7) As a consequence of steam discharging to the quench tank (QT), the reactor pressure dropped, causing more steam to flash. When the quench tank filled, its rupture disk (RD-6) burst, and steam and PRW were released into the containment building. (Remedy: The quench tank should have had high-pressure and level alarms in addition to an inlet flow detector.)
8) The worst design error was that the pressurizer (PR) level indication (LI-8) was based on volume, not mass. As steam pockets formed near the core, the PRW volume in the reactor increased, which in turn pushed more water into the pressurizer. Therefore, LT-8 indicated the level to be high when, in fact, the amount of water in the system was dropping. (Remedy: This "inverse response" must be corrected by measuring the weight of the water column between the bottom of the reactor and the top of the pressurizer with a d/p cell, which would indicate when boiling occurs, because the detected column weight drops.)
9) Yet another reason why this control system failed was that the presence of water covering the core was not measured. (Remedy: Use capacitance or radar level detectors to detect if the core is uncovered and, if it is, automatically start the emergency high-pressure injection pump P4.)
10) Detecting low pressure in the reactor started the emergency core cooling pumps (P4), but the operators trusted the pressurizer level (LI-8) indication, which was getting high, and cut this flow to a minimum. This sped up the melting of the core. (Remedy: Detect the weight of the water column, as described in Step 8 above.)
11) By 4:11 a.m., the quench tank (QT) overfilled, and started to spill water and steam into the containment sump (CS). By 4:13 a.m. the sump overflowed and LS-9 triggered a high-level alarm (HLA-8) and started sump pump P5, which sent the radioactive water into an auxiliary building. This, together with the high-temperature alarm at the pressurizer outlet (TAH-10) plus the high-temperature (TAH-11) and high-pressure alarms (PAH-12) in the containment building, should have triggered a general alarm, but it was ignored, because the operators did not trust any of the alarms. By 4:15 a.m., the quench tank filled, its relief diaphragm ruptured, and radioactive coolant started to leak into the containment building, until at 4:39 a.m., the operators stopped the sump pumps. (Remedy: Increase reliability of safety alarms and thereby operators' trust by using back-up, voting or median selector sensors.)
12) At around 5:30 a.m., the PRW pumps (P1) started to vibrate (probably due to cavitation as the steam bubbles in the water collapsed), and to avoid vibration damage, the operators stopped these pumps (P1). This further reduced core cooling and increased steam formation. By 6:00 a.m., the reactor core overheated, and the zirconium cladding on the uranium fuel rods reacted with the steam to form hydrogen, which further damaged the fuel rods. The operators did not believe the alarms in the containment building. (Remedy: Use redundant alarm switches.)
13) At 6 a.m. a new shift started, but the old shift still did not know what was going on, and therefore was unable to inform them of the plant's status. (Remedy: The status of all equipment and variables should be continuously displayed for the whole plant.)
14) At 6:30 a.m., the new shift realized that PORV-3 was open and, after the loss of 32,000 gallons of radioactive coolant, closed its block valve (HCV5). At 6:45 a.m., the badly located radiation alarm (RAH-13) actuated, and at 6:56 a.m. a site emergency was declared. The operators still did not realize that the low water level in the reactor exposed the core. Finally, at 11 a.m. the addition of coolant into the reactor started. In the afternoon, the pressure in the containment building spiked to 29 PSIG, probably caused by a hydrogen explosion from the zirconium-steam/water reaction. At 8 p.m. the primary pumps (P1) were restarted, and the core temperature began to fall. (Remedy: Better operator training.)
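The remedies in Steps 11 and 12 call for back-up, voting and selector logic across redundant sensors. The sketch below is an added example, not part of the original article: it shows middle-of-three (median) selection with deviation flagging plus 2-out-of-3 alarm voting. The function names, the 80% trip point, the 5% deviation limit and the level readings are all constructed assumptions.

```python
from statistics import median

def median_select(readings, max_dev):
    """Pick the middle value of the healthy transmitters and list suspect ones.

    readings: one value per redundant transmitter, None meaning a dead signal.
    Returns (selected_value, suspect_indices).
    """
    healthy = [r for r in readings if r is not None]
    if len(healthy) < 2:
        # With a single survivor there is nothing to cross-check against.
        raise ValueError("fewer than two healthy transmitters")
    mid = median(healthy)
    suspects = [i for i, r in enumerate(readings)
                if r is None or abs(r - mid) > max_dev]
    return mid, suspects

def vote_2oo3(readings, trip_point):
    """Alarm only when at least two transmitters read above the trip point."""
    return sum(r is not None and r > trip_point for r in readings) >= 2

def evaluate(readings, trip_point=80.0, max_dev=5.0):
    """Combine selection and voting for one scan of three transmitters."""
    value, suspects = median_select(readings, max_dev)
    return {"value": value, "suspects": suspects,
            "alarm": vote_2oo3(readings, trip_point)}

# Constructed level readings in percent of span (not plant data).
SCENARIOS = {
    "stuck_low":   [12.0, 88.0, 90.5],   # one transmitter frozen low, level truly high
    "failed_high": [95.0, 20.1, 19.8],   # one transmitter failed high, level truly low
    "dead_signal": [None, 85.0, 86.0],   # one transmitter lost, two still agree
}

if __name__ == "__main__":
    for name, readings in SCENARIOS.items():
        print(name, evaluate(readings))
```

A single failed transmitter neither masks a real high level nor raises a spurious alarm, and it is reported as suspect for maintenance, which is what keeps operators able to trust the alarm when it does sound.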
Conclusion: To properly control a process, it must be fully understood. Also, in nuclear environments, instrumentation reliability must be guaranteed by multiple sensors and must be designed to withstand severe accidents. The controls must be designed by competent process control professionals, operators must be well-trained and hydrogen recombiners should be provided in the containment building. Last, but not least, Murphy's Law must always be honored.
Nuclear power for electricity generation will grow in the next two decades, all the more reason to make sure nuclear power plants operate safely and effectively.
Estimate of the Role of Nuclear Power in Total US Electricity Generation and Production from Now to 2030