Upload
hoangnguyet
View
228
Download
0
Embed Size (px)
Citation preview
The Davis Besse
Nuclear Power Plant
Three Mile Island Accident
Precursor Event
September 24, 1977
Copyright Mike Derivan 2014
On September 24, 1977 the Davis Besse Nuclear Power Plant
near Toledo Ohio experienced an event remarkably similar to
the Three Mile Island Accident. The Reactor Coolant System
response to both events is virtually identical for about twenty
minutes.
The failure of the Nuclear Industry and its Regulatory body,
the NRC, to correctly understand the significance of the
Davis Besse event put the TMI Operators in exactly the same
position eighteen months later. The results of this failure had
dire consequences for both the US Nuclear Industry and the
reputations of the TMI Operators.
This presentation, and its accompanying text document,
are my attempt to tell the truth, the whole truth, and
nothing but the truth about the Root Cause of the TMI
Accident.
Mike Derivan
The next frame shows a simplified drawing of the
associated plant systems at Davis Besse and the
plant initial conditions prior to the event. All time
references on the slides are relative to the time the
Davis Besse Operator manually tripped the reactor
early in the event.
Additional narrative will accompany the slide
presentation.
Between the previous frame and the next frame the Reactor Coolant System (RCS) is undergoing a heat
up transient. When the SFRCS actuation closed the Main Steam Isolation Valves with the Reactor at 9%
power, stopping the steam flow out of both Steam Generators, the heat removal (heat sink) for the RCS
was lost.
With the Reactor still generating 9% power there is no place for that power to go, except into the coolant
water of the RCS and the secondary side water level trapped in the Steam Generators. A very small
amount of heat removal is afforded by the steam to run the Aux Feed Pump Turbines.
The net affect of that coolant water heat up is the water expands pushing the Pressurizer water level up
and squeezing the steam bubble in the Pressurizer into a constantly decreasing volume. This causes the
system pressure to increase also. This pressure increase is what caused the PORV to lift.
Once the PORV lifted, and stuck open, two opposite affects are competing with respect to system
pressure. The stuck open PORV is decreasing pressure while the expanding water into the Pressurizer
from the coolant system water expansion wants to increase the pressure. The water expansion is
continuing because the Reactor is still critical (running) generating power. In our case the PORV is
winning, because the system pressure is decreasing. In this short duration pressure transient the system
pressure is probably “hanging” between the Reactor low pressure trip and high pressure trip window a
bit. But the system pressure response vs. time plot clearly shows the pressure was on the way to the low
pressure Reactor trip setpoint.
The subtle influence on this pressure transient is the fact we had a positive moderator coefficient of
reactivity at this time in the Reactor life cycle. And I’m convinced the speed of the coolant system heat up
was being driven by an ever increasing Reactor power level. But the power level data I have does not
include that plot.
But it always makes me wonder if a slightly different sequence might have been possible. One where the
RCS heat up and the Pressurizer level in surge was controlling the pressure. That might lead to what
Operators refer to as “A truly eye watering event.”
Now I know what you’re thinking, “Why on earth did you
guys shutdown those HPI Pumps when you had a leak?”
My simple answer is “We were trained to do it”, but of course
that leads to another question, doesn’t it? We’ll get to that
too, but right now things are about to get worse. Remember
before you get too judgmental, you’ve already spent more
time watching this Power Point Slide Show than we have
spent dealing with this event in real time in a real plant.
We’re only at five minutes.
And “Oh, by the way”, we were emphatically trained to never
let the HPI Pumps overfill the Pressurizer level. At the time
we shut them down, that level was 230” and increasing, while
the desired post Reactor Trip level setpoint was 100”.
Between 8 minutes and about 14 minutes post Reactor trip the RCS conditions were relatively stagnant.
This is the first time we had a chance to focus on the meaning of the low RCS pressure and “pegged out”
high Pressurizer Level, as there were no other pressing tasks requiring our attention during this time
frame. During the time frame from event start until now I had been looking at the low pressure and high
level as 2 independent unrelated problems. At least the pressure had gone in an expected direction on the
Reactor trip, albeit way too far. But that Pressurizer had me stumped to the point I actually had the
thought something was going on we hadn’t been told about; and if I could just get the plant drawing
straight lines I could figure it out. On a gut level it was impossible considering just some thumb rules for
the Pressurizer. One inch of level equals 30 gallons. One degree of T-average equals two inches of level. I
had watched it go from 200” to over 320” in 2 minutes. That’s over 3000 gallons, or over 1500 GPM;
impossible with our pumps. But I never doubted that the indicator was correct (we had 3).
