Sabotage may have started Three Mile Island accident
This is a difficult story to tell; it’s not easy to revise history. It’s even harder to do it successfully when there is sure to be disbelief, dismissal, and efforts to discredit. I prefer being respected and strive to avoid the potential of being marginalized as a crackpot. However, I feel a strong inner push to share what I have learned so far. It would be okay to have someone disprove my postulated sequence of events. It’s quite possible that sharing my version will encourage others to add puzzle pieces that make the story even more complete.
Aside: To keep the story acceptably short, it assumes that the reader has a basic understanding of the layout, machinery design, and operations of a B&W Pressurized Water Reactor. If you do not have that background, you might want to start by reading through this introductory course provided on PDH Online, whose tagline is “Your Gateway to Lifelong Learning.” End Aside.
Most accounts of the TMI accident focus on the actions that plant operators took after the initial transient. My contention is that the transient shouldn’t have taken place at 4:00 am on March 28, 1979 and probably did not happen by random chance. There is likely to have been at least one active instigator.
The accident at TMI started with a bang when most of the air operated valves in the feed system suddenly shut, stopping the flow of water into both steam generators. The control room operators felt the cascade of shutting valves when the floor of the control room shuddered. Almost simultaneously, numerous alarms started going off, accompanied by an annoying horn and flashing lights spread across several large display panels.
Coincidentally, a more sentimental control room crew might have already been making a little noise of its own at that time; TMI unit 2 started operating at 4:00 am on March 28, 1978.
In the machinery area of the plant, the noise was a thunderous water hammer as rapidly flowing water was stopped by suddenly shut valves, causing large pipes and pumps to shake their restraints, and, in some cases, actually break free. People who have lived in places with steam heat or old pipes may know what water hammer sounds like when valves are suddenly opened or shut; imagine how it must sound when the affected pipes are two to four feet in diameter and the pumps are twenty or thirty feet tall.
It’s important to understand that the feed water valves did not shut by magic. The reason the feed water valves slammed shut was that the instrument air system holding them open had been contaminated with water. The water entered the instrument air system because that system had been improperly connected with a temporary hose to a higher pressure water system.
Temporary hoses do not connect themselves between fittings; someone installed the hose without making sure that higher pressure water would not flow into the lower pressure air.
As soon as feed water stopped flowing into the steam generators, a signal was sent by the control system to stop the steam flow into the turbine. That turbine trip initiated another set of alarms, tripped the electrical generator output and required the operators to enter into another casualty procedure. Even with the reduction in water flowing into the steam generator, its pressure immediately increased due to the increasing temperature as steam stopped flowing to the turbine.
The turbine trip halted heat removal from the primary plant, caused an immediate pressure surge and caused the power operated relief valve (PORV) to open. This was an expected condition for a turbine trip.
The rising steam generator pressure caused the steam dump valve to open, starting a flow of steam directly to the condenser and creating another source of distracting noise and indications. With no water flowing in and steam being dumped, the steam generators rapidly emptied.
As the steam generator water levels dropped, there was less and less heat being removed from the primary system. With the loss of the normal heat sink, the primary system average temperature continued to rise, water surged into the pressurizer, and primary system pressure increased. The open PORV helped to limit the magnitude of the pressure increase.
This was a widely known response to a loss of feed for a B&W 177 design reactor. According to logs recorded during the event, cold leg and hot leg temperatures equalized at 575 F at 4:01, meaning average coolant temperature had increased to the normal hot leg temperature. By 4:02 both steam generators were empty.
The system designers knew that losing feed water was a significant event in a B&W reactor. Unlike Westinghouse or Combustion Engineering pressurized water reactors (PWRs), which use the classic U-tube design familiar to tens of thousands of PWR operators, B&W reactors use a patented Once Through Steam Generator (OTSG) that provides several important operating, fabrication and maintenance advantages. The OTSG advantages are somewhat offset by an increased vulnerability to a loss of feedwater. OTSGs have a much smaller secondary water inventory than U-tube steam generators, leading to a more dramatic effect if feed water inlet flow stops.
To mitigate the negative effects of the smaller steam generator water inventory and to maintain the steam generators as a heat removal path, B&W reactor plant designers specified a robust — but not officially “safety-related” — emergency feed water (EFW) system. Since B&W did not design or build steam plants, the specific supplier for each individual plant was free to devise a slightly different solution.
