ML16006A288
| ML16006A288 | |
| Person / Time | |
|---|---|
| Site: | Browns Ferry, Crane |
| Issue date: | 01/06/2016 |
| From: | Jacqueline Thompson NRC/NRR/DIRS/IOEB |
| To: | |
| John Thompson, NRR/DIRS 415-1011 | |
Presented by John Thompson NRR/ADRO/DIRS/IOEB
Introduction Major Industry Events and Regulatory Implications (lessons learned)
- To familiarize the employee with some of the lessons learned from selected major nuclear operating events
- To meet the objectives of ADM-504 for qualification as an NRC staff general engineer
7 Major Historical Events
1. 1975 Browns Ferry (Major Fire)
2. 1979 TMI-2 (Accident - Core Melt)
3. 1983 Salem ATWS Event
4. 1985 Davis-Besse Loss of Feedwater Event
5. 1986 Chernobyl Accident
6. 1990 Vogtle (Loss of Offsite Power - Shutdown Risk)
7. 2002 Davis Besse RPV Head Corrosion
- 1. Browns Ferry Unit 1 Fire (BWR)
Location: Near Decatur, AL
Date of Event: March 22, 1975
What Happened:
A major fire burned for 7 hours and caused significant damage to approximately 1600 electrical cables that control Units 1 and 2. Unit 1 lost all emergency core cooling systems (ECCS) and the ability to monitor power from the control room.
There was no core damage due to actions taken by the operators. It took 15 hours to achieve a stable situation. This event revealed major design weaknesses in the area of fire protection and led to the creation of Appendix R, 10 CFR Part 50 (Fire Protection).
Browns Ferry Unit 1 Fire (Contd)
Sequence:
An electrical inspector and an electrician were sealing air leaks in the Unit 1 cable spreading room to the reactor building. They were using a candle to find leaks in a temporary seal before the permanent sealing material was installed. A hole (2 x 4) in a penetration window carrying four wires sucked in the flame and inadvertently ignited some foam sealant. The fire, fanned by the draft, spread rapidly to the reactor building side of the wall.
Following the reactor scram due to the alarms caused by the fire, all capability to monitor core power was lost.
Lessons Learned:
- Importance of fires and the ability to safely shut down (10CFR50, Appendix R)
- Possibility of common-mode failures
- Possibility of severe accidents
- Importance of safety culture
Browns Ferry Unit 1 Fire (Contd)
Regulatory Impact:
Creation of fire protection regulation (10CFR50, Appendix R) for physical separation of safe shutdown equipment so that failure of one train would not affect the other.
The industry adopted compensatory measures to address fire protection non-conformances with the use of fire watches.
Browns Ferry Cable Tray Penetration
Browns Ferry Damage in Cable Spreading Room
Browns Ferry Damage to Overhead Cables in the Reactor Building
Reference:
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/fire-protection-bg.html
- 2. Three Mile Island Unit 2
Location: Near Harrisburg, PA
Date of Event: March 28, 1979
What Happened:
The accident began when a power-operated relief valve (PORV) failed to reset during a plant transient, and operators did not realize it was stuck open. This caused the reactor to overheat because the reactor coolant was escaping through the open valve. Operators became confused by the many alarms in the control room and took a series of actions that made plant conditions worse. The reactor core became uncovered, and half of the core melted. Approximately 144,000 people were evacuated from the local area. This accident was a major defining moment for the nuclear industry and the NRC.
Public Alarmed
The Worst Commercial Nuclear Accident in U.S. History
- The reactor fuel was destroyed
- The reactor vessel was damaged
- Thousands of gallons of contaminated water leaked on to the floor
- The local, state, and federal agencies were completely unprepared
- The public was severely frightened
- No personnel or members of the public were harmed
Initial Conditions
- March 28, 1979, 4:00:37am
- TMI-2 operating at 97% of full power
- Persistent leak of reactor coolant through the pzr power operated relief valve (PORV) or possibly a pzr safety relief valve (SRV)
- Maintenance crews also were working for 11 hours on unclogging condensate polishers (Condensate & Feedwater System)
Initiating Event - Loss of Feedwater
- Blockage in condensate polisher transfer line closes feedwater isolation valves
- Within one second Feedwater and Condensate System pumps trip
TMI 2 Sequence
Failure to Recognize Loss of RCS Coolant
- PORV opens but fails to reclose
- Reactor trips; HPI initiated
High Pressure Injection Severely Decreased
- Pzr voids caused inaccurate pressurizer level reading
- Operators bypass High Pressure Injection (HPI) then shut off one pump and throttle other makeup pump
- Operators were trained to avoid a water solid primary system
Reactor Coolant Expansion and Saturation
- RCS nearly full and auxiliary feedwater (AFW) block valves closed
- Disk rupture on reactor coolant system (RCS) quench tank
- Sump discharge to Auxiliary Building
Conditions Before RCS Pumps Shut off
- Operators thought the core was covered with coolant because of erroneous pressurizer level indication, so they had drastically reduced injection flow.
