The Fire at the Brown's Ferry Nuclear Power Station
Posted on 01/17/2014 10:38:17 PM PST by logi_cal869
At noon on March 22, 1975, both Units 1 and 2 at the Brown's Ferry plant in Alabama were operating at full power, delivering 2200 megawatts of electricity to the Tennessee Valley Authority.
Just below the plant's control room, two electricians were trying to seal air leaks in the cable spreading room, where the electrical cables that control the two reactors are separated and routed through different tunnels to the reactor buildings. They were using strips of spongy foam rubber to seal the leaks. They were also using candles to determine whether or not the leaks had been successfully plugged -- by observing how the flame was affected by escaping air.
The electrical engineer put the candle too close to the foam rubber, and it burst into flame.
The resulting fire, which disabled a large number of engineered safety systems at the plant, including the entire emergency core cooling system (ECCS) on Unit 1, and almost resulted in a boiloff/meltdown accident, demonstrates the vulnerability of nuclear plants to "single failure" events and human fallibility.
The fire was started by an electrical inspector (referred to in the NRC report as "C"), working with an electrician, "D", who said,
"Because the wall is about 30 inches thick and the opening deep, I could not reach in far enough, so C [the inspector] asked me for the foam and he stuffed it into the hole. The foam is in sheet form, it is a 'plastic' about 2 inches thick, that we use as a backing material."
The inspector, "C", describes what happened next:
"We found a 2 x 4 inch opening in a penetration window in a tray with three or four cables going through it. The candle flame was pulled out horizontal showing a strong draft. D [the electrician] tore off two pieces of foam sheet for packing into the hole. I rechecked the hole with the candle. The draft sucked the flame into the hole and ignited the foam which started to smoulder and glow. D handed me his flashlight with which I tried to knock out the fire. This did not work and then I tried to smother the fire with rags stuffed in the hole. This also did not work and we removed the rags. Someone passed me a CO2 extinguisher with a horn which blew right through the hole without putting out the fire, which had gotten back into the wall. I then used a dry chemical extinguisher, and then another, neither of which put out the fire."
In its report on the cause of the fire, the TVA stated:
"The material ignited by the candle flame was resilient polyurethane foam. Once the foam was ignited, the flame spread very rapidly. After the first application of the CO2, the fire had spread through to the reactor building side of the penetration. Once ignited, the resilient polyurethane foam splattered as it burned. After the second extinguisher was applied, there was a roaring sound from the fire and a blowtorch effect due to the airflow through the penetration.
"The airflow through the penetration pulled the material from discharging fire extinguishers through the penetration into the reactor building. Dry chemicals would extinguish the flames, but the flame would start back up."
Approximately 15 minutes passed between the time the fire started (12:20 pm) and the time at which a fire alarm was turned in. It was not until one of the electricians told a plant guard inside the turbine building that a fire had broken out that an alarm was sounded. However, confusion over the correct telephone number for the fire alarm delayed its being sounded.
As the NRC report on the incident noted,
"The Browns Ferry Nuclear Plant Emergency Procedure lists two different telephone numbers to be used in reporting a fire, one in a table of emergency numbers and the second in a test of the procedure. The appropriate number (299) is the one in the test; dialing this number automatically sounds the fire alarm and rings the Unit 1 operator's telephone.
"The Emergency Procedure was not followed by those involved when reporting the fire. The construction workers first attempted to extinguish the fire, whereas the procedure specifies that the fire alarm be sounded first. The guard reporting the fire telephoned the shift engineer's office rather than calling either of the numbers listed in the procedure."
Only when the shift engineer then called the control room on the 299 number to get the reactor operator was the plant fire alarm actually sounded. It was fortunate that the shift engineer was in an office with a PAX phone (the plant's internal telephone system) which allowed him to call the 299 number. Had he been at a construction department extension, he could not have placed the call, as the TVA's investigative report later revealed:
"BFNP Standard Practice BFS3, 'Fire Protection and Prevention', instructs DPP (Department of Power Production) personnel discovering a fire, whether in a construction area or an area for which DPP is responsible, to report the fire to the Construction Fire Department, telephone 235.
