Disaster by Design/Safety by Intent #61
Safety by Intent
Picture a driver distracted by tuning the car’s radio or reading a very clever roadside billboard and unknowingly traveling through a stop sign without even slowing down. Due to good fortune, the driver neither hits another vehicle nor gets hit.
Upon realizing the stop sign had been run, the driver could have two reactions. Based on the actual outcome, the driver could conclude that less time would be wasted in the future by simply not stopping at stop signs and red lights any more. Or, based on what could have happened, the driver could resolve to pay better attention to traffic safety signs.
Nuclear safety is best served when plant owners and the Nuclear Regulatory Commission (NRC) view things considering “what if” instead of “what was.” As evidenced by a problem recently reported to the NRC by the owner of the Peach Bottom nuclear plant in Pennsylvania, the nuclear industry typically considers “what if” rather than “what was.”
On August 16, 2016, workers identified a small amount of water leaking from a one-inch diameter pipe going from the 18-inch diameter High Pressure Service Water (HPSW) system pipe downstream of the Residual Heat Removal (RHR) heat exchangers A and C to the radiation sampling system.
Following an accident, the HPSW system takes water from the Conowingo Pond, supplies it to the RHR system’s heat exchangers, and returns the warmed water to the pond. The RHR system provides cooling for the reactor core and the primary containment during an accident. By connecting to but being physically separate from the RHR system, the HPSW system discharges heat during an accident to the environment without also discharging radioactivity to it. The HPSW system features four motor-driven pumps each capable of supplying 4,500 gallons per minute flow.
The leak rate was approximately 120 drops per minute, well below the capacity of one HPSW pump, let alone all four pumps. That small leak rate would not adversely affect the HPSW system’s cooling role.
The leak’s location was downstream of the RHR heat exchangers. Thus, the leaked water would have already performed its intended safety function before it escaped from the pipe.
Based on what it was, the identified leak had zero safety implications.
But the plant owner looked beyond “what was” to evaluate “what if.” Water leaked from a small crack in the one-inch diameter pipe going to a radiation sampling system. The engineering department evaluated the effect of that crack during a postulated design basis earthquake and concluded that the shaking movements could break the one-inch pipe. If so, approximately 77 gallons per minute could leak from the broken one-inch pipe.
The 77 gallon per minute leak was a very small fraction of the HPSW system’s flow. And the leak would occur after the water flowed through the RHR heat exchangers. If the pipe broke, the leaked water would go onto the floor instead of back into the pond.
The owner evaluated where the leaked water could go and concluded that it could enter the room housing RHR pump C and disable the pump. Because of this potential, RHR pump C was considered to be inoperable until the cracked pipe was repaired.
The RHR system has four motor-driven pumps. The accident studies show that reactor core and containment cooling can be accomplished by a single RHR pump.
The cracked one-inch pipe might have disabled RHR pump C after an earthquake but would not have affected RHR pumps A, B, and D.
The “what if” process assumed the earthquake occurred when the division 2 emergency diesel generators were out of service for maintenance. The unavailability of the emergency diesel generators and the loss of the offsite power grid took away RHR pumps B and D but would not have affected RHR pump A.
The NRC’s single failure criterion (defined in Appendix A to 10 CFR Part 50) further requires that safety studies assume a single failure of a safety component. Application of that criterion in this Peach Bottom case takes away RHR pump A as justification for accepting the impaired RHR pump C.
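The chain of assumptions above (pipe break floods one pump room, one electrical division out of service with offsite power lost, then a single failure of whatever remains) is the kind of reasoning that is easy to shortcut when done in one’s head. The following small model is an added illustration, not the plant owner’s or UCS’s analysis: it applies the same “what if” chain to the four RHR pumps and checks whether at least one pump survives. The pump-to-division mapping (A and C on division 1, B and D on division 2) is an assumption inferred from the post’s statement that the division 2 outage took away pumps B and D, and single failures are limited to the RHR pumps themselves for simplicity.

```python
# Added example modelling the "what if" chain described in the post.
# ASSUMPTIONS (not stated on the page): pumps A and C are powered from
# division 1 and pumps B and D from division 2; the single failure
# criterion is applied only to the RHR pumps, not to other components.

PUMP_DIVISION = {"A": 1, "B": 2, "C": 1, "D": 2}  # assumed mapping
PUMPS_REQUIRED = 1  # accident studies: one RHR pump suffices for cooling


def pipe_break_floods_room(pump):
    """Earthquake breaks the cracked 1-inch pipe; spilled water disables `pump`."""
    def lose(remaining):
        return {p for p in remaining if p == pump}
    return lose


def division_power_lost(division):
    """Division diesels in maintenance plus loss of the offsite grid."""
    def lose(remaining):
        return {p for p in remaining if PUMP_DIVISION[p] == division}
    return lose


def apply_events(pumps, events):
    """Remove pumps lost to each postulated event, in order."""
    remaining = set(pumps)
    for _description, lose in events:
        remaining -= lose(remaining)
    return remaining


def worst_single_failure(remaining):
    """Single failure criterion: assume one surviving pump fails.

    Every pump counts the same here, so losing any one of them is the
    worst case; the alphabetically first pump is chosen for determinism.
    """
    if not remaining:
        return None, set()
    failed = min(remaining)
    return failed, remaining - {failed}


def evaluate(pumps, events, required=PUMPS_REQUIRED):
    """Return what survives the events and the single failure, and whether
    the surviving pumps meet the required count."""
    after_events = apply_events(pumps, events)
    failed, credited = worst_single_failure(after_events)
    return {
        "after_events": sorted(after_events),
        "single_failure": failed,
        "credited": sorted(credited),
        "operable": len(credited) >= required,
    }


# "What was": the leak as found (120 drops/min) affects no pump.
WHAT_WAS = []

# "What if": earthquake breaks the pipe and floods the pump C room while
# division 2 is out of service and offsite power is lost.
WHAT_IF = [
    ("earthquake breaks cracked pipe, floods RHR pump C room", pipe_break_floods_room("C")),
    ("division 2 diesels in maintenance + loss of offsite power", division_power_lost(2)),
]

# After the repair the pipe break no longer applies; the power assumption remains.
AFTER_REPAIR = WHAT_IF[1:]

if __name__ == "__main__":
    for label, events in [("what was", WHAT_WAS), ("what if", WHAT_IF), ("after repair", AFTER_REPAIR)]:
        print(f"{label:>13}: {evaluate(PUMP_DIVISION, events)}")
```

Run as a script, the “what was” case credits three pumps after a single failure, the “what if” case leaves pump A alone and the single failure removes it, so pump C’s impairment cannot be accepted, and the “after repair” case leaves pumps A and C so that one survives the single failure. That last line is why fixing the small crack restored operability rather than merely tidying up a drip.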
The discovery of a small amount of water leaking from the HPSW pipe downstream of the RHR heat exchangers could have been downplayed and tolerated for a long time before being fixed. Instead, workers determined that the little leak could, with help from an earthquake, cause a larger leak that could disable one of the RHR pumps.
The potential disabling of an RHR pump could have been downplayed and tolerated for a long time. Instead, workers recognized the challenge to the defense-in-depth approach to nuclear safety and quickly fixed the problem.
Disaster by Design
Bob Pollard, my predecessor at UCS, said he had no doubts that one could operate a safe nuclear plant and had no doubts that one could operate an economical nuclear plant. His doubts involved operating a safe reactor that was also economical.
Proper application of the “what if” process supports both safe and economical reactor operation. Misapplication of the process compromises safety and/or economics.
Proper application does not mean posing every conceivable “what if” question. For example, “what if an asteroid the size of the moon were to hit the plant?” can probably be left unanswered. But proper application entails asking, and answering, every credible question.
In this case at Peach Bottom, and many others elsewhere, the “what if” process served nuclear safety. Post-accident inquiries nearly always identify misapplications of this process.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.