1 00:00:00,400 --> 00:00:08,240 [Music] 2 00:00:09,468 --> 00:00:13,080 Chain of events. Caused and effect. We 3 00:00:13,080 --> 00:00:14,429 analyze what went right, and what went 4 00:00:14,429 --> 00:00:16,920 wrong, as we discover that many outcomes 5 00:00:16,920 --> 00:00:19,980 can be predicted, planned for and even 6 00:00:19,980 --> 00:00:23,160 prevented. I'm John Chidgey and this is 7 00:00:23,160 --> 00:00:26,039 Causality. Causality is part of The 8 00:00:26,039 --> 00:00:28,079 Engineered Network. To support our shows 9 00:00:28,079 --> 00:00:29,820 including this one, head over to our 10 00:00:29,820 --> 00:00:31,618 Patreon page and for other great shows 11 00:00:31,618 --> 00:00:36,270 visit https://engineered.network/ today. "Three 12 00:00:36,270 --> 00:00:40,619 Mile Island" This is the first in a 13 00:00:40,619 --> 00:00:42,359 series of episodes with a focus on 14 00:00:42,359 --> 00:00:44,609 control system contributions to 15 00:00:44,609 --> 00:00:49,200 disasters. Built on a sandbar in 16 00:00:49,200 --> 00:00:51,119 Pennsylvania in the middle of the 17 00:00:51,119 --> 00:00:55,829 Susquehanna River between 1968 and 1970 18 00:00:55,829 --> 00:00:58,439 the Three Mile Island Nuclear Plant 19 00:00:58,439 --> 00:01:01,649 consisted of 2 reactor cores, both 20 00:01:01,649 --> 00:01:05,629 being a Pressurized Water Reactor design. 21 00:01:05,629 --> 00:01:08,219 The reactors themselves were designed 22 00:01:08,219 --> 00:01:12,239 and built by Babcock & Wilcox, and had 23 00:01:12,239 --> 00:01:14,010 many reactors installed around the 24 00:01:14,010 --> 00:01:16,560 United States at that time, and it was 25 00:01:16,560 --> 00:01:18,840 operated by General Public Utilities 26 00:01:18,840 --> 00:01:21,269 whose parent company was Metropolitan 27 00:01:21,269 --> 00:01:24,450 Edison. The energy shortages and the 28 00:01:24,450 --> 00:01:26,640 energy crisis of the early 1970s where 29 00:01:26,640 --> 00:01:30,328 oil prices jumped from $3USD a barrel to 30 00:01:30,328 --> 00:01:33,659 $30USD a barrel led to fuel shortages 31 00:01:33,659 --> 00:01:35,250 across the United States and that had 32 00:01:35,250 --> 00:01:38,099 driven utilities to the lure of cheap 33 00:01:38,099 --> 00:01:41,819 nuclear energy. A large number of 34 00:01:41,819 --> 00:01:43,618 reactors were built in a relatively 35 00:01:43,618 --> 00:01:45,959 short period of time and the Nuclear 36 00:01:45,959 --> 00:01:48,299 Regulatory Committee had difficulty 37 00:01:48,299 --> 00:01:50,099 keeping up with the demand for 38 00:01:50,099 --> 00:01:52,379 certification and compliance of all of 39 00:01:52,379 --> 00:01:55,228 these new reactors. The designers had 40 00:01:55,228 --> 00:01:57,180 been producing several proof-of-concept 41 00:01:57,180 --> 00:01:59,790 plants in the hundred-megawatt range and 42 00:01:59,790 --> 00:02:03,060 then, once they'd proven them, scaled them 43 00:02:03,060 --> 00:02:05,879 to nearly 1GW with essentially 44 00:02:05,879 --> 00:02:08,580 the same design, scaled up with little 45 00:02:08,580 --> 00:02:12,318 proof during operation at full size. 46 00:02:12,318 --> 00:02:14,039 Nuclear reactors are 47 00:02:14,039 --> 00:02:16,289 essentially big steam engines. The 48 00:02:16,289 --> 00:02:17,908 nuclear fuel rods have a chain reaction 49 00:02:17,908 --> 00:02:20,759 that is slowed down by carbon control 50 00:02:20,759 --> 00:02:22,378 rods that absorb neutrons that are 51 00:02:22,378 --> 00:02:25,289 released from fission of those fuel rods 52 00:02:25,289 --> 00:02:27,658 and heat is withdrawn (or extracted) from 53 00:02:27,658 --> 00:02:30,120 the reactor core, by passing very clean 54 00:02:30,120 --> 00:02:33,209 water through the reactor. The name 55 00:02:33,209 --> 00:02:36,090 explains the basis of a Pressurised 56 00:02:36,090 --> 00:02:38,938 Water Reactor design. The primary coolant 57 00:02:38,938 --> 00:02:41,039 is kept under a higher pressure to stop 58 00:02:41,039 --> 00:02:42,780 the cooling water from boiling and 59 00:02:42,780 --> 00:02:45,329 turning into steam. Hence pressure 60 00:02:45,329 --> 00:02:47,729 control is vital and a safety system to 61 00:02:47,729 --> 00:02:49,438 prevent over-pressurization are 62 00:02:49,438 --> 00:02:51,930 essential that they function correctly 63 00:02:51,930 --> 00:02:54,000 to ensure the cooling remains under 64 00:02:54,000 --> 00:02:56,789 control. The water in the clean water 65 00:02:56,789 --> 00:02:58,889 circulation loop needs to be kept 66 00:02:58,889 --> 00:03:01,859 extremely clean or it will damage and 67 00:03:01,859 --> 00:03:03,719 prematurely wear the pipework inside 68 00:03:03,719 --> 00:03:05,329 the high pressure and high temperature 69 00:03:05,329 --> 00:03:08,729 sections of the boiler. In this design 70 00:03:08,729 --> 00:03:11,848 each unit had 8 condensate polishers, 71 00:03:11,848 --> 00:03:14,280 that filtered the clean water condensate 72 00:03:14,280 --> 00:03:16,739 before being circulated back through the 73 00:03:16,739 --> 00:03:18,209 high-temperature section of the boiler 74 00:03:18,209 --> 00:03:21,150 or more specifically the steam generator 75 00:03:21,150 --> 00:03:24,150 section of the loop. The secondary cooling 76 00:03:24,150 --> 00:03:25,949 loops purpose was to be the heat 77 00:03:25,949 --> 00:03:28,049 exchanger with the primary loop, with 78 00:03:28,049 --> 00:03:29,519 waste heat evaporated through huge 79 00:03:29,519 --> 00:03:31,680 cooling towers, which are commonplace in 80 00:03:31,680 --> 00:03:34,049 any thermal electricity generating plant 81 00:03:34,049 --> 00:03:37,500 that isn't alongside the ocean. The first 82 00:03:37,500 --> 00:03:39,509 unit at Three Mile Island was capable 83 00:03:39,509 --> 00:03:43,019 of generating 852MW and it came 84 00:03:43,019 --> 00:03:45,989 online on the 19th of April, 1974, 85 00:03:45,989 --> 00:03:49,289 followed by a second unit capable of 86 00:03:49,289 --> 00:03:52,139 generating 906MW on the 30th of 87 00:03:52,139 --> 00:03:56,908 December, 1978. Three Mile Islands Unit 88 00:03:56,908 --> 00:03:59,250 2 had been operating for close to a 89 00:03:59,250 --> 00:04:01,318 year but only came online commercially 90 00:04:01,318 --> 00:04:04,139 for about 3 months when on Wednesday 91 00:04:04,139 --> 00:04:08,068 the 28th of March, 1979 Unit 2 would 92 00:04:08,068 --> 00:04:11,609 have a partial meltdown. Unit 1 at the 93 00:04:11,609 --> 00:04:14,250 time was offline and shut down for 94 00:04:14,250 --> 00:04:17,839 refueling. At approximately 5:30pm on 95 00:04:17,839 --> 00:04:20,728 Tuesday, the day before, in the early 96 00:04:20,728 --> 00:04:23,098 evening plant operators had attempted to 97 00:04:23,098 --> 00:04:25,259 rectify a blockage in one of the 98 00:04:25,259 --> 00:04:27,750 aforementioned condensate polishers. 