The Davis Besse

Nuclear Power Plant

Three Mile Island Accident

Precursor Event

September 24, 1977

Copyright Mike Derivan 2014

On September 24, 1977 the Davis Besse Nuclear Power Plant

near Toledo Ohio experienced an event remarkably similar to

the Three Mile Island Accident. The Reactor Coolant System

response to both events is virtually identical for about twenty

minutes.

The failure of the Nuclear Industry and its Regulatory body,

the NRC, to correctly understand the significance of the

Davis Besse event put the TMI Operators in exactly the same

position eighteen months later. The results of this failure had

dire consequences for both the US Nuclear Industry and the

reputations of the TMI Operators.

This presentation, and its accompanying text document,

are my attempt to tell the truth, the whole truth, and

nothing but the truth about the Root Cause of the TMI

Accident.

Mike Derivan

The next frame shows a simplified drawing of the

associated plant systems at Davis Besse and the

plant initial conditions prior to the event. All time

references on the slides are relative to the time the

Davis Besse Operator manually tripped the reactor

early in the event.

Additional narrative will accompany the slide

presentation.

Between the previous frame and the next frame the Reactor Coolant System (RCS) is undergoing a heat

up transient. When the SFRCS actuation closed the Main Steam Isolation Valves with the Reactor at 9%

power, stopping the steam flow out of both Steam Generators, the heat removal (heat sink) for the RCS

was lost.

With the Reactor still generating 9% power there is no place for that power to go, except into the coolant

water of the RCS and the secondary side water level trapped in the Steam Generators. A very small

amount of heat removal is afforded by the steam to run the Aux Feed Pump Turbines.

The net affect of that coolant water heat up is the water expands pushing the Pressurizer water level up

and squeezing the steam bubble in the Pressurizer into a constantly decreasing volume. This causes the

system pressure to increase also. This pressure increase is what caused the PORV to lift.

Once the PORV lifted, and stuck open, two opposite affects are competing with respect to system

pressure. The stuck open PORV is decreasing pressure while the expanding water into the Pressurizer

from the coolant system water expansion wants to increase the pressure. The water expansion is

continuing because the Reactor is still critical (running) generating power. In our case the PORV is

winning, because the system pressure is decreasing. In this short duration pressure transient the system

pressure is probably “hanging” between the Reactor low pressure trip and high pressure trip window a

bit. But the system pressure response vs. time plot clearly shows the pressure was on the way to the low

pressure Reactor trip setpoint.

The subtle influence on this pressure transient is the fact we had a positive moderator coefficient of

reactivity at this time in the Reactor life cycle. And I’m convinced the speed of the coolant system heat up

was being driven by an ever increasing Reactor power level. But the power level data I have does not

include that plot.

But it always makes me wonder if a slightly different sequence might have been possible. One where the

RCS heat up and the Pressurizer level in surge was controlling the pressure. That might lead to what

Operators refer to as “A truly eye watering event.”

Now I know what you’re thinking, “Why on earth did you

guys shutdown those HPI Pumps when you had a leak?”

My simple answer is “We were trained to do it”, but of course

that leads to another question, doesn’t it? We’ll get to that

too, but right now things are about to get worse. Remember

before you get too judgmental, you’ve already spent more

time watching this Power Point Slide Show than we have

spent dealing with this event in real time in a real plant.

We’re only at five minutes.

And “Oh, by the way”, we were emphatically trained to never

let the HPI Pumps overfill the Pressurizer level. At the time

we shut them down, that level was 230” and increasing, while

the desired post Reactor Trip level setpoint was 100”.

Between 8 minutes and about 14 minutes post Reactor trip the RCS conditions were relatively stagnant.

This is the first time we had a chance to focus on the meaning of the low RCS pressure and “pegged out”

high Pressurizer Level, as there were no other pressing tasks requiring our attention during this time

frame. During the time frame from event start until now I had been looking at the low pressure and high

level as 2 independent unrelated problems. At least the pressure had gone in an expected direction on the

Reactor trip, albeit way too far. But that Pressurizer had me stumped to the point I actually had the

thought something was going on we hadn’t been told about; and if I could just get the plant drawing

straight lines I could figure it out. On a gut level it was impossible considering just some thumb rules for

the Pressurizer. One inch of level equals 30 gallons. One degree of T-average equals two inches of level. I

had watched it go from 200” to over 320” in 2 minutes. That’s over 3000 gallons, or over 1500 GPM;

impossible with our pumps. But I never doubted that the indicator was correct (we had 3).

