Voices: Liptak
What Caused the Three Mile Island Accident?
Liptak Describes the Sequence of Events and the Primitive Controls That Led to the Three Mile Island Accident
ControlGlobal.com
This article was printed in CONTROL's May 2009 edition.
By Béla Lipták, PE, Columnist
This is the fourth part in a series of six articles describing how process control could have prevented past nuclear accidents and could improve the safety of the nuclear power industry. In this article, I will describe the sequence of events and the primitive controls that led to the Three Mile Island accident and how proper design could have prevented it. The bottom line is that one can only control a process if one understands it, and that throwing money at it is no solution.
At 4 a.m. on March 28, 1979, Unit 2 of the 900-MW reactor at the TMI-2 plant at Three Mile Island in Pennsylvania experienced a partial core meltdown. Between 13 and 43 million curies of radioactive krypton gases were released, half the core melted, and 90% of the fuel rod cladding was destroyed. The maximum offsite radiation reached 83 millirem, but the radiation dose received by the community was small.
Figure 1 shows the main components of the plant and the instrumentation that had a role in the accident (other instrumentation has been eliminated from the drawing). This simple process consisted of three heat transfer loops, located from the left to the right in the figure. The first or “primary” loop transfers the heat generated by nuclear fission into the high-pressure reactor cooling water (PWR). The heat from this closed circuit is transferred into the “secondary” feed water loop that takes it into the steam boiler. The steam is used to generate electricity in the turbine generator, while the waste heat from the condenser is sent to the cooling tower.
Figure 1
Here, I will describe each “domino” in the sequence of events that led to this accident and contributed to the public distrust of nuclear energy. After each event, I will note in parentheses how properly designed process control systems and better operator training could have prevented the accident.
1) Operators working on an upstream demineraliser at 4 a.m. unintentionally caused one or more of the three HCV-1 valves to go to “fail-closed” by accidentally admitting water into the instrument air system. The valves were badly designed because all valves on cooling applications should fail closed. In addition, the operators did not realize that the valve(s) had closed. (Remedy: Select valve failure position correctly, and do not allow water or anything but air into the instrument air system. Add an electric motor-actuated parallel backup valve and provide limit switches on all valves with status displays and alarms in the control room.)
2) This caused the main feed water pumps (P2) to stop. (Remedy: Provide bypass valve(s) around HCV-1 and automatically open them if HCV-1 should be open and it is not. On all automatic valves in the plant, provide limit switches that trigger alarms if the valve doesn’t take the automatically requested position.)
3) Because the secondary feed water was stopped, the heat from the primary reactor coolant water (PRW, circulated by P1) was no longer being removed. This caused the temperature to rise and the reactor to scram (control rods inserted to cease fission). (Remedy: Alarm and automatically open HCV2, start the auxiliary feed water pump(s) P3, and actuate high-temperature alarm on the PRW inlet.)
4) The reactor that was shut down continued to generate “decay heat,” and the stationary secondary water in the boiler quickly turned into steam. This automatically started the emergency cooling water pump (P3), but that did no good because valve(s) (HCV-2) were also failed closed because of the water in the instrument air supply line. (Remedy: Same as in 1, plus provide safety interlock that automatically starts a backup pump and opens its valve if P3/HCV2 fails to respond.)
5) Next, the PRW temperature and pressure in the reactor started to rise. The high-pressure switch (PSH-3) on the pressurizer tank opened the pilot-operated relief valve (PORV-3), which started to relieve the PRW water into the quench tank (QT). When the pressure dropped and PSH-3 signaled PORV-3 to close, it remained open. (Remedy: The selection of fail-in-last position valve was wrong, so use designers who know how to select valve failure positions. Also automate the block valve HCV5 with an electric motor and close it if PSH-3 signals PORV-3 to close and it does not.)
6) The operators did not know that PORV-3 was stuck open because the status light (L-4) was hidden from their view and because it was not operated by a limit switch on the valve, but only by the PSH-3 signal to the valve actuator solenoid. (Remedy: Place limit switch on PORV-3, and alarm if the valve status conflicts with the signal from PSH-3).
7) As a consequence of the discharging steam to the quench tank (QT), the reactor pressure dropped, causing more steam to flash. When the quench tank filled, its rupture disk (RD-6) burst, and steam and PRW were released into the containment building. (Remedy: The quench tank should have had high-pressure and level alarms in addition to an inlet flow detector.)
8) The worst design error was that the pressurizer (PR) level indication (LI-8) was based on volume, not mass. Therefore, as steam pockets formed near the core, the PRW volume in the reactor increased, which in turn pushed more water into the pressurizer. Therefore, LT-8 indicated the level to be high when, in fact, the amount of water in the system was dropping. (Remedy: This “inverse response” must be corrected by measuring the weight of the water column between the bottom of the reactor and the top of the pressurizer by a d/p cell, which would indicate when boiling occurs, because the detected column weight drops).
9) Yet another reason why this control system failed was that the presence of water covering the core was not measured. (Remedy: Use capacitance or radar level detectors to detect if the core is uncovered and if it is, automatically start the emergency high-pressure injection pump P4.)
10) Detecting low pressure in the reactor started the emergency core cooling pumps (P4), but the operators trusted the pressurizer level (LI-8) indication, which was getting high, and cut this flow to a minimum. This sped up the melting of the core. (Remedy: Detect the weight of the water column, described in Step 8 above).
11) By 4:11 a.m., the quench tank (QT) overfilled, and started to spill water and steam into the containment sump (CS). By 4:13 a.m. the sump overflowed and LS-9 triggered a high-level alarm (HLA-8) and started sump pump P5, which sent the radioactive water into an auxiliary building. This, together with the high-temperature alarm at the pressurizer outlet (TAH-10) plus the high-temperature (TAH-11) and high-pressure alarms (PAH-12) in the containment building, should have triggered a general alarm, but it was ignored, because the operators did not trust any of the alarms. By 4:15 a.m., the quench tank filled, its relief diaphragm ruptured, and radioactive coolant started to leak into the containment building, until at 4:39 a.m., the operators stopped the sump pumps. (Remedy: Increase reliability of safety alarms and thereby operators’ trust by using back-up, voting or medium selector sensors.)
12) At around 5:30 a.m., the PRW pumps (P1) started to vibrate―probably due to cavitation as the steam bubbles in the water collapsed―and to avoid vibration damage, the operators stopped these pumps (P1). This further reduced core cooling and increased steam formation. By 6:00 a.m., the reactor core overheated, and the zirconium cladding on the uranium fuel rods reacted with the steam to form hydrogen, which further damaged the fuel rods. The operators did not believe the alarms in the containment building. (Remedy: Use redundant alarm switches.)
13) At 6 a.m. a new shift started, but the old shift still did not know what was going on, and therefore was unable to inform them of the plant’s status. (Remedy: The status of all equipment and variables should be continuously displayed for the whole plant.)
14) At 6:30 a.m., the new shift realized that PORV-3 was open and (after the loss of 32,000 gallons of radioactive coolant) closed its block valve (HCV5). At 6:45 a.m., the badly located radiation alarm (RAH-13) actuated, and at 6:56 a.m. a site emergency was declared. The operators still did not realize that the low water level in the reactor exposed the core. Finally, at 11 a.m. the addition of coolant into the reactor started. In the afternoon, the pressure in the containment building spiked to 29 PSIG, probably caused by a hydrogen explosion from the zirconium-steam/water reaction. At 8 p.m. the primary pumps (P1) were restarted, and the core temperature began to fall. (Remedy: Better operator training.)
Conclusion: To properly control a process, it must be fully understood. Also, in nuclear environments, instrumentation reliability must be guaranteed by multiple sensors and must be designed to withstand severe accidents. The controls must be designed by competent process control professionals, operators must be well-trained and hydrogen recombiners should be provided in the containment building. Last, but not least, Murphy’s Law must always be honored.
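The limit-switch cross-check from remedies 5 and 6 and the redundant-sensor selection from remedy 11 can be sketched in a few lines. This is an added example, not code from the article or from any plant system; the travel time, deviation tolerance and data layout are assumptions chosen for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from statistics import median
from typing import Optional

# Assumed values for illustration only; real limits come from the valve and sensor specs.
TRAVEL_TIME_S = 5.0   # stroke time allowed before feedback must agree with the command
MAX_SPREAD = 2.0      # allowed deviation from the median, in sensor units


@dataclass
class ValveState:
    tag: str
    commanded_open: bool      # what the logic (e.g. PSH-3) asked for
    limit_switch_open: bool   # what the limit switch on the valve itself reports
    since_command_s: float    # seconds since the command last changed


def check_valve(v: ValveState) -> Optional[str]:
    """Return an alarm string when position feedback contradicts the command."""
    if v.since_command_s < TRAVEL_TIME_S:
        return None                       # valve may still be stroking
    if v.commanded_open == v.limit_switch_open:
        return None
    actual = "OPEN" if v.limit_switch_open else "CLOSED"
    wanted = "OPEN" if v.commanded_open else "CLOSED"
    return f"{v.tag} DISCREPANCY: commanded {wanted}, limit switch reads {actual}"


def porv_interlock(porv: ValveState) -> dict:
    """Remedy 5: if PORV-3 is told to close and does not, close block valve HCV5."""
    alarm = check_valve(porv)
    stuck_open = alarm is not None and porv.limit_switch_open
    return {"alarm": alarm, "close_HCV5": stuck_open}


def median_select(readings: list[Optional[float]]) -> tuple[float, list[int]]:
    """Remedy 11: use the median of the redundant sensors and flag outliers.

    None marks a failed transmitter. Returns (value, indexes of suspect sensors).
    """
    live = [(i, r) for i, r in enumerate(readings) if r is not None]
    if len(live) < 2:
        raise ValueError("fewer than two live sensors: no trustworthy value")
    value = median(r for _, r in live)
    suspects = [i for i, r in enumerate(readings)
                if r is None or abs(r - value) > MAX_SPREAD]
    return value, suspects
```

The status light L-4 in step 6 corresponds to displaying `commanded_open` alone; the check above alarms only because it compares that command against an independent measurement taken at the valve.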
Nuclear power for electricity generation will grow in the next two decades, all the more reason to make sure nuclear power plants operate safely and effectively.
Estimate of the Role of Nuclear Power in Total US Electricity Generation and Production from Now to 2030