Turkey Point: Fire and Explosion at the Nuclear Plant

Director, Nuclear Safety Project | July 11, 2017, 1:06 pm EST

This post is a part of a series on Near Misses at U.S. Nuclear Power Plants

The Florida Power & Light Company’s Turkey Point Nuclear Generating Station about 20 miles south of Miami has two Westinghouse pressurized water reactors that began operating in the early 1970s. Built next to two fossil-fired generating units, Units 3 and 4 each add about 875 megawatts of nuclear-generated electricity to the power grid.

Both reactors hummed along at full power on the morning of Saturday, March 18, 2017, when problems arose.

The Event

At 11:07 am, a high energy arc flash (HEAF) in Cubicle 3AA06 of safety-related Bus 3A ignited a fire and caused an explosion. The explosion inside the small concrete-wall room (called Switchgear Room 3A) injured a worker and blew open Fire Door D070-3 into the adjacent room housing the safety-related Bus 3B (called Switchgear Room 3B.)

A second later, the Unit 3 reactor automatically tripped when Reactor Coolant Pump 3A stopped running. This motor-driven pump received its electrical power from Bus 3A. The HEAF event damaged Bus 3A, causing the reactor coolant pump to trip on under-voltage (i.e., less than the desired voltage of 4,160 volts.) The pump’s trip triggered the insertion of all control rods into the reactor core, terminating the nuclear chain reaction.

Another second later, Reactor Coolant Pumps 3B and 3C also stopped running. These motor-driven pumps received electricity from Bus 3B. The HEAF event should have been isolated to Switchgear Room 3A, but the force of the explosion blew open the connecting fire door, allowing Bus 3B to also be affected. Reactor Coolant Pumps 3B and 3C tripped on under-frequency (i.e., alternating current electricity at a frequency too far below the desired 60 cycles per second). Each Turkey Point unit has three Reactor Coolant Pumps that force the flow of water through the reactor core, out the reactor vessel to the steam generators where heat gets transferred to a secondary loop of water, and then back to the reactor vessel. With all three pumps turned off, the reactor core would be cooled by natural circulation. Natural circulation can remove small amounts of heat, but not larger amounts; hence, the reactor automatically shuts down when even one of its three Reactor Coolant Pumps is not running.

At shortly before 11:09 am, the operators in the control room received word about a fire in Switchgear Room 3A and the injured worker. The operators dispatched the plant’s fire brigade to the area. At 11:19 am, the operators declared an emergency due to a “Fire or Explosion Affecting the Operability of Plant Systems Required to Establish or Maintain Safe Shutdown.”

At 11:30 am, the fire brigade reported to the control room operators that there was no fire in either Switchgear Room 3A or 3B.

Complication #1

The Switchgear Building is shown on the right end of the Unit 3 turbine building. Switchgear Rooms 3A and 3B are located adjacent to each other within the Switchgear Building. The safety-related buses inside these rooms take 4,160 volt electricity from the main generator, the offsite power grid, or an EDG and supply it to safety equipment needed to protect workers and the public from transients and accidents. Buses 3A and 3B are fully redundant; either can power enough safety equipment to mitigate accidents.

Fig. 1 (Source: Nuclear Regulatory Commission)

To guard against a single fire disabling both Bus 3A and Bus 3B despite their proximity, each switchgear room is designed as a 3-hour fire barrier. The floor, walls, and ceiling of the room are made from reinforced concrete. The opening between the rooms has a normally closed door with a 3-hour fire resistance rating.

Current regulatory requirements do not require the room to have blast resistant fire doors, unless the doors are within 3 feet of a potential explosive hazard. (I could give you three guesses why all the values are 3’s, but a correct guess would divulge one-third of nuclear power’s secrets.) Cubicle 3AA06 that experienced the HEAF event was 14.5 feet from the door.

Fire Door D070-3, presumably unaware that it was well outside the 3-feet danger zone, was blown open by the HEAF event. The opened door created the potential for one fire to disable Buses 3A and 3B, plunging the site into a station blackout. Fukushima reminded the world why it is best to stay out of the station blackout pool.

Complication #2

The HEAF event activated all eleven fire detectors in Switchgear Room 3A and activated both of the very early warning fire detectors in Switchgear Room 3B. Activation of these detectors sounded alarms at Fire Alarm Control Panel 3C286, which the operators acknowledged. These detectors comprise part of the plant’s fire detection and suppression systems intended to extinguish fires before they cause enough damage to undermine nuclear safety margins.

But workers failed to reset the detectors and restore them to service until 62 hours later. Bus 3B provided the only source of electricity to safety equipment after Bus 3A was damaged by the HEAF event. The plant’s fire protection program required that Switchgear Room 3B be protected by the full array of fire detectors or by a continuous fire watch (i.e., workers assigned to the area to immediately report signs of smoke or fire to the control room.) The fire detectors were out-of-service for 62 hours after the HEAF event and the continuous fire watches were put in place late.

Workers were in Switchgear Room 3B for nearly four hours after the HEAF event performing tasks like smoke removal. But a continuous fire watch was not posted after they left the area until 1:15 pm on March 19, the day following the HEAF event. And these workers were placed in Switchgear Room 3A, not in Switchgear Room 3B housing the bus that needed to be protected.

Had a fire started in Switchgear Room 3B, neither the installed fire detectors nor the human fire detectors would have alerted control room operators. The lights going out on Broadway, or whatever they call the main avenue at Turkey Point, might have been their first indication.

