Fail Of The Week: A Candle Caused Browns Ferry Nuclear Incident

A colleague of mine used to say he juggled a lot of balls; steel balls, plastic balls, glass balls, and paper balls. The trick was not to drop the glass balls. How do you know which is which? For example, suppose you were tasked with making sure a nuclear power plant was safe. What would be important? A fail-safe way to drop the control rods into the pile, maybe? A thick containment wall? Two loops of cooling so that only the inner loop gets radioactive? I’m not a nuclear engineer, so I don’t know, but ensuring electricians at a nuclear plant aren’t using open flames wouldn’t be high on my list of concerns. You might think that’s really obvious, but it turns out if you look at history that was a glass ball that got dropped.

In the 1960s and 70s, there was a lot of optimism in the United States about nuclear power. Browns Ferry — a Tennessee Valley Authority (TVA) nuclear plant — broke ground in 1966 on two plants. Unit 1 began operations in 1974, and Unit 2 the following year. By 1975, the two units were producing about 2,200 megawatts of electricity.

That same year, an electrical inspector and an electrician were checking for air leaks in the spreading room — a space where control cables split to go to the two different units from a single control room. To find the air drafts they used a lit candle and would observe the flame as it was sucked in with the draft. In the process, they accidentally started a fire that nearly led to a massive nuclear disaster.

Working with Inflammable Materials

You can build walls 30 inches thick, but you still need to get utilities in and out of the area. This was the case in the spreading room — the area where cables from all over the plant converged on the common control room.

The workers found a 2×4 inch opening near a cable tray. They stuffed the hole with foam and checked it again. There was still a draft and the flame was sucked into the hole, lighting the foam on fire. The inspector tried to knock out the fire, first with a flashlight and then with rags. By this time, the wall was on fire and several fire extinguishers were used to attack the problem but without success. The fire burned on. In fact, the fire extinguishers may have blown burning material out of the hole, making it even worse.

The Failure of the Fire Plan

Because of the efforts to put it out, the fire wasn’t officially reported for 15 minutes. There was also confusion about what phone number to use to report the fire. Perhaps most surprising is that for whatever reason, the operators elected to continue running the reactors despite the fire. According to the official report they then noticed that pumps in the emergency core cooling system were running:

Control board indicating lights were randomly glowing brightly, dimming, and going out; numerous alarms occurring; and smoke coming from beneath panel 9-3, which is the control panel for the emergency core cooling system (ECCS). The operator shut down equipment that he determined was not needed, only to have them restart again.

I wouldn’t operate my car like that, much less a nuclear reactor. After a few restarts, they started talking about shutting things down. Just then, the power output of unit 1 dropped for no apparent reason. They reduced the flow on the operating pumps which then promptly failed. Finally, the operators dropped the control rods to shut down the nuclear reaction.

Doing Everything to Cool the Cores

As you might expect, shutting down a reactor isn’t quick and easy. Electrical supply was lost to several systems in unit 1 including several key instrument and cooling systems. In unit 2, the panels were going crazy and there were many alarms. Then about 10 minutes after the unit 1 reactor started dropping its output, unit 2 followed suit.

Unfortunately, the equipment failed there too and they lost emergency cooling and control of some relief valves. Unit 1 was struggling with very little instrumentation and a reduced number of relief valves. The fear was that if the core did not remain submerged in water, it would melt down.

To keep the core underwater, they used the relief valves to drop the internal pressure from 1020 PSI to under 350 PSI so that a low-pressure pump could force water into the chamber. This decision was met with yet another problem; the low-pressure pumps were not working either so they had to rig up a workaround using a different pump.

In unit 1, the water level was normally about 200 inches above the top of the core, but it fell to about 48 inches. Unit 2 had more pump capacity, but it still wasn’t enough. They rigged up the same makeshift pump arrangement.

Domino Effect of Power and Control Failures

Before this all began, unit 2’s computer already happened to be down, and the unit 1 computer soon failed. With nearly all the instrumentation having failed, and the diesel generators down, they had very little on-site power. The phone system failed, preventing the control room from making outbound calls which were being used to send instructions to people operating valves and other key equipment manually.

Unit 1 under construction

Meanwhile, the fire was still burning. There was a built-in extinguisher that could be manually activated with a crank. But during construction, those activation cranks all had metal plates placed under them to prevent accidental activation of the extinguisher system. Almost none of the plates had been removed when construction was complete. By the time they were finally able to operate the system, it didn’t stop the fire completely and had the effect of driving thick smoke into the control room.

Two workers were tapped to investigate. They put on breathing gear and went into the spreading room to find that the neoprene covers on the cable were burning and emitting a thick black smoke. The quarters were cramped and one man described having to take the air cylinders off his back and push them along with the fire extinguisher in front of him to get under the trays about 30 feet to reach the flames.

The extinguisher system wasn’t the only safety equipment that was ill-prepared for an emergency. Many of the breathing masks at the plant were not working. Some had improperly filled tanks and others were missing parts. The main tank on site was apparently low on pressure and unable to completely fill the working tanks which resulted in about 18 minutes of air per fill for those trying to fight the fire.

The Red Truck Brigade

The local fire department arrived on the scene but they were not allowed to run the effort — presumably because you want people with specific training to fight a fire in a reactor. However, the fire chief did repeatedly suggest that water was the right way to put out the fire, as it wasn’t actually electrical in nature. Plant management didn’t agree.

