49 Comments

  1. I suppose there’s a way you can rule this out.  Did any of the people involved suddenly get wealthy after the event, and retire to someplace posh?  No?  Then it likely was an accident.

    1. Really. Does Mother Jones or some other mag compile a rating of corrupt politicians? Sounds like it would be more worth while than “Places Rated.”

  2. Wait. The timelines show the PORV (pressure relief valve) stuck open and allowed the primary system to drain, and then the operators mistakenly shut down the backup feed. I’ll file this with the 911 truther stuff.

    1. Apparently he made these comments (1985) before they had the first good boroscope view of the melted region.

      Although some of the compounded operator errors made seem incredible by today’s standards, I would need a LOT more evidence to fall in with the conspiracists. In their defense, these operators were also set up by poor standards, poor training, and poor human factors considerations.

      http://www.pddoc.com/tmi2/kemeny/wednesday_march_28_1979.htm

      1. @Atomikrabbit

        Winsor was definitely speaking without knowledge of the damaged core removal process.

        http://www.youtube.com/watch?v=o7xfr-BZjdI#at=528

        He also did not acknowledge the fact that nuclear reactor cores contain a lot of material that is not uranium dioxide. That metallic material has a much lower melting point. As the above linked video shows, about 30% of the core melted.

        1. That video is a good reference. If QuickLook took place in 1982 and the head was off in 1984, Windsor should have known by 1985 that Enrico Fermi himself couldn’t have started up that unit in 1981.

    2. @northcoast

      Please review the links I provided. I think you are confusing the actions to charge primary make up coolant with the secondary feed system issues.

      The feed isolation valves I am talking about are in the secondary system in between the feed pump that pushes water from the condensate system and the steam generator that boils that water and turns it into steam to turn the turbine.

      If the steam generators had not emptied, the pressure in the primary system would have never gone high enough to lift the primary relief valves.

      1. These extracts from the Kemeny Commission report are worth reviewing:

        “About a minute and 45 seconds into the incident, because their emergency water lines were blocked, the steam generators boiled dry. After the steam generators boiled dry, the reactor coolant heated up again, expanded, and this helped send the pressurizer level up further.”

        “Eight minutes into the accident, someone — just who is a matter of dispute — discovered that no emergency feedwater was reaching the steam generators. Operator Faust scanned the lights on the control panel that indicate whether the emergency feedwater valves are open or closed. He first checked a set of emergency feedwater valves designed to open after the pumps reach full speed; they were open. Next he checked a second pair of emergency feedwater valves, called the “twelve-valves,” which are always supposed to be open, except during a specific test of the emergency feedwater pumps. The two “twelve-valves” were closed. Faust opened them and water rushed into the steam generators.

        The two “twelve-valves” were known to have been closed 2 days earlier, on March 26, as part of a routine test of the emergency feedwater pumps. A Commission investigation has not identified a specific reason as to why the valves were closed at 8 minutes into the accident. The most likely explanations are: the valves were never reopened after the March 26 test; or the valves were reopened and the control room operators mistakenly closed the valves during the very first part of the accident; or the valves were closed mistakenly from control points outside the control room after the test. The loss of emergency feedwater for 8 minutes had no significant effect on the outcome of the accident. But it did add to the confusion that distracted the operators as they sought to understand the cause of their primary problem.”

        It seems to me that boiling the steam generators dry had more impact than the investigators implied, but I’m guilty of armchair quarterbacking 35 years after the fact.

        There is little doubt in my mind, however, that the reaction to TMI was orchestrated to cause as much cost increasing harm to nuclear technology development as possible, and that many of the same players have dusted off the script from the aftermath as a result of Fukushima. They are, once again, bent on doing everything in their power to distract the industry leaders from developing new nuclear power plants that will take market share away from natural gas, coal, wind and solar energy (in that general order).

        1. @Rod Adams. “It seems to me that boiling the steam generators dry had more impact than the investigators implied, but I’m guilty of armchair quarterbacking 35 years after the fact.”
          I don’t have to “armchair quarterback” that event, I lived through the first 22 minutes of it in 1977 at Davis Besse. There are several pieces of that puzzle that had “more impact than the investigators implied”, both Kemeny and Rogovin. I spoke my piece to Rogovin, Kemeny didn’t care to talk to me. Thirty five years later I still wonder what the investigation agendas really were? mjd

      2. I missed that the feedwater valves are in the steam system. My experience involved reactor hardware, and that is the first thing I think of. I understand that the reactor was tripped after a blockage interrupted the return of condensate to the steam generators, the primary system pressure rose, the PORV valve opened and failed to close, and the operators were not aware that the valve was open. This could be the first time I’ve read about closed valves in the feedwater system. (After the Fukushima accident I took some pain to read about sequence of events in Japan, at TMI, and at Chernobyl.)

        Still, the reactor should have been able to survive a much more severe accident such as a rupture in a primary coolant line. Failure of the PORV valve to close as the primary system pressure fell would not have been fatal if the core emergency cooling system had been allowed to function. (I think that there had been a PORV valve failure at another plant but that the appropriate notice had not been circulated.)

        I’d like to hear how the plant operators would react to Mr. Winsor’s statement. If this was a planned event, then either the operators were involved or they and their careers were victim to a criminal act that would have to involve some TMI personnel.

        I guess the Pennsylvania reference makes good theater, but apart from the obvious geography it is bogus. There was zero area contaminated to any extent requiring evacuation or remediation.

