Disaster by Design: Safety by Intent #9
Disaster by Design
In nukespeak, ATWS stands for Anticipated Transients Without Scram. In carspeak, it might stand for A Tree Without Stopping. When a tree jumps in front of a moving vehicle, good reaction time by the driver and good brakes can avoid or mitigate a car accident. Similarly, rapidly shutting down a nuclear reactor can avoid or mitigate a nuclear plant accident.
The term “transient” has special meaning in nukespeak. Nuclear Energy Activist Toolkit #17 explained the difference between anticipated transients and postulated accidents. Transients are problems that cause uncontrolled changes in the reactor’s power level or impair the ability to remove the heat generated by the reactor core. Nuclear Energy Activist Toolkit #11 described how the reactor protection system monitors plant parameters and triggers the automatic rapid shutdown (scram or trip) of the reactor to prevent transients from causing bigger problems.
ATWS is a situation where plant conditions warrant the prompt shutdown of the reactor, but that prescribed safety response does not occur. A car striking a tree at speed can be tragic; a nuclear reactor not stopping in time can be catastrophic.
Nuclear Energy Activist Toolkit #23 described Dr. David Okrent’s invaluable manuscript “On the History of the Evolution of Light Water Safety in the United States.” Dr. Okrent was a longtime member of the Advisory Committee on Reactor Safeguards (ACRS), a panel of experts advising the Atomic Energy Commission (AEC) and its successor, the Nuclear Regulatory Commission, on technical issues.
Dr. Okrent devotes Chapter 4 among the seven chapters of his 1,100-plus page manuscript to ATWS. He explains how the ACRS grew increasingly concerned about the reliability of the “nuclear brakes” to halt the reactor in time to prevent disaster. He cites an ACRS letter written to the AEC staff in December 1967 that stated “The Committee [ACRS] believes that the present design [of the reactor protection system] is unsatisfactory.” Not surprisingly, the vendors of reactors did not share this ACRS perspective. Instead, Dr. Okrent wrote that the “reactor vendors are not enthusiastic in their approach to solving the ATWS problem, because they feel that a problem does not exist.” Why solve a problem that can never occur?
Decade of Delay
The decade following the ACRS’s letter was filled with lots of meetings and reports and posturing, but nothing in the way of resolving the ATWS problem. Dr. Okrent writes “the year 1977 passed without issuance of a new Regulatory Staff position on ATWS, and this generic item remained unresolved eight years after its inception. … And, reactors continued to be designed and receive construction permits without incorporation of mitigating features.”
But some things had not changed with time. According to Dr. Okrent, the “reactor vendors, the utilities and the Electric Power Research Institute vigorously opposed the [NRC] Staff proposals” to resolve the ATWS problem.
But time was running out for the nuclear industry’s opposition to solving the ATWS problem. The argument against solving a problem that cannot happen is seriously weakened when it happens, then happens again, and then happens a third time.
Fission Stories #107 described a June 28, 1980, ATWS-like moment on the Unit 3 boiling water reactor at the Browns Ferry nuclear plant in Alabama. Workers were shutting down the reactor for a scheduled outage. The standard practice at the time was to reduce the reactor’s power level to 15 to 20 percent and then manually scram the reactor. In about five seconds, all the control rods would be fully inserted and the nuclear chain reaction interrupted.
That day, some control rods had been fully or partially inserted, but most of the control rods were fully withdrawn. In the following maps of control rod positions, 48 indicates control rods fully withdrawn from the reactor core and 0 indicates fully inserted control rods. Other numbers indicate control rods partially inserted into the reactor core. Fig. 1 shows the locations of the rods when the reactor was operating.
A control room operator depressed two pushbuttons to scram the reactor. But the reactor declined to be scrammed. 76 of the reactor’s 185 control rods had not fully inserted into the reactor core as they were supposed to do. Some control rods had fully inserted (represented by the blank boxes in the map), especially on the right side of the core. Other instruments showed that the nuclear chain reaction still continued, at least on the left side of the core (Fig. 2).