After the fire burned for over six hours, the plant personnel decided to try water. Unfortunately, the fire hose didn’t deploy fully so they were getting low pressure. In the heat of the moment, the workers erroneously decided the nozzle was defective and borrowed one from the fire department, but it had incompatible threads and would not stay on the hose. Even with these problems, water had the fire out in 20 minutes.

On the Verge of a Meltdown

You might think the fire being out is the end of the story, but no. The damage had been done — control of the two reactors was greatly inhibited and keeping the cores cool remained an emergency situation. The relief valves on unit 1 finally quit and pressure went up beyond the ability of the makeshift pump system to operate.

There was an ancillary pump operating, but it couldn’t keep up and a meltdown seemed likely. In retrospect, there was a way to use some of unit 2’s equipment but no one figured that out at the time.

Instead, it was luck that they were able to make repairs before time ran out. Workers fought to get the pressure valves back online and succeeded. This allowed the pressure to drop enough for the pump to continue providing fresh water.

Timeline of a Near Disaster

The candle flame started the fire at about 12:20 PM. Unit 1 reached full shutdown at 4 AM and that was the end of it. As much as it sounds like everything went wrong, it was even worse. There were a host of problems with equipment ranging from lights to tape recorders.

Speaking of tape recorders, there was one really interesting phone conversation between J. R. Calhoun, the chief of TVA’s Nuclear Generation Branch at the time, and Frank Long of the NRC (and reported by a Canadian website):

Calhoun: Yah, you know everything for those two units comes through that one room. It’s common to both units, just like the control room is common to both units.

Long: That sorta shoots your redundancy.

Thanks to creative problem solving, it appears the incident didn’t pose a public risk — although many people have critiqued how the public was kept informed (or not). There was never any radioactive leakage from the plant reported.


So many questions. Why were they using candles when other methods were available? Why were they using flammable material as insulation? The investigation turned up that flawed tests indicated the polyurethane used in the foam was resistant to fire… in solid form. However, the foam was highly flammable and many people knew this. Many people didn’t know that candles were used for leak detection.

Perhaps the worst bit of news is that two days earlier a similar fire had started but was put out quickly. The shift engineers had a meeting and had already decided to recommend a different way to test for leaks that didn’t require candles. But nothing had been done.

Needless to say, the Nuclear Regulatory Committee made many changes to their fire protection standards and mandated silicone foam for firestops. It even influenced practices in other industries. If you want to read the DVD the NRC released about the incident in 2009, you can.

The fire caused about $10 million of direct loss and as much as $500 million in indirect costs. (That’s about $44 million and $2.2 billion if you update the 1976 figures to 2018 values.) It took about 1000 man-years of effort during the 18-month recovery process.

I know the debate over whether we should have nuclear power or not is polarizing and I won’t tackle that here. But it is amazing that a high tech piece of equipment — no matter what it does — could be taken down by a candle and some bad procedures. You know there were all sorts of safety devices and procedures and that everyone there must have known the possible consequence of something going wrong. Yet you had a known fire problem ignored, bad air and fire equipment, and a host of other problems.

So think about not only what balls you have in the air with each project, but ask yourself which of those are glass balls. Don’t forget to focus on the small seemingly inconsequential things. There’s also a danger in assuming that you don’t need at least some understanding of all the balls in the system. After all, if someone high up had realized foam caught fire and workers were using candles around it, this might have been a different story.

117 thoughts on “Fail Of The Week: A Candle Caused Browns Ferry Nuclear Incident”

      1. Speaking of Chernobyl, I was surprised to learn the other three reactors there were still being run after the disaster at unit 4. Unit 2 caught fire (!) in 1991 and was shut down. Unit 1 shut down in 1996, and Unit 3 was still generating electricity until 2000. Unit 1 had previously had a partial meltdown four years BEFORE the big disaster.

          1. I’ll give it a go … whilst waiting for The Grand Tour (ex-Top Gear) to return in January.

            Some education before the three clowns start clowning around again!

          1. It might be a simple mistake but there is also a political statement by some who use “the” before Ukraine. It has something to do with a reference to an area as opposed to it being a country. I don’t recall the details at the moment. Maybe someone else can help.

      2. You still need power for areas that are supplied by the reactors after all. Not to mention it takes decades to properly decommission a power plant. So you might as well burn as much of the fuel in the reactor as possible before you start the cooldown process before decommissioning.

        The local nuke plant took something like 40 years to decommission. They only finished a few years ago. What’s left is the storage pools, which are still considered to be too hot to transport safely at this point, partly based on transport time. Some of the casks they brought in to store the parts of the old reactor and turbines were super cool looking. Look like the mix between a stealth fighter and something from Mad Max.

        1. The reason it takes so long to dismantle them is because of all the red tape on what happens to the dismantled stuff.

          It’s illegal to bury it, it’s illegal to recycle it, it’s illegal to ship it anywhere… or at the very least you’ll get a bunch of hippies chaining themselves to the railroad tracks whenever you try to shift any of it. Currently, pretty much the only place on earth that allows companies to legally handle old reactor parts is Norway, because both in the US and the EU, the radiation level limits on scrap metal coming out of a nuclear power plant is 30 times higher than for any other industry.

