IAEA International Atomic Energy Agency
A Retrospective Look on Plant Events for Evolving Expectations
Nuclear safety
IEEE NPEC Meeting July 30, 2014
Thomas Koshy, Head, Nuclear Power Technology Development
Department of Nuclear Energy
IAEA
AGENDA
• Evolving Safety Expectations
• Historic Events
• Critical Areas for Nuclear Safety
  • Reactor Trip
  • Depressurization
  • Emergency Core Cooling
  • Containment Integrity
• Undesirable Failure Modes
• Conclusion
T.Koshy, NPTDS/IAEA 2
Evolving Safety Expectations
• Emergency core cooling backfit to Yankee Rowe
• Transient without SCRAM - Salem station, 10CFR50.62
• Station Blackout - 10CFR50.63
• Safety enhancements from TMI - 10CFR50.49
Events That Changed the Course
Chernobyl Unit 4
Fukushima Dai-ichi Units 1 - 4
IMPORTANCE RANKING
29 July - 2 August 2013, 6th IAEA INPRO Dialogue Forum on Licensing and Safety Issues of SMRs
Key Benefits: Enhanced safety, lower EI, and energy supply security
Historic Events (IRS report # 7788)
2006 Forsmark-1
• 400 kV switchyard work resulted in an overvoltage and an undervoltage transient
• 2 out of the 4 trains of vital AC power lost and the respective EDGs failed
• Alternate AC power failed to start
• Half of the control room indications were lost
• Relief valves stayed open (LOCA?)
• Two buses that operated had the same failure susceptibility
• A near station blackout event
Historic Events (IRS Report # 6341)
1993 Narora-1 Event
• Ejected turbine blade caused a fire and hydrogen explosion
• Complete loss of power - station blackout for 17 hrs
• Diesel-driven fire pumps aligned to inject water into the steam generator
• No radiological impact onsite or offsite
Historic Events
2001 Maanshan
• Tropical storm caused loss of offsite power
• Both Emergency Diesel Generators (EDG) failed
• Station blackout for 2 hours
• AC safety buses became irrecoverable
• One diesel generator was later recovered to establish core cooling
Historic Events
2011 Fukushima
• Tsunami caused salt water ingress into plant areas of several units
• Station blackout for extended period
• DC-controlled steam-driven cooling system & ice condenser operated for limited periods
2012 Byron
• SBO for 8 min. immediately following Rx trip: close call for seal LOCA (NRC Bulletin 2012-01)
Event Statistics (1997-2012) IRS reports
• Failed/affected systems: emergency core cooling - 202
• Significant degradation of safety function - 284
• Degradation of containment function/integrity - 44
Critical Areas for Nuclear Safety for Light Water Reactors
Defence in Depth needs to be established in each of the following critical functions:
• Reactor Trip
• Depressurization
• Emergency Core Cooling
• Containment Integrity
Challenges: Low Frequency & High Consequence Events
• External Events (Design Bases & Extensions)
  • Tsunami, seismic event, forest fire, flooding, malicious act, jet impact, volcano, sandstorm
• Internal Events
  • Explosion, fire, malicious act
• Plant Challenges
  • Station blackout, irrecoverable damage to electric buses, loss of control room
  • DC bus failure
  • Software lock-up
Refined Goal
• “The set of planned, coordinated & implemented systems ensuring nuclear plants are designed, constructed….. using an all risk approach.”
• Greater level of safety would come not from all passive or all active core cooling but a combination of the two.
- ASME “Forging a New Nuclear Safety Construct Publication” Associated Workshop Breakout Session Dec 2012, Washington
Reactor Trip Challenges & Solutions
• The Anticipated Transients without SCRAM (10CFR 50.62)
• Solutions:
  • Diverse tripping (additional trip solenoid for actuating the breaker trip bar), alternate rod insertion/boration - diversity
  • Direct-wired manually operated trip breakers with capability to operate from the control room and the remote shutdown area - diversity
  • The power supply, sensors and actuation exclusively dedicated to the trip function - redundancy & diversity
Reason for Separating ECCS & RPS
• At North Anna, Unit 2, one diode failure caused Rx Trip & ECCS actuation.
• Consequently the pressurizer overfilled and the power-operated relief valve (PORV) cycled several times; the pressure relief tank rupture disk ruptured (USNRC IN 2009-03)
• Safety injection could not be reset from the control room to prevent the primary system going water solid
• A single failure affected both RPS & ECCS
Reason for Separating ECCS & RPS
• At Forsmark, 2 UPS failures caused:
  • A reactor trip, core cooling actuation (2 out of 4 trains injected water)
  • Relief valves (ADS) stuck open 28 min. (until power was recovered to the vital bus)
• Two UPS failures from a common cause resulted in reactor trip & a LOCA (relief valve stayed open) challenging RCS recovery
• Yankee Rowe also had a similar event when vital bus voltage declined (a coasting EDG remained connected to the bus)
• Remove shared elements between ECCS & RPS to prevent common cause failures
IEEE Std 603-2009 Annex A: Endorsed in USNRC 10CFR50
Consider consequences of one or more UPS failures / loss of power etc., and conduct a thorough failure modes and effects analysis (FMEA)
Historic Successes
• Diesel-driven fire pump helped mitigation
• DC/battery-powered controls for steam-driven cooling systems:
  • Reactor core isolation cooling
  • Steam-driven auxiliary feed systems
  • Steam isolation condenser / heat exchanger
• Independent alternate AC sources manually aligned to a fault-free bus helped core cooling
Diversity in Core Cooling
• In addition to passive cooling systems:
  • Suitable combination of electric, diesel, air and steam driven
  • Protected from regional extreme environments, strategically located, each one associated with a train (portable for severe accident conditions)
  • Provision for external powering from skid-mounted energy sources
[Figure: ONE LINE AC DIAGRAM, THREE TRAIN SYSTEM (n+2) - Alternate power sources with diversity. Elements shown: main generator with full-load generator output breaker; switchyards and transmission system at high voltage (500 kV typ.) and voltage level 2 (135 kV typ.); start-up transformers and auxiliary transformers; non-Class 1E buses A, B and C; Class 1E buses A, B and C, each with an emergency diesel generator; alternate AC power; other sources.]
Robust Power System
• Main generator output breaker
  • Prevents power interruption to onsite power systems following a generator trip (eliminates the need for fast transfer)
  • The additional cost is recovered if one plant trip is avoided
• Two sources of offsite power made available to each safety bus for emergency and normal shutdown
• It is desirable to upgrade the immediate switchyard providing offsite power to be built and electrically protected to a higher standard (Fukushima lesson)
Millstone-2 Undesirable Failure Modes
• On July 6, 1992, during a refueling outage, the licensee identified several undesirable failure modes of a two-out-of-four logic following an event. The plant was designed with two sensor cabinets and one actuation cabinet for each of the two trains. (Information Notice 93-11)
• When power was lost to either one of the vital buses it caused safety injection and sump recirculation actuation (core cooling failure)
• When two of the sensor cabinets in a train lost power it caused the containment sump outlet valves to open
• Loss of DC power to one actuation train caused the power-operated relief valve in the other train to open
• The logic was modified to limit certain combinations of the two-out-of-four logic to prevent this problem
Failure Modes & Effects Analysis
• Need focus on:
  • Partial power supply failures (2 of the 4 UPS fail) as a consequence of short circuit, fuse blow, etc.
  • Gradual degradation of voltage (progressing faults, degrading battery, etc.)
  • Degrading hydraulic or air pressure
• Examine the failure modes and design for desirable failure modes
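The Millstone-2 failure modes and the FMEA focus items above (partial loss of power to a voting logic) can be swept mechanically. The following is an added example, not code from the presentation or from any plant: it assumes a hypothetical mapping of four sensor cabinets onto two vital buses and a configurable state that a de-energized cabinet reports, then enumerates which bus losses produce a spurious two-out-of-four actuation with no process demand, and which mask a real demand.

```python
"""Added example (not from the presentation): enumerate failure modes of a
two-out-of-four (2oo4) actuation logic under partial loss of power.
The four-cabinet-to-two-bus mapping and the state a de-energized cabinet
reports are assumptions constructed for illustration, not Millstone-2 data."""
from itertools import combinations

# Hypothetical assignment: two sensor cabinets per vital bus (constructed).
BUS_OF_CABINET = {"S1": "VB1", "S2": "VB1", "S3": "VB2", "S4": "VB2"}


def cabinet_output(cabinet, demand, dead_buses, deenergized_reads_actuate):
    """Output of one sensor cabinet: True means 'actuate'.
    A cabinet on a dead bus reports its de-energized state, not the process."""
    if BUS_OF_CABINET[cabinet] in dead_buses:
        return deenergized_reads_actuate
    return demand


def two_out_of_four(demand, dead_buses, deenergized_reads_actuate):
    """2oo4 voting across all four cabinets."""
    votes = sum(cabinet_output(c, demand, dead_buses, deenergized_reads_actuate)
                for c in BUS_OF_CABINET)
    return votes >= 2


def _bus_loss_combinations():
    buses = sorted(set(BUS_OF_CABINET.values()))
    for n in range(1, len(buses) + 1):
        yield from combinations(buses, n)


def spurious_actuations(deenergized_reads_actuate):
    """FMEA sweep with NO process demand: bus losses that actuate anyway
    (the undesirable failure mode for ECCS-type actuation)."""
    return [lost for lost in _bus_loss_combinations()
            if two_out_of_four(False, set(lost), deenergized_reads_actuate)]


def missed_actuations(deenergized_reads_actuate):
    """Complementary sweep with REAL demand: bus losses that mask it."""
    return [lost for lost in _bus_loss_combinations()
            if not two_out_of_four(True, set(lost), deenergized_reads_actuate)]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"de-energized cabinet reads actuate={mode}:",
              "spurious on", spurious_actuations(mode),
              "| missed on", missed_actuations(mode))
```

With the de-energized state read as "actuate", every single bus loss causes a spurious actuation (the Millstone-type mode) but no demand is ever missed, which is the fail-safe behaviour the deck wants for the RPS; with the opposite convention nothing is spurious, but losing both buses masks a real demand. Either way the sweep is the kind of FMEA the slide asks for: list the partial power failures and decide which failure direction is the desirable one for each function.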
Diversity in Depressurization
• Depressurization - very critical for active & passive cooling systems (generally achieved using multiple valves using the same technology)
• Solutions:
  • Incorporate a minimum of two approaches (electronically fired, pilot-air operated, ...)
  • Retain manual capability with DC-powered valves as a backup, with provisions for external powering or fully manual operation
  • Capability for remote operation
Defense in Depth for Preserving Containment Integrity
• Containment is the last defense
• Need to consider severe accidents
• Solutions:
  • Redundant spray headers with cooling capability
  • Reliable hardened venting and filtration
  • Hydrogen detection and control
  • External provisions (portable equipment, etc.)
    • Containment cooling
    • Supplementing water supply for cavity flooding
    • Hydrogen control
DC Power System (Typical of Three)
• Strategically located DC bus with two battery chargers, at least one of them connected to an alternate source
• DC power for ECCS actuation with its dedicated sensors and processing (fewest intervening components such as inverters and power supply modules, to reduce failure modes; IEEE 603 concept). Auctioneered power supply for increased reliability
• Reactor Protection System (RPS) powered from vital AC (to be fail-safe, such that any process signal, logic or support system outside the acceptable band would trigger a reactor trip; IEEE 603 concepts)
[Figure: DC Bus One Line Diagram (One of Three Trains). Elements shown: Train A Class 1E AC power bus 4160 V, fed by the emergency diesel generator, the start-up transformer and the station auxiliary transformer, with alternate AC power; battery charger and swing battery charger; battery bank; Train A Class 1E DC bus 250/125 VDC; inverter with maintenance bypass feeding vital power 208/120 VAC; loads: critical control room displays, emergency core cooling system (ECCS) circuits, standby power for non-electric core cooling systems (gas/diesel/air driven); fail-safe systems only (rod drop - reactor protection system, RPS) on vital AC.]
Conclusions
• Build defence in depth through diversity in each of the critical safety functions: reactor trip, depressurization, core cooling, and containment cooling
• Expand FMEA to include partial loss of power and gradual degradation of energy sources, and confirm that the failure modes are desirable
IEEE Considerations
• Revise IEEE 603 to include additional safety provisions? Develop a new standard?