In the case of TMI unit 2, the EFW system included three redundant pumps. The system design also included pump discharge valves (EFW-12A and EFW-12B) to help isolate the pumps for maintenance or testing. Those valves were normally open during plant operation. Their position was important enough to be instrumented for display in the control room.
In another improbable coincidence, those two, normally open, isolation valves for the emergency feed water system were already shut at the time that the feed water system flow stopped. For the first eight minutes of the TMI accident, control room operators assumed that emergency feed was flowing because the pumps were running, but the closed EFW-12A and EFW-12B prevented any water from getting to the steam generators.
At 04:08, eight minutes after the initial loss of feed, an operator recognized that the EFW-12’s were shut. He opened them and restored a flow of cooling water into the steam generators. The heat that should have been removed by eight minutes worth of feedwater flow remained in the primary coolant system. That extra heat increased the temperature of the core materials and added to the rate of boiling in the primary. Those effects reduced the time before the core was uncovered and raised core temperature closer to conditions that would cause melting and cladding oxidation.
The position indication for at least one of the improperly shut valves was obscured in the control room by a maintenance tag on an unrelated switch that coincidentally covered the indicator light.
Valves that are supposed to be open do not reposition themselves. People who put tags on switches in control rooms are generally pretty careful about how they arrange those tags so they do not obscure other indicators. The straightforward, active voice explanation is that someone shut the valves and someone hung the tags incorrectly.
Update (Schematic diagram added Jan 21, 2014) Discovered via a link provided by a protected source who read the first three installments of the series. End Update.
In September 1977, about 18 months before TMI, the B&W nuclear reactor at Davis-Besse, a plant nearly identical to TMI unit 2, experienced a frighteningly similar sequence of events in which a loss of the normal feed supply was accompanied by a faulty emergency feed water system, a rising pressurizer level and a PORV that failed to shut after reducing plant pressure below its setpoint. The Davis-Besse event started at a lower power level and the shift superintendent on duty correctly interpreted his indications in time to prevent any core damage. A number of people understood the ramifications of the event, but the information had not yet made its way to TMI unit 2. There was, at the time, no organized system of sharing operational experience.
At the time of the initial investigations, the possibility of sabotage was considered and officially rejected due to a lack of evidence. However, the historical record and recent interviews with two then-serving NRC commissioners indicated there was no high-level interest in probing to find evidence of malice. Chapter 11 of the Conclusions and Recommendations section of the Rogovin Report – Three Mile Island: A Report to the Commissioners and the Public is titled Sabotage, Bribery, and Coverup. The report’s authors were unable to determine why the emergency feed water valves were shut, and left it as an open issue in their final report.
Like IE [NRC Office of Inspection and Enforcement] and the President’s Commission, we were unable to determine when or how the emergency feedwater block valves - which prevented emergency feedwater from being automatically supplied to the steam generators during the first 8 minutes of the accident - came to be closed. It has been established that these valves were closed during a routine maintenance procedure 2 days before the accident occurred, but the Met Ed personnel involved gave sworn testimony that they recalled reopening the valves after the maintenance was completed, as required by plant and NRC procedures. A checklist that would have recorded whether that was in fact done was routinely thrown away after the maintenance procedure was finished.
The Rogovin Report also proposes and then dismisses a theory that the EFW-12 valves were mistakenly shut after the event started. Rogovin’s team concluded that the loss of emergency feedwater during the first 8 minutes after the initial event had little impact on the overall accident timeline and was not a direct contributor to the eventual core damage. At most, they concluded that the mispositioned valves caused distraction at a time when there were already significant levels of confusion.
The analysis that led to that conclusion may or may not be complete. If the emergency feed system had worked as designed to maintain steam generator water levels, the primary plant would have initially experienced a rapid cool down. The emergency feed system does not go through the same heat exchangers that are designed to preheat normal feed water to improve thermal efficiency, so it is several hundred degrees colder than normal feed water.
Putting eight minutes worth of emergency feed water into the steam generator would have removed a significant amount of heat from the primary coolant system. It would have slowed the rate of boiling, reduced the leakage rate through the PORV and reduced the heat up rate of the core materials.
With the slower heat up rate and slower rate of boiling, it is possible that Brian Hehler could have been the hero who prevented core damage. He arrived for a shift change at 6:00 am; by 06:18 he observed indications that told him that the PORV was leaking, so he shut the stop valve and halted the leak. Post event analysis indicates that action was about 30 minutes too late to prevent the core from being uncovered and experiencing substantial damage.
