Disaster by Design/Safety by Intent #1
Disaster by Design
The March 2011 disaster at the Fukushima Daiichi nuclear plant in Japan did not reveal flooding to be a nuclear safety hazard; it reminded us of this well-known threat. Flooding from internal sources (e.g., broken pipes and failed storage tanks) and from external sources (e.g., heavy rainfall and swollen rivers) had long been recognized as a risk to be managed with an array of flood protection measures. As the following summaries—an abridged sampling among many such events—indicate, there were numerous reminders before Fukushima.
Calvert Cliffs (Maryland): Fission Stories #170 described how a winter storm dislodged a ventilation cover and allowed snow to enter an electrical cabinet. Melting snow wetted and shorted an electrical breaker inside the cabinet. The electrical problem rippled through the plant and caused both reactors to automatically shut down. Precipitation events had previously precipitated problems at Calvert Cliffs: both reactors also tripped due to moisture intrusion on February 18, 2010, which followed moisture intrusion problems in August 2009 and July 2008.
Columbia Generating Station (Washington): Fission Stories #5 described a June 17, 1998, event where smoke from workers cutting and grinding metal tubes tricked fire detectors into thinking something was burning. By design, the fire detectors signaled valves to open that filled fire sprinklers with water. Water did not spray from the sprinkler nozzles because metal caps that would melt away in an actual fire remained intact. But the four fire protection pumps sensed the pressure dropping in the fire header pipes as water flowed into the fire sprinklers. The pumps automatically started to refill the headers and, had there been a real fire, would have sustained the flow needed to put it out. The pumps quickly filled the headers. When water filled the empty piping and abruptly stopped flowing, the resulting water hammer sent a pressure wave racing through the fire protection piping. The pressure surge broke the casing of a valve, allowing water to pour into a stairwell inside the reactor building. About 163,000 gallons of water flowed into the reactor building’s basement. Some entered the room housing residual heat removal pump “C” through a watertight door that had been improperly closed. Water entered a drain in the floor of this room, flowed through the drain pipe, and emerged into a nearby room housing the low pressure core spray pump. Both emergency pumps were disabled by the flood water.
Cooper (Nebraska): Fission Stories #6 described a sequence of events that began when a worker using a bulldozer to landscape ground around the plant accidentally sheared off a fire hydrant. A geyser of water shot up into the air from the broken hydrant until workers closed a valve to isolate the broken pipe. The pressure inside the fire header pipes dropped when water sprayed from the broken hydrant. The fire pumps quickly refilled the pipes. The pressure surge when the pipes were completely filled caused some of the fire sprinkler valves to pop open and spray water into the room containing the standby gas treatment (SBGT) system. The SBGT system is an emergency system normally in standby mode. During an accident, the system’s fans draw in air from the reactor building and refueling floor and pass it through filters and charcoal beds intended to significantly reduce the amount of radioactivity released from the plant’s tall exhaust stack. The inadvertent fire suppression system discharge flooded the charcoal beds and disabled the SBGT system.
Fort Calhoun (Nebraska): An All Things Nuclear blog post described the NRC’s commendable role in identifying flood protection shortcomings at the plant and compelling the owner to correct them, which came in handy in June 2011 when the Missouri River flooded its banks.
Haddam Neck (Connecticut): Fission Stories #63 described an August 21, 1984, event where a failed seal allowed 200,000 gallons of water to drain from the refueling cavity into the containment building in only 22 minutes, flooding the containment floor 18 inches deep.
Hatch Unit 1 (Georgia): Fission Stories #114 described a December 21, 1985, event where workers simulated a loss of the offsite power grid to test that the plant’s response matched its design. Prior to the test, the operators had closed a valve upstream of the suction valve for one of the residual heat removal (RHR) pumps to allow the suction valve to be removed for maintenance. The closed valve was air-operated—coiled springs kept this valve open unless compressed air pressure overcame the spring force and closed it. During the simulated loss of offsite power test, the compressed air system was de-energized. The springs opened the valve and allowed water to flow through the opening created by the removed suction valve onto the floor. The room flooded 14 feet deep, disabling both RHR pumps and one of the core spray pumps.
Indian Point Unit 2 (New York): Fission Stories #1 described how leakage from the system supplying cooling water to the air conditioning units inside the containment building remained undetected until October 17, 1980, when nearly 100,000 gallons had collected and risen to cover the lower nine feet of the reactor pressure vessel. The thermal stresses on the metal vessel, heated to over 500°F at one end and much cooler at the other end, increased its chance of breaking open.
