Disaster by Design/Safety by Intent #27
Disaster by Design
Disaster by Design/Safety by Intent #26 described the accident progression resulting in meltdown of a reactor core. Such scenarios factored in the accidents at Fermi Unit 1 in October 1966, Three Mile Island Unit 2 in March 1979, and Fukushima Daiichi Units 1, 2, and 3 in March 2011.
This commentary describes another less well-known way to damage a reactor core: power excursions.
“Power excursion” sounds like a special kind of outing along the lines of “power lunch,” “power nap,” and “power tie.” It may have such connotations, but in this commentary it refers to the uncontrolled and undesired rapid increase in the power level of a reactor core.
The reactor core contains the fuel powering the nuclear plant’s engine. In most other sources of power, the fuel is metered into the engine on an as-needed basis. For example, an internal combustion engine like that in many horseless carriages has an external fuel tank with gasoline supplied to the pistons depending on how far the gas pedal is depressed. Likewise, the boilers at fossil-fired power stations are supplied coal, oil, or natural gas as needed from outside storage facilities. And even the power generators at hydroelectric dams use some water while most of their fuel (i.e., the lakes) waits patiently nearby.
But reactor cores contain enough nuclear fuel to allow them to operate for 18 to 24 months between refueling outages. It’s like having all the gasoline for a 400-plus mile journey within the pistons and using some means to limit how much of that fuel is burned with each stroke of the pistons. Elaborate and highly reliable means are used to split enough atoms within a reactor core to operate at full power today, while reserving most of the atoms for splitting next week, next month, and even next year.
When the highly reliable control systems fail, too many atoms split. The power level of the reactor core rises uncontrollably. The energy released during the power excursion can damage the reactor as well as its protective containers. As described below, the power excursions at SL-1, Chernobyl, and Tokaimura damaged fuel and killed people.
SL-1 – Arco, Idaho (January 1961)
Three workers worked the night shift on January 3, 1961, preparing to restart the SL-1 boiling water reactor from a two-week outage over the holidays. Their assigned tasks included exercising the control rods in the reactor core to lessen a sticking problem that plagued operation in the past. The workers disconnected each control rod one at a time and manually raised them from the reactor core about four to six inches and then lowered them back to loosen up the travel. Sticking control rods had been experienced over 80 times since the reactor first started up on August 11, 1958.
About 9 pm, alarms at a nearby facility indicated problems at SL-1. Responders rushed to the site. High radiation levels slowed their passage through the facility. They did not see anyone until they reached the doorway into the reactor compartment. They saw two workers down on the floor amid evidence of violence (Fig. 2). One worker was dead; the other was alive but injured badly. The responders rushed the injured worker to a waiting ambulance, but he died en route to the hospital.
Responders located the body of the third worker pinned to the ceiling by a control rod ejected from the reactor core. They recovered the bodies of the workers and dismantled the damaged reactor over the next few months.
The Atomic Energy Commission produced a video describing the accident and the recovery efforts. Because there were no survivors of the accident, the AEC employed CSI Nuclear to figure out what happened.
They determined that the central control rod had been withdrawn about 20 inches from the reactor core. They don’t know why it was withdrawn so far. Some theorized that a worker applied excessive force to a stuck control rod that broke free to travel 20 inches. Others speculate that a worker “goosed” the worker holding the control rod, prompting a reaction that pulled it up too far. And there’s even a grassy knoll conspiracy theory that it was a murder-suicide because the wife of one worker was leaving him to take up with his co-worker.
Whatever the reason for it, withdrawing the control rod that far restarted the nuclear chain reaction within the reactor core. The power level soared to many times the full power level in a fraction of a second. The thermal energy released during the rapid power increase vaporized the water in the reactor vessel. A steam bubble raced upward, shooting control rods out. When the steam bubble hit the top of the reactor, the force lifted the entire reactor vessel and its core up about nine feet before gravity dropped it back into place.
The parts of the SL-1 facility contaminated by the power excursion later made an excursion of a different nature—workers removed them and transported them out into the Idaho desert for burial.
Chernobyl – Ukraine (April 26, 1986)
Workers on the April 25, 1986, night shift on the Unit 4 reactor at the Chernobyl nuclear plant prepared to conduct a special safety test. The reactor was being shut down for a planned maintenance outage. The test called for the operators to manually turn off the turbine/generator. When operating, the large metal blades within the turbine spin at high speeds, cranking the generator connected to the same shaft to make electricity. The test sought to determine how long the turbine spun, even after being turned off, to continue supplying electricity to emergency equipment. The test sought to add an additional layer of safety in the plant’s defense-in-depth defenses.
Workers had reduced the reactor power level to about 50 percent when the dispatcher for the offsite electrical grid called to ask that the shutdown be postponed several hours. Workers resumed the power reduction about nine hours later. The delay affected conditions in the reactor core. To achieve the conditions specified in the test procedure, workers withdrew control rods past allowable limits established in operating procedures. Workers also started two additional water coolant pumps, again contrary to operating procedures. To enable the test to ascertain how an alternate power supply could work, the test procedure had the workers intentionally disable some of the normal safety features.
Early on the morning of April 26 with the reactor power level reduced to about 7 percent of full power, the operators started the test. Because the reactor conditions resulting from the unexpected delay differed significantly from those anticipated when the special test was written and approved, problems were soon encountered. Workers realized that the test was going badly and depressed pushbuttons to halt the test by rapidly inserting the control rods into the reactor core.
The workers intended to quickly reduce the reactor power level by terminating the nuclear chain reaction. The abnormal reactor core conditions they established for the test created the exact opposite response. Their actions caused the reactor power level to soar from 7 percent to above 100 percent power in a handful of seconds. The thermal energy released during the power excursion boiled a large amount of cooling water. The expansion of so much water turning into steam triggered a massive steam explosion that literally blew the containment building open (Fig. 4).
Unlike U.S. nuclear plants that use water, Chernobyl used graphite blocks to slow down, or moderate, the high energy neutrons released by atoms splitting in the reactor core to the speeds needed for neutrons to interact with atoms to yield more fissions. The accident ignited the graphite, which burned for about ten days carrying radioactive particles and gases with the smoke high into the atmosphere. Rainfall contaminated regions in the Ukraine many miles from the plant. Large areas around the plant remain heavily contaminated and virtually inaccessible three decades later.
Safety by Intent
Just as nuclear power reactors are equipped with an array of diverse and redundant emergency systems to prevent reactor core meltdowns such as those described in Disaster by Design/Safety by Intent #26, the reactors have protection against reactivity excursions.
To guard against a repeat of the SL-1 accident, reactor cores at U.S. nuclear plants are designed to be shut down even if the most powerful control rod remains fully withdrawn. A combination of design features and administrative controls further restricts how fast the reactor’s power level is increased. And the reactor protection system will automatically shut down a reactor within seconds if the power level increases too rapidly. Fission Stories #59 described how this system stepped in and rapidly shut down the Pilgrim reactor after operators failed to properly control the startup rate.
But Chernobyl had design features guarding against reactivity excursions. Workers disabled those features in order to conduct the safety test.
And SL-1 had administrative controls guarding against reactivity excursions. Workers, for reasons unknown because none survived to explain why, violated those measures during safety repairs.
Letting the safety guard down invites disaster. And we’ve already accumulated too many reminders that disaster sometimes accepts the invitation.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.