This is a difficult story to tell; it’s not easy to revise history. It’s even harder to it successfully when there is sure to be disbelief, dismissal, and efforts to discredit. I prefer being respected and strive to avoid the potential of being marginalized as a crackpot. However, I feel a strong inner push to share what I have learned so far. It would be okay to have someone disprove my postulated sequence of events. It’s quite possible that sharing my version will encourage others to add puzzle pieces that make the story even more complete.
Aside: To keep the story acceptably short, it assumes that the reader has a basic understanding of the layout, machinery design, and operations of a B&W Pressurized Water Reactor. If you do not have that background, you might want to start by reading through this introductory course provided on PDH Online, whose tagline is “Your Gateway to Lifelong Learning.” End Aside.
Most accounts of the TMI accident focus on the actions that plant operators took after the initial transient. My contention is that transient shouldn’t have taken place at 4:00 am on March 28, 1979 and probably did not happen by random chance. There is likely to have been at least one active instigator.
The accident at TMI started with a bang when most of the air operated valves in the feed system suddenly shut, stopping the flow of water into both steam generators. The control room operators felt the cascade of shutting vales when the floor of the control room shuddered. Almost simultaneously, numerous alarms started going off, accompanied by an annoying horn and flashing lights spread across several large display panels.
Coincidentally, a more sentimental control room crew might have already been making a little noise of its own at that time; TMI unit 2 started operating at 4:00 am on March 28, 1978.
In the machinery area of the plant, the noise was a thunderous water hammer as rapidly flowing water was stopped by suddenly shut valves, causing large pipes and pumps to shake their restraints, and, in some cases, actually break free. People who have lived in places with steam heat or old pipes may know what water hammer sounds like when valves are suddenly open or shut; imagine how it must sound when the affected pipes are two to four feet in diameter and the pumps are twenty or thirty feet tall.
It’s important to understand that the feed water valves did not shut by magic. The reason the feed water valves slammed shut was that the instrument air system holding them open had been contaminated with water. The water entered the instrument air system because that system had been improperly connected with a temporary hose to a higher pressure water system.
Temporary hoses do not connect themselves between fittings; someone installed the hose without making sure that higher pressure water would not flow into the lower pressure air.
As soon as feed water stopped flowing into the steam generators, a signal was sent by the control system to stop the steam flow into the turbine. That turbine trip initiated another set of alarms, tripped the electrical generator output and required the operators to enter into another casualty procedure. Even with the reduction in water flowing into the steam generator, its pressure immediately increased due to the increasing temperature as steam stopped flowing to the turbine.
The turbine trip halted heat removal from the primary plant, caused an immediate pressure surge and caused the power operated relief valve (PORV) to open. This was an expected condition for a turbine trip,
The rising steam generator pressure caused the steam dump valve to open, starting a flow of steam directly to the condenser and creating another source of distracting noise and indications. With no water flowing in and steam being dumped, the steam generators rapidly emptied.
As the steam generator water levels dropped, there was less and less heat being removed from the primary system. With the loss of the normal heat sink, the primary system average temperature continued to rise, water surged into the pressurizer, primary system pressure increased. The open PORV helped to limit the magnitude of the pressure increase.
This was a widely known response to a loss of feed for a B&W 177 design reactor. According to logs recorded during the event, cold leg and hot leg temperatures equalized at 575 F at 4:01, meaning average coolant temperature had increased to the normal hot let temperature. By 4:02 both steam generators were empty.
The system designers knew that losing feed water was a significant event in a B&W reactor. Unlike Westinghouse or Combustion Engineering pressurized water reactors (PWRs), which use the classic U-tube design familiar to tens of thousands of PWR operators, B&W reactors use a patented Once Through Steam Generator (OTSG) that provides several important operating, fabrication and maintenance advantages. The OTSG advantages are somewhat offset by an increased vulnerability to a loss of feedwater. OTSGs have a much smaller secondary water inventory than U-tube steam generators, leading to a more dramatic effect if feed water inlet flow stops.
To mitigate the negative effects of the smaller steam generator water inventory and to maintain the steam generators as a heat removal path, B&W reactor plant designers specified a robust — but not officially “safety-related” — emergency feed water (EFW) system. Since B&W did not design or build steam plants, the specific supplier for each individual plant was free to devise a slightly different solution.
In the case of TMI unit 2, the EFW system included three redundant pumps. The system design also included pump discharge valves (EFW-12A and EFW-12B) to help isolate the pumps for maintenance or testing. Those valves were normally open during plant operation. Their position was important enough to be instrumented for display in the control room.
In another improbable coincidence, those two, normally open, isolation valves for the emergency feed water system were already shut at the time that the feed water system flow stopped. For the first eight minutes of the TMI accident, control room operators assumed that emergency feed was flowing because the pumps were running, but the closed EFW-12A and EFW-12B prevented any water from getting to the steam generators.
At 04:08, eight minutes after the initial loss of feed, an operator recognized that the EFW-12’s were shut. He opened them and restored a flow of cooling water into the steam generators. The heat that should have been removed by eight minutes worth of feedwater flow remained in the primary coolant system. That extra heat increased the temperature of the core materials and added to the rate of boiling in the primary. Those effects reduced the time before the core was uncovered and raised core temperature closer to conditions that would cause melting and cladding oxidation.
