This article was printed in CONTROL's May 2009 edition.
By Bela Liptak, PE, Columnist
This is the fourth part in a series of six articles describing how process control could have prevented past nuclear accidents and could improve the safety of the nuclear power industry. In this article, I will describe the sequence of events and the primitive controls that led to the Three Mile Island accident and how proper design could have prevented it. The bottom line is that one can only control a process if one understands it, and that throwing money at it is no solution.
At 4 a.m. on March 28, 1979, Unit 2 of the 900-MW reactor at the TMI-2 plant at Three Mile Island in Pennsylvania experienced a partial core meltdown. Between 13 and 43 million curies of radioactive krypton gases were released, half the core melted, and 90% of the fuel rod cladding was destroyed. The maximum offsite radiation reached 83 millirem, but the radiation dose received by the community was small.
Figure 1 shows the main components of the plant and the instrumentation that had a role in the accident (other instrumentation has been eliminated from the drawing). This simple process consisted of three heat transfer loops, located from the left to the right in the figure. The first or "primary" loop transfers the heat generated by nuclear fission into the high- pressure reactor cooling water (PWR). The heat from this closed circuit is transferred into the "secondary" feed water loop that takes it into the steam boiler. The steam is used to generate electricity in the turbine generator, while the waste heat from the condenser is sent to the cooling tower.
Here, I will describe each "domino" in the sequence of events that led to this accident and contributed to the public distrust of nuclear energy. After each event, I will note in parenthesis how properly designed process control systems and better operator training could have prevented the accident.
Read Bela Liptak's six part series "Process Controls Prevent Nuclear Disasters," to learn how process controls could have prevented past nuclear accidents and how it could improve the safety of the nuclear power industry. Visit www.controlglobal.com/liptaknuclear.html
1) Operators working on an upstream demineraliser at 4 a.m. unintentionally caused one or more of the three HCV-1 valves to to go to "fail-closed" by accidentally admitting water into the instrument air system. The valves were badly designed because all valves on cooling applications should fail open. In addition, the operators did not realize that the valve(s) had closed. (Remedy: Select valve failure position correctly, and do not allow water or anything but air into the instrument air system. Add an electric motor-actuated parallel backup valve and provide limit switches on all valves with status displays and alarms in the control room.)
2) This caused the main feed water pumps (P2) to stop. (Remedy: Provide bypass valve(s) around HCV-1 and automatically open them if HCV-1 should be open and it is not., On all automatic valves in the plant, provide limit switches that trigger alarms if the valve doesn't take the automatically requested position).
3) Because the secondary feed water was stopped, the heat from the primary reactor coolant water (PRW, circulated by P1) was no longer being removed. This caused the temperature to rise and the reactor to scram (control rods inserted to cease fission). (Remedy: Alarm and automatically open HCV2, start the auxiliary feed water pump(s) P3, and actuate high-temperature alarm on the PRW inlet.
4) The reactor that was shut down continued to generate "decay heat," and the stationary secondary water in the boiler quickly turned into steam. This automatically started the emergency cooling water pump (P3), but that did no good because valve(s) (HCV-2) were also failed closed because of the water in the instrument air supply line. (Remedy: Same as in 1, plus provide safety interlock that automatically starts a backup pump and opens its valve if P3/HCV2 fails to respond.)
5) Next, the PRW temperature and pressure in the reactor started to rise. The high-pressure switch (PSH-3) on the pressurizer tank opened the pilot-operated relief valve (PORV-3), which started to relieve the PRW water into the quench tank (QT). When the pressure dropped and PSH-3 signaled PORV-3 to close, it remained open. (Remedy: The selection of fail-in-last position valve was wrong, so use designers who know how to select valve failure positions. Also automate the block valve HCV5 with an electric motor and close it if PFH-3 signals PORV-3 to close and it does not).
6) The operators did not know that PORV-3 was stuck open because the status light (L-4) was hidden from their view and because it was not operated by a limit switch on the valve, but only by the PSH-3 signal to the valve actuator solenoid. (Remedy: Place limit switch on PORV-3, and alarm if the valve status conflicts with the signal from PSH-3).
