Palisades, South Haven, MI | Entergy | SIT: When a pump used to provide cooling water to emergency equipment failed in September 2009 because of stress corrosion cracking of recently installed parts, workers replaced the parts with identical parts. The replacement parts failed again in 2011, disabling one of three pumps.

Palisades, South Haven, MI | Entergy | SIT: Workers troubleshooting faulty indicator lights showing the position of the emergency airlock door inadvertently shut off power to roughly half the instruments and controls in the main control room. The loss of control power triggered the automatic shutdown of the reactor and complicated operators’ response.

PALISADES, MI (first incident)

The Near-Miss

The NRC sent an SIT to the site after one of three pumps supplying cooling water to emergency equipment failed for the second time in two years. The SIT determined that workers had replaced internal parts of the pump in 2009 with materials susceptible to stress corrosion cracking. This susceptibility caused pump failures in September 2009 and August 2011 (NRC 2011d).

How the Event Unfolded

The service water system at Palisades has three pumps that use water from a nearby lake to cool safety equipment. This equipment includes emergency diesel generators, control room coolers, containment air coolers, and the component cooling water system.

Workers replaced the internal parts of service water pump P-7C in June 2009, because the original carbon steel parts were eroding. The replacement parts were made of stainless steel, which is more erosion resistant.

Pump P-7C failed in September 2009 after 2,414 hours of operation, owing to stress corrosion cracking of the recently installed internal parts. The plant’s operating license gave the owner up to 72 hours to repair the pump and return it to service, or the reactor had to be shut down. Workers replaced the broken parts within the 72-hour deadline.
However, they used new parts with the same design and composed of the same material as the old parts, so the parts remained vulnerable to stress corrosion cracking.

A similar pump at the Prairie Island nuclear plant in Minnesota, with internal parts supplied by the same vendor, had failed in July 2010 for the same reason as the Palisades failure—stress corrosion cracking.

On August 9, 2011, service water pump P-7C failed again owing to stress corrosion cracking of internal parts, which had operated for 14,114 hours. Workers replaced the broken parts with those made of a new material that was resistant to both erosion (the original problem) and stress corrosion cracking (the new problem).

The plant owner had received a report in March 2011 from a consultant it had retained to examine the September 2009 pump failure. The consultant reported that the internal parts used for the pumps were not suitable for the operating conditions. However, the owner did not review and accept the report until August 2011—too late to prevent another pump failure.

The SIT chronicled a long list of warnings dating back to September 1991 concerning the use of the stainless steel parts. For example, the NRC had issued Information Notice 93-68 in September 1993, on stress corrosion cracking of pump internal parts made of stainless steel at the Beaver Valley plant. The industry’s Institute for Nuclear Power Operations had issued a report in 2006 on 12 pump failures from 1998 to 2006—most caused by stress corrosion cracking of stainless steel parts. And the NRC had issued Information Notice 2007-05 in February 2007, listing 23 service water pump failures since 1983 that stemmed from stress corrosion cracking of stainless steel parts.

UNION OF CONCERNED SCIENTISTS

Despite these repeated warnings, workers replaced the carbon steel parts of pump P-7C with stainless steel parts in June 2009.
As had happened so often before, the unsuitable parts caused failure in September 2009 and again in August 2011 (NRC 2011d).

NRC Sanctions

The SIT identified no violations of regulatory requirements.

PALISADES, MI (second incident)

The Near-Miss

The NRC sent an SIT to the site after workers troubleshooting faulty indicator lights for the position of the emergency airlock door inadvertently shut down about half the power supply to instruments in the main control room. The power loss triggered an automatic shutdown of the reactor, as well as the automatic closure of the main steam and containment isolation valves. The SIT identified eight violations of safety requirements. The most serious involved the failure to adequately plan for and conduct maintenance on equipment inside the control room.

How the Event Unfolded

The lights in the main control room indicating that the emergency airlock door was closed failed. A periodic test of the airlock door was due to be performed soon, so maintenance workers were troubleshooting the reason for the failure of the indicator lights. The workers traced the problem to a faulty electrical breaker inside a distribution panel that connected power from one of the two sets of station batteries to plant equipment.

Workers replaced the faulty breaker on September 23. After completion of this maintenance task, control room operators observed flickering lights for some of their instruments. The next day maintenance workers reopened the distribution panel and identified four electrical breakers that might have been improperly installed, causing the intermittent power fluctuations. Managers decided to reinstall the four suspect breakers.

On September 25, a worker loosened a screw inside the distribution panel to gain access to an electrical breaker. A flash from an electrical spark caused the worker to quickly pull away his hands.
The right end of a copper bar—which the tightened screw and the worker’s hand had held horizontal—fell toward other energized copper bars. The proximity of the bars caused an electrical spark to jump across the gap, and the spark cut power to the area. The electrical short also shut down about half the power supply to instruments and controls in the main control room.

THE NRC AND NUCLEAR POWER PLANT SAFETY: LIVING ON BORROWED TIME

[Figure: The distribution panel at Palisades where the disruption in electrical power started. Source: NRC.]

By design, that loss of power automatically triggered the rapid shutdown of the reactor core, as well as the closure of the main steam and containment isolation valves.

The operators’ response to the reactor shutdown was complicated by the unexpected and unwanted opening of a relief valve inside the containment building. The open valve allowed reactor cooling water to leak onto the floor, the water level inside the pressurizer to rise to 98 percent full, the water level in one of the steam generators to rise to 98 percent full, and relief valves on the charging pumps to open and leak water into the auxiliary building. The power loss also disabled many indicators, chart recorders, and alarms in the main control room, further complicating operators’ response.

Despite these complications, operators succeeded in taking the reactor to cold shutdown by 6:33 am on September 27.

The NRC’s SIT examined the preparation for and execution of the maintenance work for the failed indicator lights.
The team “concluded that the work on September 25, 2011, was performed with a focus on completion of the tasks on schedule, without ensuring all safety policies were followed.”

NRC Sanctions

The SIT identified two violations of regulatory requirements associated with the ROP’s initiating events cornerstone:

• Failure to provide adequate instructions for maintenance work, and to ensure that workers followed approved procedures, as required by Appendix B, Quality Assurance, to 10 CFR Part 50.
• Failure to implement procedures for responding to reactor incidents when operators did not take steps specified in the approved procedure for loss of control room alarms, designed to ensure that the main generator was disconnected from the offsite electrical grid.

The NRC classified the first violation as Yellow and the second as Green.

The SIT also identified six violations of regulatory requirements associated with the ROP’s mitigating systems cornerstone:

• Failure to conduct a pre-job briefing for workers performing the breaker maintenance on September 25, 2011, as required by plant procedures.
• Failure to limit the working hours of staff, as required by plant procedures. Specifically, the SIT reported that the duty station manager had worked for 25 straight hours, and more than 72 hours in the prior seven days, and that an electrical superintendent had worked more than 72 hours in the prior seven days.
• Failure to develop adequate procedures for operators to implement in response to a design and licensing bases event: namely, the loss of a single train of battery power.
• Failure to properly screen proposed modifications to the plant, as required by Appendix B to 10 CFR Part 50 as well as 10 CFR 50.59.
• Failure to comply with Criterion IV, Design Control, of Appendix B to 10 CFR Part 50, in that two electrical breakers were installed in the battery distribution panel with automatic protective trips, when the design bases required the breakers to be actuated manually.
• Failure to notify the NRC within eight hours of an event or condition that put the plant in an unanalyzed condition that significantly degraded safety.

The NRC classified the first five violations as Green and the last one as a Severity Level IV violation.