The Three Mile Island nuclear power plant is located on the Susquehanna River in Pennsylvania, USA, 16 km from the state capital, Harrisburg, a city of 90000. It has two 900 MW(e) units with pressurised water reactors designed by Babcock and Wilcox. The second unit of the site started commercial operation on December 30, 1978.
The Babcock and Wilcox 900 PWR design uses 2 steam generators of the once-through type. These steam generators are long, about 28 meters, which induces a specific layout: the bottom of the steam generators is lower then the core inlets (Fig. 15). Then the transition to natural convection cooling on the primary side can be difficult in some conditions. Furthermore, they only contain a small amount of secondary cooling water, making the installation rather sensitive during certain kinds of transient.
In the case of a loss of normal SG feedwater there is an increase in temperature, hence in pressure, in the primary cooling system, systematically leading to opening of the pressurizer relief valve, during a few seconds.
The accident starts at 4:00 a.m. on Wednesday March 28, 1979 with the loss of normal water supply to the steam generators. The primary transient causes emergency shutdown, which gradually lowers pressure in the primary cooling system. After 12 seconds the relief valve receives as normal the command to close but this valve remains jammed open. The primary cooling system continues to discharge into the pressurizer relief tank, located in the containment, at a flow-rate of 60 metric tons per hour (there are approximately 200 metric tons of primary coolant).
The steam generator auxiliary feedwater system pumps start up normally after 30 seconds, but the connecting valves between the pumps and the steam generators are closed instead of open, due to a maintenance error. The generators dry out in 2 to 3 minutes, stopping all cooling of the primary system. Although the position indicator for these valves located in
the control room signal this fault, eight minutes pass before the operators identify the fault and give the command manually to open the valves. Twenty-five minutes pass before the situation of the secondary cooling system stabilises, after numerous operations, no doubt commanding all the attention of the operating team.
During this time, discharge through the pressurizer relief valve continues. After two minutes, pressure in the primary cooling system has decreased to approximately 110 bar. The emergency core cooling system starts up automatically and sends cold water into the primary system. The operators check the indicator of the relief valve and see "valve closed", which in fact is not true. The indicator transmits the command received by the valve, and not its actual position, to the control room.
Finally, the operator concentrates on the water level in the pressurizer. The water level in the pressurizer, after lowering at first when the valve was opened, then started to rise rapidly, between the first and approximately the sixth minute. This rise is perfectly normal when there is an opening in the upper part of the pressurizer, but the operators in this plant ignored this fact and had not been trained for this type of situation. In any case, faced with this rapid rise in the pressurizer water level, the operators, believing the relief valve to be closed, are afraid to inject too much water into the system, and therefore stop emergency core cooling manually after less than five minutes. The operators' mental image of the situation was false, but the actions they decided to perform were obviously based on this image. As of this moment, the water draining from the primary system is not replaced. There is a break in the primary coolant emergency core cooling system is shut down completely.
The primary system continues to drain. After 6 minutes, boiling starts. The primary coolant circulating pumps continue to work, circulating a mixture of water and steam comprising more and more steam; however, they manage a certain amount of cooling thanks to the steam generators supplied by the secondary system. The rest of the energy is removed through the primary system break. After fifteen minutes, the pressurizer relief tank rupture disk gives way. The escaping primary coolant now goes directly into the containment. The pressurizer is filled with a mixture of water and steam. Its level indication is meaningless. The proportion of steam in the primary coolant increases. The primary pumps have more and more trouble, and start to cavitate and vibrate. These vibrations become excessive. The operators stop one pump after 1 hour 13 minutes, and the other 27 minutes later, hoping that natural circulation will set up in the primary system. In fact, water and steam separate, with steam accumulating in the top and water in the bottom. There is no longer any circulation of primary fluid and therefore no heat exchange takes place between the reactor core giving off residual heat of a few tens of MW and the steam generators. The heat from the core continues to bring the cooling water to the boil. No more water is being supplied, and the level in the core drops: the core is uncovered. Cooling of the fuel becomes less effective; cladding temperature rapidly increases to 850°C, then past 1300°C. At these temperatures, zirconium reacts chemically with steam to form zirconium oxide and hydrogen. This reaction produces heat, increasing temperatures yet more. fuel cladding melting point is reached, and there is significant release of fuel fission products to the primary coolant and from there to the containment.