7) As a consequence of the discharging steam to the quench tank (QT), the reactor pressure dropped, causing more steam to flash. When the quench tank filled, its rupture disk (RD-6) burst, and steam and PRW were released into the containment building. (Remedy: The quench tank should have had high-pressure and level alarms in addition to an inlet flow detector.)
8) The worst design error was that the pressurizer (PR) level indication (LI-8) was based on volume, not mass. Therefore, as steam pockets formed near the core, the PRW volume in the reactor increased, which in turn pushed more water into the pressurizer. Therefore, LT-8 indicated the level to be high when, in fact, the amount of water in the system was dropping. (Remedy: This "inverse response" must be corrected by measuring the weight of the water column between the bottom of the reactor and the top of the pressurizer by a d/p cell, which would indicate when boiling occurs, because the detected column weight drops).
9) Yet another reason why this control system failed was that the presence of water covering the core was not measured. (Remedy: Use capacitance or radar level detectors to detect if the core is uncovered and if it is, automatically start the emergency high-pressure injection pump P4.)
10) Detecting low pressure in the reactor started the emergency core cooling pumps (P4), but the operators trusted the pressurizer level (LI-8) indication, which was getting high, and cut this flow to a minimum. This sped up the melting of the core. (Remedy: Detect the weight of the water column, described in Step 8 above).
11) By 4:11 a.m., the quench tank (QT) overfilled, and started to spill water and steam into the containment sump (CS). By 4:13 a.m. the sump overflowed and LS-9 triggered a high-level alarm (HLA-8) and started sump pump P5, which sent the radioactive water into an auxiliary building. This, together with the high-temperature alarm at the pressurizer outlet (TAH-10) plus the high-temperature (TAH-11) and high-pressure alarms (PAH-12) in the containment building, should have triggered a general alarm, but it was ignored, because the operators did not trust any of the alarms. By 4:15 a.m., the quench tank filled, its relief diaphragm ruptured, and radioactive coolant started to leak into the containment building, until at 4:39 a.m., the operators stopped the sump pumps. (Remedy: Increase reliability of safety alarms and thereby operators' trust by using back-up, voting or medium selector sensors.)
12) At around 5:30 a.m., the RPW pumps (P1) started to vibrate―probably due to cavitation as the steam bubbles in the water collapsed ―and to avoid vibration damage, the operators stopped these pumps (P1). This further reduced core cooling and increased steam formation. By 6:00 a.m., the reactor core overheated, and the zirconium cladding on the uranium fuel rods reacted with the steam to form hydrogen, which further damaged the fuel rods. The operators did not believe the alarms in the containment building. (Remedy: Use redundant alarm switches.)
13) At 6 a.m. a new shift started, but the old shift still did not know what was going on, and therefore was unable to inform them of the plant's status. (Remedy: The status of all equipment and variables should be continuously displayed for the whole plant.)
14) At 6:30 a.m., the new shift realized that PORV-3 was open and (after the loss of 32,000 gallons of radioactive coolant), closed its block valve (HCV5). At 6:45 a.m.. the badly located radiation alarm (RAH-13) actuated, and at 6:56 a.m. a site emergency was declared. The operators still did not realize that the low water level in the reactor exposed the core. Finally, at 11 a.m. the addition of coolant into the reactor started. In the afternoon, the pressure in the containment building spiked to 29 PSIG, probably caused by a hydrogen explosion from the zirconium-steam/water reaction. At 8 p.m. the primary pumps (P1) were restarted, and the core temperature began to fall. (Remedy: Better operator training).
Conclusion: To properly control a process, it must be fully understood. Also, in nuclear environments, instrumentation reliability must be guaranteed by multiple sensors and must be designed to withstand severe accidents. The controls must be designed by competent process control professionals, operators must be well-trained and hydrogen recombiners should be provided in the containment building. Last, but not least, Murphy's Law must always be honored.
Nuclear power for electricity generation will grow in the next two decades, all the more reason to make sure nuclear power plants operate safely and effectively.
Estimate of the Role of Nuclear Power in Total US Electricity Generation and Production from Now to 2030