Correcting History Can Be an Uphill Battle

By Rod Adams

In April 2014, ANS Nuclear Cafe published a valuable historical account and analysis of the Three Mile Island accident titled TMI operators did what they were trained to do.

As author Mike Derivan explained in great detail, the operators on duty at TMI-2 during the early morning hours of March 28, 1979, took exactly the actions that they were trained to take when provided indications of low primary plant pressure, combined with pressurizer water level indication that was “pegged high.” That level indicator told operators that the pressurizer was full of water. There were no other direct indications of water level provided.

Derivan has a unique perspective on this historical event; he was the shift supervisor on duty at the Davis Besse Nuclear Power Plant on September 24, 1977, when that plant experienced an event that was virtually identical to the event that initiated the TMI accident. Derivan and his crew initially responded like the crew at TMI; their indications were the same and both crews had been trained to make the same diagnosis and perform the same actions.

The primary reason that the event at Davis Besse turned out to be a historical footnote, while the event at TMI resulted in billions of dollars worth of equipment damage, world-wide attention, and changes throughout the nuclear industry, was that Derivan recognized that he had been trained to make a wrong diagnosis, which led to incorrect actions.

About 20 minutes after his event began, he took a new look at the symptoms his indications were describing and revised his overall diagnosis. That led him to recognize that his plant was experiencing a loss of coolant from the steam space of the pressurizer. He realized that the response of available indicators to that event was unlike the indicator response for loss-of-coolant accidents from any other part of the reactor coolant system. He directed his crew to shut the valves that isolated the stuck power-operated relief valve and to restore water flow from the high pressure injection system into the primary coolant system.

Derivan participated in the required post-event analysis and reporting, so he knew what the Nuclear Regulatory Commission and the plant vendor B&W were told. He was thus uniquely affected by the TMI accident, especially once technical explanations of the accident sequence were available. He spent a considerable amount of time during the subsequent 35 years reviewing the available reports on TMI, trying to understand why the lesson he and his crew had learned in September 1977 had not been absorbed by the operators at TMI.

His conclusion is that the operators never had a chance to absorb and incorporate the lessons he had learned because they were never told that his event happened and never informed how to revise their procedures and training to enable a safer response. Despite all the effort that was put into various commissions and internal lessons learned efforts (Kemeny, Rogovin, the NRC task force that wrote NUREG-0585, etc.), none of the documents clearly state that the specific root cause of the sequence of events that melted 25–40 percent of the fuel material at TMI-2 was that almost everyone associated with pressurized water reactor design and operation misunderstood how the system would respond to a leak in the steam space of the pressurizer.

Unlike any other leak location, a steam leak would provide indications of falling system pressure and rising indicated level in the pressurizer. Since designers, regulators, and trainers assumed that all loss-of-coolant accidents would cause both pressure and pressurizer level to fall, that is what the available training materials—including the computerized simulators—taught operators to expect.

From the start of the accident, operators at TMI were thus placed into a situation that almost no one expected; they did not have an emergency operating procedure to follow. They had strong warnings about not overfilling the pressurizer, so they stopped pumping water into the plant when the level indication showed that the pressurizer was already more full than it should be. That was not an error on their part; it was an error in system response understanding that carried through to all training materials and operating procedures.

It was also an error in processes for sharing operational experience; at the time, the NRC was the only agency that received all reports from operators, so it was the only one that could distribute those reports back out to others that might need the information.

Unfortunately for the hard-working people who chose to become plant operators, the court of public and industry opinion blamed “operator error” as a primary cause of the accident. An excerpt from the history page of the Professional Reactor Operator Society (PROS) provides an operator perspective on how this misapplied responsibility affected members of the elite community of commercial reactor operators.

Remember Three-Mile Island (TMI)? Even if you weren’t in the nuclear business in March of 1979, you couldn’t have missed all the references since. As markers for change go, the event itself will not soon be forgotten, but more important are the lessons learned on all fronts.