Complication #3

At 12:30 pm on March 18, workers informed the control room operators that the HEAF event damaged Bus 3A such that it could not be re-energized until repairs were completed. Bus 3A provided power to Reactor Coolant Pump 3A and to other safety equipment like the ventilation fan for the room containing Emergency Diesel Generator (EDG) 3A. Due to the loss of power to the room’s ventilation fan, the operators immediately declared EDG 3A inoperable.

EDGs 3A and 3B are the onsite backup sources of electrical power for safety equipment. When the reactor is operating, the equipment is powered by electricity produced by the main generator as shown by the green line in Figure 2. When the reactor is not operating, electricity from the offsite power grid flows in through transformers and Bus 3A to the equipment as indicated by the blue line in Figure 2. When under-voltage or under-frequency is detected on their respective bus, EDG 3A and 3B will automatically start and connect to the bus to supply electricity for the equipment as shown by the red line in Figure 2.

Fig. 2 (Source: Nuclear Regulatory Commission with colors added by UCS)

Very shortly after the HEAF event, EDG 3A automatically started due to under-voltage on Bus 3A. But protective relays detected a fault on Bus 3A and prevented electrical breakers from closing to connect EDG 3A to Bus 3A. EDG 3A was operating, but disconnected from Bus 3A, when the operators declared it inoperable at 12:30 pm due to loss of the ventilation fan for its room.

But the operators allowed “inoperable” EDG 3A to continue operating until 1:32 pm. Given that (a) its ventilation fan was not functioning, and (b) it was not even connected to Bus 3A, they should not have permitted this inoperable EDG to operate for over an hour.

Complication #4

A few hours before the HEAF event on Unit 3, workers removed High Head Safety Injection (HHSI) pumps 4A and 4B from service for maintenance. The HHSI pumps are designed to transfer makeup water from the Refueling Water Storage Tank (RWST) to the reactor vessel during accidents that drain cooling water from the vessel. Each unit has two HHSI pumps; only one HHSI pump needs to function in order to provide adequate reactor cooling until the pressure inside the reactor vessel drops low enough to permit the Low Head Safety Injection pumps to take over.

On the day before, workers found a small leak from a small test line downstream of the common pipe for the recirculation lines of HHSI Pumps 4A and 4B (circled in orange in Figure 3). The repair work was estimated to take 18 hours. Both pumps had to be isolated in order for workers to repair the leaking section.

Pipes cross-connect the HHSI systems for Units 3 and 4 such that HHSI Pumps 3A and 3B (circled in purple in Figure 3) could supply makeup cooling water to the Unit 4 reactor vessel when HHSI Pumps 4A and 4B were removed from service. The operating license allowed Unit 4 to continue running for up to 72 hours in this configuration.

Fig. 3 (Source: Nuclear Regulatory Commission with colors added by UCS)

Before removing HHSI Pumps 4A and 4B from service, operators took steps to protect HHSI Pumps 3A and 3B by further restricting access to the rooms housing them and posting caution signs at the electrical breakers supplying electricity to these motor-driven pumps.

But operators did not protect Buses 3A and 3B that provide power to HHSI Pumps 3A and 3B respectively. Instead, they authorized work to be performed in Switchgear Room 3A that caused the HEAF event.

The owner uses a computer program to characterize risk of actual and proposed plant operating configurations. Workers can enter components that are broken and/or out of service for maintenance and the program bins the associated risk into one of three color bands: green, yellow, and red in order of increasing risk. With only HHSI Pumps 4A and 4B out of service, the program determined the risk for Units 3 and 4 to be in the green range. After the HEAF event disabled HHSI Pump 3A, the program determined that the risk for Unit 4 increased to nearly the green/yellow threshold while the risk for Unit 3 moved solidly into the red band.

The Cause(s)

On the morning of Saturday, March 18, 2017, workers were wrapping a fire-retardant material called Thermo-Lag around electrical cabling in the room housing Bus 3A. Meshing made from carbon fibers was installed to connect sections of Thermo-Lag around the cabling for a tight fit. To minimize the amount of debris created in the room, workers cut the Thermo-Lag material to the desired lengths at a location outside the room about 15 feet away. But they cut and trimmed the carbon fiber mesh to size inside the room.

Bus 3A is essentially the nuclear-sized equivalent of a home’s breaker panel. Open the panel and one can open a breaker to stop the flow of electricity through that electrical circuit within the house. Bus 3A is a large metal cabinet. The cabinet is made up of many cubicles housing the electrical breakers controlling the supply of electricity to the bus and the flow of electricity to components powered by the bus. Because energized electrical cables and components emit heat, the metal doors of the cubicles often have louvers to let hot air escape.

The louvers also allow dust and small airborne debris (like pieces of carbon fiber) to enter the cubicles. The violence of the HEAF event (a.k.a. the explosion) destroyed some of the evidence at the scene, but carbon fiber pieces were found inside the cubicle where the HEAF occurred. The carbon fiber was conductive, meaning that it could transport electrical current. Carbon fiber pieces inside the cubicle, according to the NRC, “may have played a significant factor in the resulting bus failure.”

Further evidence inside the cubicle revealed that the bolts for the connection of the “C” phase to the bottom of the panel had been installed backwards. These backwards bolts were the spot where high-energy electrical current flashed over, or arced, to the metal cabinet.

As odd as it seems, installing fire retardant materials intended to lessen the chances that a single fire compromises both electrical safety systems started a fire that compromised both electrical safety systems.

