Disaster by Design/Safety by Intent #46
Disaster by Design
You won’t see it on our website. You won’t find it in materials we mail out to our members. You won’t hear it in the webinars we hold for prospective donors. But UCS caused a meltdown at a U.S. nuclear power reactor. Well, that’s only half the story. UCS caused meltdowns at two U.S. nuclear power reactors. In our defense, they (being the Nuclear Regulatory Commission (NRC) and the nuclear industry) started it. We only finished it.
Starting Down the Road to Meltdowns
In March 1996, I still worked in the nuclear industry. Walking through the Charlotte airport, I passed a newsstand with a front window display of four rows by six columns of the current TIME magazine. Two dozen George Galatis faces looked out at me. I’d met George the previous year because we both shared concerns about spent fuel pools in boiling water reactors (Millstone Unit 1 in his case, Susquehanna in mine) and had encountered a Rhett Butler reaction by plant owners and the NRC to the safety concerns (frankly, they just didn’t give a d**n). Eric Pooley’s article in TIME about the NRC’s nonchalance could not be ignored by the federal government any more than I could have failed to notice a window full of Georges that day in Charlotte.
The many steps taken by NRC post-TIME included dispatching special teams of inspectors to 18 nuclear power reactors to ascertain whether they had safety problems like those revealed by Pooley at Millstone. (Galatis was not just whistling Dixie and Pooley was not presenting a distorted picture of the situation. The Millstone Unit 2 and 3 reactors remained shut down for nearly two years while a myriad of safety problems finally got fixed and the company’s Board decided that the cost of fixing the safety problems plaguing Unit 1 was too high; that reactor never restarted.)
Next Stop: DC Cook
The NRC team sent to the DC Cook nuclear plant in Michigan in August 1997 found a problem in the plant’s design for coping with a loss of coolant accident. The two pressurized water reactors at Cook have ice condenser containments.
The reactor vessel sits in the lower center of the containment flanked by the steam generators. Ice vaults ring the containment wall. The ice vaults hold more than two million pounds of ice stored in tall, cylindrical mesh baskets. Concrete walls and floors (called the containment divider) separate the containment into a lower region and upper region. The lower region houses the reactor vessel, steam generators, and connecting pipes. If a break were to initiate a loss of coolant accident, the high pressure fluid would flash to steam as it jetted from the broken pipe ends into the lower region of the containment. The rising pressure in the lower region from this leaked fluid would push open hinged doors at the bottom of the ice vaults. The rising pressure would force steam through the inlet doors into the ice vault. The ice would cool the steam down until it turned back into water. Air entrained with the steam would pass out the top of the ice vault into the upper region of containment.
Initially, water to compensate for the fluid lost via the broken pipe would be added by emergency makeup pumps to the reactor vessel from storage tanks. Before these storage tanks emptied, the emergency makeup pumps would switch over to draw water from concrete pits called sumps in the basement of the containment building. The pumps would then recirculate the water from the sumps to the reactor vessel and carwash-style spray nozzles inside containment.
The NRC inspection team identified a disparity between the safety studies of loss of coolant accidents and the plant’s actual design. The safety studies assumed that all the water leaked into containment from the broken pipe along with water from melted ice would be available to the emergency pumps drawing water from the sumps. But water filling the reactor cavity would not be available until the cavity flooded to 11 feet and 3 inches above the floor of the active sump. At that level, water would flow through a horizontal hole cut in the wall from the reactor cavity into the active sump area. Below that level, water leaked into the reactor cavity would stay in the reactor cavity. Similarly, water from melted ice that dropped down into the pipe annulus beneath the ice vault would remain there until the space flooded to 13 feet and 3 inches above the floor of the active sump.
The safety studies were valid for breaks of large-diameter pipes. The large amount of fluid jetting through the large break would quickly flood the reactor cavity and rapidly melt enough ice to fill the pipe annulus so as to push water into the active sump area before the storage tanks emptied. But for breaks of medium-diameter and small-diameter pipes, the storage tanks might empty before the active sump area could be filled. Should that occur, the emergency makeup pumps might not supply enough cooling water to the reactor vessel to prevent core damage.
The owner responded to the NRC team’s finding by voluntarily shutting down both reactors in early September 1997 to remedy the design problem.
The fix was relatively simple. Workers bored holes through the vertical crane wall between the pipe annulus and the active sump area nearly ten feet below the original holes. These holes would permit water to reach the active sump area sooner. The safety studies were re-evaluated using the new design configuration to confirm that sufficient water filled the active sump area during postulated breaks of medium-diameter and small-diameter pipes for the emergency makeup pumps to function before the storage tanks emptied.
UCS Causes a Meltdown or Two
On October 9, 1997, UCS petitioned the NRC to prevent the two DC Cook reactors from restarting until it was determined that the plant conformed to all design and licensing requirements. The NRC team only examined a small number of the many safety systems at the plant, yet found such a major problem that both reactors had to shut down. What other problems lurked in the unexamined systems? Or had the NRC team magically uncovered the plant’s only safety problem?
The NRC scheduled a meeting with the plant’s owner on December 16, 1997, to discuss the “To Do” list of items required before the reactors could be restarted. The issues raised in UCS’s petition were absent from the list, so I called the NRC’s petition manager. He told me that the NRC decided to take up the issues in our petition after both reactors restarted.