Life was not very pleasant for the nuclear plant operators in the early eighties. The Three Mile Island accident started a chain of reforms in the industry that to a large extent were directed at operators. The basis for change was reported to be that the accident was caused by operator error. That announcement was made to the public almost immediately after the accident began and, as the core was uncovering, every special interest group in the nuclear industry was racing to protect its image.

In the days that followed, a media picture of incompetence in the TMI control room emerged. As we operators picked up the bits and pieces of information, it became clear that the picture was somewhat distorted. The TMI operators were being held accountable for deficiencies that legions of engineers, designers, trainers, and regulators had failed to recognize. Operators everywhere began to imagine themselves in a similar situation and realized that the results would probably be the same.

During the next few years, the industry was deluged with solutions to the “problem” of operator incompetence. The solutions ranged from threats of jail sentences to mandatory college degrees for all nuclear power plant operators. Few thought it was necessary to ask operators what tools they needed to help them operate the plants.

In addition to writing his story for distribution and creating an informative website—Nuke Knews—with his collected wisdom about the TMI event, Derivan recently took one more step in his quest for an improved understanding of why TMI happened and who should bear the responsibility.

He wrote a letter to NRC Chairman Macfarlane asking her to remove “operator error” as the root cause of the accident. His letter and supporting documentation can be found in the NRC ADAMS document database with a search for accession number ML14167A165. The NRC’s official response was provided on July 21, 2014, by Thomas R. Wellock, the agency’s historian. It is available in the same place with accession number ML14197A635.

Here is a quote from that response letter:

… none of the five major investigations of the accident commissioned by the NRC, Congress, and President Jimmy Carter claimed that operator error was “the” root cause of the accident.

Virtually all of the studies I reviewed agree with your analysis that while the operators committed errors, the chief culprits behind the accident were industry-wide and regulatory flaws. These included a poor understanding of PWR plant response to loss-of-coolant accidents (LOCA), a failure to circulate information about several precursor events at plants in the United States and Europe, flawed operator training and plant procedures, and inadequate control-room design. While you argue that these reports implicitly blame the operators as a “default position,” my reading of them indicates they were careful to avoid such a conclusion, and some pointedly challenged the thesis that operator-error caused the accident.

It may be correct, as you argue, that more should have been made of the industry’s poor understanding of plant response during a LOCA in the pressurizer steam space, but as you know, the NRC and industry addressed this issue with numerous reforms in training, reporting requirements, and event analysis. In fact, learning from precursor events may be the most important history lesson from TMI. On the 25th anniversary of the accident, NRC Historian J. Samuel Walker published Three Mile Island: A Nuclear Crisis in Historical Perspective. The Davis-Besse event, Walker shows, was a critical missed lesson: “Neither Babcock and Wilcox nor the NRC had taken effective action to draw lessons from Davis-Besse or provide warnings to other plant operators that ‘could have prevented the accident’ at TMI-2.”

In sum, the official reports and NRC histories have been and continue to be in substantial agreement with your overall analysis as to the causes of the accident. Like you, they place the errors committed by the TMI operators in the context of general industry and regulatory failings regarding human factors.

That letter comes close to the pardon that Derivan is seeking, but it might have been better if he had asked for “operator error” to be removed as “a” root cause rather than as “the” root cause.

In the years since the accident, plant designers and regulators have made substantial improvements in their system understanding and in the processes that they use to share lessons learned and operating experience. However, it is still worthwhile to remind everyone, especially as newly designed systems and whole new technologies are introduced, that there is no replacement for a questioning attitude and careful incorporation of operating experience to enable continuous improvement.

There is a useful paragraph on page 2-3 of NUREG-0585 that can serve as a conclusion to remember:

In the Naval Nuclear Propulsion Program, Admiral Rickover has insisted that there be acceptance of personal responsibility throughout the program and that the designer, draftsman, or workman and their supervisor and managers are responsible for their work and, if a mistake is made, it is necessary that those responsible acknowledge it and take corrective action to prevent recurrence. This concept applies equally to the commercial nuclear power program, but it has not yet been achieved.