The Precursor Events (and LEAF)

On February 2, 2017, three electrical breakers unexpectedly tripped open while workers were cleaning up after removing and replacing thermal insulation in the new electrical equipment room.

On February 8, 2017, “A loud bang and possible flash were reported to have occurred” in the new electrical equipment room as workers were cutting and installing Thermo-Lag. Two electrical breakers unexpectedly tripped open. The equipment involved used 480 volts or less, making this a low energy arc fault (LEAF) event.

NRC Sanctions

The NRC dispatched a special inspection team to investigate the causes and corrective actions of this HEAF event. The NRC team identified the following apparent violations of regulatory requirements that the agency is processing to determine the associated severity levels of any applicable sanctions:

  • Failure to establish proper fire detection capability in the area following the HEAF event.
  • Failure to properly manage risk by allowing HHSI Pumps 4A and 4B to be removed from service and then allowing work inside the room housing Bus 3A.
  • Failure to implement effective Foreign Material Exclusion measures inside the room housing Bus 3A that enabled conductive particles to enter energized cubicles.
  • Failure to provide adequate design control in that equipment installed inside Cubicle 3AA06 did not conform to vendor drawings or engineering calculations.

UCS Perspective

This event illustrates both the lessons learned and the lessons unlearned from the fire at the Browns Ferry Nuclear Plant in Alabama that happened almost exactly 42 years earlier. The lesson learned was that a single fire could disable primary safety systems and their backups.

The NRC adopted regulations in 1980 intended to lessen the chances that one fire could wreak so much damage. The NRC found in the late 1990s that most of the nation’s nuclear power reactors, including those at Browns Ferry, did not comply with these fire protection regulations. The NRC amended its regulations in 2004 giving plant owners an alternative means for managing the fire hazard risk. Workers were installing fire protection devices at Turkey Point in March 2017 seeking to achieve compliance with the 2004 regulations because the plant never complied with the 1980 regulations.

The unlearned lesson involved sheer and utter failures to take steps after small miscues to prevent a bigger miscue from happening. The fire at Browns Ferry was started by a worker using a lit candle to check for air leaking around sealed wall penetrations. The candle’s flame ignited the highly flammable sealant material. The fire ultimately damaged cables for all the emergency core cooling systems on Unit 1 and most of those systems on Unit 2. Candles had routinely been used at Browns Ferry and other nuclear power plants to check for air leaks. Small fires had been started, but had always been extinguished before causing much damage. So, the unsafe and unsound practice was continued until it very nearly caused two reactors to melt down. Then and only then did the nuclear industry change to a method that did not stick open flames next to highly flammable materials to see if air flow caused the flames to flicker.

Workers at Turkey Point were installing fire retardant materials around cabling. They cut some material in the vicinity of its application. On two occasions in February 2017, small debris caused electrical breakers to trip open unexpectedly. But they continued the unsafe and unsound practice until it caused a fire and explosion the following month that injured a worker and risked putting the reactor into a station blackout event. Then and only then did the plant owner find a better way to cut and install the material. That must have been one of the easiest searches in nuclear history.

The NRC – Ahead of this HEAF Curveball

The NRC and its international regulatory counterparts have been concerned about HEAF events in recent years. During the past two annual Regulatory Information Conferences (RICs), the NRC conducted sessions about fire protection research that covered HEAF. For example, the 2016 RIC included presentations from the Japanese and American regulators about HEAF. These presentations included videos of HEAF events conducted under lab conditions. The 2017 RIC included presentations about HEAF by the German and American regulators. Ironically, the HEAF event at Turkey Point occurred just a few days after the 2017 RIC session.

HEAF events were not fully appreciated when regulations were developed and plants were designed and built. The cooperative international research efforts are defining HEAF events faster than could be accomplished by any country alone. The research is defining factors that affect the chances and consequences of HEAF events. For example, the research indicates that aluminum, like that in cable trays holding the energized electrical cables, can be ignited during a HEAF event, significantly adding to the magnitude and duration of the event.

As HEAF research has defined risk factors, the NRC has been working with nuclear industry representatives to better understand the role these factors may play across the US fleet of reactors. For example, the NRC recently obtained a list of aluminum usage around high voltage electrical equipment.

The NRC needs to understand HEAF factors as fully as practical before it can determine if additional measures are needed to manage the risk. The NRC is also collecting information about potential HEAF vulnerabilities. Collectively, these efforts should enable the NRC to identify any nuclear safety problems posed by HEAF events and to implement a triaged plan that resolves the biggest vulnerabilities sooner rather than later.


  • protn7

    Murphy’s law- Anything that can go wrong will go wrong. Close down nuclear!

    • John S.

      They can close down nuclear once you stop using anything that requires electricity to run.
      That includes your hybrid car and I-PHONE.

  • Barrier Insufficiency

    An inescapable fact is that whenever harm occurs it is certain that there were no effective barriers to protect the item harmed from the hazards that resulted in the harm as it occurred. This applies even for low harm occurrences such as rework, minor clean-ups, delays, and go-arounds. For advocates and aficionados of the Swiss Cheese Model, an inescapable fact is that when harm occurs every slice of cheese either had a crucial hole in it or the slice did not exist.

    Observation: A barrier is a condition, behavior, action, or inaction that has and/or is intended to have the potential for beneficial involvement in the prevention, limitation, control, restriction, and/or mitigation of a harm.

    Observation: A barrier is a condition, behavior, action, or inaction that did, could, and/or was intended to prevent and/or reduce the harm to a vulnerable victim/ victim item from a hazard/ agent of harm.

