Near-Miss Summary
The Near-Miss
The Nuclear Regulatory Commission (NRC) sent a special inspection team to the Oconee Nuclear Station in Seneca, South Carolina on January 5, 2016, after a worker found an electrical cable disconnected from a backup power supply for Unit 3. The following week, workers found a similarly disconnected cable on a backup power supply for Unit 1.
Oconee is the only nuclear power plant in the United States that does not use emergency diesel generators as the backup power supply for emergency equipment. Instead, Oconee relies on electricity from two hydroelectric units at the nearby Keowee Dam. The cables had broken, for as yet undetermined causes, and disabled one of two connections between Keowee and the units.
The NRC’s special inspection team did not identify any safety regulation violations, but had one open item that might lead to sanction(s) once the plant owner identifies the probable cause of the cable failures.
How the Event Unfolded
All three reactors at the Oconee Nuclear Station in South Carolina were running at full power on Monday morning, December 7, 2015. Electricity produced by the Unit 3 generator flowed through the main transformer to the 525 kilovolt (KV) switchyard and out via multiple transmission lines (Fig. 1). In addition, electricity from the Unit 3 generator passed through the auxiliary transformer to provide power to two separate and redundant in-plant electrical circuits (represented in Fig. 1 by the purple and blue lines). The electricity produced by the Unit 1 and 2 generators flowed through main transformers to the 230 KV switchyard and through auxiliary transformers to in-plant electrical circuits.
The purple and blue electrical circuits for each unit supplied electricity to vital emergency equipment. Two separate circuits are used so that a single failure cannot knock out power to all this equipment. When the reactors were running, these electrical circuits were powered from the auxiliary transformers.
When the reactors were not running, these electrical circuits received power from the 230 KV switchyard via the startup transformers (labeled CT1, CT2 and CT3). If the offsite power grid connected to the 230 KV switchyard was unavailable, the 230 KV switchyard might still be used to supply the startup transformers with power produced by hydroelectric units at the nearby Keowee Dam (labeled K1 and K2) via an overhead (i.e., aboveground) transmission line. And if the 230 KV switchyard failed or the overhead line failed, the Keowee units might still be able to supply the in-plant electrical circuits via an underground transmission line.
At 5:00 am, the operators declared the underground transmission line between the Keowee hydroelectric units and the Oconee emergency electrical system inoperable for planned maintenance later that day. That planned maintenance activity would not affect the overhead transmission line between the Keowee units and the 230 KV switchyard.
At 8:20 am, an operator found a completely disconnected cable between the 230 KV switchyard and Unit 3 startup transformer (CT3). After checking with the engineering staff, the operators declared the Unit 3 startup transformer inoperable at 8:47 am.
With startup transformer CT3 out of service because of the broken cable and the underground line from Keowee de-energized for maintenance, the two vital in-plant electrical circuits on Unit 3 were without their two primary sources of backup power.
Workers responded quickly to this degraded condition. They restored the underground transmission line from Keowee to service at 8:41 am. And they finished installing a temporary electrical cable (represented by the brown dotted line in Fig. 1) between startup transformer CT2 on Unit 2 and startup transformer CT3 on Unit 3 at 5:40 pm. The safety regulations allowed up to 12 hours to arrange this alternate configuration; they established it in about 9 hours.
Workers repaired the damaged cable and returned startup transformer CT3 to service at 7:57 am on December 8.
During an examination at 9:21 am on December 15, workers found a broken cable in the connection between the 230 KV switchyard and startup transformer CT1 on Unit 1. Workers cross-connected CT1 and CT2 as had been done the previous week with CT2 and CT3. And workers repaired the damaged cable and returned startup transformer CT1 to service at 1:55 am on December 16.
The broken ends of the electrical cables were sent offsite for laboratory analysis. All six aluminum strands and the steel core strand of the electrical cable for CT3 had separated completely. While the exact cause of the failure was not determined, there were indications of slow tensile failure (picture biting into a pizza slice and having the cheese topping stretch and stretch until it breaks due to tensile failure). All six aluminum strands of the electrical cable for CT1 had separated, but its steel core strand was still intact. The most probable cause(s) for the cable failures remains to be determined.
NRC Sanctions
The NRC’s special inspection team did not identify any violations of safety regulations. However, their report contained one open item pending the plant owner’s determination of the cause of the cable failure. Depending on that cause, the NRC might later determine that safety regulations were violated and levy a sanction.
UCS Perspective
It is troubling that cables for backup power supplies can fail without an alarm sounding. The two vital electrical circuits (shown in purple and blue in Fig. 1) are monitored and alarms sound if they lose power. But cables can, literally, fall off backup power supplies without an alarm being raised.
It is doubtful that the operator strolled by the Unit 3 startup transformer seconds after all seven strands of the electrical cable separated, allowing the broken end to swing freely. More likely, the cable was broken and the backup power source unavailable for a much longer period of time. How long? No one knows.
Had the broken cable sounded an alarm, workers would not have disabled the underground transmission line from Keowee until the broken cable was repaired. An alarm would have minimized the length of time that backup power via the startup transformer was unavailable. And an alarm would have prevented workers from making the problem worse by intentionally disabling the other connection to the backup power source.
Having no alarm is truly alarming.