Fission Stories #58 covered a problem controlling the reactor power level at the Millstone Unit 2 reactor in February 2011. This story covers a reactor power control problem at the Pilgrim reactor just three months later.
In May 2011, the operating crew restarted the boiling water reactor at Pilgrim from a refueling outage. Operators withdrew control rods from the reactor core until criticality, or a sustained nuclear chain reaction, was attained. The operators continued increasing the reactor’s power level, within various limits, towards full power.After withdrawing five control rods from the reactor core one foot each (a control rod is 12 feet long, so this modest withdrawal was less than 10 percent of the entire length), the computer showed the operators that the water temperature inside the metal vessel housing the reactor had risen 18°F over the past 5 minutes. The computer also projected that if that rate were maintained for a full hour, the water temperature would increase 216°F. The legal limit on the heatup and cooldown rate is 100°F per hour to protect the metal vessel from damage caused by excessive expansion and contraction forces.
Concerned that they might violate the heatup rate, the operators re-inserted these five control rods one foot each. The control rods reduced the reactor’s power level. The computer showed the operators that the water temperature was no longer increasing.
Since they were attempting to restart the reactor, the operators needed for the reactor’s power level and the water temperature to steadily increase within bounds. So, the operators withdrew the five control rods one foot each and also withdrew another control rod. The reactor power level began doubling every 20 seconds. This meant that a reactor operating at 1 percent power would be at 2 percent power 20 seconds later, 4 percent power 40 second later, 8 percent power 60 second later, 16 percent power 80 seconds later, 32 percent power 100 seconds later, 64 percent power 120 seconds later, and 128 percent power 140 seconds later.
At least in theory that’s what it meant. In practice, the reactor protection system sensed the reactor was out of control and caused all of the control rods to fully insert within seconds to terminate the runaway nuclear chain reaction.
The nuclear hokey pokey at Pilgrim, like the unplanned power rise at Millstone, was a self-inflicted wound. There was not a single equipment malfunction, just many operator malfunctions.
The operators over-reacted to an apparent high heatup rate by re-inserting control rods. They then over-reacted to an apparent low heatup rate by re-withdrawing control rods. In doing so, the increased the reactor power level too rapidly and triggered an automatic reactor shut down.
What the operators needed to have done was absolutely nothing. The initial indication of an excessive heatup rate (i.e., the 18°F increase over a 5-minute period) resulted from having just withdrawn four control rods. Had the operators exercised some patience, that virtue would have been rewarded by having the heatup rate slow down. Minutes later, the operators would have had to withdrawal some more control rods to maintain the heatup rate above 0°F but below 100°F per hour. Instead, the operators over-corrected and over-corrected again. Two wrongs still don’t make a right.
Our Takeaway
The Millstone and Pilgrim events each featured equipment working entirely properly and operators working thoroughly improperly. The turbine valve testing at Millstone and the reactor startup at Pilgrim are fairly routine, low stress evolutions. Or at least they were until operator miscues turned them into non-routine, high stress misadventures.
When highly trained operators stumble over such low hurdles, serious doubt arises as to their performance when faced with higher hurdles. When operators cannot adequately implement routine procedures, it seems unlikely they’d fare better trying to follow procedures during a severe accident.
Because the operators at Pilgrim and Millstone are typical of operators at every U.S. reactor, these two events are clear signals that operators everywhere need to up their game. For if there’s ever an event involving equipment malfunction(s), operator miscues can convert a hiccup into a fatality.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.