Sabotage may have started Three Mile Island accident 1

50 Comments

  1. Excellent specutlative expose! It happened way too close to “that movie”!

    But you know, the ironic possible silver lining here is, just like the superquake that took out Fukushima with zero casualties, that a nuke plant could also withstand sabotage resulting in zero injuries, is a big plus in my book. Would a LNG and Oil facility be so resilient and forgiving to the immediate neighborhood?

    James Greenidge
    Queens NY

  2. Unrelated irony of the Bhopal accident: “a disgruntled operator
    entered the storage area and hooked up one of the readily available rubber water hoses to Tank
    610, with the intention of contaminating and spoiling the tank’s contents. It was well known among
    the plant’s operators that water and MIC should not be mixed. He unscrewed the local pressure
    indicator, which can be easily accomplished by hand, and connected the hose to the tank.”
    http://www.bhopal.com/~/media/Files/Bhopal/casestdy.pdf

  3. Rod’s statement:

    “There was, at the time, no organized system of sharing operational experience.”

    Well I have a newsflash for you all. The Crystal River upgrade that was to take place a while ago has been done by dozens of other operators. All of them called for external help and consulting expertise.

    But Crystal River’s owner wanted to go on the cheap and do the tasks with internal staff that had no experience in that sort of upgrade.

    Well, they scrapped their reactor. Who is accountable ?

  4. Rod,
    Great analysis. It could be true that there was sabotage.
    As a former Engineer Officer, as you were, and Startup Engineer, then Systems Engineer, and having been involved in a few events, and studied many more, there is a “red flag” in the event for me.
    The red flag is the PORV and its indication. As I remember the report, the indication lights for the PORV, “Open” or “Closed” really only showed “Power on” or “Power Off”. This was a common design at the time. It is OK when there is a way for the Operators to verify whether the valve is really open or closed. At TMI the PORV had to discharge someplace. I’v never heard of a tank the valve discharged to, but since it was supposed to open there must have been a tank or sump level indicator. The PORV open procedure should have said to check the tank/sump. This was known, as people later knew what to do.
    The whole event has the markings of inexperienced and not perfectly trained Operators, PLUS the big contributor, the time of day. Many of these events happen on the midnight shift-Chernobyl did.
    Another contributor was the rush to get the plant on line. The TMI report said there was no indication that there was any pressure to “get commercial”, but having been involved in startups, I bet there was. When one day can make a difference of tens of millions of dollars, there is bound to be something said.
    The other training issue was the fear of operating “solid” that led the Operators to turn off the high pressure injection. Having done solid operation at the SIW prototype, what it means is solid with the reactor at power. Then, a slight temperature change will cause a large pressure change. Solid with the reactor shut down can be handled.
    Could be sabotage combined with error and early morning.

  5. Are original transcripts of the operator interviews available anywhere? Those would make interesting reading.

    As you say, someone hooked up the air hose wrong, and left the Emergency FW valves mispositioned. Didn’t they take shiftly log readings on their indicated position? Why not?

    Whether it was sabotage (with some unspecified motive), or just plain old incompetence and sloppy operational practices, these commissions should have gotten to the bottom of it. Perhaps they didn’t pursue it as doggedly as they might have because they concluded that the delay of FW never really affected the PORV lifting and the shutoff of Safety Injection which led to the core damage.

    A quibble, but where I come from (W PWRs), instrument air is not Safety Related, but Auxillary/Emergency FW is.

    1. @Atomikrabbit

      The National Archives supposedly has the entire history. One source I’ve been reading describes about 300 shelf feet of material about the accident. The NRC emergency operations center had a 24 channel tape recorder running that captured every conversation to that site.

    2. AR, original transcripts are available, every footnoted passage in the Rogovin Report leads to the person’s deposition transcript who made the comment. I have several attributed to me. Sometimes I can’t connect it to anything (forgot?). But NRC ADAMS is only digitized back to ’80, everything else in archives is microfiche, you have to hire a service to copy it for you to get it, $0.65/page; no thanks. More interesting depositions are probably in the archives of the 2 NYC law firms for the GPU vs B&W law suit, good luck getting those! mjd.