        Incidentally you can find references to a hydrogen explosion in the reactor containment vessel on the day of the accident. There was little notice at the time, and there was little or no damage to the PWR containment dome.

  3. If the preliminary NRC timeline is correct, the PORV opened 3-6 seconds after the turbine trip, (which was initiated by the water slug in the instrument air line, which caused a condensate polisher valve to fail closed, which isolated main feedwater).

    The aux (emergency backup) feedwater wouldn’t have made it into the rapidly lowering once-through steam generators by then, so the PORV would have lifted even if the AFW had not been isolated. However, if they’d had AFW the SGs wouldn’t have completely dried out, taking away their secondary heat sink. Looks like AFW was discovered and restored in about 8 minutes.

    The question I have, and maybe someone with a B&W license can explain, is why, at 97% power, doesn’t a Turbine Trip generate an immediate automatic Reactor Trip?

    1. @Atomikrabbit. No, not in that vintage B&W plant. The control system (ICS) was designed to run back the reactor to 15% power on turbine trip. Post TMI required design changes did change that and an “anticipatory” trip system was installed. mjd, B&W plant licensed SRO, Shift Supervisor during the discussed Davis Besse TMI precursor event in 1977. For all the years of Monday morning quarterbacking that occurred after TMI, how do you suppose I felt watching it unfold in real time?

      1. Wow! We’re you on duty during that event? Do you feel TMI would have been totally different had your OE been shared in a timely manner? I would love to read your story of the TMI precursor event at DB.

        We’re you there for the loss of feed water event in the 80’s I have read that the operators during that event saved the plant from suffering a lot of damage through heroic action and super human effort.

        1. Yes, as stated i was the on shift Shift Supervisor during the Sept, ’77 DB transient 18 months prior to TMI. I was also a testifier to the Rogovin Commission after TMI and also a witness for GPU in the ’82 law suit against B&W. I was working in the Independent Safety Engineering Department during the June, 9, 1985 total loss of feed water event. What you have read about the Operators during that event is correct.
          You said: “Do you feel TMI would have been totally different had your OE been shared in a timely manner?” That’s really the whole issue here isn’t it? If Rogovin had asked me that question, which they didn’t, my answer would have been “Yes, all the time, every time, any time.” The DB event went before the ACRS twice before TMI.

      2. @mjd

        Thank for the explanation. So the rods were stepping in at full speed until the Rx trip on high PZR pressure.

        What is the real story behind using an instrument air line to blow out the polisher resin plug? I have heard that it was originally connected to station air and somebody swapped it. And why were the damn 12 valves still closed after a surveillance two days earlier?

        1. Yes, as stated i was the on shift Shift Supervisor during the Sept, ’77 DB transient 18 months prior to TMI. I was also a testifier to the Rogovin Commission after TMI and also a witness for GPU in the ’82 law suit against B&W. I was working in the Independent Safety Engineering Department during the June, 9, 1985 total loss of feed water event. What you have read about the Operators during that event is correct.
          You said: “Do you feel TMI would have been totally different had your OE been shared in a timely manner?” That’s really the whole issue here isn’t it? If Rogovin had asked me that question, which they didn’t, my answer would have been “Yes, all the time, every time, any time.” The DB event went before the ACRS twice before TMI.

          1. Atomikrabbit, sorry about the double post, somehow a “gotcha” happened. The B&W rods don’t “step” (that is a latch mag design) they run. But actually the B&W plant was designed to survive a turbine trip from 100% power w/o a reactor trip. In fact we did it during the power ascension test program, i was in the control room, no reactor trip occurred, successful runback to 15% power.
            Your other comment has to do with TMI, I wasn’t there. But the best write-up I’ve found for the event (including air line discussion) is here:
            http://www.insidetmi.com/
            I certainly can’t verify it all, but looks reasonable, and as I said I lived through 22 minutes of it, so certainly can relate to what the TMI operators were faced with.

            1. @mjd

              That is a useful link. Despite dozens of TMI lessons learned training sessions over the past 30 years, I still learned a few new things.

              There are at least two things that support the possibility of purposeful sabotage. Connecting instrument air with a higher pressure water system (with indication that some people knew that would cause valves to fail shut) and the shut aux feed water isolation valves that the operators assumed were open because those valves are normally open.

              As the narrative points out, there were three licensed operators in the control room and twelve unlicensed operators in the plant. Again, I am playing armchair quarterback here, but it seems that any one of the twelve, OR the several dozen from the other shifts, may have had means and opportunity to insert the casualty initiators. Motive would be easy to purchase, especially from moderately compensated, unlicensed operators.

          2. That link has a pretty good narrative – I hadn’t heard about the condenser baffle/vacuum pump problem that apparently put condenser steam dumps out of action on every trip. That was just one of the equipment/design problems that set these operators up for failure. But I still can’t forgive them for not properly realigning the AFW system after maintenance, and not verifying it post-trip.

            And whoever hooked up instrument air to service water, and the human factors or design engineer that allowed them to use the same fittings ought to be… well, they probably already have been.

            Thanks for the link, and for your insights.

          3. The narrative of the 1985 event in the B&W cross training manual is chilling. I believe at one point it states that the operators performed a procedure (putting the startup fw pump into service I think) in something like 4 minutes when it should have taken at least 12 minutes. Some might disagree here that it was not conservative but I think the SS deserves a lot of credit for holding off on managements instruction to begin feed and bleed cooling which would have caused (in my opinion) a much more serious outcome.

