defense in depth for emergency core cooling - ieeegrouper.ieee.org/groups/npec/n12-02_npec...

IAEAInternational Atomic Energy Agency

Defense in Depth For Emergency Core Cooling

Thomas Koshy, HeadNuclear Power Technology Development

Department of Nuclear Energy

IAEAInternational Atomic Energy Agency

NPEC Action Item

T. Koshy was requested to present a power system targeted towards

new nuclear power stations

IAEA

AGENDA

• Historic Events • Event Statistics• Historic Successes• Lesson From History• Considerations for New Designs• Rugged AC Power Systems• DC Power System

T.Koshy, NPTDS/IAEA 3

IAEA

Historic Events (PRIS reports)

1986 KORI-4• Main transformer protective arrester failed

from the effects of Typhoon• Followed by multiple arrester failures• Loss of all offsite power• Station black out• Plant remained safe in natural circulation

4T.Koshy, NPTDS/IAEA

IAEA


1993 Narora-1 Event• Ejected turbine blade caused a fire and

hydrogen explosion• Complete loss of power – station blackout for

17hrs.• Diesel driven fire pumps aligned to inject water

into the steam generator• No radiological impact onsite or offsite


IAEA


1990 Vogtle-1 • At the beginning of refuelling outage• Loss of Vital AC Power• The only Emergency Diesel Generator

(EDG) available locked up after 2 min. of running

• Offsite power was lost from switchyard work

• Station Blackout; 2hrs. to recover EDG6T.Koshy, NPTDS/IAEA

IAEA


2001 Maanshan• Tropical storm caused loss of offsite power• Both EDGs failed • Station blackout for 2 hours• One Diesel generator was later recovered to

establish core cooling


IAEA


2006 Forsmark -1 • 400KV Switchyard work resulted in overvoltage

and an under voltage transient • 2 out of the 4 trains of vital AC power lost and

the respective EDGs failed. • Alternate AC power failed to start• Half of the control room indications were lost• Relief valves stayed open• Two buses that operated had the identical

failure susceptibility• A near - Station Black out event


IAEA


2011 Fukushima• Tsunami caused salt water ingress into plant

areas of several units• Station Blackout for extended period• DC controlled Steam-driven cooling system &

Ice condenser operated for limited periods2012 Byron (Not in PRIS)

SBO for 8 min. immediately following Rx Trip: close call for seal LOCA (NRC BULLETIN 2012-01)


IAEA


• On Feb 9, 2012 loss of shutdown cooling for 19 min. during a refuelling outage

• Error in Generator Protective relay testing resulted in loss of offsite power to shut down cooling

• The associated EDG failed to start (Solenoid for air start –failed)

• Power recovered in 12 min.• Hot leg temperature increased 21.3 deg C

2012 KORI Unit # 1


IAEA

Event Statistics (1997-2012)

• Failed/Affected Systems: Emergency core cooling - 101

• Loss of safety function - 38• Significant degradation of safety function - 95• Failure or significant degradation of heat

removal capability - 85• Loss of off-site power – 53

• Full + Partial LOOP– 19 last year from NRC records


IAEA

Low Probability / High Consequence Events

• Common-mode failure of electric-driven core cooling system needs to be addressed

• Potential Causes:• Salt water ingress, Tsunami, flooding from

upstream dam failure, excessive rain fall, etc.,• Smoke from forest fire or internal fire• Seismic event • Volcanic activity– affects air intakes of EDGs • Geomagnetic Disturbance, Lightning • Sand storm – affects air intakes of EDGs


IAEA

Historic Successes

• Diesel-driven fire pump helped mitigation• DC/Battery power controlled steam-driven

cooling systems:• Reactor core isolation cooling• Steam driven auxiliary feed systems• Steam isolation condenser / heat exchanger

• Alternate AC sources manually aligned to a fault free bus helped core cooling


IAEA

Lessons from History

• Approaches to address low frequency / high consequence events - Loss of Vital AC Power• Increasing diversity in core cooling could be

more effective than increasing redundancy• Non-electric core cooling systems (PUMPS: diesel

driven, steam driven-dc controlled, compressed air-driven, pressurized accumulators etc.,)


IAEA

Considerations for New Designs• We need to eliminate the known

vulnerabilities at a reasonable cost• Another significant event could take away

nuclear power as a desirable energy option• Aim for greater availability and reliability

for safety systems and power generation• Redundancy, Diversity and Defence in

Depth are the key elements for success• Advance design and preparedness for

dealing with a potential severe accidentsT.Koshy, NPTDS/IAEA 15

IAEA

Rugged AC Power System• Core Cooling Trains sized to mitigate a large break

LOCA (guillotine break of RCS cold leg)• Three redundant trains of 100% capacity (EU

ABWR - n+2 requirement) • Train outage for Tech. spec. surveillance with sufficient

time for a thorough maintenance / surveillance while preserving adequate protection.

