by David Dinsmore Comey
from Not Man Apart,
published by Friends of the Earth, California, 1976.
Just below the plant's control room, two electricians were trying to seal air leaks in the cable spreading room, where the electrical cables that control the two reactors are separated and routed through different tunnels to the reactor buildings. They were using strips of spongy foam rubber to seal the leaks. They were also using candles to determine whether or not the leaks had been successfully plugged -- by observing how the flame was affected by escaping air.
The electrical engineer put the candle too close to the foam rubber, and it burst into flame.
The resulting fire, which disabled a large number of engineered safety systems at the plant, including the entire emergency core cooling system (ECCS) on Unit 1, and almost resulted in a boiloff/meltdown accident, demonstrates the vulnerability of nuclear plants to "single failure" events and human fallibility.
"Because the wall is about 30 inches thick and the opening deep, I could not reach in far enough, so C [the inspector] asked me for the foam and he stuffed it into the hole. The foam is in sheet form, it is a 'plastic' about 2 inches thick, that we use as a backing material."
The inspector, "C", describes what happened next:
"We found a 2 x 4 inch opening in a penetration window in a tray with three or four cables going through it. The candle flame was pulled out horizontal showing a strong draft. D [the electrician] tore off two pieces of foam sheet for packing into the hole. I rechecked the hole with the candle. The draft sucked the flame into the hole and ignited the foam which started to smoulder and glow. D handed me his flashlight with which I tried to knock out the fire. This did not work and then I tried to smother the fire with rags stuffed in the hole. This also did not work and we removed the rags. Someone passed me a CO2 extinguisher with a horn which blew right through the hole without putting out the fire, which had gotten back into the wall. I then used a dry chemical extinguisher, and then another, neither of which put out the fire."
In its report on the cause of the fire, the TVA stated:
"The material ignited by the candle flame was resilient polyurethane foam. Once the foam was ignited, the flame spread very rapidly. After the first application of the CO2 , the fire had spread through to the reactor building side of the penetration. Once ignited, the resilient polyurethane foam splattered as it burned. After the second extinguisher was applied, there was a roaring sound from the fire and a blowtorch effect due to the airflow through the penetration.
"The airflow through the penetration pulled the material from discharging fire extinguishers through the penetration into the reactor building. Dry chemicals would extinguish the flames, but the flame would start back up."
As the NRC report on the incident noted,
The Browns Ferry Nuclear Plant Emergency Procedure lists two different telephone numbers to be used in reporting a fire, one in a table of emergency numbers and the second in a test of the procedure. The appropriate number (299) is the one in the test; dialing this number automatically sounds the fire alarm and rings the Unit 1 operator's telephone.
"The Emergency Procedure was not followed by those involved when reporting the fire. The construction workers first attempted to extinguish the fire, whereas the procedure specifies that the fire alarm be sounded first. The guard reporting the fire telephoned the shift engineer's office rather than calling either of the numbers listed in the procedure."
Only when the shift engineer then called the control room on the 299 number to get the reactor operator was the plant fire alarm actually sounded. It was fortunate that the shift engineer was in an office with a PAX phone (the plant's internal telephone system) which allowed him to call the 299 number. Had he been at a construction department extension, he could not have placed the call, as the TVA's investigative report later revealed:
"BFNP Standard Practice BFS3, 'Fire Protection and Prevention', instructs DPP (Department of Power Production) personnel discovering a fire, whether in a construction area or an area for which DPP is responsible, to report the fire to the Construction Fire Department, telephone 235.
[However,] 'BFNP Fire, Explosion and Natural Disaster Plan' instructs personnel discovering a fire to call 299 (PAX).
The construction extension cannot be dialed from the PAX system, and the plant extension cannot be dialed from the Construction phone system."
"Control board indicating lights were randomly glowing brightly, dimming, and going out; numerous alarms occurring; and smoke coming from beneath panel 9-3, which is the control panel for the emergency core cooling system (ECCS). The operator shut down equipment that he determined was not needed, only to have them restart again."
The flashing lights, alarms, smoke and continual restarting of the ECCS pumps went on for a full ten minutes before the reactor operators began to wonder whether it might be prudent to shut down the reactors.