            MJD… What led you to the realization that the PORV was open in your case? We’re you able to recognize the high PZR level and dropping pressure as a steam space leak or was it more of a procedural type “catch”?

            In my reading on TMI 2 I have seen the consensus that had the OE been shared it would have been a minor problem the only thing that makes me wonder though is apparently they had a situation prior where the PORV failed to close that was why they requested the indicator which as we all know did not show the true position of the valve. In fact I believe the operators had complained to GPU that the indicator light was not useful and should be changed prior to the accident.

  4. Does this imply that not only the NRC but the FBI also were inept?

    P.S. Re: All the Apollo 13 coincidences. Plus don’t forget that a near-miss city buster asteroid — which otherwise would’ve been the butt of Doomsday jokes — set jitters around the world just a day or so after a mini one rattled Russia. What’s the odds of that?

    James Greenidge
    Queens NY

      1. I mean wouldn’t they even explore the possibility of sabotage at all, just like with some plane crashes?

        James Greenidge
        Queens NY

        1. @James Greenidge

          I don’t know if there was any suspicion of sabotage or whether the FBI was invited to investigate. I suspect that the NRC and the presidentially appointed Kemeny Commission had the lead for the federal post event analysis.

  5. At that particular plant it was expected for the pilot operated relief valve to open on a feed water trip even when AFW was available. Unit 1 did not have the same issue. I myself had wondered if the outcome of that transient would have been different if the block valves were open. All the research I was able to do leads me to believe that while it added to the confusion in the control room it did not make a big impact on the outcome.

    I am not a RO and do not work in the nuclear industry but I believe that after TMI all PWR plants modified their reactor trip logic to initiate a reactor trip on turbine or feed water trip.

    1. While I was not an operator on a B&W plant, I was an operator for 16 years and am somewhat familiar with the TMI accident.
      I am not sure which block valves you are referring to so I’ll write about both.
      If the Axillary Feed Water(AFW) isolation valves had been open as they should have been this would probably been a non-event as AFW would have provided sufficient cooling.
      The Pressurizer Power Operated Relief Valve(PORV) also initially functioned as designed and opened to relieve Reactor Coolant pressure. One of the PORVs subsequently stuck open but indicated closed on the control board, had this valve functioned properly once again this would have been a non-event. PORVs at that time had block valves which were normally open, subsequent to the accident PORV block valves were kept closed with an automatic logic to open upon actuation of an open signal for the PORVs.
      From what I can find a Reactor Trip occurred with one second of the initiating event. Some plants were designed to “Runback” reactor power after a turbine trip rather than trip the reactor, the logic behind this is that it saves recovery time in getting the unit back on line.

  6. B&W plants call the PORV pilot operated relief valves as apposed to W plants.

    I am talking about the afw-12-a and afw-12-b valves. I assumed that if these valves had been opened allowing afw to the OTSG’s right away that the PORV would not have lifted. However, upon further research this particular unit had a tendency to always over pressurize on a feed water or turbine trip. Past experience at that plants showed that the PORV would most likely have opened regardless of afw being available immediately. As a matter of fact an almost identical incident had happened approx a year earlier when afw was available to the OTSG’s luckily in this case the PORV closed by itself after the PORV block valve was cycled. For reasons that are beyond my level of understanding this plant suffered from large pressure transients on feed water and turbine trips possible due to the OTSG design but curiously unit one did not suffer the same issues. The PORV on unit one was hardly if ever activated where it was a common event at unit two. Go figure?

    However, the lack of afw was a contributing factor to the confusion in the control room and helped to obscure the operators situational awareness.

  7. Last Saturday I was passing some new gas line welders and seeing all the trucks of tanks they were using just to cut and weld pipe reminded me of what Rod said long ago of how much energy is needed to torch into a submarine hull, so I wonder just how far the TMI core could’ve melted through its far thicker containment even had everyone walked away. Maybe the end “worst” non-Doomsday result (like Fukushima?) would’ve been the same?

    James Greenidge
    Queens NY

    1. The most vulnerable area at the bottom of a PWR pressure vessel is the incore detector nozzle penetrations – the point where tubes of about 3/8″ thickness (containing long thimbles for running power measuring fission detectors into the core) join the 6″ thick vessel. At TMI-2 the corium oozed about 15′ into these tubes before solidifying.

      The stainless steel liner at the bottom of the vessel was barely etched, but then again, I don’t think the vessel was ever completely dry. If the corium had managed to eat through the bottom, it would have been at the incore nozzle welds, and then it would have dribbled down into the reactor sump where it would have been immediately quenched by the thousands of gallons of water that wound up there when the PRT rupture disk blew (by design) early in the accident. Still a very long way from China, or even the 10′ thick concrete containment basemat.

      You B&W licensees correct me if I’m wrong.

      1. You got it right, and the sump had plenty of water, in fact Kemeny Report documents the operators locked out the sump pumps when they discovered they were pumping to the Aux Bldg. Their thinking at the time was it was just water that had boiled out of the quench tank when the rupture disk blew from early PORV lift (and reseat), not that the PORV was stuck open. After all, the control panel light said it was closed. And they had other things going on!