The position indication for at least one of the improperly shut valves was obscured in the control room by a maintenance tag on an unrelated switch that coincidentally covered the indicator light.
Valves that are supposed to be open do not reposition themselves. People who put tags on switches in control rooms are generally pretty careful about how they arrange those tags so they do not obscure other indicators. The straightforward, active voice explanation is that someone shut the valves and someone hung the tags incorrectly.
Update (Schematic diagram added Jan 21, 2014) Discovered via a link provided by a protected source who read first three installments of the series. End Update.
In September 1977, about 18 months before TMI, the B&W nuclear reactor at Davis-Besse, a plant nearly identical to TMI unit 2, experienced a frighteningly similar sequence of events in which a loss of the normal feed supply was accompanied by a faulty emergency feed water system, a rising pressurizer level and a PORV that failed to shut after reducing plant pressure below its setpoint. The Davis-Besse event started at a lower power level and the shift superintendent on duty correctly interpreted his indications in time to prevent any core damage. A number of people understood the ramifications of the event, but the information had not yet made its way to TMI unit 2. There was, at the time, no organized system of sharing operational experience.
At the time of the initial investigations, the possibility of sabotage was considered and officially rejected due to a lack of evidence. However, the historical record and recent interviews with two then-serving NRC commissioners indicated there was no high-level interest in probing to find evidence of malice. Chapter 11 of the Conclusions and Recommendations section of the Rogovin Report – Three Mile Island: A Report to the Commissioners and the Public is titled Sabotage, Bribery, and Coverup. The report’s authors were unable to determine why the emergency feed water valves were shut, and left it as an open issue in their final report.
Like IE [NRC Office of Inspection and Enforcement] and the President’s Commission, we were unable to determine when or how the emergency feedwater block valves-which prevented emergency feedwater from being automatically supplied to the steam generators during the first 8 minutes of the accident-came to be closed. It has been established that these valves were closed during a routine maintenance procedure 2 days before the accident occurred, but the Met Ed personnel involved gave sworn testimony that they recalled reopening the valves after the maintenance was completed, as required by plant and NRC procedures. A checklist that would have recorded whether that was in fact done was routinely thrown away after the maintenance procedure was finished.
The Rogovin Report also proposes and then dismisses a theory that the EFW-12 valves were mistakenly shut after the event started. Rogovin’s team concluded that the loss of emergency feedwater during the first 8 minutes after the initial event had little impact on the overall accident timeline and was not a direct contributor to the eventual core damage. At most, they concluded that the mispositioned valves caused distraction at a time where there was already significant levels of confusion.
The analysis that led to that conclusion may or may not be complete. If the emergency feed system had worked as designed to maintain steam generator water levels, the primary plant would have initially experienced a rapid cool down. The emergency feed system does not go through the same heat exchangers that are designed to preheat normal feed water to improve thermal efficiency, so it is several hundred degrees colder than normal feed water.
Putting eight minutes worth of emergency feed water into the steam generator would have removed a significant amount of heat from the primary coolant system. It would have slowed the rate of boiling, reduced the leakage rate through the PORV and reduced the heat up rate of the core materials.
With the slower heat up rate and slower rate of boiling, it is possible that Brian Hehler could have been the hero who prevented core damage. He arrived for a shift change at 6:00 am, by 06:18 he observed indications that told him that the PORV was leaking, so he shut the stop valve and halted the leak. Post event analysis indicates that action was about 30 minutes too late to prevent the core from being uncovered and experiencing substantial damage.
The only way to determine if this seemingly minor occurrence had a significant impact on the event progression would be to run event simulations with actual plant and equipment capacity numbers through the codes that have been developed and refined in the several decades since the event.
It is quite likely that the major core damage and the permanent loss of the plant were unintended consequences of the event, but it is difficult to accept the idea that so many unexplained, mispositioned pieces of otherwise functional equipment happened because of unrelated accidental actions.
The open, almost impossible to answer, question is who might have made the decision to install the temporary hose on the fitting to the instrument air system, to shut the 12s valves, and to the indication obscuring tags. Did the same person initiate the flow of water into the instrument air system on the anniversary of initial operation; almost to the minute?
There are more installments coming, but this post is already one of the longest ever posted on Atomic Insights.
Note: Readers with deep professional knowledge suggested a few technical detail revisions from the initial version. Those changes, mostly revolving around steam generator water levels, average coolant temperatures, the classification of the instrument air system and the responsibility for the design of steam plant systems were made on Jan 19, 2014. They are not marked because the intent is for the permanent post to be a long lasting piece of finished reference material.
Additional revisions were made on September 10, 2014 after a number of conversations with people who had more detailed knowledge of the event and the engineering design. Again, those changes are not marked.
Updated (Sep 10, 2014 at 5:40 am) This post has been revised to improve the explanation of event sequence and resulting plant response. End update.
Updated (Jan 21, 2014 at 10:40 pm) The pattern is not completely clear, and there are pieces missing from the puzzle, but I have found enough bits of evidence to convince me that it is more likely than not that someone purposely initiated the Three Mile Island (TMI) accident. End update.