Breaking news from Fukushima!
#26
I find Chernobyl and TMI to be fascinating. In both cases, the nuclear system operated in a way that was counterintuitive to the operators. At Chernobyl when the reactor scrammed, its thermal output actually spiked initially, which caused the incident. At TMI, operators were concerned that there was too much water in the reactor loop, when in fact water was low and leaking.
It is also ironic that the Chernobyl accident happened while they were performing an experiment to improve the safety of the plant.
#27
Boost Pope
Thread Starter
iTrader: (8)
Join Date: Sep 2005
Location: Chicago. (The less-murder part.)
Posts: 33,478
Total Cats: 6,897
I find Chernobyl and TMI to be fascinating. In both cases, the nuclear system operated in a way that was counterintuitive to the operators. At Chernobyl when the reactor scrammed, its thermal output actually spiked initially, which caused the incident. At TMI, operators were concerned that there was too much water in the reactor loop, when in fact water was low and leaking.
What I find most fascinating is this:
The movie "The China Syndrome" was released on March 16, 1979. In it, a near-meltdown was narrowly averted after the operators of a nuclear power plant, facing extremely ambiguous and confusing indications of reactor water level, de-pressurized the main loop in an effort to prevent the system from going solid, when in fact the water level in the core was already dangerously low. In the film, one of the characters (a physicist and nuclear critic) noted that, in a worst-case-scenario, a meltdown of the fictional Ventana Nuclear Power Plant would "render an area the size of Pennsylvania permanently uninhabitable."
Twelve days later, on March 28, 1979, the Three Mile Island Unit 2, located in Pennsylvania, melted down. While the incident had many precipitating factors, the most immediate proximate cause was that the operators failed to notice that the main loop had become depressurized due to a faulty relief valve, and were in fact misled by ambiguous water level indications which caused them to believe that the system was on the verge of going solid.
#31
Boost Pope
Thread Starter
There are two major types of reactors in use in the US, boiling water reactors and pressurized water reactors. This is relevant to the second type, which is more common.
In a PWR, the primary loop is run at extremely high pressure, which prevents the water from boiling inside the reactor. In fact, there is only one place in the primary loop where steam is allowed to form. This is the "pressurizer", which is a huge expansion tank that is the highest point in the system. Here, a steam bubble is kept, which acts like a shock-absorber for the primary loop, like a water hammer arrestor. It also gives the operators a way to control the pressure in the system, by modulating the amount of steam vs. water inside. In an emergency (such as the need to inject makeup water via the LPCI system, or an uncontrolled rise in pressure which threatens to cause a bursting failure), pressure in the primary loop can be dumped by opening a relief valve to bleed steam out into a condensing tank.
If all of the steam is allowed to escape, and the pressurizer fills completely with water, the system is said to have "gone solid." The cushioning effect of the bubble is lost, as is the ability to control the pressure in the system.
Operators are trained to NEVER let the system go solid. In the movie The China Syndrome, this is why they were frantically bleeding water out of the primary loop when the pen-recorder stuck.
In the real meltdown at TMI, the relief valve which failed open was at the top of the pressurizer. It let all the steam out of the system and dropped the pressure in the loop low enough that water started to boil inside the core. Since the core itself was not fitted with a water-level gauge, the operators ASSUMED that the core was full of water, because they saw that the pressurizer was full. In reality, the core was boiling violently, half-empty, and it was the steam coming out of it that was pushing all the rest of the water up into the pressurizer and causing the false water-level indications.
Last edited by Joe Perez; 02-21-2014 at 09:43 PM.
#32
Boost Pope
Thread Starter
The placement of the pressurizer in the system:
A few words about the pressurizer itself: http://en.m.wikipedia.org/wiki/Pressurizer
#33
Elite Member
iTrader: (1)
Join Date: Feb 2008
Location: Birmingham Alabama
Posts: 7,930
Total Cats: 45
Well that's a pretty flawed system then isn't it? The worst case scenario that you are trying to avoid, by design causes a false reading on one of the most important gauges in the system that is supposed to be keeping such an event from happening in the first place. Almost like a paradox.
#34
Wasn't FMEA something designers did back then? I mean, we do it with cellphone chargers so any failure won't cause a fire or electrocution.
Failure mode and effects analysis - Wikipedia, the free encyclopedia
#35
Boost Pope
Thread Starter
As with most great engineering disasters, TMI represented the confluence of a large number of major flaws all coming together in just the right way.
The design of the pneumatic fittings wasn't well thought-out, since it allowed cross coupling of utility air and water into the instrument-air system.
The design of the primary feedwater valves was defective, since it caused the valves to fall shut when instrument air was lost.
