Fission Stories #110 described a design flaw at the Fort Calhoun nuclear plant that allowed a single electrical problem to impair emergency components in what were intended to be redundant and fully independent backup systems. Within eight months, another design flaw would cause this same bad outcome on the Unit 2 reactor at the Byron nuclear plant in Illinois.
Shortly after 10 am on January 30, 2012, part of the “C” phase power line for the Unit 2 station auxiliary transformer (SAT) in the 345,000 volt switchyard at Byron fell to the ground, cutting off power. The fallen “C” phase power line is shown in Figure 1 next to the intact “A” and “B” phase lines.
Figure 1. (Source: http://adamswebsearch2.nrc.gov/webSearch2/main.jsp?AccessionNumber=’ML12087A213′ with UCS captions)
Per the normal configuration for a reactor, the switchyard supplied electricity to in-plant equipment such as the non-safety-related 6,900 volt Reactor Coolant Pump (RCP) Buses 258 and 259. Electricity from the main transformer (i.e., power being produced by the unit itself) was powering the rest of the in-plant equipment like the non-safety-related 6,900 volt RCP Buses 256 and 257. The red lines in the schematic in Figure 2 represent how electricity was being distributed to Unit 2 equipment when the incident began.
Figure 2. (Source: http://adamswebsearch2.nrc.gov/webSearch2/main.jsp?AccessionNumber=’ML12087A213′)
The “C” phase failure was detected by the electrical protection system for 6,900 volt RCP buses 258 and 259. This system compares the voltages between the “A”, “B”, and “C” phases to detect problems. If the voltage between phases differs by more than a specified amount (e.g., one phase goes towards zero volts due to a short or another phase’s voltage rises due to an over-current condition), the protection system “trips” to isolate equipment from a potentially flawed power source.
This condition in turn triggers an automatic shut down of the reactor. Control rods insert into the reactor core within seconds to terminate the nuclear chain reaction.
The 4,000 volt safety-related buses 241 and 242 are also supplied from the 345,000 volt switchyard. These two buses supply electricity for all the emergency equipment needed on Unit 2. Each bus has its own emergency diesel generator in standby readiness available to power the bus if power from the switchyard becomes unavailable.
The electrical protection system for the safety-related buses 241 and 242 had an undetected design flaw that surfaced during this event. It compared the “A” phase voltage to the “B” phase voltage and the “B” phase voltage to the “C” phase voltage. This protection scheme sensed a problem when the difference between the voltages from the two phases exceeded a specified amount, in this case 2,730 volts. But this scheme required problems to be sensed both in comparing “A” to “B” and in comparing “B” to “C” for the system to isolate a faulty power supply (Figure 3).
Figure 3.
For example, if “B” had failed, the “A” to “B” check would have sensed a failure as would have the “B” to “C” check. The electrical protection system would have responded by isolating (disconnecting) the 4,000 volt safety-related buses 241 and 242 from the faulty 346,000 volt switchyard (Figure 4).
Figure 4.
But the failure of “C” caused only the “B” to “C” check to sense a problem. The voltages of “A” and “B” phases matched within the limit, so the protection system did not isolate the 4,000 volt safety-related buses 241 and 242 from the faulted 346,000 volt switchyard (Figure 5).
Figure 5.
Two situations conspired to make things worse. The automatic shut down of the reactor meant that the Unit 2 main generator was no longer producing electricity. As designed, in-plant equipment that had been powered from the main generator (e.g., Unit Auxiliary Transformers (UAT) 241-1 and 241-2 as well as 4,000 volt non-safety-related buses 243 and 244 automatically switched to their backup power sources – which was the faulted 346,000 volt switchyard. The electrical protection system for 6,900 volt NSR buses 256 and 257 sensed the “C” phase fault and isolated themselves from the faulty power supply.
As a result, all four of the reactor coolant pumps were now turned off and no longer circulating cooling water through the reactor core (Figure 6).
Figure 6.
The second situation was far more threatening. While the electrical protection system for 4,000 volt safety-related buses 241 and 242 did not detect the “C” phase fault, the protection systems for ALL of the emergency equipment supplied from these buses detected the resulting over-current condition. (With the “C” phase faulted, the electrical current flow through the “A” and “B” phases increased to compensate.)
As a result, ALL of the emergency equipment for Unit 2 was automatically disconnected from its power sources.
For example, the cooling water system for the emergency diesel generators and the equipment needed to cool the reactor core and its containment was no longer available. Workers opened valves to cross-tie the cooling system with the cooling system on Unit 1 to recover this vital function.
Ironically, ALL of the Unit 2 emergency equipment was de-energized even though each component had two separate, independent power supplies available. Both emergency diesel generators were available. Had the electrical protection system for the 4,000 volt safety-related buses 241 and 242 functioned as intended, they would have been isolated from the faulty switchyard and this step would have signaled the emergency diesel generators to automatically start and re-power the buses within seconds. Alternatively, each of these buses was equipped with a connection to an available 4,000 volt safety-related bus on Unit 1. It took operator action to connect these backups.
By checking instruments in the control room, the operators identified the “C” phase problem. Along with a report from a worker in the switchyard about seeing smoke coming from station auxiliary transformers 242-1 and 242-2, the operators opened electrical breakers about eight minutes after the reactor trip that isolated in-plant equipment from the 346,000 volt switchyard (essentially duplicating what was supposed to have happened earlier if the design flaw had not existed). The emergency diesel generators automatically started and re-powered 4,000 safety-related buses 241 and 242. The operators manually closed electrical breakers to also re-power 4,000 NRS buses 243 and 244 (Figure 7).
Figure 7.
This restored power to vital electrical buses, but not yet to emergency equipment supplied by those buses. Many electrical loads from these buses had been automatically disconnected due to over-current conditions. To restart these components, workers had to individually reset these trips, often from panels out in the plant rather than from the control room.
At 8 pm on January 31, 2012 – a day and a half after the power line had fallen – the “Unusual Event,” the least serious of the NRC’s four emergency classifications, that had been declared due to the automatic reactor trip and in-plant electrical problems was terminated. Workers repaired the damaged “C” phase power line, performed checks to verify that SATs 242-1 and 242-2 were undamaged, and restored the normal supply of electricity to Unit 2 from the 346,000 volt switchyard.
Our Takeaway
Three Mile Island had primary safety systems and backups, but the operators turned them all off due to a misunderstanding. The Unit 2 reactor core overheated and melted down.
Chernobyl had primary safety systems and backups, but the operators intentionally disabled them in order to perform a safety test. The test failed and the reactor core went out of control and blew up.
Fukushima had primary safety systems and backups, but tsunami waters flooded their power supplies rendering them all useless. Three reactor cores overheated and melted down.
Fort Calhoun in June 2011 and Byron Unit 2 in January 2012 had primary safety systems and their backups disabled by undetected and longstanding design flaws. Both reactors had each operated for decades before their design problems were revealed during actual events. Fortunately, and I do mean fortunately, these two challenges were relatively mild so that the design vulnerabilities did not lengthen the list of nuclear plant disasters.
Each represents too many steps taken towards disaster.
But each presents the opportunity to take an equal, or greater, number of steps away from disaster. If the NRC and the nuclear industry are truly serious about safety being their foremost priorities, these wake-up calls will trigger robust, intensive reviews of electrical systems at all U.S. nuclear power reactors to ferret out and fix other longstanding, undetected design problems. Each fix is a step away from disaster.
Hopefully the NRC’s response to these wake-up calls will not be to simply hit the snooze button.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.