Nine Mile Point’s Pyramid Scheme

, director, Nuclear Safety Project | January 14, 2014, 6:00 am EDT
Bookmark and Share

Fission Stories #154

The operators shut down the Unit 1 reactor at the Nine Mile Point nuclear plant near Oswego, New York on April 15, 2013, to enter a refueling outage. Nine Mile Point Unit 1 has a boiling water reactor (BWR) with a Mark I containment design.

By the next day, workers had removed the concrete shield plugs and drywell head to provide the access needed to remove the reactor pressure vessel head (shown in red). The operators had raised the water level inside the reactor pressure vessel several feet above its normal level until it was slightly below the flange where the head is bolted onto the vessel.

Click to enlarge

Click to enlarge

This type of BWR has five loops connected to the reactor pressure vessel like the one shown in the graphic. Each loop consists of a large pump. The purpose of these external pumps is to increase the velocity of water flowing through the reactor core during operation. With the unit shut down, these external recirculation pumps had been turned off.

Click to enlarge

Click to enlarge

Even though the unit had been shut down, the reactor core continued to generate large amounts of heat. Many of the byproducts formed by splitting atoms during reactor operation are unstable, which forces them to subsequently emit radiation either in the form of particles (e.g., alpha and beta particles) or energy waves (e.g, gamma rays). These radioactive emissions produce heat that must be removed to protect the reactor core from overheating damage. The shutdown cooling system was being used to cool the water inside the Unit 1 reactor pressure vessel at Nine Mile Point that day. The shutdown cooling system is connected to two of the external recirculation loops. It takes water from the piping going to reactor recirculation pump 14 (RRP 14 in the diagram) and returns water to the piping from RRP 15 back to the reactor pressure vessel.

FS154 Figure 3 Recirc

Click to enlarge

Shutdown Cooling System

The shutdown cooling system consists of three pumps and heat exchangers in parallel. Only one of the pumps (shutdown cooling pump 12) was operating that day. The other two pumps were shut down and had been physically disconnected from their power supplies. Water drawn by shutdown cooling pump 12 from the suction piping to reactor recirculation pump 14 entered hundreds of tubes inside a heat exchanger labeled 38-132 in the diagram. Water from the reactor building closed loop cooling (RBCLC) system entered the heat exchanger and flowed outside of the tubes. Heat conducted through the thin metal walls of the tubes allowed cooler water to be returned to the reactor pressure vessel via the discharge piping from reactor recirculation pump 15. The shutdown cooling system was maintaining the temperature of the water inside the reactor pressure vessel at approximately 115°F.

Click to enlarge

Click to enlarge

Thousands of testing and maintenance tasks are performed when units are shut down for refueling. One team of workers had been assigned to work on the electromatic relief valves (highlighted in yellow in the graphic). The electromatic relief valves are located on the pipes that carry steam produced in the reactor pressure vessel to the turbine. These valves open, either automatically or manually, when needed to control the pressure inside the reactor pressure vessel. For example, if the pressure rises too high, the valves will automatically open to discharge steam through pipes down into the torus. The torus contains a large pool of water that acts like a sponge to soak up thermal energy released from the reactor pressure vessel.

Click to enlarge

Click to enlarge

The electromatic relief valves, as their name implies, receive electrical power to function. During maintenance on the valves, the power supply is disconnected to protect workers from electrical shock hazards.

Problems Begin

The problem began at 2:44pm on April 16 when a worker was double-checking to ensure that power had been disconnected to the electromatic relief valves. The worker opened the wrong electrical cabinet door. Opening this cabinet door automatically caused the breakers from 125 volt dc battery 12 and for static battery chargers 171A and 171B to open. Their opening de-energized 125 volt dc battery board 12 and all components supplied from it.

Click to enlarge

Click to enlarge

The loss of power to 125 volt dc battery board 12 generated a signal to turn off shutdown cooling pump 12. But because the battery board was powerless, the trip signal was not sent and the only pump then cooling the reactor water continued running.

The trip signal was noted in the control room via a blinking light and a printout on the plant’s computer system. But the control room operators did not notice these warnings.

The operators had noticed that the battery board had been de-energized. At 3:03pm and again at 3:05pm, the operators attempted to close the electrical breaker for 125 volt dc battery 12 in order to restore power to the battery board. Both attempts failed.

At 3:36pm, the operators successfully closed the breaker that allowed static battery charger 171 to re-power the battery board. But only for a moment—the breaker soon re-opened and power was once again lost.

Click to enlarge

Click to enlarge

Albeit brief, the re-energization of the battery board did permit the trip signal to be sent that turned off shutdown cooling pump 12. The RBCLC water continued to flow through the heat exchanger, but the shutdown cooling water system stopped sending reactor water through it. As a result, the RBCLC water temperature began decreasing and the water temperature inside the reactor pressure vessel began increasing.

Click to enlarge

Click to enlarge

The Operators Respond

The operators responded to the unplanned loss of shutdown cooling pump 12 by trying to restart shutdown cooling pumps 11 and 13. Because these pumps had been disconnected from their power supplies, the operators first had to reconnect the power supplies before depressing the pumps’ start buttons.