[However,] 'BFNP Fire, Explosion and Natural Disaster Plan' instructs personnel discovering a fire to call 299 (PAX).
The construction extension cannot be dialed from the PAX system, and the plant extension cannot be dialed from the Construction phone system."
Despite the fire alarm, the reactor operators in the plant control room did not shut down the two reactors, but continued to let them run. At 12:40, five minutes after the fire alarm sounded, the Unit 1 reactor operator noticed that all of the pumps in the emergency core cooling system (ECCS) had started. In addition, according to the official TVA report,
"Control board indicating lights were randomly glowing brightly, dimming, and going out; numerous alarms occurring; and smoke coming from beneath panel 9-3, which is the control panel for the emergency core cooling system (ECCS). The operator shut down equipment that he determined was not needed, only to have them restart again."
The flashing lights, alarms, smoke and continual restarting of the ECCS pumps went on for a full ten minutes before the reactor operators began to wonder whether it might be prudent to shut down the reactors.
After the power level on the Unit 1 reactor began to drop inexplicably, the operator started to reduce the flow of the reactor's operating pumps; when the pumps suddenly quit at 12:51, he finally shut the reactor down by inserting the control rods.
Beginning at 12:55, the electrical supply was lost both to control and power the emergency core cooling system and other reactor shutdown equipment on Unit 1. The normal feedwater system was lost; the reactor core spray system was lost; the low-pressure ECCS was lost; the reactor core isolation cooling system was lost; and most of the instrumentation which tells the control room what is going on in the reactor was lost. According to the Unit 1 operator,
"I checked and found that the only water supply to the reactor at this time was the control rod drive pump, so I increased its output to maximum."
Meanwhile, a few feet away on the Unit 2 side of the control room, warning lights had also been going off for some time. A shift engineer stated,
"Panel lights were changing color, going on and off. I noticed the annunciators on all four diesel generator control circuits showed ground alarms. I notified the shift engineer of this condition and said I didn't think they would start."
According to the official TVA report,
"At 1:00 pm the Unit 2 operator observed decreasing reactor power, many scram alarms, and the loss of some indicating lights. The operator put the reactor in shutdown mode."
Some of the shutdown equipment began failing on Unit 2, and the high-pressure ECCS was lost at 1:45 pm. Control over the reactor relief valves was lost at 1:20 pm and not restored until 2:15 pm, at which time the reactor was depressurized by using the relief valves and brought under control.
On the Unit 1 side of the control room things were not going so well. According to the Unit 1 operator,
"At about 1:15 I lost my nuclear instrumentation. I only had control of four relief valves....
"At about 1:30, I knew that the reactor water level could not be maintained, and I was concerned about uncovering the core."
Had the core become uncovered, a meltdown of the reactor fuel would have begun because of the radioactive decay heat in the fuel.
In order to prevent the reactor water from boiling off, it was necessary to get more water into the core than the single high-pressure control rod drive pump could provide. It was decided that by opening the reactor relief valves, the reactor would be depressurized from 1020 to below 350 pounds per square inch, where a low-pressure pump would be capable of forcing water in to keep the core covered. None of the normal or emergency low-pressure pumps were working, however, so a makeshift arrangement was made, using a condensate booster pump. This was able to provide a temporarily adequate supply of water to the reactor, although the level dropped from its normal 200 inches above the core down to only 48 inches. Using the makeshift system, the Unit 1 reactor was under control for the time being.
Unit 2 was also under control, but by a rather thin margin. The "A" and "C" subsystems of the low-pressure ECCS and the core spray system had been lost early in the incident, and the "B" system failed intermittently between 1:35 pm and 4:35 pm. With only one subsystem of the low-pressure ECCS available, the Unit 2 operator resorted to using the condensate booster pump arrangement similar to the one that had been rigged up for Unit 1.
