Disaster by Design/Safety by Intent #24
Disaster by Design
The Browns Ferry Nuclear Plant near Athens, Alabama has three boiling water reactors (BWRs). Like Russian, or Alabamian, dolls, the reactor core resides inside the reactor pressure vessel inside the primary containment inside the secondary containment (Fig. 1). The secondary containment consists of the reactor building and the refueling bay. At Browns Ferry, the refueling bay spans across all three reactor buildings.
During an accident, radioactivity released from damaged fuel in the reactor core may get released inside the secondary containment. To minimize the amount of radioactivity that reaches the environment, an emergency system called the Standby Gas Treatment System (SGTS) draws air from the reactor building and refueling bay, passes it through a series of filters and charcoal beds, and releases it from a tall exhaust stack (chimney) (Fig. 2).
The system’s flow rate is designed to maintain the secondary containment at a slightly lower pressure than the pressure outside the building. The sub-atmospheric pressure causes clean air to leak into the secondary containment rather than having radioactively contaminated air leak from it via unfiltered pathways. The goal of this emergency ventilation system is to reduce the amount of radioactivity reaching the environment to less than one percent of the radiation levels inside the secondary containment.
Tests at Browns Ferry
Operators shut down the Unit 2 reactor on July 30, 1982, to begin a refueling outage. One of the first tasks scheduled during this refueling outage tested the integrity of the secondary containment. Secondary containment integrity must be assured before primary containment is opened for refueling.
The normal reactor building ventilation system was turned off for the test. The operators turned on the standby gas treatment system to test whether it could achieve the specified sub-atmospheric pressure within two minutes. The test failed—too much air was leaking into the Unit 2 reactor building. Workers went through the building looking for potential leakage pathways. A second test also failed.
The failed tests called into question the integrity of the secondary containments for the operating Unit 1 and 3 reactors. Workers conducted tests of the standby gas treatment systems on Unit 1 and 3 to answer that question.
The standby gas treatment system for Unit 1 easily passed a test on August 2. Too easily. The normal ventilation system was turned off for the test. Several workers are involved in the test, including one who monitors the pressure inside the secondary containment and announces when the sub-atmospheric pressure specified in the test procedure is attained. Moments later, that worker announced the specified pressure had been attained. The operator had not yet started the standby gas treatment system. Workers later determined there was significant leakage between the adjacent reactor buildings such that the normal ventilation system running on Unit 2 pulled enough air from the Unit 1 reactor building to drop its pressure to the sub-atmospheric pressure in the test procedure.
When tested with the Unit 2 normal ventilation system turned off, both the Unit 1 and 3 standby gas treatment systems failed. Both reactors had to join Unit 2 in being shut down.
There were a number of leakage problems. In fact, more than 300 problems were identified and corrected before the standby gas treatment systems passed tests on all three units. The Unit 1 and 3 reactors restarted, while the Unit 2 reactor proceeded with its refueling.
Because the tests had been run with the normal ventilation systems running on the adjacent units, the secondary containment integrity tests had always passed. In reality, all three Browns Ferry units had probably operated without adequate secondary containment for many years. If an accident had occurred, radioactivity may have been released to the atmosphere in far greater amounts than expected.
But wait a minute…
If the normal ventilation system running in an adjacent reactor building unfairly aided the standby gas treatment system, why did Unit 2 fail the test? After all, the normal ventilation systems running on Units 1 and 3 next door should have made it the easiest test in the world (or at least the county).
For reasons not fully identified, the Unit 1 and 3 normal ventilation systems reduced the pressure inside the Unit 2 reactor building but not down to the sub-atmospheric pressure specified in the test procedure. The Unit 2 standby gas treatment was supposed to attain this pressure all by itself, but had been unable to do so even when helped by its neighbors.
Each standby gas treatment system consists of two fully redundant filter trains and blower pairs (Fig. 3). Only one filter train and set of blowers is needed for the standby gas treatment system to function.
The system’s dampers are metal plates that open to allow flow through the ventilation ducts and close to stop it. The dampers open to allow flow through the running standby gas treatment system filter train and blower set and close to prevent flow through the idle train and blowers.
Workers found a failed damper in one of the two sets of blowers (fans) for the Unit 2 standby gas treatment system. The failed damper was stuck partially opened. It allowed some flow from the running set of blowers to flow backward through the filter train into the reactor building instead of out the stack. Instead of pulling air from the reactor building to reach the desired sub-atmospheric pressure, the Unit 2 standby gas treatment system was recirculating a sizeable portion of that flow within the building.
Safety by Intent
The failed damper led to the revelation of a much larger failure—the inability of the secondary containment integrity test to accurately determine whether a vital safety function could be performed in the event of an accident. For years, the tests had “shown” that the secondary containments on Units 1, 2, and 3 were fully adequate. In fact, the faulty test had masked the truth that all three secondary containments were deficient.
The Browns Ferry testing shortcoming is far from an isolated case. For nearly two decades, workers tested the emergency diesel generators at Fermi Unit 2. The emergency diesel generators rank among the top five most important pieces of safety equipment at the plant, and are tested often to assure their reliability. But from late summer 1986 until late 2006, workers graded all these safety tests using the wrong answer key.
Conducting defective tests for years or grading proper tests with defective answer keys for decades provides the illusion rather than the assurance of safety. The NRC must leave illusions to David Copperfield and other magicians and strive for tests that yield accurate outcomes.
The NRC never asked the owners of Browns Ferry and Fermi how their inadequate testing procedures had remained undetected for so many years. It’s not enough to merely fix broken widgets; it’s also necessary to fix deficient testing and inspection regimes that failed to notice the broken widgets despite purportedly looking for them.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.