    Observation: A barrier is failed when it is not suitable for its intended purpose and/or it does not or cannot perform satisfactorily in service.

    Observation: Safe performance is a part of satisfactory performance.

    Observation: In a specific case every specific barrier is associated with a specific hazard/ agent of harm and a specific vulnerable victim/ victim item.

    Observation: The barrier model is often referred to as the Hazard-Barrier-Target Model or as the Threat/Hazard-Barrier-Target Model, “target” being lingo for “victim/ victim item.”

    Observation: Careful investigators and writers, when mentioning a barrier make it crystal clear what agents of harm and vulnerable victims/ victim items they have in mind.

    Observation: A specific vulnerable victim/ victim item can be a barrier. For example, a rear view mirror (a barrier) can be vulnerable to glancing collisions with close obstacles.

    Observation: The causation of harm from an actual event involves the sequential challenging of and ineffectiveness of multiple barriers. This is informally and incompletely represented as the Swiss Cheese Model diagram and somewhat more formally represented as a Barrier Analysis Flow Chart.

    Observation: The Swiss Cheese Model, per se, does not indicate that each barrier penetrated results in the challenge to a downstream barrier, whose failure results in a challenge to a subsequent barrier. The term “Swiss Cheese Domino Model” would be more descriptive of real life accidents.

    Quotation: “All models are wrong. Some models are useful.”-Professor Vicki Bier, U of Wisconsin (and other)

    Quotation: “The map is not the territory.”-Alfred Korzybski

    Observation: The causation of harm always involves 1) a vulnerable victim/ item that can be harmed, 2) a hazard (agent of harm), 3) the co-location of the vulnerable victim/ item and the agent of harm, 4) the simultaneity of the vulnerable victim/ item and the agent of harm, and 5) no effective barriers intervening between the vulnerable victim/ item and the agent of harm.

    Observation: The prevention and/or limitation of harm always involves 1) making a vulnerable victim/ item that can be harmed less vulnerable, 2) making a hazard (agent of harm) less harmful, 3) separating the vulnerable victim/ item and the agent of harm in space, 4) separating the vulnerable victim/ item and the agent of harm in time, and/or 5) providing effective barriers intervening between the vulnerable victim/ item and the agent of harm.

    Observation: A given barrier can be effective in one or more of the following five ways. 1) It can prevent a harmful condition, behavior, action, and/or inaction. 2) It can discourage or impede a harmful condition, behavior, action, and/or inaction. 3) It can encourage or promote a beneficial condition, behavior, action, and/or inaction. 4) It can detect or make transparent a harmful condition, behavior, action, and/or inaction. 5) It can compensate for or accommodate a harmful condition, behavior, action, and/or inaction.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP): Seek out barrier insufficiencies in all of the following five types of barriers. 1) Barriers that can prevent a harmful condition, behavior, action, and/or inaction. 2) Barriers that can discourage or impede a harmful condition, behavior, action, and/or inaction. 3) Barriers that can encourage or promote a beneficial condition, behavior, action, and/or inaction. 4) Barriers that can detect or make transparent a harmful condition, behavior, action, and/or inaction. 5) Barriers that can compensate for or accommodate a harmful condition, behavior, action, and/or inaction.

    Observation: A speed bump does not prevent speeding, but it does discourage speeding. It encourages speed compliance. It also reveals speed non-compliance by jolting the driver who speeds over it.

    Observation: Automobile air bags are intended to prevent or limit the harm from the secondary collision of the automobile occupant and the automobile structure.

    Observation: Barriers can themselves be agents of harm (hazards) as demonstrated by the Takata Air Bag Shrapnel episodes and by the Connecticut teenager’s ski helmet strap strangulation.

    Observation: Rear viewing mirrors and other rear viewing devices function by detecting or making transparent a harmful condition, behavior, action, and/or inaction related to what is behind the vehicle.

    Observation: The causation of the 1990 Vogtle Nuclear Power Station Blackout (SBO) included ineffective management of the rear view mirrors on a pickup truck.

    Observation: A purpose of the safety discipline is to prevent high probability occurrences (e.g., maneuvering a pickup truck) from being part of the causation of low probability occurrences (e.g., loss of cooling to nuclear fuel with high decay heat).

    Observation: Barriers need not be physical, but passive robust physical barriers are among the most reliable and effective, e.g., a wide median strip.

    Observation: Corrective/ preventative actions, when effective, involve improvements in barriers and/or barrier measures to reduce reliance on inherently non-robust barriers.

    Observation: When effective, all corrective actions prevent future harm from the harmful condition, behavior, action, or inaction that is corrected. Furthermore, when effective, all preventative actions correct the latent harmful conditions, behaviors, actions, and/or inactions that were the causation of the potential harm that was prevented.

    Observation: If any slice of cheese had been American, not Swiss, the accident would not have happened.

    Quotation: “It was as if the pitcher kicked the soft bunt past the shortstop to guarantee a triple.”-A hand-wringing manager

    Observation: A sprinkler system, if it had existed in the apartment containing the defective refrigerator, would have been a barrier that compensated for harmful conditions in the 2017 London Grenfell Fire Disaster.

    Observation: The causation of the harm from the 2017 London Grenfell Fire Disaster included the mismanagement of the investigations of previous events whose extent corrective actions should have included the back fitting of sprinkler systems in high-rise dwellings. Investigations of previous events can result in barriers to the harm from future ones.