TMI 2 Sequence - cont.
Post accident analysis showed that serious damage to the core did not begin until after the last two Reactor Coolant Pumps were stopped (T=1:40)
If the pressurizer relief valve had been closed and the core had remained covered, then only minor damage to the core may have resulted.
TMI Control Room Shortly After the 1979 Accident
Three Mile Island - Retrospective President Carter exiting the TMI contamination controlled area during the 1979 crisis.
Damaged TMI Core: Photo of damaged fuel. Approx. 44% of the core melted. Source: Perspectives on Reactor Safety, NUREG/CR-8042, Rev. 1 SAND93-0971
Damaged TMI Core View inside vessel showing damaged fuel at the bottom
TMI-Operator Training Issues
Operator training was heavily loaded with system design and interaction information.
Procedures were not symptom-driven, like they are today.
The belief was that if something unexpected occurred, the operators would be able to improvise a solution.
The training was not focused on what operators are expected to do in an emergency.
TMI - Inability to Observe the Fundamental Parameter
- The fundamental safety rule is to keep the reactor fuel core cool
- There were no temperature or level indicators in the core
- Core temperature was inferred from water temperature at the exit of the reactor vessel - it assumed forced flow through the core
TMI-Control Room Opacity
- no visual feedback
- no audio feedback
- no feel for the machine
Kemeny Commission & Rogovin Special Inquiry Reports
- Reorganization of NRC under single administrator
- Stronger Committee on Reactor Safeguards (ACRS)
- More attention to human performance, operator licensing and control room design
- Program to assess operational experience
- Recommended improvements in control room design, operator training, emergency planning
TMI Hardware Recommendations
- Emergency Power for PORV and Block valves
- Relief and safety valve testing
- Direct indication of valve position
- Instrumentation for inadequate core cooling
- Diverse containment isolation
- Dedicated hydrogen control penetrations
- Inerting of BWR containment
- Hydrogen recombiners
- Systems integrity for high radioactivity
- Plant shielding
- Automatic initiation of AFW
- AFW flow indication
TMI Recommendations
- Upgraded emergency plans
- Established Technical Support Center, Operational Support Center, and Emergency Operations Facility
- Formalized NRC emergency response function
- Upgraded operator training and qualifications
- Limited overtime and defined minimum shift crew
- Limited control room access
- Implemented shift turnover checklists
- Upgraded emergency operating procedures
TMI Recommendations: Evaluation of Operating Experience
- NRC and industry implemented operating experience procedures
- Established NRC Office for the Analysis and Evaluation of Operational Data (AEOD)
- INPO established
- 3. Salem ATWS Event
Location: Delaware Bay, New Jersey
Date of Event: February 22 and 25, 1983
What Happened:
On two separate occasions, both trains of reactor trip breakers (RTBs) failed to open on receipt of a valid reactor trip signal (anticipated transient without scram - ATWS).
Operators had to manually trip the reactor. The initiating event was loss of a 4 kV bus during a transfer attempt from the station to the aux transformer.
Salem ATWS Event
Post-event testing of the RTBs indicated that both breakers had failed to open due to mechanical binding in the under-voltage trip mechanisms.
The breaker failures were attributed to excessive wear from improper maintenance of the under voltage relays.
Root causes included: 1) inadequate attention to the importance of vendor-supplied information, 2) absence of an adequate preventive maintenance program, and 3) an inadequate supply, control, and verification of information by the vendor.
Salem ATWS Event Lessons Learned:
Adoption of the 1984 ATWS rule (10 CFR 50.62).
Generic Letter (GL) 83-28 issued, which directed the industry to establish formal vendor interface programs with an inferred wide scope covering nearly all safety-related equipment.
PWRs were required to have equipment that is diverse, reliable, and independent from the RTS to automatically initiate the auxiliary feedwater (AFW) system and initiate a turbine trip under conditions indicative of ATWS. This equipment is called ATWS mitigating system actuation circuitry (AMSAC).
BWRs were required to have a diverse recirculation pump trip, alternate rod insertion circuitry, and upgraded emergency operating procedures; or installed high capacity standby liquid control (SLC) systems. SLC systems were required for BWRs that were granted a construction permit after 1984.
- 4. 1985 Davis-Besse Loss of Feedwater Event
Location: Oak Harbor, OH
Date of Event: June 9, 1985
What Happened:
- 12 separate equipment malfunctions
- Loss of all feedwater
- Steam generators boiled dry, then overfilled
- Overpressure
- Over temperature
- Excessive cooldown
- A near miss precursor that could have resulted in a major accident
1985 Davis-Besse Loss of Feedwater Event
Since April 1985, there were historical problems with controlling both MFW pumps; MFW pump #2 routinely placed in manual to prevent trips.