• 3 trains of 50% capacity eg. (IP 2&3); New ABWR• European designs with four trains of 50% capacity• South Texas project - 3 trains

• A less than adequate compromise is three 75% capacity trains assuming that small /medium break LOCA is more likely than a large break LOCA


EMERGENCY DIESEL

GENERATOR

ALTERNATE AC POWER

NONCLASS 1E BUS A

NON CLASS 1E BUS B

CLASS 1E BUS B

CLASS 1E BUS A

ALTERNATE POWER SOURCES

WITH DIVERSITY

SWITCHYARDS

TRANSMISSION SYSTEM

FULL LOAD GENERATOR OUTPUT BREAKER

ONE LINE AC DIAGRAM: TWO TRAINS OF A THREE TRAIN SYSTEM

MAIN GENERATOR

EMERGENCY DIESEL

GENERATOR

Start up Transformers

Auxiliary Transformers

HIGH VOLTAGE (500KV Typ.)

VOLTAGE LEVEL 2

(135 KV Typ.)

ALTERNATE POWER SOURCES WITH DIVERSITY

FULL LOAD GENERATOR OUTPUT BREAKER

TRANSMISSION SYSTEM

ONE LINE AC DIAGRAM: THREE TRAIN SYSTEM

EMERGENCY DIESEL

GENERATOR

ALTERNATE AC POWER

NONCLASS 1E BUS A NON CLASS 1E BUS C

CLASS 1E BUS CCLASS 1E BUS A

SWITCHYARDS

MAIN GENERATOR

EMERGENCY DIESEL

GENERATOR

Start upTransformers

Auxiliary Transformers

HIGH VOLTAGE (500KV Typ.) VOLTAGE LEVEL 2

(135 KV Typ.)

NON CLASS 1E BUS B

CLASS 1E BUS B

EMERGENCY DIESEL

GENERATOR

DISTANT SOURCE

IAEA

On Site Power System• Main Generator Output breaker

• Prevent power interruption to onsite power systems following a generator trip (eliminates the need for fast transfer)

• The additional cost is recovered if one plant trip is avoided

• Two sources of offsite power made available to each safety bus for emergency and normal shutdown• It is desirable to upgrade the immediate switchyard

providing offsite power to be built and electrically protected to a higher standard (Fukushima lesson)


IAEA

Islanding Option• Supplying onsite loads from the main

generator and keeping the reactor at low power is desirable for fast reconnection to the grid.

• However, Forsmark and Olkiluoto events demonstrate the possibility of 150% or more over voltage on to the safety buses• Olkiluoto#1 has blocked islanding for grid fault

• It is desirable to fast transfer safety buses to offsite power and keep the reactor at low power by dumping steam into the condenser


IAEA

Safety Bus Line Up• Offsite power needs to be fed directly to the safety

bus without any intervening components to prevent other vulnerabilities.

• If safety bus is aligned to offsite power during normal operation, it should have another off site source for a fast transfer, and EDG power can be the third source of power (offsite power is the preferred source)

• All three phases of AC need monitoring & Protection (Byron Event: IN 2012-03), and Grid operator coordination to ensure capacity & immediate availability


IAEA

Alternate AC Source

• Protected from anticipated external events specific to the region (seismic, flooding, hurricane, dust storm, forest fire, etc.,)

• Onsite fuel for a minimum of 7 days• Minimum capacity to handle one full train of

ECCS, one RCS / recirc. pump, and a service water pump concurrently for each unit that is supported.

• Black start capability


IAEA

Alternate AC Source• Standby power source for AAC needs to be from a

minimum of two trains from a unit or one source from each unit (for multiple unit site) that is supported

• Protected, self-contained, with capability to remain on standby without any external power for 72hrs.