Many instrumentation and warning lights in the control room were inoperative. The reactor protection system and nuclear instrumentation on both reactors had been lost shortly after they were shut down. Most of the reactor waste level indicators were not working. The control and position indicator system was not operative. The process computer on Unit 1 was lost at 1:21 pm. (The computer on Unit 2 was inoperative because it was down for reprogramming.)
Other systems were failing; at 2:43 one of the plant's four diesel generators failed, leaving the plant with a bare minimum of emergency on-site power supply.
To add to the confusion, the PAX telephone system failed at 1:57 pm, making outgoing calls from the control room impossible for several hours. This represented a considerable hardship, because the control room had lost control over most of the plant's valves, and the plant telephone system was being used to instruct equipment operators to manually adjust certain key valves in the condensate booster system pumping water into the reactor core.
Moreover, the Unit 1 operator did not know the level or the temperature of the water in the torus (the reactor containment suppression chamber) because the monitors were not working. Yet, as a General Electric supervisor's log showed,
"With the relief valves in operation, the need for torus cooling became vital. The RHR [Residual Heat Removal] system was unavailable for torus cooling."
Unless the RHR system could be put in operation, there was the danger that the water in the torus would begin to boil, and this would eventually overpressurize the containment and rupture it.
As the NRC report remarks in its restrained way,
"After condensate flow to the reactor was established, the major concern was to establish torus cooling and shutdown cooling using the RHR as quickly as possible.
"Operator M stated that he made a list of RHR valves needed to obtain torus cooling. He further stated that at approximately 3:15 pm all torus temperature and level instrumentation was inoperable....
"From about 2:00 pm until the fire was extinguished several attempts were made to enter the reactor building and manually align the RHR for torus cooling and shut down cooling modes....
"None of these attempts resulted in establishing torus or reactor shutdown cooling. The attempts were severely limited by dense smoke and inadequate breathing apparatus."
The fire fighting effort was not going well. Soon after the electricians had fled the cable spreader room, a shift engineer had tried to turn on the built-in Cardox system in order to flood the room with carbon dioxide (CO2) and put out the fire. He discovered that the electricians had purposely disabled the electrical system that initiated the Cardox.
"I tried to use the manual crank system and discovered that it had a metal construction plate on, under the glass, and I tried to remove it. This was difficult, without a screwdriver.... The next day, I checked other manual cardox initiators and found that almost all of them had these construction plates attached."
He finally got the power on, but the Cardox system ended up driving smoke up into the control room above the cable spreader room. One person present described the scene in the control room as follows:
"The control room was filling with thick smoke and fumes. The shift engineer and others were choking and coughing on the smoke. It was obvious the control room would have to be evacuated in a very short time unless ventilation was provided."
After the carbon dioxide system was turned off, the smoke stopped pouring into the control room. It had not put out the fire in the spreading room, however. A safety officer fighting the fire pointed out,
"The CO2 in the spreader room may have slowed down the fire but it did not put it out. We opened the doors for air, as the smoke in the whole area had become dense and sickening. Another employee and I each donned a breathing apparatus and went into the spreader room. We used hand lamps for illumination, but they penetrated the smoke only a few inches. The neoprene covers on the cables were burning, giving off dense black smoke and sickening fumes.... It was impossible to not swallow some smoke. I got sick several times."
Because of the close quarters in the spreader room, fighting the fire was difficult: one safety officer said,
"I went into the spreader room wearing a Scott air pack and mask and carrying a fire extinguisher. I had to crawl under the cable trays. The air pack cylinder was too cumbersome to wear on my back so I took it off and slid it and the fire extinguisher under the trays about 30 feet to the fire."