  8. @Atomikrabbit
    July 29, 2013 at 9:53 PM. You said “And whoever hooked up instrument air to service water, and the human factors or design engineer that allowed them to use the same fittings ought to be… well, they probably already have been.”
    You’re thinking way too hard on this one, relative to HF or design eng. Yes, certainly played a part, but I imagine to a certain extent this type of thing still goes on. Hopefully in a more controlled fashion. You can google a “Chicago coupling/fitting”, but it is simply a simple plumbing device used to temporarily attach a hose to a system permanent vent or drain threaded nipple. If an operator must isolate and drain a large component, and the installed drain nipple is only 6″ long, it would be used to install a hose to allow draining to a building sump. The problem arises when it’s used by ops to jury rig a “work around” solution to either a design or maintenance problem. They are, after all, just trying to get the job done. Been awhile since I read that TMI thing, but seems they were dealing with a water issue in the instrument air line to condensate polisher valves. In a situation where something like a small condenser tube leak requires dumping polisher resin every few days, the “work around” hose solution remains hooked up (human nature). The real issue here is not at all an HF engineering breakdown for the Chicago coupling, is it?

  9. @Atomikrabbit
    July 29, 2013 at 9:53 PM. You said: “But I still can’t forgive them for not properly realigning the AFW system after maintenance, and not verifying it post-trip.”
    First, there is no one to forgive, this root cause was never determined. But it smells of human error, and “some one” indeed knows how it happened. It has also been undisputedly established it played no part in the plant transient parameters. But it added to the operator confusion. And don’t forget, it was in fact the operators who figured it out, and corrected. During my event 18 months earlier at Davis Besse, we had an AFP governor fail about 10 minutes in, dried one SG, certainly a distraction to my ability to focus my attention on the Reactor Coolant system behavior.
    What should really bother you, and all people concerned with nuclear power, is this type of thing still occurs, more frequently than you would care to admit. Read the NRC event reports every day. It is not at all a rare occurrence for both trains of a Safety System to be inoperable at the same time. It is usually a combination of human error and an earlier break down of the root cause of failure determination. But they all contain a common thread, bad decision making judgements on the whole organization involved. They are determined to be “insignificant”, because nothing happened that required the Safety Systems to be needed while they were inoperable. Which to me means you’re running on luck. But that discussion is certainly beyond the scope of this thread.

  10. Sean McKinnon July 30, 2013 at 12:45 PM.
    Several of these discussions are severely off this thread subject, but…
    You said: “I believe at one point it states that the operators performed a procedure (putting the startup fw pump into service I think) in something like 4 minutes when it should have taken at least 12 minutes.”

    It was one operator, but a very special one. He was one of very few operators even capable of performing such a feat. And he was a NL operator on my shift during the Sept, 1977 event.

    You said: “Some might disagree here that it was not conservative but I think the SS deserves a lot of credit for holding off on managements instruction to begin feed and bleed cooling which would have caused (in my opinion) a much more serious outcome.”

    I’ve never read the B&W training manual you’ve referenced, and don’t care to. But very recent conversations about this event with the then Ops Manager, who was on the phone with the SS during the event, don’t support your statement. The Ops Manager only reminded the SS of the B & F cooling initiation set points. This is appropriate; he’s not in the control room, and certainly not in a position to issue “managements instruction” to licensed operators actually up to their butts in the event. I believe him, he was also a NL operator on my shift during the Sept, 1977 event.

    Since I am the guy who actually wrote the Total Loss of All FW EOP, while being fully cognizant of all the Technical Bases for the event EOP, and the available control room instrumentation, including instrument error for the trigger point indicators, add me to the “some might disagree” side. I’d suggest you defer to my judgment, and end the discussion about it.

    You said: “In my reading on TMI 2 I have seen the consensus that had the OE been shared it would have been a minor problem…”

    This one is easy, since there was no such thing as an OE report pre-TMI, that consensus can’t possibly be correct. But I do get what you meant. What we did submit to the NRC was the required LER. And as previously stated it made it to the ACRS twice before TMI. There were many “investigations” by B&W, NRC, and Toledo Edison, consultants, etc, so there is much indication that it was known to be a stinky event pre-TMI. So the ball got dropped.
    As far as what you actually meant to ask, that answer is easy. The actual PWR plant response (by any flavor of PWR, including navy nuke plants) to a leak in the pressurizer steam space is so easy to understand (in hind sight) that anyone so trained can understand it. The simple fact is the industry as a whole never considered it (that’s a fact), thus all of the operator training and the “single event EOPs” could not handle it when it occurred, because they were wrong for this event. I personally think this was a result of a culture of “blind faith” thinking in the safety of nukes, such that nobody thinks “outside the box”. So the Davis Besse event was not recognized as something that actually challenged the basic understanding and analysis of SBLOCA handling for PWRs.

    My actions during the Sept, 1977 event at Davis Besse are “loosely” summarized here:
    http://books.google.com/books?id=n4XZlY6Zd-MC&pg=PA23&lpg=PA23&dq=mike+derivan+%2B+three+mile+island&source=bl&ots=HAaja-Dx7p&sig=rZQm4zrgZ10Eja3mkzF8g3o_x9w&hl=en&ei=vY2kTaaqDoqosQOG4-X5DA&sa=X&oi=book_result&ct=result&resnum=1&sqi=2&ved=0CBgQ6AEwAA#v=onepage&q&f=false

    With the added caveat that Michael Gray and Ira Rosen had nothing to go by other than my public document Rogovin Commission deposition. And they were just writing a book after all, so there is a certain amount of poetic license employed (wink, wink). My involvement with Ira, during multiple phone calls (at work), per my company instructions, was “to keep him engaged, take notes and report, but don’t volunteer any info.”