    Observation: There were no effective barriers to prevent the harms from the 2017 London Grenfell Fire Disaster, or to prevent any of the harmfully unsafe conditions, behaviors, actions, and inactions that were parts of the causation of the harms.

    Observation: There were no effective barriers to prevent the first officer of American Airlines Flight 587 in 2001 from dooming all occupants to death by unknowingly exceeding the safe operating envelope (SOE) for the vertical stabilizer and rudder (tail). Failed, missing, and ineffective barriers included supervision by the captain, structural design, alarms, instrumentation, instructions, training, and the failure modes and effects analysis (FMEA) or equivalent.

    Observation: The death of Joshua Brown while driving his Tesla Model S in the autopilot mode was not prevented by any barrier. It raises questions as to the adequacy of the safe operating envelope recommended by the manufacturer and as to Mr. Brown’s adherence to the safe operating envelope. The under-ride barriers (aka Mansfield Bars and Jayne Mansfield Barriers) now required protect against rear under-rides, but not against side under-rides.

    Observation: Barriers, such as rear view mirrors and clearly labeled red light cameras, that depend on functional human behavior are often not fully effective, but often can be shown to have averted some harm under some circumstances.

    Observation: The number of failed barriers involved in the causation of the post-commissioning discovery of a bad weld on the nuclear submarine USS Minnesota (SSN 783) must be large.

    Observation: Often the greater the number of failed barriers the more costly is the corrective action.

    Observation: In robust processes every downstream process step includes barriers to detect harmful content in the input to the downstream step and harmful content in the output of the current step.

    Observation: Often the greater the number of process steps that failed to detect harmful input from upstream the more costly is the corrective action.

    Quotation: “It is cheaper to change an erroneous defective drawing than it is to rip out erroneously poured concrete with re-bar.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the failed, missing, and otherwise ineffective barriers.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the failed, missing, and otherwise ineffective barriers, that were part of the causation of what set up the situation for the harm, what triggered the harmful sequence, and what made the harm as bad as it was. (A sad example of ignoring this is the successful barrier.)

    Observation: Many of the failed, missing, and otherwise ineffective barriers that were part of the causation of the harm from the 2017 London Grenfell Tower Fire were not officially required.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Separate the identification of the failed, missing, and otherwise ineffective barriers from the determination of the requirements for them.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the effective barriers that mitigated and/or limited the harm including both planned and unplanned barriers.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a flow chart showing all of the failed, missing, and otherwise ineffective barriers, indicating how the failure of one challenged barrier leads to a challenge to a subsequent insufficient barrier, hence, ultimately to the final harm.

    Observation: The failed barriers involved in the causation of the crash of the 2006 RAF Nimrod XV230 Maritime Reconnaissance Aircraft included programs, processes, and requirements of the RAF, the Ministry of Defense, and contractors. The official reports did not address the causations of the barrier failures.

    Quotation: “The First Law of Highway Safety Engineering is to never remove a guardrail that has dents in it.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Look for instances in which previously effective barriers have been removed, weakened, excepted, or otherwise made less robust.

    Quotation: “Luck is not a robust barrier.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Whenever luck was an effective barrier determine the causation of the conditions, behaviors, actions, and inactions that resulted in relying on luck.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP): Make a table of all of the barrier issues in the form of a Comparative Timeline© such as the one for the Hanford K-Basin Monorail Hoist Drop, the one for the 2007 Yucca Mountain Project USGS Emails Investigation and/or the one for the 2005 T39 Transuranic Transportation Rollover.

    Observation: To promote the readiness of barriers to perform their intended functions, checks of their readiness can be made a prerequisite to activities that could involve challenges to the barriers.

    Observation: The causation of the Hanford K-Basin Monorail Hoist Drop included the failure to check the position of the Weighted Safety Arm barrier before the shift.

    Observation: The vast majority of gear-up landing crashes involve victim inactions for which there were no effective barriers.

    Observation: The causation of Shane Kroger’s death in the Death by D-ring Accident included the absence of any effective barriers to prevent attaching the helicopter hoist cable to a fatally weak D-ring.

    Observation: The causation of the Air Canada Flight 759 Runway/ Taxiway Mix-up Go Around included the absence of any effective barriers to prevent the mix-up. Fortunately there was at least one effective barrier to the approaching aircraft’s actually landing on the aircraft lined up on the taxiway. The robustness of the first effective barrier (the unknown voice) is questionable.

    Observation: The Xcel Energy Cabin Creek Fatal Fire is among the tragic examples of multiple barrier issues. The causation of the Xcel Energy Cabin Creek Fatal Fire includes the inadequacy of the Xcel Energy purchasing process as well as its oversight relative to barrier requirements.

    Observation: The causation of the BP Texas City Fire and Explosion of March 2005 includes the absence of any effective barrier to the overfilling of the isomerization unit.

    Observation: The published report on the October 2016 Hanford Personnel Contamination Detection at Last Barrier Event does not report the causation of the ineffectiveness of the upstream barriers, nor the harm that would have been incurred had the last barrier failed.

    Observation: The causation of the harm from the 2005 Collision of the Nuclear Submarine USS San Francisco (SSN 711) with a submerged mountain included the complete absence of effective barriers to the high-speed impact.

    Observation: Even though there were no effective barriers to the high-speed impact of the Nuclear Submarine USS San Francisco (SSN 711), there were effective barriers to the loss of the ship, including barriers resulting from the loss of USS Thresher (SSN 593).

