Fission Stories #182
Redundancy and diversity are two key elements of nuclear power plant safety. The auxiliary feedwater (AFW) system for the Unit 3 reactor at the Millstone nuclear plant in Waterford, Connecticut illustrates these principles.
During normal reactor operation, water recirculates in the primary loop (Fig. 1). It gets heated flowing through the reactor vessel and is cooled flowing through thin-walled metal tubes inside the steam generators. Water also recirculates in the secondary loop, getting heated in the steam generators to boiling point and getting cooled down and converted back into water in the condenser.
If the normal feedwater system cannot transfer water from the condenser hotwell to the steam generators, the AFW system can take over this role.
The auxiliary feedwater system for the Unit 3 reactor at Millstone features two motor-driven pumps and one steam-driven pump. The motor-driven pumps (labeled MOTOR PUMP A and B in Fig. 2) each have 50% capacity, meaning that both pumps must function to provide the necessary flow. The turbine-driven pump (labeled TURBINE PUMP) has 100% capacity. The motor-driven AFW pumps require alternating current power to work; the turbine-driven AFW pump requires only direct current power from batteries to open some valves and energize the control circuit.
The AFW pumps transfer water from the Condensate Storage Tank, a large metal tank holding at least 384,000 gallons of water, to the four steam generators. This water draws away some of the heat from the primary loop water, in turn cooling the fuel in the reactor core.
Three different pipes can supply steam to the turbine-driven auxiliary feedwater (TDAFW) pump. Any of these steam supply lines is adequate for the TDAFW pump to deliver sufficient flow to the steam generators.
The AFW system is designed to mitigate the consequences of several design basis accidents including a feedwater line break, loss of normal feedwater, steam generator tube rupture, main steam line break, and small-break loss of coolant accident.
The AFW system relies on redundancy (e.g., backup to the normal feedwater system, the TDAFW pump backs up the motor-driven AFW pumps, and multiple steam supply lines for the TDAFW pump) and diversity (the motor-driven pumps work when alternating current power is available, the turbine-driven pump works when only direct current power is available) to fulfill its safety function.
What’s the Beef?
On February 3, 2014, the NRC announced it was sending a special inspection team (SIT) to Millstone to investigate recurring problems with the TDAFW pump on Unit 3. The problems included unexpected oscillations in the speed of the turbine as well as unplanned shutdowns of the TDAFW pump. The NRC’s SIT reported its findings on August 28, 2014.
The NRC’s SIT traced the current AFW problems back to May 15, 2013. The Unit 3 reactor was nearing the end of its 15th refueling outage. Workers replaced parts of the TDAFW pump on May 12 during routine maintenance. Operators started the TDAFW pump on May 15 for a required post-maintenance test. They observed that the turbine speed was fluctuating about 100 revolutions per minute (rpm) above and below steady state speed, with the peaks coming close to the point where the AFW pump would automatically shut down.
Workers adjusted the turbine speed control governor in an effort to dampen the oscillations. When operators retested the AFW pump on May 17, it failed to satisfy the acceptance criteria specified in the procedure. The plant owner decided that while the pump hadn’t performed as well as desired by the test procedure, it had performed well enough to satisfy its role assumed in the unit’s safety studies. Based on that determination, the Unit 3 reactor was restarted from its refueling outage.
The reactor automatically shut down on August 9, 2013, and the TDAFW pump automatically started and provided makeup water to the steam generators. As the reactor core decay heat generation rate decreased following the shutdown, the operators reduced the amount of makeup flow provided by the TDAFW pump. They again observed that the turbine speed was fluctuating from as low as 4,350 rpm to as high as 4,656 rpm. The TDAFW pump was designed to automatically shut down when turbine speed increased to between 4,612 and 4,888 rpm. The operators stopped the pump and called for maintenance help. Workers found the control linkage for the turbine’s governor valve out of adjustment. They fixed this problem and Unit 3 was restarted.
During a quarterly test run on November 4, 2013, the TDAFW pump automatically shut down due to excessive turbine speed as it was starting. Workers attributed the cause to water condensing in the steam supply pipes and flashing to steam when the TDAFW pump started. Due to the recurring TDAFW pump problems, the testing frequency was increased to weekly.
During a weekly test run on December 18, 2013, the TDAFW pump again automatically shut down due to excessive turbine speed as it was starting. Workers again attributed the cause to water condensing in the steam supply pipes and flashing to steam when the TDAFW pump started. Several steps were taken to preclude water accumulating in the idle steam lines when the TDAFW pump was in standby mode.
During a weekly test run on January 23, 2014, the TDAFW pump again automatically shut down due to excessive turbine speed as it was starting. This time, workers did not blame water condensing in the steam supply lines. After all, they’d taken steps to prevent water buildup, taking away this excuse. Conducting a fuller investigation, workers found that part of the control linkage between the turbine speed governor and the control valve had been installed backwards. They also found that a wrong part had been installed in the control linkage. The wrong part lacked an aluminum bronze insert that allowed the metal parts to move freely. These parts had been improperly installed during the maintenance in May 2013 and contributed to the recurring TDAFW pump trips since then.
The NRC’s SIT identified a white finding (in the green, white, yellow, red hierarchy from least to most serious) for the owner’s failure to promptly identify and correct a safety problem. The problem reduced the reliability of the TDAFW pump, which in turn increased the risk of reactor core damage. The risk increase resulted in a white rather than a yellow or red finding due to several factors. The problem did not impair the motor-driven AFW pumps. The problem impaired rather than disabled the TDAFW pump, as evidenced by the fact that the pump started and ran successfully more times than it failed between May 2013 and January 2014. And the wrong parts were eventually identified and replaced in less than a year, limiting the window of opportunity for the vulnerability to have been exploited.
Channeling Monty Python’s Department of Redundancy Department, the NRC announced on September 15, 2014, that it was dispatching a special inspection team to Millstone to investigate, you guessed it, unexpected shutdowns of the TDAFW pump on Unit 3. The TDAFW pump automatically shut down during quarterly test runs on July 15 and September 10.
Redundancy is a safe thing when it involves multiple things that each can lead to good outcomes.
Redundancy is an unsafe thing when it involves multiple reasons for reaching bad outcomes.
In March 1990, the Vogtle nuclear plant in Georgia experienced a station blackout (the complete loss of all alternating current power to in-plant equipment) when a truck backed into a pole for the offsite power transmission line and the emergency diesel generator automatically shut down. Because the emergency diesel generator’s failure resulted from a recurring problem that had been often observed but never fixed across months before this event, the NRC lost patience with the band-aid fixes. It did not allow the Vogtle reactor to restart until the emergency diesel generator had been successfully started and run more than a dozen times. Then, the NRC insisted on substantive proof that the problem had been found and fixed rather than mere rumor and supposition.
The NRC must exercise no more patience in dealing with recurring TDAFW pump problems at Millstone Unit 3. Two special inspections within one year is at least one too many.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.