According to the data plots, the RCS temperature actually started a slow heat up at about the 8 minute
mark which continued through this time period. I remember I had been intently focused on the RCS
pressure dropping, wondering when it was going to stop. It stopped dropping and bottomed out at about
950PSIG during the 8 to 10 minute time frame. That really got my attention. As much as I wanted to see it
stop dropping, what soaked in was that we had done nothing to cause it to stop. There had to be a reason.
Looking at the plant temperature and pressure it dawned on me; I grabbed a P vs. T Saturation curve off
the Reactor Operator desk and bingo! We were Saturated.
I announced out loud in the Control Room “We are Saturated, that’s why the Pressurizer is full, we are
boiling in the loops pushing the water in there.” Consider the power of negative training, and confusing
procedure guidance when that information soaks in to 5 licensed Operators. We had all been trained the
same way; never let the Pressurizer get “solid” (full of water); especially including never let HPI do it.
Consider that group of experience included 3 Navy nuke trained Operators and 2 College Degreed
Engineers, one with a Master’s Degree. We all hear that we are severely voided in the RCS, the Pressurizer
is indicating full, but the system is not. And nobody says “We better turn on HPI.”
But nobody really wants to believe we were trained to never let HPI pump into a full Pressurizer.
Once the Pressurizer PORV was isolated by its Block Valve, things did not immediately “get better”;
Reactor Coolant System conditions did not immediately start to change. We had stopped the flow of
water/steam out of the top of the Pressurizer, and I don’t have any specific recall of us manipulating the
Pressurizer electric heaters so I’d imagine they were automatically on, responding to the very low Reactor
Coolant System pressure. At that point the Pressurizer bulk water temperature must have been close to
the average Reactor Coolant System water temperature, which was about 533F, due to the Reactor
Coolant System inflow into the Pressurizer and out the stuck open PORV. In fact I don’t have any recall of
what I was thinking during those first several minutes following PORV isolation; so my guess is that my
gut was telling me we had found the problem and the plant would recover to more normal post-trip
conditions. This is opposed to my fairly detailed recall of events and thoughts leading up to PORV Block
Valve closure. I don’t think anybody in the Control Room said much of anything; we just all watched
Reactor Coolant System pressure to see if it would recover.
Today, in hindsight, the Reactor Coolant System was not exactly in a stable condition. We had one
Reactor Coolant Pump running in each loop in a highly steam voided condition, the Pressurizer level was
still indicating off scale high, Pressurizer heaters were on attempting to increase Reactor Coolant System
pressure, both Steam Generators were being maintained at the correct level by Auxiliary Feed Water. The
Reactor Coolant System temperature plot for the event shows Reactor Coolant System temperature was
increasing at this time. A mental heat balance of the Reactor Coolant System would indicate the 2 running
Reactor Coolant Pumps (and any very small, if any, decay heat from 1 Effective Full Power Day) were
adding more heat to the Reactor Coolant System than was being removed. Heat removal was basically
being provided by the addition of cold Seal Injection water to the 4 Reactor Coolant Pumps (30-40 GPM
total) and heat removal via the Steam Generators using the Auxiliary Feed Pump steam to run the
Auxiliary Feed Pump Turbines; we were not dumping any steam manually using any steam dumps.
What we had was a PWR with no P (except what might have been on the front of someone’s pants). Again,
there sits the strength of the previous B&W training on Pressurizer level; 5 Licensed Operators all trained
exactly the same way and there is no discussion about turning on High Pressure Injection to refill the
steam voided Reactor Coolant System. We just basically watched the indicated Pressurizer level and
waited for it to tell us we were “allowed” to add more water to the system. Simply put we were waiting for
the “actual real process” to move itself back into the realm of our pre-conditioned understanding of the
“process.” This is amazing to me in light of the fact several minutes earlier I had announced in the Control
Room exactly why the Pressurizer level indicated it was full. And for me it just begs the question of what
exactly is an “Operator Error”? There is no doubt in my mind that turning off the High Pressure Injection
in response to this Small Break Loss of Coolant Accident based on the Pressurizer level going full, is the
wrong thing to do. But who exactly made the error?
