Search Results for vogtle

Fission Stories #45: Station Blackout at Vogtle

, director, Nuclear Safety Project

On March 20, 1990, the Unit 1 reactor at the Vogtle nuclear plant in Georgia was shut down during a refueling outage. A worker accompanied by a security guard drove a fuel truck into the plant’s electrical switchyard to refill a welding machine. The security guard went along to ensure that neither the worker nor the vehicle, if driven by another individual, sabotaged the plant.

The security guard may not have fully understood this role. In any case, the worker found that the welding machine did not need fuel. Backing up the service truck while turning around to exit the switchyard, he accidentally drove into a support pole for a 230,000 volt overhead transmission line. The impact caused an electrical fault that de-energized Reserve Auxiliary Transformer 1A, the only transformer linking Unit 1 to the offsite electrical power grid. Unit 1 experienced a loss of offsite power (known as LOOP).

Emergency diesel generator 1B was out of service for maintenance at the time. The only other emergency diesel generator (EDG) automatically started, but stopped running 70 seconds later. A sensor on the EDG’s cooling system malfunctioned, causing the EDG to stop running. This sensor had failed 69 times since 1985, or roughly once a month leading up to this incident, but had never been fixed.

With the EDGs unavailable during the LOOP, Vogtle Unit 1 experienced a station blackout – the total loss of all AC power. The only electrical equipment functioning on the unit was powered from the station’s batteries. The Figure below shows a schematic of the electrical distribution system for Vogtle Unit 1.

Repairs to the diesel generator were complicated because all the lights in the diesel generator building were disabled by the loss of electrical power. Operators manually restarted the diesel generator about 18 minutes into the event, but it tripped again after running for about a minute. Operators started the diesel generator a third time in an emergency mode and re-supplied power to safety equipment 36 minutes after the blackout began. The temperature of the reactor’s cooling water rose from 90°F to 136°F during the power outage.

The plant’s owners declared an Alert, the second lowest of the NRC’s four emergency classifications, as a result of the loss of power and its challenge to reactor core cooling. The Alert declaration required all personnel at the plant to be accounted for within 30 minutes. An hour after the emergency was declared, 120 people were still unaccounted for. Four hours after the Alert, there were still 49 people unaccounted for. It is believed that all workers have now been located, although the NRC report is not clear on this point.

Our Takeaway

The station blackout at Vogtle happened despite many intentional and conditional barriers that could have, and should have, prevented it:

  • A security guard whose only job was to prevent one worker and one vehicle from causing harm to the plant watched that worker ram that truck into a power pole in the switchyard.
  • That worker drove the truck into the switchyard to refuel a welding machine that did not need to be refueled.
  • The only available EDG failed to run, twice, due to a malfunctioning part that had been tolerated for years.

As bad as the situation was, it could have been more severe if electrical arcing had ignited the fuel in the truck. Additional damage that could have resulted from a fire or explosion would have further complicated recovery from the incident.

The recent disaster at Fukushima Dai-Ichi was primarily caused by a station blackout lasting longer than expected. At some U.S. reactors, the risk of reactor meltdown from station blackout is greater than the risk from all other possible causes combined. It is a real risk that demands real attention in order to prevent real disasters.

Sad Footnote

Allen Mosbaugh, a manager at the Vogtle plant, told the NRC about alleged falsification of EDG tests. Due to the EDG’s failures during the event, the NRC had required a series of successful EDG tests to be completed before the unit could restart. In order to compile the required number of successful tests in a row, Mosbaugh informed the NRC that a senior manager directed workers to exclude several test failures and only include successful tests. The plant’s owners fired Mosbaugh.

The NRC conducted a long, intensive investigation into his firing. They determined that the firing violated federal regulations. The NRC cited the plant’s owners for a Severity I, or most serious, violation. The NRC indicated that it also wanted to fine the company $100,000 for this deliberate violation by a senior company official, but could not because the five year statute of limitations that began when the test records were “doctored” had expired just days earlier. They say Justice is blind. That might explain why Justice was unable to read a calendar and appropriately sanction this wrong-doer.