The only way to determine if this seemingly minor occurrence had a significant impact on the event progression would be to run event simulations with actual plant and equipment capacity numbers through the codes that have been developed and refined in the several decades since the event.
It is quite likely that the major core damage and the permanent loss of the plant were unintended consequences of the event, but it is difficult to accept the idea that so many unexplained, mispositioned pieces of otherwise functional equipment happened because of unrelated accidental actions.
The open, almost impossible to answer, question is who might have made the decision to install the temporary hose on the fitting to the instrument air system, to shut the EFW-12 valves, and to hang the indication-obscuring tags. Did the same person initiate the flow of water into the instrument air system on the anniversary of initial operation, almost to the minute?
There are more installments coming, but this post is already one of the longest ever posted on Atomic Insights.
Note: Readers with deep professional knowledge suggested a few technical detail revisions from the initial version. Those changes, mostly revolving around steam generator water levels, average coolant temperatures, the classification of the instrument air system and the responsibility for the design of steam plant systems were made on Jan 19, 2014. They are not marked because the intent is for the permanent post to be a long lasting piece of finished reference material.
Additional revisions were made on September 10, 2014 after a number of conversations with people who had more detailed knowledge of the event and the engineering design. Again, those changes are not marked.
Updated (Sep 10, 2014 at 5:40 am) This post has been revised to improve the explanation of event sequence and resulting plant response. End update.
Updated (Jan 21, 2014 at 10:40 pm) The pattern is not completely clear, and there are pieces missing from the puzzle, but I have found enough bits of evidence to convince me that it is more likely than not that someone purposely initiated the Three Mile Island (TMI) accident. End update.
Excellent speculative expose! It happened way too close to “that movie”!
But you know, the ironic possible silver lining here is, just like the superquake that took out Fukushima with zero casualties, that a nuke plant could also withstand sabotage resulting in zero injuries, is a big plus in my book. Would a LNG and Oil facility be so resilient and forgiving to the immediate neighborhood?
James Greenidge
Queens NY
Unrelated irony of the Bhopal accident: “a disgruntled operator entered the storage area and hooked up one of the readily available rubber water hoses to Tank 610, with the intention of contaminating and spoiling the tank’s contents. It was well known among the plant’s operators that water and MIC should not be mixed. He unscrewed the local pressure indicator, which can be easily accomplished by hand, and connected the hose to the tank.”
http://www.bhopal.com/~/media/Files/Bhopal/casestdy.pdf
Rod’s statement:
“There was, at the time, no organized system of sharing operational experience.”
Well I have a newsflash for you all. The Crystal River upgrade that was to take place a while ago has been done by dozens of other operators. All of them called for external help and consulting expertise.
But Crystal River’s owner wanted to go on the cheap and do the tasks with internal staff that had no experience in that sort of upgrade.
Well, they scrapped their reactor. Who is accountable?
Rod,
Great analysis. It could be true that there was sabotage.
As a former Engineer Officer, as you were, and Startup Engineer, then Systems Engineer, and having been involved in a few events, and studied many more, there is a “red flag” in the event for me.
The red flag is the PORV and its indication. As I remember the report, the indication lights for the PORV, “Open” or “Closed” really only showed “Power on” or “Power Off”. This was a common design at the time. It is OK when there is a way for the Operators to verify whether the valve is really open or closed. At TMI the PORV had to discharge someplace. I’ve never heard of a tank the valve discharged to, but since it was supposed to open there must have been a tank or sump level indicator. The PORV open procedure should have said to check the tank/sump. This was known, as people later knew what to do.
The whole event has the markings of inexperienced and not perfectly trained Operators, PLUS the big contributor, the time of day. Many of these events happen on the midnight shift - Chernobyl did.
Another contributor was the rush to get the plant on line. The TMI report said there was no indication that there was any pressure to “get commercial”, but having been involved in startups, I bet there was. When one day can make a difference of tens of millions of dollars, there is bound to be something said.
The other training issue was the fear of operating “solid” that led the Operators to turn off the high pressure injection. Having done solid operation at the SIW prototype, what it means is solid with the reactor at power. Then, a slight temperature change will cause a large pressure change. Solid with the reactor shut down can be handled.