Inoperative equipment also hampered the fire-fighting effort. For example, one assistant shift engineer said,
"I returned to the spreader room to direct the fire-fighting effort. A wheeled dry chemical extinguisher had been brought to the spreader room, but its nozzle was broken off at the bottle and I told some of the men to get it out of there and find another unit."
The official Nuclear Regulatory Commission report noted other deficiencies:
"Breathing apparatus was in short supply and not all of the Scott air packs were serviceable. Some did not have face masks and others were not fully charged at the time of the start of the fire. The breathing apparatus was recharged from precharged bulk cylinders by pressure equalization. As the pressure in the bulk cylinders decreased, the resulting pressure decrease in the Scott packs limited the length of time that the personnel could remain at the scene of the fire."
One of the assistant unit operators who was sent into the reactor building to manually open the RHR cooling valves reported,
"We made three tries but could not get to the valves. Our breathing equipment could only supply 18 minutes of air per tank, which was not sufficient to enable us to get to the valves and back out of the area. The air tanks were being recharged, but the pressure in the main tanks was not strong enough to fill the tanks to their normal air supply. After the third attempt we went back to the control room and told the assistant shift engineer of the problem and that we needed different equipment or fully charged tanks to succeed."
The electrical cables continued to burn for another six hours, because the fire fighting was carried out by plant employees, despite the fact that professional firemen from the Athens, Alabama, fire department had been on the scene since about 1:30 pm. As the Athens fire chief pointed out,
"I was aware that my effort was in support of, and under the direction of, Browns Ferry plant personnel, but I did recommend, after I saw the fire in the cable spreading room, to put water on it. The Plant Superintendent was not receptive to my ideas.
"I informed him that this was not an electrical fire and that water could and should be used because CO2 and dry chemical were not proper for this type of fire. The problem was to cool the hot wires to prevent recurring combustion. CO2 and dry chemical were not capable of providing the required cooling. Throughout the afternoon, I continued to recommend the use of water to the Plant Superintendent. He consulted with people over the phone, but apparently was told to continue to use CO2 and dry chemical. Around 6:00 pm, I again suggested the use of water . . . . The Plant Superintendent finally agreed and his men put out the fire in about 20 minutes . . . .
"They were using type B and C extinguishers on a type A fire; the use of water would have immediately put the fire out."
Even when the decision to put the fire out with water had been taken, further difficulties developed. The fire hose had not been completely removed from the hose rack, so that full water pressure did not reach the nozzle. The fire-fighters did not know this, however, and decided that the nozzle was defective. They borrowed a nozzle from the Athens fire department,
"but it had incorrect type threads and would not stay on the hose."
Once the fire was put out, it was possible for plant employees to go into the reactor building and manually open valves to get the RHR system operating.
On Unit 1, however, a new emergency developed. About 6:00 pm, control of the last four relief valves was lost, and the reactor pressure increased to above 350 pounds per square inch, making it impossible for the makeshift condensate booster pump system to inject water into the reactor. As in the early stage of the accident, the only source of water for the Unit 1 reactor was now the control rod drive pump, and this probably would not prevent a boiloff accident that would turn into a core meltdown in just a few hours.
The spare control rod drive pump was inoperative, and although it was later determined that a series of valves could have been turned to allow the Unit 2 control rod drive pump to supply water for the Unit 1 reactor, the reactor operators did not know this at the time.
With the reactor pressure mounting higher and higher, the relief valves were finally brought back into operation at 9:50 pm, and about 10:20 pm the reactor was depressurized to the point that the condensate booster pump could again get water into the reactor.
Normal shutdown was established on the Unit 1 reactor at 4:00 am the next morning, and the nightmare at Browns Ferry was over.
Had the reactor boiloff continued to the point where a core meltdown took place, however, it is doubtful that the endangered surrounding population could have been evacuated in time; evacuation of the county's residents was the responsibility of the Civil Defense Coordinator for Limestone County, but, as he admitted to NRC inspectors,
"I heard about the fire at Browns Ferry on the morning of Monday, March 24, 1975 (two days later). No one in the Civil Defense System notified me or attempted to do so ... I feel that our county should have been notified since the plant is located in our county."
