Role of Regulation in Nuclear Plant Safety #7
Both reactors at the Surry nuclear plant near Williamsburg, Virginia operated at full power on December 9, 1986. Around 2:20 pm, a valve in a pipe between a steam generator on Unit 2 and its turbine inadvertently closed due to a re-assembly error following recent maintenance. The valve’s closure resulted in a low water level inside the steam generator, which triggered the automatic shutdown of the Unit 2 reactor. The rapid change from steady state operation at full power to zero power caused a transient as systems adjusted to the significantly changed conditions. About 40 seconds after the reactor trip, a bend in the pipe going to one of the feedwater pumps ruptured. The pressurized water jetting from the broken pipe flashed to steam. Several workers in the vicinity were seriously burned by the hot vapor. Over the next week, four workers died from the injuries.
While such a tragic accident cannot yield good news, the headline for a front-page article in the Washington Times newspaper about the accident (Fig. 1) widened the bad news to include the Nuclear Regulatory Commission (NRC), too.
The Surry Power Station has two pressurized water reactors (PWRs) designed by Westinghouse. Each PWR had a reactor vessel, three steam generators, and three reactor coolant pumps located inside a large, dry containment structure. Unit 1 went into commercial operation in December 1972 and Unit 2 followed in June 1973.
Steam flowed through pipes from the steam generators to the main turbine shown in the upper right corner of Figure 2. Steam exited the main turbine into the condenser where it was cooled down and converted back into water. The pumps of the condensate and feedwater systems recycled the water back to the steam generators.
Figure 2 also illustrates the many emergency systems that are standby mode during reactor operation. On the left-hand side of Figure 2 are the safety systems that provide makeup water to the reactor vessel and cooling water to the containment during an accident. In the lower right-hand corner is the auxiliary feedwater (AFW) system that steps in should the condensate and feedwater systems need help.
The condensate and feedwater systems are non-safety systems. They are needed for the reactor to make electricity. But the AFW system and other emergency systems function during accidents to cool the reactor core. Consequently, these are safety systems.
Both reactors at Surry operated at full power on Tuesday December 9, 1986. At approximately 2:20 pm that afternoon, the main steam trip valve (within the red rectangle in Figure 2) in the pipe between steam generator 2C inside containment and the main turbine closed unexpectedly.
Subsequent investigation determined that the valve had been improperly re-assembled following recent maintenance, enabling it to close without either a control signal nor need to do so.
The valve’s closure led to a low water level inside steam generator 2C. By design, this condition triggered the automatic insertion of control rods into the reactor core. The balance between the steam flows leaving the steam generators and feedwater flows into them was upset by the stoppage of flow through one steam line and the rapid drop from full power to zero power. The perturbations from that transient caused the pipe to feedwater pump 2A to rupture (location approximated by the red cross in Figure 1) about 40 seconds later.
Figure 3 shows a closeup of the condensate and feedwater systems showing where the pipe ruptured. The condensate and condensate booster pumps are off the upper right side of the figure. Water from the condensate system flowed through feedwater heaters where steam extracted from the main turbine pre-warmed it to about 370°F en route to the steam generators. This 24-inch diameter piping (called a header) supplied the 18-in diameter pipes to feedwater pumps 2A and 2B. The supply pipe to feedwater pump 2A featured a T-connection to the header while a reducer connected the header to the 18-inch supply line to feedwater pump 2B. Water exiting the feedwater pumps passed through feedwater heaters for additional pre-warming before going to the steam generators inside containment.
Water spewing from the broken pipe had already passed through the condensate and condensate booster pumps and some of the feedwater heaters. Its 370°F temperature was well above 212°F, but the 450 pounds per square inch pressure inside the pipe kept it from boiling. As this hot pressurized water left the pipe, the lower pressure let it flash to steam. The steam vapor burned several workers in the area. Four workers died from their injuries over the next week.
As the steam vapor cooled, it condensed back into water. Water entered a computer card reader controlling access through a door about 50 feet away, shorting out the card reader system for the entire plant. Security personnel were posted at key doors to facilitate workers responding to the event until the card reader system was restored about 20 minutes later.
Water also seeped into a fire protection control panel and caused short circuits. Water sprayed from 68 fire suppression sprinkler heads. Some of this water flowed under the door into the cable tray room and leaked through seals around floor penetrations to drip onto panels in the control room below.
Water also seeped into the control panel to actuate the carbon dioxide fire suppression system in the cable tray rooms. An operator was trapped in the stairwell behind the control room. He was unable to exit the area due to doors locked closed by the failed card reader system. Experiencing trouble breathing as carbon dioxide filled the space, he escaped when an operator inside the control room heard his pounding on the door and opened it.
Figure 4 shows the section of piping that ruptured. The rupture occurred at a 90-degree bend in the 18-inch diameter pipe. Evaluations concluded that years of turbulent water flow through the piping gradually wore away the pipe’s metal wall, thinning it via a process called erosion/corrosion to the point where it was no longer able to withstand the pressure pulsations caused by the reactor trip. The plant owner voluntarily shut down the Unit 1 reactor on December 10 to inspect its piping for erosion/corrosion wear.
