Fission Stories #154
The operators shut down the Unit 1 reactor at the Nine Mile Point nuclear plant near Oswego, New York on April 15, 2013, to enter a refueling outage. Nine Mile Point Unit 1 has a boiling water reactor (BWR) with a Mark I containment design.
By the next day, workers had removed the concrete shield plugs and drywell head to provide the access needed to remove the reactor pressure vessel head (shown in red). The operators had raised the water level inside the reactor pressure vessel several feet above its normal level until it was slightly below the flange where the head is bolted onto the vessel.
This type of BWR has five loops connected to the reactor pressure vessel like the one shown in the graphic. Each loop consists of a large pump. The purpose of these external pumps is to increase the velocity of water flowing through the reactor core during operation. With the unit shut down, these external recirculation pumps had been turned off.
Even though the unit had been shut down, the reactor core continued to generate large amounts of heat. Many of the byproducts formed by splitting atoms during reactor operation are unstable, which forces them to subsequently emit radiation either in the form of particles (e.g., alpha and beta particles) or energy waves (e.g, gamma rays). These radioactive emissions produce heat that must be removed to protect the reactor core from overheating damage. The shutdown cooling system was being used to cool the water inside the Unit 1 reactor pressure vessel at Nine Mile Point that day. The shutdown cooling system is connected to two of the external recirculation loops. It takes water from the piping going to reactor recirculation pump 14 (RRP 14 in the diagram) and returns water to the piping from RRP 15 back to the reactor pressure vessel.
Shutdown Cooling System
The shutdown cooling system consists of three pumps and heat exchangers in parallel. Only one of the pumps (shutdown cooling pump 12) was operating that day. The other two pumps were shut down and had been physically disconnected from their power supplies. Water drawn by shutdown cooling pump 12 from the suction piping to reactor recirculation pump 14 entered hundreds of tubes inside a heat exchanger labeled 38-132 in the diagram. Water from the reactor building closed loop cooling (RBCLC) system entered the heat exchanger and flowed outside of the tubes. Heat conducted through the thin metal walls of the tubes allowed cooler water to be returned to the reactor pressure vessel via the discharge piping from reactor recirculation pump 15. The shutdown cooling system was maintaining the temperature of the water inside the reactor pressure vessel at approximately 115°F.
Thousands of testing and maintenance tasks are performed when units are shut down for refueling. One team of workers had been assigned to work on the electromatic relief valves (highlighted in yellow in the graphic). The electromatic relief valves are located on the pipes that carry steam produced in the reactor pressure vessel to the turbine. These valves open, either automatically or manually, when needed to control the pressure inside the reactor pressure vessel. For example, if the pressure rises too high, the valves will automatically open to discharge steam through pipes down into the torus. The torus contains a large pool of water that acts like a sponge to soak up thermal energy released from the reactor pressure vessel.
The electromatic relief valves, as their name implies, receive electrical power to function. During maintenance on the valves, the power supply is disconnected to protect workers from electrical shock hazards.
The problem began at 2:44pm on April 16 when a worker was double-checking to ensure that power had been disconnected to the electromatic relief valves. The worker opened the wrong electrical cabinet door. Opening this cabinet door automatically caused the breakers from 125 volt dc battery 12 and for static battery chargers 171A and 171B to open. Their opening de-energized 125 volt dc battery board 12 and all components supplied from it.
The loss of power to 125 volt dc battery board 12 generated a signal to turn off shutdown cooling pump 12. But because the battery board was powerless, the trip signal was not sent and the only pump then cooling the reactor water continued running.
The trip signal was noted in the control room via a blinking light and a printout on the plant’s computer system. But the control room operators did not notice these warnings.
The operators had noticed that the battery board had been de-energized. At 3:03pm and again at 3:05pm, the operators attempted to close the electrical breaker for 125 volt dc battery 12 in order to restore power to the battery board. Both attempts failed.