    Observation: The causation of every barrier insufficiency includes the insufficiency of the transparency of the barrier insufficiency.

    Observation: The fragility of the successful barrier is part of the significance of any event whose harm was arrested, limited, controlled, and/or mitigated.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP):

    Whenever a barrier has been effective determine what would have happened if that barrier had been failed, missing, or otherwise ineffective.

  • The NRC Inspection Report is at
    https://www.nrc.gov/docs/ML1713/ML17132A258.pdf

  • Observation: Measures to enhance barriers can themselves be agents of harm (hazards) as in the case of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF.

  • Barrier Insufficiency

    An inescapable fact is that whenever harm occurs it is certain that there were no effective barriers to protect the item harmed from the hazards that resulted in the harm as it occurred. This applies even for low harm occurrences such as rework, minor clean-ups, delays, and go-arounds. For advocates and aficionados of the Swiss Cheese Model, an inescapable fact is that when harm occurs every slice of cheese either had a crucial hole in it or the slice did not exist.

    Observation: A barrier is a condition, behavior, action, or inaction that has and/or is intended to have the potential for beneficial involvement in the prevention, limitation, control, restriction, and/or mitigation of a harm.

    Observation: A barrier is a condition, behavior, action, or inaction that did, could, and/or was intended to prevent and/or reduce the harm to a vulnerable victim/ victim item from a hazard/ agent of harm.

    Observation: A barrier is failed when it is not suitable for its intended purpose and/or it does not or cannot perform satisfactorily in service.

    Observation: Safe performance is a part of satisfactory performance.

    Observation: In a specific case every specific barrier is associated with a specific hazard/ agent of harm and a specific vulnerable victim/ victim item.

    Observation: The barrier model is often referred to as the Hazard-Barrier-Target Model or as the Threat/Hazard-Barrier-Target Model, “target” being lingo for “victim/ victim item.”

    Observation: Careful investigators and writers, when mentioning a barrier make it crystal clear what agents of harm and vulnerable victims/ victim items they have in mind.

    Observation: A specific vulnerable victim/ victim item can be a barrier. For example, a rear view mirror (a barrier) can be vulnerable to glancing collisions with close obstacles.

    Observation: The causation of harm from an actual event involves the sequential challenging of and ineffectiveness of multiple barriers. This is informally and incompletely represented as the Swiss Cheese Model diagram and somewhat more formally represented as a Barrier Analysis Flow Chart.

    Observation: The Swiss Cheese Model, per se, does not indicate that each barrier penetrated results in the challenge to a downstream barrier, whose failure results in a challenge to a subsequent barrier. The term “Swiss Cheese Domino Model” would be more descriptive of real life accidents.

    Quotation: “All models are wrong. Some models are useful.”-Professor Vicki Bier, U of Wisconsin (and other)

    Quotation: “The map is not the territory.”-Alfred Korzybski

    Observation: The causation of harm always involves 1) a vulnerable victim/ item that can be harmed, 2) a hazard (agent of harm), 3) the co-location of the vulnerable victim/ item and the agent of harm, 4) the simultaneity of the vulnerable victim/ item and the agent of harm, and 5) no effective barriers intervening between the vulnerable victim/ item and the agent of harm.

    Observation: The prevention and/or limitation of harm always involves 1) making a vulnerable victim/ item that can be harmed less vulnerable, 2) making a hazard (agent of harm) less harmful, 3) separating the vulnerable victim/ item and the agent of harm in space, 4) separating the vulnerable victim/ item and the agent of harm in time, and/or 5) providing effective barriers intervening between the vulnerable victim/ item and the agent of harm.

    Observation: A given barrier can be effective in one or more of the following five ways. 1) It can prevent a harmful condition, behavior, action, and/or inaction. 2) It can discourage or impede a harmful condition, behavior, action, and/or inaction. 3) It can encourage or promote a beneficial condition, behavior, action, and/or inaction. 4) It can detect or make transparent a harmful condition, behavior, action, and/or inaction. 5) It can compensate for or accommodate a harmful condition, behavior, action, and/or inaction.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP): Seek out barrier insufficiencies in all of the following five types of barriers. 1) Barriers that can prevent a harmful condition, behavior, action, and/or inaction. 2) Barriers that can discourage or impede a harmful condition, behavior, action, and/or inaction. 3) Barriers that can encourage or promote a beneficial condition, behavior, action, and/or inaction. 4) Barriers that can detect or make transparent a harmful condition, behavior, action, and/or inaction. 5) Barriers that can compensate for or accommodate a harmful condition, behavior, action, and/or inaction.

    Observation: A speed bump does not prevent speeding, but it does discourage speeding. It encourages speed compliance. It also reveals speed non-compliance by jolting the driver who speeds over it.

    Observation: Automobile air bags are intended to prevent or limit the harm from the secondary collision of the automobile occupant and the automobile structure.

    Observation: Barriers can themselves be agents of harm (hazards) as demonstrated by the Takata Air Bag Shrapnel episodes and by the Connecticut teenager’s ski helmet strap strangulation.

    Observation: Measures to enhance barriers can themselves be agents of harm (hazards) as in the case of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF.

    Observation: Rear viewing mirrors and other rear viewing devices function by detecting or making transparent a harmful condition, behavior, action, and/or inaction related to what is behind the vehicle.

    Observation: The causation of the 1990 Vogtle Nuclear Power Station Blackout (SBO) included ineffective management of the rear view mirrors on a pickup truck.