    You said: ” MJD… What led you to the realization that the PORV was open in your case? We’re(?, sic) you able to recognize the high PZR level and dropping pressure as a steam space leak or was it more of a procedural type “catch”?

    I’ll assume your “procedure catch” reference is meant as a joke… exactly what procedure? When the RCS pressure bottomed out at ~850 PSI, and I was aware we had done nothing to stop it from falling farther, I became absolutely convinced something was happening that we hadn’t been told about, and I had to figure it out in my head. There was a P/T curve on the RO desk that showed saturation conditions, picked it up and looked. At that time I actually announced out loud in the control room “we are saturated, that’s why the pressurizer is full, we are boiling in the loops pushing water into the pressurizer.” By that time two additional (college degreed) SROs were also in the control room. And nobody says “we have a leak, better restart HPI.” Can you possibly even understand the power of bad simulator training and inadequate EOPs on procedurally disciplined people? Our water level indicator said FULL. Period. And we had been strongly trained to never let that happen. So I’m going to add more water? The reason I figured it out, quite simply, was because I was being paid to, so I kept just looking for what I was missing until I did, winging it. TMI hung in there with their procedures and training (normal human behavior) until they melted the core. mjd.

    1. MJD… Thank you very much for answering my questions. I apologize if I annoyed anyone with my OT questions but It is rare to run across an SRO in a forum like this. I will end it here before I wear out my welcome but I just wanted to clarify a couple points;

      1. I meant procedural catch as in if a certain procedure called upon block valve y to be closed if condition x was met and that by closing said valve and seeing pressure recover was a clue. From your comments I realize that at that time no procedure was developed for such an event and that you and your crew were able to use exceptional deductive reasoning skills and intimate familiarity with your plant to develop the correct answer

      2. The B&W manual I mentioned states “The operations superintendent told the shift supervisor in a telephone discussion that if an auxiliary feed water pump was not supplying cooling to one steam generator in one minute to prepare to initiate MU/HPI cooling” I think after reading your comments that that might have been an over simplification in the narrative and is obviously not exactly what occurred.

      Again, thank you very much for your insight and thank you to Rod and everyone else for allowing my off topic questions.

      1. @Sean McKinnon July 31, 2013 at 1:16 PM
        Sean, your questions aren’t that bad, and indicate a sincere interest in trying to understand a complex problem. Also you have done some homework. I can appreciate how, almost 35 years after the fact, interested folks can still have a hard time trying to understand just what, how, and why TMI happened. Further, in light of other nuke events (Chern. And Fuku.) it is easy to see how some people can really begin to think “just who can I believe?” Since your earlier posts indicate you are not a nuke, not a “pro” or “anti” that tells me you are probably a “swing voter” on nuke power. Exactly the folks who need the best info possible to make their own decision about nuke power, compared to the alternatives. I can offer my “opinion” on the alternatives, the playing field is not level; I’ll stop there.

        Your discussion #2 is correctly characterized now.

        Your discussion #1 is a fair question, but complicated actually, I’ll try, but keep in mind this was 1977 and pre-TMI with the old style single event EOPs. If I answer your question about “did you have a procedure for PORV sticks open, and I say yes, you’ll follow with why the hell didn’t you use it? I’ll answer that, or at least give you enough info to decide for yourself. sorry, after ops I was in training, yer gonna get trained.

        There is actually an historical basis for the way these single event procedures came about. Back in the day, a Safety Analysis was done for the plant as part of the licensing effort to get NRC approval for the plant. These analyses were computer code runs, of computer “ math models” of plant systems. The results of those runs were evaluated against predetermined quantitative acceptance criteria, They also included a discussion of what safety systems, and how they’d operate, that would be used to cope with the particular “postulated” design basis event. So pretty much every Safety Analysis transient had its own EOP, based solely on that computer run, and then add anything not analyzed for the Safety Analysis that also needs an EOP. So in historical reality, there just probably wasn’t a lot of thought given to the development of really useable EOPs that matched the “Murphy’s Law” of actual plant events, when the crap hit the fan, it really hit the fan, and you were always in more than one single event EOP at the same time. But back at that time, the operator was just considered an observer in the sequence of events predicted in the math modeled computer run.

        Simplest example is when the turbine trips, the reactor usually trips too, but they each had their own EOP, so the operator would be in two EOPs on that simple example. Extend one further; if the turbine initially tripped because of low condenser vacuum you can add another EOP, Loss of vacuum. I think you get the idea; so just how many single event EOPs do you suppose TMI was in during their event? And none of them covered a (SBLOCA) leak in the pressurizer steam space.

        Summarizing, two TMI ROs were in Loss of Condensate, Loss of Main Feedwater, Turbine Trip, Reactor Trip, and shortly add Loss of Emergency Feedwater, the Safeguards System Actuation (HPI pumps on, loss of seal injection to running RCPs, containment isolations, etc). These are just off the top of my head. In actual practice what this means is that just two people are grabbing all those single event EOPs and performing immediate operator action steps for each EOP along with verifying all the automatic actions occurred, two people. In reality, how long do you think it takes them to run through the steps in all those EOPs (really, think about that)? Before they ever get to the point of being able to take a step back, and try to get what’s called the “big flick”, what’s really going on here, I need to set my priorities, which is usually what scares me the worst at the moment.

        The lessons learned from TMI pointed out how impossible that whole EOP situation was for operators. And it got changed. If you grasp that, we’ll move right along here.

