Fission Stories #170
During a winter storm on January 21, 2014, the Unit 2 reactor at the Calvert Cliffs nuclear plant in Maryland automatically shut down from full power. That event should not have cascaded to cause the Unit 1 reactor to also shut down, but it did.
At 9:25 pm on January 21, 2014, both of the pressurized water reactors (PWRs) at Calvert Cliffs were operating at full power. In PWRs, the heat produced by atoms splitting in the reactor core warms water to over 500°F. High pressure keeps this water from boiling as it leaves the reactor vessel and flows through tubes within the steam generator. Heat conducted through the thin metal walls of the tubes boils water. The pressurized water exits the steam generator and returns to the reactor vessel to be reheated. Steam flows from the steam generators through a turbine to generate electricity.
When a reactor is operating at steady state, the energy produced by the reactor core is balanced by the energy carried away in the steam leaving the steam generators.
Electricity generated by Units 1 and 2 went out to the electrical power grid. Some of it was supplied back to power equipment within the plant.
A snow storm dislodged a ventilation cover on the cabinet containing electrical breaker 252-2104 (shown to the lower left of the schematic). Snow entered this opening, melted, and shorted out the breaker. The breaker’s failure de-energized 13,800-volt bus 21 and the electrical buses and circuits it supplied.
The loss of power to 4,000-volt buses 14 and 24 triggered the automatic start of emergency diesel generators 12 and 21 (DG 12 and DG 21 in the schematic) within two seconds. These two buses supply electricity to essential equipment within the plant and have emergency backup power sources. The 4,000-volt buses 22 and 23 supply electricity to non-essential equipment not needed for cooling the reactor core.
The loss of power to 4,000-volt buses 14 and 24 also triggered the automatic shut down of the Unit 2 reactor within three seconds. Control rods rapidly entered the reactor core to terminate the nuclear chain reaction as specified with the plant’s safety studies to mitigate loss of power events like this one.
About ten seconds after the breaker’s failure, the emergency diesel generators connected to 4,000-volt buses 14 and 24 and re-energized them.
Analog to Digital Replacement
About seven years earlier, the turbine control systems on Units 1 and 2 had been replaced. The original analog systems were replaced by digital systems. The digital turbine control system for Unit 1 was powered from 4,000-volt bus 14.
The voltage surge caused when emergency diesel generator 12 connected to the bus caused the digital turbine control system to reboot—a situation that had not been anticipated when the original control systems were replaced. The valves in the steam pipes between the steam generators and the turbine closed as the digital turbine control system rebooted. Normally, the closure of these turbine inlet valves would cause an automatic shut down of the reactor. But the electrical power disturbance that triggered the reboot of the turbine control system also prevented the automatic reactor trip signal to be generated.
Closure of the turbine inlet valves upset the balance between the energy produced by the reactor core and the energy carried away from the steam generators. The imbalance caused the pressure within the reactor coolant system (i.e., the reactor vessel, the steam generators, and the connecting pipes) to increase. The rising pressure triggered the automatic shut down of the Unit 1 reactor about 16 seconds after the initial electrical breaker failure.
By design, the electrical problem on Unit 2 should not have caused the Unit 1 reactor to trip. Because both reactors did trip, the NRC dispatched a special inspection team (SIT) to the plant to investigate the cause, consequences, and corrective actions. The SIT concluded that other than the Unit 1 digital turbine control system malfunction, all other equipment and operator responses were as expected.
Why the control system rebooted during this event remains a mystery. This control system is widely used in the electrical power generating industry and no similar malfunctions have been reported. Troubleshooting of the control system after this event by plant workers and vendor representatives failed to replicate the malfunction. Workers also reviewed the loss of power supply testing conducted after the digital turbine control system was installed in 2006 and found that it had responded properly (i.e., did not reboot) during all the tests.
Weather caused water intrusion that shorted an electrical circuit, tripping one reactor. A design flaw allowed a ripple effect that tripped a second reactor at the plant.
It happened on January 21, 2014, as described above. It also happened on February 18, 2010 as described in UCS’s first annual report on the NRC and nuclear plant safety.
Each time it happened, the NRC dispatched a special inspection team to investigate. The NRC’s SIT for the 2010 happening found that the owner violated federal regulations by failing to properly correct conditions revealed by water intrusion events in August 2009 and July 2008.
The NRC’s SIT for the 2014 event found no federal regulations to have been violated. Apparently not even the one violated in 2010 due to recurring water intrusion events and inadequate fixes although this one also involved water intrusion.
Had the owner undertaken more extensive effort following the 2010 dual-unit trip, this year’s variety could have been avoided. The owner reported that 20 mile per hour winds dislodged the ventilation cover to create the water intrusion pathway. The owner additionally reported that the fix is to “Design and install a permanent solution for an exterior housing over metal clad louvers to provide a more robust barrier against the environment”.
In other words, the 2014 storm did not involve incredible, unforeseen conditions. Yet the owner in its response to the 2010 event was unable to detect and correct the plants’ vulnerability to mild weather conditions that caused the 2014 event.
The NRC ordered this and other owners to evaluate their facilities to vulnerabilities associated with severe weather. When this owner cannot adequately evaluate vulnerability to mild weather, what assurance can the NRC really have that owners can adequately evaluate vulnerabilities to more severe conditions?
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.
Fig. 1: U.S. Nuclear Regulatory Commission
Fig. 2-6, 8: Constellation Energy Nuclear Group with annotations by UCS
Fig. 7: U.S. Nuclear Regulatory Commission