____________________________

Adams

Adams

Rod Adams is a nuclear advocate with extensive small nuclear plant operating experience. Adams is a former engineer officer, USS Von Steuben. He is the host and producer of The Atomic Show Podcast. Adams has been an ANS member since 2005. He writes about nuclear technology at his own blog, Atomic Insights.

 

tmi b&w 314x200

22 Responses to Correcting History Can Be an Uphill Battle

  1. When I was leading the study group on “Engineering Adventures with Nevil Shute,” we spoke about this issue great deal. The plot of Shute’s book “No Highway” revolves around the fact that a plane crash is ascribed to “operator error” when it was actually caused by a design flaw. Most of the people in the group were either pilots or engineers or both. There was a general conclusion that “operator error” is just TOO easy a determination, because it clears everyone else of blame.

  2. Bob Brockman

    This was operator error. I worked at B&W and was in contact with the control room while the accident was happening.

    It was obvious the pressurizer wasn’t “solid”, full of water. If it were, the pressure would be off the charts; but pressure was low.

    Our group told the operators to keep the High Pressure Injection Pumps on but they ignored us and the B&W personnel in the control room. Maybe some more studying of the steam tables and there would have been no accident.

    Interestingly, I testified before the NRC a few months before the accident and was asked what the procedure would be for the accident. My answer was make sure the core is covered at all times.

  3. Bob – your information contradicts the information documented in the voluminous official reports concerning the limitations on communicating to the control room and the on-site support available to the operators.

    Are you saying there was a B&W support person in the TMI2 control room at 4:00 am when the event happened, or sometime before 6:20, when the core damage began?

    My sources at B&W told me that they tried to contact the control room, but were unable to get through the busy phone lines. However, that attempt was not made until well after there was already a serious enough problem to have initiated the notification procedures.

    There were people at B&W who knew that the HPI pumps should not be secured if there was a LOCA, even if the pressurizer level indication was pegged high. They made that determination after the Davis Besse event and wrote a memo. However, the information from that memo did not leave B&W in time to get it to the TMI2 operators, even though there was 18 months between events.

    At the time, B&W’s internal processes were clogged with work associated with new construction and other challenges. Apparently the memo got lost, but was found during “discovery” related to the lawsuit between Met Ed and B&W. (I know some of the names, but prefer not to provide them here.)

    For those who do not know, the division of B&W that was involved in commercial reactors in the 1960s-1990s was sold to Framatome (now Areva) in the early 1990s.

  4. Howard Shaffer

    Great job Rod.

  5. @Meredith Angwin | August 5, 2014 at 15:05 |
    An interesting observation and here’s an Airline Industry parallel case to TMI that drives home your point exactly. It also reinforces Rod’s “conclusion to remember” cited from NUREG-0585.
    http://en.wikipedia.org/wiki/American_Airlines_Flight_587
    When I read through this information, and cut through all the blah, blah, blah… what I see is not so much as a design error, but rather a design limitation. And that design limitation was not being stressed properly to pilots in the airline’s pilot training simulator and Advanced Aircraft Maneuvering Training Program. But I also see ten previous recorded (precursor) incidents where A300 tail fins had been stressed beyond their design limitation in which none resulted in the separation of the vertical stabilizer in-flight.
    So this pilot is faced with a problem which he sees requiring his prompt attention, and he falls back on his training. The results are disastrous. The official root cause seems to be Operator Error. I do agree errors were made in this case. Some pills are hard to swallow.

  6. Rob Brixey

    I find it hard to believe that High Pressure Safety Injection would be secured solely based upon a rising Pressurizer Water Level indication.
    Even though “water solid” conditions are to be avoided, code safeties are required , which exceed the capacity of injection. This means injection with water solid conditions won’t mechanistically rupture the RCS.

