Bill--courtesy of csy2k
This one has it all - offsite power loss, scramming nukes, fallibility of onsite generators, falsification of data, problems with islanding. Not to worry, though. I hear they have this great plan to rig up some blocks and pulleys...
nirs.org
Statement of Paul Gunter, Director, Reactor Watchdog Project
Nuclear Information and Resource Service, Washington, DC
"Nuclear Y2K Symposium," March 8, 1999, Cannon House Office Building
Nuclear Power Stations and Emergency Diesel Generators
The reliability of offsite power is critical to nuclear safety.
The steady availability of offsite power is essential to prevent nuclear hazards in the daily operation of this technology.
If offsite power is lost, Emergency Diesel Generators onsite at nuclear power stations are necessary to provide back up power to operate important components of the reactor and storage areas.
Offsite power is referred to as the "preferred power system" at nuclear power stations, providing electricity to numerous safety and non-safety related systems including the reactor coolant system recirculation pumps, the main feedwater system and power conversion system.
The steady supply of offsite power is considered so important that components for utilizing electricity from the grid to the nuclear power stations are designed to minimize the chance of failure during station operation.
These features include:
1. two or more incoming power supplies from the grid;
2. one or more switchyards to allow routing and distribution of power within the station;
3. one or more transformers to allow the reduction of voltage to levels needed for safety and non-safety systems within the station;
4. distribution systems from the transformers to the switchgear buses.
The Y2K issue now raises a broad range of uncertainty for electrical power grid reliability with the potential for brief imperceptible interruptions of local or regional power transmission systems or a catastrophic failure of the grid system of unknown duration.
In the event of a grid failure and loss of offsite power, nuclear power stations attached to disrupted grid systems will scram, or automatically shut down with the rapid insertion of control rods and cease production of electricity. Nuclear power stations are neither designed nor capable of "black start" or the ability to operate independent of available offsite Alternating Current (AC) electricity.
Normally, nuclear power stations slowly coast down from 100% levels with the gradual insertion of control rods. However, the rapid insertion of the control rods is comparable to slamming on the brakes of a speeding car— it is a sudden activity and according to one former NRC Commissioner "a violent maneuver" potentially challenging station safety systems leading to component malfunctions.
Once scrammed, a nuclear power station must address the tremendous amount of heat generated by the atomic reaction within the fuel core. With the loss of offsite power a substantial number of systems normally used to cool the reactor are lost and unavailable.
Emergency AC power must be generated onsite to maintain reactor core stability and fuel cladding integrity through the removal of this "residual heat" via a system of circulating coolant pumps and motor operated components. Additional safety-related monitoring and control systems require electrical power stored and generated on-site. Emergency Diesel Generators (EDG) are designed to provide back-up AC electrical power and charge onsite auxiliary batteries necessary for the duration of any grid instability or failure.
When loss of offsite power is coupled with the loss of onsite emergency power, reactor cooling and heat removal must be accomplished through a limited set of systems and manual operations. The Nuclear Regulatory Commission has recognized the combination of loss of offsite power coupled with the failure of the onsite emergency backup power to be the largest postulated contributor to reactor accidents resulting in fuel damage.
This condition, known as "station blackout," was the subject of a 1979 task action plan and Unresolved Safety Issue (A-44) identified in July 1980. The NRC report "Evaluation of Station Blackout Accidents at Nuclear Power Plants," (NUREG-1032, June 1988) states that Station Blackout results in the unavailability of the high-pressure injection system, the containment spray system, the inside and outside containment spray recirculation systems and motor driven auxiliary feedwater pumps. In addition, normal station heating ventilation and air conditioning (HVAC) would become unavailable. Equipment needed to operate during a station blackout and that required for recovery from a station blackout event would have to operate in environmental conditions (temperature, pressure, humidity) that could occur as a result of the blackout. Failures of necessary equipment due to these environmental conditions could lead to a loss of core cooling and heat removal or a "station blackout induced loss of coolant accident."