    3. Atomikrabbit,

      The W plant I am most familiar with does have a safety-related portion of their compressed air system (Auxiliary Control Air Subsystem, aka ACAS), but its compressors and dryers operate in standby mode, and the non-safety related feedwater reg valves are not supplied by ACAS.

  6. If I recall correctly, the Instrument Air System was connected to the high pressure water system to clear a clogged resin bed used to control secondary water chemistry.

    The tank that the PORV would have discharged to would have been the Quench Tank. I think Quench Tank level indications were disregarded since the PORV discharge temperatures were lower than what was (incorrectly) expected for PORV discharge.

    I am skeptical of the sabotage hypothesis. I remember William Engdahl in his book “A Century of War” but I don’t remember him offering a reference. In those days, the control rooms were designed for engineers not operators. Fortunately, many are now backfitted with SCADA systems that can mitigate poor human interface design (though they bring their own problems). For example, the real estate on the control panels in older plants are crowded with switches, indicators etc. It’s not surprising that a maintenance tags would block an indication. Even if it was carefully placed initially, it could have been moved by subsequent operation activity.

    I don’t know how the TMI station was organized at the time but today, the many activities that lead to the accident and the subsequent confusion would not have fallen on a single individual or even department. It sounds like the Chemistry, Mechanical Maintenance, Instrumentation and Control and Operations would have had to have been involved. Of course, things were much less formal in those days. If I were looking for funny business, I would start with the organization chart.

    1. @FermiAged

      There are other installments on the way, but please read this one a little more carefully. My suspicion is not about the actions taken by the operators; it is simply about the events that initiated the accident.

      There is no doubt that accident exposed a whole lot of weak areas in the industry, in the regulatory bodies and in the preparation of the emergency management organizations.

    2. FermiAged,

      Why wouldn’t service air have been used to clear the clogged resin bed rather than instrument air?

      Were service air and instrument air entirely the same system at TMI?

      I know that service and control air (same thing as instrument air, needing to be dried and filtered to a much higher purity than “mere” service air) are separate subsystems at the Westinghouse plant I am most familiar with (as my current project is associated with those very subsystems).

      I suppose without any intermediate check valves, having a service air hose connected to the higher pressure water system could eventually get to the instrument air portion if the service and instrument air were connected.

      Your comment caused me to think that clearing out a clogged resin bed sounds to me to be more of a service air task than an instrument/control air task, unless the resin bed needed to the extra cleanliness of instrument air.

      1. @Joel Riddle

        You can find some of the answers to your question at http://insidetmi.com/narrative.html page 1. (I’ve had several people tell me that this site provides the most complete and understandable description of the actual events, though its interpretations of the impact of those events is not the same as mine.)

        1. I have to say, if I had a simulator scenario where the initial conditions had the Emergency FW discharge valves closed, and none of the crew noticed it – there would be a serious discussion about pulling their quals.

          Similarly, if I had been Ops Sup and walked into that TMI control room and found that none of the crew knew those valves were closed (assuming remote indication and no auto-open signal), I would have relieved that crew as soon as I could have gotten their replacements in.

          Yes, they were “set up” by poor training, some bad design features, and apparently some incompetent actions by their field crew. But their control room watchstanding was also totally unacceptable.

  7. I don’t really buy the sabotage scenario. I, of course, totally agree with you that having the emergency feedwater supply may well have mitigated the event, but having been in the industry for 35 years a misposiitoning event such as described is not that unusual. As you noted this had occurred at Davis-Besse.

    That the operators testified that they opened the valves is certainly understandable and I’m sure that they were being truthful. I also believe that they thought they had opened them and actually did not. Most mispositioning events happen this way. Few if any people try to do the wrong thing. That the valves had been closed for maintenance two days earlier adds credence to this.

    Another point that needs to be made is that at the time of the TMI accident training for operators and any other personnel on site was extremely limited to nonexistent. When I left the Navy in 75′ and started work at a plant as an Auxiliary Operator there was actually no training program for us. We didn’t even have access to flow diagrams much less P&IDs. So when you did something you figured it out or someone would just show you what to do. Operation was not that much different than at a coal or oil steam plant.

