Fission Stories #111 and Fission Stories #110 described recent near-misses at U.S. nuclear power plants caused by latent design problems in the in-plant electrical distribution systems. This Fission Story describes how the Catawba nuclear plant in South Carolina borrowed that problem but broadened it to include not only long-ago design miscues but also very recent ones.
On April 4, 2012, the Unit 1 reactor at the Catawba nuclear plant was operating at full power and the Unit 2 reactor was shut down for refueling. Electrical power to vital equipment on both reactors was being supplied through Unit 1 sources.
Four motor-driven pumps circulated cooling water through the Unit 1 reactor core. Age-related degradation of the insulation for a power cable to one of these reactor coolant pumps caused an electrical fault. The fault caused the pump to stop running. Sensors detected the drop in flow from that pump and initiated the automatic and rapid shut down of the reactor and the turbine/generator as designed.
The shutdown of the Unit 1 main generator automatically opened the two electrical breakers within the red box in Figure 1 that disconnected it from the offsite power grid and from in-plant electrical buses. That worked according to plan. What wasn’t planned was that as the generator stopped, sensors caused other electrical breakers within the magenta boxes in Figure 1 to open, entirely disconnecting Unit 1’s systems from the offsite power grid.
The plant’s switchyard is its connection with the offsite power grid. When operating, the two units’ main generators plug into the offsite electrical grid through the switchyard. The NRC requires at least two connections via separate transmission lines between the switchyard and the offsite power grid. Catawba had five transmission line connections. When the reactors are not operating, these connections allow the plant to get electricity from the grid similar to how homes and businesses get electricity.
The magenta breakers are only supposed to open when the generator is online and sensors detect a mismatch between the frequency of the current from the generator and that of the grid. If that happens, the magenta breakers open to disconnect the generator from the grid.
However, shutdown of the generator is a perfectly valid reason for its output frequency to drop below that on the offsite grid. In the original design at Catawba, the frequency imbalance protection circuit was automatically bypassed whenever the generator output breakers (i.e., the breakers in the red boxes) were open. The sensors would still detect a mismatch between the generator’s frequency and the grid’s frequency, but would no longer trigger any protective reactions such as opening the electrical breakers within the magenta boxes.
The plant owner had recently replaced the relays in this protection circuit on Unit 1. But it failed to tell the vendor about this bypass provision, and the replacement relays did not have this feature. Additionally, the procedure used by workers at Catawba to test the replacement relays following their installation had been developed from the incomplete information given to the vendor rather than from the original design requirements for the system. Consequently, the replacement relays successfully passed the deficient test procedure.
These same relays were being replaced on Unit 2 during its refueling outage. The replacement relays had the same problem as those already replaced on Unit 1. This event exposed the problem and led to relays on both units being replaced with properly designed and tested relays.
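The following Python model is an added illustration, not part of the original Fission Story and not Catawba's actual relay logic or test procedure. It reduces the protection circuit to two inputs (are the generator output breakers closed, and do the sensors see a frequency mismatch) and compares the original design, in which the trip is bypassed while the generator breakers are open, with replacement relays that trip on any mismatch. It then runs both against two hypothetical test procedures: one written from the incomplete information given to the vendor, and one written from the original design requirements. The case lists, function names and the two-input model are assumptions made for the example.

```python
# Added example (not from the original Fission Story): a minimal model of the
# generator frequency-mismatch protection logic, used to show why a test
# procedure derived from an incomplete specification passed relays that the
# original design requirements would have rejected.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class PlantState:
    """Inputs seen by the frequency-mismatch protection circuit (assumed model)."""
    generator_breakers_closed: bool  # red-box breakers: True = generator tied to the grid
    frequency_mismatch: bool         # sensors see generator and grid frequencies differ


Relay = Callable[[PlantState], bool]  # True = open the magenta (grid) breakers


def original_design_relay(state: PlantState) -> bool:
    """Original design: the mismatch trip is bypassed whenever the generator
    output breakers are open, so a spinning-down generator cannot disconnect
    the plant from offsite power."""
    return state.frequency_mismatch and state.generator_breakers_closed


def replacement_relay(state: PlantState) -> bool:
    """Replacement relays as installed: the vendor was never told about the
    bypass, so the relay trips on any frequency mismatch."""
    return state.frequency_mismatch


# Each case: (description, plant state, expected trip decision).
# Hypothetical test procedure written from the information handed to the
# vendor: it only exercises the generator-online situation.
VENDOR_SPEC_CASES: List[Tuple[str, PlantState, bool]] = [
    ("generator online, frequencies match", PlantState(True, False), False),
    ("generator online, frequency mismatch", PlantState(True, True), True),
]

# Hypothetical test procedure written from the original design requirements:
# it adds the bypass cases, where the generator breakers are open.
DESIGN_REQUIREMENT_CASES: List[Tuple[str, PlantState, bool]] = VENDOR_SPEC_CASES + [
    ("generator breakers open, frequencies match", PlantState(False, False), False),
    ("generator breakers open, mismatch from spin-down", PlantState(False, True), False),
]


def failing_cases(relay: Relay, cases: List[Tuple[str, PlantState, bool]]) -> List[str]:
    """Return the descriptions of the cases where the relay's decision differs
    from the expected one (an empty list means the relay passes the procedure)."""
    return [desc for desc, state, expected in cases if relay(state) != expected]


def offsite_power_lost_after_reactor_trip(relay: Relay) -> bool:
    """Replay the sequence described in the story: the reactor trips, the
    generator output breakers open, the generator spins down and its frequency
    drifts away from the grid's. Returns True if the relay would open the
    magenta breakers, i.e. the unit loses its offsite power connection."""
    after_trip = PlantState(generator_breakers_closed=False, frequency_mismatch=True)
    return relay(after_trip)


if __name__ == "__main__":
    for name, relay in (("original design", original_design_relay),
                        ("replacement", replacement_relay)):
        print(f"{name}: vendor-spec test failures   = {failing_cases(relay, VENDOR_SPEC_CASES)}")
        print(f"{name}: design-requirement failures = {failing_cases(relay, DESIGN_REQUIREMENT_CASES)}")
        print(f"{name}: offsite power lost on trip  = {offsite_power_lost_after_reactor_trip(relay)}")
```

Run as a script, the model shows the replacement relay passing the vendor-derived procedure with no failures while failing the single bypass case in the design-derived procedure, and it shows that only the replacement relay disconnects the unit from offsite power when the reactor trips. The lesson is the one the story draws: a post-installation test is only as good as the requirements it was written from.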
In response to the loss of electric power at Unit 1, both emergency diesel generators for each reactor (4 total) automatically started and supplied electricity to vital in-plant equipment until offsite power connections were restored more than five hours later.
While the safety systems were powered by the emergency diesel generators, the batteries used by the plant’s security system were becoming exhausted about three hours after offsite power had been lost. Workers started a fifth emergency diesel generator to replenish the batteries and sustain power to the security system equipment. But a design flaw dating back to original installation prevented this emergency diesel generator from functioning properly.
This fifth emergency diesel generator had been installed around 1983 specifically for station blackout events. While it also supplied power to security equipment, its primary purpose was to power equipment needed to cool the reactor core.
For nearly thirty years, workers periodically tested this fifth emergency diesel generator, which is normally in standby (idle) mode. These tests verified that the unit would start up and provide the needed amount of electricity within the specified time limit. During the tests, the vital equipment was not physically connected to the emergency diesel generator; the power loads it would draw from the generator were instead simulated by a test circuit.
But when the emergency diesel generator was started this time for real, the simulation circuit remained connected to the generator due to a wiring error that dated back to original installation in 1983. The voltage regulator for the emergency diesel generator thought it had to power all the real loads as well as all the simulated loads. To do so required dropping the voltage to about 400 volts, far below that needed to operate the safety equipment. Thus, even though the emergency diesel generator was running, the design error prevented it from supplying electricity of adequate voltage to equipment.
As a result, the plant’s security systems were offline for a couple of hours. Workers finally reconnected the unit to the offsite power grid about five hours after the initial trip of the Unit 1 reactor, restoring normal power supplies to in-plant safety and security equipment.
Recent events at Fort Calhoun, Byron, and Catawba each involved longstanding, pre-existing design errors that caused an initial electrical problem to cascade into wider problems. That’s not supposed to happen once, let alone three times in such a short period of time.
Countless tests and inspections had been conducted over many years at these plants. NONE of those tests and inspections detected the problems – they were all revealed by actual events.
The purpose of these tests and inspections is not to keep workers occupied before it’s time to head home (or wherever). The purpose is to verify that safety equipment will function properly.
Rather than dispatch teams out to chronicle near-miss after near-miss caused by long undetected design errors, the NRC would better serve the public by sending teams out to find and fix such problems before they cause the next near-miss or worse.
News reporters and historians write about disasters.
Regulators are supposed to establish and enforce regulations aimed at preventing them.
NRC needs to refocus its efforts to do more prevention if news reporters and historians are to have no U.S. nuclear disasters to cover.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.