99 00:04:27,750 --> 00:04:29,970 The usual practice of clearing the resin 100 00:04:29,970 --> 00:04:31,949 from the filter they used to use 101 00:04:31,949 --> 00:04:34,949 compressed air, however in this case the 102 00:04:34,949 --> 00:04:36,959 blockage was severe enough that this was 103 00:04:36,959 --> 00:04:39,899 unsuccessful so the operators instead 104 00:04:39,899 --> 00:04:43,079 chose to connect the compressed air to a 105 00:04:43,079 --> 00:04:45,540 water line and then use the additional 106 00:04:45,540 --> 00:04:47,370 water pressure generated by the airs 107 00:04:47,370 --> 00:04:49,699 back pressure to force the resin out. 108 00:04:49,699 --> 00:04:52,889 This turned out to be successful. The 109 00:04:52,889 --> 00:04:55,350 unit was returned to normal operation 110 00:04:55,350 --> 00:04:57,779 and no one thought anymore of it. 111 00:04:57,779 --> 00:05:02,009 At 4:37am Eastern Standard Time, Unit 112 00:05:02,009 --> 00:05:04,620 2 secondary loop, which is the second 113 00:05:04,620 --> 00:05:07,800 of 3 steam water loops, lost its 114 00:05:07,800 --> 00:05:09,810 circulating water flow following a 115 00:05:09,810 --> 00:05:12,470 series of valves that had tripped shut. 116 00:05:12,470 --> 00:05:14,910 This led to an increase in the 117 00:05:14,910 --> 00:05:16,350 temperature of the primary coolant 118 00:05:16,350 --> 00:05:18,930 beyond a safety shutdown temperature 119 00:05:18,930 --> 00:05:21,750 setpoint. This then caused the primary 120 00:05:21,750 --> 00:05:24,600 reactor to shut down with a S.C.R.A.M. and 121 00:05:24,600 --> 00:05:27,660 the pilot-operated relief valve opened 122 00:05:27,660 --> 00:05:29,939 as designed, to briefly reduce the 123 00:05:29,939 --> 00:05:33,600 pressure inside the vessel. The high 124 00:05:33,600 --> 00:05:35,069 pressure injection pumps then 125 00:05:35,069 --> 00:05:37,379 automatically injected top-up water into 126 00:05:37,379 --> 00:05:39,418 the reactors primary coolant systems, as 127 00:05:39,418 --> 00:05:43,259 per design. Operators noticed that the 128 00:05:43,259 --> 00:05:46,228 level in the pressuriser was rising from 129 00:05:46,228 --> 00:05:48,079 the level indicator in the pressuriser. 130 00:05:48,079 --> 00:05:50,610 This was the only indication of the 131 00:05:50,610 --> 00:05:52,168 reactors cooling water level and 132 00:05:52,168 --> 00:05:54,240 although it was not a direct measurement 133 00:05:54,240 --> 00:05:56,189 it was rather an indirect measurement 134 00:05:56,189 --> 00:05:58,889 from a system of pipe work that was 135 00:05:58,889 --> 00:06:02,100 normally hydraulically linked. Operators 136 00:06:02,100 --> 00:06:04,319 were trained to ensure reactor coolant 137 00:06:04,319 --> 00:06:06,240 wasn't overfilled because if it was, 138 00:06:06,240 --> 00:06:08,819 there was a possibility of vessel 139 00:06:08,819 --> 00:06:12,959 rupture. By this time the primary coolant 140 00:06:12,959 --> 00:06:15,199 pumps were trying to pump both steam and 141 00:06:15,199 --> 00:06:19,079 water due to the incident and since they 142 00:06:19,079 --> 00:06:21,990 can only pump fluid, cavitation became 143 00:06:21,990 --> 00:06:24,180 severe resulting in large knocking and 144 00:06:24,180 --> 00:06:26,870 vibration of the primary coolant pumps. 145 00:06:26,870 --> 00:06:29,639 For these reasons the operators decided 146 00:06:29,639 --> 00:06:32,699 to override and stop the primary coolant 147 00:06:32,699 --> 00:06:35,040 pumps from circulating water, believing 148 00:06:35,040 --> 00:06:36,629 that the level in the pressurizer was a 149 00:06:36,629 --> 00:06:39,089 correct reading of reactor coolant water 150 00:06:39,089 --> 00:06:39,980 level, and 151 00:06:39,980 --> 00:06:41,839 to protect the coolant pumps from any 152 00:06:41,839 --> 00:06:46,160 damage. This ended forced cooling of the 153 00:06:46,160 --> 00:06:48,800 reactor core as the decay heat continued to 154 00:06:48,800 --> 00:06:52,279 build following the S.C.R.A.M. Refer to 155 00:06:52,279 --> 00:06:55,430 episode 3 of this show about 156 00:06:55,430 --> 00:06:57,980 Fukushima for the discussion about decay 157 00:06:57,980 --> 00:07:01,939 heat and S.C.R.A.M.s. By 6:00am there were 158 00:07:01,939 --> 00:07:03,889 about 50 people in the control room 159 00:07:03,889 --> 00:07:06,019 trying to figure out what had happened, 160 00:07:06,019 --> 00:07:07,910 with one of the operators that had 161 00:07:07,910 --> 00:07:10,069 entered at that time was called into the 162 00:07:10,069 --> 00:07:11,810 control room and they examined the 163 00:07:11,810 --> 00:07:13,279 readings and concluded that the 164 00:07:13,279 --> 00:07:15,680 pilot-operated relief valve had not 165 00:07:15,680 --> 00:07:18,079 closed as it was only supposed to 166 00:07:18,079 --> 00:07:20,810 momentarily open, but for some reason 167 00:07:20,810 --> 00:07:25,970 must still be open. At 6:22am a block 168 00:07:25,970 --> 00:07:28,250 valve was manually closed to stop the 169 00:07:28,250 --> 00:07:30,529 loss of coolant water through the faulty 170 00:07:30,529 --> 00:07:34,180 stuck-open pilot-operated relief valve. 171 00:07:34,180 --> 00:07:38,750 In the intervening 105 minutes, so much 172 00:07:38,750 --> 00:07:40,639 water and steam had been lost through 173 00:07:40,639 --> 00:07:42,980 the pilot-operated relief valve that the 174 00:07:42,980 --> 00:07:45,379 high-pressure steam had formed, creating 175 00:07:45,379 --> 00:07:47,439 gas locks in sections of pipe work and 176 00:07:47,439 --> 00:07:49,670 preventing convection cooling of the 177 00:07:49,670 --> 00:07:53,300 reactor core. With no forced cooling 178 00:07:53,300 --> 00:07:54,980 occurring the reactor temperature 179 00:07:54,980 --> 00:07:59,149 continued to climb. At 6:57am a plant 180 00:07:59,149 --> 00:08:00,920 supervisor declared a site area 181 00:08:00,920 --> 00:08:03,620 emergency shortly after radiation was 182 00:08:03,620 --> 00:08:07,430 detected in the control room. At 7:25am 183 00:08:07,430 --> 00:08:09,410 Station Manager Gary Miller 184 00:08:09,410 --> 00:08:11,420 declared a general emergency which is 185 00:08:11,420 --> 00:08:13,360 defined as potential for serious 186 00:08:13,360 --> 00:08:15,740 radiological consequences to the general 187 00:08:15,740 --> 00:08:16,569 public. 