Fission Stories #142: Fort Calhoun and the Flawed Safety Net

Former director, Nuclear Safety Project | July 23, 2013, 6:00 am EDT

The Fort Calhoun nuclear plant in Nebraska has been shut down for over two years while an army of workers corrects decades of nuclear neglect. The owner recently informed the NRC about its latest “discovery.”

Fort Calhoun features a pressurized water reactor (PWR) manufactured by Combustion Engineering. Its safety injection system was installed to prevent reactor core damage if postulated accidents were to occur. The safety injection system has three high-pressure safety injection (HPSI) pumps, two low-pressure safety injection (LPSI) pumps, and four safety injection tanks called accumulators.

If a leak drains cooling water from the reactor vessel, the safety injection system supplies water to make up for the inventory loss. Initially, water from the accumulators flows into the reactor vessel. The HPSI and LPSI pumps are normally off while in standby mode. If they start up, the safety injection system begins transferring water from external storage tanks into the reactor vessel.

If the leak is small, like through a broken one-inch diameter pipe connecting an instrument to the reactor vessel to monitor the pressure inside, cooling water is lost but the reactor vessel pressure remains fairly high. The HPSI pumps are designed to handle this situation.

If the leak is larger, like through a broken 8-inch diameter pipe, the rapid loss of water inventory also reduces the pressure inside the reactor vessel. The LPSI pumps are designed for this scenario.

The safety injection system is also designed to supply borated water to the reactor vessel in case the reactor cooling water experienced rapid cooling with one control element assembly stuck fully withdrawn from the reactor core. The boron in this makeup water would absorb neutrons to help prevent a nuclear chain reaction and reactor core damage.

The HPSI pumps are centrifugal pumps. Electric motors turn the pump shafts and spin their impellers. The spinning impeller blades push water through the piping attached to the pumps, similar to how spinning fan blades move air.

In March 1991, the HPSI pump vendor sent a letter to the plant’s owner stating that the pumps should not be operated with flow rates above 425 gallons per minute for longer than one hour. The vendor indicated that higher flow rates caused accelerated wear and tear of the internal parts of the pump leading to failure of the pumps.

Workers had revised emergency procedures in December 1990 that directed operators to run the HPSI pumps at full capacity until specific criteria were satisfied. Had an accident occurred, those procedures could have caused the HPSI pumps to operate at greater than 425 gallons per minute for longer than an hour.

Making this bad situation worse, workers modified the control logic for the containment spray pumps to prevent them from automatically starting in the event of an accident. This change meant that the HPSI pumps would be required to operate for a longer period of time during an accident, prolonging the length of time they operated above 425 gallons per minute and further increasing the likelihood they would become damaged when used.

Workers did not catch the fact that emergency procedures would have directed operators to essentially break vital emergency equipment until early 2013 when engineers reviewed the HPSI pump calculations while preparing a related modification to the plant. Once noticed, steps were taken to operate safety equipment in conformance with rather than contrary to vendor manual specifications.

Our Takeaway

Life is all about trial and error. You jump off a roof with a blanket tied around your neck trying to emulate Superman only to break a leg to learn proper respect for heights.

You operate a pump at too high a flow rate only to watch it shake itself apart to learn proper respect for maximum operating performance.

Having learned lessons the hard way, it behooves you to stop jumping off roofs and operating pumps above known performance limits.

But for over two decades the procedures at Fort Calhoun would have abused rather than used the HPSI pumps.

How can that mistake have been missed by so many people for so many years?

In October 1996 after it was discovered that the Millstone nuclear plant had been operating for many years outside its design boundaries, the NRC wrote to all other plant owners – including that for Fort Calhoun – requiring them to make sure their plants were not like Millstone.

Guess what?

The key difference between Fort Calhoun today and Millstone then is that one is in Nebraska and the other in Connecticut. Both had many, many serious design flaws that were neglected for many, many years. Neither was acceptable, but the one happening nearly 20 years after the first is even less acceptable.

What was the NRC doing, or not doing, at Fort Calhoun the past two decades? More than a dozen safety problems have been recently identified at the plant (see Fission Stories #120 for more detail). Most existed at the plant for many years before being discovered. How could the NRC inspectors have missed all these problems for all these years?

When one has a defective assembly line, it’s irresponsible to only fix a limited handful of deficient products. One must fix the assembly line, too. Apparently the NRC is not asking the owner why it failed to identify these safety problems sooner and is not asking itself why its oversight process also failed to catch even one of these many safety problems.

Perhaps it’s time for the NRC to send more letters to plant owners requiring them to now explain why their plants are not like Fort Calhoun.



Comments


  • Jim Chase

    It is surprising for FCS to have these problems when they went through an extensive design bases reconstitution in the 1990s. They even promoted to the NRC and other organizations how thorough they were. I wonder about the effectiveness of other plants that performed the same process.

    I think the NRC is schmoozed by the ability of a licensee to communicate with them. Therefore not inspecting thoroughly.

  • Sean McKinnon

    It is postulated that maybe if something were to occur and this and that happened without the other thing being done then it is likely that maybe something could possibly happen.

    Why not mention how these pumps have vibration, flow, current and loose parts monitors? David, as a professional, do you REALLY believe it is likely the operators would not have throttled the flow of the pump if they were seeing abnormal vibration? Do you HONESTLY think they would not have activated the containment spray system in the event of a LOCA?

    Really, for someone with the education and experience you have I would hope you would have enough pride to make sure you present all the facts in these essays.

  • Dave,

    Your implicit assumption is that NRC is self-regulating for its management culture, including its safety culture, therefore NRC can fix itself.

    What if that assumption is provably wrong? What if Congress explicitly determined that NRC was NOT to be self-regulating in its management culture and wrote the relevant law so that NRC could not be self-regulating in its management culture?

    If you did your homework about federal civil law, you would realize that your premise that NRC is self-regulating for its management culture is incorrect – then you might be on a path to better understanding why NRC cannot seem to fix itself.

  • Dick Andrews

    Jim Chase is spot on. In addition to not catching design deficiencies during the design basis reconstitution effort, design flaws were not caught during the license renewal process. An additional 20 years was added to the original 40-year plant license by the NRC well before these problems were finally found in the last couple of years. It raises significant questions about the thoroughness of NRC license extension reviews for a number of older nuclear plants.

  • Dick Andrews

    OPPD, and their nuclear station, have accomplished a lot in 2 years by correcting long overdue design deficiencies, modifying processes and procedures, and most importantly, putting in place a management team that has a demonstrated safety culture. The previous management team treated the NRC as an adversary, especially with regard to fighting necessary improvements to the plant’s flood protection systems. These deficiencies had previously been identified by the NRC and without the regulatory body’s arm twisting, the plant’s response to the actual river flooding in the spring of 2011 would have been woefully inadequate. It took the NRC and a natural disaster to get the proper attention of utility management. Understandably, the NRC is hesitant to allow restart of the plant until this trust has been fully restored.

  • Sarah

    Great article, thanks for writing it, I will repost part of it and link to all of it on a major website that gets a lot of traffic. 🙂