The simple fact is that before TMI, the “Institutional Arrogance” of the whole Nuclear Industry did not
believe a core damage event was even possible. Events were postulated and consequences were
analyzed because that was the licensing methodology that was used; but it was the belief (mindset) that
core damage was really never going to happen… period. So when TMI became the “Elephant in the
Room”, it had to be someone’s fault. It is my understanding that in complicated technology the principle
applies that if it is working OK, and then something bad happens, whoever touched the technology last is
the culprit (liable). I don’t see that as the case here, it was not exactly OK; there was a fundamental flaw in
the understanding of the actual system response to a leak in the steam space of PWR Pressurizers. The
only reason that the flaw was not apparent was that it had not happened in a US PWR. There were ignored
warnings to the AEC relevant to this misunderstood condition for Westinghouse European PWRs even
before the Davis Besse event. And that same Westinghouse Design was operating in the US. Also just
before the Davis Besse event there was an ignored warning on a B&W Reactor Design Review that this
Pressurizer steam space leak might lead Operators to “mistakenly turn off HPI.” The bloody details are in
the Report. But I will add that I counted the hands this report touched, just as mentioned in the Rogovin
Report. I didn’t count anybody twice. My total including organizations directly exposed are the ACRS, the
Pebble Springs License Application, the Bellefonte plant review, 2 NRC personnel, and 6 B&W personnel,
all before the TMI accident. Would anyone care to venture a guess just how many times the word “error”
is used in the Rogovin Report in describing this known ERROR in the B&W plant Operator training
program and procedure guidance? The only person who got it right was Murphy.
A full ten minutes elapsed after the PORV Block Valve was closed before Pressurizer level began to come
back on scale (30 min post trip); the result of the effect of the Pressurizer heaters starting to raise
pressure above the saturation pressure thereby collapsing the Reactor Coolant System steam bubbles.
Twenty minutes after the PORV Block Valve was closed (40 min post trip), according to the Davis Besse
NRC LER narrative, we started a second Make Up Pump to stop the rapid decrease in Pressurizer level. I
can’t establish the Pressurizer level from the plots at that time, as the graph time scale shifts at that end.
Also the Pressurizer Level plot scale only goes down to ~190” and at sixteen minutes after Block Valve
closure (36 min post trip) the data goes off the bottom of the plot. The narrative also says the increased
makeup flow started a slow decrease in Reactor Coolant System temperature. The narrative further states
at twenty two minutes (42 min post trip) we got the Low Pressurizer Level Heater Cut-Off (at 40”) which
would de-energize the Pressurizer heaters.
And at forty eight minutes (post trip) we started a High Pressure Injection pump, to recover the decreasing
Pressurizer level, which allowed reenergizing the Pressurizer heaters. At fifty minutes post trip the AFPT 2
governor was discovered hung up again, when we again got the Steam Generator2 Low Main Steam
Pressure Trip Block Permit alarm. I don’t even have any recall this second occurrence; but if I had to
speculate I’d say the Operator attending the Auxiliary Feed Pumps and Steam Generator levels diverted
his attention to help the Operator establishing High Pressure Injection flow, as it required coordination at
both a back panel and a front council panel. It would have been necessary to again establish a “throttled”
High Pressure Injection flow to accomplish our goal of increasing Pressurizer level to recover the heaters,
while not over cooling the Reactor Coolant System with High Pressure Injection flow to such an extent
that the coolant water contraction decreased the Pressurizer level again (such is life in an Operator’s
world).
This just points out a legitimate case requiring the throttling of High Pressure Injection flow by the
Operators. I will also point out this recovery of stable Plant Conditions, from the conditions we had at the
time, was well outside the bounds of any Operating Procedure (and may also still be today). It was done
solely by “skill of the craft”, which I suspect is now a lost art in the current totally proceduralized
mentality of the Nuke Operator World. By fifty six minutes post trip we had the Pressurizer level back to
normal control mode and were back on one Make Up Pump, the High Pressure Injection pump shut down,
Reactor Coolant System pressure was about 1100PSI and increasing; indicating sub-cooled Reactor
Coolant System conditions. We had returned to normal Main Feed flow to the SGs with MFP 2 running on
Auxiliary Steam supplied by the Auxiliary Boiler. We transitioned to a goal of establishing a normal Plant
Cool Down.
When I consider our handling of the Make-up and High Pressure Injection system during the recovery at
this point, what I see is a total fall back on our previous B&W training and experience, i.e. what’s the
Pressurizer level doing? If it’s decreasing add water, if not don’t add more water and don’t let High
Pressure Injection overfill.
I’ve recently had an additional thought on our indicated Pressurizer level during this event; what exactly
might it have been indicating? The NRC report narrative states that the steam and water discharge from
the blown rupture disk on the Pressurizer Quench Tank impinged on the lower shell of Steam Generator 2
to the degree it removed a 10’ high by 20’ wide section of insulation (and also deposited enough mud on
Containment floors and walkways to be “shoveled into drums”; something for Emergency Sump plugging
scenarios to consider). But the Pressurizer is also in the immediate vicinity of the Quench Tank. At this
point I know it’s just speculation because data is probably not available, but could the Quench Tank
discharge stream also been influencing the Reference Leg of the Pressurizer level measuring circuit,
e.g. boiling it down such that the indication would display higher than actual level? If so, just what were
we actually seeing during our actions to recover Pressurizer level? It is an interesting question, but there
probably is nothing to stimulate searching for an answer today. Except maybe the knowledge of what you
don’t know can bite you in the butt; according to Murphy.
