Fission Stories #119: Electrical Problems at Catawba


Fission Stories #111 and Fission Stories #110 described recent near-misses at U.S. nuclear power plants caused by latent design problems in the in-plant electrical distribution systems. This Fission Story describes how the Catawba nuclear plant in South Carolina borrowed that problem but broadened it to include not only long-ago design miscues but also very recent ones.

On April 4, 2012, the Unit 1 reactor at the Catawba nuclear plant was operating at full power and the Unit 2 reactor was shut down for refueling. Electrical power to vital equipment on both reactors was being supplied through Unit 1 sources.

Four motor-driven pumps circulated cooling water through the Unit 1 reactor core. Age-related degradation of the insulation for a power cable to one of these reactor coolant pumps caused an electrical fault. The fault caused the pump to stop running. Sensors detected the drop in flow from that pump and initiated the automatic and rapid shut down of the reactor and the turbine/generator as designed.

Figure 1. Electrical diagram for Catawba nuclear plant.

The shutdown of the Unit 1 main generator automatically opened the two electrical breakers within the red box in Figure 1 that disconnected it from the offsite power grid and from in-plant electrical buses. That worked according to plan. What wasn’t planned was that as the generator stopped, sensors caused other electrical breakers within the magenta boxes in Figure 1 to open, entirely disconnecting Unit 1’s systems from the offsite power grid.

The plant’s switchyard is its connection with the offsite power grid. When operating, the two units’ main generators plug into the offsite electrical grid through the switchyard. The NRC requires at least two connections via separate transmission lines between the switchyard and the offsite power grid. Catawba had five transmission line connections. When the reactors are not operating, these connections allow the plant to get electricity from the grid similar to how homes and businesses get electricity.

The magenta switches are only supposed to open when the generator is online and when sensors detect a mismatch between the frequencies of the current from the generator and the grid. If that happens, the magenta switches open to disconnect the generator and the grid.

However, shutdown of the generator is a perfectly valid reason for its output frequency to drop below that on the offsite grid. In the original design at Catawba, the frequency imbalance protection circuit was automatically bypassed whenever the generator output breakers (i.e., the breakers in the red boxes) were open. The sensors would still detect a mismatch between the generator’s frequency and the grid’s frequency, but would no longer trigger any protective reactions such as opening the electrical breakers within the magenta boxes.

The plant owner had recently replaced the relays in this protection circuit on Unit 1. But it failed to tell the vendor about this bypass provision and the replacement relays did not have this feature. Additionally, the procedure used by workers at Catawba to test the replacement relays following their installation had been developed based on the incorrect information given to the vendor rather than from the original design requirements for the system. Consequently, the replacement relays successfully passed the deficient test procedure.

These same relays were being replaced on Unit 2 during its refueling outage. The replacement relays had the same problem as those already replaced on Unit 1. This event exposed the problem and led to relays on both units being replaced with properly designed and tested relays.

In response to the loss of electric power at Unit 1, both emergency diesel generators for each reactor (4 total) automatically started and supplied electricity to vital in-plant equipment until offsite power connections were restored more than five hours later.

While safety systems were powered by the emergency diesel generators, about three hours after offsite power had been lost, the batteries used by the plant’s security system were becoming exhausted. Workers started a fifth emergency diesel generator to replenish the batteries and sustain power to the security system equipment. But a design flaw dating back to original installation prevented this emergency diesel generator from functioning properly.

This fifth emergency diesel generator had been installed around 1983 specifically for station blackout events. While it also supplied power to security equipment, its primary purpose was to power equipment needed to cool the reactor core.

For nearly thirty years, workers periodically tested this fifth emergency diesel generator. The unit is normally in standby (idle) mode, and these tests verified that it would start up and provide the needed amount of electricity within the specified time limit. During the tests, the vital equipment was not physically connected to the emergency diesel generator; instead, the power loads that equipment would draw from the generator were simulated by a test circuit.

