Disaster by Design: Safety by Intent #6
Disaster by Design
The light water reactors currently operating in the U.S. are either boiling water reactors (BWRs) or pressurized water reactors (PWRs). In both designs, water flowing past the nuclear fuel in the reactor cores gets heated to over 500°F. Water is able to be heated to this temperature because it is pressurized—to over 1,000 pounds per square inch (psi) in BWRs and to over 2,000 psi in PWRs. The 1,000 psi pressure is equivalent to the pressure submerged more than 2,200 feet below the ocean’s surface.
The reactor vessel and its attached piping must be robust in order to remain intact and contain this high pressure fluid. But abnormally high pressure can break even robust containers. So, the American Society of Mechanical Engineers (ASME) Boiler and Pressure Vessel Code requires overpressure protection. The goal of overpressure protection is to prevent the pressure inside reactor vessels and connected piping from exceeding the point where it could catastrophically burst.
Safety relief valves (SRVs) provide overpressure protection. In BWRs, the pipes carrying steam from the reactor vessel to the turbine have multiple SRVs. In PWRs, the pressurizers have multiple SRVs, commonly called pressurizer safety valves or power-operated relief valves.
Figure 2 illustrates a typical SRV. Force from a coiled spring normally keeps the SRVs closed. The compression of the coiled spring, and the force it applies, can be changed using the adjustment screw to keep the SRV closed until a certain pressure, or setpoint, is exceeded. The SRV automatically opens when its setpoint pressure is exceeded. The opened SRV discharges fluid until pressure drops back below the setpoint. The spring force then re-closes the SRV.
The pressure required to automatically open an SRV is determined in a laboratory or shop. An SRV installed in a nuclear plant cannot be readily tested to check that this key setpoint is properly established. Thus, SRV setpoints are checked prior to installation. And SRVs are periodically removed and sent off to re-test their opening setpoints.
The lever and piston actuator on the left side of the diagram indicate how an SRV can be manually opened when the pressure is lower than the setpoint. By turning a switch in the control room or at a local panel, the operator can open a solenoid valve that admits compressed air to the piston-type pneumatic actuator assembly. The compressed air pushes the piston upward, raising the lever and lifting the SRV open against the spring force. Closing the switch stops the compressed air flow, enabling the spring force to re-close the SRV.
The manual opening and closing of SRVs can be tested when the valves are installed. Periodically, workers turn switches to test whether the SRVs open and close properly.
The steam discharged through opened SRVs in BWRs flows inside pipes to the water-filled suppression pools that are part of the primary containment. The water cools the steam and converts it back into water.
The steam discharged through opened pressurizer safety valves or power-operated relief valves in PWRs flows inside pipes to a metal tank inside the primary containment.
SRVs perform a safety function protecting the reactor vessel and connected piping from breaking caused by excessively high pressure.
SRVs also perform a safety function by not opening when they should be closed. Opened SRVs discharge water from the reactor vessel. If not adequately replaced, that inventory loss could result in overheating damage to the reactor core (as actually happened at Three Mile Island Unit 2 after a power-operated relief valve stuck in the open position.)
As suggested by the following summaries, SRVs have sometimes opened at the wrong time and remain closed at the wrong time.
SRVs Remaining Closed
After the Pilgrim BWR was shut down on February 9, 2013, the control room operators attempted three times to open SRV A to lower pressure inside the reactor vessel. After each attempt, the operators did not see the expected response from an acoustic monitor installed in the tailpipe downstream of SRV A. The operators stopped using SRV A and used SRVs C and D instead. The operators initiated a condition report to have maintenance workers investigate SRV A. Workers only replaced the acoustic monitor for SRV A and took no other actions to troubleshoot the problems with SRV A or to test that replacing the acoustic monitor solved the problem.
Following the unplanned shut down of the reactor on January 27, 2015, the control room operators were unable to manually open SRV C. The NRC dispatched a special inspection team to the plant following the January 2015 event. The NRC reported:
Entergy Nuclear Operations, Inc. (Entergy) staff failed to identify, evaluate, and correct the condition of the ‘A’ safety/relief valve (SRV) failing to open upon manual actuation during a plant cooldown on February 9, 2013. While the SRVs tested satisfactorily at high pressures at an offsite test facility, this failure to take actions to preclude repetition resulted in the ‘C’ SRV failing to open at reduced pressure during the plant cooldown in response to the partial loss of offsite power event on January 27, 2015. The self-revealing finding was within Entergy’s ability to foresee and correct because indications were available to determine that the ‘A’ SRV valve did not open upon manual actuation. As a result, the ‘A’ SRV was inoperable for greater than its Technical Specification allowed outage time.