A station blackout of long duration (in excess of two hours) leads to auxiliary battery depletion for AC conversion and subsequent loss of vital instrumentation and control features. The uncovering of the reactor core and its associated hazards can occur within a range of 3 to 10 hours beyond the time of battery depletion without restoration of AC power in Pressurized Water Reactors and Boiling Water Reactors, respectively.
One NRC report "Severe Accident Risks: An Assessment for Five U.S. Nuclear Power Plants" (NUREG-1150) states that with the combination of grid failure, battery failure and EDG failure "core damage begins in approximately one hour as the result of coolant boiloff" or uncovering the core for some reactors. Core damage can be expected to proceed to a core melt if effective and timely measures to restore AC power and core cooling are not taken or available.
Much uncertainty and numerous scenarios exist regarding containment performance and failure following a core melt accident. Reactors with smaller containment structures such as designs by Babcock & Wilcox, Westinghouse Ice Condensers, and General Electric MARK I Boiling Water Reactors are of greater concern with regard to the potential for early failure. Basemat melt through, steam pressure spikes, hydrogen burns, direct containment heating, and overpressurization of containment with noncondensable gas and steam are possible scenarios for breach of containment and the catastrophic release of radiation to the environment.
Accident scenarios for times from the start of a fuel melt to containment failure range from 2 hours to more than 24 hours.
These station blackout studies assumed the electrical grid to be a stable and reliable system.
NRC studies consider a long duration blackout event in excess of two hours to be a dominant factor influencing the likelihood of core damage or a core melt accident.
We believe that a long term or reoccurring grid failure as a result of Y2K vulnerabilities has not been sufficiently studied. Therefore, the need for a thorough re-examination of the station blackout rule and nuclear accident probability figures still looms large.
Emergency Diesel Powered Generators and Their Reliability
The safety significance of redundant and operable onsite emergency power cannot be disputed.
The NRC and industry tout a 95% reliability factor for successful emergency start-up and electrical loading of safety equipment. In the event of widespread grid disruptions, even this official figure allows a 5% margin for EDG failure. However, a NIRS review of EDG reliability as evidenced through NRC Daily Event Reports continues to indicate that the margin of failure may be larger.
In December, 1998 NIRS filed three petitions for rulemaking to the NRC regarding Y2K. The NIRS petition relevant to emergency diesel generator operability has an attached Appendix A providing a compilation of US NRC Daily Event Reports and Licensee Event Reports for every month of 1997 and 1998. These reports indicate a wide range of new and recurring problems potentially affecting emergency diesel generator operability.
A short list of recent examples includes:
1. a fuel oil delivery to New Jersey's Hope Creek nuclear power station contaminated with lubrication oil resulted in a clean up and refill operation in excess of the station's Allowable Outage Time of 72 hours (LER-98-004-00, 06-22-98);
2. a Discrepancy Report filed under an Independent Corrective Action Verification Program per NRC Confirmatory Order at Connecticut's Millstone 2 nuclear power station involving the possibility of a water intrusion/contamination as the result of corrosion of the nonsafety-related underground diesel oil storage tank resulting in the common failure of multiple emergency diesel generators (DR-0312, 10-15-98);
3. both of River Bend nuclear power station's diesel generators may not have been able to perform their required safety function from 1985 to 1990 prior to design modifications on the equipment's pneumatic control systems (DER/Event #34738, 09-04-98);
4. all three of New York's Indian Point Unit 3 emergency diesel generators were declared inoperable due to multiple circuit breaker problems resulting in the cold shutdown of the reactor (DER/Event #33447, 12-23-97);
5. a high level emergency (ALERT) was declared at Detroit Edison's Fermi Unit 2 when a fire broke out in the emergency diesel generator control panel causing the operator to shut down the diesel generator and exit the building (DER/Event #34889, 10-8-98).
Since January, 1999, NIRS continues to monitor Daily Event Reports for diesel generator problems and continues to evidence a range of potential operability issues including vendor reports on inoperable equipment, diesel generators found to be outside of technical specifications, and equipment component degradation. We expect to see continued problems with design and hardware failures, operation and maintenance errors and failures related to support systems.
A NIRS review of NRC documents indicates that industry reporting of diesel generator start-up reliability may not be as accurate as perceived by NRC.