188 00:08:16,569 --> 00:08:20,120 There were only 2 phone lines into 189 00:08:20,120 --> 00:08:22,550 Unit 2s control room both of which 190 00:08:22,550 --> 00:08:24,829 were constantly in use during the 191 00:08:24,829 --> 00:08:27,649 incident, and a huge quantity of incoming 192 00:08:27,649 --> 00:08:30,019 calls and no direct line was actually 193 00:08:30,019 --> 00:08:32,090 available to the Emergency Response 194 00:08:32,090 --> 00:08:34,490 Center or to the engineers that had 195 00:08:34,490 --> 00:08:37,210 designed the plant. Instead 196 00:08:37,210 --> 00:08:39,110 representatives from Babcock & Wilcox 197 00:08:39,110 --> 00:08:41,809 had been unable to get through to the 198 00:08:41,809 --> 00:08:43,820 control room of Unit 2 but they were 199 00:08:43,820 --> 00:08:45,950 able to get through to Unit 1s control 200 00:08:45,950 --> 00:08:48,049 room and they had a runner, running 201 00:08:48,049 --> 00:08:49,870 messages between the two buildings 202 00:08:49,870 --> 00:08:52,580 between Units 1 & 2, relaying 203 00:08:52,580 --> 00:08:53,490 instructions, 204 00:08:53,490 --> 00:08:55,679 getting printouts, and then running those 205 00:08:55,679 --> 00:08:58,590 printouts back to Unit 1 to the phone 206 00:08:58,590 --> 00:09:01,889 connection that was open to them. By 207 00:09:01,889 --> 00:09:04,320 mid-afternoon operators gradually 208 00:09:04,320 --> 00:09:06,360 recommenced high-pressure injection of 209 00:09:06,360 --> 00:09:09,210 water into the reactor cooling system at 210 00:09:09,210 --> 00:09:12,000 Babcock & Wilcox's direction, in an 211 00:09:12,000 --> 00:09:14,669 attempt to increase pressure and force 212 00:09:14,669 --> 00:09:17,850 any steam and gases back into the 213 00:09:17,850 --> 00:09:22,710 solution. Without this step the primary 214 00:09:22,710 --> 00:09:24,720 cooling pumps would not be able to pump 215 00:09:24,720 --> 00:09:26,370 and would cavitate as they had earlier 216 00:09:26,370 --> 00:09:28,919 in the day and at 7:50pm that day, 217 00:09:28,919 --> 00:09:31,889 some 16hrs after the incident had 218 00:09:31,889 --> 00:09:34,559 begun, the designers instructed the 219 00:09:34,559 --> 00:09:36,120 operators to begin circulating water 220 00:09:36,120 --> 00:09:39,029 through the reactor once again. Once the 221 00:09:39,029 --> 00:09:40,860 operators did this, the temperatures 222 00:09:40,860 --> 00:09:42,899 began to drop...then the 223 00:09:42,899 --> 00:09:45,509 pressures began to drop as well. Over the 224 00:09:45,509 --> 00:09:48,570 following 2 days the gas build-up from 225 00:09:48,570 --> 00:09:50,879 that incident incrementally accumulated 226 00:09:50,879 --> 00:09:52,470 in the make up tank of the auxilary 227 00:09:52,470 --> 00:09:54,570 building, and the operators used a 228 00:09:54,570 --> 00:09:56,340 combination of compressors and pipe 229 00:09:56,340 --> 00:09:58,950 reconfiguration to move out as much of 230 00:09:58,950 --> 00:10:01,200 that gas as possible to the waste gas 231 00:10:01,200 --> 00:10:03,960 decay tanks. Unfortunately the 232 00:10:03,960 --> 00:10:06,809 compressors did not reliably seal and a 233 00:10:06,809 --> 00:10:09,320 quantity of radioactive gas was released. 234 00:10:09,320 --> 00:10:11,820 The following morning it was reported 235 00:10:11,820 --> 00:10:13,799 that there was a radioactive gas release 236 00:10:13,799 --> 00:10:17,070 and an evacuation plan was suggested for 237 00:10:17,070 --> 00:10:18,809 the immediately affected area. 238 00:10:18,809 --> 00:10:21,779 It wasn't until 10:00am that the actual 239 00:10:21,779 --> 00:10:24,450 amount of gas release was informed to 240 00:10:24,450 --> 00:10:26,850 the governor. The governor recommended 241 00:10:26,850 --> 00:10:28,379 that pregnant women and school-aged 242 00:10:28,379 --> 00:10:29,240 children 243 00:10:29,240 --> 00:10:32,429 evacuate a 5mi radius from the 244 00:10:32,429 --> 00:10:35,159 Three Mile Island plant. This set off 245 00:10:35,159 --> 00:10:38,429 somewhat of a panic. Before reaching the 246 00:10:38,429 --> 00:10:40,350 environment the gases had passed through 247 00:10:40,350 --> 00:10:43,710 a high-efficiency, particulate air filter 248 00:10:43,710 --> 00:10:47,190 sometimes called a HEPA filter, as well 249 00:10:47,190 --> 00:10:49,710 as an activated carbon charcoal filter 250 00:10:49,710 --> 00:10:52,590 set. This filtration captured all of the 251 00:10:52,590 --> 00:10:54,990 radionuclides with the only exception 252 00:10:54,990 --> 00:10:58,500 being noble gases. The quantity of gas 253 00:10:58,500 --> 00:11:00,980 released was not metered directly. 254 00:11:00,980 --> 00:11:03,120 Estimates however following the incident 255 00:11:03,120 --> 00:11:06,480 ranged from as little as 1.6PBq 256 00:11:06,480 --> 00:11:10,649 (Peta-Becquerels) to a maximum of 480PBq. 257 00:11:10,649 --> 00:11:15,740 1 Peta-Becquerel is 27,000 Curie's. 258 00:11:15,740 --> 00:11:18,480 These figures are radioactive decay 259 00:11:18,480 --> 00:11:22,078 events not dose absorption figures. The 260 00:11:22,078 --> 00:11:23,850 average dose after the incident was 261 00:11:23,850 --> 00:11:26,070 estimated from this gas released as an 262 00:11:26,070 --> 00:11:28,769 average of 8 millirems per person with 263 00:11:28,769 --> 00:11:32,309 a single maximum likely dosage of 100 264 00:11:32,309 --> 00:11:37,679 millirems or 1 milliSievert. An average 265 00:11:37,679 --> 00:11:39,448 background radiation dose in the United 266 00:11:39,448 --> 00:11:42,659 States is about 360 millirems per 267 00:11:42,659 --> 00:11:46,948 person per year, or 3.6 milliSieverts per 268 00:11:46,948 --> 00:11:50,009 person per year. The noble gases released 269 00:11:50,009 --> 00:11:52,620 had very short half-lives. Weren't 270 00:11:52,620 --> 00:11:55,379 absorbed by plants or animals: so-called 271 00:11:55,379 --> 00:11:58,230 biologically inert and did not cause an 272 00:11:58,230 --> 00:11:59,549 increase to the background radiation 273 00:11:59,549 --> 00:12:01,649 dosage levels in the immediate or 274 00:12:01,649 --> 00:12:04,198 extended area around the Three Mile 275 00:12:04,198 --> 00:12:08,519 Island plant. On the 30th of March and 276 00:12:08,519 --> 00:12:09,389 the 1st of April 277 00:12:09,389 --> 00:12:11,669 an increase in pressure caused by the 278 00:12:11,669 --> 00:12:14,250 exposed Zirc-alloy reaction (again refer 279 00:12:14,250 --> 00:12:16,649 to Episode 3) at higher temperatures 280 00:12:16,649 --> 00:12:19,289 creates a Hydrogen bubble above the 281 00:12:19,289 --> 00:12:21,120 reactor on top of the containment vessel. 