Automation Could Have Prevented Fukushima, 2

Béla Lipták, PE, is a CONTROL columnist, automation and safety consultant, former Chief Instrument Engineer of C&R and former Yale professor of process control, who is also the editor of the Instrument Engineer’s Handbook (IEH).

Check out ControlGlobal.com on Google+

"Automation Can Prevent the Next Fukushima," will be published next June.

In the March issue (Automation Could Have Saved Fukushima), I discussed some of the factors that lead to the Fukushima meltdown. Here I focus only on the automatic vs. manual operation of the emergency cooling systems and the roles the bad designs of control and block valves played. The main emergency cooling systems that should have been fully automated were the high-pressure coolant injection (HPCI), the reactor core isolation cooling system (RCIC) and the isolation condenser (IC).

As to the desirable features of valve designs, the following were often neglected:

• All valves should have been provided with position-detecting limit switches.
• All valves on cooling service should have failed open.
• All valves between pressure relief devices and the protected equipment should have been sealed open.
• All valves should have been provided with hand wheels and backup operating power.
• Pressure control valves should have been completely automated and manual operation inhibited.

Also Read: Automation Could Have Prevented Chernobyl

The HPCI System

The HPCI was the first line of defense to take over the feeding of cooling water into the reactor pressure vessel (RPV) if the main cooling water pump failed. It had a pumping capacity of 5000 gpm, but was a bit slow (took some 30 seconds to come on), so there was also a 600 -gpm system, called the RCIC, which operated the same way, but activated faster.

Figure 1: The HPCI system at Fukushima Dai-ichi NPS Unit 1 with motor-operated (MO) valves, hand-operated (HO) valves and air-operated (AO) valves. Courtesy of Tokyo Electric Power Co. (TEPCO)The HPCI was a reliable system because it did not need electricity for its operation, because its pumps were operated by steam turbines, and decay steam was available from the reactor (Figure 1). The HPCI took its water supply from storage tanks and from the wet well, which contained 3000 m3 of water. This amount of water would have been ample to keep the reactors cool. The HPCI pumps were controlled on the reactor level, stopping when the level was high, and starting when low.

Reactor overpressure was to be relieved by pressure safety valves, which were set to relieve at about 75 atmospheres (PSV in Figure 2) and discharged into the wet well, where the steam should have condensed. This system would have operated at Unit 1 if the reactor level was correctly measured and the PSV automatically opened at 75 and closed at 70 atmospheres.

Figure 2: At Unit 1, the PSV was not used to relieve overpressure. The cracking of the primary containment vessel (PCV) could have been prevented if the rupture disk (RD) had ruptured as soon as the pressure in the PCV reached 5.5 atmospheres, but block valves (A and M) could not be opened.In other words, depressurizing the RPV by allowing the PSV to work, while adding sufficient coolant with the HPCI system, would have been essential for avoiding a meltdown. This is proven by the fact that there was no meltdown at Units 2 and 3, where the operators allowed the PSV to do its job.

Unfortunately, the system at Unit 1 was not automatically controlled, and the level measurement was wrong. On top of that, the operators used the isolation condenser (IC) system to control the reactor pressure instead of letting the PSV do it, and did it in on/off manual fashion. This, in combination with the IC, caused depressurizing, resulting in the swelling of the level, causing HPCI to stop, which in turn caused the dropping of the reactor level, so the fuel rods overheated and the meltdown followed.

Also Read: Why Nuclear Needs Process Automation

Isolation Condenser (IC)

IC is a heat exchanger located above a containment pool. This 500 tons of water pool was open to atmosphere (Figure 3). Under normal conditions, the top of the IC condenser was connected to the reactor pressure vessel (RPV) through an open valve, so the condenser filled with condensate, which normally just stayed there. During an emergency, the IC system automatically opened the motor-operated valves at the bottom IC, which sent the condensate back into the reactor by gravity and by condensing the steam and cooling the reactor. This was a good system because, once activated, it required no outside energy source; it worked on gravity.

Figure 3: This IC system would have continued to operate by gravity, but was manually turned off. If the system was automated, IC cooling would have not stopped.At Unit 1 at Fukushima the sequence of events was:

• 2:46 a.m.—Earthquake detected and reactor scrammed.
• 2:52 a.m.—IC automatically started.
• 3:03 a.m.—IC closed manually by an operator (this on/off control approach continued for a day!)
• 3:30­­­­­-3:35 a.m.—Tsunami arrived. IC would have continued to operate, if not turned off.

The reason why the isolation valves (M in Figure 3) were provided was to allow the operators to control the rate of pressure drop in the RPV because excessively fast pressure reduction could have cracked the RPV walls. Naturally, in a properly automated plant, this rate of pressure reduction would have been automatically controlled.

In the next article of this series, I will explain how, even after the meltdown at Unit 1, automatic safety controls could have prevented the explosions and fire that caused the release of radioactivity.