          Since 2000 it’s also been illegal to re-use any scrap metal coming from a nuclear power plant in the US, so the scrappers are basically hiding bits and parts of the power plants in their pants legs and shaking them out wherever they can.

          1. Sorry, I meant to write 30 times stricter. Meaning, the same piece of scrap steel coming out of an oil rig can be 30 times more radioactive than if it was coming out of a nuclear facility.

            The rules are such that you basically walk in with a banana (radioactive: Potassium-40), and have to leave the peels in for nuclear waste disposal because it’s now considered nuclear waste.

          2. Canoe: I suspect it’s a failure to tell which balls are steel and which are glass. Everyone expects discarded nuclear parts to be radioactive, so they set safety rules to the paranoid level. Nobody expects a brick or a grinding disc to be radioactive – even though it’s a very real possibility – so the radiation standards there are lax to non-existent.

          3. A few years ago, when the oil fracking boom was ramping up in North Dakota, the owner of an un-used gas station was asked if he would rent it for “cash”. The owner agreed, sometime later the rent money stopped coming in, so he went to check the property. The renter had filled the building with discarded “mud” bags (radioactive) and skipped town.

          4. Those damn hippies always making rules about radioactive stuff and how to deal with it. How can we have progress with people trying to put restrictions on corporations? /s

      1. I’m thinking it was in Tom Clancy’s “Red October” book, one of the other Russian subs had a problem and the control rods had to be cranked down with a wrench. The mechanic had to lay on top of the reactor vessel to do it.
        (Or, it was an actual event (American sub?) that I’d read somewhere?)

        1. K-219; this was a real thing that happened. Seaman Sergei Preminin prevented a meltdown off the coast of Bermuda, sacrificing his life to do so.

          The book you’re remembering is probably Hostile Waters, a nonfiction storyfication of the incident. It’s been accused of inaccuracies with regard to the subsequent sinking and American activity in the area at the time, but the impression I get is that it’s otherwise accurate.

        1. True.
          But I’m basing my idea of how centrifuges were monitored at Oak Ridge, TN during the Manhattan project.
          They found high school girls did a better job of monitoring the centrifuges than the “experts”.

          1. I always heard that Oak Ridge was a case of the experts wanted to study the effects of variables and optimize the system, which lowered their production because they were focused on optimization. Vs. the higher production of the girls who were told, “If the needle gets here turn the knob this way until it goes to here, keep an eye on it.”

    1. At least it is an industry that actually learns from their mistakes. When incidents happen the entire situation is analyzed and then appropriate measures and training are implemented immediately.

      As an example, immediately following the recent Fukushima incident the NRC implemented training scenarios that reflected the situation in all required annual recertification for plant operators and personnel.

      1. Unlike the entire medical industry, where it’s always “my mistake, your death”. If only it were like the FAA where it is an offense not to report all mistakes anonymously, so they can set high level aviation policy. This is probably because with pilots it’s “my mistake, my death”.

  1. Cool article, cool graphic. I should probably cheer lead more or not at all but these sort of summaries of disasters and near disasters really get me into a subject. Like the (fictionalised) concrete bar supports story from Gerrit Coetzee. I’d like more of them.

  2. How about building nuclear power plants under the water line behind shallow dykes in tsunami prone areas?

    How about decommissioning old worn-out nuclear power plants and replacing them with modern safe ones instead of extending their life until they fall apart by themselves?

    1. The Fukushima reactor disaster happened (ok, one of the major events in the chain) because the water rose higher than the chimney of the backup diesel generators and flooded them. It would have additional rusting/leaking risks without really solving the problem. I think it was said that newer designs are gravity fed with water.

      1. Also, because the generators required to run the coolant pumps had a limited fuel supply, and the tsunami debris meant that tanker trucks with more fuel couldn’t get to the plant.

        And so on. Disaster planning is hard to do well. And easy to do poorly.

        1. The problem wasn’t with the quantity of on-site fuel, but rather the fact that emergency generators and supporting equipment were submerged by the tsunami. AC power was lost ~52 minutes after the initial earthquake. Those generators should have run for much much longer than that with the legally-required minimum fuel supply.

      2. Arguably, the disaster happened because no one has thought to include a steam powered pump into the emergency cooling system? When water level drops in core and generates steam, the steam would pump water into the core. Just sayin

        1. There is such a pump in the GE BWR design it is called the HPCI (High Pressure Core Inject) Pump. One of the downsides of the GE BWR design is that there is only one of these pumps.

    2. Simple answer – bucks, $. Follow the money. Pretty much every accident ever can be traced back to bucks. This had no control path redundancy – guess why?
      Guess why Fukushima was built where it was? Saves money on pumps – and land since it was built where the locals had little NIMBY clout (this one also ran past its design lifetime == bucks issue). Further, that one was run well past where the US runs reactors to make fuel reprocessing more profitable, which is why it needed more than the usual amount of cooling after control rods were dropped.

      We have people who care more about preventing safe waste disposal (they don’t think so but it’s the effect) than making things safe actually. That’s one aspect, but decommissioning a plant means you have tons of slightly radioactive stuff to dispose of – even the steel…and of course all the byproducts in the fuel that never got to leave the containment building, which would have to be torn down as part of the decommissioning. See above.