Could be sabotage combined with error and early morning.
Are original transcripts of the operator interviews available anywhere? Those would make interesting reading.
As you say, someone hooked up the air hose wrong, and left the Emergency FW valves mispositioned. Didn’t they take shiftly log readings on their indicated position? Why not?
Whether it was sabotage (with some unspecified motive), or just plain old incompetence and sloppy operational practices, these commissions should have gotten to the bottom of it. Perhaps they didn’t pursue it as doggedly as they might have because they concluded that the delay of FW never really affected the PORV lifting and the shutoff of Safety Injection which led to the core damage.
A quibble, but where I come from (W PWRs), instrument air is not Safety Related, but Auxiliary/Emergency FW is.
@Atomikrabbit
The National Archives supposedly has the entire history. One source I’ve been reading describes about 300 shelf feet of material about the accident. The NRC emergency operations center had a 24 channel tape recorder running that captured every conversation to that site.
AR, original transcripts are available, every footnoted passage in the Rogovin Report leads to the person’s deposition transcript who made the comment. I have several attributed to me. Sometimes I can’t connect it to anything (forgot?). But NRC ADAMS is only digitized back to ’80, everything else in archives is microfiche, you have to hire a service to copy it for you to get it, $0.65/page; no thanks. More interesting depositions are probably in the archives of the 2 NYC law firms for the GPU vs B&W law suit, good luck getting those! mjd.
Atomikrabbit,
The W plant I am most familiar with does have a safety-related portion of their compressed air system (Auxiliary Control Air Subsystem, aka ACAS), but its compressors and dryers operate in standby mode, and the non-safety related feedwater reg valves are not supplied by ACAS.
If I recall correctly, the Instrument Air System was connected to the high pressure water system to clear a clogged resin bed used to control secondary water chemistry.
The tank that the PORV would have discharged to would have been the Quench Tank. I think Quench Tank level indications were disregarded since the PORV discharge temperatures were lower than what was (incorrectly) expected for PORV discharge.
I am skeptical of the sabotage hypothesis. I remember William Engdahl in his book “A Century of War” but I don’t remember him offering a reference. In those days, the control rooms were designed for engineers not operators. Fortunately, many are now backfitted with SCADA systems that can mitigate poor human interface design (though they bring their own problems). For example, the real estate on the control panels in older plants is crowded with switches, indicators etc. It’s not surprising that a maintenance tag would block an indication. Even if it was carefully placed initially, it could have been moved by subsequent operation activity.
I don’t know how the TMI station was organized at the time but today, the many activities that led to the accident and the subsequent confusion would not have fallen on a single individual or even department. It sounds like the Chemistry, Mechanical Maintenance, Instrumentation and Control and Operations would have had to have been involved. Of course, things were much less formal in those days. If I were looking for funny business, I would start with the organization chart.
@FermiAged
There are other installments on the way, but please read this one a little more carefully. My suspicion is not about the actions taken by the operators; it is simply about the events that initiated the accident.
There is no doubt that accident exposed a whole lot of weak areas in the industry, in the regulatory bodies and in the preparation of the emergency management organizations.
FermiAged,
Why wouldn’t service air have been used to clear the clogged resin bed rather than instrument air?
Were service air and instrument air entirely the same system at TMI?
I know that service and control air (same thing as instrument air, needing to be dried and filtered to a much higher purity than “mere” service air) are separate subsystems at the Westinghouse plant I am most familiar with (as my current project is associated with those very subsystems).
I suppose without any intermediate check valves, having a service air hose connected to the higher pressure water system could eventually get to the instrument air portion if the service and instrument air were connected.
Your comment caused me to think that clearing out a clogged resin bed sounds to me to be more of a service air task than an instrument/control air task, unless the resin bed needed the extra cleanliness of instrument air.
@Joel Riddle
You can find some of the answers to your question at http://insidetmi.com/narrative.html page 1. (I’ve had several people tell me that this site provides the most complete and understandable description of the actual events, though its interpretations of the impact of those events is not the same as mine.)
I have to say, if I had a simulator scenario where the initial conditions had the Emergency FW discharge valves closed, and none of the crew noticed it – there would be a serious discussion about pulling their quals.
Similarly, if I had been Ops Sup and walked into that TMI control room and found that none of the crew knew those valves were closed (assuming remote indication and no auto-open signal), I would have relieved that crew as soon as I could have gotten their replacements in.
