Fission Stories #199
The James A. FitzPatrick nuclear plant near Oswego, New York has one boiling water reactor (BWRs) with a Mark I containment design. Water flowing through BWR cores is heated to boiling with the steam flowing through turbine/generator to make electricity. Steam exits the turbines and flows past thousands of tubes within the condenser. Water from the lake flowing inside the tubes cools the steam and transforms it into water. The condensed steam is pumped to the reactor vessel to make more steam.
Fig. 1 (Source: Nuclear Regulatory Commission)
The operators reduced the reactor power level on January 22, 2016, to 65 percent for scheduled maintenance. At 10:17 pm on January 23, the operators had increased the reactor power level to 89 percent on the way back to full power following completion of the maintenance. An alarm alerted them that the water level at the intake structure had dropped nearly two feet below normal. Environmental conditions formed chips of ice, called frazil ice, in the lake. Water being drawn into the plant caused ice to collect on the traveling screens at the intake structure. The traveling screens are metal mesh plates that rotate on rollers to prevent debris in the lake water from being drawn into the plant. Ice accumulating on the traveling screen partially blocked the incoming flow. As a result, the water level inboard of the traveling screens dropped lower than the lake’s level. If that level dropped too low, the circulating water pumps would pull in air instead of water (Fig. 2).
Fig. 2 (Source: Nuclear Regulatory Commission)
By procedure, the operators responded to the alarm by reducing the reactor power level to 75 percent and turning off one of the three pumps that circulate lake water through the condenser (Fig. 3). Reducing the incoming water flow rate reduced the amount of ice drawn onto the traveling screens. But the water level at the intake structure continued dropping until it reached four feet below normal. Per procedure, the operators manually scrammed the reactor at 10:40 pm.
Fig. 3 (Source: Nuclear Regulatory Commission)
Scramming the reactor caused control rods to fully insert within seconds to terminate the nuclear chain reaction. The rapid power reduction significantly reduced the amount of steam flowing to the turbine/generator, leading to the turbine being turned off and the generator taken offline.
With the reactor operating, electricity produced by the generator flowed out through the switchyard to the offsite power grid. Electricity from the generator also flowed through a transformer to supply power to equipment throughout the plant.
The plant’s design called for the power supply to swiftly transfer from the generator’s output to the offsite power grid through two other transformers. But the cold weather hardened the lubricating oil for electrical breaker 10042 in the switchyard, causing it to open more slowly than desired. The slowed breaker prevented the swift transfer. Instead, supply was transferred about three seconds later by a backup logic circuit. That momentary power interruption caused non-essential equipment throughout the plant to stop running; most notably, the other two circulating water pumps at the intake structure.
Fig. 4 (click to enlarge) (Source: Nuclear Regulatory Commission)
With no lake water flowing through the tubes inside the condenser, the operators manually closed the two isolation valves in the main steam lines between the reactor vessel and the turbine/generator. Steam continued to be produced by the reactor core’s decay heat. This steam had no place to go and caused the pressure inside the reactor vessel to rise. When the pressure rose about 10 percent above normal pressure, safety/relief valves (SRVs) automatically opened to discharge steam through a pipe into the water of the suppression chamber (also called the torus due to his donut shape.) When the pressure dropped sufficiently low, the SRVs automatically reclosed. The SRVs cycled opened and closed to control reactor pressure (Fig. 5)
Fig. 5 (Source: Nuclear Regulatory Commission)
HPCI Use and Misuse
By procedure, the operators started the High Pressure Coolant Injection (HPCI) system in pressure control mode. The HPCI system uses a turbine supplied with steam from the reactor vessel to spin a pump that transfers makeup water from the Condensate Storage Tank to the reactor vessel. The steam exiting the HPCI turbine flows into the suppression chamber water. HPCI system operation prevents the SRVs from cycling opened and closed. The SRVs have a nasty habit of sticking open, so minimizing the times they open lessens the chances they stay open.
The normal source of water for the HPCI system is the Condensate Storage Tank. But if this tank’s water level drops too low or the water level inside the suppression chamber rises too high, valves will automatically close and open to swap the supply from the Condensate Storage Tank to the suppression chamber.
More than an hour after the scram, the water level within the suppression chamber was approaching the swap-over setpoint. Procedures directed the operators to bypass the automatic swap-over for this plant condition. The control room supervisor recognized this need and directed the operators to take this step. But they failed to complete the task before the HPCI pump suction was automatically transferred over to the suppression chamber.
