Disaster by Design/Safety by Intent #41
Disaster by Design
The March 22, 1975, fire at the Browns Ferry Nuclear Plant revealed a shortcoming to the defense-in-depth approach to nuclear safety: a common cause can defeat multiple barriers.
The fire began in the cable spreading room directly below the combined control room for the Unit 1 and Unit 2 reactors. As the fire progressed, it damaged power and control cables for safety systems and their backups. All of the emergency core cooling systems for the Unit 1 reactor and most of those systems for the Unit 2 reactor were disabled during the fire. The fire defeated many of the defense-in-depth barriers erected to guard against reactor core damage.
Fortunately, workers were able to use non-emergency components and restore enough emergency components to service in time to prevent the Unit 1 and Unit 2 cores from meltdowns. UCS developed a slideshow describing the Browns Ferry fire, the damage it inflicted, and the efforts undertaken by workers to overcome numerous challenges and save the day.
Safety by Intent
I began working at the Browns Ferry Nuclear Plant in January 1980, less than five years after a fire brought the Unit 1 reactor close to meltdown. The smoke had cleared by then, but recollections of that fire remained burned in the memories of people who experienced it first-hand.
Gary McChristian worked as a control room operator that day. He received a call from the workers fighting the fire reporting that the roof of the cable spreading room was collapsing. Gary acknowledged the report and hung up the phone. It then dawned on him that the cable spreading room’s roof was his floor. He said he never ventured more than arm’s length from the control board after that report and was prepared to throw himself onto the panels and hold on for dear life if the floor fell in.
Don South worked as a supervisor in the control room that day. As fire burned insulation off electrical cables, exposed high-voltage conductors would contact exposed low-voltage wires. Until the exposed cables shorted out and de-energized, the power surge through the low-voltage wiring was literally launching indicating light bulbs from their sockets on the control boards. Feeling frustrated and helpless, Don took the flashlight from its holder on his belt and began swinging it at the popping bulbs.
J.D. Glover worked on the expanded fire brigade that day. He tried fighting the fire that burned through the penetration to the reactor building. Fire damage de-energized some of the lights in the building while smoke filled the building, curtailing visibility even in lit areas. Workers strung a rope between the access hatch into the reactor building and the fire zone so J.D. and other firefighters could make their way to the fire zone and return from it in the smoky dark. When using water was finally authorized more than six hours after the fire started, J.D. climbed atop a masonry block wall that was about eight feet tall and perhaps six to eight inches wide to get the fire hose nozzle closer to the point of the fire. When the air tank for his breathing apparatus emptied, J.D. edged the nozzle to spray at the fire and followed the rope out to safety.
Other workers talked about going to the warehouse to fetch large wooden spools wound with electrical cable. They took the spools to the intake structure to connect one end to the power cabinets unaffected by the fire. They rolled the spools across the open ground from the intake structure to the building. While the spools were round and rolled easily enough, the ground was not flat and level, which made unwinding the cables a bit more difficult. And once they reached the buildings, they still had to wrestle and worm the stiff electrical cables inside and connect them to re-power vital equipment.
Their actions, undertaken at no small hazard to their own safety, prevented a bad day from becoming much worse. They rose to the challenge and averted core meltdown(s) that day.
While their heroic efforts prevented reactor core meltdowns, the NRC took steps aimed at preventing nuclear plant workers from having to take similar heroic actions again—or worse, to take heroic but futile actions. The NRC adopted fire protection regulations in 1980 seeking to preserve at least one of the defense-in-depth barriers from postulated fires.
Cables for safety components and their backups had to be separated, either physically or by time. Physical separation meant routing cables for safety components far enough away from the cables for their backups to make it unlikely that a single fire would damage both sets of cables. Time separation meant that routing the cables in close proximity was acceptable, provided that at least one set of the cables was encased within a fire-retardant material rated to remain intact longer than the fire would burn.
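The separation rule above is a common-cause-failure check: for every postulated fire, at least one train of each safety function must keep all of its cables. The following Python model is an added illustration and is not code from the post, from UCS, or from any NRC guidance; the zone names, the one-hour postulated fire, the three-hour wrap rating and the cable layouts are all constructed assumptions used only to show how the unseparated Browns Ferry layout fails the check while physically separated or time-separated layouts pass it. Real regulations specify their own distances and barrier ratings, which this model abstracts into parameters.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Cable:
    """One cable run for a redundant train of a safety function (constructed model)."""
    train: str              # e.g. "core_cooling/A"
    function: str           # safety function the train supports
    zone: str               # fire zone the cable is routed through
    wrap_rating_h: float = 0.0  # hours of fire the wrap is rated to survive; 0 = bare cable


def cables_destroyed(cables, fire_zone, fire_duration_h):
    """A cable in the burning zone is lost unless its wrap outlasts the fire (time separation)."""
    return {c for c in cables
            if c.zone == fire_zone and c.wrap_rating_h <= fire_duration_h}


def surviving_functions(cables, fire_zone, fire_duration_h):
    """Map each safety function to True if at least one of its trains keeps every cable."""
    lost = cables_destroyed(cables, fire_zone, fire_duration_h)
    trains = defaultdict(list)
    for c in cables:
        trains[c.train].append(c)
    ok = {}
    for train_cables in trains.values():
        intact = all(c not in lost for c in train_cables)
        function = train_cables[0].function
        ok[function] = ok.get(function, False) or intact
    return ok


def separation_violations(cables, fire_duration_h):
    """Postulate a fire in every zone; list (zone, function) pairs where no train survives.

    An empty list means the layout keeps one defense-in-depth barrier from every single fire.
    """
    violations = []
    for zone in sorted({c.zone for c in cables}):
        for function, survives in sorted(surviving_functions(cables, zone, fire_duration_h).items()):
            if not survives:
                violations.append((zone, function))
    return violations


POSTULATED_FIRE_H = 1.0  # constructed assumption, not a regulatory value

# Constructed layout 1: both trains run bare through the same room, as the 1975 fire exposed.
UNSEPARATED = [
    Cable("core_cooling/A", "core_cooling", "cable_spreading_room"),
    Cable("core_cooling/B", "core_cooling", "cable_spreading_room"),
]

# Constructed layout 2: physical separation, train B rerouted through a different zone.
PHYSICALLY_SEPARATED = [
    Cable("core_cooling/A", "core_cooling", "cable_spreading_room"),
    Cable("core_cooling/B", "core_cooling", "east_cable_tunnel"),
]

# Constructed layout 3: time separation, train B stays in the room but is wrapped for 3 hours.
TIME_SEPARATED = [
    Cable("core_cooling/A", "core_cooling", "cable_spreading_room"),
    Cable("core_cooling/B", "core_cooling", "cable_spreading_room", wrap_rating_h=3.0),
]

if __name__ == "__main__":
    for label, layout in [("unseparated", UNSEPARATED),
                          ("physically separated", PHYSICALLY_SEPARATED),
                          ("time separated", TIME_SEPARATED)]:
        print(f"{label}: violations = {separation_violations(layout, POSTULATED_FIRE_H)}")
    # A fire that outlasts the wrap rating turns time separation back into a common cause.
    print("time separated, 4 h fire:", separation_violations(TIME_SEPARATED, 4.0))
```

The last line is the caveat that matters in practice: time separation only holds while the postulated fire duration stays below the wrap rating, so the assumed fire duration is as much a part of the barrier as the wrap itself.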
Those regulations, or more precisely compliance with those regulations, provide safety by intent. Recognizing that nuclear plants with large inventories of high-voltage energized equipment, combustible materials, and flammable oil can experience fires, compliance with the regulations intends to manage the fire hazard to an acceptably low level.
Operating a nuclear power plant not complying with the regulations is akin to unsafety by intent and tolerates the fire hazard being at an unduly elevated level.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.