The sheriff of Limestone County said:
"I heard about the fire at the Browns Ferry plant after it was over ... I have not had any updating of procedures proposed to me since the initial plan was outlined in 1972. I do not have a copy of the emergency plan."
The Sheriff of neighboring Morgan County did hear about the fire four hours after it started, but said,
"I was asked to keep quiet about the incident to avoid any panic."
The NRC noted in its investigative report that,
"No official notification was made to the State of Alabama Highway Patrol by the State of Alabama Department of Public Health or by TVA...
"An attempt was made to notify the Lawrence County Sheriff at 4:08 pm, but no answer was received. Only one attempt was made to locate the sheriff."
In fact, this try-once-and-fail procedure was more or less the norm. The NRC investigation noted,
"The State of Alabama Emergency Plan for the Browns Ferry Nuclear Plant was implemented at 3:30 pm to the extent that notifications were made to designated state personnel and principal support agencies.... Only one attempt was made to contact principal support agencies that were located in counties surrounding the site regardless of whether the agency was contacted or not. The notification process was discontinued at 4:40 pm.
"The (NRC) investigators commented to the Director of Radiological Health that, due to the uncertainty relating to the status of the reactors from 12:30 pm to 7:45 pm, the implementation of the state plan indicated that a 'standby' classification was necessary that would have required continuous notifications and recommendations to be made to support agencies until the reactor was verified to be in a safe condition.
"Additionally, some agency officials related that they did not have a copy of the state plan or the plan that they had needed updating. Other officials indicated that they had received very little information concerning their defined responsibilities relating to an emergency at the plant....
"The State of Alabama and BFNP personnel have participated in emergency drills to test the effectiveness of their emergency plans for the past several years. Participation in the drills by the state has involved the verification of notification procedures and the time required to travel to the site to perform environmental sampling."
The fire knocked out the radiation monitors on the Unit 1 reactor building vent almost immediately, and the Unit 2 vent monitor was inoperable from about 2:00 pm until 9:00 pm. Both the NRC and TVA state unequivocally that no significant radiation release occurred, but there were continuing difficulties in obtaining air samples both at the plant site and in the surrounding area. For example,
"At 5:05 pm, the Director, Environs Emergency Centre, directed that additional environmental air samples be obtained .... At this time individuals in the Site Emergency Centre observed smoke emanating from the reactor building and the decision was made to evacuate the meteorological tower."
Radiation sampling of air was started at 4:45 pm at Athens, 10 miles northeast of the plant; at Hillsboro, 10 miles southwest; in Rogersville, 35 miles northwest, but not at Decatur, 20 miles southeast and directly downwind of the plant.
"The sample at Decatur, Alabama, was thought to be inoperable possibly due to the wind direction control system, but the Laboratory Director was asked to investigate the problem. The Laboratory Director reported 7:60 pm that no air sample was available at Decatur. This station would have been the major air station of importance because Decatur, Alabama is located in the southeast direction from the site and the wind direction at the time of the fire was from the northwest section. Arrangements were made with the State of Alabama Air Pollution Control Commission for using one of their samplers at the Decatur station. Air sampling was initiated at this station at approximately 9 pm, CDT, on March 22, 1975."
Other equipment failures also continued to plague the plant. Shortly after nightfall, the aircraft warning lights on the plant's radioactive gas release stack went out. Since the stack is 600 feet tall, loss of the lights could have resulted in an aircraft colliding with the stack. The NRC report describes what was done next.
"At 8:37 pm a member of the environment staff made an attempt to telephone the gatehouse by using a public telephone to inform the security guards that the warning lights on the plant stack were not operating. Since the gatehouse could not be reached, the environmental representative telephoned the EEC (Environs Emergency Centre) and explained the condition. The Director, EEC, directed the information to the plant because of the need to contact FAA authorities immediately."
