
Fission Stories #117: Slow Valves at Shearon Harris and Slow Response by NRC


Last week I wrote about timing how long it took valves at the Hatch plant to open and close. Here’s another case.

On April 12, 2012, workers tested how long it took the three main steam isolation valves at the Shearon Harris nuclear plant near Raleigh, North Carolina to travel from the fully opened to the fully closed position. These valves are designed to close within 5 seconds to limit how much radioactivity is released to the atmosphere during an accident.

Stopwatches have been used when timing valves. When the operator turns the switch in the control room to signal a valve to close (or open), the stopwatch is started when the valve’s position lights indicate it has begun moving. The stopwatch is stopped when the position lights indicate the valve’s movement has ended. That day at Harris, a calendar would nearly have been more appropriate than a stopwatch.

Main steam isolation valve “A” at Harris took 4.51 seconds to close that day.

But when the switches for main steam isolation valves “B” and then “C” were turned, the valves did not close. At least not right away.

These valves have large springs that hold them closed. The springs for each valve are designed to provide 63,988 pounds (nearly 32 tons) of closing force. Compressed air is supplied to push the valves open against this spring force. This design allows the springs to close the valve (their fail-safe position) when either power or air pressure is lost.

A main steam isolation valve. The opening at the bottom is where the valve connects to the pipe carrying steam to the turbine. There’s another opening/connection point on the valve’s other side. Rising up from the valve is an assembly with four coils of metal springs that keep the valve closed. Compressed air pressure is supplied to oppose the spring forces and open the valve. On either loss of electrical power or loss of compressed air flow, the spring forces return the valve to its fail-safe position – closed.

Workers went out into the plant to manually vent the compressed air supplied to main steam isolation valves “B” and “C.” They heard the tell-tale sound of the air being released, but the valves stayed open.

Main steam isolation valve “B” closed 37 minutes after its air supply was removed. Main steam isolation valve “C” closed 4 hours and 7 minutes after its air supply was removed.

Workers disassembled all three main steam isolation valves. They found corrosion caused some of the internal parts to swell in size nearly 20 percent. This growth effectively locked the valves in place against the springs’ closing force even after air pressure had been relieved. Eventually, the spring force overcame the friction to close the valves.

The valves had been installed during construction of the plant more than a quarter of a century earlier. The valves’ manufacturer introduced models having internal parts more resistant to corrosion but had never recommended that customers with older valves upgrade them. Workers at Harris replaced all three main steam isolation valves with the new models. The replacement valves were re-tested successfully.

The NRC dispatched a special inspection team to Harris in 2012. The NRC found that from the plant’s initial startup until 2000, workers had exercised the main steam isolation valves every three months per the manufacturer’s recommendation. These exercises involved closing each valve ten percent to verify proper functioning of the valves, their actuators, and controls. The plant’s owner discontinued this recommended testing in 2000 as a cost-saving measure. The safety evaluation per 10 CFR 5.59 performed in 2000 for discontinuing the quarterly exercising failed to mention that the valve vendor recommended the exercising or to discuss potential new failure modes – like the one that happened – that might be introduced by eliminating the periodic exercises.

The NRC also discovered that the air-operated main steam isolation valves had never been tested under the plant’s air-operated valve testing programs. The main steam isolation valves had been classified as Category 2 valves which do not require testing. But the NRC determined that the main steam isolation valves met the Category 1 definition as performing an active safety-related function of high safety significance.

Our Takeaway

It’s a line from Cool Hand Nuke – “what we’ve got here is failure to communicate.”

The company failed to communicate solid justification in 2000 when it discontinued the quarterly exercising of the main steam isolation valves. The manufacturer recommended that the exercising be performed to verify proper functioning. After the valves had been installed at Harris in the 1980s, the manufacturer developed more corrosion-resistant materials for the valves’ internals. The company’s justification more than a decade later failed to address how forgoing the exercising might affect the performance of the more corrosion-prone valves.

