This post is a part of a series on Near Misses at US Nuclear Power Plants
The Clinton Power Station is located 23 miles southeast of Bloomington, Illinois and has one General Electric boiling water reactor with a Mark III containment that began operating in 1987.
In December 2017, the Nuclear Regulatory Commission (NRC) dispatched a Special Inspection Team to the plant to investigate a transformer failure that prompted the operators to manually scram the reactor. That event nearly duplicated a transformer failure/manual scram event that happened at Clinton in December 2013.
The ink had scarcely dried on the NRC’s special inspection report when Clinton experienced yet another electrical power problem. Some progress has been made—this time it did not involve a transformer failure causing the reactor to be shut down. This time, the reactor was already shut down when the power problem began. This time, the failures involved several workers over several days failing to follow several procedures to disable an emergency power supply. This time as in the past, the NRC dispatched a special inspection team to figure out what when wrong.
Entering a Refueling Outage
The operators shut down Clinton on April 30, 2018, to enter an outage during which the reactor would be refueled. When the reactor is running, nearly the entire array of emergency equipment must be operable except for brief periods of time. During refueling, the list of emergency equipment required to remain operable is shortened, providing opportunities for components to be tested, inspected, and repaired as necessary.
The operators tripped the main generator on April 30 as part of the reactor shut down process. When the generator was online, the electricity it produced went through the main transformers to the 345-kilovolt switchyard where transmission lines provided it to the offsite power grid. The generator’s output also flowed through the Unit Auxiliary Transformers to supply in-plant electrical needs. As shown in Figure 1, this supply to in-plant loads was unavailable with the main generator offline.
On May 5, workers de-energized the Emergency Reserve Auxiliary Transformer (ERAT) shown on the left side of Figure 1 to support planned maintenance. Power for in-plant loads came from the 345-kilovolt switchyard through the Reserve Auxiliary Transformer (RAT).
At 9:36 pm on May 9, workers closed an electrical breaker to restore power from the RAT to 4.16-kilovolt Bus 1B1. Bus 1B1 had been removed from service for maintenance on it and the equipment powered from it. Emergency diesel generator 1B (EDG 1B) provided the backup power to Bus 1B1 in event power from the main generator and offsite grid were lost. During the planned outage of Bus 1B1, EDG 1B had been intentionally disabled to prevent it from starting. This measure protects workers from contacting energized equipment if EDG 1B started unexpectedly.
Bus 1A1 remained in service during the time Bus 1B1 was unavailable. Bus 1A1 was also supplied with offsite power from the RAT, with EDG 1A in standby to provide backup power if needed. Safety equipment powered from Bus 1A1 cooled the reactor core and could provide makeup water if necessary.
Entering an Unsafe Condition
When power to Bus 1B1 was restored, procedures called for its backup power supply—EDG 1B—to be returned to service. A worker was sent out to place EDG 1B back in service. The emergency diesel generators (EDGs) are normally maintained in standby. Should power from the offsite power grid or accident occur, the EDGs are designed to start up, reach speed, and begin supplying electrical power to their respective buses with a little more than ten seconds. To enable the large diesel engines to perform such rapid feats, the EDGs are equipped with support systems. One support system maintains the lubricating oil warmed. The start air system supplies compressed air to help the engine shaft begin spinning. Another support system supplies cooling water to protect a running diesel engine from damage caused by overhearing.
Because the cooling water system for EDG 1B was not yet returned to service, a supervisor directed the worker to keep the start air valves closed. The restoration procedure called for these valves to be opened and later checked to ensure they were open. But the supervisor was concerned that an inadvertent start of EDG 1B might damage it from overheating. EDG 1B was partially restored to service on May 9.
Late in the evening of May 10, a second supervisor directed a second worker to conduct another partial restoration of EDG 1B. The fuses for the lubricating oil system had been pulled. The worker reinserted the fuses to return the lubricating oil system for EDG 1B to service.
The second supervisor turned over duties to a third supervisor before the second worker completed the assigned partial restoration. Due to miscommunication, the third supervisor thought that all the EDG 1B restoration tasks had been completed. EDG 1B was declared back in service at 2:30 am on May 11.
EDG 1B may have been declared in service, but it was incapable of running because both its start air valves were closed. At that moment, it did not compromise safety because EDG 1A and the safety equipment it supplied were still available and that’s all that was required per regulations.
Safety was compromised at 11:28 pm on May 13 when the reactor core cooling pump supplied from Bus 1A1 was removed from service and the reactor core cooling pump supplied from Bus 1B1 placed in operation. Bus 1B1 was supplied with offsite power through the RAT. But if the transformer failed or the offsite power grid lost, the disabled EDG 1B would not have stepped in to save the day.