      As a fusion researcher….I kinda got a lot of this by osmosis since all this info is mixed in with what I had to learn to do my own job. I do believe that fission can be done safely, but I’m not convinced that humans are responsible enough. It’s only “technically” possible but practically, not so much. It’s worst case in some ways, even leaving bucks aside. It’s normally so reliable and boring that most humans tend to take the night off for “hookers and blow” (that’s a joke for those easily triggered) now and then and can’t keep their attention span on the job.

      Look at today’s TL;DR culture. Even here most probably didn’t even read all of this for comprehension or look up the consequences of extra fuel runtime to get more usable fission fuel bred from the U238….

      1. There’s two ways to design dangerous systems to be safe. Design to fail safe, and design to fail small.

        When the fail-safe design fails, it fails to fail safe. In fail-safe designs, if by nothing else, then by observing that since this reactor design is now nominally safe, we can scale the drawings up by a factor of 10 and even though we’re now dealing with tremendous energies that will create real mayhem if they ever get loose, these safety systems make sure it never happens. Right? The best designs simply enable the people to push the devices to the limits of imminent tragedy.

        Like having ABS, ESC, ESP, ETC, systems and four wheel drive in your car that makes driving on ice feel like normal, so your car accelerates nonchalantly to 100 mph and just as easily flips into the ditch at the first turn, briefly after blinking a bunch of warning lights at you saying “You done goofed up”. Every system has some inherent “faultyness” almost like a constant of nature, and the more you try to constrain it, the more pressure builds up and finds itself out through any pinprick you leave behind.

        So, instead you design the system to fail small. You put your foot down on the pedal and it’s winter, and the wheels start to slip at 10 mph, not at 100 mph when it’s too late. The dumb car with no driver helpers becomes the smart car, because you’re too scared to drive it to the point of no return. That assumption means an entirely different design will come out.

        Since the core is assumed to melt at some point, you’ll prefer to make a small core and enclose it in a steel canister that can be picked up by a crane and carried away for disposal. Need more power? Add more canisters. etc. and in the end this is cheaper, because you can turn them out by the dozen in a big factory. Sure, things can still go wrong, but if one or two of these canister-cores pops really bad, the cleanup doesn’t involve evacuating the whole county.

        1. I wonder if there’s an actual solution to the problem in the general case. I’d imagine cars with all those fancy features really do have lower accident rates overall, so nobody wants to get rid of them, and even the smallest nuclear reactor should probably have redundant safety systems anyway.

          Maybe safety systems should pretend they don’t exist until needed, and the warning light should say “Shutdown within ten seconds to avoid an explosion” rather than “Automatic shutdown in ten seconds”, even though the automatic shutdown is still there.

          I don’t know enough about driving on ice to deeply understand the dangers or what makes it feel different, but maybe there’s some kind of haptic or audio feedback that could scare people without distracting or endangering them? I suppose driving is a special case because there’s no design phase and not enough time for people to sit and consider things like there is with reactor design.

          1. Yeah, they do have lower accident rates overall, and the electronics systems in cars work in that respect, but it’s not 100% proof and when they do fail, the situation has escalated much further than without the electronic aids.

            This is fine for cars, where a number of accidents are simply accepted. With nuclear power, the opposition is arguing that no matter how rare the accidents become, it’s offset by the magnitude of the accidents, and there the safety systems become counterproductive because they allow you to build absolute monstrosities for reactors, which will be disasters when they fail.

            As for driving on ice, it differs in the fact that your traction and handling is more on a knife-edge. On dry asphalt, you still have some traction when you begin to slip, but on ice it just all goes away. The ESC/ABS/ETC. don’t warn you soon enough because they don’t understand that you’re in these special conditions – they’re tuned for the average driving conditions, where sounding bells and blinking lights would simply annoy the driver who knows they’re not pushing the envelope if the back-end of the car starts to fishtail a little.

          2. More precisely, the electronic aids allow you to pick up and go as if nothing special is happening. They’re designed to make the car handle better in adverse conditions, which also makes it feel safer because it is following your command. That’s by design: the manufacturer wants you to feel safe, to trust the car. (compare: the reactor designer wants you to think it’s foolproof)

            You start driving and the ESC blinks a light at you saying “I’m slipping!”, but it accelerates regardless and you get up to speed. Everything feels normal, no warning lights because the car is not struggling to just maintain speed. Then it comes time to stop or turn, and you start the action and the car blinks “I’m slipping!” again, but then it’s too late because you’re doing 60 when you should have been doing 30.

            In a car without electronic aids, in order to get going you already have to be careful. Otherwise you just spin your wheels and it doesn’t go anywhere. You try to turn and it just pushes, you brake and the car goes into wheel-lock and starts to spin slowly – so you never go above 30 mph because it’s just too hairy to drive. If you push it to 60, you’re driving with white knuckles because you know how it’s going to end.

            If you’re going to crash in the simpler car, it’s going to be at 30 mph instead of 60 mph, and vice versa. The more advanced car fails less but it fails big, while the simpler car fails more but it fails small.

            The analogy breaks down when you consider that people aren’t so foolhardy to always push the car to its limits, and speed limits do exist. When it comes to corporations operating nuclear reactors, that’s no longer people but bean counters running it, so you can be sure it’s going to be run to the limits of its safety.