282 00:12:21,120 --> 00:12:24,028 On Saturday morning some of the 283 00:12:24,028 --> 00:12:25,620 calculations suggest that a Hydrogen 284 00:12:25,620 --> 00:12:27,629 explosion was an imminent possibility 285 00:12:27,629 --> 00:12:30,328 and these were being seriously discussed 286 00:12:30,328 --> 00:12:32,940 by the response personnel, by... 287 00:12:32,940 --> 00:12:35,309 late Saturday afternoon the possibility 288 00:12:35,309 --> 00:12:36,990 of an explosion was leaked to the press 289 00:12:36,990 --> 00:12:40,458 setting off a new wave of panic. 290 00:12:40,458 --> 00:12:42,750 Operators however bled off the Hydrogen 291 00:12:42,750 --> 00:12:44,940 build-up gradually by briefly opening 292 00:12:44,940 --> 00:12:46,339 vent valves on the pressurizer, 293 00:12:46,339 --> 00:12:48,750 periodically over several days until the 294 00:12:48,750 --> 00:12:52,379 pressure had subsided. At the time there 295 00:12:52,379 --> 00:12:53,940 were great fears the bubble could cause 296 00:12:53,940 --> 00:12:56,278 an explosion however the pressure was 297 00:12:56,278 --> 00:12:58,049 never allowed to get high enough and the 298 00:12:58,049 --> 00:13:00,000 amount of Oxygen required to reach the 299 00:13:00,000 --> 00:13:02,100 Lower Explosive Limit, was nowhere near 300 00:13:02,100 --> 00:13:04,980 the required level for an explosion to 301 00:13:04,980 --> 00:13:09,568 take place. In an attempt to calm panic, 302 00:13:09,568 --> 00:13:11,789 the President of the United States at 303 00:13:11,789 --> 00:13:14,068 the time, Jimmy Carter, toured the 304 00:13:14,068 --> 00:13:16,259 facility 4 days after the incident 305 00:13:16,259 --> 00:13:18,870 had occurred. The tour group he was a 306 00:13:18,870 --> 00:13:19,950 part of was 307 00:13:19,950 --> 00:13:22,830 protected only by radiation boots, to 308 00:13:22,830 --> 00:13:24,809 prevent radioactive water from being 309 00:13:24,809 --> 00:13:28,100 absorbed into their shoes and feet. 310 00:13:28,100 --> 00:13:30,269 Following this incident, lead bricks were 311 00:13:30,269 --> 00:13:31,710 brought in to surround the base of the 312 00:13:31,710 --> 00:13:33,269 reactor and the Hydrogen build-up was 313 00:13:33,269 --> 00:13:35,580 gradually bled-off and contained. The 314 00:13:35,580 --> 00:13:38,460 pressure vessels' pressure was reduced to 315 00:13:38,460 --> 00:13:42,659 normal operating conditions. By the 27th 316 00:13:42,659 --> 00:13:44,850 of April the decay heat had subsided 317 00:13:44,850 --> 00:13:47,429 enough, such that natural convection flow 318 00:13:47,429 --> 00:13:49,169 of cooling water was now possible and 319 00:13:49,169 --> 00:13:52,080 the plant was in a cold shutdown. With 320 00:13:52,080 --> 00:13:54,000 water now below boiling point at 321 00:13:54,000 --> 00:13:55,950 standard atmospheric pressure. 322 00:13:55,950 --> 00:13:58,980 It wasn't until 3 years after the 323 00:13:58,980 --> 00:14:00,779 incident that a camera was able to be 324 00:14:00,779 --> 00:14:03,120 lowered safely into the reactor core to 325 00:14:03,120 --> 00:14:04,769 determine the full extent of the damage 326 00:14:04,769 --> 00:14:09,210 from the incident. They found that 5ft 327 00:14:09,210 --> 00:14:11,970 from the top of the reactor core 328 00:14:11,970 --> 00:14:15,799 had melted away. That's about 1.5m. 329 00:14:15,799 --> 00:14:19,620 Nearly half of the reactor had partly or 330 00:14:19,620 --> 00:14:22,980 fully melted down and had...pooled at 331 00:14:22,980 --> 00:14:25,320 the bottom head of the pressure vessel 332 00:14:25,320 --> 00:14:29,210 in the reactor, where it now lay, solidified. 333 00:14:29,210 --> 00:14:32,519 Approximately 19 tonnes of core material 334 00:14:32,519 --> 00:14:34,500 in total had melted and flowed to the 335 00:14:34,500 --> 00:14:38,070 bottom. 62 tonnes had partly or fully 336 00:14:38,070 --> 00:14:41,750 melted which is 45% of the entire 337 00:14:41,750 --> 00:14:45,450 reactor core. The reactor core of Unit 2 338 00:14:45,450 --> 00:14:49,139 was within 30min of a complete 339 00:14:49,139 --> 00:14:53,460 meltdown. Had a full meltdown occurred 340 00:14:53,460 --> 00:14:56,129 it would have become so hot, the entire 341 00:14:56,129 --> 00:14:58,590 core would have become a molten blob of 342 00:14:58,590 --> 00:15:01,769 metal with self-sustaining heat melting 343 00:15:01,769 --> 00:15:03,480 its way through the vessel, concrete 344 00:15:03,480 --> 00:15:05,879 foundations and bedrock. Had it 345 00:15:05,879 --> 00:15:08,220 progressed to a full meltdown there's 346 00:15:08,220 --> 00:15:09,809 little doubt that the sand and water 347 00:15:09,809 --> 00:15:12,269 layer beneath the plant would have 348 00:15:12,269 --> 00:15:14,730 turned into a superheated radioactive 349 00:15:14,730 --> 00:15:17,700 steam, sending a huge amount of radiation 350 00:15:17,700 --> 00:15:19,590 through the water table and the local 351 00:15:19,590 --> 00:15:21,809 area and atmosphere surrounding the 352 00:15:21,809 --> 00:15:24,570 plant. Some disaster projections 353 00:15:24,570 --> 00:15:26,429 suggested it had the potential to wipe 354 00:15:26,429 --> 00:15:29,399 out an area from Washington DC to New 355 00:15:29,399 --> 00:15:32,820 York City, although that eventuality is 356 00:15:32,820 --> 00:15:33,870 hotly debated 357 00:15:33,870 --> 00:15:37,769 by the nuclear industry. So what went 358 00:15:37,769 --> 00:15:41,309 wrong at Three Mile Island? There were 359 00:15:41,309 --> 00:15:43,230 both technical errors and human errors. 