Yes, they were “set up” by poor training, some bad design features, and apparently some incompetent actions by their field crew. But their control room watchstanding was also totally unacceptable.
I don’t really buy the sabotage scenario. I, of course, totally agree with you that having the emergency feedwater supply may well have mitigated the event, but having been in the industry for 35 years a mispositioning event such as described is not that unusual. As you noted this had occurred at Davis-Besse.
That the operators testified that they opened the valves is certainly understandable and I’m sure that they were being truthful. I also believe that they thought they had opened them and actually did not. Most mispositioning events happen this way. Few if any people try to do the wrong thing. That the valves had been closed for maintenance two days earlier adds credence to this.
Another point that needs to be made is that at the time of the TMI accident training for operators and any other personnel on site was extremely limited to nonexistent. When I left the Navy in ’75 and started work at a plant as an Auxiliary Operator there was actually no training program for us. We didn’t even have access to flow diagrams much less P&IDs. So when you did something you figured it out or someone would just show you what to do. Operation was not that much different than at a coal or oil steam plant.
Industry today is totally different thanks to the changes that came about from TMI.
@Jim Rogers
The emergency feed water issue at Davis-Besse was not caused by shut valves, but by an electrical problem associated with the pump. Though the effect on operations is similar, there is a difference in cause analysis between an electrical fault and two shut valves.
You’re correct, of course, about the difference in the failure of EFW. My main thrust was to indicate that it is a stretch to attribute the TMI event to sabotage since the initiating event was likely caused by lack of knowledge and/or control which was not uncommon at that time.
I don’t know but I wouldn’t be surprised that the hose connections were the typical Chicago-type couplings which were common. Inadvertently connecting a hose from a water system to an air system could clearly occur especially given the lack of training and knowledge base of maintenance and some operations personnel.
I’m sure that the mispositioning of valves was not an uncommon occurrence at the time. Unfortunately, mispositioning of these specific valves created a condition which exacerbated the event.
@Jim Rogers
Humans make mistakes, but they also purposely harm each other and damage physical property. While most nukes were studying for their EIT as undergrads, I was learning about “man’s inhumanity to man.”
In graduate school, I learned about system design and about ways to ensure reliability by designing systems that would keep working as long as A or B or C or D was true. Part of that same course was learning that if the only way to fail was for A AND B AND C AND D to occur, you could make the probability of failure very low, especially if A, B, C and D needed to happen in a specific sequence or with a specific temporal relationship.
“As you noted this had occurred at Davis-Besse”
Isn’t something always happening at Davis-Besse?
As I have said before.
Other coincidences:
Date/Time of initial criticality of TMI-II – March 28, 1978 @ 04:00:00.000 (I am the person that picked that time, gave it to the SRO who wrote it in the log.)
Date/time of accident (From plant computer) March 28, 1979 @ 04:00:00.037 (Note: the plant computer has a 3 millisecond cycle time to scan all points)
The Main, front page story in the Paxton Herald paper (A free paper that was mostly ads and a classified listing that you picked up to find/sell stuff but VERY anti-nuclear) that week and released before the accident, was about the major accident that was going to happen at TMI in the very near future. They went on to make parallels of the accident at TMI with the “China Syndrome” film.
@Rich Lentz
Thanks for the illuminating information. You don’t, by any remote possibility, have a copy of that issue of the Paxton Herald laying around do you?
Oh, how I wish I did.
Have some “I survived TMI” T-shirts, though
Rich,
Is that 1979 time when the sequence of events leading to the accident was initiated?
The anti-nukes are always saying that each plant is an accident waiting to happen. The China Syndrome had dialog in it saying that a nuclear accident could render inhabitable an area the “size of Pennsylvania.” I think this was taken from a 1957 analysis done at Brookhaven and long known to be wrong.
I remember seeing the China Syndrome a week or two before the accident while on spring break during my junior year as a Nuclear Engineering major.
@FermiAged
There are some additional bits of foreshadowing in that film. The Warning is also full of useful tidbits and linkages that mean a lot more today than they did 32 years ago when the book was published. More to follow.
Protestors were there BEFORE the accident. Don’t remember when they initially showed up. We tried to ignore them.
@Rich Lentz
The protests against nuclear in the US started in earnest about 1970. By 1979, the movement was so well established that it earned a starring role in a blockbuster movie produced by two of Hollywood’s second generation stars and includes several other big name performers.