On June 2, 1985, with reactor power at 90%, the No. 1 TDMFW pump trips due to a control problem. No. 2 TDMFW pump was in manual, but could not adequately compensate with the reactor at 90% power.
After a brief reactor runback, reactor trips from 80% power on high RCS pressure.
Turbine stop valves heard slamming shut - thud heard round the world.
One second later, one channel of steam and feedwater rupture control system (SFRCS) activated - causing the MSIVs to isolate (Malfunctions 1 & 2, and first common-mode failure), isolating the steam supply to the other operating TDMFW pump. This MFW pump eventually coasts down due to loss of steam.
1985 Davis-Besse Loss of Feedwater Event
Operator attempted to manually initiate the SFRCS.
But, AFW to both SGs isolate when the operator depresses wrong switch -- shutting AFW discharge valves (Malfunction 3 - SG FW delta P trip switch pressed instead of SG low w/level switch). Main steam safety valves lift, SGs boil dry.
Both TDAFW pumps auto-started, but both trip on over-speed (Malfunctions 4 & 5, and a second common-mode failure). (lack of a MD AFW pump)
TDAFW pump trips were caused by water slugs in the steam supply piping that came from residual condensation while heating the long cold steam supply path.
All feedwater is now lost.
Operators later realized their error and tried to reopen the AFW valves, but the MOV torque settings were incorrect. Operators had to manually move the valves off their seats before the Limitorque operators would work.
1985 Davis-Besse Loss of Feedwater Event
Lessons Learned:
- Root causes involved design, maintenance, and backlog issues
- Reviews of maintenance programs for motor-operated valves in the AFW system, which included verification of torque and limit switch settings.
- NRC promulgated the Maintenance Rule (10 CFR 50.65) to ensure industry-wide regulation
- New rule requires licensees to monitor overall continuing effectiveness of their maintenance programs
- Equipment operator training was improved throughout the industry
- Inexperience with opening & resetting of TD AFW trip throttle valve and the over speed trip mechanism led to industry wide training
- 5. 1986 Chernobyl Accident
Location: 60 miles north of Kiev, Ukraine
Date of Event: April 26, 1986
What Happened:
Following a turbine generator coast-down experiment, the reactor experienced a beyond design basis reactivity power excursion and subsequent steam explosion that blew apart the reactor core.
The reactivity excursion was caused by a combination of mechanical equipment failures, inadequate design, and significant operator actions that bypassed safety features. This accident was a major defining moment for the world nuclear industry and the NRC.
1986 Chernobyl Accident - Overview
RBMK 1000 Design Attributes:
The RBMK-1000 is an early, Soviet-designed and built graphite moderated pressure tube type reactor, using slightly enriched (2% U-235) uranium dioxide fuel. Chernobyl-4 was one of 14 RBMK 1000s built.
It has some similarities to US BWR technology, with two loops feeding steam directly to the turbines, without an intervening heat exchanger.
The RBMK design allows for on-line refueling.
One of the most significant design flaws of the RBMK 1000 is that as the core ages (i.e., fuel burns up), the core acquires a positive void coefficient, meaning that with an increase in steam bubbles ('voids'), there is an increase in core reactivity.
Note: No US reactors operate with a positive void coefficient due to reactor safety issues.
Chernobyl Control Room After the Accident
1986 Chernobyl Accident Overview
On April 25th, prior to a routine shutdown, the reactor crew at Chernobyl 4 began preparing for a test to determine how long turbines would spin and supply power to the main circulating pumps following a loss of main electrical power supply.
Based on recent operating history, operators had to bypass multiple reactor protective trip functions to place the reactor in the correct test configuration. This led to a very unstable reactivity condition and a very slim reactivity shutdown margin that was made more unstable because of the positive void coefficient.
On April 26th, immediately after the start of the test, (turbine steam inlet valves closed), a power excursion occurred, and operators attempted to scram the reactor. The insertion of the rods only partway into the core fueled the power excursion further, causing a steam explosion to blow apart a significant fraction of the reactor core into the confinement building located above (not a containment structure).
1986 Chernobyl Accident Overview
About two to three seconds later, a second explosion threw out fragments from the fuel channels and hot graphite. There is some dispute among experts about the nature of this second explosion, but it is likely to have been caused by the production of hydrogen from zirconium-steam reactions.
The graphite (about a quarter of the 1200 tons ejected) and fuel became incandescent and started a number of fires, causing the main release of radioactivity into the environment.
Two workers directly died as a result of the blast. The other casualties included firefighters who attended the initial fires on the roof of the turbine building. All these were put out in a few hours, but radiation levels on the first day in the turbine hall were estimated to range from 5-150 Sieverts/hr (15,000 rads/hr), causing 28 acute radiation sickness deaths - six of which were firemen - by the end of July 1986.
Chernobyl Unit 4, Shortly After the April 25, 1986 Accident
The total deaths reliably attributable to the radiation from all causes produced by the Chernobyl accident stands today at 62 by the estimate of UNSCEAR.