Procedures only permitted HPCI to be operated in pressure control mode when it took water from the Condensate Storage Tank. So, the operators had to shut down the HPCI system and revert back to the undesirable reliance on SRVs cycling to control reactor pressure.
The NRC issued a green finding, the least severe among its green, white, yellow, and red violation classification scheme, for the failure to properly implement procedures resulting in the avoidable need to rely on the unreliable SRVs for pressure control.
RHR Use and Misuse
More than twenty-four hours later, the operators sought to place the Residual Heat Removal (RHR) system in shutdown cooling mode. The RHR system is like a Swiss army knife—it can makeup water to the reactor vessel, cool water in the reactor vessel, cool the containment atmosphere, cool the torus water and airspace, and cool the spent fuel pool (Fig. 6).
Fig. 6 (Source: Nuclear Regulatory Commission)
The shutdown cooling mode uses one or two of the RHR pumps to take water from a recirculation system pipe connected to the reactor vessel, route it through heat exchangers where lake water cools it down, and return the cooled water to the recirculation system pipe so it flows into the reactor vessel (Fig. 7).
Fig. 7 (Source: Nuclear Regulatory Commission)
The procedure directed the operators to flush the RHR system piping before placing the system in shutdown cooling mode. The RHR system is normally in standby and stagnant water inside its pipes is “dirty” water compared to the nearly pure water circulating through the reactor vessel. Workers used the condensate transfer system to drain water from the RHR system pipes and replace it with “clean” water. Workers opened valve 10RHR-274 to perform this flushing activity.
The procedure directed operators to close 10RHR-274 before placing the RHR system into the shutdown cooling mode. But the operators failed to close this valve. When properly aligned, the RHR shutdown cooling mode merely circulates water from the reactor vessel through heat exchangers and back to the vessel, neither removing nor adding water inventory. With the improper alignment caused by the open valve, the RHR shutdown cooling mode added water to the reactor vessel. And not just a little bit of additional water.
The normal water level inside the reactor vessel is about 196 inches (16 1/3 feet) above the top of the reactor core. A rule-of-thumb is that about 200 gallons of water is needed to raise or lower the vessel level by one inch. So, nearly 40,000 gallons of water must drain out or boil off for the normal water level to drop to the reactor core’s level, even more to uncover the core.
Fig. 8 (Source: Nuclear Regulatory Commission)
By running RHR shutdown cooling mode with the valve mistakenly open, the operators added water to the reactor vessel at FitzPatrick until water poured into the main steam lines. The main steam lines are located about 86 inches (over 7 feet) above the normal water level. It took nearly 17,200 gallons of water to increase the vessel level to the point of sending water down the main steam pipes.
As shown in Fig. 8, the level of the main steam line nozzles is above the upper scales of the Narrow Range and Wide Range water level instruments—the gauges the operators are trained to monitor frequently. Even if distracted, an alarm sounds in the control room when the vessel level rises just a few inches (not feet) above normal.
Sending water through the main steam lines could have disabled the HPCI system, the Reactor Core Isolation Cooling (RCIC) system (a smaller version of HPCI), and the SRVs. These systems and components are designed for steam, not water. Overfilling the reactor vessel could have taken away all of the high pressure safety systems for the reactor.
The NRC issued a green finding, the least severe among its green, white, yellow, and red violation classification scheme, for the failure to follow procedures resulting in loss of vessel level and potential impairment of multiple safety systems.
Our Takeaway
The HPCI swap-over miscue is a reminder of the trap one can fall into when given plenty of time to accomplish a short-term task. It did not take very long to install the bypass on the automatic swap-over. The operators had many tasks to perform besides installing the bypass. It was tempting to undertake seemingly higher priority tasks during the ample time before the swap-over point was reached. But time expired before the bypass was installed.
The RHR shutdown cooling miscue is a reminder about the importance of follow-up. Operators must maintain situational awareness, especially after the situation changes. In this case, placing the RHR system in shutdown cooling mode should have been followed by close monitoring of reactor water parameters to confirm that the temperature began decreasing and the level remained constant. Early awareness that something was wrong would have enabled intervention to minimize the consequences.
This one event revealed problems with the operators planning and implementing tasks. If operator performance is deficient when ample time is available and stress levels are low, how would the operators perform during an accident? The NRC’s Green findings would likely become Yellow or Red as the consequences of miscues become more significant.
So, the proper response to NRC’s slaps on the wrists is not to purchase wrist guards to lessen the sting of future slaps, but to take steps necessary to avoid future slaps, or worse.
“Fission Stories” is a column by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.