This post is a part of a series on Near Misses at US Nuclear Power Plants
The Nuclear Regulatory Commission (NRC) sent a special inspection team to Calvert Cliffs (Lusby, Maryland) to investigate electrical fluctuations on the offsite power grid that caused both reactors to automatically shut down on April 27, 2015, and problems with both of the standby emergency diesel generators on Unit 2. The NRC’s investigations identified no violations of regulatory requirements.
How the Event Unfolded
In the early afternoon of Tuesday, April 7, 2015, a power transmission line in southern Maryland failed and automatically de-energized. The loss of this transmission line caused power to fluctuate on the remaining transmission lines as electricity flows sought to restore balance.
At 12:39 pm, the power grid’s fluctuations dropped the voltage in the electrical switchyard illustrated in Fig. 1 at the Calvert Cliffs nuclear plant near Lusby, Maryland from 525,000 volts to 465,000 volts. The voltage reduction cascaded from the 500,000 volt black and red buses through the 13,000 volt service buses to the 4,000 volt unit buses. Within seconds, both main generators automatically tripped and control rods were rapidly inserted to shut down both reactors from near full power.
Similar to multiple electrical circuits within a house radiating out from a main breaker panel, Calvert Cliffs has multiple electrical buses. Each reactor unit has two safety-related 4,000 volt buses (within the red boxes in the schematic) and several non-safety-related 4,000 unit buses. The safety-related buses supply electricity for primary safety systems and their fully redundant backups. The non-safety-related 4,000 buses supply electricity to non-essential equipment. As shown in the schematic in Fig. 2, these safety-related 4,000 buses can receive backup power from the onsite emergency diesel generators should offsite power supplies become unavailable.
The voltages on the safety-related 4,000 volt buses (i.e., Buses 11 and 14 for Unit 1 and 21 and 24 for Unit 2) are monitored by protection systems that automatically open the electrical supply breakers when any one of three under-voltage conditions is detected. This system protects emergency equipment powered from the buses from damage. For example, a motor getting lower than normal voltage might draw more electrical current in an attempt to compensate. The higher current can cause the motor to experience higher than normal temperature, causing it to fail or malfunction.
The normal voltage on these buses is 4,000 volts. If the voltage on any bus drops below 3,760 volts for longer than 99 seconds, its electrical supply breaker automatically opens and its emergency diesel generator automatically starts.
If the voltage on any bus drops below 3,000 volts for longer than 6 seconds, its supply breaker automatically opens and its emergency diesel generator automatically starts.
If the voltage on any bus drops below 2,360 volts for any duration, even a split-second, its supply breaker automatically opens and its emergency diesel generator automatically starts.
The offsite electrical power grid fluctuations caused the voltages on all four safety-related 4,000 volt buses to drop below 3,000 volts for longer than 6 seconds. As a result, their supply breakers automatically opened and all the emergency diesel generators automatically started.
The non-safety related 4,000 volt buses do not have voltage protection systems. Consequently, they remained in service powering in-plant equipment.
The emergency diesel generators started within seconds. On Unit 1, electrical breakers automatically closed to restore power to buses 11 and 14. The operators faced no significant challenges responding to the Unit 1 shut down.
Things were quite different on Unit 2. Both its safety-related 4,000 buses had de-energized and both its emergency diesel generators had started, but neither successfully restored power to the buses.
Emergency diesel generator 2A successfully started and its output breaker properly closed to connect it to Bus 21. But none of the large loads supplied by the bus, such as the pump for an emergency cooling water system, automatically restarted as expected by the design. The operators were later able to manually restart these emergency components.
Emergency diesel generator 2B automatically started, but it automatically shut back down about 11 seconds later. The operators manually started the station blackout diesel generator to compensate for this loss.
The NRC dispatched a Special Inspection Team (SIT) to Calvert Cliffs to investigate the power grid fluctuation and the emergency diesel generator complications experienced on Unit 2.
The SIT documented two different causes for the Unit 2 emergency diesel generators not responding properly.
Workers determined that emergency diesel generator 2A had a faulty load sequencer. Bus 21 supplies electricity to several large motors and other components. This equipment lost power when the under-voltage protection system detected voltage below 3,000 volts for longer than 6 second and opened the normal supply breaker to the bus. Electrical breakers opened to disconnect all the loads from the de-energized bus. After emergency diesel generator started and its output breaker closed to restore power to Bus 21, the load sequencer was supposed to re-connect loads at approximately 5 second intervals. Without this load restoration sequencing, the bus voltage might drop back below 3,000 volts as the emergency diesel generator attempted to simultaneously re-power all the equipment. The load sequencer was returned to the vendor for testing. An integrated circuit within the load sequence was found to have failed. Workers replaced the faulty load sequencer.
Workers determined that emergency diesel generator 2B failed for another reason. The diesel engine has a sensor that detects the speed that the engine’s shaft is rotating. The speed sensor provides indication of shaft speed to a local panel and two trip signals. A high speed trip at 810 revolutions per minute (rpm) trips the engine on overspeed. A low speed trip at 250 rpm trips the engine if the engine has not exceeded this speed within 10 seconds. The low speed trip protects the engine from further damage caused by repeated start attempts. During this event, emergency diesel generator had successfully started and achieved more than 250 rpm within 10 seconds. But the speed switch had failed and was indicating 0 rpm. Thus, as soon as the 10-second timer timed out, the protection system thinking that the engine speed was below 250 rpm tripped emergency diesel generator 2B.
The failure of both emergency diesel generators on Unit 2 did not result in reactor core damage because the non-safety-related buses continued supplying power to non-emergency equipment that performed the roles intended for the emergency equipment. And the operators successfully started and connected the station blackout diesel generator to restore power to some of the emergency equipment.
The NRC’s SIT identified no violations of regulatory requirements.
The NRC’ SIT reported that the load sequencer on emergency diesel generator 2A was last tested on July 25, 2014, and that emergency diesel generator 2B had been successfully tested on March 18, 2015.
The emergency diesel generators are perceived to be highly reliable safety nets backing up electricity supplied from the offsite power grid. Yet both of these “highly reliable,” recently tested safety nets failed—for different reasons—when needed during this event.
A recurring theme among the near misses is the failure of equipment that had successfully passed a recent test. For example, the January 27, 2015, near miss at Pilgrim was complicated when a diesel-powered air compressor failed to start. It had passed a test only 5 days earlier. But the test of a component installed primarily to cope with loss of onsite power had been conducted using onsite power. When loss of onsite power compelled workers to turn to this diesel-powered air compressor, its untested battery would not start the engine.
Testing is purportedly conducted to provide reliability that safety equipment functions properly. It’s not being done to kill time before lunch.
Why are so many tests failing that simple objective?
Is it because the tests are conducted under conditions and configurations that do not adequately match those likely encountered during real events?
Are results from unrealistic tests being improperly used in risk assessments?
The nuclear industry and its regulator really need to figure out why all the testing and inspecting that they do is not detecting failed equipment that seems all too anxious to reveal itself during actual events.
Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.