Indian Point Unit 3 (New York): On May 9, 2015, a main transformer exploded and caught on fire. The fire suppression system automatically sprayed water on the transformer to contain the fire. The valves that opened to spray water on the burning transformer had a chronic problem—they leaked about 50 gallons of water onto the floor of the room where they were located. That room also contained the switchgear (electrical power distribution cabinets) for the unit. If that floor flooded to a depth of about 5 inches, the switchgear would be partially submerged and disabled, disconnecting the unit’s emergency equipment from both the offsite power grid and the onsite emergency diesel generators—a station blackout condition. The drains in the room were designed to handle 100 gallons per minute, but they were partially clogged and only allowed about 25 gallons per minute to leave. The room slowly flooded toward a station blackout. Fortunately, the fire brigade leader sent a worker to close the fire deluge valves so foam could be applied to extinguish the transformer fire. The worker saw water on the switchgear room floor and took steps to stop the flooding.
LaSalle (Illinois): Fission Stories #113 described the May 13, 1985, event where one of the circulating water pumps that sent cooling water from the lake through the plant stopped running. A worker dispatched to the pump house to investigate the problem discovered the building filling with water through a broken rubber expansion joint. The pump house flooded to a depth of 15 feet, disabling all the circulating water and service water pumps for both reactors.
Millstone Unit 2 (Connecticut): Fission Stories #130 described the October 15, 2012, discovery that seals had not been installed in 20 four-inch diameter conduits between the intake structure and the turbine building. Flood water could have flowed through the unprotected conduits into the turbine building and disabled the turbine-driven auxiliary feedwater pump needed to remove heat from the reactor core during an accident or station blackout event.
Oconee (South Carolina): Fission Stories #173 described how the owner contesting an NRC sanction for leaving a hole in a flood barrier led to the discovery of a greater flooding hazard posed by the upstream Jocassee Dam. The NRC required the owner to take steps to lessen the chances of the dam’s failure and other steps to increase the likelihood that Oconee could endure flooding.
Perry (Ohio): Fission Stories #2 described how the December 22, 1991, rupture of a 36-inch pipe carrying water from Lake Erie to cool equipment inside the plant flooded the site with nearly three million gallons of water. Some of the water flowed through manhole covers into underground vaults containing electrical cables. Water flowed through the vaults into various buildings and structures, shorting out some electrical circuits. On March 26, 1993, a 30-inch diameter pipe buried about 13 feet underground ruptured. Water forced its way up through asphalt-covered ground to flood the western end of the site. Water found its way into nearby buildings, flooding some to a depth of 6 to 8 inches before workers turned off pumps to stop the flooding.
Pilgrim (Massachusetts): Fission Stories #31 described the March 7, 1997, event in which about 4,300 gallons of cooling fluid for the main transformer flowed through an isolated phase bus duct into the turbine building. Some fluid flowed under the doors into essential switchgear room “A.” Some fluid flowed down a stairwell to pool around the instrument air compressors. The fluid was not water—it was flammable oil. The NRC’s analysis concluded that had the oil ignited (it had a flash point of 275°F and pooled near energized and hot electrical equipment), the fire would have disabled all the equipment powered from switchgear “A” while smoke and hot gases would have gotten into the adjacent room containing switchgear “B” to disable all the equipment it powered. Pilgrim would have been plunged into a station blackout—the situation that plagued Fukushima.
River Bend (Louisiana): Fission Stories #51 described an April 19, 1989, event where workers needed to repair two manual valves in a cooling water system. Rather than shut down the cooling system, workers wrapped the 6-inch diameter pipe upstream of the valves with a blanket. Liquid nitrogen flowing through the blanket froze the water inside the pipe, creating a solid seal that allowed workers to drain water from the downstream section of piping and remove the valves. Workers did not follow the standard practice of monitoring the temperature of the frozen plug. They did not notice that the flow of liquid nitrogen to the blanket had stopped and the plug was thawing until water spurted from the open end of the pipe. About 15,000 gallons of water poured onto an upper floor of the auxiliary building and flooded it to a depth of four inches. Water seeped through holes in the floor and dripped onto electrical cabinets on the lower floor. Water shorted out electrical circuits and stopped the cooling of the reactor core. The operators restored core cooling within two minutes and stopped the flooding within 15 minutes.
San Onofre Unit 1 (California): Fission Stories #4 described how on February 27, 1982, workers removed one of two pumps that pumped salt water from the Pacific Ocean through the plant to cool equipment. When the tide came in, water entered the hole in the floor created by the pump’s removal and flooded the pump house to five feet. The high water caused the electrical current to the motor of the remaining pump to fluctuate. The operators turned off the pump, fearing it was about to be submerged and damaged. Workers jury-rigged a third pump to cool vital equipment until the pump house was drained of water and the normal pump returned to service.
