owner violated 10 CFR Part 50 Appendix B repeatedly over many years. Similar breakdowns caused year-plus outages at Millstone, Salem, Sequoyah, Fort Calhoun, and many other reactors over the past four decades.

As described in Fission Stories #121, the Palisades reactor operated last year for 30 days with a leak that NRC’s safety regulations only permitted to exist for 6 hours. Time and again, the Palisades reactor violates this key safety regulation. And time and again, the NRC does absolutely nothing about it. Nothing at all, unless looking the other way counts as something.

The NRC did not revise or supplement any safety regulations following the near-miss at Davis-Besse. There was no need. Regulations had existed for many years that did not allow what had long been done at Davis-Besse. Yet the company did not follow them and the NRC did not enforce them. What’s the point of lawmaking when you clearly don’t care about lawbreaking?

In perverse irony, these 10 CFR Part 50 Appendix B violations were tolerated by plant owners and the NRC because defiance from the regulations became normal. Perhaps it did take 15 opportunities to notice a safety problem at this reactor; the backups worked fine so it’s no big deal. Perhaps it did take 8 fixes to finally correct a safety problem at that reactor; the safety system was never needed during that period so it’s no big deal.

The Challenger Launch Decision should be required reading for all nuclear plant workers and NRC inspectors. It clearly explains how intelligent, dedicated, caring individuals can delude themselves into accepting non-conforming conditions that can someday factor in disaster.

 

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.