    Observation: A purpose of the safety discipline is to prevent high probability occurrences (e.g., maneuvering a pickup truck) from being part of the causation of low probability occurrences (e.g., loss of cooling to nuclear fuel with high decay heat).

    Observation: Barriers need not be physical, but passive robust physical barriers are among the most reliable and effective, e.g., a wide median strip.

    Observation: Corrective/ preventative actions, when effective, involve improvements in barriers and/or barrier measures to reduce reliance on inherently non-robust barriers.

    Observation: When effective, all corrective actions prevent future harm from the harmful condition, behavior, action, or inaction that is corrected. Furthermore, when effective, all preventative actions correct the latent harmful conditions, behaviors, actions, and/or inactions that were the causation of the potential harm that was prevented.

    Observation: If any slice of cheese had been American, not Swiss, the accident would not have happened.

    Quotation: “It was as if the pitcher kicked the soft bunt past the shortstop to guarantee a triple.”-A hand-wringing manager

    Observation: A sprinkler system, if it had existed in the apartment containing the defective refrigerator, would have been a barrier that compensated for harmful conditions in the 2017 London Grenfell Fire Disaster.

    Observation: The causation of the harm from the 2017 London Grenfell Fire Disaster included the mismanagement of the investigations of previous events whose extent corrective actions should have included the back fitting of sprinkler systems in high-rise dwellings. Investigations of previous events can result in barriers to the harm from future ones.

    Observation: There were no effective barriers to prevent the harms from the 2017 London Grenfell Fire Disaster, or to prevent any of the harmfully unsafe conditions, behaviors, actions, and inactions that were parts of the causation of the harms.

    Observation: There were no effective barriers to prevent the first officer of American Airlines Flight 587 in 2001 from dooming all occupants to death by unknowingly exceeding the safe operating envelope (SOE) for the vertical stabilizer and rudder (tail). Failed, missing, and ineffective barriers included supervision by the captain, structural design, alarms, instrumentation, instructions, training, and the failure modes and effects analysis (FMEA) or equivalent.

    Observation: The death of Joshua Brown while driving his Tesla Model S in the autopilot mode was not prevented by any barrier. It raises questions as to the adequacy of the safe operating envelope recommended by the manufacturer and as to Mr. Brown’s adherence to the safe operating envelope. The under-ride barriers (aka Mansfield Bars and Jayne Mansfield Barriers) now required protect against rear under-rides, but not against side under-rides.

    Observation: Barriers, such as rear view mirrors and clearly labeled red light cameras, that depend on functional human behavior are often not fully effective, but often can be shown to have averted some harm under some circumstances.

    Observation: The number of failed barriers involved in the causation of the post-commissioning discovery of a bad weld on the nuclear submarine USS Minnesota (SSN 783) must be large.

    Observation: Often the greater the number of failed barriers the more costly is the corrective action.

    Observation: In robust processes every downstream process step includes barriers to detect harmful content in the input to the downstream step and harmful content in the output of the current step.

    Observation: Often the greater the number of process steps that failed to detect harmful input from upstream the more costly is the corrective action.

    Quotation: “It is cheaper to change an erroneous defective drawing than it is to rip out erroneously poured concrete with re-bar.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the failed, missing, and otherwise ineffective barriers.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the failed, missing, and otherwise ineffective barriers, that were part of the causation of what set up the situation for the harm, what triggered the harmful sequence, and what made the harm as bad as it was. (A sad example of ignoring this is the successful barrier.)

    Observation: Many of the failed, missing, and otherwise ineffective barriers that were part of the causation of the harm from the 2017 London Grenfell Tower Fire were not officially required.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Separate the identification of the failed, missing, and otherwise ineffective barriers from the determination of the requirements for them.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a table of all of the effective barriers that mitigated and/or limited the harm including both planned and unplanned barriers.

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Make up a flow chart showing all of the failed, missing, and otherwise ineffective barriers, indicating how the failure of one challenged barrier leads to a challenge to a subsequent insufficient barrier, hence, ultimately to the final harm.

    Observation: The failed barriers involved in the causation of the crash of the 2006 RAF Nimrod XV230 Maritime Reconnaissance Aircraft included programs, processes, and requirements of the RAF, the Ministry of Defense, and contractors. The official reports did not address the causations of the barrier failures.

    Quotation: “The First Law of Highway Safety Engineering is to never remove a guardrail that has dents in it.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Look for instances in which previously effective barriers have been removed, weakened, excepted, or otherwise made less robust.

    Quotation: “Luck is not a robust barrier.”-Bill Corcoran

    Recognized and Generally Accepted Good Investigative Practice (RAGAGIP): Whenever luck was an effective barrier determine the causation of the conditions, behaviors, actions, and inactions that resulted in relying on luck.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP): Make a table of all of the barrier issues in the form of a Comparative Timeline© such as the one for the Hanford K-Basin Monorail Hoist Drop, the one for the 2007 Yucca Mountain Project USGS Emails Investigation, and/or the one for the 2005 T39 Transuranic Transportation Rollover.

    Observation: To promote the readiness of barriers to perform their intended functions, checks of their readiness can be made a prerequisite to activities that could involve challenges to the barriers.

    Observation: The causation of the Hanford K-Basin Monorail Hoist Drop included the failure to check the position of the Weighted Safety Arm barrier before the shift.

    Observation: The vast majority of gear-up landing crashes involve victim inactions for which there were no effective barriers.