Post Chernobyl Assessment
The NRC's post-Chernobyl assessment emphasized the importance of several concepts, including:
- designing a reactor with proper inherent safety features, and then having an appropriate quality assurance program to assure the design is built and maintained appropriately;
- maintaining proper procedures and controls for normal operations and emergencies;
- ensuring the availability of backup safety systems to deal with potential accidents;
- having a safety culture that is thriving at all levels of the plant and staff.
Looking Down on the Chernobyl Unit 4 Reactor Building
An experiment gone awry, poor operator decisions that placed the reactor in an unsafe configuration, and an unforgiving reactor design, were contributing causes to the accident.
Sarcophagus under construction Chernobyl Unit 4
- 6. 1990 Vogtle-1 Loss of Offsite Power During Mid-loop Conditions
Location: Near Augusta, GA
Date of the Event: March 20, 1990
What Happened:
With Unit 2 operating and Unit 1 in a refueling outage (RFO) during mid-loop conditions, a truck in the 230 kV switchyard struck a support column for an offsite power feed to the reserve aux transformer, causing a (partial) loss of offsite power (LOOP) event. Unit 2 automatically tripped and stabilized in hot shutdown. However, Unit 1 experienced major complications because of ongoing maintenance activities while in mid-loop conditions. The personnel and equipment hatches to containment were open.
This event highlighted the importance of managing shutdown risk.
1990 Vogtle Loss of Offsite Power During Mid-loop Conditions (Contd)
Sequence:
Unit 1 was in mid-loop conditions (reduced reactor coolant system (RCS) inventory) near the end of the RFO.
One EDG and one reserve aux transformer were OOS.
A truck in the switchyard backed into a support column to the reserve aux transformer that was feeding safety-related power.
A fault occurred, and the feeder breakers for the safety buses opened.
The one operable EDG started but then tripped. 18 minutes later, it tripped again. EDG jacket water temp sensor malfunctions due to presence of foreign material and reset of the sequencer from an UV condition (lock in) were the causes.
Other subsequent actions caused a loss of all AC power to Unit 1 for 36 minutes.
RCS temperature increased in an uncontrolled manner from 90 to 136 degrees F.
Both the containment building personnel hatch and equipment hatch were open during a portion of this event.
1990 Vogtle Loss of Offsite Power During Mid-loop Conditions (Contd)
Lessons Learned:
The importance of managing shutdown risk and activities in the switchyard
NUMARC 91-06 issued (Guidelines for Industry Actions to Assess Shutdown Management).
Shutdown risk can be very high during reduced RCS inventory.
Plant technical specifications for equipment operability did not fully consider shutdown risk as opposed to operating risk.
References:
NRC Information Notice 90-25, NUMARC 91-06, NRC Generic Letter 88-16 and SECY 97-168 (Proposed Shutdown Rule)
- 7. 2002 Davis-Besse RPV Head Corrosion
Location: Near Toledo, OH
Date of Event: March 7, 2002
What Happened:
An undetected reactor coolant system (RCS) leak in a control rod drive mechanism (CRDM) nozzle flange resulted in severe degradation of the reactor pressure vessel head (RPV) due to boric acid corrosion.
Davis-Besse RPV Head Corrosion (Contd)
Sequence:
During the Refueling Outage (RFO), while removing a machining apparatus from CRDM nozzle no. 3, the nozzle tipped downward.
Inspections revealed wastage of the steel RPV head material adjacent to the nozzle.
The wastage extended 5 inches downward and was about 5 inches at its widest part.
The minimum thickness of the RPV head remaining was only 3/8 inch of the stainless steel cladding on the underside of the RPV head.
Davis-Besse RPV Head Corrosion (Contd)
The event led to a large-scale degradation of reactor vessel head - together 5 control rod drive nozzles were cracked and three cracks went through the pressure boundary.
The degradation mechanism was boric acid corrosion due to leaks through cracks in the nozzles.
NRC issued orders to all PWRs on enhanced inspection requirements.
Required consideration of operating experience in licensing decisions.
Davis-Besse RPV Head Corrosion (Contd)
Lessons Learned:
- Understanding the importance of removing all boric acid deposits from the RPV head
- Recognizing the need to conduct 100% bare metal inspections to best find any leaks through the RPV head penetrations
- Importance of NRC verification of licensee-supplied information
- NRC missed several opportunities to identify this problem
References:
http://www.nrc.gov/reactors/operating/ops-experience/pressure-boundary-integrity/overview.html
Conclusion
The NRC rules and regulations have evolved over time and have incorporated numerous lessons learned from major events such as the accident at TMI and the Browns Ferry fire.
Other industry operating experience is routinely screened and evaluated on a regular basis to identify ways to improve reactor safety.
Learning from evaluating industry events is crucial to meet the mission of the NRC to protect people and the environment from the effects of nuclear power.