    Industry today is totally different thanks to the changes that came about from TMI.

    1. @Jim Rogers

      The emergency feed water issue at Davis-Besse was not caused by shut valves, but by an electrical problem associated with the pump. Though the effect on operations is similar, there is a difference in cause analysis between an electrical fault and two shut valves.

      1. You’re correct, of course, about the difference in the failure of EFW. My main thrust was to indicate that it is a stretch to attribute the TMI event to sabotage since the initiating event was likely caused by lack of knowledge and/or control which was not uncommon at that time.

        I don’t know but I wouldn’t be surprised that the hose connections were the typical chicago type couplings which were common. Inadvertently connecting a hose from a water system to an air system could clearly occur especially given the lack of training and knowledge base of maintenance and some operations personnel.

        I’m sure that the mispositioning of valves was not an uncommon occurrence at the time. Unfortunately, mispositioning of these specific valves created a condition which exacerbated the event.

        1. @Jim Rogers

          Humans make mistakes, but they also purposely harm each other and damage physical property. While most nukes were studying for their EIT as undergrads, I was learning about “man’s inhumanity to man.”

          In graduate school, I learned about system design and about ways to ensure reliability by designing systems that would keep working as long as A or B or C or D was true. Part of that same course was learning that if the only way to fail was for A AND B AND C AND D to occur, you could make the probability of failure very low, especially if ABC and D needed to happen in a specific sequence or with a specific temporal relationship.

    2. “As you noted this had occurred at Davis-Besse”

      Isn’t something always happening at Davis-Besse?

  8. As I have said before.
    Other coincidences:

    Date/Time of initial criticality of TMI-II – March 28, 1978 @ 04:00:00.000 (I am the person that picked that time, gave it to the SRO who wrote it in the log.)
    Date/time of accident (From plant computer) March 28, 1979 @ 04:00:00.037 (Note: the plant computer has a 3 millisecond cycle time to scan all points)

    The Main, front page story in the Paxton Herald paper (A free paper that was mostly adds and a classified listing that you picked up to find/sell stuff but VERY anti-nuclear) that week and released before the accident, was about the major accident that was going to happen at TMI in the very near future. They went on to make parallels of the accident at TMI with the “China Syndrome” film.

    1. @Rich Lentz

      Thanks for the illuminating information. You don’t, by any remote possibility, have a copy of that issue of the Paxton Herald laying around do you?

    2. Rich,
      Is that 1979 time when the sequence of events leading to the accident was initiated?

  9. The anti-nukes are always saying that each plant is an accident waiting to happen. The China Syndrome had dialog in it saying that a nuclear accident could render inhabitable an area the “size of Pennsylvania.” I think this was taken from a 1957 analysis done at Brookhaven and long known to be wrong.

    I remember seeing the China Syndrome a week or two before the accident while on spring break during my junior year as a Nuclear Engineering major.

    1. @FermiAged

      There are some additional bits of foreshadowing in that film. The Warning is also full of useful tidbits and linkages that mean a lot more today than they did 32 years ago when the book was published. More to follow.

      1. Protestors were there BEFORE the accident. Don’t remember when they initially showed up. We tried to ignore them.

        1. @Rich Lentz

          The protests against nuclear in the US started in earnest about 1970. By 1979, the movement was so well established that it earned a starring role in a blockbuster movie produced by two of Hollywood’s second generation stars and includes several other big name performers.

  10. Not to nit pick but I believe the PORV at TMI II was a pilot operated valve not a power operated valve. I am not sure the difference but have seen power operated relief valve when referred to Westinghouse nsss’s and pilot operated relief valve when referred to B&W nsss’s.

    I have wondered what mitigating effect the 12 valve being open could have had. I always found the reports conclusion that it was inconsequential to be lacking. I believe that they had common issues with the resin beds and feed water system at TMI II. I have read that using compressed air to blow out the resin beds was a common task there at that time. I wonder why this time they used the instrument air? Did they use it for this purpose before?