FUD spreader article! You can’t post feedback that sticks here!
http://www.forbes.com/sites/michaelkanellos/2013/12/06/czech-project-shows-why-nuclear-power-is-fading-away/?utm_source=alertsnewcomment&utm_medium=email&utm_campaign=20140118
Not to nit pick but I believe the PORV at TMI II was a pilot operated valve not a power operated valve. I am not sure the difference but have seen power operated relief valve when referred to Westinghouse nsss’s and pilot operated relief valve when referred to B&W nsss’s.
I have wondered what mitigating effect the 12 valve being open could have had. I always found the reports conclusion that it was inconsequential to be lacking. I believe that they had common issues with the resin beds and feed water system at TMI II. I have read that using compressed air to blow out the resin beds was a common task there at that time. I wonder why this time they used the instrument air? Did they use it for this purpose before?
Also of interest is the difference in AE from unit one to unit two. Unit one has been one of the best operating plants in the country same nsss but different AE and different control room layout etc…
Above post should say 12 valveS not valve.. There were two I believe they were labeled AFW-12-A and AFW-12-B
TMI-I – Ebasco TMI-II Stone & Webster.
Rod, the first two links in your third paragraph both point to the same site (Course EH183). Anyhow, thanks for making this available and informing us of the PDH Online courses.
That was intentional because that document is the best source I could find for an overview of the B&W 177 design.
What motive would a saboteur have? Did I miss that in the post above?
@Paul W Primavera
There are more installments to come, my friend. I’m trying to build some suspense here.
Rod – We’re going to have to start calling you “Hercule Adams” (stress on the second syllable, final s silent).
@Brian Mays
So, you think my last name should be pronounced so that it sounds like Atom? Interestingly enough, if you ever see me driving around our shared home town, you will notice that my license plate now reads RATOMS.
Or Atomes, the French word for “atoms.” 😉
I was just hoping that someone here was an Agatha Christie fan. After all, her name and her characters are synonymous with mystery, suspense, and investigation.
Thank you, Rod. This is interesting and I have shared it on Facebook so that my nuclear friends and co-workers who do not frequent blog sites may perhaps give insight too.
Imagine a large steel pressure cooker sitting on a heating element on an electric stove on low heat, solidly filled with water at 250 deg. f. Call it the reactor vessel.
Next to it on another heating element is a small pressure cooker half filled with water at 300 deg. f. Call it the pressurizer. Imagine that the two are connected by a small tube at their bases.
Now imagine that the temperature in the pressurizer begins dropping, and after some time water level in the pressurizer begins to rise. You see that the heating element under the pressurizer is red hot, adding heat to the pressurizer, yet temperature continues to drop, (operators measured current flow in the pressurizer heating elements, they would quickly have burned out if uncovered).
The only possible explanation for this behavior is a leak near the top of the pressurizer venting steam. A leak anywhere else would result in dropping levels in the pressurizer.
Well trained operators would have immediately recognized this unique signature and responded appropriately.
Increasing vibration from the main recirc pumps provided an independent indication of steam bubbles in the system. Either indication should have caused the operators to initiate at least a small High Pressure Injection flow. The sluggish pressure response to that would provide confirmation of the large void, confirming the need for a large HPI flow.
If someone wanted to cause a minor disruption of the plant, this would be one way, but there are more probable ways to cause serious damage.
Sabotage or not, the most important lesson of TMI is that the training/instrumentation package in effect that morning was not adequate to keep the operators’ mental image of the plant conditions accurate.
I believe that full meltdown should be a design basis accident. The level of effort to prevent a meltdown would be an economic rather than human safety analysis. By adding a core catcher, containment vent filter and passive hydrogen recombiners (for designs with zirconium cladding) the quantity of safety grade equipment required to be designed, manufactured, installed and maintained can be dramatically reduced (in a rational world).
Reactors designed to this standard could be cheaper to build, faster to build, safer, and produce cheaper kwhs than Gen III reactors.
Sabotage with malice, or just a 4 am brain fart?
Accidents are often caused by somebody doing something nobody would dream of doing. Afterwards, the perpetrator cannot think why he did it.
Power stations should be designed to be proof against sabotage, but this is obviously difficult.