Pre-Event Actions (and Inactions?)
The article accompanying the darning headline above described how the NRC staff produced a report in June 1984—more than two years before the fatal accident—warning about the pipe rupture hazard and criticizing the agency for taking no steps to manage the known risk. The article further explained that the NRC’s 1984 report was in response to a 1982 event at the Oconee nuclear plant in South Carolina where an eroded steam pipe had ruptured.
Indeed, the NRC’s Office for Analysis and Evaluation of Operational Data (AEOD) issued a report (AEOD/EA 16) titled “Erosion in Nuclear Power Plants” on June 11, 1984. The last sentence on page two stated “Data suggest that pipe ruptures may pose personnel (worker) safety issues.”
Indeed, a 24-inch diameter pipe that supplied steam to a feedwater heater on the Unit 2 reactor at Oconee had ruptured on June 28, 1982. Two workers in the vicinity suffered steam burns which required in hospitalization overnight. Like at Surry, the pipe ruptured at a 90-degree bend (elbow) due to erosion of the metal wall over time. There was a maintenance program at Oconee that periodically examined the piping ultrasonically.
That monitoring program identified pipe wall thinning of two elbows on Unit 3 in 1980 that were replaced. Monitoring performed in March 1982 on Unit 2 identified substantial erosion in the piping elbow that ruptured three months later. But the thinning was accepted because it was less than the company’s criterion for replacement. It’s not been determined whether prolonged operation at reduced power between March and June 1982 caused more rapid wear than anticipated or whether the ultrasonic inspection in March 1982 may have missed the thinnest wall thickness.
The NRC dispatched an Augmented Inspection Team (AIT) to the Surry site to investigate the causes, consequences, and corrective actions. The AIT included a metallurgist and a water-hammer expert. Seven days after the fatal accident, the NRC issued Information Notice 86-106, “Feedwater Line Break,” to plant owners. The NRC issued the AIT report on February 10, 1987. The NRC issued Supplement 1 on February 13, 1987, and Supplement 2 on March 18, 1987, to Information Notice 86-108.
The NRC did more than warn owners about the safety hazard. On July 9, 1987, the NRC issued Bulletin 87-01, “Thinning of Pipe Walls in Nuclear Power Plants,” to plant owners. The NRC required owners to respond within 60 days about the codes and standards which safety-related and non-safety-related piping in the condensate and feedwater systems were designed and fabricated to as well as the programs in place to monitor this piping for wall thinning due to erosion/corrosion.
And the NRC issued Information Notice 88-17 to plant owners on April 22, 1988, summarizing the responses the agency received in response to Bulletin 87-01
Eleven days after a non-safety-related pipe ruptured on Oconee Unit 2, the NRC issued Information Notice 82-22, “Failures in Turbine Exhaust Lines,” to all plant owners about that event.
The June 1984 AEOD report was released publicly. The NRC’s efforts did call the nuclear industry’s attention to the matter as evidenced by a report titled “Erosion/Corrosion in Nuclear Plant Steam Piping: Causes and Inspection Program Guidelines” issued in April; 1985 by the Electric Power Research Institute.
Days before the NRC issued the AEOD report, the agency issued Information Notice 84-41, “IGSCC [Intragranular Stress Corrosion Cracking] in BWR [Boiling Water Reactor] Plants,” to plant owners about cracks discovered in safety system piping at Pilgrim and Browns Ferry.
As the Washington Times accurately reported, the NRC knew in the early 1980s that piping in safety and non-safety systems was vulnerable to degradation. The NRC focused on degradation of safety system piping, but also warned owners about degradation of non-safety system piping. The fatal accident at Surry in December 1986 resulted in the NRC expanding efforts it had required owners take for safety system piping to also cover piping in non-safety systems.
The NRC could have required owners fight the piping degradation in safety systems and non-safety systems concurrently. But history is full of wars fought on two fronts being lost. Instead of undertaking this risk, the NRC triaged the hazard. It initially focused on safety system piping and then followed up on non-safety system piping.
Had the NRC totally ignored the vulnerability of non-safety system piping to erosion/corrosion until the accident at Surry, this event would reflect under-regulation.
Had the NRC compelled owners to address piping degradation in safety and non-safety systems concurrently, this event would reflect over-regulation.
By pursuing resolution of all known hazards in a timely manner, this event reflects just right regulation.
Postscript: The objective of this series of commentaries is to draw lessons from the past that can, and should, inform future decisions. Such a lesson from this event involves the distinction between safety and non-safety systems. The nuclear industry often views that distinction as also being a virtual wall between what the NRC can and cannot monitor.
As this event and others like it demonstrate, the NRC must not turn its back on non-safety system issues. How non-safety systems are maintained can provide meaningful insights on maintenance of safety systems. Unnecessary or avoidable failures of non-safety systems can challenge performance of safety systems. So, while it is important that the NRC not allocate too much attention to non-safety systems, driving that attention to zero will have adverse nuclear safety implications. As some wise organization has suggested, the NRC should not allocate too little attention or too much attention to non-safety systems, but the just right amount.
* * *
UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.