The accident at the second reactor of the American plant of Three Mile Island (without an s at the end of Mile, a frequent mistake!) sounded the death knell of the era of civil nuclear bliss. Until March 28, 1979, most of the public remained convinced of the infallibility of scientists. Although the consequences of the accident for the public were very modest, it shook the engineering community to its core. Mitchell Rogovin, responsible for the huge report to the Nuclear Regulatory Commission’s 1980 Commission of Inquiry, says himself: “For years, the debate about nuclear power in this country was the preserve of a handful of people. The TMI accident changed all that. The fate of nuclear power has become ingrained in the American consciousness.” The terrible sequence of events that led to the loss of the reactor, however, provided important real-world feedback.

The Three Mile Island plant (Photos 3.1, 3.2, and 3.3) is located on a small island surrounded by the Susquehanna River, 16 kilometers from the city of Harrisburg, Pennsylvania, and 180 kilometers from the capital, Washington. The site hosts two similar reactors built by Babcock and Wilcox (B&W) for the Metropolitan Edison Company. TMI-2 first reached criticality on March 28, 1978, exactly one year before the events we will describe; in other words, the reactor was brand new. The B&W reactors, whose cores are very similar to those of the competing Westinghouse design used in the USA or France, have a primary circuit with some notable differences (Fig. 3.1). The containment is broadly similar to that of a Westinghouse reactor (Fig. 3.4).

Photo 3.1

The Three Mile Island plant is located on an island in the Susquehanna River, 10 miles from the city of Harrisburg. The No. 2 reactor is the building with the rounded dome that is located closest to the two non-functional cooling towers. Those in operation produce a steam cloud

Photo 3.2

Unit-2 is in the foreground. The photograph is taken from one of the cooling towers of unit-2

Photo 3.3

Unit-1 in operation. Two cooling towers are required to cool the condenser. The auxiliary cold source comes from the river

Fig. 3.1

Main components of the TMI-2 plant. Réservoir d’eau borée = Borated water tank, Coeur = Core, Pressuriseur = Pressurizer, GV = Steam Generator, Puisard = Sump, Dispositif de chute des barres = Control rod drive mechanism, Soupape pilotable = Power-operated relief valve, Condenseur = Condenser, Transformateur = Transformer, Soupape de sûreté = Safety valve, Pompe de gavage principale = SG water main feeding pump, Pompe de gavage auxiliaire = Auxiliary feeding pump, Aéroréfrigérant = Cooling tower, Circuit primaire = Primary circuit, vapeur = steam, eau secondaire liquide = Liquid secondary water

The first point is the important difference in the design of the Steam Generators (SGs). The B&W SGs operate with forced convection: hot water from the primary circuit enters at the top of the SG (Fig. 3.2), flows downward through vertical straight Inconel tubes, and transfers its heat to the secondary water, which flows vertically in counterflow. These SGs are therefore called “once-through” steam generators. This type of circulation provides great stability in operation, as well as significant superheating of the secondary steam (of the order of 30 °C), which gives better thermodynamic efficiency than Westinghouse SGs designed with inverted U-tubes, which operate as a basic evaporator and whose steam temperature does not exceed the saturation temperature. Secondly, the B&W primary circuit has only two hot loops, which are split into four cold legs fed by four primary pumps at the outlet of the two SGs (Fig. 3.3). However, the vertical design (associated with a small volume of secondary water in the SG) means that these SGs have very low thermal inertia compared to U-tube SGs: they empty their secondary liquid very quickly (in less than a minute) in the event of an accident leading to a heat-up of the primary circuit when no auxiliary feed water is available on the secondary side. In the case of a U-tube SG, this time would be about fifteen minutes, giving the operator more time to recover from the faulty situation. This is the main disadvantage of once-through SGs, which leave operators little reaction time to understand what is happening. Another particularity is the possibility of cooling the containment (Fig. 3.4) by means of a Reactor Building Air Cooling System (RBACS) called the “fan cooler,” i.e., a system of five fans inside the containment. The atmosphere of the containment passes over air–water exchangers associated with an exchanger outside the containment. The water in question comes from the cold source, namely the air coolers in a normal situation or the river in case of a LOCA. This active system was not retained on the French plants.

Fig. 3.2

Babcock and Wilcox type steam generator (adapted from M.F. Sankovich, B.N. McDonald: Once-through steam generator boosts PWR efficiency, Nuclear Engineering International, July 1972). The once-through SG (“OTSG”) has a number of advantages: a model implemented on a 1150 MWe reactor provides a superheat of 28 °C at a pressure of 80 bars compared to the saturation temperature of the secondary, due to the primary/secondary countercurrent flow (primary water enters from the top through a 91.4 cm diameter orifice and exits from the bottom through two 71.1 cm orifices; the secondary water enters from the bottom and starts boiling immediately, and it is completely evaporated at two-thirds of the height; the steam produced flows into an annular down-comer and comes out through two 61 cm diameter orifices), which improves the heat exchange performance. This reduces the kWh to 60.5 kcal of heating, or about 2.3% less than an inverted U-tube generator that operates as a boiler. The superheat makes it possible to produce 100% dry steam, eliminating the need for droplet separators at the steam outlet. This saves considerable space as there is no separator/dryer at the SG outlet. The simplicity of the concept allows for infrequent cleaning, resulting in cost savings and increased availability. From a safety point of view, however, this type of SG drains much more quickly than a U-tube SG

Fig. 3.3

Primary circuit of the TMI-2 reactor

Fig. 3.4

Scale elevation view of the TMI-2 building. Cuve = Vessel, Puits de cuve = Vessel pit, Puisard = Sump, Réservoir de décharge pressuriseur = Pressurizer discharge tank, Gaine de ventilation par ventilateur = Fan cooler duct, Buse du système d’aspersion de l’enceinte = Containment spray system nozzle, Bâtiment réacteur = Reactor building

The primary circuit therefore includes two SGs, two accumulator tanks that flow directly into the down-comer (the annular converter that feeds the core), four primary pumps and of course a pressurizer.

On Wednesday, March 28, 1979, at 4:00 a.m., while TMI-1 was shut down for refueling and TMI-2 was at 97% of its full power (2772 MWthermal, 905 MWelectrical, primary circuit temperature of 290 °C, pressure of 150 bars, boron concentration of 1026 ppm and primary circuit flow of 16 tons/h), numerous alarms were triggered in the control room. The operators did not know it yet, but the 1A condensate pump of the condenser circuit had tripped. When such a pump trips, it causes the normal supply pumps of both SGs to stop. This shutdown causes the loss of feed water to the SGs, resulting in an automatic shutdown of the turbine. In the turbine room, cavitation and water hammer noises were heard, similar to those caused by air in a water pipe.

This event defines time 0 of the accident scenario. Because of the turbine trip, the auxiliary feed water circuit of the steam generators should have started automatically, but it did not. In fact, the valves located downstream of the three feeding pumps, which actually did start, were abnormally closed, in formal contradiction with the technical operating specifications. These valves had most probably been closed during a maintenance operation 2 weeks earlier. The operator restored the situation only after 8 min by manually opening the offending valves. During this time, however, the reactor was no longer cooled correctly, and its pressure increased due to the heat-up of the primary circuit. On a signal of high pressure in the pressurizer (153 bars), the discharge solenoid valve located at the head of the pressurizer, which protects the primary circuit from overpressure (the Power-Operated Relief Valve (PORV), equivalent to the SEBIM valves on French reactors), opened between 3 and 6 seconds. At 8 seconds, the reactor was shut down normally (SCRAM by rod drop) on a signal of very high pressure in the primary circuit (161 bars). The fluid escaping through the discharge line from the pressurizer to the discharge tank (RDP) allowed the pressure in the primary circuit to fall back to 148 bars; the PORV solenoid valve should close again below 155 bars due to pressure difference. However, the valve remained stuck open. Very quickly (within 15 seconds), the operator realized that the valve had remained open and gave the closing command via the control console. The alarm check light (a small light associated with the control button) indicated “valve closed.” But this check light does not indicate the real state of the valve, only the fact that the button is in the “valve closed” position and activates the current in the solenoid. In fact, even though the command was given to close it, the valve remained open. This error in the design of the alarms, linked to the fact that there was no real indication of the position of the relief valve stem, but only an indication of the presence of power on the control solenoid, had a disastrous effect on the control team’s understanding of the accident. The operators confirmed to the investigation committee that they firmly believed that the PORV was closed. The temperature rise at the valve was correctly measured, but because of recurrent leaks the temperature was already high initially, and it no longer worried the operator. As for the alarms, it must be admitted that they all went off, both audibly and visually, causing great confusion in the control room. It was no longer possible to recognize the initiating alarms.

Even the printer in the control room failed to print the information contained in the data acquisition system during the two fateful hours, perhaps because of the saturation of the output buffer of the computer feeding it. From that moment on, the incident, which could have been controlled, became a LOCA (Loss Of Coolant Accident). At 60 seconds, the water level in the pressurizer rose rapidly. At the same time, both steam generators reached their low level. At 120 seconds, the high-pressure safety injection (HPSI) started automatically on a low-pressure signal in the primary circuit (112 bars). From 4 to 11 min, the level of the pressurizer went out of its reading range, to the great horror of the operators, whose obsession was the pressure rupture of the pressurizer or of its surge line. This can happen quickly if the pressure-compensating steam bubble at the head of the pressurizer has been lost, that is to say, in the jargon of the profession, if the pressurizer is “solid” (full of water). It should be noted that the water level in the pressurizer is measured by a differential pressure sensor (weight of a column of water). A control room reading of 33.5 feet indicates that the pressurizer is full of water with no vapor or bubble void. If a void fraction exists in the pressurizer, a level below 33.5 feet is indicated, the difference being directly proportional to the actual volume fraction of liquid water in the pressurizer. The commission of inquiry later showed that the operating teams had been trained to have an excessive fear of a pressurizer surge line rupture in the case of a “solid” pressurizer. It was in this context that the operators made a fateful decision: at 278 seconds, they manually shut down the two safety injection pumps that could have saved the reactor.

In fact, the water level measurement system of the time was not reliable in a two-phase situation, and the massive boiling that began at 6 min, due to the drop in pressure (93 bars), induced significant variations in the level of water swollen by steam. Still worried, the operator also drew water from the primary circuit (!), which was already short of it, via the primary load/discharge circuit (RCV), still hoping to reduce the (fictitious!) water level in the pressurizer. At 8 min, the operator manually opened the emergency water supply valves of the steam generators, finally aware that the steam generators were empty for lack of backup water. From 11 min, the level of the pressurizer became readable again, unfortunately confirming the operator in his wrong behavior. The operator did not realize that a “small break LOCA” (SBLOCA) was occurring, located at the head of the pressurizer. This induces a two-phase situation involving a high level of water in the pressurizer. The high-pressure injection was manually restarted but with a very low flow rate. At 15 min, the bursting of the rupture membrane of the pressurizer discharge tank (RDP), which had been completely filled with water leaking from the pressurizer, allowed radioactive water to flow from the primary circuit to the sumps located in the lower parts of the reactor building. The pressure indicator of the pressurizer discharge tank, into which the primary circuit water is discharged, indicated a rise in pressure. However, to make matters worse, this indicator was placed on a back panel of the control room, out of the operator’s sight.

The alarms then indicated the presence of radioactivity in the reactor building. From 20 to 70 min, the pressure and temperature of the reactor stabilized at boiling conditions of 72 bars and 287 °C. At 74 min, the operators shut down the two primary pumps on train B, then at 100 min those on train A, because of cavitation. This moment initiated the second phase of the accident, namely the uncovering of the core (Fig. 3.5). Indeed, the running pumps had been stirring a mixture of water and steam, cooling the core as best they could. After the shutdown of the pumps, the water and steam in the emulsion separated, and the residual water ended up in the lower parts of the primary circuit. No longer cooled, the core then heated up and its temperature reached 327 °C at about 2 h from the onset of the accident, then went out of the reading range for 14 min. The pressure rose to 148 bars. At 2 h 20, steam generator B was isolated and the secondary steam was discharged to the atmosphere through the controlled relief valves. At 2 h 36, the on-off isolation valve, located in series before the PORV, was manually closed, finally isolating the primary circuit (Fig. 3.5). We can consider that the operators had finally understood the problem and the fact that the core was dewatered (radioactivity appeared in the radioactivity detectors of the sumps). During the next 5 h, the operator tried to cool the core by means of the SGs, by establishing a natural or forced circulation in the core, but the incondensable hydrogen produced by the oxidation of the zircaloy fuel cladding, trapped in the primary circuit, degraded the heat exchange towards the secondary circuit and blocked the convection. As for the residual power evacuation system (Low-Pressure Safety Injection, LPSI), it can only be operated at lower pressure (28 bars). It would have been necessary to depressurize the primary circuit in order to use it. At 174 min, the operator attempted a delicate maneuver: he started the 2B-pump to cool the core, initiating phase 3 of the accident, the reflooding of the core (quenching). This reflooding caused a rapid rise in pressure by sending colder water into the core, where it vaporized. The operator tried to control this pressure by piloting the PORV, which, despite its failures, remained controllable. This flooding fed the pressurizer with steam, which caused the water level to rise when the steam condensed in the pressurizer. The opening of the pressurizer spray line at 175 min must have facilitated this condensation since the steam could escape by this way. But the terrible cavitation noise of the pump, which was circulating a strongly two-phase fluid and could be heard clearly in the control room, urged the operator to shut down the pump after 19 min (at 3.2 h). The pressure in the containment reached 0.31 bar; the containment was then automatically isolated, as happens from an overpressure of 0.3 bar. At 200 min, the operator switched to the automatic high-pressure injection, which effectively and definitively quenched the core.

Fig. 3.5

Pressure of the primary circuit and description of the four main phases of the accident. Perte de refrigerant = loss of coolant, dénoyage = uncovery of the core, dégradation = melting of the core, relocalisation = meltdown to lower plenum, soupape fermée = valve closed, arrêt des pompes primaires = primary pumps shutdown

At time 224 min, it is conjectured that the corium, which formed in the core as a non-coolable liquid bath (the crust was impermeable to water), relocated (Figs. 3.6, 3.7, and 3.8). This relocation took place under water through the core bypass, the flow zone that surrounds the active core. Indeed, it was at this moment that the external neutron chambers measuring the neutron sources recorded a significant increase in signal.

Fig. 3.6

State of the core before reflooding (before 174 min) and after reflooding (174 min to 189 min)

Fig. 3.7

State of the core before and after relocation (224 min)

Fig. 3.8

Relocation of the corium from the core to the vessel bottom through the side bypass. Even though the reactor was full of water, this did not prevent the corium from progressing downwards

At the same time, the internal chambers (Incore Self-Powered Neutron detectors) triggered an alarm, suggesting damage caused by the corium, which heated the vessel bottom penetrations and generated a thermoelectric current. This relocation took place under water and sent partially oxidized molten metals to the vessel bottom. At 10 h from the onset (Table 3.1), a containment pressure peak of 1.9 bar was attributed to a moderate explosion of hydrogen from the oxidation of the zirconium cladding. The containment spray (EAS), which had started automatically, was shut down after having had time to inject about 20 m³ of water containing soda (soda favors the retention of volatile iodine in the sumps). At about 13.5 h, while the high-pressure injection was maintained to re-pressurize the primary circuit, residual power was finally released through the SG-A, because part of the hydrogen had been purged during the depressurization operations with the pressurizer valve. After 16 h, the plant returned to a stable state with the supposed presence of a bubble of non-condensable gas in the upper parts of the reactor, under the vessel cover. This gas, allegedly hydrogen, greatly worried the operators because of the risk of explosion, or even the risk of dewatering of the core in the event of a drop in primary circuit pressure. Throughout the first week, the operators tried to reduce this hydrogen bubble, more or less dissolved in water, by heating it with the heaters of the pressurizer to recover the hydrogen in the upper head of the pressurizer and degas it via the Pressurizer Discharge Tank (RDP). The nuclear auxiliary building (BAN) was contaminated by the spillage of about 40 m³ of radioactive water (which reached an activity of 800,000 Curie/m³ whereas in normal operation, it is less than one Curie/m³), which overflowed the liquid effluent treatment tanks. The radioactive gases were not filtered by the BAN filters and were the cause of the small release of radioactivity into the atmosphere out of the BAN, despite the presence of iodine traps upstream of the gas evacuation stack. This release of radioactivity caused panic among the public.

The problem of hydrogen in the containment was solved by the use of passive autocatalytic recombiners, which were installed on April 3. Their installation required the use of 400 tons of lead protection to limit the doses to the personnel.

Table 3.1 Main chronology of the first 300 min of the TMI-2 accident (Figs. 3.6 and 3.7)

The core was cooled for months using a single primary pump and the SG-A alone. The problem of the presence of a hydrogen bubble under the reactor cover was of great concern to the operator. Pessimistic calculations (up to 25 m³) had raised fears of a risk of uncovering the core if the pressure was lowered. The operator therefore limited the pressure drop and tried to degas the primary circuit. From April 5, no more bubbles were detected, which made some people doubt its existence. Its volume should never have exceeded 2 m³. On April 27, the natural thermosiphon circulation of water in the core was sufficient to ensure the cooling of the core. The accident was definitively stabilized.

From July 1980 onwards, operators began to enter the reactor building cautiously and strongly protected against contamination (Photos 3.4 and 3.5). Decontamination (Photo 3.6) and dose mapping (Fig. 3.9) were performed. The objective was to insert a shielded video camera into the core via a control rod adapter (Photo 3.7). This visual inspection confirmed the presence of a cavity of 9.3 m³ in the core, resulting from the collapse of the assemblies. The camera made it possible to visualize the debris bed resting at the bottom of this cavity.

Photo 3.4

Inside the reactor pool at an undetermined date. The control rod mechanism (RGL) is still on the reactor vessel cover. One can see the studs closing the cover on the vessel. A ventilated tent allows you to momentarily escape the ambient radioactivity

Photo 3.5

Operators walking along the empty reactor pool. They wear filtering masks, but no ventilated suits

Photo 3.6

Cleaning the floor for decontamination

Fig. 3.9

Dose map and evolution from 1980 to 1983

Photo 3.7

Photos taken by the video camera of the debris bed of TMI-2 (1982) from (Duffy et al. 1986)

It is known that the core was not completely dewatered and that about 0.6 m of fuel height remained under water (a situation later called “cold foot”). This is confirmed by the position of the corium crust that formed at water level and served as a crucible for the molten bath. The collapse of the fuel was probably caused by the thermal shock due to the reflooding (the word “quenching” is used) and the terrible vibrations induced by the cavitation of the 2B-pump. A vault was formed by the collapse of the upper part of the assemblies.

From a sonar inspection (Photo 3.8), scientists were able to reconstitute a precise image of the cavity, which is crucial for understanding the core degradation scenario. We can distinguish the relocation of the corium in the bypass.

Photo 3.8

Sonar analysis of the cavity formed in the TMI-2 core (1983) from (Duffy et al. 1986)

Once formed in the core, the molten bath, blocked vertically by its lower crust, progressed sideways by natural convection movements that pierced the lateral ceramic crust, and then, at about 224 min, pierced the baffle at a height of 1.80 m. Approximately 29 tons relocated by this path through significant breaks (Fig. 3.14). The bypass trapped 9 tons of corium between the spacer plates, and corium was even found at a higher elevation than the baffle tear (the corium would have risen due to the clogging of the bypass). Twenty tons were relocated in the vessel bottom and heated up the steel of the vessel, bringing about 2.5 MW of residual power at the time of relocation (224 min after the rod drop). By a phenomenon that is still not fully understood, a gap probably formed between the corium and the inner face of the vessel, allowing water to pass through, which cooled the corium. This water intrusion probably prevented a rapid attack of the vessel by melting, thus avoiding a bottom rupture.

From 1981 onwards, under the aegis of the NEA’s Committee on the Safety of Nuclear Installations, 11 OECD member states joined the American DOE in analyzing samples from the core to understand the progression of the core damage. In 1983, in order to understand the anomalies in the measurements of the external chambers, which measured a much stronger signal even long after the accident (4 orders of magnitude above the signal expected for the postulated reactivity of the degraded core), wires were placed between the concrete pit of the vessel and the steel vessel, to which were attached dosimeters placed at different altitudes (Fig. 3.10) (Bandini et al. 1987). The dosimeters were exposed for 3 months and then analyzed. In 1984, the extent of the damage was still unknown. This analysis made it possible to show that some fuel was indeed present in the vessel bottom. Since the cameras and the sonar had revealed the cathedral cavity at the top of the core, it was then possible to establish a neutronic model of the degraded core and the corium in the vessel bottom. This model showed that at least 10 tons of corium should have relocated in the vessel bottom. This was verified during dismantling (in fact about 20 tons).

Fig. 3.10

Dose measurement in the vessel pit [from Bandini et al. 1987]

In 1985, an international inspection project of the vessel (Vessel Inspection Project) was set up under the aegis of the OECD/NEA. It appeared that 19 tons of molten corium had been in contact with the vessel bottom of the reactor. A budget of $9 million between 1988 and 1993 allowed samples to be taken from the top of the reactor by means of electric discharge cutting under 12 meters of water (Metal Disintegration Machine or MDM), while the visibility was only 3–4 meters (Figs. 3.11 and 3.12).

Fig. 3.11

View of the complete MDM system from the shielded work platform. The vessel is completely filled with water for effective biological protection

Fig. 3.12

Magnified view of the MDM tool head. Underwater television cameras make it possible to see the cutting operations in detail. A hemispherical articulated head allows the tool to be raised along the vessel bottom wall. The samples taken have a straight triangular section, 16.5 cm long, in the shape of an oblong boat. From these samples, specimens of standardized shape were extracted (Charpy impact test, etc.), which allowed access to the mechanical properties of the project vessel (TMI PVIP 1993, p. 88)

The post-mortem analysis showed that the corium was divided equally between a solidified bath in the vessel bottom, topped by a debris bed, and a solidified bath that remained in the center of the reactor. A relevant question is whether the accident could have led to the downward ejection of some instrumentation tubes. It was found that some of the instrumentation tubes immersed in the corium bath were severely damaged, while some were curiously intact. Two phenomena are to be considered: on the one hand, the ejection of the tube after melting of the Inconel weld, and on the other hand, the rupture by thermal creep outside the vessel. Concerning the first point, the metallurgical examinations showed that the welds of the penetrations had not melted, suggesting that the temperature of the weld had never exceeded the liquidus temperature of Inconel 600, i.e., 1415 °C. Regarding the creep rupture, it should be noted that the pressure in the vessel is not perfectly known at the time the hot spot appeared at the vessel bottom. At a conservative pressure of 150 bars, i.e., assuming that the system was re-pressurized, the time to thermal creep failure at the highest estimated temperature of the vessel (about 1100 °C) varies according to the hypotheses between 4 and 17 h, whereas this temperature was ultimately not sustained for more than one hour. It was noted that some of the vessel penetrations (the taps where the instrumentation tubes pass through the vessel bottom) had failed without being ejected, but the corium had frozen inside of them (!) (Fig. 3.13).

Fig. 3.13

Degradation of the TMI-2 core. The corium relocated under water in the vessel bottom, which rose in temperature. Post-mortem analysis showed that the vessel bottom steel rose to 1100 °C (red spot) without melting, but some of the vessel bottom penetrations (of the internal RIC instrumentation) were damaged without being ejected. The corium froze inside some perforated RIC tubes

The analysis of the samples showed the existence of an elliptical hot spot of about 1 m by 0.8 m, having reached a temperature of 1100 °C in the inner liner, and caused by an intimate contact. Around this spot, it is known that the temperature of 727 °C, which corresponds to the ferrite-austenite transition, was not reached (Fig. 3.13). Cracks of 5 mm were found in the stainless-steel buttering of the inner face of the vessel. They were located around three of the instrumentation tubes and had no extension in the steel of the vessel itself.

In all, 62 tons of core material melted and were distributed, as we said, in the bypass and vessel bottom, the rest “freezing” in the destroyed core. A “cathedral” cavity of 9.3 m³ appeared at the top of the core (Fig. 3.14). A molten bath of 33 tons at a temperature between 2800 K and 3100 K finally solidified in the center of the core. The oxidation of the core materials, in particular the zirconium of the cladding but also the steel of the upper internals, produced about 460 kg of hydrogen gas. Reflooding calculations based on the hydrogen explosion and the ratio of oxidized zirconium in the core (45%) postulate that 300 kg could have been produced before reflooding and 160 kg during the reflooding phase at the start of the 2B-pump. These 160 kg are the subject of particular attention because they would have been produced very quickly (hence the impossibility of treating this sudden production with passive autocatalytic recombiners). On the other hand, it is difficult to reproduce this phenomenon experimentally and computationally, which calls for progress on the physics of the reflooding phenomenon.

Fig. 3.14

Post-mortem assessment of the degradation of the TMI-2 core

On the radioactive release side, the overflow of the tank of the TEP system (treatment of primary circuit effluents) for liquid effluent treatment resulted in the release into the BAN of approximately 40 m³ of highly contaminated water. The ventilation system released rare gases such as xenon and krypton after filtration (“absolute” filter for aerosols and iodine filter). It is estimated that the total activity released in rare gases is about 50,000 Curies (especially krypton 85 during the voluntary degassing phases in 1980 to enter the building) and less than 15 Curies in iodine 131 during the accidental phase. It is estimated that 99.9% of the cesium and iodine remained trapped in the water retained in the plant. The NRC, the regulatory agency in the United States, has produced a hypothetical value of 80 mrem as the maximum individual dose and an average of 9 mrem for the nearest 2000 inhabitants.

The absolutely incredible timing of the release (12 days before the accident) of James Bridges’s film “The China Syndrome,” with Jane Fonda as the incorruptible journalist, Michael Douglas and Jack Lemmon, exacerbated public attention. Lemmon plays the role of an honest nuclear plant manager, a former Navy officer, who was forced to testify to a commission of inquiry following an accident that occurred because of malpractice by the utility company, which had falsified the X-rays of the welds of the primary circuit. The China syndrome is a paradoxical image meaning that nothing could utopically stop the radioactive corium, which would pierce the concrete raft down to China. The poster of the film presents an inoffensive air cooler curiously surrounded by aggressive chimneys (?). Let us underline that the film is well made, and the scenario remains credible (Photo 3.9).

Photo 3.9. French poster of the film: Le syndrome chinois and still

On Friday, March 30, the operator decided to make significant releases: 1.2 rem/h from the stack of the Auxiliary Nuclear Building, which prompted the NRC to recommend to the governor the evacuation of pregnant women and young children within a 10-mile radius. Walter Cronkite (1916–2009), the famous American broadcast journalist for the CBS Evening News for 19 years, often cited as “the most trusted man in America,” could not elude the TMI-2 accident and presented it as a major event, concluding with his departing catch phrase “And that’s the way it is” (Photo 3.10). The accident triggered an indescribable panic: gas stations were stormed, money was withdrawn from banks (more than $10 million in one day!), and local religious authorities even authorized a general extreme unction over local radio, a unique fact in the whole history of the Church. One hundred and forty thousand people stayed away from their homes during the events. It was reported that some pregnant women decided to have an abortion for fear of malformation of the fetus.

Photo 3.10. Walter Cronkite presenting the TMI-2 accident (CBS Broadcasting)

The next day, the major French newspapers commented on the news. The Association Française de Presse relayed information that was either badly translated or unintentionally false (“explosion of a valve in one of the pumps of the reactor cooling system?”). Then a certain realism took hold in the French press when it was understood that the release was very small. On April 1, the daily Libération headlined with a certain black humor “A clean catastrophe, a mild panic.” Brice Lalonde, a figure of French ecology, did not hesitate to say in the Nouvel Observateur of April 23, “I am not afraid of the atom, I am afraid of technocrats. What is good for EDF is not good for the French!” The balanced newspaper Le Monde itself wrote, “We are beginning to know more about the American plant than about its French counterparts.” Satirical drawings flooded the press (Fig. 3.15), and EDF was taking the fall. However, EDF was very concerned by the accident, both to learn from the experience and to get its own idea of the case. In April 1979, EDF executives were sent to the United States on a fact-finding mission. Finally, French scientists took up the cause on both sides. Maurice Tubiana explained, “We talk about nuclear power, but we think about bombs.” The fact is that no operator will be able to hide behind an “It’s scientifically impossible” or a very low frequency of occurrence.

Fig. 3.15. The satirical press attacks the French utility’s haughty communication: “American engineers are donkeys.” (drawing by Konk in a newspaper of 1979, DR)

From October 1985 onwards, the fuel and debris were removed under water with great care after opening the vessel cover. The risk of untimely re-criticality was a constant concern for the operator.

To guard against surprises, the absorbing boron concentration was held at 3500 ppm until early 1983, and conservative studies [Footnote 16] were carried out by postulating an unfavorable “lens” geometry where the most enriched fuel batch (2.96%) is “coated” by the least enriched fuel (the two other batches) and by assuming the disappearance of the absorbing fission products and the control rods (Fig. 3.16). The concentration was even raised to 5000 ppm before unloading to avoid any surprises. Bear in mind that boron crystallizes above 7000 ppm.

Fig. 3.16. “Lens” modeling to assess the risk of re-criticality of TMI-2 corium in the vessel bottom (adapted from Knief 1988)

The repercussions of the accident were considerable because it created a real intellectual earthquake in the scientific community. Indeed, the historical approach to safety has always been to consider bounding scenarios, which are supposed to cover less severe situations. For example, the “large break” LOCA scenario (the case of the double break of a primary cold leg), which is supposed to cover smaller breaks, has long been considered the most penalizing, which is not necessarily true. This scenario leads to a massive depressurization of the primary circuit that a novice would detect without fail. The “small break” scenario, less impressive at first sight, is much more difficult to analyze. It is said to have a “weak signature.” In this idealized “large break” scenario, the operator is always assumed to be infallible, in the sense that he always responds perfectly to the needs of the plant. The emphasis is therefore only on the failure of the equipment, never on the failure of the man who pilots it. After TMI-2, many commissions of inquiry tried to extract some truths from this affair. The lack of capitalization in the analysis of significant events was universally pointed out. On September 21, 1977, an event with the same signature as the first 30 min of the accident occurred at the Davis-Besse plant, a reactor of the same type as TMI. The incident had no consequences insofar as the PORV valve was finally closed again after 20 min by the operator. Unfortunately, the feedback from this case did not reach the TMI teams. A loss of SG auxiliary feedwater occurred at the same Davis-Besse plant on June 9, 1985, with the same signature as TMI-2. The event started with a capacitor failure causing loss of main feedwater. This was followed by an operator pushing the wrong buttons during the transient. This error was multiplied in impact by steam feedwater rupture control system and auxiliary feedwater pump design deficiencies, equipment failures, and human factors problems. Other equipment failed to perform properly or was damaged as a result of the transient. Fortunately, the operator could close the block valve and stop the primary fluid from escaping through the cycling PORV. Auxiliary feedwater was recovered 1150 s after the initiator and ended the incident. It is interesting to see that the first 1000 seconds are very similar to what happened at TMI-2 (Fig. 3.17).

Fig. 3.17. Loss of SGs auxiliary feed water on Davis Besse on June 9, 1985. Fortunately, the fate of this plant was happier than TMI-2

The lack of standardization of reactors in the United States, where no two reactors out of the 75 in operation at that time were really identical, unlike in France, is also a remote cause of the accident. Another reason given was that the installation was also operating in a degraded mode with a leak of one ton of water per hour (!) through the pressurizer discharge line, inducing a high temperature on this line and thus helping to mask the beginning of the accident. And what about the fact that the emergency power supply to the SGs was condemned, in absolute contradiction with the Technical Operating Specifications? The most significant technical cause that misled the operators was probably the alarm check light indicating the order sent to the pressurizer relief valve and not its actual state. On the organizational side, numerous failures were uncovered. The poorly defined responsibilities of those in charge contributed to the confusion in the management of the crisis. In the ultimate caricature, up to 60 people were present simultaneously in the control room, where even the governor of the State was invited by his own authority with his bodyguards! In France, the Internal Emergency Plan (PUI) and the Special Intervention Plan (PPI), specific to each site, clearly explain the role and prerogatives of each one.

The consequences of the TMI-2 accident on the improvement of safety are important. First, the principle of defense in depth and three barriers has been definitively imposed, silencing those who thought that “too much was being done” in terms of safety and that “it was too expensive.” Operator training has been improved, both in terms of knowledge and simulator training. Similarly, operating procedures have been completely revised, in particular with the introduction of specific procedures for severe accidents and the prioritization of alarms.

From the health point of view, it has been demonstrated that the accident had no consequences on the health of the inhabitants living near the plant, except for the mental trauma (Photo 3.11) during the uncontrolled leakage, which had unexpected consequences (voluntary interruption of pregnancy by choice of some pregnant women has been reported). The conclusion of this case can be read for free on the roadside (Photo 3.12).

Photo 3.11. Sad joke on this house for sale

Photo 3.12. This sign on the road aptly sums up the whole affair

French Post-TMI Action Plan

France reacted quickly to the TMI-2 accident. At the beginning of April 1979, EDF, Framatome and the French Safety Authorities (AS) formed a working group to analyze the accident and to develop an action plan. The fundamental lesson learned from the accident is that the overall safety approach currently applied to the French design of PWRs is fundamentally sound. The importance of the analyses and studies carried out in France since the early 1970s in the field of design safety and operational safety has been confirmed by the accident. The concept of defense in depth, which is the basis of the French approach to nuclear safety, has never been called into question by TMI-2. As EDF is the only public utility with nuclear reactors in France, the company plays the role of architectural engineer, and all aspects of safety, including the design of the plant, as well as the construction and operation of the plant, are managed by EDF as a whole. In addition, the standardization of the plants allows EDF to efficiently provide generic analyses and studies. The method used by the French safety authorities and the technical support organization for safety analysis is based on “barrier analysis,” which is of great value with regard to public health and safety. In April and August 1979, the AS requested EDF to provide additional studies and analyses of the experience gained from TMI-2. Consequently, the French post-TMI action plan was established in response to the requirements of the AS (Photo 3.13). This plan includes 46 actions, each divided into specific items.

Photo 3.13. EDF’s post-TMI action plan

Technical Insert: “Details of EDF’s Post-TMI Action Plan”

1. Plant design and man-machine interfacing

TMI-2 focused on the area of operational safety. This includes the human–machine interface concept, operator training, and the structure of the operating team. Another important factor for improving operational safety is feedback. The human–machine interface concept covers all the hardware and software that the operator needs to operate the plant under normal conditions, as well as under incident and accident conditions. A man–machine interface was developed by EDF before TMI-2. However, the following additional analyses and studies were carried out in this area after April 1979. The review of the control room was carried out with the help of operating engineers specialized in the field of nuclear plant operation, as well as operating engineers specialized in the field of industrial plant operation, but also teams specialized in Human Factors who advocate that it is not up to Man to adapt to the Machine but the other way around and who introduce a new concept: ergonomics. This concept is relatively new because it has been said that even Gagarin was full of praise for the user-friendliness of the control panel of his Vostok-1 capsule, and that Russian engineers refused to install a small refrigerator on the first Russian atomic submarine: the K-3 (Marguet 2019, p. 30). However, it should be remembered that the first control rooms did not have chairs. A working group conducted a survey of nuclear plant operating personnel and simulator instructors. In addition, the behavior of the operators was recorded on video during several exercises performed on the 900 MWe simulator at the Bugey plant training center. After collecting the information from the survey and drawing conclusions from the simulator test recordings, EDF decided to build a full-scale mock-up of the control room as a working tool for the analysis of the changes. The main aspect of the change analysis was to improve the operator–machine interfaces. 
Two types of modifications were considered during the analysis conducted on the mock-up: First, the addition of information (alarms, valve states…) for certain safeguard systems; Second, the improvement of the control panel layout. Based on the results of the modification analyses, the displays and controls in the control room are now arranged to improve the operator’s capabilities: The new layout is based on better grouping of all function-related controls using demarcation lines; Use of colored functional areas; Improved labeling throughout the control room; Use of different types of symbols for rotary equipment controls and valve controls; Use of an active block diagram in conjunction with the passive block diagram (Photo 3.14).

Photo 3.14. Control panel improved by a “universal” color code on all French plants (EDF photo)

Installation of a safety panel

There is always a potential risk of human error. TMI-2 has shown the importance of improving operator assistance to deal with this potential risk. In response to this problem, a computerized operator assistance, called a safety panel, was developed (Photo 3.15). The safety panel is designed to monitor the critical parameters of the plant in a concentrated way to give a systematic view of the plant safety state, mainly under accident conditions, and to assist the operators in their diagnosis and decision making. For this purpose, several functions are computerized: Identification of the cause of the first trip; Monitoring of the actuators; Assistance in diagnosis and selection of the accident procedure after the safeguard injection; Assistance in monitoring the safeguard injection; Monitoring of the residual power removal system; Display of the plant parameters, including saturation margin monitoring; Continuous monitoring of the plant state; Assistance in the U1 emergency procedure. In the event of an accident, and depending on the severity of the accident, three categories of personnel are involved in diagnosing the state of the plant: the operator in the control room, the Safety and Radiation Protection engineer (ISR in French) in the control room and the experts in the on-site technical support center (Fig. 3.18). Therefore, the safety panel has three platens: two in the control room and one in the technical center. The safety panel is designed to complement the control room equipment normally used under normal and accidental conditions. In case of unavailability of the safety panel, the usual methods involving the control room equipment could be applied as a backup. In this context, the requirements for control room instrumentation are not necessary for the safety panel.

Photo 3.15. Example of a safety panel display (in this case, assistance in diagnosing and choosing procedures after a safety injection). This presentation dates from 1986. The more recent plants like the N4 have renovated Man–Machine Interfaces (MMIs)

Fig. 3.18. Distribution of tasks between the teams on site. The I, A, and H procedures are event-driven procedures. U1, SPI (Permanent Post-Incident Surveillance) are State-oriented approach (APE) procedures. Event-driven procedures have been progressively abandoned in favor of the state-oriented approach (APE)

Design of advanced procedures for abnormal plant transients and crash recovery

In response to the Post-TMI2 Action Plan, it was decided to organize an expert working group to review, analyze, and develop the existing incident (I) and accident (A) procedures. The operators of the plants were involved in order to help the reviewers benefit from the experience gained from accident analysis, operation, and training. Several exercises were carried out on simulators, to record the behavior of operators during simulated transients of the plant. These exercises were then analyzed to assess human factors. In addition to these actions concerning incident and accident procedures, several actions were carried out to define the way in which the operators could deal with accidents outside the design basis. To this end, two approaches were followed: the state-oriented approach based on the physical state of the plant, and the event-oriented approach based on the historical triggering event. We have progressively moved from event-driven procedures, which require knowledge of the initiator of the accident to implement a pre-established response, to the state-oriented approach (APE) where the operator re-evaluates the effect of his actions periodically according to a predefined cycle (not according to his own free will) by scanning the vital state functions of the reactor. Thus, there is no need to know exactly what the current scenario is, and we can respond to multiple failures. The final product is a large set of very reliable and “ergonomic” procedures covering incidents, analyzed accidents and beyond-design basis accidents. Knowledge of the information contained in a procedure is necessary: during training, operators need detailed and explicit information in terms of “how to do it,” “why to do it,” and “where to do it,” and the bases for each operator action must be provided; during day-to-day operation, operators usually need guidance on “what to do.” Thus, a two-tiered procedure consisting of two documents is used. 
First, the procedure guide (or operating rule) which defines the purpose of the procedure and the operator or PLC actions that must be performed in order to achieve shutdown of the plant after the incident or accident has been diagnosed, this document is written by the parties in charge of the design. Secondly, the procedure (or operating instruction), which includes only what the operator must do, is written by the EDF Nuclear Generation Department according to the above-mentioned rule and according to standard format guidelines (layout, colors…).

Operator’s training

Since the beginning of the construction of PWRs, EDF has been committed to staff training. To determine the qualification of personnel, university education, experience, and training are taken into account. The main element in achieving the desired level of competence is training. To this end, the training program has been defined and includes courses on full plant simulators as well as on function simulators. This program was not fundamentally changed after TMI-2. However, the plant simulators have been improved to increase their representativeness in accident simulation.

Organization of the management: The Safety and Radioprotection Engineer

The structure of the operating team has been completed by a Safety and Radiation Protection Engineer (ISR) pre-positioned in an office adjoining the control room. He is called to the control room at the start of a sensitive plant transient (reactor trip, safety injection, etc.) to assist the operating team in recovery efforts. During the execution of a procedure, the unit manager remains in charge of the coordination of the plant while the safety engineer monitors the state of the plant according to the state-oriented approach (APE). This approach complements the event-driven approach followed by the shift manager and operators. Thus, a redundant and diversified approach to plant surveillance results in superior performance of the operating team. Routine ISR tasks and assignments include issues involving the technical evaluation of the day-to-day operation of the plant from a safety perspective.

Experience feedback

An essential component of improving operational safety is learning from experience. Before TMI-2, EDF already had a feedback organization. The fact that the French Nuclear Fleet is highly standardized with only four models (900 MWe, 1300 MWe, 1450 MWe and EPR), is a considerable asset for feedback. Any problem detected on a reactor benefits the entire plant or even the entire Fleet. The organization of feedback has been improved following the post-TMI studies in order to rapidly assess each event discovered during pre-operational tests, as well as during operation. A feedback group, made up of experts from several EDF divisions in charge of design and operation, is dedicated to the analysis of each experience data coming from French nuclear plants, or from abroad when available. This committee gives its requirements to the EDF departments concerned in order to study effective solutions for each event.

2. Reactor core cooling modes

Post-accident studies

A major effort has been developed by EDF and Framatome in the field of post-accident studies to improve knowledge of post-accident conditions: Ability to eliminate a steam bubble located under the vessel cover of the reactor vessel; Breaks in the pressurizer steam zone (such as untimely opening of a pressurizer valve), transients of small breaks, criteria for manual tripping of primary pumps; Effect of interruption of the safety injection system for 10 min in case of small breaks; Possibility of heat removal by steam generators in two-phase flow.

The State-Oriented Approach

One of the lessons learned from TMI-2 was the inability of the operators to perform a satisfactory diagnosis using the available procedures. The uncontrolled conditions of the plant led the operators to apply several different and inadequate accident procedures. As a result, the plant conditions progressively deteriorated, with the core being uncovered during the accident. TMI-2 demonstrates the limits of the event-driven approach based on the analysis of (almost) all conceivable accident sequences. To remedy this problem, the State-Oriented Approach (APE for Approche Par Etats) has been developed. It is based on measurements of physical parameters allowing the operator to recognize the thermal-hydraulic states of the boiler and to perform corrective actions according to these states. Indeed, the thermal-hydraulic states of the primary circuit can be enumerated in a finite way, whereas the accidental sequences can be multiplied ad infinitum without being sure to cover them all. The state-oriented approach (APE) has led to the improvement of procedures. Typical of the improvement is the support of management for safety injections. Typical of the state-oriented approach (APE) is the emergency procedure that allows post-accident operation by monitoring the physical state of the primary circuit.

3. Reactor cooling systems

Pressurizer relief valves

After TMI-2, an analysis and research program was developed by EDF and Framatome in the field of pressurizer safety and relief valves, while additional tests and improvements were carried out on the current safety and relief valves. A new approach to pressurizer overpressure protection has been proposed. As an alternative to the current protection, a solution using pilot-operated valves was analyzed and tested. This solution consists of three relief lines with two pilot valves in series. One of the valves acts as overpressure protection, while the other one, located downstream, acts as isolation. These valves can also be operated manually from the control room. New valves called SEBIM are now mounted in tandem (Figs. 3.19 and 3.20) and have replaced the older spring-loaded models. SEBIMs provide unparalleled pressurizer relief efficiency by eliminating the difficult problem of valve springs and valve flutter in the presence of two-phase fluids.

Fig. 3.19. Pre-1982 (left) and post-1982 (right) protection of the pressurizer

Fig. 3.20. Tandem assembly of SEBIM valves

Release of non-condensable gases under accident conditions

A study was carried out by Framatome and EDF to determine the quantity of non-condensable gases that could be produced under accident conditions and how they could be released. It was concluded that non-condensable gases can be released from the reactor cooling system using existing equipment. Heat removal from the core would not be disrupted, despite the fact that these non-condensable gases can be stored at the head of the SGs inverted U-pins. For this purpose, the primary coolant pumps are turned on or the feed and bleed process (safety injection plus discharge to the pressurizer relief valve) is used. This method does not require purging the reactor vessel.

4. Characteristics of active safety circuits

Steam Generator Safeguard System

The emergency feedwater system (ASG) is used to provide feedwater to the SGs under emergency conditions, involving loss of normal feedwater (ARE), as well as normal startup, normal shut down and hot standby conditions. After a full power reactor shutdown, the emergency feedwater system is automatically activated and the normal feedwater isolated. In order to limit the trip frequency and operating time of the SG Auxiliary Feed Water ASG, studies have been conducted to maintain a limited flow of the ARE through a predefined opening of the SG Normal Feed Water ARE control valve bypass. In addition, this solution limits temperature transients in the secondary side of the SG. As a result, the actuation of the ASG was modified. However, in case of very low SG level or if the ARE flow rate is lower than the required value, the ASG is automatically activated without delay.

Containment isolation system

In the event of a contamination accident inside the reactor building during cold shutdown, with the safety injection signal inhibited, containment isolation is automatically provided upon receipt of an activity detection signal in the reactor building (BR).

5. Nuclear auxiliary building and fuel building

Examination of radiation shielding

Several of the safeguard systems and auxiliary systems located outside containment could be required to operate in an accident with significant radioactive inventories in the fluids they handle. Some of these systems are located in the fuel building (BK) and in the nuclear auxiliary building (BAN). They include the containment spray system (EAS) and the safeguard injection system (RIS). These systems are required to operate in the recirculation phase during an accident when the PTR tank from which they draw their water is empty. They then transfer water from the bottom of the containment (sumps) to the spray lines in the reactor building or to the reactor vessel. Even if leakage from these systems is minimized, it is assumed that the premises housing the active components concerned may be contaminated. The radiological consequences inside the Auxiliary Building and the Fuel Building, resulting from an accident in which the reactor core is damaged, were estimated in accordance with the source terms for fission products that were updated in response to the post-TMI2 action plan and studies. This estimate led to the conclusion that additional shielding was not necessary.

Ventilation

Additional ventilation tests were carried out in a standard plant using a simulation method to analyze contamination transport. These tests showed the need to improve the airtightness of the different rooms of the nuclear island; in addition, the air circulation inside some parts of the building was modified to avoid the spread of contamination in case of an accident.

6. Radioactive effluents

Transfer of highly radioactive leaks in the reactor building

As noted earlier, systems outside of containment may have to operate during an accident with significant radioactive levels in the fluids they process. Therefore, it would be necessary to collect and store leaking fluids for deactivation prior to treatment by the liquid waste treatment (TEP) system. In order to prevent the spread of contamination, the following principles are implemented: Detection and collection of highly radioactive leaks in the area where they are released; Transfer through the venting and draining system (RPE) pipes to storage capacity; Safe and radiation-protected storage of these highly radioactive liquids (reactor building containment); Installation of isolation devices between the venting and draining pipes used for the transfer of the highly radioactive liquids and the liquid waste treatment system. The operator, from the plant control room, triggers the transfer of highly radioactive leaks into the reactor building on receipt of an activity alert signal in the reactor building (Fig. 3.21).

Fig. 3.21. Transfer of contaminated effluents to the reactor building

Flooding of the containment in accidental conditions

Following a LOCA or break in the main steam line inside containment, the lower portion of containment is flooded with water from the reactor coolant system, the safeguard injection system, and the containment spray system (EAS), or with water from the main steam lines and the ASG, as appropriate. The resulting maximum water depth was reassessed with an additional 15% margin. As a result, the locations of equipment likely to operate during an accident and which are located below the maximum water depth have been modified to allow their proper operation when the containment is flooded.

7. Instrumentation and control

Evaluation of the saturation margin and measurement of the water level in the vessel

An analysis was performed to define solutions that would allow the operator to better recognize inadequate core cooling. Two material modifications were defined. The first is the evaluation of the water saturation margin in the vessel (implemented in the 900 MWe and 1300 MWe plants): this system, called the “ebullio-meter,” includes a computer device that processes the measurements of the core thermocouples as well as the temperature and pressure of the reactor cooling system, and the saturation margin is displayed on the safety panel in the control room. The second is a system for measuring the water level in the reactor vessel (implemented in the 1300 MWe plant), based on the measurement of the differential pressure between the top and bottom of the vessel. The differential pressure system uses cells of different ranges to cover various flow behaviors with and without operation of the primary pumps. The reactor vessel level is displayed in the control room and provides the operators with reliable information, even in two-phase situations (Fig. 3.22).

Fig. 3.22. Measurement of the water level in the vessel
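The saturation-margin evaluation described above, as an added Python sketch that is not EDF's implementation: it derives the saturation temperature from primary pressure and compares it with the hottest valid core thermocouple, rejecting failed sensors. The Antoine correlation, the thresholds, the sensor validity window and the transient values are assumptions constructed for illustration; a plant system would use qualified steam tables.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Antoine fit for water (P in mmHg, T in deg C), usable from about 100 to
# 370 deg C with an error under roughly 1 deg C. Assumption of this example.
ANTOINE_A, ANTOINE_B, ANTOINE_C = 8.14019, 1810.94, 244.485
MMHG_PER_BAR = 750.062

TC_VALID_RANGE_C = (0.0, 1300.0)  # hypothetical sensor validity window
MIN_VALID_TC = 2                  # hypothetical minimum for a trusted value
LOW_MARGIN_C = 10.0               # hypothetical warning threshold


def saturation_temp_c(pressure_bar: float) -> float:
    """Saturation temperature of water at an absolute pressure in bar."""
    if not 1.0 <= pressure_bar <= 200.0:
        raise ValueError(f"pressure {pressure_bar} bar is outside the fit range")
    log_p = math.log10(pressure_bar * MMHG_PER_BAR)
    return ANTOINE_B / (ANTOINE_A - log_p) - ANTOINE_C


@dataclass(frozen=True)
class MarginReading:
    status: str                  # "OK", "LOW", "SATURATED" or "INVALID"
    margin_c: Optional[float]    # Tsat(P) minus hottest valid thermocouple
    hottest_c: Optional[float]
    rejected: int                # thermocouples discarded as failed


def evaluate_margin(pressure_bar: float,
                    thermocouples_c: Sequence[Optional[float]]) -> MarginReading:
    """Classify the saturation margin for one scan of the instrumentation."""
    low, high = TC_VALID_RANGE_C
    # None, NaN and out-of-window readings are treated as failed sensors.
    valid = [t for t in thermocouples_c if t is not None and low <= t <= high]
    rejected = len(thermocouples_c) - len(valid)
    if len(valid) < MIN_VALID_TC:
        return MarginReading("INVALID", None, None, rejected)
    try:
        t_sat = saturation_temp_c(pressure_bar)
    except ValueError:
        return MarginReading("INVALID", None, None, rejected)
    hottest = max(valid)
    margin = t_sat - hottest
    if margin <= 0.0:
        status = "SATURATED"     # boiling or superheat at the core exit
    elif margin < LOW_MARGIN_C:
        status = "LOW"
    else:
        status = "OK"
    return MarginReading(status, margin, hottest, rejected)


# Constructed transient: pressure falls while core exit temperature stays high.
CONSTRUCTED_TRANSIENT: List[Tuple[int, float, List[Optional[float]]]] = [
    (0,    155.0, [318.0, 321.0, 319.0, 320.0]),
    (600,  100.0, [304.0, 305.0, 303.0, 1500.0]),  # one failed-high sensor
    (3600,  70.0, [296.0, 301.0, None, 299.0]),    # one open-circuit sensor
    (3700,  70.0, [None, None, None, 299.0]),      # too few sensors left
]


def scan(transient) -> List[MarginReading]:
    """Evaluate every time step of a transient."""
    return [evaluate_margin(p, tcs) for _, p, tcs in transient]


if __name__ == "__main__":
    for (t, p, _), r in zip(CONSTRUCTED_TRANSIENT, scan(CONSTRUCTED_TRANSIENT)):
        margin = "n/a" if r.margin_c is None else f"{r.margin_c:+.1f} C"
        print(f"t={t:>4}s P={p:>5.1f} bar margin={margin:>8} {r.status}")
```

The margin changes sign in the constructed data even though no temperature rises, because the pressure drop alone lowers the saturation temperature.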

Sampling of the primary circuit water

A review of the nuclear sampling system was conducted to determine the ability of personnel to obtain a sample of the reactor coolant under accident conditions. The fission product source term, updated in response to the post-TMI2 analysis and studies, was considered to review the effectiveness of the radiation shielding. Based on the results of this review, a post-accident sampling cabinet was installed with additional specific radiation shielding. In addition, if the reactor coolant system sample lines are not available, additional sample lines, connected to the EAS recirculation pipes, allow for alternative post-accident sampling.

Monitoring of the activity in the containment

The radiation level inside the containment is a parameter closely related to the amount of gaseous fission products released into the reactor building. The monitoring range has been extended in the upper part from a dose rate of 10⁵ rad/h to 10⁷ rad/h.

8. Equipment Qualification

Equipment qualification makes it possible to demonstrate that the plant equipment can perform its intended safety functions, despite the unfavorable conditions of a design basis accident during which the equipment must operate. Since the beginning of the PWR program, EDF, in collaboration with the CEA and the nuclear industry, has undertaken a vast program of equipment qualification. This program includes analyses and tests. In response to the post-TMI2 action plan, the qualification program has been improved at two levels. The first level is related to the revision of qualification requirements (equipment performance, analyses that have been performed to define more precisely the environmental conditions of containment resulting from an accident). The second level concerns the development and construction of new test facilities. These can simulate a wide range of accident conditions.

9. Beyond-design events

Beyond-design-basis accident procedures

Prior to TMI-2, the complete loss of some safety-related redundant systems was already analyzed by EDF. The systems analyzed for complete loss were those that are normally used continuously (e.g., the component cooling system, example in Fig. 3.23) or whose frequency of use could be significant (e.g., the ASG system). Since such an event occurred at TMI-2, EDF’s analysis seems well founded. This analysis has led to the installation of additional equipment and to the development of “beyond design basis procedures” (H procedures in the Event Approach) to enable the operator to cope with such events. An example of additional equipment is the turbo-alternator assembly that supplies power to the safety injection test pump and injection to the primary pump seals in preparation for a total loss of power (if the pump seals are ineffective, a small LOCA break is encountered). Each unit is equipped with a turbo-generator set powered by the steam produced by the SGs. Until the power supply is restored, the plant can be safely maintained under hot shutdown conditions, without affecting the tightness of the primary pump seals or the core.

Fig. 3.23: Emergency cooling of primary pump seals in case of total loss of AC power

U1 Emergency Procedure

If the operator encounters a situation that has not yet been analyzed or is unable to make a satisfactory diagnosis of the plant transient, the safety engineer instructs the team to abandon the event-oriented procedures and apply the state-oriented approach (APE) U1 emergency procedure. The U1 emergency procedure is initiated to prevent or delay potential core damage resulting from degraded plant conditions. Most of the operator’s actions when applying accident procedures are based on the event-driven approach. This approach is very effective for most transients. However, it is not possible to pre-analyze and formulate a predetermined response to every conceivable situation. To overcome this problem, for the case where control by the event-oriented approach is lost, the state-oriented approach (APE) was developed and introduced into the procedures for continuous monitoring of the plant state: SPI (Permanent Post-Incident Monitoring), SPU (Permanent Ultimate Monitoring) and the U1 emergency procedure. This approach complements the event-driven approach when the operator encounters a situation that has not yet been analyzed or when he is not able to diagnose the plant state satisfactorily.

10. Emergency Preparedness

A nuclear plant is designed to operate within safety margins that guarantee very limited radiological risks for plant personnel and the public. Nevertheless, despite all the precautions taken at each stage, from design to operation of the plant, accidental conditions leading to a nuclear emergency cannot be excluded. This emergency situation is distinguished from other emergencies by the fact that it is likely to lead to significant radioactive releases into the environment. Therefore, adequate preparation must be made in collaboration with government authorities (national and local) and other organizations to deal with such a situation. The overall emergency state as defined for a nuclear plant accident includes both on-site and off-site emergency preparedness. Emergency preparedness has been improved in France following TMI-2. Among these improvements, the emergency organization is now equipped with a team of on-site experts specialized in nuclear safety and accident analysis. To this end, the on-site technical support center, which houses the experts, is designed to have the same habitability as the control room. Plant information can be displayed and recorded in the technical support center, where a safety panel dialogue console is located. The on-site technical support center provides internal support that complements the off-site technical support centers of EDF and the French safety authorities (National Crisis Center at the IRSN premises in Fontenay-aux-Roses).

Conclusion

The TMI-2 accident is an “earthquake” in the nuclear community because it puts the safety of nuclear reactors into perspective. Engineers admitted that experimental reactors could be fallible, but the occurrence of a severe accident at a power reactor in the USA, the most industrialized country and the leader of technological progress in the field, is more than a surprise: it is a painful questioning. As the saying goes, “Every cloud has a silver lining”: civil nuclear power has learned a lot from TMI-2. In addition to the technological advances and system improvements I mentioned earlier, I will especially remember the paradigm shift introduced by the State Approach.

What is revolutionary in this approach is that we no longer seek to know about the initiator, but only to analyze its consequences. The reduction in procedures is considerable. Studies on the state-oriented approach (APE) began in 1980 with simulator tests, which led to new procedures for accident management of the containment spray (EAS) and the primary pumps around 1982. As an example, the start/stop of the high-pressure injection became based on a grid of the water level in the pressurizer according to the temperature difference at saturation. Around 1984, the SPI-U1 procedure emerged, based on a diagram plotting the RIC temperature (hot spot of the reactor) against, once again, the difference to saturation. From 1990, the ECP (primary) and ECS (secondary) procedures were introduced on the P′4 plant, which use the water level in the vessel. From 1995, the second generation of APE procedures, known as APE*, was applied to the standardized plant P4 and N4. Indeed, the feedback from the application of the APE at the P′4 level has allowed the development of state-oriented approach (APE) procedures for older levels. The APE contains fewer procedures (Fig. 3.24), which have been grouped and standardized, i.e., five procedures for the whole domain in power or unconnected RRA, against the 40 or so event-driven procedures. The state-oriented approach (APE) is then generalized to the 900 plants by including situations where the primary circuit is open. The “RRA connected, full and vented primary circuit” domain during shutdown is covered by two specific procedures. The RRA is the circuit that cools the reactor below 32 bars when the SGs can no longer extract power (Marguet 2019, p. 872). Only the “open primary circuit shutdown” state is still covered by event-driven procedures. The entry into the Severe Accidents Intervention Guide (GIAG, for Guide d’Intervention des Accidents Graves), strongly expanded after TMI-2, is carried out on quantified criteria.

Fig. 3.24: State-oriented approach: second generation of procedures (APE*)

The implementation of the state-oriented approach (APE) was evaluated as early as 1991 using human factors techniques in order to identify its advantages and disadvantages. The state-oriented approach (APE) has the advantage of eliminating what has been called the “contradiction between logic and rule.” This contradiction appears during an event-driven procedure. Strictly applying the rule can come into opposition with the commonsense logic that appears when one no longer understands what one is doing or when the procedure is in fact not the right one. This can lead to significant stress in the consultation phase of the choice of the initiating event and a violent feeling of panic. It is said that panic is communicative, especially if it takes hold of an experienced operator on whom the rest of the shift crew relies. We have seen situations where a rookie would not dare to contradict a senior operator who was on the wrong track. In the event-driven approach, the looping phase only takes place when the initiator is determined. After that, the “no-strings-attached” rule is supposed to be applied. Hence the contradiction mentioned earlier. The state-oriented approach (APE) covers all types of situations and accumulations. This dogma is extremely reassuring for inexperienced operators. The work of analysis is transferred to the specialist engineers who design the method, well upstream of the shift team and at a time when there is time to think, because it takes place upstream of an activity that can be feverish. However, the state-oriented approach (APE) is not without its critics. Some people, especially professionals in the event-driven approach, consider that the APE would reduce the understanding of the actions required and would reduce the margin of the operators, limiting their initiative.
Others consider that the APE, by being a very bounding procedure, is very heavy in its implementation compared to certain “simple” scenarios, typically the untimely tripping of Safety Injection (“a hammer to crush a fly!”). This type of spurious event can be stopped immediately by switching off the injection pumps concerned, well before the continuous looping proposed by the APE takes effect. The APE is therefore criticized for not proposing a diagnosis that allows the operator to visualize the overall scenario. In the APE, the incident is understood by continuous looping, i.e., by the delta between the current situation and that of the previous scan, whereas the event-oriented approach gives a long-term vision from the moment of the initiator. However, the anti-stress effect of the APE is real and appreciated, as shown by the simulator trainings carried out at the end of 1991. As time went by, the criticisms, which came essentially from teams that had practiced the event-based approach, disappeared through natural rejuvenation. The only real question that remains is that of the universal coverage of the APE, taking into account the accumulation of failures, namely the art of cyndinics (Footnote 17). Is it exhaustive in the context of nuclear reactor accidents, given the complexity of the industrial object? Up to now, the state-oriented approach (APE) has always proved effective, but we have never had any “major incidents” in France.

The implementation of the state-oriented approach (APE) was concomitant with a new structuring of the shift teams. The Radiation Safety Engineer (ISR), who is solely in charge of safety aspects and has no plant-operation duties, was created in the shift team following the TMI-2 accident. The ISR will be removed from the shift at the same time as the generalized implementation of the APE. The position of Assistant Shift Supervisor, more specifically in charge of consignments, is also being removed. The establishment of the ISR, whose competences were to be used to complement the decisions of the shift supervisor, seemed to be an adequate response to the feverishness (one could even speak of hysteria) in the control room during the disastrous accident of TMI-2 in 1979. However, the feedback on having an ISR in a shift team is mixed. The ISR takes no operating action. As in “The Desert of the Tartars” (Il deserto dei tartari) by the author Dino Buzzati, the ISR waits for the accident (the war in the novel), an unlikely event which, fortunately, never happens, but which creates a real psychological tension and a routine that is heavy to bear. In addition, this job was rewarded with substantial bonuses, making the recipient reluctant to transfer to another job. The situation of the specialized firemen on nuclear sites raises the same problem: how to keep up the motivation of the agents in these positions of perpetual waiting? Most sites therefore rely on traditional firefighters in the nearby town, but with dedicated nuclear training, rather than on firefighters pre-positioned on site and often with nothing to do. Finally, the Chief Operating Officer (CO) has hierarchical powers, but also powers related to safety monitoring. Some people consider that the constraints of production and the constraints of safety resting on one man are incompatible (the ISR on shift, who had no hierarchical role, could serve as a counterweight).

Man has the ambiguous ability to desire change and to be reluctant to change at the same time. This ambiguity is also reflected in his acceptance of the state-oriented approach (APE). However, the state-oriented approach is a management tool that transcends the problems of competence. An accident will always be better managed by a very competent operator, but the stakes are such that we cannot rely solely on the random competence of the shift teams. The best option is of course the combination of the state-oriented approach (APE) and competence. The future will bring its share of answers.

And to close this very serious chapter on a major nuclear accident, I cannot resist ending on a humorous note, which I hope will not be too out of place in the context, by showing you the visit of President Jimmy Carter (Footnote 18) to the TMI-2 control room in rather ridiculous yellow over-boots (Photo 3.16), looking doubtful in front of a control panel (Photo 3.17), and the corrosive but tender humor of the talented French cartoonist Jacques Faizant (1918–2006), who sketches in one page all the difficulty of informing the public (Photo 3.18) about this affair (“the plumbers of Pennsylvania”). After all, “The only absolute thing in a world like ours is humor!” (Albert Einstein).

Photo 3.16: US President Jimmy Carter visits the TMI-2 Control Room in yellow overboots

Photo 3.17: Jimmy Carter looks doubtful at a control panel in the Command Room

Photo 3.18: The talented French humorist Jacques Faizant sketches a moment in the lives of French people who are visibly concerned about nuclear energy! Jean Elleinstein (1927–2002) was a French historian specializing in communism and a member of the French Communist Party (PCF). Georges Marchais (1920–1997) was the first secretary of the PCF from 1972 to 1997, renowned for his outspoken popular views (DR)

Finally, if you think you can do better than the real operators in 1979, you can play on the Apple-II+ game “Three Mile Island” (Photos 3.19 and 3.20), a curious spin-off of the real story.

Photo 3.19: The Three Mile Island game from Muse Software for the Apple II+ (48 KB of random-access memory, 1980)

Photo 3.20: Detailed operating simulation? The designer Richard Orban (a developer who was credited for video games at MicroProse Software and Riverbank Software in the 1980s and was responsible for the 1988 C-64 game Red Storm Rising) tried his best on this coarsely pixelated game, but be indulgent toward a game dating from the beginnings of the personal computer. You can nevertheless simulate the secondary circuit, turbine and cooling tower (first row, middle); the core vessel, the pressurizer (the little house with pink steam!) and the steam generator with green steam (obviously a U-tube SG instead of a once-through SG) (first row, right); the degradation of the core and the position of the control rods (second row, left); and the auxiliary building with its stack (second row, middle). Please write to me if you can make sense of the second-row, right picture!