An operator in the control room flipped the switch to open one of the SRVs for the Unit 3 BWR at Dresden. Another worker positioned in the plant for the test heard a click indicating that the valve received the signal to open. But the valve remained closed. The owner concluded that the SRVs design was vulnerable to wear from the vibrations caused by steam rushing through the steam pipe.
The owner of the Unit 4 PWR notified the NRC in May 2013 that one of two power-operated relief valves has been inoperable for 14 days and 11 hours—considerably longer than the 32-hour outage time permitted by the operating license. The reactor was shut down at the time. The piping in the systems being used to cool the reactor core during refueling is not designed for high pressure, so the operating license required that high pressure safety systems be prevented from starting and that two power-operated relief valves be available in case a high-pressure pump is mistakenly started. Workers installing a modification to the plant lifted leads that disconnected the power supply to one of the two power-operated relief valves. This condition was not detected for two weeks.
The Unit 3 reactor at Browns Ferry is a BWR with 13 SRVs. With two or more SRVs inoperable, the operating license requires that the reactor be shut down within 12 hours. After the reactor was shut down on February 27, 2010, to enter a refueling outage, workers removed the 13 SRVs and tested them for the pressure at which they would open. The tests revealed that 8 of the 13 SRVs required a pressure significantly higher to open than assumed in the safety studies and were therefore inoperable. The owner concluded that the reactor has operated longer with inoperable SRVs than permitted by its operating license.
The owner of the Unit 1 PWR notified the NRC in September 2008 that one of two pressurizer safety valves had opened during a test at a pressure higher than the allowable opening band. The safety valve was designed to open at a pressure between 2,514 and 2,616 psi, but actually opened during the test at 2,670 psi. Workers disassembled the valve and discovered some of its internal parts misaligned, likely causing the problem. The valve had been removed from the plant in 2004 and shipped to the vendor for service and maintenance. After being refurbished, the valve failed to open at the proper pressure during a test. The valve was reworked and then retested. It once again failed to open at the proper pressure during the test. The valve was reworked again and retested. This time it opened within the specified pressure range and was shipped back to the plant and reinstalled in March 2006.
SRVs Improperly Opening
The Unit 2 BWR at Brunswick was operating at 100 percent power on November 9, 2008, when the control room operators observed that SRV H had opened. An operator cycled the control switch for SRV H to open and then back to close three times, but the valve remained open. An operator pulled the fuses in the power supply to the valve, hoping that de-energization would close it. The valve remained open. The steam flowing through the open SRV into the torus heated the torus water. When the water temperature reached 109.8°F, the operators manually scrammed the reactor. SRV H closed as the pressure inside the reactor vessel dropped following the rapid shut down. The owner determined that SRV H had been assembled improperly with a mis-positioned part interfering with the spring’s coil. The improper assembly caused the pressure at which the SRV would open to be about ten percent lower than desired such that the SRV spuriously opened during routine operation.
In late December 2011, the operators shut down the BWR in response to indications that SRV 3D was leaking. Thermocouples installed in the pipe between the SRV and the torus increased from the ambient temperature of about 160°F to over 200°F. The leaking SRV was considered inoperable and the operating license required that the reactor be shut down. Workers removed the SRV and disassembled it, but found no conclusive reason for it leaking. The SRV was reassembled with some new internal parts and reinstalled.
The owner of the Unit 2 BWR informed the NRC in October 2009 that three of the twelve SRVs opened at lower than expected pressures during testing. One opened at 1,123 pounds per square inch (psi) pressure when designed to open at 1,175 psi. A second opened at 1,155 psi instead of 1,195 psi. And the third opened at 1,165 psi instead of 1,205 psi. Workers determined that the three valves probably opened at lower than desired pressures because their opening setpoints had drifted down.
Safety by Intent
SRVs have important safety roles to perform. They need to open when necessary to protect the reactor vessel and connected piping from damage caused by excessively high pressure. And they need to remain closed when necessary to protect the reactor core from damage caused by inadequate cooling.
SRVs are susceptible to problems that can compromise safety. The setpoints at which the SRVs automatically open are prone to drifting either higher or lower. And SRVs are prone to sticking, particularly sticking in the opened position.
Goldilocks SRVs are necessary—SRVs that neither open too soon nor too late and which remain open only as long as desired.
In the events summarized above, 8 of 13 SRVs on Browns Ferry Unit 3 and 3 of 12 SRVs on Susquehanna Unit 2 were found to open at incorrect pressures during testing. All eight test failures at Browns Ferry involved higher than desired opening pressures while all three test failures at Susquehanna involved lower than desired opening pressures. The consistent direction of the failures strongly suggests biases that cause setpoints to drift upward at Browns Ferry and downward at Susquehanna. The reasons for these failure biases need to be identified and remedied if future failures are to be avoided.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how addressing pre-existing problems can lead to a more effective defense-in-depth protection.
Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.