The design of the condenser was defective, since the inrush of live steam from a turbine trip caused it to choke.
The indicator on the PORV was poorly designed, since it showed only commanded state, while the operators believed that it showed actual state.
Operating procedures were massively violated by running the plant with all emergency feedwater valves closed.
The training of the operators was badly flawed, as it fixed on following scripts to respond to anticipated emergencies rather than thinking critically to solve unanticipated ones.
Only one phone line into the control room was available, and it was not properly managed, meaning that it took hours before the reactor's designer was finally able to communicate with the operators, telling them to ignore the damned pressurizer and pour as much water as possible into the system ASAP.
A lot of changes were made to training and operational procedures in the aftermath of TMI, and numerous retrofits made to existing plants. It is a testament to the efficacy of these that no serious nuclear accident has ever occurred in the US in the 35 years since, despite many significant equipment failures understandably occurring in what is now an aging reactor fleet.
#36
As with most great engineering disasters, TMI represented the confluence of a large number of major flaws all coming together in just the right way.
The design of the pneumatic fittings wasn't well thought-out, since it allowed cross coupling of utility air and water into the instrument-air system.
The design of the primary feedwater valves was defective, since it caused the valves to fall shut when instrument air was lost.
The design of the condenser was defective, since the inrush of live steam from a turbine trip caused it to choke.
The indicator on the PORV was poorly designed, since it showed only commanded state, while the operators believed that it showed actual state.
Operating procedures were massively violated by running the plant with all emergency feedwater valves closed.
The training of the operators was badly flawed, as it fixed on following scripts to respond to anticipated emergencies rather than thinking critically to solve unanticipated ones.
Only one phone line into the control room was available, and it was not properly managed, meaning that it took hours before the reactor's designer was finally able to communicate with the operators, telling them to ignore the damned pressurizer and pour as much water as possible into the system ASAP.
A lot of changes were made to training and operational procedures in the aftermath of TMI, and numerous retrofits made to existing plants. It is a testament to the efficacy of these that no serious nuclear accident has ever occurred in the US in the 35 years since, despite many significant equipment failures understandably occurring in what is now an aging reactor fleet.
#37
Elite Member
As with most great engineering disasters, TMI represented the confluence of a large number of major flaws all coming together in just the right way.
The design of the pneumatic fittings wasn't well thought-out, since it allowed cross coupling of utility air and water into the instrument-air system.
The design of the primary feedwater valves was defective, since it caused the valves to fall shut when instrument air was lost.
The design of the condenser was defective, since the inrush of live steam from a turbine trip caused it to choke.
The indicator on the PORV was poorly designed, since it showed only commanded state, while the operators believed that it showed actual state.
Operating procedures were massively violated by running the plant with all emergency feedwater valves closed.
The training of the operators was badly flawed, as it fixed on following scripts to respond to anticipated emergencies rather than thinking critically to solve unanticipated ones.
Only one phone line into the control room was available, and it was not properly managed, meaning that it took hours before the reactor's designer was finally able to communicate with the operators, telling them to ignore the damned pressurizer and pour as much water as possible into the system ASAP.
A lot of changes were made to training and operational procedures in the aftermath of TMI, and numerous retrofits made to existing plants. It is a testament to the efficacy of these that no serious nuclear accident has ever occurred in the US in the 35 years since, despite many significant equipment failures understandably occurring in what is now an aging reactor fleet.
#38
Interesting point. I am surprised that's the way they went, it seems like a no-brainer that a "trained professional" is a much better problem solver than a script reader. Reminds me of calling tech support. (please restart your computer, then clear this thing, then try again..)
Since the designers of the system presumably took more or less every conceivable situation into account designing it, they can also incorporate that into the procedures system. While something higher than a 1 hour instructional video and a magic decoder ring would still be required to run things, only as much intuition as is required to follow the manual was desired. Following carefully created procedures was (probably correctly overall) considered the safe, consistent way to go about things.
#40
If you design something to be idiot-proof, nature will design a better idiot. You'll notice that the one thing that was responsible for the meltdown was the closed emergency feedwater valves. The plant would have sustained everything else on Joe's list without a problem except the closed valves.
You can see some of the engineering assumptions and compromises built into the design in Joe's Article. Look at the section on core temperature sensors. Apparently they could only measure up to 700 degrees, after which they went full scale. Typically you pick the smallest range you can in order to provide the operators with the greatest resolution for their data. 700 degrees was probably chosen because if the core temp ever went above 700, they assumed you were fucked. Likewise, the checklist was probably well thought out, but assumed that the feedwater valves were open, because you would never run a reactor with emergency backup systems bypassed.