          3. One of my motorcycles has ABS, an earlier design from ’07.

            When ABS engages, it literally pushes the brake lever open. You feel it. You know you goofed. I think this is a good thing, it saves your bacon but gives you feedback that that was a bad idea.

            I remember hearing back in the day though that some people panicked when they felt the brake pedal pulsing as ABS engaged and released the brakes entirely, so I suppose it comes back around to people understanding the machine they’re operating.

      2. There’s a similar argument about safety drivers in semi-autonomous vehicles. The argument is that as the systems get better and approach 100% safety, the perception is that they will be 100% safe (who can tell if a system fails 0.1% of the time). The drivers will stop assuming responsibility and they will no longer add any safety to the system. The proposed solution is always to not do any autonomous driving without a 100% automatic car, with no steering wheel or brake pedal for the humans. That will set the bar high enough to skip that trough of danger. But will the companies be able to get there before they run out of money?

        Computers are good at mundane, boring things, which is why they should be good at driving (eventually). Humans get bored too easily. But make them a safety driver, and you’ve made it 100x worse.

        1. Basically right, but if I buy a car, I want also to be able to drive it myself, I want to have the choice of using the automatic mode or not. So it is no option to eliminate the controls. Of course this “safety driver” role is a really bad thing. You will get bored after a short time, but when things turn bad, when the computer does not “find a way out” anymore, you are considered responsible.

    3. The pressure in the reactor is pretty high – just putting the thing below water level won’t do much good, you’ll still need to pump water in. Also, in case of a breach you wouldn’t really want the water to flow freely back into the source.

      As to building new nuclear power plants it’s prohibitively expensive and not necessarily any more safe, just more sophisticated failure modes. This might be one instance where multiple control sets are advantageous. A bunch of analog meters and big switches from the old system separate and in addition to more modern control systems.

    1. It should, they are / were both BWR (Boil Water Reactors). So was Chernobyl. But being a BWR isn’t the issue, all three of these accidents as well as the one at Three Mile Island were the results of Human Error. The Nuclear Power plant at Three Mile Island that suffered a partial meltdown was a PWR (Pressure Water Reactor) design.

      I worked at Browns Ferry during refit in the late 1980’s and I’ve looked down inside of Unit 2 when the lid was off getting ready to refuel. The core really does put off a pretty green glow…. Nuclear Power is dangerous when not managed right, and I believe Nuclear Power is being managed right in this country. I believe that we’ve learned from our mistakes and from the mistakes of others.

      There is no power source without a cost and I believe the cost to our environment is far less with nuclear than any other power source. A single unit at Browns Ferry produces over $100,000,000 (that’s One Hundred Million, in case you didn’t count the zeros) of power A DAY while producing zero carbon emissions. And Browns Ferry has three units.

      1. Three Mile Island’s problem went on for as long as it did because of the layout of the control room. The indicator light that was on to indicate the open relief valve was on the opposite side of the room from where the staff was clustered, looking at temp and other gauges and indicators – trying to figure out what was wrong, why the temps kept rising despite pumping in more water, and where was that water going?

        When someone finally noticed that light and used the control to manually close the stuck valve, the situation was brought under control, but the reactor core was ruined.

        At Fukushima the control rooms have the same problem, same as most reactors built in the 60’s and 70’s and still operating. Their controls and indicators are spread across a large room where operators must wander around to keep tabs on everything.

        It’s like trying to fly a 1970’s jetliner in the 21st century, with a cockpit encrusted with so many gauges and lights it requires a 3 or 4 person crew just to watch everything.

        The old plants’ control systems should be upgraded with new technology so that the operators have workstations where indicators and gauges are displayed on a monitor. If there’s a stuck open valve, the indicator ‘comes to the operator’ instead of blinking on a wall on the other side of the room, waiting for someone to notice. If there’s a problem it flashes ALERT on the monitor then brings up information on what’s wrong.

        But those old plants continue on with their 40-something year old control rooms because the anti-nuke ninnies protest and file lawsuits and get regulations passed to block incremental upgrades – just like they have for old gas, oil, and coal fired power plants. Bush Jr. tried to get things changed so those older plants could upgrade as much as *practical* to reduce their pollution. But the environmentalists demanded all or nothing. Either they would be brought up to current emissions standards or nothing could be upgraded. They’d rather a coal power plant built in the late 70’s continue polluting at its original levels rather than adding equipment to bring it to 50% (or whatever %) of current regulations for coal.

        To bring old plants to current levels would require knocking them down and building an all new plant – which would then have protests and lawsuits and repeated studies required by the EPA before construction could be started.

        Such insanity has been going on at least since the 80’s. Some time in that decade my father made a couple of hand crafted refractory cement burner grates for some place that had an incinerator or some other thing. Whatever it was, the company sought him out for the job because EPA rules would not allow them to modify their equipment and upgrade to new burners. They would have to replace the entire system, which would have cost many thousands of dollars. To make the grates, he measured one of the worn out originals, then made a mold from pieces of galvanized sheet metal on a plywood base. That was packed with the refractory cement mixture then allowed to harden. I assume at some point the company either no longer had a need for whatever needed those grates, or was able to budget the funds for all new equipment.