The NRC also failed to communicate how it managed to overlook the facts that (a) the air-operated main steam isolation valves had never been tested under the plant’s air-operated valve program, and (b) the quarterly exercising of the main steam isolation valves had been discontinued more than a decade ago.

After the valves literally took hours to close, NRC inspectors identified both testing irregularities. But why hadn’t NRC inspectors discovered these problems earlier? After all, there are many air-operated valves at Harris but the main steam isolation valves are among the small minority contained within the NRC-issued operating license for Harris. Is it unreasonable to expect that over the course of a decade an NRC inspector will assess the testing regime – or lack thereof – for the few air-operated valves having such high safety significance that they are explicitly mentioned in the reactor’s operating license?

Clearly, the plant’s owner did a poor job testing the main steam isolation valves and needs to do better in the future.

But the NRC also has lessons to learn from this and other special inspections it conducts. The NRC dispatches special inspection and augmented inspection teams to plant sites when events may increase the chance of core damage by a factor of 10 or more. The NRC sends out about a dozen such teams annually. These team inspections should serve dual purposes: (1) finding and fixing specific problems at the affected plants, and (2) assessing whether programmatic adjustments are needed in the NRC’s safety oversight process. The NRC lacks resources to monitor every test and inspect every inch of piping. These team inspections must be assessed by the NRC to determine if resource reallocations are needed to better focus their oversight efforts.

Nuclear safety defense-in-depth demands best efforts by plant owners and the NRC. In this case, both failed. Both failures must be recognized and corrected for safety to be improved in the future.

 

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.


About the author: Mr. Lochbaum received a BS in Nuclear Engineering from the University of Tennessee in 1979 and worked as a nuclear engineer in nuclear power plants for 17 years. In 1992, he and a colleague identified a safety problem in a plant where they were working. When their concerns were ignored by the plant manager, the utility, and the Nuclear Regulatory Commission (NRC), they took the issue to Congress. The problem was eventually corrected at the original plant and at plants across the country. Lochbaum joined UCS in 1996 to work on nuclear power safety. He spent a year in 2009-10 working at the NRC Training Center in Tennessee. Areas of expertise: Nuclear power safety, nuclear technology and plant design, regulatory oversight, plant license renewal and decommissioning


  • Peter Ninen

    The latest web site design, wherein stories scroll in a little window is very difficult to read. There is no reason for this over-design. Go back to allowing me to just scroll the whole page.

    I won’t be reading your blog very much now that it is a hassle.

    Other than that, keep up the good work. You do a great service.

  • B. Brunner

    Great article, once more!

    Nuclear plants are inherently complex, and very unfortunately their security systems too. Additionally their lifetime is so long that things have time to corrode massively, and the technology to be outdated many times during their lifetime.

    Each of the fission stories comes down to the human factors which are part of their security.

    Either the system has to be designed into a fully automated redundant fail-safe operation by design, not involving operators in critical tests and operations, or a fully-automated double-checking of operators-manipulations has to be designed. Both seem utopia, given the complexity and particularities of plants. And they won’t suppress the implementation-errors of the controlling software and underlying systems.

    Thus the conclusion is that we are unable to design and operate 100.00% safely nuclear plants. Anybody that is telling nuclear power is 100% secure is scientifically lying.

    Remains the notion of “acceptable risk”, which is pretty damn hard to evaluate correctly, given the implications in case of severe accident for dozens of thousands of years, i.e. beyond our human control, and the possible responsibility of even 3 generations.

    Maybe my reasoning is wrong, so I’m open to learn why it would be wrong :-)

    IMHO, The real solution comes down to three factors:
    1) lower the electricity waste massively, so that we need less nuclear plants, less complex plants, less risky plants. Maybe none.
    2) design new technology for nuclear plants which is fail-safe, means in case of major accident with loss of control, it doesn’t increase heat, but decreases it.
    3) foster real renewable energy (including grey energy in the computations)