So, the NRC would decide whether to prevent both reactors at DC Cook from restarting until certain actions were completed after both reactors at DC Cook restarted.
UCS was not amused. Rich Hayes of our Communications Department gave me a booklet listing the news organizations in Michigan. I called news directors and reporters at TV stations, radio stations, and newspapers all over the state telling them about the safety problems at DC Cook that the NRC was intentionally overlooking.
The power of the press was swiftly demonstrated. Within hours, the NRC offered to meet with UCS before DC Cook restarted to discuss concerns raised in our petition. That meeting was held on January 12, 1998.
My remarks during the meeting focused on well-known and well-documented ice condenser problems. In 1997, Curtis Overall (the ice condenser system engineer at the Watts Bar nuclear plant until he was fired for raising safety concerns) met with the NRC to pass along his knowledge about ice condenser problems. His awareness was not limited to problems at Watts Bar—Curtis routinely communicated with his counterparts at other ice condenser plants and had travelled to DC Cook in 1982 for a meeting on ice condenser problems. There were only five U.S. nuclear power plants with ice condenser containments (Watts Bar, Sequoyah, McGuire, Catawba, and DC Cook) with considerable information sharing between system engineers.
A day or two after the meeting, Melvin Holmberg from the NRC’s Region III offices called me. DC Cook was in Region III while Watts Bar was in Region II. Holmberg was unaware of Overall’s ice condenser issues and asked me for information about them. I arranged a phone call between Holmberg and Overall. Soon thereafter, Holmberg headed for DC Cook to check whether its ice condensers had the impairments alleged by Overall.
Chief among Overall’s concerns was the failure of the metal screws holding the ice baskets together. The ice condenser has 24 ice vaults. Each ice vault has 81 baskets. Each basket is a metal mesh cylinder about 12 inches in diameter and a tad under 12 feet long. Each ice basket is designed to have 100 metal screws holding it, four stiffener rings, and one lifting ring together. Thus, each ice condenser requires a whopping total of 194,400 ice basket screws.
Overall discovered heads from broken screws on the floor of ice vaults at Watts Bar. And not just one or two but lots of them. Overall had a report from Westinghouse, the reactor vendor, indicating that an ice basket would perform as needed during an accident with up to 12 missing (or broken) screws—as long as no more than one screw was missing from any of its lower regions. With so many heads off broken screws, it would be unreasonable to assume that they only came from the upper ring and all other locations had intact screws. And the NRC knew that DC Cook also had ice condenser metal screw problems.
The NRC soon learned about many more ice condenser problems: improperly installed doors atop the ice vaults, improper procedure for weighing the amount of ice in the ice baskets, design errors that enabled steam flow to bypass the ice vaults en route to the upper region of containment, missing and inadequate welds on the ice baskets, debris inside the ice vaults that could block the flow of melted ice water into the sumps, and impaired inlet doors to the ice vaults.
On March 13, 1998, the owner informed the NRC about a meltdown on DC Cook Unit 1. It had decided to let the 2.59 million pounds of ice in its containment melt to facilitate inspections and repairs to the ice condenser. Later that year, the owner followed with a meltdown on DC Cook Unit 2. (The nuclear industry refers to these evolutions as “melt-outs” rather than “meltdowns,” but commentary conceding that UCS caused two reactors to “melt-out” is hardly as eye-catching.)
While ice melts rapidly enough, the extensive repairs of the many ice condenser problems were not nearly so rapid. And then workers had to reload 2.59 million pounds of ice into the fixed ice condensers. DC Cook Unit 2 restarted on June 25, 2000, and DC Cook Unit 1 followed on December 21, 2000.
Safety by Intent
UCS’s actions led to meltdowns at DC Cook because of two individuals—Curtis Overall who brought his ice condenser concerns to our attention in 1997, and Melvin Holmberg who sought to first understand Overall’s concerns and then to determine whether DC Cook had them in 1998. Both men demonstrated a commitment to nuclear safety by their actions.
Had other individuals demonstrated similar commitments, the ice condenser problems would have been found and fixed sooner. Workers at DC Cook knew about the ice condenser problems Overall identified at Watts Bar. He told them about the problems. But they did nothing with that awareness until Holmberg also became aware. They should have acted upon the problems without NRC’s prompting.
Individuals in NRC’s Region II and headquarters offices also knew about the ice condenser problems Overall identified at Watts Bar. He informed them verbally and in writing about the problems. But they did nothing with that awareness until Holmberg out in Region III also became aware. They should have acted upon the problems before he learned about them.
The NRC imposed a $500,000 civil penalty on Cook’s owner on October 13, 1998, for 37 violations of federal regulations, mostly related to ice condenser problems.
The ice condenser problems were extensive, demonstrated by the two years it took to fix them.
The ice condenser problems were significant, demonstrated by the large fine imposed on the company.
Why then did so many individuals at DC Cook and within the NRC overlook these many significant safety problems until Overall and Holmberg stepped up?
It’s neither a moot nor rhetorical question. For until it is answered and the causal factors eradicated, other overlooked safety problems could trigger the next reactor meltdown. And the next one probably won’t be of the cold variety.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.