        1. At Three Mile Island, the issue with the relief valve wasn’t the location of the indicating light.

          The valve that caused the Loss of Coolant Accident is what is called a Pilot Operated Relief Valve or (PORV). These valves use up steam system pressure to open the valve. A solenoid valve is used to control the actuating pressure. The idea being that these PORVs could be opened to relieve high pressure in the Reactor Coolant System at a lower pressure than the purely mechanical safety valves. All pressurized systems are required to have safety relief valves by ASME code, whether it’s a home hot water heater or a reactor coolant system. All types of relief valves are notorious for leaking once they have actuated so the designers of the plant added the PORVs to automatically open at a lower pressure than the code required mechanical safety valves and if they leaked by they could be isolated using a motor operated valve downstream.

          At Three Mile Island the issue was twofold. First, the light only told the operators whether the PORV’s solenoid valve was being powered (thus opening the PORV). Second, the temperature reading downstream of the leaking PORV was lower than what the operators expected. The operators thought that if the valve was leaking steam that is ~2200 psig and ~600 deg F on the reactor coolant system side of the valve that the temperature on the other side of the valve would be similarly hot. If they had consulted a steam table they would have found that given a pressure of ~10 psig on the downstream side of the valve the expected temperature would only be ~230 deg F.

          The TMI accident caused many changes in the industry. Control room layouts were changed to make them more human friendly. Control valve position indication was changed to use limit switches and sometimes LVDTs. The most important change was in the training of the operators. Before Three Mile Island there were only a few generic nuclear plant simulators scattered around the country that licenced reactor operators were lucky to use. After TMI, it would become a requirement that every site have a plant specific simulator where operators could train.

          1. RBMK was graphite moderated, with positive void coefficient ..the hotter it got, the more power generated. A light water moderated BWR has a negative void coefficient, more boiling, less moderation.

        1. No power plant makes 100 million a day. Current price per MW is $38 on… that’s about 1 million a day. And the radiation at nuclear plants is blue, not green… I’ve worked commercial and navy nuke for almost 20yrs…

  3. That was intense! It makes me think a bit like the air brakes on semi truck trailers. From my (limited) understanding, it’s air pressure that keeps them in the “allow movement” position. If there’s a large enough leak and insufficient air pressure, they will move into the braking position. I’m surprised the graphite control rods weren’t done in a similar way – requiring power to be held above the reactor. No power? Control rods automatically drop down.

    I’m surprised no one has made a movie out of this.

      1. Wagon brakes while failsafe (mostly, there’s a Canadian town that’d disagree) are way more complicated. It’s because of the volume of air piping and brake chambers it’d take forever to release them. Instead there’s a triple valve on each wagon that has an air reservoir it uses to apply the brakes when it detects a sudden drop in brake line pressure.

    1. “Dead-man” mechanisms holding control rods out of the reactor became a requirement after Chernobyl, where the speed of the emergency control rods (something like 30s) was a major contributing factor to the incident – reactor got so hot so quickly, that the channels distorted and it became impossible to completely insert the rods.

      1. This can’t be true…I remember reading in the 70s, about control rods and how they were designed to be able to be inserted with power off, because when all else failed, you wanted to be able to “scram” the reactor down quickly.

        Really? At some point, someone decided that a failsafe control rod scheme was no longer necessary?

        1. Wikipedia, as usual, has the answer (the BWR method seems…less reliable):

          In any reactor, a SCRAM is achieved by inserting large amounts of negative reactivity mass into the midst of the fissile material.

          In light water reactors, this is achieved by inserting neutron-absorbing control rods into the core, although the mechanism by which rods are inserted depends on the type of reactor. In PWRs, the control rods are held above a reactor’s core by electric motors against both their own weight and a powerful spring. Any cessation of the electric current releases the rods. Another design uses electromagnets to hold the rods suspended, with any cut to the electric current resulting in an immediate and automatic control rod insertion. A SCRAM is designed to release the control rods from those motors and allows their weight and the spring to drive them into the reactor core, rapidly halting the nuclear reaction by absorbing liberated neutrons.

          In BWRs, the control rods are inserted up from underneath the reactor vessel. In this case a hydraulic control unit with a pressurized storage tank provides the force to rapidly insert the control rods upon any interruption of the electric current. In both the PWR and the BWR there are secondary systems (and often even tertiary systems) that will insert control rods in the event that primary rapid insertion does not promptly and fully actuate.

          1. Ren, the control rods of the Chernobyl plant temporarily added to the reactivity of the core when they were inserted. This was due to the physical design of the rods and the reactor design. The rods had a metal leader before the boron metal. The non-water/non-boron void resulted in positivity added to the core. The core also had positivity added as the temperature increased. The higher temp boiled water which made more voids which added more positivity and so on.

    2. “I’m surprised no one has made a movie out of this.”

      Because they had already made a movie about a nuclear plant accident: “The China Syndrome”. Someone probably figured we didn’t need TWO nuclear plant accident movies. :-)

    3. Stopping the fission is the easy part (unless you’re working with an astoundingly stupid design, like, say, an early RBMK). Inserting the control rods and stopping the fission doesn’t stop the heat production, thanks to the decay of the built-up fission products. The hard part is managing that decay heat when things aren’t working perfectly.