• Provisions for periodic full load test• Auto-connected power sources are vulnerable to

propagation of electrical failure • manual breaker line up after clearing the electrical fault

is needed for AAC operation. (It is required for crediting SBO support)


T.Koshy, NPTDS/IAEA

24

Simplified Class 1E Power System

STANDBY POWER FOR NON-ELECTRIC CORECOOLINGSYSTEMS (Gas/Diesel/Air Driven)

BATTERY CHARGER

INVERTER

MAINTENANCEBYPASS

VITAL POWER 208/120 VAC

TRAIN A CLASS 1E DC BUS 250/125 VDC

TRAIN A CLASS 1E AC POWER BUS 4160 V

EMERGENCY DIESEL

GENERATORSTART-UPTRANSFORMER

BATTERYBANK

STATION AUXILIARY TRANSFORMER

CRITICAL CONTROL ROOM DISPLAYS

EMERGENCY CORE COOLING SYSTEM (ECCS) CIRCUITS,,

SWINGBATTERY CHARGER

ALTERNATE AC POWER

DC Bus One Line Diagram (One of Three Trains)

Fail-safe systems only (Rod Drop –Reactor Protection System - RPS)

IAEA

DC Power System (Typical of Three)• Strategically located DC bus with two battery

chargers with at least one connected to an alternate source

• DC power for ECCS actuation with its dedicated sensors and processing (Least intervening components to reduce failure modes – inverter, power supply modules etc., IEEE 603 concept) Auctioneered power supply for increased reliability

• Reactor Protection System (RPS) powered from Vital AC (To be fail-safe such that any process signal with a logic or support system outside the acceptable band would trigger a reactor trip. IEEE 603 concepts)


IAEA

Reason for Separating ECCS & RPS

• At North Anna, Unit 2, one diode failure caused Rx Trip & ECCS actuation.

• Consequently pressurizer overfilled, Power operated relief valve (PORV) cycled several times. Pressure relief tank rupture disk ruptured (IN: 2009-03)

• Safety Injection could not be reset from control room to prevent primary system going solid

• A single failure affected RPS & ECCST.Koshy, NPTDS/IAEA 26

IAEA

Reason for Separating ECCS & RPS • At Forsmark, 2 UPS failures caused:

• A reactor trip, Core Cooling Actuation ( 2 out of 4 trains injected water)

• Relief valves (ADS) stuck open 28 min. (until power was recovered to vital bus)

• Two UPS failures from a common cause resulted in reactor trip & a LOCA (relief valve stayed open) challenging RCS recovery• Yankee Rowe also had a similar event when vital bus voltage

declined

• Prevent single failure vulnerability of ECCS & RPS


IAEA T.Koshy, NPTDS/IAEA 28

IEEE Std 603 ANNEX A- Developing Scope of Safety

Consider consequences of one or more UPS failures / loss of power etc., and conduct a thorough failure modes and effects analysis (FMEA)

IAEA

DC Power System• Standby power for non-electric cooling

systems • Diesel, Air, Steam driven • Minimum of three non-electric cooling systems

protected from regional extreme environments, strategically located: each one associated with a train (Preferably two installed and one portable)

• Provision to cross connect power supply manually during emergency

• Provision for external powering from skid mounted energy sources


IAEA 30

Thank you for your [email protected]

Questions ?

• January 30, 2012, Byron Unit 2 tripped when reactor coolant pumps tripped on bus under voltage (non-safety buses)

• The C-Phase open circuit on SATs caused under-voltage on ESF buses• Manual operator actions were necessary to restore ESF buses• NRC inspection identified the following:

– Design vulnerability in the protection system– Degraded and under voltage relay schemes were designed on a

coincidence logic (two of two)– ESF loads such as Essential Service Water pumps, Centrifugal

Charging Pumps, and Component Cooling Water Pumps trippedand the EDGs failed to get start signal

– Lost all RCP seal cooling for approximately 8 min– Required manual operator actions to start EDG and restore ESF

loads (station blackout for 8 minutes)– If the operators failed to diagnose the event in a timely

manner, a RCP seal LOCA could have occurred in the next several minutes.

31

Backup Slide Byron Station Open Phase Event

defense in depth for emergency core cooling - ieeegrouper.ieee.org/groups/npec/n12-02_npec...

Documents