    In 1979, I was on the USS Long Beach in the Navy Nuclear Power Program.
    We were trained that Pressure should be verified above Saturation for the coolant Temperature prior to securing (charging or fill) injection initiated during a LOCA. During cases where RCS Pressure is lowering, Pressurizer Level instruments may be expected to “flash” and indicate non-conservative or fail upscale. The hottest temperature in a PWR RCS is in the Pressurizer and the Level Instrument reference legs are tapped into the Pressurizer steam space.

    Reactor Operators utilized a Pressure / Temperature curve which included, among other curves, a saturation line. Below this value, boiling may occur in the core, and fuel damage may result.

    It was inconceivable to me at the time, that a stuck open relief valve would result in core damage. Navy operators were trained to maintain injection until RCS subcooling was assured. I believed that this event at TMI was operator error compounded by inadequate procedures and training.

    If they simply didn’t do it – operator error.
    If they didn’t know they were required to do it – procedures and training.

  7. @Rob:

    Just out of curiosity, can you be more specific about the date of your Navy training? Since TMI happened on March 28, 1979, it is quite possible that you were trained post TMI.

    The other significant possibility is that some of your Navy training was not duplicated in the commercial world. Though there has been a lot of spillage, Navy nuclear training documents have been classified as restricted data ever since Rickover visited the Soviet Union and toured a nuclear icebreaker.

    Mike Derivan, the shift supervisor at Davis Besse during its precursor accident has told me on numerous occasions that he had to go find a Mollier diagram when he realized that something was amiss that did not match his training.

    Also, please remember that the TMI operators did not secure HPI on “rising” pressurizer level. They secured it when their level indicator showed that it was out of sight high. They had no idea how much more room they had before they would lift the code safeties. If you were a reactor operator, you will know that even Navy operators were trained to avoid depending on code safety relief valves. Overpressurizing a pressure vessel with positive displacement pumps is something worth avoiding.

    I’ve also been told by several people who were trained at the B&W simulator before TMI2 that the trainers there strongly emphasized the need for operators to avoid accidentally “going solid.” They thought it was so important that if operators did not take action to slow injection on an out of sight high level, they could earn a failing grade on their license examination.

    The historical record of the investigations supported this face to face testimony. There were some designers who did not understand why anyone would shut off HPI if it was initiated, but that is not what the training department taught students.

    The trainers never got the memo.

  8. Alex DeVolpi

    Rod, what’s ambiguous about the requirement that instrumented “reactor coolant level” should be a “principle component” for engineered reactor safety?

    That’s my focused extract from NUREG 0585, TMI-2 Lessons-Learned Task Force report of 1979 (and subsequent high-level reviews).

    As you point out, TMI operators took exactly the actions that they were trained to do in the absence of reactor coolant-level instruments .

    Here we are — after many high-level reports about four LOCAs at TMI and Fukushima — with little recognition that autonomous instrumentation for direct indication of reactor water level is long overdue.

    Belatedly, the National Academy of Sciences has just recently prioritized “Instrumentation for monitoring critical thermodynamic parameters in reactors.” However, for decades their call for such “robust and diverse monitoring instrumentation that can withstand severe accident conditions” has never been mandated.

    Yet, a strong nuclear-diagnostic technology base has long been published, supporting the feasibility of robust ex-vessel real-time water monitoring. Yes, water-level in a reactor can be monitored from outside the pressure vessel.

    As your TMI topical thread indicates, the operators shouldn’t have taken the fall in the absence of adequate instrumentation.

    –Alex DeVolpi (retired nuclear-reactor physicist)

  9. @Alex – I don’t disagree with you, but I don’t quite understand why you led off with

    “Rod, what’s ambiguous about the requirement…”

    Did I give an impression somewhere that I thought there was any ambiguity?

  10. Alex DeVolpi

    No, just a leading question to narrow reader attention specifically to water-level instrumentation.

    Thanks, by the way, for maintaining advocacy of informed nuclear policies.

    –Alex

  11. darryl siemer

    None of the explanations of what happened at TMI I’ve seen save one points out the physical basis for its operator’s “mistakes”. That single exception is James Mahaffey’s description of how of that reactor’s “pressurizer” was plumbed (see his book “Atomic Accidents” – a really great read : the pipe connecting it to the main pressure vessel looped under another which converted that section of pipe to a “p trap” like that under sinks & toilets. This little “detail” made it possible for the main pressure vessel to go completely dry while there was still lots of water in the pressurizer.