After the power level on the Unit 1 reactor began to drop inexplicably, the operator started to reduce the flow of the reactor's operating pumps; when the pumps suddenly quit at 12:51, he finally shut the reactor down by inserting the control rods.
"I checked and found that the only water supply to the reactor at this time was the control rod drive pump, so I increased its output to maximum."
Meanwhile, a few feet away on the Unit 2 side of the control room, warning lights had also been going off for some time. A shift engineer stated,
"Panel lights were changing color, going on and off. I noticed the annunciators on all four diesel generator control circuits showed ground alarms. I notified the shift engineer of this condition and said I didn't think they would start."
According to the official TVA report,
"At 1:00 pm the Unit 2 operator observed decreasing reactor power, many scram alarms, and the loss of some indicating lights. The operator put the reactor in shutdown mode."
Some of the shutdown equipment began failing on Unit 2, and the high-pressure ECCS was lost at 1:45 pm. Control over the reactor relief valves was lost at 1:20 pm and not restored until 2:15 pm, at which time the reactor was depressurized by using the relief valves and brought under control.
"At about 1:15 I lost my nuclear instrumentation. I only had control of four relief valves....
"At about 1:30, I knew that the reactor water level could not be maintained, and I was concerned about uncovering the core."
Had the core become uncovered, a meltdown of the reactor fuel would have begun because of the radioactive decay heat in the fuel.
In order to prevent the reactor water from boiling off, it was necessary to get more water into the core than the single high-pressure control rod drive pump could provide. It was decided that by opening the reactor relief valves, the reactor would be depressurized from 1020 to below 350 pounds per square inch, where a low-pressure pump would be capable of forcing water in to keep the core covered. None of the normal or emergency low-pressure pumps were working, however, so a makeshift arrangement was made, using a condensate booster pump. This was able to provide a temporarily adequate supply of water to the reactor, although the level dropped from its normal 200 inches above the core down to only 48 inches. Using the makeshift system, the Unit 1 reactor was under control for the time being.
Unit 2 was also under control, but by a rather thin margin. The "A" and "C" subsystems of the low-pressure ECCS and the core spray system had been lost early in the incident, and the "B" system failed intermittently between 1:35 pm and 4:35 pm. With only one subsystem of the low-pressure ECCS available, the Unit 2 operator resorted to using the condensate booster pump arrangement similar to the one that had been rigged up for Unit 1.
Other systems were failing; at 2:43 one of the plant's four diesel generators failed, leaving the plant with a bare minimum of emergency on-site power supply.
To add to the confusion, the PAX telephone system failed at 1:57 pm, making outgoing calls from the control room impossible for several hours. This represented a considerable hardship, because the control room had lost control over most of the plant's valves, and the plant telephone system was being used to instruct equipment operators to manually adjust certain key valves in the condensate booster system pumping water into the reactor core.
Moreover, the Unit 1 operator did not know the level of the temperature of the water in the torus (the reactor containment suppression chamber) because the monitors were not working. Yet, as a General Electric supervisor's log showed,
"With the relief valves in operation, the need for torus cooling became vital. The RHR [Residual Heat Removal] system was unavailable for torus cooling."
Unless the RHR system could be put in operation, there was the danger that the water in the torus would begin to boil, and this would eventually overpressurize the containment and rupture it.
As the NRC report remarks in its restrained way,
"After condensate flow to the reactor was established, the major concern was to establish torus cooling and shutdown cooling using the RHR as quickly as possible.
"Operator M stated that he made a list of RHR valves needed to obtain torus cooling. He further stated that at approximately 3:15 pm all torus temperature and level instrumentation was inoperable....
"From about 2:00 pm until the fire was extinguished several attempts were made to enter the reactor building and manually align the RHR for torus cooling and shut down cooling modes....
"None of these attempts resulted in establishing torus or reactor shutdown cooling. The attempts were severely limited by dense smoke and inadequate breathing apparatus."
"I tried to use the manual crank system and discovered that it had a metal construction plate on, under the glass, and I tried to remove it. This was difficult, without a screwdriver.... The next day, I checked other manual cardox initiators and found that almost all of them had these construction plates attached."