Presented by John Thompson NRR/ADRO/DIRS/IOEB
Introduction Major Industry Events and Regulatory Implications (lessons learned)
To familiarize the employee with some of the lessons learned from selected major nuclear operating events To meet the objectives of ADM-504 for qualification as an NRC staff general engineer.
7 Major Historical Events 1.
1975 Browns Ferry (Major Fire) 2.
1979 TMI-2 (Accident - Core Melt) 3.
1983 Salem ATWS Event 4.
1985 Davis-Besse Loss of Feedwater Event 5.
1986 Chernobyl Accident 6.
1990 Vogtle (Loss of Offsite Power - Shutdown Risk) 7.
2002 Davis Besse RPV Head Corrosion
- 1. Browns Ferry Unit 1 Fire (BWR)
Location: Near Decatur, AL Date of Event: March 22, 1975 What Happened:
A major fire burned for 7 hours8.101852e-5 days <br />0.00194 hours <br />1.157407e-5 weeks <br />2.6635e-6 months <br /> and caused significant damage to approximately 1600 electrical cables that control Units 1 and 2. Unit 1 lost all emergency core cooling systems (ECCS) and the ability to monitor power from the control room.
There was no core damage due to actions taken by the operators. It took 15 hours1.736111e-4 days <br />0.00417 hours <br />2.480159e-5 weeks <br />5.7075e-6 months <br /> to achieve a stable situation. This event revealed major design weaknesses in the area of fire protection and led to the creation of Appendix R, 10 CFR Part 50 (Fire Protection).
Browns Ferry Unit 1 Fire (Contd)
Sequence:
An electrical inspector and an electrician were sealing air leaks in the Unit 1 cable spreading room to the reactor building. They were using a candle to find leaks in a temporary seal before the permanent sealing material was installed. A hole (2 x 4) in a penetration window carrying four wires sucked in the flame and inadvertently ignited some foam sealant. The fire, fanned by the draft, spread rapidly to the reactor building side of the wall.
Following the reactor scram due to the alarms caused by the fire, all capability to monitor core power was lost.
Lessons Learned:
Importance of fires and the ability to safely shutdown (10CFR50, Appendix R)
Possibility of common-mode failures Possibility of severe accidents Importance of safety culture
Browns Ferry Unit 1 Fire (Contd)
Regulatory Impact:
Creation of fire protection regulation (10CFR50, Appendix R) for physical separation of safe shutdown equipment so that failure of one train would not affect the other.
The industry adopted compensatory measures to address fire protection non-conformances with the use of fire watches.
Browns Ferry Cable Tray Penetration
Browns Ferry Damage in Cable Spreading Room
Browns Ferry Damage to Overhead Cables in the Reactor Building
Reference:
http://www.nrc.gov/reading-rm/doc-collections/fact-sheets/fire-protection-bg.html
- 2. Three Mile Island Unit 2 Location: Near Harrisburg, PA Date of Event: March 28, 1979 What Happened:
The accident began when a power-operated relief valve (PORV) failed to reset during a plant transient, and operators did not realize it was stuck open. This caused the reactor to overheat because the reactor coolant was escaping through the open valve. Operators became confused by the many alarms in the control room and took a series of actions that made plant conditions worse. The reactor core became uncovered and melted half of the core. Approximately 144,000 people were evacuated from the local area. This accident was a major defining moment for the nuclear industry and the NRC.
Public Alarmed
The Worst Commercial Nuclear Accident in U.S. History The reactor fuel was destroyed The reactor vessel was damaged Thousands of gallons of contaminated water leaked on to the floor The local, state, and federal agencies were completely unprepared The public was severely frightened No personnel or members of the public were harmed
Initial Conditions March 28, 1979, 4:00:37am TMI-2 operating at 97% of full power Persistent leak of reactor coolant through the pzr power operated relief valve (PORV) or possibly a pzr safety relief valve (SRV)
Maintenance crews also were working for 11 hours1.273148e-4 days <br />0.00306 hours <br />1.818783e-5 weeks <br />4.1855e-6 months <br /> on unclogging condensate polishers (Condensate & Feedwater System)
Initiating Event - Loss of Feedwater Blockage in condensate polisher transfer line closes feedwater isolation valves Within one second Feedwater and Condensate System pumps trip TMI 2 Sequence
Failure to Recognize Loss of RCS Coolant PORV opens but fails to reclose Reactor trips; HPI initiated High Pressure Injection Severely Decreased Pzr voids caused inaccurate pressurizer level reading Operators bypass High Pressure Injection (HPI) then shut off one pump and throttle other makeup pump Operators were trained to avoid a water solid primary system Reactor Coolant Expansion and Saturation RCS nearly full and auxiliary feedwater (AFW) block valves closed Disk rupture on reactor coolant system (RCS) quench tank Sump discharge to Auxiliary Building Conditions Before RCS Pumps Shut off Operators thought the core was covered with coolant because of erroneous pressurizer level indication, so they had drastically reduced injection flow.
