Disaster by Design: Safety by Intent #18
Disaster by Design
Disaster by Design/Safety by Intent #17 covered command and control problems at nuclear power plants that undermined safety. Remote control is required at nuclear power plants to provide capabilities when the control room has to be abandoned. This commentary covers remote control and some of its problems.
Remote control dates back to the March 22, 1975, fire at the Browns Ferry nuclear plant in Alabama. A worker using a candle to check for air leaks through the walls of the cable spreading room started a fire that burned for nearly six and a half hours. The cable spreading room is directly beneath the control room for the Unit 1 and 2 reactors. Smoke entered the control room and could have caused the operators to abandon it or put on respirators to remain.
Among the safety upgrades imposed by the NRC following the Browns Ferry fire was the need to provide operators with the means to safely shut down the reactor and keep it adequately cooled even if the control room were to be abandoned. Many owners complied with this NRC mandate by installing remote shutdown panels at their plants. As shown in Fig. 1, shutdown panels contain control switches and monitoring instrumentation for the minimum subset of safety equipment needed to cool the reactor core. The procedures typically directed the operators to manually shut down the reactor from the control room and then transfer controls to the remote shutdown panel.
- Operators have had to abandon the control room of at least one U.S. nuclear power reactor. On August 7, 1997, a member of the training department took a picture of a fire detection panel inside the control room of the Haddam Neck nuclear plant in Connecticut (now permanently closed for reasons unrelated to this picture-taking). The camera’s flash tricked the fire detector circuit into sensing a fire. Seconds later, the fire suppression system discharged Halon gas into the control room. Seconds later, the operators fled the control room. Halon gas extinguishes fires by reducing the oxygen concentration below the level needed to sustain combustion, which is also below the level needed to sustain living. For 35 minutes, the operators monitored controls through a window in an adjacent room, darting back into the control room when necessary to respond to alarms.
- In April 1989, NRC inspectors discovered a problem at the Trojan nuclear plant in Oregon (now permanently closed for reasons unrelated to either this NRC discovery or the picture taken at Haddam Neck) that had the potential to force operators to abandon the control room. The NRC inspectors raised concern about ten large storage tanks located on the roof of the control room. Four of the tanks contained hydrogen gas while the other six tanks contained nitrogen gas. The pressure relief valves for the hydrogen storage tanks were near the intake for the control room ventilation system. The NRC inspectors were concerned that hydrogen or nitrogen gas leaking from these tanks could find its way into the control room and force the operators to find their way out of it. In addition, the NRC inspectors calculated that the hydrogen gas had the explosive energy equivalent to 217 pounds of TNT—a hazard that really should not be sitting on the control room’s roof.
- In the mid-1980s, NRC inspectors on a tour of the Grand Gulf nuclear plant near Port Gibson, Mississippi asked the Operations Superintendent for a look at the remote shutdown panel. The Operations Superintendent held a Senior Reactor Operator license issued by the NRC and managed all the control room and equipment operators at Grand Gulf. The Operations Superintendent guided the NRC inspectors to a few places within the plant, but was never able to find the little room housing the remote shutdown panel. The following day, equipment operators taped signs throughout the plant to help the Operations Superintendent find the remote shutdown panel: “You’re Getting Warmer,” “Wrong Turn, Should Have Zigged Right instead of Left,” “Wrong Floor–Try Two Flights Down” and other aids.
Remote Control Problems
Operators have also experienced problems with remote shutdown panels they have been able to find. Among the numerous examples:
- On September 16, 2015, operators discovered that the control switch on the remote shutdown panel for the Unit 2 reactor at the Peach Bottom nuclear plant in Pennsylvania would not open a valve needed for the reactor cooling system to work. Maintenance workers found that a wire was disconnected from the control switch. The periodic tests of the remote shutdown panel did not check whether the valve could be opened and records did not indicate when, if ever, the control switch had been properly wired and functional.
- On June 2, 2005, workers at the Duane Arnold nuclear plant in Iowa discovered that a fire in the control room could cause electrical circuits to short out. Failure of those circuits could initiate a sequence of events that would include turning off the power to the remote shutdown panel.
- On November 2, 2002, an electrical fault caused a small fire in an instrumentation panel in the control room for the Unit 2 reactor at the Brunswick nuclear plant near Southport, North Carolina. Six weeks later, workers investigating electrical circuits as a result of the fire found that an electrical short in the 125 volt direct current system could cause all the power supply fuses to the remote shutdown panel to blow.
- On December 14, 1995, the owner of the Unit 2 reactor at the Hatch nuclear plant near Baxley, Georgia, notified the NRC about five problems with its remote shutdown panel. A design error in the control transfer scheme for one valve would have prevented its control switch on the remote shutdown panel from being able to open the valve. Two other valves had loose or disconnected wires that prevented them from being operated from the remote shutdown panel. Two other valves had problems with the limit switches used to monitor whether the valves were opened or closed; these problems prevented the valves from being opened from the remote shutdown panel. All five valves had successfully passed periodic tests for years. Hatch was the pilot plant for Improved Technical Specifications. When workers performed the revised tests of the remote shutdown panel required by the Improved Technical Specifications, the latent problems were identified.
- On May 21, 1992, the owner of the Columbia Generating Station (then known as the Washington Nuclear Plant–Unit 2) near Hanford, Washington, informed the NRC about a design error for its remote shutdown panel dating back to initial reactor startup in 1984. The remote shutdown panel for the boiling water reactor at the Columbia Generating Station has control switches and associated instrumentation for the Reactor Core Isolation Cooling (RCIC) system to protect against nuclear fuel damage in the event the control room has to be abandoned. The RCIC system uses a steam turbine connected to a pump to transfer makeup water into the reactor vessel. But the power supply for the RCIC turbine control circuit was not included in the original design of the remote shutdown panel. The design flaw had not been uncovered during the periodic tests performed for the remote shutdown panel even though the flaw could have prevented the RCIC system from working.
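The five events above share one pattern: a periodic test that checks the panel looks alive passes for years while the end-to-end function (transfer control, command the device, see it move) is broken by a loose wire, a transfer-scheme error, a missing power supply, a bad permissive, or fuses that blow exactly when the control room is on fire. The following model is an added example, not code from the original post or from any plant; every path name, flag and fault is constructed to stand in for one of those defect classes, and the two test routines are assumptions about what a shallow test and a functional test would each observe. It shows which defects a shallow test leaves latent, and that the fuse-isolation defect only surfaces when the test is run under the scenario the panel exists for.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ControlPath:
    """One device operable from a remote shutdown panel (constructed model).
    Each flag stands in for a defect class named in the post; True = healthy."""
    name: str
    switch_wired: bool = True              # switch-to-terminal wire attached (Peach Bottom, Hatch)
    transfer_scheme_ok: bool = True        # transfer relay actually routes the panel signal (Hatch)
    panel_fuses_ok: bool = True            # panel supply fuses intact
    fuses_isolated_from_cr: bool = True    # panel supply survives a control room short (Brunswick, Duane Arnold)
    actuator_power_in_design: bool = True  # device control power included in the panel design (Columbia)
    permissive_ok: bool = True             # limit-switch permissive allows the open command (Hatch)

    def panel_powered(self, control_room_fire: bool) -> bool:
        """Panel power under a given scenario: blown fuses always fail it; a
        control room fire fails it only if the supply is not isolated."""
        if not self.panel_fuses_ok:
            return False
        if control_room_fire and not self.fuses_isolated_from_cr:
            return False
        return True

    def indicator_test(self) -> bool:
        """Shallow periodic test (assumed): panel energized and lamps light,
        run with a healthy control room and without commanding the device."""
        return self.panel_powered(control_room_fire=False)

    def functional_test(self, control_room_fire: bool = False) -> Tuple[bool, Optional[str]]:
        """End-to-end test: transfer control, issue the command, confirm the
        device moved. Returns (passed, name of the first failed stage)."""
        stages = [
            ("panel power", self.panel_powered(control_room_fire)),
            ("switch wiring", self.switch_wired),
            ("control transfer", self.transfer_scheme_ok),
            ("actuator power", self.actuator_power_in_design),
            ("open permissive", self.permissive_ok),
        ]
        for stage, ok in stages:
            if not ok:
                return False, stage
        return True, None


# Constructed sample panel: one healthy path plus one path per defect class.
SAMPLE_PANEL = [
    ControlPath("valve-A"),
    ControlPath("valve-B", switch_wired=False),
    ControlPath("valve-C", transfer_scheme_ok=False),
    ControlPath("turbine-D", actuator_power_in_design=False),
    ControlPath("valve-E", permissive_ok=False),
    ControlPath("valve-F", fuses_isolated_from_cr=False),
]


def run_tests(panel, control_room_fire: bool = False):
    """Return {name: (indicator_pass, functional_pass, failed_stage_or_None)}."""
    return {p.name: (p.indicator_test(), *p.functional_test(control_room_fire)) for p in panel}


def latent_defects(panel, control_room_fire: bool = False):
    """Paths that pass the shallow test but fail the functional one: the
    defects a periodic indicator test would leave in place, sorted by name."""
    results = run_tests(panel, control_room_fire)
    return sorted(name for name, (ind, fun, _) in results.items() if ind and not fun)


if __name__ == "__main__":
    for fire in (False, True):
        print(f"scenario: control room fire = {fire}")
        for name, (ind, fun, stage) in run_tests(SAMPLE_PANEL, fire).items():
            print(f"  {name:10s} indicator={ind!s:5} functional={fun!s:5} {stage or ''}")
        print("  latent:", latent_defects(SAMPLE_PANEL, fire))
```

With a healthy control room the shallow test passes every path while four of the six fail functionally; only when the functional test is run under the control room fire scenario does valve-F's unisolated fuse supply show up as well. The design point is that a test proves nothing about stages it never exercises, and a test run under benign conditions proves nothing about the event the equipment is meant to survive.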
Safety by Intent
Just as it was unlikely—but not impossible—for the Fukushima Dai-ichi nuclear plant site to experience a large tsunami, it is unlikely—but not impossible—that operators may be forced someday to abandon the control room of an operating U.S. nuclear power reactor. A seawall was erected along the shoreline to protect Fukushima from tsunamis. Remote shutdown panels were installed at U.S. nuclear power plants to protect them if control rooms are abandoned.
Fukushima’s protective seawall did not rise to the challenge when a large tsunami arrived at the site on March 11, 2011.
Will the remote shutdown panel rise to the challenge?
Perhaps, but probably not.
Testing has proven unreliable at finding the problems that could keep remote shutdown panels from preventing reactor core damage.
Workers seldom, if ever, receive training on cooling the reactor core using the scant controls on the remote shutdown panels. The Operations Superintendent at Grand Gulf could not even find the panel, hardly instilling more confidence in his ability to successfully use it had someone else shown him its location.
Every U.S. nuclear power plant must conduct a large-scale exercise of its emergency response procedures at least once every two years. Every U.S. nuclear power plant must conduct force-on-force exercises of its security measures pitting mock intruders against its guards at least once every three years. That’s a lot of exercises over the past three decades. But a search of ADAMS failed to identify even one time when a safety or security exercise involved operators simulating having to abandon the control room and attempt to cool the reactor core from the remote shutdown panel.
So, will the remote shutdown panel be more successful than Fukushima’s seawall in preventing core damage? Perhaps, but probably not.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.