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.

The NRC Seven: Petitioning the NRC over Safety

, director, Nuclear Safety Project

Roy Mathew, Sheila Way, Swagata Som, Gurcharan Singh Matharu, Tania Martinez Navedo, Thomas Koshy, and Kenneth Miller—the NRC Seven—are not names as well known as Scott Carpenter, Gordon Cooper, John Glenn, Gus Grissom, Wally Schirra, Alan Shepard, and Deke Slayton—the Mercury Seven astronauts—but their courage and service to the country are comparable.

Commendable Effort: NRC Improves Its Operator Licensing Process

, director, Nuclear Safety Project

A recurring theme among my commentaries is that actions taken by plant owners and the NRC only fix broken widgets and do not fix the assembly lines creating them. In the case described here, the NRC could have remedied the broken widget by issuing the Senior Reactor Operator license as directed by the ASLB. But the NRC sought the bigger and better fix by voluntarily reviewing its operator licensing process with the aim of making it clearer and more consistent.

Dark and Dangerous: Station Blackout

, director, Nuclear Safety Project

Disaster by Design: Safety by Intent #10

The March 2011 disaster at Fukushima Dai-ichi was a costly reminder of a lesson learned decades ago—nuclear power reactors need electricity for safety reasons.

Nuclear Power(less) Plants

, director, Nuclear Safety Project

Disaster by Design/Safety by Intent #3

The primary purpose of commercial nuclear power plants in the U.S. is to generate electricity. When not fulfilling that role, nuclear power plants that are shut down require electricity to run the equipment needed to prevent the irradiated fuel in the reactor core and spent fuel pool from damage by overheating. The March 2011 accident at Fukushima Daiichi in Japan graphically illustrated what can happen when nuclear plants do not get the electricity they require.

Millstone Unit 3 Reactor’s AFW Near-Miss (to be continued)

, director, Nuclear Safety Project

Fission Stories #182

Redundancy and diversity are two key elements of nuclear power plant safety. The auxiliary feedwater (AFW) system for the Unit 3 reactor at the Millstone nuclear plant in Waterford, Connecticut illustrates these principles.

Nuclear Licensing: Two-step, One-step, Tap-dance

, director, Nuclear Safety Project

Fission Stories #155

The nuclear power reactors currently operating in the United States were licensed by the Nuclear Regulatory Commission (or its predecessor, the Atomic Energy Commission) via a two-step process. In the first step, companies applied to the NRC for a construction permit. The construction permit, when issued, authorized the company to build a nuclear plant, but not to operate it. As construction was completed, companies took the second step by applying to the NRC for an operating license. An operating license authorized the company to start up the nuclear plant.

Fission Stories #46: Powerless Nuclear Power Plants

, director, Nuclear Safety Project

Did the station blackout event at Vogtle described in Fission Stories #45 shock the nuclear industry into taking actions to prevent recurrence? Hardly.

Almost exactly one year later, on March 7, 1991, the boom of a mobile crane neared, but did not touch, a 500,000 volt overhead power line connecting the main transformer at Diablo Canyon Unit 1 in California to the offsite electrical power grid. Plant procedures required mobile cranes to be kept at least 27 feet away from overhead power lines. The boom of the mobile crane in question ventured to within 2 or 3 feet of the 500,000 volt power lines. Electrical arcing (i.e., nuclear-sized sparks) between the boom and the transmission lines caused an electrical fluctuation that tripped the main transformer. Since the backup transformer was out of service for maintenance at the time, Unit 1 lost all offsite power. The three emergency diesel generators automatically started and supplied power to essential equipment. Power to the rest of Unit 1’s electrical equipment was restored about five hours later by cross-tying connections to a Unit 2 transformer (i.e., putting all the eggs in one basket).

Okay, some snoozed through the Vogtle wakeup call. But surely the Diablo Canyon event triggered actions to prevent power plants from becoming powerless. Guess again.