But when the emergency diesel generator was started this time for real, the simulation circuit remained connected to the generator due to a wiring error that dated back to original installation in 1983. The voltage regulator for the emergency diesel generator thought it had to power all the real loads as well as all the simulated loads. To do so required dropping the voltage to about 400 volts, far below that needed to operate the safety equipment. Thus, even though the emergency diesel generator was running, the design error prevented it from supplying electricity of adequate voltage to equipment.

As a result, the plant’s security systems were offline for a couple of hours. Workers finally reconnected the unit to the offsite power grid about five hours after the initial trip of the Unit 1 reactor, restoring normal power supplies to in-plant safety and security equipment.

Our Takeaway

Recent events at Fort Calhoun, Byron, and Catawba each involved longstanding, pre-existing design errors that caused an initial electrical problem to cascade into wider problems. That’s not supposed to happen once, let alone three times in such a short period of time.

Countless tests and inspections had been conducted over many years at these plants. NONE of those tests and inspections detected the problems – they were all revealed by actual events.

The purpose of these tests and inspections is not to keep workers occupied before it’s time to head home (or wherever). The purpose is to verify that safety equipment will function properly.

Rather than dispatch teams out to chronicle near-miss after near-miss caused by long-undetected design errors, the NRC would better serve the public by sending teams out to find and fix such problems before they cause the next near-miss or worse.

News reporters and historians write about disasters.

Regulators are supposed to establish and enforce regulations aimed at preventing them.

NRC needs to refocus its efforts to do more prevention if news reporters and historians are to have no U.S. nuclear disasters to cover.

 

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.


About the author: Mr. Lochbaum received a BS in Nuclear Engineering from the University of Tennessee in 1979 and worked as a nuclear engineer in nuclear power plants for 17 years. In 1992, he and a colleague identified a safety problem in a plant where they were working. When their concerns were ignored by the plant manager, the utility, and the Nuclear Regulatory Commission (NRC), they took the issue to Congress. The problem was eventually corrected at the original plant and at plants across the country. Lochbaum joined UCS in 1996 to work on nuclear power safety. He spent a year in 2009-10 working at the NRC Training Center in Tennessee. Areas of expertise: Nuclear power safety, nuclear technology and plant design, regulatory oversight, plant license renewal and decommissioning


  • B. Brunner

    Quite amazing story…

    Another recent interesting report from Nov 17th 2012 regarding electricity and car batteries from do-it-yourself shops used during Fukushima early days crisis:

    This extract from Japanese TV Asahi shows the level of stress and of confusion during this event (subtitles in English and French):
    http://www.dailymotion.com/video/xv0ez8_dans-les-coulisses-du-pire-accident-nucleaire-a-fukushima-10-2012_news?start=0#.UKf2MaU8_CY

    The main order of 1000 batteries shipment got stopped by police and never arrived…

    Lots of lessons in crisis management to be learned from that video…WOW!

  • Dinesh

    Diesel generators are the best power alternative for electricity.
    http://www.nandipower.net

  • Martin Trenz

    If I’m not very much mistaken the rocket and spaceship for the Apollo 11 mission had a combined total of about 2.8 million separate parts, each of which was provided by the lowest bidder. The requirement of NASA was 99.99% reliability, but that still leaves 2800 parts to go wrong. They still managed to do ten successful manned flights, six successful landings and one successful rescue mission. Why can’t the NRA be like NASA?

    The reason is simple: the NRA regulates private companies while NASA buys their rockets etc. from private companies. In other words: if nuclear power in the (capitalistic) USA would be run by government it is likely that this kind of problem would be avoided. If something goes wrong with a plant the government-operator could hold the private supplier of the NPS accountable as customer, not regulator. Laws, lobbying, political pressure against “over-regulation” and suchlike would have no impact. I find it ludicrous how careful the NRC has to tiptoe around the operators, how long they have to give them time to correct even severe problems, how small the fines are, how little real accountability (prison time…) there is.

    One more thought along those lines: the U.S. does not allow a private citizen to own a H-bomb, and for good reasons. Why does it allow a company to own and operate something that is similar in destructive power?