According to the data plots, the RCS temperature actually started a slow heat up at about the 8 minute

mark which continued through this time period. I remember I had been intently focused on the RCS

pressure dropping, wondering when it was going to stop. It stopped dropping and bottomed out at about

950PSIG during the 8 to 10 minute time frame. That really got my attention. As much as I wanted to see it

stop dropping, what soaked in was that we had done nothing to cause it to stop. There had to be a reason.

Looking at the plant temperature and pressure it dawned on me; I grabbed a P vs. T Saturation curve off

the Reactor Operator desk and bingo! We were Saturated.

I announced out loud in the Control Room “We are Saturated, that’s why the Pressurizer is full, we are

boiling in the loops pushing the water in there.” Consider the power of negative training, and confusing

procedure guidance when that information soaks in to 5 licensed Operators. We had all been trained the

same way; never let the Pressurizer get “solid” (full of water); especially including never let HPI do it.

Consider that group of experience included 3 Navy nuke trained Operators and 2 College Degreed

Engineers, one with a Master’s Degree. We all hear that we are severely voided in the RCS, the Pressurizer

is indicating full, but the system is not. And nobody says “We better turn on HPI.”

But nobody really wants to believe we were trained to never let HPI pump into a full Pressurizer.

Once the Pressurizer PORV was isolated by its Block Valve, things did not immediately “get better”;

Reactor Coolant System conditions did not immediately start to change. We had stopped the flow of

water/steam out of the top of the Pressurizer, and I don’t have any specific recall of us manipulating the

Pressurizer electric heaters so I’d imagine they were automatically on, responding to the very low Reactor

Coolant System pressure. At that point the Pressurizer bulk water temperature must have been close to

the average Reactor Coolant System water temperature, which was about 533F, due to the Reactor

Coolant System inflow into the Pressurizer and out the stuck open PORV. In fact I don’t have any recall of

what I was thinking during those first several minutes following PORV isolation; so my guess is that my

gut was telling me we had found the problem and the plant would recover to more normal post-trip

conditions. This is opposed to my fairly detailed recall of events and thoughts leading up to PORV Block

Valve closure. I don’t think anybody in the Control Room said much of anything; we just all watched

Reactor Coolant System pressure to see if it would recover.

Today, in hindsight, the Reactor Coolant System was not exactly in a stable condition. We had one

Reactor Coolant Pump running in each loop in a highly steam voided condition, the Pressurizer level was

still indicating off scale high, Pressurizer heaters were on attempting to increase Reactor Coolant System

pressure, both Steam Generators were being maintained at the correct level by Auxiliary Feed Water. The

Reactor Coolant System temperature plot for the event shows Reactor Coolant System temperature was

increasing at this time. A mental heat balance of the Reactor Coolant System would indicate the 2 running

Reactor Coolant Pumps (and any very small, if any, decay heat from 1 Effective Full Power Day) were

adding more heat to the Reactor Coolant System than was being removed. Heat removal was basically

being provided by the addition of cold Seal Injection water to the 4 Reactor Coolant Pumps (30-40 GPM

total) and heat removal via the Steam Generators using the Auxiliary Feed Pump steam to run the

Auxiliary Feed Pump Turbines; we were not dumping any steam manually using any steam dumps.

What we had was a PWR with no P (except what might have been on the front of someone’s pants). Again,

there sits the strength of the previous B&W training on Pressurizer level; 5 Licensed Operators all trained

exactly the same way and there is no discussion about turning on High Pressure Injection to refill the

steam voided Reactor Coolant System. We just basically watched the indicated Pressurizer level and

waited for it to tell us we were “allowed” to add more water to the system. Simply put we were waiting for

the “actual real process” to move itself back into the realm of our pre-conditioned understanding of the

“process.” This is amazing to me in light of the fact several minutes earlier I had announced in the Control

Room exactly why the Pressurizer level indicated it was full. And for me it just begs the question of what

exactly is an “Operator Error”? There is no doubt in my mind that turning off the High Pressure Injection

in response to this Small Break Loss of Coolant Accident based on the Pressurizer level going full, is the

wrong thing to do. But who exactly made the error?

The simple fact is that before TMI, the “Institutional Arrogance” of the whole Nuclear Industry did not

believe a core damage event was even possible. Events were postulated and consequences were

analyzed because that was the licensing methodology that was used; but it was the belief (mindset) that

core damage was really never going to happen… period. So when TMI became the “Elephant in the

Room”, it had to be someone’s fault. It is my understanding that in complicated technology the principle

applies that if it is working OK, and then something bad happens, whoever touched the technology last is

the culprit (liable). I don’t see that as the case here, it was not exactly OK; there was a fundamental flaw in

the understanding of the actual system response to a leak in the steam space of PWR Pressurizers. The

only reason that the flaw was not apparent was that it had not happened in a US PWR. There were ignored

warnings to the AEC relevant to this misunderstood condition for Westinghouse European PWRs even

before the Davis Besse event. And that same Westinghouse Design was operating in the US. Also just

before the Davis Besse event there was an ignored warning on a B&W Reactor Design Review that this