It is unclear why no one thought to phone the FAA directly instead of giving the information to the plant, which had more than enough problems on its hands at the time.
Other gremlins that cropped up included the plant's electric sequence printer running out of tape at 4:30 pm the afternoon of the fire, so that information on the time and sequence of restoration of control circuits after that time was lost, since no one replaced the tape until 2:00 pm the following day.
At about 3:40 pm, the decision was made to begin tape-recording all telephone communications between the plant and the chief of TVA's nuclear generation branch. But, as the NRC report noted,
"A review of the tapes revealed mechanical problems with the tape recorders and only partial transcripts were obtained."
Some of what was recorded, however, is indicative of the thought processes of TVA and NRC personnel. One example is the following excerpt from a conversation at 7:47 pm between J.R. Calhoun, Chief of TVA's Nuclear Generation Branch, and H.J. Green at the Browns Ferry Plant:
"Green: I got a call that Sullivan, Little and some other NRC inspector are traveling tonight and will get here some time tonight and so all our problems will be over.
"Calhoun: (Laughs) They will square you away, I am sure.
"Green: We probably have a violation. We've kept very poor logs.
"Calhoun: (Laughs) No doubt!"
At about 9:00 pm, Calhoun phoned Frank Long, in the U.S. Nuclear Regulatory Commission's Region II office in Atlanta:
"Long: The doggone public news media types will probably drive you out of your mind. Okay, your people did put out a news press release?
"Calhoun: Yeh, we put one out about 4:30. Somewhere close to 4:30 .... Only thing we can say right now is that it could have been a hell of a lot worse.
"Long: Oh, yeh.
"Calhoun: Yeh, you know everything for those two units comes through that one room. It's common to both units, just like the control room is common to both units.
"Long: That sorta shoots your redundancy."
Emergency procedures inside the Browns Ferry plant were also deficient. Many employees did not know what the sound of the fire alarm meant, and few had been trained in emergency procedures, despite earlier fires at the plant.
Large numbers of plant employees went into the plant control room, adding to the chaotic situation there. Instead of the six persons normally there, one assistant shift engineer reported,
"The maximum number of people in the control room at only one time I guessed to be about 50 to 75."
Indicative of the tension felt in the control room is the later comment of the Unit 2 shift engineer that,
"The Plant Superintendent asked me if I had control of Unit 2 and if everything was O.K. almost continuously."
What is the significance of the Browns Ferry incident?
One question is: What the devil were the electricians doing using a candle to test for air leaks?
Personally, I thought it a nice Gothic touch that a candle should disable a shiny new 2.2 million kilowatt nuclear plant. Perhaps a bumper-sticker reading "1 CP = 2,200 MWe" (1 candlepower = 2,200 megawatts) would be appropriate.
Although it is perfectly possible to design an inexpensive anemometer to test for air leaks, or even use smoke from a cigarette, these methods were rejected two years ago by the Browns Ferry plant personnel in favor of using candles.
Some senior personnel at the plant thought that the urethane sheet foam used to seal the cable penetrations was fireproof. The leader of the electrical conduit division at the plant said:
"The practice of using RTV-102 and sheet foam to seal air leaks has been the practice for two or three years. We believed that the urethane would not sustain a fire. Urethane samples had been tested several years ago and it needed a flame for 20 minutes to sustain a fire."
They had only tested two of the polyurethane samples, however, using an American Society for Testing Materials (ASTM) test that the Marshall Space Flight Centre later found to be of marginal value. No test had been made of the foam polyurethane, and the NRC's consultants, from the Marshall Space Flight Centre, found that,
"A cursory match test on a piece of the foam rubber disclosed almost instantaneous ignition, very rapid burning, and release of molten flaming drippings."