He finally got the power on, but the Cardox system ended up driving smoke up into the control room above the cable spreader room. One person present described the scene in the control room as follows:
"The control room was filling with thick smoke and fumes. The shift engineer and others were choking and coughing on the smoke. It was obvious the control room would have to be evacuated in a very short time unless ventilation was provided."
After the carbon dioxide system was turned off, the smoke stopped pouring into the control room. It had not put out the fire in the spreading room, however. A safety officer fighting the fire pointed out,
"The CO2 in the spreader room may have slowed down the fire but it did not put it out. We opened the doors for air, as the smoke in the whole area had become dense and sickening. Another employee and I each donned a breathing apparatus and went into the spreader room. We used hand lamps for illumination, but they penetrated the smoke only a few inches. The neoprene covers on the cables were burning, giving off dense black smoke and sickening fumes.... It was impossible to not swallow some smoke. I got sick several times."
Because of the close quarters in the spreader room, fighting the fire was difficult: one safety officer said,
I went into the spreader room wearing a Scott air pack and mask and carrying a fire extinguisher. I had to crawl under the cable trays. The air pack cylinder was too cumbersome to wear on my back so I took it off and slid it and the fire extinguisher under the trays about 30 feet to the fire."
Inoperative equipment also hampered the fire-fighting effort. For example, one assistant shift engineer said,
"I returned to the spreader room to direct the fire-fighting effort. A wheeled dry chemical extinguisher had been brought to the spreader room, but its nozzle was broken off at the bottle and I told some of the men to get it out of there and find another unit."
"Breathing apparatus was in short supply and not all of the Scott air packs were serviceable. Some did not have face masks and others were not fully charged at the time of the start of the fire. The breathing apparatus was recharged from precharged bulk cylinders by pressure equalization. As the pressure in the bulk cylinders decreased, the resulting pressure decrease in the Scott packs limited the length of time that the personnel could remain at the scene of the fire."
One of the assistant unit operators who was sent into the reactor building to manually open the RHR cooling valves reported,
"We made three tries but could not get to the valves. Our breathing equipment could only supply 18 minutes of air per tank, which was not sufficient to enable us to get to the valves and back out of the area. The air tanks were being recharged, but the pressure in the main tanks was not strong enough to fill the tanks to their normal air supply. After the third attempt we went back to the control room and told the assistant shift engineer of the problem and that we needed different equipment or fully charged tanks to succeed."
"I was aware that my effort was in support of, and under the direction of, Browns Ferry plant personnel, but I did recommend, after I saw the fire in the cable spreading room, to put water on it. The Plant Superintendent was not receptive to my ideas.
"I informed him that this was not an electrical fire and that water could and should be used because CO2 and dry chemical were not proper for this type of fire. The problem was to cool the hot wires to prevent recurring combustion. CO2 and dry chemical were not capable of providing the required cooling. Throughout the afternoon, I continued to recommend the use of water to the Plant Superintendent. He consulted with people over the phone, but apparently was told to continue to use CO2 and dry chemical. Around 6:00 pm, I again suggested the use of water . . . . The Plant Superintendent finally agreed and his men put out the fire in about 20 minutes . . . .
"They were using type B and C extinguishers on a type A fire; the use of water would have immediately put the fire out."
Even when the decision to put the fire out with water had been taken, further difficulties developed. The fire hose had not been completely removed from the hose rack, so that full water pressure did not reach the nozzle. The fire-fighters did not know this, however, and decided that the nozzle was defective. They borrowed a nozzle from the Athens fire department,
"but it had incorrect type threads and would not stay on the hose."
On Unit 1, however, a new emergency developed. About 6:00 pm, control of the last four relief valves was lost, and the reactor pressure increased to above 350 pounds per square inch, making it impossible for the makeshift condensate booster pump system to inject water into the reactor. As in the early stage of the accident, the only source of water for the Unit 1 reactor was now the control rod drive pump, and this probably would not prevent a boiloff accident that would turn into a core meltdown in just a few hours.
The spare control rod drive pump was inoperative, and although it was later determined that a series of valves could have been turned to allow the Unit 2 control rod drive pump to supply water for the Unit 1 reactor, the reactor operators did not know this at the time.
With the reactor pressure mounting higher and higher, the relief valves were finally brought back into operation at 9:50 pm, and about 10:20 pm the reactor was depressurized to the point that the condensate booster pump could again get water into the reactor.
