defense in depth for emergency core cooling - ieeegrouper.ieee.org/groups/npec/n12-02_npec...
TRANSCRIPT
IAEA International Atomic Energy Agency
Defense in Depth For Emergency Core Cooling
Thomas Koshy, Head, Nuclear Power Technology Development
Department of Nuclear Energy
NPEC Action Item
T. Koshy was requested to present a power system targeted towards new nuclear power stations
AGENDA
• Historic Events
• Event Statistics
• Historic Successes
• Lesson From History
• Considerations for New Designs
• Rugged AC Power Systems
• DC Power System
T.Koshy, NPTDS/IAEA 3
Historic Events (PRIS reports)
1986 KORI-4
• Main transformer protective arrester failed from the effects of Typhoon
• Followed by multiple arrester failures
• Loss of all offsite power
• Station black out
• Plant remained safe in natural circulation
Historic Events (PRIS reports)
1993 Narora-1 Event
• Ejected turbine blade caused a fire and hydrogen explosion
• Complete loss of power – station blackout for 17 hrs.
• Diesel driven fire pumps aligned to inject water into the steam generator
• No radiological impact onsite or offsite
Historic Events (PRIS reports)
1990 Vogtle-1
• At the beginning of refuelling outage
• Loss of Vital AC Power
• The only Emergency Diesel Generator (EDG) available locked up after 2 min. of running
• Offsite power was lost from switchyard work
• Station Blackout; 2 hrs. to recover EDG
Historic Events (PRIS reports)
2001 Maanshan
• Tropical storm caused loss of offsite power
• Both EDGs failed
• Station blackout for 2 hours
• One Diesel generator was later recovered to establish core cooling
Historic Events (PRIS reports)
2006 Forsmark-1
• 400 kV Switchyard work resulted in overvoltage and an under voltage transient
• 2 out of the 4 trains of vital AC power lost and the respective EDGs failed.
• Alternate AC power failed to start
• Half of the control room indications were lost
• Relief valves stayed open
• Two buses that operated had the identical failure susceptibility
• A near Station Black out event
Historic Events (PRIS reports)
2011 Fukushima
• Tsunami caused salt water ingress into plant areas of several units
• Station Blackout for extended period
• DC controlled Steam-driven cooling system & Ice condenser operated for limited periods
2012 Byron (Not in PRIS)
• SBO for 8 min. immediately following Rx Trip: close call for seal LOCA (NRC BULLETIN 2012-01)
Historic Events (PRIS reports)
2012 KORI Unit # 1
• On Feb 9, 2012 loss of shutdown cooling for 19 min. during a refuelling outage
• Error in Generator Protective relay testing resulted in loss of offsite power to shut down cooling
• The associated EDG failed to start (Solenoid for air start failed)
• Power recovered in 12 min.
• Hot leg temperature increased 21.3 deg C
Event Statistics (1997-2012)
• Failed/Affected Systems: Emergency core cooling - 101
• Loss of safety function - 38
• Significant degradation of safety function - 95
• Failure or significant degradation of heat removal capability - 85
• Loss of off-site power – 53
• Full + Partial LOOP – 19 last year from NRC records
Low Probability / High Consequence Events
• Common-mode failure of electric-driven core cooling system needs to be addressed
• Potential Causes:
  • Salt water ingress, Tsunami, flooding from upstream dam failure, excessive rain fall, etc.
  • Smoke from forest fire or internal fire
  • Seismic event
  • Volcanic activity – affects air intakes of EDGs
  • Geomagnetic Disturbance, Lightning
  • Sand storm – affects air intakes of EDGs
Historic Successes
• Diesel-driven fire pump helped mitigation
• DC/Battery power controlled steam-driven cooling systems:
  • Reactor core isolation cooling
  • Steam driven auxiliary feed systems
  • Steam isolation condenser / heat exchanger
• Alternate AC sources manually aligned to a fault free bus helped core cooling
Lessons from History
• Approaches to address low frequency / high consequence events - Loss of Vital AC Power
• Increasing diversity in core cooling could be more effective than increasing redundancy
• Non-electric core cooling systems (PUMPS: diesel driven, steam driven-dc controlled, compressed air-driven, pressurized accumulators etc.)
Considerations for New Designs
• We need to eliminate the known vulnerabilities at a reasonable cost
• Another significant event could take away nuclear power as a desirable energy option
• Aim for greater availability and reliability for safety systems and power generation
• Redundancy, Diversity and Defence in Depth are the key elements for success
• Advance design and preparedness for dealing with potential severe accidents
Rugged AC Power System
• Core Cooling Trains sized to mitigate a large break LOCA (guillotine break of RCS cold leg)
• Three redundant trains of 100% capacity (EU ABWR - n+2 requirement)
• Train outage for Tech. spec. surveillance with sufficient time for a thorough maintenance / surveillance while preserving adequate protection.
• 3 trains of 50% capacity e.g. (IP 2&3); New ABWR
• European designs with four trains of 50% capacity
• South Texas project - 3 trains
• A less than adequate compromise is three 75% capacity trains assuming that small / medium break LOCA is more likely than a large break LOCA
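The train configurations compared on this slide can be checked with a small k-of-n calculation. This is an added example, not from the presentation: it takes an assumed, independent per-train failure probability (the slide gives no numbers) and reports how many train failures each configuration absorbs, how many it absorbs with one train out for surveillance, and the probability that large-break LOCA demand is met.

```python
from math import comb

# Added example (not from the presentation): how many trains must survive
# for each configuration named on the slide, and the resulting probability
# that core-cooling demand is met. The per-train failure probability p is an
# assumed input; the slide gives no numbers.

def trains_needed(capacity_pct: int, demand_pct: int = 100) -> int:
    """Smallest number of trains whose summed capacity covers demand_pct."""
    return -(-demand_pct // capacity_pct)  # ceiling division

def failures_tolerated(n_trains: int, capacity_pct: int, demand_pct: int = 100) -> int:
    """Train failures the configuration absorbs while still meeting demand
    (negative means the demand cannot be met even with every train running)."""
    return n_trains - trains_needed(capacity_pct, demand_pct)

def p_demand_met(n_trains: int, capacity_pct: int, p_fail: float,
                 demand_pct: int = 100) -> float:
    """Probability that at least trains_needed independent trains survive (k-of-n)."""
    k = trains_needed(capacity_pct, demand_pct)
    if k > n_trains:
        return 0.0
    q = 1.0 - p_fail
    return sum(comb(n_trains, i) * q**i * p_fail**(n_trains - i)
               for i in range(k, n_trains + 1))

def survey(p_fail: float = 0.1):
    """Compare the slide's configurations for a large-break LOCA (100% demand).
    Each row: (label, failures tolerated, failures tolerated with one train in
    maintenance outage, probability demand is met)."""
    configs = [("3 x 100%", 3, 100), ("3 x 50%", 3, 50),
               ("4 x 50%", 4, 50), ("3 x 75%", 3, 75)]
    rows = []
    for label, n, cap in configs:
        rows.append((label,
                     failures_tolerated(n, cap),
                     failures_tolerated(n - 1, cap),   # one train out for surveillance
                     p_demand_met(n, cap, p_fail)))
    return rows

if __name__ == "__main__":
    for label, tol, tol_outage, prob in survey():
        print(f"{label:9s} tolerates {tol} failure(s), {tol_outage} with a train out, "
              f"P(demand met)={prob:.4f}")
    # The 75% compromise is n+2 only when the break demands at most 75% flow:
    print("3 x 75% at 75% demand tolerates", failures_tolerated(3, 75, 75))
```

The last line shows the slide's caveat numerically: three 75% trains tolerate two failures for small/medium breaks but only one for a large break, and none at all while a train is out for surveillance.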
[Figures: ONE LINE AC DIAGRAM: TWO TRAINS OF A THREE TRAIN SYSTEM, and ONE LINE AC DIAGRAM: THREE TRAIN SYSTEM. Labelled elements: Transmission System; Switchyards; High Voltage (500 kV typ.); Voltage Level 2 (135 kV typ.); Start up Transformers; Auxiliary Transformers; Main Generator; Full Load Generator Output Breaker; Non Class 1E Buses A, B, C; Class 1E Buses A, B, C; Emergency Diesel Generator (per train); Alternate AC Power; Alternate Power Sources with Diversity; Distant Source.]
On Site Power System
• Main Generator Output breaker
• Prevent power interruption to onsite power systems following a generator trip (eliminates the need for fast transfer)
• The additional cost is recovered if one plant trip is avoided
• Two sources of offsite power made available to each safety bus for emergency and normal shutdown
• It is desirable to upgrade the immediate switchyard providing offsite power to be built and electrically protected to a higher standard (Fukushima lesson)
Islanding Option
• Supplying onsite loads from the main generator and keeping the reactor at low power is desirable for fast reconnection to the grid.
• However, Forsmark and Olkiluoto events demonstrate the possibility of 150% or more over voltage on to the safety buses
• Olkiluoto #1 has blocked islanding for grid fault
• It is desirable to fast transfer safety buses to offsite power and keep the reactor at low power by dumping steam into the condenser
Safety Bus Line Up
• Offsite power needs to be fed directly to the safety bus without any intervening components to prevent other vulnerabilities.
• If safety bus is aligned to offsite power during normal operation, it should have another off site source for a fast transfer, and EDG power can be the third source of power (offsite power is the preferred source)
• All three phases of AC need monitoring & Protection (Byron Event: IN 2012-03), and Grid operator coordination to ensure capacity & immediate availability
Alternate AC Source
• Protected from anticipated external events specific to the region (seismic, flooding, hurricane, dust storm, forest fire, etc.)
• Onsite fuel for a minimum of 7 days
• Minimum capacity to handle one full train of ECCS, one RCS / recirc. pump, and a service water pump concurrently for each unit that is supported.
• Black start capability
Alternate AC Source
• Standby power source for AAC needs to be from a minimum of two trains from a unit or one source from each unit (for multiple unit site) that is supported
• Protected, self-contained, with capability to remain on standby without any external power for 72 hrs.
• Provisions for periodic full load test
• Auto-connected power sources are vulnerable to propagation of electrical failure
• Manual breaker line up after clearing the electrical fault is needed for AAC operation. (It is required for crediting SBO support)
[Figure: Simplified Class 1E Power System, DC Bus One Line Diagram (One of Three Trains). Labelled elements: Station Auxiliary Transformer; Start-up Transformer; Emergency Diesel Generator; Alternate AC Power; Train A Class 1E AC Power Bus 4160 V; Battery Charger; Swing Battery Charger; Battery Bank; Train A Class 1E DC Bus 250/125 VDC; Inverter; Maintenance Bypass; Vital Power 208/120 VAC; Emergency Core Cooling System (ECCS) Circuits; Critical Control Room Displays; Standby Power for Non-Electric Core Cooling Systems (Gas/Diesel/Air Driven); Fail-safe systems only (Rod Drop – Reactor Protection System - RPS).]
DC Power System (Typical of Three)
• Strategically located DC bus with two battery chargers with at least one connected to an alternate source
• DC power for ECCS actuation with its dedicated sensors and processing (Least intervening components to reduce failure modes – inverter, power supply modules etc., IEEE 603 concept). Auctioneered power supply for increased reliability
• Reactor Protection System (RPS) powered from Vital AC (To be fail-safe such that any process signal with a logic or support system outside the acceptable band would trigger a reactor trip. IEEE 603 concepts)
Reason for Separating ECCS & RPS
• At North Anna, Unit 2, one diode failure caused Rx Trip & ECCS actuation.
• Consequently pressurizer overfilled, Power operated relief valve (PORV) cycled several times. Pressure relief tank rupture disk ruptured (IN: 2009-03)
• Safety Injection could not be reset from control room to prevent primary system going solid
• A single failure affected RPS & ECCS
Reason for Separating ECCS & RPS
• At Forsmark, 2 UPS failures caused:
  • A reactor trip, Core Cooling Actuation (2 out of 4 trains injected water)
  • Relief valves (ADS) stuck open 28 min. (until power was recovered to vital bus)
• Two UPS failures from a common cause resulted in reactor trip & a LOCA (relief valve stayed open) challenging RCS recovery
• Yankee Rowe also had a similar event when vital bus voltage declined
• Prevent single failure vulnerability of ECCS & RPS
IEEE Std 603 ANNEX A- Developing Scope of Safety
Consider consequences of one or more UPS failures, loss of power, etc., and conduct a thorough failure modes and effects analysis (FMEA)
DC Power System
• Standby power for non-electric cooling systems
  • Diesel, Air, Steam driven
• Minimum of three non-electric cooling systems protected from regional extreme environments, strategically located: each one associated with a train (Preferably two installed and one portable)
• Provision to cross connect power supply manually during emergency
• Provision for external powering from skid mounted energy sources
Backup Slide: Byron Station Open Phase Event
• January 30, 2012, Byron Unit 2 tripped when reactor coolant pumps tripped on bus under voltage (non-safety buses)
• The C-Phase open circuit on SATs caused under-voltage on ESF buses
• Manual operator actions were necessary to restore ESF buses
• NRC inspection identified the following:
  – Design vulnerability in the protection system
  – Degraded and under voltage relay schemes were designed on a coincidence logic (two of two)
  – ESF loads such as Essential Service Water pumps, Centrifugal Charging Pumps, and Component Cooling Water Pumps tripped and the EDGs failed to get start signal
  – Lost all RCP seal cooling for approximately 8 min
  – Required manual operator actions to start EDG and restore ESF loads (station blackout for 8 minutes)
  – If the operators failed to diagnose the event in a timely manner, a RCP seal LOCA could have occurred in the next several minutes.
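The Byron backup slide and the earlier point that "all three phases of AC need monitoring" describe the same detection gap. The following is an added example, not from the presentation or any plant's relay settings: with constructed per-unit bus voltages and assumed pickup and unbalance thresholds, it contrasts a two-of-two undervoltage coincidence scheme sampling two phase pairs with a scheme that evaluates all three, and shows which one issues the EDG start signal for a single open phase.

```python
from dataclasses import dataclass

# Added example, not from the presentation. Constructed relay inputs show why
# a two-of-two undervoltage coincidence scheme sampling only two phase-to-phase
# voltages can miss a single open phase, while a scheme that monitors all three
# phases raises the EDG start signal. Threshold values are assumed.

UV_PICKUP_PU = 0.90        # assumed undervoltage dropout, per unit of nominal
UNBALANCE_LIMIT = 0.10     # assumed limit on (max - min) / max across phase pairs

@dataclass(frozen=True)
class BusVoltages:
    """Phase-to-phase voltages on an ESF bus, per unit of nominal."""
    v_ab: float
    v_bc: float
    v_ca: float

def two_of_two_uv(bus: BusVoltages) -> bool:
    """Coincidence scheme: both relays (here on A-B and B-C) must see undervoltage."""
    relay_1 = bus.v_ab < UV_PICKUP_PU
    relay_2 = bus.v_bc < UV_PICKUP_PU
    return relay_1 and relay_2

def three_phase_uv(bus: BusVoltages) -> bool:
    """Per-phase scheme: undervoltage on ANY phase pair, or excessive voltage
    unbalance between the pairs, declares the bus degraded."""
    volts = (bus.v_ab, bus.v_bc, bus.v_ca)
    any_low = any(v < UV_PICKUP_PU for v in volts)
    v_max = max(volts)
    unbalance = (v_max - min(volts)) / v_max if v_max > 0 else 0.0  # guard full LOOP
    return any_low or unbalance > UNBALANCE_LIMIT

def edg_start_signal(bus: BusVoltages, scheme) -> bool:
    """The EDG auto-start and load-shed sequence is initiated only when the
    chosen relay scheme declares the bus degraded."""
    return scheme(bus)

# Constructed scenarios (not measured data from the Byron event):
NORMAL = BusVoltages(1.00, 1.00, 1.00)
THREE_PHASE_LOOP = BusVoltages(0.00, 0.00, 0.00)             # full loss of offsite power
OPEN_C_PHASE = BusVoltages(v_ab=0.98, v_bc=0.72, v_ca=0.70)  # A-B pair still near nominal

if __name__ == "__main__":
    for name, bus in [("normal", NORMAL), ("3-phase LOOP", THREE_PHASE_LOOP),
                      ("open C phase", OPEN_C_PHASE)]:
        print(f"{name:13s} two-of-two EDG start: {str(edg_start_signal(bus, two_of_two_uv)):5s} "
              f"three-phase EDG start: {edg_start_signal(bus, three_phase_uv)}")
```

In the constructed open-phase case the coincidence scheme never starts the diesels, which is the condition the slide describes as requiring manual operator action; the three-phase scheme trips on both the low pair and the unbalance.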