Even though some people at the plant thought the ASTM tests showed the penetration sealant material to be non-flammable, senior management knew it was highly flammable. The plant instrument engineer told NRC inspectors that,
"During the test and startup period of Unit #1 (in 1973), I demonstrated the flammability of the sealing material to the Plant Superintendent. I burned the material in the Plant Superintendent's office. He immediately called someone with Construction and they discussed the situation .... I feel the Plant Superintendent did all that was immediately possible to investigate the situation as it appeared that construction was not going to change the material."
The Plant Superintendent admitted to the NRC inspectors,
"I was aware that polyurethane was flammable, but it never occurred to me that these penetrations were being tested using candles."
Many senior management personnel at the plant denied knowing of the practice of using candles to test cable penetrations.
The rest indicated that they knew candles were being used, but thought the sealant materials were not flammable.
The electricians seemed to be the only group who knew both that the foam rubber was flammable and that candles were being used as the testing method. As one electrician later recounted,
"The electrical engineer called the group (of electricians) together and warned us how hazardous this method was. 'Why just the other day,' the electrical engineer said (in effect), 'I caught some of that foam on fire and put it out with my bare hands, burning them in the process.'"
One of the electricians who started the fire said that candles had been used for more than two years but said,
"I thought that everybody knew that the material we were using to seal our leaks in penetrations would burn....I never did like it."
The real irony of the Browns Ferry fire was that two days before, a similar fire had started but had been put out successfully. After the fire on Thursday night, the shift engineers and three assistant shift engineers met. According to one of them,
"We discussed among the group the procedure of using lighted candles to check for air leaks. Our conclusion was that the procedure should be stopped."
Yet nothing was done. The fire was noted in the plant log, and briefly discussed the next day at the plant management meeting. No one on the management level seemed to consider it a safety problem worth following up. This was the standard operating procedure; as the NRC investigative report notes,
"Previous fires in the polyurethane foam materials had not always been reported to the appropriate levels of management, and, on the occasions when reported, no action was taken to prevent recurrence."
In the face of these practices, it was probably not a question of whether the Browns Ferry plant would have a major fire, but when.
What will the fire mean for other nuclear plants? That depends on whether the NRC carries out the recommendation made by the Factory Mutual Engineering Association of Norwood, Massachusetts, the fire underwriters the NRC engaged as consultants:
"Conclusions and Recommendations:
"The original plant design did not adequately evaluate the fire hazards of grouped electrical cables in trays, grouped cable trays and materials of construction (wall sealants) in accordance with recognized industrial 'highly protected risk' criteria....
"It is obvious that vital electrical circuitry controlling critical safe shutdown functions and control of more than one production unit were located in an area where normal and redundant controls were susceptible to a single localized accident .... A re-evaluation should be made of the arrangement of important electrical circuitry and control systems, to establish that safe shutdown controls in the normal and redundant systems are routed in separated and adequately protected areas."
Every nuclear plant in the country uses a cable spreader room below its control room. Despite requirements for separation and redundancy of reactor protection and control systems, every reactor has been permitted to go into operation with this sort of configuration which lends itself to a single failure's wiping out all redundant systems.
If every plant currently operating and under construction were required to re-wire so as to achieve true redundancy and eliminate cable trays bunched together, I have made calculations that indicate the cost will range between $7,680,000,000 and $12,343,000,000. It will be interesting to see whether the new commissioners of the Nuclear Regulatory Commission will require such changes.
Except for one news release, written March 27, 1975, NRC headquarters in Washington has remained silent about Browns Ferry. That news release, quoted below, does not make one optimistic that any meaningful lesson has been learned from the Browns Ferry incident.
"The functioning of some in-plant operating and safety systems, including emergency core cooling systems, was impaired due to damage to the cables.
"The two reactors were safely shut down and cooled during the fire. NRC inspectors report that there was redundant cooling equipment available during the reactor cooldown....
"Although some instrumentation was lost, certain critical instrumentation such as reactor water level, temperature and pressure indicators continued to function and both plants were safely shut down....
