This article was printed in CONTROL's May 2009 edition.
By Bela Liptak, PE, Columnist
This is the fourth part in a series of six articles describing how process control could have prevented past nuclear accidents and could improve the safety of the nuclear power industry. In this article, I will describe the sequence of events and the primitive controls that led to the Three Mile Island accident and how proper design could have prevented it. The bottom line is that one can only control a process if one understands it, and that throwing money at it is no solution.
At 4 a.m. on March 28, 1979, Unit 2 (TMI-2) of the Three Mile Island nuclear plant in Pennsylvania, a 900-MW pressurized water reactor, experienced a partial core meltdown. Between 13 and 43 million curies of radioactive noble gases (krypton and xenon) were released, half the core melted, and 90% of the fuel rod cladding was destroyed. The maximum offsite radiation dose reached 83 millirem, but the dose received by the community was small.
Figure 1 shows the main components of the plant and the instrumentation that had a role in the accident (other instrumentation has been left out of the drawing). This simple process consists of three heat transfer loops, shown from left to right in the figure. The first or "primary" loop transfers the heat generated by nuclear fission into the high-pressure primary reactor coolant water (PRW). The heat from this closed circuit is transferred into the "secondary" feed water loop, which carries it to the steam boiler. The steam drives the turbine generator to produce electricity, while the waste heat from the condenser is rejected to the cooling tower.
Here, I will describe each "domino" in the sequence of events that led to this accident and contributed to the public distrust of nuclear energy. After each event, I will note in parentheses how properly designed process control systems and better operator training could have prevented the accident.
Read Bela Liptak's six-part series "Process Controls Prevent Nuclear Disasters" to learn how process controls could have prevented past nuclear accidents and how they could improve the safety of the nuclear power industry. Visit www.controlglobal.com/liptaknuclear.html
1) Operators working on an upstream demineralizer at 4 a.m. accidentally admitted water into the instrument air system, which unintentionally drove one or more of the three HCV-1 valves to their fail-closed position. The failure position was wrong: a valve that admits cooling water should fail open. In addition, the operators did not realize that the valve(s) had closed. (Remedy: Select the valve failure position correctly, and do not allow water or anything but clean, dry air into the instrument air system. Add an electric motor-actuated parallel backup valve, and provide limit switches on all valves with status displays and alarms in the control room.)
2) This caused the main feed water pumps (P2) to stop. (Remedy: Provide bypass valve(s) around HCV-1 and open them automatically if HCV-1 should be open and is not. On all automatic valves in the plant, provide limit switches that trigger alarms if the valve does not take the requested position.)
3) Because the secondary feed water flow had stopped, the heat from the primary reactor coolant water (PRW, circulated by P1) was no longer being removed. This caused the temperature to rise and the reactor to scram (control rods inserted to stop fission). (Remedy: Alarm and automatically open HCV-2, start the auxiliary feed water pump(s) P3, and actuate a high-temperature alarm on the PRW inlet.)
4) The shut-down reactor continued to generate "decay heat," and the stationary secondary water in the boiler quickly turned into steam. This automatically started the emergency cooling water pump (P3), but that did no good because the valve(s) HCV-2 had also failed closed because of the water in the instrument air supply line. (Remedy: Same as in 1, plus provide a safety interlock that automatically starts a backup pump and opens its valve if P3/HCV-2 fails to respond.)
5) Next, the PRW temperature and pressure in the reactor started to rise. The high-pressure switch (PSH-3) on the pressurizer tank opened the pilot-operated relief valve (PORV-3), which started to relieve PRW water into the quench tank (QT). When the pressure dropped and PSH-3 signaled PORV-3 to close, the valve remained open. (Remedy: Selecting a fail-in-last-position valve was wrong, so use designers who know how to select valve failure positions. Also automate the block valve HCV-5 with an electric motor and close it if PSH-3 signals PORV-3 to close and it does not.)
6) The operators did not know that PORV-3 was stuck open because the status light (L-4) was hidden from their view and because it was driven not by a limit switch on the valve but only by the PSH-3 signal to the valve actuator solenoid. In other words, the light showed what the valve had been told to do, not what it was doing. (Remedy: Place a limit switch on PORV-3, and alarm if the measured valve position conflicts with the signal from PSH-3.)
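The remedies in steps 1 through 6 share one mechanism: every automatic valve gets a limit switch, the measured position is compared with the commanded position once the valve's travel time has elapsed, a mismatch raises an alarm, and an interlock takes a backup action (open a bypass, close a block valve). The block below is an added example, not code from Liptak's article or from any plant control system; it models that discrepancy check in Python and runs it over a constructed timeline reproducing dominoes 1 and 5. Tag names HCV-1, HCV-5 and PORV-3 follow Figure 1; the bypass tag HCV-1B, the travel times and the timestamps are assumptions made for the example.

```python
"""Command/position discrepancy monitor for actuated valves.

Added example, not from the original article. Implements the remedy the
article repeats for HCV-1, HCV-2 and PORV-3: compare the limit-switch
position against the commanded position after the travel time, alarm on
a mismatch, and trigger a backup action. Travel times, the bypass tag
HCV-1B and the event timeline are assumed values for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

OPEN, CLOSED = "open", "closed"


@dataclass
class Valve:
    tag: str
    command: str                    # position the controller last asked for
    travel_time: float              # seconds the actuator is allowed (assumed)
    backup: Optional[Callable[[Monitor, float], None]] = None
    position: Optional[str] = None  # reported by limit switches; None = unknown
    command_time: float = 0.0
    alarmed: bool = False


@dataclass
class Monitor:
    valves: Dict[str, Valve] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add(self, valve: Valve) -> None:
        self.valves[valve.tag] = valve

    def command(self, tag: str, state: str, now: float) -> None:
        """A controller (PSH-3, an operator, an interlock) requests a position."""
        v = self.valves[tag]
        v.command, v.command_time, v.alarmed = state, now, False
        self.log.append(f"{now:4.0f}s CMD   {tag} -> {state}")

    def feedback(self, tag: str, position: str, now: float) -> None:
        """A limit switch on the valve stem reports where the valve really is."""
        self.valves[tag].position = position

    def scan(self, now: float) -> None:
        """Run every control cycle: once travel time is up, the measured
        position must equal the command, or an alarm and backup follow.
        The check never looks at the solenoid signal (the L-4 flaw)."""
        for v in self.valves.values():
            if v.alarmed or now - v.command_time < v.travel_time:
                continue
            if v.position != v.command:
                v.alarmed = True
                self.log.append(f"{now:4.0f}s ALARM {v.tag}: commanded {v.command}, "
                                f"limit switch reports {v.position}")
                if v.backup is not None:
                    v.backup(self, now)


def open_hcv1_bypass(m: Monitor, now: float) -> None:
    # Remedy in step 2: motor-operated bypass around HCV-1 (tag HCV-1B assumed).
    m.command("HCV-1B", OPEN, now)


def close_block_valve(m: Monitor, now: float) -> None:
    # Remedy in step 5: motor-operated block valve HCV-5 closes if PORV-3 will not.
    m.command("HCV-5", CLOSED, now)


def run_tmi_scenario() -> List[str]:
    """Constructed timeline reproducing dominoes 1 and 5; returns the event log."""
    m = Monitor()
    m.add(Valve("HCV-1", OPEN, travel_time=5, backup=open_hcv1_bypass, position=OPEN))
    m.add(Valve("HCV-1B", CLOSED, travel_time=5, position=CLOSED))
    m.add(Valve("PORV-3", CLOSED, travel_time=2, backup=close_block_valve, position=CLOSED))
    m.add(Valve("HCV-5", OPEN, travel_time=10, position=OPEN))

    # Domino 1: water in the instrument air drives HCV-1 to its fail-closed
    # position while the controller still wants it open.
    m.feedback("HCV-1", CLOSED, now=100)
    m.scan(now=100)                   # alarm, bypass HCV-1B commanded open
    m.feedback("HCV-1B", OPEN, now=104)
    m.scan(now=106)                   # bypass confirmed open, no further alarm

    # Domino 5: PSH-3 lifts PORV-3, pressure falls, PSH-3 orders it closed,
    # the valve stays open. A light wired to the solenoid would say "closed".
    m.command("PORV-3", OPEN, now=200)
    m.feedback("PORV-3", OPEN, now=201)
    m.scan(now=203)                   # opened as commanded, quiet
    m.command("PORV-3", CLOSED, now=213)
    m.scan(now=214)                   # still inside travel time, quiet
    m.scan(now=216)                   # stuck open: alarm, HCV-5 commanded closed
    m.feedback("HCV-5", CLOSED, now=225)
    m.scan(now=227)                   # HCV-5 confirmed closed
    return m.log


if __name__ == "__main__":
    print("\n".join(run_tmi_scenario()))
```

Two design points are worth noting. The alarm condition is derived only from the limit switch and the command, never from the actuator signal, so a stuck PORV-3 is reported as stuck even though its solenoid was de-energized; and a new command re-arms the check rather than silencing it, so a valve that fails a second time is caught again. The travel-time window is what keeps a healthy valve from alarming while it is still moving, which is why the PORV-3 close command at 213 s is quiet at 214 s and alarms at 216 s.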