TMI 2 Sequence - cont.
TMI 2 Sequence - cont.
Post accident analysis showed that serious damage to the core did not begin until after the last two Reactor Coolant Pumps were stopped (T=1:40)
If the pressurizer relief valve had been closed and the core had remained covered, then only minor damage to the core may have resulted.
TMI Control Room Shortly After the 1979 Accident
Three Mile Island - Retrospective President Carter exiting the TMI contamination controlled area during the 1979 crisis.
Damaged TMI Core Photo of damaged fuel Approx. 44%
of the core melted Source: Perspectives on Reactor Safety, NUREG/CR-8042, Rev. 1 SAND93-0971
Damaged TMI Core View inside vessel showing damaged fuel at the bottom
TMI-Operator Training Issues Operator training was heavily loaded with system design and interaction information.
Procedures were not symptom-driven, like they are today.
The belief was that if something unexpected occurred, the operators would be able to improvise a solution.
The training was not focused on what operators are expected to do in an emergency.
TMI - Inability to Observe the Fundamental Parameter
- The fundamental safety rule is to keep the reactor fuel core cool
- There were no temperature or level indicators in the core
- Core temperature was inferred from water temperature at the exit of the reactor vessel - it assumed forced flow through the core
TMI-Control Room Opacity
- no visual feedback
- no audio feedback
- no feel for the machine
Kemeny Commission & Rogovin Special Inquiry Reports Reorganization of NRC under single administrator Stronger Committee on Reactor Safeguards (ACRS More attention to human performance, operator licensing and control room design Program to assess operational experience Recommended improvements in control room design, operator training, emergency planning
TMI Hardware Recommendations Emergency Power for PORV and Block valves Relief and safety valve testing Direct indication of valve position Instrumentation for inadequate core cooling Diverse containment isolation Dedicated hydrogen control penetrations Inerting of BWR containment Hydrogen recombiners Systems integrity for high radioactivity Plant shielding Automatic initiation of AFW AFW flow indication
TMI Recommendations
- Upgraded emergency plans
- Established Technical Support Center, Operational Support Center, and Emergency Operations Facility
- Formalized NRC emergency response function
- Upgraded operator training and qualifications
- Limited overtime and define minimum shift crew
- Limited control room access
- Implemented shift turnover checklists
- Upgraded emergency operating procedures
TMI Recommendations Evaluation of Operating Experience
- NRC and industry implemented operating experience procedures
- Established NRC Office for the Analysis and Evaluation of Operational Data (AEOD)
- INPO established
- 3. Salem ATWS Event Location: Delaware Bay, New Jersey Date of Event: February 22 and 25, 1983 What Happened:
On two separate occasions, both trains of reactor trip breakers (RTBs) failed to open on receipt of a valid reactor trip signal (anticipated transient without scram - ATWS).
Operators had to manually trip the reactor. The initiating event was loss of a 4 kV bus during a transfer attempt from the station to the aux transformer.
Salem ATWS Event Post event testing of the RTBs indicated that both breakers had failed to open due to mechanical binding in the under-voltage trip mechanisms.
The breaker failures were attributed to excessive wear from improper maintenance of the under voltage relays.
Root causes included: 1) inadequate attention to the importance of vendor-supplied information, 2) absence of an adequate preventive maintenance program, and 3) an inadequate supply, control, and verification of information by the vendor.
Salem ATWS Event Lessons Learned:
Adoption of the 1984 ATWS rule (10 CFR 50.62).
Generic Letter (GL) 83-28 issued, which directed the industry to establish formal vendor interface programs with an inferred wide scope covering nearly all safety-related equipment.
PWRs were required to have equipment that is diverse, reliable, and independent from the RTS to automatically initiate the auxiliary feedwater (AFW) system and initiate a turbine trip under conditions indicative of ATWS. This equipment is called ATWS mitigating system actuation circuitry (AMSAC).
BWRs were required to have a diverse recirculation pump trip, alternate rod insertion circuitry, and upgraded emergency operating procedures; or installed high capacity standby liquid control (SLC) systems. SLC systems were required for BWRs that were granted a construction permit after 1984.
- 4. 1985 Davis-Besse Loss of Feedwater Event
Location: Oak Harbor, OH Date of Event: June 9, 1985 What Happened:
- 12 separate equipment malfunctions
- Loss of all feedwater
- Steam generators boiled dry, then overfilled
- Overpressure
- Over temperature
- Excessive cooldown
- A near miss precursor that could have resulted in a major accident
1985 Davis-Besse Loss of Feedwater Event
Since April 1985, there had been historical problems with controlling both MFW pumps; MFW pump #2 was routinely placed in manual to prevent trips.