"On Unit 1, although a loss-of-coolant accident had not occurred, the emergency core cooling system was activated and supplied additional water to the reactor. It was manually shut down to prevent overfilling. Later, during cooldown, when ECCS was called for manually as one of the several alternate means of supply cooling water, it did not activate; the alternate methods had more than sufficient capability to cool the core."
Whether the NRC has sufficient capability to cool the public's reaction, once the facts about Browns Ferry are known, will be interesting to observe.
| NRC | The NRC [Nuclear Regulatory Commission] licenses reactors as safe for operation. |
| ECCS | The ECCS [Emergency Core Cooling System] provides emergency cooling water to the core of the reactor to keep it from over-heating if the regular cooling is lost. |
| RHR | The RHR [Residual Heat Removal] system is needed, after the reactor is shut down, to cool the core; it removes the "residual heat" given off by the intense radioactivity of the used nuclear fuel in the core. |
| TVA | The TVA [Tennessee Valley Authority] is a federal agency which owns and operates numerous electricity generating plants, including the Brown's Ferry nuclear reactors. |
| BFNP | The BFNP [Brown's Ferry Nuclear Plant] consists of two large nuclear reactors, each generating 1100 megawatts of electrical power. |
| DPP | The DPP [Department of Power Production] is responsible for the day-to-day operation of the Brown's Ferry nuclear generating station. |
| CO2 | CO2 [Carbon Dioxide] is a non-toxic gas which can be used to put out a flaming fire by choking off the supply of oxygen that feeds the flames. |
I'm posting this as 'history' with 2 comments and only making the observation that weaknesses/vulnerabilities in this design's safety systems were well-known in 1975 as a result of the 'incident':
1. Take a guess at what design these reactors use (see tag) and, for that matter, when they were built.
2. Take a guess at the initial construction date of the US' first Thorium Reactor...
Oh...and yes, this happened BEFORE Three Mile Island.
Incidentally, FWIW: There ‘is’ a Documentary film on this here
But good luck finding it (though Amazon has it for Rent/Sale at $19.95/$24.95 respectively streaming & $24.95 DVD)
This was no big deal, just a 185,000 alarm fire. BTW, look up Fermi reactor near Detroit.
I thought this was a key point:
>>How the Fire was Extinguished
The electrical cables continued to burn for another six hours, because the fire fighting was carried out by plant employees, despite the fact that professional firemen from the Athens, Alabama, fire department had been on the scene since about 1:30 p.m.<<
Had they allowed the Athens, Alabama fire department to fight the fire, it would have been extinguished long before it had a chance to do all the damage.
As a reader of “Risks” on Usenet, I discovered this 20 years ago.
The key point is that redundancy was required - two sets of control wires from the control room to the core. The safety design folks decided that it was more dangerous to have two different holes in the containment structure than one, so the two different sets of control wires were fastened to the ceiling side by side. The result was that when one set caught fire, the other one caught fire also.
Thousands of engineers and hundreds of inspectors ... and they didn’t catch this bad design flaw that any student looking at a picture would catch.
The 3 mile island incident was more subtle. The engineers designed a sensor to detect whether a relief valve was physically open or closed, and report the position with a green light; unfortunately, the exhaust coming out of that valve eventually corrupted the sensor. The customer engineer got tired of replacing the sensor after a few years, so he changed the green light to report whether a command had been sent or not, not whether the valve was physically open. He documented this to the operating crew.
To save money, the 3 mile island operating crew was changed, and the documentation was not properly transferred to the new crew.
Some time later when the valve failed open (thus releasing pressure and allowing the reactor water to boil), the operating crew looked at the green light, concluded the valve was closed (when actually it meant that the valve had been commanded to be closed, but it had failed open), and did a lot of wrong things based on this faulty information. They almost had a meltdown.
The technology is finally available for a “fail-safe” reactor, but no one wants to pay to change the regulations.