360 00:15:43,230 --> 00:15:45,919 The trigger event was actually a mistake 361 00:15:45,919 --> 00:15:49,320 introduced the previous night. In the 362 00:15:49,320 --> 00:15:51,690 late afternoon of the preceding day when 363 00:15:51,690 --> 00:15:53,429 the operators had attempted a non- 364 00:15:53,429 --> 00:15:55,289 standard procedure to clear the resin 365 00:15:55,289 --> 00:15:57,120 blockage in one of the... 366 00:15:57,120 --> 00:15:59,909 filters, the position of the air line 367 00:15:59,909 --> 00:16:02,669 and the water line was very difficult to 368 00:16:02,669 --> 00:16:04,950 physically access. It's not entirely 369 00:16:04,950 --> 00:16:07,919 clear if it's long-term connection was 370 00:16:07,919 --> 00:16:10,559 intended or accidental however the 371 00:16:10,559 --> 00:16:12,360 process had allowed an amount of water 372 00:16:12,360 --> 00:16:15,500 to enter the instrument air-line. 373 00:16:15,500 --> 00:16:18,779 Instrument air is used actuate valves: 374 00:16:18,779 --> 00:16:20,970 control valves for a multitude of 375 00:16:20,970 --> 00:16:23,340 reasons. The primary being that air can 376 00:16:23,340 --> 00:16:25,980 be directed at a valve manifold and the 377 00:16:25,980 --> 00:16:27,929 very low current and low voltage relay 378 00:16:27,929 --> 00:16:31,590 can signal to open or close the valve or 379 00:16:31,590 --> 00:16:34,080 move it to a position using the air as 380 00:16:34,080 --> 00:16:37,200 the primary motive force to move the 381 00:16:37,200 --> 00:16:39,809 valve physically. It's cleaner and 382 00:16:39,809 --> 00:16:42,179 simpler than hydraulic valves because it 383 00:16:42,179 --> 00:16:43,830 doesn't leak in the same way and leave 384 00:16:43,830 --> 00:16:45,990 mess on the floor and it doesn't get as 385 00:16:45,990 --> 00:16:48,899 hot nor does it require thick cabling or 386 00:16:48,899 --> 00:16:51,029 take up as much physical space as an 387 00:16:51,029 --> 00:16:53,509 all-electric actuator. 388 00:16:53,509 --> 00:16:55,710 Unfortunately instrument air has a 389 00:16:55,710 --> 00:16:59,870 rather fatal flaw, and that is moisture. 390 00:16:59,870 --> 00:17:02,850 If too much moisture enters the valve 391 00:17:02,850 --> 00:17:05,338 manifolds they will either actuate 392 00:17:05,338 --> 00:17:07,769 without being directed to do so or they 393 00:17:07,769 --> 00:17:09,390 will cease to actuate when they are 394 00:17:09,390 --> 00:17:12,449 commanded to do so. In the case of Three 395 00:17:12,449 --> 00:17:14,970 Mile Island a series of valves on pipe- 396 00:17:14,970 --> 00:17:17,009 work connecting the feedwater pumps, 397 00:17:17,009 --> 00:17:19,650 condensate pumps and the condensate 398 00:17:19,650 --> 00:17:22,170 booster pumps all failed in quick 399 00:17:22,170 --> 00:17:24,720 succession, with several key valves all 400 00:17:24,720 --> 00:17:28,650 slamming shut...quickly. And this caused a 401 00:17:28,650 --> 00:17:31,589 cessation of the secondary cooling water 402 00:17:31,589 --> 00:17:33,390 flow into the primary vessel and 403 00:17:33,390 --> 00:17:37,470 initiated the chain of events. Once the 404 00:17:37,470 --> 00:17:38,819 chain of events had been set in motion 405 00:17:38,819 --> 00:17:41,009 though, there were automated systems 406 00:17:41,009 --> 00:17:43,619 designed to prevent a loss of cooling to 407 00:17:43,619 --> 00:17:45,569 the reactor as you'd expect: it's a 408 00:17:45,569 --> 00:17:47,160 nuclear reactor! 409 00:17:47,160 --> 00:17:49,990 Basically the plant operators and 410 00:17:49,990 --> 00:17:53,289 managers overrided the automatic safety 411 00:17:53,289 --> 00:17:54,420 equipment. 412 00:17:54,420 --> 00:17:58,210 It was those overrides that led to the 413 00:17:58,210 --> 00:18:01,299 reactor core meltdown. Superficially 414 00:18:01,299 --> 00:18:02,740 though it's easy to blame plant 415 00:18:02,740 --> 00:18:03,970 operators for the Three Mile Island 416 00:18:03,970 --> 00:18:07,150 incident. "Blame the operator" right? The 417 00:18:07,150 --> 00:18:09,369 truth is that there was a long list of 418 00:18:09,369 --> 00:18:13,390 reasons why they got it wrong. The actual 419 00:18:13,390 --> 00:18:16,420 real root causes included contributions 420 00:18:16,420 --> 00:18:20,170 from: the utility company (Met-Ed), the 421 00:18:20,170 --> 00:18:23,190 reactor vendor Babcock & Wilcox, the 422 00:18:23,190 --> 00:18:25,929 architect engineer and the Nuclear 423 00:18:25,929 --> 00:18:27,910 Regulatory Commission. They were all 424 00:18:27,910 --> 00:18:30,970 responsible, either in whole or in part, 425 00:18:30,970 --> 00:18:33,940 for deficiencies in training, control 426 00:18:33,940 --> 00:18:36,039 room design, instrumentation and equipment 427 00:18:36,039 --> 00:18:38,670 selection, the overall plant design and 428 00:18:38,670 --> 00:18:42,730 emergency and evacuation procedures. All 429 00:18:42,730 --> 00:18:45,910 we'll be looking at, is the exploration 430 00:18:45,910 --> 00:18:48,579 of the control system and equipment 431 00:18:48,579 --> 00:18:53,710 selection. The control system in use was 432 00:18:53,710 --> 00:18:56,829 a Bailey 855 Process Control Computer, 433 00:18:56,829 --> 00:18:59,170 and had been widely used by Babcock & 434 00:18:59,170 --> 00:19:01,000 Wilcox and their designs for nearly a 435 00:19:01,000 --> 00:19:04,299 decade at that point. The Bailey 855 was 436 00:19:04,299 --> 00:19:06,549 configured with Visual Annunciator 437 00:19:06,549 --> 00:19:08,940 lights as well as a computer printout 438 00:19:08,940 --> 00:19:12,308 from 1 of 2 printers. 1 for on- 439 00:19:12,308 --> 00:19:15,460 request plant status and the other for 440 00:19:15,460 --> 00:19:18,220 system alarms. Due to a limited physical 441 00:19:18,220 --> 00:19:20,799 space in the annunciation system, many 442 00:19:20,799 --> 00:19:22,450 alarms that were deemed to be less 443 00:19:22,450 --> 00:19:25,359 critical only appeared on the computer 444 00:19:25,359 --> 00:19:27,700 printout. The printers themselves were 445 00:19:27,700 --> 00:19:30,130 electric typewriters, and they were not 446 00:19:30,130 --> 00:19:33,279 high-speed though in... 447 00:19:33,279 --> 00:19:34,539 this day and age, we'd refer to these as 448 00:19:34,539 --> 00:19:38,319 printers, these were technically "Computer 449 00:19:38,319 --> 00:19:40,839 Typewriters." And these computer 450 00:19:40,839 --> 00:19:43,390 typewriters could print at most 14 451 00:19:43,390 --> 00:19:47,259 alarms every minute. When the alarm rate 452 00:19:47,259 --> 00:19:49,929 was greater