On June 2, 1985, with reactor power at 90%, the No. 1 TDMFW pump trips due to a control problem. No. 2 TDMFW pump was in manual, but could not adequately compensate with the reactor at 90% power.
After a brief reactor runback, reactor trips from 80% power on high RCS pressure.
Turbine stop valves heard slamming shut - thud heard round the world.
One second later, one channel of steam and feedwater rupture control system (SFRCS) activated - causing the MSIVs to isolate (Malfunctions 1 & 2, and first common-mode failure), isolating the steam supply to the other operating TDMFW pump. This MFW pump eventually coasts down due to loss of steam.
1985 Davis-Besse Loss of Feedwater Event
The operator attempted to manually initiate the SFRCS.
However, AFW to both SGs isolated when the operator depressed the wrong switch, shutting the AFW discharge valves (Malfunction 3 - SG FW delta P trip switch pressed instead of SG low w/level switch). Main steam safety valves lift, SGs boil dry.
Both TDAFW pumps auto-started, but both trip on over-speed (Malfunctions 4 & 5, and a second common-mode failure). (lack of a MD AFW pump)
TDAFW pump trips were caused by water slugs in the steam supply piping that came from residual condensation while heating the long cold steam supply path.
All feedwater is now lost.
Operators later realized their error and tried to reopen the AFW valves, but the MOV torque settings were incorrect. Operators had to manually move the valves off their seats before the Limitorque operators would work.
1985 Davis-Besse Loss of Feedwater Event
Lessons Learned:
- Root causes involved design, maintenance, and backlog issues
- Reviews of maintenance programs for motor-operated valves in the AFW system, which included verification of torque and limit switch settings
- NRC promulgated the Maintenance Rule (10 CFR 50.65) to ensure industry-wide regulation
- New rule requires licensees to monitor overall continuing effectiveness of their maintenance programs
- Equipment operator training was improved throughout the industry
- Inexperience with opening & resetting of TD AFW trip throttle valve and the over speed trip mechanism led to industry wide training
- 5. 1986 Chernobyl Accident
Location: 60 miles north of Kiev, Ukraine Date of Event: April 26, 1986 What Happened:
Following a turbine generator coast-down experiment, the reactor experienced a beyond design basis reactivity power excursion and subsequent steam explosion that blew apart the reactor core.
The reactivity excursion was caused by a combination of mechanical equipment failures, inadequate design, and significant operator actions that bypassed safety features. This accident was a major defining moment for the world nuclear industry and the NRC.
1986 Chernobyl Accident - Overview
RBMK 1000 Design Attributes:
The RBMK-1000 is an early, Soviet-designed and built graphite moderated pressure tube type reactor, using slightly enriched (2% U-235) uranium dioxide fuel. Chernobyl-4 was one of 14 RBMK 1000s built.
It has some similarities to US BWR technology, with two loops feeding steam directly to the turbines, without an intervening heat exchanger.
The RBMK design allows for on-line refueling.
One of the most significant design flaws of the RBMK 1000 is that as the core ages (i.e., fuel burns up), the core acquires a positive void coefficient, meaning that with an increase in steam bubbles ('voids'), there is an increase in core reactivity.
Note: No US reactors operate with a positive void coefficient due to reactor safety issues.
Chernobyl Control Room After the Accident
1986 Chernobyl Accident Overview
On April 25th, prior to a routine shutdown, the reactor crew at Chernobyl 4 began preparing for a test to determine how long turbines would spin and supply power to the main circulating pumps following a loss of main electrical power supply.
Based on recent operating history, operators had to bypass multiple reactor protective trip functions to place the reactor in the correct test configuration. This led to a very unstable reactivity condition and a very slim reactivity shutdown margin that was made more unstable because of the positive void coefficient.
On April 26th, immediately after the start of the test, (turbine steam inlet valves closed), a power excursion occurred, and operators attempted to scram the reactor. The insertion of the rods only partway into the core fueled the power excursion further, causing a steam explosion to blow apart a significant fraction of the reactor core into the confinement building located above (not a containment structure).
1986 Chernobyl Accident Overview
About two to three seconds later, a second explosion threw out fragments from the fuel channels and hot graphite. There is some dispute among experts about the nature of this second explosion, but it is likely to have been caused by the production of hydrogen from zirconium-steam reactions.
The graphite (about a quarter of the 1200 tons ejected) and fuel became incandescent and started a number of fires, causing the main release of radioactivity into the environment.
Two workers directly died as a result of the blast. The other casualties included firefighters who attended the initial fires on the roof of the turbine building. All these were put out in a few hours, but radiation levels on the first day in the turbine hall were estimated to range from 5-150 Sieverts/hr (15,000 rads/hr), causing 28 acute radiation sickness deaths - six of which were firemen - by the end of July 1986.
Chernobyl Unit 4, Shortly After the April 25, 1986 Accident
The total deaths reliably attributable to the radiation from all causes produced by the Chernobyl accident stands today at 62 by the estimate of UNSCEAR.
