The Rancho Seco nuclear plant near Sacramento, California, permanently shut down in 1989 after a troubled 15-year operating lifetime. Like Three Mile Island, Rancho Seco featured a pressurized water reactor (PWR) manufactured by the Babcock & Wilcox Company. It was equipped with a safety system consisting of two high-pressure injection pumps that could transfer water from a large outdoor storage tank to the reactor vessel if a small-diameter pipe broke in the reactor. High-pressure pumps were needed since a break in a small pipe would allow cooling water to drain from the reactor vessel while the pressure inside the vessel remained high enough to prevent the low-pressure emergency pumps from being able to supply makeup water.
The high-pressure injection pumps at Rancho Seco were not used, except for routine testing. They were designed to automatically start in the event of an emergency to prevent the nuclear fuel in the reactor’s core from damage caused by overheating. While only one high-pressure injection pump needs to work to provide adequate cooling flow to the reactor core, two were installed to increase the likelihood that the necessary cooling occurs.
Like most equipment with moving metal parts, the high-pressure injection pumps relied on lubricating oil to reduce the wear and tear from metal grinding against metal. The lubricating oil system for the pumps featured cooling units to remove the heat picked up by the oil as it circulated through the pumps. Within the cooling unit, the oil flowed through large numbers of thin metal tubes tubes and cooling water flowed outside the tubes. The heat from the oil was conducted through the tube walls and carried away by the water.
Well, at least that was the idea. On March 18, 1981, workers at Rancho Seco discovered that for one of the high-pressure injection pumps the inlets to about 85 percent of the oil cooler tubes were clogged with debris. The workers then checked the oil cooler for the other high-pressure injection pump and found its tubes also clogged. The debris turned out to be rust flakes from the steel housing of the oil coolers.
The high-pressure injection pumps had been periodically tested, but that testing had not verified the proper performance of the lubricating oil coolers. The pumps appeared to pass the tests because the tests lasted only a few minutes. The testing was stopped before appreciable heat had built up and thus before the lubricating oil cooler impairment could be detected. Had there been an emergency, the high-pressure injection pumps would have started. Both pumps would likely have stopped running shortly thereafter due to damage caused by the overheated oil.
The Davis-Besse reactor is a Babcock & Wilcox PWR with two high-pressure injection pumps. The high-pressure injection pumps at Davis-Besse were supplied by Babcock and Wilcox Canada. No other nuclear reactor operating in the United States had this exact type of pump, although several nuclear reactors in other countries used them. These pumps take some of the water they are pumping and inject it into a hydrostatic bearing. This injected water serves as a cushion preventing the pump shaft revolving at high speed from contacting the casing and other parts of the pump.
In the early 1980s, the French Nuclear Safety Authority questioned whether the pumps would actually operate under conditions expected during an accident. Following an accident, the water flowing through the pumps could carry small pieces of debris. The tests conducted as a result of the French concerns demonstrated that debris blocking the injection ports quickly disabled the pumps. The high-pressure injection pumps in PWRs operating in France and other countries were modified to make them less vulnerable to this problem.
But Davis-Besse operated for two more decades with high-pressure injection pumps of the original design. During the extended outage of Davis-Besse between February 2002 and March 2004, the design flaw in the high-pressure injection pumps was among the many safety shortcomings that were fixed at this plant.
At Rancho Seco, the original design of the lubricating oil coolers for the high-pressure injection pumps was adequate, but aging introduced a common-mode failure mechanism that impaired both pumps. The periodic testing was inadequate to detect the degradation before it caused significant impairment.
At Davis-Besse, the original design of the high pressure injection pumps was inadequate. The periodic testing performed for decades failed to detect the design error because unrealistically clean water was used for the tests.
Thus, the high injection pumps at Rancho Seco and Davis-Besse – which were installed for the sole purpose of preventing reactor core damage during an emergency – would have failed if there had been an emergency.
What is the fastest, most effective way to find design errors? When the design contract is awarded to company A instead of companies B, C, and D, a smaller contract could be awarded to company B, C, or D to critique the design.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.