Last week’s posting involved damage caused by water from a ruptured fire header inside a nuclear power plant. This posting is similar, except that the problem originated outside the nuclear plant.
A worker at the Cooper Nuclear Station in Nebraska used a bulldozer on April 4, 1984, to do some landscaping on the plant’s grounds. The bulldozer accidentally sheared off a fire hydrant in the yard. A geyser of water shot into the air from the broken fire header. Workers quickly closed a manual isolation valve in the fire header to stop the waterspout.
The flow from the broken hydrant caused the pressure in the fire header piping to drop. The fire header piping ran throughout the plant to be able to fight a fire in any building. After workers closed the isolation valve, the fire pumps quickly refilled and repressurized the header piping. The pressure surge caused fire-suppression valves in the “standby gas treatment” (SBGT) system to pop open and release water into the area.
The SBGT system is an emergency system that is normally in standby mode when the reactor is operating. The system has two fully redundant trains of fans, filters, and ducts. In the event of an accident, the system’s fans pull air from the reactor building and refueling region and push it through a series of high-efficiency particulate air (HEPA) filters and charcoal filters. The SBGT system filters remove radioactive particles from the air before it is exhausted to the atmosphere via a tall stack that promotes mixing (i.e., dilution of the pollution). The filters reduce the amount of radioactivity being discharged by nearly a factor of 100. During an accident the SBGT system also maintains the pressure inside the reactor building below ambient pressure. This ensures that clean air leaks into the reactor building rather than radioactively contaminated air leaking out.
The water pouring from the fire protection system flooded the SBGT system’s charcoal filters. Both trains of the SBGT system were rendered inoperable by the cascading effects of a misguided bulldozer outside the plant.
Nuclear plants are designed to withstand single failures. Examples include the failure of a standby component to start, the failure of an operating component to continue operating, the failure of an open valve to close when needed, the failure of a closed valve to open when needed, or the failure of the operator to perform an essential task. Nuclear plant designs accommodate such single failures through redundancy – at least two pumping systems are installed to do the work of one, at least two backup power supplies are installed, and even two separate control stations to safely shut down the reactor are provided.
But as this and other examples show, common-mode failures of safety systems are surprisingly common, and safety systems must be designed to reduce this possibility. The SBGT system was designed with two separate trains, each capable of performing the necessary safety function during a reactor accident. But both trains were disabled by the common-mode failure of the fire suppression system.
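As an added illustration (not part of the original Fission Stories post), the situation described above rendered as a small fault tree in Python: two redundant SBGT trains, plus the fire-header surge as a shared cause that floods both filter banks. The event names and probabilities are constructed for illustration and are not taken from the incident.

```python
from itertools import product

# Basic events of the constructed fault tree; the probabilities are illustrative, not incident data.
BASIC_EVENTS = {
    "train_A_fails": 0.05,    # independent failure of SBGT train A on demand
    "train_B_fails": 0.05,    # independent failure of SBGT train B on demand
    "filters_flooded": 0.01,  # shared cause: fire-header surge pops suppression valves onto both charcoal beds
}

def sbgt_lost(state: dict) -> bool:
    """Top event: neither SBGT train can filter the reactor building exhaust.
    Redundancy covers one train failing; a flooded filter bank takes out both at once."""
    return state["filters_flooded"] or (state["train_A_fails"] and state["train_B_fails"])

def top_event_probability(events: dict, top) -> float:
    """Exact probability of the top event, found by enumerating every combination of basic events."""
    names = list(events)
    total = 0.0
    for outcome in product([False, True], repeat=len(names)):
        state = dict(zip(names, outcome))
        p = 1.0
        for name, occurred in state.items():
            p *= events[name] if occurred else 1 - events[name]
        if top(state):
            total += p
    return total

def redundancy_only_probability(events: dict) -> float:
    """The same system analysed as if failures were independent: only the AND of the two trains remains."""
    return events["train_A_fails"] * events["train_B_fails"]

def minimal_cut_sets(events: dict, top) -> list:
    """Smallest sets of basic events that alone cause the top event.
    A cut set of size one is a single failure the redundant design does not protect against."""
    names = list(events)
    cut_sets = []
    for outcome in product([False, True], repeat=len(names)):
        state = dict(zip(names, outcome))
        if top(state):
            cut_sets.append(frozenset(n for n, occurred in state.items() if occurred))
    return sorted((c for c in cut_sets if not any(o < c for o in cut_sets)), key=len)

if __name__ == "__main__":
    print("independent trains only:", redundancy_only_probability(BASIC_EVENTS))
    print("with shared flooding cause:", top_event_probability(BASIC_EVENTS, sbgt_lost))
    for cut in minimal_cut_sets(BASIC_EVENTS, sbgt_lost):
        print("minimal cut set:", sorted(cut))
```

The single-element cut set is the point of the post: the shared cause turns a system designed against single failures into one that a single event can disable.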
When accidents conveniently follow the script, a single failure is readily handled by redundant safety systems. When accidents inconveniently ad lib, luck replaces redundancy and defense-in-depth in protecting public health and safety.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.