    Observation: The causation of Shane Kroger’s death in the Death by D-ring Accident included the absence of any effective barriers to prevent attaching the helicopter hoist cable to a fatally weak D-ring.

    Observation: The causation of the Air Canada Flight 759 Runway/ Taxiway Mix-up Go Around included the absence of any effective barriers to prevent the mix-up. Fortunately there was at least one effective barrier to the approaching aircraft’s actually landing on the aircraft lined up on the taxiway. The robustness of the first effective barrier (the unknown voice) is questionable.

    Observation: The Xcel Energy Cabin Creek Fatal Fire is among the tragic examples of multiple barrier issues. The causation of the Xcel Energy Cabin Creek Fatal Fire includes the inadequacy of the Xcel Energy purchasing process as well as its oversight relative to barrier requirements.

    Observation: The causation of the BP Texas City Fire and Explosion of March 2005 includes the absence of any effective barrier to the overfilling of the isomerization unit.

    Observation: The published report on the October 2016 Hanford Personnel Contamination Detection at Last Barrier Event does not report the causation of the ineffectiveness of the upstream barriers, nor the harm that would have been incurred had the last barrier failed.

    Observation: The causation of the harm from the 2005 Collision of the Nuclear Submarine USS San Francisco (SSN 711) with a submerged mountain included the complete absence of effective barriers to the high-speed impact.

    Observation: Even though there were no effective barriers to the high-speed impact of the Nuclear Submarine USS San Francisco (SSN 711), there were effective barriers to the loss of the ship, including barriers resulting from the loss of USS Thresher (SSN 593).

    Observation: The causation of every barrier insufficiency includes the insufficiency of the transparency of the barrier insufficiency.

    Observation: The fragility of the successful barrier is part of the significance of any event whose harm was arrested, limited, controlled, and/or mitigated.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP):

    Whenever a barrier has been effective determine what would have happened if that barrier had been failed, missing, or otherwise ineffective.

  • Observation: The causation of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF included the lack of instructions for installing Thermo-Lag that were appropriate to the circumstances, as required by NRC requirements (10CFR50, App B, Criterion V).

  • Observation: The vulnerability to High Energy Arc Flash initiations of accident sequences in U.S. nuclear plants existed since the first nuclear plant and exists today as exemplified by the case of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF.

  • Observation: The causation of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF included the mismanagement of previous arc flash events. Could this have involved recent nuclear industry efforts to cut back on event investigations?

  • Observation: Lack of competence, integrity, compliance, and/or transparency on the part of an overseen entity usually points to similar lacks on the part of the oversight entities.

    Quotation: “Hell hath no fury like an embarrassed bureaucrat.”-Old saying paraphrased

    Observation: Once the embarrassed agency gets over its initial outrage it settles into defensiveness, damage control, and distraction as if it had no sense of shame.

  • Observation: The type of event in the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF was not included in the deterministic safety analyses or the results were not effectively pursued. This includes the safety analyses to assure that the instructions for installing Thermo-Lag were appropriate to the circumstances, as required by NRC requirements and would be followed.

  • The ThermoLag work obviously increased the probability of an accident and of a malfunction of equipment important to safety. How come the 50.59 screening did not work?

  • Observation: The 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant is similar to the Open Phase Condition episode in that it reveals fundamental design flaws.

    Observation: Part of the causation of the Open Phase Condition episode was the decision to do failure analysis at the circuit level and/or component level rather than the conductor level.

    Observation: Part of the causation of the Open Phase Condition episode extending over many decades and hundreds of nuclear power plants was the failure of the investigations to find that there was a fundamental analysis flaw involving a fundamental requirements flaw.

  • Observation: In the case of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF while installing fire protection measures it is hard to say when the harmful sequence began. Some might say it began even before the 1975 Browns Ferry Fire. Others might say it began when plant staff began creating conductive foreign material in the vicinity of the electrical equipment.

  • Observation: In the case of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF while installing fire protection measures the chronology of harmful conditions, behaviors, actions, and inactions is rich and instructive. It includes at least the following: a) choosing ThermoLag that includes conductive material, b) failing to accommodate the conductive material in the work planning, c) failing to do effective safety screening of the change implementation process, d) failing to invoke effective Foreign Material Exclusion, e) failing to effectively manage the arc flash precursor events, f) failing to see the arc flash precursor events as indicators of a significant condition adverse to quality, g) failure of systems engineers to call attention to threats to their systems, h) failure of quality assurance and other oversight organizations to notice the foregoing and/or the causations or generic implications of the foregoing.

  • Lesson to be Learned (LBTL): The chronology of a harmful mishap begins at the inception of the first harmful condition, behavior, action, or inaction that is part of the causation of the harm.

    Recognized and Generally Accepted Good Investigation Practice (RAGAGIP): Before creating a Comparative Timeline© study at least one prior example, such as the one for the Hanford K-Basin Monorail Hoist Drop, the Yucca Mountain Project USGS Emails and/or the one for the 2005 T39 Transuranic Transportation Rollover.

  • Observation: The causation of the 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF included the failure of the NRC Resident Inspectors to recognize the significance of the low energy arc flash precursors and/or to elicit effective plant management attention to them.

  • Observation: The 2017 High Energy Arc Flash Event (HEAF) Episode at Turkey Point Nuclear Plant in which plant staff induced the HEAF revealed multiple serious process and program incompetencies and noncompliances. These involved at least the following: quality assurance, procedures, risk management, configuration management, fire protection, work planning, foreign material management, corrective action, systems engineering, change management, and safety evaluation.
