Disaster by Design/Safety by Intent #33
Disaster by Design
Disaster by Design/Safety by Intent #30 discussed how containment structures can be adversely affected by high internal pressure experienced during an accident. Disaster by Design/Safety by Intent #31 discussed how containments can be adversely affected by damage/degradation that existed even before an accident started. Disaster by Design/Safety by Intent #32 covered times when isolation devices (e.g. doors, valves, dampers) failures created potential pathways for radioactivity to escape containment. This commentary follows that theme, describing a hodge-podge of ways containment performance capability was impaired.
The pressurized water reactor at Callaway has two trains that cool the containment atmosphere during normal operation and accidents. Each cooling train has two coolers. Each cooler has a cooling coil (water-filled tubes with thin metal walls), damper, and fan. Water flows inside the tubes of the cooling coil. The fan blows air from the containment atmosphere passed the tubes to cool the air. Each fan can run at either low speed or high speed. The dampers can be adjusted to control the amount of air flowing passed the coils and the extent of containment cooling. Only one of these two containment cooling trains is needed with its fan running in low speed mode to handle the post-accident cooling needs.
On March 26, 2008, the pressure inside containment was elevated and near the maximum limit allowed during normal reactor operation. The operators shifted all four containment cooler fans from low speed to high speed. Increasing the rate that containment air flows passed the cooling coils would lower the temperature, and pressure, of the containment atmosphere.
Less than 30 minutes later, an alarm notified the operators about high vibration levels on one of the four containment coolers. The operators decided to stop the fan for that containment cooler and restart it in slow speed to see whether that resolved the excessive vibrations. But when they turned the fan off, they discovered they could not restart it.
Workers investigating the fan problem determined that an error in the original design of the containment ventilation system resulted in the electric motors for the four fans being undersized for high speed operation of the fans. When operating in high speed, the fan motors drew electrical current that risked damaging the motors due to heat buildup. The protection device for the fan that day sensed overheating conditions and automatically opened a relay preventing the fan from running.
Workers modified the control system for the fans to allow each fan to be restarted in slow speed even after the automatic protection device actuated during high speed operation.
Following receipt of an accident signal, the containment ventilation system automatically downshifts the containment cooler fans to low speed. Until it was fixed, the design problem created the potential for all containment cooler fans to become disabled during an accident. Without adequate cooling, the containment temperature and pressure could have exceeded design limits and made the consequences of an accident worse.
The pressurized water reactor at Davis-Besse is well known for the leakage of a small amount of borated cooling water from a 4-inch diameter metal tube penetrating through the top of its reactor vessel over an estimated six year period. When the leaked borated water evaporated, it left behind highly corrosive boric acid. When discovered in spring 2002, the boric acid was found to have burned a football-sized hole in the reactor vessel’s top.
Fig. 1—taken two years before the cavity was finally discovered—of the boric acid, tinged red with particles corroded from the vessel metal, flowing down the sloped surface of the reactor vessel’s top, is infamous. Less famous is the collateral threat to the containment posed by the longstanding leakage of borated water.
If a pipe connected to the reactor vessel ruptures, lots of borated water jets into the containment from the broken ends. To protect the containment structure as well as equipment inside the containment from damage caused by boric acid, a powdered substance called trisodium phosphate (TSP) is stored in baskets inside containment. The borated water spilling into containment from a broken pipe wets the baskets and dissolves the TSP. The TSP offsets the boric acid in the leaked water to control its pH. Controlling the pH within a narrow range prevents the leaked water from harming the containment and its contents. The proper pH level also serves to keep radioactive iodine released from damaged fuel dissolved in the water rather than be in a gaseous form that can more easily escape to the environment. (NOTE: Because the longstanding leakage of borated water at Davis-Besse was at a small rate, the water evaporated before contacting the TSP-filled baskets, thus preventing this neutralizing mixing process to occur.)
