Ep 41 Three Mile Island

Engineering News – Calgary to Banff Train (5:25)

This week's engineering failure is the Three Mile Island accident (15:10). TMI-2, or Three Mile Island Unit 2 (19:15), suffered a partial meltdown (25:00) after 3 months of operation and never ran again. They didn’t know it at the time, but the accident would impact nuclear power in North America for decades to come (38:50).


Episode Summary

Hi and welcome to Failurology, a podcast about engineering failures. I’m your host, Nicole.

And I’m Brian. And we’re both from Calgary, AB.

Happy New Year

Thank you again to our Patreon subscribers! For less than the cost of the artificial desk plant I bought last week, you can hear us talk about more interesting engineering failures!

This week in engineering news, new rail service has been proposed between Calgary and Banff.

  • From the airport to downtown to Banff

    • We do not yet have in-town train service to the airport, so it’s a bit cart before the horse, or the train before the track if you will.

  • Liricon Capital Ltd, who also own the Mount Norquay ski resort in Banff, submitted the proposal to the Alberta government, with them holding a long-term lease on Banff station.

  • New rail line constructed to twin the existing CPR segment, as part of a public-private partnership. One challenge that will exist for operators is that since the route is on CP rail, the passenger service would operate at the mercy of freight transport. I can see that causing some complications; not that it’s a non-starter, but it’s definitely something that would need to be ironed out ahead of time.

  • Would reduce the burden of passenger vehicles in the national park, address some labour challenges and reduce emissions.

    • If you live in Calgary, you have likely been stuck in traffic on Highway 1 trying to get back into town on the Sunday evening of a long weekend, especially when they were doing construction to add the wildlife overpasses.

    • There are also a number of people that commute into Calgary from Canmore and Cochrane every day. Cochrane is only 30 minutes, so that’s not unreasonable, but Canmore is about an hour in good weather, which seems a bit far for a daily commute to me. Putting these people on a train would definitely reduce traffic and emissions.

  • The deal asks the Alberta Government to commit $30 million annually to the project, but not until the rail is complete, as early as 2025.

  • They are looking at 7 stops on the new route.

    • Calgary International Airport

    • Downtown Calgary

    • Calgary Keith near Lynx Ridge Golf Club (west of Tuscany, NW corner of highway 1 and Stoney Trail (ring road))

    • Cochrane

    • Morley (Stoney Nakoda)

    • Canmore

    • Banff

  • The intention is to have trains from the airport to downtown every 15 minutes, a welcome plan, and then from downtown to Banff every two hours, 10 trips per day. The cost for Albertans is expected to be about $20, which, depending on what you drive, almost works out equal to gas prices.

Now on to this week’s engineering failure; the Three Mile Island Accident.

  • Began at 4am March 28, 1979, 7 years before Chernobyl.

  • The most significant nuclear accident in US history, ranking a 5 out of 7 on the International Nuclear Event Scale (“accident with wider consequences”). Chernobyl, which we covered in ep 13, and Fukushima Daiichi in Japan, which we intend to cover in the future, are the only nuclear disasters to rank 7 out of 7 on the International Nuclear Event Scale.

  • The cause of the accident was related to a stuck-open pilot-operated relief valve, which allowed a large amount of nuclear reactor coolant to escape, which would be radioactive short term. Training for the TMI reactors did not prepare operators or management to recognize the loss of coolant, but there were also design flaws such as “a cacophony of alarms, an inconvenient arrangement of instruments and controls and the absence of clear indicators for coolant inventory or the position of the stuck open pilot operated relief valve.” (Wikipedia)

How the reactor worked

  • Three Mile Island is located in Londonderry Township, Pennsylvania, on the Susquehanna River south of Harrisburg, in southeastern Pennsylvania. Based on Google Maps, although the station is closed,

  • The Nuclear Generating Station had two separate units called TMI-1 and TMI-2. TMI-2 is the star of today’s episode, being the reactor that suffered a partial meltdown, but TMI-1 also had some less severe incidents that we’re going to talk about later on.

  • Now for a little background on the station and how the reactors operated.

  • TMI-1 is owned by Exelon Generation and TMI-2 is owned by FirstEnergy Corp.

  • Both reactors were pressurized water reactors designed by Babcock & Wilcox with a net generating capacity of 819 MW and 906 MW respectively. Unit 1 came online in 1974 and unit 2 in 1978, 1 year before the accident. Unit 1 was offline during the accident for refueling and was brought back online in 1985 after overcoming much opposition. It continued to operate until Sept 20, 2019, while unit 2 was shut down after the accident.

  • The Three Mile Island reactors were different from the RBMK reactors used at Chernobyl, but the concept is the same. They used the heat generated from the fission chain reaction to create steam, which turns a turbine and generates electricity. The RBMK uses graphite, instead of water, as the moderator, which is less stable than the pressurized water reactors used at Three Mile Island.

  • Both units had a closed-cycle cooling system for their main condenser using two natural draft cooling towers. They draw makeup water from the river to replace the water lost to evaporation in the towers. This water is then used for the service water system, which cools auxiliary components and removes decay heat when the reactor is shut down.


  • On March 28th, TMI-2 was running at 97%, with the first reactor shut down for refueling. The sequence of unfortunate events started at 4:00:37am, although the initial cause of the accident happened 11 hours earlier.

  • There are sophisticated filters that stop minerals and impurities, as well as decrease corrosion rates, in the water that passes through the steam generator.

  • The reactor had 3 loops. The primary loop flowed between the reactor and the steam generator, which is like a giant heat exchanger; the secondary loop flowed between the steam generator and the turbine; and the tertiary loop flowed between the turbine and the cooling tower.

  • Blockages in the sophisticated filters were common and usually fixed easily with compressed air. But this time, that wasn’t working so the operators blew the compressed air into the water and let the force of the water clear the blockage. When they did this, a small amount of water snuck through a stuck open check valve into an instrument air line. This eventually turned the feedwater pumps, condensate booster pumps and condensate pumps off around 4am. When these pumps all turned off, the turbine tripped.

  • Since the pumps were off, the water in the reactor coolant system quickly turned to steam and the pressure eventually rose to the high pressure trip setpoint of 162.4 bar (2,355 psi) 8 seconds after the pumps turned off and the turbine tripped.

  • This caused the pilot operated relief valve to open, which was temporarily good to reduce pressure, but also meant that they lost all of their coolant with no way to recharge the system. As well, the reactor tripped and the control rods fell into the core, stopping the nuclear chain reaction and heat generated by fission. But, nuclear reactors aren’t like a light switch. Even though you stop the reaction, they still produce what is called decay heat, until they can fully shut down. This decay heat is equivalent to about 6% of the pre-trip power level.

  • Even though the relief valve was open, to limit the build up of pressure, heat was still being produced that needed to be dealt with to prevent a reactor meltdown. Not to worry, when the feedwater pumps tripped off, three emergency pumps started. Except the valves in the two emergency feedwater lines were closed and no water could get to the reactor. The valve position light for one of those closed valves was blocked by a maintenance tag, the other was just missed by the operator. The closure of these valves was a violation of a key Nuclear Regulatory Commission rule; and this was later singled out as the key failure by NRC officials.

  • 15 seconds after the turbine trip, yep 15, one five, seconds into this accident, the pressure in the coolant system drops and the relief valve is signaled to close, except it’s stuck open and coolant water is still being released. The relief valve indicator design was later blamed as one of many design flaws, as there is no feedback to the operators on the valve's actual position.

    • We deal with this in building automation sometimes, although we aren’t controlling a nuclear reactor. There are essentially two types of control loops. An open loop sends a signal to the device to complete a specific action. And a closed loop sends a signal to the device to complete a specific action and then that device reports back with its status to confirm whether it completed the action. The relief valve in TMI-2 was an open loop control, and should have been a closed loop.

  • Less than a minute after the turbine tripped, the level in the pressurizer began to rise, but the coolant system pressure was falling. The pressurizer, based on the schematic, appears to be some type of expansion tank that essentially creates extra volume for the system when pressure starts to rise, until such a point that it must be relieved. We know now that this was a loss of coolant accident, but at the time, the operators would have expected to see a rise in cooling system pressure and pressurizer level if there was a loss of coolant accident, and they didn’t know what to do when the two parameters went in opposite directions.

  • Since the operators didn’t know the backup pump valves were closed and there was no water being introduced to the coolant system, they actually thought the system was being overfilled and they turned off the emergency core cooling pumps.

  • The relief tank that caught the discharge from the stuck-open pilot-operated relief valve eventually overfilled and caused the containment building sump to alarm at 4:11am.

  • The higher than normal temperatures in the relief valve discharge line and the reactor temperatures and pressures were a clear indication of a loss of coolant accident, but operators ignored it.

  • At 4:15am the pressurizer relief tank ruptured and radioactive coolant began to leak out into the general containment building.

  • At 5:20am, after 80 minutes of slow temperature rise, the coolant pumps began to cavitate, which is what happens to a water pump when it tries to pump steam or air. So the operators turned the pumps off and “believed that natural circulation would continue the water movement.”

  • At 6am, the intense heat melted the nuclear fuel rod cladding and damaged the fuel pellets, releasing radioactive isotopes into the reactor coolant and producing hydrogen, which was believed to cause a small explosion in the containment building that afternoon.

  • At 6am, there was also a shift change. One of the replacement operators noticed that the relief valve discharge was high and used a backup valve to stop the release of coolant, but it was already too late. 120,000 L of coolant had already been leaked.

  • At 6:45am, 165 minutes after the turbine tripped, radiation alarms activated and the radiation levels in the primary coolant water were around 300 times expected levels.

  • It wasn’t until 6:56am that a plant supervisor declared a site area emergency, and 30 minutes after that the station manager announced a general emergency.

  • The confusion of the operators only got worse as they tried to help local and state agencies determine what happened and the severity of exposure. They eventually brought in the Nuclear Regulatory Commission, but they couldn’t make heads or tails of it either. Not to mention they were organizationally ill-prepared to handle this type of emergency.

    • Y’all, we do fire drills for a reason, we must be prepared for an emergency. Thinking they won’t happen is complacent and quite frankly a little dumb.

  • It took years, not until the reactor vessel was physically opened, to determine that by the time reinforcements were called in at 8am, half of the uranium fuel was already melted.
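The open-loop versus closed-loop distinction described for the relief valve above, as an added Python sketch that is not from the episode or from any plant system: an indicator driven by the command alone keeps showing "closed", while a check against position feedback raises a discrepancy alarm. The timeline values, the 5-second travel time and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

TRAVEL_TIME_S = 5  # assumed: seconds the valve needs to reach a commanded position


@dataclass
class Sample:
    t: int                   # seconds after the turbine trip
    command: str             # "open" or "closed": what the controller asked for
    position: Optional[str]  # what a position sensor reports; None = no feedback


def open_loop_indicator(samples):
    """Panel state derived from the command alone (no position feedback)."""
    return [(s.t, s.command) for s in samples]


def closed_loop_alarms(samples, travel_time=TRAVEL_TIME_S):
    """Alarm when the sensed position still disagrees with the command after
    the valve has had time to travel, or when feedback is missing entirely."""
    alarms, last_command, changed_at = [], None, None
    for s in samples:
        if s.command != last_command:  # new command: restart the travel timer
            last_command, changed_at = s.command, s.t
        if s.position is None:
            alarms.append((s.t, "no position feedback"))
        elif s.position != s.command and s.t - changed_at >= travel_time:
            alarms.append((s.t, f"commanded {s.command}, sensed {s.position}"))
    return alarms


# Constructed timeline: opens at 8 s, told to close at 15 s, stays stuck open.
TIMELINE = [
    Sample(8, "open", "open"),
    Sample(15, "closed", "open"),
    Sample(17, "closed", "open"),
    Sample(20, "closed", "open"),
    Sample(60, "closed", "open"),
]

if __name__ == "__main__":
    print("open-loop panel shows:", open_loop_indicator(TIMELINE)[-1])
    for t, reason in closed_loop_alarms(TIMELINE):
        print(f"closed-loop alarm at {t} s: {reason}")
```

The travel-time window keeps the check from alarming while a healthy valve is still moving, and a missing sensor reading is treated as an alarm rather than as agreement.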


  • TMI-2 was online for 3 months, but was too badly damaged after this accident to resume operations. Clean up started in August 1979 and ended in December 1993 for a cost of $1 billion USD (worth almost $2 billion today).

  • An anti-nuclear movement sparked worries about health effects following the accident, but epidemiological studies looking at cancer rates in the areas surrounding the plant since the accident didn’t show a statistically significant increase in the rate of cancer. That said, $25 million was paid in insurance settlements to people who then essentially signed a non-disclosure agreement, or NDA, not to discuss their injuries or any litigation.

  • In 2010, the Nuclear Regulatory Commission announced that the electric generator from the unit 2 reactor will be used at the Shearon Harris Nuclear Plant in New Hill, North Carolina.

TMI-1 Incidents

  • As promised, TMI-1 also had some incidents, although none as interesting or catastrophic as TMI-2.

  • In 1993 a man drove his car past the checkpoint, broke through the entry gate, crashed through a secure door and entered the Unit 1 turbine building. He hid in the turbine building for 4 hours before being apprehended.

  • In 2009, a release of radioactivity occurred inside the containment building while workers were cutting pipes. 20 employees were treated for mild radiation exposure.

So there you have it: some significant design flaws and operator error led to the meltdown of Three Mile Island Unit 2 three months after it came online. Even though this accident was not the worst nuclear disaster to take place, it was still really bad and completely preventable. We hope nuclear reactor manufacturers and operators around the world took note of what not to do.

For photos, sources and an episode summary from this week’s episode, head to Failurology.ca. If you’re enjoying what you’re hearing, please rate, review and subscribe to Failurology, so more people can find it. If you want to chat with us, our Twitter handle is @failurology, you can email us at thefailurologypodcast@gmail.com, or you can connect with us on LinkedIn. Check out the show notes for links to all of these. Thanks, everyone, for listening. And tune in to the next episode, United flight 232, a DC-10 whose rear engine catastrophically exploded and cut all hydraulic systems, resulting in a complete loss of flight controls.

Bye everyone, talk soon!