After 2 hours 14 minutes, a radioactivity alarm goes off in the containment. The operators are forced to realise the gravity of the situation. Realising that they may well have transferred radioactivity through the relief valve, which had a high leak rate before the accident, they close the line-isolating valve and thereby stop discharge. This also stops all heat removal. The core continues to heat, and primary system pressure increases. The operators start up one of the primary pumps, which sends water cooled in the steam generator onto the extremely hot fuel, which disperses those parts of the fuel above the water level within the reactor vessel.
After 3 hours 12 minutes, vaporisation of water on the fuel has caused primary system pressure to rise to a dangerous point. The operators re-open the relief line-isolating valve, drainage starts up again, letting out coolant which is even more radioactive. More radioactivity alarms go off, some of which are outside the reactor building. The water that is spilling into the containment is taken up by automatic sump pumps, which send the contaminated water to storage tanks located in an auxiliary building that is not hermetic. These tanks then overflow and create a source of radioactive steam that can escape outside the plant.
A state of emergency is finally declared. The containment is isolated, stopping transfer from the sump to the auxiliary building. It is now three hours and twenty minutes since the accident began. The operators start the emergency core cooling system again at a low flow-rate, causing a new shock between the cold water and the hot fuel, then at nominal flow-rate. The core cools, four hours after the first event. It will take another twelve hours to discharge from the primary cooling system most of the hydrogen and fission gases that prevent it from being filled. This is done by alternately opening and closing the pressurizer relief line and starting up safety injection and primary pumps. A localised explosion of about 320 kg of hydrogen in the containment, after 9 hours 50 minutes, induces a 2 bar pressure spike in the reactor building, without causing any particular damage.
At 8:00 p.m. on Wednesday, March 28, 1979, the accident itself is over. However, it will take several days more to calm fears of a possible hydrogen explosion in the reactor vessel. The damage to the fuel elements far exceeds that provided for in the worst possible design basis accident. Six years later, in 1985, when it was possible to pass a television camera between the lower internal core structures and the vessel, it was found that 45% of the fuel had melted, along with elements of the cladding and the structures totalling 62 metric tons and forming what is called corium. About 20 metric tons of this corium, formed from the upper part of the fuel, had forced its way through an outer ring fuel assembly and the reactor core external baffles to reach the vessel bottom head itself, but fortunately did not melt through it. (See Fig. 16).
In spite of this catastrophic fuel situation and the significant transfer of radioactivity to the containment, the immediate radiological consequences in the surrounding area were minimal. Indeed, the containment fulfilled its role almost perfectly. Only the sump transfer pumps were responsible for radioactive release for a limited period. This release, estimated at 13 million curies of xenon and about 10 curies of iodine (i.e. 5.105 and 0.4 TBq), had only very limited consequences. It is estimated that an individual downwind at the edge of the site throughout the accident would have received a dose of less than 1 mSv (100 mrem), equivalent to the annual dose of natural radiation. The operating personnel received a slightly higher, but still quite limited dose during the accident, and had to wear masks for a few hours Three technicians received doses between 30 and 40 mSv (3-4 rems) during primary coolant sample-taking operations. The collective dose received by the plant workers from the onset of the accident to the end of fuel removal in 1989 is estimated at 60 man-Sv.
The first event of this scenario is the failure of the normal steam generators feedwater system due to an human error during a minor maintenance activity. This demonstrates the absolute need to reduce the occurrence of any type of abnormal event but the direct causes of the core meltdown are to be searched a step forward and then two direct causes appear:
Instead of focusing on these direct causes, the prevention of the reoccurrence of equivalent events needs to identify and treat the actual root causes. A list of the major findings is presented.
Multiple latent deficiencies (organization, maintenance, quality, ... )
Global and collective excessive confidence (complacency)
This general attitude towards nuclear activities is not specific to this type of design or to this operating organization but can be considered as widely spread world-wide at that period. This can be seen by different signs:
A resistant and leak tight containment resulting from the implementation of the defence in depth concept (3 levels) can be efficient to mitigate the radiological consequences even in the case of most beyond design accidents.
Man is an essential element of safety.