Had the reactor boiloff continued to the point where a core meltdown took place, however, it is doubtful that the endangered surrounding population could have been evacuated in time; evacuation of the county's residents was the responsibility of the Civil Defense Coordinator for Limestone County, but, as he admitted to NRC inspectors,
"I heard about the fire at Browns Ferry on the morning of Monday, March 24, 1975 (two days later). No one in the Civil Defense System notified me or attempted to do so ... I feel that our county should have been notified since the plant is located in our county."
The sheriff of Limestone County said:
"I heard about the fire at the Browns Ferry plant after it was over ... I have not had any updating of procedures proposed to me since the initial plan was outlined in 1972. I do not have a copy of the emergency plan."
The Sheriff of neighboring Morgan County did hear about the fire four hours after it started, but said,
"I was asked to keep quiet about the incident to avoid any panic."
The NRC noted in its investigative report that,
"No official notification was made to the State of Alabama Highway Patrol by the State of Alabama Department of Public Health or by TVA...
"An attempt was made to notify the Lawrence County Sheriff at 4:08 pm, but no answer was received. Only one attempt was made to locate the sheriff."
In fact, this try-once-and-fail procedure was more or less the norm. The NRC investigation noted,
"The State of Alabama Emergency Plan for the Browns Ferry Nuclear Plant was implemented at 3:30 pm to the extent that notifications were made to designated state personnel and principal support agencies.... Only one attempt was made to contact principal support agencies that were located in counties surrounding the site regardless of whether the agency was contacted or not. The notification process was discontinued at 4:40 pm .
"The (NRC) investigators commented to the Director of Radiological Health that, due to the uncertainty relating to the status of the reactors from 12:30 pm to 7:45 pm , the implementation of the state plan indicated that a 'standby' classification was necessary that would have required continuous notifications and recommendations to be made to support agencies until the reactor was verified to be in a safe condition.
"Additionally, some agency officials related that they did not have a copy of the state plan or the plan that they had needed updating. Other officials indicated that they had received very little information concerning their defined responsibilities relating to an emergency at the plant....
"The State of Alabama and BFNP personnel have participated in emergency drills to test the effectiveness of their emergency plans for the past several years. Participation in the drills by the state has involved the verification of notification procedures and the time required to travel to the site to perform environmental sampling."
Radiation sampling of air was started at 4:45 pm at Athens, 10 miles northeast of the plant; at Hillsboro, 10 miles southwest; in Rogersville, 35 miles northwest, but not at Decatur, 20 miles southeast and directly downwind of the plant.
"At 5:05 pm, the Director, Environs Emergency Centre, directed that additional environmental air samples be obtained ..... At this time individuals in the Site Emergency Centre observed smoke emanating from the reactor building and the decision was made to evacuate the meteorological tower".
"The sample at Decatur, Alabama, was thought to be inoperable possibly due to the wind direction control system, but the Laboratory Director was asked to investigate the problem. The Laboratory Director reported 7:60 pm that no air sample was available at Decatur. This station would have been the major air station of importance because Decatur, Alabama is located in the southeast direction from the site and the wind direction at the time of the fire was from the northwest section. Arrangements were made with the State of Alabama Air Pollution Control Commission for using one of their samplers at the Decatur station. Air sampling was initiated at this station at approximately 9 pm, CDT, on March 22, 1975."
It is unclear why no one thought to phone the FAA directly instead of giving the information to the plant, which had more than enough problems on its hands at the time.
"At 8:37 pm a member of the environment staff made an attempt to telephone the gatehouse by using a public telephone to inform the security guards that the warning lights on the plant stack were not operating. Since the gatehouse could not be reached, the environmental representative telephoned the EEC (Environs Emergency Centre) and explained the condition. The Director, EEC, directed the information to the plant because of the need to contact FAA authorities immediately."
Other gremlins that cropped up included the plant's electric sequence printer running out of tape at 4:30 pm the afternoon of the fire, so that information on the time and sequence of restoration of control circuits after that time was lost, since no one replaced the tape until 2:00 pm the following day.
At about 3:40 pm, the decision was made to begin tape-recording all telephone communications between the plant and the chief of TVA's nuclear generation branch. But, as the NRC report noted,
"A review of the tapes revealed mechanical problems with the tape recorders and only partial transcripts were obtained."
