Fission Stories #190
UCS initiated a series of annual reports on the NRC and nuclear plant safety in March 2011. As in this year’s report, these annual reports contain a chapter summarizing the near misses that the NRC investigated during the prior year. We define “near miss” to be any event or discovery at a nuclear plant that prompts the NRC to dispatch a special inspection team to the site to ascertain its cause and verify its correction.
The focus of UCS’s nuclear safety project is on operating nuclear power plants in the United States. Our annual reports have exclusively summarized near misses at U.S. nuclear plants. An event at the Nuclear Fuel Services facility in Erwin, Tennessee prompted the NRC to dispatch a special inspection team. Because the Nuclear Fuel Services facility is not an operating nuclear power plant, its near miss will not be summarized in our next annual report. Instead, it will be summarized in this blog post.
Erwin’s Nuclear Business
The primary role of the Nuclear Fuel Services facility in Erwin is to produce material containing highly enriched uranium. The facility also recovers and purifies low-enriched and high-enriched uranium from process scrap generated at Erwin and at other facilities.
Erwin’s Uranium Recovery Process and Safety Measures
Part of the uranium recovery process used at the Erwin facility involves three vertical metal tanks called columns (labeled Column-0B03, Column-0B04, and Column-0B05 in Figure 1.
Fig. 1. (Source: NRC Inspectio n Report)
Scrap material is loaded into Column-0B03. Ammonium hydroxide from a bulk storage tank is added to Column-0B03 via the blue line. The ammonium hydroxide flow is controlled by two safety related equipment (SRE) valves labeled N302VALVEBA0B01 and N302VALVEBA0B85 in the graphic. As a safety precaution, each valve is equipped with a spring that keeps it in the closed position. The operator has to grip the valve’s switch and open it against the spring’s closing pressure to allow flow to pass into the column. When the operator releases the switch, the spring recloses the valve.
The spring return design feature serves two important safety functions. Because the scrap material in the column could contain high-enriched uranium, the closed valves prevent an overflow of the column from transporting uranium to areas where it could collect in sufficient amounts to form a critical mass. A criticality accident in September 1999 at the fuel fabrication facility in Tokaimura, Japan killed two workers. The spring return valves along with other design features like limiting the capacity the columns can hold protect against criticality at Erwin.
The spring return design feature has another important safety function. If Column-0B03 is overfilled, the overflow is piped to Column-0B04. Likewise, if Column-0B04 is overfilled, the overflow is piped to Column-0B05. If Column-0B05 is overfilled, the overflow winds up on the facility’s floor. Ammonium hydroxide can harm workers who inhale or ingest it. Thus, the spring return valves protect against overfilling the columns and dumping ammonium hydroxide onto the floor. The spring return valves are the only IROFS [“item relied on for safety” – really, this acronym is from the NRC’s report] against the chemical safety hazard.
Two valves were installed in series for further safety. The pair allowed the safety function to be performed even if one valve stuck open and failed to close.
To add the required amount of ammonium hydroxide to Column-0B03, a worker had to hold open the switches for both valves for about 30 seconds.
Erwin’s Near Miss
At around 7 p.m. on June 17, 2014, a supervisor caught an operator defeating the spring return valves. The operator placed one end of a box end wrench on the red switch of the spring return valve and wedged the wrench’s handle into the support structure (Fig. 2)
Fig. 2. (Source: NRC Inspection Report)
Both valves were propped open and would not close. This configuration defeated the protections against criticality and worker exposure to ammonium hydroxide. The operator removed the wrenches allowing the valves to reclose upon seeing the supervisor approaching. The supervisor secured the area and relieved the operator from duty.
The mis-operated valves increased the risk that ammonium hydroxide would overfill the columns and flow onto the flow of the facility where it could harm workers who inhaled it.
Erwin’s Near Miss Precursors
At first blush, the operator’s blocking open two valves and defeating their safety functions seems inexcusable. After all, the valves only needed to be held open for 30 seconds and it might take that long or longer to install the wrenches.
At second and subsequent blushes, the operators’ antic remains inexcusable. But it becomes understandable.
Dating back three years to June 2011, the Erwin facility experienced at least four instances where the flow of ammonium hydroxide to process tanks like Column-0B03 had been slowed by blockage. For example, in November 2011 degradation of gasket material on an air pump partially blocked the ammonium hydroxide supply line. Instead of having to hold open the valves for 30 seconds, workers had to hold the valves open for up to 25 minutes to get the necessary amount of ammonium hydroxide in the column.
As recently as June 11, 2014, blockage required the valves to be held open for several minutes. Workers replaced a strainer in the ammonium hydroxide supply line on June 16, 2014. In a test after this replacement, the valves had to be held open for 50 seconds to fill Column-0B03 to the specified volume.
Our Takeaway
Defeating safety functions and increasing the risk of inadvertent criticality and worker exposure to ammonium hydroxide is never justified. Considerable effort and cost was taken to install two valves to guard against overfilling the tank or allowing backflow through the line. That’s a compelling clue that blocking open both valves is a very bad idea.
The recent history of recurring supply flow blockage made a very bad idea seem not so bad. The operators had to hold the valves open for up to 50 times longer than intended. Defeating safety functions was not an acceptable way to lessen an undue burden. But recurring burden explains, not justifies, this operator’s poor decision.
The practice of forcing operators to cope with equipment not performing per design is called an “operator workaround” in the nuclear industry. Nuclear facilities have so many widgets, gizmos, and doo-dads that it’s rare for them all to be working perfectly. The better managed nuclear facilities and the sites with better safety cultures are those that minimize the number and duration of operator workarounds and have the operators fully buy into the need for the workaround during the interim periods. The other facilities tempt their operators with numerous, longstanding workarounds, essentially encouraging them to succumb to temptation and devise safety shortcuts.
This Erwin near-miss illustrates the latter situation. An operator disabled safety features. The company tolerated recurring supply flow blockage events that tempted the operator once too often.
The result: two wrongs that make it hard to discern which was wronger.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.