than the printing rate the 453 00:19:49,929 --> 00:19:51,400 system had a memory buffer and that 454 00:19:51,400 --> 00:19:52,750 would hold those alarms until the 455 00:19:52,750 --> 00:19:55,390 printer could catch up. During routine 456 00:19:55,390 --> 00:19:58,359 plant trips the alarm printer, as 457 00:19:58,359 --> 00:20:00,519 configured by the designers, 458 00:20:00,519 --> 00:20:03,130 could actually take an hour to fully 459 00:20:03,130 --> 00:20:05,440 print off all of the alarms that had 460 00:20:05,440 --> 00:20:09,130 occurred during a routine plant trip. The 461 00:20:09,130 --> 00:20:10,720 plant operators knew about this from 462 00:20:10,720 --> 00:20:12,839 their experiences in Reactor 1, and 463 00:20:12,839 --> 00:20:15,460 regularly ignored the alarm system from 464 00:20:15,460 --> 00:20:18,670 the printer and instead relied solely on 465 00:20:18,670 --> 00:20:22,150 the on-demand system status printouts, and 466 00:20:22,150 --> 00:20:25,359 alarm annunciator lights. High Water Level 467 00:20:25,359 --> 00:20:27,880 in the containment sump was one such 468 00:20:27,880 --> 00:20:30,460 alarm that only appeared on the printout 469 00:20:30,460 --> 00:20:33,609 and not on its own annunciator. Had the 470 00:20:33,609 --> 00:20:35,500 operators received this alarm in a 471 00:20:35,500 --> 00:20:37,869 timely and clear fashion, they would have 472 00:20:37,869 --> 00:20:40,058 realized that a large amount of water 473 00:20:40,058 --> 00:20:42,849 was escaping containment much earlier 474 00:20:42,849 --> 00:20:45,190 and it's likely that the block valve 475 00:20:45,190 --> 00:20:47,730 would have been closed much, much sooner, 476 00:20:47,730 --> 00:20:50,740 preventing such a big loss of primary 477 00:20:50,740 --> 00:20:54,009 coolant flow and most likely preventing 478 00:20:54,009 --> 00:20:59,140 the meltdown entirely. The unit had 1,200 479 00:20:59,140 --> 00:21:02,410 alarms configured. A few hundred went off 480 00:21:02,410 --> 00:21:04,150 in the first minutes of the incident 481 00:21:04,150 --> 00:21:07,539 alone. After the incident some operators 482 00:21:07,539 --> 00:21:09,670 went on record stating alarms were: "...not 483 00:21:09,670 --> 00:21:12,130 very helpful..." and they simply: "...got in the 484 00:21:12,130 --> 00:21:15,339 way." They went on to say the day had 485 00:21:15,339 --> 00:21:17,740 concluded prior to the incident that: "...the 486 00:21:17,740 --> 00:21:19,839 alarms would provide little, if any 487 00:21:19,839 --> 00:21:21,970 immediate assistance..." when trying to 488 00:21:21,970 --> 00:21:25,119 diagnose and prioritize actions during 489 00:21:25,119 --> 00:21:28,390 an event. Poor instrument selection. The 490 00:21:28,390 --> 00:21:30,819 reactor coolant drain tank indicators 491 00:21:30,819 --> 00:21:32,710 weren't directly visible to the plant 492 00:21:32,710 --> 00:21:34,808 operators from the main console in the 493 00:21:34,808 --> 00:21:38,289 main control room. Worse than that there 494 00:21:38,289 --> 00:21:40,779 were no strip chart recorders. This was 495 00:21:40,779 --> 00:21:43,750 the days before graphical trend displays 496 00:21:43,750 --> 00:21:46,869 on a computer screen, for the reactor 497 00:21:46,869 --> 00:21:48,460 coolant drain tank conditions, this 498 00:21:48,460 --> 00:21:50,319 included pressure, temperature and water 499 00:21:50,319 --> 00:21:52,269 level. So there were no strip chart 500 00:21:52,269 --> 00:21:54,940 recorders, for any of those. There were 501 00:21:54,940 --> 00:21:57,279 no instruments that directly measured 502 00:21:57,279 --> 00:21:59,380 the water level in the reactor vessel. 503 00:21:59,380 --> 00:22:01,599 The level was intended to be surmised 504 00:22:01,599 --> 00:22:03,759 from the water level in the pressuriser, 505 00:22:03,759 --> 00:22:06,460 which during the incident could not have 506 00:22:06,460 --> 00:22:07,660 been expected to give an accurate 507 00:22:07,660 --> 00:22:10,329 reading, due to the plant conditions at 508 00:22:10,329 --> 00:22:13,480 the time and didn't. Instrumentation 509 00:22:13,480 --> 00:22:14,259 selection and 510 00:22:14,259 --> 00:22:15,640 ranging for temperature and pressure 511 00:22:15,640 --> 00:22:17,259 limits were designed primarily around 512 00:22:17,259 --> 00:22:20,680 the normal operational envelope, rather 513 00:22:20,680 --> 00:22:23,559 than extreme operating conditions like 514 00:22:23,559 --> 00:22:25,900 those experienced during the time of the 515 00:22:25,900 --> 00:22:30,160 incident. As a result of this choice most 516 00:22:30,160 --> 00:22:32,349 of the instrumentation was flat-lined at 517 00:22:32,349 --> 00:22:34,539 either maximum or minimum values and 518 00:22:34,539 --> 00:22:37,029 operators essentially had no useful 519 00:22:37,029 --> 00:22:39,190 information from which to attempt to 520 00:22:39,190 --> 00:22:42,849 diagnose or resolve the situation. The 521 00:22:42,849 --> 00:22:44,829 pilot valve. The pilot-operated relief 522 00:22:44,829 --> 00:22:47,200 valve was found to have previously 523 00:22:47,200 --> 00:22:50,470 failed on 11 occasions in the life of 524 00:22:50,470 --> 00:22:52,930 that specific reactor. 9 of those 525 00:22:52,930 --> 00:22:55,720 failures had failed in the Failed Open 526 00:22:55,720 --> 00:22:59,740 position. Every Failed Open position had 527 00:22:59,740 --> 00:23:02,170 resulted in a coolant leak within the 528 00:23:02,170 --> 00:23:05,230 containment vessel. The exact failure 529 00:23:05,230 --> 00:23:06,759 chain of events had in fact been 530 00:23:06,759 --> 00:23:08,950 replicated, 1-1/2yrs before 531 00:23:08,950 --> 00:23:10,869 the incident at Three Mile Island at 532 00:23:10,869 --> 00:23:13,089 another Babcock and Wilcox reactor of 533 00:23:13,089 --> 00:23:16,450 exactly the same design. In this instance 534 00:23:16,450 --> 00:23:18,069 however operators determined the failed 535 00:23:18,069 --> 00:23:19,980 open condition within 20min, 536 00:23:19,980 --> 00:23:22,839 compared to 80min for Three Mile 537 00:23:22,839 --> 00:23:26,349 Island. The Davis-Besse Nuclear Power 538 00:23:26,349 --> 00:23:29,319 Station was only operating at 9% power 539 00:23:29,319 --> 00:23:32,619 at the time its valve failed open, unlike 540 00:23:32,619 --> 00:23:36,549 near full power (at 97%) in the Unit 2 at 541 00:23:36,549 --> 