At 3:36pm, the operators successfully closed the breaker that allowed static battery charger 171 to re-power the battery board. But only for a moment—the breaker soon re-opened and power was once again lost.
Albeit brief, the re-energization of the battery board did permit the trip signal to be sent that turned off shutdown cooling pump 12. The RBCLC water continued to flow through the heat exchanger, but the shutdown cooling water system stopped sending reactor water through it. As a result, the RBCLC water temperature began decreasing and the water temperature inside the reactor pressure vessel began increasing.
The Operators Respond
The operators responded to the unplanned loss of shutdown cooling pump 12 by trying to restart shutdown cooling pumps 11 and 13. Because these pumps had been disconnected from their power supplies, the operators first had to reconnect the power supplies before depressing the pumps’ start buttons.
The operators restored cooling of the water inside the reactor pressure vessel at 4:17pm. In the 31 minutes that cooling had been lost, the water heated up to 145°F, a heatup rate of about one degree per minute. Had cooling not been restored, the water would have begun boiling around 5:30pm.
The NRC investigated this event and determined that problems encountered responding to the event warranted a greater-than-green finding (the NRC applies a four-color classification system with green being the least significant classification). While this event resulted in no actual harm to plant workers or the public, the NRC was concerned that it came closer than desired to such outcomes.
During refueling, the lineup of backup and emergency pumps available to supply cooling and makeup water to the reactor pressure vessel shortens considerably. Pumps and support systems for the pumps (such as the emergency diesel generators that supply electricity to pump motors when power from the offsite electrical grid is unavailable) are disassembled for tests and maintenance. And the multiple barriers between radioactive material and the environment that exist during reactor operation shrink to just two.
The NRC was concerned that the worker’s response to the loss of battery board 12 and the complications it spawned was more ad hoc than anticipated. The NRC’s preference is to have procedures developed and vetted in advance that guide operators to do Y when X happens. They frown upon workers having to huddle when X happens and quickly assess whether to do Y or Z.
While it may seem intuitive that a shut down reactor is inherently “safer” than an operating one, this is not necessarily the case.
Staff in NRC Region IV (the southwest and west) issued an outstanding report from observations about risk management during refueling at nuclear plants in their region. This NRC report described how safety margins can be significantly reduced during refueling outages as the complement of emergency equipment gets down to barebones levels and response times can be measured in minutes. The NRC report pointed out that at on a certain day during the refueling outage, the risk associated with that specific configuration equals that from 36 days of operating at full power.
Plant owners employ the “protected train” approach to risk management during refueling outages. A cooling system, a power supply system, a containment barrier, and so on will be identified and protected from being taken out of service for testing or maintenance until another system can substitute for it in the protection scheme.
Shutdown cooling pump 12 was designated as the “protected train” for cooling the water inside the reactor pressure vessel at Nine Mile Point Unit 1. But that designation only protected it from being intentionally turned off. It remained vulnerable to being inadvertently turned off.
The NRC’s concern was that the response to the unplanned loss of shutdown cooling pump 12 was more informal than it should have been. The NRC expected that procedures would have guided workers to respond more rapidly and with fewer mis-steps.
This actual event was relatively minor. It should not have happened, but many more “what if’s” would have had to fall in place to produce a serious accident. Reducing the frequency of events, even minor ones, reaps large dividends. The so-called event pyramid shows that the number of events tends to decrease as their severity increases. Reducing the number of minor events narrows the base, or foundation, of the pyramid. In turn, those remedies achieve the benefit of also reducing the frequency of more serious events.
Conversely, the “no blood, no foul” approach of tolerating minor events broadens the base and invites more serious accidents. When equipment, training, and procedure problems causing minor events are tolerated instead of being fixed, these pre-existing impairments can shorten the list of “what if’s” needed for future failures to result in more serious outcomes.
The NRC did a good job evaluating this event and putting it in context. That good job makes it less likely that such an event is repeated at Nine Mile Point and other U.S. nuclear plants. The NRC acted to shrink the pyramid.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.