It is our concern that some number of nuclear utilities may not be accurately reporting reliable restart data for their emergency diesel generators.
NIRS is aware that on at least one occasion a nuclear utility falsified data relative to the reliability of its emergency diesel generators. This is documented by a U.S. Nuclear Regulatory Commission memorandum dated December 20, 1993 to Stewart Ebneter, Region II Administrator from Ben Hayes, U.S. NRC Office of Investigations entitled "Vogtle Electric Generating Plant (VEGP): Alleged False Statements Regarding Test Results On Emergency Diesel Generators (Case No. 2-90-020R)."
On March 20, 1990 Vogtle Unit 1 declared a Site Area Emergency due to a loss of offsite power when a truck hit a tower in the switchyard and the concurrent loss of available onsite emergency diesel generator capability when the one operable diesel generator tripped after starting. As a result the unit went into station blackout and an associated heat up of Reactor Coolant System before the emergency diesel generator was successfully started and restored emergency power. As a result, Georgia Power Company (GPC) was required to demonstrate successful startup of their emergency diesel generators before restart of their power reactors.
The NRC report documents deliberate violations by Georgia Power Company of federal regulation and license conditions in falsification of material statements made to NRC by senior company officials regarding the reliability of the emergency diesel generators.
The Office of Investigation (OI) substantiated that on April 19, 1990, the general manager deliberately presented incomplete and inaccurate information to NRC regarding testing of the Unit 1 diesel generators conducted subsequent to the site emergency. The OI substantiated that the Vice President of Nuclear Operations deliberately and repeatedly presented misleading, incomplete, and inaccurate statements of diesel test results with at a minimum careless disregard. The OI investigation concluded "there was evidence of a closed, deceptive, adversarial attitude toward NRC on the part of GPC senior management."
This particular investigation was unique in that the alleger provided NRC with tape recordings of internal telephone conversations of various levels of Georgia Power Company; from employees within the power station up to the Senior Vice President of Nuclear Operations. The OI report states that the tape recordings show "evidence of closed deceptive adversarial attitude toward NRC on the part of GPC senior management." The alleger was fired from Georgia Power and subsequently was granted relief through a settlement agreed upon by both the NRC and the utility.
It should be of concern to the federal agency that conclusive evidence indicating a "closed deceptive adversarial attitude toward NRC" on the part of utility senior management may not be unique to Georgia Power Company. In fact, "a deceptive adversarial attitude toward NRC" could exist within other nuclear utilities and potentially impact the high reliability data pertaining to emergency diesel generator start-ups and failures.
Finally, other actions taken on the part of electric utilities to avoid Y2K disruptions can impact emergency onsite power reliability in terms of duration of reliance on emergency power at a nuclear power station.
At least one known utility and potentially others plan to separate their various power pools from regional and national grid systems to avoid widespread power outages come Y2K rollover dates. This preventive action may constitute an added burden on emergency onsite power generators should grid failures occur.
The New London Day reported on January 5, 1999 in an article entitled "Millstone Official Says Y2K Problems Won't Have Any Effect On Nuclear Station" comments made by Northeast Utilities corporate management. It was reported that NU had undertaken plans to restrict the flow of electricity at the various grid interconnects to the New England Power Pool to prevent a "cascading grid failure."
It is our concern that in the event of a grid failure within a power pool system that is "islanding" its electricity or in a neighboring power pool, a significant delay or potential failure to transfer power can result without open interconnections providing power to the blackout area. This can be further compounded by Y2K telecommunication problems between utilities systems necessary to initiate and monitor power transfers normally available through automated systems. Such delays to restoring AC to nuclear power stations represent a concern to public health and safety.
Consequently, NIRS has submitted its petition for rulemaking requesting that NRC require that all EDGs be determined operable with a 60-day supply of fuel oil onsite.
We have also requested that NRC provide a top-level emergency classification to all power systems and components providing coolant to the large inventories of thermally hot irradiated fuel in storage ponds at each of the reactors. The petition would require that additional emergency AC power generators be installed at each reactor site to provide a broader margin of reliability for the protection of the public health and safety.