The technical questions about the use of an ECCS in an emergency are very simple: if a major pipe breaks open and the reactor core is denied water for cooling, the ECCS is supposed to make up the lost coolant by throwing water in from an alternate source. What is to keep the ECCS water from leaving the core through that same hole?

In a water-cooled reactor, the fuel is made of little uranium oxide pellets, lined up in thin metal tubes, and the tubes are kept upright and apart by light sheet-metal spacers, designed so as to add as little non-productive metal to the inside of the reactor core as possible. If the fuel were denied coolant long enough, perhaps minutes, this fragile metal structure would start to sag and bend, disrupting the normal down-up flow of water as it is added by the ECCS. With too much disruption, the metal would melt and collapse into a heap at the bottom of the reactor vessel. How does the auxiliary cooling water get to the hot fuel in the middle of the heap without spacers to keep flow-channels open? There was no concern about heaped fuel going critical, heating up by uncontrolled fission, and burning through the bottom of the nine-inch-thick steel vessel. Being denied coolant also meant denial of moderator, and the three-percent-enriched commercial reactor fuel was incapable of forming a critical mass without interstitial water. The heat from the recently fissioned fuel, however, was enough to cause an irreversible reactor wipeout, with the internal structure reduced to a chaotic mass of melted parts.

There were no power-reactor disasters back then to study and contemplate. The nearest thing we had to working data was from computer simulations of theoretical accidents and some experiments with the Semi-Scale simulation at the NRTS in Idaho. Neither source could possibly point out everything that could happen in a billion-watt power plant, but in the 1970s confidence in the inherent safety of the pressurized water reactor was high.

There were some dangerous problems with the system in general, and with Babcock & Wilcox reactors in particular. The primary fault was in the training of reactor operators. The Navy was supplying reactor operators to the nuclear-power business the same way the Air Force was supplying airline pilots to the air transportation industry. A young man who had been rigorously trained in Rickover’s Navy to run a submarine reactor with a few years under water could retire early and snag a fine job in a nuclear generating station. He was considered to be at the top of the game, having run the reactor on one of Rickover’s flawlessly performing boats with military discipline and polish. It saved the power company the cost of having to train an operator from scratch, and veterans from the submariner or nuclear aircraft carrier service were always welcomed.

It seemed a good policy, but there were fundamental problems. Those attack submarine reactors used in the first years of the nuclear navy were tiny, almost toy-like, producing only 12 megawatts to run a sub at full speed.[223] Small reactors have small problems, and the mega-disaster capabilities of an extremely complex billion-watt power reactor were unknown to any submarine veteran. The submarine reactor was run by two men, sitting at a console about as complex as the dashboard of a twin-engine airplane. A power-plant console is completely different. It sits in a room the size of a basketball gymnasium, and it takes several men to run it, all standing up. There are 1,100 dials, gauges, and indicator lights, 600 alarm panels, as well as hundreds of recorders, switches, and circuit breakers. That is just the front of the main panel, towering over everything in a wrap-around, U-shaped configuration, as wide as the room and seven feet tall. In back of the main panel is the larger secondary panel, containing all the indicators and dials for which there was no room in front, and there is little reasoning in the positioning of anything. Finding the immediate status of some important subsystem in the plant can involve remembering where and on which panels the various bits of information may be located. The slightest problem is brought to the attention of the operating staff by an alarm sounding off and blinking a light behind a square plastic tile having the fault identifier printed on it. At any one time, there could be 50 alarm tiles lit up from minor problems and needing attention. Off to the side in a B&W plant in the 1970s was a small computer, keeping track of all the alarm conditions and printing them on a continuous roll of paper. As the automatic control system in the plant detected a fault, the computer identified it on the print-out with the time of day at which it occurred. The printer was a pin-matrix unit, running at a sedate 300 baud. Their training in the Navy had not prepared the operators for this level of available information sitting atop an enormous amount of raw power.

What the Navy had pounded into these men was an absolute need to “not let the pressurizer go solid.” But what exactly did that mean? Nuclear accident investigators started to notice this curious phrase coming up in most operator debriefings as soon as power reactors started having accidents. Its exact meaning would become important as the conditions that caused the problems at TMI gradually lined up and self-organized into a disaster.

In a PWR, the reactor coolant/moderator is liquid water, forced to circulate by electrical pumps in two continuous loops. Water is heated to several hundred degrees in the reactor core, and this energy is used to make steam by circulating it through two steam generators. A steam generator is a vertically mounted cylinder, about 75 feet tall, and it works like an old-fashioned steam boiler, using heated water rather than fire to boil water into vapor. The primary water, cooled by its trip through the steam generator, is pumped back into the reactor vessel to be reheated.

The reactor vessel is a thick, forged-carbon-steel pot, cylindrical and about 39 feet high, with a stainless steel liner to prevent corrosion. To maintain the water in the vessel in a liquid state, it must always be at very high pressure, else it would boil and turn to steam. The only way to maintain the fission process in a PWR reactor vessel, which is small compared to other designs, is to make sure that the moderator, the water, is constantly at maximum density, or liquid state.

This high-pressure condition is maintained by the pressurizer, which is basically a large, 42-foot electric water heater connected into the top of the reactor. The pressure in the reactor vessel is automatically monitored and kept at the correct level by either turning on the heater coil in the pressurizer to increase the pressure or spraying cool water into it to decrease it. The entire primary coolant system, including two steam generators, four main coolant pumps, the pressurizer, and all the pipes, is kept completely filled with water, with no bubbles or voids. There are no bubbles in the system except for the pressurizer, which always has a void sitting at the top of its water column. The pressurizer is constantly kept about 80 percent full.

The reason for this discrepancy involves a second role for the pressurizer. Not only does it keep the pressure high within the reactor, it also acts as a shock absorber. Any sudden jolt in the water running around in the primary cooling system, such as a valve slamming open or shut or a pump starting or stopping, causes a shock wave to travel through the incompressible coolant. The water cannot be broken by a shock, but the metal pipes and cylindrical structures in the system are not flexible, and a “water hammer” can take apart a cooling system instantly. This problem is solved by giving the system a section that can be compressed, the bubble of steam atop the water in the pressurizer. If it is kept big enough to absorb the hammer, then this void can prevent any harm to the precious plumbing by compressing and absorbing the transient pulse of the shock wave.