    The NRC was responsible for TMI’s melt down because it failed to see that every owner/operator of that sort of B&W reactor be notified of the root cause of Davis Besse’s “incident” and adjust their training manuals accordingly.

  12. Dan Williams

    I worked with Mike Derivan for several years following the TMI event trying to improve the tools available to the operators. I co-authored a paper on changing the nature of control room emergency procedures with one of the addressees of the Kelley memo. Mike is a straight shooter, very intelligent and has a valuable perspective on the subject based on his personal experience. He also possesses the courage to take on this subject. Let me add one more anecdotal experience and then add a companion cause to the one that Mike is emphasizing.
    The experience occurred in either December of 1978 or January of 1979, I don’t remember for sure which. I do remember that it was in San Francisco during a meeting of the B&W Owners Group (yes, that one owners group did exist prior to TMI, primarily to facilitate the sharing of information, not to facilitate the marketing of NSSS company services like it is now). Fred Miller, an engineer at Davis Besse, described to us what had happened at Davis Besse, with emphasis on the anomaly that the pressurizer level had gone up during the event, and asked us if anyone had an explanation. I didn’t and the rest of the attendees (this was a small group and the meeting was informal) were puzzled as well. We all resolved to go home and think about it. Within 2-3 months, the TMI event happened. Later, after TMI, I was asked to assist with a review of the event that eventually became NSAC-1, what I consider to be the most technically authoritative report on the TMI event although it was issued quickly enough that it was issued without the benefit of some later information. During my time in Palo Alto assisting with that review, I had a discussion with Dr. Norman Rasmussen regarding this phenomenon of the pressurizer level going up. Between the time of the event and my time in Palo Alto, I had the benefit of some discussion with my Arkansas Power & Light colleagues that ran fossil plants. They indicated that they had observed the same phenomenon in boilers when something caused the pressure to drop and that it was caused by voiding within the liquid volume due to the pressure dropping below the saturation temperature. This caused a significant reduction in average density of the fluid mixture which lead to a temporary increase in fluid volume/level until the voids escaped into the steam space. I related this to Dr. Rasmussen and we agreed that failure to incorporate this into the understanding of the operators was the “but for” (in legal jargon) fact in the contributors to this event. This is consistent with Mike’s premise.
    The paper that I co-authored with Eric Swanson of B&W advocated that the emergency procedures should be symptom based instead of event based because the symptoms could be observed unambiguously (assuming properly functioning instruments) while the event required a correct diagnosis. Our premise was promptly applauded and then undermined over the next several years as the revised procedures came under review of those who believed that such an approach required too much thinking by the operators, especially the Nuclear Regulatory Commission. Of course, it is precisely that type of thinking on the part of Mike that prevented the Davis Besse event from being much worse than it was. Today, control room emergency procedures, if anything, are worse than before TMI in the aspect of prescriptiveness and the operators are intimidated into following them to the letter or be demoted or lose their job. Even though it is now legal for the operators to violate their procedures (10CFR10.54(x)), the consequences of doing so strike fear in the hearts of most operators. I am convinced that the single biggest lesson to be learned but that has not been learned from TMI is that the control room emergency procedures should be less detailed, less prescriptive and rely more on the understanding and skill of well-trained operators. I have worked with operators closely for many years and have found them to be, without exception, extremely intelligent, extremely motivated and extremely capable. The progression of events in a nuclear power plant is slow enough to allow actions based on thought, not reactions (unlike driving a car, Mike) and we should use that to our advantage. When it is drilled into the operators’ heads to act as a robot precisely following very detailed procedures (which cannot possibly cover every combination of circumstances) or they are in serious trouble, this advantage is lost. My observation is that the industry has gone in exactly the opposite direction from this and is asking for trouble as a result.