Prolog
For a long time it wasn’t even possible for me to think about the TMI accident without Burt Dunn’s remark
echoing in my brain; “I can give you some scenarios where the situation would lead to possible fuel
damage.” Had I just been lucky? I knew TMI had been at about 100 EFPD and 97% power, we were only at
1 EFPD and 9% power, and that made all the difference in the world. The post Reactor trip decay heat
really drives the speed of the transient and we basically had none. So was it just luck that I had more time
to think than the TMI Operators because things were moving slower? So I had “made it” but they didn’t?
It’s not exactly the same thing, but suppose you lost control of your car at 97MPH verses 9MPH, which
case has the better chance of success? And that bothered me. It has taken years of soak time and hours
of pouring over transcripts to resolve some of that bother.
The earliest issue I can see that was treated differently was my response to the “pegged out high” high
Pressurizer level indication. At both plants Operators responded to the increasing Pressurizer level the
same way, and why not, we were trained the same and had the same basic procedures. So we both ended
up with High Pressure Injection off early. From there our reactions diverged. As explained in the event
narrative we had High Pressure Injection off at about 230 inches and increasing, at the event 5 minute
time frame. Then as Reactor Coolant System pressure continued to drop I watched Pressurizer level
increase from ~200 inches to off scale high from about the 6 minute to 8 minute time frame. I was in total
disbelief watching that happen. At that time we really weren’t pumping enough water in to make that
happen. We only had one Makeup Pump on at 30-40GPM for Reactor Coolant Pump Seal Injection and had
isolated the Letdown flow, so that wasn’t good for more than about an inch per minute of Pressurizer level
increase. There was no doubt in my mind that we had not pumped that water in there as it was not
physically possible in our pump configuration over the time frame that it happened. At the very time I
watched it happen, I did not understand why it happened, and it alarmed me that the level was that high.
As stated many times, it had been stressed in training not to let that happen. But there it was, and I never
doubted the level reading as we had three front panel meters all saying the same, so it was real. As stated
in the event narrative I definitely had the strong feeling something was going on that we had not been told
about, and also the feeling that I was missing something to make everything I was seeing fit.
The TMI Operators apparently had a stronger mindset than me to the training about not letting that
happen, because they worked harder to make it “go away.” They returned Letdown to service post trip
and had it maxed out at 140 – 160 GPM trying to lower Pressurizer level. We never returned Letdown flow
to service post trip as I recall. I’ve also read testimony indicating they we doing a “tank review” searching
for a way (flow path) that water might have gotten in there. As I said, we only had one pump running
capable of pushing against that Reactor Coolant System pressure and it could not have physically caused
it to happen. So my gut feeling rationalization is that I worked harder trying to understand the Pressurizer
level response than to make it “go away.”
The next issue I can see that was treated differently was my response to changing Containment Vessel
conditions. Obviously when I saw the Containment Vessel pressurizing it provided the answer to “what I
was missing” and made all the pieces fit, and I ordered the PORV Block Valve closed. TMI Operators saw a
different set of Containment Vessel conditions than I did, so some of this discussion is moot. For one
thing their Containment drain “catch tank” automatically pumped water into their Auxiliary Building
causing significant early problems to deal with in the Auxiliary Building. Our Containment drain “catch”
point (sump) could not have done that. It got automatically closed off by the same signal that started our
High Pressure Injection pumps. Another Containment condition they reacted to was increasing
Containment temperature, which testimony indicates they may have attributed to a steam leak from a
Steam Generator inside the Containment vessel. A Steam Generator steam leak can also cause
Containment pressure to increase, so I obviously didn’t go the steam leak route, but also other steam leak
symptoms were not present earlier at our plant.
The final issue they had to deal with that I think would have really had an impact on me (had it happened)
was when later in the event they saw the Nuclear Instrument Source Range Monitor counts increasing. I
would have surely thought the Reactor was returning to critical. Truthfully this would have scared the crap
out of me, to the point of likely totally consuming my attention and actions while ignoring everything else.
I’m positive I would have ordered emergency boration as they did. But I’d like to think (speculate) that
shortly I would have looked at that just like I looked at the Pressurizer level being full. This can’t happen,
something else is going on. All the Reactor Control Rods were tripped fully in, and the Reactor Coolant
System boron neutron poison still had to be in there, plus Xenon had to be peaking; so the Reactor core
just had to be shutdown. The Source Range Monitors, BF3-proportional counters, count neutrons that
leak out of the core. The only way they could see more neutrons is if the shield water between them and
the core was gone, and that was the water in the Reactor Vessel down comer region. So that water had to
be either really, really hot (lower density, thus more leakage), or it was gone.