Disaster by Design/Safety by Intent #25
Disaster by Design
The 99 nuclear power reactors currently operating in the United States have different owners, different designs, different numbers and makes of emergency diesel generators, different sizes and manufacturers of fuel rods, different licensed power levels, and many other differences.
But they all share one hard and fast limit: The calculated maximum fuel cladding temperature shall not exceed 2,200°F.
This hard and fast limit from the federal regulations applies equally to Pilgrim, Indian Point, Dresden, and Diablo Canyon. It doesn’t matter if it’s a pressurized water reactor, a boiling water reactor, a pressurized water reactor with once-through steam generators or with U-tube steam generators, or a boiling water reactor with an isolation condenser or a reactor core isolation cooling system – they all have the same 2,200°F limit on maximum fuel cladding temperature.
Figure 1 shows the temperatures in the fuel rod of a typical boiling water reactor operating at full power. The average and peak temperature columns can be misleading. They do not show the temperature of the water increasing as it flows upward through the hot reactor core. Instead, the 1,652°F average temperature at the top reflects the temperature at the center of the cylindrical fuel pellets. That temperature drops to 758°F at the outer edge of the average fuel pellet. The temperature drops to 615°F at the inner surface of the fuel cladding and to 565°F at the outer surface of the fuel cladding.
The universal limit of 2,200°F protects against the fuel pellet centerline temperature approaching the melting point. Allowing the fuel cladding temperature to rise above 2,200°F in turn causes the fuel centerline temperature to rise towards, or past, the melting point.
The universal limit of 2,200°F also protects against a reaction between the zircaloy fuel cladding and the steam/water fluid moving past it. As fuel cladding temperature rises above approximately 1,800°F, this exothermic reaction begins adding heat. As the fuel cladding temperature rises above 2,200°F, even larger amounts of heat are produced, posing a greater threat of fuel pellet melting.
How fast the pumps of the emergency core cooling system (ECCS) start up and how much water these pumps deliver to the reactor vessel are both established to prevent the peak fuel cladding temperature from exceeding the universal limit of 2,200°F.
All nuclear power reactors in the United States periodically shut down to remove some of the fuel assemblies from the reactor core and replace them with fresh fuel assemblies. The reactor core reload is analyzed by the plant owner and/or the fuel vendor to verify the reconfigured core design still permits the ECCS pumps to keep the peak fuel cladding temperature below 2,200°F in the event of an accident.
Well, that’s the theory at least.
Heat wave at Davis-Besse
The owner of the Davis-Besse nuclear plant near Oak Harbor, Ohio informed the NRC on January 23, 2015, of a mistake made in the analysis of peak fuel cladding temperature. The federal regulation that established the 2,200°F limit recognized that the results from the analyses can vary slightly depending on updated ECCS pump performance, piping friction factors, etc. The regulation explicitly tolerates analytical variations without notification to the NRC as long as no single variation and no series of variations causes the calculated peak fuel cladding temperature to increase more than 50°F. The NRC reminded nuclear plant owners about this tolerance band nearly two decades ago.
Davis-Besse’s owner did not provide the peak fuel cladding temperature originally calculated. But they told the NRC that the corrected temperature was:
The universal limit is 2,200°F. The miscalculation was non-conservative by at least 313°F.
Safety by Intent
Where’s Jethro Bodine when you need him? On the Beverly Hillbillies, Jethro was the hillbilly who talked most often about the importance of cipherin’. It ranked right up there with readin’ and writin’ (ahead of them if Jethro tackled alphabetical orderin’).
Non-conservative errors when cipherin’ the peak fuel cladding temperature are not uncommon.
For example, in December 1994 the owner of the Salem Unit 1 reactor in New Jersey informed the NRC about three errors that collectively caused the peak fuel cladding temperature to be under-predicted by 109°F. But fixing these errors resulted in a corrected peak fuel cladding temperature of 1,660°F, well below the universal safety limit.
Likewise, the owner of the Oconee nuclear plant near Seneca, South Carolina informed the NRC in March 2012 about an error that under-predicted the peak fuel cladding temperature by 225°F. But once again, fixing the error resulted in a corrected peak fuel cladding temperature of 1,686°F, well below the universal safety limit.
These are but two examples among many of analytical errors that, upon identification and correction, reduced the margin available to the 2,200°F universal safety limit.
Davis-Besse’s error busted the limit by over 310°F.
What sanction did the NRC impose on this plant owner for such an egregious error?
If you ever paid a nickel for an overdue library book, you paid five cents more than this owner for its safety miscalculation.
If you ever had to have parental signature(s) on a less than stellar report card, you received a harsher sanction than the NRC imposed on this owner.
The NRC took no action against this owner for violating the universal safety limit by over 300°F.
Apparently to the NRC, if you calculate that the peak fuel cladding temperature is less than 2,200°F, that’s good. And if you mistakenly calculate that the peak fuel cladding temperature is less than 2,200°F when it is really much higher, that’s good, too. Just do the cipherin’ Jethro. Don’t sweat getting it right.
“No blood, no foul” may work to referee pick-up basketball games.
But it is a deplorable way for the NRC to enforce its safety regulations. It’s not enforcement, it’s enfarcement. The American public deserves much, much better from the NRC.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.