        First, your specific question, no BS, yup… we had a “single event” EOP, PORV Fails Open. One immediate action step… close the block valve. In fact we’d train on it in a simulator. In classroom we’d read the EOP (all nod our heads, I get it), then go into the simulator, instructor fails the PORV open, we’d close the block valve. Simple. Yah, that’s joke simple, but even during “unannounced casualty” training if they failed the PORV it was the “initiating event”, easy to diagnose with no other event occurring. And if you were too slow and the reactor tripped on low pressure, you still knew the stuck PORV caused it, close the block valve. It’s what I call “through the front door” casualty control.

        Unfortunately, when you are in the control room it doesn’t work like that. Try to imagine you are there. It all comes at you through the back door. In TMI’s case the ROs first experience is the shear explosion of noise from the Main Steam relief valves lifting on the trip as they blow about 11 million pounds per hour of steam to the atmosphere, then they feel the actual control room floor shake as hot feed water pipes rupture in the turbine building due to water hammer, they are immediately deluged with dozens of annunciator alarms blinking and a constantly blaring, exceedingly annoying alarm horn, like someone screaming in your ear while you try to concentrate on a problem. And a lot of these alarms really make you nervous, even if they had arrived only in singularity during a simple event. Their SS arrives, followed shortly by the supervisor from the condensate polisher area, who announces the turbine building is filled with hot steam, we’ve had ruptures of hot feed water lines. So are any of your crew’s mates trapped out there, being cooked alive? Does that affect your priorities at that moment?

        They’ve started the actions of at least a half dozen single event EOPs. But things are not matching up with what they expect from their training; the EOPs don’t seem to be helping the situation. If they are using the LOCA (RCS leak) EOP it must be confusing, the damn thing seems to be “making water” not losing it; the pressurizer has gone full. (Note, the LOCA EOP was never designed to deal with a leak in the pressurized steam space, because it was never considered in the design stage, a fact, and the whole industry including the US navy blew it).

        Remember, these are very capable men who are very disciplined in procedure compliance, and also believing your indication, and they checked, the PORV position indicator which when they checked said it was closed. We all know the final outcome, and the conclusion of 99% of the people on the planet, operator error, they blew it. If you did what your training and procedures told you to do, did you make an error?

        But the simple fact of the matter is these men, real people, got crucified for an event that the nuke industry as a whole, wasn’t man enough to admit “no we blew it, they were the victims of our oversight.” I stood in their shoes, I have no reason to CYA, I have nothing to hide, you be the judge, who blew it?

        To answer your specific question: “I meant procedural catch as in if a certain procedure called upon block valve y to be closed if condition x was met and that by closing said valve and seeing pressure recover was a clue.”

        Even you know the answer to this if you read the references I gave. A “clue”, as in I was guessing a solution? So try something and see what happens? I’m the first to admit I was searching for a solution to this problem, entirely winging it, well aware I was missing something and needed to find it. I was highly trained in all aspects of nuke plant ops, as are all nuke operators, including thermodynamics, fluid flow theory, heat transfer, metal properties, reactor neutron physics, not to mention emergency plan procedures to save the butts of innocent civilians when I eff’d up, ad nausea, etc.. What I saw in my event was black suddenly equaled white, left equaled right, up was down… no mother nature doesn’t lie, it was me that was missing something, earn your wages mike, find it. No it was the solution, not a clue at all. The containment vessel pressurizing was the clue, only a LOCA causes that. Have a good day, bye, and don’t take this too hard, you are not the only audience that needs to hear this. Mjd.

        1. @mjd

          In TMI’s case the ROs first experience is the shear explosion of noise from the Main Steam relief valves lifting on the trip as they blow about 11 million pounds per hour of steam to the atmosphere, then they feel the actual control room floor shake as hot feed water pipes rupture in the turbine building due to water hammer, they are immediately deluged with dozens of annunciator alarms blinking and a constantly blaring, exceedingly annoying alarm horn, like someone screaming in your ear while you try to concentrate on a problem.

          What caused the increase in steam pressure? I thought the first thing that happened was that the feed water isolation valves shut due to water in the instrument air system. Wouldn’t less feed into the steam generator result in lower steam pressure, especially once the steam generators were emptied?

          1. Rod, it’s the nature of the beast for an OTSG (straight tuber) plus action of the control system (ICS), also a lot of thermal momentum. In W & CE SGs (bent tubers) i think, if I remember my navy, you run with a sliding scale temp control (and thus also P-sat for steam pressure slides down as power goes up). When you hit the stop button for steam flow (turbine trip) the large inventory of water in the SGs (even if loss of feed is the initiator) will establish an equilibrium P-sat for whatever T-ave is at that time.
            OTSGs run with a constant T-ave and constant turbine inlet pressure (and up to 30 degress of superheat), from the time they lift SG level up from “Low Level Limit”. Thus no load T-ave is ~532 degrees, SG level is ~30″, with steam header pressure controlled at ~885 G (which is also the full load header pressure, controlled by the turbine). This turbine bypass valve pressure control point is what sets the no-load T-ave at ~532F. As the plant power is ramped up, the SG level is controlled constant at that low level limit. Q(dot) = UAdeltaT(T-ave-T-steam), so A is held constant, T-ave has to start ramping up to transfer the heat against a constant sink temp. At ~25% power the ICS shifts FW control from level control to flow control, SG level starts to rise from there on up (A is increasing), thus T-ave (582F) and steam pressure are constant all the way to 100%.
            Now on any reactor trip and/or turbine trip, everything must reverse to maintain thermal equilibrium to get back to no load T-ave, determined by Steam Header pressure control set point (which is really the primary system heat sink temp), and the SG level shifts back to the low level limit control point. Back to our discussion start conditions, that would be T-ave of ~532F and ~885 G
            But as usual, there is a fly in the ointment. A 1 degree change in T-ave causes a 2″ change in pressurizer level. One the way up, over a couple hours, the operator was constantly “letting down” a lot of RCS water to maintain pressurizer level constant as T-ave was ramped up 532F – 582F. Post trip everything will try to get back to no-load set points in ~2 minutes (we’ll ignore the decay heat curve for this moment).
            That means T-ave from ~582F to ~532F in a couple minutes, or in other words, a loss of ~100″ of pressurizer level in about 2 minutes (would look like a LOCA?). To counter that, the B&W ICS will up-bias the Main Steam header pressure control set point by ~125 PSI post reactor trip.
            OK, that was my part, dust off yer old USN thermo class “mohair diaphragm” and tell me why B&W plant steam line code safeties lift every trip from power.
            Consider this your annual requal exam from mjd. (and I haven’t had to do one in over 20 years)