San Onofre Unit 3 (California): Fission Stories #55 described a July 14, 1991, event in which workers needed to perform maintenance on the area where casks are lowered into the spent fuel pool, filled with irradiated fuel assemblies, lifted out of the pool, and transported to the cask storage pad onsite. Workers installed a gate between this loading area and the rest of the spent fuel pool. The system cooling the spent fuel pool water was drawing warm water from the spent fuel pool area and returning it to the cask loading area. By installing the gate but not altering this flow path, workers were essentially pumping the spent fuel pool into the cask loading area. The cask loading area soon overflowed. About 5,600 gallons of slightly radioactive water flowed through drains into the adjacent radwaste building and flooded it to a depth of about two inches.
Sequoyah (Tennessee): Fission Stories #43 described two rainfall events that resulted in the turbine building being flooded and electric power panels being partially submerged. On July 11, 1994, a storm dumped about an inch of rain within 15 minutes. Water flowed into the turbine building and submerged two inches of the 6,900-volt power supply panels. Water also flowed through holes in the floor to pour onto the 250-volt direct current power panel and one of the 480-volt alternating current power panels in the basement. On June 30, 1999, another storm dumped two-thirds of an inch of water within 15 minutes, once again flooding the turbine building and wetting the power panels. After the second flooding event, the NRC investigated and discovered the ground around the turbine building was improperly graded—its slant carried water towards the building instead of directing it someplace else. The owner re-graded the ground.
Sequoyah (Tennessee): Fission Stories #96 described a safety test gone awry on February 11, 1981, that flooded the containment building with nearly 110,000 gallons of water. A miscommunication led to an operator opening the wrong valve that sprayed water into the containment for ten minutes before the mistake was discovered and corrected.
Susquehanna Unit 1 (Pennsylvania): Fission Stories #36 described how improperly installed seals on two access ports to the main condenser allowed nearly one million gallons of water from the Susquehanna River to flood the turbine building to a depth of 12 feet on July 16, 2010. The operators manually scrammed (shut down) the reactor.
Three Mile Island Unit 1 (Pennsylvania): Fission Stories #130 described the August 12, 2012, discovery that flood seals in electrical cable conduits had not been installed when the plant was built in the 1970s. Had the site flooded, water could have flowed through the unprotected pathways into the auxiliary building and disabled equipment needed to cool the reactor core.
Vermont Yankee (Vermont): Fission Stories #130 described the May 24, 2012, discovery that a deficient seal could have allowed flood water to flow through an underground conduit into rooms housing the electrical controls for emergency equipment. Had these controls been submerged, “the capability to shut down the reactor and maintain it in a safe shutdown condition” could have been lost.
Safety by Intent
Water is a mixed blessing at a nuclear power plant. In the right circumstances, it performs righteous things like putting fires out, shielding workers from radiation emitted by spent fuel, and preventing reactor cores from overheating.
In the wrong circumstances, it performs devilish deeds like disabling the equipment needed to prevent reactor cores from overheating.
The former circumstances compel nuclear power plants to be built next to rivers, lakes and oceans and to contain miles of water-filled pipes. The latter circumstances necessitate unrelenting diligence to prevent water’s virtues from transforming into vices.
Water can disable primary safety systems and their backups either by directly submerging multiple components (as in the Columbia Generating Station and Hatch events) or by disabling the power supply to multiple components (as in the Indian Point Unit 3 and Pilgrim cases).
The summaries indicate that adequate flood protection relies on (1) preventing water from entering areas housing vital equipment, (2) locating vital equipment in diverse locations to lessen the chances for a single flood to disable it all, (3) draining areas containing vital equipment faster than they can flood, and (4) detecting a flooding condition as soon as possible to maximize the time available to successfully intervene.
Flooding is but one of many risks to be managed at a nuclear plant. Properly managing a single risk factor would be relatively simple. Properly managing multiple risk factors, often at odds with one another, complicates the task quite a bit. For example, installing fire headers and fire sprinklers within a nuclear power plant decreases the fire risk. But it increases the flooding risk. It’s not a matter of choosing which risk to manage and which to neglect; it’s a matter of understanding all the risks and developing designs and procedures that effectively manage them.
Events and discoveries like those summarized above provide opportunities to check whether the flooding risk is being properly managed by asking, and answering, “could that happen here?” Unless the answers are resolutely and realistically “no,” there’s some homework to do on the safety front.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how addressing pre-existing problems can lead to a more effective defense-in-depth protection.