    Also of interest is the difference in AE from unit one to unit two. Unit one has been one of the best operating plants in the country same nsss but different AE and different control room layout etc…

    1. Above post should say 12 valveS not valve.. There were two I believe they were labeled AFW-12-A and AFW-12-B

  11. Rod, the first two links in your third paragraph both point to the same site (Course EH183). Anyhow, thanks for making this available and informing us of the PHD Online courses.

      1. I’m trying to build some suspense here.

        Rod – We’re going to have to start calling you “Hercule Adams” (stress on the second syllable, final s silent).

        1. @Brian Mays

          So, you think my last name should be pronounced so that it sounds like Atom? Interestingly enough, if you ever see me driving around our shared home town, you will notice that my license plate now reads RATOMS.

          1. So, you think my last name should be pronounced so that it sounds like Atom?

            Or Atomes, the French word for “atoms.” 😉

            I was just hoping that someone here was an Agatha Christie fan. After all, her name and her characters are synonymous with mystery, suspense, and investigation.

      2. Thank you, Rod. This is interesting and I have shared it on Facebook so that my nuclear friends and co-workers who do not frequent blog sites may perhaps give insight too.

  12. Imagine a large steel pressure cooker sitting on a heating element on a electric stove on low heat, solidly filled with water at 250 deg.f. Call it the reactor vessel.

    Next to it on another heating element is a small pressure cooker half filled with water at 300 deg. f, Call it the pressurizer. Imagine that the two are connected by a small tube at their bases.

    Now imagine that the temperature in the pressurizer begins dropping, and after some time water level in the pressurizer begins to rise. You see that the heating element under the pressurizer is red hot, adding heat to the pressurizer, yet temperature continues to drop, (operators measured current flow in the pressurizer heating elements, they would quickly have burned out if uncovered).

    The only possible explanation for this behavior is a leak near the top of the pressurizer venting steam. a leak anywhere else would result in dropping levels in the pressurizer.

    Well trained operators would have immediately recognized this unique signature and responded appropriately.

    Increasing vibration from the main recirc pumps provided an independent indication of steam bubbles in the system. Either indication should have caused the operators to initiate at least a small High Pressure Injection flow. The sluggish pressure response to that would provide confirmation of the large void, confirming the need for a large HPI flow.

    If someone wanted to cause a minor disruption of the plant, this would be one way, but there are more probable ways to cause serious damage.

    Sabotage or not, the most important lesson of TMI is that the training/instrumentation package in effect that morning was not adequate to keep the operators mental image of the plant conditions accurate.

    I believe that full meltdown should be a design basis accident. The level of effort to prevent a meltdown would be an economic rather than human safety analysis. By adding a core catcher, containment vent filter and passive hydrogen recombiners (for designs with zirconium cladding) the quantity of safety grade equipment required to be designed, manufactured, installed and maintained can be dramatically reduced (in a rational world).

    Reactors designed to this standard could be cheaper to build, faster to build, safer, and produce cheaper kwhs than Gen III reactors.

  13. Sabotage with malice, or just a 4 am brain fart ?

    Accidents are often caused by somebody doing something nobody would dream of doing. Afterwards, the perpetrator cannot think why he did it.

    Power stations should be designed to be proof against sabotage, but this is obviously difficult.

    1. @Don Cox

      Who are you asking? The word “sabotage” means a purposeful action with the intend to cause a problem. The “Three Mile Island accident” is the full name of the event in the public mind. I used that term to distinguish from the Three Mile Island reactor plant that continues operating well to this day.

  14. Well, I’m asking you whether you are sure this was deliberate sabotage, bearing in mind that people do some very strange things at times, especially in the middle of the night. Such as driving along a motorway in the wrong direction (which is usually fatal).

    I do wonder whether the Chernobyl accident was sabotage. But how would you prove it?

    In any case, if sabotage is possible, then sooner or later, given enough nuclear power stations, somebody will attempt it.