            1. @mjd

              Thank you.

              I’m revealing my ignorance, but learning a lot.

              I had to read through the explanation a couple of times, but I think I get it. (You are a good trainer.)

              Here’s my answer: The code safeties are designed open so that the boiling off of water in the steam generator can be the heat sink that is needed to reduce Tave from 582 F to 532 F.

              From the point of view of someone that has performed steam generator relief valve testing, I am not sure I like the idea of an engineering design feature that results in such a noisy and distracting event occuring on every trip. Plant trips are already a somewhat tense and confusing time; popping relief valves just adds to the challenge of properly responding. Did the 1970s vintage simulators include appropriate sound effects?

        2. That was absolutely excellent. Thank you for your insight and analysis. I am actually pro nuke power and would have probably tried to become an RO if I had realized it was something I wanted to do 15 years ago.

        3. One thing @mjd may not be aware of is that although TMI-II is essentially identical to TMI-I, Ranch Seco and Davis Besse, the NRC forced MetEd to decrease the operating margin. I forget the logic to their argument but it was their belief that they (B&W) did not properly account for “instrument accuracy” (The NRC did not make the others change their set points even though Rancho Seco had the exact same power and used the setpoints TMI-ii should have.) It was obvious that the original set points were correct, but an engineering analysis (after fuel was loaded) would take over a year, cost several hundred $K in engineering alone and a one year (+) delay. So, they did what the NRC said. This raised the low pressure S/Ps by ~100 pounds (from 1500 to 1600 (?)) and lowered the high pressure trip S/Ps by 100 pounds. This basically caused the HPSI to initiate on EVERY reactor trip above about 50%. The Turbine trip, without Rx Trip, did not usually cause this. Since the HPSI pumps were initiated by the Engineered Safety Features System, the valves were open for Boron injection, and thus the RCS was filled with boron. The first time this happened it took two-three weeks to get the RCS back in chemistry “Specs.” The operators quickly developed a habit of shutting off the makeup pumps (HPSI) if they thought they “knew” the cause of the trip and that they would be recovering from it. Something they did quite frequently during the power ascension testing. – Another unintended consequence of the NRC trying to make things safer. This was NEVER to my knowledge considered or evaluated or even thought about in being a contributor to the difference in the TMI accident and the Davis Besse accident. I believe the Rogovn and Kemeny commission blew it. I tried to get it factored into the accident models GPU was making, but how do you model unknown/unanticipated operator actions? (TMI also had to get “Medicinal” grade boron (eye wash grade) so that the occasional pumping of several hundred gallons of boron into the RCS did not cause chemistry headaches. There was some really bad stuff in the commercial grade boron.)

          Quite a bit of the perceived “increased” level in the OTSG is actually “steam.” The FW is sprayed around the top of the tubes and flashes into steam well before it can actually raise the physical level. The SG level instrument is measuring the 30-60 inchers of colder (heavier) water near the bottom, the 20 feet of saturated steam and water in large droplets not yet converted into steam in the area below the FW nozzles. Like a fan lifting up balls. Then the weight of the dryer, superheated steam, in the 15 feet or so above the nozzles is also adding to the indicated level (up to the upper tap on the level instrument.) Loop SG do not have as much of this effect as they rarely, physically, uncover the tubes. If you look at the accident recordings of TMI SG, you will see that the level indicated that it was never below 15 inches. Well 15 inches is the weight of the steam that would have been in the SG (Measured in inches of water) at that time. (It has been 40+ years since I calculated or even thought of these numbers/values, so they may be slightly different.)
          Another problem in the accident causing confusion for the operators was the flashing of the water into steam in the “condensate” pot and even a large portion of the instrument level tube for the upper tap of the Pressurizer level instrument. When the pressure in the Pressurizer is below the saturation point the water in the condensate pot is above the saturation point, and it boils. Without this water, the level instrument was giving false readings. TMI-II was built at the time of the transition away from Asbestos insulation. TMI-II had lots of “reflective” insulation (and less asbestoses – it is bad for you, you know) and we had lots of problems on TMI-II with condensate pots flashing that we did not have at TMI-I. Again, not considered in the various studies or TMI action plans written by the NRC. More regulations that cause more unintended consequences.