Safety was further compromised at 12:30 am on May 14 when Bus 1A1 was de-energized and all the safety equipment it supplied rendered useless.
Had the offsite power grid been lost or the RAT failed, Bus 1B1 and all the equipment it supplied would have been de-energized. Bus 1A1 and all the equipment it supplied was intentionally de-energized. And Bus 1C1, backed by EDG 1C, was energized. But it’s primary safety component, the High Pressure Core Spray system, was unavailable due to ongoing maintenance. The plant was in a vulnerable situation expressly forbidden by its operating license requirements.
Restoring a Safe Condition
At 3:03 pm on May 17, a worker conducting routine shift rounds found the start air valves for EDG 1B closed and notified the control room operators. The EDG restoration procedure was performed—in its entirety—to really and truly restore EDG 1B to service and achieve compliance with regulatory requirements.
NRC Findings and Sanctions
The NRC special inspection team determined that EDG 1B had been inoperable for over six days without the owner’s awareness. The NRC team additionally determined that for more than three days—from May 14 through May 17—a loss of the offsite power grid would have plunged the plant into a station blackout.
While a station blackout condition doomed three reactors at Fukushima Daiichi to meltdowns, the NRC team identified three ways for workers to have responded to a station blackout at Clinton avert such an outcome. First, they could have discovered the closed start air valves and opened them to recover EDG 1B. Second, they could have started EDG 1C and cross-connected it to re-energize Bus 1B1. While EDG 1C has smaller capacity than EDG 1B, it had sufficient capacity to handle the loads needed during refueling. Third, they could have deployed the FLEX equipment added after Fukushima to cool the reactor core.
The NRC team calculated that had a station blackout occurred, it would have taken about five hours for the loss of cooling to heat up the water in the reactor vessel to the boiling point and that it would have taken about another twelve hours for water to boil away to uncover the reactor core and cause damage. Approximating this timeline helps the NRC assess how likely it would have been for workers to successfully intervene and avert disaster.
The NRC team also identified factors lessening confidence that workers would successfully intervene. The NRC team reported that five different workers entered the room housing EDG 1B a total of twelve times during the period it was disabled for the express purpose of ensuing things were okay. The NRC team observed that the start air valves were located at about knee-level and had been secured in the closed position with long black plastic straps. The NRC team also noted that there were two air pressure gauges both reading zero—a clear indication that there was no start air pressure available for EDG 1B. The NRC team interviewed workers, but never learned why so many workers tasked with looking for signs of trouble overlooked so many signs of trouble so many times.
The NRC issued one Green finding for failing to notice that the EDG 1B start air valves were closed.
The NRC also issued a finding with a significance yet to be determined for the multiple failures to follow procedures that led to the start air valves for EDG 1B remaining closed.
The failures by the supervisors and workers can be explained, but not excused.
Like most U.S. nuclear power reactors, Clinton typically shuts down for refueling every 18 or 24 months. The refueling outages last about a month. Thus, Clinton runs about 95 percent of the time and refuels only about 5 percent of the time.
When the reactor was running, safety equipment like the EDGs was routinely removed from service, tested and/or repaired, and returned to service. Similarly, workers conducted rounds—walkdowns of plant areas looking for off-normal conditions—every shift of every day.
During refueling, the same restoration and rounds procedures are used for the same purposes, but under significantly different conditions. When the reactor is running, most safety systems are in service making it easier to concentrate on the tiny subset taken out of service. And it’s easier to spot when something is off-normal.
Many safety systems are removed from service concurrently during refueling. Restoring safety systems to service during refueling is complicated when support systems have not yet been restored to service. Performing rounds is complicated by so many systems and components being out of their normal condition that distinguishing acceptable off-normal from improper off-normal becomes challenging. So, it can be understood how trained and dedicated workers with good intentions can fail to rise to the challenge periodically.
This event illustrates two important safety truths: (1) despite best efforts, things can go wrong, and (2) the way to make best efforts better is to extract lessons learnable from near misses and implement effective fixes.
This event did not involve any actual loss of power to safety equipment or loss of reactor core cooling. This event did involve an increased potential for these losses.
The plant owner and the NRC took this increased potential seriously and examined why it had happened. Those examinations will identify barriers that failed and suggest upgrades to existing barriers or additional barriers to lessen the chances that a potential, or actual, event occurs.
On one hand, Clinton can be said to have dodged a bullet this time. On the other hand, the owner and NRC examining this near miss will help make Clinton—and other reactors—more bulletproof.
Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.