Disaster by Design: Safety by Intent #11
Disaster by Design
PWR Containment Sump Problem
In September 1996, the Nuclear Regulatory Commission (NRC) initiated Generic Safety Issue 191 (GSI-191). The safety concern addressed by GSI-191 involved the postulated rupture of a pipe inside the containment of a pressurized water reactor (PWR) that is connected to the reactor vessel. If such a pipe broke, reactor cooling water would pour out from both broken ends. Because the pressure inside the reactor vessel is over 2,000 pounds per square inch, the water would jet out at high velocity, rapidly emptying the reactor vessel of the water needed to protect the reactor core from overheating damage.
PWRs are designed to cope with such a postulated accident. They employ an array of standby emergency systems that automatically start up and begin refilling the reactor vessel with water to protect the reactor core. Before the storage tanks holding the makeup water used by these emergency systems empty, the emergency systems switch over into what is called recirculation mode—the pumps draw water from concrete collection pits, called sumps, in the containment’s basement and supply it to the reactor vessel. The water cools the reactor core and then leaks from the broken pipe into containment where it drains down into the sump for re-use.
The NRC initiated GSI-191 to resolve a glitch in this game plan. The high velocity water jetting from the broken pipe ends scours insulation off piping, coatings off equipment, and even paint off walls. The water then carries some of the debris it created with it down into the containment sumps. Depending on the size and amount of debris entering the sump, the supply to the pumps or the pumps themselves could become clogged, preventing adequate flow of makeup cooling water to the reactor.
GSI-191 sought to resolve this matter by lessening the amount of debris arriving in the containment sump and by better protecting the pumps from the debris that does arrive. The former could be achieved by using insulation, coatings, and paint that could better withstand the high pressure washing they might experience and that would come apart in larger pieces that water would have trouble carrying into the sump. The latter could be achieved by replacing the existing mesh screens protecting the emergency pumps with larger ones that would take far more debris to block.
The NRC justified the multiple years it expected to need to resolve this safety problem, which afflicted 69 of the 104 reactors then operating in the U.S., on the grounds that other regulatory requirements made it very unlikely that a pipe would break and exploit the pre-existing safety system impairment.
PWR Control Rod Drive Mechanism Nozzle Problem
In August 2001, the NRC issued Bulletin 2001-01 to PWR owners mandating that they take steps to resolve an emerging safety issue. That spring, workers at the Oconee nuclear plant in South Carolina had found through-wall cracks in the vertical metal tubes passing through the Unit 3 reactor vessel head, called control rod drive mechanism (CRDM) nozzles, that allow the control rods inside the reactor core to be connected to, and manipulated by, the drive mechanisms. The cracks allowed cooling water to leak from the reactor vessel. The small size of the cracks limited the leak to a small amount of cooling water (less than one gallon per minute), but the NRC mandated that PWR owners take steps to ensure that any cracks in their CRDM nozzles were found and fixed before they caused larger reactor cooling water leaks.
The NRC allowed PWRs to operate for months, and in some cases more than a year, before their CRDM nozzles were inspected for cracking. The NRC justified the many months that reactors would operate with this potential safety impairment on the grounds that other regulatory requirements required highly reliable emergency makeup systems that could more than compensate for cooling water lost through even a large leak.
Davis-Besse Doubling Down
Davis-Besse is a PWR that operated with both the containment sump and CRDM nozzle impairments until 2002. Fig. 1 looks down at a portion cut out and removed from the reactor vessel head at Davis-Besse. It shows the circular hole where the 4-inch diameter CRDM nozzle penetrated through the head. It also shows the tear-shaped erosion of the 6-inch thick reactor vessel head by high pressure water leaking from the cracked CRDM nozzle over an estimated 6-year period. The silver material at the bottom of the cavity is the quarter-inch thick layer of stainless steel coating the inside surface of the reactor vessel head. Researchers at the Oak Ridge National Laboratory estimated that the slowly widening cavity would have gotten big enough in as little as two more months of reactor operation to cause that stainless steel coating to break, rapidly releasing the reactor water into containment. The NRC fined the owner a record (so far) $5.45 million for this safety faux pas.
At the same time, the owner had applied improper paint and coatings to equipment and structures inside containment. The improper materials were susceptible to being dislodged by high velocity water (like that jetting from a gaping hole in the reactor vessel head) and transported down into the containment sump to block the flow of water to the emergency makeup pumps. The NRC issued a yellow finding (the second most serious of its four color-coded sanction levels) to the owner for this safety infraction.
Safety by Intent
Centuries ago, Plato commented that necessity was the mother of invention.
So, what do a dead Greek philosopher’s musings have to do with nuclear power plant problems?
Plato essentially foresaw that nuclear power plant problems would be identified before their solutions.
Identification of a problem creates the need to invent its solution. Most often, that invention entails selecting the most appropriate among several available, off-the-shelf solutions. On rare occasions, it involves developing a new solution or modifying an existing solution to a new application.
In any case, there’s a lag between the identification of a nuclear plant problem and the selection and implementation of its solution.
How is safety ensured during that lag time before the solution to an identified problem is implemented?
In the cases outlined above, the NRC justified allowing Davis-Besse to continue operating with a known safety problem based on the low likelihood of an accident exploiting the impairment or on the high likelihood of a backup system mitigating the severity of an accident.
Had either safety problem existed only by itself, the NRC’s rationale would have been sound. The defense-in-depth approach to nuclear safety provides multiple barriers between challenge and catastrophe. When a problem is found in one barrier, the remaining barriers provide protection. This protection enables the reactor to operate safely while the faulty barrier is fixed.
But the NRC made its decisions in isolation, failing to consider whether other unresolved problems degraded other barriers. By analogy, I know from experience that I can survive a bee sting, and can survive three stings around the same time. But I do not know, and do not wish to find out, whether I can wrestle a hive from a tree and risk lots of stings.
The NRC must stop making safety decisions in isolation. Its decision-making process must consider all risk factors, including other unresolved safety problems.
For example, suppose a safety problem is identified that applies to Reactor A and Reactor B. That problem has the same risk for both reactors.
Suppose that Reactor A has no other unresolved safety problems while Reactor B has more than a dozen other unresolved safety problems.
Judged solely on the basis of the specific problem, the NRC’s decision about safety until a solution is implemented would be the same for both reactors. After all, the risk of that problem is the same for both reactors.
Judged on the basis of the bigger picture of the entire inventory of known problems, the NRC’s decision about safety until a solution is implemented could easily be different for Reactor A than for Reactor B. The NRC might very well require a faster resolution time for the problem at Reactor B or might require additional compensatory measures for Reactor B until the problem gets resolved.
The NRC must consider all known safety factors in making its decisions. It’s wicked hard to connect the dots to see the full picture when one only examines a single dot.
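The arithmetic behind the Davis-Besse and Reactor A/Reactor B arguments can be made concrete with a small defense-in-depth risk model. The following is an added illustration written for this page; it is not UCS’s or the NRC’s risk methodology, and every probability and multiplier in it is a constructed value chosen to keep the numbers readable. It treats the coolant pressure boundary, emergency makeup injection, and sump recirculation as three independent barriers that must all fail before the core is damaged, applies each unresolved problem as a multiplier on one barrier, and then compares the risk ratio a regulator sees when judging a problem by itself against the ratio for the whole inventory of problems at a plant.

```python
"""Constructed defense-in-depth risk model (added example, not UCS's or the
NRC's method).  Core damage requires the coolant pressure boundary to breach
AND emergency makeup injection to fail AND sump recirculation to fail, so
the barriers multiply.  All numbers are made up for illustration."""
from dataclasses import dataclass
from functools import reduce

# Baseline annual failure probability of each barrier when it is intact
# (constructed values, not plant data).
BASELINE = {
    "vessel_boundary": 1e-4,     # coolant pressure boundary breaches
    "makeup_injection": 1e-3,    # emergency makeup from the storage tanks fails
    "sump_recirculation": 1e-3,  # recirculation from the containment sump fails
}


@dataclass(frozen=True)
class Impairment:
    """An unresolved problem that weakens one barrier by a multiplicative factor."""
    name: str
    barrier: str
    factor: float


@dataclass
class Reactor:
    name: str
    impairments: tuple = ()


def barrier_failure_probs(reactor):
    """Per-barrier failure probability after applying the reactor's impairments."""
    probs = dict(BASELINE)
    for imp in reactor.impairments:
        # A probability can't exceed 1, however many problems pile onto a barrier.
        probs[imp.barrier] = min(1.0, probs[imp.barrier] * imp.factor)
    return probs


def core_damage_prob(reactor):
    """Catastrophe needs every barrier to fail; barriers are assumed independent."""
    return reduce(lambda a, b: a * b, barrier_failure_probs(reactor).values(), 1.0)


def risk_ratio(reactor):
    """How many times riskier this reactor is than one with no impairments."""
    return core_damage_prob(reactor) / core_damage_prob(Reactor("clean"))


def isolated_risk_ratio(impairment):
    """The number seen when one problem is judged on its own, at an otherwise clean plant."""
    return risk_ratio(Reactor("isolated", (impairment,)))


def prioritize(reactors, limit):
    """Names of reactors whose combined risk ratio exceeds `limit`, riskiest first.
    These are the plants that warrant faster fixes or compensatory measures."""
    flagged = [(risk_ratio(r), r.name) for r in reactors if risk_ratio(r) > limit]
    return [name for _, name in sorted(flagged, reverse=True)]


# Hypothetical multipliers for the two Davis-Besse problems described above.
CRDM_CRACKING = Impairment("cracked CRDM nozzle", "vessel_boundary", 100.0)
SUMP_COATINGS = Impairment("improper containment coatings", "sump_recirculation", 100.0)
DAVIS_BESSE = Reactor("Davis-Besse", (CRDM_CRACKING, SUMP_COATINGS))

# The Reactor A / Reactor B thought experiment: the same new problem arrives at a
# plant with no backlog and at a plant with a dozen other unresolved problems.
SHARED_PROBLEM = Impairment("shared problem", "makeup_injection", 10.0)
REACTOR_A = Reactor("Reactor A", (SHARED_PROBLEM,))
REACTOR_B = Reactor("Reactor B", (SHARED_PROBLEM,) + tuple(
    Impairment(f"backlog item {i}", "sump_recirculation", 1.5) for i in range(12)))

if __name__ == "__main__":
    for imp in (CRDM_CRACKING, SUMP_COATINGS):
        print(f"{imp.name:32s} judged alone: x{isolated_risk_ratio(imp):,.0f}")
    print(f"{DAVIS_BESSE.name:32s} both together: x{risk_ratio(DAVIS_BESSE):,.0f}")
    print(f"{REACTOR_A.name:32s} x{risk_ratio(REACTOR_A):,.0f}")
    print(f"{REACTOR_B.name:32s} x{risk_ratio(REACTOR_B):,.0f}")
    print("needs expedited action:", prioritize([REACTOR_A, REACTOR_B], limit=50))
```

With these constructed inputs, each Davis-Besse problem judged alone raises risk by a factor of 100, which is the figure an isolated decision would weigh; judged together they raise it by a factor of 10,000, because weakening two barriers at once multiplies rather than adds. Likewise the shared problem contributes the same factor of 10 to both Reactor A and Reactor B, yet only Reactor B crosses the prioritization limit once its backlog is counted. The model’s independence assumption is itself a caveat: common-cause effects such as a single debris source clogging both injection and recirculation would make the combined risk worse than this multiplication shows, not better.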
By the way, it’s too bad Plato is dead. I’ve always wondered about who was the father of invention.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.