The amount of TSP loaded in the baskets was based on a calculation of how much borated water would spill into containment during a postulated accident. The calculation did not account for the amount of boric acid already within containment due to small leakage over a long period. With all this pre-existing boric acid inside containment, the amount added by the borated water spilled during an accident might overwhelm the TSP inventory and prevent the pH level to be properly managed. On November 24, 2004, the Nuclear Regulatory Commission (NRC) warned owners of pressurized water reactors about this subtle threat to containment performance capability and the importance of removing boric acid residue from their containments.
Oyster Creek (NJ)
The primary containment of the boiling water reactor at Oyster Creek consists of two parts: the drywell and the wetwell (or torus). After the owner applied to the NRC for a 20-year extension of the reactor’s operating license, intervenors argued that the drywell had not lived up to its name and was too degraded to permit extended operation.
The drywell looks like an inverted lightbulb. It is made from metal plates welded together and supported by reinforced concrete. To cushion the bottom of the drywell from the protective concrete shell, a bed of sand was installed, particularly in the location where eight vent pipes connected the drywell to the torus. As early was 1986, workers discovered that water leaking inside containment had collected in this sandbed to created a corrosive environment for the metal drywell resting on it. By 1992, all of the sand had been removed from containment and the exposed surfaces of the drywell coated with epoxy for protection against continued corrosion. But some damage had been done.
The drywell metal plates were specified to be at least certain thicknesses. Measurements determined that corrosion reduced the plates to less than the minimum thicknesses in the former sandbed regions and also in some of the upper portions. Some of the drywell metal plates were inaccessible, so measurements were confined to samples of the accessible plates. The plant’s owner and the NRC contended that the thin plates would not undermine the structural integrity of the drywell during postulated accident conditions—it would remain intact under the higher forces applied to it during an accident. The intervenors challenged the conclusions on grounds that excluding the condition of the inaccessible drywell plates resulted in incomplete evaluations. The NRC renewed the operating license for Oyster Creek in April 2009.
Safety by Intent
The NRC requires two types of tests intended to verify that containments remain capable of preventing excessive release of radioactivity to the environment during an accident: (1) local leak rate tests, and (2) integrated leak rate tests.
Local Leak Rate Testing
The containment walls of U.S. nuclear power plants are made from thick reinforced concrete, often lined by metal plates. But these robust barriers are pierced by literally hundreds of openings for doors, pipes, electrical conduits, and ventilation ducts. These openings are equipped with isolation devices designed to close when necessary to “button up” containment and keep radioactivity inside. Disaster by Design/Safety by Intent #32 described times when the isolation devices failed.
Local leak rate testing is intended to guard against failures. Workers periodically test the ability of each isolation device to perform that safety role. For example, consider the case of two valves installed in a pipe that penetrates the containment wall; one valve is located just before the pipe penetrates the wall and the second valve is located just outside the wall. Tight closure of either valve prevents radioactivity from escaping containment through the pipe. During a local leak rate test, workers will pressurize the pipe with water or air, close each valve individually, and measure the leakage past the closed valve. Some small leakage is permissible; if the measure leakage is too much, the valve must be replaced or repaired and retested until a successful test result is obtained.
Integrated Leak Rate Testing
Local leak rate testing protects against excessive release of radioactivity through pipes, doors, and other penetrations through containment walls. But what about leaks around these penetrations? After all, a metal pipe passing through a concrete wall can result in small openings that are pathways for radioactivity to escape. Integrated leak rate testing complements local leak rate testing by checking the leak tightness of the overall structure.
Integrated leak rate tests are similar to local leak rate tests. But instead of pressurizing an individual penetration through containment and measure leakage past its isolation device, workers pressurize the containment atmosphere and monitor how that elevated pressure is maintained. If the elevated pressure remains high enough for long enough, the leak tightness of containment is verified. But if the elevated pressure decreases too rapidly, leakage through one or more openings is revealed.
Local and integrated leak rate tests seek to ensure that the containment barrier is as reliable as possible. The containment barrier is somewhat like a car’s airbag. They can protect against harm during an accident. It’s far better not to need this protection by avoiding accidents. But accidents can have grave consequences when the protection fails.
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.