  15. I have seen Instrument Air systems with serious water problems.
    Not due to sabotage.

    It is NOT necessary to cross tie these systems with a water system to have substantial quantities of water accumulate in an air header.

    That could happen. Resin transfer systems are a potential air / fluid interface – the TMI accident initiated by unintended closure of the Condensate Polisher valves. Condensate Polishers have air / water slurry resin transfer systems.

    Even without such problems. its not uncommon for air systems to be challenged with water intrusion.
    In the 1980s, a large commercial reactor plant in the Midwest had similar issues.
    The Service / Instrument Air Compressors would take in more humidity than the dryers could handle. The consition came to light when tagouts were issued for air operated valves located in lower elevations of the plant. Typically the instrument air valves were closed and the petcock on the bottom of the regulator was opened to vent pressure of the particular valve. A steady stream of water meant the air header was wet.. Operators would then crack open petcock drains on all regulators in the lower elevation and let them bleed for a few hours.

    In the 1990s, many plants upgraded their dryers. Some due to corrosion issues in air piping, others due to waterlogged systems – I had related to the TMI report.

    1. @Rob Brixey

      In the situations that you know about, was there enough water in the air system to cause several air-operated valves to slam shut at exactly a one year anniversary – to the minute?

      By the way, I have a little bit of experience with air systems, compressors and air dryers. They are all kind of important to safe operations of a submarine.

      1. It might have also been someone’s birthday. In my experience 0400 to 0500, most bad stuff that’s going to happen – happens.

        If timing is a factor – TMI happened in the Spring. There’s plenty of humid air to be had. New plants also have steam leaks adding to the moisture inventory of compressor intake.

        Water hammer is well capable of overcoming AOV solenoids and repositioning valve actuators. The simultaneous valve repositioning supports the theory of a water hammer in a pneumatic line triggering the transient.

        What floored me the most about TMI (I was on USS LONG BEACH at the time) was that post trip, operators were not monitoring RCS subcooling. Failing to watch Reactor Pressure in a transient – no matter the status of injection or reliefs – was foreign to my culture.

        Power Pressure Temperature Level

        If a Reactor Operator didn’t always know and control those parameters – there would be hell to pay.

        1. Bob, I was on the Long Beach at the time of TMI. I worked in 2 Engine Room. At least 40 guys off the Long Beach ended up at San Onofre, some of whom you would know.

  16. We have got to talk. I’ve researched the sabotage theory and evidence since1984. You’d be amazed at my evidence file.
    Scott

  17. The individual who connected the air system at the Full Flow Condensate Polishing Deminearlizers, was one of my training instructors at San Onofre. It has always been my understanding, as well as the training we received on the Full Flow system, that instrument air and service air were one system at TMI. We were told that one of the TMI ‘back fits’ was to separate these two air systems. This individual connected the air system to blow out a resin blockage at the Full Flow and the check valves in the air system failed allowing the higher pressure water to enter the air system. As I recall, there was a motor operated bypass valve which was supposed to open on high dp. When the air operated valves drifted closed, causing hi dp, the motor operated valve failed to open. There were two other operators at San Onofre who were also at TMI. Neither of these folks ever suggested there was any sabotage involved, at least not to me. One of these guys was a CRS at TMI and the other either an RO or CRS, he also became an instructor.
    I feel confident there was no sabotage at the Full Flow but have always wondered how the AFW valves were shut. Deliberate misalignment? I don’t know.

    1. @david davison

      You wrote:

      As I recall, there was a motor operated bypass valve which was supposed to open on high dp.

      Others can correct me if I am wrong, but all of the reports I have read indicate that the bypass valve did not operate automatically on any signal. It had to be positioned by an operator.

      1. You may be correct–just relying on old memory and at San Onofre, we had auto valves, air operated. If it is indeed manually operated, it failed to open when given a signal. As I recall, it had been slated for maintenance but the maintenance was delayed, or any event, not performed yet.

Comments are closed.

Recent Comments from our Readers

  1. Avatar
  2. Avatar
  3. Avatar
  4. Avatar
  5. Avatar

Similar Posts