The owners of boiling water reactors (BWRs) are required to test the ability of individual control rods to rapidly insert (scram) into the reactor core. Each control rod must fully insert within 5 seconds. The digital indication of control rod position on the control boards updates so quickly that only an occasion number can be discerned until the rod stops moving.
It didn’t quite work that way at Alabama’s Browns Ferry Unit 3 in 1983. Flipping the switch to scram a control rod caused it to start moving in. Instead of displaying something like ‘48 .. 38 .. 22 .. 12 .. 00” as the control rod zipped from fully out (position 48) to fully in (position 00), the digital indication was “48, 46, 44, 42, 40, 38, 36, 34, 32, 30, 28, 26, 24, 22, 20, 18, 16, 14, 12, 10, 08, 06, 04, 02, 00.” None of the control rod scram times was less than five seconds. In fact, several of the times exceeded 60 seconds. A control rod’s normal stroke time from fully withdrawn to fully inserted is usually around 48 seconds. They measured scram times longer than normal rod movement.
Flipping the scram switch for a control rod opens solenoid valves that vent air from two valves, the scram inlet valve and the scram outlet valve. The scram valves have springs that open them unless there is sufficient air pressure to hold them closed. When the scram inlet valve opens, high pressure water enters the underside of the control rod’s piston surface. The scram outlet valve opens to discharge water from the piston’s upperside. Differential pressure of 1,000 to 1,500 pounds per square inch across the piston drives the control rod fully into the core very rapidly.
After some pondering, the Browns Ferriers figured out what was causing the problems.
Before the unit had shut down for refueling, the compressor supplying air to keep the scram valves closed was running near full capacity. It should have been running intermittently because it supplied air to a supposedly closed loop. But many of the scram valves were leaking air. The leakage was not enough to cause the valves to open, but it caused the air compressor to run nearly all the time.
During the refueling outage, the maintenance department worked to fix the numerous air leaks. They found that the rubber o-rings inside the solenoid valves on the scram valves were old, hard, and sometimes cracked. The o-rings needed to be soft and pliable for a good seal against air leakage. Maintenance engineers decided to replace all of the o-rings with brand new o-rings.
The maintenance workers had honorable intentions. They disassembled the solenoid valves and replaced the old o-rings with brand new ones. For added assurance against leakage, they put an extra o-ring into each solenoid valve.
But the double o-rings not only stopped air leakage, they restricted air flow when the solenoid valves were open. So when the solenoid valves opened, air slowly bled out from the scram valves instead of rushing out.
The air being released passed the o-rings at nearly random rates. For some control rods, the scram inlet valve opened first. The scram outlet valve opened first for other control rods. Either way, instead of 1,000 pounds per square inch or greater differential pressure, the control rod pistons were only getting about half that. That’s about the differential pressure for normal control rod insertion. That explained the measured scram times of approximately 60 seconds.
The plant’s owner chose to keep Unit 3 operating at about 40 percent power while they fixed the solenoid valves on about five control rods at a time. If an accident had occurred, the control rods would have automatically scrammed in about a minute instead of a few seconds! The fuel damage in the reactor core could have been very severe from the slow-motion scram.
Sometimes a homeowner replaces a blown fuse with a copper penny. It solves the immediate problem of restoring power. But it sets the stage for a larger problem. An electrical surge or short would no longer be mitigated by a fuse blowing and could ignite a fire and/or damage appliances.
The workers at Browns Ferry essentially replicated the fuse and penny fix. Only they threw their two cents in.
The original problem involved excessive leaks from numerous solenoid valves. Its consequence was that the air compressor had to run more frequently to compensate for the leaks. The problem had zero nuclear safety implications – the control rods would still insert as rapidly as necessary.
The original solution clearly stopped air from leaking from the valves. But the solution had major nuclear safety implications – the control rods would not insert in time to prevent fuel damage in event of an accident or transient.
“Configuration management” is the nuclear industry’s term of art describing the administrative controls that should have prevented the solution at Browns Ferry from being worse than the problem. Replacement parts must be identical in form, fit, and function or justified for use through a formal, extensive evaluation. The double o-rings satisfied the function part of the equation, but failed on the form and fit parts. The formal evaluation would not have authorized the second o-ring; however, this administrative control only works when it is used. The workers at Browns Ferry skipped the evaluation with a field decision to put in the second o-rings. Two is not always better than one.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.