Post Chernobyl Assessment
The NRC's post-Chernobyl assessment emphasized the importance of several concepts, including:
- designing a reactor with proper inherent safety features, and then having an appropriate quality assurance program to assure the design is built and maintained appropriately;
- maintaining proper procedures and controls for normal operations and emergencies;
- ensuring the availability of backup safety systems to deal with potential accidents;
- having a safety culture that is thriving at all levels of the plant and staff.
Looking Down on the Chernobyl Unit 4 Reactor Building
An experiment gone awry, poor operator decisions that placed the reactor in an unsafe configuration, and an unforgiving reactor design were contributing causes to the accident.
Sarcophagus under construction Chernobyl Unit 4
- 6. 1990 Vogtle-1 Loss of Offsite Power During Mid-loop Conditions
Location: Near Augusta, GA Date of the Event: March 20, 1990 What Happened:
With Unit 2 operating and Unit 1 in a refueling outage (RFO) during mid-loop conditions, a truck in the 230 kV switchyard struck a support column for an offsite power feed to the reserve aux transformer, causing a (partial) loss of offsite power (LOOP) event. Unit 2 automatically tripped and stabilized in hot shutdown. However, Unit 1 experienced major complications because of ongoing maintenance activities while in mid-loop conditions. The personnel and equipment hatches to containment were open.
This event highlighted the importance of managing shutdown risk.
1990 Vogtle Loss of Offsite Power During Mid-loop Conditions (Contd)
Sequence:
Unit 1 was in mid-loop conditions (reduced reactor coolant system (RCS) inventory) near the end of the RFO.
One EDG and one reserve aux transformer were OOS.
A truck in the switchyard backed into a support column to the reserve aux transformer that was feeding safety-related power.
A fault occurred, and the feeder breakers for the safety buses opened.
The one operable EDG started but then tripped. 18 minutes later, it tripped again. The causes were EDG jacket water temp sensor malfunctions due to the presence of foreign material and reset of the sequencer from a UV condition (lock in).
Other subsequent actions caused a loss of all AC power to Unit 1 for 36 minutes.
RCS temperature increased in an uncontrolled manner from 90 to 136 degrees F.
Both the containment building personnel hatch and equipment hatch were open during a portion of this event.
1990 Vogtle Loss of Offsite Power During Mid-loop Conditions (Contd)
Lessons Learned:
The importance of managing shutdown risk and activities in the switchyard
NUMARC 91-06 issued (Guidelines for Industry Actions to Assess Shutdown Management).
Shutdown risk can be very high during reduced RCS inventory.
Plant technical specifications for equipment operability did not fully consider shutdown risk as opposed to operating risk.
References:
NRC Information Notice 90-25, NUMARC 91-06, NRC Generic Letter 88-16 and SECY 97-168 (Proposed Shutdown Rule)
- 7. 2002 Davis-Besse RPV Head Corrosion
Location: Near Toledo, OH Date of Event: March 7, 2002 What Happened:
An undetected reactor coolant system (RCS) leak in a control rod drive mechanism (CRDM) nozzle flange resulted in severe degradation of the reactor pressure vessel head (RPV) due to boric acid corrosion.
Davis-Besse RPV Head Corrosion (Contd)
Sequence:
During the Refueling Outage (RFO), while removing a machining apparatus from CRDM nozzle no. 3, the nozzle tipped downward.
Inspections revealed wastage of the steel RPV head material adjacent to the nozzle.
The wastage extended 5 inches downward and was about 5 inches at its widest part.
The minimum thickness of the RPV head remaining was only 3/8 inch of the stainless steel cladding on the underside of the RPV head.
Davis-Besse RPV Head Corrosion (Contd)
The event led to a large-scale degradation of the reactor vessel head. In total, 5 control rod drive nozzles were cracked, and three cracks went through the pressure boundary.
The degradation mechanism was boric acid corrosion due to leaks through cracks in the nozzles.
NRC issued orders to all PWRs on enhanced inspection requirements.
Required consideration of operating experience in licensing decisions.
Davis-Besse RPV Head Corrosion (Contd)
Lessons Learned:
- Understanding the importance of removing all boric acid deposits from the RPV head
- Recognizing the need to conduct 100% bare metal inspections as the best way to find any leaks through the RPV head penetrations
- Importance of NRC verification of licensee supplied information
- NRC missed several opportunities to identify this problem
References:
http://www.nrc.gov/reactors/operating/ops-experience/pressure-boundary-integrity/overview.html
Conclusion
The NRC rules and regulations have evolved over time and have incorporated numerous lessons learned from major events such as the accident at TMI and the Browns Ferry fire.
Other industry operating experience is routinely screened and evaluated to identify ways to improve reactor safety.
Learning from evaluating industry events is crucial to meet the mission of the NRC to protect people and the environment from the effects of nuclear power.