@Don Cox
Who are you asking? The word “sabotage” means a purposeful action with the intent to cause a problem. The “Three Mile Island accident” is the full name of the event in the public mind. I used that term to distinguish from the Three Mile Island reactor plant that continues operating well to this day.
Well, I’m asking you whether you are sure this was deliberate sabotage, bearing in mind that people do some very strange things at times, especially in the middle of the night. Such as driving along a motorway in the wrong direction (which is usually fatal).
I do wonder whether the Chernobyl accident was sabotage. But how would you prove it?
In any case, if sabotage is possible, then sooner or later, given enough nuclear power stations, somebody will attempt it.
I have seen Instrument Air systems with serious water problems.
Not due to sabotage.
It is NOT necessary to cross tie these systems with a water system to have substantial quantities of water accumulate in an air header.
That could happen. Resin transfer systems are a potential air / fluid interface – the TMI accident was initiated by unintended closure of the Condensate Polisher valves. Condensate Polishers have air / water slurry resin transfer systems.
Even without such problems, it's not uncommon for air systems to be challenged with water intrusion.
In the 1980s, a large commercial reactor plant in the Midwest had similar issues.
The Service / Instrument Air Compressors would take in more humidity than the dryers could handle. The condition came to light when tagouts were issued for air operated valves located in lower elevations of the plant. Typically the instrument air valves were closed and the petcock on the bottom of the regulator was opened to vent pressure of the particular valve. A steady stream of water meant the air header was wet. Operators would then crack open petcock drains on all regulators in the lower elevation and let them bleed for a few hours.
In the 1990s, many plants upgraded their dryers. Some due to corrosion issues in air piping, others due to waterlogged systems – I had related to the TMI report.
@Rob Brixey
In the situations that you know about, was there enough water in the air system to cause several air-operated valves to slam shut at exactly a one year anniversary – to the minute?
By the way, I have a little bit of experience with air systems, compressors and air dryers. They are all kind of important to safe operations of a submarine.
It might have also been someone’s birthday. In my experience 0400 to 0500, most bad stuff that’s going to happen – happens.
If timing is a factor – TMI happened in the Spring. There’s plenty of humid air to be had. New plants also have steam leaks adding to the moisture inventory of compressor intake.
Water hammer is well capable of overcoming AOV solenoids and repositioning valve actuators. The simultaneous valve repositioning supports the theory of a water hammer in a pneumatic line triggering the transient.
What floored me the most about TMI (I was on USS LONG BEACH at the time) was that post trip, operators were not monitoring RCS subcooling. Failing to watch Reactor Pressure in a transient – no matter the status of injection or reliefs – was foreign to my culture.
Power Pressure Temperature Level
If a Reactor Operator didn’t always know and control those parameters – there would be hell to pay.
Bob, I was on the Long Beach at the time of TMI. I worked in 2 Engine Room. At least 40 guys off the Long Beach ended up at San Onofre, some of whom you would know.
We have got to talk. I’ve researched the sabotage theory and evidence since 1984. You’d be amazed at my evidence file.
Scott
The individual who connected the air system at the Full Flow Condensate Polishing Demineralizers was one of my training instructors at San Onofre. It has always been my understanding, as well as the training we received on the Full Flow system, that instrument air and service air were one system at TMI. We were told that one of the TMI ‘back fits’ was to separate these two air systems. This individual connected the air system to blow out a resin blockage at the Full Flow and the check valves in the air system failed, allowing the higher pressure water to enter the air system. As I recall, there was a motor operated bypass valve which was supposed to open on high dp. When the air operated valves drifted closed, causing hi dp, the motor operated valve failed to open. There were two other operators at San Onofre who were also at TMI. Neither of these folks ever suggested there was any sabotage involved, at least not to me. One of these guys was a CRS at TMI and the other either an RO or CRS; he also became an instructor.
I feel confident there was no sabotage at the Full Flow but have always wondered how the AFW valves were shut. Deliberate misalignment? I don’t know.
@david davison
You wrote:
As I recall, there was a motor operated bypass valve which was supposed to open on high dp.
Others can correct me if I am wrong, but all of the reports I have read indicate that the bypass valve did not operate automatically on any signal. It had to be positioned by an operator.
You may be correct–just relying on old memory and at San Onofre, we had auto valves, air operated. If it is indeed manually operated, it failed to open when given a signal. As I recall, it had been slated for maintenance but the maintenance was delayed, or in any event, not performed yet.