Disaster by Design/Safety by Intent #31
Disaster by Design
Federal regulations require that nuclear plant containments withstand the temperature, pressure, hydrodynamic forces, humidity, and other consequences from design basis accidents and limit the amount of radioactivity released to the atmosphere. By limiting the radioactivity release, containments minimize the harm to nearby populations and the environment.
The surest way for a containment to be damaged after an accident and be unable to fulfill this safety function is for it to be damaged before the accident starts.
This commentary describes some of the actual events at U.S. nuclear power plants in which containment problems existed for some time while the reactors operated before the problems were finally detected and corrected. Any pre-existing deficiencies in containment are more likely to be exploited by an accident than they are to be healed by it.
North Anna Unit 2 (VA)
In 1999, workers discovered a hole in the metal plate that lined the inside surface of the reinforced concrete wall of the large dry containment design at this pressurized water reactor. Workers attributed the hole to corrosion that ate away the metal liner.
Brunswick Unit 2 (NC)
In 1999, workers discovered a hole in the metal plate that lined the inside surface of the reinforced concrete wall of the Mark I containment design at this boiling water reactor. Workers attributed the hole to corrosion that ate away the metal liner.
Sequoyah Units 1 and 2 (TN)
As detailed in Fission Stories #11, workers discovered during a refueling outage in March 1992 that 27 of the 48 doors to the ice condenser vault on Unit 2 would not open. When workers then found that 11 of the 48 doors to the ice vault on Unit 1 would not open, that reactor had to be immediately shut down until the problem was fixed. Workers determined that water collecting in the flooring of the ice vaults had frozen. Water expands as it freezes, and that expansion pushed the flooring upward enough to obstruct many of the inlet doors from opening. The inlet doors have hinges along their edges allowing them to swing open when pushed. (Fig. 1 shows a pair of inlet doors at the Watts Bar Unit 1 reactor in Tennessee. The picture is taken from containment looking through partially opened inlet doors into the bottom of the ice vault.)
Had an accident happened at Sequoyah before the blocked inlet doors were fixed, the energy discharged into containment might not have been absorbed by the ice as intended, causing the pressure inside containment to rise above the design limit, resulting in problems described in Disaster by Design/Safety by Intent #30.
HB Robinson (SC)
Fission Stories #22 describes how workers declared an emergency on January 7, 1989, after discovering explosive concentrations of hydrogen gas inside containment and inside the turbine and auxiliary buildings. Workers conducting a test of the main generator mistakenly cross-connected the hydrogen supply system with the instrument-and-station-air system. Hydrogen gas normally used to cool the main generator flowed through the instrument-and-station-air-system piping into the turbine and auxiliary buildings and into the containment structure. Hydrogen concentrations above the combustibility level of six percent were measured in all three buildings.
Hatch Unit 2 (GA)
The owner informed the NRC on February 3, 1984, that a crack existed through the metal wall of the torus at this boiling water reactor (BWR) with a Mark I containment design. The primary containments of BWRs with Mark I and II designs are inerted with nitrogen gas during reactor operation to protect against hydrogen buildup and detonation during accidents. The nitrogen gas is purged and replaced with air to allow workers to enter the primary containment during refueling outages to conduct tests and inspections.
Toward the end of the refueling outage, this process is reversed to purge the air from primary containment and replace it with nitrogen gas. Workers open valves in pipes that supply nitrogen gas to the drywell and torus. A 20-inch diameter nitrogen gas supply pipe with an opening about seven feet from the cracked torus wall chilled the metal. The nitrogen is stored onsite in liquid form and evaporated as needed to deliver gas, at a low temperature, to the primary containment. The cool nitrogen gas made the torus metal become brittle and crack open.
FitzPatrick (NY)
The owner informed the NRC on August 26, 2005, that a crack existed through the metal wall of the torus at this BWR with a Mark I containment design. Unlike at Hatch, the culprit this time was not cold nitrogen gas but hot steam. The water inside the torus serves as an “energy sponge” to soak up energy released inside containment.
One of the sources of released energy is the High Pressure Coolant Injection (HPCI) system. The HPCI system uses steam produced by the reactor core’s decay heat to spin a turbine. This turbine is connected to a pump. The spinning turbine powers the pump, allowing it to transfer nearly 5,000 gallons per minute of makeup water into the reactor vessel.
After leaving the HPCI turbine, the steam travels through pipes into the torus where it is released below the water line to be cooled down and converted back into liquid form. As shown in Fig. 2, the HPCI exhaust line at FitzPatrick was not equipped with a sparger (a section of piping with lots of little holes in its walls) to promote the steam’s mixing with the torus water. Consequently, the steam flowed from the open end of the exhaust line during periodic testing of the HPCI system to heat up the nearest metal wall of the torus. The thermal stresses cracked open the metal, allowing torus water to leak out.
Safety by Intent
Containment is the final barrier between radioactivity released during an accident and the environment. Any discovery of a containment barrier problem really and truly represents the discovery of a problem with another barrier. Testing and inspection efforts are supposed to monitor equipment performance and structural integrity to either verify adequacy or identify degradation in time to correct it before safety margins are compromised. The testing and inspection efforts are therefore a safety barrier.
When containment barrier problems are identified that compromised safety margins, unacceptable testing and/or inspection programs are inherently revealed. Had the testing and inspection barrier been reliable, the containment barrier would have been reliable, too.
In the North Anna, Brunswick, Hatch, and FitzPatrick events described above, the testing and inspection efforts should have detected degradation in the containments’ metal walls before holes were created.
The testing and inspection efforts were clearly unsuccessful in detecting degradation in a timely manner. The failures should have triggered changes in what is being done, how it is being done, and/or when it gets done so as to make it less likely that degradation can be overlooked for too long in the future.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.