Pressurizer steam space leak might lead Operators to “mistakenly turn off HPI.” The bloody details are in

the Report. But I will add that I counted the hands this report touched, just as mentioned in the Rogovin

Report. I didn’t count anybody twice. My total including organizations directly exposed are the ACRS, the

Pebble Springs License Application, the Bellefonte plant review, 2 NRC personnel, and 6 B&W personnel,

all before the TMI accident. Would anyone care to venture a guess just how many times the word “error”

is used in the Rogovin Report in describing this known ERROR in the B&W plant Operator training

program and procedure guidance? The only person who got it right was Murphy.

A full ten minutes elapsed after the PORV Block Valve was closed before Pressurizer level began to come

back on scale (30 min post trip); the result of the effect of the Pressurizer heaters starting to raise

pressure above the saturation pressure thereby collapsing the Reactor Coolant System steam bubbles.

Twenty minutes after the PORV Block Valve was closed (40 min post trip), according to the Davis Besse

NRC LER narrative, we started a second Make Up Pump to stop the rapid decrease in Pressurizer level. I

can’t establish the Pressurizer level from the plots at that time, as the graph time scale shifts at that end.

Also the Pressurizer Level plot scale only goes down to ~190” and at sixteen minutes after Block Valve

closure (36 min post trip) the data goes off the bottom of the plot. The narrative also says the increased

makeup flow started a slow decrease in Reactor Coolant System temperature. The narrative further states

at twenty two minutes (42 min post trip) we got the Low Pressurizer Level Heater Cut-Off (at 40”) which

would de-energize the Pressurizer heaters.

And at forty eight minutes (post trip) we started a High Pressure Injection pump, to recover the decreasing

Pressurizer level, which allowed reenergizing the Pressurizer heaters. At fifty minutes post trip the AFPT 2

governor was discovered hung up again, when we again got the Steam Generator2 Low Main Steam

Pressure Trip Block Permit alarm. I don’t even have any recall this second occurrence; but if I had to

speculate I’d say the Operator attending the Auxiliary Feed Pumps and Steam Generator levels diverted

his attention to help the Operator establishing High Pressure Injection flow, as it required coordination at

both a back panel and a front council panel. It would have been necessary to again establish a “throttled”

High Pressure Injection flow to accomplish our goal of increasing Pressurizer level to recover the heaters,

while not over cooling the Reactor Coolant System with High Pressure Injection flow to such an extent

that the coolant water contraction decreased the Pressurizer level again (such is life in an Operator’s

world).

This just points out a legitimate case requiring the throttling of High Pressure Injection flow by the

Operators. I will also point out this recovery of stable Plant Conditions, from the conditions we had at the

time, was well outside the bounds of any Operating Procedure (and may also still be today). It was done

solely by “skill of the craft”, which I suspect is now a lost art in the current totally proceduralized

mentality of the Nuke Operator World. By fifty six minutes post trip we had the Pressurizer level back to

normal control mode and were back on one Make Up Pump, the High Pressure Injection pump shut down,

Reactor Coolant System pressure was about 1100PSI and increasing; indicating sub-cooled Reactor

Coolant System conditions. We had returned to normal Main Feed flow to the SGs with MFP 2 running on

Auxiliary Steam supplied by the Auxiliary Boiler. We transitioned to a goal of establishing a normal Plant

Cool Down.

When I consider our handling of the Make-up and High Pressure Injection system during the recovery at

this point, what I see is a total fall back on our previous B&W training and experience, i.e. what’s the

Pressurizer level doing? If it’s decreasing add water, if not don’t add more water and don’t let High

Pressure Injection overfill.

I’ve recently had an additional thought on our indicated Pressurizer level during this event; what exactly

might it have been indicating? The NRC report narrative states that the steam and water discharge from

the blown rupture disk on the Pressurizer Quench Tank impinged on the lower shell of Steam Generator 2

to the degree it removed a 10’ high by 20’ wide section of insulation (and also deposited enough mud on

Containment floors and walkways to be “shoveled into drums”; something for Emergency Sump plugging

scenarios to consider). But the Pressurizer is also in the immediate vicinity of the Quench Tank. At this

point I know it’s just speculation because data is probably not available, but could the Quench Tank

discharge stream also been influencing the Reference Leg of the Pressurizer level measuring circuit,

e.g. boiling it down such that the indication would display higher than actual level? If so, just what were

we actually seeing during our actions to recover Pressurizer level? It is an interesting question, but there

probably is nothing to stimulate searching for an answer today. Except maybe the knowledge of what you

don’t know can bite you in the butt; according to Murphy.

