The operators in the control room of the Unit 2 pressurized water reactor (PWR) at the Millstone nuclear plant in Connecticut reduced the power level from 100% to 88% on February 12, 2011, to test the control valves for the main turbine. This testing is conducted on a quarterly basis.
Because operating crews work rotating shifts, it had been many months since this group had conducted the testing. Several steps were taken to prepare the operating crew for the infrequent operation and to guard against mistakes during it. All of those precautions and protections came to naught when the test was messed up badly, causing the reactor power level to jump without operator control. Adding insult to injury, the operators initially believed the reactor power level had increased only to half of what it was later determined was the full increase.The operating crew reported to the training center at Millstone on February 10 to review the applicable procedures and carry them out on the full-scale control room simulator. To protect against errors, each of the operators manipulating switches on the control panels had someone guiding them step-by-step through the procedures. These second persons peer-checked the actions of the first operators, ensuing that the right switches were manipulated at the right time in the right direction.
The key to the test involved maintaining balance. The operators reduced the reactor’s power level from 100% to 88% for the test. An inherent consequence of the power reduction was the buildup of a fission byproduct called xenon that caused power to drop further. To balance this effect, the operators diluted the concentration of boron in the reactor cooling water. Removing boron from the system increased the reactor’s power level, offsetting the effect from xenon to maintain the power level steady.
The test involved closing each of the four turbine control valves one at a time. The turbine control valves (labeled CV in the figure) regulate the flow from the steam generators into the main turbine to maintain constant pressure at that point. The operators manipulated switches that opened three control valves slightly to compensate for the one control valve being closed.
To further assure proper balance, the operators opened one of the turbine bypass valves (labeled BPV in the figure). The open bypass valve allowed steam to detour around the turbine control valves and the turbine and flow directly into the condenser. In case of a mismatch between the one closing control valve and the three opening control valves, this bypass valve would automatically modulate to maintain constant steam flow, which in turn holds the reactor’s power level steady. The operators completed the practice test on the control room simulator successfully.
Two days later, the freshly retrained operators reported to the real Unit 2 control room for a repeat performance. Things that had gone so smoothly two days earlier went horribly awry this day.
The leader of the operating crew conducted a pre-job briefing in the control room to review the test procedures and revisit each individual’s responsibilities. The operators then reduced the reactor’s power level to 88% as planned and practiced. The operators diluted the boron concentration and opened the turbine bypass valve as they had done in the simulator two days earlier.
But when the first control valve was tested, the operator turned the switch for the remaining three control valves in the wrong direction. That operator’s peer-checker observed the switch being turned, but mistakenly believed it was in the proper direction. The control room supervisor also was watching the test and saw the switch turned in what he also mistakenly thought was the proper direction.
Because the switch was actually turned in the wrong direction, the action intended to balance the control valve’s movement actually upset the balance even more. The operator and the peer-checker immediately saw balance being lost. The switch was mis-operated three more times in errant attempts to restore balance. The mistakes further upset the balance.
The turbine bypass valve, which had been opened as a precaution in case the balance between the closing and opening control valves was lost, went fully closed about a minute later in another futile attempt to restore the balance. Once closed, it was no longer able to help balance things out. The leader of the operating crew noticed that the bypass valve had closed and directed an operator to re-open it about 45 second later. But the bypass valve automatically re-closed within six seconds. These clear signs of deteriorating conditions were not heeded.
The imbalance resulted in higher steam flow into the main turbine. The turbine inlet pressure, which was supposed to be held constant via all of the balancing measures, increased 10%. In a PWR like Millstone Unit 2, increasing the steam flow rate causes the reactor’s power level to increase. Three minutes after the test began, the power level stabilized at 96% – 8% higher than when the test began.
An 8% power increase may not sound serious. It may even seem close enough for government work. But according to the Nuclear Energy Institute, a single uranium fuel pellet contains as much energy as 17,000 cubic feet of natural gas, 1780 pounds of coal, or 149 gallons of oil. The 8% power increase represented the equivalent of about 140,000 more fuel pellets producing power – or adding 2,380,000,000 cubic feet of natural gas, 249,200,000 pounds of coal, or 20,860,000 gallons of oil to the furnace with neither knowledge nor control over it. Losing control of that much energy is seldom prudent.
The operators reduced the reactor’s power level back down to 88% and successfully completed the turbine control valve testing about an hour later.
Normally after a misadventure like this one, the measures taken to prevent recurrence include a dry run of the test steps on the control room simulator shortly before the real test, conducting a pre-job briefing right before the test to review steps to be taken and air any last minute questions, and assign persons to peer review all actions taken by the operators at the controls to verify adherence to procedures. But all of these measures were taken here and yet the bad outcome still happened.
One of the lessons from the March 1979 accident at Three Mile Island was the need to improve operator training. That lesson resulted in significantly expanded initial training and frequent re-training on full-scale control room simulators. During simulator training sessions, instructors cause pumps to fail, instrumentation to read inaccurately, and other equipment to malfunction to test the operators’ abilities to use procedures to cope with these problems.
Another lesson from Three Mile Island has not been as fully addressed. That accident demonstrated that too much attention had been focused on hardware performance with inadequate consideration of the human side of the safety equation. This Millstone event reflects continued tunnel-vision on hardware concerns.
No equipment malfunctions factored into this near-miss at Millstone. All of the problems were self-inflicted by the operators. The operators’ extensive training prepared them to cope with equipment malfunctions but left them unprepared to handle their own errors.
Because simulator training remains overly focused on equipment malfunctions, the nuclear industry continues to encounter operator errors inside the real control rooms where the risks and costs are considerably higher. Training sessions would be more valuable if they included intentional operator miscues to first test whether the peer checkers noticed the errors and then test the operating crews ability to properly respond to the mis-steps. Equipment failures are intentionally introduced to ensure procedures and the operators’ training deal with them successfully Operators mistakes should be intentionally introduced for the same reason and result.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.