The operators restored cooling of the water inside the reactor pressure vessel at 4:17pm. In the 31 minutes that cooling had been lost, the water heated up to 145°F, a heatup rate of about one degree per minute. Had cooling not been restored, the water would have begun boiling around 5:30pm.

The NRC investigated this event and determined that problems encountered responding to the event warranted a greater-than-green finding (the NRC applies a four-color classification system with green being the least significant classification). While this event resulted in no actual harm to plant workers or the public, the NRC was concerned that it came closer than desired to such outcomes.

During refueling, the lineup of backup and emergency pumps available to supply cooling and makeup water to the reactor pressure vessel shortens considerably. Pumps and support systems for the pumps (such as the emergency diesel generators that supply electricity to pump motors when power from the offsite electrical grid is unavailable) are disassembled for tests and maintenance. And the multiple barriers between radioactive material and the environment that exist during reactor operation shrink to just two.

The NRC was concerned that the worker’s response to the loss of battery board 12 and the complications it spawned was more ad hoc than anticipated. The NRC’s preference is to have procedures developed and vetted in advance that guide operators to do Y when X happens. They frown upon workers having to huddle when X happens and quickly assess whether to do Y or Z.

Click to enlarge

Click to enlarge

Click to enlarge

Click to enlarge

Our Takeaway

While it may seem intuitive that a shut down reactor is inherently “safer” than an operating one, this is not necessarily the case.

Staff in NRC Region IV (the southwest and west) issued an outstanding report from observations about risk management during refueling at nuclear plants in their region. This NRC report described how safety margins can be significantly reduced during refueling outages as the complement of emergency equipment gets down to barebones levels and response times can be measured in minutes. The NRC report pointed out that at on a certain day during the refueling outage, the risk associated with that specific configuration equals that from 36 days of operating at full power.

Plant owners employ the “protected train” approach to risk management during refueling outages. A cooling system, a power supply system, a containment barrier, and so on will be identified and protected from being taken out of service for testing or maintenance until another system can substitute for it in the protection scheme.

Shutdown cooling pump 12 was designated as the “protected train” for cooling the water inside the reactor pressure vessel at Nine Mile Point Unit 1. But that designation only protected it from being intentionally turned off. It remained vulnerable to being inadvertently turned off.

The NRC’s concern was that the response to the unplanned loss of shutdown cooling pump 12 was more informal than it should have been. The NRC expected that procedures would have guided workers to respond more rapidly and with fewer mis-steps.

This actual event was relatively minor. It should not have happened, but many more “what if’s” would have had to fall in place to produce a serious accident. Reducing the frequency of events, even minor ones, reaps large dividends. The so-called event pyramid shows that the number of events tends to decrease as their severity increases. Reducing the number of minor events narrows the base, or foundation, of the pyramid. In turn, those remedies achieve the benefit of also reducing the frequency of more serious events.

Conversely, the “no blood, no foul” approach of tolerating minor events broadens the base and invites more serious accidents. When equipment, training, and procedure problems causing minor events are tolerated instead of being fixed, these pre-existing impairments can shorten the list of “what if’s” needed for future failures to result in more serious outcomes.

The NRC did a good job evaluating this event and putting it in context. That good job makes it less likely that such an event is repeated at Nine Mile Point and other U.S. nuclear plants. The NRC acted to shrink the pyramid.

 

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.

Posted in: Fission Stories Tags: , , , ,

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

Show Comments


Comment Policy

UCS welcomes comments that foster civil conversation and debate. To help maintain a healthy, respectful discussion, please focus comments on the issues, topics, and facts at hand, and refrain from personal attacks. Posts that are commercial, self-promotional, obscene, rude, or disruptive will be removed.

Please note that comments are open for two weeks following each blog post. UCS respects your privacy and will not display, lend, or sell your email address for any reason.

  • Nathanael Nerode

    Updon doing a little bit of research, I find that:
    – Nine Mile Point 1 is one of the two oldest nuclear reactors active in the United States.
    – Nine Mile Point 1 is among the oldest reactor designs in use in the entire world. It is of the GE BWR/2 design, which was already obsolete at the time it was constructed, and is *older* than the failed design at Fukushima.
    – It uses the unsafe system of pushing control rods up to stop the reaction.
    – It uses the unsafe system of storing spent fuel outside containment on the top floor of the building, like Fukushima.
    – It uses the weak GE Mark 1 method of containment.
    – An explosion would force the permanent evacuation of Syracuse, NY and would poison the Lake Ontario / St. Lawrence fresh water supply to downstream cities.
    – The plant was, at least once, supplied with incorrectly specified fuel which could have caused the core to be hotter than expected.
    – It shut down due to the breakage of a single external power line during Hurricane Sandy.
    – It shut down due to an electrical panel fire a few weeks earlier in late 2012.
    – And then, of course, there’s the incident you describe.

    The only older nuclear power plant in the US, Oyster Creek, is already scheduled to be shut down by its corporate owner in 2019.

    I do not understand why there has not yet been a concerted effort to shut down Nine Mile Point 1. It appears to be one of the most dangerous nuclear plants in the US, if not the most dangerous.