  13. @Dan

    Thank you very much for your thoughtful comment. It is something that deserves greater attention.

    May I have your permission to use it as the basis for a front page post rather than letting in languish deep in a comment thread?

  14. Dan Williams

    You have my permission to use it however you wish. One thing on TMI that I might add to the other issue. One of your posts actually mentioned that the PORV (or ERV as we call it at Arkansas Nuclear One) opened because of a post trip lack of steam generator feed. Many people are unaware that, for the B&W designed plants, it was not unusual for the PORV to open after a trip even when everything worked right. In other words, the event was not a result of the lack of feed to the steam generators, it could have occurred even if there had been feed to the steam generators. At that time the setpoint on the PORV was set to open the PORV quickly enough to prevent an overpressure trip and sometimes it did just that. The emphasis on emergency feedwater was just an easy attention getter for correction when the problem with emergency feedwater was really no more than a confusion factor during the TMI event, not a cause at all.

  15. @Dan Williams

    Thank you.

    I’ll have to go back and review the previous article that you mentioned. I may not have explained my analysis very well. My understanding is not that the 8 minute loss of emergency feedwater caused the PORV to lift, but that the lack of the cooling water that should have been added into the steam generators during that 8 minutes prevented a substantial amount of heat from being removed from the primary system.

    Since that heat was not removed via steam formation in the secondary system, it was heat that remained in the primary and contributed to the rapidly rising temperature in the core materials.

    If that emergency feedwater had been put into the steam generators, it would have increased the amount of time required before enough primary coolant boiled away and exited the system through the PORV to uncover the core and allow melting and cladding oxidation to begin.

    Without access to the detailed modeling programs, I have no way of quantifying the amount of time that would have added before core uncovery, but it is at least possible that the extra delay would have been long enough so that the action to shut the PORV isolation that occurred roughly 2.3 hours after event initiation would have been in time to halt the event before it became a core damaging accident.

    The added confusion might also have contributed to the amount of time that it took before someone figured out that there were several indications showing that primary coolant was exiting the system through the PORV.

  16. @Dan – I have revised http://atomicinsights.com/three-mile-island-initiating-event-may-sabotage/ to clarify the contribution of the eight minute loss of feed caused by the mispositioned 12s valves.

  17. Mike Derivan noticed a typo in my previous post. 10CFR10.54(x) should be 10CFR50.54(x). Building and running the detailed modeling programs is my job. Let me assure you, everything else being the same, having AFW/EFW properly aligned at the beginning of the event would not have prevented core damage.

  18. @Dan Williams

    Thank you for correcting the typo. I was going to ask you about that since 10 CFR 10 only has 34 sections.

    Since the detailed modeling programs is your job, perhaps you can help answer my questioning attitude with numbers rather than assurances.

    Can you run a scenario with the same initial conditions, the same operator actions and full flow from EFW? When would core uncovery occur compared to the same scenario with EFW flow delayed by eight minutes?

    This should not be hard or expensive to run. The output should be some rather interesting graphs.

    Thank you in advance for any effort you can make to answer this question.

  19. Rod, I agree totally with the statement that early AFW/EFW removes more total core decay heat, such that the total core energy available for a catastrophic melt scenario out at the 2.3 hour time frame is reduced. However your statement “…halt the event before it became a core damaging accident” is incorrect. Core damage had already occurred at (before) the 2.3 hour time frame. It happened earlier when they dumped the running RCPs. At that point they lost forced steam/water cooling flow for the core (which was still effective cooling), the steam & water separated (by gravity), and the water level inside the Rx Vessel didn’t cover the top region of fuel. At that time the cladding ruptures started, releasing gap gas and volatiles into the RCS; by definition… core damage. If I remember correctly it was shortly there after the ex-core source range monitor neutron counts starting increasing because of neutron leakage due to the loss of shielding water in the RX Vessel. A significant challenge to an operator, and such would challenge any human’s ability to put all the pieces together correctly at that point. The real “error” is why didn’t they have the benefit of what we learned at DBNPP 18 months earlier.