00:23:38,440 Three Mile Island was producing at the 542 00:23:38,440 --> 00:23:41,170 time of its incident. Babcock & Wilcox 543 00:23:41,170 --> 00:23:44,109 did not clearly communicate this risk to 544 00:23:44,109 --> 00:23:46,240 all of its customers that utilized their 545 00:23:46,240 --> 00:23:48,970 reactor designs and not to Three Mile 546 00:23:48,970 --> 00:23:52,359 Island prior to the incident. In addition 547 00:23:52,359 --> 00:23:53,829 the valve itself did not have an 548 00:23:53,829 --> 00:23:57,700 independent and direct indicator of its 549 00:23:57,700 --> 00:24:01,329 position either open or closed. Its 550 00:24:01,329 --> 00:24:04,269 position instead was inferred based on 551 00:24:04,269 --> 00:24:06,910 its commanded output, and that is to say 552 00:24:06,910 --> 00:24:08,920 the control system commanded the valve 553 00:24:08,920 --> 00:24:12,279 to open and it displayed that the valve 554 00:24:12,279 --> 00:24:15,970 was open on the control system. Which 555 00:24:15,970 --> 00:24:18,700 technically is control and indication by 556 00:24:18,700 --> 00:24:20,980 inference, rather than control by 557 00:24:20,980 --> 00:24:24,420 feedback or control by fact. In 558 00:24:24,420 --> 00:24:27,279 programming control systems for decades 559 00:24:27,279 --> 00:24:27,809 I've learned 560 00:24:27,809 --> 00:24:30,210 it is always better to program based 561 00:24:30,210 --> 00:24:34,319 on fact, not presumption. Timers waiting 562 00:24:34,319 --> 00:24:36,299 for events that could happen or might 563 00:24:36,299 --> 00:24:39,059 not happen. Assuming valves open or pumps 564 00:24:39,059 --> 00:24:41,309 start, without independent evidence 565 00:24:41,309 --> 00:24:44,009 verifying that they have is potentially 566 00:24:44,009 --> 00:24:47,160 dangerous. Modern safety systems require 567 00:24:47,160 --> 00:24:49,410 direct indication of safety equipment 568 00:24:49,410 --> 00:24:51,599 position and loss of that indication 569 00:24:51,599 --> 00:24:53,640 when the plant is in use leads to alarm 570 00:24:53,640 --> 00:24:55,079 conditions and in some extreme cases 571 00:24:55,079 --> 00:24:58,920 will even trip shut the plant. In my 572 00:24:58,920 --> 00:25:01,380 experience lack of equipment feedback is 573 00:25:01,380 --> 00:25:04,230 predominantly driven by cost. Whether 574 00:25:04,230 --> 00:25:06,720 it's an I/O count reduction with less 575 00:25:06,720 --> 00:25:09,210 test burden, a simplification of the 576 00:25:09,210 --> 00:25:11,880 design or more commonly just the cost of 577 00:25:11,880 --> 00:25:14,309 the limit switches themselves on a valve, 578 00:25:14,309 --> 00:25:16,170 is considered too exorbitant and 579 00:25:16,170 --> 00:25:20,519 unnecessary. It's not clear what drove 580 00:25:20,519 --> 00:25:22,920 Babcock & Wilcox's decision to not 581 00:25:22,920 --> 00:25:24,930 provide position feedback in this 582 00:25:24,930 --> 00:25:27,359 instance. In the aftermath of Three Mile 583 00:25:27,359 --> 00:25:30,029 Island the exact radiation dosages that 584 00:25:30,029 --> 00:25:33,200 individuals received as they were 585 00:25:33,200 --> 00:25:35,339 experiencing and present during the 586 00:25:35,339 --> 00:25:36,539 incident at the Three Mile Island 587 00:25:36,539 --> 00:25:40,079 facility, is unknown since only 2 of 588 00:25:40,079 --> 00:25:41,579 the 7 radiation monitors in the 589 00:25:41,579 --> 00:25:43,829 plant were actually functioning. In 590 00:25:43,829 --> 00:25:45,839 addition, many of the personal dosage 591 00:25:45,839 --> 00:25:48,210 meters handed out weren't correctly 592 00:25:48,210 --> 00:25:49,980 recorded during the lead-up to the 593 00:25:49,980 --> 00:25:51,690 incident, and they weren't regularly 594 00:25:51,690 --> 00:25:53,970 changed out, hence their state when they 595 00:25:53,970 --> 00:25:55,799 were carried on people's person, 596 00:25:55,799 --> 00:25:57,960 wasn't known when they were going in 597 00:25:57,960 --> 00:25:59,430 hence the relative reading when they 598 00:25:59,430 --> 00:26:02,789 came out and wasn't known either. Whilst 599 00:26:02,789 --> 00:26:04,319 the maximum dose officially was 600 00:26:04,319 --> 00:26:07,200 estimated at 1 milliSievert, a 100 601 00:26:07,200 --> 00:26:08,910 milliSievert dose increases the 602 00:26:08,910 --> 00:26:11,039 probability of radiation induced cancer 603 00:26:11,039 --> 00:26:17,460 by 0.8%. A 1 to 2 Sievert dose will 604 00:26:17,460 --> 00:26:19,200 increase the probability of a fatality 605 00:26:19,200 --> 00:26:21,390 due to radiation dosage at up to 5%. 606 00:26:21,390 --> 00:26:25,230 An 8 to 30 Sievert dose, will 607 00:26:25,230 --> 00:26:27,779 increase the probability of fatality to 608 00:26:27,779 --> 00:26:31,529 an essential certainty. The fallout from 609 00:26:31,529 --> 00:26:34,049 the incident has not shown a significant 610 00:26:34,049 --> 00:26:35,490 increase in the number of cancers or 611 00:26:35,490 --> 00:26:37,349 infant mortality rate in the area 612 00:26:37,349 --> 00:26:39,599 surrounding Three Mile Island. One of the 613 00:26:39,599 --> 00:26:41,430 interesting coincidences surround 614 00:26:41,430 --> 00:26:43,559 Three Mile Island incident was that the 615 00:26:43,559 --> 00:26:45,779 movie "The China Syndrome," which was about 616 00:26:45,779 --> 00:26:48,029 a nuclear meltdown had opened in the 617 00:26:48,029 --> 00:26:50,069 local movie theater in Harrisburg on the 618 00:26:50,069 --> 00:26:53,609 day of the incident. 