A normal steam relief valve is a simple affair, consisting of a steel spring holding down the cap on a hole in the highest point of a boiler system. In this case, the hole was a rather large four square inches, and it took 3.5 tons of force to keep it closed. That would be a very, very large steel spring, awkwardly heavy, and to mount that on top of the pressurizer would be asking for trouble from vibration effects. Instead, on a nuclear reactor of 1970s vintage, the force used to close the relief valve was supplied by the steam pressure underneath it. A “pilot tube” conducted the steam through a control box, wired electrically back to the control room, and fed a cylinder and piston connected to the valve cap.[230] The concept was elegant, very lightweight, appealing to engineers, mechanically complex, expensive, and notoriously subject to random failure.
“Shut the block valve!” Derivan yelled.
In case the PORV was stuck open, a second, simple valve, similar to the one used to turn on the water in a sink, could be operated remotely from the control room. It was named the block valve. An operator reached for the switch handle, gave it a quarter turn, the steam leakage stopped, and 20 minutes of hellish confusion ended. After 26 minutes of settling down, everything was back to normal.
The Nuclear Regulatory Commission and a number of top engineers from B&W were all over this incident. It was unnerving and very serious, because if the reactor had been running at a higher power, such as 50 percent, the entire core could have melted. With this level of operational chaos, a pure disaster was possible. The government and manufacturer representatives investigated in depth.
The problem was indeed the PORV, but it was not the fault of the PORV. A pen-chart recording showed that the valve had rapidly slammed open and then shut nine times, beating itself to pieces and leaving the steam line gaping open. The fault was back in the control room, in a rack of relays behind the control panels. An unnamed worker had found a bad relay in a circuit he was repairing. The same type of plug-in relay was used all over the system, and he needed one. He found a perfect replacement unit for his circuit in the PORV panel, so he unplugged it and used it. The PORV was used only for emergencies, and it would probably never be needed, he must have reasoned. The PORV, missing a logic element, went berserk when called to action by the primary steam-pressure sensor.[231]
That explained the problem, but what explanation was there from the operating staff for having shut down the ECCS? The HPI pumps had been manually killed only four minutes into the incident, at least 16 minutes before they had any clue as to what was happening. The ECCS was designed to keep the reactor from overheating and melting out the reactor core. To turn it off looked like sabotage.
The answer to the question was both simple and disturbing: they shut off the HPI to keep the pressurizer from going solid. This glaring problem with operator training, to undo this component of the Navy training, was discussed at length, but not to the point where operating power plants were notified of this finding, and the analysis of the frightful Davis-Besse incident got lost in the bureaucratic tangles at the NRC and at B&W. None of the other seven owners of B&W reactors were told about the dangerous confusion that can result when the PORV sticks open.
At about the same time, in the fall of 1977, Carl Michelson, an engineer working for the TVA in Knoxville, Tennessee, was studying the reactor building layout of the B&W model 177FA, when he noticed something.
In the training diagrams, in nuclear engineering textbooks, and in any diagram of a PWR primary cooling system simplified to the point where you can tell what is going on, the pressurizer is shown on top of the reactor vessel, usually connected to one of the hot pipes coming out near the top of the vessel. That is where the heated water comes out of the reactor and is piped to one of at least two steam generators. The pressurizer is the highest point in the system, so the steam bubble that is allowed to exist is always trapped in the uppermost part of the pressurizer tank. Because it is the highest point in the system, the water level in the pressurizer is used to evaluate the water level in the reactor, which is vitally important. If the water level ever falls below the top of the reactor fuel, which is blazing hot even with the reactor shut down due to the delayed heat production, then the internal structure of the reactor is going to melt.
Instead of putting expensive instrumentation on the reactor vessel to monitor the water level, the operators are taught just to look at the water level in the pressurizer. If there is any water at all in the pressurizer, then the reactor vessel must be completely full, and there is nothing to worry about. Just worry about the water in the pressurizer, and everything will be all right.
But in the B&W layout, the pressurizer is 43 feet tall, or about 10 feet taller than the reactor. There is not enough room below the fueling floor in the containment building for the pressurizer to be on top of the reactor. If it were, it would stick up out of the floor, so they had to lower it. In its position next to the number two steam generator, its inlet pipe had to be looped underneath a coolant pump line. The loop of pipe looks just like a sink drain trap, used to keep sewer gas from backing up into the sink. Michelson realized that no matter what condition might prevail in the reactor vessel, the water level in the pressurizer would never go below the trapping loop. The pressurizer would always be 20 percent full, even if the reactor was boiled dry. The operating crew in a 177FA control room actually had no idea of the water level covering the hot reactor fuel, and this struck him as dangerous. His finding caused a lot of commotion in the TVA, the NRC, and at B&W, but it never escaped the tangle and was never passed down to the operators at the eight reactors that B&W had built. There was a disaster, set up by a combination of policy and engineering, and it was waiting to happen.
On November 29, 60 days after the relief-valve fiasco, Davis-Besse experienced another emergency shutdown. The cause was traced to a wrongly wired patch panel in a control-room computer. In the middle of trying to figure out what was wrong and correct the problem, the operations staff, apparently acting on pure, ingrained instinct, again turned off the ECCS. The incident investigators found this action difficult to comprehend. Why did the operating staff at a nuclear power plant tend to disable the emergency core cooling system during an emergency?
These bits of information would have been useful at Three Mile Island, Pennsylvania, where a new B&W 177FA had been running “hot, straight, and normal” for almost three months. The first reactor unit built there, TMI-1, was down for refueling, and TMI-2, the new reactor, was running at 97 percent full power, putting 873 megawatts on the power grid for the owner, Metropolitan Edison of Pennsylvania. The two B&W reactors were built on a three-mile-long sandbar in the middle of the Susquehanna River, just south of Harrisburg, the state capital.
[230] The PORV was able to keep enough force on the valve to keep it closed without using a spring even though the same steam pressure that was trying to open the valve was used to keep it closed. This was possible using a hydraulic trick. The surface area of the piston used to hold down the valve cap was larger than the opening of the pipe that the valve was closing. This ensured that the force from the piston was always bigger than the force opposing it from the steam pipe. This was a fine concept, but unfortunately the mechanical precision required was more than could be supported in the rough-and-tumble world on top of a power reactor.
[231] The PORV used in the Davis-Besse reactor was a Crosby model HPV-SN. It was repaired and put back into service, but it failed again on 5/15/78 (broken valve stem) and 10/26/79 (pilot valve and main disk leaking). The Crosby valve was not used in subsequent B&W installations of 177FA reactors. The missing unit in the rack was specifically the “seal-in relay.”