          1. @Rich Lentz August 2, 2013 at 9:42 PM
            As an ex-operator I can add that Rich makes an extremely valuable point. And it really was not considered in ’70s (or early ’80s) vintage plant normal ops or event analysis. That is operator “conditioning” to accepting something abnormal as normal. It is normal human behavior to to develop work arounds to these problems. The smarter the people involved the more clever they become in doing so. The bottom line is that process is really one that is constantly accepting more risk. Has anyone ever become accustomed to putting buckets under roof leaks, for years? You are guilty.
            The shuttle Challenger investigation coined the term “normalization of deviance” for this (organizational) behavior. In the case of the TMI 2 operators, if they got conditioned to accepting the actuation of the system designed to cope with a LOCA, for fairly routine non-LOCA events, the “system” has really set them up for failure. Think the “cry wolf” story.
            At Davis Besse the parallel to the TMI 2 trip change story is the add-on of the Steam and Feed Rupture Control System just before the licensing of the first operating crew. And it was initially a piece of crap. A major “bad conditioner” for the operators. If Toledo Edison wanted to license the plant, they had to do it, as the High Energy Line Break “concerns” had become law. And hey, if you are breaking high energy lines, you are probably going to cause some “Environmental Qualification” (EQ) problems, so fix that stuff too while you are at it. And don’t forget you might need some “whip restraints” on those broken pipes too (that we have dreamed up a break scenario for). And do it all for free ($), get it done over night, or you have cost and schedule “Management Control” problems that concern your state Utility Commission”.
            I smell a rat here, lets do some “common cause” thinking and see if we can figure this one out!
            But my real point in this rant, is that it is a real slippery slope between actually having a true Corporate Safety Culture and falling into the Normalization of Deviance trap. If your organization is making any decisions at all that accept more risk (even temporary, until the next outage), based on concern for your INPO rating, you are already “on the slope”. You better be prepared to “man up” and take responsibility yourself if needed, your operators are not your scapegoat.

          2. More regulations that cause more unintended consequences.

            The TMI Unit 2 meltdown appears to have been CREATED by the “safety” agency charged with preventing meltdowns.

  11. Other coincidences:

    Date/Time of initial criticality of TMI-II – March 28, 1978 @ 04:00:00
    Date/time of accident (on plant computer) March 28, 1979 @ 04:00:00.037 (Note: the plant computer has a 3 millisecond cycle time to scan all points)

    The main story in the Paxton Herald paper (A free paper that was mostly adds and a classified listing that you picked up to find/sell stuff but VERY anti-nuclear) that week and released before the accident, was about the major accident that was going to happen at TMI in the very near future.

  12. @Rod Adams August 2, 2013 at 6:55 PM
    well if you don’t like it, you may get a chance to speak your mind. B&W likes OTSGs, you get superheated steam out of them. cartoons i’ve seen of mPower sorta maybe look like OTSG concept. it depends on volume they’ll use for pressurizer water/steam space, and the T-ave control scheme they use, but if they clone the 177FA concept T-ave ramp… it’s possible safeties will lift on a trip. pretty much have to… in that scheme [P-sat for 100% T-ave] is just way above the normal steam header op pressure. on turbine trip, if you don’t have 100% steam bypass capability, the SG steam pressure will/must go to P-sat for T-ave, lift safeties every time. T-ave just can’t instantly drop back to no-load value on trip, large mass of coolant & metal at that temp, plus decay heat curve is still big, even a minute post trip. nature of the beast.

  13. I have a lot of trouble thinking that TMI was not an accident and was intentional, but the timing with The China Syndrome is rather spooky, certainly, although again, I feel just happenstance. We also need to consider the art of film-making here: when the script for China Syndrome was prepared, as anyone who works in nuclear knows, there are certain incidents that would provide a good basis for the accident portrayed better than others. The criteria for the fictional incident would include:

    1) It’s dramatic. You need something long enough and complex enough for men to race around the control room and for it to grab Fonda’s character’s attention.

    2) Something needs to seem different than it really is: the stuck guage provided that aspects. Something needed to “trick” Lemmon’s character long enough for him to be confused over what was happening before he could really resolve it.

    3) The primary action needed to be isolated to the control room and couldn’t involve an outside force. Also, no extensive damage could transpire as the NRC would investigate and the plant would return to operation shortly, leaving Lemmon to later discern the faulty pumps due to the contractor cutting corners with the radiographs.

    4) The visual aspects of a film of the event without audio or explanation would have to be enough to demonstrate to experts the general nature of what happened.

    So the options to provide a dramatic, scary, yet not totally-explained mishap for the film were somewhat narrow as long as the incident was to be kept realistic. As for the comment the nuclear engineer makes in the film that an area the size of Pennsylvannia could be badly affected, consider this: PA is a decent-sized state but smaller than the Western states. New York would not be a good state to mention lest it be confused with NYC and not the entire state. I guess North Carolina or Georgia could have been used, but PA makes a strong case for a large area to be affected and it’s a state everyone in the Mid-Atlantic/New England would know in general geography. So I feel that was fully happenstance.

  14. thanks for the opportunity to look in on a developing situation at first hand

    I must concur not operator error its management failure If you follow the rules laid down its who makes the rules who is responsible

    the fact that the operators weren’t blessed with second sight is just one of those things

    thanks again for a wonderful discussion

    keith

Comments are closed.

Recent Comments from our Readers

  1. Avatar
  2. Avatar
  3. Avatar
  4. Avatar
  5. Avatar

Similar Posts