Lax Safety, Poor Procedures At Darlington Nuke Plant

The Union of Concerned Scientists released a damning report on the nuclear power plant operated in Darlington, SC by Progress Energy, known as HB Robinson. The same company operates the Southport plant near Wilmington, NC.

The entire report is worth reading, as it reveals the plethora of problems that exist in operational plants. None of the problems were disastrous. However, the manner in which the plant operators and regulators handled these issues does indicate how well they might respond to a serious event.

Progress Energy’s H.B. Robinson Plant sits in Darlington, SC, north of the fault zone responsible for the 1886 Charleston Earthquake. While the likelihood of such an earthquake is unknown, there is ample geologic evidence of strong quakes occurring along the Charleston fault. The South Carolina Emergency Management Division maintains an earthquake awareness site here, which links to a 609-page report on the Comprehensive Seismic Risk and Vulnerability Study for the State of South Carolina. Given the demonstrated ineffectiveness of NRC oversight of the Robinson plant under ordinary conditions, we have to seriously question whether Progress Energy, the NRC or the SC government is equipped to cope with an earthquake.

The state of SC produced a 609-page report on earthquake disaster preparedness in 2001. What the report has to say on power stations in general is worrisome.

The electric power generating facilities that were visited during this study were braced steel frame structures with tall exhaust stacks. They were determined to be of low seismic design and poor construction. Nuclear facilities were assumed to be of high seismic design with superior construction.

Comprehensive Seismic Risk and Vulnerability Study for the State of South Carolina. South Carolina Emergency Preparedness Division. Page 183.

As The State paper notes, the conditions and response at the Darlington plant raise serious questions about the ability of the state’s nuclear operators to cope with emergencies.

Inspectors studying safety questions at more than a dozen U.S. nuclear plants last year found the most serious concerns in South Carolina — at a 40-year-old Darlington County atomic power station that experienced two fires and equipment failures, a new report says.

To say that the fires and the management failures “raise concerns” is an understatement. The report calls Progress Energy’s handling of the incidents “unbelievably poor”.
The report is also directed at the Nuclear Regulatory Commission. The NRC exists to regulate the operations of these nuclear plants. The Union of Concerned Scientists found that in many cases the NRC was effective in stopping plant operators from taking unsafe actions. In other cases, as at the Darlington Plant, the NRC was ineffective.
For example, at the Oconee nuclear plant, also in SC:

NRC inspectors averted a possible safety problem by refusing to accept plant operators’ rationale for allowing a component in Units 2 and 3 to go untested after a similar component in Unit 1 had failed.

The NRC and Nuclear Power Plant Safety in 2010, UCS, p.30.

