Disaster by Design/Safety by Intent #32
Disaster by Design
Containment structures at nuclear power plants have multiple purposes. Containments protect vital safety equipment from damage caused by external events like high winds and the debris they can fling. And containments protect nearby communities against radiation released from reactor cores damaged during accidents.
Disaster by Design/Safety by Intent #30 discussed how containment structures can be adversely affected by high internal pressure experienced during an accident. Disaster by Design/Safety by Intent #31 discussed how containments can be adversely affected by damage/degradation that existed even before an accident started. This commentary covers another problem that can adversely affect, and has adversely affected, containment performance—the failure of containment isolation devices.
Containments are often thought of in terms of thick reinforced concrete walls. To be sure, the primary containment walls can be several feet thick. But those walls have literally hundreds of holes through them allowing people, water, air, and electricity to enter and exit. These penetrations are equipped with doors, hatches, dampers, and valves—collectively termed isolation devices—intended to prevent containments from becoming nuclear Maginot lines during reactor accidents.
When isolation devices fail, more radioactivity can pass through the thick containment walls to cause more harm. Containment isolation device failures are not rare occurrences, as the following summaries illustrate.
Browns Ferry (AL)
Workers restarted the Unit 3 boiling water reactor at Browns Ferry on December 6, 1979, following a refueling outage. The BWRs at Browns Ferry feature Mark I containment designs. Often called the inverted lightbulb in a doughnut design, the Mark I primary containment has a drywell (the inverted lightbulb) surrounding the reactor vessel and a wetwell (the doughnut) consisting of a torus partially filled with water. The primary containment airspace is inerted with nitrogen during reactor operation as protection against detonation of hydrogen gas that can be produced during an accident.
The Unit 2 operating license required workers to verify that the containment had been inerted within 24 hours after startup of the reactor. The test conducted on December 7 was inconclusive. Because the reactor was restarting from a refueling outage, the water circulating through the reactor core and through the piping inside the primary containment would be warming from less than boiling (212°F) to over 500°F as the reactor approached full power. The rising temperatures warmed the nitrogen gas inside the primary containment, causing it to expand slightly. Workers vented nitrogen gas from the containment during startup to maintain the containment atmosphere at a constant pressure. The dynamic situation complicated the first containment integrity test.
The test conducted on December 8 revealed a problem. The reactor’s heatup had largely finished, so workers were not venting nitrogen from the primary containment. But workers were now adding nitrogen to the primary containment. The test showed that nitrogen gas was leaking from the containment at a rate ten times larger than the limit permitted by the NRC.
On December 9, workers discovered that the equipment hatch into the drywell had not been securely closed. Three bolts securing the equipment hatch in the closed position were found to be loose. (Fig. 1 shows the open equipment hatch for Browns Ferry Unit 2. The Unit 3 equipment hatch had not been left open. It had been improperly closed, allowing excessive leakage around its edges.) When workers checked the equipment hatch on Unit 2, they found problems with more than half the closure bolts.
Browns Ferry (still in AL)
All three boiling water reactors at Browns Ferry were shut down in spring 1985 due to a large number of safety shortcomings. The Unit 2 and 3 reactors were repaired and restarted while the Unit 1 reactor remained in limbo for nearly two decades. Around 2004, its owner took steps to restart Unit 1. The many preparations included replacing an excess flow check valve in October 2006 in a tube penetrating through the primary containment wall. The disc inside the excess flow check valve was connected to a coiled spring. If the tubing outside the containment wall broke, the high velocity of the water rushing through the tubing would push against the disc, overcoming the spring force and closing the valve to stop the potential release of radioactivity from containment.
On March 19, 2007, workers tested the excess flow check valve to verify that it would close when necessary to isolate a potential pathway for radioactivity to escape from containment. The test failed. Workers re-tested the valve. Again, the valve failed the test. The system engineer accepted the valve as-is and the Unit 1 reactor was restarted.
On November 22, 2012, workers tested the excess flow check valve. Once again, the valve failed the test. This time, workers replaced the valve. They installed the replacement valve in the same configuration and orientation as the one they had removed. Workers tested the replacement valve. It failed the test.
Workers investigated further and discovered the original excess flow check valve and its replacement had been installed backwards. The valves had not malfunctioned. They functioned as designed. But because they had been installed backwards, they were unable to perform the safety function required from them.
Shearon Harris (NC)
Workers tested the main steam isolation valves (MSIVs) on the Shearon Harris pressurized water reactor (PWR) on April 12, 2012.
In PWRs, the MSIVs are on the large diameter pipes carrying steam from the steam generators inside containment to the main turbines outside containment. If one or more of the thousands of thin-walled metal tubes (represented by the blue upside down U-shaped item in Fig. 2) inside a steam generator breaks, radioactivity released from damaged fuel in the reactor core can be carried within the steam pipes through the containment wall. The MSIVs (circled in red in the graphic) are designed to close within seconds when needed to limit how much radioactivity escapes through this pathway. Shearon Harris has three steam generators and three pipes between them and the main turbine with one MSIV in each pipe.
An operator flipped a switch in the control room at Shearon Harris that day and clicked a stopwatch to time how long it took MSIV “A” to close. The operator clicked the stopwatch when a green light lit up indicating the valve had closed. The closure time was 4.51 seconds, within the 5-second limit.
MSIVs “B” and “C” did not test as successfully. It took 1 hour and 14 minutes for MSIV “B” to close and about 4 hours and 37 minutes for MSIV “C” to close—more than a smidgen or two over the 5-second safety limit.
Workers determined that corrosion caused an internal part of the MSIVs to expand slightly. When the valves were signaled to close, the expansion essentially pinned the valves’ discs solidly against their casings. It took a while for the discs to work themselves free and close.
Lots of Reactors (Lots of States)
Containments on boiling water reactors are similar to Russian dolls: the reactor core is inside the reactor vessel which is inside the primary containment which is inside the secondary containment. At BWRs with Mark I and II containments, the primary containment is inerted with nitrogen gas during reactor operation. Workers do not enter primary containment during reactor operation, but they routinely enter secondary containment for testing, inspections, and maintenance activities.
Airlocks preserve the integrity of BWR secondary containment while enabling workers to enter and exit. An airlock has two doors and associated controls. The intent is to allow workers to pass through one opened airlock door while the second door remains closed to maintain the integrity of secondary containment. Turning the handwheel on an airlock door retracts or extends four metal pins out of or into the four holes in the metal plates shown on the right side of the doorframe in Fig. 3. The panel on the right has green and red indicator lights showing the opened/closed status of the airlock doors. Workers are trained to observe these status lights and not to open an airlock door when the other door is already open. As a backup, an electrical interlock is supposed to disengage the handwheel of a door when the other door is open.
Citing just a few from a very, very long list of times when both airlock doors were opened at the same time, transforming a containment isolation device into a radiation escape portal: Limerick Unit 1 (PA) on January 25, 2016, Limerick Unit 2 (PA) on November 20, 2015, FitzPatrick (NY) on September 17, 2015, Duane Arnold (IA) on August 27, 2015, Nine Mile Point Unit 1 (NY) on August 5, 2015, Quad Cities Unit 1 (IL) on June 19, 2015, Limerick Unit 2 (PA) on June 3, 2015, Duane Arnold (IA) on April 16, 2015, LaSalle Unit 1 (IL) on February 17, 2015, Nine Mile Point Unit 1 (NY) on February 11, 2015, Susquehanna Unit 2 (PA) on November 5, 2014, Monticello (MN) on March 28, 2014, Dresden Unit 2 (IL) on March 27, 2014, Oyster Creek (NJ) on November 17, 2013, and Columbia Generating Station (WA) on January 7, 2013. This list does not include all of the events over the past three years, let alone any of the many, many events prior to November 17, 2013.
Safety by Intent
Whether containment walls are 5 feet or 5 miles thick, they do not work as protective barriers when doors, hatches, and valves installed in openings through the walls fail to isolate these pathways during an accident.
Of the examples cited in this commentary, the Shearon Harris problem is most troubling. Aging-related degradation impaired two of three isolation devices. Required to close within 5 seconds for safety, the impaired devices took longer than an hour to isolate.
Tests and inspections of safety equipment are supposed to be performed often enough to detect problems before safety margins are compromised. The method used to test the isolation devices at Shearon Harris, the frequency of the testing, or both utterly failed to prevent a common cause (corrosion) from disabling the isolation devices on two of three potential pathways for radioactivity to get out of containment. And the pipes in which these isolation devices were installed have larger diameters than the largest gun barrels on World War II battleships like the Hood, Bismarck, Tirpitz, Arizona, Missouri, and Yamato. Having such large cannons aimed at nearby communities, all too ready to fire deadly radioactive bullets far and wide, is an undue risk.
The Browns Ferry excess flow check valve episode is a close second. The situation itself had very little safety significance—the valve is in a pipe less than one inch in diameter. If Shearon Harris involved battleship guns, Browns Ferry featured BB guns, at most. But a testing program that accepts failed results is just wrong. Tests are not conducted to keep workers busy until lunch. Tests are supposed to either confirm that safety equipment functions properly or identify deficiencies that are corrected before safety margins are compromised.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.