Prolog

For a long time it wasn’t even possible for me to think about the TMI accident without Burt Dunn’s remark

echoing in my brain; “I can give you some scenarios where the situation would lead to possible fuel

damage.” Had I just been lucky? I knew TMI had been at about 100 EFPD and 97% power, we were only at

1 EFPD and 9% power, and that made all the difference in the world. The post Reactor trip decay heat

really drives the speed of the transient and we basically had none. So was it just luck that I had more time

to think than the TMI Operators because things were moving slower? So I had “made it” but they didn’t?

It’s not exactly the same thing, but suppose you lost control of your car at 97MPH verses 9MPH, which

case has the better chance of success? And that bothered me. It has taken years of soak time and hours

of pouring over transcripts to resolve some of that bother.

The earliest issue I can see that was treated differently was my response to the “pegged out high” high

Pressurizer level indication. At both plants Operators responded to the increasing Pressurizer level the

same way, and why not, we were trained the same and had the same basic procedures. So we both ended

up with High Pressure Injection off early. From there our reactions diverged. As explained in the event

narrative we had High Pressure Injection off at about 230 inches and increasing, at the event 5 minute

time frame. Then as Reactor Coolant System pressure continued to drop I watched Pressurizer level

increase from ~200 inches to off scale high from about the 6 minute to 8 minute time frame. I was in total

disbelief watching that happen. At that time we really weren’t pumping enough water in to make that

happen. We only had one Makeup Pump on at 30-40GPM for Reactor Coolant Pump Seal Injection and had

isolated the Letdown flow, so that wasn’t good for more than about an inch per minute of Pressurizer level

increase. There was no doubt in my mind that we had not pumped that water in there as it was not

physically possible in our pump configuration over the time frame that it happened. At the very time I

watched it happen, I did not understand why it happened, and it alarmed me that the level was that high.

As stated many times, it had been stressed in training not to let that happen. But there it was, and I never

doubted the level reading as we had three front panel meters all saying the same, so it was real. As stated

in the event narrative I definitely had the strong feeling something was going on that we had not been told

about, and also the feeling that I was missing something to make everything I was seeing fit.

The TMI Operators apparently had a stronger mindset than me to the training about not letting that

happen, because they worked harder to make it “go away.” They returned Letdown to service post trip

and had it maxed out at 140 – 160 GPM trying to lower Pressurizer level. We never returned Letdown flow

to service post trip as I recall. I’ve also read testimony indicating they we doing a “tank review” searching

for a way (flow path) that water might have gotten in there. As I said, we only had one pump running

capable of pushing against that Reactor Coolant System pressure and it could not have physically caused

it to happen. So my gut feeling rationalization is that I worked harder trying to understand the Pressurizer

level response than to make it “go away.”

The next issue I can see that was treated differently was my response to changing Containment Vessel

conditions. Obviously when I saw the Containment Vessel pressurizing it provided the answer to “what I

was missing” and made all the pieces fit, and I ordered the PORV Block Valve closed. TMI Operators saw a

different set of Containment Vessel conditions than I did, so some of this discussion is moot. For one

thing their Containment drain “catch tank” automatically pumped water into their Auxiliary Building

causing significant early problems to deal with in the Auxiliary Building. Our Containment drain “catch”

point (sump) could not have done that. It got automatically closed off by the same signal that started our

High Pressure Injection pumps. Another Containment condition they reacted to was increasing

Containment temperature, which testimony indicates they may have attributed to a steam leak from a

Steam Generator inside the Containment vessel. A Steam Generator steam leak can also cause

Containment pressure to increase, so I obviously didn’t go the steam leak route, but also other steam leak

symptoms were not present earlier at our plant.

The final issue they had to deal with that I think would have really had an impact on me (had it happened)

was when later in the event they saw the Nuclear Instrument Source Range Monitor counts increasing. I

would have surely thought the Reactor was returning to critical. Truthfully this would have scared the crap

out of me, to the point of likely totally consuming my attention and actions while ignoring everything else.

I’m positive I would have ordered emergency boration as they did. But I’d like to think (speculate) that

shortly I would have looked at that just like I looked at the Pressurizer level being full. This can’t happen,

something else is going on. All the Reactor Control Rods were tripped fully in, and the Reactor Coolant

System boron neutron poison still had to be in there, plus Xenon had to be peaking; so the Reactor core

just had to be shutdown. The Source Range Monitors, BF3-proportional counters, count neutrons that

leak out of the core. The only way they could see more neutrons is if the shield water between them and

the core was gone, and that was the water in the Reactor Vessel down comer region. So that water had to

be either really, really hot (lower density, thus more leakage), or it was gone.