On March 13, 1991, six days after the Diablo Canyon miscue, the Unit 4 reactor at the Turkey Point nuclear plant south of Miami, Florida experienced a loss of offsite power at a time when all its emergency diesel generators were unavailable.

Turkey Point Unit 4, along with Unit 3 (Units 1 and 2 are fossil-fired generators), had been shut down the previous November for a lengthy outage to fix safety problems. All the irradiated fuel had been transferred from the reactor core to the spent fuel pools. As long as one irradiated fuel assembly resides in the reactor core, at least one emergency diesel generator (EDG) must be available. But when that last irradiated fuel assembly is relocated to the spent fuel pool (which now contains ALL the irradiated fuel assemblies), none of the EDGs is required to be available—despite the fact that they supply backup power to the spent fuel pools.

When the event began, the startup transformer was connected to the offsite electrical grid. It was supplying power from the grid to equipment throughout the plant. Due to an electrical disturbance, the startup transformer was automatically disconnected from the grid and prevented from reconnecting.

Workers inspected the startup transformer and associated circuit breakers and found no electrical fault indications. About an hour after the incident began, the operators re-energized the startup transformer. In the next hour, power was restored to the spent fuel pool cooling pumps and forced cooling to the spent fuel pool was resumed.

Did the Turkey Point event finally deliver the safety warning that the Vogtle and Diablo Canyon events failed to send? Maybe, but apparently not to folks in Arizona. On November 15, 1991, workers at Palo Verde Unit 3 were replacing the “A” phase bushing on the main transformer. The bushing was the connection between the transformer and the power transmission line carrying electricity to customers far and wide. Lightning damaged the bushing a day earlier. Workers used a crane to lift the damaged bushing from the transformer. Prior to installing the new bushing, the crane operator left the cab to discuss the process with other maintenance personnel.

A gust of wind, perhaps called Mariah, caused the crane’s boom to rotate and contact one of the energized phases of the 13,800 volt overhead power line. This line was transmitting power to various vital and non-vital loads in the plant. The electrical fault current should have actuated protective devices to limit the extent of the electrical problems. But the crane had not been properly grounded when the work began. Consequently, the overhead power line remained energized as electrical current flowed down the boom, through the truck, and into the ground causing the asphalt around the crane’s front outrigger pads to catch on fire.

The foreman of the maintenance crew reported the electrical short and ensuing fire to the shift supervisor in the control room. The foreman mistakenly reported that the electrical problem affected the good electrical circuit. The shift supervisor opened circuit breakers and cut off power for the good electrical circuit. Power to two of the four large pumps circulating water through the reactor core was cut off. An emergency diesel generator automatically started to provide power to essential safety equipment.

When the miscommunication was corrected, the operators opened circuit breakers for the bad electrical circuit. Power to the remaining two large pumps circulating water through the reactor core was cut off. The reactor core was left with no cooling pumps working for about a half hour until one pump was restarted. It took workers nearly three hours to restore power to all plant equipment.

Our Takeaway

Power outages can be dangerous—the disaster at Fukushima Dai-Ichi was primarily caused by an extended power outage. While in the cases described above workers were able to restore power in time to avoid serious problems, the wrong combination of incidents like these can lead to disaster.

The key factors in power outages can be represented by the three spinning wheels on a casino slot machine: (1) the odds that the offsite electrical power grid becomes unavailable, (2) the odds that the onsite emergency diesel generators become unavailable, and (3) the odds that power from either of these sources is not restored before the batteries are depleted. The goal should be to lower the odds of failure on each wheel, which can significantly lower the odds of all three wheels someday coming up as failures.

The NRC and the nuclear industry must not hide behind the smoke screen of “tsunamis cannot happen here.” Non-tsunami things can and do happen here that cause electrical grids and emergency diesel generators to become unavailable. Steps must aggressively be taken to reduce the frequency of such events in order to lessen the odds that we someday lose at the nuclear casino, too.