      1. There’s a deleted episode by Matt, where Burns insisted on fixing a leaking pipe with JB Weld and Duck Tape, which caused a flooding of the control room. Episode was sent to cutting room floor for fear the public would riot

  4. All of these nuclear accidents are indirectly the result of using boiling water reactors. Some problem happens, cooling is lost, and the problem quickly escalates because you can’t keep coolant water flowing. While molten salt reactors have their own issues, “melting down” isn’t really one of them because the fuel is *already* molten. There is no coolant that can boil away and leave the reactor in a run-away condition. You can turn off the power, turn off the pumps, and walk away and nothing bad will happen. When the heat builds up, a solid plug at the base of the reactor melts and the fuel runs into containment vessels where the reaction stops. No human interaction required.

    1. Technically speaking, you could design even a BVR type reactor that can passively eject a portion of its core, causing a safe shutdown (pulling out a portion of the fuel would cause it to lose criticality)…but – $$$$$$

  5. I’m pretty sure those children are the product of both a mother and a father. Making everything into a gender issue seriously hurts those actually suffering from gender issues. Please don’t.

  6. With fusion making such promising progress, I feel like the nuclear power controversy will effectively be a non-issue. It doesn’t have the stigma attached to it that fission does (because of incidents like this one), and generally speaking it does have huge safety advantages.

    1. It certainly does not have huge safety advantages. In a (working) fusion reactor, neutrons are required to create more fuel by activation. Processing of that material is the biggest hurdle in future reactors. Neutron energies involved will transmute most elements, and most materials used in reactor construction will end up radioactive. And whether Tritium – Deuterium or Tritium – Helium 3 is the main reaction, Tritium is still involved, which (for the initial fuel load) requires another (fission) reactor to create in the first place.

      1. Tritium can be made with any neutron source, not just fission reactors. You can for example slam ordinary hydrogen together in an electrostatic fusor which is simple enough that schoolkids have built them. Then you surround it with lithium, and bob’s your uncle.

        1. That’s not productive enough to be useful in this situation. The volume of Tritium required to fuel a power fusion reactor is far too large for all the fusors in the world. And no sealed neutron source has high enough flux to be productive enough to be useful either.

          1. You only need enough tritium to bootstrap the reactor, not to completely fuel it. You get a little bit of fusion going, it’s going to breed more tritium by itself.

            Then there’s other neutron sources as well, such as spallation sources where hydrogen ions (protons) are flung at a target with a particle accelerator, and the resulting collisions release a high flux of neutrons. These sources are being developed also for the purpose of consuming nuclear waste in a sub-critical fission reactor. You force the decay with a neutron beam.

          2. Besides, one fusion reactor needs some grams of Tritium to start. As rare as it is, Canada’s CANDU reactors are producing about 2.5 kg a year out of heavy water, and the US has a stockpile of about 75 kg for use in hydrogen bombs.

            The question of where to get Tritium is basically moot.

  7. The problem with nuclear power is that it’s much better at larger scale, i.e. more efficient. If it takes $1,000 to make a small core system but only $1,500 to make something 20x its energy output there is a lot of incentive to make the larger system. When you’re talking the regulatory process, then you’re also looking at a faster time to implement. I agree that a smaller “attack/failure” surface makes a lot of sense but you have to prove that such a design exists and that it can be easier and less costly to contain. There is a company working on module reactors in the 25-100MW range that are supposed to be walkaway safe but the issue there is that they are $4000-5000 per kw installed, none exist yet. Yet you can get solar + battery for less than that with fewer regulatory issues and a lot easier cleanup. The economics of small nuclear then are only for areas that don’t have an alternative power system, wind, tide, solar, hydro etc. or are space limited, i.e. in dense metro areas, where people don’t exactly want such a power system near them.

    Frankly I am not anti nuclear in fact if a molten salt reactor using thorium existed today in a module walk away safe system then I think we wouldn’t have the issues with it that we do now. However when you factor in that a majority of reactors are or similar and prone to explosions and leaks and other issues if they have a station blackout. Or are used to produce things other than power. Then the industry shot themselves in the foot and had their chance now it’s time for anything else first.

    There isn’t a “safe” nuclear design. Just like “clean coal” does not exist. But there are a lot of people selling BS. When Fukushima happened, I grabbed a copy of the reactor simulator tool and put in the public info about the reactors, and was able to estimate within a small window of when the reactors were going to fail containment before it happened.

    The tool is here – be prepared to use a VM or something the software core is dated even if its got modern info.

    1. That’s because nuclear reactors aren’t built in volume. Each of them is like an automobile made in the late 19th century – individually designed and engineered down to the last nut and thread with no interchangeable parts.

      >”Yet you can get solar + battery for less than that with fewer regulatory issues and a lot easier cleanup”

      There’s a long hidden tail with those “cheap” batteries and PV panels. See for example silicon tetrachloride dumping in the far east, which is the companies skirting environmental regulations to push costs down. A huge part of the recent price drops in PV panels is due to the Chinese producing them with cheap coal power under state subsidies and disregarding environmental regulations. Their aim is to kill their competition, and they’re succeeding at 80% global market share.

      Likewise, scientists recently identified a new source of ozone-hole inducing chemicals and traced it to somewhere in China, resulting from releasing industrial solvents used for washing oils off of semiconducting wafers – most likely solar panels again.