  20. It is actually unnecessary to model this situation explicitly and run the case. When the ERV (I will call it the ERV instead of the PORV because that is what I am used to) opens, the Reactor Coolant System (RCS) will begin to depressurize and continue to do so until it reaches saturation pressure which takes about 280 seconds and occurs at about 1180 psia. At that point, the RCS boils and natural circulation is soon interrupted. The B&W design is uniquely suited to this situation because of its once through straight tube steam generator design and the spraying of EFW (I will call it EFW instead of AFW because that is what I am used to) directly on the upper elevation steam generator tube area where it can condense the accumulating steam voids in the RCS. However, with the ERV open, inventory is rapidly being lost and no amount of condensing of the steam can prevent the core from uncovering. To do that, the lost inventory must be replaced. That is accomplished by high pressure injection (HPI). For this size opening in the RCS, without the EFW cooling the pressure in the RCS will remain at the pressurizer safety valve setpoint (roughly 2500 psia) for more than a day. At that pressure, the HPI pumps cannot provide replacement for the lost inventory at a rate adequate to prevent core uncovery until the reduction in decay heat lowers the boil off rate which occurs after the core is uncovered. The main value of EFW condensing the steam voids in the upper tube region under these conditions is not to keep the core cool but to shorten the time required to depressurize the RCS enough for the HPI pumps to keep up with the RCS inventory loss and keep the core covered. Without the HPI replacing the lost RCS inventory, no amount of EFW cooling will keep the core from uncovering and overheating. During the event at TMI, EFW flow was restored quickly enough to do its part in aiding the depressurization rate but there was no HPI to replace the inventory. These phenomena are well understood from existing analyses and evaluations.

  21. Dan – thank you for the qualitative, arrow analysis level explanation. I’d be more convinced with numbers.

  22. Rod, I’m going tongue-in-cheek here a bit now, but the answer for a particular plant is not as simple as “I’d be more convinced with numbers.” For example, note Mr Dan’s “arrow analysis” discusses the event in terms of plant response during natural circulation of the RCS. Why is that? It’s because the DBA Accident Analysis “rules” require taking a LOOP concurrent with the event. But that’s just a required analysis restraint. As an Operator I have to deal with the real world, not an arbitrary assumption limit on a computer code limitation run of a Safety Analysis transient. So what happens in the real world if my RCPs are still running during this postulated event, because the actual LOOP occurs later than the event initiator? I think that analysis answer might make your eyes water! It’s the fact of life, we Operators deal with in real time. The EOPs are analysis based, the events are reality based. Mr Dan is also discussing analysis based on the Low Loop B&W plant, where the thermal center delta height for nat circ is totally different than the delta height for the raised loop B&W designs (DBNPP plus the B&W 205 plant, which Michaelson was evaluating). So it is not as simple, generically, as show me the numbers!
    Another thing made DBNPP unique. We did not have high head HPI pumps. We had 2, shutoff head ~1700PSI (~500PSI lower than normal op pressure), could be “piggybacked” to running LPI pumps, by operator action, which raised the shutoff head by 190PSI, still about 300PSI less than normal op pressure. But they could add no water at 2500PSI, as in Mr Dan’s discussion. But we had 2 relatively low capacity/ high head MU Pumps that we had to use in this scenario; but they only injected through one HPI nozzle, not 4 as HPI does. So Mr Dan’s discussion, relative to the actual inventory addition by pumps during the event is true for one B&W design but not all. It’s complicated, I know. But do you really want to know what happens to a B&W design if RCPs are lost after 2 minutes, for a loss of sub-cooling margin for this event? Be careful what you wish for. Another point, the Safety Analysis “rules” allow taking no credit for operator action within 30 minutes of DBA initiation. It’s more complicated than “show me the numbers”. But as Mr Dan says, your Operators will save your butt, just don’t tie their hands, and give them credit for the pros they are. I’m not preaching to you Rod, you are a believer, but their are folks who need to hear this message. mjd.