At about 9:00 pm, Calhoun phoned Frank Long, in the U.S. Nuclear Regulatory Commission's Region II office in Atlanta:
"Green: I got a call that Sullivan, Little and some other NRC inspector are traveling tonight and will get here some time tonight and so all our problems will be over.
"Calhoun: (Laughs) They will square you away, I am sure.
"Green: We probably have a violation. We've kept very poor logs.
"Calhoun: (Laughs) No doubt!"
"Long: The doggone public news media types will probably drive you out of your mind. Okay, your people did put out a news press release?
"Calhoun: Yeh, we put one out about 4:30. Somewhere close to 4:30 .... Only thing we can say right now is that it could have been a hell of a lot worse.
"Long: Oh, yeh.
"Calhoun: Yeh, you know everything for those two units comes through that one room. It's common to both units, just like the control room is common to both units.
"Long: That sorta shoots your redundancy."
Emergency procedures inside the Browns Ferry plant were also deficient. Many employees did not know what the sound of the fire alarm meant, and few had been trained in emergency procedures, despite earlier fires at the plant.
Large numbers of plant employees went into the plant control room, adding to the chaotic situation there. Instead of the six persons normally there, one assistant shift engineer reported,
Indicative of the tension felt in the control room is the later comment of the Unit 2 shift engineer that,
"The maximum number of people in the control room at only one time I guessed to be about 50 to 75."
"The Plant Superintendent asked me if I had control of Unit 2 and if everything was O.K. almost continuously."
What is the significance of the Browns Ferry incident?
One question is: What the devil were the electricians doing using a candle to test for air leaks?
Personally, I thought it a nice Gothic touch that a candle should disable a shiny new 2.2 million kilowatt nuclear plant. Perhaps a bumper-sticker reading "1 CP = 2,200 MWe" (1 candlepower = 2,200 megawatts) would be appropriate.
Although it is perfectly possible to design an inexpensive anemometer to test for air leaks, or even use smoke from a cigarette, these methods were rejected two years ago by the Browns Ferry plant personnel in favor of using candles.
"The practice of using RTV-102 and sheet foam to seal air leaks has been the practice for two or three years. We believed that the urethane would not sustain a fire. Urethane samples had been tested several years ago and it needed a flame for 20 minutes to sustain a fire."
They had only tested two of the polyurethane samples, however, using an American Society for Testing Materials (ASTM) test that the Marshall Space Flight Centre later found to be of marginal value. No test had been made of the foam polyurethane, however, and the NRC's consultants, from the Marshall Space Flight Centre, found that,
"A cursory match test on a piece of the foam rubber disclosed almost instantaneous ignition, very rapid burning, and release of molten flaming drippings."
Even though some people at the plant thought the ASTM tests showed the penetration sealant material to be non-flammable, senior management knew it was highly flammable. The plant instrument engineer told NRC inspectors that,
"During the test and startup period of Unit #1 (in 1973), I demonstrated the flammability of the sealing material to the Plant Superintendent. I burned the material in the Plant Superintendent's office. He immediately called someone with Construction and they discussed the situation .... I feel the Plant Superintendent did all that was immediately possible to investigate the situation as it appeared that construction was not going to change the material."
The Plant Superintendent admitted to the NRC inspectors,
"I was aware that polyurethane was flammable, but it never occurred to me that these penetrations were being tested using candles."
Many senior management personnel at the plant denied knowing of the practice of using candles to test cable penetrations.
The rest indicated that they knew candles were being used, but thought the sealant materials were not flammable.
The electricians seemed to be the only group who knew both that the foam rubber was flammable and that candles were being used as the testing method. As one electrician later recounted,
One of the electricians who started the fire said that candles had been used for more than two years but said,
"The electrical engineer called the group (of electricians) together and warned us how hazardous this method was. 'Why just the other day,' the electrical engineer said (in effect), 'I caught some of that foam on fire and put it out with my bare hands, burning them in the process.'"
"I thought that everybody knew that the material we were using to seal our leaks in penetrations would burn....I never did like it."
"We discussed among the group the procedure of using lighted candles to check for air leaks. Our conclusion was that the procedure should be stopped."
