On May 15, 1985, workers at the Hatch nuclear plant in Georgia triggered the wrong kind of nuclear chain reaction. While performing maintenance on equipment in the control building, the workers accidentally damaged a water supply pipeline. Like the first in a row of falling dominoes, the leak they caused began a series of events having adverse economic and safety consequences.
The leakage dropped the pressure in the water supply pipeline below an automatic actuation point, which started the fire protection deluge system in the charcoal filter unit of the control room ventilation system. The air supplied to the control room is treated by passing through charcoal filters and high efficiency particulate air (HEPA) filters to limit the radiation dose to operators in the event of an accident. Once it started, the deluge system sprayed water onto the charcoal filters. Operators quickly shut down the deluge system after verifying that the charcoal was not on fire.
The ventilation system ductwork was equipped with drains to prevent water accumulation from causing damage (i.e., by rust) and reducing air flow (by blockage). But because these drains were plugged, water backed up into the control room ventilation system’s ductwork. Water leaking from the ductwork fell onto control room panels, shorting out some of the electrical equipment.
One of the electrical shorts caused a main steam line safety relief valve to open, close, reopen, reclose, reopen again, reclose again, and then stay open. Each of the four pipes carrying steam from the reactor vessel to the main turbine has two or three safety relief valves (labeled “Safety/Relief Valve” on the left side of the figure). The safety relief valves automatically open to dump steam to the suppression pool when pressure inside the reactor gets too high.
Moments after the safety relief valve stuck and stayed open, an operator manually shut down the reactor in accordance with the plant’s emergency procedures. The water in the suppression pool serves as a heat sink to absorb energy from the reactor during an accident. The relief valve that was stuck open warmed the suppression pool water and reduced its capacity to absorb heat should an accident occur.
The falling water in the control room also caused an electrical short that disabled the high pressure coolant injection (HPCI) system. The HPCI system is an emergency system that is normally in standby mode. In the event of an accident, the HPCI system (shown in the upper center region of the figure) starts up and transfers water from a large storage tank to the reactor vessel.
The reactor core isolation cooling (RCIC) system, a standby system similar in function to the HPCI system, was already inoperable for other reasons. The plant lost all its high pressure emergency makeup systems for getting cooling water into the reactor vessel. The water level within the reactor vessel was maintained by the steam-driven feedwater pumps (shown in the lower center region of the figure), which provide water to the reactor vessel during normal operation.
Moments later, the main steam isolation valves closed, cutting off the turbine steam supply to the feedwater pumps and preventing them from running. Fortunately, the low-capacity control rod drive pump provided sufficient cooling water to the reactor vessel by this time.
The maintenance workers in the control building probably felt that nothing they were doing had the slightest chance of causing a safety relief valve to stick open or the HPCI system to fail. Yet, they managed to accomplish both. Causing the reactor to be shut down had economic consequences. Causing a safety/relief valve and the HPCI system to fail had safety consequences.
Had the drains in the ventilation system ductwork not been clogged, the dominoes in this event would have stopped falling. But the clogged drains allowed more dominoes to fall.
The plant’s design called for the drains to carry water away and prevent accumulation. The clogged drains meant that the plant was operating outside of its design basis. That pre-existing condition introduced a vulnerability that only required some event – in this case an inadvertent actuation of the deluge system – to exploit. Had that trigger event never occurred, the vulnerability would have remained latent.
In other words, luck entered the picture. When luck ran out, design features intended to mitigate plant problems actually escalated them.
It takes considerable diligent effort to find and fix subtle problems like clogged drains in the control room ventilation system ductwork. But that investment is relatively inexpensive insurance against the significant economic and safety consequences that such seemingly minor impairments can cause.
Like the old Fram oil commercial, it’s a “you can pay me now, or you can pay me later” situation. “Pay me now” is almost always the right nuclear safety decision.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.