A control room operator depressed the two pushbuttons again to attempt a second reactor scram. But the reactor demurred again. 59 control rods were still not fully inserted into the reactor core (Fig. 3).
Not having lots of options available, a control room operator depressed the two pushbuttons to attempt a third reactor scram.
The reactor matched the operator’s persistence and once again refused to be scrammed. But the operators were gaining ground—after three attempts spanning nearly 15 minutes, “only” 46 control rods were not yet fully inserted (Fig. 4).
Sensing that the reactor’s resolve had weakened, a control room operator depressed the two pushbuttons for the fourth reactor scram attempt. This time, all control rods were fully inserted into the reactor core.
The control rods on boiling water reactors like Browns Ferry are hydraulic pistons. To move a control rod, high pressure water is supplied to one side of the piston and vented from its other side. The differential pressure across the piston causes the control rod to move.
The problem that day at Browns Ferry was that the vents for the control rod pistons were routed to two large cylindrical pipes called the scram discharge volumes. Although no plug has ever been found, it is commonly believed that one scram discharge volume became partially filled with water. The first scram attempt filled the remaining volume, equalizing the pressure across the control rod pistons and stopping the control rod insertions. The two volumes served the left and right sides of the core—the unclogged volume allowed the control rods on the right side of the core to fully insert after the first attempt. As water slowly drained from the clogged volume, space was created to accept water from the second and third scram attempts, allowing some more control rod inward movements. The plug was dislodged by the third or fourth attempt, allowing full insertion of all the control rods.
Lightning struck for the second time (or fourth time, depending on whether one counts Browns Ferry’s three scram failures as being one time or three times) in February 1983. Fission Stories #106 described the ATWS-like moments that happened to the Unit 1 pressurized water reactor at the Salem nuclear plant in New Jersey on February 22, 1983, and again on February 25, 1983.
On February 22, conditions warranted an automatic scram of the Salem Unit 1 reactor. But the reactor protection system failed to automatically scram the reactor. The operators manually scrammed the reactor. Workers did not realize that the reactor protection system had failed and restarted the reactor.
During the ensuing startup, the reactor once again experienced conditions warranting an automatic scram. Once again, the reactor protection system failed and the operators manually scrammed the reactor about 30 seconds later. This time workers recognized that the reactor should have automatically scrammed, but had failed to do so. They traced the problem to the reactor trip breakers.
The reactor trip breakers are part of the reactor protection system. When sensors monitoring plant parameters detect a problem, the logic circuits send signals to the reactor trip breakers to open. The opened reactor trip breakers stop the flow of electricity to the control rod drive mechanisms. The de-energized control rod drive mechanisms allow the control rods to drop by gravity into the reactor core.
But the reactor trip breakers failed to open. Subsequent investigations by the owner and the NRC concluded that inadequate maintenance of the reactor trip breakers caused their failure. The maintenance problems included improper lubrication (instead of oiling a moving part to aid its movement, the lubricant became more like glue to impede movement) and uncontrolled swapping of parts among breakers (sizing differences caused parts that performed well in one breaker to experience difficulty moving when placed in another breaker).
The Long-Awaited, and Long-Delayed, ATWS Rule
509 days after the partial scrams at Browns Ferry, the NRC issued its proposed ATWS rule for public comments. It recounted the safety concerns dating back to the late 1960s and cited the Browns Ferry event as evidence of the need to impose additional measures. 460 days after the NRC issued its proposed ATWS rule, Salem had an ATWS event. The one-two punch of Browns Ferry-Salem undermined the industry’s arguments that the problem was too remote and speculative. The ATWS rule was finally adopted on June 26, 1984.
Safety by Intent
The good news is that measures have been taken to reduce vulnerability of U.S. reactors to ATWS events.
The bad news is that it took nearly two decades between the safety concerns being raised and the safety solutions being implemented.
That pace is too slow. The ATWS fixes imposed in 1984 were good. These same fixes imposed in 1974 would have been great.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.