2,000 gallons 619 00:26:53,609 --> 00:26:55,589 of contaminated water was released into 620 00:26:55,589 --> 00:26:57,990 the Susquehanna River as a result of the 621 00:26:57,990 --> 00:27:00,779 incident. Radioactive rat droppings were 622 00:27:00,779 --> 00:27:02,460 also found scattered throughout the 623 00:27:02,460 --> 00:27:04,950 building following the events. General 624 00:27:04,950 --> 00:27:06,869 Public Utilities said this wasn't an 625 00:27:06,869 --> 00:27:09,029 issue because: "...none of the rats had left 626 00:27:09,029 --> 00:27:12,210 the island." Showing some indifference to 627 00:27:12,210 --> 00:27:13,470 the fact there was no way to know that 628 00:27:13,470 --> 00:27:14,960 for sure. 629 00:27:14,960 --> 00:27:16,740 Following the incident legal 630 00:27:16,740 --> 00:27:18,569 interventions were undertaken against 631 00:27:18,569 --> 00:27:21,589 Met-Ed and GPU across multiple areas 632 00:27:21,589 --> 00:27:25,170 including management competency. The 633 00:27:25,170 --> 00:27:27,329 Atomic Safety and Licensing Board stated 634 00:27:27,329 --> 00:27:29,279 the interventions had wasted time and 635 00:27:29,279 --> 00:27:32,789 money and that said, 1 week after the 636 00:27:32,789 --> 00:27:34,650 Atomic Safety and Licensing Board issued 637 00:27:34,650 --> 00:27:36,180 General Public Utilities with a clean 638 00:27:36,180 --> 00:27:38,130 bill of health for management competency, 639 00:27:38,130 --> 00:27:40,289 2 operators were caught cheating on 640 00:27:40,289 --> 00:27:42,990 their licensing tests and 4 operators 641 00:27:42,990 --> 00:27:45,720 in fact failed the tests entirely. The 642 00:27:45,720 --> 00:27:47,490 hearings were reopened to determine more 643 00:27:47,490 --> 00:27:50,190 stringent tests and all operators re-sat 644 00:27:50,190 --> 00:27:52,920 at these more rigorous tests, and still 645 00:27:52,920 --> 00:27:56,670 half of them failed. Evacuation plans 646 00:27:56,670 --> 00:27:58,740 were required to be drawn up in full 647 00:27:58,740 --> 00:28:00,750 detail, and far more thoroughly reviewed 648 00:28:00,750 --> 00:28:02,910 including correcting oversights such as 649 00:28:02,910 --> 00:28:05,519 putting the nearby city...halfway across 650 00:28:05,519 --> 00:28:08,220 its bridge. New safety and training 651 00:28:08,220 --> 00:28:09,720 measures were introduced following the 652 00:28:09,720 --> 00:28:11,460 incident for nuclear reactors throughout 653 00:28:11,460 --> 00:28:14,359 the United States. The clean-up 654 00:28:14,359 --> 00:28:17,309 following Three Mile Island Unit 2 took 655 00:28:17,309 --> 00:28:20,130 just under 12yrs to complete at a 656 00:28:20,130 --> 00:28:24,059 cost of approximately $973M USD. 657 00:28:24,059 --> 00:28:29,369 On the 22nd of October, 2009 the 658 00:28:29,369 --> 00:28:31,619 US Nuclear Regulatory Commission renewed 659 00:28:31,619 --> 00:28:33,930 the operating license for Three Mile 660 00:28:33,930 --> 00:28:36,720 Island Unit 1 until the 19th of April, 661 00:28:36,720 --> 00:28:40,950 2034. Unit 2 however remains mostly 662 00:28:40,950 --> 00:28:43,500 disassembled with its generator moved in 663 00:28:43,500 --> 00:28:46,019 2 parts refurbished and reused, at the 664 00:28:46,019 --> 00:28:48,509 Sheraton Harris Nuclear Plant in New 665 00:28:48,509 --> 00:28:50,759 Hill, North Carolina. So what do we learn 666 00:28:50,759 --> 00:28:54,269 from this? No matter what process plant 667 00:28:54,269 --> 00:28:56,429 you're designing, it's critically 668 00:28:56,429 --> 00:28:58,888 important to think about what to show an 669 00:28:58,888 --> 00:29:01,200 operator under normal operating 670 00:29:01,200 --> 00:29:03,898 conditions naturally, but more 671 00:29:03,898 --> 00:29:06,659 importantly, what to show them under 672 00:29:06,659 --> 00:29:09,118 abnormal operating conditions, and that 673 00:29:09,118 --> 00:29:13,440 includes critical system events. Having 674 00:29:13,440 --> 00:29:15,118 an up-to-date training simulator with 675 00:29:15,118 --> 00:29:16,888 regular training and refresher training 676 00:29:16,888 --> 00:29:19,440 sessions for all operators is crucial to 677 00:29:19,440 --> 00:29:21,919 ensure operators know the right way to 678 00:29:21,919 --> 00:29:24,569 respond when critical events occur. 679 00:29:24,569 --> 00:29:27,419 Critical events generally and hopefully 680 00:29:27,419 --> 00:29:29,999 don't happen very often, so people need 681 00:29:29,999 --> 00:29:32,669 regular re-visits of how to handle them 682 00:29:32,669 --> 00:29:35,700 correctly or we, as humans under pressure, 683 00:29:35,700 --> 00:29:39,409 will forget and make mistakes. 684 00:29:39,409 --> 00:29:43,138 Beyond that controlling by fact and not 685 00:29:43,138 --> 00:29:48,019 by inference, is crucial. And finally 686 00:29:48,019 --> 00:29:52,409 having an alarm system is one thing, but 687 00:29:52,409 --> 00:29:54,528 filling it with nuisance alarms, 688 00:29:54,528 --> 00:29:57,569 incorrectly prioritising those alarms, so 689 00:29:57,569 --> 00:29:59,538 they all appear to be equally important, 690 00:29:59,538 --> 00:30:03,319 not conditionally muting alarms...and 691 00:30:03,319 --> 00:30:06,388 having incorrectly set up consequential 692 00:30:06,388 --> 00:30:09,739 alarms: all of these things contribute to 693 00:30:09,739 --> 00:30:13,378 rendering the alarm system completely 694 00:30:13,378 --> 00:30:14,628 useless. 695 00:30:14,628 --> 00:30:19,108 Just like at Three Mile Island. They were 696 00:30:19,108 --> 00:30:21,209 operating a nuclear reactor that could 697 00:30:21,209 --> 00:30:23,578 kill tens of thousands of people if it 698 00:30:23,578 --> 00:30:25,878 went wrong, with confusion, 699 00:30:25,878 --> 00:30:29,159 misunderstanding and trying to control a 700 00:30:29,159 --> 00:30:32,848 plant whose design had essentially left 701 00:30:32,848 --> 00:30:36,778 them blind. It's a miracle we got off 702 00:30:36,778 --> 00:30:40,229 that lightly. If you're enjoying 703 00:30:40,229 --> 00:30:42,058 Causality and want to support the show 704 00:30:42,058 --> 00:30:44,608 you can like some of our backers: Eivind, 705 00:30:44,608 --> 00:30:47,278 Daniel Dudley and Chris Stone. They and 706 00:30:47,278 --> 00:30:48,868 many others are Patrons of the show via 707 00:30:48,868 --> 00:30:50,638 Patreon and you can find it at 708 00:30:50,638 --> 00:30:53,398 https://patreon.com/johnchidgey 709 00:30:53,398 --> 00:30:55,078 so if you'd like to contribute something, 710 00:30:55,078 --> 00:30:56,759 anything at all, it's all 711 00:30:56,759 --> 00:30:59,369 much appreciated. Causality is part of 712 00:30:59,369 --> 00:31:00,900 The Engineered Network and you can find 713 00:31:00,900 --> 00:31:03,089 it at https://engineered.network/ and you can 714 00:31:03,089 --> 00:31:05,789 follow me on Mastodon @chidgey@ 715 00:31:05,789 --> 00:31:08,880 engineered.space or for our shows on 716 00:31:08,880 --> 00:31:11,390 Twitter and @Engineered_Net. 717 00:31:11,390 --> 00:31:16,440 This was Causality. I'm John Chidgey. Thanks so 718 00:31:16,440 --> 00:31:17,059 much for listening 719 00:31:17,059 --> 00:32:18,759 [Music] 720 00:32:20,250 --> 00:32:22,309 [Music] 721 00:32:23,160 --> 00:32:29,900 [Music]