      Then there’s the problem with REEs. Mining rare earth minerals for use in batteries, solar cells, electronics, leaves behind nuclear waste, because the deposits are full of uranium and thorium. Mitsubishi for example had to clean up a very large nuclear waste spill in Bukit Merah, hollowing a mountain and filling it back with 50,000 truckloads of contaminated earth that was causing leukemia and birth defects in the local population.

      When it’s not issues of toxic mine tailings, the other issue becomes about conflict minerals. Most of the world’s sources of cobalt come from countries like Congo.

      Then there’s minerals availability. In order to meet demand for growth for the next 100 years, global lithium production must increase by a factor of 1,000. If the current world production were to be used solely to make Tesla cars, you could make about 20 million cars per year, assuming every battery gets recycled without loss. That leaves nothing over for grid batteries, laptops, cellphones, and the rest.

      1. To put that into perspective, about 100 million cars are being manufactured in the world every year.

        People just don’t appreciate how much energy we use, and how much of it would need to be stored to make a difference.

        One day worth of backup on the US grid would be roughly 500 GW x 24 h = 12 TWh of batteries. Let’s say 10 TWh to make it simple.

        All the lithium currently produced in the world will make roughly 200 GWh of batteries per year. (ref. Tesla Gigafactory makes 35 GWh of batteries, consumes 1/6th of world output).

        So, it takes 50 years at the current rate of production to make enough batteries to have 1 day worth of backup on the US grid. The problem being that the rest of the world wants to do that as well, while having all the laptops, cellphones, electric cars, etc.

        That spells only one thing: price hikes. Recycling lithium batteries costs more per kWh than making new ones (lithium batteries aren’t currently being recycled due to costs), so the only way to meet the demand is by increasing prices from whatever they are today.

  8. Gen IV reactors are light years ahead of the designs we have throughout the planet. The cooling processes for the various designs are simpler to maintain in case of an accident and power becomes a concern.

    For a good read of a reactor gone bad try “The Prometheus Crisis.” One of my favorite books and technically well written when talking about the nuclear industry.

    For what it’s worth, the Uranium in the ground will undergo fission over time, the radon it gives off will cause a number of deaths, if we can safely do the nuclear fission systems, we should. It’s carbon neutral and high energy.

    1. >”the radon it gives off will cause a number of deaths”

      That’s debatable. In areas with high radon emissions, there doesn’t seem to be proportionally higher amounts of cancers. When accounting for other variables, the extra radiation seems to affect those already compromised, such as smokers. This points to the fact that biology has adapted to deal with varying levels of background radiation over a large span.

      The assumption that the radon, or the levels of contamination from places such as Fukushima, Chernobyl, will cause a certain number of deaths are based on the now-discredited LNT hypothesis which is based on extrapolating down from very large radiation doses and assuming that there is no threshold – that any amount of additional radiation is proportionally worse all the way down to zero. This results in the absurd situation that many places on earth, where people live quite comfortably, should have to be cordoned off as nuclear accident sites for failing to meet the arbitrary safety standards.

      1. Radon is the second leading cause of lung cancer. And much more radioactive than you would guess. Was stopped going in to a nuclear plant because someone 100 yards away was coming up the sidewalk after having slept in a basement apartment. ALL the monitors were going off…. gentleman was told to go “shake out his clothes”.

  9. When San Onofre crashed, it too was a “follow the money” disaster. Some moron, (To not be named later) changed the superheater tube material in an effort to save a few bucks. Material eroded, system down, forever.

    This has happened on a system I worked on, (Not Nuke though) and we had an unplanned shutdown in the middle of highest earnings period. Crap..

    Nobody will point to the culprit in the S. O. disaster, due to the buddy system in engineering groups.
    My culprit was Joe, civil engineer, (I’m not there anymore and can’t be fired)

  10. “The real irony of the Browns Ferry fire was that two days before, a similar fire had started but had been put out successfully. After the fire on Thursday night, the shift engineers and three assistant shift engineers met. According to one of them,
    “We discussed among the group the procedure of using lighted candles to check for air leaks. Our conclusion was that the procedure should be stopped.””

  11. The great science fiction writer Frederik Pohl wrote a fictionalized account of the Chernobyl accident called Chernobyl. Pohl admits that he mashed up many real people into a few fictional ones to make the story easier to follow. I don’t know how many of the events in the book are fiction and how many are fact but Pohl clearly did a tremendous amount of research. The book is a fast and easy read – even for people without any technical background. It was a favorite of our local volunteer fire department whenever they were receiving special training in case of an accident at the nearby nuclear power plant.

  12. “As you might expect, shutting down a reactor isn’t quick and easy.”

    It can be. Naval nuclear reactors, without getting into details, ARE quick and easy to shut down. They’re designed that way–you hit the SCRAM switch, and boom, it’s shut down.

    Any nuclear reactor that ISN’T quick and easy to shut down is slow and difficult to shut down because it was designed that way–because someone, or a bunch of someones, made a deliberate choice to value some other qualities over a quick, easy, and SAFE shutdown.

    We’ve seen civilian power reactors having this problem again and again. Are those other qualities really worth it? When you’re dealing with the safety risks of a nuclear reactor, AND dealing with the reputation of nuclear power in a world where fossil fuels are killing us, can you really afford to build a reactor that can’t be shut down quickly and easily?