Yet nothing was done. The fire was noted in the plant log, and briefly discussed the next day at the plant management meeting. No one on the management level seemed to consider it a safety problem worth following up. This was the standard operating procedure; as the NRC investigative report notes,
"Previous fires in the polyurethane foam materials had not always been reported to the appropriate levels of management, and, on the occasions when reported, no action was taken to prevent recurrence."
In the face of these practices, it was probably nor a question of whether the Browns Ferry plant would have a major fire, but when.
"Conclusions and Recommendations:
"The original plant design did not adequately evaluate the fire hazards of grouped electrical cables in trays, grouped cable trays and materials of construction (wall sealants) in accordance with recognized industrial 'highly protected risk' criteria....
"It is obvious that vital electrical circuitry controlling critical safe shutdown functions and control of more than one production unit were located in an area where normal and redundant controls were susceptible to a single localized accident .... A re-evaluation should be made of the arrangement of important electrical circuitry and control systems, to establish that safe shutdown controls in the normal and redundant systems are routed in separated and adequately protected areas."
Every nuclear plant in the country uses a cable spreader room below its control room. Despite requirements for separation and redundancy of reactor protection and control systems, every reactor has been permitted to go into operation with this sort of configuration which lends itself to a single failure's wiping out all redundant systems.
If every plant currently operating and under construction were required to re-wire so as to achieve true redundancy and eliminate cable trays bunched together, I have made calculations that indicate the cost will range between $7,680,000,000 and $12,343,000,000. It will be interesting to see whether the new commissioners of the Nuclear Regulatory Commission will require such changes.
Except for one news release, written March 27, 1975, NRC headquarters in Washington has remained silent about Browns Ferry. That news release, quoted below, does not make one optimistic that any meaningful lesson has been learned from the Browns Ferry incident.
"The functioning of some in-plant operating and safety systems, including emergency core cooling systems, was impaired due to damage to the cables.
"The two reactors were safely shut down and cooled during the fire. NRC inspectors report that there was redundant cooling equipment available during the reactor cooldown....
"Although some instrumentation was lost, certain critical instrumentation such as reactor water level, temperature and pressure indicators continued to function and both plants were safely shut down....
"On Unit 1, although a loss-of-coolant accident had not occurred, the emergency core cooling system was activated and supplied additional water to the reactor. It was manually shut down to prevent overfilling. Later, during cooldown, when ECCS was called for manually as one of the several alternate means of supply cooling water, it did not activate; the alternate methods had more than sufficient capability to cool the core."
Whether the NRC has sufficient capability to cool the public's reaction, once the facts about Browns Ferry are known, will be interesting to observe.
David Dinsmore Comey is Director of Environmental Research of Business and Professional People for the Public Interest a not-for-profit, public-interest law firm and environmental research organization found in 1969. Donations to BPI are tax deductible and donors will receive a quarterly newsletter and other publications. BPI's address is Suite 1001, 109 North Dearborn Street Chicago, Illinois 60502
In 1974, the U.S. Environmental Protection Agency gave Mr. Comey its First Annual Environmental Quality Award "for services that have immeasurable improved the design and safety review of nuclear reactors."
|NRC||The NRC [Nuclear Regulatory Commission] |
licenses reactors as safe for operation.
|ECCS||The ECCS [Emergency Core Cooling System] |
provides emergency cooling water to the core
of the reactor to keep it from over-heating
if the regular cooling is lost.
|RHR||The RHR [Residual Heat Removal] system |
is needed, after the reactor is shut down, to cool the core;
it removes the "residual heat" given off by the intense
radioactivity of the used nuclear fuel in the core.
|TVA||The TVA [Tennessee Valley Authority] |
is a federal agency which owns and operates
numerous electricity generating plants,
including the Brown's Ferry nuclear reactors.
|BFNP||The BFNP [Brown's Ferry Nuclear Plant] |
consists of two large nuclear reactors,
each generating 1100 megawatts of electrical power.
|DPP||The DPP [Department of Power Production] |
is responsible for the day-to-day operation
of the Brown's Ferry nuclear generating station.
|CO2||CO2 [Carbon Dioxide] is a non-toxic gas |
which can be used to put out a flaming fire
by choking off the supply of oxygen that feeds the flames.