The report also criticizes the Nuclear Regulatory Commission for clouding the problems at plants with a lack of transparency.  Unspecified security concerns at Duke Power prompted NRC action, but almost nothing is known about the problem, the regulation, or the response of Duke.
Security problems prompted the NRC to conduct a special inspection. Details of the problems, their causes, and their fixes are not publicly available…However, the cover letter sent to the plant owner with the SIT report is publicly available, and indicates that the NRC identified one Green violation (NRC 2010r).
Green violations indicate problems of “very low safety significance.” So it does seem possible for the NRC to regulate plants that are currently operational under good conditions, although, as the report notes, they are not forthcoming about security concerns, perhaps for good reason.
The UCS report on the Robinson reactor in Darlington, however, shows how “years of programmatic failures” create cumulative problems at nuclear plants. There were two serious incidents at HB Robinson in six months. The report is too long to reproduce here, but is very much worth reading.
Event #1 begins much like the disaster at Three Mile Island, with an electrical fire. In this case the events didn’t unfold in the same way, and there was no release of radiation. The poor conditions at the plant and the mistakes made by plant personnel mean that a more serious problem was averted only by good fortune.
The NRC sent an SIT to the site to investigate electrical fires, which had caused an unplanned reactor shutdown and declaration of an Alert—the third-most-serious emergency classification—on March 28, 2010. The SIT found so many problems that the NRC upgraded it to an AIT after a few days (NRC 2010q).  The AIT documented numerous problems in many areas—including design and procurement of safety equipment, maintenance, operations, and training—over many years. There is simply no excuse for the fact that the company and the NRC had not detected and corrected at least some of these problems before this event.
How the Event Unfolded
The event began when a 4,160-volt electrical cable shorted out and started a fire. An electrical breaker designed to automatically open and deenergize power to the shorted cable failed to do so.  The failed electrical breaker allowed electricity to flow from a circuit through the shorted cable into the ground, reducing the circuit’s voltage. This circuit powered a large motor-driven pump circulating water through the reactor core, among other components. As the circuit’s power dropped, the pump’s output also dropped low enough to trigger the reactor to shut down automatically.
The electrical problems damaged the main power transformer between the plant and its electrical grid. When the reactor shuts down, this transformer usually allows the electrical grid to supply power to the plant’s equipment. However, the damage to this transformer meant that another transformer had to provide the sole connection to the electrical grid. Other electrical breakers opened to isolate the faulted cable. This stabilized the plant’s electrical conditions, but left roughly half of its equipment without power.
The equipment without power included valves on drain lines from the main steam lines. Although these valves normally close when a reactor shuts down, they opened fully on loss of power, as designed. That meant that heat escaped from the reactor more rapidly than normal, exceeding the cool down safety limit of 100° F per hour. The large reactor vessel and its piping have strict limits on how fast they can heat up or cool down to prevent thermal stress from cracking the metal. The operators did not notice the open drain valves or abnormally fast cool down. Another power failure 33 minutes later closed the drain valves.
The electrical problems interrupted the supply of cooling water to the pump seals for the reactor coolant system. When seals are damaged by overheating, cooling water leaks into the containment building. Control room operators did not notice the lack of cooling for more than 30 minutes.
After the reactor shut down, the operators started two pumps that transferred water from a tank in the auxiliary building to the reactor vessel. When this tank emptied, the pumps were supposed to automatically realign to obtain water from the refueling water storage tank. This realignment failed to happen. The operators did not notice this failure for nearly an hour.
About four hours into the event, the operators attempted to restore power to the de-energized circuit, but they did not check first to ensure that workers had fixed the original fault—and they had not. When the operators closed the electrical breaker to repower the circuit, they reenergized the shorted cable, and it caused another fire. The electrical disturbance also triggered alarms on both sets of station batteries, prompting the operators to declare an emergency Alert.
The AIT documented an incredibly long series of mistakes that first caused this event and then made it more severe. For example, the cable that started the first fire, installed in 1986, did not meet several parameters specified in the plant design. The design called for providing coated copper conductors for the cable, but it had uncoated conductors. The design also called for an outer jacket on the cable, but it did not have one. And finally, the design called for insulating the cable with self-extinguishing and nonpropagating material. However, rather than extinguishing when the cable was de-energized, the fire actually spread along its length.  The non-conforming cable was connected to an electrical breaker that was supposed to open if the cable failed to isolate the problem. But with the breaker closed, a light bulb thought to indicate that the breaker was closed would not illuminate.
Workers had replaced the bad light bulb in November 2008, but the new bulb also failed to illuminate. These workers thought that meant the bulb was good but the socket was bad, so they requested that other workers repair it. The second group of workers never made the trip, thinking it merely concerned an annoying problem with an unnecessary light bulb. But that bulb, when lit, actually indicated that control power was available to automatically open the electrical breaker. With the bulb not lit, the electrical breaker did not open.
Control room operators joined this error-fest with errors of omission and commission. First, they failed to stay aware of key plant parameters. For example, they did not note that the cool down rate of the reactor coolant exceeded the safety limit of 100° F per hour. Second, as noted, they failed to ensure that workers had corrected the original electrical fault before reenergizing the electrical circuits. Because the problem remained uncorrected, their misguided actions started another fire.
Event #2 occurred six months later, after a coolant pump failed.
The NRC sent an SIT to the site after an automatic shutdown of the reactor on October 7, 2010, followed by equipment failures and operator miscues (NRC 2010b). This was the second near-miss at Robinson in six months (see the preceding case). The SIT found many of the same shortcomings that had played a role in the earlier near-miss: bad design, nonconforming parts, inadequate operator performance, and poor training. The SIT should not have been surprised: an owner cannot correct years of programmatic deficiencies overnight.
Read the full report on this and other plants here: